[AusNOG] census issues tonight

Wed Aug 10 12:22:13 EST 2016

I do remember pointing out at the time that the current legislation
requires that all DOS traffic be logged.

Kind regards

Paul Wilkins

On 10 August 2016 at 12:19, David Beveridge <dave at bevhost.com> wrote:

> Maybe they're trying to spell out the need for data retention.
>
> On Wed, Aug 10, 2016 at 12:16 PM, Paul Wilkins <paulwilkins369 at gmail.com>
> wrote:
>
>> Is anyone aware of a successful prosecution ever for a DoS? I'm curious,
>> because the chain of evidence simply won't be available. At the attacked
>> site, you'll have records, maybe that pass evidentiary rules, but trace
>> that back to the source?
>>
>> Also the nature of the internet is that any TCP handshake is a request
>> for service. It's not quite clear where multiple requests for service
>> repeated rapidly is an attack, or even an attempted attack, but arguably
>> only multiple requests for service. It's a fundamental problem with the
>> internet infrastructure that any response from an open port is arguably an
>> invitation to communicate. There's no discrimination on purpose, and
>> proving criminal intent would be awkward. This is why I would think the
>> successful prosecutions there have been have been where DOS have been
>> accompanied by demands with menace, which is a different legal standard.
>>
>> Kind regards
>>
>> Paul Wilkins
>>
>>
>> On 10 August 2016 at 11:56, paul+ausnog at oxygennetworks.com.au <
>> paul+ausnog at oxygennetworks.com.au> wrote:
>>
>>> Consider precedent to be set !
>>>
>>>
>>>
>>> In the case of the ABS versus an unknown attacker……we find the attack to
>>> be an attempt, not an attack, you’re clear !
>>>
>>>
>>>
>>> Paul
>>>
>>>
>>>
>>> *From:* James Troy [mailto:james.troy at asta.com.au]
>>> *Sent:* Wednesday, 10 August 2016 11:48 AM
>>> *To:* James Braunegg; paul+ausnog at oxygennetworks.com.au; 'Daniel';
>>> ausnog at lists.ausnog.net
>>> *Subject:* RE: [AusNOG] census issues tonight
>>>
>>>
>>>
>>> So for anyone who is bought up on hacking charges in the next 12 months
>>> their defence can be “It’s not an attack, it was an attempt and therefore
>>> should not be classified as an attack”
>>>
>>>
>>>
>>> Kind Regards,
>>>
>>> *James Troy*
>>>
>>>
>>>
>>> *From:* AusNOG [mailto:ausnog-bounces at lists.ausnog.net
>>> <ausnog-bounces at lists.ausnog.net>] *On Behalf Of *James Braunegg
>>> *Sent:* Wednesday, 10 August 2016 11:44 AM
>>> *To:* paul+ausnog at oxygennetworks.com.au; 'Daniel';
>>> ausnog at lists.ausnog.net
>>> *Subject:* Re: [AusNOG] census issues tonight
>>>
>>>
>>>
>>> Meh when is an attempt an attack… durrr if you attempt something your
>>> attacking something…. And the service was denied at the end of the day… and
>>> the attack was completed by the ABS turning the site off…
>>>
>>>
>>>
>>> Gota love Australia ! Aussie Aussie Aussie Oi Oi Oi
>>>
>>>
>>>
>>> Kindest Regards
>>>
>>>
>>>
>>>
>>> *James Braunegg**P:*  1300 769 972  |  *M:*  0488 997 207 |  *D:*  (03)
>>> 9751 7616
>>>
>>> *E:*   james.braunegg at micron21.com  |  *ABN:*  12 109 977 666
>>> *W:*  www.micron21.com/ddos-protection   *T:* @micron21
>>>
>>>
>>>
>>> Follow us on Twitter <http://www.twitter.com/micron21> for important
>>> service and system updates.
>>>
>>> [image: M21.jpg]
>>>
>>>
>>> This message is intended for the addressee named above. It may contain
>>> privileged or confidential information. If you are not the intended
>>> recipient of this message you must not use, copy, distribute or disclose it
>>> to anyone other than the addressee. If you have received this message in
>>> error please return the message to the sender by replying to it and then
>>> delete the message from your computer.
>>>
>>>
>>>
>>> *From:* AusNOG [mailto:ausnog-bounces at lists.ausnog.net
>>> <ausnog-bounces at lists.ausnog.net>] *On Behalf Of *
>>> paul+ausnog at oxygennetworks.com.au
>>> *Sent:* Wednesday, 10 August 2016 11:40 AM
>>> *To:* 'Daniel' <satellite at internode.on.net>; ausnog at lists.ausnog.net
>>> *Subject:* Re: [AusNOG] census issues tonight
>>>
