It is perhaps timely that this week three large ISPs in the USA have announced that they have decided to block access to child sexual abuse image newsgroups on Usenet and remove sites hosting this material from their servers. This was initially inaccurately reported so as to imply the installation of blocking systems for other people’s websites; which is unlikely to be especially effective, and may even provide an “oracle” by which the people who seek illegal material can locate new websites to visit.

Our new paper, “The Impact of Incentives on Notice and Take-Down”, examines a number of different types of wicked Internet content and discusses how effective people are at getting the material removed by serving notices upon the website owners who host it. We have a number of interesting results, but perhaps the most striking is that although phishing websites impersonating banks are generally removed in a couple of hours, the mean lifetime for a website hosting child abuse images is almost a month and even the median (the time by which half of the sites are removed) is 12 days.

We believe that the reason that the child abuse image websites are removed so slowly is that the Internet Watch Foundation (IWF), who collate a list of illegal sites, is only prepared to talk directly with the hosting ISPs within the UK. If the site is hosted abroad (which is now 99.8% of all sites) the IWF informs the UK police, who pass the message on to law enforcement in the relevant country, and that clearly leads to considerable delays. Furthermore, the same parochial attitude appears to be taken by similar organisations in other countries.

The IWF are a member of INHOPE, an association of child sexual abuse image reporting hotline organisations operating in 29 countries, and the IWF will also pass reports to the appropriate INHOPE members. However, in the US, which hosts around half of all the illegal sites, IWF tell us that NCMEC the hotline operator there will only pass on notices to their members — and that means that American ISPs do not get a timely notice.

We think it is the close involvement with the police, who have to operate within a particular jurisdiction, which leads the IWF to believe that they would be “treading on other people’s toes” if they contacted ISPs outside the UK. I assume that this is why I was firmly told in an email this week that they “are not permitted or authorised to issue notices to takedown content to anyone outside the UK”. Indeed, this echoed in a letter to The Guardian today by John Carr who says “The IWF cannot issue a notice to a Polish or Irish internet service provider”.

We don’t think there is some magical international permission given to the people who try to take down any of the other types of content we studied — from phishing, to fake escrow sites, to illegal pharmacies. It only seems to be INHOPE members, dealing with child sexual abuse images, who are not prepared to make an attempt!

Besides this issue, we have a number of other interesting results in the paper (so do read it!) For example we looked at “mule recruitment websites” — with job adverts for payment processors who will be conned into handling the proceeds of phishing scams in the belief that they’re handling payments for legitimate companies. These sites are only taken down by volunteer (amateur) efforts — since they don’t attack any particular bank, but the whole industry, no particular bank is prepared to put in any effort to remove them. Unsurprisingly, their average lifetime is 13 days (mean 8 days) — far longer than the phishing websites — which is not good news for gullible consumers.

Transport command and control systems are commonly designed by engineers with little exposure or knowledge about security using commodity electronics and a little native wit. The apparent ease with which Lodz's tram network was hacked, even by these low standards, is still a bit of an eye opener.

Problems with the signalling system on Lodz's tram network became apparent on Tuesday when a driver attempting to steer his vehicle to the right was involuntarily taken to the left. As a result the rear wagon of the train jumped the rails and collided with another passing tram. Transport staff immediately suspected outside interference.

Here's Steve Bellovin:

The device is described in the original article as a modified TV remote control. Presumably, this means that the points are normally controlled by IR signals; what he did was learn the coding and perhaps the light frequency and amplitude needed. This makes a lot of sense; it lets tram drivers control where their trains go, rather than relying on an automated system or some such. Indeed, the article notes "a city tram driver tried to steer his vehicle to the right, but found himself helpless to stop it swerving to the left instead."

The lesson here is that security by obscurity, combined with physical security of the equipment, wasn't enough. This kid jumped whatever fences there were, and reverse-engineered the IR control protocol. Then he was able to play "trains" with real trains.

“Transport command and control systems are commonly designed by engineers with little exposure or knowledge about security using commodity electronics and a little native wit.”