Welcome to FAQ. If you can't find your answer here, please let us know. We're here to help.

Proactive

The leading solution to block child sexual abuse content

NetClean ProActive is the leading solution for securing your network and blocking child sexual abuse content.

PROACTIVE FAQ

Whitebox

An extremely powerful tool for Internet service providers

NetClean WhiteBox is an extremely powerful tool for ISPs, designed to block access to websites containing child sexual abuse material.

WHITEBOX FAQ

Griffeye-Analyze

NetClean Analyze becomes Griffeye Analyze 

The world’s premier intelligence and visual big data platform for digital media investigations handling images and video.

ANALYZE FAQ

About the problem

What Is CSA Material?

Child sexual abuse material is documented sexual abuse of children. It has nothing to do with pornography. Child sexual abuse material consists of images and films and do not show adults who wear children’s clothing or call themselves “teens”. It is much worse.

According to the “2009 Annual and Charity Report” of the Internet Watch Foundation (IWF) 72% of the child victims appear to be between the ages of 0 and 10; 23% six years old or under; and 3% two years or under. 44% of the images depict the rape or torture of the child. (1) There are images of penetrations of infants. According to the US-based National Center for Missing and Exploited Children (NCMEC), 83 % of those arrested for possession of child pornography had images of children between 6-12 years old, 39 % had images of children between 3-5 years and 19 % had images of children under 3 years old (2) .

1 http://www.iwf.org.uk/accountability/annual-reports/2009-annual-report
2 http://www.missingkids.com

How Does CSA Material Spread?

During 2009, IWF took action to report 8,844 instances of child sexual abuse content around the world. Each of these actions regarded an individual web page or URL. The URLs were identified on 1,316 different domains. The number of URLs with child sexual abuse content known to IWF has remained fairly stable for the last three years however the overall number of domains on which this content is found has decreased by 57% since 2006 as the overall domains used for such purposes shift platforms and consolidate. This trend must be understood in the wider context of changes in the dynamic way in which such images are distributed, that is, often randomly generated, opportunistic and hosted on legitimate web services.

There remains a demand for access to child sexual abuse content via publically available commercial websites. These websites are often highly dynamic and have a persistent presence on the global internet. One such website was hosted briefly in the UK during 2009 before being removed. During the few days it was available on UK networks the website received requests from over 25,000 unique IP addresses worldwide, including requests from mobile internet accounts and gaming platforms.

IWF analysts have seen a trend in the abuse of free hosting services for the distribution of both commercial and non-commercial child sexual abuse content. IWF carried out a detailed analysis of 300 websites most used for storing or distributing child sexual abuse images. 51% offered free website hosting or free image sharing services which were used for criminal purposes. This sample analysis indicates that over half of the child sexual abuse content IWF identifies is found on a range of legitimate free hosting services.

IWF identified 461 criminal gangs that businesses to profit from the sexual abuse of children.

IWF also identified 286 instances of innocent websites being hacked to facilitate the distribution or sale of child sexual abuse images and were therefore unknowingly assisting criminal commercial operations. The owner of a hacked website and the company providing the hosting services are likely to be unaware of the presence of such content.

Internet Watch Foundation (IWF) 2009 Annual and Charity Report

How Many People Have an Interest in CSA Material?

This is a very difficult question to answer. By looking at various studies you can form a picture of the problem. Regardless of the study, however, we must be clear that more information is needed to respond accurately. In an American study (1) from 1989, the results showed that between 1 and 5 % of the population are paedophiles. According to the BRå; Crime Prevention Council in Sweden, some international research claims that less than 1 % of the adult population would have paedophile tendencies.

One person working to combat child sexual abuse material is police inspector Anders Persson. For some years, he has been requisitioned by Interpol at its headquarters in Lyon.

– The demand for child sexual abuse material is enormous. This is evident when websites featuring new images are posted. The number of visits is often so large that the hosting site where the Internet site is located notice a dramatic increase in the number of visitors.

1 Briere, J. & amp; Runtz, M. (1989). University males’ sexual interest in children: Predicting potential indices of “paedophilia” in a non-forensic sample. Child Abuse & Neglect: The international Journal, 13, 65-75.

