Slashdot Mirror

← Back to Stories (view on slashdot.org)

GCHQ Planning UK-Wide DNS Firewall (thestack.com)

Posted by msmash on from the big-brother-and-his-van dept.

An anonymous reader writes: UK surveillance agency GCHQ is exploring the use of a national 'firewall' in its fight against cybercrime, according to the organisation's head of cybersecurity. Alongside BT, Talk Talk and Virgin Media, GCHQ will work to filter out websites and email campaigns which are known to contain malicious content. The intelligence organisation believes that the best to way to set up such a blockade would be to build a national domain name system (DNS). In a speech delivered at the Billington Cyber Security Summit in Washington DC, director general for cyber security at GCHQ, Ciaran Martin, said: 'We're exploring a flagship project on scaling up DNS filtering: what better way of providing automated defences at scale than by the major private providers effectively blocking their customers from coming into contact with known malware and bad addresses?'

10 of 194 comments (clear)

  1. and then block porn / 3rd party candidates / free by Joe_Dragon · · Score: 5, Insightful

    and then block porn / 3rd party candidates / free press.

  2. Good, Bad And Ugly by alternative_right · · Score: 5, Insightful

    The Good: if there are known threats that can be filtered, this is the most efficient level on which to do them.

    The Bad: this will inevitably be extended to blocking torrent sites, Wikileaks and any web sites I administer.

    The Ugly: it will create a false sense of security, "educating" users to be less educated about their machines.

    --
    Alternative Right.
    1. Re:Good, Bad And Ugly by amxcoder · · Score: 3, Insightful

      Not much good in this at all. There are already alternative DNS providers that will block most of this stuff selectively by each user. I use OpenDNS myself for this purpose. This is effectively censoring by the government, and nothing less.

      Yes, it will eventually used to block torrent sites, the Pirate Bay, etc. It will be used to block any of the other downloading sites that are available whether they are torrent trackers or straight downloads or streaming sites.

      Even more, if riots break out, or dissension protests start up, all of a sudden Twitter and FB will be temporarily blocked to prevent coordination by participants. The US has already done similar to this, for instance in bay area BART stations where they shutdown the cell phone repeaters to prevent communication in the stations when Oakland had riots/protests going on. If UK can do it by simply blocking DNS to these sites, the same results will happen.

      Who decides what is considered "MalWare"? What are the criteria? Malware could be the typical kind, but could also include hacking software, keygen apps, apps that the RIAA/MPAA and big-media doesn't like? Everyones idea of what is malware, is probably slightly different. Viruses yes, but not all the others are malware. I know most virus scanners pick up keygen's and other cracking software as a virus even if it's not, but because want to scare away people from using them.

  3. Won't work. by BarbaraHudson · · Score: 4, Insightful

    You don't need DNS to visit a website. Also, there's nothing preventing you from running your own DNS.

    --
    "Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
    1. Re:Won't work. by Anonymous Coward · · Score: 2, Insightful

      Agreed.

      The Internet was designed to route around disruptions in the network. Censorship one type of disruption.

      If an end user doesn't like what GCHQ is doing, they can:
          1. Install a DNSSEC-enabled nameserver software on their end device or home network to bypass the firewalls and detect man-in-the-middle rewrties.
          2. Utilize another open recursive server - there are millions to choose from.
          3. Utilizea a VPN to get out of the country and utilize Google or OpenDNS or whatever recursive server via their tunnel endpoint.

      All this system would do is make Internet access more difficult/intrusive for UK citizens who don't want to be sheep.

  4. People's Republic of Great Britain by Errol+backfiring · · Score: 5, Insightful

    How many times do we have to say that 1984 was not an instruction manual?

    --
    Nae king! Nae laird! Nae yurrupiean pressedent! We willna be fooled again!
  5. FTFY GCHQ by Anonymous Coward · · Score: 2, Insightful

    what better way of providing national surveillance

  6. Re:Well.... by Anonymous Coward · · Score: 2, Insightful

    Hmm well if you understood what a DNS was you might feel differently. This would be easily circumvented but would protect the masses from malicious sites and for once it seems like a reasonable idea from a national agency.

  7. The Great Firewall of Britain! by Archtech · · Score: 5, Insightful

    "[W]hat better way of providing automated defences at scale than by the major private providers effectively blocking their customers from coming into contact with known malware and bad addresses?"

    What better way of allowing the UK government to censor what British people can see and hear on the Internet, without the huge majority of them having any idea that their Internet access is being censored?

    And for those who have suggested this is no big deal, just wait. This is a case of "First they came for the communists", with a vengeance. Quite apart from the fact that this is exactly what the Chinese government has been doing with its "Great Firewall of China" - and getting it in the neck for alleged tyranny, totalitarianism and censorship.

    Of course, how this policy would work out in practice does depend very much on who decides what constitutes "known malware and bad addresses [sic]". Previous draconian laws passed by the British Parliament were, we were solemnly promised, to be used only in the most serious of terrorist cases. A couple of years later, the powers were in fact being used by town councils to spy on what people put into their rubbish, how they kept their gardens, and other such personal and utterly non-vital matters.

    If a law is passed establishing a "Great Firewall of Britain", we can be quite sure that within a couple of years literally thousands of government employees - from the Prime Minister to town hall clerks - will be contributing "bad addresses" to the cumulative DNS blacklist. Just like the current Homeland Security watch lists in the USA, thousands of items will be added every month, and nothing will ever be removed.

    Indeed, people living in Britain may well find that, one day in the not-too-distant future, they are no longer able to read or contribute to Slashdot. After all, just think of all the contentious issues and worrying statements that are to be found on its pages! Some government functionary - or, perhaps more likely, an instance of that classic responsibility-diffusing mechanism, a committee - will take the view that it would perhaps be for the best if this rather dubious Web site were no longer to be accessible from the UK.

    --
    I am sure that there are many other solipsists out there.
  8. Re:and then block porn / 3rd party candidates / fr by rubycodez · · Score: 4, Insightful

    Thoughtcrime, Winston Smith. It's all doubleplusungood thoughtcrime.