<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
		>
<channel>
	<title>Comments on: Guest article: Security risks of centralised filtering</title>
	<atom:link href="http://techliberty.org.nz/guest-security-risks-of-centralised-filtering/feed/" rel="self" type="application/rss+xml" />
	<link>http://techliberty.org.nz/guest-security-risks-of-centralised-filtering/</link>
	<description>Defending civil liberties in the digital age</description>
	<lastBuildDate>Sun, 29 Jan 2012 06:06:50 +0000</lastBuildDate>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
	<item>
		<title>By: Ben</title>
		<link>http://techliberty.org.nz/guest-security-risks-of-centralised-filtering/comment-page-1/#comment-2003</link>
		<dc:creator>Ben</dc:creator>
		<pubDate>Tue, 16 Mar 2010 05:46:45 +0000</pubDate>
		<guid isPermaLink="false">http://techliberty.org.nz/?p=545#comment-2003</guid>
		<description>In addition to this excellent article, I highly suggest reading this article (plus the two subsequent parts):

http://www.banthisurl.com/2008/12/exclusive-white-hat-hacker-tears-apart-flaws-in-aussie-net-filtering-scheme/</description>
		<content:encoded><![CDATA[<p>In addition to this excellent article, I highly suggest reading this article (plus the two subsequent parts):</p>
<p><a href="http://www.banthisurl.com/2008/12/exclusive-white-hat-hacker-tears-apart-flaws-in-aussie-net-filtering-scheme/" rel="nofollow">http://www.banthisurl.com/2008/12/exclusive-white-hat-hacker-tears-apart-flaws-in-aussie-net-filtering-scheme/</a></p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Matt P</title>
		<link>http://techliberty.org.nz/guest-security-risks-of-centralised-filtering/comment-page-1/#comment-1990</link>
		<dc:creator>Matt P</dc:creator>
		<pubDate>Tue, 16 Mar 2010 00:19:21 +0000</pubDate>
		<guid isPermaLink="false">http://techliberty.org.nz/?p=545#comment-1990</guid>
		<description>I&#039;m not sure why Joseph and Dipper&#039;s points are even relevant; it&#039;s nitpicking over the fleas on a dead dog. 

In the utility calculation of filter vs. no filter, the filter option introduces a plausible and potentially very severe weakness in exchange for...what, precisely? 

The feel-good sensation that comes from the nebulous &quot;protecting the children&quot; argument? 

There is no net benefit to filtering, and in exchange you get a very real weak point in national Internet capability. That&#039;s not a smart decision from any angle.</description>
		<content:encoded><![CDATA[<p>I&#8217;m not sure why Joseph and Dipper&#8217;s points are even relevant; it&#8217;s nitpicking over the fleas on a dead dog. </p>
<p>In the utility calculation of filter vs. no filter, the filter option introduces a plausible and potentially very severe weakness in exchange for&#8230;what, precisely? </p>
<p>The feel-good sensation that comes from the nebulous &#8220;protecting the children&#8221; argument? </p>
<p>There is no net benefit to filtering, and in exchange you get a very real weak point in national Internet capability. That&#8217;s not a smart decision from any angle.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Thomas Beagle</title>
		<link>http://techliberty.org.nz/guest-security-risks-of-centralised-filtering/comment-page-1/#comment-1977</link>
		<dc:creator>Thomas Beagle</dc:creator>
		<pubDate>Mon, 15 Mar 2010 18:23:10 +0000</pubDate>
		<guid isPermaLink="false">http://techliberty.org.nz/?p=545#comment-1977</guid>
		<description>Joseph - yes, the Pakistan problem was caused by human error. The DIA filter will also be run by humans.

Both Joseph and Dipper may want to consider that Gerard (and some of the people in Tech Liberty) are experienced system and network engineers who are well aware of the problems of running stable and secure IT systems.</description>
		<content:encoded><![CDATA[<p>Joseph &#8211; yes, the Pakistan problem was caused by human error. The DIA filter will also be run by humans.</p>
<p>Both Joseph and Dipper may want to consider that Gerard (and some of the people in Tech Liberty) are experienced system and network engineers who are well aware of the problems of running stable and secure IT systems.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Sam Sargeant</title>
		<link>http://techliberty.org.nz/guest-security-risks-of-centralised-filtering/comment-page-1/#comment-1966</link>
		<dc:creator>Sam Sargeant</dc:creator>
		<pubDate>Mon, 15 Mar 2010 12:14:58 +0000</pubDate>
		<guid isPermaLink="false">http://techliberty.org.nz/?p=545#comment-1966</guid>
		<description>Dipper; BGP can deal with specific addresses, and that&#039;s exactly how it works in this instance. The government filter advertises a single address (a /32 for you networking and security engineers out there) which ISPs then redirect down a tunnel to the filter system. There are around 7000 of these host-routes being used by the filter. I doubt anyone would notice an extra route being added to that list.</description>
		<content:encoded><![CDATA[<p>Dipper; BGP can deal with specific addresses, and that&#8217;s exactly how it works in this instance. The government filter advertises a single address (a /32 for you networking and security engineers out there) which ISPs then redirect down a tunnel to the filter system. There are around 7000 of these host-routes being used by the filter. I doubt anyone would notice an extra route being added to that list.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Dipper</title>
		<link>http://techliberty.org.nz/guest-security-risks-of-centralised-filtering/comment-page-1/#comment-1954</link>
		<dc:creator>Dipper</dc:creator>
		<pubDate>Mon, 15 Mar 2010 10:50:27 +0000</pubDate>
		<guid isPermaLink="false">http://techliberty.org.nz/?p=545#comment-1954</guid>
		<description>&quot; While we can expect the DIA to do their best to keep the system secure, we can hardly expect the Censorship unit to have the skills to do more than apply patches supplied by the vendor, and this will be a very tempting target for any number of malicious people.&quot;

