Slashdot Mirror
ISPs Violating Net Neutrality To Block Encryption
Dupple writes One of the most frequent refrains from the big broadband players and their friends who are fighting against net neutrality rules is that there's no evidence that ISPs have been abusing a lack of net neutrality rules in the past, so why would they start now? That does ignore multiple instances of violations in the past, but in combing through the comments submitted to the FCC concerning net neutrality, we came across one very interesting one that actually makes some rather stunning revelations about the ways in which ISPs are currently violating net neutrality/open internet principles in a way designed to block encryption and thus make everyone a lot less secure.
They block encryption they are violating the telecommunication laws. And so they are not a carrier anymore.
As long as the ISPs retain monopoly positions, they will be able to do as they please (or as the NSA pleases to make them do).
And once there is healthy competition among them, there will be no need for the rest of us to legislate every minutiae of their behavior.
In Soviet Washington the swamp drains you.
if someone is selling "internet access" at x throughput rate.... that should mean something.
if someone wants to sell http-only access, fine. But you can't call it "internet access".
THL phish sticks
This was discussed when we were writing the 802.11i security specs. If an attacker can selectively DoS the link/network/whatever when security is enabled, you can fool the user to conclude the security is the problem and turn it off, whereupon everything starts to work.
There is a collision of two principles
1) Silently drop bad packets.
2) Let the user know something bad is happening.
These are opposing goals. In the case of this attack, we want #2, because we know they have evil intent and plaintext is not ok and we need the user to not turn off TLS.
In other cases, like front door attacks (as opposed to MITM), #1 is the way.
This is why designing a good security protocol is hard and TLS still does the wrong thing at the wrong time.
I should use this sig to advertise my book ISBN-13 : 978-1501515132.
Of these 3, I'm wondering which ones it is. Even if the majority of the tech savvy out there made a major stink made about this, since we can actively view what is or isn't working on the 'Net' (we have those tools...), we won't get the answers expected from ISP's technically explaining their reasoning and justification. It'll just be P.R. song and dance. OR, they won't answer at all, and that will an even bigger indicator of where this is coming from!
The Feds probably passed another secret rule, with an accompanying gag order, requiring ISPs to compromise encryption. "They're just following the law."
The article make it seem like they're blocking commands from/to the SMTP server. The banner (****) indicates they have a Cisco PIX in line doing the MiTM in the first place. Several ISPs (hotels in particular) do this to control outbound spamming.
Not a good thing, but a different kind of attack.
1. This information is regarding a unnamed "wireless broadband provider" so no one can even verify these claims.
2. This is only regarding SMTP. It is common practice for ISPs to block all access to 3rd party SMTP servers from their network to limit the amount of spam that originates from their network. This very well may just be another measure to curve spam being sent through their network.
3. The title of "ISPs Violating Net Neutrality To Block Encryption" is a bunch of bull honky. Currently the only legal "Net Neutrality" requirements are that ISPs publish a "transparency report" on their sites that their customers can access. This report says what type of bandwidth management practices are taken on the ISPs network. Though the requirement is very loose, so all the "transparency reports" you will read are a bit vague when in comes to some of the specifics.
Vodafone here in Europe is also blocking TLS when sending emails through their broadband services. They do so only when port 25 is used; they don't in other cases. My theory is that they want to be able to scan the emails for viruses and/or spam, and block the connection/notify the customer to avoid unpleasant bill suprises. At least that's what my optimistic POV wants to see.
How about blocking outbound spam going to port 25? Is that good behavior on the IPS's part, or bad behavior? This is not an easy question.
The log matches a Cisco firewall attempting to block malware and such being sent out.
It replaces all unknown / unsupported smtp commands with XXXXXX.
http://www.cisco.com/c/en/us/t...
I'm quite sure this is a cellular providers misdirected attempt to compress more data.
Lots of providers are doing "MiTM" on content over mobile networks to recompress images, text, video and such.
Encrypted content makes it impossible.
