1337 H4XX0rZ wanted!

It's great to see such impressive strides being made in the important field of protecting children from boobies.

Back in the day, there was software that confidently classified the Mona Lisa as porno. And also classified porno as being perfectly squeaky clean.

Nowadays, there's software on which my very favourite Australian Federal Government ever has apparently spent 84 million Australian dollars (about $US69 million, as I write this).

This software can, it is said, be bypassed by a kid in a matter of minutes.

(I see no reason to change my conclusion from the end of 2000: It doesn't matter, to the people who make it or the people who pay for it, whether censorware works or not.)

The news.com.au piece doesn't actually tell you how the pictured smirking 16-year-old bypassed the NetAlert suite of programs (while leaving them apparently running!). I presumed it was something rudimentary, like killing a couple of processes in Task Manager. Maybe a few seconds with regedit, too.

[UPDATE: As of 2012, that news.com.au page disappeared, in accordance with their ancient tradition; archive.org has it, but without the picture of the smirking teenager. The government Netalert site has been quietly led behind the barn and shot in the head, too; here's how it looked when it was young and optimistic. Netalert-dot-COM-dot-au is alive and well, but it's not quite the same thing. I've had to archive.org-ify a few other pages, too.]

This ITWire piece details an inelegant way of temporarily and invisibly disabling Optenet, one of the three programs, by... killing a couple of processes in Task Manager.

This page mentions ways to prevent people from "tampering with Integard", which are hilarious enough that I'll leave them as a surprise, but which include not letting anybody boot the computer from CD.

That is, of course, well beyond the capabilities of the average parent (change boot order in BIOS setup program, set BIOS password, and then just hope your kid doesn't know how to clear the CMOS, which wipes the password and resets the boot order to default in one hit).

Just booting from BartPE or a Linux disc and nuking the nannyware isn't, of course, the sort of elegant and undetectable hack that's being advertised here. So there's probably something neater out there.

I'll be pretty surprised if you even need Process Explorer to nobble the rest of these marvellously enterprisey programs so wisely purchased from their skilled authors with my tax dollars. But who knows?

Your mission, gentle readers, is to Outflank the Nanny, in as few keystrokes as possible. The software's a free download.

Our Government's dedication to quality software extends to the "Required" e-mail address and postcode on the download page. The postcode can be any four digits, and the e-mail address just needs to have an @ and a . in it, with two or three characters following the .

(The Safe Eyes download requires some kind of further account creation folderol. I also don't know whether they check to see if you've got an Australian-looking IP address.)

32 Responses to “1337 H4XX0rZ wanted!”

  1. pittance Says:

    I can't help thinking that a more effective way to stop teenage boys _looking_ for porn is to spend maybe a quarter of all of that money on creating some good, wholesome, government approved, family values safe porn and send it direct to all of the teenage boys in Oz so avoiding the need for them to go looking for it.

    Much more efficient in terms of the tax dollars of the hard-working Australian public.

  2. Ambush Says:

    One hopes that the company that produces NetAlert won't go down the road of "upgrading" the effectiveness of their programs through the use of a rootkit.

  3. Stefans Says:

    I can't resist a challenge, so I tried my hand (metaphorically) at cracking the Integard software. My first problem was not being Australian, so I just downloaded the 14-day trial from Integard's website.
    As I installed it I was asked for an email address and password: I gave it a mailinator address and a password. It uses this password as the admin password.
    I set it to the most restrictive setting, and then wholeheartedly set about trying to break it. I tried ending the process, which borked all network connectivity. Followed by an hour or so of me trying to work out how the hell something has set itself as a proxy for all TCP traffic and work out why it's created a separate loopback device: 127.0.0.2. This was fruitless, and required a few reboots to restore my connection (This was before I realised that it was a service, and I could end/restart it in the services config).
    Eventually, I conceded defeat and decided that Tom Woods is just a genius. When I was on the uninstall screen, I noticed the "Forgotten password" button, and the text claiming that it sent your password to you. Well, that seems rather stupid: Fire up ethereal, click the forgotten password button. Voila! One password in a GET parameter. I could use that password to disable filtering, or whatever. I used it to uninstall the program. This required yet another reboot to unbork network connections.
    The only downside that I can see to this attack is that the concerned parent (Or malicious friend. This could be hilarious at LAN parties.) will get an email telling them that they've forgotten their password. Although that could be avoided by setting a hosts entry to redirect traffic from http://www.integarde.com (I forget the actual URL, I think that's it) to http://www.google.com. Google would return a 404 error, but you'd be able to sniff the password out of the request, and nobody gets an email.
    As to leaving the systray icon intact: the icon is controlled by a separate program that you could probably kill or suspend without borking your network connection, although I didn't try this.
    Basically: Clever software, big flaw. Never send passwords in clear text.
    Oh, and does anybody know how they do the "redirect all tcp traffic through a new loopback device" trick?
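The flaw Stefans describes, an admin password travelling as a GET parameter, is the kind of thing a proxy or web-server log will show whenever it happens. As an added example (not code from the post or any commenter), here is a PowerShell check that flags credential-looking query parameters in such log lines while reporting only that a secret was present, never its value; the log lines and the host name filter-vendor.example are constructed for the demonstration.

```powershell
# Added example: find HTTP requests whose URL query string carries a
# credential-looking parameter. Sample log lines and host names are constructed.
$SensitiveNames = 'password', 'passwd', 'pwd', 'pass', 'secret', 'token'

# Constructed sample in a common proxy-log shape: client, method, URL, status
$SampleLog = @(
    '192.0.2.10 GET http://filter-vendor.example/forgot?email=parent%40example.net&password=S3cret 200',
    '192.0.2.10 GET http://www.example.com/search?q=boot+order 200',
    '192.0.2.11 GET http://filter-vendor.example/update?ver=2.1&pwd=hunter2 404',
    '192.0.2.12 POST http://www.example.com/login 302'
)

function Find-CredentialInQuery {
    param([string[]]$LogLines, [string[]]$Names = $SensitiveNames)
    foreach ($line in $LogLines) {
        $fields = $line -split '\s+'
        if ($fields.Count -lt 4) { continue }
        $uri = $null
        if (-not [uri]::TryCreate($fields[2], [UriKind]::Absolute, [ref]$uri)) { continue }
        if (-not $uri.Query) { continue }
        # Query arrives as "?a=b&c=d"; split it into name/value pairs
        foreach ($pair in $uri.Query.TrimStart('?') -split '&') {
            $name, $value = $pair -split '=', 2
            if ($Names -contains $name.ToLower()) {
                [pscustomobject]@{
                    Client    = $fields[0]
                    Host      = $uri.Host
                    Parameter = $name
                    # Report that a secret was sent and how long it was, never the secret itself
                    ValueLen  = [uri]::UnescapeDataString([string]$value).Length
                    Status    = $fields[3]
                }
            }
        }
    }
}

# Two of the four constructed lines are reported: 'password' and 'pwd'
Find-CredentialInQuery -LogLines $SampleLog | Format-Table -AutoSize
```

Point the function at real access-log lines (adjusting the field positions if your log format differs) to find every client and vendor host involved, which is also how you would confirm that a fix has stopped the leak.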

  4. Daniel Rutter Says:

    Outstanding work, Stefans!

  5. cctsm Says:

    Well, you could always whip up a fake executable with a forged UI - or just something which plunks a systray icon in, and does nothing else.

    I might shove it into a virtual machine and have Process Explorer running while installing it. Might give some clues on how it attaches to the TCP/IP stack.

  6. giles Says:

    Assuming only that porn viewing will be done outside the parents' purview:

    1. Boot a live CD
    2. surf away
    3. save any, um, "fine art" downloads to a USB memory device

    Breaking the software would probably be fun, but not necessary.

    Bonus to this solution is that there are no logs on the PC of what has been accessed.

  7. OCT Says:

    It took me a total of 5 minutes to break Integard:
    **The usual disclaimer applies to this information - if you break your computer, you get to keep both pieces.**
    1) Install Integard
    2) Download LSP-Fix
    3) Reboot in Safe mode
    4) Run LSP-Fix, remove Integard.dll from the Winsock LSP chain (this is the key to the 127.0.0.2 loopback, Stefans)
    5) Run Regedit, and delete:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\INTEGARD
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IntegardTray
    6) Reboot.

  8. OCT Says:

    Optenet is very similar.
    1) Install Optenet
    2) Download LSP-Fix
    3) Reboot in Safe mode
    4) Run LSP-Fix, remove lsp.dll from the Winsock LSP chain.
    5) Run Regedit, and delete:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\OPTENET_FILTER
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OPTENET_GUI
    6) Reboot.

    I feel like I've just done the world an incredible disservice...

  9. Stefans Says:

    Well, that's certainly more elegant. I was completely stumped by the extra stuff in the Winsock LSP chain and had no idea what was happening. Seems the "tampering with Integard" FAQ entry needs an extra couple of bullets: Set a strong admin password and lock the PC in a safe.

  10. Stefans Says:

    Just for completeness, when I was busy getting frustrated with the Integard trial, I looked in the registry and found a field called "date" which was a UNIX time stamp for the time and date I installed the trial. I wouldn't be surprised if the time left on the trial was calculated solely off that. So if, for whatever reason, you want a copy of Integard but you don't want to pay and you're not Australian - that might be a good place to start.
    Oh, and thanks Dan :D

  11. chiefnewo Says:

    Unfortunately that's the sort of "policy" you get when you're looking for election winning offers, but your only source of public opinion is the Eternal Brotherhood (or whatever those religious guys Howard was talking to are).

  12. Daniel Rutter Says:

    I believe you're talking about the Exclusive Brethren, the Australian branch of which is both as nutty as small Christian cults tend to be, and surprisingly politically powerful for a bunch of people who never vote.

    Australia's totally-not-a-bunch-of-loony-Christians-how-dare-you-suggest-it Family First Party has expressed an opinion on this subject too, saying that "compulsory filtering by internet providers" (with the option for adults to opt out, by some means) should also be put in place.

    Speaking as people who know absolutely nothing about the Internet, they don't see why this should be in any way difficult.

  13. Legba Says:

    It is a pity the young man had to make such a fuss over cracking it. I suppose it was inevitable but it would have been nice for the concerned parents groups and the 'Think-of-the-children' nutters to have plonked this software down and moved off into the bliss of a job well done knowing they would never have to worry about the issue ever ever ever again. Everyone could have then just got back to business as usual and everyone would be happy.

    But it is cracked and out in the wild and now Family First have ammunition to push the 'we need ISP level filters' line and *everyone* knows how easy that is.

  14. Grail Says:

    Anyone had a try at the Safe Eyes one?

  15. JL Says:

    Exactly when would be the appropriate time to point out that you don't need a PC to browse the internet anymore? I can see boobies quite happily on my two year old mobile phone. They are very small boobies, but from what I remember of my younger years I'd have to say that this is not a problem.

  16. Changes Says:

    JL: internet browsing on a portable device is a painful procedure. I tried normal browsing on my Palm TX (which has a large screen by the standards of portables) and it was so frustrating I wanted to throw it at the wall.
    Just to see how ludicrous it was I tried some porn browsing, and while it was possible to watch boobies (even moving ones!) on it, the browsing was slow (functionally no cache) and you had to scroll a whole lot.
    And this on a TX. On a mobile phone you'd probably squint your way to a headache before you managed to, er, do anything else with other body parts.

    If you can't use the computer to get off the best solution to the problem (aside from finding a woman, but who are we kidding, it's not quite as easy as some people make it look) is probably to go back to good ol' paper. I don't know how it is in Australia, but here in Italy any second-hand-books stand has stacks of disused porn magazines any teenager can get for spare change.

  17. OCT Says:

    Had a quick look at Safe Eyes. It was hardly worth the time.
    1) Install Safe Eyes
    2) Download LSP-Fix
    3) Reboot in Safe mode
    4) Run LSP-Fix, remove ICF.dll from the Winsock LSP chain.
    5) Run Regedit, and delete:
    The Safe Eyes toolbar entry in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ICF
    6) Reboot.

    I know in each of these processes LSP-Fix is relied on fairly heavily, but manually modifying the LSP chain isn't for the faint hearted.

  18. Mandy Says:

    Chiefnewo is pretty well on the money. Still, it is a useful idea to protect littlies. I mean, if teenage boys want porn, they'll find it outside the home.

    Ok, so my "Government source" told me the other day that young Tom circumvented the filter without access to the Administrator account. Now, that's a feat! I was out searching for Neo...

    Just booting from BartPE or a Linux disc and nuking the nannyware isn’t, of course, the sort of elegant and undetectable hack that’s being advertised here. So there’s probably something neater out there.

    He tells me today that Tom used a boot CD (didn't specify which one, but there are any number available). I didn't get the details of what he did, whether he nuked the files or gained access to the admin account and followed the neat steps OCT has outlined or something else. But I think the Netalert Test Lab was expecting something a little more cunning. And leaving the icon in the system tray isn't too hard (for Integard, at least): either leave off the second part of step 5 in OCT's instructions, or copy IntegardTray to the All Users Startup folder.

    If you are going to use a boot CD, wouldn't you just use Knoppix or DSL or whatever and surf away without leaving any trace at all?

    Well, you heard it here first.

  19. mrspock Says:

    They may be easy to crack now but it's only a matter of time until they are as hard to get rid of as spyware.

  20. OCT Says:

    Getting rid of each of these programs wasn't unlike removing spyware at all - there are a couple little tricks I've seen used by other nasties out there that would have certainly made things harder, but by most standards they did a reasonable job.

    I was more surprised by how similar each program was to the last - 1 LSP-chain DLL, 1 process and possibly a service.
    Rather than just sticking to the same old formula, I think the producers of this type of software could take a page out of SmitFraud's book... at least make the removal process 9 steps instead of 6. ;)

    There's really no defense against a boot CD, regardless of administrator account access. Most won't be bothered by Windows user account settings, and if it is, just make yourself an Admin.
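OCT's observation that every filter in the thread is built the same way (one autorun entry, one process or service, one DLL in the Winsock LSP chain) also tells a parent or administrator exactly what to check to see whether the filter is still there. As an added example (not the blog's, OCT's or any vendor's code), here is a PowerShell tamper check using the Integard component names quoted in the thread, plus a look for the hosts-file redirect Stefans mentioned; the vendor host name filter-vendor.example is a placeholder, and the registry and catalog queries assume a stock Windows installation.

```powershell
# Added example: verify that the filter's components are still present.
# Component names are the ones quoted in the thread; the vendor host is a placeholder.
$IntegardMarkers = @{
    RunValue    = 'IntegardTray'           # value under HKLM\...\CurrentVersion\Run
    ServiceName = 'INTEGARD'               # HKLM\SYSTEM\CurrentControlSet\Services\INTEGARD
    LspDll      = 'Integard.dll'           # provider DLL in the Winsock LSP chain
    VendorHost  = 'filter-vendor.example'  # placeholder for the vendor's real host name
}

function Test-FilterIntegrity {
    param([hashtable]$Markers)
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Autorun entry for the tray/UI process
    $runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if (-not $run -or -not $run.PSObject.Properties[$Markers.RunValue]) {
        $findings.Add("Run entry '$($Markers.RunValue)' missing from $runKey")
    }

    # 2. The filtering service must be registered and running
    $svc = Get-Service -Name $Markers.ServiceName -ErrorAction SilentlyContinue
    if (-not $svc) {
        $findings.Add("Service '$($Markers.ServiceName)' is not registered")
    } elseif ($svc.Status -ne 'Running') {
        $findings.Add("Service '$($Markers.ServiceName)' is $($svc.Status)")
    }

    # 3. The LSP DLL must still appear in the Winsock catalog
    $catalog = netsh winsock show catalog
    if (-not ($catalog | Select-String -SimpleMatch $Markers.LspDll)) {
        $findings.Add("LSP provider '$($Markers.LspDll)' absent from Winsock catalog")
    }

    # 4. No hosts-file override for the vendor host (that is how the password e-mail gets suppressed)
    $hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    $pattern = '\b' + [regex]::Escape($Markers.VendorHost) + '\b'
    $override = Get-Content $hosts -ErrorAction SilentlyContinue |
        Where-Object { $_ -notmatch '^\s*#' -and $_ -match $pattern }
    if ($override) {
        $findings.Add("hosts file overrides $($Markers.VendorHost): $($override -join '; ')")
    }

    return $findings
}

$result = Test-FilterIntegrity -Markers $IntegardMarkers
if ($result.Count -eq 0) { 'Filter components intact' } else { $result }
```

Run it from an elevated prompt and keep a copy of the clean output; a later run that lists findings means a component was removed, stopped or redirected, which none of the filters in the thread reports on their own.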

  21. mrspock Says:

    Actually there is a defense against a boot CD.

    Most if not all PCs can be configured in the BIOS to prevent booting from the CD.

    And the BIOS can be password protected.

  22. Daniel Rutter Says:

    and the BIOS can be password protected.

    Already mentioned in the original post, I think you'll find :-).

    The weak point here is that the BIOS password will be cleared if you clear the CMOS memory, a piece of information that is quite well known among porn-huntin' 13-year-olds.

    It's a truism of computer security that if the attacker has physical access to the computer you're trying to secure, you're pretty much screwed.

  23. mrspock Says:

    Ok, fair enough if they have physical access they can beat the security.

    But by the time they have done all that they have wiped the BIOS password and the Windows Admin password.

    The parent that went to the trouble of setting that up would notice and the porn hunting 13 year old would be busted.

    Beating the system is one thing, doing it without being detected is another.

  24. OCT Says:

    If said 13 year old has enough time alone to be browsing the net looking at whatever he pleases, he'd surely have no trouble popping the side of the case and switching a jumper over.
    Unless the parent made a habit of regularly checking the BIOS settings, the modified boot order would most likely go unnoticed forever.
    And then there's always the extra friendly brand name machines that prompt the user to "Press F12 for boot menu" at POST, which works independently of the BIOS settings.

    But, regardless of all that, I've found and tested a method of circumventing any of these filters:
    - without needing to change BIOS settings
    - without booting from a CD
    - without rebooting in Safe Mode
    - without removing any component of the filtering software
    - without editing the registry
    - without using LSP-Fix
    - without terminating any process

    Ready for it?

    1) Install any of the above Internet content filters
    2) Install VMware
    3) Create a new virtual machine, install operating system
    4) Go nuts.

    If you had a generous friend, all you'd need is the free VMware player and a copy of his pre-prepared virtual machine image - the image is universally compatible, regardless of the physical computer it's running on.
    I'll admit that the player most likely needs an administrator's account to be installed, but the virtual machine will run as a user after this initial step.
    It couldn't get much easier than that.

  25. flabdablet Says:

    You don't even need the generous friend.

    Admin access is, in general, provided. Any parent clueless enough to install one of these idiot filters is probably also clueless enough not to know about Limited User accounts.

  26. vijanator Says:

    Hey guys, my dad put Integard on my computer a while ago, and I have so far had real problems trying to uninstall it as I don't have the admin password. Unfortunately, I'm nowhere near as smart as the guys on this post, and so far I have had real trouble deciphering the instructions on how to remove Integard, especially the stuff about LSP, and stopping the 'forgotten password' email. If someone could pls pls pls help me, I would be so thankful, by putting easy to follow, basic instructions on how to remove it, either on this post, or sent to my email vijanator@gmail, please help, Vij

  27. OCT Says:

    I'm pretty sure the objective of this discussion was to point out the inherent flaws in these programs, not to help kiddies look at dirty websites.
    Your father installed Integard for a reason.

  28. Daniel Rutter Says:

    Yeah, I agree.

    Vijanator should have to pick the lock on the box where his dad hides his porn, like we did.

    It builds character.

  29. rad Says:

    I'm 15 and I'm a girl and I have this stupid program installed on my computer. I really don't think I need this because I do not go around looking at porn. I have found 54 proxies and I now know that they do not work. I have been researching this stupid program and have looked at everyone's suggestions and they seem pretty convincing; the only problem is that I am not that good at computers although I know quite a bit. I am willing to take a risk but I'm worried that I'll fully stuff my computer up more than it already is. So I want to know if there is a possible easy way to get rid of Integard. I'm not on my computer at the moment but if I go to my computer I'm not sure if this site will be blocked. I am really desperate! Someone help please!!

  30. vijanator Says:

    Unfortunately, I eventually was able to rid my computer of Integard thanks to the brilliant instructions of OCT, and now I can view all kinds of pornography, whilst my dad does not even realise the program is gone. Thanks again! Oh, and this is the ONLY site on the web that has instructions on how to break Integard, so I consider myself fortunate in finding it.

  31. OCT Says:

    Oh dear, I've created a monster.
    No rest for the wicked! Netalert now has a new contender: Filterpak. I wasn't going to post the removal instructions for this one until I saw their slogan: "My Child, My Values".

    1) Install FilterPak
    2) Download LSP-Fix
    3) Reboot in Safe mode
    4) Run LSP-Fix, remove S4F.dll from the Winsock LSP chain.
    5) Run Regedit, and delete:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\S4F
    6) Reboot.

    I didn't bother testing the VMWare circumvent, but I can't see why it wouldn't work - all the filters so far use the same autostarting process and layered service provider approach.

    That'll be "Your child, My Values" now.

  32. woody2371 Says:

    Of course an even easier way is simply to run these fixes, completely removing it, then tell your parents there's a 'problem' and that they should reinstall it cause it's not working.

    Install a keylogger before they reinstall and voila, you have a password. This, or the packet catching method shown before.

    Such a waste of money.
