More Government Idiocy: Internet Black Lists
The Market Ticker ® - Commentary on The Capital Markets
Posted 2010-11-01 09:31
by Karl Denninger
in Technology
There's dumb - and then there's really dumb, predicated on people who simply don't understand what they're doing, and should be barred from authoring legislation until they consult with some people who do know what they're doing.

The Combating Online Infringement and Counterfeits Act (COICA) was introduced just one week ago, but it's greased and ready to move, with a hearing in front of the Judiciary Committee this Thursday. If people don't speak out, US citizens could soon find themselves joining Iranians and Chinese in being blocked from accessing broad chunks of the public Internet.

Help us stop this bill in its tracks! Click here to sign our petition.

COICA creates two blacklists of Internet domain names. Courts could add sites to the first list; the Attorney General would have control over the second. Internet service providers and others (everyone from Comcast to PayPal to Google AdSense) would be required to block any domains on the first list. They would also receive immunity (and presumably the good favor of the government) if they block domains on the second list.

The lists are for sites "dedicated to infringing activity," but that's defined very broadly -- any domain name where counterfeit goods or copyrighted material are "central to the activity of the Internet site" could be blocked.

This sounds ok, right?  A site that is dedicated to stealing intellectual property isn't a good thing, and setting up a "blacklist" thus sounds pretty reasonable.

Well, it might be.  If it could work. 

But it won't, because it can't.

When you type http://www.pirate.me.a.movie into your browser what happens "behind the scenes" is as follows:

  1. Your computer sends a request for an "A" record to your local DNS resolver.  This "resolver" is set when you get your IP address (most computers nowadays on personal internet connections get them when they boot up from a protocol called DHCP - this protocol returns your DNS server addresses at the same time it returns your IP address.)

  2. The DNS resolver (typically running a program called "named", known in the bizness as "BIND") looks up that domain name.  To do this it starts at the rightmost part of the name, finds the authoritative server for that part and asks it for the next component to the left (it may already know some of the pieces; each answer it receives comes with a timeout, so the server doesn't have to ask again for a while if it gets a valid answer.)  This continues right-to-left until it finally reaches the authoritative server for the leftmost portion, at which point it has an IP address.

  3. It passes that IP address, along with its timeout (so your local machine doesn't have to ask again for a while), back to your client machine.

  4. Your client machine (assuming a web browser) connects to that IP address, and then in the header of the HTTP request (for a web site) sends the site's domain name down to the server that is on the other end.  This is done because there could be dozens - or even hundreds or thousands - of domains on one IP number.

  5. The server looks at the request domain name, and if it is a server for that domain, returns the page requested.

This proposal attempts to interdict the process at point #2.  That is, your internet provider would be required to check the requested domain name against a "black list" and, presumably, either return a bogus response (e.g. a government page saying "you bad boy, that site is blocked") or return nothing at all (e.g. NXDOMAIN, "no such entry.")
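As an added illustration of steps 1 to 3 and of the NXDOMAIN case (example code written for this page, not part of the original post): it builds the A-record query a stub resolver sends, the answer a resolver hands back together with the record's timeout, and the "no such entry" answer a blacklisting resolver would substitute. The domain is the post's made-up example; the address 203.0.113.7 is an RFC 5737 documentation address chosen here, so nothing is looked up on the network.

```python
import struct

# Constructed example: a DNS A-record query and two possible answers, assembled
# by hand so the whole thing runs offline. QUERY_ID is an arbitrary value.
QUERY_ID = 0x1234

def encode_name(name):
    """Encode a dotted name as DNS labels (length byte + text, terminated by 0)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += struct.pack("B", len(label)) + label.encode("ascii")
    return out + b"\x00"

def build_query(name, qid=QUERY_ID):
    """Step 1: the client's request for an A record (RD=1, one question)."""
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN

def decode_name(msg, off):
    """Decode the name at `off`, following compression pointers (0xC0xx).
    Returns (name, offset just past the name as it appeared in the message)."""
    labels, jumped, end = [], False, off
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:           # pointer to an earlier copy of the name
            ptr = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:
            if not jumped:
                end = off
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), end

def build_a_response(query, ip, ttl):
    """Step 3: echo the question and add one A record carrying its timeout (TTL)."""
    qid = struct.unpack(">H", query[:2])[0]
    header = struct.pack(">HHHHHH", qid, 0x8180, 1, 1, 0, 0)  # QR=1 RD=1 RA=1 RCODE=0
    rr = struct.pack(">H", 0xC00C)                              # name: pointer to offset 12
    rr += struct.pack(">HHIH", 1, 1, ttl, 4)                    # A, IN, TTL, RDLENGTH
    rr += bytes(int(o) for o in ip.split("."))
    return header + query[12:] + rr

def build_nxdomain(query):
    """The blocked case from the post: same question, no answers, RCODE=3 (NXDOMAIN)."""
    qid = struct.unpack(">H", query[:2])[0]
    return struct.pack(">HHHHHH", qid, 0x8183, 1, 0, 0, 0) + query[12:]

def parse_response(msg):
    """Return the queried name, the response code and any (ip, ttl) A answers."""
    qid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", msg[:12])
    name, off = decode_name(msg, 12)
    off += 4                                   # skip QTYPE and QCLASS
    answers = []
    for _ in range(an):
        _, off = decode_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == 1 and rdlen == 4:
            answers.append((".".join(str(b) for b in rdata), ttl))
    return {"id": qid, "name": name, "rcode": flags & 0x000F, "answers": answers}

if __name__ == "__main__":
    q = build_query("www.pirate.me.a.movie")
    print(parse_response(build_a_response(q, "203.0.113.7", 3600)))
    print(parse_response(build_nxdomain(q)))
```

The only subtlety is in `decode_name`: once it follows a pointer it must keep reporting the position in the original message, not the position the pointer jumped to, or the parser loses its place in the answer section.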

Here's the problem: The site in question is still online.

Problem #2: It is trivially easy to override this.

On a Windows (or Unix-derived!) machine you could put a local "hosts" file on your system that contains the "bad" site name and its IP number.  Your local machine will prefer the hosts file to the DNS system, which means voila - you have access to the so-called "bad" address again.

Guess what - this is exactly the method used by those with "rooted" Android phones to block advertising.  You simply put the advertising domains in the local hosts file with a bogus IP number (e.g. 127.0.0.1, which is defined as your local computer) and all the ads disappear!  Easy as pie!
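To make the lookup order concrete (an added example, not code from the post): a small model of a client that consults its hosts file before asking the resolver, fed a constructed hosts file and a constructed resolver table in which the post's example name has been blacklisted. The audit function at the end is the defender's side of the same fact: an entry that overrides DNS is harmless when you put it there to kill ads, and a classic warning sign when something else did. All addresses are RFC 5737 documentation values chosen here.

```python
import ipaddress

# Constructed hosts file in the format both Windows (drivers\etc\hosts) and
# Unix (/etc/hosts) use: "IP  name [alias ...]", with '#' starting a comment.
HOSTS_FILE = """\
# constructed sample, not a real hosts file
127.0.0.1       localhost
203.0.113.7     www.pirate.me.a.movie          # pins the post's example name
127.0.0.1       ads.example  tracker.example   # the rooted-Android ad-blocking trick
"""

# Constructed stand-in for the ISP's resolver once a "black list" is applied at
# step 2: None models an NXDOMAIN answer, a string models a normal A answer.
RESOLVER_TABLE = {
    "www.pirate.me.a.movie": None,          # blacklisted: "no such entry"
    "ads.example": "198.51.100.20",
    "news.example": "198.51.100.30",
}

def parse_hosts(text):
    """Map each hostname (lower-cased) to its address. The first entry for a
    name wins, matching the first-match behaviour of the usual resolver libraries."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue                            # malformed line: ignore it
        for name in fields[1:]:
            table.setdefault(name.lower(), ip)
    return table

def resolve(name, hosts, resolver_table):
    """Model the client's lookup order: hosts file first, then the DNS resolver.
    Returns (address_or_None, source) so the caller can see which path answered."""
    key = name.lower().rstrip(".")
    if key in hosts:
        return hosts[key], "hosts"
    ip = resolver_table.get(key)
    return ip, ("dns" if ip else "nxdomain")

def audit_hosts(hosts, resolver_table):
    """Defender's check: hosts entries that override what DNS would say, either a
    different address or a name the resolver refuses. Expected when you block ads;
    unexpected entries are the classic symptom of a tampered hosts file."""
    return sorted(name for name, ip in hosts.items()
                  if name in resolver_table and resolver_table[name] != ip)

if __name__ == "__main__":
    hosts = parse_hosts(HOSTS_FILE)
    for n in ("www.pirate.me.a.movie", "ads.example", "news.example"):
        print(n, "->", resolve(n, hosts, RESOLVER_TABLE))
    print("overrides:", audit_hosts(hosts, RESOLVER_TABLE))
```

The resolver table is a stand-in for the network, so the model shows only the ordering the post describes; a real client also honours the TTLs from step 3 and may cache a negative answer, which is why flushing the cache is usually the second step after editing the file.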

I predict it will take about an hour after such a law is passed before someone enterprising will write a "shim" that will sit on Windows and Mac machines and intercept the DNS data stream, pointing at alternate resolvers that are not subject to this law - like, for instance, in The Netherlands.  This too is trivially easy to do - in fact, 30 seconds with your computer will set your DNS resolvers manually.  For performance reasons you probably don't want to do this for every site, thus, the shim - but in point of fact if you know of an open, public DNS resolver somewhere you can do this now.

There isn't much that can be done about that.  ISPs could be directed to not allow UDP Port 53 (the standard for DNS) to go anywhere but to their servers, in an attempt to stop a bypass.  It won't work though, since there's nothing preventing anyone from running a DNS resolver on any port, nor is there anything preventing you from looking for one on some other port (if you know it's there.)

The right thing to do, of course, is for a rights-holder that finds a site that is "dedicated to infringing activity" to file a lawsuit and ask for an injunction to shut the site down - legally.

Unfortunately for the rights-holders, this sometimes doesn't work out all that well, because the site in question might physically be somewhere that doesn't give a damn about intellectual property - say, in China.  Bonne chance on getting the Chinese to listen to an American subpoena or injunction.

Thus, this sort of "proposal" is a futile attempt to interdict something across a national boundary by intercepting the resolver request - an action that takes place here, in the United States, where the baseball bat of the American Government can issue threats aimed at ISPs - and back them up at gunpoint.

David Segal is right to raise the alarm on this issue.  Where he's wrong is the belief that this will do anything to stop online piracy - or anything else.

The tools necessary to interdict pirate sites legally already exist for web sites that are hosted in the United States.  For sites beyond the United States where US legal challenges are met with raucous laughter, this bill will do nothing at all, as it will be circumvented within literal seconds by anyone interested in the material.

This is just a demonstration of the intellectual vapidity in our so-called legislative process.  I, along with thousands of others who know how DNS and The Internet work, could have told these fine legislators that this was totally idiotic and would do nothing - if Senator Leahy, the bill's sponsor, or the 16 co-sponsors, had bothered to ask.

This much I guarantee you: They didn't and all seventeen of them are too stupid to know what they don't understand.

These are the people we trust to write laws in this country?

Comments
Dashingdwl
Posts: 9806
Incept: 2007-06-26
Gold
los angeles
Leahy? Figures. Another nanny state global warmer statist idiot trying to 'help'.

----------
When you are hard and disciplined, you can be principled. People fear you because they have no leverage against you. It's the truest form of Liberty.
Asimov
Posts: 104615
Incept: 2007-08-26
Gold
East Tennessee Eastern Time
n/m

----------
It's justifiably immoral to deal morally with an immoral entity.
If you trade based on what other people say, you will lose money. Especially what I say. I won't be held responsible. Festina lente.

Rickcaird
Posts: 80
Incept: 2009-08-17

Boynton Beach, Fl
Ah, I had trouble understanding the stupidity of the Senate until you mentioned Leahy. Then it became clear, immediately. It is hard to believe that no one working in the Senate does not understand name resolution and how it works. Nor is it at all clear how the Senate proposes to disable /etc/hosts resolution.

Further proof that know-nothings are in charge of our government. We really need to have a host of people point fingers and laugh at Leahy. It would be even better if those people came from Vermont.
Abn0rmal
Posts: 9261
Incept: 2009-01-10
Green A True American Patriot!
Genesis wrote..
Where he's wrong is the belief that this will do anything to stop online piracy - or anything else.
I'd guess that 95% of computer users do not have the ability nor desire to alter their DNS settings. This blacklist won't do anything to hinder those who are knowledgeable and motivated enough to do so, but it's sufficient to reduce the fraction of the public that will view politically-inconvenient sites.
Icanhasbailout
Posts: 9939
Incept: 2009-03-10
Green A True American Patriot!
Imaginationland
Quote:
It is hard to believe that no one working in the Senate does not understand name resolution and how it works. Nor is it at all clear how the Senate proposes to disable /etc/hosts resolution.


That's not at all hard to believe, actually. Is there a single person in the Senate with anything even close to an IT background? Or the House, even?

----------
Genesis
Posts: 131401
Incept: 2007-06-26
Admin A True American Patriot!
Bah. Back before the advent of automated DHCP/PPP (when you had to use a SLIP dialer) everyone who dialed into an ISP had to do this manually.

It takes 30 seconds to show someone how on a Windows machine.

It takes even less time when you find some site that has a "click to fix site not found error" program on it.

----------
I don't care if it makes sense -- only if it makes money. -- Me
Bank (n): See scam, fraud and theft. Eat a bankster -- they're low-carb.
What part of "shall not be infringed" was unclear?

Truthseeker
Posts: 8505
Incept: 2007-10-07
Gold A True American Patriot!
NorCal
Typo alert: Second from last line. What they "don't" understand.

Great piece, btw. What a crock of ****.

----------
"...But people better realize that the worst-case scenario could actually happen.9/11 happened. This can happen. An economic 9/11, the likes of which we've never seen." Gerald Celente
Bishop2k
Posts: 3
Incept: 2010-01-15

Brisbane, Australia
There are a few errors in this. Firstly your PC doesn't typically get the DNS server addresses via DHCP on boot. On a broadband connection at least it sets the local router IP as the DNS resolver. The point to this is that the shim isn't required at the host level, just put in alternate DNS server addresses on the router.

There are also ways (we implement them here) using packet inspection on telco-grade routers in hardware to examine EVERY port for DNS traffic and block the return packets. In short, an ISP -can- implement this effectively for the vast majority of their clients.

Normally it causes a backlash, but if it's a law, where are their customers going to run to?

I'm not saying it's right and agree it's impractical, but saying it does 'nothing' simply isn't true. We have had to do this very thing on a University level due to legislative requirements regarding copyright infringement. Of course there are ways around it, but the technical knowledge of the average punter makes it a) not worth the time and bother and b) easier to pick up the activity as the work-around is often easier to detect and we simply blacklist their machines at network layer.

50,000 hosts doesn't even break the appliances into a sweat.

Just my 2c.

Asfg3
Posts: 158
Incept: 2008-08-29
Green
South Florida
Why are they trying to do this now? Are they setting the beginning stages of internet/information control under the guise of protecting "us" from piracy? don't know....smell that smell.
Icanhasbailout
Posts: 9939
Incept: 2009-03-10
Green A True American Patriot!
Imaginationland
@bishop, so techies simply come up with a way to do it encrypted so that inspecting packets is useless. What then? There's no way for the law to successfully apply itself to Internet space without actually cutting off parts of the network or physically shutting nodes down. And even if you do that, you have to remember, this network was designed to route around damage, anticipating a nuclear attack.

----------
Genesis
Posts: 131401
Incept: 2007-06-26
Admin A True American Patriot!
Quote:
There are a few errors in this. Firstly your PC doesn't typically get the DNS server addresses via DHCP on boot.

Yes it does. I suggest you read the DHCP RFC some time, or just put a packet sniffer on the wire and look at the optional fields returned in the DHCP ACK.
Quote:
There are also ways (we implement them here) using packet inspection on telco-grade routers in hardware to examine EVERY port for DNS traffic and block the return packets. In short, an ISP -can- implement this effectively for the vast majority of their clients.

No you can't. There's nothing preventing even a trivial cipher being used by the shim, assuming the other end is cooperating. That makes the traffic just appear to be a random bunch of bytes. It's also trivially easy to make it appear to be a legitimate web request too, or any other sort of traffic you would otherwise permit. This is an arms race you, as a carrier, will lose - every time. You can "win" in a corporate environment where you can lock the user's ability to load software (E.g. Windows domain control) but not in the real world of consumer machines.

If you actually work for a carrier in Australia in a technology-related part of the operation and don't understand how this stuff works, well.... go join Leahy. Circumventing this sort of idiocy will take literal minutes, and attempted countermeasures such as you describe won't stop the circumvention either - those too are trivially circumvented.

PS: I've been implementing IP networks from single-building to national-scale for close to 20 years. Argue with me if you want, but you'll lose those arguments on the facts.

----------
I don't care if it makes sense -- only if it makes money. -- Me
Bank (n): See scam, fraud and theft. Eat a bankster -- they're low-carb.
What part of "shall not be infringed" was unclear?
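Genesis's advice above is to look at the optional fields in the DHCP ACK. The following added example (not the post's or any commenter's code) assembles a DHCPACK with those fields and parses it back, pulling out option 6, the "Domain Name Server" list that the client installs as its resolvers. The option codes are the standard ones from RFC 2132; every address, the MAC and the transaction id are constructed documentation values. It also shows the caveat a defender cares about: nothing in the message authenticates the server, so whichever DHCP server answers the client chooses its resolvers.

```python
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"             # marks the start of the options field
OPT_PAD, OPT_END = 0, 255
OPT_SUBNET_MASK, OPT_ROUTER, OPT_DNS_SERVERS = 1, 3, 6
OPT_LEASE_TIME, OPT_MSG_TYPE, OPT_SERVER_ID = 51, 53, 54
DHCPACK = 5

def ip_bytes(ip):
    return bytes(int(o) for o in ip.split("."))

def ip_str(b):
    return ".".join(str(x) for x in b)

def tlv(code, data):
    """One option: code byte, length byte, value."""
    return bytes([code, len(data)]) + data

def build_dhcp_ack(xid, client_mac, yiaddr, server_ip, dns_servers, lease=86400):
    """Assemble a DHCPACK: the 236-byte fixed header (RFC 2131), the magic cookie,
    then the options a typical server returns (RFC 2132). Constructed, not captured."""
    fixed = struct.pack(">BBBBIHH4s4s4s4s16s64s128s",
                        2, 1, 6, 0,                     # BOOTREPLY, Ethernet, hlen 6, hops 0
                        xid, 0, 0,                      # transaction id, secs, flags
                        b"\0" * 4,                      # ciaddr
                        ip_bytes(yiaddr),               # "your" address: the lease
                        ip_bytes(server_ip),            # siaddr
                        b"\0" * 4,                      # giaddr (no relay)
                        client_mac.ljust(16, b"\0"),    # chaddr
                        b"", b"")                       # sname, file: zero-filled
    opts = (tlv(OPT_MSG_TYPE, bytes([DHCPACK]))
            + tlv(OPT_SERVER_ID, ip_bytes(server_ip))
            + tlv(OPT_LEASE_TIME, struct.pack(">I", lease))
            + tlv(OPT_SUBNET_MASK, ip_bytes("255.255.255.0"))
            + tlv(OPT_ROUTER, ip_bytes(server_ip))
            + tlv(OPT_DNS_SERVERS, b"".join(ip_bytes(d) for d in dns_servers))
            + bytes([OPT_END]))
    return fixed + MAGIC_COOKIE + opts

def parse_dhcp(msg):
    """Split a DHCP message into a few fixed fields and an {option_code: raw_bytes} dict."""
    if len(msg) < 240 or msg[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message (bad length or magic cookie)")
    op, htype, hlen, hops, xid = struct.unpack(">BBBBI", msg[:8])
    options, off = {}, 240
    while off < len(msg):
        code = msg[off]
        if code == OPT_PAD:
            off += 1
            continue
        if code == OPT_END:
            break
        length = msg[off + 1]
        options[code] = msg[off + 2:off + 2 + length]
        off += 2 + length
    return {"op": op, "xid": xid, "yiaddr": ip_str(msg[16:20]), "options": options}

def dns_servers_from_ack(msg):
    """The resolvers the client will use: option 6, a list of 4-byte addresses.
    Only a DHCPACK is trusted here; any other message type yields nothing."""
    opts = parse_dhcp(msg)["options"]
    if opts.get(OPT_MSG_TYPE) != bytes([DHCPACK]):
        return []
    raw = opts.get(OPT_DNS_SERVERS, b"")
    return [ip_str(raw[i:i + 4]) for i in range(0, len(raw) - len(raw) % 4, 4)]

if __name__ == "__main__":
    ack = build_dhcp_ack(0xDEADBEEF, b"\x02\x00\x5e\x10\x00\x01",
                         "198.51.100.10", "198.51.100.1",
                         ["203.0.113.53", "203.0.113.54"])
    print(parse_dhcp(ack)["yiaddr"], dns_servers_from_ack(ack))
```

On a live network the same parser can be pointed at the bytes a packet sniffer captures on UDP port 68; comparing option 6 against the resolvers the network is supposed to hand out is a cheap way to notice a misconfigured or unexpected DHCP server.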
Abn0rmal
Posts: 9261
Incept: 2009-01-10
Green A True American Patriot!
Genesis wrote..
It takes 30 seconds to show someone how on a Windows machine.
I think your background is causing you to underestimate the fraction of the population that would get confused and angry if someone changed the home page setting in their web browser because they wouldn't know how to fix it, even after having been shown.

Then again, I might be overestimating the size of that population based on the horrors of doing tech support for relatives.
Snowman
Posts: 1802
Incept: 2009-03-09
Green
avoiding yellow snow
Maybe revert to old methods. A friend of mine has an awesome jazz collection abt 70gb. I sent him a portable drive, he burned copy sent it back. Just used regular USPS.
Bishop2k
Posts: 3
Incept: 2010-01-15

Brisbane, Australia
Gen, the point I'm making is that sure, -technically- this is all correct, but on the ground the results aren't always so clear cut.

For example, how many $20 Netgear routers actually implement DHCP according to the RFC? Somewhere between few and none, so quoting it doesn't really give me much faith in using it to rely on real-world behavior.

OK, show your post to 90% of the general population and watch their eyes glaze over.

I fully agree with you, but the typical schmuck will just accept it as being 'what's 'best'' and change the channel. I do work on the technical side of this, but also in the real world side of it and see new and exciting ways students try to circumvent systems every day, and have been here for more than a decade. TOR? Sure. And when a host starts sucking down bucketloads of encrypted traffic, it just flags them all the faster.

Policy (like stupid laws) take care of that.

Genesis
Posts: 131401
Incept: 2007-06-26
Admin A True American Patriot!
No, someone who wants to access "pir8" stuff will simply load the shim and be done with it.

Consider the simplest case - they run TOR - one-button.

----------
I don't care if it makes sense -- only if it makes money. -- Me
Bank (n): See scam, fraud and theft. Eat a bankster -- they're low-carb.
What part of "shall not be infringed" was unclear?
Janedeaux
Posts: 287
Incept: 2009-09-16
Green
Mississippi
I signed the protest, but I have no more hope of our congress listening to their constituents than they did on obamacare or anything else. Plain and simple, they don't represent us!

----------
A nation of sheep breeds a government of wolves.-anon


Abn0rmal
Posts: 9261
Incept: 2009-01-10
Green A True American Patriot!
Genesis wrote..
someone who wants to access "pir8" stuff will simply load the shim and be done with it.
There is no way this law can successfully solve the problem it claims to solve, but how many laws actually do?

It does solve the problem of government agents not having a handy "internet kill switch". It's not a perfect kill switch, but it could be used to keep a site from being viewed from the majority of internet users, especially if they get the search engine operators to cooperate and not index sites on the blacklist.
Bagbalm
Posts: 4321
Incept: 2009-03-19
Green
Just North of Detroit

This site will go on the 'starter' list. Along with zero hedge and other sites using the word fraud frequently.
Goldbrick
Posts: 2946
Incept: 2008-01-23
Green
Indiana
I use Google for my DNS server, 8.8.8.8

It's so simple even a caveman could do it.

----------
"The higher I go, the crookeder it gets."
--Michael Corleone

"Instead of cursing the darkness, light a CONgressman."
Mtdm
Posts: 215
Incept: 2009-07-23
Green
Although I agree with Gen's comments *if* the intent is to block knowledgeable users and pirates -- including script kiddies who take a few moments to figure out or go browse and find out one of a number of suitable workarounds...

...I tend to think that this is more likely a trojan horse which is not seriously intended for its ostensible purpose, but rather as a framework to permit blocking of political and "terroristic" speech, at a later date. In that, it could be quite successful, because the average Joe will not seek out and implement a workaround, nor will they readily be able to implement that workaround if they are using locked down consumer devices which they have had no occasion to root -- and let's face it, more and more J6Ps will be using cellphones and TVs and set top boxes and kiosk PCs and so forth to browse in the years ahead than will be using full fledged PCs over which they have open admin privs.
Sondergaard
Posts: 692
Incept: 2007-07-13
Green
Big Trees
Quote:
A friend of mine has an awesome jazz collection abt 70gb. I sent him a portable drive, he burned copy sent it back.
Glad I'm not trying to make a living as a jazz musician...

----------
And it won't make one bit of difference if I answer right or wrong; when you're rich, they think you really know. --Fiddler on the Roof
Rbarreira
Posts: 2826
Incept: 2009-05-27

Portugal -> Sweden
Quote:
Glad I'm not trying to make a living as a jazz musician...


If you were, you'd probably get much more money from playing concerts than from selling records anyway (in which case piracy would probably help you if you're any good).

Not so good if you're in the recording industry I guess...

----------
In Soviet Russia, the government regulates the banks.
Icanhasbailout
Posts: 9939
Incept: 2009-03-10
Green A True American Patriot!
Imaginationland
Quote:
Glad I'm not trying to make a living as a jazz musician...


Fun fact: the vast majority of proceeds from recorded/copyrighted music goes to the industry and does not pass through to the artists. Artists make almost all of their money from live performance, the albums are mostly useful to artists in terms of increasing their popularity.

No artist who thinks the situation through and doesn't have an unusually favorable deal with the industry has a good reason to oppose sharing, even in violation of copyright.

Also, if you're a jazz musician in the first place, chances are extremely good that money wasn't on your mind when choosing a career. I'd wager that your typical jazz musician has more innate mathematical talent than your typical Goldman MBA.

----------
Fatherofreds
Posts: 401
Incept: 2010-01-07

Mtdm has a good point. The senate turds don't have the brains to write this bill. Who wrote it and what was their intent? Where is this going? Gen, any ideas on how this bill could be expanded on in the future? Father of Reds

----------
My wife complains I fart all night long. I passed gas for thirty years and she wants me to change now?