GCHQ Planning UK-Wide DNS Firewall (thestack.com) 194
An anonymous reader writes: UK surveillance agency GCHQ is exploring the use of a national 'firewall' in its fight against cybercrime, according to the organisation's head of cybersecurity. Alongside BT, Talk Talk and Virgin Media, GCHQ will work to filter out websites and email campaigns which are known to contain malicious content. The intelligence organisation believes that the best to way to set up such a blockade would be to build a national domain name system (DNS). In a speech delivered at the Billington Cyber Security Summit in Washington DC, director general for cyber security at GCHQ, Ciaran Martin, said: 'We're exploring a flagship project on scaling up DNS filtering: what better way of providing automated defences at scale than by the major private providers effectively blocking their customers from coming into contact with known malware and bad addresses?'
and then block porn / 3rd party candidates / free (Score:5, Insightful)
and then block porn / 3rd party candidates / free press.
Re: (Score:3)
Re: (Score:2)
Re: (Score:2)
Our third party self destructed a couple of years ago and our second party is in process of self destruction.
England's main parties you mean.. in Scotland the Scottish National Party is first by several country miles in terms of both Westminster and Holyrood elected representatives numbers.
Re: (Score:2)
Well, nationally too. The SNP don't make it into fourth place nationally. They're barely ahead of the Green party ffs.
Re: (Score:2)
Well, nationally too. The SNP don't make it into fourth place nationally. They're barely ahead of the Green party ffs.
the changes at Holyrood [bbcimg.co.uk] kinda makes a point that image eh?
2010 's Westminster seats in Scotland [bbci.co.uk]
and after the 2015 election the electoral map looked like this [bbci.co.uk]
Also... just ahead of the greens?.. quite an achievement considering they only stand for election in Scottish seats and have no need or interest in campaigning in English/Welsh or Irish seats. They have the votes of the vast majority of Scots but i suppose that doesn't count as if it's of any importance eh?
Re: (Score:2)
The SNP have more representation in Westminster per vote than any other party. Maybe more than every other party ever.
So no, getting more votes in Scotland than everybody else counts for fuck all. It's still not democratic.
I do also seem to recall them losing the vote they really cared about. No wonder Sturgeon's scared shitless of calling another referendum, for all her bleating about the supposed need for one.
Re: (Score:2)
And the reason for the Lib Dem destruction is in propping up a coalition government that nobody liked. The electorate punished them and not the larger partner of the coalition. Strange. Or maybe demonstration of just how much control the right wing media has over a large portion of the electorate.
The implosion of Labour is hilarious. The party is collapsing because it's got too many MPs who wanted to be in the Conservative Party but somehow joined Labour, presumably by mistake.
The Conservatives may be divid
Re: (Score:3)
English politics are strange.
Conservatives and Lib Dems set up a coalition, Conservatives do a lot of bad things and Lib Dems only prevent some of them: Lib Dems collapse.
Conservatives and Labour jointly try to run a campaign to stay in the EU, to deal with the mess that the Conservatives created: Labour collapse.
Re: (Score:2)
I voted Lib Dem a few times, but the coalition was a betrayal. Tory policies are so far removed from what the Libs stood for, and they got such a bad deal out of the negotiation... And look where it got us. Out of the EU and likely on the virge of the UK breaking up as Scotland and Gibraltar seek to remain in.
Labour is having an existential crisis. They want a leader with principals, but need a slimey piece of shit like Cameron to win an election.
Re: (Score:2)
And the reason for the Lib Dem destruction is in propping up a coalition government that nobody liked. The electorate punished them and not the larger partner of the coalition. Strange.
Not really that strange. As far as I can tell, they got delayed punishment for going into a coalition with the Conservatives in the first place, rather than aligning with Labour as most Lib Dem voters would have expected. The fury at that cannot be understated; I believe their membership dropped considerably immediately after that fateful decision. Their rout at the following general election was only to be expected. Clegg destroyed that party.
Re: (Score:2)
It's England.
Well, the UK. For now.
Re: (Score:2)
--USA person
Re: (Score:2)
There is really only one party. They all serve the same masters.
