[LINK] ALP Net censorship policy hidden, but alive and far-reaching

Rachel Polanskis grove at zeta.org.au
Wed Aug 18 23:15:28 AEST 2010

There is also SSH Tunneling, which is a more technical way of creating secure server connections, where you open a port on a remote server and channel it back to your local system on another port, such that it is all transmitted on SSH port 22.  For example, you could run a hidden webserver on a port 8080, open the ssh tunnel by connecting to the remote 
server with the option to forward the port via port 22.  On the local system, you request
a port that you point your webserver to, vis:

ssh -L 8080:some.remote.secrethost:80 some.remote.secrethost

or similar.   Now,  the implications of this are actually not often discussed.  For sysadmins,
this is a great way to access network services you have a remote login to, that permits you 
to create an SSH tunnel on a system with a service you may not typically have access to externally.  I use this all the time, to admin stuff inside of the network at work.  To the outside world, this just looks like an SSH connection that is not easy to snoop.  To someone who wanted to provide access to restricted or evil material, this would similarly be a method for them to do so, sending any kind of content over a secure network, with access possibly only on a subscription or invitation basis.  Without directly saying it, I am convinced that 
all kinds of evil activity is going on right under everyone's noses, using similar methods to carry 
content on otherwise benign ports.   It is also easy to obfuscate further, since SSH also allows
 the listen port to run on a different port to the default.  Imagine how easy it is to do this further,
with a simple script, that randomises the listen port to predictable values for the end user 
of the content.   All of what I am describing is perfectly legal and used every day by sysadmins 
around the world, to gain access to protected systems in a secure manner.   But it also has a side I believe is definely being used for various evil purposes, that I will not mention 
here.   Sorry if this sounds like a rant, but I have never really seen much discussion on link 
regarding these arcane methods of using the Internet.  There are practical purposes and 
evil capabilites running on any port you care to consider...
and sorry for the top posting - I do not know to sort this on an ipad yet!


rachel polanskis 
<r.polanskis at uws.edu.au> 
<grove at zeta.org.au>

On 18/08/2010, at 9:36 PM, Robin Whittle <rw at firstpr.com.au> wrote:

