Thursday, November 6, 2008

Email to Senator Stephen Conroy

Email him yourselves at senator.conroy@aph.gov.au.

--
Dear Senator Conroy

My name is Jarrod Loidl and I am currently employed as an Information Security Specialist. I have been employed as an information security professional for the past five years, and active in the Information Technology industry for the past ten years. In that time I have spent approximately six years working for various Internet Service Providers (both in Australia and outside of Australia).

Some of the responsibilities I have had in that time have been:
- managing spam filters for a major U.S. ISP serving approximately four million users,
- reporting child pornography cases to federal law enforcement,
- managing intrusion detection and prevention systems,
- conducting/coordinating penetration tests and vulnerability assessments of various networks,
- developing and providing recommendations on security architecture for various projects,
- providing strategy guidance on policy creation and development, etc.

I am also a member of the Australian Information Security Association and Open Web Application Security Project.

As such I am aware of the way criminals operate over the Internet to escape detection, and I have a unique perspective on these issues, having worked on them from both technical and security angles. I am also familiar with the social and political issues surrounding the proposed Internet filtering.

I am writing to state my opposition to this plan, and it is my hope that by explaining why, you will reach the same conclusion.

Firstly, the filters being proposed are based on HTTP proxy level filtering. That means these filters will only inspect unencrypted web traffic; anything that is encrypted, or not web based, will bypass the filtering entirely.

What follows is a list of technologies that are free (or at most easily affordable) that will defeat this form of filtering:
- Anonymous Proxies and anonymisation services (e.g. TOR),
- Virtual Private Networks,
- SSH Tunnels,
- Peer-To-Peer (P2P) Networks,
- SFTP/FTP.
I'm sure there are more, but those are the most prevalent in use today.

Studies have statistically shown that most of the traffic ISPs service today is P2P based. This traffic is not just generated by kids downloading music but also by criminals sharing child pornography. These tools are easy to install, easily bypass the proposed filters and, what's more, are completely legitimate in day-to-day business - so blocking or prohibiting these tools isn't a feasible option either. Criminals have been using many of these tools for years to minimise their chances of detection or avoid it entirely. I urge you to ask anyone dealing with child pornography or computer crime at the Australian Federal Police or Australian High Tech Crime Commission.

In fact, this proposal may have the unintended side effect of creating a smarter criminal by forcing them in larger numbers to adopt the above technologies, hampering law enforcement dramatically.

Secondly, my understanding of the proposal hinges on the use of two blacklists (and please correct me if I'm mistaken) - one is an "opt-out" list for general adult content. The second list cannot be "opted out" of and is for content deemed illegal. Looking at the blacklist issue from a purely technical perspective, it is well regarded as a poor security model. The reason is that anything not defined as prohibited is expressly permitted. This means any site that hasn't been classified as either adult or illegal will be allowed. Managing these lists becomes a full-time task, as they will only grow over time as more sites are classified. In fact, for a blacklist to work, you would need to classify every site on the Internet - a rather impossible feat given my estimate of more than 30 billion pages to date, growing at an exponential rate.

If the solution relies on automated tools to populate these lists, this opens up the potential for sites to be incorrectly classified - potentially creating an even larger problem.

But let us assume for a moment that somehow, every page is classified appropriately. The proxy filters will then have to match all web requests against these two very, very, very large lists to see if a request is prohibited. This will cripple Internet speeds - I'm sure you've already heard the reports surrounding performance concerns. I can assure you that with this approach such reports will only increase over time as the lists grow in size; performance impacts will be inevitable.

The preferable security model is to do the reverse - whitelist "permissible" websites and block anything not on that list. However, this would also require the classification of every website and create another large list - thus creating the same issues.

Thirdly, there is the issue of classifying content. How is that assessment made and who determines it? What if a site is classified incorrectly? What one individual finds offensive another may not. Is it open to public scrutiny? What checks and balances are put in place to prevent abuse by Government or private enterprise adding content they deem to be "undesirable"? There are equal arguments for and against open inspection of the blacklists by the public, and I completely recognise this. If you open the lists to inspection, people will invariably try to access the content; however, if you don't, how can the public at large be assured they aren't being censored by content that the Government doesn't want them to access? There is no clear-cut answer to this - only a careful deliberation of risks can help to shed some light here. However, when you weigh it all up with the other points I've raised, I'm sure you will agree that this proposal creates more problems than it solves.

To summarise my key concerns -
- It is technically trivial to bypass such filtering,
- Managing the blacklists (or whitelists, for that matter) to determine the content of all web traffic is largely impossible,
- This will create performance issues,
- Allowing a specific group to classify content on behalf of all Australians poses the risk of widespread abuse to all Australians.

In my following of this issue it seems that there hasn't been much clarification around the impetus of this plan. Is the plan to protect children from exposure to inappropriate content? Is it to stop the proliferation of child pornography? Before we rush ahead with a technical solution that does not work, we need to be very clear about what it is we are trying to prevent. With collaboration with the ISP industry, information security professionals, law enforcement, as well as privacy and civil liberty groups such as the Electronic Frontiers Association - I have no doubt a better path can be found.

As a soon-to-be parent, I fully support the government's cyber-safety initiative. However, as an information security professional I must advise you that the current proposal is rife with flaws and further examination of the issues is required. What I've covered here is just the tip of the iceberg.

I apologise for the long email but sincerely hope you read this and take the above into due consideration. I welcome any further feedback or response.

Best regards,

- Jarrod Loidl
Ph: XXX-XXX-XXXX
