Sunday, December 22, 2013

The UK "Porn" Filter Blocks Kids' Access To Tech, Civil Liberties Websites

It fell to the UK Tories to actually implement the Nanny State. Too bad Nanny Tory does not want kids to read up on tech web sites, or civil liberties ones. Read on for a small sample of what the filter blocks, from a blocked-by-default tech writer.

[Updated 2x, scroll down]

Regular readers (at least those of you who also follow me on twitter) will know that I'm more than a little skeptical of censorship in general. And you may have seen, as evidenced by this tweet that I found the decision to implement a nationwide, on-by-default-but-possible-to-opt-out-of web filtering scheme in the UK to be a seriously stupid idea.

But then I was never very likely to become a UK resident or anything more than a very temporary customer of any UK ISP during visits to the country, so I did not give the matter another thought until today, when this tweet announced that you could indeed check whether your web site was blocked. The tweet points you to http://urlchecker.o2.co.uk/urlcheck.aspx, which appears to be a checking engine for UK ISP O2, which is among the ISPs to implement the blocking regime.

I used that URL checker to find the blocking status of various sites where I'm either part of the content-generating team or sites that I find interesting enough to visit every now and then. The sites appear in the semi-random order that I visited them on December 22, 2013, starting a little after 16:00 CET:

bsdly.net: I checked my own personal web site first, www.bsdly.net. I was a bit surprised to find that it was blocked in the default Parental control regime. Users of the archive.org Internet Wayback Machine may be able to find one page that contained a reference to a picture of "a blonde chick with a cute pussy", but the intrepid searcher will find that the picture in question in fact was of juvenile poultry and felines, respectively. The site is mainly tech content, with some resources such as the hourly updated list of greytrapped spam senders (see e.g. this blog post for some explanation of that list and its purpose).

nuug.no: Next up I tried the national Norwegian Unix Users' group web site www.nuug.no, with a somewhat odd result - "The URL has not yet been classified. If you would like it to be classified please press Reclassify URL". There was no Reclassify URL option visible in the web interface, but I would assume that in a default to block regime, the site would be blocked anyway. It would be nice to have confirmation of this from actual O2 customers or other people in the UK.

But NUUG hosts a few specific items I care about, such as my NUUG home page with links to slides from my talks and other resources I've produced over the years. Entering http://home.nuug.no and http://home.nuug.no/~peter/pf/ (the path to my PF tutorial material) both produced an "Invalid URL" message. This looks like a bug in the URL checker code, but once again it would be nice to have confirmation from persons who are UK residents and/or O2 customers about the blocking status for those URLs.

usenix.org: Next I tried www.usenix.org, the main site for USENIX, the US-based but actually quite international Unix user group. This also turned out to be apparently blocked in the Parental control regime.

ukuug.org and flossuk.org: But if you're a UK resident, your first port of call for finding out about Unix-like systems is likely to be UK Unix User Group instead, so I checked both www.ukuug.org and flossuk.org, and both showed up as blocked in the Parental control regime (ukuug.org, flossuk.org).

So it appears that it's the official line that kids under 12 in the UK should not be taught about free or open source software, according to the default filtering settings.

eff.org: You will have guessed by now that I'm a civil liberties man, so the next site URL I tried was www.eff.org, which was also blocked by the Parental Control regime. So UK kids need protection from learning about civil liberties and privacy online.

amnesty.org.uk: A little closer to home for UK kids, I thought perhaps a thoroughly benign organization such as Amnesty International would somehow be pre-approved. But no go: I tried the UK web site, amnesty.org.uk, and it, too, was blocked by the Parental Control regime. UK kids apparently need to be shielded from the sly propaganda of an organization that has worked, among other things, for releasing political prisoners and against cruel and unusual punishment such as the death penalty everywhere.

slashdot.org: Next up in my quasi-random sequence was the tech news site slashdot.org, which may at times be informal in tone, but still so popular that I was somewhat surprised to find that it, too, was blocked by the Parental Control regime.