Re: (Score:2)
and then block porn / 3rd party candidates / free press.
Which of the remaining 11 parties after the first two currently in the house of commons do you consider to be the third one? And to which party to you count the cross bench peers in the Lords?
Re: (Score:2)
Well, apply recursion to the process and the simple answer is 'all of them'.
Re: (Score:2)
Re:and then block porn / 3rd party candidates / fr (Score:5, Insightful)
Thoughtcrime, Winston Smith. It's all doubleplusungood thoughtcrime.
Re: (Score:2)
British PMs are never elected, their party is.
I think the PM still has to win their seat. Has a PM ever served where their party won FPTP but they didn't win their seat?
Re: (Score:2)
British PMs are never elected, their party is.
I think the PM still has to win their seat. Has a PM ever served where their party won FPTP but they didn't win their seat?
Yes, but not since 1902. (It used to be acceptable for the PM to come from the House of Lords, which is unelected.)
Re: (Score:2)
Re: Copying China (Score:2)
Re: (Score:2)
I bet they will ban Stormfront...
why would they block the first Dresden files book
Good, Bad And Ugly (Score:5, Insightful)
The Good: if there are known threats that can be filtered, this is the most efficient level on which to do them.
The Bad: this will inevitably be extended to blocking torrent sites, Wikileaks and any web sites I administer.
The Ugly: it will create a false sense of security, "educating" users to be less educated about their machines.
Re: (Score:2)
That's OK. You can just run your own DNS server, and add those missing entries. You're welcome!
Re: (Score:2)
Re: (Score:2)
just point to the remote DNS hosted by the NSA instead, there is still some freedoms allowed in the US.
Re: (Score:2)
also where is the host files guy when you need him
Re: (Score:2)
Except you know... your DNS needs to contact remote DNS servers for lookups which are then redirected to the government DNS on the great firewall of ...
If I tell my DNS server it's authoritative for wikileaks.org and thepiratebay.se, it doesn't contact any remote servers to resolve those domains, it answers with whatever IPs I configured. Let it forward the rest of the queries happily along. If this "Great DNS Firewall" idea takes off, I suppose free thinkers in the UK will all be trading bootleg zone files, of all things.
Re: (Score:2)
Well, it's bad no matter how you look at it, primarily because even if you accept that filters are good, by and large they're ineffective, and are very prone to false positives.
Re:Good, Bad And Ugly (Score:4, Insightful)
Yes, it will eventually used to block torrent sites, the Pirate Bay, etc. It will be used to block any of the other downloading sites that are available whether they are torrent trackers or straight downloads or streaming sites.
Even more, if riots break out, or dissension protests start up, all of a sudden Twitter and FB will be temporarily blocked to prevent coordination by participants. The US has already done similar to this, for instance in bay area BART stations where they shutdown the cell phone repeaters to prevent communication in the stations when Oakland had riots/protests going on. If UK can do it by simply blocking DNS to these sites, the same results will happen.
Who decides what is considered "MalWare"? What are the criteria? Malware could be the typical kind, but could also include hacking software, keygen apps, apps that the RIAA/MPAA and big-media doesn't like? Everyones idea of what is malware, is probably slightly different. Viruses yes, but not all the others are malware. I know most virus scanners pick up keygen's and other cracking software as a virus even if it's not, but because want to scare away people from using them.
Re: (Score:2)
OpenDNS is owned by Cisco, talk about having your tongue up the ass of the kind of corporate fascist scum who have governments in their pocket.....
Re: (Score:2)
I've used it for years without issues. If I have problems or don't like what they are doing, I can always point my home router
Re: (Score:2)
Missing the obvious, good citizen.
Memory hole! Censorship! It didn't happen, it never happened.
Re: (Score:2)
The Good: if there are known threats that can be filtered, this is the most efficient level on which to do them.
The Bad: this will inevitably be extended to blocking torrent sites, Wikileaks and any web sites I administer.
The Ugly: it will create a false sense of security, "educating" users to be less educated about their machines.
