Slashdot Mirror
Hundreds of Sites Blocked By Canadian ISP
An anonymous reader writes "Last week Slashdot reported on the blockage
of a union website by Telus, a leading Canadian ISP. Since
that story, the company has restored access but the fallout
continues. The move may lead to new
ISP regulations in Canada and a study
by the OpenNet Initiative has found that by blocking the union
site, Telus also blocked an additional 766 websites including a breast
cancer fundraising site." From the article: "While there are a number of different ways to block access to Web
sites, the method Telus chose to block the Voices for Change site --
blocking its IP address -- produced massive collateral filtering.
Filtering by IP address is efficient since ISPs can quickly and
effectively block access to the target site using their existing routing
technology. Many ISPs already block certain IP addresses to combat
spam and viruses. Large networks, like Telus, have mechanisms in
place to block IP addresses almost instantaneously, simply by
updating their routers with a "block list" of addresses.
However, it is common for many different, unrelated Web sites to
share the same IP address."
but expect to be sued for providing access to childporn, illegal software, coprighted material, terrorist training manuals, political sites, communists, bomb making equipment
slippery slope egh ? see you in the next RIAA lawsuit !!
"However, it is common for many different, unrelated Web sites to share the same IP address."
It is?
- - - - - - - - - - - - - - - -
I take no responsibility for any spelling mistakes in the above post.
From TFA: "the blockage occurred at the Internet backbone level, thereby blocking access for other ISPs (and their customers) that use Telus as their provider."
I'm certainly no legal expert, but this seems like it could open the floodgate for litigation. Maybe by the time the regulations arrive the market will have already corrected this problem?
From The OpenNet Initiative PDF:Clearly, Telus violated the Canadian Telecommunications Act by their heavy-handed disconnection of www.voices-for-change.com. This alone should be grounds for revocation of their license, but the incidental blocking of an additional 766 unrelated websites is even more reprehensible than their intended censorship.
____
~ |rip/\/\aster /\/\onkey
i'm glad i live in the US where i don't have to worry about such things
I never gave it much thought but that really is true, especially with all of the sites out there that don't do any form of e-commerce and don't need an SSL certificate. That really could be quite a few sites sharing that IP address. I'm not surprised I didn't think of it, because I'm an idiot, but it does surprise me that the ISP didn't--or maybe they just didn't care.
Finance tutorials and more! Understandfinance
It's not that they blocked these websites really, it's that they went about it the wrong way. There are rules and regulations regarding this sort of thing, and they were not followed.
If they had gotten the permission of the Canadian Radio-Television and Telecommunications Commission, then you would be correct. Though i suspect that even if they did this the legal way, it would cause bad PR anydangway!
Nasa spent billions making a pen capable of writing in space. The Russians just use a pencil.
The ISP was pretty much forced to take down the block because of public outcry. No one wants to do business with an ISP that does things like that. With regulation the Canadian government has two options:
a) Force them to let everything through, but this means they can't block virus speading sites, etc
b) Only allow them to block what the regulators seem fit. Which puts what you see and can't see into the hands of beurocrats. This would cover all ISPs in Canada so you can't switch to one that does block stuff you want it to (Porn if you have little kids, etc.)
I personally prefer to let people hurt them in the wallet when they pull crap like this. Corporations take more notice when something hurts them in the wallet.
A buddy of mine is a desktop admin at Telus in Toronto (the strike is in Alberta and BC). That's a hell of a message to send to the rest of your employees: "We 'support' your right to strike, but we don't want your message to get out to the world."
And he thought he hated his job before the strike. Yow.
Don't block IPs unless you're really really sure about it. Lasy bastard admins.
For some reason I refuse to use either spell check or the spacebar properly.
Collateral damage happens, like it or not.
No, it doesn't. Collateral damage happens when the sysadmin is question is lazy and/or ignorant. It would have been easy to block access to only www.voices-for-change.com, and no others, but instead they chose to block the entire IP address. Either they wanted to pass the blockage off as an accidental outage (and failed) or the sysadmin just couldn't be bothered to do the extra work, and just blocked an entire IP in the router. Either way, it's despicable.
