Previous month:
July 2012
Next month:
September 2012

August 2012

A Chain Saw is a Poor Choice for Surgery and for Blocking Web Content

The Internet creates extraordinary opportunities for large populations to monitor and influence politics and lawmaking. Engaged citizens have raised firestorms against antipiracy bills, while powerful lobbies urged politicians to mandate the use of technical measures to protect copyrights. Demonstrators have blogged or tweeted about anti-government protests from rally sites, circumventing governments’ best efforts to prevent the news media from reporting on these events.

In these scenarios, lobbyists and governments looked at the technical measures enterprises and ISPs had used to control user access to or remove content, and they hastily concluded, “This works for them. Why not for us?”

There are several scenarios where the motives to block or remove access are controversial. In some cases -- when technical measures to block access or remove content are incorporated badly into laws -- you end up choosing a chain saw for surgery where a laser or scalpel would suffice. Worse, you often don’t accomplish what you intended.

Yar! Pirates!

In the alphabet soup of antipiracy and content protection legislation, the Stop Online Piracy Act and Protect IP Act are poster children for incorporating technology into law badly. These bills would have mandated the use of DNS filtering to combat illegal use or distribution of intellectual property and copyrighted material.

These bills targeted rogue Websites offering access to copyrighted material. Specifically, they would have given the US attorney general the power to ask federal courts to order ISPs to prevent users from accessing rogue sites hosted outside the US by blacklisting the domain name (“DNS filtering”) and redirecting users to a page telling them the site violated copyrights.


This looks very similar to how an enterprise might configure its DNS servers when using a block list to filter spam domains. Those behind bills like SOPA see that this works for the enterprise, and they conclude it would also work at a national level. The difference is that an enterprise imposes the policy uniformly for all of its users and only for its users. The proposed bills targeted sites hosted outside the US. If they had passed, their mandated technical measures would have ultimately proven ineffective, because:

  1. The removal orders could be issued only to US ISPs.
  2. The orders would not compel hosting providers to remove content.
  3. The orders would not compel non-US ISPs to change their DNS servers to block rogue sites or redirect pirate domain names to the attorney general's notice.

The bottom line is that the content would remain there to be found, and determined users could use a non-US ISP’s resolver to circumvent DNS filters. In fact, workarounds became available as anti-SOPA sentiments intensified.

Great walls of fire


If SOPA had become law, it would have caused Internet users to receive different answers from the DNS depending on which resolver the user queried. This is exactly the kind of behavior that organizations with mobile workforces encounter when their people travel to countries where access to content is restricted.

In such countries, IP address blocking and URL or keyword filtering are used in conjunction with DNS filtering or redirection techniques to ensure that only state-sanctioned material is available to the population and visitors. The DNS measures are applied today on domain names, but the addition of the XXX top-level domain has caused other nations to investigate whether it is practical to block top-level domains in their entirety. The worry is not whether nations will block TLDs, but what technical measures they would use, how these measures would affect the global DNS, and whether the global Internet will eventually balkanize.

DNS is a critical component of your infrastructure, and some of the issues I’ve been discussing may cause you to think more about how you’re providing name service to your users. (See: Preventing Access or Removing Content: Laser, Scalpel, or Saw? and Shutdowns, Suspensions, & Seizures… Oh, My!) For example, when you consider how DNS blocking is used today, you might include “we’ve been blocked” scenarios as risk factors. My guess is you’ll realize it’s important to stay familiar with pending legislation and know how to remedy false positives.

You should also be thinking about measures you can take to ensure universal resolvability of domain names for your users, especially your mobile workforce. Configuring end points you administer to use name servers or resolvers that you operate or have managed on your behalf may be a proper course for your organization.


Originally posted at The Champion Community 9 May 2012

Photos by StartAgain, robotson, redmind, LividFiction, teach42

How to Disable Java on Safari Browser Version 6

How-To-Geek has published an article, Java is Insecure and Awful, It’s Time to Disable It, and Here’s How. The article does a satisfactory job of explaining why you should be concerned about running the Java Run Time Environment - or even keeping it installed. It then explains how to remove or disable Java RTE from popular browsers, but it doesn't show how Safari users might do this.

Fortunately, it's straightforward:

Launch Safari

From the Safari menu, pulldown and choose Preferences...

Choose the Security tab

Uncheck the box labeled Enable Java

Close the Preferences Window

This is essentially the same information you'll find at Apple Support, under the title How to disable the Java web plug-in in Safari. The image capture Apple uses is different from what you'll see if you're running Safari Version 6.0 (8536.25 or  7536.25) but disabling Java is unchanged.