Maybe UPS and all delivery compagnies should not be allowed, because one can send a knife and use it to kill people ?
Maybe water should not be allowed because rapists can drink it ?
Maybe using IP as identifier is wrong (it does not work since more than 20 years) and doing any kind of IP-based policy in 2024 is a sick behavior that shall be cured in specialized hospitals ?
Why would you "filter TCP/IP except by IP" ? When I download a file, what is important is the content of the file. Not the pipe it came in.
When I buy something on amazon, what is important is the stuff delivered, not the delivery man.
You would filter packages from entering home based on the delivery man ? Insane ? Yes this is an insane behavior. As if one delivery man were dedicated per home, as it was in 1994. INSANE.
The delivery guy knowingly delivers drugs, it's written on the package, and the authorities told him to stop doing that.
Then what to do ?
Remove the license of that most specific delivery guy.
That's what they try to do (though it would be easier if the delivery guy would collaborate of course).
Not saying that blocking internet hosts is a good thing, but I don't see what else they can do, if the counterparty is not compliant :|
(DNS blocking doesn't work anymore as browsers provide circumvention methods by default, and blocking the whole BGP peer has too much side-effects because it blocks all the legitimate delivery guys too)
You would not filter based on the delivery man but based on the sender. If you know someone sends bombs or drugs in the mail but you cannot stop them initiating parcels, you would find ways to stop the parcels halfway. Physical mail is scanned in the real world, and customs stop stuff from entering the country - so the analogy is already reality!
In theory this would also work for IPs if not for the IP laundering OOP criticised.
Cloudflare chooses to hide thousands of IPs on a single IP - this is a technical choice, not a system necessity. There are of course many reasons for those and many of them legitimate, but it doesn't mean this is the right approach (and with IPv6 certainly other options are possible...)
Cloudflare chooses to hide thousands of IPs on a single IP - this is a technical choice, not a system necessity.
Well, if you want "CDN", then you must break the TCP connection. That is, you must have one TCP connection from client to CDN, and then one from CDN to the backend.
Unless you are against CDNs (they do serve a real-world purpose, tho), then it is a system necessity;
Counterexample: If a set of IPs consistently and intentionally run DDoS to shut down small sites or e.g. newspapers, should the government not intervene? If they cannot stop, say, the russian government from running such attacks would it not be the only route to block such IPs?
I'm sure there are better ways to deal with this.
You have to be careful with this because sometimes the people who create the solution (censorship) are also the ones creating the problem. I'm not saying that's the case.. But if we don't want a completely censored internet in the next few years we have to be careful.
There is a possibility of doing it. Or better said I had an idea the last few months on how to possibly do this. I have written a detailed explanation here if anybody wants to see it:
The idea basically is to block all ip's which weren't resolved by the dns server in past specific time period (for example in the last 3 minutes). So all static ip's would be blocked by default. When a domain get's resolved by the dns server, the ip address gets to the whitelist for a specific amount of time.
There is some issues. For example if somebody downloads something, the ip address might only get resolved once but the download happens by directly connecting to the ip address. But I think these issues are definitely solvable.
Would be interested to hear other peoples thoughts on this.
edit: of course this is for home network filtering purposes. If governments did this we are not in a good position.
It could work, as it's pretty rare for IP addresses to be used directly and not through DNS, but that also defeats the purpose of the mechanism: it doesn't add anything of value if everyone is using DNS. Even malware writers will purchase several domain names (several for redundancy from government take downs) so that they can rotate command servers easily.
yeah kinda true. But if you had a whitelist (i know this would be very hard to maintain etc) instead of a blacklist, you could have the most secure network blocker ever created for consumers. Malware could still leak from some of the "safe" domains but it would definitely be A LOT safer than any conventional ip or dns blocking.
Ultimately this is something that needs to be understood by lawmakers.
Web technology is increasingly designed to make this kind of meddling harder, not easier, for the sake of user security and counter surveillance across the web.
There is no magic bullet for stopping piracy. The anti piracy companies will happily burn down the world to support their business model. There are always tradeoffs, and there are always ways of pirating things, because there will inevitably be a guy willing to point a camcorder at his TV screen.
I think most people here believe that we shouldn’t break the web so that some anti piracy companies can sell their tools.
If people want to investigate crimes, it has never been easier. The reality is that the public is not interested in collectively fining everybody who watches football on a streaming site. Instead we get garbage that breaks people’s internet so that it’s a little bit harder to pirate things.
The best to do is to encourage broader access to legal offers (and support the good ones!).
Like it has happened with Netflix, or with Spotify, and even YouTube (which used to be a major illegal streaming website, before signing partnerships with most of the music majors).
Users who don't have money would continue to do piracy anyway, and the others pick convenience.
In few countries (Japan, France, Slovenia, etc) it's even mandatory to fund the public TV.
-> If you own a screen, even just a computer, they consider you may be able to watch TV with it
-> Instead, you could decide to allocate this money to a private streaming platform (12 EUR / month for France!)
(it's a plague to be forced to fund TV shows you never watch, so better allocate somewhere else)
Regarding the Italians, I understand in some ways why they decided to block the IPs.
The host of the mirror of the content (Cloudflare) doesn't do what they ask, and they are +/- out of the Italian jurisdiction so one of the most reasonable solution they could do was to block the most specific host they could find.
