Forgot your password?
typodupeerror
The Internet Censorship Government Networking The Courts United Kingdom Your Rights Online

Open Rights Group International Says Virgin, Sky Blocking Innocent Sites 83

Posted by timothy
from the no-brush-is-quite-broad-enough dept.
New submitter stewartrob70 writes with an explanation of the inadvertent (or at least unwarranted) blocking of innocuous sites that UK ISPs Virgin and Sky are engaged in, as reported by PC Pro. The ISPs' filtering systems "appear to be blocking innocent third-party sites with apparently little or no human oversight." stewartrob70 excerpts from a blog posting with an explanation of why: "In order to understand why this specific issue happened, you need to be familiar with a quirk in how DNS is commonly used in third-party load-balanced site deployments. Many third-party load balanced systems, for example those using Amazon's AWS infrastructure, are enabled by pointing CNAME records at names controlled by those third-party systems. For example www.example.com may be pointed at loadbalancer.example.net. However, 'example.com' usually cannot be directly given a CNAME record (CNAME records cannot be mixed with the other record types needed such as those pointing to nameservers and mailservers). A common approach is to point "example.com" to a server that merely redirects all requests to 'www.example.com.' From forum posts we can see that it's this redirection system, in this specific case an A record used for 'http-redirection-a.dnsmadeeasy.com,' that has been blocked by the ISPs — probably a court-order-blocked site is also using the service — making numerous sites unavailable for any request made without the ''www' prefix."
This discussion has been archived. No new comments can be posted.

Open Rights Group International Says Virgin, Sky Blocking Innocent Sites

Comments Filter:
  • And this is why (Score:5, Insightful)

    by gigaherz (2653757) on Monday October 21, 2013 @04:23AM (#45186501)
    This is why ISPs have been complaining for years that filtering bad content is not as easy as the copyright people make the politicians think it is.
    • Re:And this is why (Score:4, Interesting)

      by FriendlyLurker (50431) on Monday October 21, 2013 @04:48AM (#45186571)
      You assume that "copyright people", "politicians" and rich elites in general care about "Innocent Sites": censorship for limiting, framing and generally controlling the political discourse is the goal. They have solved the majority of the ISP problem by compensating them with our tax dollars so their complaint's disappear. Soon if not already it is profitable for said ISP's to censor content against secret behind closed door lists, so only those with some sense of moral compass outside of pure profit motive will complain and that will be fine as they can be ignored by mass media. Virgin and Sky were too big to ignore when they were complaining - now they are silent on the issue.
      • by gigaherz (2653757)
        Of course they don't care. We are talking about corporations and politicians. What they were complaining about was that it's not EASY, so it requires more EFFORT. And in corporate terms, effort means money. Of course they stop complaining when you compensate them for the cost of running the filters, but the point stands: they DID complain.
    • Re:And this is why (Score:5, Informative)

      by Joining Yet Again (2992179) on Monday October 21, 2013 @05:23AM (#45186639)

      "This is why ISPs..."

      Oh, what bullshit. ISPs have bent over backwards so they don't lose out on delicious government contracts, which in the UK require satisfactory filtering methods in place.

      There are maybe one or two ISPs which have had a backbone in all this - such as Andrews&Arnold. You can tell the difference because their Internet service is 100% unfiltered. They even ask you if you want filtering and refuse to provide you with service if you say "yes".

      • by gigaherz (2653757)
        My point was that some ISPs have complained about the cost of running good filters, not that it affects innocent websites. Good filters happen to be the ones that do NOT block innocent websites, but of course they cost more. Avoiding that cost is a very important topic for the ISPs, while blocking innocent websites is just a small PR issue. In the case of Virgin and Sky, cheap blocking seems to have been the chocie.
        • Re:And this is why (Score:4, Interesting)

          by Joining Yet Again (2992179) on Monday October 21, 2013 @05:44AM (#45186697)

          I haven't heard many complaints about the cost, to be honest.

          Run no filter:
          - lose gov contracts;

          Run cheap filter:
          - gain gov contracts;
          - increase prices slightly for everyone;
          - minority of people notice they're missing legitimate web sites;

          Run expensive filter:
          - minority still complain because they tend to object to filtering in principle;
          - lose custom from extra costs which will be passed on to consumer.