linuxtoday.com: Another popular tech news site is linuxtoday.com, which, as the name says, has a free and open source software slant. Like slashdot, this one was also blocked by the Parental Control regime.

bsdly.blogspot.com: Circling back to my own turf, I decided to check the site where I publish the most often, bsdly.blogspot.com. By this time I wasn't terribly surprised to find that my writing too has fallen afoul of something or other and is by default blocked by the Parental Control regime.

nostarch.com: Blocking an individual writer most people probably haven't heard about in a default to block regime isn't very surprising, but would they not at least pre-approve well known publishers? I tried nostarch.com (home of among others a series of LEGO-themed tech/science books for kids as well as Manga guides to various sciences, as well as various BSD and Linux books). No matter, they too were blocked by the Parental Control regime.

blogspot.com: Along the same lines as in the nostarch.com case, if they default to block they may well have an unknown scribe blocked, but would they block an entire blogging site's domain? So I tried blogspot.com. The result is that it's apparently registered that the site has "dynamic content" so even the "default safety" settings may end up blocking. But of course, another one that's blocked by the Parental Control regime.

arstechnica.com: I still couldn't see any clear logic besides a probable default to block, so I tried another popular tech news site, arstechnica.com. I was a bit annoyed, but not too surprised that this too was blocked by the Parental Control regime.

The last four I tried mainly to get confirmation of what I already suspected:

www.openbsd.org: What could possibly be offensive or subversive about the most secure free operating system's website? I don't know, but the site is apparently too risky for minors, blocked by the Parental Control regime as it is.

undeadly.org: The site undeadly.org is possibly marginally better known under the name OpenBSD Journal. It exists to collect and publish news relevant to the OpenBSD operating system, its developers and users. For Nanny only knows what reason, this site was also blocked by the Parental Control regime.

www.freebsd.org: www.freebsd.org is the home site of FreeBSD, another fairly popular free BSD operating system (which among others Apple has found useful as a source of code that works better in a public maintenance regime). I thought perhaps the incrementally larger community size would have put this site on Nanny's horizon, but apparently not: FreeBSD.org remains blocked by the Parental Control regime.

www.geekculture.com: How about a little geek humor, then? www.geekculture.com is home to several web comics, and The Joy of Tech remains a favorite, even with the marked Apple slant. But apparently that too, is too much for the children of the United Kingdom: Geekculture.com is blocked by the Parental Control regime.

www.linux.com: And finally, the penguins: By now it should not surprise anyone that www.linux.com, a common starting point for anyone looking for information about that operating system, like the others is blocked by the Parental Control regime.

So summing up, checking a semi-random collection of mainly fairly mainstream and some rather obscure tech URLs shows that far from focusing on its stated main objective, keeping innocent children away from online porn, the UK Internet filter shuts the UK's children out of a number of valuable IT resources, as well as several important civil liberties resources.

And if this is the true face of Parental Controls, I for one would take using controls like these as a sufficient indicator that the parents in question are in fact not qualified to do their parenting without proper supervision.

If this is an indicator of how the collective of United Kingdom Internet Nannies is to maintain their filtering regime, they are most certainly part of a bigger problem than the one they claim to be working to solve.


If you are a UK resident or other victim of automated censorship, I would like to hear from you. Please submit your story in comments or send me an email at blockage@bsdly.net


Update 2013-12-23 13:05 CET: A reader alerted me to the fact that the URL Checker is down, and that URL now leads to a page that claims the operators are "in the process of reviewing and updating" their offerings.

Update 2013-12-24 19:30 CET: O2 contacted me via twitter direct message, pointing me to their FAQ at http://news.o2.co.uk/2013/12/24/parental-control-questions-answered/. As non-responsive responses go, it was fairly useful, if not entirely constructive. The most useful bit of information is possibly that the service as presented is apparently specific to O2 customers, not the frequently cited national, Tory-backed regime.

As the FAQ document clearly demonstrates, the underlying problem is that some of their customers, for whatever reason, have chosen to leave the monitoring and mentoring of their children's reading to an automated service.