They're basically redirecting standard protocols to a cluster of "content accelerators" (transparent proxies that re-compresses data harder and with higher loss of quality)
Like this:
https://support.f5.com/kb/global/manual_images/MAN-0504-00_v2/swg_transparent_routed.png
Link to full page:
https://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-secure-web-gateway-implementations-11-5-0/5.html
Most likely someone has configured it in a horrible way to allow emails to be compressed more..
Should be punishable with deathrow on the scale though..
Time Warner is just as predatory and absurd. When you subscribe to their service, you'll receive almost weekly reminders to "bundle" your service together with cable TV and phone. Opting out from this advertising is almost impossible As a cable internet user, when you set up your open source router to block ICMP traffic and recurse your own DNS, you'll be instantly branded as abberant. IRC and VPN traffic ive found also trigger this reaction. Time Warner DNS servers will then redirect to a page accusing you of sending unwanted traffic. If you want to continue using Time Warner DNS you'll need to complete the electronic equivalent of an apology and sign up for an email address. You'll then be presented with their software and the DHCP assigned DNS servers will begin responding normally again. I returned to my own setup almost immediately after being forced into this.
Eventually my DNS recursor and irc client stopped functioning entirely, so i was forced to tunnel this traffic over to my VPS and the phonecalls started about my "unwanted" traffic. Explaining why you're doing this is pointless, but the calls are harmless so long as you pay the bills on time. In the age of cutthroat capitalism you're supposed to subscribe, bundle, consume, and repeat. My experience with Verizon was just as draconian with the exception that they also block all SMTP traffic and, should you null-route their advertising CDN used to inject targeted content, they become very interactive. Customer service will call you within a day asking to set up a service appointment for a connectivity problem theyve "detected."
Good people go to bed earlier.
This is why I think that the Netflix debacle amounts to a bait-and-switch on the part of the ISPs. If they advertise a connection to the 'Internet' at a given speed, then fail to deliver on that speed when the party on the other end has provided the necessary capacity, they are committing straight-up false advertising.
When the original article cites as its first example of network tinkering the already thoroughly debunked "faster Netflix through my VPN" video, the level of technical credibility to the article is already set at "abysmal". There's no argument that the VPN tunnel was faster (obviously), but the alleged reason (which many sites, including this fine establishment, got on the bandwagon for, even though they should know better) was horseshit.
Second, the article demonstrates the problem with a connection to tcp/25. Unless the customer is running a mail *server* on their residential ISP line, they should be connecting to tcp/587. The wireless provider in question here is absolutely within their bounds to say "they don't want you running an SMTP MTA on the wifi", but that running a normal MUA is fine. Is there any evidence that this problem also exists for connections to tcp/587?
Oh, I am voting for such people alright. But the last couple of elections I was overruled by the inane majority, who consider the color of a candidate's skin more important, than his qualifications.
Our "affirmative action" President plays golf with big cable CEO(s), and the rest of his party is in the big media's pocket as well.
Meanwhile, the rank-and-file partisans are encouraged to hate the Kochs brothers...
In Soviet Washington the swamp drains you.
I believe this is spot on. I also think that services stuck behind a NAT should not be sold as 'Internet' either. This seems like a perfect stick for the FCC to keep ISPs in line with. Do whatever you want, but if your product is inferior we won't let you advertise it as 'Internet'
09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
Google "250-XXXXXXXA asa cisco starttls" and you'll find this is almost certainly an ASA preventing TLS as configured on the device. Since it doesn't want TLS traffic, the config is to just mangle the packets. Well known effect, been around for years (5+). The FW admin needs to correctly deploy fixup, allow TLS or simply not inspect esmtp. Simple fix, documented in Cisco doc 118550, among many other places.
There exist more people than IPv4 addresses. This means that by your definition, some people just can't be on the IPv4 Internet. Is it honest to call a service that provides routable IPv6 but NATted IPv4 "Internet"?
Less Spam vs Open Internet? That's an easy question for me.
