So if I haven't already ranted at you in some way shape or form, you may not know of the Australian government's short-sighted plan to add us to the ranks of oppressive regimes such as Iran and China. In fact that is unfair as Iran's proxy is considered to be looser than the one Senator Conroy wants to implement.
The long and short of it is that Conroy wants to restrict what pages are available to Australian internet users. Sure it is for the kids (won't someone think of the children)… But as I have said to people I would rather my children see the entirety of the disgusting underbelly of the internet than have one single thought provoking site blocked. Not to mention the degradation to performance in a country that is already considered one of the worst in the world for connectivity. In Sweden groups appealed to the government saying 100mbps is welfare. Here most people are still on 1/200th that speed, and with Conroys plan that 1/200th would lose anywhere from 2-80% of its speed, welcome back to dial-up days.
There are a plethora of sites that are likely to be blocked because they aren't "kid" friendly. June next year you will probably see the below when going to user content generated sites such as Youtube and Facebook:

Here is a news flash senator; kids get hold of porn even if you restrict it, even in the pre-internet days. So what your doing will only have negative effects. Parents with no IT knowledge will have a false sense of security and not monitor their kids browsing habits, these same kids will find ways round your precious filter, and these methods that will become popular may even make it harder for parents and educators to monitor their usage.
The filter will slow down internet access and again the people with little IT knowledge will have no idea how to get around it for legitimate sites that are blocked. Then there is the cost which you are expecting ISP's to mostly cover off their own bat, which will increase internet costs in a country that already pays too much for too little.
Way to go Senator you deserve your award:

I feel lost; I don't know what to do. I feel as though someone has decided freedom of information is a bad idea, so let's mandate it. Then what do you do. Once the book burning starts it is hard to stop.
I have emailed the Senator and his opponents, and the letters are in the mail.
I urge everyone to look at the following sites and take action: http://nocleanfeed.com your silence is all they need to pass this and then you are no better than them.
Peace out all, except Conroy and his supporters who can just unplug their computers, televisions, and burn their books for the same effect they are trying to mandate.


PS: I am starting up a dedicated security Blog as I want to separate the two, this of course crosses both blogs so expect to see it on both. My new Security blog is linked on the left or here: http://security.morganstorey.com

Labels: Australia, Conroy, Kids, Politics, Security

On the way back from a very interesting an informative Microsoft Security Summit the other day and I noticed something that caught my eye.
Too many people concentrate on the hardware and software, and leave gaps. Gaps in the physical security, or gaps in the training of staff.
This photo shows off both.

Seems a cleaner at the train station near me had left the door open to the area that she kept her cleaning supplies, the same area that had a rack with server, fibre switch, ethernet switch, patchpanel and other miscelania. Whats that you spy, yep the rack door is unlocked too. Click click and a bad guy is on the network, just plug in a wireless router and see what traffic you can capture, doesn't matter if this network is firewalled the best in the world, or even airgapped, game over.
Back on the security conference I attended it was very interesting, it was all covered under an NDA, except the bit at the end which I already talked about. I am starting a security group in Sydney, sponsored by Microsoft. So Jeff Alexander let everyone know, I had a heap of business cards handed over for people that wanted to be kept in the loop, it is very exciting that we have this much interest already.
Well Peace out all, and please lock your racks and don't put them in a room with a sink for the cleaner to use.

Labels: microsoft, Security, wanderings

So I had a chat with Jeff about starting up a Security group in Sydney similar to counterparts in Canberra,Melbourne, and Brisbane.
It is really a great opportunity and I have been looking for a security group in Sydney for years now, making do with going to security topics at other groups. I don't think it will detract from these other groups just expand on the security theme, going places other groups may not want to go as they are too focussed.
I'd like to get some comments here on what people would like to see and what night etc, but people rarely comment on my blog. So I will setup a site for the group shortly and we can duke it out there.
Peace out all.

Labels: group, Security

More on DNS I know. May as well be another person beating a dead horse. But I give you pretty: http://www.doxpara.com/?p=1206
It is a video of the patched and not patched world wide. It intrigues me that there is a blinking light on the map of Australia about 3 hours north of Adelaide, I doubt it is Alice Springs, to south, maybe Coober Peadie if my geography serves.
Onto some more supposition by me (mainly in reply to Dan [the guy who discovered the Researched the DNS flaw] here);
I agree with what has been said, that we need more security on an inherintly in-secure network. But some (percieved) anonymity and some plain text is good, and what the internet is all about.
Could you imagine every site moving to https, for starters what is the point, who needs to read my blog through an encrypted channel? Really why, I don't really have any direct post functionality, and only a handful of readers, it is not like I am directing them to blindly do anything either.
Onto DNS, I was thinking the other day of another way to fix the issue. Deploy a port knocking technique on the reply based on the query, so that ports would have to be knocked in the correct order on the DNS server pre accepting back the lookup. Similar to the way a person gets into a safe, knowing the numbers isn't good enough you need to know the sequence. This would stop NAT being an issue as the DNS server can make the request out on all ports getting an auto map back on these ports. And would be more secure as the attacker would have to guess the right ports to knock on the way back, or read the request and then generate the reply and reply back, but if they can do that they are already in the middle and its game is over.
What do you think?
Peace out all, especially Dan, good job.

Labels: DNS, Security

So as I said, and the original discoverer Dan said, it was just a patch. Not a fix, not a be-all and end all solution. A temporary patch. We already know some nat devices break the patch's fix. But from the looks here and here it can be broken. The first link even details how, but there is a caveat. It is not easy, and a lot of bandwidth with low latency is required.
The first article explains how they did it over Gige in 10 hours. So most DNS servers that are doing resolves for clients, are probably not even on 20mbs of bandwidth, and latency 10+ times that of ethernet, not including the clients themselves causing some load. So you could say it would take 10+ times longer to do this over the internet, so 100hours. Someone will hopefully notice at around hour 20… But it isn't that simple, what if some baddie hits a server with a mere 100 clients... (Most botnets are 10 times this size). Chaos again. We need a better fix. I mentioned before some kind of signed DNS, I am the first to admit I have gaps in my knowledge as I have never heard of DNSSEC, now I that have listened to the Blackhat talk I have heard about it. I had a quick look at wikipedia and the official site and it is interesting. Of course windows servers only support it as a secondary, also the glaring-hole of non NSEC3 servers allowing enumeration of sites is just plain silly. Seriously just hash The users request domain “Not Found” and add it to the RFC, done.
I think it should include the option for encrypting replies, may as well, could be useful for higher secure organisations.
This is a very real and very now threat, there are at least two pieces of software out there to attack it, one being the very good, but very newbie friendly metasploit.
Well I am pretty much just re-iterating and expanding on my comments on darknet but there you go.
Peace out all.

Labels: DNS, Security