[liberationtech] SOPA and DNS-level Censorship Circumvention
Jordan McCarthy
jrmccarthy at stanford.edu
Mon Jan 9 18:17:44 PST 2012
As I was reading your email, it occurred to me that one of the (many)
detrimental by-products of this whole SOPA/PROTECT IP debacle may be to
severely exacerbate the U.S.'s already-nasty malware problem. As you
point out, the second any legislation of this kind is enacted, a host of
circumnavigation tools are going to immediately hit the market. While
the ones you describe (and have been so kind as to implement) are
obviously well-intentioned, I can't imagine that it'll take more than
three seconds for scam-artists of all stripes to jump on the bandwagon,
and start putting out their own "auto-configuration anti-censorship
utilities" based on their own poisoned DNS servers (i.e., ones that direct
wellsfargo.com to wellsfargo.com.%34%63%22...). Of course, they've
already done this sort of thing in various ways, but it seems very, very
likely that SOPA will only make the phenomenon a whole lot worse.
For the purposes of this discussion, though, I suppose my main point is
that any system of the kind under consideration should optimally have
some sort of VERY easy-to-understand trust/authentication mechanisms
built-in, and be accompanied by an extensive public-awareness campaign,
to prevent unwitting users from being duped into sending their credit
card numbers straight to the blackhats' databases (to an even greater
extent than they already are).
Nevertheless, I'm exceedingly grateful that people are starting to think
about and code up some of these utilities. It looks like we might need
them.
- Jordan
My PGP Public Key <http://www.stanford.edu/%7Ejordanrm/pubkey.asc>
Sent from a computer running Free and Open Source Software
On 01/09/2012 04:41 PM, Griffin Boyce wrote:
> Hey all,
>
> With the SOPA vote on the horizon, now seems to be a good time to
> talk about censorship at the DNS level.
>
> Computers use Domain Name Servers to make the connection to websites.
> These large servers act as online address books for websites, telling
> computers where the site they want to visit is located. So the flow
> is typically /Website Address -> DNS Server -> Website's Host/. If
> SOPA passes, sites alleged to be infringing copyright will be blocked
> from visitors in the US: /Website Address -> US DNS Server -> Block Page/.
>
> You can customize which servers your computer uses to fetch
> addresses, and bypass these types of blocks entirely. A good tutorial
> on how to do that is here:
> http://code.google.com/speed/public-dns/docs/using.html Though keep in
> mind that the server addresses mentioned on that tutorial are located
> in the United States. So anyone looking to bypass /American/
> censorship will need to use servers in an uncensored country like
> Iceland or Belgium.
>
> Another good option is using a browser plugin. For Firefox, there
> are two currently: Soapy and DeSopa. DeSopa automatically fetches
> server details for websites, but relies on a website that is likely to
> be blocked once SOPA goes into effect. However, it does work until
> blocked. I made Soapy with all of the rules it needs to function built
> into it. With Soapy, every site that is enabled must have redirection
> rules created for it, but it's also quite light (<50kb, each site is
> ~200 bytes) and easily updated with new sites.
>
> DeSopa: https://addons.mozilla.org/en-US/firefox/addon/desopa/
> Soapy: http://griftastic.com/soapy.html
>
> These browser plugins are really quick hacks designed to get into
> people's hands quickly. (And there aren't any for Chrome, Opera,
> Safari, or IE yet). There has to be a more elegant and robust
> solution that we can create for people affected by this type of
> censorship -- not just in the US, but around the world. It's
> completely possible to run censorship-resistant DNS servers in
> uncensored countries, but the critical missing element is a highly
> usable piece of software that will adjust the user's network settings
> without a major hassle. DnsJumper might work, but isn't open-source
> and users have to find unblocked servers to use.
>
> What do you all think about this?
>
> All the best,
> Griffin Boyce
>
> --
> "I believe that usability is a security concern; systems that do
> not pay close attention to the human interaction factors involved
> risk failing to provide security by failing to attract users."
> ~Len Sassaman