Welcome to the annual Defcon Convention. This meeting was held at Exciting Las Vegas, Nevada from July 9th through the 11th, 1999. In this video, take 149, Firewalls: Trends and Problems. I might have... Is this better? Yes! Can I use something? Okay, I'll just catch... I'm gonna get shorter a little bit. I just want to talk to you a little bit about similar things that are going on with firewalls right now. Firewalls are probably the most popular tool that's out there to secure a network right now. And what many businesses aren't realizing is that they're not everything. They're getting firewalls and they're pretending that they have a complete solution to every problem they might have. And they don't realize that they still have viruses. They still have insider attacks. They still have attacks going on against the services that they have available. Is that better? Okay. One of the most important selling points to firewalls right now tends to be fear, uncertainty, and doubt. A lot of managers are throwing away a lot of money on things that they don't really understand. One company that I saw on the web page had a demonstration of hackers breaking into your computer because you didn't have their firewall. And they actually took you step by step how hackers were using WinHack Gold and Legion to attack your open file shares through finding users in IRC. I thought it was quite a joke. One of the quotes they had on their page was, "Think of the hours you can spend going through your personal data after you download it." And they actually had pictures of personal information and billing and whatnot for the person. I thought it was funny. The truth of the matter is that all the firewall actually did was block file sharing and it didn't even use packet filtering to do it. It used nbtstat after someone had already connected and it didn't do any other packet filtering whatsoever. It did not support it. It pretended to get rid of several back doors as well.
It claimed to filter out several hundred of them. And when I disassembled the software, I found out that the only thing it ever attempted to get rid of at all was Back Orifice. And in actuality, it wasn't even successful in removing Back Orifice. Although I'd love to see how they work with BO2K. Another article that I saw in a local paper was talking about many companies can afford firewalls and a quarter of them is all being $10,000 or more and said that in order to run them at all, he needed a full-time administrator who would command a salary upwards of $100,000 a year and I don't think that's quite too accurate. He claimed how evil hackers would run rampant through your network. And then, funnily enough, the article actually ended talking about a specific firewall and gave you their website so you could purchase it, which I thought was inappropriate for a newspaper. A lot of people just simply don't realize what is still open when they have a firewall up. A recent example would be Microsoft's Internet Information Service. A bug came out of that that allowed an attacker over only port 80, nothing other than web traffic, to gain control of a web server and they did not need any other means to connect to the machine at all, which would pass through any firewall that allowed web browsing, including Microsoft's on-site. Firewalls simply aren't intended to solve every security problem. Although integration with intrusion detection and virus scanning over predefined methods of downloading are helping to make a more complete solution out of it, but there are other things that need to be approached. One of the big problems with a lot of the firewalls out there right now is people simply aren't able to manage them. They don't know how. The methods of management are a little confusing for them.
And sometimes they're trying to install them on too many different machines rather than having one integrated firewall and they're using remote administration methods to get to them. When they're doing this, they're often using very insecure methods to manage their firewalls, often remotely from outside of their own networks, and they're using web browsers to do it. They're using SNMP to do it. Although some of them are actually using secure encrypted methods to get to them, I don't advocate any remote administration outside of your own network. One firewall I saw claimed that SNMP would be the future of firewalling administration. And they predicted that very soon every firewall would support it as the sole means of administration. For other solutions, some vendors are actually installing and configuring the firewalls remotely. They're using tools such as pcAnywhere or simply Telnet or SSH. Another problem with this, other than people being able to sniff the traffic to see what passwords are used to get to it, to see what rule sets are being applied, is that you can't always trust who's going to be working for a vendor. A vendor's got 10,000 different customers sending their firewalls administered and they're sending someone to be yours from the office. You don't know if the person is competent. You don't know if the person is in touch at all with what your service or your business or your organization needs. And you can't always trust them to be honest with what they're doing. Another problem with firewalls is that many of the people installing them do not know what they're trying to configure, what they're trying to allow and disallow. One of the major problems is with ISPs because the most secure method of setting up a firewall is to not deny all traffic unless it's specifically permitted. But with ISPs, there's a lot of services that you wouldn't normally see in organizations. People want to use Microsoft NetMeeting. They want to play Quake.
They want to play Duke Nukem over the net. They want to use AOL Instant Messenger. And a lot of administrators don't know what ports that these things are using and they don't know how they work. One of the things that I found most useful for determining that was to grab the services file from Nmap, which seems to be the most comprehensive that I've seen, as RFCs are outdated due to a lot of the services that are proprietary. The easiest way to set things up would be to use one of the more user-friendly administration, the user-friendly firewalls if you're not familiar with them and find out... I refer to things by names. Everybody can't memorize every port number that they're going to have to use. Although for those of you who know, I still prefer command line. Another thing that's very interesting to me is the integration with other tools. Now that a lot of firewalls are using intrusion detection, they're using virtual private networking. Some of them support virus scanning over FTP and HTTP. And this allows a lot of other problems to be solved through the one device. I like to talk about virtual private networking for a minute because it's one of the key selling points for a lot of firewalls right now that a lot of people are going after. And it's probably one of the least understood features. A lot of people don't understand that there's different forms of cryptography, there's different codes that people use and some are really good and some aren't. And there's some things that have been broken and people have broken PPTP. PPTP is a good example. Microsoft based it off the RC4 stream cipher, which isn't all that bad, but their implementation was really poor and its security was based simply on a user's password, which, if you know, can be cracked usually in a few hours. If you're going to go with VPN support on any firewall, the things I would suggest using are...
When you're looking for VPN support on a firewall I would really suggest going to something that's more tested and secure, such as SSL or IPsec. I like the protocols a lot better. It gives you choice of which algorithms you want to use when you're running the firewall and you have the choice of which algorithms you're going to use. A lot of people argue over whether Diffie-Hellman or RSA is better for key exchange. I don't think it matters. A lot of people don't realize that Diffie-Hellman's been around for a long time because it's been patented and a lot of businesses haven't been able to use it in their products until recently but both are really secure and they're probably equally secure. It has been proven that if you can break Diffie-Hellman you can also break RSA but the reverse has a mission. I'm sorry, yes. If you break Diffie-Hellman you can also break RSA but the reverse is not true or hasn't been proven to be. On the client side you don't have a lot of choice that you're out of luck but as for encryption some places are still using DES and RC4 and I'd say don't go there. You're going to have to use something a little bit stronger. I'd prefer Triple DES or IDEA. One thing not to be fooled by if you want to choose DES over IDEA is that Triple DES is often claimed as being 168 bit. The key is indeed 168 bits but it isn't that strong because of the usage of multiple encryption. In reality it only has the strength of what you would expect a 112 bit key to be so you're really only getting double encryption out of it. I prefer IDEA myself. It's a little bit longer and a little bit faster. Another thing a lot of firewalls are trying to market is the use of demilitarized zones. Demilitarized zones really aren't anything new. It's something that's been out there for a long time. It sounds cool and so a lot of people are claiming to support it.
All the demilitarized zone is an intermediary network between the firewall that you have against the internet and another firewall that you have between your local network and some firewalls have multiple more than two interfaces and they allow you to set up a demilitarized zone on that firewall. I don't think it's such a bad idea security-wise. It's just that it's not anything special. It's not anything that most people don't already have supported in their firewalls and it's not something they pay a lot of extra money for. In a demilitarized zone what you're going to have is you have your outside firewall just connected between you and the internet or a wide area network. You have a few intermediary machines, often they're machines that don't have the security that you want inside your local network or they have services that you don't consider to be secure and don't want them on your local network so that other things can be compromised and often as well there's a proxy server that will allow you to connect to the proxy server so that it can make connections for you to the inside. Another thing that I'm seeing a lot of lately is software firewalls whereas the better firewalls that I had seen in the past were mostly hardware. There's a lot of nice software firewalls coming out that are easy to configure. They're fairly secure. They run fast enough to support your bandwidth. However, one of the big problems with software firewalls is there is an underlying OS that was made for general purposes. It was not made specifically to be a firewall. If you get a Cisco PIX box it was made to be a firewall. There was nothing else made into that OS and if they do a good job in products such as that, the OS is okay. In software firewalls you have to look at the underlying OS because it's running on Unix or it's running on Windows NT and if there's still problems with that underlying OS your firewall can be compromised. 
There was a recent problem with one firewall where Nmap scans would actually crash the whole machine because of its integration with the underlying TCP/IP stack on NT. A small sector of software firewalls are PC firewalls, which I really am not in favor of in most cases. They're not good for office environments because they're hard to administrate. Most of them don't support remote administration and they want you to configure each machine individually and it's very feasible. Another problem is that users often want to tinker with them and if they can change them they can either make them very insecure or they can destroy their network functionality on their machine because they won't be able to get to anything anymore. Another problem with PC firewalls, especially on Windows platforms, which most PCs are running now: Windows 95 starts up its networking services before anybody logs in. Your file sharing is already open to languages but most of the PC firewalls will not start until after you log in. So if I log out of my Windows 95 machine at work and I've got a little PC firewall running that I think is protecting me, until I log back in somebody can access those file shares and can do what they want. They can, if they're open, they can get to them. If they have passwords they can brute-force them. Another problem is that in many cases if they connect to them before I log in to my machine, after the firewall starts, because most firewalls for performance purposes do not analyze every single packet, they look at special information in that packet and they see if it's opening a new connection, and if it's opening a new connection they apply it to its rule set and they decide whether they should allow that connection to continue. If they decide it shouldn't, they deny it and they close it down. When the connection is already established because somebody connected to my machine before I logged in because there's no opening of a connection to filter out.
It's merely traffic and it assumes that that connection has already been authenticated and it's already been assumed to be okay and it lets it run the way it is. One solution that I can see to this in PC firewalls, because they pose a different problem, is to close, is to run through the open sockets on the machine and close down everything that does not apply to the rules, that does not, is not allowed by the ruleset. But outside of the Windows PC firewalls, I think that those freeware firewalls that are distributed with Unix, especially FreeBSD and Linux, I think they're pretty good firewalls. I like to use, and I use, IPFW at home on my FreeBSD machine. One problem with the freeware firewalls is that they're not as supportive to some of the commercial things and they do have the documentation to get the kind of tech support that you want if you need it. However, I find them highly configurable, I find them very secure, I find them easy to use myself if you know what you're doing with them. One of my favorite freeware from Unix firewalls is TCP wrappers, which you can wrap around the services normally started by inetd on your machine. There's no TCP wrappers because they can create a lot of fun for me, because with TCP wrappers you can also run outside programs using information from the connection as arguments to those programs, and so on a pretty free day, Friday night, it's often fun to pick up some denial of service scripts and watch kiddies scanning for Back Orifice crying in their machines crash. Oops. Another type of firewall that I'm seeing that I think is a waste of money, which is going to be talked about in a minute here, are a lot of the censorship firewalls, and they're trying to scan out porno sites, are trying to get rid of playware, they're trying to get rid of bloodkittycam.com so you can't get to them from work. And one of the things that I find the problem with is that these firewalls often cost 10 to 15 thousand dollars a bit more and they're using a list of sites that they deemed
inappropriate and they don't want you to get to them from work, and the problem is worrying they often, you can often get around them, especially if you find sites that aren't included in your list. And another problem is, why do you need to pay 15 thousand dollars to prevent your users from doing something even one thing to do at work when all it takes is a nice meeting with their manager, system administrator and the threatening of losing their job? They're not going to do what they're not supposed to be doing or they're going to be fired. I don't think it's worth spending 15 thousand dollars to prevent them from looking at pornography at work. One of the other things that I'm liking is I'm seeing a lot of new tools coming out of firewalls, you can find out what's going on, find out what's working, find out what's not. The tools I like to use most are Nmap and Firewalk. Nmap allows you to use fragmented packets, which you can try to pass under some firewalls. A fragmented packet does not contain everything that a firewall needs to analyze the packet and so it has a few choices: it can either drop the packet completely because it's fragmented; it can support them, and it can queue the first part of the fragment and wait for the rest of the fragment to come in and then decide whether to allow it to pass or not; or it can simply allow them all through, and many of them just allow them all through. More firewalls are starting to support queuing of those packets so they can decide whether they should be restricted or not. However, there's a denial of service problem that they're similar to SYN flooding, in that if you send the first part of several fragmented packets and it queues them, it will quickly run out of memory to queue more packets because it's all in use in the second half of the firewall and I have to freeze it up. Firewalk, that I like to use other than Nmap, is a nice little traceroute-type utility that allows me to figure out what a lot of the problems are with my rule set and allow me to find out what can get through and allow me to gather information about the Houston Cyber Network and I find it is up in both of them especially interesting because it allows me to do before what you often it took proprietary commercial software to deal such as ISS and that's why the CyberCon might have been for me. That's all I have for right now. I'd like to pass control of right now to Mr. Abinett.
Is he getting it? I'm as bedded quiet as to how many operating are under my operating system specific problems that some of you may have strong. One of the big problems that you'll see with a lot of firewalls that haven't relying on OS is even the hardware where it specifically is, if they allow you to connect to those machines they allow you to attempt to hack those machines, so even if I'm running a stripped down version of BSD on my appliance firewall, if there are any services running on that machine that I can connect to that could possibly allow me to get access, it's a bad thing because it will allow me, if I know what to do, to hack that firewall and take control of it a little bit. I usually use BSD rather than, I'm excited a little bit about ipchains but I haven't used them yet. Are you wanting to know what I prefer?
He was asking me what was advisable for the firewalls that are running on Windows NT. Most of the firewall, oh shut up Brandon, most of the firewalls I've dealt with NT it's being shackled by your guardian. I prefer the next firewalls myself. I like command line, I like just get down and dirty, I don't like to deal with the GUI in those cases. I don't really have any preference over any of the major commercial ones. I think the best thing is just to decide what you need for what you're doing. I mean, if you're running a small ISP you don't need to spend $15,000 on a copy of checkmate with VPN support and you can probably get away with the smurf or you get a firewall. However, if you're running a large corporation you're probably better with going with one of the major companies who can give you the support you need, who can come down and help you if you have problems, who can tell you what you need to do. Is anyone showing support at all? Is anyone showing support at all? I don't know what this time of anyone is saying it's the part where the GUI systems are but I don't think it would be a bad idea because they're oftentimes a much better alternative to the commercial firewalls for small organizations and businesses, so I'd like to see that. If you guys really want to see me make it you're gonna have to go to my website, so you're a little too kinky even for this group here. As you can see, our multimedia extravaganza here, we're seeing if the cords will stretch. Hey, there's a lot of cord, that might even work. Alright, follow me. Introducing Bennett Haselton. Haselton. I'm gonna be talking about a piece of software called the Anti-Censorship Proxy, which can be used for getting around firewalls and proxy servers, not talking about firewalls and proxy servers that have bugs in them, but this is something that can actually be used for circumventing correctly implemented firewalls and proxy servers that are built to censor certain websites. That's something that Stephen talked about near the end
also talking about different forms, other types of software-based censorship and how you can get around some of them. A lot of this talk is about the politics of the situation. There are bills in congress now proposing that all schools will have to spend lots of money on a particular company's product that censors certain websites from the excess from the computer, so, and this is a political discussion that's been going on for about two or three years now. It's very relevant these days. My email address is gonna be up here on the projector at the end. In Haselton, known to the underground hacker elite inner circle as Bennett in Haselton. Someone wants to christen me as something like death maximist thunder wolf warp spider or something far away in this conference. I don't have a name like that quite often. Um, general different categories of software-based blocking that we've dealt with circumventing: they are the very simple ones that are sort of like SurfWatch or Cyber Patrol, Net Nanny. All they do is they replace some crucial system files with their own hooked version of the system files in order to force themselves to keep running all the time, but if you have a testing machine and you can install a copy of these and you can use a file system and registry profiling system and difference analyzer to see what keys it enters in the registry and what files it replaces, and then a system out of writing a Windows script that can reverse that process in order to forcibly uninstall those programs from your computer, without the administrative password of course.
There are other programs that are slightly stronger and harder to defeat but are still client-side programs that reside on the computer that you're sitting in front of, ones like FoolProof and Fortress, and these are mostly desktop access control programs, which means they can restrict certain operations and they don't themselves censor websites, but they are meant to be used in conjunction with another program like Cyber Patrol, and it's supposed to use something like FoolProof to make it harder to remove Cyber Patrol from the computer. And these are a little more sophisticated and they can do things like make it impossible to boot from a floppy disk and access the file system on the machine, because they scramble the master boot record on the hard drive in the machine to make sure that you can only access files on the machine if you boot from the hard drive. And then there are really serious challenges, getting around things like firewalls and proxy servers, the ones that are not installed on the machine that you're sitting in front of, so you can't write a script to get around them. It's a matter of making contact with a website outside the network that is not blocked by the firewall or proxy server and opening a sort of communications channel with that website that can transparently serve you the websites you're trying to access, which are blocked by the firewall sitting between you and your accomplice outside the network. But part of the politics of the whole situation is how do these censorware companies, so-called censorware like SurfWatch and Cyber Patrol, and the firewall companies, how do they determine what URLs are going to end up on their lists of sites to be blocked from access on that network. Part of it is when you access a page on a machine that has one of those programs installed on it, the page as it's downloaded will be scanned for certain keywords, certain words in the title, certain words like sex that appear in the URL, and then if it meets enough of those
conditions it will get blocked automatically. Also the software company keeps a list of URLs known only to the company that contain material they consider inappropriate, and if the URL that you try to access is on that list it will be blocked regardless of whether it meets any of those other criteria. And so allegedly these companies keep employees whose job it is to surf the web all day and look for inappropriate material. I actually read an interview with one of these guys once who worked for a company called N2H2, which makes a product called Bess, and he said that he just come home after a long day of searching some muddy websites for material, he stopped for the bookstore on the way home, was just trying to relax, pulled some books off the shelves and started reading. Eventually he was, he was not actually reading the pages, he was just scanning for dirty words because that's what he'd been doing all day. He was like, oh jeez, I've got to get this out of my head, I've got to get away. The list of URLs that are maintained by these companies, they keep a copy of the list on a central server, and if you have a client side version of the program like Cyber Patrol installed on your machine, periodically the companies encourage you to download a latest updated version of the URL list because the web is constantly changing, the URL is adding an entry to the list, and this is in order to keep the software up to date. Sometimes they will start charging you for continued updates after a six months free period or something like that. And the list as they reside on your machine are always stored in an encrypted format because they are considered to be trade secrets by the companies, which have invested considerable effort in compiling these lists, so they do not in fact want their customers to know what is on the list of sites they consider appropriate. There's something like 50 to 100,000 sites on a typical list and generally they try to keep these secret. A lot of the politics
involved in the fight over, say, whether blocking software should be forcibly installed in the libraries that receive federal money is about whether the blocking software companies are doing their job competently and how in fact they manage these lists of sites which they consider to be inappropriate. There are lots of examples that people talk about of sites that are blocked that most people feel should not be. These days, generally if you ask anybody what is embarrassing or what is wrong with blocking software, almost the only thing that everybody ever says is breast cancer sites or chicken breast recipes. People say those have been blocked because they contain the word breast in the title. That's true, but that is a very bad example and that's really not where all the controversy is coming from. That would fall into the category of pages that are blocked due to keyword scanning, in other words the program is downloading the page and it scans it for particular words like breast, and the site is not blocked because it's on the company's list of inappropriate pages, it's just blocked because it happens to have that keyword there. That's one example. Some companies, their products work, in order to block a site they block it by an IP address, and there are some hosting companies which host multiple web pages on the same IP address and you can have hundreds of sites sharing the same machine, same IP number, and if one of those sites gets blocked they will all get blocked at the same time, so there are lots of examples of sites that are blocked for that reason as well. There are sites that are blocked for political reasons, which means the company deliberately blocked it, and maybe they've tried to avoid controversy but somebody discovered it was blocked and publicized it and the company defended it for whatever reason. There are also pages that are blocked which prove that the company is not in fact reviewing all of the sites on their URL list to determine if they meet their criteria.
This is the main area where my website Peacefire has concentrated most of our effort, is in coming up with examples of pages that are on these lists of allegedly inappropriate URLs that no human being could have looked at and determined inappropriate, but what it appears the company is doing is they are running some sort of spider which is going on crawling pages on the web and examining them for certain keywords and then adding them directly to the URL list of inappropriate sites without necessarily having a human being examine them to determine if they meet their criteria, and I'll have some more examples of that in a second. First, some examples of pages that are blocked due to keyword scanning. 1996, a little bit after SurfWatch came out, people were talking about how the White House web page about Bill and Hillary and Al and Tipper was blocked by SurfWatch because the page was called couples.html and SurfWatch was set to block any page that had the word couples in the URL, allegedly because that indicated it was a sexually explicit, and the White House webmaster had to rename the page principles.html in order so that SurfWatch-using families could access it. There was a page that NASA posted about Pathfinder's exploration of Mars. It was called M-A-R-S-E-X-P-L.html. Did you catch it?
M-A-R-S-E-X-P-L.html, and Cyber Patrol and SurfWatch blocked it because it had the word sex in the URL, and among the frequently asked questions maintained by the guy who wrote the page he said, I set up a separate copy of this page here in case your computer has blocking software on it, you can access this page anyway. I found one example of an organization, it was sort of a support page for children that had cancer, and the organization was called Touch, and it was an acronym that served for something, but in any case all pages had the word touch in the URL and so this page is not accessible. Also some software blocking from searching anything that had the word teenagers in it, like teen smoking or teen safety, just because they feel the search engine turned too many matches for pornographic sites if you search for anything that says teenagers. Another example of pages that are blocked because they shared an IP address with another blocked site, these are just some of the smaller examples: filteringfacts.org is a page advocating the use of blocking software in libraries, and an ISP hosted it on the same machine as another site that was blocked by SurfWatch in the drugs and alcohol category, so filteringfacts.org is in fact a one point by SurfWatch, which is recommended by Filtering Facts as one of the products for use in libraries, one is supposed to not make a large number of these kinds of mistakes. There was a recent Wall Street Journal article about other pages blocked for the same reason: Minnow.org, which is maintained by Martin Minnow, who is related to the FCC commissioner, I think works at Apple computer now, he's very famous, and then a friend of mine registered PluginPray.com, and did not actually, either one of these people actually put anything on their pages, but they were shared with another page they had to be blocked and they discovered they were blocked by SurfWatch. For examples of pages blocked for political reasons, a lot of the, a lot of the blocking programs block pages
which advocate online legalization like norml.org, and so remember these products are used in large numbers in schools, and technically such the advocated political point of view are constitutionally protected material for people to read, even students that are not necessarily 18 yet, so that's one particular source of controversy that comes to the question of should these programs be used in schools and libraries. The American Family Association, which RNA associated with this because of course the AFA is one of the most pro censorship groups on the internet, and a while ago I submitted the URL to your Cyber Patrol's review committee claiming that I expressed intolerance towards homosexuals because the AFA website, extremely conservative side, held out derogatory statements about gays on it, and I claim that categories include blocking pages that made derogatory statements about gays and they should block it, and I told the internet if they eventually found out about it and they were making, well, from my point of view, I mean, we don't think that that kind of thing should be blocked anyway because essentially that kind of hate speech against homosexuals is obviously a lot more effective against adults than just against children. There's much more broader support for anti-gay laws over age groups and among younger age groups, and that's part of the thinking behind what we do, which is essentially by combating censorship software actually advocating more freedom of speech for younger age groups, but that is an example of where we temporarily switch sides just for fun to see what would happen. A lot of gay and lesbian live pages are blocked by programs like, for example, CYBERsitter has a category for blocking pages like National Organization for Women and gay and lesbian awareness against affirmation and that long line there for International Gay and Lesbian Human Rights Commission, which advocated equal rights for gays, and other programs have been caught blocking political pages about
gay rights for the same reason. A website called censorware.org, which is another site similar to peacefire.org, and it has a lot of information about blocking software and the politics behind it, was blocked by a blocking software company after censorware.org published a report criticizing that particular company's blocking software product. They added censorware.org for about a day or two to their list of allegedly pornographic sites. Cyber Patrol has also blocked some newsgroups about atheism and the most social thing about political issues. These are not websites, but they've also been a source of controversy as far as concerns what criteria they are using in determining what's inappropriate for people under 18. And then the last category is the one that peacefire.org specializes in publicizing examples of. The top example here was an article that I found on the denverpost.com news website, and it was an article about the Catholic Church's responses to the shootings in Littleton. And it was an article, it didn't have any pictures, let alone any pornographic pictures. It was identical to the one that appeared in the paper. There was no way that a human being could have conceivably looked at this URL and determined that it was inappropriate for children. But it had the word bomb in the URL of the title. It was bomb3496.html or something. So my first thought was... Bess was the program that was blocking this. So my first thought was maybe they're automatically blocking all pages that have the word bomb in them. So what you do is add some characters to the beginning of the path section of the URL, so it's now denverpost.com by YZZ slash followed by the original path. That URL was not blocked. So clearly they're not blocking all pages that have the word bomb in them, but this page, this particular page, ended up on their list of URLs inappropriate for teenagers. So what they're apparently doing is they have some machine on Bess's network which is going on calling for web pages that have
the word bomb in the URL and adding those directly to the list of URLs maintained by them without necessarily reviewing them. And Bess, there's no nice way to say this, they are lying about this. They are sending out letters to potential customer schools and libraries saying, we review all the URLs on our list to make sure that nothing is added to our list before we have a human being review it and make sure that it meets our criteria. And this is clearly not true, because this is a perfect example of something that was blocked even though no human being could have looked at it first. It's a very important distinction to draw. When somebody says this page is blocked because it had the word bomb in it, you have to ask: does that mean it was automatically blocked by some rule that the software uses to block all pages that have bomb in the URL, or was it blocked because the company added it to their list of inappropriate URLs? In the former case it's just an accident. In the latter case it means the company is lying about what they're doing and should be that. The second example there is a page called maplesoccer.org, which is blocked by Cyber Patrol. We couldn't figure out why. We went and looked at the page. It turns out it was a youth soccer league. It had a list of teams and they were categorized under boys under 12, boys under 10. Apparently the software saw that and thought it was a child pornography site. jewishteens.com is an example of a pen pal site for Jewish teenagers, and it was blocked by another company which had apparently added all domain names that had the word teens in them to the list of inappropriate URLs. The online electronic text archive, I think the one called Wiretap, had been blocked as a criminal skill site because there's a quote on the front page, something like: if you give a person a bomb, it will explode once and then its usefulness is over, but if you give them a book, it'll keep on exploding for 20 years, 100 years, and its power will never be exhausted. And
apparently their software scanning machine saw that quote about the bomb and thought it was a criminal skill site. Another example: a psychologist had her personal homepage blocked because on the part where it said how to contact me, her phone number had the number 69 in the middle of it. I made that one up, but all the others were real. So, real history of the controversy. In 1996, that was when the Communications Decency Act passed. Actually there were some statements from groups like the American Civil Liberties Union and the Electronic Frontier Foundation that came off as sounding as if they were now in favor of blocking software, because they thought maybe if we put more restrictions on people under 18 using the internet, that will help protect the rights of people over 18. And I was actually 17 years old at that time. So peacefire.org was set up to counter that point of view, and saying you don't have to trade each watch for one group in order to protect the rights of the other. You can advocate for both at the same time. 1997, of course, the Supreme Court struck down the CDA, and some of these groups again switching sides almost immediately. The American Library Association passed a resolution against blocking software in libraries, which is still one of the most famous documents that the ALA has written in recent years.
1998, there were some court cases involving the library in Virginia, in California, that actually the ACLU and ALA sued a library that was using blocking software on grounds that it violated the First Amendment, the library's freedom of speech, right to freedom of access to information, and they won. And 1999, there's Senator McCain, who's actually running for president, has been pushing for a bill that would require all schools and libraries to use blocking software on their computers, despite a lot of the information circulating on the internet about what is wrong with these programs and how they have sort of implemented a very political agenda and made that part of how they decide to block sites. I know I told you I'd tell you how to get around firewalls and proxy servers. It's coming, it's coming. In 1996, like I said, when the controversy over the CDA was going on and people were actually talking about, groups you wouldn't expect it normally from were talking about blocking software in favorable terms. What we started out doing is putting up pages about Cybersitter and Cyber Patrol and what kind of sites were blocked by these different programs that were obviously not meeting their published criteria. Cybersitter, for example, was already known at the time. They blocked National Organization for Women and GLAAD. Cybersitter also filters out words from pages, so that the word like homosexual, if you have a page, that will just be deleted and the other words would be crowded around it. They even blocked the word fairy because it's considered slang for gay, so the word fairy will not appear on a page viewed by Cybersitter. Shortly after we posted our webpage, and at the time we did not actually start posting instructions on how to disable the software and get around them, it was just about what kind of claims they were making versus what was the reality that was blocked by these programs.
Eventually Cybersitter found out about our page and they added it to the list of pornographic sites, and they contacted the internet service provider and said, if you don't kick this guy off, we're going to add all 2,500 sites hosted by your company to our list of pornographic web pages. You know, in the neighborhood of 1.5 million users will not be able to access anything hosted by a company if you don't kick this guy off. Our ISP, fortunately, did not back down, did not kick us off, and Cybersitter, being threatened by our ISP's lawyers, did not go through with their plans to block all sites hosted by our ISP. But they did continue to block us, and they put some effort into hunting down mirrors of our sites that had been set up in protest and blocking those as well. In April 1997 we put out something called the Cybersitter code breaker, which was something that you could run on any program that had Cybersitter installed on it, and it would read in the encrypted list of the sites blocked by Cybersitter and print out a text file containing it decrypted. It turns out their encryption scheme is very simple. They just XORed every byte of the file with hexadecimal 94. So I'm sitting there looking at a hex dump of the file, 94949494, trying to think what are they doing, a copy of Applied Cryptography, for God's sake, sitting on the desk, trying to figure out what they did, hexed10pagnus??? just sitting there. Eventually, I hit on it and wrote something that would decode the file and print it out for you. Cybersitter, of course, renewed the threats of the lawsuit at that point, saying we were helping people steal their trade secrets. And in fact, in February of 1999, it looks like that is what happened. There was a company, ICQ, which was owned by AOL at the time, released a beta version of ICQ99, which had something called a family filter built into it, which would block certain words from being viewed by ICQ chat participants.
And somebody emailed me and said, did you know the ICQ filter was blocking the word peacefire? Now, why would that have anything to do with us? As it turns out, they had downloaded Cybersitter, downloaded our code breaker, run it on the list, decrypted it, and stolen it without paying Cybersitter royalties. And for a minute, it looked like Cybersitter was able to sue them for like a million dollars because of me, which would have made me really sick. But they never actually went for it. Is that a question? Yeah, okay. There was a company called clickchoice.com that AOL had actually hired to compose the list. But they apparently were not asked to see the list after this company and gave it back to them when they didn't examine it very carefully. Quickly, quickly. So in 1998, we started publishing instructions on how to get around the different programs like Cybersitter and Cyber Patrol. Of course, a lot of people now would go back and read the little articles about all the controversy over Cybersitter blocking our site. I mean, that even made PointCast on the day that it happened, and people can't understand it. Well, of course they blocked the site. Peacefire.org has instructions on how to get around Cybersitter. Why wouldn't they? And we didn't have those until 1998, which is why it sparked so much controversy when they blocked us back in 1996. But we did eventually release this information on our page, turned the front page into a parody of a blocking software marketing program called Renaissance, Innocence Preserving Software for Windows, and had instructions on how to get around all of our legislative competitive software. And of course, everybody like Cyber Patrol and Bess that did not already block our site blocked it then.
It has been gratifying to be able to gather this kind of information and publish it, because even though we don't obviously have the resources to mount any kind of lawsuits or lobbying efforts on our own, there are a lot of groups like the ACLU and the ALA that are lobbying Congress and lobbying their own member libraries not to use blocking software. And like I said, this information has been valuable to librarians, for example, that are defending their non-censored internet access policy to people who come in and say, why aren't you using blocking software? There have also been lawsuits against the library that did use blocking software. They were able to use some information from our website about what this program blocked, which proved they were not in fact reviewing all the sites on their list. And of course, this has been useful for getting around blocking software to anyone who wants to. I should point out a lot of people have been skeptical that a loosely organized group of teenagers on the internet really could have gone through and gathered information and sort of become the first of its kind of repository for this kind of information. Of course, people in this conference know that a loosely organized group of teenagers on the internet can contain satellite coordinates, but most people are a little more skeptical than that. Probably some of the reasons that this has been possible for us is, first of all, there are a lot of people that don't want to criticize blocking software for any reason, even if they're aware of the problems, such as their words being branded as somebody who does not want to protect children. We instead got branded as people who were whining because we couldn't get around blocking software, and that's still unfortunate, but it's nowhere near as bad as being accused of being a pedophile because you're an adult telling people how to get around their blocking software. Also, this is not always very rewarding work.
Usually what happens if you find out a site that's blocked by a particular company, and it takes a lot of trial and error, you have to download the software, play with it until you find something, and then what do you do? If you publish it, the blocking software company, if it's a really embarrassing mistake, they can take it off the list immediately, and then what have you proven? And then they can say, we still have a perfect record. So we got burned on that a couple of times. Nowadays what we do is, if we find a list of sites blocked by a particular program that obviously proves they're lying about what they do, we usually give it to a reporter and have them download the software and verify it first, that all these sites are blocked, and then we publish it, and then we have sort of a witness if they accuse us of lying. For a little bit of the political history behind this, last year's and these two last years took place in Loudoun County, Virginia. A library was sued for using X-Stop blocking software on their computers. The ACLU and People for the American Way filed this lawsuit and they won, and part of the testimony was about what kind of sites this X-Stop program blocks, and part of that information did in fact come from our website section on X-Stop. The other significant lawsuit last year was Livermore, California. A mother, whose name was kept secret from the press to preserve her son's identity, sued the library because they were not using blocking software and allegedly endangered her son, and she lost on the grounds that the First Amendment applies to the library, so you can't force them to use blocking software. The other controversy that exists sort of outside the whole controversy surrounding companies that make blocking programs themselves is the push for ratings on people's pages. Microsoft and Netscape browsers now both support ratings on pages, where you can set something within the browsers
that says, if this page is rated higher than a certain level, do not let it be accessed from this computer. Microsoft was a huge proponent of ratings back when their browser was the only one that supported it. Nowadays it's kind of slacked off a little because Netscape has it too, but back when they were a more serious proponent of everybody rating their pages with PICS, which stands for Platform for Internet Content Selection. It's hard to find the pages about it, because if you type pics into a search engine you get free Pamela Anderson pics and stuff like that, but the website w3.org has information about it. MSNBC, which is half owned by Microsoft, rated their site 0, 0, 0, 0, which means no sex, no violence, no language, no anything, and somebody wrote them a letter claiming this is dishonest, because they in fact did have stories on their site about violence, about rape, and they showed a body of a woman who had been killed in an accident, and they claimed this was unfair. And MSNBC sent back a letter saying, well, you know, we want as many people to access this site as possible. And the guy who sent the letter said, this is hypocrisy, they are applying a different standard to themselves. And this is actually where support for something called the RSAC News rating exemption proposal came from, where news sites were saying we'll have a different standard for ourselves. But this was eventually turned down, because a lot of web journalists protested that it was unfair that some centralized bureau would have the power to decide what constitutes a natural news site or not. Here we go, getting closer. A lot of countries like China and the United Arab Emirates do use blocking programs at the national level. China has what they call the Great Firewall of China. It's around the country, from which you cannot access certain websites, like CNN for example, and also Playboy. UAE, I don't think, blocks CNN, but they do block Playboy and other sexually explicit sites.
Australia has just passed legislation requiring ISPs to censor incoming traffic from pornographic websites, but the guy who got it passed has just been kicked out of office, so the law is sort of there and might be overturned. But remember, even though you wouldn't think of places like Australia as being a police state, they have no First Amendment like we do in the US, so you can't take it to the Supreme Court and overturn it like we did with the Communications Decency Act. You have to rally public support against it. Myanmar has got so sick of the whole thing they banned ordinary citizens from running modems. Summer of 1998, write this down. This is the biggest font I used in the entire presentation. You have to remember this. I did not do it. I was supposed to be sharing this presentation with another guy who couldn't make it. He's Brian Ristuccia, and probably if I had been doing this presentation with him we would have gotten to his slides sooner and spent less time on mine, but he didn't show up, so I spent a lot of time on my side, his artworks. This is a proxy server that can be used for getting around firewalls and proxies, unless of course your firewall or proxy blocks it, which is what the rest of this presentation is about solving a problem of. This will be the download page of this, and it will rewrite each URL so that the original URL is replaced with the one that goes through this server instead. How do you communicate, how do you get to this website without the intermediate firewall or proxy detecting you? First of all, if you want to have a sort of covert communications channel between yourself and a proxy server outside your network, you cannot rely on things like cookies or the browser's self-identifying string to contain your secret information, because the proxy server between you and the outside world can strip that information out very easily.
You also can't have URLs that are too long, hiding lots of data, because anyone who's accessing a large number of long URLs in the world is going to arouse suspicion. What Bruce and I were talking about yesterday, steganography only works if you don't deviate from your usual pattern at all, and that's only necessary if you're talking about a situation that's so draconian that just the fact that you are using encryption is enough to get you in trouble. You mentioned in China, well, school is another place. Well, that's true. As for the downloaded information that you want your proxy on the outside to send back to you, it's a little easier to hide that data, because it can be hidden in something like an image, which the intermediate censoring proxy is not smart enough to examine to determine whether it's real data or not. So downloads can be encrypted inside of a binary image. Also, if you wanted to pass more information to the outside proxy about what you want to see, you can also use requests for images to send more data at a faster rate. Oh, I'm skipping this one. The problem is that, like I said, the firewall proxy administrator can block that URL in .978.org, so you want to have lots of mirror sites, which the proxy and firewall administrators cannot block them all, and it becomes an interesting problem. How do you distribute URLs for the mirrors to your friends without them falling into the hands of spies for the censorware companies, which would get these URLs reported to the people who make the blocked site lists? Well, let's say that you know that if the people are coming to you asking for a mirror location, the proportion of those who are spies working for a blocking software company is about P. So if 100 people come to you, P times 100 of them are spies for blocking software companies. If P is .2, then at least 20 of those people are spies. And let's make the simplifying assumption that you can only give one mirror to each person.
Well, let's say you give a mirror location to N people. You want to maximize the expected number of legitimate users which will have access to that mirror. Well, if you give it to more people, more people have access to it but if you give it to too many people, it becomes very likely that one of them is going to be a spy and is going to get you blocked. So if you give it to N people, the probability that they will all be legitimate users is one minus P to the power N. And of course, if they're all legitimate users, then all N of them will have access. If only one of them is a cheater, then none of them will have access. So you want to give the mirror to N users where N maximizes the expression N times one minus P to the power N where P is the proportion of users that are known to be spies. In the real world, those are simplifying conditions that don't apply. Each user can give you more than one mirror. You can give multiple mirrors to a person if you want them to be in case one of them gets shut down but of course if that person is a spy, giving them more than one mirror will result in even more being blocked. And also, you can give out the new URLs every week and you can use data from past handing out of URLs to determine who got the URLs blocked who is more likely to be a spy. And this is a really complicated mathematical problem actually and the ultimate problem is to maximize the proportion of legitimate users coming to you that will have access to at least one uncensored mirror given that if someone is a spy, they can get it blocked but you can use that information in multiple rounds to determine who is most likely to be a spy. For more information about all this, you can visit any of these websites on the screen or email me at that address. I don't know if we can take, if we have time to take two or three questions from the audience. Okay, if you want to ask a question, you have to raise your hand in the first round after. 
Okay, anyone who doesn't have their hand up after the first 10 seconds, I guess we can't take more than one question than people have at the very beginning. What? I don't know. Who's speaking next? Who has a schedule? Well, let us know first by David Gardner. Are you in the room? Okay, but I guess we can answer questions until the person gets here and speaking next. Thank you.
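The XOR scheme described in the talk (every byte of the list file XORed with hexadecimal 94, visible as runs of 94949494 in a hex dump) is illustrated below as an added example that is not part of the original presentation and is not the code breaker itself. The record layout, the entries and all function names are constructed for illustration; the point it shows is that NUL padding in a single-byte XOR file exposes the key as the most frequent byte.

```python
from collections import Counter

RECORD_LEN = 32  # constructed layout: fixed-width records, NUL padded


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with the same one-byte key (encoding == decoding)."""
    return bytes(b ^ key for b in data)


def build_sample(key: int = 0x94) -> bytes:
    """Constructed sample file: three made-up entries, padded, then XORed."""
    entries = [b"example-one.test", b"example-two.test", b"sample.invalid"]
    plain = b"".join(e.ljust(RECORD_LEN, b"\x00") for e in entries)
    return xor_bytes(plain, key)


def guess_key(blob: bytes, assumed_plain: int = 0x00) -> int:
    """The most frequent ciphertext byte is the key XOR the most frequent
    plaintext byte; with NUL padding that plaintext byte is 0x00, so the
    key appears in the hex dump unmodified."""
    most_common, _count = Counter(blob).most_common(1)[0]
    return most_common ^ assumed_plain


def printable_ratio(data: bytes) -> float:
    """Share of bytes that are NUL padding or printable ASCII."""
    ok = sum(1 for b in data if b == 0 or 32 <= b < 127)
    return ok / len(data)


def recover_records(blob: bytes):
    """Guess the key, decode, sanity-check the result, split into records."""
    key = guess_key(blob)
    plain = xor_bytes(blob, key)
    if printable_ratio(plain) < 0.95:
        raise ValueError("decoded data is not text; padding assumption failed")
    records = [
        plain[i:i + RECORD_LEN].rstrip(b"\x00").decode("ascii")
        for i in range(0, len(plain), RECORD_LEN)
    ]
    return key, records


if __name__ == "__main__":
    blob = build_sample()
    print(blob[:RECORD_LEN].hex())  # the tail of the record is 94 repeated
    print(recover_records(blob))
```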
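The group-size calculation from the end of the talk, worked through as an added example that is not part of the original presentation. It keeps the talk's simplifying assumptions (one mirror per person, any spy in a group gets that mirror blocked); the function names, user and mirror labels and the sample round are constructed. The last function goes one step beyond the talk's formula and applies a single Bayesian update to the suspicion of each user after one round.

```python
from fractions import Fraction
from math import prod


def expected_reach(n, p):
    """Expected number of legitimate users who keep access when one mirror
    is given to n people: n * (1 - p)**n, the expression from the talk."""
    return n * (1 - p) ** n


def best_group_size(p, limit=10_000):
    """Smallest n that maximises n * (1 - p)**n.

    f(n+1)/f(n) = (1 + 1/n)(1 - p), so f rises while n <= 1/p - 1 and falls
    afterwards; when 1/p is an integer, n = 1/p - 1 and n = 1/p tie.
    """
    if not 0 < p < 1:
        raise ValueError("p must be strictly between 0 and 1")
    best = 1
    for n in range(2, limit + 1):
        if expected_reach(n, p) > expected_reach(best, p):
            best = n
        elif n > 1 / p:  # past the peak, f only decreases
            break
    return best


def update_suspicion(priors, groups, blocked):
    """One round of evidence. priors: user -> P(spy); groups: mirror -> users
    who received it; blocked: set of mirrors that ended up on a block list.

    Exact when the priors are independent (the first round). Feeding the
    output back in for later rounds is only an approximation, because users
    who shared a blocked mirror are no longer independent.
    """
    posterior = dict(priors)
    for mirror, members in groups.items():
        if mirror not in blocked:
            # Under the talk's assumption a spy always reports, so an
            # unblocked mirror clears everyone who held it.
            for user in members:
                posterior[user] = Fraction(0)
            continue
        p_any_spy = 1 - prod(1 - priors[u] for u in members)
        if p_any_spy == 0:
            raise ValueError(f"{mirror} blocked but no member could be a spy")
        for user in members:
            # P(spy | blocked) = P(spy) / P(at least one spy in the group)
            posterior[user] = priors[user] / p_any_spy
    return posterior


if __name__ == "__main__":
    p = Fraction(1, 5)  # the talk's P = .2
    n = best_group_size(p)
    print(n, float(expected_reach(n, p)))
    # Constructed round: eight users, two mirrors, one mirror gets blocked.
    users = [f"u{i}" for i in range(8)]
    priors = {u: p for u in users}
    groups = {"mirror-a": users[:4], "mirror-b": users[4:]}
    print(update_suspicion(priors, groups, {"mirror-b"}))
```

With P = .2 the best group is 4 or 5 people (a tie), and on average only about 1.64 legitimate users per mirror keep access, which is why the talk moves on to multiple mirrors and multiple rounds.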