Has everyone seen this? The author of the SOPA bill is a copyright violator himself! Texas Congressman Lamar Smith had originally used a photograph taken by DJ Schulte <http://www.flickr.com/photos/oxherder/4189641199/in/pool-89888984@N00> as the background of his official campaign website <http://www.texansforlamarsmith.com/> and did not even credit the photographer.

http://www.vice.com/read/lamar-smith-sopa-copyright-whoops

On Thu, Jan 12, 2012 at 11:03 AM, Nicolas Adam <[log in to unmask]> wrote:

> don't know how technical this is gonna get, but ...
>
> A few technical arguments against SOPA/PIPA [taken from the Internet History list referenced by me earlier]:
>
> At base, the crux of those points is to say that technical solutions won't solve social problems and that those tech solutions are burdensome, risky, ineffective, worse than the illness:
>
> [from Paul Vixie:
>
> mandated dns blocking is not an effective method of halting the distribution of objectionable materials (whether child abuse materials, or stolen copyrighted material, or sale of brand infringing material). it will not be effective, on its best day. but a law requiring it be done, and the infrastructure necessary to implement such a law, would completely change the assumptions that a DNSSEC initiator (such as an edge-validating browser using DANE to authenticate a self-signed X.509 cert) must be able to make when faced with a missing or invalid signature. as you (john) know, the error path is paramount in all security work.
>
> no good, and much harm, is what would come from mandated DNS filtering at the ISP level. that fact remains no matter whether the domain being blocked is doing web service for child abuse materials, or anything else. there are no corner cases here. the facts remain no matter what the content is and no matter what the law is.]
>
> +
>
> is congress gonna write the config files for the DNS providers?
>
> [see this exchange b/w vixie (green and blue ==> against SOPA) and bennett (orange and purple ==> pro-SOPA):
>
> On 12/19/2011 9:43 PM, Paul Vixie wrote:
>
> > On 12/20/2011 3:51 AM, Richard Bennett wrote:
> > See comments in-line.
>
> ok. i'm not sure why you're responding privately; these issues deserve sunlight and oxygen. feel free to share, including publication.
>
> > On 12/19/2011 6:39 PM, Paul Vixie wrote:
> > > Date: Mon, 19 Dec 2011 12:35:28 -0800
> > > From: Richard Bennett <[log in to unmask]>
> > > To: [log in to unmask]
> > >
> > > ...
> >
> > The implications of adopting a law that requires U. S. ISPs to alter their response to certain DNS lookups depends to a great extent on the expected user response to a lookup failure, which is a very interesting discussion but not really technical.
>
> that's... utterly... fantastical.
>
> the response of the operating systems, libraries, and applications that users on the internet will be running at the time that a mandated dns response (or mandated nonresponse) occurs is both interesting AND technical. and it's central to understanding whether the adoption of SOPA or PIPA in its proposed form would preempt DNSSEC in the marketplace. therefore it's the place we'd have to start any serious inquiry.
>
> assuming for the purpose of this message that you were not serious, let's proceed.
>
> > There are facts to be had that help answer this question, most significantly a Berkman Center study of user responses to DNS filtering in the many nations that require it. Their survey finds that 97% or so of affected parties don't engage in any circumvention measures. [berk2010]
>
> that study does not answer this question. the question is, what happens when lookups fail? very little about circumvention tools is relevant in that discussion. circumvention happens in response to many other inputs. most of the time lookups succeed but tcp/ip to port 80 fails. the reason this question is technical (i'm disputing you here) is that much of the user's reaction depends on the application's, library's, and operating systems' reactions. and many of the things in the berkman report are related to circumvention of non-dns federal blocking systems.
>
> > If you think this is "utterly fantastical" I suggest you take it up with the Berkman people.
>
> no, sir, i'm taking it up with you, because you claimed it was not a technical issue. it is a technical issue, and the technical issues will influence the non-technical ones, so, i claim that we have to study the technical issues first.
>
> > The bill is based on the RPZ feature in BIND9 that allows a DNS administrator to attach policy to DNS queries. This feature is controversial in some quarters in its own right, but there's not much of an issue with its current implementation and DNSSEC. When BIND9 finds a user looking up a signed domain, it simply bypasses the RPZ logic and gives a straight answer.
>
> ...
>
> first, if you're right that this bill really is based on RPZ, then i am extremely impressed. RPZ came out in summer 2010 and for it to reach the level of attention where authors of federal legislation in any country, especially in the U.S., would be impacted by it, astounds me. i thought it was a coincidence, as in, folks wanted to do this for a long time, but they couldn't see mandating it if the only dns filtering in existence was a commercial product (hello nominum!), and when RPZ came out, it was sort of like a door opened, allowing in what had been previously kept out.
>
> > The discussion about a bill of this type started in late 2009 when DNS blackholes and Nominum were known phenomena. By the time the bill was drafted, RPZ had validated DNS blacklisting and made it easy for the drafters to include such a method.
>
> is this first hand knowledge on your part, or are you reading some calendar-related tea leaves here? rpz validates aligned-interests dns blocking, but does nothing to validate the goals or approach taken by PIPA or SOPA. if someone really did act the way you're describing, then they were fools or they were misled by their technical consultants.
>
> > > second, in the manager's amendment to SOPA, allowance is made for an ISP to "not resolve" which broadly means "don't answer at all, just time out." i think this would be bad engineering, even if it wasn't politics (and thus not engineering at all). but since RPZ is based on rulesets containing a lot of <trigger,action> tuples i'd like to state for the record that no "action" triggerable by RPZ includes "just drop the query, don't answer." so if the SOPA folks were really basing their bill on RPZ, they've gone outside the box with the manager's amendment.
> >
> > No, there's more than that. The amended bill contains a stipulation that the DNS providers don't have to do anything that would undermine DNS Security. Whether they don't respond, respond with a signed pointer to the AG's web site, respond with Next Secure Domain, or simply resolve the query is an exercise left to the reader. Congress isn't writing the config files for the DNS providers at this stage.
>
> and yet "not respond" is not an RPZ feature, so if SOPA really is based on RPZ as a "reasonable measure" then SOPA is simply wrong to offer "not respond" as an option. and you should be in a position to know that "respond with Next Secure Domain" is not an option since the responding server will not possess the proper DNSSEC key for signing such a message. nor is "respond with a signed pointer to the AG's web site" since the responding server will not possess the key necessary for such a signature. "simply resolve the query" is outside the box since it does not comply with the law, unless you think an ISP could prevail in court if they say simply "there was no reasonable technical measure, so i did nothing." (i do not believe an ISP could prevail, since they could not afford the legal fees necessary to keep up with the MPAA people in terms of pretrial briefs and other filings.)
>
> what this means is not that i'm asking congress to write a config file, but rather, i am pointing out that there is no such possible config file; what congress is demanding here intersects rather badly with the null set. they may as well demand faster than light travel, because my answer would have the same form: "the laws of physics don't work that way."
>
> > > this is a problem in the design, and we're still trying to figure out what to do about it. if a bad guy with a bad domain can drive right through the RPZ just by signing his bad domain, then that'll either make DNSSEC very successful (since many domains are "throw aways" used only for e-crime) or it will make RPZ a total failure. on the risk that DNSSEC market success will not be the result of this missing feature in RPZ, i feel like some better answer is needed. but one thing i won't be putting into RPZ is a way to break DNSSEC -- as SOPA would require for effectiveness. if SOPA and PIPA were to be revised to say that any criminal who signs their infringing web site's domain name with DNSSEC shall be exempt from blocking under this law, then we'd really have something to talk about.
> > >
> > > third, you're right, no signed answer is affected by RPZ at present.
> >
> > Right, criminal domains and DNSSEC are on a collision course that will need to be headed off in order for DNSSEC to live up to its claims. I expect that can be done in a few different ways.
>
> this is nonresponsive, sir. congress has not said "if a bad guy signs their domain with DNSSEC then there is no need for ISP's to block access to that domain", and until they say that, they cannot use RPZ as an example of a "reasonable technical means" to comply with the law. this again is an intersection with the null set; it's a void concept; it's "crazy".
>
> > Congress needs to know whether doing so undermines Internet security, impedes the deployment of DNSSEC, or threatens the Internet or DNS in some way.
> >
> > The intent of SOPA is to have it follow the RPZ implementation, and
>
> as stated above, if SOPA is counting on RPZ, then the proposed law needs to say "and if criminals sign their domain names then they will not be blocked under this law" or it needs to refer explicitly to the RPZ specification, online at: https://deepthought.isc.org/article/AA-00512/0
>
> furthermore if they intend to be compatible with RPZ's actual capabilities for unsigned domain names, they will have to state a requirement that an unsigned NXDOMAIN, an unsigned CNAME, or an unsigned replacement answer record set be sent in response to queries for domains blocked under this law.
>
> > Good idea, but they won't get any closer than a "such as." It's best if Congress doesn't specify the code.
>
> as before i am not asking congress for source code, merely some set of constraints that does not have a null result. if you're right that they are basing their demands on the existence of RPZ then they are responsible for staying within the capabilities of RPZ. they have not done the latter so i claim that they have no claim on the former. please be responsive to my specific complaints and claims, as i am doing for yours.
>
> > The alternative to DNS-level filtering is to have ISPs use ACLs to block access to particular subdomains or even smaller units. That seems a bit problematic from an overhead perspective so I'd rather not go there. That seems to be going on in the Goodlatte amendment.
>
> i don't know any ISP who has core (that is, the high speed stuff) equipment capable of singling out DNS messages and doing a deep dive on them and modifying those that contain subdomains of a hundred or so (estimated by the SOPA proponents) parent domains. any requirement to do this would run afoul of the "any reasonable technical measures" wording. (this "technical measure" would never be "reasonable".)
>
> > I mean ACLs that block access to specific IP addresses, not to the DNS messages. Routers can do that. BGP filtering would be another approach.
>
> you said "subdomains" which meant, to me, that you expected these ACL's to be DNS-aware. which is it?
>
> moreover, if congress intends to allow ISP's to block by IP address rather than by domain name, then how often must the ISP update their IP filters to account for changes in the domain name -> ip address mappings? if a criminal changes their IP address a thousand times per day (as some criminals already do, so this would not be an innovation) then would ISP's be remiss in their compliance with the law if they only update their IP address ACL's once per day? be careful how you answer because you're either placing an infinite burden on a non-conspirator or you're allowing for the possibility that this whole package of law achieves no effective result and ends up either being "just for show" or being an historical joke.
>
> paul
>
> +
>
> If your meeting goes on the subject of job loss through content infringement (the justification for the bills), having this argument chain <http://www.cato-at-liberty.org/how-copyright-industries-con-congress/> in mind could be useful.
>
> [crux of the argument chain is:
>
> i) please see the US's own GAO report that confirms that the loss numbers are bogus by a farcical order of magnitude
>
> ii) losses are not societal losses as claimed, but rather an industry-specific loss: nothing suggests that the money not spent on those goods is not spent elsewhere in the US economy. In fact, the assumption that the displacement of activity likely stays for the most part inside the USA and occurs in other areas of *US* economic activity is the correct assumption (presumably, furthermore, on goods and services more valued by consumers, as free market economic theory would suggest)
>
> iii) even those losses specific to the entertainment industry are dubious, as many people infringing a lot are in fact buying more (I only buy movies I have already watched, it would never occur to me to buy a movie before i know it's a damn good movie) while most infringement cannot be considered losses because it is demonstrated that people would not have bought what they consume illegally.
>
> If you're comfortable with the spinning of this line of thought, here is a
>
> iv) "there would be less theft and less fraud if the Internet were more like Minitel. but i think there would also be less economic growth for the world" (from paul vixie again -- ih list)
>
> Nicolas
>
> On 12/01/2012 12:13 PM, Marc Perkel wrote:
>
> > In 2 hours I'm going to see two congress critters. Nancy Pelosi and Mike Honda at a fundraiser in Palo Alto.
> >
> > What is the most effective argument I can make to these people that will result in changing their minds?
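The Vixie/Bennett exchange quoted above rests on two concrete claims: an RPZ-style resolver can only hand a client an unsigned NXDOMAIN, CNAME or replacement answer, because it does not hold the zone's DNSSEC key, and a validating client that receives such an answer for a signed zone lands in the error path (or, for "not resolve", in a timeout). The Go program below is an added illustration of that mechanism; it is not code from the thread, from BIND or from any participant. It stands in for DNSSEC zone signing with a single Ed25519 key over a simplified record, and every zone name, address and policy entry in it is constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
	"strings"
)

// Action is a resolver policy action: NXDOMAIN and CNAME rewrites are what RPZ offers; Drop ("not resolve") is not an RPZ action.
type Action int

const (
	ActionNone     Action = iota // no policy for this name
	ActionNXDOMAIN               // unsigned "no such name"
	ActionCNAME                  // unsigned rewrite to a walled-garden name
	ActionDrop                   // never answer; the client times out
)

// Answer is a simplified DNS answer; Sig is nil unless the zone signed it.
type Answer struct {
	Name, Data string
	Sig        []byte
}

// canonical is what the signature covers, so any rewrite of name or data breaks it.
func (a Answer) canonical() []byte { return []byte(strings.ToLower(a.Name) + "\x00" + a.Data) }

// Zone is an authoritative zone; priv stays with the zone, Pub (nil when unsigned) is what validators trust.
type Zone struct {
	records map[string]string
	priv    ed25519.PrivateKey
	Pub     ed25519.PublicKey
}

// Lookup returns the authoritative answer, signed if the zone has a key.
func (z *Zone) Lookup(name string) Answer {
	a := Answer{Name: name, Data: z.records[strings.ToLower(name)]} // empty Data stands for NXDOMAIN
	if z.priv != nil {
		a.Sig = ed25519.Sign(z.priv, a.canonical())
	}
	return a
}

// Resolver is an ISP recursive resolver with a per-domain policy table. It holds
// no zone keys, so anything it rewrites is unsigned; the bool is false on drop.
type Resolver struct{ policy map[string]Action }

func (r *Resolver) Resolve(z *Zone, name string) (Answer, bool) {
	switch r.policy[strings.ToLower(name)] {
	case ActionNXDOMAIN:
		return Answer{Name: name, Data: "NXDOMAIN"}, true
	case ActionCNAME:
		return Answer{Name: name, Data: "CNAME walled-garden.example."}, true
	case ActionDrop:
		return Answer{}, false
	}
	return z.Lookup(name), true
}

// Validate is the client side: a DNSSEC-validating stub checks the answer
// against the zone's public key and reports which path it lands on.
func Validate(pub ed25519.PublicKey, a Answer, answered bool) string {
	switch {
	case !answered:
		return "timeout"
	case pub == nil:
		return "insecure" // unsigned zone: nothing to validate, answer accepted
	case a.Sig == nil:
		return "bogus: unsigned answer for a signed zone"
	case !ed25519.Verify(pub, a.canonical(), a.Sig):
		return "bogus: signature does not verify"
	}
	return "secure"
}

// RunScenario plays the cases argued in the thread and returns the client's
// outcome for each. Zone contents, names and addresses are constructed.
func RunScenario() map[string]string {
	signed := &Zone{records: map[string]string{"clean.example.": "A 203.0.113.20", "blocked.example.": "A 203.0.113.10"}}
	signed.Pub, signed.priv, _ = ed25519.GenerateKey(nil) // nil reader means crypto/rand
	unsigned := &Zone{records: map[string]string{"blocked.test.": "A 203.0.113.30"}}
	isp := &Resolver{policy: map[string]Action{"blocked.example.": ActionNXDOMAIN, "dropped.example.": ActionDrop, "blocked.test.": ActionCNAME}}
	out := map[string]string{}
	a, ok := isp.Resolve(signed, "clean.example.")
	out["signed/no-policy"] = Validate(signed.Pub, a, ok)
	a, ok = isp.Resolve(signed, "blocked.example.")
	out["signed/nxdomain"] = Validate(signed.Pub, a, ok)
	a, ok = isp.Resolve(signed, "dropped.example.")
	out["signed/drop"] = Validate(signed.Pub, a, ok)
	a, ok = isp.Resolve(unsigned, "blocked.test.")
	out["unsigned/cname"] = Validate(unsigned.Pub, a, ok)
	// Signing the rewrite with the ISP's own key does not help: the client
	// trusts the zone's key, which the ISP does not possess.
	_, ispPriv, _ := ed25519.GenerateKey(nil)
	a, _ = isp.Resolve(signed, "blocked.example.")
	a.Sig = ed25519.Sign(ispPriv, a.canonical())
	out["signed/nxdomain-isp-signed"] = Validate(signed.Pub, a, true)
	return out
}

func main() { fmt.Println(RunScenario()) }
```

Running it shows the three outcomes the thread argues about side by side: the unsigned zone's rewrite is simply accepted (which is why RPZ works today for unsigned names), the signed zone's rewrite is rejected as bogus whether or not the ISP signs it with a key of its own, and the "not resolve" option gives the client nothing to validate and only a timeout to act on. A real validator additionally has to cope with signed NSEC/NSEC3 proofs of nonexistence, which this model collapses into the single NXDOMAIN string.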