Posts Tagged ‘dns’

Now reachable again on my GNOME alias

Tuesday, January 8th, 2013

Public service announcement: If you tried to contact me via email on my @gnome.org alias within the last three weeks, the email eventually bounced and didn’t get through. Now things should be back to normal.

I just realised that I wasn’t able to receive mail due to some fuckups on my side. I was told that sending email to me was a bit difficult but only from people I know were using a deprecated address that I stopped using a while ago. So I replied that they should update their address book instead of complaining. But then I was told that sending to my gnome.org address was also difficult. I didn’t really realise that I was not receiving mail since December 18th! Well, I did think that I got way less email than usual, but I blamed the festive season…

What finally happened? Easy: The @gnome.org alias was set up to forward to my deprecated address and eventually the domain expired. I didn’t know that I had the alias set up to my deprecated address and no-one told me that all of a sudden all the mail was bouncing.

Anyway, now things should be operational again. Except that I have to re-register with all the mailing lists that I was probably thrown off of due to the bounces.

Private Censorship in Germany

Thursday, April 23rd, 2009

Last Friday, 5 major ISPs signed a contract committing themselves to forging DNS answers for names given by the federal police.

According to this article (which probably has its information from heise), Deutsche Telekom, Vodafone/Arcor, Hansenet/Alice, Telefonica/O2 and Kabel Deutschland are voluntarily implementing the censorship through DNS. The signing parties share 75% of the German ISP market. According to Netzpolitik.org, Freenet, 1&1 and Versatel have refused to even talk about this censorship if there isn’t a legal foundation, i.e. a law which explicitly requires the ISPs to implement the censorship. I don’t know the contract and, according to the press conference, it remains secret, but it must be more or less like the leaked draft.

So the ISPs now have to implement a DNS filter within six months and have to update the filter as soon as the federal police sends them a new list of domains to be blocked. The weird and absurd thing is that *nobody* is allowed to access this list (because illicit content is explicitly referenced)! So you can’t check what exactly is banned and whether political enemies are censored as well. That is what happened in Finland: a site discussing the censorship is on the list itself!

In the same period Wikileaks published the Finnish Internet censorship list. The Finnish National Bureau of Investigation has requested executive assistance from United States, but it is not known what precisely has been requested – whether the concern is only removing the list or whether they are trying to find out who leaked it. The list still includes the critical Finnish anti-censorship site lapisporno.info.

But making it harder to access “child pornography” justifies the restriction of the constitutional rights, right? Well. Firstly, we mustn’t use “child pornography” when we want to discuss this issue seriously. We should use “documentation of child molesting” or something more technical. Secondly, we see that it’s pretty simple to circumvent, so it’s only slightly harder to access the desired information. So it does pretty much nothing to block access, *but* offends 75% of the German internet population. I don’t consider this proportionate!

But the less a person watches children being molested, the fewer children she’ll molest, right? Because they get addicted and everything… Well. Besides the fact that we’re talking about a sexual disposition and not about drugs of any kind, this is just a claim with no justification whatsoever. An equally good argument is that doing that virtually actually *prevents* people from doing that in real life. Also, the content available on the net is decades old, which might testify that there is no need to produce more and thus newer content! By actually blocking access, you might risk people demanding newer stuff and a big market emerging.

Also, no child is molested through the internet. This is probably always done in the families! So blocking access doesn’t save a single child. Instead, fighting the roots would help. scusi analysed where the blocked domains are actually hosted. It turns out that pretty much every blocked domain is in a jurisdiction that allows prosecution of child abuse. Including various servers in Germany! I propose that it’s easier, more effective and less dangerous to actually ask the ISPs to shut the domains down and to prosecute the owners of these sites. Instead, the attitude of “once it’s blocked, we don’t have to care about it anymore” is encouraged. Of course that doesn’t help anything, because the content is *still there* and people can circumvent censorship to access it!

It is obvious that other interest groups, like the music industry, will ask and fight for adding sites they don’t like to that blocking list. The technical implementation doesn’t and can’t know what’s “right” and what’s “wrong”. It blocks what it’s told to. So with that censorship being deployed, you introduce a general censorship mechanism for pretty much everything you desire. Today it’s child pornography, but it is clear that this’ll change, like e.g. in Australia where a dentist has been blocked as well…

While I tried to argue against the official reasons for the “access blocking”, other people did it as well. There is a good article at Netzpolitik, which actually destroys nearly every existing argument. Of course, heise has a pretty good article, too, which I really urge you to read.

What now? Well, first of all, you can quit your current contract with your ISP or sue them. Then you can use alternative DNS servers. As of writing, the list includes

  • 85.214.73.63 (anonymisierungsdienst.foebud.org)
  • 204.152.184.76 (f.6to4-servers.net, ISC, USA)
  • 2001:4f8:0:2::14 (f.6to4-servers.net, IPv6, ISC)
  • 194.150.168.168 (dns.as250.net; anycast DNS!)
  • 213.73.91.35 (dnscache.berlin.ccc.de)
  • 80.237.196.2
  • 194.95.202.198

Of course, the parliament has free access and universities shall have unlimited access, too, so you might want to use their DNS servers as well, e.g. 132.187.1.1 or 129.187.5.1.
But again: The point is not, that the technical measure is nearly useless to filter content. The point is that censorship infrastructure is rolled out *now* and that it can (and my prophecy is, that it will) be (ab)used for other content as well.

For further information, there is herdict.org which maps the current censorship situation worldwide. For Germany, you might want to have a look at de-zensiert.de or ak-zensur.de.

What about a consensus DNS resolver you install locally? It would ask, say, three different DNS servers and respond with the answer given the most. It could show a warning widget if it recognizes inconsistencies or if a DNS server fails to answer. The user then knows that something’s fishy and can act appropriately, i.e. update the DNS server list or ask his provider whether it censors.
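One way to implement the consensus resolver proposed above, as an added example that is not code from the original post: each server is asked for the A record over UDP, the most common answer wins, and servers that disagree or stay silent produce warnings. The function names, the strict-majority rule (stricter than the plain "answer given the most") and the sample addresses from the documentation ranges are assumptions made for illustration.

```python
import secrets, socket, struct
from collections import Counter

def build_query(name, qid):  # minimal A-record query with recursion desired
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.rstrip(".").split("."))
    return struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!BHH", 0, 1, 1)

def skip_name(msg, off):  # offset just past a name that may end in a pointer
    while msg[off] and msg[off] & 0xC0 != 0xC0:
        off += 1 + msg[off]
    return off + (2 if msg[off] else 1)

def parse_a_records(msg):  # sorted tuple of IPv4 addresses in the answer section
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    off = 12
    for _ in range(qdcount):
        off = skip_name(msg, off) + 4            # skip QTYPE and QCLASS
    addrs = []
    for _ in range(ancount):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == 1 and rdlen == 4:            # A record
            addrs.append(socket.inet_ntoa(msg[off + 10:off + 14]))
        off += 10 + rdlen
    return tuple(sorted(addrs))

def ask(server, name, timeout=2.0):  # one UDP query; None means no usable answer
    query = build_query(name, secrets.randbits(16))
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.connect((server, 53))              # kernel drops replies from other hosts
            s.send(query)
            reply = s.recv(4096)
        return parse_a_records(reply) if reply[:2] == query[:2] else None
    except (OSError, struct.error, IndexError):
        return None

def consensus(answers):  # {server: tuple of IPs or None} -> (winner, warnings)
    votes = Counter(a for a in answers.values() if a is not None)
    winner, count = votes.most_common(1)[0] if votes else (None, 0)
    warnings = [f"{s}: " + ("no answer" if a is None else f"differs, got {a}")
                for s, a in answers.items() if a is None or a != winner]
    if count * 2 <= len(answers):                # assumption: need a strict majority
        return None, warnings + ["no majority among the resolvers asked"]
    return winner, warnings

# Constructed sample: two resolvers agree, the third returns another address.
SAMPLE = {"192.0.2.1": ("198.51.100.7",), "192.0.2.2": ("198.51.100.7",), "192.0.2.3": ("203.0.113.9",)}
```

For a live check, call `consensus({s: ask(s, name) for s in servers})` with IPv4 resolver addresses. Names served by CDNs or round-robin pools can legitimately resolve differently per resolver, so a warning is a reason to look closer rather than proof of filtering.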

To summarize: The current child pornography hysteria is based on assumptions that are evidently wrong or can’t be proved. The methods to fight against child abuse have no meaningful effect besides deploying a general purpose censoring infrastructure (and helping the people involved to improve their public image). Nobody is allowed to check whether the access block list includes any non-illegal entry and political enemies can thus be eliminated. Circumventing is (still?) easy. We can further improve anti-blocking mechanisms.

DJB rewards $1000 for bug in TinyDNS

Thursday, March 5th, 2009

Matthew Dempsky found a bug in TinyDNS and the author, Daniel Julius Bernstein, has a Security Guarantee that rewards the first person who finds an exploitable bug with $1000, and he says he is going to make it happen! I love this guy…