Slashdot Mirror
GCHQ Planning UK-Wide DNS Firewall (thestack.com)
An anonymous reader writes: UK surveillance agency GCHQ is exploring the use of a national 'firewall' in its fight against cybercrime, according to the organisation's head of cybersecurity. Alongside BT, Talk Talk and Virgin Media, GCHQ will work to filter out websites and email campaigns which are known to contain malicious content. The intelligence organisation believes that the best to way to set up such a blockade would be to build a national domain name system (DNS). In a speech delivered at the Billington Cyber Security Summit in Washington DC, director general for cyber security at GCHQ, Ciaran Martin, said: 'We're exploring a flagship project on scaling up DNS filtering: what better way of providing automated defences at scale than by the major private providers effectively blocking their customers from coming into contact with known malware and bad addresses?'
and then block porn / 3rd party candidates / free press.
The Good: if there are known threats that can be filtered, this is the most efficient level on which to do them.
The Bad: this will inevitably be extended to blocking torrent sites, Wikileaks and any web sites I administer.
The Ugly: it will create a false sense of security, "educating" users to be less educated about their machines.
Alternative Right.
You don't need DNS to visit a website. Also, there's nothing preventing you from running your own DNS.
"Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
This will assist them in their budding mental hygiene program to prevent thought crimes, and of core protect "intellectual" property.
How many times do we have to say that 1984 was not an instruction manual?
Nae king! Nae laird! Nae yurrupiean pressedent! We willna be fooled again!
or 4.4.4.4
It's England. More than two parties is encouraged.
-- Make America hate again!
If they do this, I hope that they will allow an opt-out. Anything else would feel like an act of censorship, even if that may not be the intent.
Jumpstart the tartan drive.
what better way of providing national surveillance
Because, if for no other reason, the World will be controlling their Internets anyways.
Let them.
deleting the extra space after periods so i can stay relevant, yeah.
If this is just supplying a list of IPs, as Spamhaus, OpenBL and Dshield do, then it's nothing much to be concerned about. OTOH ...
https://www.spamhaus.org/drop/
http://www.openbl.org/
https://www.dshield.org/xml.ht...
How many times do we have to say that 1984 was not an instruction manual?
Evidently one more time as always.
This is a slippery slope and it's one of the reasons we shouldn't try to fix what isn't broken, by giving up control over domain assignments. We have more of a hands off tradition over here that other countries do not necessarily share.
You don't need DNS to visit a website.
I can think of two ways to visit a website without DNS, and both have serious drawbacks.
Add the IP address and name to the hosts file This breaks whenever the site's IP address changes. This file is traditionally editable only by root, and root access is often impractical to gain on any type of device other than a desktop or traditional laptop PC, especially a smartphone or a tablet computer running a smartphone operating system. (Finally, recommending the use of such a file summons him.) Enter the IP address in the URL instead of the hostname This also breaks whenever the site's IP address changes. In addition, it produces a certificate error, as certification authorities issue TLS certificates to operators of hostnames, not IP addresses. If you attempt to work around the certificate error by using legacy cleartext HTTP instead of HTTPS, you lose access to sensitive JavaScript features that browsers have begun to expose only to HTTPS sites, and a man in the middle can easily alter what you see. And either way, you can see only the first site on a given IP address, not other sites hosted on the same address using name-based virtual hosting.Also, there's nothing preventing you from running your own DNS.
Other than border security intercepting all outbound connections or datagrams on port 53.
.
This looks like the first step towards censorship to me. What will be next on the list of Things That Should Be Blocked?
Hadrian's Firewall
Hmm well if you understood what a DNS was you might feel differently. This would be easily circumvented but would protect the masses from malicious sites and for once it seems like a reasonable idea from a national agency.
So am I misunderstanding, or would it be easy enough to avoid this "firewall" by simply changing your DNS server settings?
"[W]hat better way of providing automated defences at scale than by the major private providers effectively blocking their customers from coming into contact with known malware and bad addresses?"
What better way of allowing the UK government to censor what British people can see and hear on the Internet, without the huge majority of them having any idea that their Internet access is being censored?
And for those who have suggested this is no big deal, just wait. This is a case of "First they came for the communists", with a vengeance. Quite apart from the fact that this is exactly what the Chinese government has been doing with its "Great Firewall of China" - and getting it in the neck for alleged tyranny, totalitarianism and censorship.