Do People Really Watch, Handle or Distribute CSA Material at their Workplace?

Yes, they do. Accordingly to NetClean’s experience about 1 of 1000 watch child sexual abuse content at work. People have easy access there and many feel their office computer is more private than the one back home, where the computer is shared with the rest of the family. When a person has accepted that he or she is interested in looking at child sexual abuse content he usually doesn’t take any precautions and they allow themselves to watch the material both at the office and at home.

In an 2010 article (1) in the Boston Globe it said that Federal investigators had identified several dozen Pentagon officials and contractors with high-level security clearances who allegedly purchased and downloaded child pornography, including an undisclosed number who used their government computers to obtain the illegal material, this according to investigative reports. The investigations had included employees of the National Security Agency, the National Reconnaissance Office, and the Defense Advanced
Research Projects Agency — which deal with some of the most sensitive work in intelligence and defense — among other organisations within the Defense Department.

http://www.boston.com/news/nation/washington/articles/2010/07/23/pentagon_workers_tied_to_child_porn/

What Does a Person That Is Interested in CSA Material Look Like?

A person surfing child sexual abuse material might look and act like anyone you know. There is often a false impression that there is an “ugly old man”, a recluse or a “strange” person who many believe could be interested in child sexual abuse material. Yet in fact, it could be anyone at all. Moreover, there is no link to social groups or occupations. Mr. Michael Moran, officer in INTERPOL’s Trafficking in Human Beings Sub-Directorate says:

– The reality we have to face in our societies is that there are people (men and women) who want to have sex with prepubescent children, and we need to face up to it. These people can be anyone. Police officers, system administrators, politicians and priests have all been arrested in investigations I have worked on, and each one will have offended to differing degrees and for different reasons.

Proactive

What Happens After the Installation?

The first thing the agent does is contact the NetClean ProActive Management Server (NMS). The NMS then adds the agent to its list of computers with the IP number of the computer as well as the computer’s Host name (FQDN). The NMS will also return an ID-number to the agent. The next time the agent is connected, it will contact the NMS with its ID number. This is why it is important that you do not copy an installed version of NetClean ProActive to a computer; the computer would be given the same ID number. You can find the agent identification settings in the Server Settings.

Why Should We Communicate the Installation of ProActive Internally?

Communicating the initiative externally will strengthen the organization on a number of levels. Installing ProActive is an active choice that shows that the company takes part in a global collaboration to stop and block access and spread of child sexual abuse material. By incorporating NetClean ProActive as part of the CSR activities, the company demonstrates a clear intention to combine a succesful business practice with social responsibility.

How Can We Communicate About the Installation Internally?

It is an advantage to use the company’s normal channels of communication to inform all employees what NetClean ProActive means for each and every one personally.  We recommend that the document “Information for personnel” is adapted to fit the organization, and then communicated to all employees via multiple channels of communication. We also recommend that all employees be informed continually, for example once a year, that the company uses NetClean ProActive. For this purpose, make use of internal newsletters, meetings or intranet. Contact NetClean for more information.

How Is it Possible to Distinguish a Child Sexual Abuse Image?

NetClean works together with law enforcement authorities, which create digital fingerprints of illegal child sexual abuse images on their databases. This gives each image a unique code which NetClean ProActive software then searches for, which means that only known child sexual abuse images in the police archives are detected.

What Should I Do If, by Mistake, I Come Across a Child Sexual Abuse Image?

The program will find the image so it is extremely important that you inform the Security manager or your direct manager about it. No information goes directly to the police; all incidents are initially dealt with internally.

Will My Holiday Photos Be Found?

No, since the program only detects images that are stored in the police’s already classified archive of child sexual abuse images. Only incident information is logged.

Who Receives a Report If I Come Across a Child Sexual Abuse Image?

It is decided by your company who within the company that will be informed if NetClean ProActive detects a suspected image. These people will receive a text message or e-mail about it. No information goes directly to the police; all incidents are initially dealt with internally.

What Happens If ProActive Discovers Child Sexual Abuse Content in Our Network?

