As a IT manager of a large company – if one of my users manages to get past our filter (it’s old and not very good) then are we as a company liable??

That’s a difference of 2,750,000 users. That’s an enormous difference. Also, a few extra milliseconds on an extremely high speed 10Gb pipe supplying a few thousand users is nothing, a few milliseconds on a narrow, clogged tube dribbling data to millions is very significant.

It’s quite an obvious tactic to start with child porn, because nobody likes that but the perverts. I think you’re right in saying that its not going to stop the real pedos, but I really don’t think thats their intention in the long term. The NZ Censorship system for movies (for example) doesn’t allow a film to be released in NZ unless it’s been screened by the office (at a cost), and given a rating. I can see they would see the internet as a huge gaping hole to them, since you can view videos and publications without any oversight or guidance at all.

They are not going to stop with the child porn. That’s just to get the support of the parents and make anyone wary of protesting it, in fear of being labelled a pervert. This is quite obviously the first step toward a much more restricted internet, blocking anything they don’t agree with or see as appropriate, because that’s how the censorship laws for film and video releases are set up, and that’s their job description according to the censorship laws of NZ.

Even you, as someone very skeptical about it, see the child porn thing as a good step, but that’s not the point, that’s just a ploy. And you’re falling for it. Of course combating child porn is a good thing, everyone knows that. But doing it this way, and in secret, is absolutely not the right way to do it. But again, that’s not their real intention.

I don’t see the censorship laws in New Zealand as draconian at all, but thats because for the most part, they’re out in the open. Since this is closed and secretive, that changes it quite a bit. And it doesn’t matter if “three people” are looking at each site to decide whether or not it’s acceptable in their opinion – there is no judicial oversight, and there is absolutely no public consultation. It’s creepy, and should be properly addressed.

Yes.”

So would this mean that if, for example, an image was blocked on wikipedia (as has happened with the UK system), then all urls from that domain will go through the DIA system?

If that were the case, whats to stop them logging all URLs within wikipedia (say) that you visited. If they can do that, how long will this data be stored? How will it be used?

I note that the largest actual implementation of this product currently handles 350,000 users; this is, pardon me, “bugger all”, and I’m not convinced a handful of Intel/BSD boxes will scale well for a nationwide implementation.

[from my slashdot post on the same subject]

In order for any device to reject a request, and send back a block page, it must be monitoring the TCP stream and be able to inject packets back in the stream in sequence (matching SN/AN) so that the client will not reject the packets. This means it must

a) inspect all the packets of the request.
b) reassemble the packets to form the request to extract the URI requested. This will typically require parsing the request to extract the Host header, and abs_path part of the request.
c) pend the request packet upstream while it tests the URI against its blacklist. If it doesn’t do this, some quick server could start a response before the blacklist check is complete, which would break the ability of the device to send a proper response. Otherwise it will need to queue response packets while it determines if the response can go back to the client.
d) if blocked, it will have to send a synthesized response back, matching the Seq and Ack numbers in the TCP connection it was monitoring, and ensure no other packets from upstream make it back to the client.

This will certainly introduce some latency, as the request or response is pended and blacklist checked. A decent DB lookup should be pretty quick, and in terms of NZ average latency for access to international sites, I’d expect it will probably be hardly noticeable unless the system is overloaded.

There could be other effects as well. Setting up an IP-IP tunnel will typically introduce some packet overhead. It’s likely this will affect the MTU of the path to these sites. This could allow detection without relying on ICMP / tracert, which I’d expect to be blocked or at least not answered by the NetClean box.

Most web browser requests fit within a single TCP packet (usually 1460 bytes of payload). I wonder how the NetClean will handle a request being sent 1 byte at a time.

My biggest concern is what about false-positives? Does the DIA offer to warn a site it is blocked? This is the thin edge of the wedge, using the horror of child porn to slip a system in which will then be used for other things. The secrecy around it is part of the problem plaguing the Australian system. We have to rely on humans in the DIA to be infallible. We all know humans are not. If they don’t tell a site it is blocked, how would a hosting site know it needs to clean out a client hosting kiddie porn?

How as a company can I pre-filter my users to prevent the possibility of the police busting through my door if one of them goes to a bad place?

http://www.opendns.com/