Erm.. the UK already requires ISP's to block torrent sites. It's as effective as an ashtray on a motorbike. Every torrent site can be accessed via a simple google search and they've simply given up on playing whack-a-mole with new URLs. As long as they have "thepiratebay.*" blocked, ISP's have effectively done all they legally have to and stooped caring.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
The Good: if there are known threats that can be filtered, this is the most efficient level on which to do them.
The Bad: this will inevitably be extended to blocking torrent sites, Wikileaks and any web sites I administer.
The Ugly: it will create a false sense of security, "educating" users to be less educated about their machines.
The un-fucking-believably stupid: Ignoring the capacity for police state tactics in surveilling the domestic population, this is the same as tacking a bullseye onto the nation's internet and telling every terrorist, rogue nation and hacktivist:
DO NOT PRESS THIS BUTTON. THIS ONE. RIGHT HERE. IT WOULD BE VERY BAD. SO DON'T PRESS IT.
Re: (Score:2)
the idea maybe that the flagged terrorist site is not in the DNS at all. so the rhetoric that could be considered "poisonous" is not accessed. the issue maybe what is considered "poisonous", terrorism today and free speech tomorrow.
it would be interesting if this was a transparent effort where the logic/decision tree was available for discussion.
the ugly is if you type in www.theguardian.com are you getting the guardian or just a reasonable facsimile of it with the appropriate malware injected.
Malware and terrorists will just use IP addresses (Score:2)
So isil.org would be blocked, but wearenotterroristsnothingtoseehere.org would not be.
Oh, also, https://142.235.76.22/ [142.235.76.22] would also not be blocked, since it doesn't use DNS
Re: (Score:2)
"wearenotterroristsnothingtoseehere.org" until some one puts it on the list, there are third party vendors that classify websites including "violence or terrorism" and so its not far fetched by any means.
as to the second part... of course not its an DNS list unless they start filtering by content by providing a content filter and not just DNS filter.
Won't work. (Score:5, Insightful)
Re: (Score:2)
Well, with name based virtual hosts you certainly need some sort of name to send the request to, whether provided by DNS or /etc/hosts or whatever.
And yes, running your own DNS is trivial. IF your provider isn't blocking requests out that aren't headed to their own servers, much like smtp and port 25....
Drawbacks of ways to visit a site without DNS (Score:3)
You don't need DNS to visit a website.
I can think of two ways to visit a website without DNS, and both have serious drawbacks.
Re: (Score:3)
Other than border security intercepting all outbound connections or datagrams on port 53.
Not necessarily. A VPN to a n external server and they would never know what is inside that tunnel.
Re: (Score:2)
Why would they continue to allow a VPN across this nationwide firewall?
The goal is to protect the Britons from "bad" websites as defined by the government. The first thing they want to try is to hide these sites from Britons by removing any DNS entry to them. When the government realizes that people are circumventing their firewall then I'd fully expect them to do what they can to block that traffic as well.
This is doomed to fail since, as you predict, people will find a way around it. If they are succes
Re: (Score:2)
Nope.
You also need the desired host name as part of your browser's web request, because most websites share an IP address with other web sites. Than means your going to have to either have a giant-ass hosts file or your own name server that magically gets updated with hundreds of millions of DNS records.
Re: (Score:3)
This is highly untrue, actually. Larger web sites don't run on a single IP address, they run on a collection of IP addresses using various redundant networks (such as IP load balancing by issuing different addresses from DNS requests). This also allows for easier system maintenance while maintaining 100% uptime. Need a server to go down for a while in the pool? Just remove that server's IP address from the DNS load balancing pool, wait some time for client DNS caching to expire, then take down that particul
Re: (Score:2)
Re: (Score:2)
I tried to mention tools like yours, but even including your initials in my comment caused it to trip Slashdot's lameness filter.
Re: (Score:2, Insightful)
Agreed.
The Internet was designed to route around disruptions in the network. Censorship one type of disruption.
If an end user doesn't like what GCHQ is doing, they can:
1. Install a DNSSEC-enabled nameserver software on their end device or home network to bypass the firewalls and detect man-in-the-middle rewrties.
