[HN Gopher] Malaysia started mandating ISPs to redirect DNS quer...
___________________________________________________________________
Malaysia started mandating ISPs to redirect DNS queries to local
servers
Author : uzyn
Score : 285 points
Date : 2024-09-07 04:50 UTC (18 hours ago)
(HTM) web link (thesun.my)
(TXT) w3m dump (thesun.my)
| Shank wrote:
| > Websites are only blocked when they are found to host malicious
| content, such as copyright infringements, online gambling, or
| pornography
|
| So I guess pornography is illegal in Malaysia?
|
| I guess this is a great time for Malaysian users to switch to
| DoH.
|
| Edit: Yes. Wikipedia:
|
| > Pornography is illegal in Malaysia with fines of up to RM10,000
| for owning or sharing pornographic materials
| CAP_NET_ADMIN wrote:
| Countries always fighting the most important battles :eyeroll:
| stackghost wrote:
| Porn is just the justification. It's easy to find something
| repugnant on whatever streaming video site and then start
| with the "protect the children" nonsense.
|
| The real issue is always control.
| RandomThoughts3 wrote:
| Backward countries being backward. The main flaw of modern
| liberal societies is that parts of them have stopped
| believing that liberalism is indeed progress. All hail the
| moral police and long live cultural relativism or whatever
| its currently trendy post-structural reconstruction is.
| yarg wrote:
| It doesn't help that the term 'liberal' has had its meaning
| so co-opted that it now refers to people who reject freedom
| of speech and belief.
| CaptainFever wrote:
| True, though I would say that is leftism. Leftists
| actually hate liberals and use it as a slur, believe it
| or not.
| BlueTemplar wrote:
| While they often go together, economic liberalism
| shouldn't be confused with social liberalism.
| seungwoolee518 wrote:
| My country (Korea, South) also prohibits getting pornography
| service. (And they also terminate TLS using TLS HELLO)
|
| So, DoH should work fine for now, but they'll (gov.)
| terminate HTTPS (or TLS) connections ASAP.
| christophilus wrote:
| The only hotel I remember from my visit to South Korea (20
| years ago) had a whole bookcase full of porno DVDs in the
| lobby. Were they just breaking the law in plain view?
| seungwoolee518 wrote:
| There are some movies out there (but it's not porn.) as
| Ero(tic)-Movie.
|
| It's legal, but it's not porn.
| kijin wrote:
| There are conditions a producer must meet to make their
| wares legal.
|
| Same as why a lot of Japanese people seem to have
| pixelated genitals. ;)
| csomar wrote:
| People break the law all the time, it's up to the
| government to enforce it and many times the government is
| unable to do that. See here in the case of Malaysia, it's
| not that Porn was legal, it's that they weren't competent
| enough to restrict it or know about DNS things.
| 38 wrote:
| You can spoof the TLS Hello since at least 2021
| HeatrayEnjoyer wrote:
| > My country (Korea, South) also prohibits getting
| pornography service.
|
| Why? I've never heard of a non-Islamist nation banning
| content as benign as porn.
| tamirzb wrote:
| https://en.m.wikipedia.org/wiki/Pornography_laws_by_region
|
| It's really not that rare even for non-Muslim countries,
| especially in Asia
| timomaxgalvin wrote:
| Is porn benign?
| Muromec wrote:
| It's a thing of deprived bourgeoisie. So are drugs,
| alcohol and having a personal car.
| Biganon wrote:
| No, and neither is refined sugar. Your point?
| Muromec wrote:
| Ukraine still has soviet-era law criminalizing possession,
| distribution and production of porn. It's only enforced
| against local producers, but it's a thing.
| inferiorhuman wrote:
| Pornography was broadly illegal in the UK through the
| 1980s. It's still illegal in the Vatican, which is about as
| far from an "Islamist" country as you can get.
| seungwoolee518 wrote:
| So, they're not blocking only porn. They're blocking a wide
| range of sites with various reasons - for example: selling
| illegal drugs (including mental, abortion drugs),
| copyrighted sites (torrent, etc), praise about north korea,
| etc...
|
| When they've started to terminate TLS, the reason was to
| terminate illegally shared webtoon (web cartoon) sites.
|
| For more info:
| https://en.wikipedia.org/wiki/Internet_censorship_in_South_K...
| harrygeez wrote:
| I'm Malaysian. They even messed up DoH for the popular DNS
| providers like Google and Cloudflare. I think they are routing
| 1.1.1.1 to their own DNS, so when you try to connect to DoH you
| get SSL_ERR_BAD_CERT_DOMAIN. The only option it seems is to VPN
| or play the cat and mouse game now to find a DNS that hasn't
| been rerouted yet
| defrost wrote:
| You _might_ get some joy from using Portmaster (windows OS)
| and|or the Foundation for Applied Privacy
|
| https://wiki.safing.io/en/Portmaster/App/DNSConfiguration
|
| https://applied-privacy.net/services/dns/
|
| There are non standard transports for DNS via non standard
| providers | DNS proxies - this tool and that foundation are a
| start.
| acheong08 wrote:
| Where are you? My DNS seems to work perfectly fine right now
| in Penang (with VPN off).
|
| It's sad that democracies are copying the playbook of China.
| Will definitely be using v2ray/X-ray while here
| harrygeez wrote:
| I'm in PJ. It seems that they have reversed the move after
| wide media coverage, claiming that there has been a
| "confusion"
| kelnos wrote:
| > _It's sad that democracies are copying..._
|
| "Democracy" is a bit of a red herring here. Democracy
| doesn't mean the government can't censor you or restrict
| what information or media you can consume. Democracy just
| means that the voters have consented to whatever legal
| framework is in place, and to whatever their leaders want
| to do within that framework.
|
| And that's the thing: in many democracies around the world,
| if there was a referendum on the law to block copyright
| infringement, online gambling, or pornography at the ISP
| level, I think many would pass that law.
|
| (Certainly there are "democracies" out there that only pay
| lip service to the concept, and have fixed elections and
| repression of dissent or opposition. I'm not talking about
| those.)
| ProtoAES256 wrote:
| Sarawak here (on unifi). My network uses self setup multi
| DNS path with enforcing encryption so no biggie but I tried
| some nonetheless. Quad 8, 1 are fine atm, while Quad 9
| traceroute returned !X.
| harrygeez wrote:
| can you share a little on your setup?
| ProtoAES256 wrote:
| router DNS redir to pihole(Not the shitey FiberHome) ->
| pihole to internal(bind9 plain local to Adguard Proxy
| DoQ) -> self hosted tunneled whitelist DNS quicdoq DoQ,
| Adguard DNS DoQ (upstream quad 101, others.)
| harrygeez wrote:
| I have a similar setup, it will not be immune if they
| start implementing in your area. They were rolling out by
| areas before they reversed course. Your upstream will
| stop working unless you proxy it through another network
| eptcyka wrote:
| Are they rerouting traffic to port 443 and 853?
| CAP_NET_ADMIN wrote:
| I'm wondering if they thought about DoT, DoH and DNSCrypt.
| schoen wrote:
| I hope not!
| Joel_Mckay wrote:
| Or people setting the DNS IP on their routers and phones:
|
| Google 8.8.8.8 8.8.4.4
|
| Control D 76.76.2.0 76.76.10.0
|
| Quad9 9.9.9.9 149.112.112.112
|
| OpenDNS Home 208.67.222.222 208.67.220.220
|
| Cloudflare 1.1.1.1 1.0.0.1
|
| AdGuard DNS 94.140.14.14 94.140.15.15
|
| CleanBrowsing 185.228.168.9 185.228.169.9
|
| Alternate DNS 76.76.19.19 76.223.122.150
|
| https://github.com/yarrick/iodine =3
| hales wrote:
| This will not work if ISPs redirect DNS queries. Only the
| methods CAP_NET_ADMIN mentioned will work.
| Joel_Mckay wrote:
| DoH APIs at these endpoints:
|
| https://dns.google/dns-query - RFC 8484 (GET and POST)
|
| https://dns.google/resolve? - JSON API (GET)
|
| And tunneling obfuscated traffic is easy... =3
| stingraycharles wrote:
| These are being redirected by the Malaysian government as
| well.
| Joel_Mckay wrote:
| You do know what happens when people try to MiM SSL
| traffic correct?
|
| Even the UK/China firewall can be tunneled over, but the
| ramifications for those that do so can be dire. =3
| kelnos wrote:
| Yes, the connections fail, and most clients will fall
| back to regular ol' DNS on port 53, which then gets
| redirected to the government's DNS servers.
|
| So far clients have chosen availability instead of
| fighting this fight.
| Joel_Mckay wrote:
| Unless your local router tunnels the DNS traffic via
| other means. The clients may see slightly higher latency,
| but for <16 host hotspots it would be negligible.
|
| It is quite easy for example, to bounce traffic through a
| reverse proxy on a Tor tunnel, and start ignoring spoofed
| drop-connection packets (hence these bypass local DNS,
| tunnel to a proxy IP to obfuscate Tor traffic detection,
| and exit someplace new every minute or so.) This is a
| common method to escape the cellular LTE/G5 network
| sandbox.
|
| Ever played chase the Kl0wN? Some folks are difficult to
| find for various reasons.
|
| Have a nice day, =3
| kijin wrote:
| An easy solution would be for Google to host their DoH
| endpoints on the same domain(s) as their regular service,
| so that governments can't block DoH without blocking all
| of Google or YouTube. Using a dedicated domain like that,
| they're just begging to be blocked.
|
| I wonder if DoH requests can be easily proxied? So if I
| set up https://www.mydomain.com/dns-query on a U.S.-based
| cloud server and proxy_pass all requests to Google or
| Cloudflare, and point my browser at my server, will it
| work?
| Joel_Mckay wrote:
| Iodine will obfuscate the traffic using the redirected
| DNS hijack servers themselves.
|
| Perhaps someone will put a configured wifi router image
| together over Christmas holidays for demonstration
| purposes... because it is fun to ignore tcp drop DoS too.
|
| Tunneling well-obfuscated traffic is easier than most
| imagine... and IDS technology will fail to detect such
| things without an OS OSI layer snitch. =3
| kelnos wrote:
| > _An easy solution would be for Google to host their DoH
| endpoints on the same domain(s) as their regular service_
|
| That's not how that works. DoH resolvers need an IP
| address, not a domain name. Sure, Google could host DoH
| on www.google.com, www.youtube.com, etc. but most users
| are not going to be savvy enough to find those IPs and
| use them.
|
| Then again, perhaps users savvy enough to try to use DoH
| to bypass these blocks would also be fine with this.
| kijin wrote:
| > _most users are not going to be savvy enough to find
| those IPs and use them._
|
| Very few people configure DoH on their own. It's up to
| the DoH-enabled client software (mostly browsers) to
| obtain lists of resolver IPs and keep them up to date.
|
| If Cloudflare, for example, really wanted to make their
| DoH traffic indistinguishable from other HTTPS traffic,
| they could literally host DoH on any domain or IP under
| their control and rotate the list every now and then.
| noncoml wrote:
| That's exactly what the redirection is trying to fight...
| Joel_Mckay wrote:
| They are going to have to ban around 3000 proxies as well
| to make any impact on users. =3
| schoen wrote:
| "Any" impact on users?
|
| It sounds like you're working with a model in which most
| users are conscious that they're very offended or
| inconvenienced by censorship, and want to research
| technical means of circumventing it. I wish that were
| true, but I doubt it's nearly as common as your intuition
| suggests.
| Joel_Mckay wrote:
| Motives are complicated at times, but traditionally
| despotic movements are always hostile toward sources of
| truth that contradict official narratives.
|
| However, one could be correct in that people may prefer
| to be ignorant. As YC karma is often negatively impacted
| by facts. QED =3
| stackghost wrote:
| Why do you keep signing your comments with '=3'?
| Joel_Mckay wrote:
| Don't worry about it friend =3
| kelnos wrote:
| 3000 proxies seems like no big deal for the government to
| ban.
|
| "Any" impact is weird phrasing, though. Only a very small
| percentage of people will be savvy enough to attempt to
| circumvent these bans.
| Joel_Mckay wrote:
| Except the lists often change every minute, and some
| types of proxies are just a compromised script/page
| sitting on commercial, private, and government servers.
|
| > Only a very small percentage of people will be savvy
| enough to attempt to circumvent these bans.
|
| There are several one-button vpn/proxy+tor apps for
| unrooted phones already, and they are dodgy on a good
| day. =3
| bazzargh wrote:
| I'm in the UK; my ISP hijacks dns requests on port 53 so
| nope, none of that works. They're not alone doing this
| https://en.wikipedia.org/wiki/DNS_hijacking#Manipulation_by_...
| For the most part this is not noticeable; but addresses to a
| bunch of my _work_ stuff don't resolve on whatever hacky dns
| replacement they offer, if I'm not on the work vpn.
|
| They also block port 853 (so no DoT), and https to well-known
| dns servers; so you can't use DoH to google, but others may
| work.
|
| If you're on a vpn they never see the traffic, you can also
| bypass them using a pihole with unbound to proxy dns to a DoH
| server - as long as they haven't blocked it.
|
| Ironically the corporate vpn I use also hijacks dns (but
| locally only), which bypasses all the ISP issues but makes
| debugging work DNS problems awkward
| Joel_Mckay wrote:
| The UK government IPs show up on our ban lists often for
| illegal theft of service, and CVE scans. Have you tried a
| Bind9 relay with iodine/vpn tunnels for local transparent
| network traversal across the hostile sandbox?
|
| i.e. obfuscate the traffic using the hijacking DNS servers
| themselves.
|
| Just a thought =3
| ekianjo wrote:
| What do you mean they hijack the port 53? This is a local
| setting on your OS. They can't hijack the DNS call if you
| set it to something else.
| PhilipRoman wrote:
| They can do anything unless constrained by cryptography.
| I assume it just means redirecting all port 53 traffic
| which 99% of time will be DNS regardless of IP.
| inkyoto wrote:
| They absolutely can and _some_ do. The destination UDP
| port number of a UDP packet traversing the core network
| of an ISP can be inspected and acted upon as one pleases.
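One way to test for the port-53 redirection described in the comments above, as an added example that is not part of the thread: send a plain DNS query to 192.0.2.1, a reserved documentation address (RFC 5737) that hosts no resolver, so any well-formed answer must come from something on the path. The probe name `example.com` and all function names are assumptions of this example.

```python
import secrets
import socket
import struct

SINK_ADDR = "192.0.2.1"     # TEST-NET-1 (RFC 5737): reserved, hosts no resolver
PROBE_NAME = "example.com"  # assumption: any name a resolver would answer


def build_query(name, txid, qtype=1):
    """Encode a minimal recursive query for `name` (qtype 1 = A, class IN)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def _skip_name(packet, pos):
    """Return the offset just past an encoded name (labels or a pointer)."""
    while True:
        length = packet[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:  # a compression pointer is two bytes long
            return pos + 2
        pos += 1 + length


def extract_a_records(packet):
    """List the IPv4 addresses in the answer section of a DNS response."""
    qdcount, ancount = struct.unpack("!HH", packet[4:8])
    pos = 12
    for _ in range(qdcount):
        pos = _skip_name(packet, pos) + 4  # skip QTYPE and QCLASS
    addrs = []
    for _ in range(ancount):
        pos = _skip_name(packet, pos)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", packet[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(packet[pos:pos + 4]))
        pos += rdlen
    return addrs


def classify(sent_txid, reply):
    """Turn the raw probe result into (verdict, addresses the answer carried)."""
    if reply is None:
        return "no-answer", []          # what an unmodified path produces
    if len(reply) < 12:
        return "inconclusive", []
    txid, flags = struct.unpack("!HH", reply[:4])
    if txid != sent_txid or not flags & 0x8000:
        return "inconclusive", []       # stray datagram, not a reply to our query
    try:
        addrs = extract_a_records(reply)
    except (IndexError, struct.error):
        addrs = []                      # truncated or malformed answer section
    return "intercepted", addrs


def probe(sink=SINK_ADDR, timeout=3.0):
    """Send one query to the sink address and classify whatever comes back."""
    txid = secrets.randbits(16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(build_query(PROBE_NAME, txid), (sink, 53))
            reply, _peer = sock.recvfrom(4096)
        except socket.timeout:
            reply = None
        except OSError:
            return "inconclusive", []   # no route, or the send was rejected locally
    return classify(txid, reply)


if __name__ == "__main__":
    verdict, addrs = probe()
    print(verdict, addrs)
```

A `no-answer` verdict only means this one probe went unanswered, and a redirect rule on your own router produces `intercepted` just as one at the ISP does.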
| Joel_Mckay wrote:
| Unless it is tunneled over a binary obfuscation layer,
| and wrapped in a purposely weakened cryptography to
| booby-trap their parser.
|
| There is also the global satellite uplinks... so it's
| ultimately a pointless game to keep people ignorant, that
| is unless they plan to follow people around like a hot-
| air balloon villain from Pokemon Go. lol =3
| ekianjo wrote:
| My point is you can point a call to 53 on a machine on
| your own network and your ISP can't do shit about that
| chgs wrote:
| I configure my router to divert all UDP/53 to my pi hole.
| The advertising industry hates this type of behaviour,
| but it means even an IoT device using hard coded dns
| (rather than what I tell them from my dhcp or nd
| settings)
|
| This is a feature. That some people choose terrible ISPs
| is a trivial problem to avoid, far easier than avoiding
| terrible user agents which are beholden to their
| advertising masters.
| bazzargh wrote:
| the isp blocks/redirects the traffic outside my network.
| so if you just try to send normal udp/tcp port 53
| externally, it won't get there. This is why I mention a
| pihole; by setting my dns server to something on my local
| network and then having that use DoH I can get past the
| block. I can't configure every device to use eg DoT or
| DoH directly, but I usually can configure their port 53
| nameserver, directly or via DHCP
|
| the vpn provider, it's just a split tunnel thing; since
| that is a local process, yes they can hijack it.
| Originally when we switched to our current vpn provider
| it didn't even let us use localhost or loopback dns, but
| we needed that for the way we use docker in development,
| so now it's just anything except those being redirected.
| ekianjo wrote:
| Port 53 requests are not limited to external requests.
| That's what I was implying in my comment.
| glitchcrab wrote:
| Out of interest, which ISP do you use?
| bazzargh wrote:
| Virgin Media. At the time I switched I needed more
| bandwidth for work - dealing with multi-gigabyte blobs
| all day; I was with BT, but BT wouldn't let me upgrade to
| a gigabit fibre connection, and the City Fibre network
| which is now everywhere wasn't yet in my street.
| pixelpanic360 wrote:
| You can go to VM dashboard to disable the adult content
| filtering. It will then not block DoT and DoH.
| chgs wrote:
| Why don't you change ISP?
|
| You choose an isp with those features that's on you. It's
| not like the UK is a backwards country with a monopoly of
| one or two ISPs for a given location.
| bazzargh wrote:
| I had just switched to this one when I discovered the
| problem, so was under contract for the next couple of
| years, and it's not like they advertise this as a feature
| where you'd have made that choice beforehand. Also, I
| didn't just need "an ISP" I needed a high speed
| connection and at the time my previous provider said they
| didn't offer that to existing customers, while the
| handful of others appeared to only offer 1/10 of the
| speed I wanted or only offered it bundled with tv/sport
| packages (I don't watch tv)
|
| Since then City Fibre completed their rollout and I'm no
| longer an existing customer with BT so now I _do_ have a
| choice.
|
| But bigger picture here: I mentioned my setup on a thread
| where a country is mandating all of their ISPs do this.
| Sometimes you don't have a choice.
| Joel_Mckay wrote:
| If you need decent speed, then you could also try this:
|
| https://www.stunnel.org/downloads.html
|
| with the optional:
|
| https://github.com/bfix/Tor-DNS.git
|
| or go with the more modern:
|
| https://github.com/erebe/wstunnel
|
| Best regards, =3
| SoftTalker wrote:
| Comcast/Xfinity does that in the USA, at least if you use
| the newer modem/routers that they provide. If you use your
| own router you can still set your own DNS provider. DoH is
| a workaround for web browsing.
| tsimionescu wrote:
| I think most countries that do this also block/redirect the
| major DoH providers like CloudFlare or Google. Of course, you
| can always hide your DoH traffic by going to other servers or
| worst case using an HTTP proxy and avoid that.
|
| There are even countries that MITM all HTTPS traffic, and your
| choices are to install the government MITM root certificates
| into your trust store, or not use HTTPS.
| kelnos wrote:
| > _There are even countries that MITM all HTTPS traffic, and
| your choices are to install the government MITM root
| certificates into your trust store, or not use HTTPS._
|
| Are there? When Kazakhstan announced they were going to do
| this, all the major browser vendors blocked their CA... so
| they backed down. What other countries do this and get away
| with it?
| lemme_tell_ya wrote:
| South Korea has some requirement like this for banking if I
| recall correctly
| https://palant.info/2023/02/06/weakening-tls-protection-sout...
| happyopossum wrote:
| As a network guy, the fact that I can transparently redirect DNS
| on my network to wherever I need to is a nice feature.
|
| As a user of the public internet, it feels like a bug.
|
| As much hassle as things like DoH can be for securing and
| enforcing policy on a network, it's about time it became
| ubiquitous enough that governments can't leverage DNS for their
| own purposes anymore.
| vFunct wrote:
| DoH won't solve redirects. DoH only gets you to a secure query,
| it won't help you if the government decides to give you a
| falsified query. For that you'll need DNSSec, which maintains a
| cryptographic chain of authenticity to the root DNS servers.
| And DNSSec is even more rare than DoH.
| xnyanta wrote:
| DoH will prevent government from hijacking your query in the
| first place. These blockades are only possible because of DNS
| being clear text and susceptible to MITM
| vFunct wrote:
| That's one level of security, but even for DoH, it's
| possible for entities to attack and control an HTTPS
| server, returning falsified DNS queries, and now the
| antigovernment.com website you logged in to talk about
| anti-government politics is actually run by government. The
| only way to prevent that is via DNSsec to make sure that
| antigovernment.com goes to a real antigovernment.com
| server.
| yegle wrote:
| Wait what do you mean? They can have an HTTPS server and
| MITM, but how can they get a certificate for the DoH
| server I use?
| labcomputer wrote:
| They only need a certificate signed by an authority
| trusted by your resolver. And, unlike for the website
| itself, your browser does not show certificate
| information for the DoH server.
|
| DoH also does not solve the problem of where the DNS
| server you use gets _its_ information from: A government
| can compromise the other side as well.
| yegle wrote:
| So, like, you are assuming someone using a resolver that
| ignores the certificate chain of trust, as evidence
| that DoH is not useful?
|
| Does your programming language _show_ you the certificate
| information when you use an http library to connect to an
| HTTPS service?
|
| Sure the other end of the DNS query may not be encrypted,
| but I can easily decide which government to trust, and
| run my DoH server there.
| kelnos wrote:
| > _your browser does not show certificate information for
| the DoH server._
|
| It doesn't _show_ it, but I expect it would put up an
| error message if the DoH server's cert is invalid.
| tsimionescu wrote:
| This makes no sense whatsoever.
|
| If the government can transparently MITM your HTTPS
| connections with the DoH server, they can just as well
| MITM your connection to the real antigovernment.com
| server regardless of what DNS you use. And in fact, if
| they _can't_ MITM your connection to the real
| antigovernment.com, they also can't trick you to talk to
| their fake antigovernment.com regardless of intercepting
| your DNS: you will connect to the attacker IP, the
| attacker IP will give you a bogus certificate, your
| browser will refuse to connect.
| mfenniak wrote:
| DoH uses HTTPS; it solves redirects because you can use a
| trusted server, and not have the request intercepted and the
| response spoofed.
| sublinear wrote:
| https://dl.acm.org/doi/10.1145/358198.358210
|
| I don't really trust many DNSes and neither do many yet we
| all have few choices
|
| The lack of MitM isn't much comfort
|
| Neither are guarantees of the chain of trust
| tsimionescu wrote:
| DNSSec is entirely useless here. The government has two goals
| here: block you from accessing certain sites, and perhaps
| prosecute you for the attempt. DNSSec does exactly nothing to
| help against either of these, even if perfectly deployed.
|
| DNSSec can help protect from fraudsters or others that might
| try to transparently direct you to a different site than the
| one you wanted to access. But the government here has no
| intention of serving you a fake porn site, they want to stop
| you accessing porn and log the fact that you were trying to
| access it.
| raverbashing wrote:
| Honestly I never got the backlash against DoH.
|
| Sounded more like a kneejerk reaction and a meme for something
| that's an improvement. UDP at this day and age? Come on
| AnthonyMouse wrote:
| The backlash against DoH is that the implementations switch
| your DNS server without asking to a centralized one which is
| presumably data mining the queries, default ignoring the one
| you configured in your operating system or DHCP server.
|
| There is also nothing wrong with using UDP for DNS. And the
| latency can be better, and in this context that matters. The
| real problem is that the UDP DNS protocol isn't encrypted.
| But there is no reason it couldn't be, except that then
| nobody gets a new source of DNS queries to data mine, which
| is where the money comes from to push DoH.
| JoshTriplett wrote:
| ISPs regularly data-mine their users' traffic. Meanwhile,
| some of the major DoH servers specifically _don't_. (See,
| for instance, the deals Mozilla has with their default DoH
| providers.)
| jjav wrote:
| > Meanwhile, some of the major DoH servers specifically
| don't.
|
| You can't possibly make that assertion, because all it
| takes is one NSL and they will log and share it all.
| belorn wrote:
| The policy that Mozilla asks providers to follow does not
| prohibit data-mining the traffic. Providers are requested
| to not store or share personal information, but any
| data-mining that removes personal identifiable information is
| allowed.
|
| For example, accidentally leaked internal network queries
| from companies are up for grabs. As is market data like
| what people are querying, how much, when, from where
| (geographical for example) and to whom, and so on.
|
| The quality of the anonymization of private information
| is also not guaranteed.
| Drawde wrote:
| > See, for instance, the deals Mozilla has with their
| default DoH providers.
|
| Like the one they had that just circled back around to
| the ISPs that regularly data-mine their users' traffic?:
| https://arstechnica.com/tech-policy/2020/06/comcast-mozilla-...
| chgs wrote:
| My ISP doesn't but the people who run the increasingly
| centralised internet have a long track record of mining
| my data for commercial reasons.
|
| I'll trust my ISP over Google or Cloudflare or Microsoft
| or DuckDuckGo any day.
| A4ET8a8uTh0 wrote:
| I think reasonable people these days don't really trust a
| provider even if they have an explicit contract stating
| something. Personally, I just trust my ISP a little more
| than google when it comes to data. But I absolutely do
| not dream for one moment that they do not want to play
| with analyzing/monetizing/god knows what else with that
| data.
| tremon wrote:
| I'm sorry, but this is an argument straight out of the
| totalitarian's playbook, and I'm going to call you out on
| it.
|
| Some <bad people> abuse <x>, therefore it is totally
| justified for us to impose a wholesale replacement of <x>
| with a solution that we can control centrally. It's for
| your own safety!
|
| Never mind all the people that don't have data-mining
| ISPs, and to hell with end-user consent. We don't need
| that, we're working for the good of everyone. My piety
| trumps all!
| 55555 wrote:
| > The backlash against DoH is that the implementations
| switch your DNS server without asking to a centralized one
| which is presumably data mining the queries, default
| ignoring the one you configured in your operating system or
| DHCP server.
|
| With, say, a proxy app on MacOS, I don't see how they could
| do this without consent?
| AnthonyMouse wrote:
| It's not that there is no way to turn it off, it's that
| you have to take affirmative steps to turn it off, so now
| people are having their queries sent to a central server
| by default and you have to go out of your way to stop it.
| And then most people don't even know that it's happening,
| much less what to do about it.
| diogocp wrote:
| > The backlash against DoH is that the implementations
| switch your DNS server without asking
|
| Actually they do ask, by querying use-application-dns.net.
| AnthonyMouse wrote:
| The default is not for this to respond in a way that
| disables changing your DNS server, therefore they're
| changing the default without asking.
|
| Notice that you could do this the other way: Query a
| value in the existing (local) DNS or DHCP that not only
| allows you to enable DoH but also specify which server
| all the local devices should use. Then if the DNS server
| _chosen by the local administrator/user_ supports DoH,
| it could respond by saying so and you could use the
| protocol without changing your DNS server. But that's not
| how they did it.
| watermelon0 wrote:
| > UDP at this day and age? Come on
|
| I assume this is a joke, since DoH3 (DNS over HTTP/3) uses
| QUIC which is UDP based.
| tsimionescu wrote:
| If DNS were running a full session-based encrypted protocol
| over UDP, like QUIC does, then no one would complain. But
| running anything that isn't streaming over plain UDP is
| basically a bad idea.
| zeta0134 wrote:
| I feel like you've conflated "UDP" with "unencrypted."
| This is false; you can perfectly well encrypt data
| transmitted over UDP, and you can also perfectly well run
| connections "in the clear" over TCP, which is the thing
| you generally use instead of UDP. What you don't get with
| UDP is guaranteed packet delivery, which generally means
| the application layer is in charge of acknowledgements
| and retransmits. It's great for game servers where low
| latency is highly important.
| tsimionescu wrote:
| Let me put it like this: for a modern day protocol that
| should be deployed widely over the internet, the protocol
| should be expected to have (1) encryption, and (2)
| session management. Ideally, dedicated protocols should
| be used for these, for proper separation of concerns, but
| doing it at the application layer directly can also be
| acceptable.
|
| Deploying an application protocol that does neither, such
| as DNS, directly over UDP is a bad idea. If you were to
| run DNS over DTLS (TLS over UDP), that would be a
| different beast, and probably ok.
|
| And to clarify, encryption is important to prevent
| tampering and preserve users' privacy. Session
| management is important to protect against redirect
| attacks with spoofed source IP, or session hijacking.
| zeta0134 wrote:
| Okay, but DoH is DNS over HTTPS, which itself runs over
| TCP/IP, which *does not implement encryption.* (The TLS
| part of HTTPS is doing that.) You're still mixing the
| layers here :)
|
| I'm not against the core part of your argument, just
| against the blaming of a particular choice of transport
| layer, which is fundamentally irrelevant. Encryption is
| great. Meanwhile DNS doesn't really need the concept of a
| session, does it? At the end of the day it's just a
| single lookup which can very well be fire and forget.
| That we're encrypting the request (ideally) and also the
| response (ideally) is no reason to add in loads more
| complexity.
| tsimionescu wrote:
| DoH means running DNS over HTTP over TLS over TCP. TCP
| does session management, TLS does encryption, HTTP is
| there just for "plausible deniability".
|
| DoH3 means running DNS over HTTP over QUIC over UDP. Here
| QUIC does both session management and encryption.
|
| In both cases, we are running a simple application
| protocol (DNS) over other protocols that handle the
| Internet-level problems I raised, so all is good.
|
| The problem is with running your application protocol
| directly and strictly over UDP and nothing else.
|
| And related to sessions, there are two things. For one,
| in reality today, you typically do a whole host of DNS
| requests even to load a single site (many common sites
| have upwards of 20 domains they use, and that's before
| loading any ads). So having a persistent session to send
| all of those requests on would not change much, even if
| it's not technically necessary. Secondly, even if you
| really want to avoid sessions, you then still need some
| other mechanism to prevent source IP spoofing.
|
| Any protocol which allows a host to send a small request
| to a server and cause that server to send a large
| response to the src IP of that request is a major problem
| for the health of the internet. Requiring a handshake to
| solve this is one simple way to avoid the problem
| entirely. DNS implementations have had to find all sorts
| of other mitigations to address this (I believe they now
| typically don't allow responses more than a factor of
| 1.something larger than the request, or something like
| that? Which of course brings in all sorts of extra
| problems and unnecessary traffic)
| kelnos wrote:
| > _If you were to run DNS over DTLS (TLS over UDP), that
| would be a different beast, and probably ok._
|
| Yes, and the person you're replying to mentioned that it was
| perfectly possible to encrypt data over UDP. Presumably
| they meant DTLS. So what's your concern?
| tsimionescu wrote:
| I was explaining that saying "don't run DNS over UDP" is
| a completely different thing than saying "don't run DNS
| over anything that ultimately runs over UDP". It's not
| that I don't know you can encrypt things over UDP, it's
| that I wasn't talking about that.
| kelnos wrote:
| My home router is running a (regular, port 53) DNS server
| that blocks requests to ads, scams, malware, etc. I have
| rules set up on the router so any port 53 traffic that tries
| to go to the public internet gets redirected to my router's
| DNS server.
|
| A device on my network that decides to use DoH without my
| knowledge or consent gets to bypass all that. I can try to
| block a list of the DoH providers I know of, but I'm not
| going to get them all. And it's just regular HTTPS traffic on
| port 443, with nothing to distinguish it from someone
| accessing a website.
| growse wrote:
| An antagonistic device on your network that wants to
| resolve names doesn't need to use DNS at all.
|
| DoH isn't "magic". It's just a simple, standardised
| protocol. Its existence makes it no more or less easy for
| adversarial actors to do name resolution.
| chgs wrote:
| The choice of DoH is not set from dhcp or the OS, it's
| set by the application developer. And that's wrong.
|
| DNS should be an OS level tool which is consistent to all
| applications, not an application by application setting.
|
| As the device owner I expect dns to be consistent whether
| I run Firefox, chromium, zoom, curl, steam, ping, or the
| dozens of other programs I run.
| HeatrayEnjoyer wrote:
| Why should it be system wide? That's a broad and
| imprecise policy vs app by app.
| ruthmarx wrote:
| The bigger issue is that it should be an OS level
| setting. Different apps having a different option isn't
| the issue, it's any app being able to trivially override
| a user choice, sometimes without notification.
| growse wrote:
| Again, the existence of DoH has zero bearing on whether
| or not software written by someone else chooses to use
| the OS networking stack or even respect your desires when
| it comes to name resolution.
| TacticalCoder wrote:
| A huge shitload of the Internet is the Web.
|
| The reason I force DNS over UDP to my own DNS resolver is
| not so that chinese-internet-of-shitty-insecure-device
| (which I don't own) cannot phone home: I do it so that
| I'm in control of what the _browsers_ can access over
| HTTPS (my browsers are all HTTPS-only).
|
| > or not software written by someone else chooses to use
| the OS networking stack or even respect your desires when
| it comes to name resolution
|
| Then meet firewalls. The users accounts running browsers
| on my setup can access HTTPS over port 443 and query UDP
| to my local DNS resolver. A webapp (i.e. a software
| written by someone else) is not bypassing that
| "networking stack" that easily.
|
| Regarding name resolution: except some very rare cases
| where https shall work directly with IP addresses, a
| browser using https only will only work for domains that
| have valid certificates. Which is why blocking hundreds
| of thousands --or millions-- of domains at the DNS level
| is so effective.
|
| And if there are known fixed https://IP_address addresses
| with valid certificate that are nefarious, they're
| trivial to block with a firewall anyway.
|
| I'm in control of my LAN, my router, and my machines and
| webapps written by others either respect HTTPS or get the
| middle finger from my firewall(s). Not https over port
| 443? No network for you.
|
| Reading all your nitpicking posts you make it sound like
| firewalls and local DNS intercepting and blocking DNS
| requests aren't effective. But in practice it is hugely
| effective.
| jasonjayr wrote:
| I hope you can appreciate that DoH is meant to protect
| against a nefarious intermediary between the
| device/application and the server it's trying to reach.
|
| The crux of the problem is that the device/application
| can't tell if the interference is friend or foe.
|
| All the techniques you can legitimately use on your local
| network, and that network operators have used in the
| past, can all be used one hop beyond the network you
| control.
|
| And, sadly, in 2024, most OS vendors are "in the game" of
| making sure they can 100% control the link and execution
| environment between themselves and their servers, without
| interference from the network operators along the way, OR
| the device owner.
| ruthmarx wrote:
| Again, the point is it should be an OS level setting and
| apps should respect it. Just because apps can be hostile
| to user intentions doesn't mean we should allow or worse
| advocate for that.
| growse wrote:
| I don't see anyone advocating for hostility. Merely the
| observation that wishing it away is naive.
| Brian_K_White wrote:
| This is silly and not well thought out.
|
| The knowledge of what ip address correlates to some
| hostname is just data like any other data. There is
| nothing magically specially different about it, and no
| way to differentiate it from any other random data that
| every single process processes.
|
| It's a meaningless wish for something that you can't have,
| that we all agree would be nice, but is silly to expect.
|
| An app can simply include its own hard coded list of ips
| if it wants, or some totally home grown method for
| resolving a name to a number from any source. It's just
| key=value like all the infinite other data that every app
| processes. normal dns and doh are nothing but standards
| and conveniences, they don't actually control or dictate
| anything.
|
| You wish apps couldn't do that? So what? Do you also want
| a pony?
| ruthmarx wrote:
| > This is silly and not well thought out.
|
| I'd say the same for this unnecessary ad hominem.
|
| > The knowledge of what ip address correlates to some
| hostname is just data like any other data. There is
| nothing magically specially different about it, and no
| way to differentiate it from any other random data that
| every single process processes.
|
| This is a basic truth that has no bearing on what I said
| above.
|
| > It's a meaningless wish for something that you can't
| have, that we all agree would be nice, but is silly to
| expect.
|
| It's how it worked for personal computing almost since it
| became popular in the 90s.
|
| Most apps would use the OS set DNS setting. Apps choosing
| to ignore that and do their own queries is a much more
| recent thing.
|
| > An app can simply include its own hard coded list of
| ips if it wants, or some totally home grown method for
| resolving a name to a number from any source.
|
| Yes. This also has no bearing on my point.
|
| > You wish apps couldn't do that? So what? Do you also
| want a pony?
|
| Wishing apps are not hostile to user intentions is not a
| fantastical or ignorant desire. Just because apps can be
| hostile to user intentions does not mean we should accept
| that as normal or advocate for it.
| A4ET8a8uTh0 wrote:
| Because, as an example, as a person responsible for
| network at my house, I do not want to check whether my
| child installed another app and check each app one by one
| ( and that check has to be done and redone every time
| something changes or someone touches the app ). I want
| one global setting that says 'Non possumus'.
|
| edit: Unless, naturally, I am no longer an admin and any
| control I have over my hardware is merely an illusion.
| Brian_K_White wrote:
| I hate to break it to you, but there is nothing special
| about hostnames and ips. They are just a tiny bit of
| key=value data that can be stored or transmitted
| infinitely different ways. dns and doh are nothing but
| convenient standards that no one and no app actually has
| to use.
|
| It doesn't matter how much you might want otherwise. It
| doesn't matter how important and virtuous the reason you
| want it is. Even invoking the mighty untouchable power of
| "my daughter" does not change such a simple fact of life.
| A4ET8a8uTh0 wrote:
| It seems like we are arguing for the same outcome. I want
| to be able to control things within my control. Based on
| what you wrote, it seems you would support that?
| Brian_K_White wrote:
| The question has no meaning. "control things within your
| control" is like a truism, grammatically and logically
| valid yet says nothing.
|
| The point was that it's pointless to even think in terms
| of "apps and devices going around my choke point" because
| there never was a choke point in the first place.
|
| If you want to prevent an app or device on your network
| from accessing an IP, you must 1: Ensure the app or
| device has no wifi or cell or any other possible physical
| connection of its own that could allow it to reach the
| internet without going through your router. 2: Block the
| ip, by ip, in your router, and also any other ip that
| could serve as a proxy or relay.
|
| It is impossible to know what all those IPs are, so what
| is possible instead is whitelisting instead of
| blacklisting.
|
| You could do that, but was it useful or interesting to
| even say? Didn't you and everyone else already know all
| that?
| A4ET8a8uTh0 wrote:
| << It is impossible to know what all those IPs are, so
| what is possible instead is whitelisting instead of
| blacklisting.
|
| << The point was that it's pointless to even think in
| terms of "apps and devices going around my choke point"
| because there never was a choke point in the first place.
|
| I am not sure why I detect snark. Either it is possible
| or it is not possible. You argue that we can only assume
| that things are not communicating with the outside world
| if there is no network to begin with, which is not a
| completely unreasonable position to take knowing what we
| know -- cat and mouse gaming being what it is. But even
| that is slowly becoming less of an option.
|
| << You could do that, but was it useful or interesting to
| even say?
|
| Are you suggesting that this conversation is pointless? I
| don't see it that way. edit: after all, I am
| participating in this exchange.
| buro9 wrote:
| DoH helps us against governments, but doesn't help us against
| advertisers, i.e. what stops Google or an app maker talking to
| their own DNS endpoint via DoH and avoiding local measures to
| block malware and tracking.
|
| DoH is a double edged thing, advertisers are a more present and
| pervasive threat to most than their own government
| logicchains wrote:
| If by most people you mean most people globally, governments
| are absolutely a bigger threat; only a minority of the
| world's population live in countries with benevolent
| governments who don't censor the internet to hide the
| government's misdeeds.
| whatwhaaaaat wrote:
| Don't forget the US federal government paid twitter and
| Facebook to remove speech it didn't like (speech that
| turned out to be true).
| chmod775 wrote:
| You could argue against seatbelts the same way: seatbelts can
| cause abrasion of the skin during everyday driving, which is
| a more present and pervasive threat to most than car crashes.
|
| In both instances it turns out that the difference in
| magnitude of those threats makes the direct comparison
| misleading.
| FireInsight wrote:
| I've never heard of seatbelt skin abrasion, but car crashes
| are an exceptionally common danger.
| megous wrote:
| Community based FOSS OSes/distros stop all this and avoiding
| the corporate SW/services.
| HeatrayEnjoyer wrote:
| How do I install a Foss OS to my TV or my kid's tablet? And
| without breaking DRM attestation?
| BlueTemplar wrote:
| If you use services requiring DRM, you _are_ one of the
| bad actors, why should we care about what you think ?
| megous wrote:
| Pinetab2 as a tablet, or some x86_64 tablet of which
| there are many.
|
| For TV, use it as a dumb display for some FOSS TV box,
| running something like libreelec.
|
| As for DRM attestation, that's not the responsibility of
| anyone but the DRM vendor, so ask them.
| dspillett wrote:
| _> DoH helps us against governments_
|
| And bad ISPs[0].
|
| And a small subset of MitM attacks.
|
| _> advertisers are a more present and pervasive threat to
| most than their own government_
|
| That is true for me[1] but I'd not agree with "most" globally.
| And while stalky corporates and the people who will get hold
| of my data subsequently due to lax security are my main
| concern, there are other ways to mitigate them. Less
| convenient ways, sure, and I lose a security-in-depth step
| of ashtray using them anyway, but I consider that
| inconvenience for me[2] to be less of an issue than the more
| serious problems DoH might mitigate for others.
|
| ----
|
| [0] some people don't have a simple "just go elsewhere"
| option
|
| [1] relatively speaking: I don't consider my government
| _that_ trustworthy, and will do so even less in future if the
| Tories get back in without major changes in their moral core,
| and I'm sure many Americans feel similarly if they consider
| the implications of Project2025.
|
| [2] both as an end user wanting to avoid commercial stalking
| and as someone who sometimes handles infrastructure for a B2B
| company that uses DNS based measures as part of the security
| theater we must present to clients when bidding for their
| patronage
| tzs wrote:
| An ISP could effectively bypass DoH. Block outgoing
| requests to IP addresses that the ISP has not whitelisted,
| and automatically whitelist IP addresses that were obtained
| from non-DoH DNS requests.
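
The egress policy tzs describes, sketched from the network owner's side as an added example (not code from the thread): destinations are permitted only while a plaintext DNS answer that named them is still within its TTL. The function and class names, the 192.0.2.x and 198.51.100.x addresses and the sample packet are constructed for illustration.

```python
import struct


def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:                # root label ends the name
            return off + 1
        if length & 0xC0 == 0xC0:      # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def a_records(msg: bytes):
    """Return [(ipv4, ttl), ...] from the answer section of a DNS response."""
    try:
        _id, flags, qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
        if not flags & 0x8000:                      # QR bit clear: this is a query
            raise ValueError("not a DNS response")
        off = 12
        for _ in range(qd):
            off = _skip_name(msg, off) + 4          # skip QTYPE + QCLASS
        found = []
        for _ in range(an):
            off = _skip_name(msg, off)
            rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            rdata = msg[off + 10:off + 10 + rdlen]
            off += 10 + rdlen
            if rtype == 1 and rclass == 1 and len(rdata) == 4:   # A record, class IN
                found.append((".".join(map(str, rdata)), ttl))
        return found
    except (IndexError, struct.error) as exc:
        raise ValueError("truncated DNS message") from exc


class LearnedAllowlist:
    """Permit a destination only while a DNS answer naming it is still fresh."""

    def __init__(self, static=(), max_ttl=3600):
        self.static = set(static)      # always allowed, e.g. the local resolver
        self.max_ttl = max_ttl         # cap so a huge TTL cannot pin an entry
        self.expiry = {}               # ip -> time after which it is dropped

    def observe_response(self, msg: bytes, now: float) -> None:
        for ip, ttl in a_records(msg):
            until = now + min(ttl, self.max_ttl)
            self.expiry[ip] = max(until, self.expiry.get(ip, 0))

    def permits(self, dst_ip: str, now: float) -> bool:
        if dst_ip in self.static:
            return True
        until = self.expiry.get(dst_ip)
        return until is not None and now <= until


def _name(n: str) -> bytes:
    return b"".join(bytes([len(p)]) + p.encode() for p in n.split(".")) + b"\x00"


def sample_response() -> bytes:
    """Constructed answer: www.example.test -> 192.0.2.10 (TTL 300), 192.0.2.11 (TTL 60)."""
    header = struct.pack("!6H", 0x1234, 0x8180, 1, 2, 0, 0)
    question = _name("www.example.test") + struct.pack("!HH", 1, 1)
    ptr = b"\xc0\x0c"                  # compression pointer back to the question name
    ans1 = ptr + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 10])
    ans2 = ptr + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([192, 0, 2, 11])
    return header + question + ans1 + ans2


if __name__ == "__main__":
    fw = LearnedAllowlist(static={"192.0.2.53"})
    fw.observe_response(sample_response(), now=1000)
    for ip in ("192.0.2.10", "192.0.2.11", "198.51.100.7"):
        print(ip, fw.permits(ip, now=1100))
```

The decision is per address, so anything else hosted on an address that was learned this way is admitted along with the name that was looked up.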
| mcpherrinm wrote:
| As an infrasec person, DoH is great because we can config
| manage all the corp devices to use DoH servers run by the
| company whether or not a device is on VPN. Good visibility into
| what devices are looking up, easy internal domains, and
| ensuring malware domains are blocked on and off network.
|
| At least the companies I've been working for have a lot more
| laptops at coffee shops and weworks, and probably not on a VPN
| half the time either. DoH has been a way bigger win than a
| hassle for me.
| sidewndr46 wrote:
| How would you ever get online at a coffee shop? Almost all of
| these use a captive portal that redirects DNS to some internal
| webpage making you click a button that says "I agree to your
| completely absurd terms and conditions"
| jeremyjh wrote:
| I can use a mobile hotspot on my phone basically everywhere
| I go. Public Wifi is most often garbage throughput compared
| to 5g.
| SoftTalker wrote:
| I have found that fewer places seem to be doing captive
| portals and are just going back to open wifi or maybe a
| well-posted password. Maybe they are realizing there's not
| a lot of value to it as almost all browser traffic is
| encrypted these days.
| grishka wrote:
| A good implementation of DoH/DoT would use regular DNS in
| these situations.
| chupasaurus wrote:
| If you have any Windows devices they are leaking DNS requests
| no matter the setup as long as they are getting DNS servers
| from DHCP that aren't yours.
| inkyoto wrote:
| Even if DNS is redirected, where DNS lookup request goes to
| next depends on the next hop, which is - for the prevailing
| majority of the internet users - the ISP.
|
| Deep packet inspection hardware appliances have proliferated in
| their numbers in recent years, they are cheap, the hardware is
| highly performant, and they are capable of the highly sustained
| throughput. Redirecting DNS queries in UDP port 53 to any other
| destination of choice is what they can do without blinking an
| eye (if they had one). Or dropping / blackholing it.
|
| Only a VPN tunnel can get through, however modern DPI
| appliances can also scan for VPN and VPN-like signatures in the
| traffic and drop those, too. The only viable and guaranteed to
| work solution to resist the tampering with the traffic is a VPN
| tunnel wrapped into a Shadow Socks tunnel that obfuscates
| traffic signatures and constantly changes ports it operates on
| to avoid detection.
| ruthmarx wrote:
| DoH is sufficient to mitigate DPI.
| ikt wrote:
| Co-incidentally Mullvad recently mentioned they're fighting
| back
|
| https://mullvad.net/en/blog/introducing-defense-against-
| ai-g...
| DanAtC wrote:
| And now available for macOS and Linux
| https://mullvad.net/en/blog/defense-against-ai-guided-
| traffi...
| profmonocle wrote:
| > As much hassle as things like DoH can be for securing and
| enforcing policy on a network, it's about time it became
| ubiquitous enough that governments can't leverage DNS for their
| own purposes anymore.
|
| A caveat of encrypted DNS is that it has to be bootstrapped via
| traditional, unencrypted DNS or via a well-known set of IPs.
| Currently, most clients using DoH/DoT use one of a small
| handful of providers. Cloudflare, Google, Quad9, etc. A
| motivated government could block those endpoints pretty easily.
|
| Of course, a client using encrypted DNS could just refuse to
| work when encryption is blocked, rather than falling back to
| traditional DNS. But that could mean the client is unusable in
| the country implementing the block.
|
| This sort of reminds me of when Kazakhstan announced they were
| going to MITM all TLS sessions within the country, and all
| citizens would need to manually install a root cert. Google,
| Apple, and Mozilla chose to completely block their root cert,
| so it would be unusable even if users chose to go along with
| it. https://en.wikipedia.org/wiki/Kazakhstan_man-in-the-
| middle_a... Seems like the browser devs won that political
| standoff, but would they fight the same battle if DoH/DoT was
| blocked?
| klingoff wrote:
| If we make sure clients support proxies what are they going
| to do about all the proxies that may allow the DoH server
| list and may be the only way to do something else?
| zarzavat wrote:
| This is the way. Few governments have the resources to play
| cat and mouse with OS or browser devs. Just look at the fuss
| over manifest v3, it shouldn't be a big deal - just fork
| chromium and patch manifest v2 back in again - but it _is_
| because there's no "just patching" chromium, it's like a
| train.
| moi2388 wrote:
| I still don't see the issue with v3. I hear a lot of
| complaints, but you can pretty much offer all the same
| functionality in v3 as in v2
| Timshel wrote:
| Humm, no: https://github.com/uBlockOrigin/uBOL-
| home/wiki/Frequently-as...
| moi2388 wrote:
| Uhm, yes. You can still apply rules with regard to all
| requests and then dynamically adapt them.
|
| You just can't do it before the request hits the browser,
| so you can't pretend to be a vpn inside the browser.
|
| Blocking or redirecting all requests, based on dynamic
| values, adapting all headers through webrequest and not
| showing any ads and removing them from the page is still
| possible with service workers and content scripts.
|
| The only issue is with regards to "static" rules and
| modifying them before they hit the browser. After that
| you can still do everything you could before. The only
| issue is bandwidth, but this should always have been an
| app to intercept all network requests instead of
| something inside the browser (like a vpn adblocker)
| zarzavat wrote:
| If you use a VPN^ to block ads then the VPN needs to be
| able to see inside your TLS session. Moreover, you still
| need an adblocker inside the browser process to do DOM
| manipulation, etc. For example, the element picker.
|
| It's technically possible to bifurcate an adblocker like
| that but it's an ugly setup and you would only do it if a
| gun was held to your head by an ad monopoly.
|
| That said, it may be a good idea in the current
| situation.
|
| ^ This is really stretching the meaning of 'VPN'!
| moi2388 wrote:
| But you can totally still block ads based on element
| picker and do DOM manipulation. That's not an issue.
|
| The only two things you cannot do is declare them as
| static rules (well you can but not unlimited), and look
| and modify every header before it hits the browser.
|
| And yes, you could have an app with a browser extension
| like Adblock already did for years without issues.
|
| You could also have only a browser extension and have all
| the user functionality you have now, the only difference
| being it just slightly slower, and you still having the
| network load the ads (but not the page you're on).
|
| A bit annoying? Sure. But it's hardly the severe problem
| it's being made out to be.
| em-bee wrote:
| _A caveat of encrypted DNS is that it has to be bootstrapped
| via traditional, unencrypted DNS or via a well-known set of
| IPs. Currently, most clients using DoH/DoT use one of a
| small handful of providers. Cloudflare, Google, Quad9, etc. A
| motivated government could block those endpoints pretty
| easily._
|
| not if DNS is hosted on the same servers as eg google search
| itself. then they would have to block google search in order
| to block DNS.
| brookst wrote:
| ...or use higher-level packet analysis to filter DoH.
| ronsor wrote:
| That kind of DPI is computationally expensive to the
| point China doesn't even do it much.
| myrandomcomment wrote:
| OMG, they very much do. It is not on 100% of the traffic
| but at any given time a more than smaller % is subject to
| DPI.
| zamadatix wrote:
| With HTTP/3 there isn't much higher level packet analysis
| to do between anything useful in the headers being
| encrypted and the session being reused. All you see is
| there is a 443 UDP session to a Google server and
| encrypted packets keep getting sent back and forth...
| which looks exactly like any other HTTP/3 session to a
| Google server.
|
| I think the weak points are wholly untechnical e.g.
| Google would often give in to protect the $$$ they make
| in a region.
| toast0 wrote:
| Packet size (i forget if http/3 does padding) and packet
| rates are still available, dns looks a lot different than
| most http content.
| BlueTemplar wrote:
| Then they will block Google Search and blame it on Google ?
| TacticalCoder wrote:
| > As a network guy ...
|
| Then transparently redirect the DNS request from all your
| machines at home to your own DNS resolver (so that you're in
| control of what gets resolved and what doesn't, like malware,
| phishing sites, porn so that kids don't get to see that, etc.)
| and have your own DNS resolver use DoH.
|
| But asking for browsers to "make DoH ubiquitous" (they would
| force DoH and DoH only) is not a good thing. It also probably
| would clash with corporate policies, so it'd make the browser
| picking that path unusable in corporate settings (leaving the
| corporate market to competitor browsers).
| aussieguy1234 wrote:
| In this case, the "malicious sites" that the government approved
| DNS providers block almost certainly includes life saving LGBT
| resources. It will not stop there however, expect anything anti
| government to be blocked. Democracy does not have a good track
| record in Malaysia.
|
| Of course there are still ways around this. Use a good VPN like
| Proton.
|
| This is still for sure going to be copied by authoritarian
| regimes worldwide.
| csomar wrote:
| Malaysia doesn't have a stellar democratic record but it's
| still a democracy. Also, a stellar democratic Malaysia will
| still vote for this. Don't confuse Democracy with Liberal
| values.
| aussieguy1234 wrote:
| Whatever they vote for, if uncensored information is not
| available, they are not making an informed decision and are
| likely only hearing one side's arguments.
| graemep wrote:
| Most countries have some sort of censorship. RT is banned
| (broadcasts and streams not allowed, and website blocked)
| in the UK. Libraries will not stock books with certain
| points of view reflecting the views of those who fund or
| run them (AFAIK LGBT stuff in some American schools, gender
| critical views in some British public libraries). Mein
| Kampf used to be effectively banned in Germany and has been
| actually banned in a few places.
| stop50 wrote:
| They used copyright to prevent that someone makes new
| copies. Old copies were not affected.
| kmlx wrote:
| > RT is banned (broadcasts and streams not allowed, and
| website blocked) in the UK.
|
| no VPN, rt.com works just fine in the UK, no issues.
|
| i think they banned the live TV in the EU and UK. and i
| think they also banned the website in the EU, but
| apparently it's not enforced?
| https://www.rferl.org/amp/russia-rt-sputnik-eu-access-
| bans-p...
|
| haven't found anything about rt.com being banned in the
| UK though.
| qingdao99 wrote:
| Blocked for me! Virgin Media is my ISP. Maybe your ISP is
| less restrictive/compliant (not sure if the block is
| actually mandated).
| ruthmarx wrote:
| > Most countries have some sort of censorship.
|
| This is a notable area where the US is an exception, and
| is significantly more free than other western countries.
| No need to worry about art or materials being censored
| here, at least outside of specific contexts like some
| states banning books from schools.
| chgs wrote:
| No it's not. The US is consistently banning free speech -
| including as you rightly say banning books in schools.
|
| It's just that the restrictions the US has are determined
| by Americans to be the right levels and other
| restrictions (for example laws against glorifying nazism)
| are the wrong levels.
|
| The sad thing is Americans believe the propaganda that
| they have freedom and nowhere else does and therefore
| their restrictions on speech aren't real but others are.
| j-bos wrote:
| When was the last time someone in the US was arrested for
| hate speech?
| Hizonner wrote:
| The US "levels" are quite a bit lower than almost anybody
| else's "levels".
| throwaway48476 wrote:
| My school library didn't have any of the hardy boys. Was
| it banned?
| ruthmarx wrote:
| > No it's not. The US is consistently banning free speech
| - including as you rightly say banning books in schools.
|
| Some states are doing that at a state level in limited
| contexts. Individuals are still free to post or publish
| whatever they want.
|
| > It's just that the restrictions the US has are
| determined by Americans to be the right levels and other
| restrictions (for example laws against glorifying nazism)
| are the wrong levels.
|
| No, it's that in the US this kind of freedom is
| significantly more protected and culturally important.
|
| > The sad thing is Americans believe the propaganda that
| they have freedom and nowhere else does and therefore
| their restrictions on speech aren't real but others are.
|
| I would say the sad thing is anti-US sentiment can be so
| high that people won't debate something like this in good
| faith and look at the various cases and histories.
| stoperaticless wrote:
| Isn't it too early to declare anti-US sentiment here?
|
| Challenge one: Could it be that previous commenter
| touched certain dogma? (One possible definition from
| Wikipedia: "Dogma, in its broadest sense, is any belief
| held definitively and without the possibility of reform")
|
| Challenge two: please try to stretch the definition of
| "censorship" a bit till you can say that USA has SOME
| censorship, maybe in disguise. (One possible definition
| from Wikipedia: "Censorship is the suppression of speech,
| public communication, or other information.")
|
| (No need to report results or reply / just try the
| exercise for elasticity of the mind)
|
| BTW. A bit related, hopefully interesting, random fact
| you did not ask for:
|
| "Freedom" is defined quite differently by people in
| different countries. While the U.S. often focuses on
| freedom from government interference, in France, freedom
| also includes the idea that the government has a role in
| ensuring social justice and protecting individual rights,
| and in Baltic countries the freedom usually means freedom
| from a certain country.
| fragmede wrote:
| Holocaust denial or vaccines have microchips or other
| nonsense is one thing. The two things that are censored
| so I can't post them (not that I want to) are CSAM and
| Disney Movies.
| immibis wrote:
| That is simply incorrect. Did you see the indictment
| against several unregistered Russian foreign agents to
| put them in jail for posting Russian propaganda to
| YouTube?
| cubefox wrote:
| He said "the US is [...] significantly more free than
| other western countries". Do you deny this is true?
| stoperaticless wrote:
| Yes.
|
| Change "significantly" to "technically" or at least to
| "", and then I will agree with the statement.
| ruthmarx wrote:
| The US dismantling a company they allege was being used
| as a weapon by a hostile country is different from the
| government preventing access to content that whoever is
| in charge doesn't personally like.
| jltsiren wrote:
| Only in the narrow sense, where freedom of speech is only
| about the lack of government censorship. But in the wider
| sense, where censorship may also be due to business
| interests or cultural and societal pressure, I haven't
| seen any real differences between freedom of speech in
| the US and the European countries I'm familiar with.
| ruthmarx wrote:
| What would be some examples of voluntary censorship from
| large organizations due to business interests or cultural
| and societal pressure and not due to government
| censorship?
| jltsiren wrote:
| Consider the content policies for popular social media
| platforms. Consider the platform unilaterally closing
| your account, which may be tied to many aspects of your
| life. Remember the cancel culture people used to talk
| about a few years ago. Think about the controversy around
| the Gaza war, with people on both sides being afraid to
| speak their minds due to potential consequences.
|
| While the government may not arrest you, the consequences
| of expressing your opinions can still be excessive.
| stoperaticless wrote:
| First thing coming to mind:
| https://en.m.wikipedia.org/wiki/Cancel_culture
| EasyMark wrote:
| I think countries have the right to ban disinformation
| and lies dedicated to social unrest. If England did ban
| it, that would probably be the reason, "news" presented
| as facts and reporting, shouldn't be outright lies.
| timomaxgalvin wrote:
| Most people want censorship.
| seydor wrote:
| Also don't confuse elections with democracy
| dyauspitr wrote:
| What could possibly be "life saving"? On the scale of things,
| it's a relatively moderate Islamic country so the best you're
| going to get is if you're gay and keep it quiet, no one is
| really going to bother you.
| aussieguy1234 wrote:
| PrEP is near 100% effective at preventing HIV. For sure I
| could see access to information about PrEP or other HIV
| prevention methods being blocked by an overzealous
| government.
| dyauspitr wrote:
| PrEP is not exclusive to LGBT communities (though they are
| at significantly higher risk than the general population).
| It's free at (some) government clinics in Malaysia.
| ETH_start wrote:
| Ironic that my comment was censored on a thread complaining
| about censorship.
| HeatrayEnjoyer wrote:
| No one has censored you... are you talking about your
| comment being flagged? That's from user votes, not HN
| directly.
| jtbayly wrote:
| "The algorithm decided it. That's not censorship."
|
| "The majority decided it. That's not censorship."
|
| "The law decided it. That's not censorship."
|
| "The users decided it. That's not censorship."
|
| "You were just scared your neighbors would kill you, so
| you didn't say anything. That's not censorship."
|
| I'm having trouble drawing lines.
| Twistyfiasco wrote:
| The comment was made and still stands.
| jtbayly wrote:
| Censorship by the majority is still censorship.
|
| I'm not opposed to all censorship. I'm just opposed to
| refusing to acknowledge it for what it is.
|
| If you have your comment flagged by a couple of people,
| and removed, that is censorship. Plain and simple.
| wordofx wrote:
| So... censorship. Just because you don't like what
| someone said does not make what they said wrong. Flagging
| comments is censorship. Plain and simple. You're trying
| to remove opinions you don't agree with.
| defrost wrote:
| I read your comment about _maybe_ "censoring STI
| prevention information" _might_ reduce the frequency of
| gay males having sex.
|
| Seems unlikely, not surprising it got flagged to death,
| however it's there for anyone with ShowDead enabled to
| read.
| potamic wrote:
| Quite plausibly, mental health resources. I assume connecting
| with like minded individuals and communities can go a long
| way in helping you understand yourself and reconcile your
| differences with broader society.
| becquerel wrote:
| Awareness and acceptance on LGBT matters can have a big
| impact on suicide rates.
| jtbayly wrote:
| Is that why the average suicide rate is lower in majority
| Muslim countries? Awareness presumably increases suicide?
|
| I know you were implying the opposite, but how many
| suicides are you going to prevent by making Malaysia's rate
| (6/100k) similar to the US (14/100k)?
|
| These are generalized rates, of course, but in point of
| fact, your claim is not substantiated by any real data.
| mthoms wrote:
| You're unaware of data to support the claim that social
| acceptance of LGBTQ people (particularly children) lowers
| their suicide rates? Really? This fact is well
| established and also makes perfect sense logically
| speaking.
|
| https://onlinelibrary.wiley.com/doi/abs/10.1002/ajcp.12553
|
| https://www.sciencedirect.com/science/article/pii/S027795
| 362...
|
| https://www.thetrevorproject.org/survey-2022/#support-youth
|
| There's plenty more if you care to just Google it.
|
| The rest of your comment is ridiculous because
| _obviously_ there is more than one contributing factor to
| suicide. Including (perhaps) latitude.
|
| https://www.ncbi.nlm.nih.gov/pmc/articles/PMC9822839/
| qwytw wrote:
| > Is that why the average suicide rate is lower in
| majority Muslim countries? Awareness presumably increases
| suicide?
|
| Either you think that the majority of the population in
| Malaysia or the US identify as LGBT+ or you're
| really struggling with basic statistics and reasoning.
|
| > prevent by making Malaysia's rate (6/100k) similar to
| the US (14/100k)?
|
| Presumably the idea would be to reduce it to some number
| lower than 6. Or do you believe the majority of people in
| the US are killing themselves because of "Awareness and
| acceptance on LGBT matters"?
| praptak wrote:
| Trans people's suicide rate increases if they are left without
| help.
| ekianjo wrote:
| democracy as a word means nothing at all. there are democracies
| in Europe where it's fine to jail people for what they write
| online.
| chgs wrote:
| Same in the US too.
| ruthmarx wrote:
| That's simply not true.
| ekianjo wrote:
| not true _yet_.
| chgs wrote:
| https://www.law.cornell.edu/uscode/text/18/373
| ruthmarx wrote:
| What point are you making with this link?
| gray_-_wolf wrote:
| Well did they not _try_ to jail Trump for what he wrote
| online in January after losing the election?
| diggan wrote:
| I don't know exactly what you're referring to, I don't
| know the details of the events.
|
| But is there a possibility there is a distinction between
| "I can freely share my political opinions about things"
| versus "I can ask/cheer on people to commit crimes
| without consequence"?
| qwytw wrote:
| Did they? Can you share the text of the indictment
| instead of asking meaningless low effort questions?
| immibis wrote:
| https://www.cnn.com/2024/09/04/politics/doj-alleges-
| russia-f...
| ruthmarx wrote:
| A government dismantling a corporation being used as a
| weapon by a hostile country is not the same as a
| government blocking individuals' access to websites they
| don't approve due to conservative values.
| Wytwwww wrote:
| So? Your point is what exactly?
|
| They were charged for money laundering...
| kelnos wrote:
| > _This is still for sure going to be copied by authoritarian
| regimes worldwide._
|
| I think that ship has sailed. Malaysia certainly isn't the
| first to pull this.
| andai wrote:
| Surprised VPNs are legal in Malaysia. Usually censorship and
| blocking VPNs go together.
| kazinator wrote:
| Maybe the time to start a grassroots network for exchanging giant
| /etc/hosts files.
| emersonrsantos wrote:
| https://winhelp2002.mvps.org/hosts.htm
| boredhedgehog wrote:
| It wouldn't have to be giant. Ideally, it would just include
| those entries that are censored for political reasons sorted by
| location.
| sulandor wrote:
| the dns-block block-list
|
| loving it
| diggan wrote:
| > It wouldn't have to be giant. Ideally, it would just
| include those entries that are censored for political reasons
| sorted by location.
|
| I think you're underestimating the amount of stuff being
| blocked everywhere. Even in Spain where I live the list of
| blocked domains would be pretty big already, and it's just
| one country.
|
| OONI gives a good overview: https://explorer.ooni.org/
| system2 wrote:
| Starlink sells and works there, will they block it? Also, how are
| they going to punish people with vpns and proxies?
| abdullahkhalids wrote:
| The purpose of banning VPNs is repressing political opponents.
| The police doesn't have to go around finding people who use
| VPNs. It's just that when the police arrest someone at a
| protest or for some trumped up charge, and the police also
| finds a VPN on the person's phone or computer, it is an easy
| charge to tack on - one that is certain to get punishment.
| sneak wrote:
| Starlink has to comply with local laws in places it is sold.
| It's like any other business.
| protocolture wrote:
| Starlink always complies with all ISP laws in every country.
| It's not some magic anti censorship button.
|
| Shit mostly it exits a country via ground stations in that
| country or a compatible legal jurisdiction. It's not even
| magically flying out of the country via satellite. +
| Discussions about its ability to skirt censorship in this
| fashion with any significant capacity sort of paint it as a bad
| move, maybe that starlink 2.0 nonsense.
| MrThoughtful wrote:
| Do Firefox, Chrome and Safari still use unencrypted channels for
| DNS queries?
|
| What is the state of DNS over HTTPS?
| profmonocle wrote:
| `sudo tcpdump port 53` says yes, they do use unencrypted DNS.
|
| AFAIK Chrome has a hardcoded list of DNS servers which offer
| encrypted DNS. I.E. if your DHCP server tells your PC to use
| 8.8.8.8, 1.1.1.1, 9.9.9.9, (or the IPv6 equivalents) it will
| instead connect to the equivalent DNS-over-HTTPS endpoint for
| that DNS provider. This is a compromise to avoid breaking
| network-level DNS overrides such as filtering or split-horizon
| DNS. It's not limited to public DNS providers either, ISP DNS
| servers are in there. (I've seen Chrome connect to Comcast's
| DNS-over-HTTPS service when Comcast's DNS was advertised via
| DHCP.)
|
| Of course, this is pretty limited. Chrome obviously can't
| hardcode every DNS server, and tons of networks use private IPs
| for DNS even though they don't do any sort of filtering /
| split-horizon at all. (My Eero router has a local DNS cache, so
| even if my ISP's DNS servers were in Google's hardcoded list,
| it wouldn't use DNS-over-HTTPS, because all Chrome can see is
| that my DNS server is 192.168.4.1)
| TacticalCoder wrote:
| > Do Firefox, Chrome and Safari still use unencrypted channels
| for DNS queries?
|
| Firefox for sure has a "corporate" setting which guarantees
| that DNS queries are unencrypted, using port 53 (virtually
| always UDP although technically I take it TCP over port 53 is
| possible but a firewall only ever allowing UDP over port 53 for
| a browser works flawlessly).
|
| AFAIK Chrome/Chromium also has such a setting and making sure
| that setting is on bypasses DoH.
|
| I force all my browsers / wife / kid's browser to my own DNS
| resolver over UDP port 53 (my own DNS resolver is on my LAN but
| it could be on a server if I wanted to).
|
| That DNS resolver can then, if you want, only use DoH.
|
| To me it's the best of both worlds: "corporate" DNS setting to
| force UDP port 53 and then DoH from your own DNS resolver.
|
| The benefit compared to directly using DoH from your browser is
| that you get to resolve to 0.0.0.0 or NX_DOMAIN a shitload of
| ads/telemetry/malware/porn domains.
|
| You can also, from all your machines (but not from your DNS
| resolver), blocklist all the known DoH servers' IPs.
| caymanjim wrote:
| I don't want my browser ignoring my DNS settings. I went
| through a lot of effort to set up Pihole in front of a local
| BIND server with split-horizon DNS for my VPS subdomains and my
| local subdomains, with caching and control over upstream
| resolvers, routed through Wireguard to avoid ISP
| snooping/hijacking.
|
| It's bad enough that so many devices and applications already
| ignore DNS settings or hard-code IPs. I want everything going
| through my DNS.
| userbinator wrote:
| ...and again the number of people who know what a VPN is
| increases.
| sixthDot wrote:
| > online gambling (39 per cent)
|
| well well well. People on HN will be surprised to know that the
| internet is a complete shit hole. "I thought the internet was
| made for the good of humanity".
| giorgioz wrote:
| > online gambling (39 per cent)
|
| It's 39% of the IPs banned by the DNSs of the ISPs of Malaysia.
| It's not 39% of the internet.
| sixthDot wrote:
| yes, that was well understood. A country decides to filter
| because the least poor citizens, those who have internet
| access, prefer to gamble online to make money.
| ghnws wrote:
| Make money gambling?
| protocolture wrote:
| I am not surprised by there being gambling on the internet, it's
| not exactly hiding.
| rasz wrote:
| Malaysia, the land of:
|
| >'You have shown determination': Malaysian PM praises Putin,
| pledges closer ties 2 days ago"
|
| reminder
| https://en.wikipedia.org/wiki/Malaysia_Airlines_Flight_17 43
| Malaysians killed by Putin.
| blackeyeblitzar wrote:
| Reminder: Malaysia is an _officially_ Islamic country. It is
| strange given its location, but Islamization also took over other
| South and East Asian places as well, like the Maldives and
| Indonesia.
|
| Malaysia has had a history of religious discrimination from both
| the state and citizens, despite there being a freedom to practice
| whatever religion you want. Their notion of religious freedom is
| also strange, since in order to be considered a Malay you MUST be
| Muslim. And Malays get all sorts of additional rights and
| privileges (such as affirmative action). The country also has
| Sharia law courts - and this is a very real problem for personal
| freedom, because the Sharia court prevents Muslims from
| converting to other religions typically, and this forces people
| to have secret double lives, where privacy is critical.
|
| Restrictions on Internet access or violations of
| privacy/anonymity are a serious problem for those who may run
| into trouble due to religious discrimination built into
| Malaysia's culture and law. Do not accept official explanations
| like protecting people from harm or stopping misinformation -
| control over the internet will be abused.
| rognjen wrote:
| > is strange given its location,
|
| Strange in the current context that it's not in the Middle East
| but not strange when you look at the map and see that it's a
| straight shot for a trading ship from the Middle East a
| thousand years ago.
| GreenWatermelon wrote:
| And the entirety of India (until the Brits arrived) was
| "controlled" by the Mogul Empire, which was mainly Muslim.
|
| Even Spain/Iberia had a huge Muslim population, until the
| Reconquista Kingdoms committed large scale genocide and
| deportions of Muslims and Jews.
|
| And speaking of Unexpectedly Muslim, the Golden Horde (AKA
| Tatars) which existed on the Crimean region as one of the
| offshoots from Genghis Khan's conquests, was Muslim. In fact,
| they allied with the Mamluk kingdom of Egypt against Holugu,
| leader of another Mongol horde, Ilkhanate.
| ValentineC wrote:
| > _Strange in the current context that it's not in the
| Middle East but not strange when you look at the map and see
| that it's a straight shot for a trading ship from the Middle
| East a thousand years ago._
|
| Funny enough, it wasn't a trading ship from the Middle East,
| but the then-Chinese empire:
|
| https://www.scmp.com/week-asia/article/2006222/chinese-
| admir... (no paywall link: https://archive.ph/f8622)
| blackoil wrote:
| Balkanization of the Internet is inevitable. As more and more
| people join it, there will be conflict between beliefs, values,
| and politics. Large markets like EU, India can keep companies
| aligned, but for smaller nations it will be easier to just
| selectively block global platforms and have local/compliant
| alternatives. China has shown it is possible and profitable.
| prpl wrote:
| intronet
| profmonocle wrote:
| I'm honestly surprised that the US doesn't have a legal
| framework to force ISPs to block IPs / DNS hostnames. I've been
| expecting that for 10+ years now, but it hasn't happened.
| anal_reactor wrote:
| It's because the US is so powerful they can take down any
| controversial website. See how literally all services with
| more than 10 users say in their terms of service "we don't
| want anything that might violate US law".
| HeatrayEnjoyer wrote:
| Isn't that just code for "don't post CSAM"?
| andai wrote:
| Is that also sites operated outside the US?
| diggan wrote:
| Obviously no, other websites follow the laws of their
| business entity/where servers are hosted usually. Not
| sure what parent is talking about.
| chgs wrote:
| US will use all manner of tools to extradite foreign
| citizens who have never been to the US because they broke
| US law.
|
| Nobody has to worry about breaking Thai laws around
| defaming the King because Thailand isn't a superpower
| with the ability to enforce its will beyond its borders.
|
| Everyone has to be worried about breaking US law.
| diggan wrote:
| Except what you wrote only applies to countries with
| extradition treaties with the US (meaning the government
| in those countries have agreed that US law can apply in
| their country too).
|
| Not every country has this, so no, not "everyone has to
| be worried about breaking US law".
|
| Regarding Thailand specifically, they have a principle of
| "double criminality", so people are only extraditable if
| what they're accused of is a crime both in Thailand and
| the country they're being extradited to. So maybe not the
| best example.
|
| Besides, other countries have extradition treaties with
| other countries than the US too, even non-super power
| ones.
| throwaway48476 wrote:
| Double criminality applies in every extradition case.
| kelnos wrote:
| I think for the most part because it's not needed. Anything
| hosted on a .com, .net, .org (or any other TLD where the
| TLD's root DNS is managed by a US company) can be taken down
| with a court order. There's no need to involve ISPs.
|
| In general they're not going to bother with IP blocking; once
| they've killed DNS, they're satisfied that most people will
| not be able to access it.
|
| And for the most part, that's good enough. There's perhaps an
| argument that the US gov't should be blocking IPs/DNS of
| things like hacking rings and malware distributors that are
| hosted elsewhere, on TLDs out of their reach (where ISP
| blocking would probably be the only or at least best way),
| but they mainly only care about e.g. sites that threaten the
| copyright cartels, when it comes to legal takedowns, anyway.
| And for sites that host illegal content, they seem happy only
| prosecuting US residents who access them.
| bamboozled wrote:
| "the cat's out of the bag" on internet censorship so to speak.
| wyager wrote:
| We were very fortunate to live through the aberrant time period
| in which there was a truly global data network. It feels almost
| like an inevitable fact of entropy that eventually the
| bureaucrats and petty fiefdoms would catch on to the existence
| of the system and demand their slice of the pie.
| hunglee2 wrote:
| The tension between borderless internet vs national sovereignty
| is one of the most important meta-conflicts occurring in the world
| today. What can be critiqued as draconian authoritarianism on one
| hand, can be defended as digital sovereignty on the other.
| protocolture wrote:
| authies always fall back on appeals to sovereignty why would
| fucking with the internet be any different
| BlueTemplar wrote:
| And those that look down on national sovereignty are suspect
| of being shills for imperialism (whether they realize it or
| not), which is an even worse kind of authoritarianism.
| nubinetwork wrote:
| > protection provided by the local ISP's DNS servers and that
| malicious sites are inaccessible to Malaysians.
|
| I'd really be curious if said "protection" is actually real...
|
| Between dynamic domain name generation (ala malware), and
| (potentially) a lack of public review... this sounds more like
| smoke and mirrors.
|
| Hopefully there is a way for users to set up a VPN and get access
| to a better DNS server without triggering the redirect.
| lemme_tell_ya wrote:
| > It has been falsely claimed that the measure undertaken by MCMC
| is a draconian measure. We reiterate that Malaysia's
| implementation is for the protection of vulnerable groups from
| harmful online content.
|
| That's how it _always_ starts out, the "it's for your own good,
| trust me" excuse.
| 1oooqooq wrote:
| "think of the children" is never out of style.
|
| but remember we have this (widespread from 90s to 2010) to this
| day in the USA, and they don't even bother with excuses. just
| shove advertising and hijack searches right on your face.
|
| google didn't force httpsdns on your browser for nothing. it
| was digging in THEIR pockets.
| pipes wrote:
| Not exactly the same thing, as it isn't a law.
| speedchess wrote:
| Which makes it worse in many ways. The entire tech,
| business, etc world has adopted the same censorship regime
| without government orders. So who is giving out the orders?
| linotype wrote:
| Shareholders.
| spacemanspiff01 wrote:
| Why does Google benefit from httpsdns?
| em-bee wrote:
| httpsdns in the chrome browser will by default go to
| googles dns servers allowing them to collect all the
| tracking data.
| selcuka wrote:
| They could've done that without httpsdns too.
| em-bee wrote:
| yes, but then they would have upset local admins for
| bypassing the local resolver. that is still an issue with
| httpdns, but now they have a better argument against
| using the local resolver as default.
|
| the ideal situation would actually be to implement
| httpdns on the OS/router level and allow the user/local
| admin choose the policy. i expect that this is going to
| happen soon in most linux distributions.
| brookst wrote:
| Surely they could just as easily report all DNS queries
| to Google under the guise of telemetry or search
| optimization or whatever. And of course let people
| disable that, which about 0.001% would do.
|
| Httpdns is too complex of a solution to the business goal
| you're suggesting. There are much simpler / less
| expensive ways of doing it.
| mensetmanusman wrote:
| Has anyone built the AI web browser yet? The one that redraws
| any image you might find offensive, rewords advertisements, and
| rephrases comments to be positive?
|
| That would be cool?
| A4ET8a8uTh0 wrote:
| Hah. It is still early morning so I let my mind run wild for
| a while. I am not aware of any public facing projects that do
| that, but in my mind's eye I saw polymorphic browser adjusting
| its code to meet the new AI web that is constantly in flux.
|
| You want privacy? It stamps out any attempts at
| fingerprinting by attempting to be the most common browser
| (and config) out there, it spoofs any and all identifying
| data, it redraws pages without paywalls, without cookie
| notices and puts all pages in simple text output mode
| removing all other ads in the process, but keeps pictures for
| fora that use them.
|
| You want 1984? It won't let you see anything that is not
| approved by the party.
|
| Onwards, to our glorious future.
|
| edit:
|
| Valuemaxx edition. Store pages with discounts have
| bruteforced discounts found and added for maximum value.
|
| It already is crazy. I can't even begin to imagine it being
| more crazy.
| mensetmanusman wrote:
| This should exist. You could get to such low bandwidth with
| such a system. Every image could be replaced by a
| description. Etc.
| TacticalCoder wrote:
| > The one that redraws any image you might find offensive,
| rewords advertisements, and rephrases comments to be
| positive?
|
| You're kidding but I've already toyed with using AI models to
| analyze browsers' screenshots and determining if it's likely
| phishing or not and it works very well.
| jay-barronville wrote:
| > [...] I've already toyed with using AI models to analyze
| browsers' screenshots and determining if it's likely
| phishing or not and it works very well.
|
| Assuming the AI is comparing screenshots of real versus
| phishing, it can only figure it out for poorly done
| phishing websites.
|
| As phishing scams get more sophisticated with scam websites
| that look exactly like the real ones, the only things that
| truly matter are protocols (i.e., HTTP versus HTTPS),
| domains, URL's, certificates, _etc._
| keeda wrote:
| Very interesting, I'm working on exactly the same problem
| from a couple different angles, but I'm not having much
| luck. I have negligible background in AI/ML or computer
| vision however, so I'm most certainly Holding it Wrong
| (TM). My general approach has been trying to generate
| embeddings using smaller models like MobileNet and ResNet
| (not trained or finetuned or anything) and using similarity
| metrics like Cosine distance, but there's too many false
| positives. If you can disclose it, would you be willing to
| expand on what has worked for you?
| krona wrote:
| I would call it Soma in reference to Brave New World.
| echelon wrote:
| This would _kill_ Google if it caught on.
| kylebenzle wrote:
| This IS Google.
| kylebenzle wrote:
| That is 100% what Facebook and Google are doing now with
| targeted ads and search results.
|
| Most people already only see the web the way Google wants
| them to see it.
| brookst wrote:
| True, but to be fair this isn't Google being ideological.
| They're just responding to customer signals that
| _customers_ prefer content to be shaped. If there was more
| CLV in one-size-fits-all search results, Google would do
| that.
|
| There's an argument that Google should not cater to our
| preferences, but I don't think I buy it.
| Hizonner wrote:
| Google's _customers_ are advertisers, not you.
| rvba wrote:
| There was an article here 2 or 3 months ago about the
| person responsible for making google search so much
| worse.
|
| So arguably google does not respond to customers anymore.
| Shareholders? Maybe. But probably those who prefer short
| term gain, not long term value.
|
| https://news.ycombinator.com/item?id=40133976
| lincon127 wrote:
| Well, that sounds horrifying.
| causality0 wrote:
| In the past I've had fun with extensions that randomize
| genders and ethnicities.
| talldayo wrote:
| Yes: https://github.com/alganzory/HaramBlur
| jay-barronville wrote:
| > Yes: https://github.com/alganzory/HaramBlur
|
| No. This is more similar to an ad blocker, but focused on
| helping Muslims respect their religious standards while
| they browse the web. I'm not a Muslim, but it makes perfect
| sense to me. Good for them--I see no problem with it.
| stoperaticless wrote:
| Mixed feelings.
|
| Somebody installs it for him/her-self. Sure, power to
| you!
|
| Neighbour in non-muslim state installs it for their
| children: their right, but feels fishy regarding child
| right to truth.
| UristMcPencil wrote:
| Issue#92: boycott GitHub for Zionism
|
| Given the repo name, I shouldn't have been surprised
| aguaviva wrote:
| Unfortunately there is a very pertinent context to the
| concerns raised by that user:
|
| Microsoft has invested in a startup that uses facial recognition to
| surveil Palestinians throughout the West Bank, in spite
| of the tech giant's public pledge to avoid using the
| technology if it encroaches on democratic freedoms.
| AnyVision, which is headquartered in Israel but has
| offices in the United States, the United Kingdom and
| Singapore, sells an "advanced tactical surveillance"
| software system, Better Tomorrow. It lets customers
| identify individuals and objects in any live camera feed,
| such as a security camera or a smartphone, and then track
| targets as they move between different feeds.
|
| https://www.nbcnews.com/news/all/why-did-microsoft-fund-
| isra...
| thelittleone wrote:
| They seriously called this app Better Tomorrow. Just wow.
| dudeinjapan wrote:
| Startup idea #72831: Build "Nostalgia" browser which uses AI
| to convert every page to Web 1.0, complete with "Under
| Construction" banners and CGI visitor counters.
| linotype wrote:
| +1, I'd pay for a license.
| AStonesThrow wrote:
| "Guys, I am just pleased as punch to inform you that there
| are two thermo-nuclear missiles headed this way... if you
| don't mind, I'm gonna go ahead and take evasive action." --
| Eddie, the Shipboard Computer (Douglas Adams)
| BlueTemplar wrote:
| There have been a bunch of more or less jokey browser
| extensions over the years replacing some specific words by
| others.
| protomolecule wrote:
| Every power can be used for good or for evil.
| Aerbil313 wrote:
| No power used by humans exists in a vacuum. In the hands of
| human beings, most powers are heavily biased towards one
| extreme in the spectrum. Man doesn't shape the world with the
| tools of the time - technology shapes the world and the man.
|
| Jacques Ellul and/or Ted Kaczynski might be a starting point
| on this matter.
| chaostheory wrote:
| This is also coming from a country that's implemented apartheid
| cebert wrote:
| It's for the children! Don't you love children?
| consumerx wrote:
| "It's for our own good", lol. Don't buy it. Don't comply.
| djohnston wrote:
| Sad to see Malaysia relegate itself to yet another Islamist
| backwater. They had so much potential.
| timomaxgalvin wrote:
| Somewhat hyperbolic.
| ra wrote:
| Wouldn't this be trivial to get around by using DNS-over-TLS
| /QUIC?
|
| nonetheless, a slippery slope
| Eumenes wrote:
| I have no problem with this. They are a sovereign country. Third
| party DNS, like Google, the aggregation of DNS query data could
| be used for nefarious or for-profit purposes. I encourage
| everyone to setup unbound.
| Aissen wrote:
| How would unbound work if your recursive queries to
| authoritative servers are redirected to local ISP servers
| instead?
| Eumenes wrote:
| Oh I misunderstood. The government is redirecting requests to
| local servers, not local user machines.
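
Added example (not part of the thread or of any commenter's post): one way to check from a client whether port-53 traffic is being transparently redirected, the situation Aissen's question about unbound assumes. It sends a query to 192.0.2.1, a documentation-only address (RFC 5737) where no DNS server exists, so a well-formed reply can only come from an on-path resolver; the function names and probe address are this example's own choices, and `constructed_reply` builds a sample answer for offline runs.

```python
import secrets
import socket
import struct

# Assumption of this example: 192.0.2.1 is in TEST-NET-1 (RFC 5737), reserved
# for documentation, so no genuine DNS server can answer from it.
PROBE_ADDR = "192.0.2.1"


def build_query(name: str, txid: int, qtype: int = 1) -> bytes:
    """Encode a single-question DNS query (recursion desired, class IN)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a name, which may end in a compression pointer."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # 2-byte pointer terminates the name
            return off + 2
        off += 1 + length
        if length == 0:
            return off


def parse_response(msg: bytes, txid: int):
    """Return (rcode, [IPv4 answers]); raise ValueError if not a reply to txid."""
    if len(msg) < 12:
        raise ValueError("shorter than a DNS header")
    rid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid or not flags & 0x8000:  # wrong ID or QR bit not set
        raise ValueError("not a response to this query")
    off, addrs = 12, []
    try:
        for _ in range(qdcount):
            off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
        for _ in range(ancount):
            off = _skip_name(msg, off)
            rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            rdata = msg[off + 10:off + 10 + rdlen]
            if len(rdata) != rdlen:
                raise ValueError("truncated record data")
            if rtype == 1 and rclass == 1 and rdlen == 4:
                addrs.append(socket.inet_ntoa(rdata))
            off += 10 + rdlen
    except (IndexError, struct.error):
        raise ValueError("truncated message") from None
    return flags & 0x000F, addrs


def classify(reply, txid: int):
    """Turn the raw probe result (bytes, or None on timeout) into a verdict."""
    if reply is None:
        return ("no-answer", None, [])  # expected when nothing intercepts port 53
    try:
        rcode, addrs = parse_response(reply, txid)
    except ValueError:
        return ("ignored", None, [])  # stray or malformed datagram
    return ("intercepted", rcode, addrs)  # something answered for a non-server


def probe(name: str = "example.com", server: str = PROBE_ADDR, timeout: float = 3.0):
    """Send one UDP query to an address with no DNS server and classify the result."""
    txid = secrets.randbelow(1 << 16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(build_query(name, txid), (server, 53))
            reply, _ = sock.recvfrom(4096)
        except OSError:  # includes timeouts and unreachable-network errors
            reply = None
    return classify(reply, txid)


def constructed_reply(name: str, txid: int, ip: str) -> bytes:
    """Constructed sample: the kind of answer a redirecting resolver would return."""
    question = build_query(name, txid)[12:]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton(ip)
    return header + question + answer


if __name__ == "__main__":
    print(probe())
```

A "no-answer" verdict is inconclusive rather than a clean result, since a network may redirect only queries addressed to well-known public resolvers.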
| tryauuum wrote:
| yet another country decides to protect people from harmful
| information. What is harmful -- well, the government will decide
| throwaway48476 wrote:
| Does anyone host zone files for local dns?
| dudeinjapan wrote:
| Also in Malaysia (coincidentally around same time) MCMC hard
| blocking of SMS which contain URLs. Not clear if there's some way
| to whitelist certain URLs/domains--does anyone know? Broke our
| TableCheck reservation notifications.
|
| https://www.thestar.com.my/tech/tech-news/2024/09/02/mcmc-ba...
| nurettin wrote:
| This is just dns, so they don't get the entire url. I know,
| slippery slope and outrage and stuff, but at this point it is
| almost expected that any government in the world with access to
| sufficient IT skills would start political internet bans.
| grishka wrote:
| > pornography/obscene content (31 per cent), copyright
| infringement (14 per cent)
|
| > We reiterate that Malaysia's implementation is for the
| protection of vulnerable groups from harmful online content.
|
| Who could possibly be harmed by pornography or, even more
| ridiculous, copyright infringement? Feels like a lame excuse.
|
| Internet censorship in my country (Russia) started the same way
| -- "we're protecting children from suicide and drugs", but _for
| some reason_ you couldn't opt out of the "protection" as an
| adult. To no one's surprise, over time, more and more things to
| non-consensually "protect" people from were added. In the end,
| unless you stick exclusively with local services, Russian-
| language content, and government-owned media, the internet is
| utterly broken without a VPN, packet fragmenter or other anti-
| censorship solution. Popular VPN protocols are also starting
| to get blocked, btw. All for your own safety, of course!
| consumer451 wrote:
| Birds of a feather...
|
| https://www.bloomberg.com/news/articles/2024-09-05/malaysia-...
|
| https://archive.is/lPbtj
| ronsor wrote:
| > copyright infringement
|
| I deeply implore you to think of the stakeholders!
___________________________________________________________________
(page generated 2024-09-07 23:01 UTC)