Slashdot Mirror


Security Consultants Warn About PROTECT-IP Act

epee1221 writes "Several security professionals released a paper raising objections to the DNS filtering (PDF) mandated by the proposed PROTECT-IP Act. The measure allows courts to require Internet service providers to redirect or block queries for a domain deemed to be infringing on IP laws. ISPs will not be able to improve DNS security using DNSSEC, a system for cryptographically signing DNS records to ensure their authenticity, as the sort of manipulation mandated by PROTECT-IP is the type of interference DNSSEC is meant to prevent. The paper notes that a DNS server which has been compromised by a cracker would be indistinguishable from one operating under a court order to alter its DNS responses. The measure also points to a possible fragmenting of the DNS system, effectively making domain names non-universal, and the DNS manipulation may lead to collateral damage (i.e. filtering an infringing domain may block access to non-infringing content). It is also pointed out that DNS filtering does not actually keep determined users from accessing content, as they can still access non-filtered DNS servers or directly enter the blocked site's IP address if it is known. A statement by the MPAA disputes these claims, arguing that typical users lack the expertise to select a different DNS server and that the Internet must not be allowed to 'decay into a lawless Wild West.' Paul Vixie, a coauthor of the paper, elaborates in his blog."

298 comments

  1. Decay? by wsxyz · · Score: 5, Insightful

    When was the Internet anything other than a "lawless wild west"?

    1. Re:Decay? by Mashiki · · Score: 1

      Since 10 minutes ago. I declare it now, so they can't change how it exists.

      --
      Om, nomnomnom...
    2. Re:Decay? by Opportunist · · Score: 1

      The internet is not a lawless wild west. It's something our governments love to perpetuate because they notice that their local laws mean jack in a global network. It is lawless from their point of view since they are used to governing every part of your life, which they simply cannot do globally.

      But lawless it is not. The difference is not that there is law in meatspace and none in the internet. The difference is that different laws apply when you're dealing with the internet. And with different I don't mean "different from reality" but "different from server to server". Depending on where it is located. A server in India is governed by other laws than one in France.

      What governments now perceive as "lawless wild west" is nothing but people choosing to go where the laws concerning the things they want are most favorable to them. It's not like that's a new thing, corporations have been doing this for ages. If you try to cage them in or force a law down their throat they don't like, they simply evade it by moving somewhere else. Virtually, at least.

      Why is it ok when a corporation does it to evade paying taxes but it's illegal when I do it to evade censorship?

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    3. Re:Decay? by Anonymous Coward · · Score: 0

      "Why is it ok when a corporation does it to evade paying taxes but it's illegal when I do it to evade censorship?"

      Oh, come on! You know the answer to that one!

      You don't bribe politicians to get what you want.

    4. Re:Decay? by Anonymous Coward · · Score: 0

      Ahh, the Internet.....

      It's funny how, something you can voluntarily go to, is deemed a dangerous, lawless landscape where piracy is rampant and must be controlled like the physical world. If anything, the Internet is a seemingly real accurate reflection of humanity. Multiple parties all wanting controlling interests for their own ends, while the majority of participants just want to get on living life.

      In almost 3000 years, things really haven't changed, have they. Sure we've progressed technologically, but humanity itself hasn't moved forward but inches.

    5. Re:Decay? by Logic and Reason · · Score: 1

      Amusingly, the "wild west" is mostly a Hollywood fabrication anyway. I guess that's a good indicator of how reliable the MPAA's claims are.

      Relevant reading: The Not So Wild, Wild West.

  2. typical users by buback · · Score: 5, Insightful

    15 years ago, 'typical users' didn't know how to use napster. 6 years ago, 'typical users' didn't know how to bittorrent.

    This kind of argument shows how little they've learned.

    1. Re:typical users by Anonymous Coward · · Score: 0

      The fun part is that the people who are trying to access the content that this is meant to block are /exactly/ those who would take the 5 minutes needed to learn how to get around them. You think Mr. Pedofiend is going to go "oh man, Cox blocked nakedbabies.com! Guess I'll quit!"? Or you think he'll go "oh man, Cox blocked nakedbabies.com! Let's google how to get around that."

    2. Re:typical users by CSMatt · · Score: 4, Informative

      15 years ago, 'typical users' didn't know how to use napster

      I should think not, since Napster didn't exist until 1999.

    3. Re:typical users by Joce640k · · Score: 1

      The really fun part is that this actually takes away some government control. Monitoring of DNS lookups at your ISP is a useful way for the feds to track what sites you're visiting. By forcing you to use IP addresses directly they're cutting out the middle man and it will be harder to track you.

      --
      No sig today...
    4. Re:typical users by Anonymous Coward · · Score: 0

      Well, for kiddie porn and other criminal matters "google how to get around that" may just leave you the evidence your investigation needs. Of course, since the vast majority of internet copyright infringement is not criminal, and LE won't be involved, it won't affect pirates much at all.

      And for the GP's discussion re:IP addresses: Maybe 10 years from now it'll matter, when most pirate sites can't afford an IPv4 and IPv6es are still a bitch to type, but of course you can still link to an IPv6 directly.

    5. Re:typical users by RobbieThe1st · · Score: 1

      Heck, I'd not consider that a problem at all - Why type a number when you can copy and paste the value?

    6. Re:typical users by MyFirstNameIsPaul · · Score: 1

      As a typical user in 1999, I knew how to use Napster, and so did all the other typical users I knew.

      --

      I once took an excursion to Reddit, and later HN. Unlimited up/down voting sucks when dealing with a hive-mind.

    7. Re:typical users by Cwix · · Score: 1

      Fine 12 years.

      Quit being pedantic.

      --
      You are entitled to your own opinions, not your own facts.
    8. Re:typical users by TubeSteak · · Score: 5, Insightful

      The typical user knows exactly as much as they need to (or slightly less) in order to go about their business.
      When schools and businesses started filtering video/social networking/etc the "typical" user was introduced to web based proxies.
      If the **AA manages to push through DNS tampering, the typical user will be introduced to alternative DNS servers and even more proxies.

      The internet routes around damage.

      --
      [Fuck Beta]
      o0t!
    9. Re:typical users by Anonymous Coward · · Score: 0

      Even better, we could create a system that let people type a name, and get directed to the appropriate server. We could call it Name Lookup Service. Then, we could create an entire secondary market where we could sell Names in the lookup service.

      Golly, this is starting to sound familiar.

    10. Re:typical users by Anonymous Coward · · Score: 0

      Easier still,

      a url like: http://12.3.4.5/foo/bar/baz
      is just as valid as: http://exampleblockedsite.com/foo/bar/baz

      People are just going to start putting IP addresses in URIs instead of domain names, and the DNS breakage will be rendered irrelevant.

      Then what will happen next is they will try and force web browser developers to include blocked site lists, which will be thwarted by users replacing or deleting those block lists.

      Then I suppose they will attempt to mandate transparent proxies with content filters on all consumer broadband connections...

      At this point it's likely users will probably switch to use of another information distribution system, like I2P.

      Censorship is always doomed to failure, especially when it is attempted against a population that was previously free from censorship.

    11. Re:typical users by Anonymous Coward · · Score: 0

      Quit whining because you made a mistake and were called out for it.

    12. Re:typical users by Anonymous Coward · · Score: 0

      a url like: http://12.3.4.5/foo/bar/baz

      is just as valid as: http://exampleblockedsite.com/foo/bar/baz

      Except for Host-Header sites, which is like most of them.

    13. Re:typical users by scdeimos · · Score: 2

      No ISP I've ever worked at logged DNS requests and responses. Not for law-enforcement purposes, anyway. All your usage bills are based on traffic crossing the border routers - you can rest assured the src and dst IPs on every single one of those packets are recorded and linked to your account.

    14. Re:typical users by Anonymous Coward · · Score: 0

      Politically, once DNS blocks are in place it becomes almost trivial to mandate IP blocks instead. As they would be only closing a loophole in an existing law, there would be far less objection.

    15. Re:typical users by erroneus · · Score: 1

      Typical users don't know what a phone number is and can't remember one, nor their driver's license numbers, home addresses... oh wait, yeah they can.

      The big fail here is that they truly underestimate "typical users." People will learn and teach each other what they will in order to achieve their ends. I think at no time in human history did anyone say "oh, I'm not smart enough to get what I want, so I won't even try." And yes, there will be people who will write browser add-ons to route around the damage -- oh wait, already done. Not much of a prophet am I? Predicting the past and all?

    16. Re:typical users by dbIII · · Score: 1

      Even non-typical users are screwed if all the DNS traffic is redirected to the ISP's server, which is sometimes the case. I know a VPN or port tunnel of some kind to another bit of the net can get around that but that's not really trivial and requires collaboration from somebody that doesn't have redirection.

    17. Re:typical users by Anonymous Coward · · Score: 0

      It's not pedantry - there's a difference between typical users not doing something because it's too technically difficult for them to comprehend it, and typical users not doing something because it was only released yesterday and they've never heard of it

    18. Re:typical users by Anonymous Coward · · Score: 0

      PROTIPs:
      - "Typical users" can't crack software.
      - "Typical users" can't fix cars.
      - "Typical users" can't operate a plane.
      PROTIP CONCLUSION: THEY DON'T NEED TO!

      [Script kiddie programs "ANTI-BLOCK 5000!!!!11one(lim (x->0) ((sin x)/x))"]
      "Typical user": I can't access this site!
      Slightly geeky friend / son (got it from friends): Here's this small program on my USB stick. You just plug it in, click OK, and there you go!
      "ANTI BLOCK 5000 HAS NOW UNLOCKED YOUR INTERNET! YOUR [sic] WELCOME!!!"
      Joe Sixpack / Bonnie Bubblegum: ME TOO!!

    19. Re:typical users by Gideon Wells · · Score: 1

      Exactly.

      Back in high school around 2001 the administration went with a group who were tasked to filter out all sorts of nastiness. For one, it was meant to protect us the children. For two, it made doing reports at school annoying as it blocked out any reference to Nazis so World War 2 reports had to be researched at home (killing the point of a school net access if you were too poor to own a computer back then. High poverty rate district) or with books only. For third, the entire system was based on a proxy server.

      Kids who either were too dumb or just didn't care enough to pass the "how to turn a computer on" class became knowledgeable on how to navigate IE and turn off the proxy server. They didn't know what proxy servers were or why it worked, but the entire school quickly taught each other how to disable going through the proxy server to get what they wanted.

      --
      by Anonymous Coward: I, for one, welcome the shift from car analogies to pizza analogies. um.. overlords?
    20. Re:typical users by Anonymous Coward · · Score: 0

      15 years ago, 'typical users' didn't know how to use napster

      I should think not, since Napster didn't exist until 1999.

      Which proves his point, since napster didn't exist, nobody knew how to use it, including the 'typical user'.

    21. Re:typical users by Anonymous Coward · · Score: 0

      DNS blocks first. Then IP blocking. It'll be much easier to pass IP blocking if DNS blocking is already in place, as it'll be merely a way to close a loophole in an existing law rather than something completely new.

    22. Re:typical users by Opportunist · · Score: 1

      And this will immediately change and we'll quickly find a way around it, since they want users to visit their places. If users cannot use their site because their virtual hosting system depends on the Host: info, we'll quickly see "servers" pop up that are reachable by their IP Address that don't do much but bounce the connection to the correct server with a fitting Host: info.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    23. Re:typical users by gpuk · · Score: 1

      Not trivial for average joe true but the collaboration requirement is easily fixed by renting a cheap VPS somewhere.

    24. Re:typical users by bjourne · · Score: 1

      DNS filtering is just the beginning. That it is easy to route around is a feature of the plan not a flaw in it. They figure techies will be more inclined to accept the idea of censorship if the implementation seems toothless. The next step is to plug the holes in the DNS filtering system, for example by outlawing links to sites banned in the dns filtering registry. Since the public has then already accepted the idea of a filtered internet as a reality, it will be easy for them to drive those changes through.

    25. Re:typical users by Cwix · · Score: 1

      I was pointing out that 12 years or 15 years the point is the same.

      --
      You are entitled to your own opinions, not your own facts.
    26. Re:typical users by Cwix · · Score: 1

      I wasn't the OP.

      Reading comprehension, it's good for ya!

      --
      You are entitled to your own opinions, not your own facts.
    27. Re:typical users by delinear · · Score: 1

      I'm not sure about almost trivial. So many websites occupy shared servers these days, blocking dozens of legitimate sites every time there's an accusation of infringement is going to raise a lot of complaints. It will also shift a huge burden onto hosting companies, who either face losing customers or having to strictly police all their hosted sites for anything the court might deem infringing. Of course, IPv6 would solve a lot of this - maybe we'll see a sudden rise in demand for the new protocol.

    28. Re:typical users by Type44Q · · Score: 1

      15 years ago, 'typical users' didn't know how to use napster

      I should think not, since Napster didn't exist until 1999.

      Doesn't that make it even less likely that they knew how to use it? :p

    29. Re:typical users by izomiac · · Score: 1

      So, how do they tell which site you visited if there are several hosted on the same IP? Or am I delusional in thinking law-enforcement cares?

    30. Re:typical users by Joce640k · · Score: 1

      I dunno. You could accidentally go to 12.34.56.78, going to "http://www.badnastyillegalstuff.com/" is harder to deny in court.

      --
      No sig today...
    31. Re:typical users by Joce640k · · Score: 1

      You won't be able to use IP addresses on such a server so that problem sorts itself out.

      --
      No sig today...
    32. Re:typical users by betterunixthanunix · · Score: 1

      Typical users still don't know how to use bittorrent.

      --
      Palm trees and 8
    33. Re:typical users by vgerclover · · Score: 1

      You are reading /.

      You are not a typical user by any stretch of the imagination.

    34. Re:typical users by MyFirstNameIsPaul · · Score: 1

      Right now it's 2011. Just thought I'd mention it.

      --

      I once took an excursion to Reddit, and later HN. Unlimited up/down voting sucks when dealing with a hive-mind.

    35. Re:typical users by vgerclover · · Score: 1

      I'm reading /. in 2011. In 1999 I was 12. I wasn't an average user then. Were you and your friends really? I don't know many people that go from non-geek to geek in a decade. Actually, I don't know many people that go from non-geek to geek.

    36. Re:typical users by scdeimos · · Score: 1

      Most requests have the client IP and a date-time, so they're looking for the logged-in user.

      In the rare case where the requesting party is seeking traffic patterns for a particular user you should tell them about Host-Header implementations on multi-tenanted servers - the only way they can confirm the user is accessing a particular web site is if they also have access to the log files on the origin server and those log files include the client IP addresses. As to whether they actually understand that... who knows?
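
An added example (not part of the thread, and not any ISP's actual tooling) of the attribution limit described in the comments above: border-router flow records carry only source and destination IPs, so on a Host-header (multi-tenant) server they cannot say which site was requested unless they are joined with the origin server's access log. All IPs, hostnames, timestamps and record layouts below are constructed for illustration.

```python
"""Flow records vs. origin access logs on a multi-tenant (Host-header) server.
Every record below is constructed sample data; the layouts are assumptions."""
import re
from datetime import datetime, timedelta

# Constructed ISP-side flow records: (timestamp, subscriber IP, dst IP, dst port)
FLOWS = [
    ("2011-05-26T10:00:03", "198.51.100.7", "203.0.113.10", 80),
    ("2011-05-26T10:04:41", "198.51.100.7", "203.0.113.10", 80),
    ("2011-05-26T10:05:12", "198.51.100.9", "203.0.113.20", 80),
]

# Constructed hosting map: site names served from each IP address
HOSTED = {
    "203.0.113.10": {"blog.example", "shop.example", "forum.example"},
    "203.0.113.20": {"solo.example"},
}

# Constructed origin-server access log: vhost, client IP, time, request, status
ORIGIN_LOG = """\
shop.example 198.51.100.7 [2011-05-26T10:00:04] "GET /cart HTTP/1.1" 200
blog.example 192.0.2.55 [2011-05-26T10:00:05] "GET / HTTP/1.1" 200
this line is malformed and must be skipped
forum.example 198.51.100.7 [2011-05-26T10:04:41] "GET /t/42 HTTP/1.1" 200
"""

LOG_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<client>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<req>[^"]*)" (?P<status>\d{3})$'
)


def parse_origin_log(text):
    """Parse access-log lines into dicts, silently skipping malformed lines."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        entries.append({
            "vhost": m["vhost"].lower(),
            "client": m["client"],
            "ts": datetime.fromisoformat(m["ts"]),
        })
    return entries


def attribute(flows, hosted, origin_entries=(), skew=timedelta(seconds=5)):
    """For each flow, report which hosted site(s) it could correspond to.

    Status values:
      unknown-host            destination IP is not in the hosting map
      unique-by-ip            only one site lives on that IP
      resolved-by-origin-log  origin log shows exactly one vhost for this
                              client within the clock-skew window
      ambiguous               flow data alone (or conflicting log entries)
                              cannot single out a site
    """
    results = []
    for ts, src, dst, _port in flows:
        when = datetime.fromisoformat(ts)
        candidates = hosted.get(dst, set())
        if not candidates:
            results.append((src, dst, [], "unknown-host"))
            continue
        if len(candidates) == 1:
            results.append((src, dst, sorted(candidates), "unique-by-ip"))
            continue
        # Join on client IP and time; the vhost must be one hosted on this IP.
        seen = {
            e["vhost"] for e in origin_entries
            if e["client"] == src
            and e["vhost"] in candidates
            and abs(e["ts"] - when) <= skew
        }
        if len(seen) == 1:
            results.append((src, dst, sorted(seen), "resolved-by-origin-log"))
        else:
            results.append((src, dst, sorted(seen or candidates), "ambiguous"))
    return results


if __name__ == "__main__":
    print("Flow records only:")
    for row in attribute(FLOWS, HOSTED):
        print("  ", row)
    print("Flow records joined with the origin access log:")
    for row in attribute(FLOWS, HOSTED, parse_origin_log(ORIGIN_LOG)):
        print("  ", row)
```
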

  3. politicians (hock...patoooiiiii) by xmundt · · Score: 3, Interesting

    Greetings and Salutations....
    Why does this seem like one of those "feel good" laws that politicians pass to get brownie points with their followers, rather than to actually address and fix a problem?
    I am more and more convinced that attempts to regulate the Net are a bad idea, and, any official that attempts to do this should be voted out of office or recalled.

    --
    YAB - http://blog.beemandave.com/
    1. Re:politicians (hock...patoooiiiii) by DigiShaman · · Score: 5, Insightful

      That's the intent. To create a law that addresses one political issue while at the same time creating several new problems. THIS IS BY DESIGN. It's the political gift that keeps on giving back to legislatures. It's purely justification to expand the government at the expense of public tax dollars. How in the fuck this is news to anyone proves we still live in a sick, sad world. It should be ingrained into every child from birth that large government = evil!

      --
      Life is not for the lazy.
    2. Re:politicians (hock...patoooiiiii) by reiisi · · Score: 1

      Adding a little from the quote that got cut precariously close to out of context:

      “Here's the bottom line: We rely on the Internet to do too much and be too much to let it decay into a lawless Wild West. We are confident that America's technology community, which leads the world in innovation and creativity, will be capable of developing a technical solution that helps address the serious challenge of rogue sites,” said Paul Brigner, chief technology officer at MPAA.

      In other words, "our geeks are Gods, and they'd damned sure better do our bidding!"

      I'm thinking this is the same kind of political behavior that caused that incident with a tower in Babel. (Whether you take the Bible literally about that or not, the metaphor is quite instructive.)

      --
      Computer memory is just fancy paper, CPUs just fancy pens with fancy erasers; the 'net is just a fancy backyard fence.
    3. Re:politicians (hock...patoooiiiii) by c0lo · · Score: 1

      Greetings and Salutations....
      Why does this seem like one of those "feel good" laws that politicians pass to get brownie points with their followers, rather than to actually address and fix a problem?

      This is by design

      I am more and more convinced that attempts to regulate the Net are a bad idea, and, any official that attempts to do this should be voted out of office or recalled.

      Yes... but nothing new and it must not be restricted only to the Net.

      --
      Questions raise, answers kill. Raise questions to stay alive.
    4. Re:politicians (hock...patoooiiiii) by rohan972 · · Score: 1

      Why does this seem like one of those "feel good" laws that politicians pass to get brownie points with their followers, rather than to actually address and fix a problem?

      Possibly that is what it is designed to be. The politicians who voted for it might have wanted to raise the money for their next election campaign from the MPAA without closing off their kids access to free content.

    5. Re:politicians (hock...patoooiiiii) by Anonymous Coward · · Score: 0

      aww yeah getting down with the lsd! i mean lds... whatever so similar can't tell them apart.

    6. Re:politicians (hock...patoooiiiii) by Anonymous Coward · · Score: 0

      These degenerate politicians can't balance the budget, set term limits, stop any war or war profiteering, get their act together on sensible drug laws, but they sure can move mountains when it comes down to corporate hand-outs. These pork barrel perverts have done enough, it's time they go to jail, and I don't mean club fed.

    7. Re:politicians (hock...patoooiiiii) by Anonymous Coward · · Score: 0

      Never attribute to malice that which can be explained by ignorance.

    8. Re:politicians (hock...patoooiiiii) by Anonymous Coward · · Score: 0

      It should be ingrained into every child from birth that large government = evil!

      That's simplistic drivel. Scandinavian countries are heavy on the government, and they have some of the happiest, healthiest citizens in the world. The problem with the US is the Military-Industrial Complex. Read Eisenhower's exit speech.

    9. Re:politicians (hock...patoooiiiii) by AlamedaStone · · Score: 1

      Never attribute to malice that which can be explained by ignorance.

      Sufficient levels of ignorance are indistinguishable from malice.

      --
      "All these years believing you're the signified monkey, only to find out you're just a big hunk of nobody cares."
    10. Re:politicians (hock...patoooiiiii) by ravenshrike · · Score: 0

      You mean the US MI complex that keeps scandi citizens safe at night in their bed since they currently have all the military might of a small poodle (I kid, their soldiers aren't that bad, but their current militaries are so small as to be useless without US assistance in the event of an invasion with the possible exception of Finland, cause the Finns are fucking hardcore) and would be defenseless against foreign (Russian) aggression. The idea that things would all be just spiffy if the American military establishment disappeared on the international stage is flipping laughable.

    11. Re:politicians (hock...patoooiiiii) by splutty · · Score: 2

      Uhm..

      What century are you living in exactly?

      --
      Coz eternity my friend, is a long *ing time.
    12. Re:politicians (hock...patoooiiiii) by Vectormatic · · Score: 2

      First, the idea of a russian invasion into any part of europe is laughable. Second, no one is advocating getting rid entirely of the US military.

      The point is that it would be a good idea to stop letting the war industry run the US. Every time the CxOs need a new yacht/villa/whatever, they send some kickbacks to their friends in high places, and a war on $EVIL is started and billions are spent on weapons etc. Keeping a MAD-capable nuclear arsenal and a few carrier groups operational isn't the same as going on a never-ending tour of the middle east.

      --
      People, what a bunch of bastards
    13. Re:politicians (hock...patoooiiiii) by AmiMoJo · · Score: 3, Interesting

      large government = evil!

      Such a blanket statement is nonsense. In the UK the National Health Service is a massive government run institution and despite its problems is still many times better than what private healthcare in the US can deliver. The public is broadly in favour of expanding it and pumping in more money, so much so that all parties at the last election declared their intent to shield the NHS from spending cuts that every other public institution would have to bear.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    14. Re:politicians (hock...patoooiiiii) by Anonymous Coward · · Score: 0

      Large government is not necessarily evil, and casting things that way, as if the size of government was the sole source of the problem, is pretty misleading. A small government can be just as malicious. A large, non-vigilant population that doesn't care enough about its government to keep it in line and running properly is evil. An attentive and involved population results in a good government. Neither government nor the people is inherently evil alone. It's more of an evil partnership between an apathetic population and a self-interested government that results in the truly nasty situations. Telling kids that "large government is evil" as if it was some kind of simple and important truth leaves out the other half of the equation. That old saying about "we get the government we deserve" is much more pertinent because it implies we are involved as much in the problem as with the solution.

    15. Re:politicians (hock...patoooiiiii) by Anonymous Coward · · Score: 0

      Like criminals, politicians need to be exposed to the light.

      Why isn't there a more concerted effort to show the level of corruption required to get these laws passed? We should be crowd sourcing and delving down to find and display with smart infographics how Hollywood is going out of their way to pay for these laws.

      Political blackmail may be the only way to correct the system with modern technology.

    16. Re:politicians (hock...patoooiiiii) by toxickitty · · Score: 1

      I wouldn't exactly tout UK government as a great entity, I recently watched a YouTube video of a random terrorist stop as they call it where they were searching vehicles while brandishing automatic rifles... Wow I'd feel safe.. Not to mention the nice Internet Censorship.

    17. Re:politicians (hock...patoooiiiii) by Type44Q · · Score: 1

      large government = evil!

      Such a blanket statement is nonsense.

      A blanket statement indeed, nonetheless one born of history...

      In the UK the National Health Service is a massive government run institution and despite its problems is still many times better than what private healthcare in the US can deliver.

      Talk about framing the debate! It's hardly as if those two steaming piles of shit should be our only choices!

    18. Re:politicians (hock...patoooiiiii) by Anonymous Coward · · Score: 0

      Hmmm...."The sun never sets on the British empire." It does now. Your empire is gone, your economic status as a leader is gone, and I sit watching as you continue to destroy the last vestiges of freedom with cameras on every corner of your country. Your country is the single best example, after the Roman empire, of the collapse of once dominant societies caused by socialism, mercantilism, and militarism.

      I hope the U.S. does not continue to follow your lead (off of a high cliff).

    19. Re:politicians (hock...patoooiiiii) by Mr_ZnArK · · Score: 1

      This is so true.... and so sad. Benjamin Franklin would probably be pissed enough to blog about his disdain.

      The public is broadly in favour of expanding it and pumping in more money

    20. Re:politicians (hock...patoooiiiii) by BenoitRen · · Score: 1

      It should be ingrained into every child from birth that large government = evil!

      No thanks. We have enough crazy Republicans that fuck the public in the ass as it is.

      The less government there is, the more freedom everyone else has to screw you. Corporate America is a fine example of this.

    21. Re:politicians (hock...patoooiiiii) by BenoitRen · · Score: 1

      To add to my comment:

      You're encouraging exactly what allows laws like these to be proposed and passed. Politicians get bribed by corporations to pass laws like these because there's not enough government regulation when it comes to bribes and what corporations can do.

      Government isn't the enemy; corporations are.

    22. Re:politicians (hock...patoooiiiii) by Howitzer86 · · Score: 1

      Step 1) Break Internet
      Step 2) Introduce heavily centralized Internet 2
      Step 3) ...
      Step 4) Profit!!

      And this time, #4 is a real step that really happens.. for the right people. For the rest of us it will be more expensive, we'll have less control, less access to information, and a harder time communicating with other internet users. Hopefully it'll severely hurt the economy and the educational system, otherwise there's no chance of getting the government to back pedal on this once it's passed. These guys barely understand what the Internet is, let alone what it does when it's broken.

      I expect Slashdot to eventually run afoul of it and get blocked, after all, we post the video encryption codes and talk about bit-torrent.

    23. Re:politicians (hock...patoooiiiii) by Attila Dimedici · · Score: 1

      The less government there is, the more freedom everyone else has to screw you. Corporate America is a fine example of this.

      No, corporate America is the reverse of this. Corporate America is an example of how the more government regulation there is, the more corporations can act without suffering consequences.

      --
      The truth is that all men having power ought to be mistrusted. James Madison
    24. Re:politicians (hock...patoooiiiii) by TheGratefulNet · · Score: 1

      Government isn't the enemy; corporations are.

      much more complex than that, come on.

      the fact that they can meet in secret, make deals in secret, hide the cash/payoffs (or bury it) and - whammo - you have new bought/paid for laws. entirely bypassing the people. no say-so from consumer groups or private citizens.

      no one watching the watchers.

      I'd go so far as to say 90% of our problems (in bad laws) would be solved if people really had say-so in what laws were forced on us.

      we are RECIPIENTS, not players in the game.

      THAT is the problem. the game got taken away from us.

      until control returns to the people, expect NO fair laws. none.

      --
      "It is now safe to switch off your computer."
    25. Re:politicians (hock...patoooiiiii) by Anonymous Coward · · Score: 0

      It's not better. It just costs less.

    26. Re:politicians (hock...patoooiiiii) by Anonymous Coward · · Score: 0

      Wow, I didn't know the National Health Service randomly stopped vehicles in search for terrorists. Guess I learn something new every day!

    27. Re:politicians (hock...patoooiiiii) by SuperTechnoNerd · · Score: 1

      You forgot something:
      Large corporations = Evil!
      Then you have:
      Large corporations + large government = Biggest Evil Of All ^ 2!

    28. Re:politicians (hock...patoooiiiii) by BenoitRen · · Score: 1

      If you twist reality, sure. *rolls eyes*

    29. Re:politicians (hock...patoooiiiii) by anyGould · · Score: 1

      Of course, you're missing the other Secret Defense that most European countries have: since they have a small military, they tend not to screw around with the affairs of other countries, which means that no-one really feels the need to attack them.

    30. Re:politicians (hock...patoooiiiii) by BenoitRen · · Score: 1

      People have the right to vote, and they don't use it responsibly. Lots of people don't vote, and the ones that do either vote for a Democrat or Republican they like, or vote against the other party. It's an endless game of Democrats VS Republicans, and nothing changes.

      If people wanted change, they'd vote for third party. But to them it's a "wasted vote".

    31. Re:politicians (hock...patoooiiiii) by Attila+Dimedici · · Score: 1

      So, you think that corporations are less powerful today, when we have much more government regulation, than they were in the 1950s when there was less government regulation? Or is it really the other way around, as government regulations have increased, so has corporate power?

      --
      The truth is that all men having power ought to be mistrusted. James Madison
    32. Re:politicians (hock...patoooiiiii) by BenoitRen · · Score: 1

      Corporations have more money today, and they buy more government regulation, like the DMCA. Government regulation hasn't necessarily increased for corporations themselves.

    33. Re:politicians (hock...patoooiiiii) by Attila+Dimedici · · Score: 1

      I like how when presented with a real world situation, you say that other factors apply and that your theory is true, even though the real world, where government regulation and corporate power and wealth have increased in tandem suggests otherwise.

      --
      The truth is that all men having power ought to be mistrusted. James Madison
    34. Re:politicians (hock...patoooiiiii) by reiisi · · Score: 1

      aww yeah getting down with the lsd! i mean lds... whatever so similar can't tell them apart.

      heh

      Well, I guess if I'm going to go seeing metaphors in everything, I can't complain about you seeing a metaphorical connection between those two.

      But maybe you'll then grant me the observation that similar things could be said about the education system vs. lsd.

      --
      Computer memory is just fancy paper, CPUs just fancy pens with fancy erasers; the 'net is just a fancy backyard fence.
    35. Re:politicians (hock...patoooiiiii) by monkyyy · · Score: 0

      i'll fix the statement
      large groups of people lacking individuality = EVIL!

      --
      warning pointless sig
    36. Re:politicians (hock...patoooiiiii) by randyleepublic · · Score: 0

      Oh for fuck's sake. The UK is a tiny little nation. That is why, HELLO?, it runs better than the US which is a, wait for it, a great big nation. Dee Yew Aitch!

      --
      Social Credit would solve everything...
    37. Re:politicians (hock...patoooiiiii) by BenoitRen · · Score: 1

      The real world has changed a lot in the past 50 years. There's such a thing called globalisation.

    38. Re:politicians (hock...patoooiiiii) by Attila+Dimedici · · Score: 1

      Brought about by increased government regulation.

      --
      The truth is that all men having power ought to be mistrusted. James Madison
    39. Re:politicians (hock...patoooiiiii) by BenoitRen · · Score: 1

      That doesn't defeat my point, though. :)

    40. Re:politicians (hock...patoooiiiii) by Attila+Dimedici · · Score: 1

      Your original point was that Corporate America was an example of how the less government there is the more people have freedom to screw you. My point is that Corporate America illustrates the opposite of that: the more government there is the more corporations have the power to screw you. Nothing you have posted since has in any way countered that. As government regulation has increased, corporate power has increased. Your solution to corporations having too much power seems to be more of what gave them that power in the first place.

      --
      The truth is that all men having power ought to be mistrusted. James Madison
    41. Re:politicians (hock...patoooiiiii) by BenoitRen · · Score: 1

      Your point doesn't make any sense. The less regulation there is, the more power corporations have because there are no regulations to stop them from exercising too much power. Explain to me how more government regulation gives corporations more power. As it stands now, you only have a single proposition, and to that I can simply say: correlation is not causation.

      Ever heard of Superfund sites? Minimum wage? Work and safety compliance?

      All of these are government regulations that limit corporate power.

    42. Re:politicians (hock...patoooiiiii) by Attila+Dimedici · · Score: 1

      The reason that corporations have more power as government regulations increase is because government regulations make it harder for smaller businesses to compete. Companies have to pay someone to fill out the paperwork that says they are in compliance with the regulations.
      Good grief, you use minimum wage as an example of government regulations that limit corporate power. Minimum wage is a perfect example of a government law that helps larger companies at the expense of smaller companies and the unskilled. Look at unemployment of teens. Every time minimum wage goes up the number of jobs available for teens goes down.
      Look at banking, every time a new set of regulations over the banking industry are introduced, they are immediately followed by a spate of smaller banks being swallowed up by larger banks. I will repeat, people have been saying since the 1800s that more government regulation is needed to rein in the power of corporations and more government regulations have been repeatedly passed. Yet, corporations today are more powerful than ever...maybe the reason that corporations are so powerful today is because all of the smaller businesses that would have limited their power have been forced out of business by government regulation.
      Insanity has been defined as doing the same thing over and over and expecting different results. People have been calling for more government regulation of business to reduce the power of business for generations and getting more government regulation. Yet each generation sees corporations as even more powerful than ever before. Maybe it is time to try something different? Increasing government regulation has not only failed to reduce the power of corporations, but has seen it increase.

      --
      The truth is that all men having power ought to be mistrusted. James Madison
  4. Idiots by governorx · · Score: 5, Insightful

    The typical users will quickly learn how to set their DNS providers if this comes to pass.

    1. Re:Idiots by moj0joj0 · · Score: 3, Insightful

      The typical users will quickly learn how to set their DNS providers if this comes to pass.

      Say rather that the users who are interested will quickly learn.

      ISPs will not be able to improve DNS security using DNSSEC, a system for cryptographically signing DNS records to ensure their authenticity, as the sort of manipulation mandated by PROTECT-IP is the type of interference DNSSEC is meant to prevent.

      We shouldn't forget the massive amounts of users that are oblivious to nearly any of this. DNS, IP Addresses, Routing protocols and all the rest of the "magic" of the Internet is well past their horizon. Please keep in mind how reasonable this would appear to the average Jane and Joe Six-Pack.

      The measure allows courts to require Internet service providers to redirect or block queries for a domain deemed to be infringing on IP laws.

      On the surface this looks like a great thing. Understanding the technology or anything past double-clicking the blue "e", or perhaps clicking a link in their e-mail, is not something a more advanced user should expect. While we can understand the potential difficulties and pitfalls that come with this sort of meddling, I don't think we should see them as so obvious that the basic user will also see them.

    2. Re:Idiots by rrohbeck · · Score: 1

      You don't need to understand how it works. All that is needed is a website with a few screenshots that show how to change the DNS server. Even grandma can do that.

    3. Re:Idiots by RobbieThe1st · · Score: 1

      That may be true, but I've seen otherwise relatively technically-illiterate users solve problems - like the ones this may cause - by simply following tutorials. They may not *understand* what a dns server does, but if they can follow instructions, they can fix the problem.
      Also, don't underestimate the power of friends providing help - One semi-knowledgeable user + Google can help dozens of users to make the switch if needed.

      As such, I think most freeloaders & normal users will end up changing DNS if needed (i.e. if something they try to do stops working), even if they don't really understand what they're doing.

    4. Re:Idiots by fuzzyfuzzyfungus · · Score: 2

      The typical users will quickly learn how to set their DNS providers if this comes to pass.

      Unfortunately, some unknown; but nontrivial, number of them will learn to set their DNS providers by obtaining from an incrementally more clueful friend and running "l33tt0rr3ntz_DNS_Crack.exe". This will, in fact, reconfigure their system's DNS settings to point to somewhere in the free world; but it might, well, invite a few buddies in...

    5. Re:Idiots by black3d · · Score: 5, Insightful

      How can that be a good thing by any means? "Deemed to be infringing" is extremely broad. I've had cease and desists sent to my own website for MP3s of my own music which I own entirely. With this law, they don't even need to attempt to prosecute me. They just file notice with the court that my domain is "infringing" and suddenly my hits go to 0. I have no right of reply as I've never been served.

      I intend no personal insult, but you seem to forget that what the US courts deem as "infringing" draws no parallels to actual international copyright law. For example, a site which contains no pirated material but contains links to it, is considered as infringing under US copyright laws (see DMCA). If you haven't noticed, the MPAA and RIAA will stop at nothing and have no qualms about how many people they inconvenience. Baidu.cn contains an MP3 section. Does it host MP3s? No. Does that matter to a court which orders all ISPs to block access to Baidu as a result? Of course not.

      A law like this gives the MPAA the legal right to have Google.com blocked until it removes all links to pirated material. I don't believe they'd hesitate for a second. Although TBH, they probably need it, in order to search for more meta sites which may or may not link to "deemed infringing" material. Like my personal music.

      While of course, this horrific scenario may not occur, the point is, this will allow the MPAA to go nuts. They don't care if they knock out 10,000 sites like my own. They don't have to serve me, so there's no case to win. And when they get it wrong, I can't sue the MPAA, because the MPAA didn't make the "ruling", the court did.

      They'll happily have Metacafe blocked because some video has a soundtrack they own, or have any NNTP Usenet provider closed because, despite all their legal offerings, they can be deemed to be serving infringing material. A Safe-Harbour doesn't apply here as they're not actually filing a DMCA takedown. They're just having the court look at all the pirated material and say "this means ISPs have to block them." Goodbye Giganews. I'm sure such sites can go through and remove all material deemed infringing, but exactly how do you go about doing this? MPAA doesn't care - they only have to prove one instance of pirated material. Yet before, say, Giganews can file an appeal, they have to go about removing all potentially infringing material from their usenet mirror? For that matter, how does Google go about removing all links to "potentially infringing" material from their servers?

      --
      "The true measure of a person is how they act when they know they won't get caught." - DSRilk
    6. Re:Idiots by moj0joj0 · · Score: 1

      My point is that they will not see the need.

    7. Re:Idiots by c0lo · · Score: 1

      The typical users will quickly learn how to set their DNS providers if this comes to pass.

      One good reason to actually go ahead and try to screw the net. For this very reason, I wonder if it wouldn't actually be worth encouraging them to do it.

      --
      Questions raise, answers kill. Raise questions to stay alive.
    8. Re:Idiots by AmberBlackCat · · Score: 3, Interesting

      My nieces and nephews all got MacBooks issued to them from their school. Just like the ones in that webcam scandal. So the school had a firewall installed that was supposed to block inappropriate sites. It was amazing how fast people, who had never owned a computer before, learned how to use a proxy, and learned to put that s on the end of https because apparently the firewall didn't filter sites using ssl. And one of the first things they learned was electrical tape defeats the webcam.

      Cousins got iPhones. It was amazing how people who didn't even know what firmware was learned the concept of jailbreaking. No, they didn't all know how to do it. But they knew how to go on Facebook and ask "does anybody know how to jailbreak an iPhone"?

      The moral of this story is, if you try to take it away and there is a way to get it back, they'll find it even if they have no idea how to do it right now. It's not that they're incapable of learning. It's they have had no reason to up until now.

    9. Re:Idiots by whiteboy86 · · Score: 1

      It looks like PROTECT-IP will force Google to delist those sites anyway, once off the indexes, it will be very hard to find them, DNS blacklisted or not. That could cause a secondary underground internet to rise, with their own "black DNS" servers and search engines.

    10. Re:Idiots by Anonymous Coward · · Score: 0

      Silence, child. Passing laws which try and fail to prevent the potential loss of potential profit is of utmost importance. Who cares about collateral damage? Who cares about users?

    11. Re:Idiots by nzac · · Score: 1

      Don't over-sensationalise it; you will just go to a site that links (possibly using the direct IP address) to another site that has no 'illegal' content but is outside the US that has an IP link to the desired site. Provided the IP is static enough no DNS is ever needed. Just add more links as the law tries to catch up.

      I would think this process could be made automatic with various scripts. Inventing a new DNS standard will not be fast enough to catch up with some obvious and already implemented web 'standards' and they will become the standard method of bypassing it.

      I think the phone book analogy is pretty good here. It makes it easy but there are ways to bypass it like ringing up a mate who has the useful numbers written down

    12. Re:Idiots by 1u3hr · · Score: 2

      Say rather that the users who are interested will quickly learn.

      There will be simple one-click apps to do it for the rest. And shortly after, Trojans masquerading as such.

    13. Re:Idiots by wvmarle · · Score: 2

      The typical users will quickly learn how to set their DNS providers if this comes to pass.

      Say rather that the users who are interested will quickly learn.

      And the ones that are hit by such filtering are probably also the ones that are interested to route around it. If only by posting on their local message board "The Internetz seem broken, I can't reach The Pirate Bay any more!", likely quickly replied to by someone giving some overseas DNS and telling them how to change their settings to use that one. The ones that aren't affected will not change their settings, but then they're not affected to begin with so no reason for them to change it in the first place.

    14. Re:Idiots by Anonymous Coward · · Score: 0

      Your first mistake is assuming the Common Law === Common Sense.

    15. Re:Idiots by Anonymous Coward · · Score: 0

      The typical users will quickly learn how to set their DNS providers if this comes to pass.

      Unfortunately, some unknown; but nontrivial, number of them will learn to set their DNS providers by obtaining from an incrementally more clueful friend and running "l33tt0rr3ntz_DNS_Crack.exe". This will, in fact, reconfigure their system's DNS settings to point to somewhere in the free world; but it might, well, invite a few buddies in...

      Why go to those lengths? If you're running the DNS server, you can just wait for a specific client to request a specific site, say their online bank, and then return a fully custom-crafted poisoned DNS record which sends them to your phishing site, which is a transparent https proxy.

    16. Re:Idiots by 1u3hr · · Score: 1

      My point is that they will not see the need.

      When the content they want is blocked, they will. They'll complain in whatever forums, social media they use and will be directed to a how-to to fix it.

      In no time there will be Firefox plugins, etc to make it completely painless.

    17. Re:Idiots by Anonymous Coward · · Score: 1

      We shouldn't forget the massive amounts of users that are oblivious to nearly any of this. DNS, IP Addresses, Routing protocols and all the rest of the "magic" of the Internet is well past their horizon.

      Which is just as it should be.
      You don't have to know the specifics of an internal combustion engine to drive a car. Nor do you need to know the specifics of DNS/Routing/HTTP to use a web browser.

      How many millions of people used Napster? How many millions use Bittorrent?
      So why can't the same program which connects you to [insert favorite file-sharing tech] also change your DNS settings?

      The end user doesn't even have to be aware the problem exists - because the mere act of installing their favorite file sharing program already fixed it for them.

    18. Re:Idiots by Anonymous Coward · · Score: 0

      Changing DNS does you no good when the ISPs start filtering at the IP level. Some countries already do, Italy for instance.
      The goal is to raise the bar so high that most people won't care to bypass the hurdles. Not when they have to spend more money for VPNs over an already high ISP monthly charge. Same thing for Usenet. Etc... It's a losing proposition in the long term for the common man.
      The only viable solution is to "transfer" all the interesting bits of content in the www to some other network, i2p or osiris or some other kind of p2p network.
      Any kind of decentralized network that is resistant to censorship. The www is dying, other networks not so much. So perhaps higher censorship will spur a much needed development activity for other solutions.

    19. Re:Idiots by shentino · · Score: 1

      My college (and according to rumor, a few ISPs) block outbound DNS to anyone except their own filtered servers.

    20. Re:Idiots by Anonymous Coward · · Score: 0

      There are protocols that don't need DNS, because they are doing it themselves (see HTTP proxy). If anyone is blocking DNS, he is potentially evil and should be avoided. DNS is a critical part of security and communication in the entire internet. That's why it has to be protected and not manipulated.

    21. Re:Idiots by Barefoot+Monkey · · Score: 1

      Don't over-sensationalise it; you will just go to a site that links (possibly using the direct IP address) to another site that has no 'illegal' content but is outside the US that has an IP link to the desired site. Provided the IP is static enough no DNS is ever needed. Just add more links as the law tries to catch up.

      Name-based hosting makes it a little more complicated, since (as far as I am aware - please correct me if I'm wrong) URLs don't currently have a way of specifying the domain and the IP address at the same time. You can get a link to the correct host, but because you used an IP address instead of a domain name the server will present the wrong website.

    22. Re:Idiots by nzac · · Score: 1

      You are right (i now remember reading something) but would think there would be workarounds if there is reasonable demand to bypass DNS. I think any site with https has to have its own ip address and IPv6 may make this less of an issue.

      Trying it out I would think websites may have to be modified or use browser add-ons, you can reach the website but it won't let you browse using the IP.

    23. Re:Idiots by Hal_Porter · · Score: 1

      The ISPs could block any DNS server but their own.

      --
      echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
    24. Re:Idiots by MadMaverick9 · · Score: 1

      reconfigure their system's DNS settings to point to somewhere in the free world;

      and since more and more countries are blocking / censoring the internet, the free world is getting smaller and smaller by the day.

      so where in this world is the DNS server that still provides unhampered access to the internet?

    25. Re:Idiots by Opportunist · · Score: 1

      They will. Why? Because something that worked stopped working and they know that it did work and want it to work again.

      So what will they do? Simply shrug and go "oh well, 'twas great while it worked"? I kinda don't think so. Instead, they'll go to the board they frequent (which isn't in any way a "filesharing" board, just some ... whatever, parent's info exchange board), go to the offtopic section and ask what's wrong with their computer 'cause they can't see movies anymore. Since they not only do not know how the whole thing works but they also most likely don't even know that what they do might be illegal, they'll simply and bluntly ask. And equally simply and bluntly they'll get an answer, either directly or as pointers to places where a detailed description to get their content back is hosted.

      If they ask one more thing it is probably whether they, as computer illiterates, can do it and they'll get a positive reply.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    26. Re:Idiots by Opportunist · · Score: 1

      Erh... you know an ISP that has the resources to block every single "open" DNS server out there? I mean, you ARE aware that pretty much any IP address could host one, right? That it's trivial to run one on your server and that it's equally trivial to use it? ISPs would be quite busy catching up with their blocklists and keeping them up to date as DNS servers pop up and close down.

      Plus, it's virtually useless. Should for some odd reason they find a way to block "rogue" DNS servers, some tool will come into existence to let you run a) a DNS server on your own machine and b) getting DNS info from a free DNS server in an encrypted connection on an arbitrary port, preferably one used for VPN.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    27. Re:Idiots by Hal_Porter · · Score: 1

      You could block the requests by port not by IP address. E.g.

      http://forum.pfsense.org/index.php?PHPSESSID=acve3puv31mdfooc1b4ckuvq94&topic=9396.msg62747#msg62747

      Of course you could avoid that by setting up a VPN tunnel and doing everything over that.

      At that point they'd need to block all VPN connections to stop you getting at bad content and that does seem to be non trivial.

      --
      echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
    28. Re:Idiots by master_p · · Score: 1

      You present removal of links to pirated material as a negative thing. Why? It would be quite good to actually remove any pirated material from the internet.

    29. Re:Idiots by Opportunist · · Score: 1

      Mmhmm... blocking VPN will certainly get a few companies banging at the walls of the ISPs because their workers cannot access their mail anymore and can't get to their computers at work. Not to mention the few other tidbits like remote server administration and such.

      And how about programs that by themselves try to create a secure connection, from HTTPS to other SSH traffic? Want to keep a white list for all of them?

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    30. Re:Idiots by Opportunist · · Score: 1

      Here's an implementation that I couldn't really see how to block. A program that has to run on your machine that does a few things:

      a) It provides a DNS server, so you have to point your DNS server entry to localhost. Could easily be done during the installation of said program automatically.
      b) It creates a secure connection to a free name service provider. If need be it can even be done on a random port, and should the need arise it can be done distributed akin to P2P. There you get a list of sites blocked around the globe, and as a neat side effect you get a very interesting list of very interesting servers.
      c) The locally hosted DNS service forwards all requests it cannot handle to your ISP's DNS, if it has an entry itself it will provide that.

      All of this can be used by a computer illiterate, since everything "technical" is neatly tucked away. The use of the local DNS server is adjusted during install, the service gets started as an automatic service at startup, connecting and server list retrieval (along with retrieval of a list of DNS peers) is done automatically.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    31. Re:Idiots by Anonymous Coward · · Score: 0

      So the instructions will just say "Open C:/Windows/System 32/drivers/etc/host" in a text editor, add this line "$ip_address $site_name", save and browse to $site_name in your browser - the server gets the name of the correct site to serve and it's only a little more complicated than telling someone to go to the IP address in their browser. We used to do this all the time in ye olden days when DNS outages were a lot more common (just have your favourite sites commented out in the file, if you think the DNS is screwed go and uncomment it and try again). We'll probably even see custom host files with a bunch of pre-configured warez sites for real ease of use - which in a way will be worse because it might alert people to sites they never even knew existed...

    32. Re:Idiots by bzipitidoo · · Score: 1

      Don't say such things so glibly. It's not as easy as you imply. Lots of reasons why.

      What of all the innocents who will be harmed by mistaken removals? The systems that will be made less reliable and trustworthy, and the collateral damage that will cause? You think screwing up a public good is a trivial matter? And then to contemplate such a thing for an idea we already know will not work!

      Sometimes you can't tell whether it is a case of piracy. The link could be misnamed, broken, out of date. The material could be a parody. Or out of copyright. Or is legitimate because the rights holders gave permission.

      And if it really is pirated content? It can't be just removed from the Internet. Copies could be everywhere, encrypted, under different names. Removing links is just security through obscurity. Shouldn't even ask that of us. That's like removing the phone numbers of sex offenders from phone books.

      --
      Intellectual Property is a monopolistic, selfish, and defective concept. It is "tyranny over the mind of man"
    33. Re:Idiots by perryizgr8 · · Score: 1

      naah, i think it would be a sad day for humanity when i wouldn't be able to download an mp3 of any song i like, for free. also, movies and games.

      --
      Wealth is the gift that keeps on giving.
    34. Re:Idiots by perryizgr8 · · Score: 1

      google public dns.

      --
      Wealth is the gift that keeps on giving.
    35. Re:Idiots by perryizgr8 · · Score: 1

      My nieces and nephews all got MacBooks issued to them from their school. Just like the ones in that webcam scandal. So the school had a firewall installed that was supposed to block inappropriate sites. It was amazing how fast people, who had never owned a computer before, learned how to use a proxy, and learned to put that s on the end of https because apparently the firewall didn't filter sites using ssl. And one of the first things they learned was electrical tape defeats the webcam.

      why not just uninstall the firewall? why do all this circumvention stuff?

      --
      Wealth is the gift that keeps on giving.
    36. Re:Idiots by fuzzyfuzzyfungus · · Score: 1

      My suspicion is that any one DNS server will be increasingly unlikely to provide 'unhampered access to the internet' (to the degree that there even remains a 'the internet' as opposed to great-firewall-of-$COUNTRY-ed intranets with limited commercial interconnects...); but that an ugly hack will continue to work fairly well:

      Different countries flip out about different aspects of the internet. As long as each national blocking scheme (or major ISP implementation) has a predictable response to a DNS query for a forbidden domain (i.e. a false NXDOMAIN or a redirect to some scary ICE page) your local DNS proxy can query multiple servers, in multiple jurisdictions that care about different things, and then return to local clients the cream of the results. Brutally ugly, won't help DNS latency at all, makes baby Vixie cry, etc; but its results should be fairly close to a 'real' picture of the internet, so long as the enforcement priorities of the world's states don't overlap too much.

      Ultimately, the bigger threat is probably the fact that (barring assorted hackery that raises the difficulty level a fair bit and requires cooperation at both ends) DNS traffic isn't exactly rocket surgery to identify and either terminate or rewrite in flight. Just modifying the DNS server is the cheap and easy way, and gets it done much of the time; but if your ISP modifies their DNS server and then starts blocking DNS traffic from your IP that isn't going to your assigned nameserver, Have A Nice Day... Pending DNSSEC, any ISP willing to spend the cash could also just rewrite the DNS responses on their way back to you. That is hardly impossible to get around (SSH tunnel would do it in about a second, if you have suitable access to a host not suffering under such a policy, albeit at the cost of being a bit 'un-consumer' looking of you. If you needed to be stealthy, you could do something absolutely horrible like use an SSLed webapp, with your local DNS proxy issuing lookups encapsulated in xmlhttprequests, and the server doing the lookups, and then sending the results back down. Architecturally gross; but it'd be indistinguishable from a zillion stupid-but-legitimate 'web2.0' interfaces as far as your ISP is concerned...)
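The cross-resolver comparison described in the comment above, turned around for monitoring: an added example (not part of the original thread) that parses raw DNS responses and flags resolvers whose answer is a false NXDOMAIN or a redirect. The resolver labels, the name `blocked.example`, all addresses (RFC 5737 documentation ranges) and the block-page address set are constructed or assumed inputs.

```python
"""Compare DNS answers for one name across resolvers and flag divergent ones."""
import socket
import struct
from collections import Counter

NOERROR, NXDOMAIN = 0, 3


def encode_name(name):
    """Encode a domain name as length-prefixed labels (RFC 1035 section 3.1)."""
    return b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split(".")) + b"\x00"


def build_response(name, rcode, addrs):
    """Build a minimal DNS response; used only to construct the sample data."""
    flags = 0x8180 | rcode  # QR=1, RD=1, RA=1, plus the response code
    msg = struct.pack("!HHHHHH", 0x1234, flags, 1, len(addrs), 0, 0)
    msg += encode_name(name) + struct.pack("!HH", 1, 1)  # question: type A, class IN
    for addr in addrs:
        # 0xC00C is a compression pointer back to the question name at offset 12
        msg += struct.pack("!HHHIH", 0xC00C, 1, 1, 300, 4) + socket.inet_aton(addr)
    return msg


def skip_name(msg, off):
    """Return the offset just past the (possibly compressed) name at off."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        if length == 0:
            return off + 1
        off += 1 + length


def parse_response(msg):
    """Return (rcode, sorted list of A-record addresses) from a DNS response."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    _id, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("not a response")
    addrs = []
    try:
        off = 12
        for _ in range(qdcount):
            off = skip_name(msg, off) + 4  # skip QTYPE and QCLASS
        for _ in range(ancount):
            off = skip_name(msg, off)
            rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            rdata = msg[off:off + rdlen]
            if len(rdata) != rdlen:
                raise ValueError("truncated record data")
            if rtype == 1 and rclass == 1 and rdlen == 4:  # A record, class IN
                addrs.append(socket.inet_ntoa(rdata))
            off += rdlen
    except (IndexError, struct.error) as exc:
        raise ValueError("malformed DNS response") from exc
    return flags & 0x000F, sorted(addrs)


def classify(responses, block_page_ips):
    """Label each resolver's answer relative to the majority answer.

    responses: {resolver_label: raw DNS response bytes}
    block_page_ips: addresses known to serve a notice page (assumed input).
    """
    parsed = {r: parse_response(m) for r, m in responses.items()}
    # Answers pointing at a known block page never count toward the majority.
    votes = Counter((rc, tuple(a)) for rc, a in parsed.values()
                    if not set(a) & block_page_ips)
    majority = votes.most_common(1)[0][0] if votes else None
    verdicts = {}
    for resolver, (rcode, addrs) in parsed.items():
        if set(addrs) & block_page_ips:
            verdicts[resolver] = "redirected-to-block-page"
        elif (rcode, tuple(addrs)) == majority:
            verdicts[resolver] = "consistent"
        elif rcode == NXDOMAIN and majority[0] == NOERROR:
            verdicts[resolver] = "nxdomain-while-others-resolve"
        else:
            verdicts[resolver] = "divergent"
    return verdicts


# Constructed sample: four resolvers answering the same query.
SAMPLE = {
    "resolver-a": build_response("blocked.example", NOERROR, ["192.0.2.10"]),
    "resolver-b": build_response("blocked.example", NOERROR, ["192.0.2.10"]),
    "resolver-c": build_response("blocked.example", NXDOMAIN, []),
    "resolver-d": build_response("blocked.example", NOERROR, ["198.51.100.7"]),
}
BLOCK_PAGE_IPS = {"198.51.100.7"}  # assumed, operator-supplied


def demo():
    return classify(SAMPLE, BLOCK_PAGE_IPS)


if __name__ == "__main__":
    for resolver, verdict in sorted(demo().items()):
        print(resolver, verdict)
```

A "divergent" verdict is only a lead: CDNs legitimately hand out different addresses per region, and a majority vote is wrong when most of the sampled resolvers are filtered.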

    37. Re:Idiots by LocalH · · Score: 1

      Because there's probably some terms in the code of conduct stating that the student can be punished for modifying such "security" features. Using proxies and https isn't "modifying" the firewall like removing it would.

      --
      FC Closer
    38. Re:Idiots by GameboyRMH · · Score: 1

      black search engine:

      http://yacy.de/

      I just made some changes to my home server over the weekend to prepare it for becoming a YaCY peer.

      --
      "When information is power, privacy is freedom" - Jah-Wren Ryel
    39. Re:Idiots by dwandy · · Score: 1

      They don't care if they knock out 10,000 sites like my own.

      ...and you're not even collateral damage -- you're a target.
      The only safety is to give your music over to the MAFIAA; their sites alone are authorised to have music ...

      --
      If you think imaginary property and real property are the same, when does your house become public domain?
    40. Re:Idiots by perryizgr8 · · Score: 1

      that is fucked up. when my uni gave me a laptop, it's just like a laptop you bought yourself, just that we got nice ms office pro for (almost) free.

      --
      Wealth is the gift that keeps on giving.
    41. Re:Idiots by phorm · · Score: 1

      "does anybody know how to jailbreak an iPhone"

      So what will happen, is that the new laws will make asking on facebook about how to "circumvent protection" or "access illicit material" just as illegal as linking...

    42. Re:Idiots by itsenrique · · Score: 1

      If they can't access their TPB they'll see the need.

    43. Re:Idiots by anyGould · · Score: 1

      You present removal of links to pirated material as a negative thing. Why? it would be quite good to actually remove any pirated material from the internet.

      This is true in theory; so is "it would be quite good to remove all criminals from the streets" or "it would be quite good if none of us had to work". Sounds great on paper, but the implementation will be troublesome.

    44. Re:Idiots by anyGould · · Score: 1

      Say rather that the users who are interested will quickly learn.

      There will be simple one-click apps to do it for the rest. And shortly after, Trojans masquerading as such.

      Barring that, people will start handing out IP numbers directly. It's worked for phone numbers (ip4 is 12 digits in convenient groupings; I have to dial 10 digits today to call anyone.)

    45. Re:Idiots by black3d · · Score: 1

      No, I don't think I did present that. What I presented was all the collateral damage that causes at no cost to the MPAA but at huge cost to the infrastructure of the internet.

      --
      "The true measure of a person is how they act when they know they won't get caught." - DSRilk
    46. Re:Idiots by snadrus · · Score: 1

      The Internet is about search for most users. No Internet Search== No business incoming investment in the country for vastly many fields.

      --
      Science & open-source build trust from peer review. Learn systems you can trust.
  5. What an opportunity! by Anonymous Coward · · Score: 0

    A statement by the MPAA disputes these claims, arguing that typical users lack the expertise to select a different DNS server

    I'm going to get rich, starting now to create an innovative program named "DNS-server-changer". Everybody will buy it, I can patent-troll IBM and Microsoft and I also get money from Anonymous to redirect everybody through their network.

  6. typical users by Joce640k · · Score: 2

    Experts: "they can still access non-filtered DNS servers or directly enter the blocked site's IP address if it is known"

    MPAA: "typical users lack the expertise to select a different DNS server"

    Dear MPAA,

    What about the other half of the expert's statement? Typical users are perfectly capable of typing in four numbers with periods between them. Web links and bookmarks can be IP addresses. etc.

    --
    No sig today...
  7. Kay Bailey Hutchison defends PROTECT-IP by paulsnx2 · · Score: 5, Informative

    I sent my senator a short message detailing many of these concerns about the PROTECT-IP bill. You might be interested in her response.... WARNING: Don't read any further if you still have hope that senators can understand and address technology issues....

    Dear Friend:
    Thank you for contacting me regarding the Federal Communications Commission's actions relating to the openness of the Internet. I welcome your thoughts and comments.

    The Internet is a valuable tool that facilitates business, education, and recreation for millions of Americans. In 2009, an estimated 198 million Americans had access to the Internet. I am committed to ensuring that consumers continue to benefit from the Internet as an open platform for innovation and commerce.

    Instrumental to the success of the Internet is the long-standing policy of keeping the Internet as free as possible from burdensome government regulations. Increased investment in upgrading and expanding America’s communications infrastructure, and, in particular, new broadband networks, will ensure that all Americans have access to affordable high-speed Internet. However, in my judgment, intensified regulation of the Internet, such as government-mandated treatment of data, would stifle competition and would decrease the incentive for network operators to invest in critical infrastructure.

    The case for additional broadband regulatory authority, or “net neutrality,” has not effectively been made. Broadband investment began to truly flourish when the Federal Communications Commission (FCC) made a decision in 2002 to remove advanced communications technologies from the antiquated common carrier regulatory framework. However, advocates of a larger regulatory footprint have continued to call for net neutrality since 2006.

    Unfortunately, the FCC chose to respond by beginning a new proceeding that would reverse the 2002 decision to treat advanced communications services with a "light touch" regulatory approach. On December 21, 2010, by a 3-2 vote, the FCC adopted new rules meant to impose a net neutrality regime on broadband services. I believe these new regulations represent an unprecedented power grab by the Commission to claim regulatory jurisdiction without Congressional authority. This FCC action threatens investment and innovation in broadband systems, places valuable American jobs at risk, and may subject communications companies to new legal liability in the management of their networks.

    In response to the FCC's heavy-handed order, I intend to explore every option available to me to keep the Internet free from such burdensome regulations, including introducing a resolution of disapproval in an effort to repeal the new rules. As the Ranking Member of the Senate Commerce, Science, and Transportation Committee, which has jurisdiction over the FCC, I will continue to work to prohibit further net neutrality-based regulations.

    I appreciate hearing from you, and I hope that you will not hesitate to contact me on any issue that is important to you.

    Sincerely,
    Kay Bailey Hutchison
    United States Senator

    284 Russell Senate Office Building
    Washington, DC 20510
    202-224-5922 (tel)
    202-224-0776 (fax)
    http://hutchison.senate.gov/

    PLEASE DO NOT REPLY to this message as this mailbox is only for the delivery of outbound messages, and is not monitored for replies. Due to the volume of mail Senator Hutchison receives, she requests that all email messages be sent through the contact form found on her website at http://hutchison.senate.gov/?p=email_kay .

    If you would like more information about issues pending before the Senate, please visit the S

    1. Re:Kay Bailey Hutchison defends PROTECT-IP by ilumits · · Score: 2

      I think she sent you the wrong form response. What's amusing is that if she's against government regulation of the Internet, then undoubtedly she should oppose the PROTECT-IP Bill.

      I'm guessing that's not the case.

    2. Re:Kay Bailey Hutchison defends PROTECT-IP by rrohbeck · · Score: 3, Informative

      I think she wouldn't know the difference and this is the form response to any complaint about the tubes.

    3. Re:Kay Bailey Hutchison defends PROTECT-IP by Anonymous Coward · · Score: 1

      For the record, I emailed Dianne Feinstein (D-CA) and she's in support of the bill. She's in the "we need to strengthen copyright to protect creators" camp. Sad...

    4. Re:Kay Bailey Hutchison defends PROTECT-IP by Anonymous Coward · · Score: 0

      I have always been amused at how opponents of net neutrality have the idea of it all wrong. They think that a law that prohibits laws from regulating and controlling the internet by special interests and corporate lapdogs is somehow 'controlling and stifling' and then propose laws that do exactly that under the claims of 'keeping the internet free and unregulated'. In the words of Inigo Montoya, 'You keep using that word. I do not think it means what you think it means.'

      Net neutrality is like putting a Bouncer outside a nightclub. His job is to make sure the club stays safe and enjoyable, but doesn't actually know or care what is going on or who is doing or saying what inside the club until he's called to do his job. Otherwise, he keeps his meat hooks off the club. It works by the patrons knowing there is someone out there who will step in when things truly get out of hand but isn't constantly making sure your dance steps are exactly correct or that you drink exactly the amount of liquor prescribed by law and that you only dance with officially provided partners.

      Opponents of Net Neutrality are like locking a henhouse with a paperclip, allowing anyone and everyone with a big enough stick to come in and guard the henhouse, hoping that the very idea of such flimsy and useless locks and fear of the big stick will somehow stop the fox, and acting surprised when the foxes get at the hens. This only works as long as the fox remains ignorant of the huge gaping holes in the sides of the henhouse.

    5. Re:Kay Bailey Hutchison defends PROTECT-IP by DigiShaman · · Score: 1, Insightful

      She's a Democrat from California. Did you really anything different from her?

      --
      Life is not for the lazy.
    6. Re:Kay Bailey Hutchison defends PROTECT-IP by Anonymous Coward · · Score: 1

      We (the rest of the world) really don't care. We already do not use backup services or cloud services based in the US because of your government. There are lots of alternatives. Soon we won't use DNS with US based roots.

      At some point only US citizens will be hampered, held back, and harassed by their funny little leaders and their funny little laws.

    7. Re:Kay Bailey Hutchison defends PROTECT-IP by Anonymous Coward · · Score: 0

      Your second sentence a verb missing.

    8. Re:Kay Bailey Hutchison defends PROTECT-IP by Anonymous Coward · · Score: 0

      Understanding of what is at stake: FAIL
      Understanding of the terms: FAIL
      Understanding of the bill: FAIL
      Understanding of which side means what: FAIL
      And this is probably even more worrying than corrupt politicians, the politicians on 'our side' not knowing what they're trying to defend.
      At least she didn't say it was a bunch of tubes...
      On a side note about the main post, they're right, most internet users wouldn't know how to get around it, but it would only take a handful to figure out a way around the block or to make an add-on to do so automatically, then for it to be reposted to anybody who wants to know.

    9. Re:Kay Bailey Hutchison defends PROTECT-IP by kent_eh · · Score: 1

      We (the rest of the world) really don't care. We already do not use backup services or cloud services based in the US because of your government. There are lots of alternatives. Soon we won't use DNS with US based roots. At some point only US citizens will be hampered, held back, and harassed by their funny little leaders and their funny little laws.

      Unfortunately, some of our politicians (Like the current Canadian Prime Minister) seem to think that we will be a so much better country if we simply do every stupid thing that the American government has already done, no matter if it actually worked. "it's an American idea, it has to be good for us".
      I fear the next 4 years.

      --

      ---
      "I can't complain, but sometimes still do..." Joe Walsh
    10. Re:Kay Bailey Hutchison defends PROTECT-IP by Anonymous Coward · · Score: 0

      Your "rest of the world" should have an asterisk to indicate that it excludes places like China, Australia and the growing list of countries that are implementing filtering policies like this. While I fully realize that, as an American, my country is usually a global leader in idiotic policies, blazing a trail in the wrong direction to show the rest of the world the error of their wisdom, but in this case we're following a well-trodden path.

    11. Re:Kay Bailey Hutchison defends PROTECT-IP by Anonymous Coward · · Score: 0

      It's far more likely that her "administrative assistant" (who was probably ridiculously hung over from drinking alone the night before, which is now most likely a habit formed to combat the insecurity and hopelessness felt on a daily basis from working for a very driven although very stupid woman on the Hill) picked the wrong canned response out of a list of 329 other ones.

      It's the small things that let you know they care.

    12. Re:Kay Bailey Hutchison defends PROTECT-IP by Anonymous Coward · · Score: 0

      Or perhaps the senators are trolling you better.

    13. Re:Kay Bailey Hutchison defends PROTECT-IP by Hal_Porter · · Score: 1

      Your post a verb missing.

      --
      echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
    14. Re:Kay Bailey Hutchison defends PROTECT-IP by Opportunist · · Score: 2

      Dear Senator, thank you for your reply.

      It certainly affirmed my hunch that you don't have a clue what you're talking about or trying to regulate. In case you didn't notice, PROTECT-IP doesn't have anything to do with net neutrality. My guess is that your henchman just saw "oh, teh intarnets" and sent out the matching form letter, neither understanding what was said nor understanding what he or she sent as a reply. I suggest firing him or her and using a program as replacement that checks for certain catchwords and -phrases and sends back the matching form letter.

      But probably you are way ahead of me in this matter and that's already what I got. Impersonal "shut up, voting drone, and serve your queen bee" drivel, spewed out by a form script engine. At least I hope so. If this was actually written by you, I guess we should fire you and replace you with a small script.

      It would be so much cheaper for the country and so much better for the economy you seem to care so much about.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    15. Re:Kay Bailey Hutchison defends PROTECT-IP by thomst · · Score: 2

      I sent my senator a short message detailing many of these concerns about the PROTECT-IP bill. You might be interested in her response.... WARNING: Don't read any further if you still have hope that senators can understand and address technology issues....

      First of all, let me extend to you my deepest sympathies on your unfortunate status as a Texan. We're all hoping for your speedy recovery from this tragedy.

      Secondly: "Kay Bailey Hutchison" is all you need to read to know that your carefully-phrased attempt at intelligent communication with your elected Senator was a thoroughgoing waste of time and effort. Texas Republican, former governor, and "honest politician" (i.e. - she stays bought).

      Of course, it could have been worse ... you could have tried to reason with Michele Bachmann, instead.

      --
      Check out my novel.
    16. Re:Kay Bailey Hutchison defends PROTECT-IP by perryizgr8 · · Score: 1

      wtf did she even say? where did net-neutrality come in? how does net-neutrality represent a 'power grab' by the fcc? doesn't neutrality mean no person/agency has power on the internet? and what about the topic at hand?

      --
      Wealth is the gift that keeps on giving.
  8. In summary: by fuzzyfuzzyfungus · · Score: 3, Insightful

    Laundry list of distinguished security researchers: "This is a terrible plan, it won't achieve what you want, and it will set back the state of internet security quite dangerously."

    MPAA Flack: "Shut up, nerd, the health and security of the internet is not even a secondary objective here."

    1. Re:In summary: by Daniel+Dvorkin · · Score: 3, Informative

      Yep. And here's what the powers-that-be will hear:

      Laundry list of distinguished security researchers: "Blah blah nerd stuff neep neep neep."

      MPAA Flack: "We wear suits. And we have money. By the way, Senator, how's that third vacation home working out for you?"

      --
      The correlation between ignorance of statistics and using "correlation is not causation" as an argument is close to 1.
    2. Re:In summary: by slashqwerty · · Score: 1

      While the researchers make some good points from a technical perspective there really are more fundamental issues with PROTECT-IP. The proposed law would grant the government power to selectively censor websites without due process. Those are some pretty basic violations of the constitution and a huge threat to freedom of speech. And the reality is, the government is already doing this without the PROTECT-IP act.

    3. Re:In summary: by Kotiya · · Score: 1

      I could not agree more with you. This is the more worrisome part of this whole thing. First censorship without due process for websites--how far could similar attacks go on other aspects of society? Once it is deemed lawful for suspected websites, it can be lawful for other "inconveniences" once it's phrased and lobbied properly. This isn't the kind of lawmaking that should be allowed to start in the first place.

      Something that particularly irks me is that our government is pretty much deciding for us that the profits of a single NON-ESSENTIAL industry are far more important than for an entire NATION (--world?) to exercise basic constitutional rights (though this is pretty standard government policy by now). Under this act, any content may be censored whether or not it is actually infringing copyright, and they don't even get to defend themselves. Are movies and TV shows really THAT important for Americans? We're just going to Sharpie over whole lines in the Bill of Rights for f*cking Twilight? If so, then we deserve to stay on our current road to third world oppressed obscurity.

      If people realized AND cared enough, they should just not even watch these programs anymore, at all. They're essentially paying a private industry to whittle away their rights, even if it seems like a pointless little thing now. I personally can't even enjoy movies anymore, knowing what disgusting, appalling legislature I've financially contributed to.

  9. Hollywood demands by Voline · · Score: 1

    that we break the internet. Get to it!

  10. Lawless wild west by Datamonstar · · Score: 2

    Yes! Once they get trains going over 50 MPH on the wild frontier of the Information Superhighway tubes then you have all sorts of stuff going on, like women's uteri being ripped right out of em. We can't have that. It's the internet and we need porn on it. For that we need women with intact uteri.

    --
    The eternal struggle of good vs. evil begins within one's self.
    1. Re:Lawless wild west by Anonymous Coward · · Score: 0

      Apparently we're watching two very different types of porn.

    2. Re:Lawless wild west by Opportunist · · Score: 1

      There's some joke in there where I should call you a fag, but I guess in the name of good taste I'll refrain from making it.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  11. "Typical Users" Learn.. by goruka · · Score: 1

    Downloading a torrent client is not much more difficult than downloading a small app or browser extension that sets up alternate DNS lookups.
    "Typical Users" can learn..

  12. ISP Blocking? by AlphaWolf_HK · · Score: 3, Insightful

    Interesting that they mention ISPs would block your ability to use other DNS servers. I don't think that, in the end, there is really anything the ISP could do to completely stop you. The worst they could do is block UDP port 53, but that wouldn't stop you from using any kind of tunneling software, especially if you did that tunneling over a secure socket.

    --
    Careful with names containing L slashdot.org/~AiphaWolf_HK slashdot.org/~AlphaWoif_HK slashdot.org/~AiphaWoif_HK
    1. Re:ISP Blocking? by yeshuawatso · · Score: 1

      What's really sad is that as of right now, you couldn't get more than 20% of all Facebook users to understand what secure tunneling is, so those that do understand it will just make it a one-click-fix for the other 80%, bypassing all of the ISPs' hard work.

      Really it reminds me of Sony and the PS3 all over again. Most of Sony's PS3 gamers don't know the ins and outs of security hacking, yet Sony managed to piss off that 1% of users that do and open the flood gates for another 20% to follow a video tutorial on YouTube.

      When will these giant corporations learn that you can't take a sledge hammer to a pin and think you're going to accomplish something. If you want piracy to drop, make your content more easily accessible. I'm guilty of using a torrent to download a TV episode or two, but only after I can't "one click to buy it" on Amazon or iTunes. $1.99 for 21-45 minutes of entertainment isn't going to break me, I'm just tired of paying $100+/month for access to that 21-45 minutes a week I want because the providers are too stubborn to put the damn content online where I can easily purchase it without having 20+ accounts at 20+ different websites.

    2. Re:ISP Blocking? by Anonymous Coward · · Score: 0

      No, they could rewrite the replies for all flows whose UDP packets start with a payload of 2 random bytes proceeded by 01 00 00 01 00 00 00 00 00 00, regardless of destination address. It is trivial these days with off the shelf equipment because you are basically doing boolean logic on a stream with fixed offsets.

      A lawyer can argue that this is not looking at the data (which would be the actual DNS lookup) but just the protocol or addressing information.

      Eventually even with a secure socket, you won't be able to reach an unfiltered DNS server (unless the socket is to the actual name server) as most of the infrastructure is owned by big telco...

      And, would you trust this alternate DNS provider? I recall back in the 90's an adware provider that gave you access to the unofficial .kids, .xxx and other TLDs.

      Furthermore, circumventing makes things easier for govt. because they only have to pay attention to traffic to known name resolution providers to know who to add to a watch list.

      They don't even need to look at the contents of your packets - they just need to look at the routing to know the connection is used for deliberately (now you are going out of your way) accessing the content of concern, at which point they can obtain a warrant, replace/use the firmware on your router, get the MAC address used to obtain the content, and drive up a truck that will triangulate the wifi source signal to the person in front of the computer (or follow the cable if it's hard wired).

      The problem with standard protocols is they seem to follow protocol very well. So predictable.
      The problem with people is they don't understand everything they think they do and believe they have the freedom to do whatever they want. On both sides.

      In related news, I am selling tin-foil hats.
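
The fixed-offset match described in the comment above, as an added example that is not part of the original post: the ten bytes are the DNS header's flags and section counts (recursion desired, one question, no other records), and the code compares that exact byte match with a structural parse of the header and question. The sample packets, the function names and the `example.com` name are constructed for illustration.

```python
import struct
from dataclasses import dataclass

# Bytes 2..11 of the UDP payload, exactly as quoted in the comment.
FIXED_PATTERN = bytes.fromhex("01000001000000000000")


@dataclass
class DnsHeader:
    txid: int      # the "2 random bytes"
    qr: int        # 0 = query, 1 = response
    opcode: int    # 0 = standard query
    rd: int        # recursion desired
    qdcount: int
    ancount: int
    nscount: int
    arcount: int


def parse_header(payload: bytes) -> DnsHeader:
    """Decode the 12-byte DNS header (RFC 1035, section 4.1.1)."""
    if len(payload) < 12:
        raise ValueError("shorter than a DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!6H", payload[:12])
    return DnsHeader(txid, flags >> 15, (flags >> 11) & 0xF,
                     (flags >> 8) & 1, qd, an, ns, ar)


def parse_question(payload: bytes):
    """Return (name, qtype, qclass, end_offset) for the first question."""
    pos, labels = 12, []
    while True:
        if pos >= len(payload):
            raise ValueError("truncated name")
        length = payload[pos]
        pos += 1
        if length == 0:
            break
        if length > 63:  # compression pointers are treated as malformed here
            raise ValueError("bad label length")
        label = payload[pos:pos + length]
        if len(label) != length:
            raise ValueError("truncated label")
        labels.append(label.decode("ascii", "replace"))
        pos += length
    if sum(len(l) + 1 for l in labels) + 1 > 255:
        raise ValueError("name too long")
    if pos + 4 > len(payload):
        raise ValueError("missing QTYPE/QCLASS")
    qtype, qclass = struct.unpack("!2H", payload[pos:pos + 4])
    return ".".join(labels), qtype, qclass, pos + 4


def matches_fixed_pattern(payload: bytes) -> bool:
    """The boolean test on fixed offsets that the comment describes."""
    return payload[2:12] == FIXED_PATTERN


def looks_like_dns_query(payload: bytes) -> bool:
    """Structural test: a standard query whose question section parses."""
    try:
        h = parse_header(payload)
        if h.qr != 0 or h.opcode != 0 or h.qdcount != 1 or h.ancount != 0:
            return False
        parse_question(payload)
        return True
    except ValueError:
        return False


def build_query(name: str, txid: int, flags: int = 0x0100, edns: bool = False) -> bytes:
    """Constructed sample input: an A query, optionally with an EDNS0 OPT record."""
    header = struct.pack("!6H", txid, flags, 1, 0, 0, 1 if edns else 0)
    qname = b"".join(bytes([len(p)]) + p.encode("ascii")
                     for p in name.split(".")) + b"\x00"
    packet = header + qname + struct.pack("!2H", 1, 1)  # QTYPE=A, QCLASS=IN
    if edns:
        # OPT pseudo-record (RFC 6891): root name, TYPE=41, UDP size 1232, TTL=0, RDLEN=0
        packet += b"\x00" + struct.pack("!HHIH", 41, 1232, 0, 0)
    return packet


# Constructed samples, not captured traffic.
SAMPLES = {
    "plain query": build_query("example.com", 0x1A2B),
    "EDNS0 query": build_query("example.com", 0x3C4D, edns=True),
    "RD clear": build_query("example.com", 0x5E6F, flags=0x0000),
    "not DNS": b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n",
}


def classify_all():
    """Map each sample label to (fixed-pattern match, structural match)."""
    return {label: (matches_fixed_pattern(p), looks_like_dns_query(p))
            for label, p in SAMPLES.items()}


if __name__ == "__main__":
    for label, (fixed, structural) in classify_all().items():
        print(f"{label:12s} fixed={fixed!s:5s} structural={structural}")
```

The exact byte match only recognises queries with RD set and an empty additional section; a query carrying an EDNS0 OPT record has ARCOUNT=1 and falls outside it, while the structural parse still classifies it as DNS.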

    3. Re:ISP Blocking? by Opportunist · · Score: 1

      And this is exactly why there is little, if anything, one can do about this problem. All it takes is ONE person who knows how to bypass, crack, circumvent or otherwise nullify tools and schemes of protection, blocking or other meant to keep users from doing what they want. Outlawing creation or use of such tools is not going to change much either besides making everyone a criminal. Who in turn will then just care less about legality because when you broke one law, why bother with the rest? If you already broke the law when you used a tool to bypass a blocking filter, why care about copyright altogether? Even if you used the tool for other reasons than trying to access content against the terms of usage.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  13. Abolish Freedom. Endorse Tyranny. Embrace Slavery. by Anonymous Coward · · Score: 0

    That is your future. Face it. The global tyranny will prevail.

  14. lack expertise? by arbiter1 · · Score: 1

    "A statement by the MPAA disputes these claims, arguing that typical users lack the expertise to select a different DNS server and that the Internet must not be allowed to 'decay into a lawless Wild West.'" If you type in Google, for example, "how to change dns servers", how many tutorials will come back with exactly how to change them? Just because some people are not the smartest people in the world with a computer, there is always an article or tutorial out there written in the "how to for dummies" way.

    1. Re:lack expertise? by reiisi · · Score: 1

      And, of course, the skripped quiddees will be passing around "applications" to do that with "just the press of a button".

      --
      Computer memory is just fancy paper, CPUs just fancy pens with fancy erasers; the 'net is just a fancy backyard fence.
    2. Re:lack expertise? by Anonymous Coward · · Score: 0

      "A statement by the MPAA disputes these claims, arguing that typical users lack the expertise to select a different DNS server and that the Internet must not be allowed to 'decay into a lawless Wild West."

      if you type in google for example "how to change dns servers" how many tutorials will come back with exactly How to change them? .

      Note- Devil's Advocate time, I'm not in support of the Thugs.

      MPAA reply:
      "This is exactly the type of lawless behavior this law will address. Sites like Google will be required to filter and strip phrases such as 'how to change DNS' from results, much like they already do for child porn which we all know is a slightly lesser evil than copyright violation. ISPs will of course be required to block the DNS of such 'hacking' sites which promote Sin and Lawlessness by posting information on how to alter DNS settings."

    3. Re:lack expertise? by Anonymous Coward · · Score: 0

      When the whole issue of DNS blocks arose in Germany - along with the same bogus arguments of censorship-proponents - people started posting tutorials left and right. 30-60 second how-to videos were quite popular as they demonstrated how ridiculously easy the process is. AFAIR even a German politician who opposed filtering made one of those.

      Of course these tutorials also included a list of non-ISP DNS servers that wouldn't be filtered.

    4. Re:lack expertise? by Opportunist · · Score: 1

      Uh... sir, the ISPs are complaining that they are drowning in calls from users that can't reach any video service or message board anymore.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  15. 8 year olds now know how to set Alt. DNS by Anonymous Coward · · Score: 0

    Dear **AA,
    I have taught my children how to change to an alternate DNS server.
    Game over.
    Sincerely,
    Think of the Children

  16. direct IP addresses by reiisi · · Score: 2

    No, their use is not particularly harder to track.

    --
    Computer memory is just fancy paper, CPUs just fancy pens with fancy erasers; the 'net is just a fancy backyard fence.
  17. Geez, we are so underestimated..even the non-geeks by Anonymous Coward · · Score: 0

    Typical users also lack the knowledge to un-check the default "use [firewall company]'s secure DNS servers" from the install that their son or other relation e-mailed them.

    CASE AND POINT

    Typical

    73 KJ4IPS CL

  18. Dumb fucks by Legion303 · · Score: 1

    "A statement by the MPAA disputes these claims, arguing that typical users lack the expertise to select a different DNS server"

    I would argue that any user who lacks the expertise to change DNS servers also lacks the expertise to configure an FTP or torrent client. I would also argue that the MPAA is full of inbred morons.

    1. Re:Dumb fucks by wvmarle · · Score: 1

      Of course they can configure it, if they know what it is to begin with.

      DNS is pretty deep down in the Internet configuration, not something the general user should have to deal with. Bittorrent is so commonplace these days that most users at least know about bittorrent, and many may even actively use it. Now of course if a law like this gets implemented then that may change very quickly.

    2. Re:Dumb fucks by Opportunist · · Score: 1

      Well, there's a saying in my language: Devil thinks as he is. Meaning, everyone thinks that everyone has the same level of knowledge that he himself does.

      Tells you something about what the MPAA droids know about the internet. Maybe we should send them a plunger. Ya know, just in case their tubes get clogged.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    3. Re:Dumb fucks by Opportunist · · Score: 1

      You think it would be an impossible feat for the average computer user to type "how to change your name server" into Google?

      Let's assume it is. How hard do you think it would be for them to ask their ICQ friends or the discussion board they frequent how to do it? And that nobody there would have an answer?

      Ask anyone living in a country that is filtering how long it took even the most braindead user to find out how to bypass those filters and get back what they wanted to have.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    4. Re:Dumb fucks by wvmarle · · Score: 1

      The problem as I indicated is not as much that they do not know how to change it, but don't know what a DNS is to begin with. Then it becomes hard to search for settings.

    5. Re:Dumb fucks by Opportunist · · Score: 1

      As I pointed out elsewhere, they at least know 2 things:

      a) Something they want to does not work anymore.
      b) It used to work.

      So they will start to look for the problem. Of course, by themselves they won't get far, but they'll ask on the message board of their choice (which needn't even be some "filesharing" board but whatever discussion place they frequent, I could well see something pop up in the offtopic section of the board akin to "I have a strange problem lately, I cannot access X"). Someone who also uses this board will know at the very least what the problem is, and even if handing out informative pointers could somehow be outlawed, how do you want to outlaw informing someone that it's not a bug but working as intended? And it's only a small step from "Sorry, we have to block this site" to googling "how to circumvent block to reach $site".

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    6. Re:Dumb fucks by FoolishOwl · · Score: 1

      Deep down?

      ISPs usually explain how to set DNS in their initial setup instructions. The settings are easily accessible from the connection status indicator visible in any GUI on any OS. It's no more difficult than dialing a telephone. Anyone can do it in seconds.

    7. Re:Dumb fucks by vgerclover · · Score: 1

      Well, it would be pretty hard to find other ICQ users :)

    8. Re:Dumb fucks by anyGould · · Score: 1

      Heck, my wireless router has a drop-down list of public DNS on the same screen as the "what's your DNS" settings. Don't get much easier than a dropdown box.

  19. Maybe, possibly, we will finally by countertrolling · · Score: 1

    FORK DNS!

    I can't think of a better thing for the internet at large.. for now

    --
    For justice, we must go to Don Corleone
  20. Re:Abolish Freedom. Endorse Tyranny. Embrace Slave by c0lo · · Score: 1
    How "Freedom and liberty for all" looks like lately:

    Freedom - I may not agree with what you say, but I respect your right to be punished for it.

    Liberty - the price of freedom keeps going up, but the quality keeps deteriorating.

    --
    Questions raise, answers kill. Raise questions to stay alive.
  21. "Typical user" here... by Anonymous Coward · · Score: 0

    I just read /. for the articles. I swear! I have no clue what "Port Forwarding" really does or how it really works, but I can do it. The only reason why I care to know at all is to make my torrents run faster. Thank you, Google! Part of the process of doing this meant learning other crap non-typical user techies take for granted such as what an IP address is and how to use an IP number to access my router, and what a DNS server is and how to manually set one so that I can have a fixed IP that works with my ISP. If all you have to do to circumvent this is to manually set a different DNS server or enter a numerical IP address, that is not going to stop the "typical user" of BT at all! What do they think it is, 1999?

  22. Wrong, there are laws, and this breaks one of them by SuperKendall · · Score: 5, Interesting

    When was the Internet anything other than a "lawless wild west"?

    The internet is the wild west, but it is far from lawless... it just so happens that there are very few laws.

    One of those laws is the trustworthiness of DNS. The proposal at hand is actually one that makes the internet MORE lawless, not less, as DNS falls utterly as the (relatively) trustworthy backbone of the internet it has been until today.

    Who would knowingly point to a DNS server that might mislead them after this is passed? I sure wouldn't.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
  23. It pertains by SuperKendall · · Score: 1

    I think she sent you the wrong form response.

    Yes and no.

    Yes her staffer misread whatever his complaint was.

    But no, she did not send the wrong response. If PROTECT-IP does not pass, how better to advance the same cause than to add it as further regulation under the umbrella of net neutrality? Once you are mandating how an ISP run "Ze Tubes" it's a very short hop away indeed from telling them they also need to obey a blacklist of IP addresses to be provided by the government... indeed that's probably the other prong of a two-part attack, since PROTECT-IP is all about not being able to find something, whereas an IP blacklist would prevent you from visiting it even if you used an alternate DNS.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
  24. A new DNS system is urgent by Lord+Juan · · Score: 2

    A fork of the DNS system is something that I can't wait to see happening. I believe that the changes that ICANN is doing are precisely meant to obstruct the adoption of additional independent TLDs, and honestly if the DNS is not forked soon, attempting to do it later is going to create fragmentation and confusion, especially when ICANN sells some of the independent TLDs that belong to the alternative DNS systems nowadays. I am also, mmm, I'll go with angry, at the ICE taking away domains of companies that operate legally in their own countries (rojadirecta), and I simply don't think that ICANN or the US can be trusted anymore with the control of this vital component of Internet. The RIAA/MPAA have way so much control over the government, and the government has way so much control over ICANN, and ICANN has complete control of the DNS system.

  25. Precisely by Sycraft-fu · · Score: 3

    In particular, because these sorts of things would get asked about and talked about. People would learn "Just enter these numbers under DNS and stuff will work again," and they'd do it. Setting DNS servers is not complex, users can easily be taught how to do it, just nobody bothers because they needn't do so. DHCP hands them out and it makes sense to use the ones your ISP provides as they are usually the fastest for you. However it isn't some major technical feat to enter the numbers in the box. There would be sites out there listing unfiltered DNS servers and people would just copy and paste.

    1. Re:Precisely by DarkOx · · Score: 2

      1. That would work for like a week until some id10t in CONgress decides ISPs simply have to redirect all tcp/53 or udp/53 traffic to a compliant DNS server. Which will of course give rise to plenty of shareware/donationware DNS proxy applications that let you point your system nss library resolver at localhost, and then that app turns around and runs DNS on some other port, perhaps even with an SSL layer to thwart packet inspection.

      2. The other issue is DNSSEC. I don't agree with TFA that this prevents ppl from using DNSSEC. DNSSEC is record level authenticity and integrity. It's not system level. If I am molesting your DNS in a DNSSEC world, I can't tell you www.google.com points to 64.220.36.5 without your being able to see the signature is not correct. If I send you SERVFAIL though, you can't easily distinguish that from an adulterated record with most software in use. Even when you can, what do you do about it? Your local resolver should say SERVFAIL when the DNSSEC record is invalid, application stops; my DNS server refuses to tell you the address, application stops. Sure, you might know better and know that name's out there, but what can you do about it? Return to part 1?

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
    2. Re:Precisely by Anonymous Coward · · Score: 0

      Honestly I think you're making it too complex. Browsers and other programs could just come with a list of alternative DNS and fall back to them on either explicit request or for any DNS response they do not like.
      At least partially that kind of thing already exists to work around ISPs that redirect all lookups to non-existing domains to their own "search" page.

  26. Re:Wrong, there are laws, and this breaks one of t by wvmarle · · Score: 2, Insightful

    The vast majority of Internet users doesn't know their DNS, they probably don't even know what DNS is. They just open their browser (better known as "the Internet"), enter www.slashdot.org and expect to be able to read News for Nerds, Stuff that matters. Maybe not the best example but I bet you get the point.

    typical users lack the expertise to select a different DNS server

    is definitely a true statement.

  27. Wow. fucked up morons. by unity100 · · Score: 5, Informative

    A statement by the MPAA disputes these claims, arguing that typical users lack the expertise to select a different DNS server and that the Internet must not be allowed to 'decay into a lawless Wild West.

    dns filtering came to turkey 5 years ago.

    EVERYONE knows how to bypass it now. and i mean everyone who is using internet - the equivalent of the 'mom in idaho' knows how to bypass it. her son, relatives, someone from neighborhood comes and bypasses it for her. people learned what 'opendns' means here. the term 'proxy' has become an everyday term, even among the tech illiterate crowd. people ask about 'good proxy' to each other. (people learned about it when the courts started to ban i.p.s).

    so, random 'mom in turkey' is able to do that, but the organization that represents all movie producers in america shits about otherwise ?

    really. what kind of people are you letting run your country and corporations and corporations' lackey organizations ? idiots ? morons ? bastards ? i think the last one is more likely. (i am not able to bring myself to say ngo regarding mpaa after that kind of idiocy)

    1. Re:Wow. fucked up morons. by Zancarius · · Score: 1

      really. what kind of people are you letting run your country and corporations and corporations' lackey organizations ? idiots ? morons ? bastards ? i think the last one is more likely. (i am not able to bring myself to say ngo regarding mpaa after that kind of idiocy)

      Can I say "all of the above?"

      Actually, I can think of a few more colorful metaphors to describe the individuals in power here in the US, but they're highly inappropriate in mixed company. I'm also not so sure they'd adequately describe how I feel about our "leadership."

      --
      He who has no .plan has small finger. ~ Confucius on UNIX
    2. Re:Wow. fucked up morons. by Anonymous Coward · · Score: 0

      It's pretty much bastards all the way down. They'll say whatever thing they think will make them the most money in the short term. Ethics are a thing to joke about.

  28. Re:Wrong, there are laws, and this breaks one of t by Anonymous Coward · · Score: 2, Insightful

    the point is that will change in about 3 days across the USA if the USA tries this. It's not the first country to try DNS filtering, and perhaps despite what recent history might lead one to believe, americans aren't significantly more stupid than people in other countries, which nowadays routinely route around incompetent government/corporate attempts to censor the net.

  29. Re:Wrong, there are laws, and this breaks one of t by Anonymous Coward · · Score: 0

    Rule #1 of the Internet: Don't Break DNS.
    Rule #2 of the Internet: Don't Break DNS The Other Way.
    (Rule #3 of the Internet: Don't Break BGP - but that's not relevant here)

    There may be a few more, but those are the big ones that I can think of. Violating Rules #1 and #2 indicate that you either have no clue how the Internet works, or you know just enough to be dangerous. Either way, Don't Do That.

  30. Re:Wrong, there are laws, and this breaks one of t by c0lo · · Score: 1

    When was the Internet anything other than a "lawless wild west"?

    The internet is the wild west, but it is far from lawless... it just so happens that there are very few laws.

    One of those laws is the trustworthiness of DNS. The proposal at hand is actually one that makes the internet MORE lawless...

    Indeed. Funny thing, this requires judges and lawyers being woven into the fabric of internet - I don't like the idea.

    --
    Questions raise, answers kill. Raise questions to stay alive.
  31. Browser plug-in by Mr.+Underbridge · · Score: 1

    They won't even need to know what a DNS is. They'll just download the 'get your free music' extension for firefox. Which will, of course, require them to download a browser that isn't IE, but their nephew/sister/uncle/cool geek in their dorm knows how to do that stuff so it's OK.

    Sort of lowers the technical bar for circumventing this crap. It'll also move the fight from DNS to the browser level, which will be fuggin' awesome.

  32. Re:Wrong, there are laws, and this breaks one of t by c0lo · · Score: 3, Insightful

    typical users lack the expertise to select a different DNS server

    is definitely a true statement for the present.

    FTFY.

    And it is so just because the DNS infrastructure worked by very unsophisticated rules - good enough for everybody - unsophistication which allowed the rules to remain hidden. Break them and more people will start looking into how to mend them in their own way - one may not like some ways of mending.

    --
    Questions raise, answers kill. Raise questions to stay alive.
  33. Doesn't have to conflict with DNSSEC by kasperd · · Score: 2

    Technically it doesn't have to conflict with DNSSEC.

    First of all ISPs have to stop lying about the A record when you look up a filtered domain (Seems like an oversight if that practice is even legal). Instead they need to send an error response back to the user. I'd suggest a server error message (since "your government don't want you to see this" wasn't included as an error code when DNS was designed).

    What the client will do when getting this error is to use the DNS search path provided by the DHCP server along with the DNS server IP. Since the ISP controls the search path, they can ensure it is a domain under which they can provide valid DNSSEC protected domains. Then they make it so that every filtered domain exists as a subdomain under the DNS search path and other domains don't exist there.

    --

    Do you care about the security of your wireless mouse?
    1. Re:Doesn't have to conflict with DNSSEC by ace123 · · Score: 1

      Why aren't search paths disabled by default? They seem like a huge security hole. I don't want to be getting "google.com.mitm.comcast.net" when I type in "google.com".

      Search paths should be enabled explicitly, since I've only ever seen them legitimately used on corporate networks where they control all the computers anyway.

    2. Re:Doesn't have to conflict with DNSSEC by Anonymous Coward · · Score: 0

      They don't need to send an error response back to the user - they need to send the feds around to haul them off to jail!

    3. Re:Doesn't have to conflict with DNSSEC by aaaaaaargh! · · Score: 1

      Fine. But what if somebody in response to "Protect IP" builds a distributed anonymous DNS system on top of, say, Gnunet? Perhaps an implementation with a simple one-click installer? Heck, someone might even write a Firefox extension for it.

      Of course, I'm speaking hypothetically here, because the idea of creating a decentralized DNS system with one-click installation is so crazy and absurd that nobody would ever pursue it, right?

    4. Re:Doesn't have to conflict with DNSSEC by JesseMcDonald · · Score: 1

      What the client will do when getting this error is to use the DNS search path provided by the DHCP server along with the DNS server IP.

      The search path isn't used for fully-qualified domains (anything ending in ".", e.g. "example.com."), so the solution is simple: stop abusing relative domain references when the full domain is known. The browser can also help by always showing the full domain name returned by the resolver, and not just the portion entered by the user.

      It wouldn't hurt to make "server failed" messages more painful, either—for example, whenever a server reports an internal failure of that sort, the resolver could refuse to use it for the next five minutes or so (or until DNS is reconfigured). That should make any ISP reluctant to generate fake failure messages, without causing too much additional trouble when a server really fails.

      --
      "The state is that great fiction by which everyone tries to live at the expense of everyone else." - Bastiat
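The search-list behaviour discussed in the comments above, as an added example that is not part of any commenter's post. It is a simplified model of the `search`/`ndots` rules documented in resolv.conf(5) and sends no queries; the domain names, addresses and the helper names (`candidate_queries`, `resolve`, `was_rewritten`) are constructed for illustration.

```python
"""Order in which a stub resolver tries names when a DNS search list is set.

Simplified model of the resolv.conf(5) `search` and `ndots` rules.
All names and addresses below are constructed sample values.
"""


def candidate_queries(name, search, ndots=1):
    """Return the fully-qualified names a resolver would try, in order."""
    if name.endswith("."):
        # Absolute name (trailing dot): the search list is never applied.
        return [name]
    as_is = name + "."
    expanded = [f"{name}.{suffix.rstrip('.')}." for suffix in search]
    if name.count(".") >= ndots:
        # Enough dots: try the name as typed first, search list on failure.
        return [as_is] + expanded
    # Too few dots: search list first, the bare name last.
    return expanded + [as_is]


def resolve(name, search, answers, ndots=1):
    """Walk the candidates against a table of canned responses.

    `answers` maps FQDN -> address. A missing entry stands for a failed
    lookup (an error or NXDOMAIN), which moves on to the next candidate.
    """
    for fqdn in candidate_queries(name, search, ndots):
        if fqdn in answers:
            return fqdn, answers[fqdn]
    return None, None


def was_rewritten(typed, resolved_fqdn):
    """The check a browser could surface: did the resolver end up at a
    different name than the one the user typed?"""
    return resolved_fqdn is not None and resolved_fqdn != typed.rstrip(".") + "."


# Constructed scenario: the DHCP-supplied search list contains one domain,
# and only the name under that domain answers.
SEARCH = ["filter.isp.example"]
ANSWERS = {
    "blocked.example.filter.isp.example.": "192.0.2.80",
    "open.example.": "198.51.100.7",
}

if __name__ == "__main__":
    for typed in ("blocked.example", "blocked.example.", "open.example"):
        fqdn, addr = resolve(typed, SEARCH, ANSWERS)
        flag = "REWRITTEN" if was_rewritten(typed, fqdn) else "as typed"
        print(f"{typed!r:22} -> {fqdn} {addr} [{flag}]")
```

The relative name ends up under the search domain after the first lookup fails, while the same name with a trailing dot simply fails to resolve.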
    5. Re:Doesn't have to conflict with DNSSEC by kasperd · · Score: 1

      Why aren't search paths disabled by default?

      Probably for historical reasons. For a computer that connects to networks not under your own control, there is little benefit from using those networks' DNS paths. Though a few common names do tend to make sense to look up under the search path. For example www and news are names that tend to be meaningful. But in most cases the search path isn't helpful. In particular for https it is pointless as you'll just end up with a certificate warning due to a mismatch between the short and the long names.

      --

      Do you care about the security of your wireless mouse?
    6. Re:Doesn't have to conflict with DNSSEC by kasperd · · Score: 1

      I'm not saying a DNS filter is a good idea. Just that the DNSSEC argument isn't the real problem with it. Frankly I'd rather see DNS filters made illegal as it is interception of private communication between two parties that have not accepted such measures.

      --

      Do you care about the security of your wireless mouse?
    7. Re:Doesn't have to conflict with DNSSEC by kasperd · · Score: 1

      stop abusing relative domain references when the full domain is known.

      When was the last time you saw a URL with a trailing dot in the hostname? Using relative names with the expectation of them being treated as a full domain name is in fact the norm. But I agree it might be something we should try to change.

      The browser can also help by always showing the full domain name returned by the resolver, and not just the portion entered by the user.

      Agreed.

      It wouldn't hurt to make "server failed" messages more painful, either—for example, whenever a server reports an internal failure of that sort, the resolver could refuse to use it for the next five minutes or so

      That would hurt. Let's say you type in http://example.com/ in your browser, but the DNS server responsible for example.com is down. Thus the recursive resolver will never get the reply it needs and will time out and send a server error message back to the browser. If the browser stops using the recursive resolver in that case it will quickly run out of recursive resolvers and will thus be unable to resolve any domain name.

      In effect you have made a system that is trivial to perform a DoS attack against.

      --

      Do you care about the security of your wireless mouse?
    8. Re:Doesn't have to conflict with DNSSEC by Anonymous Coward · · Score: 0

      They don't need to send an error response back to the user - they need to send the feds around to haul them off to jail!

      Got somebody you want to frame?

    9. Re:Doesn't have to conflict with DNSSEC by JesseMcDonald · · Score: 1

      That would hurt. Let's say you type in http://example.com/ in your browser, but the DNS server responsible for example.com is down. Thus the recursive resolver will never get the reply it needs and will time out and send a server error message back to the browser.

      You're right. I run my own recursive resolver, and was thinking more along the lines of avoiding only the specific server that originated the error. Since most people depend on their ISP for that function they only have the ISP's server to blame, no matter where the error originates. Short of requiring DNS servers to sign their error messages, there is no way to prove that the ISP was or was not responsible for the failure to resolve the domain.

      On the bright side, at least with DNSSEC they can't outright lie to you and claim NXDOMAIN when the domain actually exists.

      --
      "The state is that great fiction by which everyone tries to live at the expense of everyone else." - Bastiat
    10. Re:Doesn't have to conflict with DNSSEC by kasperd · · Score: 1

      Short of requiring DNS servers to sign their error messages

      Even that wouldn't help the slightest. If you wanted a signature on the error message sent by the recursive resolver when it doesn't get an answer from the authoritative DNS server, then that would have to be signed by the recursive resolver. But it is the recursive resolver, which you don't trust, so a signature from the recursive resolver doesn't help. (Such a signature wouldn't fit in the DNSSEC model anyway as keys are tied to domains, not to resolvers.)

      When the recursive resolver is unable to communicate with the authoritative DNS server, there is no way for the client to know which of the two or the network in between is responsible. In fact even the recursive resolver can't know who is responsible for the communication failure. It is trivial to provoke a communication failure in order to trigger a legitimate error message.

      at least with DNSSEC they can't outright lie to you and claim NXDOMAIN when the domain actually exists.

      I don't know enough details about DNSSEC to know if that is true. Obviously you cannot pregenerate signatures on every possible domain for which you would ever want to send an NXDOMAIN. There are other ways to achieve it though. The simpler solutions would then make it possible to enumerate all domains in the zone, something you might not want, and something which wasn't possible with plain old DNS. You can pregenerate a commitment to a database that will allow you to open both existing and nonexisting keys without revealing the size of the database. However that involves cryptography a bit more advanced than what I think was appropriate for DNSSEC.

      Dynamically generating signatures on NXDOMAIN answers would require the key to be online, which would make the system less secure as you are removing one layer of defence. If you were to put the key online, a security vulnerability in the DNS server could allow an attacker to get a copy of the keys. If the key was offline, an attacker could only get a copy of all the valid signed records.

      --

      Do you care about the security of your wireless mouse?
    11. Re:Doesn't have to conflict with DNSSEC by kasperd · · Score: 1

      The simpler solutions would then make it possible to enumerate all domains in the zone, something you might not want

      I did a bit of search and found out about the NSEC record (next secure). It is a record that contains information about two existing subdomains and the signature on this record confirms that no records exist in the interval between those two subdomains. If you use this you are in fact allowing enumeration of the complete zone. The alternative is to have the key online (with the key online NSEC records could dynamically be generated for intervals short enough to make an enumeration impossible).

      Zone administrators get to choose between two approaches with different security drawbacks, that is either permit enumeration or keep the key online. Or you could opt not to provide signatures on NXDOMAIN in which case you will produce lots of errors instead of valid NXDOMAIN responses. But at least you could keep stats of which subdomains are requested and occasionally produce signatures offline to be able to provide NXDOMAIN responses for those subdomains. None of these solutions are particularly desirable. If at least a separate key had been used for authenticating NXDOMAIN responses you could have kept that key online such that leaking that key would only allow DoS attacks by forging NXDOMAIN responses and not allow producing actual forged records.

      --

      Do you care about the security of your wireless mouse?
    12. Re:Doesn't have to conflict with DNSSEC by kasperd · · Score: 1

      None of these solutions are particularly desirable.

      Sorry to answer my own post again, but the first page I found was a bit outdated. It turns out the problem was addressed in RFC 5155, which introduced NSEC3 records that chain hashed values of the domains rather than the domains themselves. It also involves salting to counter dictionary attacks. You can still estimate the size of a zone by requesting a bunch of random subdomains and see what the distance between the hashes is, but at least you cannot find out what the exact subdomains are, and the solution is much simpler than one which would hide the size of the zone. If you consider the exact size to be secret, you can always add more hashes to make the zone look bigger than it is.

      --

      Do you care about the security of your wireless mouse?
    13. Re:Doesn't have to conflict with DNSSEC by kasperd · · Score: 1

      This should be my last reply to my own posts. I read a bit more and found concerns that NSEC3 still allows an attacker to send queries that will in effect collect all the hash values, which can then be used in an offline dictionary attack to reveal the hostnames. This is a valid concern, but one that I believe can easily be handled. I didn't find any discussions of solutions for this problem, so I put an article on my website discussing a possible solution, which can be implemented in signing+authoritative server without any changes to the protocol or the resolver code.

      --

      Do you care about the security of your wireless mouse?
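The NSEC3 mechanism (RFC 5155) described in the comments above, from the validating side, as an added example that is not part of any commenter's post. It models only the hash computation and the covering-record check, not the full closest-encloser proof or RRSIG verification; the zone contents, salt and iteration count are constructed sample values.

```python
"""NSEC3 authenticated denial of existence (RFC 5155), validator's view.

The zone, salt and iteration count are constructed sample values. No DNS
traffic is sent and no signatures are checked; only the hash-chain logic
applied to an NSEC3 answer is modelled.
"""
import base64
import hashlib

# RFC 4648 base32 -> base32hex ("extended hex") alphabet used by NSEC3.
_B32_TO_B32HEX = bytes.maketrans(
    b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
    b"0123456789ABCDEFGHIJKLMNOPQRSTUV",
)


def wire_name(name: str) -> bytes:
    """Canonical (lower-case) DNS wire format of a domain name."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError(f"bad label in {name!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def nsec3_hash(name: str, salt: bytes, iterations: int) -> str:
    """SHA-1 over name||salt, then re-hashed `iterations` more times with
    the salt appended each round; result in lower-case base32hex."""
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_B32_TO_B32HEX).decode().lower()


def build_chain(names, salt, iterations):
    """What the signer publishes: sorted hashes, each pointing to the next
    one, the last wrapping around to the first."""
    hashes = sorted(nsec3_hash(n, salt, iterations) for n in names)
    return [(h, hashes[(i + 1) % len(hashes)]) for i, h in enumerate(hashes)]


def covers(owner: str, nxt: str, target: str) -> bool:
    """True if `target` falls strictly inside the gap (owner, nxt)."""
    if owner < nxt:
        return owner < target < nxt
    # Last record in the chain: the gap wraps past the end of hash space.
    return target > owner or target < nxt


def denial_for(chain, qname, salt, iterations):
    """Return the (owner, next) record proving qname does not exist, or
    None when qname's hash matches an owner, i.e. the name exists."""
    target = nsec3_hash(qname, salt, iterations)
    for owner, nxt in chain:
        if owner == target:
            return None
        if covers(owner, nxt, target):
            return owner, nxt
    raise AssertionError("chain has a hole; not a valid NSEC3 chain")


# Constructed sample zone and parameters.
SALT = bytes.fromhex("aabbccdd")
ITERATIONS = 12
ZONE = ["example", "www.example", "mail.example", "ns1.example"]
CHAIN = build_chain(ZONE, SALT, ITERATIONS)

if __name__ == "__main__":
    for owner, nxt in CHAIN:
        print(f"{owner} -> {nxt}")  # only hashes are published, not names
    print(denial_for(CHAIN, "intranet.example", SALT, ITERATIONS))
    print(denial_for(CHAIN, "www.example", SALT, ITERATIONS))
```

Because every record in the chain can be signed ahead of time, the zone key can stay offline while any nonexistent name is still covered by exactly one pre-signed gap.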
  34. Re:Wrong, there are laws, and this breaks one of t by greenbird · · Score: 4, Insightful

    typical users lack the expertise to select a different DNS server

    is definitely a true statement.

    What it is is bullshit. There would be directions floating around everywhere written at a second grade level on how to do it. If they couldn't figure it out from there they'd ask that tech suave friend or relative to do it. Linux would come pre-configured to hit OpenDNS.

    Wherein the problem lies is that half the instructions floating around would be pointing to compromised servers. Thus by eliminating the trust aspect that is key to DNS working and making DNSSEC essentially illegal they're going to create exactly what they claim to be trying to prevent, turning the internet into a lawless wild west. I find it absolutely amazing that congress is going to pass a law that will make implementing security measures on the internet illegal. Tells you how deep our government representatives are in the pockets of the RIAA/MPAA crowd.

    --
    Who is John Galt?
  35. Re:Wrong, there are laws, and this breaks one of t by Anonymous Coward · · Score: 1

    The vast majority of Internet users doesn't know their DNS, they probably don't even know what DNS is. They just open their browser (better known as "the Internet"), enter www.slashdot.org and expect to be able to read News for Nerds, Stuff that matters. Maybe not the best example but I bet you get the point.

    typical users lack the expertise to select a different DNS server

    is definitely a true statement.

    Not very true at all. Changing DNS to a 3rd party server is trivial, there are all kinds of posts all over the internet especially in gaming and hacking/pirating forums. If they start trying to push this type of system, "how-to" docx and websites will pop up all over the place, and people will start running underground, shady DNS servers.

    I'm fairly cynical regarding the average user's ability to tie their shoes, let alone do anything with a computer. But a shitload of people managed to get Kazaa installed and share music and movies, and to be blunt that's more involved than browsing to a local network IP, entering a default password, and typing one IP address into the DNS settings on your router.

  36. they really think your(we) all stupid by Anonymous Coward · · Score: 0

    funny....maybe 12 years ago they might a got away with it , but not now.....

    1. Re:they really think your(we) all stupid by Opportunist · · Score: 1

      Not even 12 years ago.

      The point is that every automated blocking can be circumvented with a tool. And using a tool means being able to double click an icon on your desktop, an ability that I guess everyone has.

      People won't know this tool exists? They will. Boards, friends, even YouTube how-to videos will exist within seconds of this blocker's launch. If infrastructure is needed, like free DNS servers, it will exist long before this blocker becomes active.

      The whole system is doomed to be useless. Maybe it will even keep a fraction of a percent of the filesharers out of the loop, while blowing a huge hole into DNS security and stability. The price is simply too high.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  37. hosts file by Anonymous Coward · · Score: 0

    lol enjoy

  38. Re:Wrong, there are laws, and this breaks one of t by BlueStrat · · Score: 3

    When was the Internet anything other than a "lawless wild west"?

    The internet is the wild west, but it is far from lawless... it just so happens that there are very few laws.

    One of those laws is the trustworthiness of DNS. The proposal at hand is actually one that makes the internet MORE lawless...

    Indeed. Funny thing, this requires judges and lawyers being woven into the fabric of internet - I don't like the idea.

    And politicians.

    Don't forget the damned politicians.

    Politicians, lawyers, and judges.

    The Unholy Trinity.

    Of course, it was inevitable that a source of such wealth, information, and power available to the unwashed such as the internet would become a target for control for such as they.

    It had to happen. They by their very nature are unable to tolerate anything that empowers regular people unless it's been made "safe"..."safe" from use against *them* by the people, and "safe" against regular people using it to communicate information, ideas, and wealth created independently from, and unmonitored by, those in power.

    I'm surprised the freedom of the internet hasn't been attacked more intensely and with more determination than it has at this point in the 'net's history.

    I guess looting the country and the citizens while trying to turn it into a Third-World hellhole takes most of their attention. It must be really hard work, too, judging by the number of vacations they take on the taxpayer's dime.

    Strat

    --
    Progressivism (aka US 'Liberalism'): Ideas so good they need a police/surveillance-state to enforce.
  39. Re:Wrong, there are laws, and this breaks one of t by c0lo · · Score: 1

    Indeed. Funny thing, this requires judges and lawyers being woven into the fabric of internet - I don't like the idea.

    And politicians.

    I wasn't forgetting them... just that they seem to be already entangled in/with the internet - ever since somebody "explained" to them the internet is like a series of tubez. To date, on purpose or not, the confusion persists.

    The judges and lawyers would be new additions.

    --
    Questions raise, answers kill. Raise questions to stay alive.
  40. Re:Wrong, there are laws, and this breaks one of t by BlueStrat · · Score: 1

    You're correct, of course. I just didn't want the Unholy Trinity to go unmentioned and possibly be missed by someone not already well aware.

    I thought about going for the "series of tubes" thing, but decided the straighter, more philosophical(?) approach might be more effective.

    But, who am I really kidding? This is Slashdot, that needs a car analogy for nearly every concept. :)

    Strat

    --
    Progressivism (aka US 'Liberalism'): Ideas so good they need a police/surveillance-state to enforce.
  41. bye-bye Google by tebee · · Score: 1

    So if they do force Google to de-list, what is to stop Google continuing to list them on its local sites outside the US? So everyone switches to using Google.co.uk? Or Google could move its .com servers outside the US like it did with China.

    You can be sure Google will be doing its best to let people find those sites, as not only does this censorship go against the Google creed but it also knows that if people can't find what they want on Google they will switch to another search provider and bang go Google's advertising revenues.

    There may be new search providers who appear out of the ether to fill the gap, and while they can ban these too, one thing you can be certain of, they will not be based in the US. One more nail in the coffin of the US as the major internet player.
     

    --
    N.B. this user is far too lazy to write a witty and intelligent sig.
    1. Re:bye-bye Google by MadMaverick9 · · Score: 1

      Or Google could move its .com servers outside the US like it did with China.

      and if more and more countries are going to do this, then where are you going to move the servers to? the moon? mars?

      I've asked the question before and I'll ask it again now ...

      Is there any country left on this earth, where there's mutual trust between government and its citizens and therefore no need to monitor internet and phone traffic?

    2. Re:bye-bye Google by TheGratefulNet · · Score: 1

      I wonder if the islands down where anydvd (slysoft) is located; cayman? I forget..

      they develop a 'bad bad program' (actually, good good one!) but they have not been bombed by the US. yet.

      perhaps they have freedom there?

      --

      --
      "It is now safe to switch off your computer."
  42. Re:Wrong, there are laws, and this breaks one of t by Anonymous Coward · · Score: 0

    The statement is true, however it does not fit the context, these specific users aren't the type that know where to find warez normally.

  43. or: by justforgetme · · Score: 1, Interesting

    People will just move to namecoin, first site admins and then the general populace (just as it happened 35 years ago with ip protocol) and centrally operated DNS will just become obsolete...

    DNS is dead
    Long live namecoin!

    --
    -- no sig today
    1. Re:or: by Anonymous Coward · · Score: 0

      namecoin makes centralized DNS obsolete. This is good if you want an open and free internet. This is bad if you want a tightly controlled and "investment-friendly" internet.

    2. Re:or: by justforgetme · · Score: 1

      Well, you really have to be thick to think that an open and free Internet will be investment unfriendly.

      The only people that would lose from that are people invested in 18th century capitalism (see: modern day politicians and economic values merchants) and since those people exist only for the purpose of perpetuating their lineage it is quite a safe assumption that humanity could do away with them.

      --
      -- no sig today
    3. Re:or: by jp10558 · · Score: 1

      I'm not sure how this works exactly, but if it's anything like the Freenet hashes you use as URIs, it's a big FAIL due to being slow and flaky as to whether you can resolve anything.

      --
      Opera, Proxomitron-Grypen,GPG 0x0A1C6EE3
  44. Re:Wrong, there are laws, and this breaks one of t by Anonymous Coward · · Score: 0

    Typical Users do NOT need to know DNS or how to alter their DNS servers from a hole in the ground.
    Google standard HTML links (which have been there from the beginning) will guide them to Piratebay or whatever. Of course this means the politicians are making scammers' and crooks' jobs that much easier...

  45. what about the root servers? by polle404 · · Score: 1

    I'm worried about the 'regular' DNS servers out there, sure, but what scares the crap out of me is the root servers.
    If this act will require tampering on the root servers, we're all f*cked.

    as to the normal DNS blocking, Denmark has had this for a few years, and it's a travesty, innocent domains land on the filter list all the time, and it's virtually impossible to get off it, and the list isn't public, so you're forced to all kinds of shenanigans to find out if you ARE on there or not.

    --

    ~men are from earth. women are from earth. deal with it.~
    1. Re:what about the root servers? by Opportunist · · Score: 1

      Soon DNS-Servers will come into existence located in some country the name of which ends in -stan where the law enforcement doesn't give a shit about IP laws that will carry those names with the correct target. Put that server into your resolution list on top and you'll always get the correct location.

      Of course, this opens you to DNS poisoning attacks. But then again, how this idea is a big blow to security on the internet is the whole point of this thread.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  46. Gives China some moral ground by Anonymous Coward · · Score: 0

    Okay maybe political repression is more evil than crass economic repression. But it does give China some excuse to say, "Hey, we're only censoring the Internet to give our country peace and stability. You're just censoring it to protect your bottom line."

    1. Re:Gives China some moral ground by Aphoxema · · Score: 1

      Okay maybe political repression is more evil than crass economic repression. But it does give China some excuse to say, "Hey, we're only censoring the Internet to give our country peace and stability. You're just censoring it to protect your bottom line."

      With thought-provoking statements like that it's a shame you post as AC.

      --
      "Most people, I think, don't even know what a rootkit is, so why should they care about it?"
  47. Re:Wrong, there are laws, and this breaks one of t by Eraesr · · Score: 2

    But everyone has a family member or acquaintance who does have that knowledge, and they won't hesitate to ask "hey can you fix the pirate bay for me".

  48. Typical users vs typical ISP by dbIII · · Score: 1

    Meanwhile a typical network admin on their first day at work is perfectly capable of redirecting all DNS traffic to their server even if the user is asking for DNS information from Google at 8.8.8.8. Some internet service providers already do this and use it to insert annoying advertisements instead of the expected error messages when an address is not found.

  49. Re:Wrong, there are laws, and this breaks one of t by EdIII · · Score: 5, Insightful

    True statement? Really?

    A statement by the MPAA disputes these claims, arguing that typical users lack the expertise to select a different DNS server and that the Internet must not be allowed to 'decay into a lawless Wild West.'

    Hmmmmmmm. Let me rephrase that differently.....

    An inter-office memo from Microsoft was recently released with a statement by an executive arguing that the typical user lacks the expertise to choose a different browser and that apathy and ignorance will allow the Internet to continue to be dominated by Internet Explorer and that the Internet will not devolve into a Wild West of open source competitors taking away market share and that governments and states will not get involved via lawsuits and legislation to affect Microsoft negatively.

    You screw around with DNS too hard and you will find that people will fight back. Of course their warnings about fragmentation will most likely be true very quickly. How much of an excuse does China need to form its own root servers and DNS? It would certainly only help them to create and control DNS resolution and to ban all DNS queries to outside networks period. The EU will probably form its own, and interestingly, will probably pick up well over half the US market.

    Seriously? Would you choose a DNS "network" that bypasses due process and exposes you to impossible business risks for you and your customers, or a DNS "network" operated without such risks?

    When installing IE9 now I can see options on changing default search engines. You can choose default programs now too. Did you think you would see that 5 years ago?

    I am willing to bet that if it gets bad enough, even router manufacturers will start giving choices and that open source browsers themselves will start making it easy to configure a computer to use alternate DNS servers, even if it is just for the browser itself.

    So far, they have not affected enough people yet, not all that many in actuality, but how much are we arguing about it right now? All they have done is stare at the hornet's nest, just wait till they actually throw a rock.

  50. Re:Wrong, there are laws, and this breaks one of t by jez9999 · · Score: 1

    The vast majority of Internet users doesn't know their DNS, they probably don't even know what DNS is. They just open their browser (better known as "the Internet"), enter www.slashdot.org and expect to be able to read News for Nerds, Stuff that matters.

    I enter 216.34.181.45, you insensitive clod!

  51. Re:Wrong, there are laws, and this breaks one of t by KahabutDieDrake · · Score: 4, Insightful

    Typical users lack the expertise, because up until now, they didn't need it. I assure you, they will gain this expertise rather shockingly fast. The only way to motivate "typical [l]users" to learn something new is to block something they want. Years ago typical users didn't know how to download HTTP warez, because they didn't understand ZIP files. Years ago typical users didn't know how to access Napster/Kazaa/whatever. Years ago typical users didn't know what a Bit Torrent client was, or why they needed one. Users learn what they need to in order to get what they want.

  52. If you can't control it, break it by lexsird · · Score: 1

    A pesky thing, a big information network the free people of the world can use, if you are trying to control them all. So why not break it and fragment it with idiot laws? It will not take long to control it completely once it's properly "broken". They aren't as dumb as you think they are.

    --
    Take the Red Pill.
  53. Re:Wrong, there are laws, and this breaks one of t by Serpents · · Score: 1

    Tells you how deep our government representatives are in the pockets of the RIAA/MPAA crowd.

    That and that they're clueless when it comes to tech more advanced than a biface

  54. Please Trust Them by Akima · · Score: 1

    Only terrorists don't want to protect intellectual property.

    The best way to protect us from the terrorists, save the children and ensure corporate profits (so we can keep our economy in the good condition it is today) is to get rid of the DNS. Think about all the terrible information that DNS technology facilitates access to. We need some kind of new DNS system that is designed by politicians and outsourced to a trustworthy company like Lockheed Martin to implement.

    I also think cars should be banned. Some people use cars for delivering drugs... and drugs are bad. If you're not a drug dealer why do you need your own transport? Why not use buses and planes? Is it because you don't want to go through the naked body scanners and have your bombs and drugs revealed?

    Really what we need are huge jails for everyone except CEOs and high ranking politicians. That would be safest... think of all the terrible things people can do given the opportunity to freely walk around outside. Surely if you don't plan to do these terrible things then you don't need to leave your assigned jail. Everything you need to live can be safely and lovingly supplied by the politicians and CEOs... direct to your jail. We could also, each have a microchip implanted under our skin with a unique ID stored within it. The government can then figure out exactly what our needs are and care for us even better.

    1. Re:Please Trust Them by Anonymous Coward · · Score: 0

      Even jails give people too much freedom. Drugs and violence are rife in our prisons. What we need are individual containment pods that provide a nutrient rich diet - something akin to the system in the Matrix. Only not networked, that's where they went wrong.

  55. Typical users lack the knowledge. That's true by Opportunist · · Score: 1

    But they don't need that knowledge. Their tool will have it for them. So you cannot access TPB? No problem. Within nanoseconds a tool will spring into existence that uses a non-filtered DNS server for you, provide the IP-Address and feed it to your application. Hell, why not make it a browser plugin? And if that fails, how about wedging it into the DNS request routine?

    In short, this will accomplish nothing while being a gaping security hole in the making. First for the already mentioned problem with DNSSEC, rendering this (much needed) service utterly useless. But how about the users that will (have to) install software to bypass this filter? As mentioned above, they do not have the knowledge, but they will outsource this problem to some program. And not having the knowledge to find out how to bypass that DNS filter, they won't have the knowledge to determine whether the tool they use is benign or malicious.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  56. In future: IP address circumvention ruled illegal? by Anonymous Coward · · Score: 0

    "It is also pointed out that DNS filtering does not actually keep determined users from accessing content, as they can still access non-filtered DNS servers or directly enter the blocked site's IP address if it is known."

    Obviously that's why they call it the "PROTECT-IP" act, because IP addresses will still work fine :-) :-)

    Calling such users "determined" is kind of like calling the people who held the shift key down to avoid audio CD DRM elite hackers. But you're not supposed to tell any of this to the fools trying to implement this stuff!

  57. Re:Wrong, there are laws, and this breaks one of t by Yvanhoe · · Score: 1

    Tenderfoot in the wild west then. They should have chosen their sheriffs more wisely.

    --
    The Wise adapts himself to the world. The Fool adapts the world to himself. Therefore, all progress depends on the Fool.
  58. Re:Wrong, there are laws, and this breaks one of t by MadMaverick9 · · Score: 3, Informative
    Have you actually tried this, you insensitive clod?

    wget -O /dev/null "http://216.34.181.45/"
    --2011-07-18 17:39:41-- http://216.34.181.45/
    Connecting to 216.34.181.45:80... connected.
    HTTP request sent, awaiting response... 301 Moved Permanently
    Location: http://slashdot.org/ [following]
    --2011-07-18 17:39:42-- http://slashdot.org/
    Resolving slashdot.org (slashdot.org)...

    this ip address simply re-directs to "slashdot.org".

    so this does not solve the problem.

  59. going too far by SkunkPussy · · Score: 1

    If there is dodgy content on the internet, then the courts should get an injunction against the content's uploader and force him to remove it!

    We don't close the roads to a shopping centre because there is someone walking around selling pirated dvds.

    --
    SURELY NOT!!!!!
  60. typical users lack the expertise to follow laws by Gunstick · · Score: 1

    e.g. copyright law

    --
    Atari rules... ermm... ruled.
  61. Re:Wrong, there are laws, and this breaks one of t by Anonymous Coward · · Score: 0

    Most people won't have to change their DNS settings. They will simply download and install a program that does it for them. Or a browser plugin.

  62. When drugs were made illegal... by Kookus · · Score: 1

    You got drug dealers.
    Maybe I can make some sweet money selling "hook-ups" (aka access) to servers with infringing content!

    I can be a digital access dealer, a dad!

  63. Re:Wrong, there are laws, and this breaks one of t by sgt+scrub · · Score: 1

    A few ISPs don't give you the choice (Warner Bros is one that actively does). All ISPs have the means to. If this passes, even if your ISP does not want to they will not have a choice or it will be done upstream. Transparent redirecting/hijacking unencrypted DNS traffic is trivial.

    http://www.dnsleaktest.com/what-is-transparent-dns-proxy.php

    --
    Having to work for a living is the root of all evil.
  64. Re:Wrong, there are laws, and this breaks one of t by perryizgr8 · · Score: 1

    won't stay true for long if random websites get blocked.

    --
    Wealth is the gift that keeps on giving.
  65. Re:Wrong, there are laws, and this breaks one of t by perryizgr8 · · Score: 1

    then how do you find out the true ip? this seems scary!

    --
    Wealth is the gift that keeps on giving.
  66. Re:Wrong, there are laws, and this breaks one of t by sgt+scrub · · Score: 1

    90% of public school students between the grades 4-12 actively switch DNS settings on machines when they receive a block page. I know because for the last 8 years my job has been to provide content restriction, content monitoring, and data protection technology and support. The majority of my clients are US school systems. I seriously doubt that schools I haven't worked with vary more than .1%. Encrypted traffic is the ONLY pathway to protecting privacy and even THAT is now compromised by several filtering products actively used by schools, cities, and businesses. Your vast majority numbers must exclude the US.

    --
    Having to work for a living is the root of all evil.
  67. Re:Wrong, there are laws, and this breaks one of t by afidel · · Score: 1

    You know what, the way to route around this damage is to include a caching resolver with the browser (and peer to peer client, ftp client, etc) so that even users without any technical knowledge can be free of this stupidity. Sure, your DNS times will go up by a few tens of ms but that's better than relying on utterly broken infrastructure.

    --
    There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
  68. Re:Wrong, there are laws, and this breaks one of t by Anonymous Coward · · Score: 0

    It's our job to write small tools that quickly change the DNS settings and provide all sorts of documentation on why.

    The users listen to the geeks. The geeks need to make sure they help the users thwart big brother at any cost.

    The same way gearheads tell the public which cars were well built and which ones are junk. They warn the public when automakers try to slip in cost cutting changes that make vehicles worse. The company thinks "Oh, no one understands the difference, yank it", but the gearheads make them regret that decision.

    Same with hackers.

  69. Re:Wrong, there are laws, and this breaks one of t by EdZ · · Score: 1

    My secondary school had a generic internet filter on all school machines. It didn't take particularly long for everyone to figure out how to use free proxies to bypass it, and once those too began to be blocked, for a few of us to set up proxies on our home machines.
    Yes, if school children set up remote proxies with ease to bypass filtering, your average consumer will have no trouble switching their DNS server if it becomes inconvenient not to do so.

  70. Re:Wrong, there are laws, and this breaks one of t by BenoitRen · · Score: 1

    The vast majority of Internet users doesn't know their DNS, they probably don't even know what DNS is. They just open their browser (better known as "the Internet"), enter slashdot into Google (which is likely the homepage), click on the first result and expect to be able to read News for Nerds, Stuff that matters.

    Fixed!

  71. Re:Wrong, there are laws, and this breaks one of t by misexistentialist · · Score: 1

    Clearly the government needs to protect the population by blocking those websites too.

  72. Edit one simple file. by sparkeyjames · · Score: 1

    Find ip of banned server. edit /etc/hosts to include it. Done. /etc/hosts is far more permanent than having to change the DNS server several times. Because as sure as shit the Government would cow most of them into complying.

    Whether you're in Linux or Windows or Mac OSX /etc/hosts is searched first before DNS is consulted.

    FYI in Windows it's... C:\Windows\system32\drivers\etc\hosts
    In Mac OSX it's ... /private/etc/hosts

    1. Re:Edit one simple file. by Aphoxema · · Score: 1

      Or just change your DNS server to one not located in the US, which I expect will become practice for some after this bullshit passes.

      --
      "Most people, I think, don't even know what a rootkit is, so why should they care about it?"
  73. Wow, what a joke by Anonymous Coward · · Score: 0

    "typical users lack the expertise to select a different DNS server"

    That's amazing. Obviously the users in question are not average. That's like taping a fake lock onto the front of the bank vault and saying as long as no one tries to break in, the money's perfectly safe.

    1. Re:Wow, what a joke by Aphoxema · · Score: 1

      "typical users lack the expertise to select a different DNS server"

      That's amazing. Obviously the users in question are not average. That's like taping a fake lock onto the front of the bank vault and saying as long as no one tries to break in, the money's perfectly safe.

      It's more like placing a combination lock on a box full of free music, video and games and saying your average person doesn't know and probably won't be able to learn how to open it no matter how much time they're given.

      --
      "Most people, I think, don't even know what a rootkit is, so why should they care about it?"
  74. HTTP by Compaqt · · Score: 1

    That is the true IP address. After it's told to redirect to slashdot.org, it looks up slashdot.org, which is 216.34.181.45.

    me@foo:/tmp$ wget 216.34.181.45
    [Excerpted for lame filter]
    Connecting to 216.34.181.45:80... connected.
    HTTP request sent, awaiting response... 301 Moved Permanently
    Location: http://slashdot.org/ [following]
    --2011-07-18 19:35:18-- http://slashdot.org/
    Resolving slashdot.org... 216.34.181.45
    [Excerpted]
    Saving to: `index.html'

    No, it's not a circular path.

    In the first instance, you're asking for the HTTP server at 216.34.181.45 .

    In the second, you're asking the HTTP server at 216.34.181.45 for the virtual site "slashdot.org".

    me@blah:/tmp$ telnet 216.34.181.45 80
    Trying 216.34.181.45...
    Connected to 216.34.181.45.
    Escape character is '^]'.
    GET / HTTP/1.1
    Host: slashdot.org

    --
    I'm not a lawyer, but I play one on the Internet. Blog
    1. Re:HTTP by perryizgr8 · · Score: 1

      but then if slashdot.org is dns blocked, you won't be able to access slashdot even if you enter the ip address. is this true or do i just not understand this stuff?

      --
      Wealth is the gift that keeps on giving.
    2. Re:HTTP by dgatwood · · Score: 1

      This is true, but I guess nobody gave Slashdot's IT guys the memo.

      It gets even uglier when virtual hosting (multiple hostnames on a single IP) comes into play. The only real solution would be a browser plug-in that allows you to spoof DNS records in some way.

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

    3. Re:HTTP by Compaqt · · Score: 1

      Scenarios:

      1) They ban slashdot.org using PROTECT-IP. I.e., they direct your ISP's DNS server not to return 216.34.181.45 when a client (you) asks what "slashdot.org" is.

      In that case, you can (hopefully) use OpenDNS or Google DNS instead of your ISP's DNS. So, you use an alternative DNS, and find out slashdot.org is 216.34.181.45.

      You can still access 216.34.181.45 because mucking with DNS isn't the same as banning access to the IP address (though they might do that separately).

      I.e., they're preventing access to the directory service, not preventing you from dialing a specific phone number.

      2) Your ISP also intercepts and redirects DNS requests anywhere (including to OpenDNS). If so, that's tough. Possibly you might be able to access an encrypted DNS server.

      3) Your ISP intercepts and prevents access to 216.34.181.45. In this case, you have to do what Iranians and Chinese do: use a proxy server.

      --
      I'm not a lawyer, but I play one on the Internet. Blog
    4. Re:HTTP by omnichad · · Score: 1

      Browser plug-in? You mean /etc/hosts?

    5. Re:HTTP by perryizgr8 · · Score: 1

      You can still access 216.34.181.45 because mucking with DNS isn't the same as banning access to the IP address (though they might do that separately).

      but if i enter 216.34.181.45, and it redirects to slashdot.org, like it does, then i won't be able to get to slashdot. unless of course i have changed my dns to google or opendns.

      --
      Wealth is the gift that keeps on giving.
    6. Re:HTTP by andymadigan · · Score: 1

      You're half-correct, the browser would need to be modified to send the Host: slashdot.org header, while accessing it directly at the given IP. The quickest way is to change the hosts file.

      --
      The right to protest the State is more sacred than the State.
    7. Re:HTTP by Compaqt · · Score: 1

      Yeah, that's correct. You'd have to use OpenDNS (or something), but after that (if they're not intercepting IP packets), you're good to go.

      This is a special case for Slashdot, because it has a bunch of other virtual sites (apple.slashdot.org, etc.). For many sites, you can go directly to the main site with just the IP address.

      --
      I'm not a lawyer, but I play one on the Internet. Blog
    8. Re:HTTP by Adriax · · Score: 1

      A browser plugin can easily use an adblock-like list subscription to keep updated.
      Someone maintains a list of the dns blocks put forth by this law, browsers check the list before DNS, internet functions normally for them.

      --
      I don't suffer from insanity, I enjoy every minute of it!
    9. Re:HTTP by dgatwood · · Score: 1

      No, I mean something that doesn't involve you providing investigators with a detailed list of the specific banned sites that you frequent.

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

  75. Re:Wrong, there are laws, and this breaks one of t by Gripp · · Score: 1

    both you and the article point out that it will somehow work via obscurity... that the "typical user" simply doesn't have the knowledge to circumvent such a system. while that may be true at the moment it will very rapidly change. people learn what they need to learn to do what they want. and the best part is that they don't even have to "understand" anything - users will follow cookbook how-to's, learn to use apps that happen to accomplish the desired result or even simply have that one computer literate buddy of theirs set them up.....

    point being, it will NOT be effective. because regardless of what people know NOW they are capable of adapting.

  76. Good use of "biface" in your post. by Medievalist · · Score: 1

    The elected representatives in my area could certainly be described as "two faced stone tools".

  77. Re:Wrong, there are laws, and this breaks one of t by h4rr4r · · Score: 1

    Why do they have the ability to do that? Make them login as an unprivileged user.
    Stop blocking at the DNS level, just drop packets at the border router.

  78. Re:Wrong, there are laws, and this breaks one of t by h4rr4r · · Score: 1

    DNSSEC fixes that, like you said encryption is the solution.
    So does doing all your lookups via an ssh tunnel to a machine with a good dns server to look at.

  79. Re:Wrong, there are laws, and this breaks one of t by anyGould · · Score: 1

    I'm sure someone will find the relevant Dilbert comic, but are you honestly expecting your filtering to stand against the combined will of people to find p0rn?

  80. packet tracking by Compaqt · · Score: 1

    >you can rest assured the src and dst IPs on every single one of those packets is recorded and linked to your account.

    Really? What kind of storage space would be required to keep track of every single packet, src, dest, + time and size?

    Why stop there? Why not record the entire contents of every IP conversation?

    I'd think it would be easier to do a usage = usage + x every few packets or so to keep track of usage.

    --
    I'm not a lawyer, but I play one on the Internet. Blog
    1. Re:packet tracking by scdeimos · · Score: 1

      Never said the packets themselves were recorded. Src IP and dst IP, packet size and time stamp - that's all that's needed. Note that this happens for ingress and egress traffic - the src and dst IPs are switched in one direction.

    2. Re:packet tracking by Compaqt · · Score: 1

      No, I realize the packets weren't being recorded (yet).

      But still, for a 1Mbs connection, just recording src, dest, size and time is a huge amount of space compared to just incrementing "bytes downloaded/uploaded" counters.

      --
      I'm not a lawyer, but I play one on the Internet. Blog
  81. Lawless Internet by Anonymous Coward · · Score: 0

    A statement by the MPAA [said] that the Internet must not be allowed to 'decay into a lawless Wild West.'

    This is the kind of statement that makes me pine for the days when tarring and feathering was considered acceptable behavior. Likewise, senators who support such laws as PROTECT IP remind me that hanging, drawing and quartering was once considered appropriate punishment for those who were guilty of treason.

  82. It works, but you're using wget wrong. by Anonymous Coward · · Score: 0

    this ip address simply re-directs to "slashdot.org".

    so this does not solve the problem.

    wget: you're doing it wrong. Try doing this instead to get the site index:

    wget -O - --header="Host: slashdot.org" "http://216.34.181.45"

    You need the header because nearly everyone uses name-based virtual host to host multiple sites from a single IP address. (Here's Apache's documentation on it.) The webserver looks at what site the browser requests in the "Host: example.com" section of the HTTP headers and serves content based on that.

    A workaround is easy:

    echo "order hosts,bind" > /etc/host.conf; echo "216.34.181.45 slashdot.org" >> /etc/hosts

    Type in "slashdot.org" into browser and it should use the IP given in the host file, without a DNS lookup, but still have "Host: slashdot.org" in the http header. You could also set up a line pointing the yro, linux, and other subdomains to the right IP (216.34.181.48) and everything should work as expected.

    This is pretty basic stuff that hasn't changed in years.
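
Added example (not part of the comment above and not Slashdot's server code): a loopback server that reproduces the behaviour in this thread's wget transcripts, where a request to the bare IP gets a 301 to the canonical name while the same IP serves the page when the request carries the expected Host header. The site names and routing table are constructed for the illustration.

```python
"""Name-based virtual hosting on loopback: the Host header, not the IP, picks the site."""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Constructed site table (hypothetical names under the reserved .example TLD).
CANONICAL = "news.example"
SITES = {
    "news.example": b"front page\n",
    "yro.news.example": b"rights section\n",
}


def route(host_header):
    """Return (status, headers, body) for a request carrying this Host header."""
    # Drop an optional :port and normalise case before matching the name
    # (hostnames and IPv4 literals only; IPv6 literals are out of scope here).
    name = (host_header or "").split(":")[0].strip().lower()
    if name in SITES:
        return 200, {"Content-Type": "text/plain"}, SITES[name]
    # Unknown or missing name, e.g. the bare IP: redirect to the canonical
    # name. The client then has to resolve that name through DNS again.
    return 301, {"Location": "http://%s/" % CANONICAL}, b""


class VHostHandler(BaseHTTPRequestHandler):
    """One listener, one IP address, several sites selected by Host."""

    def do_GET(self):
        status, headers, body = route(self.headers.get("Host"))
        self.send_response(status)
        for key, value in headers.items():
            self.send_header(key, value)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the demo output quiet


def fetch(ip, port, host=None):
    """GET / from ip:port; with host=None the client sends Host: ip:port."""
    conn = http.client.HTTPConnection(ip, port, timeout=5)
    try:
        # Supplying our own Host header stops http.client adding the default.
        conn.request("GET", "/", headers={"Host": host} if host else {})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location"), resp.read()
    finally:
        conn.close()


def run_demo():
    """Start the server on an ephemeral loopback port and probe it four ways."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), VHostHandler)
    port = server.server_address[1]
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return {
            "bare_ip": fetch("127.0.0.1", port),
            "main": fetch("127.0.0.1", port, "news.example"),
            "sub": fetch("127.0.0.1", port, "yro.news.example"),
            "unknown": fetch("127.0.0.1", port, "other.example"),
        }
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for label, (status, location, body) in run_demo().items():
        print("%-8s %s %s %r" % (label, status, location or "-", body))
```
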

  83. Re:Wrong, there are laws, and this breaks one of t by hairyfeet · · Score: 1

    Oh friend you wouldn't even need instructions! Since the vast majority is on Windows and DNS settings can be changed by the registry all one would have to do is post a zipped reg file to mediafire and the like and voila! The majority can bypass the bullshit as easy as "clicky clicky reboot". I'm sure there are plenty of guys like me if they break DNS with this bullshit that will be happy to flood the download hosts with reg files set up to switch the clueless to functionality again.

    But what do we expect when the government has been whoring itself to big business without pretense for over a decade and a half now. The will of the people is no longer being heard or listened to, only the will and desires of the rich elites. Hell look at how the right wing's answer to everything is "give teh rich more MONIES nom nom nom" when data shows that higher taxes on the rich leads to lower unemployment and increased job growth yet those writing the checks don't want that, so we get the "give teh rich more MONIES nom nom nom" policy.

    So it doesn't matter how many of you wrote, signed petitions, all the things one was taught to do to change the system, because all you got was the same form letter I did from my congress whores which was bullshitese for "I don't listen to peasants".

    --
    ACs don't waste your time replying, your posts are never seen by me.
  84. Reply from (IL) Richard Durbin by Aphoxema · · Score: 1

    Did the EFF thing a while ago, actually wrote my own message but I doubt the response wasn't the usual boilerplate:

    Dear (Aphoxema):

    Thank you for contacting me to express your concern about the Preventing Real Online Threats to Economic Creativity and Theft of Intellectual Property (PROTECT IP) Act of 2011, S. 968. I appreciate hearing from you on this issue.

    The bipartisan PROTECT IP Act, which was based on last year's Combating Online Infringement and Counterfeits Act, which passed unanimously in the Senate Judiciary Committee, would authorize the Department of Justice to pursue court orders to take action against websites that are dedicated to selling pirated and counterfeit goods.

    It is important to note that this legislation seeks to address a serious problem without inappropriately restricting Internet freedom. The Justice Department currently lacks tools to effectively enforce anti-piracy and counterfeiting laws against websites that are dedicated to distributing material in violation of these laws.

    This legislation seeks to address this problem by enabling the Justice Department to target these websites through court orders, while also providing the websites with the opportunity to petition a court to lift an order. The bill is narrowly tailored so as not to include legitimate websites and it includes important procedural protections to prevent misuse of this authority. For a court order to be issued, the Justice Department must show that the website in question is directed at customers in the United States and that it harms holders of U.S. intellectual property. In addition, the Department is required to promptly serve notice of the action after the filing.

    S. 968 provides a narrower definition of a website "dedicated to infringing activities" than the Combating Online Infringement and Counterfeits Act. In addition, while the PROTECT IP Act would authorize the Attorney General and rights holders to bring actions against online infringers operating a rogue website or domain, the remedies are limited to blocking financial gains of the site but not blocking access. Also, this bill ensures that third parties (e.g. Internet service providers, payment processors, advertising networks) are not overly burdened to comply with an order beyond what is feasible and reasonable.

    In May 2011, this bill was approved unanimously by a voice vote in the Senate Judiciary Committee and was reported to the Senate floor for further consideration.

    Effective enforcement of intellectual property laws is critical to the encouragement of innovation and the creation of jobs. In recent years, we have seen a proliferation of Internet websites that are devoted to the unauthorized distribution and sale of pirated and counterfeit goods. These websites deprive innovators and businesses of revenue and result in the loss of American jobs. In addition, these websites present a public health concern when they sell counterfeit, adulterated, or misbranded pharmaceutical products.

    I will keep your views in mind as the Senate considers this issue in the coming months.

    Sincerely,
    Richard J. Durbin
    United States Senator

    RJD/vy

    -----

    It's not a bad response but it shows a failure to understand the technical impracticality of "DNS blocking". That's the problem; since an individual can't learn everything about everything, it is impossible to elect someone as a lawmaker who knows intimately the details of the laws they may face or even what someone needs to know to be a good counsel.

    There should be a third congressional house; The Senate, The House of Representatives and The Rational and Scientific Place of People Who Understand The Technical Ramifications of Stupid Laws.

    --
    "Most people, I think, don't even know what a rootkit is, so why should they care about it?"
  85. Re:Wrong, there are laws, and this breaks one of t by Karl+Cocknozzle · · Score: 1

    I wish there was a moderation type called "You're reading my mind."

    --
    Who did what now?
  86. Wild Wild West by Anonymous Coward · · Score: 0

    "the Internet must not be allowed to 'decay into a lawless Wild West.'"

    You mean, like corporate America?

  87. Re:Wrong, there are laws, and this breaks one of t by greenbird · · Score: 1

    Since the vast majority is on Windows and DNS settings can be changed by the registry all one would have to do is post a zipped reg file to mediafire and the like and voila! The majority can bypass the bullshit as easy as "clicky clicky reboot".

    Good point. And once again half such files would point to bogus DNS servers with obvious results.

    --
    Who is John Galt?
  88. DNSBL, if implemented vs. malware such as by Anonymous Coward · · Score: 0

    Norton DNS does http://nortondns.com/ can be a GREAT thing to help stall, or even stop, the malware problem online.

    They filter on "malware-in-general" such as KNOWN bad sites/servers/hosts-domains, botnet C&C servers, & even bogus DNS servers by default (and their updates every few minutes for continuously updated protection are here http://safeweb.norton.com/buzz with site-checkers & even a removal appeals process etc./et al... IF a site does "clean up its act" etc. )

    Another decent set of these are:

    ---

    ScrubIT DNS -> http://www.scrubit.com/

    &

    Open DNS -> https://store.opendns.com/get/basic (with built in phishing protection even in the FREE basic model)

    ---

    I use all 3 @ once in my NAT stateful packet inspecting Linksys/CISCO router + my IP stack setup for my Local Area Connection here... in layered security fashion!

    * Each has a write-up on how they work, why they help, & more... enjoy!

    APK

    P.S.=> Between the layering of Filtering DNSBL utilizing DNS servers listed above, because I use them ALL in "layered-security fashion" in both my routers & IP stack setup here in Windows, in combination with:

    ---

    1.) A custom HOSTS file ( currently with 1,494,865++ entries of known bad sites/servers/hosts-domains, botnet C&C servers, & even rogue DNS servers blocked in it currently & growing "automagically" from 17 reputable & reliable sources for that type of data for HOSTS as well as DNSBL lists here from a Python script that does so for me),

    and

    2.) IP addressed threats inserted into my router & software firewalls

    3.) And lastly, system security-hardening, in depth -> http://www.bing.com/search?q=%22HOW+TO+SECURE+Windows+2000%2FXP%22&go=&form=QBRE

    ---

    ?

    I haven't caught a "malware of any kind" infection/infestation since, oh, around 1996 or so in fact!

    "Layered security", the best thing we have going currently, really WORKS!

    ... apk

  89. They don't know how because they don't need to yet by Tyr07 · · Score: 1

    Okay, average user who acquires software or music, anything that infringes on IP may not exactly know how to change their DNS server or figure out right away that they can enter the IP directly. That's because so far, they've had no reason to learn that information and put it to use. Give them a reason, and just like the knowledge of using a torrent it will spread and common users will know how to do it. "Herpa derp, I can't access this site. Oh hi joe can you access it still? Oh you can? How do you do it? Oh I have to do what? google for dns server? Hmm..let me read that...oh, that's easy, just hit properties and enter in a new dns server manually..oh that was easy..oh hello TPB!" I will herp and I will derp and blow all your computers down!

  90. Re:Wrong, there are laws, and this breaks one of t by hairyfeet · · Score: 1

    Ya know you'd think that would be the case, wouldn't you? But I guess since the malware guys have gotten so good at tricking users with "Iz_Not_Viruz_Iz" social engineering stuff like "The new Limewire" (I've seen that one quite a lot lately) and the security tool "ZOMG U Got Viruz!" trick that honestly I haven't seen an infected reg file in a while.

    Most of the reg files are written in human readable format with nice little readmes that you can use to check what it is supposed to do with the description. I've found most of the reg files are written by.....well by guys like me, little repair shop guys that find a niggler of a problem and write a reg file to deal with it and then when they find others on some forum with the same problem they drop it on mediafire. I have one I found that way that is frankly a little lifesaver for fixit guys, it is a little reg file that tosses the Windows Sound Server settings and then replaces them with the default values. If you have ever installed Windows or installed a sound driver only to have "No Device" show up under the Sound CPL applet? This fixes it, no matter which kind of soundchip you have. Just clicky clicky reboot and if anybody needs it feel free to email me.

    So while I'm sure you'll probably see one or two assholes, after all what is the Internet without assholes, like Goatse trolls they are just part of the experience, like TPB I'm sure the good reg files will quickly rise to the top through word of mouth and will be written in an easily read format complete with comments. There are just too many little fixit guys like me that hate to see the government fuck up something as fundamental as DNS so the RIAA can show how their little PPT says if they made X last year then they should make X*Y this year, regardless of the economy or whether their product is extra shitty this year or not.

    Mark my words, after they pull this shit and their sales don't go through the roof? First they'll claim it is Darknets, that Joe average has hooked into this vast dark web and THAT is how they are keeping from buying the *.AA precious, and then they'll most likely have themselves declared "Too big to fail" and along with perpetual copyrights they'll just take the money straight from your check each month. Isn't capitalism grand?

    --
    ACs don't waste your time replying, your posts are never seen by me.
  91. Re:Wrong, there are laws, and this breaks one of t by Anonymous Coward · · Score: 0

    Tells you how deep our government representatives are in the pockets of the RIAA/MPAA crowd.

    Or most of them are completely clueless, remember your government classes strong encryption as a munition and thus places restrictions on the export of some encryption software.

    N.B. I don't actually know the current status of encryption being classed as a munition in the US or current restrictions, but the point is that shouldn't have happened in the first place.

  92. Re:Wrong, there are laws, and this breaks one of t by jp10558 · · Score: 1

    That's all right, Comodo and other security software already offer to set your DNS to a "secure" DNS server (I can't comment on how true that statement is, but it's a different DNS server anyway) - and I'll bet they'll be advertising DNSSEC or whatever on the DNS servers they're using as another feature pretty quick...

    --
    Opera, Proxomitron-Grypen,GPG 0x0A1C6EE3