First a text message or e-mail is sent to the personnel within the company who administer the alerts. No information goes directly to the police; all incidents are initially dealt with internally. The possession of child sexual abuse photos or videos is illegal and as such should be treated in the same way within the company as other types of offence. Refer to company policy documentation. If an analysis determines that it is not a question of spam, trojans, an accident etc and that an offence is still suspected, it should be reported to the police.

What Should I Do when the System Detects Something?

The purpose of NetClean ProActive is to prevent child sexual abuse content from entering the company and to protect innocent people against suspicion of using it. NetClean’s “Procedures” suggests courses of action for dealing with the detection of suspected images.

Will ProActive Make My Computer or Network Slower?

No, the software does not noticeable affect the performance.

How Will NetClean ProActive Affect My Daily Work?

After installation, NetClean ProActive will have absolutely no effect on your daily work unless you receive a suspected image alert via a text message or e-mail.

Whitebox

What Happens If the Website Switches to a New Internet Address?

The system periodically refreshes the mappings between website and IP address (i.e. does a new DNS lookup). This is done often, the system also ”remembers” addresses with some delay to catch the sites that switch often between several sets of IP addresses.

How Are the “IP Blacklist” and the “URL Blacklist” Updated?

The source of the blacklist can be from any source the ISP relies on, it can be from Law Enforcement Agencies, or via any organisation that deals with child pornography, or you could use the default lists included from Interpol and IWF which are updated daily, which we would recommend. The list of URLs will be converted to a list of IP addresses, this is done several times a day. This is done dynamically.

How Many IP Addresses Are Listed in the “IP Blacklist”? Is There a Maximum Threshold?

The blacklist consists of URLs, not IP addresses per se, so it varies, an example could be a list with 3000 URLs results in approximately 350 IP addresses that will be announced in BGP to the ISP using the WhiteBox. (This due to the fact that many of the URLs are on the same websites or simply is not reachable, some of the URLs exists only a short time)

Does It Support IPv6?

Yes, IPv6 is supported.

How Are FTP, IRC, P2P and Newsgroup Flows etc Handled?

They are simply routed through the box if they are hosted on the same IP addresses as the Websites that are to be blocked. Other protocols could be considered to be included in the WhiteBox further on, but the current version handles HTTP only.

At What Level Is the Filtering Applied?

The filters can be applied at two levels:

  • Website
  • Parts of a website

It is possible to filter down to the level of folders or individual documents as images on a website, e.g. you could filter http://www.website.com/badcontent but allowhttp://www.website.com/goodcontent on the same website.

What Happens when There Are Multiple Websites on One Internet Address?

The requests for all of the websites are diverted to the filter server. The filter server receives the requests and looks at the URL to determine whether that site is banned or not. If it is banned a “This website is banned” message is returned, otherwise the filter server forwards the request to the web server.

Does the Filter Server Get Both the Request and the Response from the Website?

It is decided by your company who within the company that will be informed if NetClean ProActive detects a suspected image. These people will receive a text message or e-mail about it. No information goes directly to the police; all incidents are initially dealt with internally.

Will the Filtering Cause any Performance Issues?

Requests to blocked websites will, of course, not be available. Requests to websites that aren’t blocked but are on the same internet addresses as blocked websites will not suffer any performance loss other than an extra router hop. Requests to websites that aren’t blocked and are not on the same internet addresses will not be affected.

From a User Point of View, What Is the Additional Delay With the WhiteBox Solution?

None. The WhiteBox is actually a router, with a very high speed deep-packet-inspection of the http traffic, effectively blocking child sexual abuse websites on the Internet.

Does the Filtering Include All Traffic to the Internet Address or Only Web Traffic?

All traffic for that internet address is forwarded to the filter server. This includes web, email, chat, and P2P file sharing etc. The NetClean Whitebox is designed to filter website traffic. All other traffic is rerouted via the WhiteBox without passing through the filter daemon at all.

What Information Is Logged by the System?

The ISP does not need to log any information relating to the filtering (although they could choose to). The WhiteBox filter server does not by default log the internet address of any computer that tries to access a blocked site. It can be turned on if the ISP requests it and it is within the laws of that country to do so. The filter server does not log the internet address of a computer that tries to access a non-blocked site on the same internet address as a blocked one, even though this request passes through the filter server.

