Australian Networks Block Community University Website
Peter Eckersley writes "At the EFF we were recently contacted by the organisers of the Melbourne Free University (MFU), an Australian community education group, whose website had been unreachable from a number of Australian ISPs since the 4th of April. It turns out that the IP address of MFU's virtual host has been black-holed by several Australian networks; there is suggestive but not conclusive evidence that this is a result of some sort of government request or order. It is possible that MFU and 1200 other sites that use that IP address are the victims of a block that was put in place for some other reason. Further technical analysis and commentary is in our blog post."
Re:Seems legit (Score:5, Insightful)
I love the assumption that the whole world has a DMCA just because you do...
Re: (Score:2, Insightful)
With the US exporting these laws and forcing trade partners to adopt them it's getting there.
This was exported to Australia years ago. America has been doing this for some time, and with lots of other countries, essentially over-riding the citizens in favor of their interests.
Do you even pay attention to the stories around here?
Re: (Score:2)
Australian checking in. Yes, they raid our universities to find kids breaching copyright, so we have US DMCA influence. What better way to deal with crime than to make studying even more difficult to afford...
Maybe (Score:2)
this has more to do with politicians finding out that they have the following kind of lectures online and simply want to shut this kind of thing down before students actually get educated:
"Aurélien Mondon, Do people really want what politicians are offering?, The National Times, 8 July 2010,[6]"
Re: (Score:2)
Rats!
Re: (Score:1)
Bogans. Lots and lots of bogans.
Re:Seems legit (Score:5, Insightful)
With the US exporting these laws
Well, something had to replace manufacturing!
Re: (Score:2)
Re:Seems legit (Score:4, Informative)
Actually, it more-or-less does, at least where Title 1 is concerned. The DMCA itself is just the US's implementation of requirements agreed to internationally in a 1996 WIPO treaty, in which signatories agreed to pass laws criminalising circumvention of copyright protection technology. Similar laws exist in Europe (via national implementations of the European Union Copyright Directive), Canada, Australia, and much of the rest of the world. WIPO is a big organisation.
The notice-and-takedown provisions (Title 2) were not, AFAIK, required by any WIPO agreement and as such are not so universal outside of the US.
Re:Seems legit (Score:5, Informative)
They are present in the US-Australia Free Trade Agreement, Article 17.11 [dfat.gov.au]. Curious how much of that document is about restrictions and not freedom.
Re: (Score:2)
This is how IP laws keep growing.
Every time 2 countries decide to "rationalize" their IP laws, they add their restrictions together, instead of compromising. You tend to end up with the longest term, the lowest bar, and the heaviest penalties.
Re: (Score:1)
I love the assumption that the whole world has a DMCA just because you do...
The DMCA was just the U.S. enactment of the WIPO Copyright Treaty [wikipedia.org], which was also enacted in Australia in 2007. So, yes, the world DOES, in fact, have a DMCA (or at least a good portion [wipo.int] of the world).
Re: (Score:2)
Julia? Is that you?
Did anyone believe this law would not be abused? (Score:3)
Re:Did anyone believe this law would not be abused (Score:5, Insightful)
Sadly, it doesn't even need to be maliciously abused ... just incompetently written and ineptly applied.
Like all laws applying to technology, the people writing them are usually incapable of understanding all of the side effects. So they get passed, and applied as written, which has the unfortunate effect of breaking lots of legitimate things.
If there's 1200 sites sharing that IP address, but they block all of them based on a single complaint, these fall into the category of collateral damage.
Sadly, I'm betting someone made an effort to point this potential out to them and got ignored.
Re:Did anyone believe this law would not be abused (Score:5, Insightful)
I guess a major part of the problem might be that there is no penalty for blocking too much. If there is a penalty for blocking too little but none for blocking too much, then there is little incentive to do accurate filtering. A discussion about whether blocking would have been appropriate in this case, had it been more accurately targeted, seems pointless, since we don't even know what content triggered the blocking. And that may actually be the largest problem with this sort of blocking.
Some do see it as a benefit though. How often has some country blocked the world's largest sites on the excuse that one page on each site is offending their religion? The more coarse grained your filtering is, the easier it is to conceal what you were really aiming to censor and the easier it is to find a plausible excuse for applying the filter in the first place. A civilized country shouldn't accept censorship, and especially not when it comes with such collateral damage. I don't believe there exists a problem in this world for which censorship is the best solution.
Re: (Score:2)
I guess a major part of the problem might be, that there is no penalty for blocking too much.
Did you miss that this block is on one IP address? That there are 1215 virtual hosts running at this one address? How can you block less than one IP address at a router? You'd have to do deep enough packet inspection to look at the virtual hostname header in any HTTP request, and the RCPT TO in any SMTP transaction. Should there be packet filtering at that level?
since we don't even know what content triggered the blocking. And that may actually be the largest problem with this sort of blocking.
That's right, we don't know which of the 1215 domain names hosted the content that justified the block. But we can know that the fact that YOU pe
Re: (Score:2)
Re: (Score:2)
I don't know if it's just you, but to me it sounds like a reason for governments to discourage IPv6. The way it is now they don't need to reveal which of those sites they really wanted to block, which means any fabricated story will work.
Re: (Score:2)
Re: (Score:2)
I for one never liked name based vhosts. I have started moving my own domains to IP based vhosts on IPv6. I still have one IPv4 address with name based vhosts for those users who don't have IPv6 yet. Configuring a vhost such that it was name based when accessed over IPv4 and IP based when accessed over IPv6 was slightly tricky. But I got it working.
I do like the idea of using this as an argument for deploying IPv6. Eve
Re: (Score:1)
Should there be packet filtering at that level?
Hell yes. It's not that hard.
Re: (Score:2)
No.
No.
If you can implement blocking which only blocks content found to be illegal by a court of law, then that is fine. But accepting any collateral damage and accepting any blocking without the content being found illegal by a court of law is just wrong. What I am saying is, stop doing filtering, and go for the root of the problem.
Re: (Score:2)
As a firewall administrator, unless I am being attacked from a specific IP, I will block hostname in preference to IP precisely because of this sort of problem.
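The granularity difference argued over in this thread (dropping by destination address versus matching the HTTP Host header or the SMTP RCPT TO domain), as an added example that is not part of any comment here. The shared address, hostnames and payloads are constructed, and all function names are hypothetical.

```python
import re

# Constructed data: unrelated sites sharing one address (RFC 5737 test range).
SHARED_IP = "203.0.113.10"
BLOCKED_IPS = {SHARED_IP}            # coarse rule: drop everything to the address
BLOCKED_NAMES = {"flagged.example"}  # fine rule: drop only the named virtual host

RCPT_RE = re.compile(rb"^RCPT TO:\s*<[^>@]*@([^>\s]+)>", re.I | re.M)


def http_host(payload):
    """Lower-cased Host header of a cleartext HTTP/1.x request, or None."""
    head = payload.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            host = value.strip().lower()
            if not host.startswith("["):         # keep bracketed IPv6 literals
                host = host.split(":", 1)[0]     # drop an optional :port
            return host.rstrip(".") or None
    return None


def names_in_flow(dst_port, payload):
    """Hostnames a middlebox can read from the first client bytes."""
    if dst_port == 25:
        return {d.decode("latin-1").lower().rstrip(".")
                for d in RCPT_RE.findall(payload)}
    host = http_host(payload)
    return {host} if host else set()


def verdict_by_ip(dst_ip):
    return "drop" if dst_ip in BLOCKED_IPS else "pass"


def verdict_by_name(dst_port, payload):
    # No readable name (e.g. encrypted payload) means nothing to match: pass.
    return "drop" if names_in_flow(dst_port, payload) & BLOCKED_NAMES else "pass"


# Constructed first-flight payloads, all addressed to the shared IP.
FLOWS = [
    (80, b"GET / HTTP/1.1\r\nHost: community-uni.example\r\n\r\n"),
    (80, b"GET /x HTTP/1.1\r\nhost: Flagged.Example:80\r\n\r\n"),
    (25, b"MAIL FROM:<a@sender.example>\r\nRCPT TO:<info@community-uni.example>\r\n"),
]


def compare(flows=FLOWS):
    """(IP-rule verdict, name-rule verdict) for each flow."""
    return [(verdict_by_ip(SHARED_IP), verdict_by_name(p, d)) for p, d in flows]


if __name__ == "__main__":
    for row in compare():
        print(row)
```

The address rule drops all three flows, while the name rule drops only the request for the flagged virtual host; the name rule sees nothing to match once the payload is encrypted.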
Re: (Score:2)
That statement makes no sense to me. The only sort of attack mentioned in the story is the DoS attack performed by another network blocking legitimate packets. There is no additional blocking that the server administrator could perform to solve that. And even if the server was under some other kind of attack (such as flooding), the only hostnames pot
Re: (Score:2)
That's right, we don't know which of the 1215 domain names hosted the content that justified the block.
Which, really, is irrelevant. I see 1214 domains ripe for a class action lawsuit, possibly with slander/libel/restraint of trade/... mixed in. If each (or just a lot) of them ponied up $100 down payment (plus kickstarter?), that'd keep a lawyer going for a while.
Re:Did anyone believe this law would not be abused (Score:4, Interesting)
Completely off-topic question regarding your sig:
Do you care about the security of your wireless mouse?
Did you ever solve your mousey dilemma? If not, Bluetooth v2.1 solves it by default (if you're careful about avoiding interception during the pairing process.) The bigger question is how you determine which version of Bluetooth stack a vendor's mouse supports?
Re: (Score:2)
On my desktop computer I got a keyboard with a USB hub. A cable between keyboard and mouse is slightly less annoying than a cable from the mouse to the computer. On my laptop I am just using a trackpad. With training I have gotten more used to trackpads, and when I am travelling with my laptop, I often use it without access to a flat surface where I can put the mouse.
I'd still like a wireless mouse with strong cryptography and key exchange while it is charging. I th
Re: (Score:2)
Bluetooth v2.1 security is likely more than adequate for your requirements.
The risk of key interception occurs only once, during pairing, and you can mitigate that by pairing the devices in a Faraday cage or in a remote field, and never pairing them again without taking similar precautions. The E0 algorithm used as the stream cipher to carry the data has a couple of published weaknesses, all of which require substantially more data than is allowed in a single Bluetooth session, so decryption is still not p
Re: (Score:2)
You are assuming cryptography is all about protecting the confidentiality of data. That is a common mistake to make. But in this particular case I did point out in my initial post that authenticity is also important. In fact in most cases authenticity and integrity of the data are more important than confidentiality.
Instead of asking what you can le
Re: (Score:2)
And this kind of application is just what is needed to bring the issue to the attention of the public at large.
Re: (Score:3, Informative)
Yes, there is. The ACMA maintains a (secret) black-list of domain names and IP addresses which contains "prohibited content" which is used in filtering software. Some ISPs voluntarily use that list to block access.
The ACMA's secret blacklist has leaked on at least one occasion in the past.
In Nov last year, the Australian Federal Police started sending mandatory block notices to ISPs.
more info here:
http://www.acma.gov.au/scripts/nc.dll?WEB/STANDARD/1001/pc=PC_90102 [acma.gov.au]
http://en.wikipedia.org/wiki/Internet_cens [wikipedia.org]
Re: (Score:1)
I don't think the internet filter laws got passed. I thought the ISPs jumped in and said they would voluntarily use the Interpol Worst of list [interpol.int]. I think the compromise seems reasonable. If the list is abused then it can be voluntarily not used. To be on the list you need to host porn of kids that are under 13 and this needs to be verified by multiple member countries.
I'm guessing that this has been implemented as a BGP blackhole list from TFA. An easy way for the ISP to go. They will already be running bl
Synopsis: Arms Waving In The Air (Score:2, Insightful)
A site is blocked by various ISPs. Nobody knows for sure why. Some would like to pose the situation as a government conspiracy, or at least an example of why new regulations requiring ISPs to block certain sites is bad.
No one really knows what's going on, least of all the author. There's lots of hand waving and half hearted finger pointing.
Rabble unite?
Re: (Score:2)
Oh, stop being boring.
Re: (Score:1)
My DNS had been shit too lately. Bloody feds. *shakes fist*
Re: (Score:1)
primary: 8.8.8.8
secondary: 8.8.4.4
Re: (Score:1)
google also has dns servers in australia as of early 2012, so the problem of stuffing up akamai download efficiency is now mostly moot in australia
Re: (Score:1)
well, mostly moot
Re: (Score:3)
If it's blocked by one ISP, you can blame a mistake. If it's blocked by many ISPs, then the directive must have come from somewhere. I can only see three classes of organisation that could have the power to issue a block order:
1. Government.
2. Whatever organisation supplies Australian ISPs with the list of child porn sites to block. Wouldn't be the first time - remember when all major ISPs in the UK filtered Wikipedia, because our national blocklist provider decided an album cover was child porn?
3. A copyri
Re: (Score:2)
If it's blocked by one ISP, you can blame a mistake. If it's blocked by many ISPs, then the directive must have come from somewhere
Yeah, like BGP maybe?
No issue getting to the site from my Australian ISP..
Re: (Score:2)
You're on internode or iinet I take it?
They really don't want a filter and refused to implement one.
Re: (Score:2)
Oh yeah, I'd forgotten Telstra and Optus had opted to voluntarily take a list of child abuse websites and block them.
If that's what it's about, then IP is the only way to be sure. You can't expect paedos to be stopped by DNS/name filtering.
Re: (Score:2)
My work is through Optus, can access the MFU site fine at this time.
Re: (Score:2)
You're on internode or iinet I take it?
They really don't want a filter and refused to implement one.
That's why I switched :D (that and sending my browsing history to a US company)... burn in hell Telstra!
Re: (Score:2)
burn in hell Telstra!
I don't think they would make it through customs.
Some things are just too much for hell
Hmmm... which one is more likely? (Score:5, Interesting)
Hmmm... which is more likely? An utterly inoffensive group providing free education materials on the internet is the victim of a shadowy government conspiracy, or that one of the 1,200 other sites on the same IP did something sufficiently stupid as to attract govt. attention.
I know that the summary and the article both mention that the latter is a possibility, but the headline, summary, and article, are all written as if the most likely possibility was that MFU was targeted directly.
I suspect that the ISP got a request from somebody about one of the hosted sites doing something very naughty, and the person whose job it was to pay attention to such requests didn't get them or ignored them, so an IP block was the next step.
Re:Hmmm... which one is more likely? (Score:5, Informative)
That's what I was thinking, too.
1,200 websites on one IP address? Looking at the list, I see things that are obviously gambling websites. The IP is held by a US-based hosting company (DimeNOC). I understand that yes, this is suspicious, but with 1,199 other potential causes for black holing an IP address, I'm not convinced that MFU caused government to impose a black hole request on an arbitrary (and, if summary is to be believed, incomplete) set of ISPs.
Re:Hmmm... which one is more likely? (Score:5, Informative)
Well, there you go then; they didn't do their homework or were so desperate to save a buck or two they didn't care about their ISP's reputation. If you chose a cheap hosting deal on an ISP with a reputation for hosting spam, botnet controllers and other such sites while exercising an exceedingly lax attitude to abuse reports, you can expect to have the odd issue like this. You get what you pay for applies to ISPs too - big surprise!
FWIW, DimeNOC is null routed here too, has been for some time, and is unlikely to be unblocked anytime soon. No conspiracy required; the only traffic we ever saw coming from their IP space was spam, malicious or both, so dropping it at the border was a no brainer.
Re: (Score:1)
jihadi
What's the bet that both of our IP addresses have now been added to a US national security blacklist and our posts recorded in the Utah data center.
Re: (Score:2)
Don't forget that if it's like most community colleges the IP address was probably blacklisted due to DDOS attacks originating from infected campus computers.
I know I had to deal with DDOS attacks from computer labs at my university. My
Re: (Score:2)
Yay Australia (Score:1, Troll)
Aren't I glad I left you.
Re: (Score:1)
Don't come back you cock-gobbling twat.
-Australia
Re: (Score:2)
Julia? Is that you?
What, slashdot? This exact comment has already been posted? Kind of the point...
Re: (Score:1)
so you're not tony abbott then
Re: (Score:2)
Re: (Score:1)
you are no doubt correct, but i'm sure he could use his taxpayer funded secretary to do it for him
Thank me (Score:2, Informative)
Hi. Stephen Conroy here. Labor party member. You morons need to know that when we, the government, block sites, it's for your own good. Sure, we don't tell you about it, and we've probably blocked things like a dentist's website, but really, what about the children?
IPv6? (Score:2)
I'm guessing IPv6 eliminates any need to share IP addresses? Or are there remaining technical reasons to do so? (I'm guessing a server class physical machine can host 1200 unrelated IPv6 addresses)
Re: (Score:2)
I hope this will be true. I dislike all the workarounds applied to stretch the supply of IPv4 addresses, and I dislike name based vhosts. I'd like to see HTTP 2.0 make both of those go away, and replace it with proper IPv6 setups.
Re: (Score:2)
There are technical reasons why you might want to share an IPv6 address between multiple websites. But those technical reasons can be addressed.
If we assume a webserver is hosting 1200 domains, what would happen if it was assigned a different IPv6 address for each of those domains? The answer depends on which technical solution you choose in order to do that.
The typical approach is that all of
Dark clouds on the horizon (Score:2)
Bring on IPv6.
Re: (Score:1)
Other sites on that IP (Score:1)
Re: (Score:2)
Well, that is handy. The number of .au sites is quite surprising; surely other site owners would have noticed this block as well.
Optus looks fine, AAPT probably not (Score:2)
I'm using Exetel which is a small ISP that relies on some of the much larger ISPs for infrastructure. My particular plan routes data via Optus, whereas the Exetel example given by the EFF blog post is by someone using a plan routed via AAPT. I can access the website without issue. iiNet at work is also fine.
I suspect this is not a request by the government to ISPs to block a particular site, mainly because I've read that Optus was happy to voluntarily block content - and they're not doing it. Not yet, at le