>>>
>>>
>>> What a load of crap LOL, I love seeing people who know nothing about
>>> what they are talking about try and talk about it, it’s good for a sitcom
>>> or 2….
>>>
>>>
>>>
>>> It wasn’t an attack, it was just an “attempt” ROFL
>>>
>>>
>>>
>>> Paul
>>>
>>>
>>>
>>> *From:* AusNOG [mailto:ausnog-bounces at lists.ausnog.net
>>> <ausnog-bounces at lists.ausnog.net>] *On Behalf Of *Daniel
>>> *Sent:* Wednesday, 10 August 2016 11:34 AM
>>> *To:* ausnog at lists.ausnog.net
>>> *Subject:* Re: [AusNOG] census issues tonight
>>>
>>>
>>>
>>> The relevant minister (Michael McCormack) has released a statement
>>> blaming DDoS in combination with a router hardware failure:
>>>
>>>
>>>
>>>
>>>
>>> “There was a large scale denial of service attempt to the census website
>>> and online form. A denial of service is an attempt to block people from
>>> accessing a website. Following, and because of this, there was a hardware
>>> failure,” he said.
>>>
>>>
>>>
>>> “A router became overloaded. After this, what is known as a false
>>> positive occurred. This is essentially a false alarm in some of the system
>>> monitoring information. As a result the ABS employed a cautious strategy
>>> which was to shut down the online census form to ensure the integrity of
>>> the data already submitted was protected.
>>>
>>>
>>>
>>> “I will be clear from the outset, this was not an attack. Nor was it a
>>> hack but rather, it was an attempt to frustrate the collection of bureau of
>>> statistics census data. ABS census security was not compromised. I repeat,
>>> not compromised and no data was lost.”
>>>
>>>
>>>
>>>
>>>
>>> http://www.theaustralian.com.au/national-affairs/census-2016
>>> -website-crashes-under-weight-of-demand/news-story/1febee892
>>> e1ab043c0e7682c7a3485a4
>>>
>>>
>>>
>>> (paywalled)
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>> *From:* AusNOG [mailto:ausnog-bounces at lists.ausnog.net
>>> <ausnog-bounces at lists.ausnog.net>] *On Behalf Of *Andy Taylor
>>> *Sent:* Wednesday, 10 August 2016 10:57 AM
>>> *To:* 'Nathanael Bettridge' <nathanael at prodigy.com.au>; 'Robert Hudson'
>>> <hudrob at gmail.com>; 'Michael Keating' <mkeating44 at gmail.com>
>>> *Cc:* ausnog at lists.ausnog.net
>>> *Subject:* Re: [AusNOG] census issues tonight
>>>
>>>
>>>
>>> I noticed last night before the system crashed completely the following
>>> error:
>>>
>>>
>>> “status -1 code 101”
>>>
>>>
>>>
>>> I don’t know much about .jsp, but it appears that this was an issue with
>>> the header?
>>>
>>> Is it possible that this was a layer 7 attack that was being implemented?
>>>
>>>
>>>
>>> A *status code* of *101* indicates that the server is changing to the
>>> protocol it defines in the "Upgrade" header it returns to the client. For
>>> example, when requesting a page, a browser might receive a statis *code*
>>>  of *101*, followed by an "Upgrade" header showing that the server is
>>> changing to a different version of HTTP.
>>>
>>>
>>>
>>> Andy Taylor
>>>
>>> *Technical Director*
>>>
>>>
>>>
>>> 0424 656 973
>>>
>>>
>>>
>>> [image: ca_logo]
>>>
>>>
>>>
>>> www.coastalaudio.com.au
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>> *From:* AusNOG [mailto:ausnog-bounces at lists.ausnog.net
>>> <ausnog-bounces at lists.ausnog.net>] *On Behalf Of *Nathanael Bettridge
>>> *Sent:* Wednesday, 10 August 2016 10:53 AM
>>> *To:* 'Robert Hudson' <hudrob at gmail.com>; 'Michael Keating' <
>>> mkeating44 at gmail.com>
>>> *Cc:* 'ausnog at lists.ausnog.net' <ausnog at lists.ausnog.net>
>>> *Subject:* Re: [AusNOG] census issues tonight
>>>
>>>
>>>
>>> The validity of the data is suspect. Users in bad moods submitting info
>>> that would otherwise be trustworthy, partially completed surveys, I’m sure
>>> thousands of households that will now fall through the gaps, the spreading
>>> out of census data over a much longer than normal time frame – as a
>>> statistical snapshot the Census is effectively ruined.
>>>
>>>
>>>
>>> *From:* AusNOG [mailto:ausnog-bounces at lists.ausnog.net
>>> <ausnog-bounces at lists.ausnog.net>] *On Behalf Of *Robert Hudson
