
Australian Networks Block Community University Website 97

Posted by timothy
from the you-cannot-read-this-error-message dept.
Peter Eckersley writes "At the EFF we were recently contacted by the organisers of the Melbourne Free University (MFU), an Australian community education group, whose website had been unreachable from a number of Australian ISPs since the 4th of April. It turns out that the IP address of MFU's virtual host has been black-holed by several Australian networks; there is suggestive but not conclusive evidence that this is a result of some sort of government request or order. It is possible that MFU and 1200 other sites that use that IP address are the victims of a block that was put in place for some other reason. Further technical analysis and commentary is in our blog post."
  • by kawabago (551139) on Thursday April 11, 2013 @02:44PM (#43425875)
    Next will be political web sites. What government wouldn't exercise the power to remove a critical opposition web site from the internet just before an election?
    • by gstoddart (321705) on Thursday April 11, 2013 @03:00PM (#43426047) Homepage

      Sadly, it doesn't even need to be maliciously abused ... just incompetently written and ineptly applied.

      Like all laws applying to technology, the people writing them are usually incapable of understanding all of the side effects. So they get passed, and applied as written, which has the unfortunate effect of breaking lots of legitimate things.

      If there's 1200 sites sharing that IP address, but they block all of them based on a single complaint, these fall into the category of collateral damage.

      Sadly, I'm betting someone made an effort to point this potential out to them and got ignored.

      • by kasperd (592156) on Thursday April 11, 2013 @03:21PM (#43426279) Homepage Journal

        If there's 1200 sites sharing that IP address, but they block all of them based on a single complaint, these fall into the category of collateral damage.

        I guess a major part of the problem might be, that there is no penalty for blocking too much. If there is a penalty for blocking too little but none for blocking too much, then there is little incentive to do accurate filtering. A discussion about whether blocking would have been appropriate in this case, had it been more accurately targeted, seems pointless, since we don't even know what content triggered the blocking. And that may actually be the largest problem with this sort of blocking.

        Some do see it as a benefit though. How often has some country blocked the world's largest sites on the excuse that one page on each site is offending their religion? The more coarse-grained your filtering is, the easier it is to conceal what you were really aiming to censor and the easier it is to find a plausible excuse for applying the filter in the first place. A civilized country shouldn't accept censorship, and especially not when it comes with such collateral damage. I don't believe there exists a problem in this world for which censorship is the best solution.

        • by Obfuscant (592200)

          I guess a major part of the problem might be, that there is no penalty for blocking too much.

          Did you miss that this block is on one IP address? That there are 1215 virtual hosts running at this one address? How can you block less than one IP address at a router? You'd have to do deep enough packet inspection to look at the virtual hostname header in any HTTP request, and the RCPT TO in any SMTP transaction. Should there be packet filtering at that level?

          since we don't even know what content triggered the blocking. And that may actually be the largest problem with this sort of blocking.

          That's right, we don't know which of the 1215 domain names hosted the content that justified the block. But we can know that the fact that YOU pe

          • Is it just me, or does this sound like the perfect motivation for governments to encourage IPv6 adoption?
            • by HiThere (15173)

              I don't know if it's just you, but to me it sounds like a reason for governments to discourage IPv6. The way it is now they don't need to reveal which of those sites they really wanted to block, which means any fabricated story will work.

              • Good point. I was thinking that they could block sites without nearly as much backlash if there weren't many other sites blocked as collateral damage.
            • by kasperd (592156)

              does this sound like the perfect motivation for governments to encourage IPv6 adoption?

              I for one never liked name based vhosts. I have started moving my own domains to IP based vhosts on IPv6. I still have one IPv4 address with name based vhosts for those users who don't have IPv6 yet. Configuring a vhost such that it was name based when accessed over IPv4 and IP based when accessed over IPv6 was slightly tricky. But I got it working.

              I do like the idea of using this as an argument for deploying IPv6. Eve

          • by tibit (1762298)

            Should there be packet filtering at that level?

            Hell yes. It's not that hard.

          • by kasperd (592156)

            Did you miss that this block is on one IP address?

            No.

            Should there be packet filtering at that level?

            No.

            If you can implement blocking which only blocks content found to be illegal by a court of law, then that is fine. But accepting any collateral damage and accepting any blocking without the content being found illegal by a court of law is just wrong. What I am saying is, stop doing filtering, and go for the root of the problem.

            But we can know that the fact that YOU personally don't know what the content

          • As a firewall administrator, unless I am being attacked from a specific IP, I will block hostname in preference to IP precisely because of this sort of problem.

            • by kasperd (592156)

              As a firewall administrator, unless I am being attacked from a specific IP, I will block hostname in preference to IP precisely because of this sort of problem.

              That statement makes no sense to me. The only sort of attack mentioned in the story is the DoS attack performed by another network blocking legitimate packets. There is no additional blocking that the server administrator could perform to solve that. And even if the server was under some other kind of attack (such as flooding), the only hostnames pot

          • by tqk (413719)

            That's right, we don't know which of the 1215 domain names hosted the content that justified the block.

            Which, really, is irrelevant. I see 1214 domains ripe for a class action lawsuit, possibly with slander/libel/restraint of trade/... mixed in. If each (or just a lot) of them ponied up $100 down payment (plus kickstarter?), that'd keep a lawyer going for a while.

        • by plover (150551) on Thursday April 11, 2013 @05:43PM (#43427959) Homepage Journal

          Completely off-topic question regarding your sig:

          Do you care about the security of your wireless mouse?

          Did you ever solve your mousey dilemma? If not, Bluetooth v2.1 solves it by default (if you're careful about avoiding interception during the pairing process.) The bigger question is how you determine which version of Bluetooth stack a vendor's mouse supports?

          • by kasperd (592156)

            Did you ever solve your mousey dilemma?

            On my desktop computer I got a keyboard with a USB hub. A cable between keyboard and mouse is slightly less annoying than a cable from the mouse to the computer. On my laptop I am just using a trackpad. With training I have gotten more used to trackpads, and when I am travelling with my laptop, I often use it without access to a flat surface where I can put the mouse.

            I'd still like a wireless mouse with strong cryptography and key exchange while it is charging. I th

            • by plover (150551)

              Bluetooth v2.1 security is likely more than adequate for your requirements.

              The risk of key interception occurs only once, during pairing, and you can mitigate that by pairing the devices in a Faraday cage or in a remote field, and never pairing them again without taking similar precautions. The E0 algorithm used as the stream cipher to carry the data has a couple of published weaknesses, all of which require substantially more data than is allowed in a single Bluetooth session, so decryption is still not p

              • by kasperd (592156)

                And all of this desire for security is based on your suspicion that an eavesdropper could glean information that would harm you from just your mouse movements

                You are assuming cryptography is all about protecting the confidentiality of data. That is a common mistake to make. But in this particular case I did point out in my initial post that authenticity is also important. In fact in most cases authenticity and integrity of the data are more important than confidentiality.

                Instead of asking what you can le

      • by whoever57 (658626)

        Sadly, it doesn't even need to be maliciously abused ... just incompetently written and ineptly applied.

        And this kind of application is just what is needed to bring the issue to the attention of the public at large.

    • by samson13 (1311981)

      I don't think the internet filter laws got passed. I thought the ISPs jumped in and said they would voluntarily use the Interpol Worst of list [interpol.int]. I think the compromise seems reasonable. If the list is abused then it can be voluntarily not used. To be on the list you need to host porn of kids that are under 13 and this needs to be verified by multiple member countries.

      I'm guessing that this has been implemented as a BGP blackhole list from TFA. An easy way for the ISP to go. They will already be running bl

  • by Anonymous Coward

    A site is blocked by various ISPs. Nobody knows for sure why. Some would like to pose the situation as a government conspiracy, or at least an example of why new regulations requiring ISPs to block certain sites is bad.

    No one really knows what's going on, least of all the author. There's lots of hand waving and half hearted finger pointing.

    Rabble unite?

    • Oh, stop being boring.

    • by jimmetry (1801872)

      My DNS had been shit too lately. Bloody feds. *shakes fist*

    • If it's blocked by one ISP, you can blame a mistake. If it's blocked by many ISPs, then the directive must have come from somewhere. I can only see three classes of organisation that could have the power to issue a block order:
      1. Government.
      2. Whatever organisation supplies Australian ISPs with the list of child porn sites to block. Wouldn't be the first time - remember when all major ISPs in the UK filtered Wikipedia, because our national blocklist provider decided an album cover was child porn?
      3. A copyri

      • by Zaelath (2588189)

        If it's blocked by one ISP, you can blame a mistake. If it's blocked by many ISPs, then the directive must have come from somewhere

        Yeah, like BGP maybe?

        No issue getting to the site from my Australian ISP..

        • You're on internode or iinet I take it?

          They really don't want a filter and refused to implement one.

          • by Zaelath (2588189)

            Oh yeah, I'd forgotten Telstra and Optus had opted to voluntarily take a list of child abuse websites and block them.

            If that's what it's about, then IP is the only way to be sure. You can't expect paedos to be stopped by DNS/name filtering.

          • You're on internode or iinet I take it?

            They really don't want a filter and refused to implement one.

            That's why I switched :D (that and sending my browsing history to a US company)... burn in hell Telstra!

            • burn in hell Telstra!

              I don't think they would make it through customs.
              Some things are just too much for hell

  • by sirwired (27582) on Thursday April 11, 2013 @03:02PM (#43426079)

    Hmmm... which is more likely? An utterly inoffensive group providing free education materials on the internet is the victim of a shadowy government conspiracy, or that one of the 1,200 other sites on the same IP did something sufficiently stupid as to attract govt. attention.

    I know that the summary and the article both mention that the latter is a possibility, but the headline, summary, and article, are all written as if the most likely possibility was that MFU was targeted directly.

    I suspect that the ISP got a request from somebody about one of the hosted sites doing something very naughty, and the person whose job it was to pay attention to such requests didn't get them or ignored them, so an IP block was the next step.

    • by Bacon Bits (926911) on Thursday April 11, 2013 @03:09PM (#43426171)

      That's what I was thinking, too.

      1,200 websites on one IP address? Looking at the list, I see things that are obviously gambling websites. The IP is held by a US-based hosting company (DimeNOC). I understand that yes, this is suspicious, but with 1,199 other potential causes for black holing an IP address, I'm not convinced that MFU caused government to impose a black hole request on an arbitrary (and, if summary is to be believed, incomplete) set of ISPs.

      • by Zocalo (252965) on Thursday April 11, 2013 @03:35PM (#43426437) Homepage

        The IP is held by a US-based hosting company (DimeNOC).

        Well, there you go then; they didn't do their homework or were so desperate to save a buck or two they didn't care about their ISP's reputation. If you chose a cheap hosting deal on an ISP with a reputation for hosting spam, botnet controllers and other such sites while exercising an exceedingly lax attitude to abuse reports, you can expect to have the odd issue like this. You get what you pay for applies to ISPs too - big surprise!

        FWIW, DimeNOC is null routed here too, has been for some time, and is unlikely to be unblocked anytime soon. No conspiracy required; the only traffic we ever saw coming from their IP space was spam, malicious or both, so dropping it at the border was a no-brainer.

    • Hmmm... which is more likely? An utterly inoffensive group providing free education materials on the internet is the victim of a shadowy government conspiracy, or that one of the 1,200 other sites on the same IP did something sufficiently stupid as to attract govt. attention.

      Don't forget that if it's like most community colleges the IP address was probably blacklisted due to DDOS attacks originating from infected campus computers.

      I know I had to deal with DDOS attacks from computer labs at my university. My

      • by Pav (4298)
        NOTE: This list is in no way purposed to protect Australia from DDOS's etc... It's a censorship blacklist.
  • Aren't I glad I left you.

    • by Anonymous Coward

      Don't come back you cock-gobbling twat.

      -Australia

  • Thank me (Score:2, Informative)

    by Anonymous Coward

    Hi. Stephen Conroy here. Labor party member. You morons need to know that when we, the government, block sites, it's for your own good. Sure, we don't tell you about it, and we've probably blocked things like a dentist's website, but really, what about the children?

  • by Kaenneth (82978)

    I'm guessing IPv6 eliminates any need to share IP addresses? Or are there remaining technical reasons to do so? (I'm guessing a server class physical machine host 1200 unrelated IPv6 addresses)

    • by kasperd (592156)

      I'm guessing IPv6 eliminates any need to share IP addresses? Or are there remaining technical reasons to do so?

      There are technical reasons why you might want to share an IPv6 address between multiple websites. But those technical reasons can be addressed.

      If we assume a webserver is hosting 1200 domains, what would happen if it was assigned a different IPv6 address for each of those domains? The answer depends on which technical solution you choose in order to do that.

      The typical approach is that all of

  • If you don't even get your own IP address it's not much of a surprise that somebody else's actions can turn your little bit of the cloud dark.
    Bring on IPv6.
    • by Anonymous Coward
      ^this. We made the decision this week to simply blanket block most cloud providers' IP address ranges from accessing any of our hosted sites due to the constant scans, attacks and crawling of our sites from services people run up in their clouds. We are positive this will block some legitimate traffic and sites, but really we think that is the lesser of two evils at this stage. These cloud providers are turning into festering rats' nests of scammers, phishing sites, sites hosting malware and botnets etc etc. If
  • You can see all the sites on the IP address on one page here - http://viewdns.info/reverseip/?host=198.136.54.104&t=1 [viewdns.info] Easier than sameid.net.
    • Well, that is handy. The number of .au sites is quite surprising; surely other site owners would have noticed this block as well.

  • I'm using Exetel which is a small ISP that relies on some of the much larger ISPs for infrastructure. My particular plan routes data via Optus, whereas the Exetel example given by the EFF blog post is by someone using a plan routed via AAPT. I can access the website without issue. iiNet at work is also fine.

    I suspect this is not a request by the government to ISPs to block a particular site, mainly because I've read that Optus was happy to voluntarily block content - and they're not doing it. Not yet, at le
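
Added example, not part of any comment in the thread: a small Python model of the granularity question argued above, comparing a router-level block on a shared IP address with a filter that reads the Host header of each cleartext HTTP request. The hostnames, the documentation-range addresses and all function names are constructed for illustration.

```python
# Constructed sample data: four name-based vhosts on one shared address
# (documentation range) plus one site on its own address.
VHOSTS = {
    "community-uni.example": "192.0.2.10",
    "dentist.example": "192.0.2.10",
    "flagged-site.example": "192.0.2.10",
    "hobby-blog.example": "192.0.2.10",
    "standalone.example": "192.0.2.20",
}

def parse_host(raw: bytes):
    """Return the normalised Host header of a cleartext HTTP request, or None."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    for line in head.split("\r\n")[1:]:           # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            host = value.strip().lower()
            if host.startswith("["):               # IPv6 literal, e.g. [2001:db8::1]:80
                return host[1:].split("]", 1)[0]
            if ":" in host:                        # drop an explicit port
                host = host.rsplit(":", 1)[0]
            return host.rstrip(".")
    return None                                    # request carried no Host header

def request_for(host: str) -> bytes:
    """Constructed request; odd header case and a port exercise the normalisation."""
    return f"GET / HTTP/1.1\r\nHoSt: {host.upper()}:80\r\nAccept: */*\r\n\r\n".encode()

def dropped_by_ip_block(target: str):
    """Router-level null route: every site sharing the target's address is lost."""
    blocked_ip = VHOSTS[target]
    return sorted(h for h, ip in VHOSTS.items() if ip == blocked_ip)

def dropped_by_host_filter(target: str):
    """Per-request filter: only requests whose Host header names the target are lost."""
    return sorted(h for h in VHOSTS if parse_host(request_for(h)) == target)

def collateral(target: str):
    """Sites lost under each policy that were never the subject of the block."""
    by_ip = [h for h in dropped_by_ip_block(target) if h != target]
    by_host = [h for h in dropped_by_host_filter(target) if h != target]
    return by_ip, by_host

if __name__ == "__main__":
    ip_loss, host_loss = collateral("flagged-site.example")
    print("IP block collateral:   ", ip_loss)
    print("Host filter collateral:", host_loss)
```

The Host-header path only works on unencrypted HTTP, and a request that carries no Host header cannot be matched at all; the IP-level path needs no inspection, which is why it takes every co-hosted site down with the target.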
