| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
|
|
|
|||||||||||||||||||||||||||||||||
|
Description of filter system Von Alvar Freude, Dragan Espenschied; Translation by Trixy Gawe, 03.04. 2001, 07:36:20 |
||||||||||||||||||||||||||||||||||||
|
|
||||||||||||||||||||||||||||||||||||
|
[1] See also  »standardisation of censorship« (german) |
In order to prove that the Internet ist not »naturally« a free media, but one in which hierarchys and power structures can be pictured and created,[1] we notelessly manipulated the network at our academy, the  Merz Akademie. At the same time we wanted to verify if the fear of Filter-Systems actually is justifiable, how fast the manipulation is detected and with how much effort filtering would be feasible. |
|||||||||||||||||||||||||||||||||||
|
With a self-developed filter Software it was possible for us to record almost any websites visited by students, and to change all web topics at will.
1.  The filter software
Exacting specification of functioning and facilities of our software 2. Changing of network architecture
How we were able to route all web access through our software, unnoticed 3. Manipulations and reactions
Temporary drain of the experiment, exacting specification of the conducted manipulations and students reactions on it. 4. Collected e-mails
Three mails concerning the experiments uncovering (german) Our speculation that the manipulation would hardly be noticed and accepted uncritically has mostly been validated. Universally tolerated unawareness does not support the ability of criticism, but the acceptance of sanctions from »above«. More about this in »Filter/Zensur/Kontrolle«. |
||||||||||||||||||||||||||||||||||||
|
The Proxy |
||||||||||||||||||||||||||||||||||||
|
[2] Exacting explanation about Proxy:  »What is a proxy server?«[3] How we did that you can read in »Changing the network structures« |
Our filter-software is based on a proxy server[2] with which we rerouted all web access unnoticed.[3] As our basis we used Apache Webserver, and modulated it over the optional integrated interface mod_perl about the programming language Perl to our needs.
For administration we provided our system with a web surface. It was our aim to posess a host system, reachable from every computer, that should possibly shut out maloperations by ourselfs and from where we would be able to realize any needed procedures. |
|||||||||||||||||||||||||||||||||||
|
The monitoring tool |
||||||||||||||||||||||||||||||||||||
|
[4] For experts: the IP-adresses of the user and contents of post-requests are not saved in our summary-database, the content of POST-requests is not recorded anywhere [5] Whereas the official proxy server of Merz Academy is trying to find out the users identity using the Ident-protocol and saves it with every invoiced document, this is very critical concerning data protection. The network administrators didn't answer our request for information about this subject. |
To reach the aim – manipulating the websites invoked by students of our academy – we primarily had to find out, which websites are popular at all. For this purpose the proxy records all web inquiries and enters it in a data base. We attach importance to not collecting personal data.[4][5]
|
|||||||||||||||||||||||||||||||||||
|
||||||||||||||||||||||||||||||||||||
|
Different kinds of filtering |
||||||||||||||||||||||||||||||||||||
|
[6] The URL-adress of a document is, in addition to (hardly to see through) digital signatures, the only real proof for its authenticity and is used as an authenticity certificate in the domain of art (Olia Lialina: »Location = Yes« at teleportacia); the control over the URL is the most remunerative starting point for falsifications in the web.[7] We took the Blast-Engine from our project Assoziations-Blaster[8] Introduction to HTML: »Selfhtml« by Stefan Münz |
The great difference between the invoiced sites was getting to us at first, but soon trends arose for web based freemail services, search engines, design sites, students' own projects and download sites.
We evolved six different filter techniques, as flexible as possible and kept generally, to reach every wanted effect through a combination of those:
|
|||||||||||||||||||||||||||||||||||
| Conditions can be assigned to any filter concerning its termination, e.g. in subjection to the called up domain or file or any other suppositions like version of the Browser, daytime etc. ... | ||||||||||||||||||||||||||||||||||||
|
Center of filtering |
||||||||||||||||||||||||||||||||||||
For fast and easy administration we divided the surface into three levels:
|
||||||||||||||||||||||||||||||||||||
|
Protocol of manipulated sites and user entries |
||||||||||||||||||||||||||||||||||||
Naturally we had to be able to verify if the manipulations created by us would make an impact:
|
||||||||||||||||||||||||||||||||||||
|
||||||||||||||||||||||||||||||||||||
|
Relationship of effort / resulting |
||||||||||||||||||||||||||||||||||||
|
[9] our proxy was running on a rather small PentiumII with 350 MHZ and 320 MB central memory, together with the highly frequented Assoziations-Blaster and other projects[10] For example: SmartFilter by Secure Computing and their Whitepaper »Education, the Internet, and SmartFilter: A Balanced Approach of Awareness, Policy, and Security«[11] For example see Stefan Krempl: »The big filter offensive« in Telepolis (September 1999)[12] See Michael Zielenziger: »In Philippines, Net is divine« in Mercury News (Dezember 2000) |
Although our tools don't offer everything you can think of concerning effectivity and comfort we have created the vital elements of a variable monitoring- and manipulating-system:
Networks in the size of a school are, in the United States, a market for filter systems[10], it is thought to do forced filtering at schoold in germany too.[11] The catholic church is using a forced proxy on the Philippines already.[12] *Our system even goes beyond the simple blocking of adresses, as it is practised until now. Through the manipulation of existing contents and adresses the illusion of a free net is still remaining. See also Progression of the experiment.* |