____
~ |rip/\/\aster /\/\onkey
It could have been both (at 766 sites, it could quite easily have been both), not to mention that business websites could have been blocked as well. It was a nice, tidy, cut-and-dry violation of the Canadian telecommunications regulations act. The CRTC will probably have some fun things to say about it.
It doesn't say there's already regulation, just that there's a review going on that MAY LEAD TO an ISP trust framework that prevents scummy things like this from happening (whether it's 1 site, or 767 sites).
Will wank off Linus Torvalds for fame.
If you are working with large-scale routing you aren't going to do application-layer filtering unless you have to. They didn't have to until this incident so the infrastructure (and it does require a massive one, transparent proxies for all their bandwidth) wasn't in place. Therefore, a quick instruction to the Cisco BFRs and no more website, based on IP.
It's unfortunate that the virtual hosting got nailed by it but if their decision (a bad one, the PR in Canada right now is horrible) was to block it, that was the only way to implement it.
For those of us with Dynamic IP addresses: there always been those times where you get that one bad bad 'black-listed' IP (previously used for spamming, haxing etc).
/renew? - sometimes does not work due to DHCP server keeps on serving you the same IP based on your MAC ADDR, and you are forced to wait for expiry lease to lapse.
Worse still, 'black-list' blocks not JUST only the IP, but entire subnets or IP ranges...you spend a whole friggen day debugging your network-router-firewall setup and spend the rest of the week arguing with your ISP about who's fault it is.
Solutions:
ifconfig
change MAC address? - an option, as 'most' routers can 'spoof' MAC addresses.
Hm, Telus is an NSP not just an ISP. They are a significant part of the backbone in Canada. As an NSP they are subject to different criteria for providing connectivity. Unfortunately, the laws in Canada are somewhat different than the laws elsewhere.
"It's in the Canadian Criminal Code eh, like there's legal precedents set in cases in law."
"Yeah, so like give us our free beer, eh."
"You want free beer? Go to the brewery. Now get outta here before I put the two of YOU in a bottle."
On that good 'ole Canadian Criminal Code.
(Special thanks to Bob & Doug)
And they said zombies weren't real!
Telus is a company that holds itself out to the public. They had no right to block information that was discerning to their own viewpoints (something we agree on). So if they didn't have a right to block the union website, how does "some poor cancer website" constitute as just collateral damage? This is not war, this is a company stepping over the boundaries of its regulatory regime. Maybe I just see it differently than you.
So let me get this straight...you're comparing the behavior of an ISP, who is required by law to not impede access to the websites it hosts, to the behavior of a private website, who is under no such requirement.
Your argument is rather like saying since the city cannot ban people from driving down a street for no good reason, then it necessarily follows that these same people must be allowed unfettered access to the private residences on that street.
Next time, think before you post.
____
~ |rip/\/\aster /\/\onkey
Haven't you heard? Canada is the new China... On a serious note, this is probably one of the few times when government should start meddling in the affairs of private enterprise. Especially one part of an oligopoly.
Get your torrents...
In my area I have a choice between two high-speed internet carriers, Telus and Shaw Internet. Telus has pretty much just cinched the deal for me, that I'll be moving to Shaw as soon as possible.
"I'm a leaf on the wind. Watch how I soar."
-Hoban Washburn
I like to think that I pay for access to the Internet, not some corporation's idea of what the Internet should be like.
Unfortunately, that's not the case.
And what of the poor terrorists who are incidentally paying for the bandwidth too ? I am not trolling or flamebaiting -- all I am saying is that censorship is not a part of a free society -- disagreement is.
where IP addresses change pretty much at the whims and vaguaries of the sys admin and of reality interfering with assigning a 'stable' (not static) IP address.
What if yourHost.site.tld is given an IP address that is 'banned' as belonging to undesirables?
MSBPodcast.com The opinions expressed here are my own. If you don't like 'em... Think up your own stuff.
when big corporations would just hire a bunch of thugs to beat the hell out of union organizers.
