Re: [uknof] Re: [members] Network Level Content Blocking (UK)

2007-06-09 Thread Stephen Wilcox

[I have included the nanog list back here, as it was originally cross posted 
and there seem to now be divergent discussions in progress]

On Sat, Jun 09, 2007 at 10:13:11PM +0100, Vince Hoffman wrote:
> Ian Dickinson wrote:
> > John Ekins wrote:
> >> Some very big sites HAVE been on the list at times. This was clearly an
> >> issue we took into account. Our system coped.
> > 
> > Good for you.
> > 
> >> I can't believe this is news to Pipex. This has been discussed at the
> >> IWF and ISPA. And Pipex is a member of both. It has been discussed over
> >> and over. The fact is small ISPs (like Brightview - 60,000 ADSL) and big
> >> ISPs (BT, Virgin Media (NTL/Telewest) - millions) have implemented this.
> >> They had the same issues and found a way to make it work.
> > 
> > It's not news - I'm merely taking issue with your "zero-cost" stance, which I
> > think is *potentially* misleading.
> > 
> A colleague of mine informed me that receiving the IWF feed requires us
> to be a member, a not totally insignificant cost (about £5k for us), is
> this correct? If so, combine it with colo, admin and hardware costs and
> it's certainly not "zero-cost" for us

I think there's a bit too much focus being given to the implementation side of 
this problem. The Internet is currently a very cheap industry to set up in, 
compared to say becoming a telco in the 90s with large licensing fees and huge 
capex for startup. If the government says the Internet services need to provide 
X, Y and Z at $ cost then so be it.

I think the real issue is the technology and the perception it has. It is being 
imposed on operators to violate routing strategies and add these /32s which 
cannot scale, additionally inserting web caches many years after web caches 
ceased to be de facto with all the issues and reduced service level they come 
with. And after doing all this we are blocking on a tiny hand-managed list, 
this doesn't even compare to early spam blocking systems and look how 
ineffectual they were!

The scary part is this is being cited in parliamentary sessions as being the 
holy grail of child porn fighting. That is the real worry. Yes it is relatively 
expensive to implement, yes it can only be done through a series of hacks and 
violations to protocol and no it doesn't provide 1% of real protection or help 
to push forwards the anti child porn goals.

So why are so many ISPs keen to sign up? Well any number of reasons - PR, 
political pressure, fear of being branded pro-child porn by the media.

I think we as an industry can do so much better to find solutions to this 
problem without pandering to the first crazy idea that our PR mad government 
comes up with.

Steve


Re: Network Level Content Blocking (UK) for people who cant be bothered to read the article..

2007-06-08 Thread alex

On Fri, 8 Jun 2007, Donald Stahl wrote:

> "The greatest dangers to liberty lurk in insidious encroachment by men of 
> zeal, well-meaning but without understanding."
> 
> -Judge Louis Brandeis


> I am not willing to give up any of my own liberties to protect children.  
> We already have laws that do that and judging by the number of people
> arrested they seem to work. You reach a point of diminishing returns.

Hello,

Before *this* thread spins out of control, I would like to draw your
attention to NANOG-L AUP, available at http://www.nanog.org/aup.html ,
particularly #6: Postings of political, philosophical, and legal nature
are discouraged.

In other words, it is on-topic to discuss operational effect of filtering
- what the original post started with. It is on-topic to discuss how to
filter and comply with government or corporate mandates to filter. It is
on-topic to discuss existing logging/filtering solutions and their
operational impact.

It is "not so much" on topic to discuss legalities of filtering, but I
think most agree that it still belongs here.

It is clearly off-topic to discuss lists of British colonies, or civil
liberties or protection of children - there are better forums to do this.

Please follow any replies to this message to [EMAIL PROTECTED]

-alex (acting mlc chair)




Re: Network Level Content Blocking (UK) for people who cant be bothered to read the article..

2007-06-08 Thread Donald Stahl


> This was a very curious experience. What they want to achieve is protecting 
> children from abuse. This is of course a laudable goal. But they think they 
> can do that by ridding the internet of images depicting said abuse. There are 
> pretty strong laws against that in the Netherlands*, but this woman thought 
> that wasn't enough: she felt it would be good to also outlaw _text_ 
> describing child abuse. This is really scary. If these well-intentioned but 
> extremely dangerous people get their way, someone can end up in jail for 
> simply writing some text.

"The greatest dangers to liberty lurk in insidious encroachment by men of 
zeal, well-meaning but without understanding."

-Judge Louis Brandeis

"Of all tyrannies a tyranny sincerely exercised for the good of its 
victims may be the most oppressive. It may be better to live under robber 
barons than under omnipotent moral busybodies. The robber baron's cruelty 
may sometimes sleep, his cupidity may at some point be satiated; but those 
who torment us for our own good will torment us without end, for they do so 
with the approval of their own conscience."

- C.S. Lewis

> I'm not one to give up my civil liberties without a struggle, but protecting 
> kids may be important enough to make it worth giving up a few. But is it too 
> much to ask for something that actually works in return?

"They that would give up essential liberty for a little temporary safety 
deserve neither liberty nor safety."

-Benjamin Franklin, Historical Review of Pennsylvania, 1759

"Experience teaches us to be most on our guard to protect liberty when the 
government's purposes are beneficent."

-Judge Louis Brandeis

I am not willing to give up any of my own liberties to protect children. 
We already have laws that do that and judging by the number of people 
arrested they seem to work. You reach a point of diminishing returns.


At some point you have to accept that the world is a dangerous place and 
that bad things happen. There is a balancing point and a greater good to 
think about. Making everyone else's life less free does not balance out 
with the prospect of maybe saving a few kids. As the laws become more 
invasive they will eventually breed resentment and hatred for the 
government and fellow citizens. The end result will be civil unrest and 
fighting and that helps no one. Sadly it's already happening. Americans 
hate each other more than at almost any other time in our history - and 
the hatred is becoming vicious.


-Don


Re: Network Level Content Blocking (UK) for people who cant be bothered to read the article..

2007-06-08 Thread Adrian Chadd

On Fri, Jun 08, 2007, Leigh Porter wrote:

> It is quite odd really that governments want to implement something to 
> prevent people from breaking a law. And some posts have been correct in 
> asking what's next? Automatic copyright/patent infringing filtering?

Obviously you've not paid much attention to what Youtube have been doing
lately..




Adrian



Re: Network Level Content Blocking (UK) for people who cant be bothered to read the article..

2007-06-08 Thread Alexander Harrowell


Well, it seems to be a standard operating procedure that anyone in a
high profile case gets accused of possessing "child porn" via
anonymous leaks from the police to the national press. (See the Forest
Gate incident - not only did they tear the guy's house apart looking
for nonexistent "chemical weapons", they "accidentally" shot him, then
they briefed the tabloids that his computer was riddled with evil
images of children. Naturally, he was never prosecuted for same.)

If any UK ISP is willing to NOT do this, you've got my business.


Re: Network Level Content Blocking (UK) for people who cant be bothered to read the article..

2007-06-08 Thread Leigh Porter



Why did they even go for him in the first place?
Has anybody heard of operation Ore in the UK? It looks like a bit of a 
disaster, who would have thought that stolen credit card details would 
have been used to buy illegal porn?


--
Leigh


Alexander Harrowell wrote:

> Well, it seems to be a standard operating procedure that anyone in a
> high profile case gets accused of possessing "child porn" via
> anonymous leaks from the police to the national press. (See the Forest
> Gate incident - not only did they tear the guy's house apart looking
> for nonexistent "chemical weapons", they "accidentally" shot him, then
> they briefed the tabloids that his computer was riddled with evil
> images of children. Naturally, he was never prosecuted for same.)
>
> If any UK ISP is willing to NOT do this, you've got my business.


Re: Network Level Content Blocking (UK) for people who cant be bothered to read the article..

2007-06-08 Thread Donald Stahl


> It is quite odd really that governments want to implement something to 
> prevent people from breaking a law. And some posts have been correct in 
> asking what's next? Automatic copyright/patent infringing filtering?

On that subject- we should probably change the language as well. Make it 
so that people can't even think of breaking the law because the words for 
such an action no longer exist. That would be doubleplusgood!


-Don


Re: Network Level Content Blocking (UK) for people who cant be bothered to read the article..

2007-06-08 Thread Leigh Porter


Iljitsch van Beijnum wrote:

> On 8-jun-2007, at 12:01, <[EMAIL PROTECTED]> <[EMAIL PROTECTED]> wrote:
>
>> In this case I would suggest that it is in ISPs' best interests to get
>> involved with network content blocking, so that ISPs collectively become
>> deep experts on the subject. We are then in a position to modify these
>> activities in a way that is beneficial to ISPs and their customers (who
>> happen to be voters too).
>
> Your assumption that blocking parts of the internet is a useful 
> activity is flawed. The only positive effect that this has is that it 
> protects users from accidentally running into stuff they'd rather not 
> come into contact with. But this is much more efficiently and 
> effectively done using commercially available filters.
>
> I talked to some people from the Dutch equivalent to 
> http://www.iwf.org.uk/
>
> This was a very curious experience. What they want to achieve is 
> protecting children from abuse. This is of course a laudable goal. But 
> they think they can do that by ridding the internet of images 
> depicting said abuse. There are pretty strong laws against that in the 
> Netherlands*, but this woman thought that wasn't enough: she felt it 
> would be good to also outlaw _text_ describing child abuse. This is 
> really scary. If these well-intentioned but extremely dangerous people 
> get their way, someone can end up in jail for simply writing some text.
>
> All the while, children in known dangerous situations go on a waiting 
> list before they can be removed from the dangerous (home) environment. 
> So apparently, it's more important to go after the results of child 
> abuse in the past, and maybe even go after people who only fantasize 
> about this stuff, rather than help kids that are in danger NOW. But 
> hey, removing kids from abusive homes costs money and results in angry 
> parents on the news. Strongarming ISPs into taking "voluntary" action 
> on the other hand, is free and only results in angry threads on NANOG.
>
> I'm not one to give up my civil liberties without a struggle, but 
> protecting kids may be important enough to make it worth giving up a 
> few. But is it too much to ask for something that actually works in 
> return?
>
> * Not long ago, a man was convicted because he had 10 images of this 
> kind on his computer. They were part of a 10 image porn 
> collection. His claim that the 10 images were downloaded accidentally 
> wasn't accepted by the judge: he should have been more careful.


I agree that it will not protect children at all. Presumably there are 
already a large number of images (I hear figures of people having n * 
thousand images) so there is already enough material for there not to be 
a reason to generate more which would of course involve abuse.


So what then is the aim of the filtering?

Is it just the latest political bandwagon?

It is quite odd really that governments want to implement something to 
prevent people from breaking a law. And some posts have been correct in 
asking what's next? Automatic copyright/patent infringing filtering?



--
Leigh





Re: Network Level Content Blocking (UK)

2007-06-08 Thread Florian Weimer

* Jeroen Massar:

> I wonder how this solves the, from what I found out, common situation
> that people rent cheap "root servers" in a country like Germany where
> they VPN into and thus have full access to everything.

In Germany, the legal framework for filtering transit traffic already
exists, so if the UK precedent shows that it's technically and
economically feasible, this will be implemented over here, too.  I
doubt the situation is much different in most European countries.

Of course, when the blocking is pretty much universal, I don't really
see how the list maintainer verifies that the reason for blocking
still exists.  On the other hand, this might also provide an
opportunity to shut down some of the most egregious malware
distributors and controllers.


Re: Network Level Content Blocking (UK) for people who cant be bothered to read the article..

2007-06-08 Thread Adrian Chadd

On Fri, Jun 08, 2007, David Freedman wrote:
> 
> It's too late, you've already admitted that the data exists and can be 
> captured.
> 
> This is always where it starts...

The logging code in release versions of Squid is pretty horrible and
won't handle the loads modern ISPs will put under it. You have to
disable it to get any decent performance.




Adrian



Re: Network Level Content Blocking (UK) for people who cant be bothered to read the article..

2007-06-08 Thread Iljitsch van Beijnum


On 8-jun-2007, at 12:01, <[EMAIL PROTECTED]>  
<[EMAIL PROTECTED]> wrote:



> In this case I would suggest that it is in ISPs' best interests to get
> involved with network content blocking, so that ISPs collectively become
> deep experts on the subject. We are then in a position to modify these
> activities in a way that is beneficial to ISPs and their customers (who
> happen to be voters too).

Your assumption that blocking parts of the internet is a useful  
activity is flawed. The only positive effect that this has is that it  
protects users from accidentally running into stuff they'd rather not  
come into contact with. But this is much more efficiently and  
effectively done using commercially available filters.

I talked to some people from the Dutch equivalent to
http://www.iwf.org.uk/


This was a very curious experience. What they want to achieve is  
protecting children from abuse. This is of course a laudable goal.  
But they think they can do that by ridding the internet of images  
depicting said abuse. There are pretty strong laws against that in  
the Netherlands*, but this woman thought that wasn't enough: she felt  
it would be good to also outlaw _text_ describing child abuse. This  
is really scary. If these well-intentioned but extremely dangerous  
people get their way, someone can end up in jail for simply writing  
some text.


All the while, children in known dangerous situations go on a waiting  
list before they can be removed from the dangerous (home)  
environment. So apparently, it's more important to go after the  
results of child abuse in the past, and maybe even go after people  
who only fantasize about this stuff, rather than help kids that are  
in danger NOW. But hey, removing kids from abusive homes costs money  
and results in angry parents on the news. Strongarming ISPs into  
taking "voluntary" action on the other hand, is free and only results  
in angry threads on NANOG.


I'm not one to give up my civil liberties without a struggle, but  
protecting kids may be important enough to make it worth giving up a  
few. But is it too much to ask for something that actually works in  
return?


* Not long ago, a man was convicted because he had 10 images of this  
kind on his computer. They were part of a 10 image porn  
collection. His claim that the 10 images were downloaded accidentally  
wasn't accepted by the judge: he should have been more careful.




RE: Network Level Content Blocking (UK) for people who cant be bothered to read the article..

2007-06-08 Thread michael.dillon

> Have you been asked by the Dibble for the squid's server log 
> yet? It's the obvious next step - if you had a URL request 
> blocked, obviously you were where you shouldn't have been. 
> You're either with us...or you're with the terrorists.

If this website blocking is voluntary and if your goal is to protect
your customers from inadvertently loading one of their pages, then you
would not want to log any details, would you? If you want to help the
police by reducing the number of spurious hits on this known illegal
website so that they have a higher chance of tracking real criminals
from the website hits, then you would not want to muddy the waters by
sending your useless data to them, would you?

Situations like this are always very complex and it does not help when
people throw around simplistic analyses that are not grounded in
reality. There was recent media coverage in the UK that indicates there
are far more pedophiles than was thought and that real pedophiles don't
fit the common stereotypes that people have of them. To me, this
indicates that the police are struggling with data explosion and need
help in reducing that data to increase their chances of catching SOME of
the criminals. 

It does not suggest that police want to catch ALL the criminals and some
number of innocent people as well. After all, any arrests will have to
be processed through the court system and when you throw lots of
innocent people and marginal cases into the courts, the cases drag on
for a long time and clog up the system. That would be counterproductive
wouldn't it?

The objections that I see from people in regard to things like website
blocking and network tapping, seem to assume that governments are very
narrow-minded, very efficient and have evil intent. In my experience,
there is a lot more systems thinking in governments than you think, they
are not terribly efficient, and they do not collectively have evil
intent. They do make a lot of mistakes, but these get corrected. If
nothing else, governments have learned that it is very bad to cover up
mistakes, but you can make a lot of political hay by admitting them and
proposing the next bold new solution.

If you really don't like something that governments do, you are better
off not attacking it in a narrow way, but suggesting that it was a
mistake and pushing government into the next bold new initiative to fix
the mistake. This works especially well around election time, but it can
also be done between elections because even the party in power changes
tack from time to time.

In this case I would suggest that it is in ISPs' best interests to get
involved with network content blocking, so that ISPs collectively become
deep experts on the subject. We are then in a position to modify these
activities in a way that is beneficial to ISPs and their customers (who
happen to be voters too). And we are in a position to advise government
on future actions as well. If ISPs choose not to get involved, then they
are less likely to be listened to by government partly because they have
less credibility and partly because they simply don't understand the
issue and therefore fail to communicate effectively.

Inter-ISP cooperation is a big problem that needs to be solved on a
global scale. Fortunately, there is a growing number of international
forums in which ISPs do get together to deal with specific flashpoints.
If your company has any part of your network in the UK, please do get
involved by contacting LINX as requested:

   We have 13 companies involved so far but really want to get as many
   ISPs together to make sure that people understand the implications of
   the government's request.

   Whilst the intent is to focus the content on the technical side we are
   keen to make sure that all parts of the ISP industry are brought up
   to date so may run multiple strands with different levels of technical
   content if we have the numbers.

   If you are interested please contact John Souter ([EMAIL PROTECTED]) or
   Malcolm Hutty ([EMAIL PROTECTED]) for more details.

--Michael Dillon


Re: Network Level Content Blocking (UK) for people who cant be bothered to read the article..

2007-06-08 Thread Alexander Harrowell


On 6/8/07, Leigh Porter <[EMAIL PROTECTED]> wrote:

> I actually removed the code in Squid that logs so it's impossible to log
> without significant development work ;-)
>
> --
> Leigh Porter

Internet governance by benevolent conspiracy :-)


Re: Network Level Content Blocking (UK) for people who cant be bothered to read the article..

2007-06-08 Thread Leigh Porter



ssshhh

David Freedman wrote:
> It's too late, you've already admitted that the data exists and can be 
> captured.
>
> This is always where it starts...
>
> Dave.
>
> Leigh Porter wrote:
>> Alexander Harrowell wrote:
>>> On 6/7/07, Leigh Porter <[EMAIL PROTECTED]> wrote:
>>>> Since only port 80 is passed through the filter then of course there are
>>>> all manner of things you could do to circumvent the filter and this will
>>>> of course always be the case as people will use whatever they can to get
>>>> what they want. After all, all you really need to do in order to get all
>>>> the dodgy material you want is to subscribe to a decent USENET service
>>>> and get it all from that.
>>>>
>>>> For what it's worth though it works well for what it is and we certainly
>>>> get a few hits on it.
>>>
>>> Have you been asked by the Dibble for the squid's server log yet? It's
>>> the obvious next step - if you had a URL request blocked, obviously
>>> you were where you shouldn't have been. You're either with us...or
>>> you're with the terrorists.
>>
>> I actually removed the code in Squid that logs so it's impossible to 
>> log without significant development work ;-)
>>
>> --
>> Leigh Porter




Re: Network Level Content Blocking (UK) for people who cant be bothered to read the article..

2007-06-08 Thread David Freedman


It's too late, you've already admitted that the data exists and can be 
captured.

This is always where it starts...

Dave.


Leigh Porter wrote:
> Alexander Harrowell wrote:
>> On 6/7/07, Leigh Porter <[EMAIL PROTECTED]> wrote:
>>> Since only port 80 is passed through the filter then of course there are
>>> all manner of things you could do to circumvent the filter and this will
>>> of course always be the case as people will use whatever they can to get
>>> what they want. After all, all you really need to do in order to get all
>>> the dodgy material you want is to subscribe to a decent USENET service
>>> and get it all from that.
>>>
>>> For what it's worth though it works well for what it is and we certainly
>>> get a few hits on it.
>>
>> Have you been asked by the Dibble for the squid's server log yet? It's
>> the obvious next step - if you had a URL request blocked, obviously
>> you were where you shouldn't have been. You're either with us...or
>> you're with the terrorists.
>
> I actually removed the code in Squid that logs so it's impossible to log 
> without significant development work ;-)
>
> --
> Leigh Porter






Re: Network Level Content Blocking (UK)

2007-06-08 Thread Simon Waters

On Thursday 07 June 2007 23:15, Deepak Jain wrote:
> 
>  I can't imagine this would fly in the US.

Such systems have already been ruled "unconstitutional" in the US.

> -- The Home Office Minister has already said he expects it in place,
> that's not far from a precondition of operation.

We are kind of used to the home office minister saying all sorts of cranky 
things. Chances are he'll be gone by the end of the month.

My personal dealings with the IWF (stop emailing me, we don't have any NNTP 
servers anymore) don't fill me with confidence.

If the government mandate this, they'll have to provide a list of images to 
block under a more accountable regime than some random "voluntary body", and 
they'll have to take responsibility when people point out the government is 
blocking access to specific sites that contain material that criticises them.

I think complying with a voluntary censorship regime is a bad idea all around.

I'm one of James's employer's customers when I'm surfing at home.

 Simon





Re: Network Level Content Blocking (UK) for people who cant be bothered to read the article..

2007-06-08 Thread Leigh Porter


Alexander Harrowell wrote:
> On 6/7/07, Leigh Porter <[EMAIL PROTECTED]> wrote:
>> Since only port 80 is passed through the filter then of course there are
>> all manner of things you could do to circumvent the filter and this will
>> of course always be the case as people will use whatever they can to get
>> what they want. After all, all you really need to do in order to get all
>> the dodgy material you want is to subscribe to a decent USENET service
>> and get it all from that.
>>
>> For what it's worth though it works well for what it is and we certainly
>> get a few hits on it.
>
> Have you been asked by the Dibble for the squid's server log yet? It's
> the obvious next step - if you had a URL request blocked, obviously
> you were where you shouldn't have been. You're either with us...or
> you're with the terrorists.


I actually removed the code in Squid that logs so it's impossible to log 
without significant development work ;-)


--
Leigh Porter



Re: Network Level Content Blocking (UK) for people who cant be bothered to read the article..

2007-06-08 Thread Alexander Harrowell


On 6/7/07, Leigh Porter <[EMAIL PROTECTED]> wrote:

> Since only port 80 is passed through the filter then of course there are
> all manner of things you could do to circumvent the filter and this will
> of course always be the case as people will use whatever they can to get
> what they want. After all, all you really need to do in order to get all
> the dodgy material you want is to subscribe to a decent USENET service
> and get it all from that.
>
> For what it's worth though it works well for what it is and we certainly
> get a few hits on it.



Have you been asked by the Dibble for the squid's server log yet? It's
the obvious next step - if you had a URL request blocked, obviously
you were where you shouldn't have been. You're either with us...or
you're with the terrorists.


Re: Network Level Content Blocking (UK)

2007-06-07 Thread Matthew Palmer

On Thu, Jun 07, 2007 at 04:01:54PM +, Chris L. Morrow wrote:
> On Thu, 7 Jun 2007, Alexander Harrowell wrote:
> > I strongly recommend you read Richard Clayton's paper on how (among
> > other things) one could hack the Cleanfeed system to *find* the really
> > bad stuff. He and his colleagues at the Cambridge Computer Lab also
> 
> yup, read it, which was part of the reason for the note I sent... these
> sorts of blocking mechanisms don't seem to achieve the goals expected, and
> even in many cases make the goals of the 'icky pict' crowd more achievable
> :(

"If a politician fixes a problem then he loses it as a campaign issue. But
if he makes the problem worse while heroically fighting against it, then
he's golden."
-- Rex Tincher

- Matt


Re: Network Level Content Blocking (UK)

2007-06-07 Thread Iljitsch van Beijnum


On 7-jun-2007, at 23:29, William Allen Simpson wrote:

>> Interestingly, nobody has mentioned on the list what the offending  
>> content is yet. Or why this would even remotely be a good idea. I  
>> would think that if the content in question is legal, ISPs and the  
>> government shouldn't touch it, and if it isn't, law enforcement  
>> should do something about it.
>
> "images of child abuse"


Obviously if you block access to the images the child abuse goes away.

Where can I sign up for my lobotomy so that government policy starts  
to make sense?


Re: Network Level Content Blocking (UK)

2007-06-07 Thread Leigh Porter


[EMAIL PROTECTED] wrote:
> On Thu, 07 Jun 2007 22:40:20 +0200, Iljitsch van Beijnum said:
>
>> Interestingly, nobody has mentioned on the list what the offending  
>> content is yet. Or why this would even remotely be a good idea.
>
> Quoting the article http://publicaffairs.linx.net/news/?p=497
>
> "At present, the government does not propose to require UK ISPs to block
> content and our policy is to pursue a self-regulatory approach wherever
> possible. However, our legislation as drafted provides the flexibility to
> accommodate a change in Government policy should the need ever arise."
>
> Lot of different ways to read that depending on your paranoia level.  The
> phrase "Slippery Slope" does come to mind, however...


Well indeed, it'll be "terrorist" sites and "Fundamentalist religious" 
sites and "Sites that contain material that may incite religious hatred" 
or some other such nonsense. And then who decides what does and does not 
constitute these sites and *BANG* you have the great firewall of Britain 
or America or wherever.


And since all these things are largely operated by para-government 
organisations and civil servants your vote makes little difference.


But the reality is that right now the four horsemen are a lovely 
political hot topic and either networks in the UK do something about it 
themselves (i.e. filtering, no matter how ineffective it is) or some 
idiot who can't tell Internet Explorer from Excel will do it for us.


Everybody knows it's really quite dumb, but it's less dumb than the 
dumbness that will be legislated if nothing gets done.


So we'll all have odd boxes that inject a thousand or so routes into BGP 
(nowhere near that many actually) and filters a bit of port 80 and 
everybody's happy for a while.


Perhaps it'll even go away.

--
Leigh Porter


Re: Network Level Content Blocking (UK)

2007-06-07 Thread Deepak Jain


Ok. I'll chime in.

William Allen Simpson wrote:
> Iljitsch van Beijnum wrote:
>> Interestingly, nobody has mentioned on the list what the offending 
>> content is yet. Or why this would even remotely be a good idea. I 
>> would think that if the content in question is legal, ISPs and the 
>> government shouldn't touch it, and if it isn't, law enforcement should 
>> do something about it.
>
> It was in http://publicaffairs.linx.net/news/?p=497
>
> "images of child abuse"
>
> "voluntary" "co-operation"
>
> "At present, the government does not propose to require UK ISPs to block
> content and our policy is to pursue a self-regulatory approach wherever
> possible."
>
> "However, 90 per cent. of connections is not enough"



I find these two lines to be the most interesting "..we are setting a 
target that by the end of 2007, all ISPs offering broadband internet 
connectivity to the UK general public put in place technical measures 
that prevent their customers accessing websites containing illegal 
images of child abuse identified by the IWF."


and

"At present, the government does not propose to require UK ISPs to 
block content and our policy is to pursue a self-regulatory approach 
wherever possible. However, our legislation as drafted provides the 
flexibility to accommodate a change in Government policy should the need 
ever arise."


The last line being most significant. I read it as, "We will threaten 
you with a law to do the work, but since we don't want it challenged 
[like we would with the US legal system] we are going to threaten 
it...even if it might not pass."


And this is for anyone "selling broadband to the general public" -- 
however that is defined. Are commercial connections the general public? 
or just residential?


While I can't wait until web hosts/operators have to debug screwy 
performance and Squid bugs for sites passed through "untouched" by these 
proxies just because they share an IP address


While offering this as a service, or a free service is interesting (and 
in the spirit of voluntary cooperation) where users could opt in or out 
for it might be interesting... I can't imagine this would fly in the US.


Britain's moves to become a police state notwithstanding, I wonder how 
this insidious door-opener for censorship will rear its head as it 
affects the general Internet. Google's "voluntarily" censoring itself in 
China as a precondition of operating there. I am sure this "voluntary" 
policy in Britain will make getting various permits or approvals 
impossible even if they don't create a law to expressly mandate its use 
-- The Home Office Minister has already said he expects it in place, 
that's not far from a precondition of operation.


On the positive side, this will spark all kinds of innovation and give 
the conspiracy theorists all sorts of fun filled evenings.


Deepak Jain
AiNET








Re: Network Level Content Blocking (UK)

2007-06-07 Thread William Allen Simpson


Iljitsch van Beijnum wrote:
> Interestingly, nobody has mentioned on the list what the offending
> content is yet. Or why this would even remotely be a good idea. I would
> think that if the content in question is legal, ISPs and the government
> shouldn't touch it, and if it isn't, law enforcement should do something
> about it.



It was in http://publicaffairs.linx.net/news/?p=497

"images of child abuse"

"voluntary" "co-operation"

"At present, the government does not propose to require UK ISPs to block
content and our policy is to pursue a self-regulatory approach wherever
possible."

"However, 90 per cent. of connections is not enough"


Re: Network Level Content Blocking (UK)

2007-06-07 Thread Valdis . Kletnieks
On Thu, 07 Jun 2007 22:40:20 +0200, Iljitsch van Beijnum said:

> Interestingly, nobody has mentioned on the list what the offending  
> content is yet. Or why this would even remotely be a good idea.

Quoting the article http://publicaffairs.linx.net/news/?p=497

"At present, the government does not propose to require UK ISPs to block
content and our policy is to pursue a self-regulatory approach wherever
possible. However, our legislation as drafted provides the flexibility to
accommodate a change in Government policy should the need ever arise."

Lot of different ways to read that depending on your paranoia level.  The
phrase "Slippery Slope" does come to mind, however...




Re: Network Level Content Blocking (UK)

2007-06-07 Thread Iljitsch van Beijnum


On 7-jun-2007, at 22:05, Sean Donelan wrote:

>> That's a cool way to implement monitoring of traffic towards
>> random parts of the internet.
>
> There are much easier, cheaper ways to do that.


Easier and cheaper? Can't think of any... This method nicely gets  
around the need to tap and process numerous (10) gigabit links, which  
isn't particularly easy and certainly not all that cheap.


Interestingly, nobody has mentioned on the list what the offending  
content is yet. Or why this would even remotely be a good idea. I  
would think that if the content in question is legal, ISPs and the  
government shouldn't touch it, and if it isn't, law enforcement  
should do something about it.


Re: Network Level Content Blocking (UK)

2007-06-07 Thread Sean Donelan


On Thu, 7 Jun 2007, Iljitsch van Beijnum wrote:
>> It's more than null routes, but not much more.  The router does a re-route
>> on a list of network/IP address, and then for the protocols the redirector
>> box understands (i.e. pretty much only HTTP) it matches part of the
>> application/URL pattern.
>
> That's a cool way to implement monitoring of traffic towards random parts of
> the internet.

There are much easier, cheaper ways to do that.

And as another person pointed out, the IWF method is not very 
surreptitious so the bad guys can tell someone found them and
can improve their methods.

And did I mention the false positive problem of click-fraud and
embedded IMG URLs accessing those sites too.  Yes, your computer
may have been recorded accessing a bad site when you read a
spam mail.




Re: Network Level Content Blocking (UK)

2007-06-07 Thread Leigh Porter


Sean Donelan wrote:
> On Thu, 7 Jun 2007, Sean Donelan wrote:
>> On Thu, 7 Jun 2007, Chris L. Morrow wrote:
>>>> It's not "content" blocking, it's source/destination blocking.
>>>
>>> oh, so null routes? I got the impression it was application-aware, or
>>> at least port-aware... If it's proxying or doing anything more than
>>> port-level blocking it's likely it sees content as well, or COULD.
>>>
>>> Either way, it's not like it's effective for anything except the most
>>> casual of users :(
>>
>> It's more than null routes, but not much more.  The router does a
>> re-route on a list of network/IP address, and then for the protocols
>> the redirector box understands (i.e. pretty much only HTTP) it matches
>> part of the application/URL pattern.
>>
>> So IWF can block only one part of a sub-tree of a popular shared
>> webhosting site *IF* is one of a few application protocols.
>
> Sorry, clicked send before finishing.
>
> BUT the important thing is the network operator and routers don't
> actually look at the content.  If the same bad content (picture,
> video, whatever) appears somewhere else that isn't on the IWF list, it
> won't be blocked.
>
> And likewise if the content at the source/destination changes/removed,
> e.g. the picture disappears, the destination will continue to be
> blocked until IWF updates their bad list even though nothing bad still
> at the destination.


But this is OK as it's unlikely that something good and wholesome will 
be on http://n.n.n.n/foobardodgypr0n.html


Also the lists are actually updated fairly regularly.

--
Leigh Porter


Re: Network Level Content Blocking (UK) for people who cant be bothered to read the article..

2007-06-07 Thread Leigh Porter


Sean Donelan wrote:
> On Thu, 7 Jun 2007, Chris L. Morrow wrote:
>>> It's not "content" blocking, it's source/destination blocking.
>>
>> oh, so null routes? I got the impression it was application-aware, or
>> at least port-aware... If it's proxying or doing anything more than
>> port-level blocking it's likely it sees content as well, or COULD.
>>
>> Either way, it's not like it's effective for anything except the most
>> casual of users :(
>
> It's more than null routes, but not much more.  The router does a
> re-route on a list of network/IP address, and then for the protocols
> the redirector box understands (i.e. pretty much only HTTP) it matches
> part of the application/URL pattern.
>
> So IWF can block only one part of a sub-tree of a popular shared
> webhosting site *IF* is one of a few application protocols.


What we have is a box that takes the IWF feed of dodgy sites and 
resolves the entries to IP addresses. These are then injected into the 
network with Quagga's bgpd. The network then obviously routes anything 
to these IP addresses and therefore those websites to the filter box.


(but not a bad idea) The filter box runs Squid with the URL list from 
the IWF. Port 80 traffic is directed through squid and anything 
appearing on the IWF list that is accessed by anybody returns a page 
telling them to go away. We thought about the error page stuff but what 
the heck, it's obvious it's being filtered anyway so you may as well put 
some google ads on the page you return (Joke ;-) In fact you could run 
upside-down-ternet on it, there's no end to the things you could do to 
screw with people's heads.


Anything on a virtual host whose URL is not explicitly in the IWF list is 
passed through squid without being touched.


Since only port 80 is passed through the filter then of course there are 
all manner of things you could do to circumvent the filter and this will 
of course always be the case as people will use whatever they can to get 
what they want. After all, all you really need to do in order to get all 
the dodgy material you want is to subscribe to a decent USENET service 
and get it all from that.


For what it's worth though it works well for what it is and we certainly 
get a few hits on it.


--
Leigh Porter
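
[Added illustration, not part of Leigh Porter's post or of any operator's production setup: a Python model of the two-stage design described above and in Sean Donelan's messages, where listed hosts are resolved to /32 routes that pull traffic to a filter box and only port 80 requests are then matched against the URL list. The hostnames, addresses, the exact (host, path) match rule and all function names are constructed assumptions.]

```python
import ipaddress
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample data (not a real feed): RFC 5737 addresses, .example names.
URL_LIST = ["http://shared-host.example/users/a/page.html"]
DNS = {
    "shared-host.example": ["192.0.2.10"],
    "other-site.example": ["192.0.2.10"],    # virtual host on the same IP
    "unrelated.example": ["198.51.100.7"],
}
# Constructed flows: (destination IP, destination port, requested URL or None).
FLOWS = [
    ("192.0.2.10", 80, "http://shared-host.example/users/a/page.html"),
    ("192.0.2.10", 80, "http://shared-host.example/users/b/index.html"),
    ("192.0.2.10", 80, "http://other-site.example/"),
    ("192.0.2.10", 25, None),
    ("198.51.100.7", 80, "http://unrelated.example/"),
]


def url_key(url):
    """Reduce a URL to the (host, path) pair the proxy stage compares."""
    parts = urlsplit(url)
    return (parts.hostname or "").lower(), parts.path or "/"


def build_routes(url_list, dns):
    """Stage 1 input: resolve each listed host to /32 routes for announcement."""
    routes = set()
    for url in url_list:
        host, _ = url_key(url)
        for addr in dns.get(host, []):
            routes.add(ipaddress.ip_network(addr + "/32"))
    return routes


def classify(dst_ip, dst_port, url, routes, blocked_keys):
    """Return which path a flow takes through the two stages."""
    dst = ipaddress.ip_address(dst_ip)
    if not any(dst in net for net in routes):
        return "direct"                    # stays on the normal routed path
    if dst_port != 80:
        return "redirected-uninspected"    # reaches the box, but only port 80 is proxied
    if url_key(url) in blocked_keys:
        return "blocked"                   # proxy returns the block page
    return "proxied-pass"                  # same IP, URL not listed: passed untouched


def summarise(flows, url_list, dns):
    """Count flows per outcome, showing how much unlisted traffic the box carries."""
    routes = build_routes(url_list, dns)
    blocked_keys = {url_key(u) for u in url_list}
    return Counter(classify(ip, port, url, routes, blocked_keys)
                   for ip, port, url in flows)


if __name__ == "__main__":
    for outcome, count in sorted(summarise(FLOWS, URL_LIST, DNS).items()):
        print(f"{outcome:24s} {count}")
```

In this constructed sample, four of the five flows are pulled to the filter box although only one matches the list, which is the shared-IP side effect several posters in the thread raise.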



RE: Network Level Content Blocking (UK)

2007-06-07 Thread michael.dillon


> Anyway, how does BT's cleanfeed work? How are British 3G 
> operators doing equivalent blocking? I'd be interested in 
> learning about the implementation.

Well, first of all Cleanfeed's not perfect. And it's not that secret
either.
http://www.cl.cam.ac.uk/~rnc1/cleanfeed.pdf


--Michael Dillon

P.S. Although I work for BT, I have no involvement with the group that
is responsible for Cleanfeed. All that I know about it, I learned via
Google.




Re: Network Level Content Blocking (UK)

2007-06-07 Thread Sean Donelan


On Thu, 7 Jun 2007, Sean Donelan wrote:
> On Thu, 7 Jun 2007, Chris L. Morrow wrote:
>>> It's not "content" blocking, it's source/destination blocking.
>>
>> oh, so null routes? I got the impression it was application-aware, or
>> at least port-aware... If it's proxying or doing anything more than
>> port-level blocking it's likely it sees content as well, or COULD.
>>
>> Either way, it's not like it's effective for anything except the most
>> casual of users :(
>
> It's more than null routes, but not much more.  The router does a re-route on
> a list of network/IP address, and then for the protocols the redirector
> box understands (i.e. pretty much only HTTP) it matches part of the
> application/URL pattern.
>
> So IWF can block only one part of a sub-tree of a popular shared webhosting
> site *IF* is one of a few application protocols.


Sorry, clicked send before finishing.

BUT the important thing is the network operator and routers don't actually 
look at the content.  If the same bad content (picture, video, whatever) 
appears somewhere else that isn't on the IWF list, it won't be blocked.


And likewise if the content at the source/destination changes/removed, 
e.g. the picture disappears, the destination will continue to be blocked 
until IWF updates their bad list even though nothing bad still at the 
destination.


Re: Network Level Content Blocking (UK)

2007-06-07 Thread Iljitsch van Beijnum


On 7-jun-2007, at 20:46, Sean Donelan wrote:

> It's more than null routes, but not much more.  The router does a
> re-route on a list of network/IP address, and then for the protocols
> the redirector box understands (i.e. pretty much only HTTP) it matches
> part of the application/URL pattern.


That's a cool way to implement monitoring of traffic towards random  
parts of the internet.




RE: Network Level Content Blocking (UK)

2007-06-07 Thread michael.dillon


> There are no British colonies in North America...are there?  
> Or are the red coats coming again?

In fact, there are several British colonies now squatting in North
America in that great British squatter tradition. One of them occupies a
corner of the NANOG list which is why the meeting was mentioned on this
list. Another can be found hoarding a chunk of MySpace. And so on.

--Michael Dillon

P.S. If you didn't get that bit about squatter tradition, check this
http://tinyurl.com/2zvogn


Re: Network Level Content Blocking (UK)

2007-06-07 Thread Sean Donelan


On Thu, 7 Jun 2007, Chris L. Morrow wrote:
>> It's not "content" blocking, it's source/destination blocking.
>
> oh, so null routes? I got the impression it was application-aware, or
> at least port-aware... If it's proxying or doing anything more than
> port-level blocking it's likely it sees content as well, or COULD.
>
> Either way, it's not like it's effective for anything except the most
> casual of users :(


Its more than null routes, but not much more.  The router does a re-route 
on a list of network/IP address, and then for the protocols the redirector
box understands (i.e. pretty much only HTTP) it matches part of the 
application/URL pattern.


So IWF can block only one part of a sub-tree of a popular shared 
webhosting site *IF* is one of a few application protocols.


Re: Network Level Content Blocking (UK)

2007-06-07 Thread Chris L. Morrow



On Thu, 7 Jun 2007, Sean Donelan wrote:

>
> On Thu, 7 Jun 2007, James Blessing wrote:
> > 1. Revocation of mere conduit status; by inspecting certain content and
> > preventing access to it the ISP is doing more than just passing packets
> > and is getting involved in the content.
>
> It's not "content" blocking, it's source/destination blocking.

oh, so null routes? I got the impression it was application-aware, or
at least port-aware... If it's proxying or doing anything more than
port-level blocking it's likely it sees content as well, or COULD.

Either way, it's not like it's effective for anything except the most
casual of users :(


Re: Network Level Content Blocking (UK)

2007-06-07 Thread Leigh Porter


Alexander Harrowell wrote:
> I strongly recommend you read Richard Clayton's paper on how (among
> other things) one could hack the Cleanfeed system to *find* the really
> bad stuff. He and his colleagues at the Cambridge Computer Lab also
> have a fine blog - http://www.lightbluetouchpaper.org


I don't understand why this is a problem. So they find it, but look, 
they can't get to it because it's been "cleanfeeded" anyway. Also they 
only get to know the IP address so if the site is a virtual host it's 
pretty useless to them.


--
Leigh


Re: Network Level Content Blocking (UK)

2007-06-07 Thread Chris L. Morrow



On Thu, 7 Jun 2007, Alexander Harrowell wrote:

> I strongly recommend you read Richard Clayton's paper on how (among
> other things) one could hack the Cleanfeed system to *find* the really
> bad stuff. He and his colleagues at the Cambridge Computer Lab also

yup, read it, which was part of the reason for the note I sent... these
sorts of blocking mechanisms don't seem to achieve the goals expected, and
even in many cases make the goals of the 'icky pict' crowd more achievable
:(


Re: Network Level Content Blocking (UK)

2007-06-07 Thread Sean Donelan


On Thu, 7 Jun 2007, James Blessing wrote:
> 1. Revocation of mere conduit status; by inspecting certain content and
> preventing access to it the ISP is doing more than just passing packets
> and is getting involved in the content.

It's not "content" blocking, it's source/destination blocking.

While IWF may decide to list a particular source/destination based on its 
view of content, the network doesn't look at or know what the 
content is and blocks anything at that source/destination address.  The 
"address" may be an application layer "address," i.e. a URL part rather 
than a network layer address.  But if the "address" is dynamically 
generated or changed, it may not have the same content.


Some cellular networks still have walled gardens, which only allow 
access to "approved" source/destinations. Again not based on content, but
based on business relationships with the cellular network operator.

Once you understand that the network isn't blocking "content" but rather 
an ever expanding list of sources/destinations, the real question is how 
can you be certain the bad stuff and good stuff will stay in separate 
places.  Or will the bad stuff continue to migrate elsewhere until you've
blocked most of the Internet, and only "approved" sources/destinations
remain?



Re: Network Level Content Blocking (UK)

2007-06-07 Thread Alexander Harrowell


I strongly recommend you read Richard Clayton's paper on how (among
other things) one could hack the Cleanfeed system to *find* the really
bad stuff. He and his colleagues at the Cambridge Computer Lab also
have a fine blog - http://www.lightbluetouchpaper.org


Re: Network Level Content Blocking (UK)

2007-06-07 Thread Chris L. Morrow



On Thu, 7 Jun 2007, Jeroen Massar wrote:
>
> The only thing that this 'content blocking' solves is that pops&moms who
> don't have any clue about the Internet at all will be deprived from some
> freedom, that the government can look into everything claiming that
> everything on the Internet is p0rn (which is not so far from the truth
> according to some :).

actually it keeps heat off the politicians that passed the law/dictate...
I suspect that what happened is the gov't folks involved got into a
situation where they couldn't say: "no" without also basically saying:
"long live icky content!" :(

> All the folks who really want to access icky pictures will do so any way
> by using something very simple called HTTPS or any other form of
> encrypted access and work arounds like VPN's, Tor, Open proxies and the
> myriad of other ways that are possible.

what's also 'nice' is that once the 'service' goes into effect the folks
trafficking in 'icky picts' will know when their content has been 'found'
so they can move it around to another location :( Making
prosecution/protection actually HARDER for the gov't folks involved :(
it's perverse, but it's mostly true :(

-Chris


Re: Network Level Content Blocking (UK)

2007-06-07 Thread Jeroen Massar
Joe Abley wrote:
[..]
> Anyway, how does BT's cleanfeed work? How are British 3G operators doing
> equivalent blocking? I'd be interested in learning about the
> implementation.

I wonder how this solves the, from what I found out, common situation
that people rent cheap "root servers" in a country like Germany where
they VPN into and thus have full access to everything.

Or for that matter any form of VPN or other remote access.

The only thing that this 'content blocking' solves is that pops&moms who
don't have any clue about the Internet at all will be deprived from some
freedom, that the government can look into everything claiming that
everything on the Internet is p0rn (which is not so far from the truth
according to some :).

All the folks who really want to access icky pictures will do so any way
by using something very simple called HTTPS or any other form of
encrypted access and work arounds like VPN's, Tor, Open proxies and the
myriad of other ways that are possible.

Takes a little bit of effort, but hey, does it matter, you at least get
to get your daily feed of icky stuff and you can say to the government
"oh I thought it was okay as it was not blocked by your filter".

Btw, the 90% quote given is of course a marvelous thing when you have a
single organization which has almost a monopoly ;)

I wonder which companies are going to provide the 'solutions' to this
problem and how well they sponsored various people of the government.

Long live VPN's!

Greets,
 Jeroen





Re: Network Level Content Blocking (UK)

2007-06-07 Thread James Blessing

Joe Abley wrote:

> Anyway, how does BT's cleanfeed work? How are British 3G operators doing
> equivalent blocking? I'd be interested in learning about the
> implementation.

There is an excellent paper on the failures of clean feed here:

http://www.cl.cam.ac.uk/~rnc1/cleanfeed.pdf

J

-- 
COO
Entanet International
T: 0870 770 9580
W: http://www.enta.net/
L: http://tinyurl.com/3bxqez


Re: Network Level Content Blocking (UK)

2007-06-07 Thread Joe Abley



On 7-Jun-2007, at 10:47, Jon Lewis wrote:

> On Thu, 7 Jun 2007, James Blessing wrote:
>
>> Sorry for the cross posting to a number of lists but this is an
>> important topic for many of you (especially if you get multiple
>> copies).
>>
>> As many people are aware there is an 'expectation' that 'consumer'
>> broadband providers introduce network level content blocking for
>> specified content on the IWF list before the end of 07.
>
> There are no British colonies in North America...are there?


[On the mainland, not since Belize's independence in 1981. There are  
British Overseas Territories in the Caribbean (Anguilla, Bermuda,  
British Virgin Islands, Cayman Islands, Montserrat and the Turks and  
Caicos Islands) which are in North America according to at least some  
definitions of the phrase.


However, to answer the question you were really asking, there are  
surely North American companies on this list who do business in the  
UK, and certainly no reason to think that North American politicians,  
given an example to follow, would never do so in this continent. So  
it's not obvious to me that this is off-topic here, speaking as one  
single subscriber.]


Anyway, how does BT's cleanfeed work? How are British 3G operators  
doing equivalent blocking? I'd be interested in learning about the  
implementation.



Joe


RE: Network Level Content Blocking (UK)

2007-06-07 Thread Neil J. McRae

> There are no British colonies in North America...are there?  Or are the 
> red coats coming again?

No, but there are a large number of American operators that
have networks in the UK and this +will+ affect them. There is
also the fear that once this is deployed in one country that
others might follow suit. 

Regards,
Neil.




Re: Network Level Content Blocking (UK)

2007-06-07 Thread Jon Lewis


On Thu, 7 Jun 2007, James Blessing wrote:

> Sorry for the cross posting to a number of lists but this is an
> important topic for many of you (especially if you get multiple copies).
>
> As many people are aware there is an 'expectation' that 'consumer'
> broadband providers introduce network level content blocking for
> specified content on the IWF list before the end of 07.


There are no British colonies in North America...are there?  Or are the 
red coats coming again?


--
 Jon Lewis   |  I route
 Senior Network Engineer |  therefore you are
 Atlantic Net|
_ http://www.lewis.org/~jlewis/pgp for PGP public key_


Re: Network Level Content Blocking (UK)

2007-06-07 Thread James Blessing

Iljitsch van Beijnum wrote:
> [trimmed other lists, not sure if they'd appreciate nanog volumes]
> 
> On 7-jun-2007, at 11:06, James Blessing wrote:
> 
>> As many people are aware there is an 'expectation' that 'consumer'
>> broadband providers introduce network level content blocking for
>> specified content on the IWF list before the end of 07.
> 
> Where is this list, what type of stuff is on it and how do you translate
> from the real-world identification of that which is to be blocked into
> some kind of restriction in the network?

Please see http://publicaffairs.linx.net/news/?p=497 for more details

J

-- 
COO
Entanet International
T: 0870 770 9580
W: http://www.enta.net/
L: http://tinyurl.com/3bxqez


Re: Network Level Content Blocking (UK)

2007-06-07 Thread Owen DeLong


On Jun 7, 2007, at 6:44 AM, Iljitsch van Beijnum wrote:

> [trimmed other lists, not sure if they'd appreciate nanog volumes]
>
> On 7-jun-2007, at 11:06, James Blessing wrote:
>
>> As many people are aware there is an 'expectation' that 'consumer'
>> broadband providers introduce network level content blocking for
>> specified content on the IWF list before the end of 07.
>
> Where is this list, what type of stuff is on it and how do you
> translate from the real-world identification of that which is to be
> blocked into some kind of restriction in the network?


Whose expectation is it?  If it is not a LAW, then, ISPs should reset
the expectation and go back to the real problems
of running a network.

Owen





Re: Network Level Content Blocking (UK)

2007-06-07 Thread Iljitsch van Beijnum


[trimmed other lists, not sure if they'd appreciate nanog volumes]

On 7-jun-2007, at 11:06, James Blessing wrote:

> As many people are aware there is an 'expectation' that 'consumer'
> broadband providers introduce network level content blocking for
> specified content on the IWF list before the end of 07.


Where is this list, what type of stuff is on it and how do you  
translate from the real-world identification of that which is to be  
blocked into some kind of restriction in the network?


Network Level Content Blocking (UK)

2007-06-07 Thread James Blessing

Hi all,

Sorry for the cross posting to a number of lists but this is an
important topic for many of you (especially if you get multiple copies).

As many people are aware there is an 'expectation' that 'consumer'
broadband providers introduce network level content blocking for
specified content on the IWF list before the end of 07.

Whilst this is seen by many as an honorable political crusade to 'protect
the innocent' many with a strong technical background are concerned that
the long term impact on network development will lead to major
'breakages' within the internet.

So far the only debate has revolved around the legal concerns that the
introduction of this technology imposes to problems on the ISP:

1. Revocation of mere conduit status; by inspecting certain content and
preventing access to it the ISP is doing more than just passing packets
and is getting involved in the content.

2. Thin end of the wedge; if we can block Child Abuse Content then we
can block copyright infringement

3. Increased liability; by blocking the content at a network level
outside of the control of the user the ISP is potentially opening
itself to a lawsuit should content leak through the block (although many
are saying that this is not going to be enforceable it could still tie up
people in court going through the arguments with no guarantee of a win
cf mere conduit issue above).

LINX (the London Internet Exchange) and ISPA are looking to arrange a
day to address the technical issues of placing such a block in the
network. The topics are expected to include:

1. Implementation - how do you put this into place
2. Scalability - how do you provide a non-degrading service
3. Circumvention - how do you stop people getting round the block
4. Reverse Engineering - how do you hide the block (should you hide it?)
5. Messaging - what do you tell the person about what you have just done
6. Legality - what is the legal impact of this
7. Security - who should have access to what
8. Sanity Checking - how to prevent poisoning of the block list
9. Testing - how do you make sure that the block is working
10. Reality - is this actually the best way to do this

We have 13 companies involved so far but really want to get as many
ISPs together to make sure that people understand the implications of
the government's request.

Whilst the intent is to focus the content on the technical side we are
keen to make sure that all parts of the ISP industry are brought up
to date so may run multiple strands with different levels of technical
content if we have the numbers.

If you are interested please contact John Souter ([EMAIL PROTECTED]) or
Malcolm Hutty ([EMAIL PROTECTED]) for more details.

Thx

J
-- 
COO
Entanet International
T: 0870 770 9580
W: http://www.enta.net/
L: http://tinyurl.com/3bxqez