Of course, how this policy would work out in practice does depend very much on who decides what constitutes "known malware and bad addresses [sic]". Previous draconian laws passed by the British Parliament were, we were solemnly promised, to be used only in the most serious of terrorist cases. A couple of years later, the powers were in fact being used by town councils to spy on what people put into their rubbish, how they kept their gardens, and other such personal and utterly non-vital matters.
If a law is passed establishing a "Great Firewall of Britain", we can be quite sure that within a couple of years literally thousands of government employees - from the Prime Minister to town hall clerks - will be contributing "bad addresses" to the cumulative DNS blacklist. Just like the current Homeland Security watch lists in the USA, thousands of items will be added every month, and nothing will ever be removed.
Indeed, people living in Britain may well find that, one day in the not-too-distant future, they are no longer able to read or contribute to Slashdot. After all, just think of all the contentious issues and worrying statements that are to be found on its pages! Some government functionary - or, perhaps more likely, an instance of that classic responsibility-diffusing mechanism, a committee - will take the view that it would perhaps be for the best if this rather dubious Web site were no longer to be accessible from the UK.
I am sure that there are many other solipsists out there.
with the Chinese, I'm sure they'll give you a copy of their firewall.
Are they going to just redirect all DNS attempts? Or are people using 8.8.8.8 or other public DNS servers affected?
Browsers already block known attack sites, including GCHQs, so GCHQs list would be smaller (excluding their own malware). It adds nothing, it takes it away.
It doesn't prevent attack, because a DDNS attacker does not query every time for the DNS address, and there's no reason for malware to reference a known address or even reference it by DNS name.
So the claimed purpose does not match the technical basis. More likely bulk surveillance of Brits.
The only reason only a women is made Home Secretary is because men have Porn surfing histories and GCHQ monitors/ can leverage that. So since they started their illegal 'Mastering the Internet' domestic surveillance program, all Home Secs have been women. It was Theresa May, currently it's "Amber Rudd".
Without surveillance Theresa May would likely not have been Home Secretary, and from that position she magically leveraged her way into the PM slot, shortly after pushing Snoopers Charter through the House of Commons. i.e. she's not elected as PM, and as Home Secretary she had access to surveillance data not available to her rivals. It is implausible that a group acting against British interests (GCHQ), with a ludicrous interpretation of UK laws, didn't help her with all this surveillance data it happened to be collecting on Britains, including all of her rivals.
She is not our PM, she is their's. Until she faces a fair election without GCHQs bulk surveillance, she is not the PM, she is a puppet. When will she hold an election? Cameron has resigned, she needs to go to the people and get elected.
Don't they have anything better to do than imitate bad Bond villain plots?.
"First they came for the slanderers and i said nothing."
This proposal reminds me of the 1960 obscenity trial of Penguin Books for the publication of "Lady Chatterley's Lover" by D.H. Lawrence. The chief prosecutor, Mervyn Griffith-Jones, caused some merriment but also revealed his deep prejudices by asking if it were the kind of book "you would wish your wife or servants to read". (If they have time on their hands, readers are encouraged to compile a full list of the ways in which that remark was patronising and bigoted).
If this proposal is taken up by the UK government, it will means that - more than fifty years after the "Lady Chatterley" trial, in an era that prides itself on its freedom of expression - government officials will be asking themselves, in the privacy of their offices, "Is this the kind of Web site you would wish your wife or servants to read?" As it is so very much easier to be safe than sorry, no doubt the answer will very often be, "Actually, no, old man, it isn't" - and off will go another batch of "bad addresses" to the Black List, never ever again to be seen.
I am sure that there are many other solipsists out there.
Providing a national DNS service with nanny filtering sounds too easy to workaround (just point to Google's DNS, OpenDNS etc. instead - just any non-UK reliable DNS service would do). Wouldn't they also have to have the ISPs blocking those other DNS services as well?
Like all these blocking services, they'll never publish the full list of what they block, hiding behind the claim that it's either proprietary or will give people clues as where the dodgy sites are. Problem is, this means they can block all sort of sites incorrectly and it's hard to know they've done it until someone has to go and kick up a fuss about it in the media.
...in VPN providers and anyone else who provides secure, private internet access ;) I think aunty GCHQ's values and priorities may differ significantly and substantially from my own and probably many other people's and we'll disagree on what should and shouldn't be blocked.
and then block porn / 3rd party candidates / free press.
Which of the remaining 11 parties after the first two currently in the house of commons do you consider to be the third one? And to which party to you count the cross bench peers in the Lords?
SJW n. One who posts facts.
