[LINK] Fw: Fwd: [ PRIVACY Forum ] Brits' Failed Heavy Metal Censorship Attempt Disrupts Wikipedia Edits

Kim Holburn kim.holburn at gmail.com
Tue Dec 9 09:11:59 AEDT 2008


On 2008/Dec/08, at 9:54 PM, Richard Chirgwin wrote:
> OK. Picking up something that got washed away in the other discussions:
> in the UK case, the filtering caused all traffic to come from a single
> apparent IP address.
>
> This seems to me to pose several "break the Internet"-style problems
> that are worth understanding.
>
> 1) With a large user base sharing a single IP address, regardless of
> whether or not it "slows down the Internet", at the very least a single
> point of failure is created. This is bad for users.

That's how a normal proxy/cache works but I see no reason why the  
proxy can't send on the referring host IP.  This single point of  
failure has always been a problem with proxies.

> 2) The concentration of user traffic would seem to me to also create
> vulnerabilities we don't want. For example, does the "single proxy"
> create an opportunity for DNS-based attacks on one side or the other of
> the firewall?

Absolutely, although Hanlon's razor and Murphy's law would lead one to  
expect stuff-ups in the single point of failure to be the thing to  
most worry about.

> 3) The filter breaks end-to-end communications for everybody. We can
> only assume this is a good thing if we also assume that most users, not
> merely a minority, wish to break the law. Otherwise, the broken model is
> an imposition on the entire user base as a means of restricting the
> activities of a few.

Cost benefit analysis?  It also gives someone the ability to control  
and monitor people's communication.  Maybe that is worth more to the  
Government than anything else.  They've always had it after all with  
the phone system.  This internet thingy is getting out of hand.

> 4) The filter, paradoxically, helps hide user activities. Were it to
> happen that an entire country were hidden behind a single IP address, it
> would be very difficult from anywhere outside the filter to discover the
> source of malicious traffic. So I submit that the filtering works
> against one of its own aims.
>
> 5) Interference with the DNS is one of the government's proposed
> approaches to filtering (this is contained in the RFP for filtering
> trials:
> http://www.dbcde.gov.au/__data/assets/pdf_file/0006/89160/technical-testing-framework.pdf).
> There is a serious problem here, since trust in addresses is a
> fundamental part of successfully operating the Internet.

They tried this in Italy - a judge ordered ISPs to block the DNS  
resolution of The Pirate Bay.  The block didn't work out too well  
really....  You could always use a service like OpenDNS ;-)

> 6) Finally, the matter of privacy. The intrusion is far more than the
> old "nothing to hide, nothing to fear" argument. User communications on
> the Internet are by nature private: Bob seeks to establish a connection
> to Alice, and the infrastructure provides Alice's address. Filtering
> assumes that all users commence their communication with evil intent,
> captures the attempt to establish a connection, and only allows those
> connections to pass that the filter deems acceptable. This is an
> intrusion on the majority of users, whose intent is nothing more than to
> look at YouTube or buy something or pay a bill. It is also capturable;
> the attempt to find something in the DNS, via the filter, means the
> filter is now a snoop-point not just for "evil" connections, but for all
> connections.

The internet is really more like sending postcards than letters in  
paper envelopes.  Or paraphrasing what Scott McNealy said: There never  
was any privacy anyway, "get over it."  Do you think governments that  
have enough money don't do this already?

We just hope they have enough money and technical nous to do it fast  
enough so we won't notice the slowdown too much ;-)

> I would, of course, welcome correction on any of these from those who
> are better technologists than I am.
>
> The point is, the more I think about filtering, the less I like it. I
> have come around from a much more ambivalent stance some years ago to an
> increasing feeling that filtering is bad, full stop.
>
> RC

-- 
Kim Holburn
IT Network & Security Consultant
Ph: +39 06 855 4294  M: +39 3494957443
mailto:kim at holburn.net  aim://kimholburn
skype://kholburn - PGP Public Key on request








