Many years ago, I used to work for Vodafone - and had some responsibility for their filtering stuff.
One of the main problems was that, at the time, it was all managed by Blue Coat. As they were a US company, many of the "violations" that they picked up just weren't considered problematic for a UK / EU audience.
Similarly, they would use blanket keyword blocking. So sex education resources would frequently get blocked. Although, again, that may have been by puritanical design.
Anything which looked like it might be used to bypass their filters (VPN, proxies, etc) was also blocked.
Ultimately, the customer isn't the user. It is the network who are terrified that Johnny's parent is going to go to the papers screaming about how the evil phone company corrupted their innocent child. That's all it is there for - to protect the network.
Before HTTPS was all but required for everything, an intranet site would get blocked in one particular office at 11pm every night. We tracked it down to a night-shift employee signing in, whose last name contained "shit". After pleading fruitlessly against that office's IT policies we solved the problem permanently by eating the overhead and turning on HTTPS.
I once debugged an email delivery issue which turned out to be a similar filter which included email headers while scanning, ending up blocking any email that passed through an SMTP server called foo.sussex.bar.hp.com (or maybe it was Essex, my memory is hazy).
The latter (TV show) is actually based on the former (Twitter feed) but couldn't retain the name in the US. It would probably have been perfectly fine as is in the UK.
I never understand that kind of (often self) censorship where the meaning is intentionally left clear. It could be malicious compliance with keyword-based filters but people do it voluntarily even in places where no such filters exist.
I make a point to mention that my cat’s full name is Robert. I enjoy the reactions: person either looks at me like I’m a moron for thinking this is something worth spending the energy to say out loud, or they really enjoy it. I digress.
It likely originated in rhyming slang where words that rhyme are used as replacement[0]. It isn't the only example in nick names. Bill is a nickname for William and Bob is a nickname for Robert.
The nickname for John is Jack, actually. Jack and Dick both belong to a class of nicknames that all end in "ck" or "k" sounds, but for which the original doesn't have a k sound.
The standard of counting as "Tiffany" is strange. He's not happy with Θεοφανώ or Theophania, but he's perfectly happy to count (French) Tiphaine, Thifaine, Thiephaine, and (English) Tephany as being "obviously" the modern name. But the difference between Tephany and Theophania is down to the "Th" at the beginning. Why agonize over the difference between the very well-attested Greek Theophania and modern Tiffany if it's so clear that medieval Tephany matches the modern form? It's a better match for the Greek form!
> Ultimately, the customer isn't the user. It is the network who are terrified that Johnny's parent is going to go to the papers screaming about how the evil phone company corrupted their innocent child. That's all it is there for - to protect the network.
You're not kidding. The biggest fear is a parent complaining because a library or school filter fails. People really don't give a damn what a hard problem it is nor do they care that browsers are starting to add counter measures to skip over ISP filtering. Doesn't matter if you don't have control of the laptop, you are still to blame. At this point, I wonder what the next generation of filtering software is going to do.
Oddly enough, vodafone filtering is less restrictive in other ways. For instance, they never blocked The Pirate Bay, but I just switched ISP from vodafone and my new ISP (Sky) blocks the site via some TLS tricks. It's odd because while adult content blocks are purely a per-ISP choice (they offer it as a service/choice to customers), I had thought that TPB was blocked because of court orders. So how come one ISP blocks it, and other doesn't?
> "I had thought that TPB was blocked because of court orders.
> So how come one ISP blocks it, and other doesn't?"
The court order[1] had 6 defined defendants:
- BRITISH SKY BROADCASTING LIMITED
- BRITISH TELECOMMUNICATIONS PLC
- EVERYTHING EVERYWHERE LIMITED
- TALKTALK TELECOM GROUP PLC
- TELEFÓNICA UK LIMITED
- VIRGIN MEDIA LIMITED
The court order only affected the listed ISPs (at that time, 94% share of the consumer ISP market). Other ISPs were under no obligation to do the same.
No obligation? The DA could sue immediately in the public interest, or if not it could be the original plaintiff, and then the remaining ISPs would have the opportunity to defend their cause themselves.
> The DA could sue immediately in the public interest…
It's not in the public interest to block TPB. The DA would be suing for the sake of private interests, against the public, and at the public's expense.
I wonder what the disconnect is that causes people to blame Vodafone for content requested over their network, but not Royal Mail for the content that arrives in their mailbox, or Google/Chrome for the content of webpages, or Dunder Mifflin for content printed on paper. Has that ever actually happened, or is it just corporate risk aversion?
Is this filtering an extra feature like parental controls or corporate filtering? Or was this just blanket filtering applied to all Vodafone customers?
A number of my personal sites end up blocked by corporate firewalls. It’s slightly infuriating. Even my own company. I got in a literal fight with IT needing to justify the why in why I needed access to my own website. Like I can live without it, but it’s nothing but my blog where I rant about tech. The why should be why is it blocked to begin with. The default state should not be blocked.
Default approach of a firewall: when in doubt, block it. But IT has really outdone itself and grown into something that could be the largest threat to an open internet.
The same could happen to mail, where you can only use "certified provider" or you will just be filtered out. Spam and phishing are a problem, sure, but recent IT strategies are highly questionable in this regard.
Considering the landscape of spam, phishing, and malicious actors poking around what's your alternative solution to how firewall rules (and category lists generated and maintained by companies like Palo Alto) are currently applied? The IT side of things has limited tools (and budget) with which to control and secure the internal environment.
IMO there's also a failure of government here to both ensure an open internet and to come down on people abusing the system. A related example might be the phone spam calls everyone in the US gets - it's an administrative, legal, and regulatory problem, not a technical one.
My context may be a bit skewed though since I'm a sysadmin turned cybersecurity and I've seen the large numbers of people clicking on the absolute stupidest things. Given the "average" computer use that IT has to deal with I'm much more sympathetic to their plight.
> but recent IT strategies are highly questionable in this regard.
I think of it as a result of high profile hacks. Either a company is hacked once and they go way overboard trying to ensure it doesn't happen again. Or, some high profile company gets hacked, some C*O's see it, overreact and decide they're not going to be next.
The word "model" as in "Data Model" or "Mathematical Model" is blocked at my work. Why? Because otherwise people might look up clothing models or something... This impacts multiple programming divisions and has not been lifted even after it was raised.
The only reaction to something that dysfunctional and stupid is to go the other direction. Make lots of complaints about every normal English word you can think of by using it in a search and finding questionable results. Rule 34 says this should not be hard. Watch management crumble when the whole internet gets unusable because everything is blocked.
Also: polish up your resume and start sending it out.
> just braindead blocking software purchased by incompetent managers.
Having been that IT person early in my career, responsible for networks, firewalls and policies, what you say sounds cruel. But I could not agree more. Today there is a tragic de-skilling in ICT. When I speak to modern corporate or academic IT people I make the best faith assumptions. I assume they are like we were in the early 90s and speak to them accordingly with technical respect. Then I discover they cannot configure a mail or web server, cannot compile a program, or even use a package manager... they don't know how to read logs or change permissions on a directory.... the mind boggles. I've had senior IT people tell me that they're "not technical" and it turns out they've arrived on some "management track" from an arts-history background.
I'm not knocking arts history, or being "elitist" I hope, but this raises serious concerns for me. What is going on in IT? Have cloud services, tick-box webmin interfaces and packaged solutions led to a brain drain?
One could argue that modern IT people don't need "geeky computer skills" any more, because Google and Microsoft have solved everything. But that doesn't pan out, because when simple things go wrong they cannot fix them (which is their job). Right now I am dealing with an international university whose impeccable pedigree is bedrock in computing history - and their IT people cannot fix a simple email issue, to the extent the staff and students have to set up their own servers. The fact is, they just don't have control over it any longer. I think the entire senior ranks are just marking time till they can retire.
Regarding braindead blocking software and incompetent managers - all blocking software is braindead and what's worse, opaque (good luck finding out why a site is blocked, the devs don't care). Us incompetent managers often end up purchasing them to tick a check box required by the insurance company and/or the government, neither of which care that it's all snake oil.
Any exception to the firewall policy requires supporting documentation. IT may just be covering their own ass/literally doing their job properly when they ask for the justification.
As a manager, I've noticed people tend to overthink the "business justification" field on forms and get themselves all worked up that they are being told no because they know what to put, but in reality all you normally need to do is string together a handful of words that vaguely makes sense to the person processing the request so they can check a box.
Counterpoint: The sole purpose of a business network is to execute the requirements of the business. Any extraneous activity on the network is at least noise, and at most a direct threat to the business. The #1 way in which networks get infected is through phishing and employee downloads.
On a corporate network, it can make total sense to block non-business sites by default. As someone who used to help manage the proxies at a bank, some of the arbitrary decisions annoyed me (like blocking gTLDs of all sorts by default) but at the end of the day, it was an inconvenience. There were mechanisms to request access if needed.
To me, it starts to get more shady with behavioral analytics software on terminals that measure your known patterns of access and look for aberrations. It becomes intrusive and creepy in its move from "passive" filtering to active, personalized monitoring.
---
All that is irrelevant here, because an ISP fucking with my TLS connection and throwing up warnings is awful.
Yes, it is a bureaucratic pain for IT to request access to download a tool for testing, etc. and in many places that may be overkill.
Again, prior experience, we had brainstormed the idea of denying any executable downloads by frontline workers, while permitting it for IT, since frontline workers both were less likely to need to download random EXEs, and less likely to know how to spot phishing or grayware sites.
But if your tool is a non-licensed piece of software that then puts the company on the hook because you used it without people whose purview it is to know these things can cause problems.
I 100% understand the frustration of working in a place where lawyers "introduce drag". A lawyer's job isn't to make your job harder/easier, but to protect the company from whatever. Sometimes whatever turns out to be the "well intended" employee. Part of the friction in these situations is very zealous people wanting to do things while they are so scoped in on their task that they are unaware of the larger consequences to the company, no matter how well intentioned they may be. As I've become older, I can correlate that friction with youth. That coefficient of friction becomes smaller with age/experience. It has nothing to do with levels of caring/apathy, but from experiencing the negative effect of "move fast, break things" and being willing to tap the brakes a little bit while changing altitude to see a bigger picture.
Oh definitely, and I wish I hadn't implied a value judgment. I've been happy at places with strict policies but easy admission, so I'm not opposed to the concept.
I occasionally link to my blog articles when I am trying to make a point. It is often better to reference my well-thought-out and composed arguments rather than typing them out again on-demand with less thought.
We've been working from home for 2 years. They want us to run all traffic through the VPN that applies the same filtering. Please excuse me if I forget to turn it on.
Personally I run the VPN in a VM on my private device and I would recommend to do that to everyone. You have a VPN without split tunneling within the VM, it is containerized from your other OS and separates work and leisure and you can use your normal WAN connection to access the internet at full speed.
With how verbose and talkative applications today are it wouldn't be appropriate to route their traffic through the company line anyway.
Of course that decreases the security that deactivating split tunneling offers to a degree, but I think we have to live with that. All this security is ineffective anyway if 99% of attacks come through the inbox. That will never change, and people need to be educated and have to trust IT that they don't blame the user, since it can happen to everyone and nobody is on guard 100% of the time. With decent backups the damage can usually be completely mitigated without a lot of expensive security measures.
One would hope you still have separate personal device(s) which you can use without connecting through their VPN, in addition to the corporate-owned ones used for work. Or do they want you to run all your personal traffic through the VPN as well?
Vodafone is a mess. I bought a 24GB pre-paid SIM which was supposed to last 2 years but they 'lost' my plan after 6 months and 2GB of data use. Spent an hour on chat with them telling me that no such plan had ever existed until I told them I had all the receipts and evidence of how much data I had used and threatened to take them to the small claims court with expenses at £60/hr for my time. They capitulated quickly after that and restored it, then 'lost' my plan again the next month.
I've had problems with billing glitches with four utility companies in the UK now and I am starting to suspect that overcharging people and hoping they don't notice is actually a common business strategy in the industry and if they get caught they blame bad IT but really their systems are configured to do this on purpose.
I think it's semi deliberate. They put systems in place to catch errors that cost them money but they don't go looking for errors that cost their customers. The result is inevitable but there is enough plausible deniability to avoid any serious consequences for the company.
daniel.haxx.se is Daniel Stenberg's blog (famously known as curl maintainer), and would best be displayed with the subdomain as daniel.haxx.se rather than haxx.se, similar to how substacks include the subdomain to make it clear at a glance what the source is.
Send an email to hn@ycombinator.com. He usually replies the same day. IIRC they only show subdomains for sites that have a lot of posts, but it's not a hard rule so he may make an exception.
Good! curl is a dangerous tool that can be used to circumvent deep link protections for corporate intellectual property. Imagine the kinds of evil that can be done by pirates if they are able to construct a URL and then simply fetch it using this so called haxx (hacks, aka hackers) tool.
Can’t think what the “ha” would stand for in their analysis, but the se and xx can be indicators of adultness when you have a naive algo for dealing with bot spam domains for adult-content-as-spam:
Some even started using multiple X's (i.e. XX, XXX, etc.) to give the impression that their film contained more graphic sexual content than the simple X rating. In some cases, the X ratings were applied by reviewers or film scholars, e.g. William Rotsler, who wrote "The XXX-rating is for Hardcore, the XX-rating is for Softcore, and an X-rating is for comparatively cool films." — https://en.wikipedia.org/wiki/X_rating
That said, if they think the domain is a soft hit they should look at content, site age and classification in e.g. Blue Coat, etc., which would counter the soft domain indicator. If the site allows comments and doesn't always successfully moderate or filter out adult bot spam links, that can make even clean content sites get filtered. To be clear, I'm not aware of any spam at this site, but as a heads up to anyone w/ open commenting: comment engines that allow a website link are often bot-bait.
Somehow that seems worse. Don't apply automatic filters to sketchy, fly-by-night spam sites that pop up and disappear, but do apply purely automatic filters to sites with a significant enough amount of legitimate traffic?
That seems to be exactly backwards of the way things should be done if it wasn't mostly security theater.
It's also how machine-learning based "malware detections" work - they don't run in real time on users computers so you can create a fresh executable and it won't be flagged but once enough users run it and their anti-virus software uploads it will get scanned and receive a made-up virus name (and this can and often does happen even if the executable is not malicious).
- Have to consider the domain is a string, not a hierarchy. Too many premier domains have had subdomains with spam, malware, etc., running on some random thing in their namespace, trying to draft on the domain rep.
- Legit traffic + comment forms + web links are a thing spam and adult "se.xx 2nite?" bots target. They seek out the ranked traffic to boost their clicks and good rep to boost their SERPs, so -- perhaps counterintuitive -- scoring traffic + rep as an indicator (to be combined with other indicators of course) is sensible.
That's because Vodafone believes that daniel.haxx.se implies that "Daniel Has Sex" and is clearly a pornographic web-site un-suitable for its celibate and holy network.
Sigh. Automatic classification of material as "adult" has always sucked. I remember watching a news report where school filters had classified webpages referencing the current Super Bowl (Super Bowl XXX) as adult content due to XXX typically being associated with adult material.
The opposite happens too - see Elsagate. The newest version of Elsagate material, which I've only seen one person talking about, is weird/inappropriate stories aimed at children but disguised as baking videos - https://youtu.be/HfcKCk6vPCE?t=295
Yikes, this is so much worse than merely weird, though it definitely is that.
Here's the transcript from a couple, both of which are played over top of those "5-minute craft" style (faked) baking videos:
> > Someone knocked on the front door. I opened it and saw a strange tiny man standing there with a creepy smile on his face and he smells really good.
> > He said "Hi I'm Noah I'm looking for your dad, is he home?"
> > I replied "No he's out there looking for a stupid job."
> > I was about to close the door in his face when he suddenly pushed it back open. I screamed, I thought he was going to hurt me. He took off his glasses and told me to stay calm. He looked a lot less intimidating without his glasses on and his face was softer.
> > After one of my live youtube videos one of my viewers sent a message asking if we could meet. It was a bit strange for someone to be so insistent, especially after what my brother was doing so I ignored him at first. Then, a few days later, he messaged me again. He said he knew how to deal with my brother. He believed me. I agreed to meet him but I was nervous. What if it's just a stupid prank, I wondered. I went to the coffee shop he had asked me to go to. I didn't even know his name.
> And in that story he turns out to be a handsome knight in shining armor who rescues her from all her troubled home life problems.
The thing that gets me with the elsagate material is that it is weird. More weird than offensive. Is this just machine written content that has gone a bit nuts?
I'm very much of the opinion that such filtering should be opt-in rather than opt-out. Now don't get me wrong, it should be trivial for a parent to opt in if they want to but I fundamentally don't agree that it should be the default to child-proof the internet.
Otherwise ISPs are basically collecting a list of self-identified internet deviants by whatever definition they have. I mean at least make them do a bit of work to process my DNS history to figure that out...
Not to mention the point of the article, that the filtering is often overzealous and captures the weirdest things.
I'm always chuffed and fascinated when tech companies cloister themselves in the robes of moral arbiter. Twitter does this now, albeit it seems like a cheap excuse to pump user numbers by forcing authentication.
Why 18? Why not 21? Or 23? What qualifies as explicitly "adult" content? Violence perhaps could disqualify most military recruiting sites from my Vodafone. Alcohol? It's certainly a moral vice in the UAE but in Germany even a fourteen year old can order a Bier with their parents. Sex? It's a sensitive subject for even the most conservative among us until we touch upon religious texts, which seem to enjoy free rein.
What I wonder most is... what is the altruistic moral source of truth used as litmus by Voda and others? Or is it driven largely by a small but vocal minority, or is the board pushing this as some sort of nineteenth century neo-Victorian purity charge?
These content filtering schemes are usually legally mandated, and the age of 18 is set by law.
More likely than not, this got caught up in a regular job that scans DNS zones for new domains to "filter". It's just a matter of time before this catches anything related to Scunthorpe[0].
> These content filtering schemes are usually legally mandated, and the age of 18 is set by law.
It's also worth adding that 18 is typically the age when someone is considered legally accountable for their actions as an adult. We shouldn't be surprised that this age pops up in so many laws because of that, even though it is an arbitrary line in most cases.
It makes users who previously accessed a site anonymously create accounts or leave. For some sites, the increase in users signed-in may be worth the loss of other users (and bots).
Parents want parental controls on their children’s devices, and that becomes part of their decision on which provider to choose for their children’s phone contracts. Vodafone is reacting to market desire for an optional feature, there isn’t some evil spooky ulterior motive at play.
The people responsible for making and distributing this type of software and filters for it are mediocre minds, it's as simple as that. It gives them (usually an overzealous IT person) power and thus identity over smarter engineers, turning it a sadistic spectacle sport for them. The only answer is to remove their power by using end-to-end encryption with programs like Tor and simply laugh at their pathetic antics.
UK citizen here - yeah, it's super annoying. It's to verify you're over 18 as that's the age at which you can obtain a credit card.
You can though ring the mobile phone provider and tell them to turn off the block - and we can blame our conservative government for pushing this through (and looking to go even further in the future).
It's ECH now, Chromium/Google are actively working on it. So soon™
In addition to that we need ODoH and NTS as well. It's pretty clear neither countries or ISPs (not to mention attackers) can keep their grubby fingers out of anything unencrypted. MITM should be visible or impossible.
Yes, we really need that. Glad we have TLS and questionable ambitions show that it doesn't even reach deep enough.
Although the way the web works a web request to domain.xy doesn't mean much anyway but people still believe in it.
Also MITM attacks in IT security should be shunned and I believe the users need to be informed about it when they happen. IT could potentially steal banking information. I believe this to be highly illegal in my country and still a data breach even if an employee wasn't allowed to do the transaction because it was private.
It's maddening that there's no audit trail or public record you can use to debug "why?".
I had my domain put on a phishing blacklist due to DNS caching. During a 30 minute cache window, I decommissioned a server and a bad actor picked up the recycled server's IP address. The IP reverse lookup showed my domain due to the cache.
I have a Virgin Media subscription for my phone and a while back I discovered that sometimes Reddit didn't load. It took me a while to figure out that it was on 4G and happened because I'd been using Virgin's DNS servers. This is a similar "adult filter", that most UK ISPs implement.
AFAIK the filtering isn't legally mandated, but something the ISPs decide on together based on some government memo. In any case it's dead simple to bypass and a very blunt tool. For example, why does Virgin block Reddit, but not Twitter? Both sites feature adult content, in fact so does Google image search.
The silver lining in all this stupidity is perhaps that it creates a more technically talented population. I don't expect most teenagers know or want to know about DNS, but if that's what stands between them and adult content I'm sure they'll learn.
It is not totally clear from the article, but it appears Vodafone blocks a site as 'for 18+' when really it is a case of an incorrect certificate. To get round it you need to register with Vodafone.
At least google allows me to click away such warnings (while warning that doom is imminent).
Isn't the certificate "incorrect" only because Vodafone block the site and intercept the TLS connection? That's why the "incorrect" TLS cert presented mentions Vodafone's "solution" for traffic filtering. That's my read of things.
UK mobile data is filtered by default, while fixed-line isn't. I suspect this is an artifact of "adult" premium rate phone lines - access to those numbers must be limited to those verified to be over 18, and while I've not done the research to back this up it wouldn't surprise me at all if it's the application of this rule over the years that has led to this situation.
Of course a mobile telephony provider is going to be a lot more certain which phone numbers attract the specific premium rate categories to need to be blocked than they are which random domains should be blocked :P.
For once I am happy to live in a third-world country. This wouldn't fly here, thanks to the telecommunications law:
ARTICLE 57. - Network neutrality. Prohibitions. Service Providers shall not:
a) Block, interfere, discriminate, hinder, degrade or restrict the use, sending, reception, offering or access to any content, application, service or protocol except by court order or express request of the user.
I worked for over a decade as a DBA for one of the largest private data warehouse companies, and it was hilariously fun to get the so-called "naughty word list" for customer suppression reasons. I learned so many creative slurs based on where people live or were born.
Australians, in particular, have an amazing amount of curse words/racial slurs.
> isn't this something that certificate transparency should help solve?
No. CT is meant to help find illegitimate server certificate issuance by participating CAs, but it cannot help the user-agent get past illegitimate server certs.
Besides, the whole point here is to make the user-agent fail to load the page, therefore the network operator's firewall's CA would not participate in CT (nor be a CAB member), and the network operator does not just not mind that the illegitimate server certificate is noticed, they want it noticed.
> CT is meant to help find illegitimate server certificate issuance by participating CAs, but it cannot help the user-agent get past illegitimate server certs.
That's the point though. I'd rather the user-agent tell me that the certificate is invalid. That's as far as it's currently going anyway when a certificate is, for example, self-signed.
> Besides, the whole point here is to make the user-agent fail to load the page,
That's exactly the minimum that should happen, yes. User-agent sees that the certificate isn't correctly issued for the domain and refuses to send the HTTP request (though SNI is already sent...)
> the network operator does not just not mind that the illegitimate server certificate is noticed, they want it noticed.
More than just noticed: the network operator wants the user to inappropriately act on the illegitimate server certificate.
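The replies above note that the SNI has already gone out before the user-agent ever sees the bogus certificate, and the earlier ECH comment is about closing exactly that gap. The following script is an added example, not code from this thread or from the curl project: using only the Python standard library, it generates a genuine ClientHello offline (an ssl.MemoryBIO handshake that is stopped as soon as the client wants to read a reply), parses the server_name extension out of the raw record the way a middlebox would, and runs the name through a hypothetical suffix blocklist. The blocklist contents and the is_blocked helper are assumptions for illustration; nothing here reflects how Vodafone's or Sky's filter is actually configured.

```python
"""Extract the SNI from a raw TLS ClientHello, as an on-path filter would.

Added example (not from the original thread). Stdlib only; runs offline.
The ClientHello bytes come from Python's own ssl module, so they are what
a real client puts on the wire, OpenSSL version permitting.
"""
import ssl
import struct

TLS_HANDSHAKE = 0x16   # record-layer content type
CLIENT_HELLO = 0x01    # handshake message type
EXT_SERVER_NAME = 0    # extension type for SNI (RFC 6066)
SNI_HOST_NAME = 0      # name_type for a DNS hostname


def build_client_hello(hostname: str) -> bytes:
    """Drive a client handshake against an in-memory BIO and stop as soon
    as the client wants to read the server's answer; the only bytes written
    by then are the ClientHello record."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    conn = ctx.wrap_bio(incoming, outgoing, server_hostname=hostname)
    try:
        conn.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: no server has replied yet
    return outgoing.read()


def _handshake_payload(data: bytes) -> bytes:
    """Concatenate payloads of leading handshake-type records (type, u16
    version, u16 length, payload), stopping at the first other record."""
    out, pos = bytearray(), 0
    while pos + 5 <= len(data):
        rec_type = data[pos]
        (length,) = struct.unpack("!H", data[pos + 3:pos + 5])
        if rec_type != TLS_HANDSHAKE:
            break
        out += data[pos + 5:pos + 5 + length]
        pos += 5 + length
    return bytes(out)


def _parse_sni(hs: bytes):
    if hs[0] != CLIENT_HELLO:
        return None
    body_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + body_len]
    if len(body) != body_len:
        return None                      # truncated message
    pos = 2 + 32                         # legacy_version + random
    pos += 1 + body[pos]                 # session_id
    (cs_len,) = struct.unpack("!H", body[pos:pos + 2])
    pos += 2 + cs_len                    # cipher_suites
    pos += 1 + body[pos]                 # compression_methods
    if pos == len(body):
        return None                      # no extensions at all
    (ext_len,) = struct.unpack("!H", body[pos:pos + 2])
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        ext_type, length = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        if ext_type == EXT_SERVER_NAME:
            ext = body[pos:pos + length]
            # server_name_list: u16 list length, then (u8 type, u16 len, name)*
            (list_len,) = struct.unpack("!H", ext[:2])
            p = 2
            while p + 3 <= 2 + list_len:
                name_type = ext[p]
                (name_len,) = struct.unpack("!H", ext[p + 1:p + 3])
                p += 3
                if name_type == SNI_HOST_NAME:
                    return ext[p:p + name_len].decode("ascii")
                p += name_len
        pos += length
    return None


def extract_sni(data: bytes):
    """Return the SNI hostname from a ClientHello, or None if absent/garbled."""
    try:
        return _parse_sni(_handshake_payload(data))
    except (IndexError, struct.error, UnicodeDecodeError):
        return None


def is_blocked(host: str, blocklist) -> bool:
    """Hypothetical filter rule: a blocklist entry matches the host itself
    and every subdomain of it, but not unrelated names that merely contain it."""
    entries = {b.lower().rstrip(".") for b in blocklist}
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in entries for i in range(len(labels)))


if __name__ == "__main__":
    hello = build_client_hello("daniel.haxx.se")
    name = extract_sni(hello)
    print(f"{len(hello)} bytes on the wire, SNI in the clear: {name}")
    print("blocked:", is_blocked(name, ["haxx.se"]))   # constructed blocklist
```

Everything the filter needs is in the first packet the client sends, before any certificate is exchanged, which is why the thread's point about refusing the bogus certificate only limits the damage (no cookies or credentials go to the middlebox) and does not hide which site was requested. With ECH the outer ClientHello carries only the public cover name, so a parser like this one would see that name instead of the real one.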
How else could they let the end user know what's going on? Due to pinning, it's either present a phony certificate, or completely fail the connection and give the user no indication why.
Of course, accepting the phony certificate will immediately leak your cookies to the middlebox, along with giving it permission to read any credentials out of local storage. So as an end user you should not accept it.
If you were a school or other institutional user using this filtering service (which isn't just marketing to service providers like Vodafone), you'd probably have their root CA installed so your users see the filter error page instead of just an SSL error.
My own blog (Cyber Security related) was also blocked by a couple of mobile operators in the UK the last time I checked. The internet has been dead for some years now.
I'd bet it's because the filtering vendor (Allot) sells a simple interface to the customer (Vodafone) that mostly consists of allowlist/blocklist entries manually added by support agents when someone complains.
There's probably a policy to dictate what content should be filtered, but in practice: a ticket is filed to block a site, someone looks at the ticket, in all likelihood it is added to the blocklist, and then probably ends up there forever until complaints are raised.
You could be correct that the presence of multiple x's in the URL makes it more likely for support agents to think "yep, this is probably sketchy, there's no harm adding it to the blocklist" - I doubt it's the original reason though.