Collateral damage is, what it is: Damage. And as such it should be handled. If you damage something, it's YOUR fault. End of story.
Used to see films set in the future that corporations had replaced governments and thought, it will never happen.
But seeing more and more such news today, it happens to me that, are we in the midst of this change?
In China, the government censors you, in Canada and Australia, the ISP censors you!
I have long argued that the internet access business has needed regulations that govern Quality of Service, Code of Conduct and a Consumer's Bill of Rights.
The behaviour of Telus is outrageous and is probably a VERY SMALL tip on a MASSIVE iceberg.
As more and more services fight for consumer's internet pipe they should have protection against bad service and questionable tactics.
Internet's a public service - paid for by tax dollars.
...
Also, their blocking of the sites prevent OTHERS from getting to it - not necessarily ONLY their customers!
Try this on for size:
2. dstswr2-vlan2.rh.prnynj.cv.net (67.83.242.34)
3. r2-ge9-1.mhe.prnynj.cv.net (67.83.242.5)
10. csr1-ve240.SantaClarasc8.savvis.net (66.35.194.34)
11. 66.35.212.174 (66.35.212.174)
12. slashdot.org (66.35.250.150)
Now, if savvis.net decides to block 66.35 because it's an anti-savvis website, they are not only affecting their direct connectors (in this case, cablevision), they are affecting cablevision's customers as well.
Try thinking for ONE second next time.
AccountKiller
Thats not how it works, and I suspect these guys are running into the same problem we did.
I used to work for a national NSP and during my tenure there we developed a few ways to block IP's despite the fact that half the linecards in our network didn't support packet filtering.
The best way to do this was with a global null route. We'd add a route on all the routers pointing one of our unused IPs to the null0 interface. Then we ran a "null route server" where anything we wanted to block was routed to that IP address (causing all traffic to it to get blocked at the entry point, rather than routed through the network)
We used these measures exclusively for spammers and for large DOS attacks. (For DOS attacks it was less effective because you actually had to block the victim instead of the source, but it was better than nothing)
The point behind this is, many times we had virtual hosting providers call us up and tell us we'd blocked thousands of sites, some even went on to name names. We told them to get the spammer off their server before service would be restored.
This is the normal policy of most ISPs. No Collateral damage involved, you violated the terms of service and I'm sorry your business revolves around the idea of putting a thousand customers on one point of failure.
Now, I'm not saying this is what Telus did. I'm saying this is what they probably did and you guys are jumping to conclusions. The fact is, from a router standpoint it's extrodinarly hard to block "www.example.com" without doing it by IP address.
Ok fine it is a stupid move to have an ISP block access to any website and it should not be done... But the striking telus workers are just as much to blame. Those striking goons have been going about cutting fiber lines... Not to mention they have been asking people to pretty much DOS telus call centers with fake problems.
PS: The website was blocked after Telus found that their striking workers where taking pictures of employees who were crossing the picket line for the purpose of later harrasing those said employees. In my opinion both parties are equally at fault for the nice mess they cooked up.
http://www.crtc.gc.ca/RapidsCCM/Register.asp?lang= E
= E
for details on the violation.
There's a five-step form, and they'll refer the complaint. For a quick cut-and-paste snippet, go to the following:
Please be advised that Telus Corporation may be in violation of the Telecommunications Act, Section 36. Please see http://www.crtc.gc.ca/RapidsCCM/Register.asp?lang
why didn't they configure their domain name servers to simply refuse to resolve the domain name. I create "special" copies of my own domains so they point to my private IP-addresses at home in stead of the internet-address that the rest of the world can use.
They could have created a pointer to a site of their own saying: "we don't like this site and have blocked it".
This unique sig is intended to make this user more recognisable.
lazy workers create unions ;)
I never spellcheck and I freely admit it. Save your karma for more worthwhile "lol erorrs" replies
How can they possibly claim that they took an ethical approach when they unilaterally terminated access to a website that depicted Telus in an unfavorable light. Whether the site in question was violating other contractual obligations or law is independent of the actions of Telus.