09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
...they'll eventually become utilities.
It used to be that my sister couldn't connect to Efnet using her 4g on her phone. I helped her bypass it by finding a server with SSL support and encrypting the connection to Efnet.
A few months ago, this quit working too. I was puzzled- how did Verizon know it was IRC traffic? The port was a standard HTTP port...
She found that turning SSL back OFF made the problem go away- she can get on IRC just fine now. It seems they no longer block IRC but block SSL? I didn't really investigate further, but this seems to explain it.
Is that techdirt did virtually no research on the issue, they just passed along what Golden Frog said in their filing.
Which brings me to the *really* scary part.
A company which provides VPN service should reasonably expect to have a clue when it comes to network operations.
Not only did this company not have the chops to figure out that 'someone may have incorrectly configured a firewall!', oh no. They decided to compound their inadequacy by including it in a filing to the god damn FCC.
So many levels of failure involved in this.
Then suddenly this is groundlessly expanded to a plot by multiple ISPs to block encryption. Never mind the fact that the peering point between Netflix's backbone provider and verizon becomes congested uses has nothing to do with encryption. Here is an analogy to highlight the fallacy TFA is making. Hans Riser, a linux developer, murdered his wife. There are also traffic jams during peak commuting hours in Los Angeles. Therefore linux developers are secretly plotting to murder their wives, so the police should keep them under constant surveillance.
It would be nice to punish these ISPs that block traffic by switching to a different one, but ohh wait, it's the only ISP in my area. #monopoly. From my point of view, I pay my ISP for internet access assuming they will correctly manage traffic and accommodate traffic growth. This is including Netflix. If they refuse, then they refuse to do their job.
Common firewalls do exactly what was described in a default configuration.
I'm not saying the ISP couldn't be doing it intentionally, but it's not valid as an automatic conclusion without confirmation.
There's a firewall on one end or the other manipulating traffic.
ISPs commonly block or filter port 25 as a spam prevention measure.
It's not a network neutrality violation, because the port is blocked regardless of what app or service is using it.
Also, you can likely use port 587 and it will probably work just fine
Take your meds and/or seek psychiatric help. This didn't really happen. You are being delusional. They also can't read your brainwaves, nor do they talk about you on the radio or tv.
When I was administrator in small ISP (about 100 customers) we solved that by monitoring rate of outgoing connections to port 25. Too many connections in 10 minutes - start blocking and call the customer to confirm if this is legit. If yes (happened exactly one time) customer got whitelisted, otherwise we would send somebody to help them with antivirus setup and cleaning up their machine. We also had transparent Squid http cache - not mandatory, but since traffic from cache was delivered at full LAN speed, almost everybody wanted it. The point is that it is possible to take care of the network without treating customers like irritating pests, it just needs a little extra effort.
Except it's always "up to" a given speed. Them providing you with no internet access is within the terms of the contract. I believe bullshit like that should be illegal, but what's a random person to do? I did pay more for a non-shared Verizon connection compared to cable through Comcast...
We used to use a similar solution when we were similarly sized.
At ~16k residential customers, we had to resort to less work-intensive methods. Transparent proxies are a good one. Though we don't try to mess with the end users' attempt at encrypting their sessions. I suspect that's either a mistake on the part of the ISP, or a limitation in the software/hardware they're using.
The alternative, is to just do what most large ISPs do- block outbound SMTP entirely.
This article is full of hyperbole
This is scary. If ISPs are actively trying to block the use of encryption, it shows how they might seek to block the use of VPNs and other important security protection measures, leaving all of us less safe.
This article and the write up are misrepresenting what's happening. You're trying to talk to an SMTP server, not the whole Internet. For some reason the SMTP server isn't supporting STARTTLS which is dumb, stupid and down right naive. They don't mention which broadband carrier but it would be nice to know so we could all do a Nelson and go "ha! ha!" The simple answer is allow them to fix their problem or just use another SMTP service that respects your transmission privacy preferences to all services they provide to you. They're not responsible for providing security to other services not under their control.