The world contains a multitude of dangers, and most of us, in the UK or elsewhere, would agree that it is a parent's duty both to protect their offspring and to educate them in how to avoid danger or handle problems they encounter.


Ignorance has yet to help anyone solve a problem

There are several ways to protect and educate, and I feel that the approach offered by O2's service is the wrong approach in several important ways. First off, by limiting children's access to information, it strongly recommends choosing ignorance instead of education as the main defense against the perceived evils of the world.

If a person would advise that you chain your children to the wall and burn their library cards, you as a responsible parent would perhaps be reluctant to accept that advice as valid. But O2 has no qualms about offering a commercial service that does just that, only via digital means.

But the engineer in me also compels me to point out that the "Parental Control" is designed only to attack a specific symptom of a wider problem, and it fails to address that problem. And making matters slightly worse, the proposed solution is to apply a technical solution to a human or perhaps social problem.

The real problem is that some number of parents do not feel up to the task of mentoring and educating their children in safe and sensible use of their gadgets and the information that is accessible through the gadgets. Parents failing, or perceiving that they may be failing, to adequately educate or mentor their children is the real problem here. Fix that problem, and your symptoms go away.

If a significant subset of O2's customers feel they are unable to handle their parenting duties, the problem may very well be that society is failing to adequately support parents' needs during their child-rearing years.

The solution may well be political, and may very well involve matters that are best resolved by making a proper choice at the ballot box after well reasoned debates. In the meantime, O2 is only making matters worse by answering the needs of persons who feel the symptoms of the deeper problem by catering to a perhaps understandable, but in fact utterly counterproductive, drive for ignorance.

Ignorance never helped anybody solve a problem. Children need to be nurtured, educated, mentored and stimulated to explore. Please do not force them into ignorance instead.

Monday, December 16, 2013

Three Books You Too Should Read This Year (Or Early 2014)

For the holiday season, The Grumpy Reader fishes out a selection of recent books you should read even if you think you're too busy.

I'm sure you've had that feeling too: There are times when there's too much coming your way when you're already busy, so some things just fall by the wayside for too long. In my case the victims of my unpredictable schedule were books that publishers sent me for review in one form or the other, and those reviews just never got written as I wanted to in between other projects that were likely less interesting to the public at large.

But enough about me, here by way of making up for not getting around to this before are my slightly compressed thoughts about some important books released this year, just in time for your holiday shopping:


The Practice of Network Security Monitoring: The Best Surveillance Book You'll Read Anytime Soon

When I first heard that Richard Bejtlich was working on a No Starch Press title quite some months back, I immediately told my contacts at No Starch that I'd love to have a review copy, the sooner the better.

If Richard's name does not ring a bell, you may not have followed Internet security writing too closely and you could do worse than head over to Richard's blog at Tao Security and browse his online articles. In addition to prolific blogging and consulting activities, he is also the author of several highly acclaimed books in the field, and every now and then it's possible to sign up for his classes (see the blog reference for links).

The Practice of Network Security Monitoring is one of those books that I've very much enjoyed reading, but also one that for various reasons I found surprisingly difficult to review in a way that I feel does the book and its author justice.

It reads well. Richard spends enough time on basic concepts of network security monitoring early that the novice will be encouraged to go on, and once the basic concepts are laid out, the text alternates nicely between short expositions of theory and follow-on hands-on sections that offer enough detail that the techies will have enough pointers to start exploring further but are hopefully not extensive enough to scare off those readers who really want most of all to follow the logic of the many sub-activities in the network security monitoring field.

It offers a lot of useful information in a reasonably compact format. But interesting and useful in this context on a technical level also means that you, dear reader, may be entering an area with a large set of legal pitfalls.

The network security monitoring system described in The Practice of Network Security Monitoring (all of it free software, fortunately) is designed to capture and store all network traffic passing through designated interfaces. That certainly has its uses, and the book offers a few delightful examples of analysis, including one scenario that reconstructs the exact sequence of events in a targeted malware attack.

