What inspired you to offer the service?

People will always choose the easiest way to get the latest movies and TV shows and downloading off the internet is it. Unfortunately options are now limited to VPN tunnels not only for p2p but also for using an American IP address to get access to TV sites like www.hulu.com.

Are you getting many customers and what do they want it for?

Yes I am. VPN tunnels have a number of uses that include getting an American IP address to watch tv sites such as hulu.com, encrypt internet traffic when they are using a public WiFi point and of course hiding their real IP address.

How do you feel about the fact that some of your customers will probably be using your service to break NZ law?

No Comment.

What sort of information do you keep about your customers?

We only keep the email address.

What sort of information do you keep about your customers connections? (Such as when they connect, how long they connect for, anything they do through the service.)

We do not log what the user does or transfers over our network but we do log the time of connection and disconnection. We use this data to strategically deploy network resources. We also log the country the user is logging in from, this helps us to detect hijacked accounts and abuse. We do not log IP addresses.

Do you think your business has an obligation under the Telecommunications (Interception Capability) Act to allow the NZ police or other enforcement agencies to monitor traffic?

No, I am not a network operator. A network operator means a person who owns, controls, or operates a public telecommunications network or a person who supplies (whether by wholesale or retail) another person with the capability to provide a telecommunications service. CyberDodge does not provide anyone else with the capability to provide a service and CyberDodge is not a public telecommunications network. Public telecommunications network means a public switched telephone network and a public data network. CyberDodge is not a public switched telephone network nor a public data network. A public data network means a data network used, or intended for use, in whole or in part, by the public and includes, without limitation, the following facilities: Internet access and email access. CyberDodge requires that you have internet and email access already. This law applies to ISPs, which CyberDodge is not.

Do you think your business has an obligation under the Copyright (Infringing File Sharing) Act to store customer IP addresses so that you can pass on notices?

No, I am not a IPAP. IPAP, or Internet protocol address provider, means a person that operates a business that, other than as an incidental feature of its main business activities, offers the transmission, routing, and providing of connections for digital online communications, between or among points specified by a user, of material of the user's choosing and allocates IP addresses to its account holders and charges its account holders for its services and is not primarily operated to cater for transient users. CyberDodge does not offer the transmission nor providing of connections for digital online communications. CyberDodge only routes digital online communications. This law applies to ISPs and CyberDodge is not a ISP.

A thread over on gpforums.co.nz has discussed problems Telecom users have had accessing content delivered by various CDNs (content delivery networks - used by many sites to handle video streaming).

Network traces showed a large amount of packet loss and the path taken by the data looked a bit unusual.

This appears to be the first sign of a site being either adversely affected or actually blocked by the DIA filter. We've also had confirmation of other ISPs (Internet service providers) believed to be using the filter having access blocked.

What we believe is happening

The filter works by creating alternative routes to particular network IP addresses and passing them onto the participating ISPs. Traffic to those IP addresses is then passed to the DIA and checked by the filter to see whether it is going to the blocked site or another site on the same IP address. If it is going to a blocked site, the user is redirected to www.dce.net.nz, or else it allowed through the DIA's ISP and out onto the Internet. (Read more in our Filtering Frequently Asked Questions article.)

Inspection of the traces shows that the traffic is going through an ISP with a relationship with the Department. The address 124.150.165.62 in the traces is from that ISP. The traffic is then going out through a link that the ISP has to Australia.

This ISP's link to the Internet appears to be either under considerable pressure or is simply broken. The level of traffic being dropped by it (as reported by users and our own investigation) is likely to be degrading access significantly to any site hosted - but not actually blocked - by any IP address the DIA is wanting to inspect.

What does this mean?

The site in question hosts anime (animated video from Japan and other countries). While we believe that some anime work has been found objectionable in New Zealand, we cannot find any reference to this site being banned by the Chief Censor.

Even if one video at the site has been blocked by the DIA, this blocking appears to be generally degrading performance to other material on that site or any other site hosted by the same content delivery network.