...Because this is how you get Balkanization. Why have just one pesky uncontrollable "World Wide" Web, when we could have 196 of them, all slightly different?
Our third party self destructed a couple of years ago and our second party is in process of self destruction.
I am TheRaven on Soylent News
1. gee, if there were only a way to find out TL;DC : 8.8.8.8, 8.8.4.4 not 4.4.4.4
2. you're just trading the NSA for GCHQ, you patriotic American, you.
the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff
OK, so lets say this is done, and ISP's are required to have the DNS servers IP as their DHCP autoconfig response.
Questions:
1/ Who will own and operate this DNS service?
2/ What will their DNS request logging retention look like?
3/ Who will have access to those records and with what authentication?
4/ Why are you now thinking this is something from George Orwell's 1984?
Our third party self destructed a couple of years ago and our second party is in process of self destruction.
England's main parties you mean.. in Scotland the Scottish National Party is first by several country miles in terms of both Westminster and Holyrood elected representatives numbers.
What could go wrong? I mean really, who the fuck trusts a consortium of GCHQ and several mega-corps to neutrally and impartially protect them from "known malware and bad addresses"? Incidentally, I have to wonder - do those 'bad addresses' include sites that are critical of the government and/or the companies in question? Might they include 'non-approved' IP telephony services? Sites that promote Scottish independence?
The opportunities for abuse are endless. This is a very bad idea.
'The Economy' is a giant Ponzi scheme whose most pitiable suckers are the youngest among us and the yet-unborn.
Perhaps a family with an R in front of thier name knows more about whats happening in the banks and on the internet than you all. I wonder why? Hmm...
If the U.N. gets control of the internet DNS service they will need a defense.
You can't let the MBH's coalition own thier country, just yours.
And the reason for the Lib Dem destruction is in propping up a coalition government that nobody liked. The electorate punished them and not the larger partner of the coalition. Strange. Or maybe demonstration of just how much control the right wing media has over a large portion of the electorate.
The implosion of Labour is hilarious. The party is collapsing because it's got too many MPs who wanted to be in the Conservative Party but somehow joined Labour, presumably by mistake.
The Conservatives may be divided over Brexit but the upcoming constituency boundary changes mean we're going to have a Conservative government for another 20 years or more. Just have to prepare to get health insurance when they finally get to dismantle the NHS and I should be fine.
So isil.org would be blocked, but wearenotterroristsnothingtoseehere.org would not be.
Oh, also, https://142.235.76.22/ would also not be blocked, since it doesn't use DNS
Where are we going and why are we in a handbasket?
...and sheep sites in Scotland.
“We shall meet in the place where there is no darkness.” George Orwell, 1984
So, they're more or less copying China's Great Firewall. Just need to add something to inject RST packets to interfere with connections to banned IPs.
English politics are strange.
Conservatives and Lib Dems set up a coalition, Conservatives do a lot of bad things and Lib Dems only prevent some of them: Lib Dems collapse.
Conservatives and Labour jointly try to run a campaign to stay in the EU, to deal with the mess that the Conservatives created: Labour collapse.
Finally! A year of moderation! Ready for 2019?
Ok, ipv6, and any malicious website can quickly exhaust hardware capabilities of such "firewalls" on 1G+ speeds. ACL entries are costly on such speeds.
Well, nationally too. The SNP don't make it into fourth place nationally. They're barely ahead of the Green party ffs.
Well, apply recursion to the process and the simple answer is 'all of them'.
I'm so tired of this crap. If you fuck with DNS people will just use IP literals or invent separate control channels to replace DNS.
Security strategies that "solve" a current problem while ignoring the fact your adversaries are thinking humans with a mind just like yours only lead to collateral damage while not solving the original problem.
There is still quite a lot of low hanging fruit still left to be plucked in terms of human factors and system design that would actually be effective beyond screwing with deck chairs of sinking vessels.
If governments really gave a shit they would pitch in resources to effect positive outcomes rather than their panopticon bullshit to monitor and control information flows. Of course they don't so they won't.
And the reason for the Lib Dem destruction is in propping up a coalition government that nobody liked. The electorate punished them and not the larger partner of the coalition. Strange.
Not really that strange. As far as I can tell, they got delayed punishment for going into a coalition with the Conservatives in the first place, rather than aligning with Labour as most Lib Dem voters would have expected. The fury at that cannot be understated; I believe their membership dropped considerably immediately after that fateful decision. Their rout at the following general election was only to be expected. Clegg destroyed that party.