Are you seriously suggesting that NZ networking and security engineers are a bunch of knuckle dragging morons?

I take umbrage at that suggestion, and at your article lacking in fact or accuracy.

The BGP routing tables do not work with specific IP addresses, it works with ranges of addresses for a start, which would make a malicious redirection very visible, if they managed that at all.

If the hackers can compromise the BGP and DNS servers then you would have had the crap long ago and without any filter systems.

I really do not think that your crims have been waiting in the background for the filter system to be introduced...

I concur with Joseph.</description>
		<content:encoded><![CDATA[<p>&#8221; While we can expect the DIA to do their best to keep the system secure, we can hardly expect the Censorship unit to have the skills to do more than apply patches supplied by the vendor, and this will be a very tempting target for any number of malicious people.&#8221;</p>
<p>Are you seriously suggesting that NZ networking and security engineers are a bunch of knuckle dragging morons?</p>
<p>I take umbrage at that suggestion, and at your article lacking in fact or accuracy.</p>
<p>The BGP routing tables do not work with specific IP addresses, it works with ranges of addresses for a start, which would make a malicious redirection very visible, if they managed that at all.</p>
<p>If the hackers can compromise the BGP and DNS servers then you would have had the crap long ago and without any filter systems.</p>
<p>I really do not think that your crims have been waiting in the background for the filter system to be introduced&#8230;</p>
<p>I concur with Joseph.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: joseph</title>
		<link>http://techliberty.org.nz/guest-security-risks-of-centralised-filtering/comment-page-1/#comment-1951</link>
		<dc:creator>joseph</dc:creator>
		<pubDate>Mon, 15 Mar 2010 04:39:20 +0000</pubDate>
		<guid isPermaLink="false">http://techliberty.org.nz/?p=545#comment-1951</guid>
		<description>as mentioned in other posts all government systems and all providers systems are tempting targets to l337 haxors.
therefore your document adds nothing to the argument.

The Pakistan incident was due to human error not system. Your statement the unit will only have the skill to apply patches. Let me ask you this do you only patch your http servers and leave it be after that or do you set up other systems to ensure that the entire system is safe. It would be pointless to set up a system any other way. These guys have been around for a while so I am sure they are aware of this.

you mention dns poisoning, which is used by other systems not the one the DIA are utilising.

You neglected to mention the benefits of BGP that both sides will have to limit their exposure to any potential breach, the same procedure put in place for most systems.

now to comment on the centralised statement, from my readings on this site and others the only centralised factor here is that it is the DIA that are running it. they have not commented on anything regarding the location or distribution of sites (from what I gather). so it is potentially de-centralized centralisation.

I had expected more from a NZNOG member.</description>
		<content:encoded><![CDATA[<p>as mentioned in other posts all government systems and all providers systems are tempting targets to l337 haxors.<br />
therefore your document adds nothing to the argument.</p>
<p>The Pakistan incident was due to human error not system. Your statement the unit will only have the skill to apply patches. Let me ask you this do you only patch your http servers and leave it be after that or do you set up other systems to ensure that the entire system is safe. It would be pointless to set up a system any other way. These guys have been around for a while so I am sure they are aware of this.</p>
<p>you mention dns poisoning, which is used by other systems not the one the DIA are utilising.</p>
<p>You neglected to mention the benefits of BGP that both sides will have to limit their exposure to any potential breach, the same procedure put in place for most systems.</p>
<p>now to comment on the centralised statement, from my readings on this site and others the only centralised factor here is that it is the DIA that are running it. they have not commented on anything regarding the location or distribution of sites (from what I gather). so it is potentially de-centralized centralisation.</p>
<p>I had expected more from a NZNOG member.</p>
]]></content:encoded>
	</item>
</channel>
</rss>