The Department has repeatedly denied access to the filter list in the expectation that hiding the list will prevent people from accessing it. As this story illustrates, it's not difficult to uncover the filter given the effects it has on an IP address being filtered/intercepted.

We're very interested in hearing from anyone else having difficulties accessing a site where 124.150.165.62 appears in a traceroute to the site. We're particularly interested in legal content being degraded by passing through the DIA's filter.

Please do your job.

Yours, Tech Liberty

We believe that secret censorship is a threat to our democracy. We need to be careful when giving our government the ability to limit what we can see and hear - which is why we require the Chief Censor to publish their decisions. This openness, the ability for anyone to review and challenge, helps prevent abuse of the censorship scheme.

One of our objections to the government's Internet censorship filter was that the Department of Internal Affairs has refused to release the list of censored sites. They say that they'll only censor certain types of material, but how can we know that they're sticking to this without being able to see the list?

The DIA did respond to these concerns by establishing the Independent Reference Group to provide at least some semi-independent oversight of the filter, although they had to be persuaded to let the IRG have access to the list of blocked sites. Then, from the minutes of the IRG's meeting on 15th October 2010:

Members of the Group were invited to identify any website that they wish to review. They declined to do so at this stage.

Now, we quite understand that members of the IRG don't want to look at those sites. But that's not the point - they have a responsibility to ensure that the filter "...is operated with integrity and adheres to the principles set down in the Code of Practice."

This oversight isn't going to work if the IRG don't exercise it. The filter list grew from 153 entries in June to 538 in November - surely it would have made sense to have a look at the list and select some of the additions for a brief review?

Recommendation

We recommend that at each meeting the IRG should randomly select a sample of newly added sites and review the content to ensure that the filter is not being abused. Anything less is neglecting their duty.

It seems that a lot has happened since we did our last update.

Increase in the number of ISPs

The ISPs using the system are now:

• Maxnet
• Watchdog
• TelstraClear
• Airnet
• Xtreme

Telecom are obviously next and Vodafone are also apparently well on the way to implementing it. According to the DIA, "Discussions are continuing with Ihug/Vodafone, Woosh, Orcon and 2degrees. Design changes are being investigated to adapt the system for performance on mobile devices." However public statements from Orcon have said they have no plans to implement the filter.

Even so, this means that most users of the Internet in New Zealand will be using a filtered connection.

The filter list

The number of entries has risen from 153 (as at 29th June 2010) to 538 (as at 2nd November 2010), representing 463 unique domain names.

What is being filtered

From the DIA's Independent Reference Group minutes: "Aware that the inclusion of drawings or computer generated images of child sexual abuse may be considered controversial, officials advised that there are 30 such websites on the filtering list. Nic McCully advised that officials had submitted computer generated images for classification and she considered that only objectionable images were being filtered. It was noted that images of popular television cartoon characters engaged in sexual acts, which are quite common on the internet, would not be added to the filter list."

Further reading

• Tech Liberty's Internet Filtering FAQ
• Tech Liberty's Internet Filtering Technical FAQ
• Which ISPs Will Filter?
• Why We Oppose Internet Filtering
• Stop the Filter campaign website

References

• http://www.dia.govt.nz/diawebsite.nsf/wpg_URL/Services-Censorship-Compliance-Independent-Reference-Group-Meeting-Minutes-15-October-2010?OpenDocument
• IRG 2nd Quarter Briefing Document from the DIA (not online)
• Letters from the DIA (not online)
• http://www.nbr.co.nz/article/telecom-installs-govt-website-blocking-filter-132625

• They completed trials of the system nearly two years ago.
• They have signed up just two small ISPs, Watchdog and Maxnet, although we believe that Maxnet are not using it yet.
• The list of banned webpages has only 153 entries on it (well down from the 7000 they were claiming earlier).