2. Utilize another open recursive server - there are millions to choose from.
3. Utilizea a VPN to get out of the country and utilize Google or OpenDNS o
Re: (Score:2)
Re: (Score:2)
I wonder if they plan on proxying DNS requests leaving the country? If so, the only workaround would be to use encryption and/or DNSSEC and a DNS server outside the country... possibly on a non-standard port in case they block 53.
Re: (Score:3)
You don't need DNS to visit a website. Also, there's nothing preventing you from running your own DNS.
Hmm intriguing idea. I guess you could run your own DNS root server and maintain your own records for everything on all zones on the Internet. Its going to take some bandwidth to keep all that updated!
But if you are thinking of just running your own local DNS server then its going to need forwarders and those forwarders are going to either be within the firewall and thus limited or outside the firewall and inaccessible.
Or you could use an alternative port on a DNS forwarder outside the firewall. Some DNS se
Re: (Score:2)
You don't need DNS to visit a website. Also, there's nothing preventing you from running your own DNS
So, why don't it work? The plan is apparently to stop malware with DNS filtering. They're not going to stop you running your own DNS and visiting the malware sites if you really want to.
Re: (Score:2)
Because if you can stop the 90+% of regular users from getting the malware-of-the-week, that's a win. Most people wouldn't even realise what was going on.
Re: (Score:2)
I think we're in agreement.
Re: (Score:2)
Re: (Score:2)
It wouldn't be proof against VPNs, so there's already a way around this. As usual, such measures might catch the low hanging fruit, but anyone with even a moderate degree of technical ability could get around it.
Re: (Score:2)
Until they block any encrypted traffic at the border...
Re: (Score:2)
Which would cause immeasurable damage to a country that right now is trying to sell itself as open for business, seeing as it is preparing to leave the EU.
Re: (Score:2)
People's Republic of Great Britain (Score:5, Insightful)
Re: (Score:2)
In all seriousness, I don't think this is that big a deal. >99% of people already blindly trust their DNS to their ISP (generally about as untrustworthy as governments are in any case), and those that don't won't be affected by any regulations the UK wants to impose.
Re: (Score:2)
There was an internet in *1984*. Pay attention.
There also were those who controlled what was remembered, and those who architected language with the end goal of non-state approved concepts being impossible to express or even conceived.
Re: (Score:3)
There was an internet in *1984*. Pay attention.
The Internet existed in real life in the year AD 1984, yes. There was no internet in the novel Nineteen Eighty-Four by George Orwell, which was written in AD 1949.
There also were those who controlled what was remembered, and those who architected language with the end goal of non-state approved concepts being impossible to express or even conceived.
You're referring to the Ministry of Truth and Newspeak, respectively. Both of which have nothing to do with a national DNS. Now, it's true that the government could make it annoying to access unapproved websites, and there's nothing wrong with being skeptical of their intentions, but to say it's Orwellian is a massive hyperbole. Governments all th
Once more with spirit! (Score:2)
How many times do we have to say that 1984 was not an instruction manual?
Evidently one more time as always.
Re: (Score:3)
They will never stop pushing, so we must never stop pushing back.
The price of freedom is eternal vigilance.
Allow opt-out (Score:2)
If they do this, I hope that they will allow an opt-out. Anything else would feel like an act of censorship, even if that may not be the intent.
Re: (Score:2)
Re: (Score:3)
Nothing should *ever* be opt-out. The default should always be to opt-in. If you can't make that enabling process easy to do and successfully sell the idea to your prospective end users (AKA "source of data" - because they are absolutely going to be saving all your DNS queries as "metadata"), then maybe it wasn't such a good idea to start with.
I won't argue with that, though I was more thinking about the alternative of not having a choice (opt-in or opt-out), as to having this imposed. I just don't want to see a 'Great Moat of Britain', being imposed. There are enough right wing isolationist attitudes at play, in the country today, that we don't need another one added to the fray.
Re: (Score:2)
If they do this, I hope that they will allow an opt-out. Anything else would feel like an act of censorship, even if that may not be the intent.