> Hi David,
> Thanks very much for pointing out that I had mistakenly described the
> ALP's mandatory ISP filtering policy as applying to R-rated material.
> You wrote:
>> The ALP is most definitely not a progressive party. It's a conservative party 
>> that grew out of a catholic, trade union background. It's just more progressive 
>> that the Liberal Party, which isn't hard, as even Menzies wouldn't recognise the 
>> party he created and is probably turning in his grave at what it's become.
> Yes, as one Link person mentioned to me off-list:
>  Our options are a bunch of pathological authoritarians or a
>  mob of myopic misers. Which is least unfit to govern is our
>  melancholy duty to decide on election day. Choose your poison.
> But now, on the Internet censorship issue, after what was apparently
> quite an argument, the genuinely liberal people within the Coalition
> won the debate.  So on this issue, the ALP is clearly to the right of
> the liberals in the Coalition - probably about as far right as the
> Coalition right-wingers, Family First and the DLP or whatever remains
> of them.
>> As for the internet filter, where is there something that says it will include 
>> R-rated content? Everything I've seen refers to RC content. The latest is at 
>> http://www.abc.net.au/news/stories/2010/08/17/2985789.htm.
> This is him just back-pedalling indicating the censorship won't be as
> bad as people fear, because there is going to be some new kind of the
> criteria for what is "RC".
> The authoritative source of the policy seems to be:
>  http://www.alp.org.au/federal-government/news/safer-internet-families/
> This mentioned RC material, as you mentioned - not R-rated.  There's
> no mention of what protocols the ISPs are supposed to filter.
> Presumably it is TCP port 80, which is used by most websites, since
> "http://xxx.yyy.zzz" tells the browser to open an HTTP session via
> TCP port 80.  However, "http://xxx.yyy.zzz:81" tells the browser to
> do the same using TCP port 81.  There are 65536 TCP ports, and a web
> server could use all, or almost all of them.  It is easy to configure
> web servers to respond to HTTP requests on multiple TCP ports, or a
> range of ports.  Various other TCP port numbers are traditionally
> used for other purposes:
>  http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers
> It is easy to make a web server respond on TCP port 30301, which is
> normally used for BitTorrent.  ISPs wouldn't want to have their
> filtering servers trawling through the vast volumes of BitTorrent
> packets, on the lookout for some which appear to be used to carry
> HTTP requests and responses.
> They can't very well block entire IP addresses, since a single web
> server machine on a single IP address could have dozens of websites
> on it, and only one of them might the one which runs foul of
> Australian Internet censorship rules.
> There's always HTTPS, of course, which has requests and responses
> fully encrypted so no filtering box can discern their contents, or
> change them - so the filtering server could only block this on an
> IP-address by IP-address basis.
> The page:
> http://www.dbcde.gov.au/online_safety_and_security/cybersafety_plan/internet_service_provider_isp_filtering
> talks about specifying the banning material by way of a URL, which
> seems to indicate they are thinking of web-browser protocols - HTTP
> and perhaps FTP.
> The filtering trial information:
> http://www.dbcde.gov.au/online_safety_and_security/cybersafety_plan/internet_service_provider_isp_filtering/isp_filtering_live_pilot
> indicates on page 7 that they only attempted to block "web"
> communications:
>    Telstra found its filtering solution was not effective in
>    the case of non-web based protocols such as instant messaging,
>    peer-to-peer or chat rooms. Enex confirms that this is also the
>    case for all filters presented in the pilot.
> Pages 8 and 9 don't mention specific protocols, but it is safe to
> assume they are dealing with HTTP, presumably on port 80.  The term
> "FTP" doesn't appear in the report, but it is possible to run a
> website over FTP, rather than HTTP - though not quite as efficiently
> and, I think, without many of the modern server-based conveniences.
> I guess that would be one easy way a web server could avoid the
> current filter.  However, then the web-server needs its own IP
> address, which they could catch with IP address blocking.
> Page 20 contains some details of the blacklists:
>   The ACMA blacklist does not simply include top level URLs.
>   It is, in fact, very granular and may specify detail right
>   down to a particular target within a site (e.g. the actual
>   page listed on a site). Other jurisdictions’ blacklists
>   (such as New Zealand’s) contain the top level URL only, so
>   everything hosted on that site is considered blacklisted.
> The detailed approach could turn into a vast list.  The approach
> which only works with the server's URL would be a blunter tool,
> requiring entire sites be blocked, if only a small fraction of the
> material at the site was intended to be blocked.  Pages are not
> necessarily static or on stable URLs so it would be easy for a site's
> operators to work around the relatively fixed nature of the detailed
> filtering.
> Telstra attempted filtering by doctoring their DNS resolver.  That is
> easy to get around - just configure the PC to use some other resolver.
> Page 22 indicates they want to ban particular pages on YouTube.  That
> will tangle them up in work in perpetuity, since new pages are added
> by users at a prodigious rate.  According to:
>  http://en.wikipedia.org/wiki/Blocking_of_YouTube
> Australia would then join Brazil, the China, Indonesia, Iran,
> Morocco, Pakistan, Tunisia, Turkey, Saudi Arabia, Syria, Thailand,
> and the United Arab Emirates.
> A non-authoritative estimate of the number of videos added per day is
> 200,000:
>  http://wiki.answers.com/Q/How_many_videos_are_there_on_YouTube
> Pages 25 and 26 mention 37 methods of circumvention, and the
> generally minimal ability of the filtering systems to prevent these
> from being successful.  "For public interest reasons" this taxpayer
> funded report doesn't mention the methods.
> Obviously if the user runs an encrypted VPN to a server not affected
> by Australian ISP filtering, they will be unaffected by the
> filtering.  A vibrant industry for these services would soon pop up
> if this censorship was ever implemented.
> The report doesn't mention the specific filtering software, servers
> etc. which were used, but it does give an overall description of
> various approaches:
>  Hybrid pass-by filtering:
>     Use BGP (router protocol) to force packets being sent to
>     particular IP addresses to a filtering device - and then have
>     the device try to sort out which HTTP requests are for banned
>     virtual web servers, or sections of banned virtual web sites,
>     which are using that IP address.
>     This reduces the load on the filtering boxes, since requests
>     to any IP address not associated with banned material does
>     not have to go through the filtering system.
>     This approach to blocking doesn't appear to involve the data
>     coming back from the remote server - it is just a method of
>     intercepting requests which in some way matches the blacklist.
>  Pass-through deep packet inspection
