Great British Block-Off: GCHQ floats plan to share its DNS filters

Officials with GCHQ are said to be mulling a plan that would extend the UK government's network security tools to private-sector ISPs. GCHQ director general for cyber security Ciaran Martin has been in Washington, DC, pitching the plan to arm the ISPs with firewall updates aimed at blocking off known bad actors. The project, …

  1. MrDamage

    How long?

    > Though characterised in press reports as another "Great Firewall," the project appears to be almost entirely focused on catching cyber attacks, rather than gathering intelligence or censoring content.

    And given the way Ms May is going, how long before it morphs from protection against cyber attacks, to "protection from the rest of the world, and yourself."?

    All hail the Glorious Leader of the DPRUK

    1. Anonymous Coward

      Re: How long?

      Yep, mission/function creep of this is inevitable..

      Opt-out my arse........

      Yet another way to get the dissidents on a central list.

    2. Anonymous Coward

      Re: How long?

      All hail the Glorious Leader of the UPRE

      There fixed it for you.

      {Undemocratic Plebs Republic of England}

      1. Rich 11

        Re: How long?

        Shouldn't it be ARSE?

        Autocratic Republic of South-eastern England. The rest of us are just part of its protectorate (and duly grateful for every scrap from the high table tossed our way).

        1. Richard 12 Silver badge

          Re: How long?

          It was the plebs up North that voted for this, for the most part.

          I presume this was mostly because Londoner plebs have seen unbridled Westminster.

          Throw off the yoke of the EU! Hand unlimited POWER to your Westminster overlords!

  2. Anonymous Coward

    Rather than censoring?

    No mention of the other project which is deleting emails with spoofed addresses before you receive them?

    1. AMBxx Silver badge
      Big Brother

      Re: Rather than censoring?

      There was a very garbled article in The Times that confused DNS and spam.

      Sounds a lot like the promotion of ID cards - a plethora of very minor benefits to distract from the privacy/spying issues.

  3. RogerT

    What happens when a DNS appears on the blacklist in error?

    So what happens when a DNS appears on the blacklist in error? The thought of having to deal with an organisation like GCHQ fills me with horror. To me it sounds like a nightmare for some unfortunates.

    1. Anonymous Coward

      Re: What happens when a DNS appears on the blacklist in error?

      What happens when a DNSSEC entry appears on the blacklist?

  4. Andre Carneiro

    Toxic reputation

    The initial idea may actually be laudable and even mission creep notwithstanding, GCHQ have such a toxic reputation you'd have to be a fool to be seen in business with them.

    I, for one, wouldn't touch them with a barge pole (if I actually had the choice, that is).

    1. John Smith 19 Gold badge
      Gimp

      Re: Toxic reputation

      Indeed.

      "Known bad actors."

      Well for normal people that would be GCHQ as well, wouldn't it?

    2. alain williams Silver badge

      Re: Toxic reputation

      I thought that, but it would be a shame to not take advantage of the huge amounts of tax-payer money that they soak up; also we do have to recognise that they do have expertise. However: there is that smell about them, how far to trust them?

      The best way of dispelling a smell is lots of fresh air. So if what they released was Open Source and could be readily checked - then we have a chance of keeping them honest.

      I would be cautious, but I would like to talk to them further.

      I would also like to see them putting effort into dealing with some of the problems that many of us have, eg cold calling scams. Lots of small sums add up to a lot - in total more than the bigger issues that GCHQ is tasked to deal with.

      1. Ian Mason

        Re: Toxic reputation

        And if a scorpion asked you for a lift across the river and promised not to sting you, you, I take it, would trust them?

      2. Crazy Operations Guy

        "Open Source and could be readily checked"

        I'd imagine the easiest thing to do would be set up their own DNS server that doesn't return A records for offending domains and has a TXT record added with some kind of identifier for looking up the reason why it was blocked. They could then release the zone files so that anyone can read it, check it, and deploy it by just downloading a single plain-text file.
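
An added example, not part of the comment above and not GCHQ or ISP tooling: one way to audit a published blocklist zone of the kind Crazy Operations Guy describes, checking that no listed name carries an address record and that each has a TXT reason identifier. The zone contents, the `reason=` TXT format and the parent-domain matching in `lookup` are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample zone, not a real published list. Assumed line format:
# "<name> <ttl> IN <type> <rdata>", with ';' starting a comment
# (the sample has no ';' inside quoted strings).
SAMPLE_ZONE = """\
; constructed blocklist zone for illustration
bad-example.test.        300 IN TXT "reason=R-0001"
phish.example.test.      300 IN TXT "reason=R-0002"
noreason.example.test.   300 IN NS  ns.blocklist.invalid.
leaky.example.test.      300 IN A   192.0.2.10
leaky.example.test.      300 IN TXT "reason=R-0003"
"""

PREFIX = "reason="  # hypothetical TXT convention for the reason identifier


def parse_zone(text):
    """Return {owner name: {record type: [rdata, ...]}} from simple zone text."""
    records = defaultdict(lambda: defaultdict(list))
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 4)
        if len(parts) != 5 or parts[2].upper() != "IN":
            raise ValueError(f"unparsed line: {line!r}")
        name, _ttl, _cls, rtype, rdata = parts
        records[name.lower().rstrip(".")][rtype.upper()].append(rdata.strip('"'))
    return records


def audit(records):
    """Flag entries that break the scheme: an address record, or no reason."""
    findings = []
    for name, rrsets in sorted(records.items()):
        if "A" in rrsets or "AAAA" in rrsets:
            findings.append((name, "has address record"))
        if not any(t.startswith(PREFIX) for t in rrsets.get("TXT", [])):
            findings.append((name, "no reason identifier"))
    return findings


def lookup(records, qname):
    """Return (listed entry, reason ids) for qname or its closest listed parent.

    Matching subdomains against a listed parent is an assumption of this example.
    """
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in records:
            txt = records[candidate].get("TXT", [])
            return candidate, [t[len(PREFIX):] for t in txt if t.startswith(PREFIX)]
    return None, []


if __name__ == "__main__":
    zone = parse_zone(SAMPLE_ZONE)
    for name, problem in audit(zone):
        print(f"{name}: {problem}")
    print(lookup(zone, "login.phish.example.test."))
```

Run against a real published file, the `audit` findings are the entries an operator would query before deploying the list, and `lookup` gives the identifier to cite when disputing a listing.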

    3. Yet Another Anonymous coward Silver badge

      Re: Toxic reputation

      >I, for one, wouldn't touch them with a barge pole

      But if you don't use their approved list you must be a pedo(*)-terrorist-communist

      (ie a shoe bomber)

  5. Dan 55 Silver badge
    Black Helicopters

    I wonder which DNS entries will point to a transparent proxy in Gloucestershire?

    1. Rich 11

      No need. They've already got everything tapped.

  6. Anonymous Coward

    Hadrian Firewall

    1. Anonymous Coward

      Which, oddly enough, is the name of BT's firewall team

  7. Anonymous Coward
    Thumb Down

    So we're all in agreement..

    //filter*["This is a wonderful idea that couldn't possibly be used for //remove*[nefarious government] //inject*[foreign terrorist] acts" //*block[http://anywebsiteweplease.com]]

  8. Tony Pott

    < sealing off those addresses previously associated with attacks. >

    Which will be any tor exit node, thus killing the usability of tor to access uk sites.

    1. Ben Liddicott

      Don't be daft. They want you to use Tor.

      Tor is a honeypot and always has been. The point is to provide a false sense of security while simultaneously identifying people with something to hide.

      For example: http://www.theregister.co.uk/2007/09/10/misuse_of_tor_led_to_embassy_password_breach/

      TBB bugs are for the FBI. The NSA can de-anonymise any Tor user just based on their overall view of global network traffic.

      Why would you think a project planned, founded, and paid for by the US government - the Navy[*] specifically - would protect you from the US government? That's some seriously wishful thinking there.

      The question of legitimacy is all about what they do with the information. As long as the culture within the organisation does not permit it to be used except for national security, the ordinary person is safe. That ship has sailed in the UK - this is used for Serious Crime, which includes child prostitution. And fraud. And pot dealing. And copyright violation. And tax evasion. Pretty much everything which isn't a driving offence actually.

      [*] The head of the NSA is an admiral of the USN. Possibly coincidentally.

      1. Mayhem

        Re: Don't be daft. They want you to use Tor.

        The head of the NSA is an admiral of the USN. Possibly coincidentally

        I'd say that emerged from the early days of signal intelligence, which were primarily Naval. The army usually had a secured line of communication, and the Air Force were based well behind the lines.

      2. Anonymous Coward

        Re: Don't be daft. They want you to use Tor.

        Tor is a honeypot and always has been.

        It's a tool just like any other. If you want to obscure your location from the destination site, it works fine. If you want to come at a route from different angles to diagnose network problems, it's excellent. Absolute security? No.

        1. A Ghost

          Re: Don't be daft. They want you to use Tor.

          Exactly.

          I would never use TOR in a million years to do something nefarious. Not that I do anything particularly nefarious, but there you go.

          I use it to have a little anonymity in relation to the website I am visiting, knowing all the time I'm wide open to the greater powers. But the website on the other end? Not so much.

      3. Crazy Operations Guy

        Re: Don't be daft. They want you to use Tor.

        The heads of Intelligence agencies are always retired senior officers from the various military branches. The reason is that they would already have the appropriate security clearances, know what military personnel in the field need in terms of intel, have strong relationships with those who will be acting on the intelligence, and are conditioned to follow whatever the President and their cronies say and thus toe the party line.

        This is how it's always been, and how it will always be...

  9. Tom 64
    Black Helicopters

    Cattleprod disguised as an olive branch

    GCHQ are trying to kill two birds with one stone here; make them look like the good guys, while creeping their mission. Sleazebags.

    And all the while, the internet gets more and more carved up.

    Oh, and how long before a tax hike is announced so that you may cover the cost of the inevitable engineering tits-up that follows.

  10. Anonymous Coward

    blocking off known bad actors

    nothing to do with countless terrorists stealing big studio contents and funding their own unspeakable crimes and depriving those big studios of hard-earned tax-free gains?

  11. Anonymous Coward

    I don't trust them, these are the same people "security services" who fund so-called "moderate rebels" to help fight their stupid proxy wars, I wouldn't trust this lot to make me a sandwich, they don't have my interests at heart, only their corporate buddies

    1. A Ghost

      It's called M.I.M.E - the Military-Industrial-Media-Entertainment complex.

      They're all in it together.

      See Tom and Hugh playing big time Arms dealers, living the life. And they want you to pay for this shit?

      Fuck off.

  12. Arthur the cat Silver badge

    I misread that at first

    As "GCHQ float plan", which made me think the government was going to sell GCHQ on the Stock Exchange. After flogging off "Qinetiq", which was simply the Scientific Civil Service back when I worked for it, nothing would surprise me.

    1. Yet Another Anonymous coward Silver badge

      Re: I misread that at first

      >made me think the government was going to sell GCHQ on the Stock Exchange.

      The prospectus - "For carrying on an undertaking of great advantage; but nobody to know what it is."

      Only on el'reg do you get to make obscure C18 financial crises references before breakfast

  13. Version 1.0 Silver badge

    Who uses the ISP DNS anyway?

    The first thing I do on any setup is to ditch the ISP DNS servers and use multiple DNS servers from different organizations. Google, OpenDNS etc.

    1. RAMChYLD Bronze badge

      Re: Who uses the ISP DNS anyway?

      You can't switch DNS on a smartphone tho.

      Sure, you can on a jailbroken or rooted cellphone, but when you can't root or jailbreak for warranty or technical reasons, it's SOL.

    2. JohnG

      Re: Who uses the ISP DNS anyway?

      "The first thing I do on any setup is to ditch the ISP DNS servers and use multiple DNS servers from different organizations. Google, OpenDNS etc."

      Some ISPs (e.g. BT) intercept DNS requests (regardless of their destination) and redirect them to their own DNS servers, supposedly to improve performance. This becomes apparent if you try to reach a website on their naughty list: the IP address returned from a DNS query (directed to DNS servers at OpenDNS or Google) will be to the BT server hosting the message about this site being "blocked by order of the high court". In summary, regardless of what DNS servers you set on your broadband router or your local PC, BT will intercept all your DNS queries.

      You might consider using DNSCrypt instead.

      1. Anonymous Coward

        Re: Who uses the ISP DNS anyway?

        sorry to be paranoid, but I *was* using DNSCrypt and I suffered an attack that made me think it was likely that DNSCrypt was being used to arm payloads against me, based on what I was surfing & when.

        DNS is rather a lot of juicy metadata; who owns/watches the DNSCrypt servers?

        actually, Github thinks they aren't all 5eyes

        https://github.com/jedisct1/dnscrypt-proxy/blob/master/dnscrypt-resolvers.csv

      2. Marcel

        Re: Who uses the ISP DNS anyway?

        Wouldn't that be illegal with a Net Neutrality law?

  14. Roo
    Windows

    First they came for our DNS entries...

    Then they will come for our IP addresses because websites will continue to exist and operate without working DNS addresses just fine and people will continue to be pwned by drive-bys. It would be nice if they worked on helping folks use the internet securely rather than playing www-whack-a-mole at the taxpayers' expense. I'd love GCHQ to do stuff like out products that do stupid and insecure things such as rendering the contents of random files in ring 0, or adding leaky as a sieve virtualization features to silicon come to mind.

  15. Anonymous Coward

    Who decides who is bad!?

    IF (and it's a big if), if there was a separate/independent council that agreed which 'actors' were bad then fine, but we know damn that will be GCHQ....so it's fucked from the start

  16. Anonymous Coward

    I'll Try It

    More than willing to give this a try if it is opt-in. Cyber attacks are an ever increasing problem and at least GCHQ are looking at ways to reduce the problem. I have long been a fan of DNS filtering (opendns) and one that is advert free looks like a sound idea to me. If GCHQ are after my dark browsing history then I could just send them a list of my favourite PRON sites anyway. Perhaps they will reciprocate with a few suggestions.

  17. Blotto Silver badge

    BluTac

    seems like the BluTac lists you can get for your home media sampling system.

    Great idea, can see many many government and commercial entities mandating its use over other block lists just because it's GCHQ and should help audits sail through.

  18. Doctor Syntax Silver badge

    The intent might be genuine. The technical plan might be good. But even if both are true the scheme depends on trust and that is long gone.

  19. NanoMeter

    I wouldn't touch GCHQ with a remote controlled arm.

  20. Omgwtfbbqtime
    Big Brother

    First step in privatising GCHQ?

    Not surprised they are pushing out a product that can be monetised.

    Let's think this through.

    Charge £x to each ISP for access to the filter database or £y a lower amount for routing the traffic through the GCHQ's already in place firewall, of course we won't look at the data without just cause.

    The only surprise is that this is not being rolled out as mandatory for .gov, .nhs, .police etc or that it's not being offered as "protect your home network for £10 a year, just set your dns to point to us and we'll "take care of you"!" to the general populace/sheeple.

  21. Fr. Ted Crilly Silver badge

    No, honestly it's for your own good...

    what a wonderful censorship tool.

    Better than Gerry Adams being denied the sound of his voice on the telly...

    I mean well, you know, there are bad men eh.

  22. Anonymous Coward

    Other efforts .... protecting connected devices such as smart meters

    Because the risks involved in smart meters weren't pointed out at the initiation of the project so there was no lost opportunity to make them secure by design.

    Oh, hang on.

  23. Mike Shepherd
    Meh

    Fix

    "This will allow the public to be protected from malware or state-sponsored attacks..."

    Add: "and anything the Ministry of Information would prefer you not to read".

  24. Pascal Monett Silver badge

    "allow the public to be protected from [..] attacks that have already been spotted by GCHQ"

    Sorry, but what attacks have the GCHQ spotted up to now ?

    Apart from those the NSA told them about ?

    I don't think a blind man is the best thing to warn me about obstacles on the road.

  25. Marcel
    Black Helicopters

    Easy to avoid

    Cybercriminals could:

    - use IP-addresses instead of domain names (which they already do)

    - use other people's computers (which they already do)

    So basically it will not work, while creating yet another secret real-time website blacklist.

  26. Anonymous Coward

    Safe Internet for all!

    Or the slow lane, you too can choose soon.

    Obviously networking resources will need to be focused on the GCHQ compliant traffic to ensure all good citizens see the benefit of adopting safe, compliant browsing.

    Those who choose not to use the government approved name servers will enjoy the 2% of bandwidth allocated to them by 2020. You see you will still have choice and if you have plenty of time will probably be able to resolve all those old unregulated sites you used to.

  27. DCLXV

    I look forward

    to seeing what sort of decentralized replacements the inventive Britons will come up with to fill the coming void. I always enjoyed reading about the glory days of pirate radio in the UK, it will be interesting to see the methods by which those who wish to communicate freely will challenge the dominance of the corporatised web.

    1. A Ghost
      WTF?

      Re: I look forward

      I wouldn't look too far forward to it. There's a law against that, with increasing severity of penalties the more impotent they are to protect against it.

      The way I see it (and I'm no network guru) the greater powers have it all stitched up - hook line and sinker.

      Sure, they now have more data to sift, sure it's not meant to prevent paedophilia, sure it's not meant to protect against terrorist attacks. It's meant to stamp the Digital Imprimatur on things.

      https://www.fourmilab.ch/documents/digital-imprimatur/

      Forget about encryption (I'm no crypto guru either), there's a back door/tap for that.

      Forget about it all.

      The truth is, we have already been harvested. TOR for one - the biggest honeypot in the world. Remember Silk Road? They let it run, harvesting the punters, and then skimming all the profits - 4 million bit coins was it? Ta very much!

      Talking of TOR, set up by Naval Intelligence. Yeah, conspiracy theory. Remember Silk Road?

      They are not going to tell you there is a back door in it. Remember when people were called paranoid for claiming there was a key in windows for the NSA? Paranoid, yeah, paranoid as Andy Grove - only the paranoid survive right? Andy's done alright for himself hasn't he? CPUs that can change state with the computer turned off, all via Ethernet. Bloody hell, now that is what I call paranoia.

      And that is just what we know about, what they are telling us.

      One thing is for sure, software and the whole shenanigans involved with it has reached such a state of complexity, that even those that work on high-end stuff don't know wtf is going on. Remember Ken Thompson and the compiler thing? People are still asking if it is still a threat. Try explaining that to Doris at no.46 who just uses Facefuck to sell time in her 'properly equipped dungeon'.

      And talking of honey pots, and talking of the NSA - fuck it - we're still being harvested - as we have been for the last 10 years or more - let me tell you this, something very interesting I came across the other day:

      I started using Opera Developer edition to check out the VPN built in to it. Some people said it wasn't a proper VPN, and I can dig that, but it was handy for testing and interesting to play with.

      I did an Alexa type check on a website I was curious about, just to see what traffic was like lately, and lo and behold, even though I was supposedly using an IP address from the Netherlands, the bloody server was in the fucking NSA data center in Utah! Ditto for the American IP that was an option in it as well.

      Ok, it was actually less than a hundred miles up the road in a small unassuming building, that obviously had a server farm (and was a known quantity) - so there you go for plausible deniability. It wasn't in Holland though.

      I went a bit mad with the IP tracing, and the whole whois shebang. Honeypot!

      Shortly after, my internet started cutting out, and the Opera Developer edition stopped working altogether - it's fucked totally now. Just for me. Great idea - provide a free 'VPN' and have the servers in Utah in the NSA fucking data center - genius - you have to hand it to them. Not that they couldn't have got the information anyway, by other means, but that was bold. Must have been a reason for it.

      I don't know much about it, and maybe I made a mistake, but what are the odds of that? Doesn't that seem fishy to you? You think you have a Netherlands IP, but the server is a few miles down the road from the NSA HQ? Ditto the American IP.

      Maybe an innocent explanation. I only discovered it by chance, but still.

      All the same, if you made a comment on the Guardian newspaper and had it deleted by a radical feminist, your name has been harvested. I wonder what they plan to do with all this information?

      There can't be enough jack-booted nazis to carry out door to door exterminations can there?

      I wasn't paranoid before, but I am now. That means, I can't really be paranoid, because paranoid people always deny they are paranoid. So maybe I'm not that paranoid after all.

      No wonder most people don't want to face up to the shit that's going down at the moment. And the tech savvy especially. Now, I imagine you could get really paranoid if you knew what you were doing (thankfully I don't).
