Against Censorship: Part 1, Addressing Technical Arguments for Censorware

Five minutes into the last computer club meeting, I was in the process of showing somebody a website distributing some software for running a library, and found myself instead showing them a web page telling us that we weren't permitted to access this site because it was in the blocked category of "freeware/software downloads".

Max said that he'd earlier had a similar problem while trying to show somebody an auction site. I tested this out and sure enough eBay, et al. were similarly inaccessible because they fall in the blocked category of "auction sites".

The club has installed web content filtering "censorware" on the gateway between its local network and the outside world. As a club member, I'm appalled by this for a number of reasons:

  • censorware doesn't work to significantly reduce IT security risks
  • censorware is an attack on freedom of thought and expression, and is morally wrong, regardless of how well it does or doesn't work

Of course this makes running a computer club from within the club's network practically impossible. Or rather it would if circumventing the censorware hadn't been ten minutes work.

In principle however, it is outrageous that an organisation with a community service mission should opt to control the behaviour of its members and staff using techniques favoured by brutal dictatorships.

In the first part of this article, which I stress reflects my own personal opinions and not those of the Coffs Ex-Services Computer Club as a whole, I will go into detail about how and why censorware doesn't work as a solution to perceived IT security problems that arise from unrestricted access to the Web.

In future posts, I shall examine the ineffectiveness of censorship as a solution to low employee productivity, why it shouldn't be used even if it was effective, and outline a few of the multitude of trivially easy censorware circumvention techniques.

What is Censorware For?

An organisation might consider deploying censorware for one or more of a number of reasons.

  • They are under the impression that censorware will significantly improve their organisation's IT security.
  • They are under the impression that censorware will significantly improve employee productivity.
  • They are under the impression that censorware will significantly reduce their exposure to liability for allowing people to access material considered "harmful".
  • In general, they believe they have a right and/or obligation to control the behaviour, speech, or thought of others, and think that censorware is an effective way to facilitate this.
  • They think that some or all of the above can be achieved by censorware with no significant negative consequences.

IT Security

The World Wide Web is just one of a number of vectors for the delivery of malicious software ("malware"). The others include email and vulnerabilities in components of a computer's operating system which are exposed to the Internet, and web content filtering software obviously does nothing to address any of them.

The security threat from "software downloads" can be divided into two categories of software: software the user consciously installs, and software that exploits security risks in the client web browser or operating system to install itself without the user's knowledge or consent.

Trojan Horses

A great deal of malicious software is disguised within apparently innocuous and useful software. An employee with no knowledge of how to identify such software, or even no idea that ostensibly useful software might be harmful, who finds their ability to download software at their place of work impaired will likely have no hesitation in bringing in a copy from home.

The only effective defense against this kind of software is user education. The StopBadware project releases a yearly report entitled "Trends in Badware: What internet users need to know.", which is an excellent resource for anybody wanting to educate themselves or others about avoiding malicious software on the Web. Any organisation that does not educate their users about the risks involved in installing software of unknown provenance will be wasting their money trying to implement a purely technical solution to the danger.

Drive-by Downloads

An increasing percentage of malware infections via the web are in the form of drive-by downloads. This is where a web site or web server is compromised in some way which enables a malicious agent to use it to deliver content which exploits security vulnerabilities in users' web browser software, operating system, or in the users themselves ("social engineering").

Any existing web site with a sufficiently severe security flaw, or a sufficiently lax security policy, can be compromised to deliver a drive-by download. Any computer with a direct Internet connection and a sufficiently severe security flaw somewhere in the software installed on it is potentially a "zombie" web server.

A study by Google found that in a sample of web pages in its index, as many as one in ten were found to be hosting drive-by downloads of malware. These are the untraceable here-today-gone-tomorrow pages that spam email and web postings direct you to.

The malware delivered in this way has been historically used to facilitate the activities of spammers, but is increasingly the product of mainstream organised crime groups (the two classes are not mutually exclusive, of course).

Indiscriminate Targeting

Trying to deal with this problem by maintaining blacklists of blocked web sites is like a game of whack-a-mole where the playing area is expanding exponentially. 99% of what you're trying to hit is already beyond your reach, and the situation is rapidly deteriorating.

The other possible approach is to try to deduce from a page's content whether it is malicious. These rule-based filters have grown somewhat more sophisticated since the days when one product famously blocked a page at whitehouse.gov as pornographic for using the word "couples" (well, you know what couples get up to, don't you?), but as many of us know from experience with our increasingly ineffective Bayesian spam filters, if ne'er-do-wells find all but one tenth of their objectionable content blocked, the simple solution is to randomise the content further and increase production by a factor of ten.

Content filtering software will likely use a combination of blacklists, whitelists, and automated content filtering techniques. Individually or collectively these are increasingly unlikely to do less harm than good.

As digital rights advocate Cory Doctorow noted recently, the combination of instantaneous rule-based network blocking and time-consuming manual correction of false positives results in an Internet "autoimmune disorder". The price of automatically identifying 100% of unwanted material is mis-identifying a lot of material as unwanted, and the cost of that mis-identification usually goes uncalculated.

A similar sledgehammer/nut problem exists with manually-compiled blacklists. It's extremely unlikely that the management of the Coffs Ex-Services Club decided that their staff should not have access to information about software for running a library. In fact the club does run a lending library for its members. But the people who run that facility now cannot access some information which may help them do their job because it's implicated in "software downloads", a forbidden category of websites.
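To make the two failure modes concrete, here is an added toy model (not code from the original post, and not any real filtering product) of the category blacklist and the keyword rule described above, run over constructed pages: the library-software page and the "couples" page are benign but blocked, while a compromised but unlisted site and a throwaway host both pass. All hostnames and page texts are made up for the illustration.

```python
from dataclasses import dataclass

# Category blacklist: hostnames an administrator has filed under a category
# (constructed entries, modelled on the club's "software downloads" and
# "auction sites" categories).
CATEGORY_BLACKLIST = {
    "downloads.example": "freeware/software downloads",
    "auctions.example": "auction sites",
}

# Rule-based content filter: words that trip a "pornography" rule.
BANNED_WORDS = {"couples", "xxx"}

@dataclass
class Page:
    host: str
    text: str
    malicious: bool  # ground truth, known only in this simulation

def classify(page):
    """Return (blocked, reason) as a blacklist-plus-keyword filter would."""
    if page.host in CATEGORY_BLACKLIST:
        return True, "category: " + CATEGORY_BLACKLIST[page.host]
    hits = BANNED_WORDS & set(page.text.lower().split())
    if hits:
        return True, "keyword: " + ",".join(sorted(hits))
    return False, ""

def evaluate(pages):
    """Count benign pages blocked (false positives) and malicious pages passed (false negatives)."""
    fp = fn = 0
    for p in pages:
        blocked, _ = classify(p)
        if blocked and not p.malicious:
            fp += 1
        if not blocked and p.malicious:
            fn += 1
    return {"false_positives": fp, "false_negatives": fn}

# Constructed sample pages (hypothetical hosts, not real sites).
SAMPLE = [
    Page("downloads.example", "library management software, GPL licensed", False),
    Page("whitehouse.example", "a message to married couples from the president", False),
    Page("blog.example", "legitimate blog, compromised to serve an exploit kit", True),
    Page("tmp-host.example", "free screensaver, click ok to install", True),
]

if __name__ == "__main__":
    for p in SAMPLE:
        print(p.host, classify(p))
    print(evaluate(SAMPLE))
```

The filter blocks both benign pages and passes both malicious ones; adding `blog.example` to the blacklist after the fact would be the manual correction step that makes the whole scheme a whack-a-mole game.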

Tough luck, guys. You can't own a bull without wrecking a few china shops. It's the price of the total security that our foolproof web content filter provides. We want to protect ourselves from malicious software, so we block "software downloads".

What's that you say about botnets run by organised crime, drive-by downloads, and one in ten webpages? La, la, la... Behind our impenetrable security shield, with our fingers in our ears, we can't heeeeaar you!

It's indicative of the effectiveness of these blacklists that the software we used to circumvent the club's censorware at our last meeting was downloaded from web sites not on the "software downloads" blacklist. These were not obscure "warez" sites, by any means, but the official sites for the projects developing the software, cheerfully admitting that one of the major purposes of the software was to assist in evading online censorship. If these sites were not blacklisted, what are the chances of an effective blacklist of all, or even a significant fraction of, the sources of genuinely malicious software?

Social Solutions

The security flaws that content filtering software attempts to address are found at either end of a transfer of data over the Web (the Internet is an end-to-end system, after all), and at either end of a Web connection you will find people. Accordingly, addressing these issues at the source is a hard problem. However, pretending they can be addressed by simply setting up automated information checkpoints somewhere on the network is delusional.

As noted above, the best bang for your buck is in user education. Believe it or not there are people out there willing to believe that an exiled Nigerian prince would contact them out of the blue in order to share their extraordinary wealth with them. There are certainly many more people who think that Microsoft would email them an urgent security update, or that the dialog box that suddenly pops up telling them that their computer is vulnerable to attack and urging them to click "OK" to install additional software is akin to the voice of God, and not to be disobeyed.

If you have one or more of these people in your organisation, no purely technical solution will ever do as much as a bit of education to reduce the risk they present.

Technical Solutions

The technical side of malware propagation via the web is enabled by several factors:

  • At the time of writing, roughly 75 percent of computer users use the same version of the same operating system from the same vendor.
  • Most of these use web browser software, as well as other web-enabled applications, from the same vendor.
  • Many small to medium sized organisations use the same operating system on their servers, plus additional server software from the same vendor.
  • All of the above software is developed within a single company, without any meaningful participation or oversight by the major stakeholders (i.e. the users of the software).

To use a biological analogy, the consequence of all this is that the ecosystem of web software is very nearly a monoculture, composed of organisms extremely vulnerable to pathogens, and consequently any virulent contagion spreads like wildfire. The proliferation of the Storm Botnet, estimated as of September this year to have control of as many as 50 million computers is a frightening demonstration of this.

Moreover, because the software you are probably using is developed in secret, and distributed under licenses that prohibit disassembly or the distribution of derivative works, there is in most cases only one entity able to provide effective solutions to security flaws. Your IT security is ultimately utterly dependent on a single company with a consistent history of reluctance to disclose security issues when they are found, and a very poor record of issuing security updates in a timely manner.

There are no strong arguments for using the same operating system for every conceivable purpose to which a computer might be put, much less for a single universal web browser, or email client, or word processor, etc.

There are a wide variety of free software operating systems available which are distributed under terms which allow for public scrutiny of their inner workings, and for third-party provision of security fixes. There are hundreds in the family of operating systems derived from the GNU system and the Linux kernel alone, each with their own customisations and strengths, and no two comprising precisely identical sets of components with the same security weaknesses.

The range of options in free software applications is if anything even more diverse.

A wide scale shift from dependence on the products of a single proprietary vendor to the best tool for the job, distributed under terms that encourage rapid identification and repair of security flaws, is a more complex proposition than continuing to put our hopes in band-aid solutions. However, the historical effectiveness of the latter strategy is fairly clear, and as the saying goes, the definition of insanity is doing the same thing over and over and expecting different results.

Continued in Part 2, Why and How to Resist