          So "run cheap filter" is always the profitable option in the UK, which is why everyone feeds the IWF list plus the easiest interpretation of court orders into something in the style of the original Cleanfeed, augmented more recently by DPI by some ISPs.

      • Re:And this is why (Score:4, Informative)

        by isorox (205688) on Monday October 21, 2013 @05:58AM (#45186741) Homepage Journal

        "This is why ISPs..."

        Oh, what bullshit. ISPs have bent over backwards so they don't lose out on delicious government contracts, which in the UK require satisfactory filtering methods in place.

        There are maybe one or two ISPs which have had a backbone in all this - such as Andrews&Arnold. You can tell the difference because their Internet service is 100% unfiltered. They even ask you if you want filtering and refuse to provide you with service if you say "yes".

        Not all ISPs

        Not only is Andrews & Arnold [aaisp.net.uk] XKCD 806 [xkcd.com] compliant, but they meet all of mumsnet^W David Cameron's censorship requirements.

        The government wants us to offer filtering as an option, so we offer an active choice when you sign up, you choose one of two options:-

        Unfiltered Internet access - no filtering of any content within the A&A network - you are responsible for any filtering in your own network, or
        Censored Internet access - restricted access to unpublished government mandated filter list (plus Daily Mail web site) - but still cannot guarantee kids don't access porn.
        If you choose censored you are advised: Sorry, for a censored internet you will have to pick a different ISP or move to North Korea. Our services are all unfiltered.

        Is that a good enough active choice for you Mr Cameron?

        • I did mention AAISP in the final paragraph, but I suppose their approach is so correct that it's worth mentioning twice (or thrice, right here!).

          Government and big business play an on-going game of pretending to wrestle each other, but they're usually happy enough to work together while giving the plebs some "state vs private sector interests" theatre to get worked up about.

          • by isorox (205688)

            I did mention AAISP in the final paragraph, but I suppose their approach is so correct that it's worth mentioning twice (or thrice, right here!).

            Yeah, sorry, stupid me! Since slashdot started going downhil (1999, hoho), I've taken to reading it on my phone using google web toolkit, but you only get the start of the posts.

        • by AmiMoJo (196126) *

          I really don't see the point of what A&A are trying to do because ultimately they still use BT's network and you are still subject to full spying. They even help GCHQ out by not using carrier grade NAT. You still need a VPN out of the country to even begin to be safe and have some privacy, and they could easily offer that service as a standard part of their package. I'm sure a lot of people would love to simply tick a box and have all their traffic re-directed to say Sweden over a fully encrypted link.

          O

          • The only way A&A could protect you from GCHQ is by running their own copper/fibre all over the country, which would be ridiculously expensive for a small ISP. Even then, as soon as the data leaves their copper/fibre, they can offer no protection whatsoever.
          • SWEDEN!? (Score:4, Informative)

            by FriendlyLurker (50431) on Monday October 21, 2013 @07:57AM (#45187265)

            VPN via Sweden, are you freakin kidding me - you might as well cc all your data to GCHQ directly!? Sweden's NSA Spy Links “Deeply Troubling” [yale.edu], or check out the professors blog for ongoing abuses on all fronts [professorsblogg.com] by the Swedish authorities. Whatever cred Sweden may have established during the cold war years, they have more than used up and are still digging down. The country (well its political leaders) can't be trusted - not a good place to do business anymore.

            If any country near the UK has some semblance of credibility, perhaps try Iceland as the first hop for your VPN. They are even trying to promote themselves as a naturally cooled server hub [datacenterknowledge.com], which is nice...

            • by AmiMoJo (196126) *

              Of course Sweden is just as compromised as the UK, but that isn't the point. The VPN helps hide your identity, but there are still two dangers. There might be legal pressure put on the VPN provider, but Sweden actually has some quite strong protections. At least, scum like music industry parasites can't use civil courts to make them hand over data. The other danger is a spy agency monitoring both ends of the connection to try and identify you, but Sweden probably doesn't have the resources to do it.

              Iceland

              • Sweden - NSA Codename "Sardine" [falkvinge.net] - more than likely receives secret funding from the NSA to establish the infrastructure, just like the UK does [theguardian.com]. They may even recieve more funding than the UK given their gateway status to Russian internet traffic.