While they've been doing this:

• Internet NZ has announced their opposition to the filter on technical and practical grounds.
• Six ISPs have said they definitely won't use the filter, another couple have said they have no plans to implement it, and only three have stated an intention to sign up alongside the current two.
• Political pressure has forced the Australian Labor government to delay implementing their filter, and the opposing Coalition has said they'll scrap the system if elected.
• The US government has opposed internet censorship and stated their commitment to developing tools that allow people to circumvent it.

And all the normal reasons against the DIA's proposed censorship scheme remain:

• The filtering system only works against unencrypted websites and doesn't stop the main ways used to distribute objectionable images - torrenting, email, chat. Only 8.5% of the traffic going through the filter can be checked.
• It's easy for motivated people to work around the filter.
• Secret censorship (the list of banned sites is kept secret) is offensive in an open and democratic society.
• Better filtering solutions that cover a wider range of objectionable material are available for those who want them for their family or business.

Time to stop?

The filtering system doesn't seem to be getting anywhere and isn't going to work if it ever does - surely it's time to just close the project down. The money saved could be much better spent funding the DIA's efforts at infiltrating the groups that trade in objectionable images and shutting them down.

Which ISPs?

We've updated our list of which internet service providers will or won't be implementing the DIA's filter.

New additions to the not filtering camp:

• Unleash - "we will not be implementing this filter and we have no plan to do so in the future."
• Iconz - "ICONZ are not currently signed up to the filter, nor do we have any intention of doing so in the future."

And an ISP that will be filtering:

• Xtreme Networks - "It's a no-brainer for us, it's free."

That gives us three ISPs that will be filtering, six that won't, and two that are undecided. We're still waiting for hear from Woosh, FX, Compass, Inspire, and Actrix.

More material from the DIA

The Department of Internal Affairs has posted a couple of new documents on their website:

1. They have done their own FAQ in opposition to Tech Liberty's FAQ.
2. There is also an Information Pack (pdf).

Filtering Delayed in Australia

The fight against the Australian filter system continues. Significantly worse than the New Zealand system, the Australian filter will be compulsory, covers a wide range of material and there is no oversight of the list of filtered sites.

In a sign that protests are working, it was recently announced that passing of the filtering law will be delayed until after the election. Further links and comment from Electronic Freedom Australia.

See OpenInternet.com.au for more information about the Australian anti-filtering campaign.

The obvious question has to be, why was Tech Liberty announcing something that the Department of Internal Affairs had done? Where was their announcement that the filter had gone live on the 1st of February? Don't civil servants have a duty to communicate to the people that they serve?

Sadly this reticence with information has been typical of the Department of Internal Affairs in relation to the implementation of the Internet filter.

Deleting Public Records

Last year we used the Official Information Act to ask for copies of the reports that the inspectors has used to justify banning the websites on the list. The DIA refused. After we appealed this refusal to the Ombudsman, the DIA then said that those records had been deleted and therefore it was impossible for them to give them to us anyway. The Department has an obligation under the Public Records Act to keep such information.

We complained to the Chief Archivist, who investigated and confirmed that the DIA had deleted public records without permission. He told us that the DIA has promised to do better in the future, but naturally this didn't help us access the missing records.

The Secret Go-Live Date

Why has the DIA been so secretive about the filter going into operation? Here's two examples where we believe that they have failed to be open and honest about what they are doing, even in response to direct questions.

We wrote to the DIA and asked them, again, when the filter was going to go live. They wrote back on January the 20th and said that as they were about to make an announcement, the Official Information Act gave them grounds to refuse our request. This was 11 days before Watchdog was the first ISP to start using the filter. It's now the 16th of March, nearly two months later, and there's still no announcement from the DIA.

Secondly, on February the 15th we rang Keith Manch, Deputy Secretary of Internal Affairs, and directly asked him when the filter was going live. Keith is responsible for Regulation and Compliance and has been heavily involved in the implementation of the filter. Did he admit that the filter had gone into operation two weeks earlier? No, he carefully took note of our questions and then wrote in a follow-up email that as we had already asked those questions by letter he wouldn't answer. We finally got our answer on March the 8th, admitting that the system had gone live on February the 1st.