|||||||||||||||||||||||||||||||||||
|
Creation of a new netjoint |
||||||||||||||||||||||||||||||||||||
|
To win effective control over the data-traffic of the web, a central junction in the in-house network had to be occupied. (About the experiments background: »The Experiment«, »insert_coin«) |
||||||||||||||||||||||||||||||||||||
| The processor used for connecting the seperate workstation computers with the internet is the Firewall. However, this is under absolutely administration of the technical assistants. So we had to reroute the information flow in a way that the students server would switch itself between the Firewall and the workstation computers. | ||||||||||||||||||||||||||||||||||||
|
Changing of Netscapes preferences half-automatically |
||||||||||||||||||||||||||||||||||||
| The workstation computers are, with few exceptions, Macintosh-systems. The operating system, in the used version, does not provide reasonable safety against manipulation, e.g. like explicit rights to write for several users. The used system program MacAdmin doesn't allow to defend the parts of the systems-preferences we needed against changing without making work at such a computer impossible. The few left pc systems (with the expection of our workstation) use Windows 98 for operating system which also doesn't provide any safety against manipulation. | ||||||||||||||||||||||||||||||||||||
| Most students use Netscape Communicator or Navigator as Browser. Indeed this offers independent adjustments for several users, but they are locally safed on the computers and therefore are freely accessible. There is the possibility to safe the users profile manually, in the private »Home«-index on the fileserver, and to provide it against general access. But this possibility is not used, for it is complicated, and the students hardly make personal adjustments. | ||||||||||||||||||||||||||||||||||||
| Netscape safes its preferences on the Macintosh in Systemfolder:Preferences:Netscape Users:, in the folders, named clearly after the single users, there is a file »Netscape Preferences«. Under Windows 98, Netscape puts this identical built file in the folder »Users« in the family index of the program. They are easily found by automatic searchfunctions. | ||||||||||||||||||||||||||||||||||||
| The wanted configuration files from Netscape are in ASCII-format. Therefore it was easily possible to write a programm named »Profile-Blaster« for automatic manipulation of the Browser preferences. We started this program out of our network indexes on every computer, and immediately the preferences of every local Netscape user were changed in a way that every web-access was routed over our server. User profiles, that were supervened or changed by time, didn't make big administration effort for we had the Profile-Blaster. | ||||||||||||||||||||||||||||||||||||
| When there was Internet Explorer installed on a computer at the same time, we had to re-adjust the preferences of the Browsers manually. | ||||||||||||||||||||||||||||||||||||
|
[13] Exacting explanation on proxy: »Things worth knowing about Proxy Caches« by Jens Elkner[14] The academy's proxy on the firewall indeed sometimes hat massive perfomance problems, seemingly the amount of data was too much and acess times became anguishing slow. While our self developed filter was able to analyse and manipulate every data packet even on a quite slow Hardware, the mere split-lot transfer of data was too much for the officiell proxy, so we switched it off interim. |
The Browsers were configurated in a way that they used the students server as proxy. Among other things, the task of a proxy is latching data requested from the Internet in the in-home network, so that they are faster available on a new fetch. [13] For perfomance reasons we leave this task to the academy's firewall. The student server receives the requests of the workstation processors, requests the wanted data from the firewall and manipulates it before it is send to the workstation computers. [14]
In the Browsers preferences we stated the internal IP-Number of the student server as proxy adress, not its name student.merz-akademie.de or the short variant »student«. The IP-Number (192.168.1.37) differs only in two numerals from the IP-Number of the Firewall (192.168.1.1) and therefore is hardly to detect. |
|||||||||||||||||||||||||||||||||||
|
A new level of hierarchy |
||||||||||||||||||||||||||||||||||||
|
[15] subtle hackers would laugh away |
Within an already existing net it was now possible to insert a new level of hierarchy. If the cabling of the single computers, as seen from the central computer, was organized in traces or starlike (the network was reconverted respictevely at the start of term), didn't matter. – That the computer we used normally is used as a (Web-)server also was no precondition. Any desired computer, associated to the home network, would have been able to fulfill this task with adequate software.
This manipulation is one example, and even a very simple[15], how hierarchies in the net can be changed. With other means, e.g. the integration of a filter software in the Router, the compulsory use of special proxys or the manipulation of news- or E-mail-services one can create, with more effort, even far reaching hierarchies. |
|||||||||||||||||||||||||||||||||||
|
The interesting question is: who has the possibility and the interest to make such manipulations? Although quite extensive technical knowledge is needed for a manipulation and also for its avoidance, automatically a dependence of persons or institutions origins, who do the technical work. Several interests, embodied in efforts for filters we specify in the chapter »Filter/Zensur/Kontrolle«.
Onwards to the specification of with the filter proxy realized manipulations |
||||||||||||||||||||||||||||||||||||
|
The Academy's situation |
||||||||||||||||||||||||||||||||||||
|
The Merz Akademie is a private, national accepted academy for | ||||||||||||||||||||||||||||||||||||
