Sunday, October 26, 2008

Internet Censorship in Australia

It seems this nation hasn't learned from the lessons of the past, or at the very least - our government hasn't:
The Age
ABC News

For those interested in some background reading:
EFA Article

This issue rolled around in 1999 and none of the largest ISPs or ISP associations within Australia were consulted when Senator Alston pushed these laws back then. The final workable solution was client-side filters deployed on home PCs to restrict undesirable content.

Before delving into the obvious issues:
- the technical difficulties of blacklisting all web traffic (to say nothing of the futility of it),
- any discussions over who has the right to determine what is "undesirable" content,
I'd like to point out that the previous model made sense (at least in part). It placed responsibility for end user security with the user.

If you are going to deploy these filters, do so at the client side. Combined with putting the computer in an open family area, logging and monitoring traffic, and having open discussions with your children about the use of the Internet (and parents not turning to the PC as the new babysitter), I think this is a sound strategy for preventing children from accessing inappropriate content.

I know many people scoff at such filters but hey, at least this strategy doesn't involve implementing a proxying-layer content filter that degrades the Internet back to the Dial-up Dark Ages.

However, this isn't really about preventing kids from viewing pornographic or violent material. In fact, it seems the Government can't decide if they are trying to restrict child pornography from the masses or stop children from accessing undesirable content.

From my reading of the above two articles, it sounds to me like the government is really trying to crack down on child pornography and is using the whole "protecting the kids" schtick to justify it.

I wish I could find it, but earlier this year there was another article somewhere reporting that a kid who was beta testing these same filters was able to bypass them within approximately 30 minutes.

If this isn't enough to persuade you - the model they are using for restricting content is a black list.

Enough said.

When you consider the number of technologies that exist (for free) that can be used by pedophiles to remain almost undetectable - and that such technologies can easily defeat the proposed implementation the government is rolling out, we have to ask ourselves:
a) who are we really protecting?
b) what is the value add?

As security professionals, we ask ourselves these questions every day when we explore new controls to protect data. In asking myself the question here I find that the requirements aren't well defined.

The government has not clearly articulated what they are trying to protect, why they are trying to protect it and most importantly - it has failed to explain how this solution will meet their requirements.

Anyone who strongly objects to Internet Censorship, please read the EFA link under the background reading.

While I'm all in favor of shouting out against censorship, my experience has been that unless you have a better suggestion, you'll be ignored and not taken seriously.

As information security professionals, we should all stand up and do what we do best - express our discontent, highlight the technical risks and weaknesses of this solution and encourage an open forum to discuss these issues. Maybe by better understanding the requirements of the day we can find a solution.

Write to your MPs, write to the EFA, Today Tonight, whatever. Just get your opinion out there.

Tuesday, October 7, 2008

Builder or Breaker?

Mark Curphey wrote an excellent piece not long ago about what's wrong with the Information Security industry. For those that haven't read it, the piece is here.

One of the biggest gripes I have had about my job was often the feeling that I'm not a builder. That I'm a breaker - or at least have a strong feeling at times all I'm doing is pointing out what's wrong rather than what's right.

How many of you are guilty of this?

Reading this article made me take a good long think about how I operate and made me realise that I'm closer to being a builder than I previously thought. In the process of mapping out my career plan and training plan for the next 12 months, it's fairly evident from the skills I'm focusing on right now that I'm on the right path... or at the very least a better one according to Mark.

Kudos to Mark for the advice.