The most likely action is that Cloudflare is going to migrate:
1) legit customers to other IPs
2) high-risk customers to specific batches of IPs
and then this is going to resolve the side-effects.
It seems that Internet was also considered as "potential to watch TV", like you can watch TV online, and/or through services provided by set-top-boxes like Freebox.
> The most likely action is that Cloudflare is going to migrate:
> 1) legit customers to other IPs
> 2) high-risk customers to specific batches of IPs
Or they could tell Italy to jump in a lake (maybe a sea?). If you want to make dumb decisions with your country's internet I don't see why other people should bend over backwards to support your stupidity. If I were CF I'd consider monitoring for any of my IPs being blocked and then migrate all Italian government/etc sites using CF to that IP.
Hopefully Italy will stick to its guns here and block anything that facilitates piracy, and that includes Cloudflare. If that means Italy becomes an internet backwater, all its tech companies and professionals leave, and its economy collapses so it's in the economic league of nations like Somalia, that's OK. It will serve as an example.
34 comments
[ 3.3 ms ] story [ 98.1 ms ] threadMaybe water should not be allowed because rapists can drink it ?
Maybe using IP as identifier is wrong (it does not work since more than 20 years) and doing any kind of IP-based policy in 2024 is a sick behavior that shall be cured in specialized hospitals ?
When I buy something on amazon, what is important is the stuff delivered, not the delivery man.
You would filter packages from entering home based on the delivery man ? Insane ? Yes this is an insane behavior. As if one delivery man were dedicated per home, as it was in 1994. INSANE.
The delivery guy knowingly delivers drugs, it's written on the package, and the authorities told him to stop doing that.
Then what to do ? Remove the license of that most specific delivery guy.
That's what they try to do (though it would be easier if the delivery guy would collaborate of course).
Not saying that blocking internet hosts is a good thing, but I don't see what else they can do, if the counterparty is not compliant :|
(DNS blocking doesn't work anymore as browsers provide circumvention methods by default, and blocking the whole BGP peer has too much side-effects because it blocks all the legitimate delivery guys too)
In theory this would also work for IPs if not for the IP laundering OOP criticised.
Cloudflare chooses to hide thousands of IPs on a single IP - this is a technical choice, not a system necessity. There are of course many reasons for those and many of them legitimate, but it doesn't mean this is the right approach (and with IPv6 certainly other options are possible...)
Unless you are against CDNs (they do serve a real-world purpose, tho), then it is a system necessity;
So it's a good thing that they're clowns at this.
Also called "URSS", where kind people read your mail and inspect your stuff etc.
Perfect;
https://discuss.privacyguides.net/t/why-did-nobody-do-this-d...
The idea basically is to block all ip's which weren't resolved by the dns server in past specific time period (for example in the last 3 minutes). So all static ip's would be blocked by default. When a domain get's resolved by the dns server, the ip address gets to the whitelist for a specific amount of time.
There is some issues. For example if somebody downloads something, the ip address might only get resolved once but the download happens by directly connecting to the ip address. But I think these issues are definitely solvable.
Would be interested to hear other peoples thoughts on this.
edit: of course this is for home network filtering purposes. If governments did this we are not in a good position.
You joke, but this is a significant part of the justification given for denying water to millions right now (in Gaza).
Web technology is increasingly designed to make this kind of meddling harder, not easier, for the sake of user security and counter surveillance across the web.
There is no magic bullet for stopping piracy. The anti piracy companies will happily burn down the world to support their business model. There are always tradeoffs, and there are always ways of pirating things, because there will inevitably be a guy willing to point a camcorder at his TV screen.
I think most people here believe that we shouldn’t break the web so that some anti piracy companies can sell their tools.
If people want to investigate crimes, it has never been easier. The reality is that the public is not interested in collectively fining everybody who watches football on a streaming site. Instead we get garbage that breaks people’s internet so that it’s a little bit harder to pirate things.
Like it has happened with Netflix, or with Spotify, and even YouTube (which used to be a major illegal streaming website, before signing partnerships with most of the music majors).
Users who don't have money would continue to do piracy anyway, and the others pick convenience.
In few countries (Japan, France, Slovenia, etc) it's even mandatory to fund the public TV.
-> If you own a screen, even just a computer, they consider you may be able to watch TV with it
-> Instead, you could decide to allocate this money to a private streaming platform (12 EUR / month for France!)
(it's a plague to be forced to fund TV shows you never watch, so better allocate somewhere else)
Regarding the Italians, I understand in some ways why they decided to block the IPs.
The host of the mirror of the content (Cloudflare) doesn't do what they ask, and they are +/- out of the Italian jurisdiction so one of the most reasonable solution they could do was to block the most specific host they could find.
The most likely action is that Cloudflare is going to migrate:
1) legit customers to other IPs
2) high-risk customers to specific batches of IPs
and then this is going to resolve the side-effects.
https://www.gouvernement.fr/actualite/fin-de-rideau-pour-la-...
It seems that Internet was also considered as "potential to watch TV", like you can watch TV online, and/or through services provided by set-top-boxes like Freebox.
> 1) legit customers to other IPs
> 2) high-risk customers to specific batches of IPs
Or they could tell Italy to jump in a lake (maybe a sea?). If you want to make dumb decisions with your country's internet I don't see why other people should bend over backwards to support your stupidity. If I were CF I'd consider monitoring for any of my IPs being blocked and then migrate all Italian government/etc sites using CF to that IP.