" Fellow TELUS team members:
Central to TELUS' purpose is to make the future friendly for our stakeholders. One of the critical elements in realizing this ambition is to ensure our individual and collective reputation is above reproach. How we work is just as important as what we do. Our goal is to demonstrate the highest level of ethics and integrity in our business dealings with all stakeholders (customers, shareholders, suppliers, colleagues, community). This is a corporate priority and a shared responsibility for all TELUS team members as each one of our actions and decisions affect our company and its reputation."
http://www.opennetinitiative.net/bulletins/010/ONI -010-telus.pdf
Sorry about that...
and instead of complaining about the limits of IPv4 addressing, Graham goes off on a rant about how DNSBLs are bad. If there were a better way to block spammers, I would use it. In fact I use popfile, but I still filter 60% of the spam up front with SBL-XBL and DSBL.
Intron: the portion of DNA which expresses nothing useful.
The settlement, available as part of the settlement on the now-unblocked website, paints this as a little less one-sided that the slashdot article.
/some/ obligation to protect its infastructure and managers.
Don't get me wrong, Telus is clearly stark raving mad with nuts on top, but maybe with not quite as nuts as the summary indicates. The settlement includes reference to voices for change removing threatening and revealing information (which we can't judge the merit of, since the information's been removed). Telus clearly has at least
For the record, I hate Telus. And unlike most posters here, this labour action has had a direct impact on my pocketbook -- with Telus managers being even more incompetent than Telus union workers (I don't blame the union or its workers for usually being incompetent -- it seems to be Telus coompany policy that the workers were following), our fax machine has not been reachable at our phone number for a few weeks. We had to get a VoIP line through Vonage. Some of our would-be customers and affiliates have figured it out and sent us purchase orders anyway, but there's no real way to measure exactly how much money we've lost.
In the US of A. If you are a common carrier, you can not be held liable for the information being transmitted over your lines. However, if you censor/filter/control access to what is sent over your lines, you no longer have that safe harbor and are considered to be liable for what is sent as if you are filtering and allow something to go through, it's an implict acceptance of it.
I don't know if this is something that applies to Canada as well. But it's be biggest reasons why ISP's in USA will not filter or control access to parts of the internet based on content. The end user has the option to filter, but it must be controlled by that user, not the ISP.
Although a lot of ISPs shovel all your data through a transparent proxy, so you can just get the web proxy to dump the data. We are, after all, only talking about web traffic with this story aren't we?
jh
Sorry, I just couldn't resist.
^^
I know for a fact that they block port 80, 21, and some other common ones for accounts with dynamic IP's. I was stuck with a dynamic while waiting for my server account to kick in at my new address, and all the common inbound web-ports were blocked. Telus wants you to pay up for inbound traffic, no dyndns for you!
The voices-for-change website was being put all over the news and the radio, saying GO AND SEE PICS OF THE SCABS AT www.voices-for-change.com
The voices for change website was publicly posting pictures of telus employees, management and Union employees that crossed the picket lines, putting their saftey at risk. If you have not noticed, the union in BC can be pretty militant, so yes Telus Banned access to the website until they were able to get a court order to have the website admin remove the pictures, once Telus had this court order, they returned access to the website.
so some can argue that they did it `so that the word of the union cant get out`, but Telus does actually care about their employees, so they shut it down for that reason, for the saftey of their employees, until they were able to take legal action that came to the same result.
I'd love to check to see if breast cancer funding sites are blocked and such.
Where are all the "lol only in america! lol" comments, huh?
The settlement mentions that it is not actually the union's website.
"AOL also uses their web filters to promote a political agenda. For example, children can visit the home page of the Republican National Committee, but not the Democratic National Committee." http://www.computergripes.com/Aol.html
:P I didn't like Earthlinks webmail system or their customer service or their price, but at least they gave me the same level of internet access as I got in the computer labs.
AOL is a good example of this, but I have found censorship to be a big problem with a few other cheap internet providers.