Hahahahahahahaha! Of course that's the intent. And of course they won't allow an opt-out. Even if they did, to ask for it would be more or less to hang a big sign round your neck saying, "TERRORIST!"
FTFY GCHQ (Score:2, Insightful)
what better way of providing national surveillance
We (the US) should not give control away. (Score:2)
Because, if for no other reason, the World will be controlling their Internets anyways.
Let them.
Drop List or censored government DNS server? (Score:2)
Re: (Score:2)
The harm from implementing a large-scale DNS firewall to the DNS system exceeds the benefit.
Once again, of course it does! That's the whole idea. (But it rather depends from whose point of view you are defining "harm" and "benefit").
ICANN Transfer (Score:2)
This is a slippery slope and it's one of the reasons we shouldn't try to fix what isn't broken, by giving up control over domain assignments. We have more of a hands off tradition over here that other countries do not necessarily share.
A journey must begin with a single step (Score:2)
.
This looks like the first step towards censorship to me. What will be next on the list of Things That Should Be Blocked?
And this shall be named... (Score:5, Funny)
The Great Firewall of Britain! (Score:5, Insightful)
"[W]hat better way of providing automated defences at scale than by the major private providers effectively blocking their customers from coming into contact with known malware and bad addresses?"
What better way of allowing the UK government to censor what British people can see and hear on the Internet, without the huge majority of them having any idea that their Internet access is being censored?
And for those who have suggested this is no big deal, just wait. This is a case of "First they came for the communists", with a vengeance. Quite apart from the fact that this is exactly what the Chinese government has been doing with its "Great Firewall of China" - and getting it in the neck for alleged tyranny, totalitarianism and censorship.
Of course, how this policy would work out in practice does depend very much on who decides what constitutes "known malware and bad addresses [sic]". Previous draconian laws passed by the British Parliament were, we were solemnly promised, to be used only in the most serious of terrorist cases. A couple of years later, the powers were in fact being used by town councils to spy on what people put into their rubbish, how they kept their gardens, and other such personal and utterly non-vital matters.
If a law is passed establishing a "Great Firewall of Britain", we can be quite sure that within a couple of years literally thousands of government employees - from the Prime Minister to town hall clerks - will be contributing "bad addresses" to the cumulative DNS blacklist. Just like the current Homeland Security watch lists in the USA, thousands of items will be added every month, and nothing will ever be removed.
Indeed, people living in Britain may well find that, one day in the not-too-distant future, they are no longer able to read or contribute to Slashdot. After all, just think of all the contentious issues and worrying statements that are to be found on its pages! Some government functionary - or, perhaps more likely, an instance of that classic responsibility-diffusing mechanism, a committee - will take the view that it would perhaps be for the best if this rather dubious Web site were no longer to be accessible from the UK.
GCHQ (Score:2)
"Lady Chatterley's Lover" redivivus (Score:3)
This proposal reminds me of the 1960 obscenity trial of Penguin Books for the publication of "Lady Chatterley's Lover" by D.H. Lawrence. The chief prosecutor, Mervyn Griffith-Jones, caused some merriment but also revealed his deep prejudices by asking if it were the kind of book "you would wish your wife or servants to read". (If they have time on their hands, readers are encouraged to compile a full list of the ways in which that remark was patronising and bigoted).
If this proposal is taken up by the UK government, it will means that - more than fifty years after the "Lady Chatterley" trial, in an era that prides itself on its freedom of expression - government officials will be asking themselves, in the privacy of their offices, "Is this the kind of Web site you would wish your wife or servants to read?" As it is so very much easier to be safe than sorry, no doubt the answer will very often be, "Actually, no, old man, it isn't" - and off will go another batch of "bad addresses" to the Black List, never ever again to be seen.
Won't they have to also block other DNS services? (Score:2)
Providing a national DNS service with nanny filtering sounds too easy to workaround (just point to Google's DNS, OpenDNS etc. instead - just any non-UK reliable DNS service would do). Wouldn't they also have to have the ISPs blocking those other DNS services as well?
