
Dont Worry Government, I Got This Porn Filter Sorted - petemcc
http://sicksad.com/blog/2013/07/28/dont-worry-government/
======
sehrope
> Any request that is denied by OpenDNS is then allowed by our DNS server, and
> any request allowed by OpenDNS is blocked by us.

The most interesting part of this to me is using multiple DNS providers to
determine which category the site is in. It's both simple and effective.

If they actually go ahead with this plan in the UK and it's implemented
similarly (eg. via DNS rather than IP blocking), somebody should make a list
of what's blocked. Go through the top N sites and for each run a DNS lookup
from both a filtering DNS server and also a couple non-filtered ones (ex:
Google DNS[1]) then compare the results[2].

Bonus points if someone builds a way to crowd source the data so that it gets
logged from multiple DNS servers round the world.

[1]: https://developers.google.com/speed/public-dns/

[2]: This would need to do more than a plain A == B as each address could
resolve to multiple IP addresses.
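
The comparison suggested above, as an added example that is not part of the comment or the linked post: it compares answer sets by overlap rather than equality (footnote [2]) and flags an address that the filtering resolver returns for several unrelated domains. The answers are constructed sample data; the function names, verdict labels and `min_domains` threshold are assumptions.

```python
from collections import Counter

# Constructed sample answers (documentation address ranges, not real lookups).
# FILTERED: A records from the filtering resolver; REFERENCE: one set per open resolver.
FILTERED = {
    "news.example": {"192.0.2.10"},
    "cdn.example": {"198.51.100.7"},
    "site-a.example": {"203.0.113.99"},
    "site-b.example": {"203.0.113.99"},
    "site-c.example": set(),            # NXDOMAIN / empty answer
    "gone.example": set(),
}
REFERENCE = {
    "news.example": [{"192.0.2.10", "192.0.2.11"}, {"192.0.2.11"}],
    "cdn.example": [{"198.51.100.20"}, {"198.51.100.21"}],
    "site-a.example": [{"192.0.2.50"}, {"192.0.2.50"}],
    "site-b.example": [{"192.0.2.60"}, {"192.0.2.61"}],
    "site-c.example": [{"192.0.2.70"}, {"192.0.2.70"}],
    "gone.example": [set(), set()],
}

def ref_union(domain, reference):
    """Every address any reference resolver returned for the domain."""
    return set().union(*reference.get(domain, []))

def find_sinkholes(filtered, reference, min_domains=2):
    """Addresses the filter hands out for several domains that no reference
    resolver returns for those domains: likely a block page or filtering proxy."""
    hits = Counter()
    for domain, addrs in filtered.items():
        hits.update(addrs - ref_union(domain, reference))
    return {addr for addr, n in hits.items() if n >= min_domains}

def classify(domain, filtered, reference, sinkholes):
    got, expected = filtered.get(domain, set()), ref_union(domain, reference)
    if not expected:
        return "unresolvable"   # nobody resolves it, so not evidence of filtering
    if not got or got & sinkholes:
        return "blocked"        # answer withheld, or redirected to a shared address
    if got & expected:
        return "consistent"     # sets overlap; equality is not required
    return "inconclusive"       # disjoint sets can also be CDN or geo-based DNS

def report(filtered, reference):
    sinkholes = find_sinkholes(filtered, reference)
    return {d: classify(d, filtered, reference, sinkholes) for d in filtered}

if __name__ == "__main__":
    for name, verdict in report(FILTERED, REFERENCE).items():
        print(f"{name:16} {verdict}")
```
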

~~~
rmc
They can't and _don't_ do it with just a DNS, it'll have to be DNS + HTTP
URL. Otherwise porn hosted on one large shared hosting would block everything.
(e.g. imagine if the Amazon EC2 DNS got blocked).

The current UK ISP filter (the one that already filtered Wikipedia) used DNS
& HTTP. IP addresses that needed filtering were redirected to their HTTP
server by sending back their IP address, and then an HTTP proxy was used to
filter specific URLs. This allowed them to block certain URLs. It was initially
detected because lots of wikipedians noticed a lot of edits (basically lots of
the UK) coming from a small number of IP addresses (the IP addresses of the
proxies).

~~~
cmircea
They CANNOT use HTTP filtering as that would break on HTTPS.

~~~
icebraining
Nope, the domain is always visible on HTTPS, due to SNI. They can just block
it.

~~~
mrweasel
Older Win XP machines don't support SNI, so you could get around it with an
older machine. Of course that's a problem that will go away over time.

~~~
icebraining
To connect to an HTTPS site without SNI, the IP can only host a single domain,
so they can just block the whole (IP:443) combination without affecting any
other site.

~~~
cmircea
What if the IP is dynamic? Say an Azure Cloud Service.

~~~
mpyne
I think the problem is that you'd need a different X.509 certificate for TLS,
for each and every single IP.

~~~
cmircea
The certificate is issued for the domain, not the IP.

------
joeblau
Pretty comical video, one quick tip. If you type a command in the terminal
and you get "Operation not permitted", you can run the last command again,
prepending _sudo_, like this:

      sudo !!

~~~
dclowd9901
You just gave me 2 more years back.

~~~
joeblau
Heh, no problem, here are 2 more _bang_ tricks. !<characters> runs the last
command you ran that starts with the characters you type.

      !gre      # will run the last command starting with gre (so probably grep)


If you type _history_ , then !<number to the left of the history command>, the
shell will execute that command.

      $ history # shows command history
      $ !200    # executes command 200

~~~
gburt
Keep them coming, imagine the man-years you're recovering!

------
calpaterson
The section with William Hague (UK Foreign Secretary) at the end of the video
is priceless.

------
vukmir
... ask not what your country can do for you — ask what you can do for your
country ... JFK would be proud.

~~~
gautamsomani
hehehe. Good one.

------
gojomo
Awesome. Advanced assignment: build a search engine which for each
jurisdiction only contains results blocked-in-Google-by-legal-threats in that
jurisdiction.

------
kordless
No comments? I guess Hacker News gets blocked when you install it. :)

------
pvnick
Step 1: Put your dic (delete)

pns.py

I was cracking up. Brilliant!

------
milesokeefe
He should have made the server run on port 69.

------
Hello71

      sudo ss -lpu 'sport = 53'

------
allinzen
Brilliant! Now only if there was a cat filter that only showed cats and cat
related material.

~~~
nickik
I thought that filter was called a web browser.

------
harrytuttle
Absolutely wonderful. Well done!

------
laurent123456
Slightly NSFW, could someone add the tag to the title?

------
lewq
+1 for using Twisted