In college, I think I was trying compuserve, but they blocked lots of sites. With them, I could not do political research for my sociology class at home. I would have had to go to the computer lab to do real research. That made me angry, so back then I decided not to switch and to keep my $24 a month Earthlink account
It makes me wonder about people looking for a good deal (poor people) and how this affects their political views.
FOX NEWS INTERNET Explosions, Warnings, and none of those boring educated LIBERALS!
Does Censorship = Profit? For who?
- Your friendly neighborhood systems analyst
and we'll see if they don't censor any mail.
It's better to be the foot on the boot than the face on the pavement. ~~ tkx Kadin2048
Five continents: America, Eurasia, Africa, Oceania, Antarctica.
America has three subcontinents: North -, South -, and Central America.
North and South America aren't separated by sea, only by an ARTIFICIAL cannal in Panama.
Eurasia has subcontinents: Europe and Asia.
Asia is not considered a subcontinent as a matter of fact, being "the central and eastern part of the continent of Eurasia, defined by subtracting the European peninsula from Eurasia", according to wikipedia; it's further subdivided in various regions: North Asia, Central Asia, East Asia, Southeast Asia, South Asia, Southwest Asia.
Back to America, WP says: "The Americas refers collectively to North, Central and South America. The term is a relatively recent and less ambiguous alternative to the name America, which may refer to either the Americas or the USA. The former usage is now often considered archaic in English, but still in use in other languages, where the Americas is often considered to form a single continent. The use of the term America for the United States of America in English and colloquially in other languages is seen by some as politically incorrect (it may be seen as cultural imperialism). Strictly speaking, it is also illogical (for example, it would place South America outside America). Although the context usually makes clear which 'America' is meant, this led to the emergence of the term Americas to take away the ambiguity (in English), if not the illogicality."
Because I consider myself an inhabitant of America, even if I am not a citizen of the US, in Portuguese, I refer to the continent as "América" and to the country as "Estados Unidos" (and its citizens as "Estado-unidenses") and, in English, the continent as America, the country as "the United States" or "USofA", and the citizens "US citizens" if formal and "USofAns" if informal.
You can say all you want that "it won't change a few hundred years of established usage in the English language", but IMHO you are really talking about en_US, not about the other kinds of English. I believe British People refer to the country as "the United States", also.
Feel free to ignore me.
MODERATORS: *Please*, feel free to ignore me.
It's better to be the foot on the boot than the face on the pavement. ~~ tkx Kadin2048
Does anyone know of a class action lawsuit against Telus for this act? I am *mighty* pissed that they blocked my access to the site, and I want to make them pay for it: I want to join a lawsuit against them.
Please post a reply to this message if you know of a class-action lawsuit against Telus for IP blocking.
--
Don't like it? Respond with words, not karma.
It comes down to the sysadmins being ignorant, because they are managers with little, to no experience operating routers.
However, they blocked it on the backbone, which not only serves TELUS users but people that peer with TELUS. So in essence, it was more then just TELUS users being affected by it.
Free means no restrictions, ironic the FSF's GPL forces restrictions, isn't it? What's your definition of free?
Just like to point out this blerb from the front page of the site in question:
After an out of court settlement today, TELUS acted quickly to remove the restrictions it placed on nearly one million customers. TELUS customers, and other Internet Service Providers who provide ADSL connections through the TELUS network are now able to connect to Voices For Change through its domain name www.voices-for-change.com.
(Now why the frack are ppl arguing about semantics and host headers? It's not even relevant to the topic.. sheesh)
Reality is in the mind of the beholder - me 1996
AA -- if it was illegal why did Telus not use the law? (Maybe because they like to stay outside the law themselves??)
Also, it was not the union who "was posting pictures of employees...". The site was run by a union member, which is a completely different story.
See you,
Stephan
http://stephan.sugarmotor.org
No no no, the IP address was blocked. That's why over 700 other sites were unavailable to Telus customers as well -- making Telus look really foolish and incompetent.