But the level of detail recorded by these tools, including the content of all traffic, comes with a big warning: While the details will vary from jurisdiction to jurisdiction, setting up and using the tools as described here outside of a strictly controlled lab environment for pure research purposes is likely to be unconditionally illegal or at least require you to obtain specific permission from the relevant authorities or to be a member of a government that has already acquired a specific warrant.

The fact that the book was published at more or less the same time the various revelations about NSA's surveillance activities became public may have helped its sales, but the somewhat charged atmosphere those revelations created also made it a little harder to write this review. The trickle of leaked documents looks set to go on for a while more, but I feel rather confident that The Practice of Network Security Monitoring is likely to be the best technical book about surveillance you read this year or the next.

The Practice of Network Security Monitoring: Understanding Incident Detection and Response by Richard Bejtlich, No Starch Press, July 2013, 376 pp. ISBN: 978-1-59327-509-9. Available Here and at better bookstores.


Sudo Mastery: You're Doing It Wrong, But Not For Want Of Trying

If you're a system administrator or a user of Unix-like systems, you're likely to at least know about the sudo command, which lets ordinary users execute commands with other than usual permissions and privileges. But it's a program that comes with its own set of quasi-mythological misunderstandings.

In fact, as this book aptly demonstrates, most people who use sudo on a daily basis more likely than not are doing it wrong. Contrary to common belief, sudo is not actually 'the program that gets you root access'.

There were no good books about sudo around, so Michael W. Lucas set out to write one as part of his Mastery series (I've covered some of the titles in the series before, see my reviews of SSH Mastery and DNSSEC Mastery).

Like the other titles in the series, Sudo Mastery is a compact book (the PDF version comes to 135 pages) that focuses on an important tool in the sysadmin's toolbox. It's clearly written for a sysadmin audience, but Michael does walk the reader through the basics of the Unix users, groups and permissions based security model and discusses some of its problems before he dives into how to make sudo do its best for you.

The book's subtitle is User Access Control for Real People, and this thinking shows through clearly in the text. Sudo Mastery is written with the working sysadmin in mind, and at most times the description of a new feature comes with an anecdote that clearly stems from practical experience.

At the end of the book, you will have been exposed to the bulk of sudo's features, and you will have learned how to construct your own access system that is, for all practical purposes, a Role Based Access Control system. Or, at the very least, a system that will be more logical and maintainable than what you started with, and one that is far superior to the binary root/not root game sysadmins and their users play all too often.

Like anything else Michael has written, this comes highly recommended. You can get your copy of Sudo Mastery directly from Tilted Windmill Press here or through good bookstores.

Sudo Mastery: User Access Control for Real People, Tilted Windmill Press, November 2013 ISBN-10: 1493626205 ISBN-13: 978-1493626205


Absolute OpenBSD, 2nd edition: The Book About My Favorite Operating System

Regular readers will know that I have a favorite operating system, and it's called OpenBSD. Until April of this year, the most recent widely known book about OpenBSD was Michael W. Lucas' 2003 title Absolute OpenBSD. Then, finally, the much refreshed Absolute OpenBSD, 2nd edition was published.

I was close enough to the project myself as that book's technical editor that I was a little shy about writing much about the title myself when it came out, but after not looking at it for some months I can say that the result is definitely worth your time.

I even think that it would be a good idea to hand this book and an OpenBSD CD set to students as their first Unix. OpenBSD is a lot more compact and logically structured than a lot of the competition, and with Michael's 2nd edition to supplement the included man pages and FAQ, there's even a chance they will learn to expect that the system defaults are set to sane values and that there is a perfectly logical reason for everything your system does.

Absolute OpenBSD, 2nd Edition: Unix for the Practical Paranoid by Michael W. Lucas, No Starch Press, April 2013, 536 pp. ISBN: 978-1-59327-476-4. Available from the publisher here and through good bookstores.

If you still haven't done your geek holiday shopping, these are my season's recommendations. Even if you read this some time past the holidays, all of these titles will be valuable additions to the actively used parts of your tech library.