top | item 34968611

TamDenholm | 3 years ago

> If the UK government really wants to follow through with their plans, they need to set up a Great Firewall - just like China - to block their citizens from accessing encrypted services like Tutanota.

We (the UK) already have a great firewall. Try to access thepiratebay.org or other pirate sites, or other sites that the UK gov deems inappropriate (CP obviously), etc. It's just a case of encroaching that same system just a little further, step by step.

People only tend to fight back when large sweeping one-off changes come in. If you consistently and repeatedly wear the other side down, you eventually get your way. How many times did the House of Commons vote on Brexit? How many times did the US Congress vote on Kevin McCarthy becoming speaker? Yeah, as long as you just keep on and on about it, you get your way.

lapser|3 years ago

> Try to access thepiratebay.org or other pirate sites, or other sites that the UK gov deems inappropriate (CP obviously), etc.

I don't know about the "other sites", but tpb isn't part of any "Great Firewall". It's just ISPs have been required to update their DNS servers to _not_ resolve the DNS record. Even then, there are still quite a few ISPs that have not implemented it. It's why changing your DNS servers to something like Google or Cloudflare means you can easily access tpb.

So blocked websites in the UK are nowhere near on the same level as the Great Firewall.

My guess is those other sites are a bit more sophisticated, or if not, ISPs are willing to comply easier.

Renaud|3 years ago

How the block is implemented is not of any concern to the public at large. Whether it's a simple DNS block or stateful packet inspection, the vast majority of people won't be able to access.

Once any blocking requirement is in place, it's only a matter of moving the slider to more technical means of enforcement to plug the holes in the system.

So you're right, the UK is nowhere near China in terms of filtering, neither does it need to be to still become a digital island.

iLoveOncall|3 years ago

That's not true, at least for VirginMedia. I use Cloudflare DNS servers and I can't access ThePirateBay without a proxy or a VPN, it's more than just a blockage at the DNS level.

Cthulhu_|3 years ago

Wasn't there a law passed that you need to provide ID before your ISP will serve porn sites? Or was that just a proposal? Either way, the powers that be are thirsting for a Great Firewall, an end to net neutrality, and backdoors to encryption.

londons_explore|3 years ago

That is already the case on most ISPs. I don't think it's legally required, but most ISPs do it with a wink wink nod bid agreement with the government.

It helps that ISPs want to do a credit check on their subscribers because then they get paid by credit checking agencies (credit checking agencies love checks for utilities because it gives a strong address to name to payment bounced-or-not linkage, so will either do the check for free, or sometimes even pay the utility for it).

So now the ISP can do a credit check on the subscriber to know their true identity, and know they are over 18, before allowing them to access the checkbox to enable porn sites.

the_af|3 years ago

> Wasn't there a law passed that you need to provide ID before your ISP will serve porn sites?

What happens if you don't provide your ID, is there a blacklist that only gets disabled if you authenticate?

Do they also enquire about the type of porn, what you intend to do with it, how often, and whether it's wholesome, traditional, honest to goodness British porn or some unbearable thing with pesky foreigners?

pmyteh|3 years ago

There was a law passed (Digital Economy Act 2017, pt.3[0]) but it's basically been shelved anyway as impractical.

In the UK many laws don't take effect immediately, but only on 'commencement' (normally by government order). If you look at the Archives copy of the act in the link, you'll see that there are several sections marked 'prospective' (not yet commenced). Although it looks like section 14 (the operative one which puts a duty to prevent access to under 18s) has been commenced, if you look at the footnote it only has been 'for specified purposes' and if you click through to look at the commencement order it's only actually in force for the purposes of subsection (b) (the Secretary of State may make regulations to define 'commercial basis' for pornography).

Although this is terribly confusing for people trying to work out what the laws are, it isn't unusual. It'll probably sit in this limbo state on the statute book for a good length of time and then be cleaned up by repeal next time the government passes a law in a similar area.

Or it might just sit there. The Easter Act 1928[1] setting a semi-fixed date for Easter is still extant but not in force. There may be older laws yet.

[0]: https://www.legislation.gov.uk/ukpga/2017/30/part/3

[1]: https://en.wikipedia.org/wiki/Easter_Act_1928

Mindwipe|3 years ago

> Wasn't there a law passed that you need to provide ID before your ISP will serve porn sites? Or was that just a proposal? Either way, the powers that be are thirsting for a Great Firewall, an end to net neutrality, and backdoors to encryption.

Yes, but it was never enacted because it is being combined into the Online Safety Bill, the same legislation that Signal are discussing here.

And not just porn sites - effectively every site on the internet will have to age verify under the legislation as stands, or make their content suitable for young children.

mnd999|3 years ago

It’s not even a UK-wide block, it only applies to a set of named ISPs.

switch007|3 years ago

For context, it’s BT, Sky, TalkTalk and Virgin which is 85% of all home broadband customers.

So fairly UK-wide

raverbashing|3 years ago

A weak DNS block is not a "great firewall"

Not sure about SNI sniffing as other commenter mentioned and IP block block (erm) I guess it depends on ISP and it's not so clear cut (everybody does it, especially if there's too much abuse from a certain block)

CommanderData|3 years ago

Incorrect, not just a DNS block. IP-based as well.
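Added example, not part of any comment in this thread: the disagreement above (DNS-only block versus IP or SNI filtering) comes down to which layer fails when measured from inside the ISP. The sketch below classifies constructed probe results; the `Probe` fields, function names and sample values are hypothetical, and the address is an RFC 5737 documentation address.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

@dataclass(frozen=True)
class Probe:
    """One hostname's measurements from inside the ISP (all values constructed)."""
    isp_dns: Optional[FrozenSet[str]]     # A records from the ISP resolver, None = no answer
    public_dns: Optional[FrozenSet[str]]  # A records from a third-party resolver
    tcp_ok: bool           # TCP connect to a public_dns address on port 443
    tls_sni_ok: bool       # TLS handshake with the real hostname in SNI
    tls_no_sni_ok: bool    # TLS handshake to the same address with SNI omitted

def blocked_layers(p: Probe) -> List[str]:
    """Return the layers at which access appears to be interfered with."""
    if p.public_dns is None:
        return ["unresolvable"]           # name is dead everywhere: not an ISP block
    layers = []
    # No ISP answer, or an answer sharing no address with the reference resolver.
    # Caveat: CDNs can legitimately hand different resolvers different addresses.
    if p.isp_dns is None or not (p.isp_dns & p.public_dns):
        layers.append("dns")
    if not p.tcp_ok:
        layers.append("ip")               # address itself is null-routed or reset
    elif not p.tls_sni_ok:
        # Same address works once the hostname is hidden: filter keys on SNI.
        layers.append("sni" if p.tls_no_sni_ok else "tls-or-server")
    return layers or ["none"]

def resolver_change_suffices(p: Probe) -> bool:
    """True only when DNS is the sole layer being interfered with."""
    return blocked_layers(p) == ["dns"]

ADDR = frozenset({"192.0.2.10"})          # RFC 5737 documentation address
SAMPLES = {
    "dns_only": Probe(None, ADDR, True, True, True),
    "dns_and_ip": Probe(None, ADDR, False, False, False),
    "sni_filter": Probe(ADDR, ADDR, True, False, True),
    "unblocked": Probe(ADDR, ADDR, True, True, True),
}

if __name__ == "__main__":
    for name, probe in SAMPLES.items():
        print(name, blocked_layers(probe), resolver_change_suffices(probe))
```

The `dns_only` sample matches the behaviour one commenter describes (a different resolver restores access), while `dns_and_ip` and `sni_filter` match the reports that changing resolver alone makes no difference.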

orblivion|3 years ago

Just to throw a wrench into this conversation - I applaud Tutanota on this (I was curious where Signal sees the line between Iran and the UK). However:

> (CP obviously)

Are there options on the table for dealing with this in a freedom-respecting way? Even if freedom were your only priority, the worse the problem gets, the more political capital the politicians have to shut it down. If it gets worse and worse, it strikes me as inevitable that encryption will be curbed, even in the United States.

Alternately, is there a really compelling argument that CP is not a real problem? Mind you that whatever arguments are out there, I'm going to be looking out for motivated reasoning. It seems like so long as freedom-enhancing technology increases, bad actors doing worse things is inevitably going to be a problem. I'm concerned about this, because (in addition to CP being bad) if it's true, proponents of encryption would be shooting themselves in the foot by being in denial.

someNameIG|3 years ago

> Are there options on the table for dealing with this in a freedom-respecting way? Even if freedom were your only priority, the worse the problem gets, the more political capital the politicians have to shut it down. If it gets worse and worse, it strikes me as inevitable that encryption will be curbed, even in the United States.

What Apple was going to do with the on device hashes?

dom96|3 years ago

> Try to access thepiratebay.org or other pirate sites

Both my home ISP (hyperoptic) and mobile network (Vodafone) allow me to access it.

gadders|3 years ago

The whole internet has a "great firewall". Kiwi Farms (whatever you think of them) was taken off the internet for a while due to (I think) backbone networks blocking/not resolving the DNS address. Any power that can be used for you can be used against you.

ClumsyPilot|3 years ago

While I agree with the sentiment, we need to distinguish between violent crimes and financial disputes.

Like police have the right to break into your house to stop a murder, but not if you have a payment dispute with someone

aembleton|3 years ago

> Try to access thepiratebay.org

That works for me in the UK on Shell Energy broadband

moremetadata|3 years ago

I have no problems accessing the piratebay.org, or even tor, in fact I know the MOD get to monitor all internet access so they can even tell what you are looking at or buying on the darkweb!

However I do have great difficulty accessing rt.com I usually get ERR_NAME_NOT_RESOLVED in MS Edge, like right now!

Why are they so scared of Russia? Has the Oligarch money run dry?

Now if it's any endorsement for Kaspersky AV Internet suite, it picked something up on my machine a few years back, so I booted from the supplied recovery ISO burnt to CD, and it needs to download the latest AV definitions. It was unable to connect to Kaspersky's servers, in order to do an offline scan and removal, ergo I was unable to wipe the malware from my machine.

In the past, when I have had my systems so locked down so I can account for every packet of data coming in and going out, my internet connection just goes down so I can't get online. I've even had BIOS passwords reset locking me out of machines.

On the point of being worn down, it would seem shouting the loudest, or controlling the media outlets works [1]

A suggestion for @ tutanota.com, I've made this to other online email providers, but no one seems interested.

Having a delayed send from servers located around the world.

If anyone is aware of traffic shaping, and traffic profiling, they will know it's possible to determine what type of data it is despite it being encrypted.

For example, YouTube will send from multiple servers to your device in bursts, it's not one continuous stream of data from one server. Obviously this also enables Google/YouTube to work out your exact physical location based on the time the different bursts of data arrives at the device and get reassembled.

It's also possible for the 5eyes+X (5EX) operators to work out if you are typing or reading an email, and when you click send, there is a very small window in which to work out where that email is going.

So if the email comes back into the UK, they will know what email server it's being routed to. In time, it's possible to work out more stuff which I won't elaborate on, but they can then carry out impersonation attacks on the entity in both directions in order to solicit more information.

Let's face it, how many people get to speak to the same person in a call centre? And do call centre staff remember and recognise their routine customers?

So could your email system have a delayed send built into it, perhaps something like X users from the UK, click send to send an email and these emails could be sent from some of your servers which would ideally be located around the globe?

e.g. I log into your service by connecting to the German server, I click send after composing an email and the email is routed in a batch with other users to say the US server before it gets delivered, well after I've logged off and delivered in a randomly delayed timeframe, because most people don't need emails to hit other people's inboxes straight away, they are busy doing other things. In fact being able to send now could be an opt in, like those times when on the phone to someone and you need to send them an email at the same time, because the 5EX workers will know you are already communicating with someone, and what can they gain from knowing about an email being sent at the same time?

With VPNs the easiest way to work out where VPN traffic is going, is slow down your target's VPN connection and the 5EX operators look for other encrypted VPN traffic that also slows down elsewhere. This is how the 5EX workers can work out what websites you are visiting.

Likewise a VPN that can also include Chaff [2] when the connection goes idle, will also get to hide the type of data passing over the VPN, again affording the user of VPNs some privacy, where currently there are no VPNs affording this. I know some do VPN tunnelling i.e. a VPN running inside a VPN for double encryption, but that still gives out the type of data and where it's going to when you have an infrastructure overview of the internet in the 5EX countries.

And if the VPN service connects to a proxy server that can keep the 2nd and subsequent relays/legs still downloading, the VPN company gets to find out who the 5EX workers might be targeting. At the very least, it would reduce their existing level of intelligence, and expose what secret court orders might be in place with infrastructure companies like AT&T's Room 641A [3]

All's fair in love and war!

I'll also point out the obvious, people tend to visit websites that are in their language, this then narrows down the websites and data centres to look at.

However if someone is multi lingual which would have been obtained by the state during the school and college years through lessons learnt and/or by association of being born or raised by parents who are not native speakers of the country they reside in, or are multi lingual, the scope for the websites that could be visited can increase, introducing more legal doubt.

Anyway an insight into 5EX internet surveillance, what GCHQ would call looking for the needle in the haystack, an example can be found here [4].

It's probably best to think of the internet like monitoring vehicle movements, you can see trucks moving around, but you don't know what's in them initially, but over time, you can work it out, which is why the EU & UK have agreed the Windsor framework, namely Squid Game Green light Red light [5] customs between NI & GB.

[1] https://www.dailymail.co.uk/sciencetech/article-2333165/The-...

[2] https://en.wikipedia.org/wiki/Chaff_(countermeasure)

[3] https://en.wikipedia.org/wiki/Room_641A

[4] https://cryptome.org/2013-info/09/nsa-br-mx-2/nsa-br-mx-2.ht...

[5] https://youtu.be/sH4Y450PSVM?t=29

danaris|3 years ago

> However I do have great difficulty accessing rt.com I usually get ERR_NAME_NOT_RESOLVED in MS Edge, like right now!

> Why are they so scared of Russia?

This is a mystery for the ages! What reason could there possibly be, in 2023, for blocking a major Russian propaganda/state news outlet?

I mean, I could understand it if there was a war going on, with Russia desperately spreading propaganda specifically to try to get NATO states to see Russia's aggression as being totally understandable and actually our fault, so that we stop sending money and materiel to the people they are frantically trying to murder in order to get them to stop resisting their takeover of their entire country...

/s

aembleton|3 years ago

rt.com works for me on Shell Energy broadband using Firefox.

mytailorisrich|3 years ago

Every country should have their own "Great Firewall" in order to control what's accessible (countries have their own laws) and to protect themselves against attacks, including by cutting themselves off from the internet.

In any case, as you mention many countries can already block specific websites and services from being accessed from within their borders.

pjc50|3 years ago

Similarly, every user should have a good extra-territorial VPN so they can ignore all of that.