But maybe there is another angle here: the staff on strike may have been able to point out the (purely technical) foolishness of blocking an IP address, while the current replacement staff knows only little.
Stephan
http://stephan.sugarmotor.org
It was not the union who was "placing itself on a web server which was shared with innocent bystanders." The site was run by a union member, which is a completely different story.
See you,
Stephan
http://stephan.sugarmotor.org
It would seem to me that primus has definitely crossed the line. I would hope to hear a strong response from the government and the other members of parliament. As we have become inundated with spam and virus traffic people have let the internet providers filter all of their emails and web content already. Now I get the odd email that is sanitized with .pif virus, funny in it that it doesn't even run on a mac.
Internet providers have been able to sneak their filters into service supposedly based on this threat.
So it's like grade school all over again. I can just hear the teacher, " Nobody can throw snowballs all winter again because of what "Johnny" did".
Because of a bunch of sick bastards who write spam and virus's we must now submit ourselves to a level of censorship we don't even allow our own governments, and yes I am Canadian.
My closing idea is that if these businesses are not classed as common carriers, this would imply a failure of government to protect it's citizens. I see hand washing all the way to the top.
By the way write your MP.
This is exactly right, if they are making the choice of what I am allowed to see and do on the Internet, does it mean that I cannot be sued by the Canadian RIAA (CMAA whatever the acronym) because the ISP is essentially endorsing the downloading of music as legal by allowing access to it.
I would like to see the Canadian RIAA square off against the Telco's and ISP's... that would be fun.
Im.
And how does that help me when somebody is trying to actually reach my machine at port 80/25/21/etc?
I've had technical problems with Shaw. Nothing unusual, about what you'd expect. But they really shine if you have a business account and need support.
I know support people have it rough, so I try to be accomodating. I'm happy to plug in a machine with an officially supported OS because I know it'll be easier for both of us if we can get through the script without any fuss. But their support people tell me "No, that's alright. What have you done to troubleshoot?" They're perfectly capable of understanding what I've done and what it implies.
These aren't the senior people that you talk to once you get escalated, these are the first-line people that first answer the phone. I've moved around a bit and dealt with a lot of ISPs, and Shaw's first-line business support people are better than most of the senior people elsewhere.
Shaw gives me a better deal on bandwidth, but I'd use them even if they didn't.
I rarely criticize things I don't care about.
I think in many cases it's rather fortunate, actually....
What about ISP level firewalls? Imagine the bite that would be taken out of the zombie armies if ISPs setup a port blocking firewall to their clients. Tell the customers that you're doing it. Establish a simple opt out system. That way, the people who know how to protect their systems can setup their firewalls the way they see fit. Those who aren't as computer savy will never notice.
Customers get fewer attacks on their computers, and the ISP saves on the bandwidth that the zombies would be eating up.
But you would prefer that the ISP does not interfere? Please explain this to me. I don't understand.
I agree my ISP shouldn't block my access to something I want, but what about if I don't mind some censorship from said monopoly OS worms?
My sincerest appology, I meant to of course post this to the Slashdot thread on the topic of Intelligent Design, and didn't notice my mistake.
Although if I wanted to pretend I erred on purpose, I could say I thought Telus would probably take a the side of the IDers and start blocking scientific websites.
Saskboy's blog is good. 9 out of 10 dentists agree.
The problem isn't that the ISP forces us to use their server for outbound email as much as the fact that if we don't use their server the message will probably be bounced by the recipient as most ISPs now refuse inbound email from DHCP-leased addresses.
The long-term solution is to drop SMTP and move to a protocol that includes sender verification of some sort.
Tell them to use another port, dick head
Ahhh, I truely hope you aren't a Telus worker, but if you are this reflects pretty closely some of the service I've got.
And FYI, STMP isn't really all that easily redirectable, which was needed when I got stuck with a temporary dynamic-IP. No port 25 means no inbound mail, meaning I had to wait a week while a screwup on the other end delayed my business account being properly moved over to a new line and thus email being lost.
Silly Canadians