>     From the cursory description given I guess they are only looking
>     at requests, but they have to look at all requests, not just
>     a subset as with the first approach.
>  Filtering via a proxy server which handles all requests and
>  responses
>     It would be very expensive and potentially slow to have such
>     servers handling all request and response traffic.
>> Of course, you can vote for whoever you like Robin, but voting for the Coalition 
>> also supports a broadband network that is adequate for today, but most 
>> definitely not for tomorrow.
> It would be great if we could have the NBN, but we can't without
> spending far more than $43B.  I think the ALP has been smoking
> loco-weed or reading Eckhart Tolle to seriously propose, and now
> start work on, a massive IT / physical infrastructure project like
> this without any proper planning or cost-benefit analysis.
> If you believe Senator Conroy, this NBN is going to provide 1Gbps to
> each home.  Yet GPON (the technology chosen for the NBN) has 2.4Gbps
> downstream, to be shared between 32 or 64 homes.
> The whole thing is so unprofessional and amateurish.
> If you believe the ALP, all this will cost the user $30 a month.  Yet
> how can an ISP even run their filtering system on such large volumes
> of requests or responses for that?  Let alone source data over the
> Pacific link from the USA?
> I don't understand how anyone can regard this project as realistic.
> The kindest thing you can do for the ALP is vote them out of office,
> so the NBN is closed down ASAP.  If this doesn't happen, the NBN will
> be a millstone around the ALP's neck - and would be remembered for
> decades as a glaring example of Labor empire building, wishful
> thinking, grandiosity etc.
> IT projects have a terrible habit of going over-budget and
> over-deadline.  This is a huge IT project with a physical footprint
> far more extensive and labour-intensive than any other IT project in
> the world.  Can anyone think of such an extensive plan?  Fibre to 10M
> homes, offices etc.?
> This NBN project didn't even have any planning or due diligence, so
> it hasn't a chance of turning out as the ALP plan.  Its our money
> they are doing this with - it is not money pooped out by magic from
> some fantastical bird.
> The most important thing is to have permanent Internet connectivity -
> via whatever means which doesn't involve phone calls.  DSL, 3G
> wireless and for the truly remote, geostationary satellite are all fine.
> The benefit of fibre is to allow 10Mbps and perhaps 100Mbps
> downstream, with somewhat lower upstream rates, which wireless and
> satellite can't do.  That is only of benefit to most people if they
> watching videos - or perhaps if they are generating video material in
> real-time for sale.  I think the e-health stuff, with specialists
> examining patients via high quality video link is primarily BS.
> Voting for the ALP won't make the NBN come true.  The costs of
> running all that fibre all over the country, with new ducting,
> directional boring etc. installing fibre to homes and inside the
> homes etc. are way beyond $4000 a home.  Most homes don't want or
> need the speed, so the whole thing would be built, and the take-up
> would be relatively small if not for the government's
> anti-competitive actions of forcing (with taxpayer funded payment)
> Telstra to abandon its copper network wherever the NBN is installed,
> and to not allow its HFC system to be used for Internet access.
> I wish we could all have Gigabit fibre.  But we can't without far
> more expense than the country can bear.  Even if we had the money, I
> would argue most of it best spent not on video-speed broadband, but
> on education, preventive health, health in general and especially to
> develop and install vast systems of overnight heat-storage, 24 hour a
> day generating, solar thermal power stations.  That is the only hope
> we have of reducing our very high carbon-dioxide output.  A look at a
> global chart of insolation:
>  http://en.wikipedia.org/wiki/File:Insolation.png
> shows that Central and Northern Australia is the best place for solar
> power, short of the Sahara and the Arabian Peninsula.
> I will post corrections to what I wrote on these ALP pages:
> http://alp.org.au/blogs/alp-blog/july-2010/together,-let-s-move-australia-forward/
> http://www.alp.org.au/blogs/alp-blog/august-2010/help-spread-the-facts---national-broadband-network/
> about my "R rated or beyond" mistake.  But please check the quotes I
> point to in my previous message.  They are here:
> http://mailman.anu.edu.au/pipermail/link/2010-August/089091.html
> and indicate that Craig Emerson intends mandatory filtering to
> protect children from seeing things they shouldn't.  Both he and the
> PM refer to preventing people seeing things which are "wrong".
> Indeed it is a conservative, socially controlling, party.
> Below is the correction I posted to one page.  I posted a brief
> correction to the other page, with a link to the first.
>  - Robin
> I was mistaken to state that the ALP Internet censorship policy
> applies to R-rated material.  It applies to "Refused Classification"
> (RC) material
> (http://www.ag.gov.au/www/agd/agd.nsf/Page/Classificationpolicy_Classificationlegislation),
> the full description of which is too long to quote here.  The RC
> criteria includes "Detailed instruction or promotion in matters of
> crime or violence." - which would seem to include military,
> self-defence or boxing instructions.
> So if there is a discussion forum on euthanasia, and someone posts
> instructions to it on how to commit suicide, then the forum could be
> classified RC, with the result that all ISPs would be required to
> block access to the forum.   Likewise any generally non-RC site which
> someone contains even a little RC material.
> The ALP's policy has changed quite a lot, as Irene Graham points out:
> http://mailman.anu.edu.au/pipermail/link/2010-August/089117.html .
> She wrote: "From mid 2008 to mid Dec 2009, there was absolutely no
> doubt that the ALP's policy plan was to mandatorily require ISPs to
> block adults' access to some MA15+, and all R18+ and X18+ material."
> - which is the source of my mistake.
> Internet communications involve much more than the equivalent of
> watching movies or reading magazines.  The Net supports two-way and
> group discussions of all sorts of matters, privately and in public.
> Government's don't usually regulate private conversations, including
> those which take place by phone or by letters in the postal system.
> The Net is like the postal system - extremely flexible and used for
> all sorts of public and private purposes, far more than any one
> person or organisation could understand or anticipate.
> The trial of the filtering system worked only with websites (HTTP and
> HTTPS).  However there's nothing in the ALP's policy which limits it
> to HTTP traffic.  The policy could just as easily be applied to FTP,
> streaming media, peer-to-peer file sharing, instant messenger, email
> and voice and video conferencing.
> So many of our important private, group and public discussion occur
> via the Net.  We shouldn't vote in a party with a policy of censoring
> our Internet communications.
> _______________________________________________
> Link mailing list
> Link at mailman.anu.edu.au
> http://mailman.anu.edu.au/mailman/listinfo/link

More information about the Link mailing list