Like all these blocking services, they'll never publish the full list of what they block, hiding behind the claim that it's either proprietary or will give people clues as where the dodgy sites are. Problem is, this means they can block all sort
Re: (Score:2)
Did someone say "Balkanization"? (Score:2)
Re: Did someone say "Balkanization"? (Score:2)
Minor Issue!! (Score:2)
OK, so lets say this is done, and ISP's are required to have the DNS servers IP as their DHCP autoconfig response.
Questions:
1/ Who will own and operate this DNS service?
2/ What will their DNS request logging retention look like?
3/ Who will have access to those records and with what authentication?
4/ Why are you now thinking this is something from George Orwell's 1984?
Malicious content? (Score:3)
What could go wrong? I mean really, who the fuck trusts a consortium of GCHQ and several mega-corps to neutrally and impartially protect them from "known malware and bad addresses"? Incidentally, I have to wonder - do those 'bad addresses' include sites that are critical of the government and/or the companies in question? Might they include 'non-approved' IP telephony services? Sites that promote Scottish independence?
The opportunities for abuse are endless. This is a very bad idea.
Nobody learns any lessons (Score:2)
I'm so tired of this crap. If you fuck with DNS people will just use IP literals or invent separate control channels to replace DNS.
Security strategies that "solve" a current problem while ignoring the fact your adversaries are thinking humans with a mind just like yours only lead to collateral damage while not solving the original problem.
There is still quite a lot of low hanging fruit still left to be plucked in terms of human factors and system design that would actually be effective beyond screwing wit
Re: (Score:2)
"IP literals?" Nope, most web sites use an IP address shared with others, you also need the browser to put desired symbolic host name in hosts: field of request which the web server (or proxy) will then make to the appropriate vhost. That makes the problem more difficult to solve
Re: (Score:2)
"IP literals?" Nope, most web sites use an IP address shared with others
What "most websites" do or don't do is irrelevant. IP addresses are cheap and easy for anyone with good or bad intentions to obtain especially in the future as IPv6 adoption increases. Criminal enterprises are not required to share their address space (e.g. throwaway virtual hosts and botnet victims) with others nor are they required to use DNS.
Oh no, DNS based you say? (Score:2)
Manager: I'm sorry, but if you don't come up with that money by tomorrow, the bank is going to take your house.
Homer: Well, good luck finding it, because I'm going to take the numbers off tonight!
Manager: Well, we'll look for the house with no numbers.
Homer: Then I'll take off the numbers on my neighbor's house.
Manager: Then we'll look for the house next to the house with no numbers.
Homer: [...] All right, you'll get your money...
Great Chinese Firewall as inspiration (Score:2)
Obviously, these people think that the Chinese are handling online free-speech and free access to information just right and want to copy their success-story. Sure, people can still get around this (DNS filtering and blocking is the cheapest, least-secure option), but that can simply be made illegal. In the end, the UK "Internet" will end up as a "walled garden" where only content deemed appropriate by the "authorities" is easy and legal to access. Rogue browsing will be treated according to another success
Re: (Score:2, Insightful)
Hmm well if you understood what a DNS was you might feel differently. This would be easily circumvented but would protect the masses from malicious sites and for once it seems like a reasonable idea from a national agency.
Re: (Score:2)
When the UK was able to fully fund the GCHQ again following massive 1960's Skynet satellite https://en.wikipedia.org/wiki/... [wikipedia.org] costs and many other very expensive upgrades and creative cash flow issues, collect it all was again seen as a solution for Ireland and the world.
The NSA always got th
Re: (Score:2)
Re: (Score:2)
I thought that 8.8.8.8 was the "primary" and 8.8.4.4 was the "backup" (both being Google's public DNS servers)
I could be wrong.
Why is 6 scared? (Score:2)
2. you're just trading the NSA for GCHQ, you patriotic American, you.
Re: (Score:2)
maybe ISP won't allow udp & tcp 53 to any endpoint but their nameservers, they'll be required to only allow theirs to be accessible. sure, geeks can work around that but a regular joe?
Re: (Score:2)