Since this is a wireless carrier you do have some protections regarding the network encryption already supporting your connection back to them. I won't get into CAVE or GSM security and any flaws but this is just a stupid ISP with one service not accepting TLS. What happens if you say try that at a GMAIL or YAHOO server instead on the same network? I don't see that scenario played out in the article. I for one know what happens there, it would have just been nice if these guys would have done a bit more investigation.
Harrison's Postulate - "For every action there is an equal and opposite criticism"
And then all the companies will rename their consumer plans, at the very least, "web" or "data" like the mobile companies do. And practically nobody will notice or care.
(T>t && O(n)--) == sqrt(666)
Sorry Time Warner employee/shill
I would like a military strong enough to not have to worry about enemies knowing our secrets.
I would rather pay a little to manage secrets than a lot to build a huge military infrastructure.
In other words any hostile action of any type against the US would mean certain elimination of the region issuing the attack.
That's not a statement about the strength of the military, it is a statement about the political willingness to use what military there is to eliminate any enemy. We could disband most of the military today and deal with every threat by simply placing a few nuclear weapons on the target. It would be a lot cheaper and take a lot fewer secrets to accomplish.
Imagine, the first Iraq war would be over in a couple of hours at most. The country would glow at night, but the threat would be gone. But, of course, others might see that as a threat to them, so they'd lob a few bombs our way, and we'd lob a few at them ...
Would you like to play a nice game of chess?
If every country did that the US would be the first to be wiped out.
If you have problems with your local internet (or cable) service provider, there is only one correct audience for your complaint. Competition is regulated LOCALLY, just like wars are handled NATIONALLY and family budgeting is a DOMESTIC issue. The FCC advises at https://www.fcc.gov/guides/cab... to direct complaints to local franchising authorities.
For example, with Comcast, they are required to plainly put this contact information on your bill. See for example this bill http://comcastbills.com/Compar... The franchise authority is on the bottom right. If you have unrequested upcharges on your bill and then the ISP fixes it, that is fine -- but you should also make a report to the LFA so they can see the pattern. You can also call the LFA first.
Talk of boycotts are not effective. Talking about Obama is not effective. Talking to your ISP is not effective. This is because you are not the customer. Your local regulatory commission is the customer. And they are not helping us because they do not understand the issues. They do not use pipe analogies and don't read slashdot. They worry about school funding, local taxes, AARP, and baking brownies. If you've read this far you already know what to do.
-- I was raised on the command line, bitch
If they advertise a connection to the 'Internet' at a given speed, then fail to deliver on that speed when the party on the other end has provided the necessary capacity, they are committing straight-up false advertising.
Big help - that was legislated here, and the ISP's responded - now all their contract say "speed of 1Kbit/sec up to 100Mb/sec" for example
There is no way to enforce ISP actual speed, except to switch providers. In many locations that is difficult to impossible. Just recently moved and had the option of DSL and cable, but DSL actually was limited to 40Mb, so only cable was realistic. Luckily the cable company didn't know this....
reproducable tests that can be done, and fits their Corporate MO.
doesn't sound delusional at all.
On both PrivateInternetAccess and VyprVPN connections, either of which COULD handle my unthrottled connection at my maximum advertised download rate until the middle of this year, my 100Mbps connection is down to ~8-15Mbps while on either VPN. The VPN or overhead aren't the limiting factor. I see better speeds on McDonalds hotspots or mobile data through either VPN. I'd imagine, if they're doing it, it's a nice way of lying about data limit enforcement (I'm far over the throttling threshold any given month, but their site says data caps aren't currently enforced). Last time I spoke with support about it and tried to get an admission of culpability for my subpar encrypted internets, I told the "tech" that his request to move the modem to an outlet in another room would take a bit longer while I found an extension cord. He transferred me to sales, where I was asked if I would like to purchase an extension cord.
At the instruction of NSA no doubt to prevent encrypted emails getting through, worrying!