[LINK] Fw: Fwd: [ PRIVACY Forum ] Brits' Failed Heavy Metal Censorship Attempt Disrupts Wikipedia Edits
kim.holburn at gmail.com
Tue Dec 9 09:11:59 EST 2008
On 2008/Dec/08, at 9:54 PM, Richard Chirgwin wrote:
> OK. Picking up something that got washed away in the other
> in the UK case, the filtering caused all traffic to come from a single
> apparent IP address.
> This seems to me to pose several "break the Internet"-style problems
> that are worth understanding.
> 1) With a large user base sharing a single IP address, regardless of
> whether or not it "slows down the Internet", at the very least a
> point of failure is created. This is bad for users.
That's how a normal proxy/cache works but I see no reason why the
proxy can't send on the referring host IP. This single point of
failure has always been a problem with proxies.
> 2) The concentration of user traffic would seem to me to also create
> vulnerabilities we don't want. For example, does the "single proxy"
> create an opportunity for DNS-based attacks on one side or the other
> the firewall?
Absolutely, although Hanlon's razor and Murphy's law would lead one to
expect stuff-ups in the single point of failure to be the thing to
most worry about.
> 3) The filter breaks end-to-end communications for everybody. We can
> only assume this is a good thing if we also assume that most users,
> merely a minority, wish to break the law. Otherwise, the broken
> model is an imposition on the entire user base as a means of
> restricting the activities of a few.
Cost benefit analysis? It also gives someone the ability to control
and monitor people's communication. Maybe that is worth more to the
Government than anything else. They've always had it after all with
the phone system. This internet thingy is getting out of hand.
> 4) The filter, paradoxically, helps hide user activities. Were it to
> happen that an entire country were hidden behind a single IP address,
> it would be very difficult from anywhere outside the filter to discover
> source of malicious traffic. So I submit that the filtering works
> against one of its own aims.
> 5) Interference with the DNS is one of the government's proposed
> approaches to filtering (this is contained in the RFP for filtering
> There is a serious problem here, since trust in addresses is a
> fundamental part of successfully operating the Internet.
They tried this in Italy - a judge ordered ISPs to block the DNS
resolution of The Pirate Bay. The block didn't work out too well
really.... You could always use a service like OpenDNS ;-)
> 6) Finally, the matter of privacy. The intrusion is far more than the
> old "nothing to hide, nothing to fear" argument. User communications
> the Internet are by nature private: Bob seeks to establish a
> to Alice, and the infrastructure provides Alice's address. Filtering
> assumes that all users commence their communication with evil intent,
> captures the attempt to establish a connection, and only allows those
> connections to pass that the filter deems acceptable. This is an
> intrusion on the majority of users, whose intent is nothing more than
> to look at YouTube or buy something or pay a bill. It is also capturable;
> the attempt to find something in the DNS, via the filter, means the
> filter is now a snoop-point not just for "evil" connections, but for
The internet is really more like sending postcards than letters in
paper envelopes. Or paraphrasing what Scott McNealy said: There never
was any privacy anyway, "get over it." Do you think governments that
have enough money don't do this already?
We just hope they have enough money and technical nous to do it fast
enough so we won't notice the slowdown too much ;-)
> I would, of course, welcome correction on any of these from those who
> are better technologists than I am.
> The point is, the more I think about filtering, the less I like it. I
> have come around from a much more ambivalent stance some years ago to
> an increasing feeling that filtering is bad, full stop.
IT Network & Security Consultant
Ph: +39 06 855 4294 M: +39 3494957443
mailto:kim at holburn.net aim://kimholburn
skype://kholburn - PGP Public Key on request
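
Added example, not part of the original message: a sketch of how a receiving site could attribute requests when a filtering proxy does "send on the referring host IP", assuming it does so in the standard X-Forwarded-For header. The trusted proxy range, the addresses and the function names are constructed for illustration.

```python
import ipaddress
from collections import Counter

# Constructed values from documentation ranges, not real proxies.
TRUSTED_PROXIES = [ipaddress.ip_network("192.0.2.0/28")]


def is_trusted(ip):
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(peer_addr, xff_header):
    """Return the address a request should be attributed to.

    peer_addr is the TCP peer; xff_header is the raw X-Forwarded-For value
    or None. The header is honoured only while the current hop is a trusted
    proxy, and is read right to left, so entries a client forged on the
    left are never reached once an untrusted hop stops the walk.
    """
    current = ipaddress.ip_address(peer_addr)
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    for hop in reversed(hops):
        if not is_trusted(current):
            break  # this hop is not ours: ignore whatever it claims
        try:
            current = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: keep the last address we could verify
    return str(current)


def attribute(requests, honour_xff=True):
    """Count requests per attributed address."""
    counts = Counter()
    for peer, xff in requests:
        counts[client_ip(peer, xff if honour_xff else None)] += 1
    return dict(counts)


# Constructed sample: three users behind one filtering proxy (one of them
# prepending a forged entry), plus one direct client sending its own header.
SAMPLE = [
    ("192.0.2.1", "203.0.113.7"),
    ("192.0.2.1", "203.0.113.8"),
    ("192.0.2.1", "10.1.1.1, 203.0.113.7"),
    ("198.51.100.9", "203.0.113.99"),
]
```

With the header ignored, a block or rate limit keyed on the address hits every user behind the proxy at once; with it honoured for the trusted proxy only, the direct client cannot borrow someone else's address by sending the header itself.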