Well, nationally too. The SNP don't make it into fourth place nationally. They're barely ahead of the Green party ffs.
the changes at Holyrood kinda makes a point that image eh?
2010 's Westminster seats in Scotland
and after the 2015 election the electoral map looked like this
Also... just ahead of the greens?.. quite an achievement considering they only stand for election in Scottish seats and have no need or interest in campaigning in English/Welsh or Irish seats. They have the votes of the vast majority of Scots but i suppose that doesn't count as if it's of any importance eh?
Thoughtcrime, Winston Smith. It's all doubleplusungood thoughtcrime.
It's England.
Well, the UK. For now.
systemd is Roko's Basilisk.
Aw, c'mon! Now I'm just feeling sad.
--USA person
Manager: I'm sorry, but if you don't come up with that money by tomorrow, the bank is going to take your house.
Homer: Well, good luck finding it, because I'm going to take the numbers off tonight!
Manager: Well, we'll look for the house with no numbers.
Homer: Then I'll take off the numbers on my neighbor's house.
Manager: Then we'll look for the house next to the house with no numbers.
Homer: [...] All right, you'll get your money...
systemd is Roko's Basilisk.
There is really only one party. They all serve the same masters.
“Common sense is not so common.” — Voltaire
"wearenotterroristsnothingtoseehere.org" until some one puts it on the list, there are third party vendors that classify websites including "violence or terrorism" and so its not far fetched by any means.
as to the second part... of course not its an DNS list unless they start filtering by content by providing a content filter and not just DNS filter.
Obviously, these people think that the Chinese are handling online free-speech and free access to information just right and want to copy their success-story. Sure, people can still get around this (DNS filtering and blocking is the cheapest, least-secure option), but that can simply be made illegal. In the end, the UK "Internet" will end up as a "walled garden" where only content deemed appropriate by the "authorities" is easy and legal to access. Rogue browsing will be treated according to another success-story, namely the treatment of people that listened to non-German radio stations during the 3rd Reich: Send them to concentration camps.
Sure, the UK has been unfortunate so far to not have had any direct experience with totalitarianism and fascism, but your intrepid politicians are hard at work to correct that historic oversight.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
The SNP have more representation in Westminster per vote than any other party. Maybe more than every other party ever.
So no, getting more votes in Scotland than everybody else counts for fuck all. It's still not democratic.
I do also seem to recall them losing the vote they really cared about. No wonder Sturgeon's scared shitless of calling another referendum, for all her bleating about the supposed need for one.
I tried to mention tools like yours, but even including your initials in my comment caused it to trip Slashdot's lameness filter.
I bet they will ban Stormfront...
why would they block the first Dresden files book
---Saying gnome 3 is better than windows 8 not so much a compliment as it is damning with light praise.
Javascript required.
There is no right to feel safe thru security vaudeville at the expense of everyone's freedom, privacy and tax money.
The GCHQ was still trying to get paper files into computers into the 1970's. The US went fully digital via plain text databases thanks to better much hardware funding, staff funding and different collection issues.
When the UK was able to fully fund the GCHQ again following massive 1960's Skynet satellite https://en.wikipedia.org/wiki/... costs and many other very expensive upgrades and creative cash flow issues, collect it all was again seen as a solution for Ireland and the world.
The NSA always got the hardware to collect it all domestically and globally. But had to hide the domestic part from the US press and some very smart lawyers who wondered about the real origins of federal and state trials.
The problem for the UK is the GCHQ/NSA sold US consumer junk encryption too well globally and the UK actually has too much US consumer hardware and software as part of its own sensitive dual use networks. Nobody wanted the secret of all consumer crypto been junk to get out so UK govs just ordered ever more junk US brands in and used junk standards for decades.
Telling the UK to remove the US consumer junk kind of gives the collect it all game away so a huge new national firewall to try and protect the low quality US code and useless hardware at a national level is now the only solution.
Filling your own nation with the junk software and weak encryption that allows the NSA and GCHQ to spy on the rest of world without any later issues was unexpected as all the focus was on collection and who to share the product with. Only the NSA and GCHQ had to be kept safe as everyone else was of great interest under collect it all.
US, EU trade deals and standardization, privatization has come back to haunt once hardened UK networks. The UK is now as wide open as all the other nations it collects all from thanks to having no UK only telco policy.
Vast, fast, wide open networks now sit on the very edge or coexist with the UK's most sensitive mil and gov networks thanks to decades of fully out sourced contractor design.