Open and Democratic Government

Tech Liberty is at the intersection of technology and civil liberties. We are strong supporters of the right to self-rule as expressed through democratic government. An important element of democratic government is the principle that government must be open and accountable, as without this governments tend to become corrupt and self-serving.

New Zealand recognises this and the Official Information Act and Public Records Acts are some of the ways we use to ensure that our government remains open and accountable. However, the law isn't enough on its own, it also requires a commitment from government departments to honour the spirit of the law and not try to use or misuse the letter of it to conceal information.

We don't believe that the Department of Internal Affairs has been living up to this standard when it comes to the issue of internet filtering.

Security risks of centralised filtering

The DIA's Internet filter will introduce a very tempting attack vector for those with ill intent. When their system is compromised we'll all be at significant risk of losing all of the money in our bank accounts. No, really, we will.

To fully understand how and why this will happen it's important to understand a little bit about how the routing on the Internet works, how the filter will work, and the methods and mind-set of the criminals currently working on the Internet.

Routing Primer

Routing on the Internet is based on hearsay. As a provider of services I tell my neighbours the IP addresses that I look after, and that if they have packets destined for my IP addresses that they should route those packets to me. My neighbour tells their neighbours, and so on. So when someone on the far end of the Internet wants to send a packet to an IP address I am advertising they ask their neighbours if any of them know a way to get to me. One or more of their neighbours will return a path that should get to me - this path is called an AS-path, and is the crux of BGP routing. Using a set of pre-defined rules the person at the far end decides which of their neighbours to send the packets to. Once the best path is selected the packets are handed over and the neighbour then repeats the process with their neighbours.

There are only a limited number of tools that can be used to influence the path packets take. One of the most influential is how specific the advertisement is. Say I want to send some packets to an IP address and two of my neighbours say they know a way to get there. One says it knows how to get to a range of 246 IP addresses, including the intended destination, and the other says it knows how to get to a range of 512 IP addresses that also includes the intended destination. I will choose the more specific route - the one with the smallest range.

In summary, routing is based on what my neighbours tell me, which is in turn based on what their neighbours tell them, and packets always go to the most specific advertised route. I have to trust my neighbours, just as they trust what their neighbours tell them.

What could possibly go wrong?

The Internet is founded on trust, but sadly some people break trust. The easiest way to break the internet is to advertise 'false' routes. If you were to do this, traffic intended for someone else's IP addresses would come to you - you just need to advertise their ranges in more specific advertisements, as packets will always choose the more specific route. This is a little bit spooky, because there would be no tell-tale signs that your packets were going the wrong way - none of the easy-to-spot phishing give-aways (malformed domain names) or slight-less-easy-to-spot-but-still-detectable DNS poisoning (an incorrect IP addresses - you all use a geo-IP tool in your browser, right?). It will appear that your packets have gone to the correct IP address, because they have gone to the correct IP address. It's just that the IP address is on the wrong server.

Could this ever happen? It has happened. Pakistan Telecom advertised the YouTube ranges and broke YouTube for a few hours. It got into the newspaper and everything. To combat this we can assume that YouTube changed their advertised routes to be more specific. If Pakistan Telecom has been a malicious attacker they would have done the same, and then YouTube would get even more specific, and Pakistan Telecom again, etc, etc. At some point (/24 in most instances - a 256 IP address range) you can't advertise a more specific route because your neighbour won't accept the advertisement, because their routers would run out of memory to hold all the routes. At this point you're at a stalemate with some data going to the legitimate place and some to the bogus place. I mention this limit as it's important to the attack vector later.

