Open Rights Group International Says Virgin, Sky Blocking Innocent Sites
New submitter stewartrob70 writes with an explanation of the inadvertent (or at least unwarranted) blocking of innocuous sites that UK ISPs Virgin and Sky are engaged in, as reported by PC Pro. The ISPs' filtering systems "appear to be blocking innocent third-party sites with apparently little or no human oversight." stewartrob70 excerpts from a blog posting with an explanation of why:
"In order to understand why this specific issue happened, you need to be familiar with a quirk in how DNS is commonly used in third-party load-balanced site deployments. Many third-party load balanced systems, for example those using Amazon's AWS infrastructure, are enabled by pointing CNAME records at names controlled by those third-party systems. For example www.example.com may be pointed at loadbalancer.example.net. However, 'example.com' usually cannot be directly given a CNAME record (CNAME records cannot be mixed with the other record types needed such as those pointing to nameservers and mailservers). A common approach is to point 'example.com' to a server that merely redirects all requests to 'www.example.com.' From forum posts we can see that it's this redirection system, in this specific case an A record used for 'http-redirection-a.dnsmadeeasy.com,' that has been blocked by the ISPs — probably a court-order-blocked site is also using the service — making numerous sites unavailable for any request made without the 'www' prefix."
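The overblocking described in the excerpt can be reproduced with a small model. This is an added example, not code from the blog post or from any ISP's filter; every hostname and address in it is a constructed documentation placeholder, and treating the last two labels of a name as "the site" is a simplifying assumption.

```python
# Constructed zone data (documentation-range addresses, made-up names).
RECORDS = {
    "redirect.dnshost.example": ("A", "192.0.2.10"),   # shared apex redirector
    "lb1.cdn.example": ("A", "198.51.100.21"),         # third-party balancers
    "lb2.cdn.example": ("A", "198.51.100.22"),
    "shop.example": ("A", "192.0.2.10"),               # apex -> redirector
    "www.shop.example": ("CNAME", "lb1.cdn.example"),
    "blog.example": ("A", "192.0.2.10"),
    "www.blog.example": ("CNAME", "lb2.cdn.example"),
    "ordered.example": ("A", "192.0.2.10"),            # site named in the order
    "www.ordered.example": ("A", "203.0.113.5"),
}

def resolve(name, records=RECORDS, max_hops=8):
    """Follow CNAMEs to an address; None if the name does not resolve."""
    for _ in range(max_hops):
        rtype, value = records.get(name, (None, None))
        if rtype == "A":
            return value
        if rtype != "CNAME":
            return None
        name = value
    return None  # CNAME loop or over-long chain

def site(name):
    """Simplification: the last two labels identify the site."""
    return ".".join(name.split(".")[-2:])

def ip_blocklist(ordered_sites, records=RECORDS):
    """Naive filter build: block every address an ordered site resolves to."""
    ips = {resolve(n, records) for n in records if site(n) in ordered_sites}
    return ips - {None}

def collateral(ordered_sites, records=RECORDS):
    """Names outside the order that still land on a blocked address."""
    blocked = ip_blocklist(ordered_sites, records)
    return sorted(n for n in records
                  if site(n) not in ordered_sites
                  and resolve(n, records) in blocked)

def safe_to_block(ip, ordered_sites, records=RECORDS):
    """Pre-deployment check: is the address used only by ordered sites?"""
    users = [n for n in records if resolve(n, records) == ip]
    return bool(users) and all(site(n) in ordered_sites for n in users)

if __name__ == "__main__":
    order = {"ordered.example"}
    print("blocked addresses:", sorted(ip_blocklist(order)))
    print("collateral names: ", collateral(order))
    print("192.0.2.10 safe to block?", safe_to_block("192.0.2.10", order))
```

The bare names of the unrelated sites fall inside the block while their www names, which resolve through the load balancers, stay reachable; the `safe_to_block` check is the kind of review step the summary says was missing.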
And this is why (Score:5, Insightful)
Re:And this is why (Score:4, Interesting)
Re: (Score:2)
Re:And this is why (Score:5, Informative)
"This is why ISPs..."
Oh, what bullshit. ISPs have bent over backwards so they don't lose out on delicious government contracts, which in the UK require satisfactory filtering methods in place.
There are maybe one or two ISPs which have had a backbone in all this - such as Andrews&Arnold. You can tell the difference because their Internet service is 100% unfiltered. They even ask you if you want filtering and refuse to provide you with service if you say "yes".
Re: (Score:3)
Re:And this is why (Score:4, Interesting)
I haven't heard many complaints about the cost, to be honest.
Run no filter:
- lose gov contracts;
Run cheap filter:
- gain gov contracts;
- increase prices slightly for everyone;
- minority of people notice they're missing legitimate web sites;
Run expensive filter:
- minority still complain because they tend to object to filtering in principle;
- lose custom from extra costs which will be passed on to consumer.
So "run cheap filter" is always the profitable option in the UK, which is why everyone feeds the IWF list plus the easiest interpretation of court orders into something in the style of the original Cleanfeed, augmented more recently by DPI by some ISPs.
Re:And this is why (Score:4, Informative)
See e.g. the long thread on the Be Internet user forum. It was noted that the government refuses to purchase services from ISPs which aren't already enforcing IWF-strength filtering. This was done to encourage ISPs to follow government pro-censorship policy, instead of directly legislating to require censorship. Then the ISP's filters would look like a business decision and the civil libertarians who are "pro-freedom-of-business" wouldn't be able to get their panties in a twist. Fairly clever, if you ask me, and it's just another reminder of the danger of public-private partnerships.
Re: (Score:2)
They were purchasing from Telefonica O2, of which Be was a subsidiary. Telefonica ain't small.
Re:And this is why (Score:4, Informative)
"This is why ISPs..."
Oh, what bullshit. ISPs have bent over backwards so they don't lose out on delicious government contracts, which in the UK require satisfactory filtering methods in place.
There are maybe one or two ISPs which have had a backbone in all this - such as Andrews&Arnold. You can tell the difference because their Internet service is 100% unfiltered. They even ask you if you want filtering and refuse to provide you with service if you say "yes".
Not all ISPs
Not only is Andrews & Arnold [aaisp.net.uk] XKCD 806 [xkcd.com] compliant, but they meet all of mumsnet^W David Cameron's censorship requirements.
The government wants us to offer filtering as an option, so we offer an active choice when you sign up, you choose one of two options:-
Unfiltered Internet access - no filtering of any content within the A&A network - you are responsible for any filtering in your own network, or
Censored Internet access - restricted access to unpublished government mandated filter list (plus Daily Mail web site) - but still cannot guarantee kids don't access porn.
If you choose censored you are advised: Sorry, for a censored internet you will have to pick a different ISP or move to North Korea. Our services are all unfiltered.
Is that a good enough active choice for you Mr Cameron?
Re: (Score:3)
I did mention AAISP in the final paragraph, but I suppose their approach is so correct that it's worth mentioning twice (or thrice, right here!).
Government and big business play an on-going game of pretending to wrestle each other, but they're usually happy enough to work together while giving the plebs some "state vs private sector interests" theatre to get worked up about.
Re: (Score:2)
I did mention AAISP in the final paragraph, but I suppose their approach is so correct that it's worth mentioning twice (or thrice, right here!).
Yeah, sorry, stupid me! Since slashdot started going downhill (1999, hoho), I've taken to reading it on my phone using google web toolkit, but you only get the start of the posts.
Re: (Score:2)
I really don't see the point of what A&A are trying to do because ultimately they still use BT's network and you are still subject to full spying. They even help GCHQ out by not using carrier grade NAT. You still need a VPN out of the country to even begin to be safe and have some privacy, and they could easily offer that service as a standard part of their package. I'm sure a lot of people would love to simply tick a box and have all their traffic re-directed to say Sweden over a fully encrypted link.
O
Re: (Score:2)
SWEDEN!? (Score:4, Informative)
VPN via Sweden, are you freakin kidding me - you might as well cc all your data to GCHQ directly!? Sweden's NSA Spy Links “Deeply Troubling” [yale.edu], or check out the professor's blog for ongoing abuses on all fronts [professorsblogg.com] by the Swedish authorities. Whatever cred Sweden may have established during the cold war years, they have more than used up and are still digging down. The country (well its political leaders) can't be trusted - not a good place to do business anymore.
If any country near the UK has some semblance of credibility, perhaps try Iceland as the first hop for your VPN. They are even trying to promote themselves as a naturally cooled server hub [datacenterknowledge.com], which is nice...
Re: (Score:2)
Of course Sweden is just as compromised as the UK, but that isn't the point. The VPN helps hide your identity, but there are still two dangers. There might be legal pressure put on the VPN provider, but Sweden actually has some quite strong protections. At least, scum like music industry parasites can't use civil courts to make them hand over data. The other danger is a spy agency monitoring both ends of the connection to try and identify you, but Sweden probably doesn't have the resources to do it.
Iceland
Re: (Score:2)
Sweden - NSA Codename "Sardine" [falkvinge.net] - more than likely receives secret funding from the NSA to establish the infrastructure, just like the UK does [theguardian.com]. They may even receive more funding than the UK given their gateway status to Russian internet traffic.
Also check out the professor blog website I linked previously - you cannot trust Sweden's perception of "strong protections" anymore - there are good reasons [professorsblogg.com] why Sweden is now rated below Botswana, Romania and Senegal in the WJP Rule of Law Index. Sad how bad it ha
Re: (Score:1)
Ahh, security through delusion.
Re: (Score:2)
Re: (Score:2)
"They even help GCHQ out by not using carrier grade NAT."
Oh dear.
"all their traffic re-directed to say Sweden"
Oh dear oh dear.
Re: (Score:1, Offtopic)
ISPs like Comcast? Cox? TimeWarner?
Which ISPs have been making this claim?
Re: (Score:1)
I can access that site from a Sky connection with no problems.
Re: (Score:1)
On Sky: Check
Can access ar15.com: Check
Blocked on Sky? No
Your point?
Re:Not all is inadvertent (Score:4, Funny)
I assume this is a parody of the gun nuts who weaken every decent discussion with paranoid, extremist ramblings.
Re: (Score:2)
They don't do any more damage than the name-calling stereotypers.
Re: (Score:2)
"When Joining Yet Again was talking about paranoid gun nuts, he MUST HAVE BEEN TALKING ABOUT ME."
Re: (Score:3)
Guns are not illegal in the UK, they are just much harder to get.
Re: (Score:2)
OK, you can be "free" and dead. I'll be enjoying my slightly less "free" life.
Re: (Score:3)
Last successful invasion: 1066.
Get back to me in a millennium, yank.
Re: (Score:1)
Re:Not all is inadvertent (Score:4, Informative)
As a successful invasion? No. Not unless 9/11 counts as a successful invasion of the US.
Although WW2 was over 5 years after the Battle of Britain, while the US has indentured itself for decades, so maybe 9/11 was a more effective attack. Thanks for making me think about this.
Re:Not all is inadvertent (Score:4, Funny)
No, it's a bad thing - have you any idea how these people not being killed in gun massacres are over-burdening the NHS? Come on people, you have to think about the greater good.
Re: (Score:1)
Re: (Score:2)
If they happened every other week they might be worth talking about. You are talking about something that happens less often than that, over a sample size of 300 million people in 3.97 million square miles. Anything that happens at least once a day over such a sample size is pretty fucking rare....and these massacres happen, maybe once or twice a year at most.
Re: (Score:3)
BGP instead of DNS filtering makes more sense? (Score:3)
Technically speaking that is, not politically.
I remember reading about this on one of my ISPs' blog a while ago.
http://steve.blogs.exetel.com.au/index.php?/archives/186-Content-Filtering.html [exetel.com.au]
Re:BGP instead of DNS filtering makes more sense? (Score:5, Insightful)
No, any IP based filtering is bad if you want to only block websites. As just explained in TFA, the http protocol is used to put more than one website on a single IP address. You will block other websites if you are blocking entire IP addresses.
The big catch here is that to do this "properly" ISPs will have to put up transparent HTTP proxies and MitM https as well, just to be able to block these websites. This will effectively make the entire internet insecure for any serious stuff like banking or purchasing goods, since anyone will be able to spoof https. Not only that, but ISPs will suddenly have complete records of your complete web browsing history. There is no way to deny it, those logs will end up in the hands of the government sooner or later. Having ISPs block web sites is like having road workers make systems that block foreign people that commit traffic violations, it's just not a feasible concept.
Re: (Score:2)
MitM is a Politically bad idea, not technical. If the proxy servers in the middle have enough bandwidth and resources, the performance could theoretically even be an improvement. I most certainly agree (from a Political perspective) it is a dangerously slippery slope.
From a technical perspective, it doesn't make the internet (banking, shopping, etc or other https activity) any different because a government/ISP MitM filter is no different to a Malicious Hacker MitM attack, which is already feasible. Also, I
Re:BGP instead of DNS filtering makes more sense? (Score:4, Informative)
Actually, they *do*. That's how the 'cleanfeed' system works. As was discovered when they blocked wikipedia a few years ago - ISPs redirected all traffic for that IP on port 80 to a transparent proxy that then blocked the offending files specifically, playing hell with wikipedia's anti-vandalism measures.
Re: (Score:1)
What's being blocked is a service that is (apparently) used by one site that is meant to be blocked and others that (supposedly) aren't meant to be blocked. It doesn't matter whether you block them by DNS or BGP: If that service is blocked, all the sites that use it are blocked.
What does make more sense is not to censor the web but to go after the companies and people that do illegal things. If you think there's a better way to implement censorship, you're part of the problem.
why?! (Score:3, Funny)
who is this Sky character and why is he blocking innocent sites?
oh, virgin... maybe he just needs to get laid.
Re: (Score:2)
Re: (Score:2)
The fact that the organization's name can be, quite naturally, abbreviated to ORGI, makes their averred innocence all the more doubtful.
Re: (Score:2, Funny)
Lieber Slashdot Englisch Kapitalisierung ist schlecht für visuelle Lesbarkeit und Verständnis. Werfen Sie einen Punkt und nimmt eine besser lesbare europäischen Stil. Vielen Dank.
Like that?
Re: (Score:2)
What do you mean by "support"? Use? Because if you want pay TV in the UK, for example for decent sports coverage, then you basically have to be a customer of one or the other. And that being the case, buying your broadband from them in a package deal is very cost-effective, and while they may be "awful", so are some of the biggest competitors (BT, TalkTalk, EE).
Re: (Score:2, Interesting)
I was with Be for years. Excellent ISP, no blocking, real unlimited bandwidth and helpful technical support to boot. I jumped ship to Virgin when they were bought out by Sky as I really hate Sky. Who else was I going to go with? BT?
There are no more good ISPs left in the UK. This is a real shame.
p.s. As this is Slashdot, I would love to be corrected on the last point ^_^
Re: (Score:2)
There can be only one ...
Andrews & Arnold [aa.net.uk] is probably the best in terms of respecting the End User, but that quality does come at a price.
Re: (Score:2)
Yup, they're great, but you're right about the cost. They need to charge me £100 for installing FTTC (Infinity), whereas BT will do it free of charge, and charge less per month. It's tempting to go to BT, get them to install it, and then go back to Andrews and Arnold after the contract is up.
Re: (Score:2)
Old News from August? (Score:5, Informative)
I know Slashdot is usually behind the curve on news, but the linked articles date back to August....
(I know - shocking someone read both linked articles :-) )
Re: (Score:1)
finally www has a purpose (Score:2)
Deplorable network competence there, but it does bring up an unrelated issue. Like most people I've been tending away the "www." in canonical site addresses, but it does have nice redundancy in meaning. Terseness is not always the bestness.
Dyndns service (Score:1)
What they are doing is enforcing their TOS against servers on residential lines - dynamically assigned IP's, in order to get either more money or convince the wastrel to move to another provider.
Sorry folks but this has nothing to do with a government block in place. It's just another breakage of the internet into little fiefdoms.