Domestic spying is now "Benign Information Gathering"
I voted Lib Dem a few times, but the coalition was a betrayal. Tory policies are so far removed from what the Libs stood for, and they got such a bad deal out of the negotiation... And look where it got us. Out of the EU and likely on the virge of the UK breaking up as Scotland and Gibraltar seek to remain in.
Labour is having an existential crisis. They want a leader with principals, but need a slimey piece of shit like Cameron to win an election.
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
t was just a matter of time before someone came and spaffed over the keyboard with their hate..lol
As fro Sturgeon being scared? why would that be? are you sure? really sure? because you know... she/they may well be putting together a sound legal case instead of, much like yourself... opening the mouth and letting the belly rumble
it's not democratic??? Cederic.. I am fairly sure they are the only party, expecially of those with any power in the whole of these islands with a positive approval rating, the won 56 out of 59 seats in West and are the govt.. again.. third term in Scotland with the majority of elected representatives there being SNP. ... well NONE appeared by November 2015 and a lot of people are not very happy about that and they are not due for some time yet.. then there's the DEMOCRATIC deficit which has been shown time and time again..... even though Scotland voted solidly to stay in the EU.. England are dragging us out of it. and that actually does bring us to democratic deficit.. whereby it really doesn't matter what way Scotland votes or Ireland or Wales....the sheer numbers England has compared to Scotland etc means the what England votes happens really... .. they legal team especially are still investigating, dotting the I's and crossing the T's as it's a very complex constitutional issue and with their Westminster and Holyrood mandate which you so kindly acknowledge yet dismiss in the same breathe .. however thee plans take time to fully prepare but no... according to you she is crapping herself at the thought.... eh.. hardly.... .. such as being the only party EVER to get a majority govt at Holyrood where the system was designed to create coalitions and they actually got a majority. again and again... .. because they are MASSIVELY AHEAD of the greens , and i mean massively .. you claimed that the SNP were behond the greens....... erm.. Greens have 1 ,yes just ONE seat at Westminster... and the SNP..... 56 ... so how are the greens bigger? The greens have 6 MSP's in Scotland and the SNP... oh yeah they are the Scottish Govt and majority party, so without having any candidates sit outside Scotland they are bigger than the greens by a country mile and I mean MILE,. So you see Cederic.. you're just fuull of hatred, blatant hatred for Sturgeon and the SNP and at a guess Scotland too by extension.
Now you can spit and froth and foam but that doesn't change a thing.
as for losing the vote?.. yup, we did and it was close.. VERY close 45 to 55% BUT.. here the thing.... especially with the fact that ALL the promises made by the note no side(extra powers yadda yadda yadda for Scotland by November 2015)
Now as for her being scared... really? She appeared on TV and said straight that she and the ministerial team were fully investivating all possibilities including a fresh Independence referendum and
It just seems to me you are a bitter little man who just doesn't like or acknowledge the SNP and it's achievements
just bitter anyway
next point please caller!
You may want to seek assistance from an expert mental health professional.
You may want to seek assistance from an expert mental health professional.
yeah when you cannot refute, resort to ad hominem eh?
The problem is that the internet has too many idiots, and I have too little time.
You're one of the idiots.
The problem is that the internet has too many idiots, and I have too little time.
You're one of the idiots.
are you really THAT stuck for a rebuttal? aaaaaw.. diddums
You're the cuntface that started throwing words like 'bile' around and using capitals in response to a factual, calm and constructive comment.
Having firmly established your intellectual credentials at the level of 'dehydrated slug' you really expect me to take your points apart one by one?
No. Go lick a cow, it's about your level.
You're the cuntface that started throwing words like 'bile' around and using capitals in response to a factual, calm and constructive comment.
Having firmly established your intellectual credentials at the level of 'dehydrated slug' you really expect me to take your points apart one by one?
No. Go lick a cow, it's about your level.
and there we have it! :-)
as for licking cows... only portions when cooked
This site was once an anti-government screed and then an Osama bin Ladin fan site before becoming its current incarnation, a New Right/Alt Right blog.
It is still listed as a hate site for one of those earlier incarnations, meaning that it is blocked in most workplaces, and no amount of petitioning these services leads to it being permanently unblocked.
That is what we face: either user-reported or bureaucrat-driven censorship.
Alternative Right.
You'll be able to find some good ones at Carstairs. You're going to be real popular with the big boys there.
Birds are not dinosaur descendants;birds are dinosaurs, for all useful meanings of "birds", "are" and "dinosaurs"