                Also check out the professor blog website I linked previously - you cannot trust Swedens perception of "strong protections" anymore - there are good reasons [professorsblogg.com] why Sweden is now rated below Botswana, Romania and Senegal in the WJP Rule of Law Index. Sad how bad it ha

              • by Anonymous Coward

                Ahh, security through delusion.

              • Slightly offtopic - new information just in [truth-out.org] on Icelandic independence (or lack of).
          • "They even help GCHQ out by not using carrier grade NAT."

            Oh dear.

            "all their traffic re-directed to say Sweden"

            Oh dear oh dear.

    • Re: (Score:1, Offtopic)

      by zippthorne (748122)

      ISPs like Comcast? Cox? TimeWarner?

      Which ISPs have been making this claim?

  • Technically speaking that is, not politically.

    I remember reading about this on one of my ISPs' blog a while ago.

    http://steve.blogs.exetel.com.au/index.php?/archives/186-Content-Filtering.html [exetel.com.au]

    • by dutchwhizzman (817898) on Monday October 21, 2013 @05:29AM (#45186655)

      No, any IP based filtering is bad if you want to only block websites. As just explained in TFA, the http protocol is used to put more than one website on a single IP address. You will block other websites if you are blocking entire IP addresses.

      The big catch here is that to do this "properly" ISPs will have to put up transparent HTTP proxies and MitM https as well, just to be able to block these websites. This will effectively make the entire internet insecure for any serious stuff like banking or purchasing goods, since anyone will be able to spoof https. Not only that, but ISPs will suddenly have complete records of your complete web browsing history. There is no way to deny it, those logs will end up in the hands of the government sooner or later. Having ISPs block web sites is like having road workers make sytems that block foreign people that commit traffic violations, it's just not a feasible concept.

      • MitM is a Politically bad idea, not technical. If the proxy servers in the middle have enough bandwidth and resources, the performance could theoretically even be an improvement. I most certainly agree (from a Political perspective) it is a dangerously slippery slope.

        From a technical perspective, it doesn't make the internet (banking, shopping, etc or other https activity) any different because a government/ISP MitM filter is no different to a Malicious Hacker MitM attack, which is already feasible. Also, I

      • by SuricouRaven (1897204) on Monday October 21, 2013 @06:36AM (#45186859)

        Actually, they *do*. That's how the 'cleanfeed' system works. As was discovered when they blocked wikipedia a few years ago - ISPs redirected all traffic for that IP on port 80 to a transparent proxy that then blocked the offending files specifically, playing hell with wikipedia's anti-vandalism measures.

    • by Anonymous Coward

      What's being blocked is a service that is (apparently) used by one site that is meant to be blocked and others that (supposedly) aren't meant to be blocked. It doesn't matter whether you block them by DNS or BGP: If that service is blocked, all the sites that use it are blocked.

      What does make more sense is not to censor the web but to go after the companies and people that do illegal things. If you think there's a better way to implement censorship, you're part of the problem.

  • why?! (Score:3, Funny)

    by Gravis Zero (934156) on Monday October 21, 2013 @04:43AM (#45186563)

    who is this Sky character and why is he blocking innocent sites?

    oh, virgin... maybe he just needs to get laid.

    • by gigaherz (2653757)
      Says Virgin and Sky Blocking are two people who are part of the Open Rights Group International, who happen to run innocent sites, despite the accusations.
      • by Skowronek (795408)

        The fact that the organization's name can be, quite naturally, abbreviated to ORGI, makes their averred innocence all the more doubtful.

  • by stiggle (649614) on Monday October 21, 2013 @05:01AM (#45186599)

    I know Slashdot is usually behind the curve on news, but the linked articles date back to August....
    (I know - shocking someone read both linked articles :-) )

  • Deplorable network competence there, but it does bring up an unrelated issue. Like most people I've been tending away the "www." in canonical site addresses, but it does have nice redundancy in meaning. Terseness is not always the bestness.

  • What they are doing is enforcing their TOS against servers on residential lines - dynamically assigned IP's, in order to get either more money or convince the wastrel to move to another provider.

    Sorry folks but this has nothing to do with a government bloc in place. It's just another breakage of the internet into little fiefdoms.

A language that doesn't have everything is actually easier to program in than some that do. -- Dennis M. Ritchie

Working...