blocking

  • Belgium intends to block childporn at the dns level

    Reguarl readers of this blog will know by now that we use blocking on a temporary basis as a first-time defense (among others) but that we know that it is not a Global a permanent solution and that it is very difficult and intensive to block things at that level ) surely when you try to do it for a whole population and as an obligation.

    They are interested in an Norwegian systems that is being used in several other European countries and that is being used to block childporn and maybe phishing servers. THe workgroup that is being led by Mr Beirens from the Federal Computer Crime Unit hasn't finished her work yet so there is nothing concrete yet, put the ISP's seem to be in favor of this system.

    So lets have a good critical look at it.

    First it is a DNS based system so it is based upon the DNS servers of the ISP. If they are the blockers, you should investigate the ways you can circumvent that filter.

    * you use Googlecache or Googletranslate to get to the domain

    * you use tor to get to the domain

    * you just type in the IP address

    * you use a proxy or redirect service to get to the name

    * how would you tackle childporn and other sites that are being hosted by botnets that are working with fast flux dns networks (in which the name of the site where you access the files changes nearly everytime because it is being hosted on for example 1000 sites (even if they only have a redirect service running))

    The Australians are testing a national internet filter service and some students have proven that they could bypass it very easily.

    Another problem is that many of the phishing files are hosted on cracked/hacked hosts. What are you going to do if a page on a normal website has been blocked ? Block the whole site or just the page(s) and for how long.  Normal porno galleries are for the moment also infected with less than 16 files and another problem is that the legal minimum for age for consensual sex is not the same over the world.

    Second problem is who are you going to block ? They are speaking about a blacklist that the FCCU has rassembled over the years. This is a minimum but won't have much lasting effect. If you want to attack child porn (if you arrive at a definition of that) and phishing (that make their money in the first 4 hours that such a site is up) than you have to do it in an effecitve way. 

    Third problem is that it ain't clear who is going to decide on the list. Some think that the justice department should be involved, others think that the FCCU alone should take the decision based upon 'sufficient proof'. But how can the FCCU do it when they are already totally understaffed ? THis is a permament 24h fulltime job for some people. The underground web moves fast so if you are working on normal working  hours you are leaving to much time open as a 'window of vulnerability'.

    Fourth problem is how will you get the democratic debate and oversight organised and how will you prevent mission creep that will involve other kinds of sites that were not targeted in the first place.

    Fifth problem is that you are going to block one category of sites because they are illegal, but P2P sites to name another category are also illegal. So why would you block one category and not another ? And gambling and betting sites ? And online pharmacy sites that aren't certified ? And illegal passports and offshores sites ? Why only chose those categories that are only touching a marginal public and are so outrageous that you can get it past the press and the parliament ? What will happen when for example someone asks the court that the system would also be used to block P2P sites or gambling sites because they are also illegal ? How could a court refuse that ? I understand that you don't tell this because there are many more people in Belgium doing P2P than childporn, but in the end you know you will arrive at a Chinese wall situation.

    You should also understand that when you create a wall like that hackers and others will have to subvert sites and systems inside the wall to distribute their material and that you should be sure to have a cert and a good information policy because the number of attacks against your internal systems can be greater.

    Alternatives

    * We like the system from http://www.Opendns.com  because it combines listings that are permanently updated from several sources. If I was an ISP it would chose some of my DNS servers to use their service and I would propose my clients to use voluntary a malware filtering DNS service. I think this would be a great business proposal but also something that many of your customers would appreciate. You could even organise it that if you want to do ebusiness or ebanking you are obliged to pass through opendns.com so that the chance you arrive at a phishing site is limited.

    The FCCU could add their listings to this index if these aren't already in it. Why not do the right thing and put your information and listing at the disposal of the whole community as the community is doing with opendns.com (through http://www.phishtank.com    and others) If the community and checkers agree that the listings are correct, they will be added.  And that goes faster than through the justice department.

    * There are other international agreedupon listings of childporn and other listings that could be used by ISP's or the police to block.

    * Make first a take-down agreement with the local ISP's like they have in Holland. This way some hacked websites that are being used for phishing and other illegal stuff can be taken down easily even if the administrative process may take longer afterwards.

    we will come back soon