Slashdot Mirror
ISPs Violating Net Neutrality To Block Encryption
Dupple writes One of the most frequent refrains from the big broadband players and their friends who are fighting against net neutrality rules is that there's no evidence that ISPs have been abusing a lack of net neutrality rules in the past, so why would they start now? That does ignore multiple instances of violations in the past, but in combing through the comments submitted to the FCC concerning net neutrality, we came across one very interesting one that actually makes some rather stunning revelations about the ways in which ISPs are currently violating net neutrality/open internet principles in a way designed to block encryption and thus make everyone a lot less secure.
They block encryption they are violating the telecommunication laws. And so they are not a carrier anymore.
As long as the ISPs retain monopoly positions, they will be able to do as they please (or as the NSA pleases to make them do).
And once there is healthy competition among them, there will be no need for the rest of us to legislate every minutiae of their behavior.
In Soviet Washington the swamp drains you.
if someone is selling "internet access" at x throughput rate.... that should mean something.
if someone wants to sell http-only access, fine. But you can't call it "internet access".
THL phish sticks
This was discussed when we were writing the 802.11i security specs. If an attacker can selectively DoS the link/network/whatever when security is enabled, you can fool the user to conclude the security is the problem and turn it off, whereupon everything starts to work.
There is a collision of two principles
1) Silently drop bad packets.
2) Let the user know something bad is happening.
These are opposing goals. In the case of this attack, we want #2, because we know they have evil intent and plaintext is not ok and we need the user to not turn off TLS.
In other cases, like front door attacks (as opposed to MITM), #1 is the way.
This is why designing a good security protocol is hard and TLS still does the wrong thing at the wrong time.
I should use this sig to advertise my book ISBN-13 : 978-1501515132.
Vodafone here in Europe is also blocking TLS when sending emails through their broadband services. They do so only when port 25 is used; they don't in other cases. My theory is that they want to be able to scan the emails for viruses and/or spam, and block the connection/notify the customer to avoid unpleasant bill suprises. At least that's what my optimistic POV wants to see.
The log matches a Cisco firewall attempting to block malware and such being sent out.
It replaces all unknown / unsupported smtp commands with XXXXXX.
http://www.cisco.com/c/en/us/t...
Time Warner is just as predatory and absurd. When you subscribe to their service, you'll receive almost weekly reminders to "bundle" your service together with cable TV and phone. Opting out from this advertising is almost impossible As a cable internet user, when you set up your open source router to block ICMP traffic and recurse your own DNS, you'll be instantly branded as abberant. IRC and VPN traffic ive found also trigger this reaction. Time Warner DNS servers will then redirect to a page accusing you of sending unwanted traffic. If you want to continue using Time Warner DNS you'll need to complete the electronic equivalent of an apology and sign up for an email address. You'll then be presented with their software and the DHCP assigned DNS servers will begin responding normally again. I returned to my own setup almost immediately after being forced into this.
Eventually my DNS recursor and irc client stopped functioning entirely, so i was forced to tunnel this traffic over to my VPS and the phonecalls started about my "unwanted" traffic. Explaining why you're doing this is pointless, but the calls are harmless so long as you pay the bills on time. In the age of cutthroat capitalism you're supposed to subscribe, bundle, consume, and repeat. My experience with Verizon was just as draconian with the exception that they also block all SMTP traffic and, should you null-route their advertising CDN used to inject targeted content, they become very interactive. Customer service will call you within a day asking to set up a service appointment for a connectivity problem theyve "detected."
Good people go to bed earlier.
This is why I think that the Netflix debacle amounts to a bait-and-switch on the part of the ISPs. If they advertise a connection to the 'Internet' at a given speed, then fail to deliver on that speed when the party on the other end has provided the necessary capacity, they are committing straight-up false advertising.
When the original article cites as its first example of network tinkering the already thoroughly debunked "faster Netflix through my VPN" video, the level of technical credibility to the article is already set at "abysmal". There's no argument that the VPN tunnel was faster (obviously), but the alleged reason (which many sites, including this fine establishment, got on the bandwagon for, even though they should know better) was horseshit.
Second, the article demonstrates the problem with a connection to tcp/25. Unless the customer is running a mail *server* on their residential ISP line, they should be connecting to tcp/587. The wireless provider in question here is absolutely within their bounds to say "they don't want you running an SMTP MTA on the wifi", but that running a normal MUA is fine. Is there any evidence that this problem also exists for connections to tcp/587?
I believe this is spot on. I also think that services stuck behind a NAT should not be sold as 'Internet' either. This seems like a perfect stick for the FCC to keep ISPs in line with. Do whatever you want, but if your product is inferior we won't let you advertise it as 'Internet'
09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
Google "250-XXXXXXXA asa cisco starttls" and you'll find this is almost certainly an ASA preventing TLS as configured on the device. Since it doesn't want TLS traffic, the config is to just mangle the packets. Well known effect, been around for years (5+). The FW admin needs to correctly deploy fixup, allow TLS or simply not inspect esmtp. Simple fix, documented in Cisco doc 118550, among many other places.
Well, I hope you're not singling him out. I've been watching the same thing for a very long time with many different actors. But the one thing remains as true as it ever has, the blame lies squarely on the shoulders of the voters, and nowhere else.
“He’s not deformed, he’s just drunk!”
It used to be that my sister couldn't connect to Efnet using her 4g on her phone. I helped her bypass it by finding a server with SSL support and encrypting the connection to Efnet.
A few months ago, this quit working too. I was puzzled- how did Verizon know it was IRC traffic? The port was a standard HTTP port...
She found that turning SSL back OFF made the problem go away- she can get on IRC just fine now. It seems they no longer block IRC but block SSL? I didn't really investigate further, but this seems to explain it.
Is that techdirt did virtually no research on the issue, they just passed along what Golden Frog said in their filing.
Which brings me to the *really* scary part.
A company which provides VPN service should reasonably expect to have a clue when it comes to network operations.
Not only did this company not have the chops to figure out that 'someone may have incorrectly configured a firewall!', oh no. They decided to compound their inadequacy by including it in a filing to the god damn FCC.
So many levels of failure involved in this.
When I was administrator in small ISP (about 100 customers) we solved that by monitoring rate of outgoing connections to port 25. Too many connections in 10 minutes - start blocking and call the customer to confirm if this is legit. If yes (happened exactly one time) customer got whitelisted, otherwise we would send somebody to help them with antivirus setup and cleaning up their machine. We also had transparent Squid http cache - not mandatory, but since traffic from cache was delivered at full LAN speed, almost everybody wanted it. The point is that it is possible to take care of the network without treating customers like irritating pests, it just needs a little extra effort.
We used to use a similar solution when we were similarly sized.
At ~16k residential customers, we had to resort to less work-intensive methods. Transparent proxies are a good one. Though we don't try to mess with the end users' attempt at encrypting their sessions. I suspect that's either a mistake on the part of the ISP, or a limitation in the software/hardware they're using.
The alternative, is to just do what most large ISPs do- block outbound SMTP entirely.
"Republicans are even MORE in favor of a corporatocracy than their opposition"
Don't bother. there is no functional or philosophical difference between the leadership of the two major parties. Making that point labels you as blinded by your own partisanship, and perpetuating the root problem - our political system is co-opted by lobbies of various constituents, industries, and others. A wholly owned subsidiary of interests that do not have our best interests at heart.
Really. if you don't get this, you don't get IT. At all.
deleting the extra space after periods so i can stay relevant, yeah.