Italy is using its Piracy Shield law to go after Google, with a court ordering the Internet giant to immediately begin poisoning its public DNS servers. This is just the latest phase of a campaign that has also targeted Italian ISPs and other international firms like Cloudflare. The goal is to prevent illegal football streams, but the effort has already caused collateral damage. Regardless, Italy's communication regulator praises the ruling and hopes to continue sticking it to international tech firms.
The Court of Milan issued this ruling in response to a complaint that Google failed to block pirate websites after they were identified by the national communication regulator, known as AGCOM. The court found that the sites in question were involved in the illegal streaming of Serie A football matches, which has been a focus of anti-piracy crusaders in Italy for years. Since Google offers a public DNS service, it is subject to the site-blocking law.
Piracy Shield is often labeled as draconian by opponents because blocking content via DNS is messy. It blocks the entire domain, which has led to confusion when users rely on popular platforms to distribute pirated content. Just last year, Italian ISPs briefly blocked the entire Google Drive domain because someone, somewhere used it to share copyrighted material. This is often called DNS poisoning or spoofing in the context of online attacks, and the outcome is the same if it's being done under legal authority: a DNS record is altered to prevent someone typing a domain name from being routed to the correct IP address.
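What an altered answer looks like on the wire, as an added example that is not part of the original article or of any comment below: the Python here parses constructed DNS responses and reports whether a resolver's answer differs from a reference answer by response code or by address. The domain `stream.example`, the addresses and all function names are made up for illustration.

```python
import struct

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def encode_name(name):
    return b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"

def build_response(name, rcode, addrs=(), ad=False):
    """Construct a sample DNS response for one A query (test data only)."""
    flags = 0x8180 | (0x0020 if ad else 0) | rcode      # QR, RD, RA set; AD optional
    msg = struct.pack("!6H", 0x1234, flags, 1, len(addrs), 0, 0)
    msg += encode_name(name) + struct.pack("!2H", 1, 1)  # question: TYPE A, CLASS IN
    for a in addrs:
        # owner name as a compression pointer to offset 12, then A/IN/TTL 300/len 4
        msg += b"\xc0\x0c" + struct.pack("!2HIH", 1, 1, 300, 4)
        msg += bytes(map(int, a.split(".")))
    return msg

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:
            return off + 2
        off += 1 + n

def parse_response(msg):
    _id, flags, qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4
    addrs = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!2HIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(map(str, msg[off:off + 4])))
        off += rdlen
    rcode = flags & 0xF
    return {"rcode": RCODES.get(rcode, str(rcode)), "ad": bool(flags & 0x20), "addrs": sorted(addrs)}

def classify(reference, observed):
    ref, obs = parse_response(reference), parse_response(observed)
    if obs["rcode"] != ref["rcode"]:
        return "rcode:" + obs["rcode"]   # e.g. name denied or lookup failed
    if obs["addrs"] != ref["addrs"]:
        return "rewritten"               # only a hint: CDNs vary answers by location
    return "consistent"
```
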
(Score: 5, Interesting) by ledow on Monday March 24, @12:48PM (12 children)
Does that even work now with DNSSEC, etc.?
Google faking a response will trigger warnings, but if you want to do it properly you'd have to do it at the national DNS level at least, and if it's a foreign domain... good luck with that.
There's a reason that I've set up DNSCrypt for various things I do and it's nothing to do with wanting to go on naughty websites. It's to do with the simple computer security fact that a website now tells you WHAT its DNS should be, who should be signing it, who can produce a certificate for it, etc. and the only way to reliably interrogate those records is over an encrypted medium because of DNS interception like this.
Sure, I bet you can force local ISPs to override things but many browsers will now just go ape if you do and sites (e.g. Google Drive) will just stop working if the browser detects tampering.
Things are too shared (e.g. CDN), balanced (e.g. CDN, IP Anycast, etc.) and secured (DNSSEC/DNSCRYPT/CAA/etc.) for things like this to work properly any more.
(Score: 5, Informative) by Username on Monday March 24, @01:51PM
I use dnsmasq to permanently route common trash domains to 127.0.0.1. The only problem I had was browsers going around my local DNS, but I fixed that by blocking their DNS IPs.
(Score: 5, Funny) by janrinok on Monday March 24, @01:54PM
Aren't you trying to apply logic and common-sense to a judge's ruling? Just askin'
I am not interested in knowing who people are or where they live. My interest starts and stops at our servers.
(Score: 4, Interesting) by zocalo on Monday March 24, @03:21PM (5 children)
That's the theory, anyway. Just like all the other sites that are not exactly in keeping with copyright legislation, it's going to turn into a game of whack-a-mole, and there are any number of ways (certain CDNs, for a start) that pretty much guarantee the site operators have an easier deal of things than the copyright holders as long as they can maintain enough OpSec to avoid getting busted.
UNIX? They're not even circumcised! Savages!
(Score: 3, Interesting) by gnuman on Monday March 24, @09:04PM (4 children)
No, it does not ..
DNSSEC only allows SERVFAIL response if you want to spoof something -- basically you can only reply that your server doesn't work. You can't spoof anything else. You can't redirect anywhere else. And anyone that runs their own local recursor locally, they just bypass these restrictions. It's probably easier to blackhole the IP addresses of the sites than it is to block DNS responses protected by DNSSEC.
What this ruling demonstrates is that we should not rely on google or cloudflare for recursive DNS resolution. Why are we doing that in the first place?? Laziness!?
(Score: 5, Informative) by zocalo on Monday March 24, @10:03PM (1 child)
At least, that's what they're hoping. Of course, there are plenty of ways around that for both the site operators and users, including running your own resolver as you suggest, and just like the attempts to block torrent and other download sites, such workarounds will get used by anyone with half a clue. But I made that point in my second paragraph too.
UNIX? They're not even circumcised! Savages!
(Score: 2) by PiMuNu on Tuesday March 25, @12:38PM
> Of course, there are plenty of ways around that for both the site operators and users
Presumably the copyright breaching sites can only exist if they get enough income - by making it technically difficult to access these sites, they reduce the income stream and the number of streaming sites decreases potentially to 0...
(Score: 2) by Ox0000 on Tuesday March 25, @05:38PM (1 child)
Doesn't DNSSEC also allow for NXDOMAIN, i.e. "that domain doesn't exist", which is good enough to make sure the egress connection is never set up (because the client doesn't get an IP address to contact, just an NXDOMAIN). Typically apps and browsers then look at that response and go "must have been a typo in the domain name, *shrug* no biggy, on to the next thing to contact"...
(Score: 3, Informative) by gnuman on Tuesday March 25, @10:50PM
This is a signed response requiring the signing key of the domain. Like I wrote, the only valid answer without crypto shenanigans is SERVFAIL.
As for crypto shenanigans, the only thing you can do is replace the signing key at the registrar level (so like the .com or .de level). But doing that, you can't do it just for one region. It's a global change. And a registrar that does this would not be trusted again. It's akin to issuing a google.com certificate to some entity by a CA.
(Score: 2) by mcgrew on Monday March 24, @04:07PM (3 children)
If I were Google I'd just tell Italy to fuck off after moving my equipment and personnel out of Italy, and set up a page for inquiries from Italy's addresses politely telling its users that their government outlawed Google in their country.
See how long the arrogant fools running that country stay in office!
Impeach Donald Saruman and his sidekick Elon Sauron
(Score: 4, Funny) by Username on Monday March 24, @04:55PM
Italy would probably define access to Google a human right, and sue for violating Italians' human rights.
(Score: 2) by Ox0000 on Tuesday March 25, @05:42PM (1 child)
Are you suggesting that google should disrespect the sovereignty of an internationally recognized nation? Italy might do the opposite: cut google off from Italy and put a big warning sign up for anyone going to google.com (or affiliated domains) with a listing of all the ways in which google abuses Italy and Italians...
I'm not saying what Italy is doing is good, I'm not saying what they are requesting is reasonable, I'm just saying that that specific comment of yours is ... unwise, arrogant, and illuminating in a very unflattering way.
I wonder what google's footprint in Italy is. Italy may be better off with google not operating there...
(Score: 2, Insightful) by mcgrew on Wednesday March 26, @08:40PM
> Are you suggesting that google should disrespect the sovereignty of an internationally recognized nation?
Are YOU suggesting that I follow SHARIA LAW? As long as I am not physically in Italy their laws have no effect on me, nor should they. Most nations outlaw owning a firearm without a permit, but the right to bear arms is in our Constitution.
Should I in Illinois follow Texas' abortion laws?
> I'm just saying that that specific comment of yours is ... unwise, arrogant, and illuminating in a very unflattering way.
Italy's are the arrogant actions! I'm not the one making demands of others, they are. And they have absolutely no right to tell a foreign company or person what to do!
> Italy may be better off with google not operating there...
Google ain't what it used to be. I've been waiting for a better replacement for years. Maybe if Google leaves Italy an Italian can develop a search engine that WORKS that puts Google out of business!
Impeach Donald Saruman and his sidekick Elon Sauron
(Score: 5, Interesting) by DadaDoofy on Monday March 24, @02:21PM (7 children)
"a DNS record is altered to prevent someone typing a domain name from being routed to the correct IP address."
Do they really believe someone intent on stealing a football game is too lazy or stupid to type in an IP address?
(Score: 1, Touché) by Anonymous Coward on Monday March 24, @05:42PM (1 child)
(Score: 0, Touché) by Anonymous Coward on Tuesday March 25, @05:44PM
I don't think that statement applies to DadaDoofy :P
(Score: 2) by mrpg on Monday March 24, @08:40PM (3 children)
And something else, if people can't have it for free, will they be willing to pay for it? I think most people want it free or nothing.
(Score: 4, Informative) by Joe Desertrat on Tuesday March 25, @01:22AM (2 children)
As someone who grew up being able to watch MLB, NFL, AFL, NBA, ABA, NHL, NASCAR, USAC and numerous other sports for free* over broadcast TV, I still think that should be the standard (yeah, yeah, get off my lawn). I went along for a while with cable requiring payment to watch, but that got too expensive for the product received. When you start adding up what the various streaming services cost now, I've completely lost interest. I occasionally read the various sports headlines and check results, but if it all disappeared I wouldn't miss it.
*We had to watch commercials, but that was all we knew so we accepted it. As soon as they started adding the commercials to pay TV (supposedly the benefit was no commercials) it lost a lot of its appeal.
(Score: 2, Interesting) by anubi on Tuesday March 25, @11:47AM (1 child)
I consider the lion's share of the cost of any financial transaction over the Internet is the surrender of financial account credentials required. The amount of the purchase pales in the light of the risk I assume by revealing payment information.
I mostly hit the "close" button when presented with an "I agree" button. No sense opening up possible litigation by agreeing to hold anyone harmless for what they do.
"Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
(Score: 1, Informative) by Anonymous Coward on Tuesday March 25, @01:16PM
> the lion's share of the cost of any financial transaction over the Internet is the surrender of financial account credentials required.
My personal work-around -- I have a separate credit (not debit) card with a low credit limit that I reserve just for buying things online. If a seller is cracked and the card info is available for fraud, the most I'm going to be out is an amount that I can afford.
Similar for banking, I have a low balance bank account--that's the one I tie to a PayPal account and give out for various direct deposits and withdrawals.
(Score: 1, Interesting) by Anonymous Coward on Tuesday March 25, @05:47PM
They wouldn't have to just type in the IP address, they'd also have to type in the Host header name... on every ... single ... request...! And that's just for starters.
The days of "one domain per IP" have been over many, many tens of moons ago.