What Does an ISP Have to Do to Enable the Filtering?

The ISP must set up a BGP peering between one of their routers and the WhiteBox so that the ISP can receive the prefixes that the WhiteBox will reroute for inspection.

Does this Put any Load on the ISP’s Systems?

Not really, it will however add routes to the BGP-table. A typical ISP stores about 400 000 routes on their routers. The filtering can add between 300 – 1500 routes (depending on the size of the blocklist of course). While this does add a little load it should not affect any equipment in a negative manner today.

How Well Does the NetClean Whitebox Scale to Heavier Loads?

This scales very well. The load can be shared by adding filter servers to the system; this can support ISP’s of any size.

What Happens If the Filter Server Breaks?

A catastrophic failure, e.g. if the interface brakes, if the disk crashes etc., will result in a broken peering with the ISP, so the announcements of the host routes will cease, and the traffic will go the “normal” way instead. So if the box crashes, the filter service will just stop, not the reachability to the sites. In a case where the peering is still up, but the traffic is not routed, it could result in black hole. This scenario has never occurred, although there is a theoretic possibility this could happen, if a disk crash that result in this behaviour in the operating system.

Are There Web and CLI Management Interfaces?

The main interface with the box is via the Web-GUI by using https but a CLI is also available.

Is It Possible to Monitor the WhiteBox? Snmp for Instance?

The WhiteBox uses snmp traps internally to signal significant events, these traps can be viewed via the GUI. The ISP can receive these traps as well by request.

Could Several WhiteBox Be Managed from a Central Management Console? (Back Office).

Yes. This is the default setup of the WhiteBox, one master server that runs the web GUI, and one or many filter servers anywhere in the ISP-CORE that are managed via the master server.

Is It Possible for the Owner of the WhiteBox to Add or Delete IP in the IP Blacklist?

The WhiteBox does not operate on list of IP addresses, but on lists of URL’s, the WhiteBox can handle multiple lists of URL’s of the customer choice as long as they are within the intended usage of the WhiteBox. But you cannot add a specific IP address to be rerouted or blocked.

Can I Use Radius or Tacacs for the Login to the WhiteBox GUI?

The WhiteBox have support for radius logins and/or static accounts to the web GUI.

Can I Have Different Kind of Users in the GUI, Read-only e.g?

The GUI have support for 3 classes of users, administrator that can do everything, power-user that have limited access, and a read-only user that can look at most things.

What Implementation of BGP-speaker do the WhiteBox Use?

The Whitebox uses part of the quagga-suite to be able to announce routes via BGP. The forwarding is however controlled by the WhiteBox software.

Is there any Additional Costs If We Need to Support Many Blacklist Providers? Is It Time-based?

No, the included default-lists are free to use via the WhiteBox, and other lists that can be imported by request can be used without any extra cost too.

Can I Use 48V Redundant DC in the Equipment?

Yes, you can choose between 230 V redundant AC or 48 V redundant DC.

What If the Equipment Breaks, Can NetClean Replace the Hardware?

NetClean use HP as a hardware platform and use HP carepack which enables us to replace hardware within the next business day. NetClean will be able to remotely reinstall the software if necessary.

What Happens When there Are Multiple Websites on One IP Address?

The requests for all of the websites are diverted to the filter server. The filter server receives the requests and looks at the URL to determine whether that site is banned or not. If it is banned a “This website is banned” message is returned, otherwise the filter server forwards the request to the web server.

How Are the IP Blacklist and the URL Blacklist Updated?

The blacklist can be from any source the ISP relies on, including law enforcement, NGOs or IWF, which we would recommend and include. The list of URLs will be converted to a list of IP addresses. This is done several times a day.

Why Block Child Sexual Abuse Content?

Because of the Internet and the ISPs people can now easily access child abuse content. That was not possible before the Internet.

Blocking will:

  • Put people back into the blue part of the triangle
  • Prevent people from being interested of the material in the first place
  • –> This could lead to less abused children

What Happens when There Are Multiple Websites on One IP Address?

The requests for all of the websites are diverted to the filter server. The filter server receives the requests and looks at the URL to determine whether that site is banned or not. If it is banned a “This website is banned” message is returned, otherwise the filter server forwards the request to the web server.

