ISPs Violating Net Neutrality To Block Encryption
Dupple writes: One of the most frequent refrains from the big broadband players and their friends who are fighting against net neutrality rules is that there's no evidence that ISPs have been abusing a lack of net neutrality rules in the past, so why would they start now? That does ignore multiple instances of violations in the past, but in combing through the comments submitted to the FCC concerning net neutrality, we came across one very interesting one that actually makes some rather stunning revelations about the ways in which ISPs are currently violating net neutrality/open internet principles in a way designed to block encryption and thus make everyone a lot less secure.
If they block encryption, they are violating the telecommunication laws. And so they are not a carrier anymore.
As long as the ISPs retain monopoly positions, they will be able to do as they please (or as the NSA pleases to make them do).
And once there is healthy competition among them, there will be no need for the rest of us to legislate every minutiae of their behavior.
In Soviet Washington the swamp drains you.
If someone is selling "internet access" at x throughput rate... that should mean something.
If someone wants to sell http-only access, fine. But you can't call it "internet access".
THL phish sticks
This was discussed when we were writing the 802.11i security specs. If an attacker can selectively DoS the link/network/whatever when security is enabled, you can fool the user to conclude the security is the problem and turn it off, whereupon everything starts to work.
There is a collision of two principles
1) Silently drop bad packets.
2) Let the user know something bad is happening.
These are opposing goals. In the case of this attack, we want #2, because we know they have evil intent and plaintext is not ok and we need the user to not turn off TLS.
In other cases, like front door attacks (as opposed to MITM), #1 is the way.
This is why designing a good security protocol is hard and TLS still does the wrong thing at the wrong time.
I should use this sig to advertise my book ISBN-13 : 978-1501515132.
Of these 3, I'm wondering which ones it is. Even if the majority of the tech savvy out there made a major stink about this, since we can actively view what is or isn't working on the 'Net' (we have those tools...), we won't get the answers expected from ISPs technically explaining their reasoning and justification. It'll just be P.R. song and dance. OR, they won't answer at all, and that will be an even bigger indicator of where this is coming from!
The Feds probably passed another secret rule, with an accompanying gag order, requiring ISPs to compromise encryption. "They're just following the law."
The article makes it seem like they're blocking commands from/to the SMTP server. The banner (****) indicates they have a Cisco PIX in line doing the MiTM in the first place. Several ISPs (hotels in particular) do this to control outbound spamming.
Not a good thing, but a different kind of attack.
1. This information is regarding an unnamed "wireless broadband provider" so no one can even verify these claims.
2. This is only regarding SMTP. It is common practice for ISPs to block all access to 3rd party SMTP servers from their network to limit the amount of spam that originates from their network. This very well may just be another measure to curb spam being sent through their network.
3. The title of "ISPs Violating Net Neutrality To Block Encryption" is a bunch of bull honky. Currently the only legal "Net Neutrality" requirements are that ISPs publish a "transparency report" on their sites that their customers can access. This report says what type of bandwidth management practices are taken on the ISPs network. Though the requirement is very loose, so all the "transparency reports" you will read are a bit vague when it comes to some of the specifics.
Vodafone here in Europe is also blocking TLS when sending emails through their broadband services. They do so only when port 25 is used; they don't in other cases. My theory is that they want to be able to scan the emails for viruses and/or spam, and block the connection/notify the customer to avoid unpleasant bill surprises. At least that's what my optimistic POV wants to see.
How about blocking outbound spam going to port 25? Is that good behavior on the ISP's part, or bad behavior? This is not an easy question.
The log matches a Cisco firewall attempting to block malware and such being sent out.
It replaces all unknown / unsupported SMTP commands with XXXXXX.
http://www.cisco.com/c/en/us/t...
I'm quite sure this is a cellular provider's misdirected attempt to compress more data.
Lots of providers are doing "MiTM" on content over mobile networks to recompress images, text, video and such.
Encrypted content makes it impossible.
They're basically redirecting standard protocols to a cluster of "content accelerators" (transparent proxies that re-compress data harder and with higher loss of quality).
Like this:
https://support.f5.com/kb/global/manual_images/MAN-0504-00_v2/swg_transparent_routed.png
Link to full page:
https://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-secure-web-gateway-implementations-11-5-0/5.html
Most likely someone has configured it in a horrible way to allow emails to be compressed more..
Should be punishable with deathrow on the scale though..
Time Warner is just as predatory and absurd. When you subscribe to their service, you'll receive almost weekly reminders to "bundle" your service together with cable TV and phone. Opting out from this advertising is almost impossible. As a cable internet user, when you set up your open source router to block ICMP traffic and recurse your own DNS, you'll be instantly branded as aberrant. IRC and VPN traffic I've found also trigger this reaction. Time Warner DNS servers will then redirect to a page accusing you of sending unwanted traffic. If you want to continue using Time Warner DNS you'll need to complete the electronic equivalent of an apology and sign up for an email address. You'll then be presented with their software and the DHCP assigned DNS servers will begin responding normally again. I returned to my own setup almost immediately after being forced into this.
Eventually my DNS recursor and IRC client stopped functioning entirely, so I was forced to tunnel this traffic over to my VPS and the phone calls started about my "unwanted" traffic. Explaining why you're doing this is pointless, but the calls are harmless so long as you pay the bills on time. In the age of cutthroat capitalism you're supposed to subscribe, bundle, consume, and repeat. My experience with Verizon was just as draconian with the exception that they also block all SMTP traffic and, should you null-route their advertising CDN used to inject targeted content, they become very interactive. Customer service will call you within a day asking to set up a service appointment for a connectivity problem they've "detected."
Good people go to bed earlier.
This is why I think that the Netflix debacle amounts to a bait-and-switch on the part of the ISPs. If they advertise a connection to the 'Internet' at a given speed, then fail to deliver on that speed when the party on the other end has provided the necessary capacity, they are committing straight-up false advertising.
When the original article cites as its first example of network tinkering the already thoroughly debunked "faster Netflix through my VPN" video, the level of technical credibility to the article is already set at "abysmal". There's no argument that the VPN tunnel was faster (obviously), but the alleged reason (which many sites, including this fine establishment, got on the bandwagon for, even though they should know better) was horseshit.
Second, the article demonstrates the problem with a connection to tcp/25. Unless the customer is running a mail *server* on their residential ISP line, they should be connecting to tcp/587. The wireless provider in question here is absolutely within their bounds to say "they don't want you running an SMTP MTA on the wifi", but running a normal MUA is fine. Is there any evidence that this problem also exists for connections to tcp/587?
I believe this is spot on. I also think that services stuck behind a NAT should not be sold as 'Internet' either. This seems like a perfect stick for the FCC to keep ISPs in line with. Do whatever you want, but if your product is inferior we won't let you advertise it as 'Internet'
09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
Google "250-XXXXXXXA asa cisco starttls" and you'll find this is almost certainly an ASA preventing TLS as configured on the device. Since it doesn't want TLS traffic, the config is to just mangle the packets. Well known effect, been around for years (5+). The FW admin needs to correctly deploy fixup, allow TLS or simply not inspect esmtp. Simple fix, documented in Cisco doc 118550, among many other places.
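A quick way to check for this from the client side, as an added example (not code from the thread or from Cisco): parse the multi-line EHLO reply and look for the pattern the thread describes, an extension keyword overwritten with a run of X characters while STARTTLS is absent. The sample replies are constructed; the host names are placeholders.

```python
"""Detect in-path ESMTP inspection that masks STARTTLS in an EHLO reply.

Parses an RFC 5321 multi-line reply ("250-" continuation lines, "250 "
final line) and reports whether STARTTLS is offered and whether any
extension keyword has been replaced by a run of 'X', the masking the
thread attributes to Cisco PIX/ASA "inspect esmtp".
"""
import re
from dataclasses import dataclass, field

# Constructed sample: what a client might see through an inspecting firewall.
MASKED_EHLO = (
    "250-mail.example.net Hello client.example.org\r\n"
    "250-SIZE 35882577\r\n"
    "250-8BITMIME\r\n"
    "250-XXXXXXXA\r\n"
    "250-ENHANCEDSTATUSCODES\r\n"
    "250-PIPELINING\r\n"
    "250 HELP\r\n"
)

# Constructed sample: the same server reached without inspection.
CLEAN_EHLO = MASKED_EHLO.replace("250-XXXXXXXA", "250-STARTTLS")

# A keyword made of four or more X's (optionally followed by leftover
# characters) is not a registered SMTP extension name.
MASK_RE = re.compile(r"^X{4,}[A-Z0-9]*$")


@dataclass
class EhloReport:
    extensions: list = field(default_factory=list)
    masked: list = field(default_factory=list)
    starttls: bool = False

    @property
    def suspicious(self) -> bool:
        # STARTTLS missing while a masked keyword is present is the
        # signature discussed in the thread.
        return (not self.starttls) and bool(self.masked)


def parse_ehlo(reply: str) -> EhloReport:
    """Classify every extension line of an EHLO reply."""
    report = EhloReport()
    lines = reply.splitlines()
    # The first line is the server greeting, not an extension.
    for line in lines[1:]:
        if len(line) < 4 or not line.startswith("250") or line[3] not in "- ":
            raise ValueError(f"unexpected reply line: {line!r}")
        keyword = line[4:].split(" ", 1)[0].upper()
        report.extensions.append(keyword)
        if keyword == "STARTTLS":
            report.starttls = True
        elif MASK_RE.match(keyword):
            report.masked.append(keyword)
    return report


if __name__ == "__main__":
    for name, reply in (("masked", MASKED_EHLO), ("clean", CLEAN_EHLO)):
        r = parse_ehlo(reply)
        print(name, "starttls:", r.starttls, "masked:", r.masked,
              "suspicious:", r.suspicious)
```

Feed it the reply captured from a session to a server that is known to advertise STARTTLS; a suspicious result points at something between you and the server rather than at the server itself.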
There exist more people than IPv4 addresses. This means that by your definition, some people just can't be on the IPv4 Internet. Is it honest to call a service that provides routable IPv6 but NATted IPv4 "Internet"?
Less Spam vs Open Internet? That's an easy question for me.
09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
...they'll eventually become utilities.
Well, I hope you're not singling him out. I've been watching the same thing for a very long time with many different actors. But the one thing remains as true as it ever has, the blame lies squarely on the shoulders of the voters, and nowhere else.
“He’s not deformed, he’s just drunk!”
It used to be that my sister couldn't connect to Efnet using her 4g on her phone. I helped her bypass it by finding a server with SSL support and encrypting the connection to Efnet.
A few months ago, this quit working too. I was puzzled- how did Verizon know it was IRC traffic? The port was a standard HTTP port...
She found that turning SSL back OFF made the problem go away- she can get on IRC just fine now. It seems they no longer block IRC but block SSL? I didn't really investigate further, but this seems to explain it.
To which such people are you referring as voting for? I mean, I realize from some of your foolish hyperbole that you vote right wing and therefore against your own economic interests, but the Republicans are even MORE in favor of a corporatocracy than their opposition. They are dead set against net neutrality AND increased competition. Competition lowers profits you know.
BTW, a lot of us who voted for Obama did so simply because he was not Romney. Most of us are disappointed in him for doing what people like you would want economically, and you go off on him like he's some kind of antitrust act enforcing purveyor of new deal era policies. I really wish that were true. The country was a lot better off without the enormous wealth redistribution from the middle class to the rich and corporate we've had these last few administrations.
Is that Techdirt did virtually no research on the issue, they just passed along what Golden Frog said in their filing.
Which brings me to the *really* scary part.
A company which provides VPN service should reasonably expect to have a clue when it comes to network operations.
Not only did this company not have the chops to figure out that 'someone may have incorrectly configured a firewall!', oh no. They decided to compound their inadequacy by including it in a filing to the god damn FCC.
So many levels of failure involved in this.
Most of us are disappointed in him for doing what people like you would want economically, and you go off on him like he's some kind of antitrust act enforcing purveyor of new deal era policies. I really wish that were true. The country was a lot better off without the enormous wealth redistribution from the middle class to the rich and corporate we've had these last few administrations.
Most of that wealth redistribution is completely voluntary. People have been spending their money like crazy, even going into debt for many times their annual income, just to live a certain lifestyle. We are paying the 1%ers interest, just to join our national mass delusion for movies, cable tv, sports games, computers, toys, and other entertainment.
The politicians we elect are just another symptom, not the cause.
If you think I voted for Trump because of this post, you're wrong. I voted for Dr. Jill Stein of the Green Party. Again.
It would be nice to punish these ISPs that block traffic by switching to a different one, but ohh wait, it's the only ISP in my area. #monopoly. From my point of view, I pay my ISP for internet access assuming they will correctly manage traffic and accommodate traffic growth. This is including Netflix. If they refuse, then they refuse to do their job.
Common firewalls do exactly what was described in a default configuration.
I'm not saying the ISP couldn't be doing it intentionally, but it's not valid as an automatic conclusion without confirmation.
There's a firewall on one end or the other manipulating traffic.
ISPs commonly block or filter port 25 as a spam prevention measure.
It's not a network neutrality violation, because the port is blocked regardless of what app or service is using it.
Also, you can likely use port 587 and it will probably work just fine.
When I was an administrator at a small ISP (about 100 customers) we solved that by monitoring the rate of outgoing connections to port 25. Too many connections in 10 minutes - start blocking and call the customer to confirm if this is legit. If yes (happened exactly one time) the customer got whitelisted, otherwise we would send somebody to help them with antivirus setup and cleaning up their machine. We also had a transparent Squid HTTP cache - not mandatory, but since traffic from the cache was delivered at full LAN speed, almost everybody wanted it. The point is that it is possible to take care of the network without treating customers like irritating pests, it just needs a little extra effort.
Except it's always "up to" a given speed. Them providing you with no internet access is within the terms of the contract. I believe bullshit like that should be illegal, but what's a random person to do? I did pay more for a non-shared Verizon connection compared to cable through Comcast...
We used to use a similar solution when we were similarly sized.
At ~16k residential customers, we had to resort to less work-intensive methods. Transparent proxies are a good one. Though we don't try to mess with the end users' attempt at encrypting their sessions. I suspect that's either a mistake on the part of the ISP, or a limitation in the software/hardware they're using.
The alternative is to just do what most large ISPs do - block outbound SMTP entirely.
This article is full of hyperbole
This is scary. If ISPs are actively trying to block the use of encryption, it shows how they might seek to block the use of VPNs and other important security protection measures, leaving all of us less safe.
This article and the write up are misrepresenting what's happening. You're trying to talk to an SMTP server, not the whole Internet. For some reason the SMTP server isn't supporting STARTTLS which is dumb, stupid and downright naive. They don't mention which broadband carrier but it would be nice to know so we could all do a Nelson and go "ha! ha!" The simple answer is allow them to fix their problem or just use another SMTP service that respects your transmission privacy preferences to all services they provide to you. They're not responsible for providing security to other services not under their control.
Since this is a wireless carrier you do have some protections regarding the network encryption already supporting your connection back to them. I won't get into CAVE or GSM security and any flaws but this is just a stupid ISP with one service not accepting TLS. What happens if you, say, try that at a GMAIL or YAHOO server instead on the same network? I don't see that scenario played out in the article. I for one know what happens there, it would have just been nice if these guys would have done a bit more investigation.
Harrison's Postulate - "For every action there is an equal and opposite criticism"
And then all the companies will rename their consumer plans, at the very least, "web" or "data" like the mobile companies do. And practically nobody will notice or care.
(T>t && O(n)--) == sqrt(666)
"Republicans are even MORE in favor of a corporatocracy than their opposition"
Don't bother. There is no functional or philosophical difference between the leadership of the two major parties. Making that point labels you as blinded by your own partisanship, and perpetuating the root problem - our political system is co-opted by lobbies of various constituents, industries, and others. A wholly owned subsidiary of interests that do not have our best interests at heart.
Really. If you don't get this, you don't get IT. At all.
deleting the extra space after periods so i can stay relevant, yeah.
I would like a military strong enough to not have to worry about enemies knowing our secrets.
I would rather pay a little to manage secrets than a lot to build a huge military infrastructure.
In other words any hostile action of any type against the US would mean certain elimination of the region issuing the attack.
That's not a statement about the strength of the military, it is a statement about the political willingness to use what military there is to eliminate any enemy. We could disband most of the military today and deal with every threat by simply placing a few nuclear weapons on the target. It would be a lot cheaper and take a lot fewer secrets to accomplish.
Imagine, the first Iraq war would be over in a couple of hours at most. The country would glow at night, but the threat would be gone. But, of course, others might see that as a threat to them, so they'd lob a few bombs our way, and we'd lob a few at them ...
Would you like to play a nice game of chess?
I really can't tell if you're for Competition or Monopolies. Most conservatives believe the government created monopolies are a bad thing, while liberals support Government regulated monopolies, because of, you know, regulations. Every regulation that increases the cost to enter into the market reduces competition, raises prices, and profits, creating the very corporatocracy that you claim you're against.
And voting for Obama because he wasn't Romney is why liberals are just plain stupid. They elected someone who has no experience doing anything, because he looked better on paper (having done nothing, including voting "present"). You're disappointed in him, but he has done EVERYTHING he said he was going to do; you were either too dumb or not paying attention to what he was actually saying.
And how is the whole "spreading the wealth around" thing working out? These last six years have seen the wealthiest people getting richer, while the middle class is being bludgeoned by more taxes, more regulation, more government telling them what to do, more invasion of privacy, more scandals. I wonder if this was GWB (or Romney) how you guys would be apoplectic about how evil he was.
You know it is bad when Cheney and Carter both say the same thing about Obama's foreign policy. Suck it up and admit that you can't fix this Obamanation, and actually vote for real change (Libertarian).
Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
Oh, I am voting for such people alright. But the last couple of elections I was overruled by the inane majority, who consider the color of a candidate's skin more important than his qualifications.
Our "affirmative action" President plays golf with big cable CEO(s), and the rest of his party is in the big media's pocket as well.
Meanwhile, the rank-and-file partisans are encouraged to hate the Koch brothers...
Do you honestly believe that someone would be allowed to run for president of the USA who wasn't in big media's pocket?
In the free world the media isn't government run; the government is media run.
I honestly believe, that if your (cynical) point of view was connected to reality, we wouldn't have seen the sort of media bias on display in the last two elections.
In Soviet Washington the swamp drains you.
I honestly believe, that if your (cynical) point of view was connected to reality, we wouldn't have seen the sort of media bias on display in the last two elections.
It's a single party system with big media trying to give the illusion of choice.
USA and North Korea have more in common than just taxing overseas income of their citizens...
In the free world the media isn't government run; the government is media run.
If every country did that the US would be the first to be wiped out.
How is that derangement syndrome thing working out for you?
If you have problems with your local internet (or cable) service provider, there is only one correct audience for your complaint. Competition is regulated LOCALLY, just like wars are handled NATIONALLY and family budgeting is a DOMESTIC issue. The FCC advises at https://www.fcc.gov/guides/cab... to direct complaints to local franchising authorities.
For example, with Comcast, they are required to plainly put this contact information on your bill. See for example this bill http://comcastbills.com/Compar... The franchise authority is on the bottom right. If you have unrequested upcharges on your bill and then the ISP fixes it, that is fine -- but you should also make a report to the LFA so they can see the pattern. You can also call the LFA first.
Talk of boycotts is not effective. Talking about Obama is not effective. Talking to your ISP is not effective. This is because you are not the customer. Your local regulatory commission is the customer. And they are not helping us because they do not understand the issues. They do not use pipe analogies and don't read Slashdot. They worry about school funding, local taxes, AARP, and baking brownies. If you've read this far you already know what to do.
-- I was raised on the command line, bitch
To which such people are you referring as voting for?
He didn't bring up republicans. You did. He merely indicated he didn't vote for Obama. As far as anyone knows, when he voted for "the right people" he voted for himself.
I'm seriously sick of you fuckers with your D/R myopia.
On both PrivateInternetAccess and VyprVPN connections, either of which COULD handle my unthrottled connection at my maximum advertised download rate until the middle of this year, my 100Mbps connection is down to ~8-15Mbps while on either VPN. The VPN or overhead aren't the limiting factor. I see better speeds on McDonalds hotspots or mobile data through either VPN. I'd imagine, if they're doing it, it's a nice way of lying about data limit enforcement (I'm far over the throttling threshold any given month, but their site says data caps aren't currently enforced). Last time I spoke with support about it and tried to get an admission of culpability for my subpar encrypted internets, I told the "tech" that his request to move the modem to an outlet in another room would take a bit longer while I found an extension cord. He transferred me to sales, where I was asked if I would like to purchase an extension cord.