How the DIA filter will work

Here is what NetClean say about how their WhiteBox product works: "NetClean WhiteBox server contains the URL block list of the sites to be blocked. It looks up these URLs using DNS and resolves them to their IP addresses. These addresses are propagated to the networks to be filtered via BGP. Traffic to these IP addresses from the networks is routed through the tunnels to the WhiteBox server that checks the URL against the blocking list. If a match is made, a block page is sent to the requestor. If a match is not made, the request continues to the web site and it is accessed as normal."

In other words the DIA filter will essentially do the same thing as occured in the Pakistan vs YouTube issue, they will advertise a false route to divert traffic. The DIA filter will be a neighbour to our ISPs, advertising very specific routes (ie, single IP addresses) that are 'IP addresses of interest'. Traffic that would normally be routed over the public internet to those IP addresses will instead be routed to DIA. The DIA filter will then inspect the data and decide what to do with it. For the purposes of this article I don't know or care what happens to it: the data might be inspected and then passed on to the intended destination, or the packets might be discarded - what happens in the normal operation of the filter isn't relevant to this article.

Note that the advertised route from the DIA filter is more specific than is generally considered acceptable on the Internet at large. This means that in a turf war over IP addresses the DIA filter will always win. The ISP will always send data destined for the intended recipient to the DIA filter when the filter says it wants to receive it. So the DIA filter is a centralised management system capable of controlling data flow to any single IP address as it crosses any ISP.

What bad people are doing these days

The second piece of this puzzle revolves around the way criminal activity is going on the Internet. I'm not talking about script-kiddies defacing a few web servers, but the hardened criminals who are stealing millions of dollars to fund their other activities. I was recently at NZNOG, a seriously geeky conference, and a guy named Adam Boileau spoke on security - the same talk I believe he gave at Kiwicon last year. He reminded me that serious hackers are like any business people: they want to maximise the return on their expenditure. In other words, they want the biggest bang for their buck.

I'll take a short detour here - it's reasonably important to realise that the underground economy of data theft is reasonably mature. There are specific roles and jobs that are carried out by different people, and they sell the results of their efforts to other people who do the next part. So there are the people who break into home PCs and build botnets, which they then sell to others who will use that botnet for, say, a distributed denial of service (DDoS) attack on the web server of some organisation they don't like. Or one person will break into a system and steal a swag of credit card numbers which they'll sell to a second person who will verify which ones work, and they in turn will sell those to people who will use them to buy things (which they return for a cash refund or sell for cash).

So we've got a bunch of bad guys who want to break into as many systems as they can in as short a time as possible, so they can earn more dollars per hour from their activities. These people are often quite smart, and they can figure out that there can be several ways to get the information they want, some more efficient than others. For example, the bad folks looking to get internet banking logins that they can sell worked out that it's more efficient to poison DNS than to send lots of phishing emails. When you poison DNS you get a name server to return the wrong IP address when a domain name is resolved, and then the users web browser goes to the wrong server with their request. If the domain name is abc-bank.co.nz then when the user goes to their bank's internet banking login they actually end up on the bad guys' server, and send their login credentials to the bad guys who in turn use them to log into the real system. "Oh, but I have the fancy second factor authentication RSA dongle / battleship card / one time text system, so they won't get me..." I hear you say. Sadly the bad guys have thought of a way around this - as you type into the fake bank screens from their server they are doing the same into the real bank screens, using your second factor authentication in real time on your real account.

DNS poisoning is tricky for a user to spot, but not impossible. You can use a GeoIP tool in your browser to check that if you're logging in a New Zealand bank that the IP is from New Zealand. I use WorldIP for FireFox. If you use Internet Explorer do a google on something like 'internet explorer geoip plugin'.

The bad guy gets more bang for their buck by poisoning DNS than by phishing with email. Why spend a whole week building a botnet when you can spend an afternoon breaking into some established centralised control mechanism, like DNS?