>>> *Sent:* Wednesday, 10 August 2016 10:44 AM
>>> *To:* Michael Keating <mkeating44 at gmail.com>
>>> *Cc:* ausnog at lists.ausnog.net
>>> *Subject:* Re: [AusNOG] census issues tonight
>>>
>>>
>>>
>>> Why is it safe to say that the stored data is OK? What evidence do we
>>> have to support that belief?
>>>
>>>
>>>
>>> On 10 Aug 2016 9:52 AM, "Michael Keating" <mkeating44 at gmail.com> wrote:
>>>
>>> I think the point being made, was that the distrust of the Census has
>>> been increased with the failure of the website, and the mainstream media
>>> taking the 'hacking' angle. It's safe to say the stored data is ok, but
>>> there are millions more submissions to go. If people think it was 'hacked',
>>> they won't give a truthful answer for fear of their information being
>>> stolen (which we know, it won't). More of a general observation than a
>>> technical observation (which I do agree with).
>>>
>>>
>>>
>>> On Wed, Aug 10, 2016 at 9:26 AM, Mark Andrews <marka at isc.org> wrote:
>>>
>>>
>>> In message <c7617127-36a9-f5dc-894e-727a6700e016 at spectrum.com.au>, Matt
>>> Perkins writes:
>>> > If you ask me the dataset is now terminally compromised. This is
>>> > essentially market research and peoples ability to answer that sort of
>>> > stuff truthfully goes to how much the person doing the servery is
>>> > trusted. With the ABS spouting stuff like Attack from overseas, people
>>> > are very unlikely to tell the truth on this census.
>>> >
>>> > Fellas you blew it.  Cancel the census reschedule for next year and
>>> send
>>> > out paper form's Your collective uselessness just put us back 5 years.
>>> >
>>> > Matt
>>>
>>> A DoS attack does not make the dataset compromised.
>>>
>>> Having too small key space does.  1/100000 is not a big space for
>>> computers to search through.  It's only ~20 bits of security.  A
>>> extra 4 digits would have raised it to ~30 bits.  A extra 8 digits
>>> would have raised it to ~43 bits.  Entering 5 x 4 digit sequences
>>> is not hard.  We do 4 x 4 + 3 for every visa / mastercard transaction
>>> we do online today.
>>>
>>> Mark
>>> --
>>> Mark Andrews, ISC
>>> 1 Seymour St., Dundas Valley, NSW 2117, Australia
>>> PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
>>>
>>> _______________________________________________
>>> AusNOG mailing list
>>> AusNOG at lists.ausnog.net
>>> http://lists.ausnog.net/mailman/listinfo/ausnog
>>>
>>>
>>>
>>>
>>> _______________________________________________
>>> AusNOG mailing list
>>> AusNOG at lists.ausnog.net
>>> http://lists.ausnog.net/mailman/listinfo/ausnog
>>>
>>> ------------------------------
>>>
>>> *Total Control Panel*
>>>
>>> Login <https://antispam.avgcloud.net/login?domain=prodigy.com.au>
>>>
>>> To: nathanael at prodigy.com.au
>>> <https://antispam.avgcloud.net/address-properties?aID=1106235830&domain=prodigy.com.au>
>>>
>>> From: ausnog-bounces at lists.ausnog.net
>>>
>>> Remove
>>> <https://antispam.avgcloud.net/FooterAction?ver=3&un-wl-sender-domain=1&hID=1359707166&domain=prodigy.com.au>
>>> lists.ausnog.net from my allow list
>>>
>>> *You received this message because the domain lists.ausnog.net
>>> <http://lists.ausnog.net> is on your allow list.*
>>>
>>>
>>>
>>> _______________________________________________
>>> AusNOG mailing list
>>> AusNOG at lists.ausnog.net
>>> http://lists.ausnog.net/mailman/listinfo/ausnog
>>>
>>>
>>
>> _______________________________________________
>> AusNOG mailing list
>> AusNOG at lists.ausnog.net
>> http://lists.ausnog.net/mailman/listinfo/ausnog
>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ausnog.net/pipermail/ausnog/attachments/20160810/c0f3efd8/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.jpg
Type: image/jpeg
Size: 2683 bytes
Desc: not available
URL: <http://lists.ausnog.net/pipermail/ausnog/attachments/20160810/c0f3efd8/attachment-0001.jpg>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image002.png
Type: image/png
Size: 16869 bytes
Desc: not available
URL: <http://lists.ausnog.net/pipermail/ausnog/attachments/20160810/c0f3efd8/attachment-0001.png>