Are There Other Routing Protocols like OSPF that Could Be Used?

No, just BGP in the current setup of the WhiteBox.

Can an ISP offer both filtered and unfiltered connections?

Yes, there is an option in the GUI to make selected source-prefixes pass through the filter without beeing exposed for inspection. (Typically used by list maintainers to bypass the filtering)

Which mechanisms prevent a DoS?

Since the WhiteBox never displays the IP address, the DoS will not hit the box, you can even set the box on an IP address that is not routed globally to make sure the DoS will be even harder even if the IP address is known, the DoS will more likely hit the targets that are routed through the box than the box itself. However, any equipment on the Internet can be affected by DoS anyway, if the WhiteBox is under attack, it will take several steps to prevent that the users will suffer any performance-loss due to a heavily loaded WhiteBox, if all these steps still results in packet-loss the BGP-session will be shut down for a while and the traffic will flow the normal way.

Is it possible to circumvent the filtering?

It is possible for a motivated user to circumvent the filtering using advanced technologies such as TOR.

What is the Operating System of the WhiteBox? How are Operating System and the WhiteBox software updated?

The WhiteBox Operating system is FreeBSD. The Operating System and the WhiteBox software will be updated by NetClean. This will be done when vulnerabilities in the Operating System or the software is discovered, or when the systems are upgraded with new software.

Can I have a ”white list” of URLs that I wish not ever to be blocked?

Yes, the WhiteBox have a default white list that is dynamically updated, and the ISP can add any number of URL’s as well to be included to the white list. If a URL is in both the blacklist and the white list, the white list will override the blacklist and that URL will not be blocked.

Why does the WhiteBox need a tunnel to my global transit? Why not just use the default route to the Internet via my network?

The filter boxes needs a interface connected to the Internet, and a default route will be placed towards that interface, but, the filter will reroute selected IP addresses in your network, presume the filter box have the IP address 1.1.1.1 and the default route is your box at 1.1.1.2. The filter box use AS1 and you use AS2. Presume we detect that the IP address 2.2.2.2 hosts a website that should be blocked by the filter box. We will via the BGP-peering between us announce this route 2.2.2.2/32 from AS1 towards your AS2, and in your AS2 the next hop for this rerouted prefix will be 1.1.1.1 When a client of yours try to reach the URL http://www.badsite.com/some/bad/path where the fully qualified domain name www.badsite.com resolves to the IP address 2.2.2.2, it will send the packets via your AS2 to the filter AS1 via the next hop 1.1.1.1. The filterbox will detect that the client is trying to reach a site that is in the block list, and block this request and show the client a block-page instead. Let us presume that another customer tries to surf to the same site, but to another page that is NOT in the blocklist, for example http://www.badsite.com/some/good/path. The client packets will as earlier go via AS2 to the filter AS1 via the next hop 1.1.1.1, but in this case the filter will not get a match towards the blocklist, and thus the traffic will be allowed to reach the destination at IP address 2.2.2.2. If we simply send this to the default gateway 1.1.1.2, what will happen is that you will immediately send this traffic back to us at IP address 1.1.1.1, and we would have created a routing loop for the intended destination, and the customer will never be able to reach the site http://www.badsite.com/some/good/path. On the other hand, if we have an interface in the filterbox to another AS, for example AS3, and this AS3 is not aware of the hostroutes that AS1 announces, this AS3 will forward the packets from your client to the intended destination at IP address 2.2.2.2. This is why we need a next hop for the clean traffic outside your AS, the easiest way to do this is via a tunnel. But any other means is OK as well, a directly connected interface works just fine, or actually a tunnel/direct link to the router in AS2 which connects to AS3, and make that specific router unaware of the routes announced from the WhiteBox via BGP-filters.

Griffeye-Analyze

Where can I find more info about Analyze?

NetClean Analyze has become the world’s premier intelligence and visual big data platform for collecting, processing, analysing, visualizing and managing images and videos and is used daily by law enforcement all over the world. It is now time for Analyze to stand on its own two feet. Please go to: www.griffeye.com for more information.

Didn’t find your answer? Please let us know. We’re here to help.