Pulling all the pieces together

Routing over the Internet is controlled using BGP and a high level of trust. Malicious false advertisements can break routing and cause packets to go to the wrong server without any identifiable tell-tales for end users to be able to protect themselves. The DIA filter will exploit this to direct traffic from predefined IP addresses to their filter. The ISPs will believe and trust the routes advertised by the DIA filter. The bad guys find it more efficient to break into a single centralised control mechanism.

If you put this all together you get "lets make a legislated centralised (and explicitly trusted) way to divert traffic from it's proper destination which is virtually undetectable, and then when the haxors break into that system they'll be able to divert ABC Bank's traffic to their own server and BE THE BANK".

The filter system is introducing an architectural weakness into the New Zealand Internet. Not only is it a single point of failure, it is also a single point of attack. While we can expect the DIA to do their best to keep the system secure, we can hardly expect the Censorship unit to have the skills to do more than apply patches supplied by the vendor, and this will be a very tempting target for any number of malicious people.

About the author

Gerard Creamer is an Internet entrepreneur who owns several Internet based businesses, Paystation (electronic payments), Netspace (system hosting and collocation), and Face (web based system development). He is an active member of the NZ Network Operator's Group. Gerard lives in Wellington with his wife and four children.

Thomas Beagle, spokesperson for Tech Liberty, "We're very disappointed that the filter is now running, it's a sad day for the New Zealand internet."

The DIA refuses to say which other ISPs will be joining the filter, claiming the right to negotiate in secret. Tech Liberty understands that Telstra Clear, Telecom and Vodafone have said they will implement the filter, with Orcon, Slingshot and Natcom saying that they won't.

David Zanetti, technical spokesperson for Tech Liberty, "We fear that the filter will reduce the stability of the internet in New Zealand. It is a single point of failure, introduces a new and very tempting target for hackers, and by diverting traffic will cause issues with modern internet applications."

Tech Liberty is concerned about the expansion of government powers represented by the filter. It establishes the principle that the government can choose to arbitrarily set up a new censorship scheme and choose which material to block, with no reference to existing law. Even worse, the list of what is filtered is kept secret, in direct contrast to the rest of New Zealand's censorship regime where the Chief Censor must publish decisions banning offensive material.

The US government has recently spoken out against government filtering of the internet, with Secretary of State Hilary Clinton saying that "Those who disrupt the free flow of information in our society, or any other, pose a threat to our economy, our government and our civil society." She then said that the US is committed to helping people to circumvent government internet filtering.

About Tech Liberty

Tech Liberty is dedicated to protecting people’s rights in the areas of the Internet and technology. We make submissions on public policy, help to educate people about their rights, and defend those whose rights are being infringed.

Related Articles

Internet filtering frequently asked questions and answers - http://techliberty.org.nz/issues/internet-filtering/filtering-faq/

Why we oppose internet filtering - http://techliberty.org.nz/why-we-oppose-internet-filtering/

In a letter written on January the 20th, the DIA told us that they will be making an announcement regarding the implementation of the filter "in the near future". Well over a month later there has been no announcement.

The filter is already running

We now have new information from the Department that says that the filter is already running and that both Watchdog (since Feb 1st) and Maxnet (since Feb 26th) are already using it.

We can find nothing on their websites that announces this. And while Watchdog customers are paying for a filtered service, there is no sign on their website that Maxnet have told their customers that some of their internet traffic is being diverted through a government server.

Disappointment

We're disappointed that the government has started the roll out. We've written and linked to a number of articles that explain our opposition to internet filtering.

We're also disappointed with the way that the Department has sneaked the system into live usage without informing anyone.

It's not too late

While the roll out of the filter has started, it's still not too late to stop it. The Department will be contacting other ISPs and inviting them to sign up for the filter too.

Write to your ISP and tell them that you oppose government internet filtering. Tell them that you don't want them to use it. The more ISPs who don't use it, the more chance we have of the filter being closed down.

If you don't get a satisfactory answer from them, you might want to consider switching ISP. Orcon, Slingshot and Natcom have all said they won't be signing up for the government filtering system.

More information

See our internet filtering page for more information.