
Security Consultants Warn About PROTECT-IP Act

epee1221 writes "Several security professionals released a paper raising objections to the DNS filtering (PDF) mandated by the proposed PROTECT-IP Act. The measure allows courts to require Internet service providers to redirect or block queries for a domain deemed to be infringing on IP laws. ISPs will not be able to improve DNS security using DNSSEC, a system for cryptographically signing DNS records to ensure their authenticity, as the sort of manipulation mandated by PROTECT-IP is the type of interference DNSSEC is meant to prevent. The paper notes that a DNS server which has been compromised by a cracker would be indistinguishable from one operating under a court order to alter its DNS responses. The measure also points to a possible fragmenting of the DNS system, effectively making domain names non-universal, and the DNS manipulation may lead to collateral damage (i.e. filtering an infringing domain may block access to non-infringing content). It is also pointed out that DNS filtering does not actually keep determined users from accessing content, as they can still access non-filtered DNS servers or directly enter the blocked site's IP address if it is known. A statement by the MPAA disputes these claims, arguing that typical users lack the expertise to select a different DNS server and that the Internet must not be allowed to 'decay into a lawless Wild West.' Paul Vixie, a coauthor of the paper, elaborates in his blog."
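The summary's point that a validating client cannot tell a court-ordered rewrite from a malicious one, as an added example (not from the paper or the original post): a toy textbook-RSA signature stands in for real DNSSEC keys, and the domain, addresses and function names are constructed for illustration.

```python
import hashlib

# Toy textbook-RSA key standing in for a zone signing key (constructed, NOT
# secure; real DNSSEC publishes RSA/ECDSA keys as DNSKEY records).
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))

def digest(name, rtype, rdata):
    """Hash the record set (owner name, type, sorted rdata) to an integer < N."""
    blob = "|".join([name.lower(), rtype] + sorted(rdata)).encode()
    return int.from_bytes(hashlib.sha256(blob).digest(), "big") % N

def sign(name, rtype, rdata):
    """Zone owner: RRSIG-like signature made with the private exponent."""
    return pow(digest(name, rtype, rdata), D, N)

def validate(answer, trust_anchor=(N, E)):
    """Validating client: 'secure' if the signature matches, else 'bogus'."""
    n, e = trust_anchor
    sig = answer.get("rrsig")
    if sig is None:
        return "bogus"  # the zone is known to be signed, so no signature fails
    expected = digest(answer["name"], answer["type"], answer["rdata"])
    return "secure" if pow(sig, e, n) == expected else "bogus"

def rewrite(answer, new_ip, keep_sig=True):
    """Any resolver that alters the answer, whatever its reason for doing so."""
    out = dict(answer, rdata=[new_ip])
    if not keep_sig:
        out.pop("rrsig")
    return out

# Constructed sample record (example domain, documentation address ranges).
authentic = {"name": "media.example.", "type": "A", "rdata": ["192.0.2.10"]}
authentic["rrsig"] = sign(authentic["name"], authentic["type"], authentic["rdata"])

def demo():
    # Redirect to a notice page, original signature left attached.
    court_ordered = rewrite(authentic, "198.51.100.1")
    # Substituted address from a tampered resolver, signature stripped.
    compromised = rewrite(authentic, "203.0.113.66", keep_sig=False)
    cases = [("authentic", authentic), ("court_ordered", court_ordered),
             ("compromised", compromised)]
    return {label: validate(a) for label, a in cases}

if __name__ == "__main__":
    print(demo())
```

Both altered answers come back "bogus": the validator sees only that the signature no longer covers the data, not who changed it or why.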
  • Decay? (Score:5, Insightful)

    by wsxyz ( 543068 ) on Sunday July 17, 2011 @11:37PM (#36796794)
    When was the Internet anything other than a "lawless wild west"?
  • typical users (Score:5, Insightful)

    by buback ( 144189 ) on Sunday July 17, 2011 @11:39PM (#36796800)

    15 years ago, 'typical users' didn't know how to use napster. 6 years ago, 'typical users' didn't know how to bittorrent.

    This kind of argument shows how little they've learned.

  • Idiots (Score:5, Insightful)

    by governorx ( 524152 ) on Sunday July 17, 2011 @11:41PM (#36796806)

    The typical users will quickly learn how to set their DNS providers if this comes to pass.

  • In summary: (Score:4, Insightful)

    by fuzzyfuzzyfungus ( 1223518 ) on Sunday July 17, 2011 @11:43PM (#36796830) Journal
    Laundry list of distinguished security researchers: "This is a terrible plan, it won't achieve what you want, and it will set back the state of internet security quite dangerously."

    MPAA Flack: "Shut up, nerd, the health and security of the internet is not even a secondary objective here."
  • ISP Blocking? (Score:4, Insightful)

    by AlphaWolf_HK ( 692722 ) on Sunday July 17, 2011 @11:53PM (#36796882)

    Interesting that they mention ISPs would block your ability to use other DNS servers. I don't think that, in the end, there is really anything the ISP could do to completely stop you. The worst they could do is block UDP port 53, but that wouldn't stop you from using any kind of tunneling software, especially if you did that tunneling over a secure socket.

  • Re:Idiots (Score:3, Insightful)

    by moj0joj0 ( 1119977 ) on Sunday July 17, 2011 @11:55PM (#36796888)

    The typical users will quickly learn how to set their DNS providers if this comes to pass.

    Say rather that the users who are interested will quickly learn.

    ISPs will not be able to improve DNS security using DNSSEC, a system for cryptographically signing DNS records to ensure their authenticity, as the sort of manipulation mandated by PROTECT-IP is the type of interference DNSSEC is meant to prevent.

    We shouldn't forget the massive amounts of users that are oblivious to nearly any of this. DNS, IP Addresses, Routing protocols and all the rest of the "magic" of the Internet is well past their horizon. Please keep in mind how reasonable this would appear to the average Jane and Joe Six-Pack.

    The measure allows courts to require Internet service providers to redirect or block queries for a domain deemed to be infringing on IP laws.

    On the surface this looks like a great thing. Understanding the technology or anything past double-clicking the blue "e", or perhaps clicking a link in their e-mail, is not something a more advanced user should expect. While we can understand the potential difficulties and pitfalls that come with this sort of meddling, I don't think we should see them as so obvious that the basic user will also see them.

  • Re:Idiots (Score:5, Insightful)

    by black3d ( 1648913 ) on Monday July 18, 2011 @12:26AM (#36797030)

    How can that be a good thing by any means? "Deemed to be infringing" is extremely broad. I've had cease and desists sent to my own website for MP3s of my own music which I own entirely. With this law, they don't even need to attempt to prosecute me. They just file notice with the court that my domain is "infringing" and suddenly my hits go to 0. I have no right of reply as I've never been served.

    I intend no personal insult, but you seem to forget that what the US courts deem as "infringing" draws no parallels to actual international copyright law. For example, a site which contains no pirated material but contains links to it, is considered as infringing under US copyright laws (see DMCA). If you haven't noticed, the MPAA and RIAA will stop at nothing and have no qualms about how many people they inconvenience. Baidu.cn contains an MP3 section. Does it host MP3s? No. Does that matter to a court which orders all ISPs to block access to Baidu as a result? Of course not.

    A law like this gives the MPAA the legal right to have Google.com blocked until it removes all links to pirated material. I don't believe they'd hesitate for a second. Although TBH, they probably need it, in order to search for more meta sites which may or may not link to "deemed infringing" material. Like my personal music.

    While of course, this horrific scenario may not occur, the point is, this will allow the MPAA to go nuts. They don't care if they knock out 10,000 sites like my own. They don't have to serve me, so there's no case to win. And when they get it wrong, I can't sue the MPAA, because the MPAA didn't make the "ruling", the court did.

    They'll happily have Metacafe blocked because some video has a soundtrack they own, or have any NNTP Usenet provider closed because, despite all their legal offerings, they can be deemed to be serving infringing material. A Safe-Harbour doesn't apply here as they're not actually filing a DMCA takedown. They're just having the court look at all the pirated material and say "this means ISPs have to block them." Goodbye Giganews. I'm sure such sites can go through and remove all material deemed infringing, but exactly how do you go about doing this? MPAA doesn't care - they only have to prove one instance of pirated material. Yet before, say, Giganews can file an appeal, they have to go about removing all potentially infringing material from their usenet mirror? For that matter, how does Google go about removing all links to "potentially infringing" material from their servers?

  • Re:typical users (Score:5, Insightful)

    by TubeSteak ( 669689 ) on Monday July 18, 2011 @12:30AM (#36797042) Journal

    The typical user knows exactly as much as they need to (or slightly less) in order to go about their business.
    When schools and businesses started filtering video/social networking/etc the "typical" user was introduced to web based proxies.
    If the **AA manages to push through DNS tampering, the typical user will be introduced to alternative DNS servers and even more proxies.

    The internet routes around damage.

  • by wvmarle ( 1070040 ) on Monday July 18, 2011 @01:24AM (#36797222)

    The vast majority of Internet users doesn't know their DNS, they probably don't even know what DNS is. They just open their browser (better known as "the Internet"), enter www.slashdot.org and expect to be able to read News for Nerds, Stuff that matters. Maybe not the best example but I bet you get the point.

    typical users lack the expertise to select a different DNS server

    is definitely a true statement.

  • by Anonymous Coward on Monday July 18, 2011 @01:34AM (#36797258)

    The point is that will change in about 3 days across the USA if the USA tries this. It's not the first country to try DNS filtering, and perhaps despite what recent history might lead one to believe, Americans aren't significantly more stupid than people in other countries, which nowadays routinely route around incompetent government/corporate attempts to censor the net.

  • by c0lo ( 1497653 ) on Monday July 18, 2011 @01:44AM (#36797286)

    typical users lack the expertise to select a different DNS server

    is definitely a true statement for the present.

    FTFY.

    And it is so just because the DNS infrastructure worked by very unsophisticated rules - good enough for everybody - unsophistication which allowed the rules to remain hidden. Break them and more people will start looking into how to mend them in their own way - one may not like some ways of mending.

  • by greenbird ( 859670 ) on Monday July 18, 2011 @01:56AM (#36797318)

    typical users lack the expertise to select a different DNS server

    is definitely a true statement.

    What it is is bullshit. There would be directions floating around everywhere written at a second grade level on how to do it. If they couldn't figure it out from there they'd ask that tech-savvy friend or relative to do it. Linux would come pre-configured to hit OpenDNS.

    Wherein the problem lies is that half the instructions floating around would be pointing to compromised servers. Thus by eliminating the trust aspect that is key to DNS working and making DNSSEC essentially illegal they're going to create exactly what they claim to be trying to prevent, turning the internet into a lawless wild west. I find it absolutely amazing that Congress is going to pass a law that will make implementing security measures on the internet illegal. Tells you how deep our government representatives are in the pockets of the RIAA/MPAA crowd.

  • by EdIII ( 1114411 ) on Monday July 18, 2011 @04:12AM (#36797754)

    True statement? Really?

    A statement by the MPAA disputes these claims, arguing that typical users lack the expertise to select a different DNS server and that the Internet must not be allowed to 'decay into a lawless Wild West.'

    Hmmmmmmm. Let me rephrase that differently.....

    An inter-office memo from Microsoft was recently released with a statement by an executive arguing that the typical user lacks the expertise to choose a different browser and that apathy and ignorance will allow the Internet to continue to be dominated by Internet Explorer and that the Internet will not devolve into a Wild West of open source competitors taking away market share and that governments and states will not get involved via lawsuits and legislation to affect Microsoft negatively.

    You screw around with DNS too hard and you will find that people will fight back. Of course their warnings about fragmentation will most likely be true very quickly. How much of an excuse does China need to form its own root servers and DNS? It would certainly only help them to create and control DNS resolution and to ban all DNS queries to outside networks period. The EU will probably form its own, and interestingly, will probably pick up well over half the US market.

    Seriously? Would you choose a DNS "network" that bypasses due process and exposes you to impossible business risks for you and your customers, or a DNS "network" operated without such risks?

    When installing IE9 now I can see options on changing default search engines. You can choose default programs now too. Did you think you would see that 5 years ago?

    I am willing to bet that if it gets bad enough, even router manufacturers will start giving choices and that open source browsers themselves will start making it easy to configure a computer to use alternate DNS servers, even if it is just for the browser itself.

    So far, they have not affected enough people yet, not all that many in actuality, but how much are we arguing about it right now? All they have done is stare at the hornet's nest, just wait till they actually throw a rock.

  • by KahabutDieDrake ( 1515139 ) on Monday July 18, 2011 @05:04AM (#36797894)
    Typical users lack the expertise, because up until now, they didn't need it. I assure you, they will gain this expertise rather shockingly fast. The only way to motivate "typical [l]users" to learn something new is to block something they want. Years ago typical users didn't know how to download HTTP warez, because they didn't understand ZIP files. Years ago typical users didn't know how to access Napster/Kazaa/whatever. Years ago typical users didn't know what a Bit Torrent client was, or why they needed one. Users learn what they need to in order to get what they want.
