"It's a trap! Reported phishing or malware site" : who?

71 posts Page 4 of 8
by Mike Rogers » Fri Aug 22, 2014 12:36 pm
Joe,

Thanks for the ultraquick response. I have tried UrlVoid and it is clean as of 1 minute ago. Also, Web Of Trust reports things are good. I do not have access to the actual error page as we are on the east coast and not using sonic. I have asked our customers who experience the issue to submit the "Tell Us" form.

What else can we do to get this resolved? We are a legitimate business with a long history and quality service. You can contact me directly at mrogers at our domain name.

Thanks!
by Guest » Tue Aug 26, 2014 10:12 am
Dane,

This issue is NOT about protecting us. The issue is TELLING us that you are blocking some website and not allowing us to easily bypass the block. You're acting like our parent and, honestly, that is NOT what I want in an ISP. The government is trying to do that enough already. Remember, I pay YOU to give me unfettered access to the WHOLE internet, not just what you believe is safe. Let me decide what is safe. I've been in this business almost 25 years so I know my way around.

When we configure our routers, why don't you simply ASK which DNS service we want? Let us decide whether we want the free "protection". How about just telling us about this "feature"! Instead, Sonic acts like we should all be thankful you watch our browsing for us, stopping us from being bad boys and girls. How insulting. It makes me sick.

I chose Sonic because I believed it respected its customers and did not spy on us (as much as the "other guys"). I was a former long term AT&T customer who had enough with the monitoring. Now I see you ARE spying on us "for our safety". Honestly, most people would not want this "free service" because we don't know the process for blocking a site and we don't trust "Big Brother", whether it's AT&T, the NSA or Sonic.

Sadly, I will be looking for a new ISP again, someone who does not track me, monitor me, "protect" me and disrespect me. And I am on the boards of a number of influential internet companies and you can be sure that this little lesson will be widely disseminated. Sonic's formerly great reputation may go down a few pegs.

A very disgruntled customer (soon to be "former")
by Guest » Tue Aug 26, 2014 10:28 am
Guest wrote: Sadly, I will be looking for a new ISP again, someone who does not track me, monitor me, "protect" me and disrespect me.
Good luck with that.
by darrylo » Tue Aug 26, 2014 5:53 pm
Guest wrote: This issue in NOT about protecting us. The issue is TELLING us that you are blocking some website and not allowing us to easily bypass the block.
It's not exactly a secret, although they don't go out of the way to tell you about it. The block is easily bypassed -- you just have to use alternative DNS servers, such as Google's. The only real issue is that DNSSEC and the anti-phishing protections are lumped together; turn off sonic's anti-phishing, and you don't get DNSSEC. Bypassing the blocks is documented:

https://wiki.sonic.net/wiki/DNSSEC#How_ ... feature.3F

(However, I think google's DNS provides DNSSEC, but they probably won't give out nearby CDN servers, just generic ones.)
by jrodman » Sun Sep 21, 2014 10:02 am
This "service" is erratic, harmful, and wrong-headed. Domains you claim are "phishing" one moment are claimed to be fine an hour later, then back to phishing. How can that be possible?

A domain that redirected as phishing from one of my hosts is not phishing from another!

Clearly you're actually doing inspection of the traffic and from there poisoning the DNS responses you provide by client. The configuration, software, or yourselves are not trustworthy.

This whole idea is insane, meanwhile. ssh doesn't go to a webpage. If it suddenly breaks because your RBZ and malware inspection software has gone haywire, then I don't get a prompt to ask me to explain to you that you're breaking my damn ssh sessions.

And the opt-out is a joke. We can choose among: DNSSEC with malware, or poisonable DNS without malware. Neither is a reasonable option!

Meanwhile due to your horrid page, it's entirely unclear what's going on. I thought surely the anti-phishing *had* to be done by the browser, or the operating system, because that would *make any sense at all*, instead of my ISP. Firefox even already has antiphishing features that seem to work correctly a much higher percentage of the time. It took me months to finally realize that it was actually my ISP that was breaking my software. Great going, guys.
by bear » Wed Oct 08, 2014 5:43 pm
Okay, this is just about the angriest Sonic.net has ever made me.

Filtering is

A. done with prior, informed, consent. You never told me you were going to do this and you never asked my permission.

B. clearly identifies in channel who is doing the filtering and what is blocked. The page you put up gave no indication of who was doing the blocking or what reason prompted them to block that particular page.

C. provides an easy way to reach the filtered content. Yeah, there was no "go there anyway" link on that page either.

What you did here was implement a MITM attack by spoofing DNS. This is exactly the attack that DNSSEC was supposed to protect us from. And your "opt-out" servers are crippled; they do not implement DNSSEC. So, is it really the case that we either accept your attack or abandon our protections against everybody else's attacks? Oh, no, wait, there's a third option, isn't there.... but it doesn't involve continuing to do business with Sonic.net.

I've had the "mousetrap page" popping up for months, and been annoyed by it and assumed it was some overeager plugin that had defaulted to "ON", spent an hour here and there trying to figure out which one and turn it OFF, and then given up and gone to the sites anyway using my phone, which is a total pain in the ass because phones have no privacy whatsoever. I mean, hell, my browser runs in a chroot jail on a Linux box with up-to-date software, and has absolutely no access to any passwords or email; I don't expect any malware site out there to give me a problem. Moreover, if somebody does get one of my passwords, she will find that it is used absolutely nowhere else. My phone, on the other hand, I cannot defend. Every time I enter a password on my phone, I assume that it is compromised and change that password the instant I can get back to the site on my desktop box.

But that's beside the point. I have NEVER -- not ONCE -- found a real malware/phishing site at the other end. I have found the same forums I'd been using. I have found the same webcomics I'd been reading. I have found the same financial services and analysis businesses. I have found the same blogs I'd been reading. This so-called service, as far as I have seen, is one hundred percent false alarms, and allows trolls and bad actors to censor anybody they don't like by reporting their site as malware or phishing. As far as I can tell, the only sites that are getting blocked are people who pissed off some butthurt internet troll and businesses who have unscrupulous competitors.

And, come on, be serious. An obvious spoof page appears in your browser, with no identifying information and (because DNS is now obviously spoofed) absolutely no indication of where the web form on it will report it to, and it asks for your email address and gives you a form to tell them why you think you ought to be able to access the site? In the first place no sane security-conscious person will EVER fill out that form unless trying to track down the attacker as I did last night, and in the second place, that looks exactly like a puppy box, doesn't it? Give 'em a place to yap so they get the yapping out of their system and don't go to somebody who might actually catch the attacker.

So, finally, last night, I decided it was time to KILL this thing whatever it was, and one by one I uninstalled every last browser plugin -- which are mostly security things like HTTPS-everywhere and Adblock. And it continued happening. Holy crap, I thought -- it's a genuine MITM attack, it is behaving exactly the way I'd expect censorship-for-hire to behave by blocking sites someone has a financial motive to block, and somebody has subverted the DNSSEC servers at Sonic to do it! At that point, I was thinking, okay, time to pull out all the stops, this is TOTAL WAR. And I dug in, tracing logs and querying DNS in different places to identify differences, until finally, two hours later, I discovered that the spoof page doesn't just LOOK like it's coming from Sonic.net due to the spoofing... No, it's ACTUALLY coming from Sonic.net! From the very same DNSSEC servers, in fact! At that point I was mad enough to chew horseshoes and spit nails.

I have been a Sonic.net customer for twenty years. But this is a complete betrayal of trust. This is not filtering, this is censorship. You guys never asked my permission or got my consent to do this. You never even admitted to me that you were doing it until I ****ing tracked the attack down MYSELF, and called you on it! And now with your crippled "opt-out" offer you're making DNSSEC unavailable to me unless I allow random internet trolls and scammers to censor the sites I'm allowed to read by reporting them as malware sites?

What the hell, dudes? Who are you and what have you done to the honorable people I used to deal with?
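darrylo's post above describes the bypass (point at a different resolver, at the cost of losing DNSSEC on the opt-out servers), and bear's describes "querying DNS in different places to identify differences". The script below is an added example, not code from the thread or from Sonic: it parses dig-style output from several resolvers for the same name, flags a resolver whose answer disagrees with the others (the block-page symptom), and reports which resolvers both validate DNSSEC (the `ad` flag) and return the consensus answer. The resolver names, the name `example.test` and the addresses 192.0.2.53 (standing in for a block page) and 203.0.113.10 are constructed sample data.

```python
import re
from collections import Counter

# Constructed dig(1) output for one name as answered by three resolvers.
# 192.0.2.53 is a placeholder for an ISP block page, 203.0.113.10 for the
# site's real address (both are documentation ranges, not real hosts).
SAMPLES = {
    "isp-filtering": ";; flags: qr rd ra ad; QUERY: 1, ANSWER: 1\n\n"
                     ";; ANSWER SECTION:\nexample.test.\t60\tIN\tA\t192.0.2.53\n",
    "isp-optout":    ";; flags: qr rd ra; QUERY: 1, ANSWER: 1\n\n"
                     ";; ANSWER SECTION:\nexample.test.\t60\tIN\tA\t203.0.113.10\n",
    "public-dnssec": ";; flags: qr rd ra ad; QUERY: 1, ANSWER: 1\n\n"
                     ";; ANSWER SECTION:\nexample.test.\t60\tIN\tA\t203.0.113.10\n",
}

FLAGS_RE = re.compile(r"^;; flags: ([a-z ]*);", re.M)
A_RE = re.compile(r"^\S+\s+\d+\s+IN\s+A\s+(\d{1,3}(?:\.\d{1,3}){3})\s*$", re.M)


def parse_dig(text):
    """Extract the header flags and the A records from dig's text output."""
    m = FLAGS_RE.search(text)
    flags = set(m.group(1).split()) if m else set()
    # 'ad' means the resolver asserted DNSSEC validation of this answer.
    return {"addrs": frozenset(A_RE.findall(text)), "validated": "ad" in flags}


def compare_resolvers(outputs):
    """Mark a resolver as diverting when its answer shares no address with
    the consensus (addresses that at least two resolvers report)."""
    parsed = {name: parse_dig(text) for name, text in outputs.items()}
    votes = Counter(a for p in parsed.values() for a in p["addrs"])
    consensus = {a for a, n in votes.items() if n > 1}
    for p in parsed.values():
        p["diverted"] = bool(consensus) and p["addrs"].isdisjoint(consensus)
    return parsed


def usable_resolvers(parsed):
    """Resolvers that both validate DNSSEC and return the consensus answer."""
    return sorted(n for n, p in parsed.items() if p["validated"] and not p["diverted"])


if __name__ == "__main__":
    report = compare_resolvers(SAMPLES)
    for name, p in report.items():
        print(f"{name:14} {sorted(p['addrs'])} dnssec={p['validated']} diverted={p['diverted']}")
    print("usable:", usable_resolvers(report))
```

To run it against live data, replace the values in `SAMPLES` with the output of `dig @<resolver> <name> A` for each resolver you want to compare.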
by bear » Wed Oct 08, 2014 7:24 pm
For the record....

http://www.youtube.com/watch?v=-uX_bB_4VJk

The largest public sale of Bitcoin in history happened at exactly the same time all the Bitcoin financial analysis and financial services sites were blocked by your phishing trap.

Are you seriously claiming that the reports that got *ALL* of those sites blocked to Sonic customers at once, keeping buyers who could not access information out of the market and so keeping the competition for this sale down, weren't bought and paid for?

I'm not saying *you* sold it, understand ... but putting the blocks on a bunch of sites because of a coordinated Sybil attack by a Botnet master that made some black-hat a few tens of thousands of dollars? Uh, yeah, that would be no more than one could expect if you're responding to lists that allow anybody to report a malware/phishing site.

Bear

deeply disappointed in what used to be a security-conscious ISP.
by desertflyer » Wed Oct 08, 2014 10:19 pm
If you guys are having so many problems, why not switch your DNS servers? I use OpenDNS and it works great. No ads anymore either.
by bear » Thu Oct 09, 2014 11:05 am
Still no response?

A nine million dollar buy wall appears in a thinly traded, volatile, and somewhat illiquid market, at a price well below the recent equilibrium. The asset will be sold literally as fast as thousands of small investors get the news and get their cash to market. Because it happens on a weekend, and because AML/KYC laws are being constantly reinterpreted regarding bitcoin so financial services are uncertain what to do, getting money to the market is extra-challenging.

Within two hours, your "anti-phishing" page is being used to execute a Denial of Service against 50 to 75% of the bitcoin financial services sites.

This is not a coincidence.

You got pwned by someone who wanted to keep others out of the market until they could get their money into it, and your customers suffered losses.

It's even worse than that, though: because you were not acting as a common carrier with respect to DNSSEC, you are not entitled to common carrier protections from prosecution. You are probably legally liable for these damages.

You ceased to be a common carrier with respect to DNSSEC the minute you got into the business of making decisions about which traffic you would allow your DNSSEC to carry -- based on content. Remember that the common carrier exceptions are there specifically to protect against censorship. Because YOU, and not your customers, made the final decision about what your DNSSEC would carry, and you made it based on content, you are engaging in censorship and therefore not entitled to common carrier protection.

And this is the reasoning behind the three standards I already mentioned for what meets the legal requirements of a filtering service.

You could argue that it was your customers' decision if you had evidence of our prior informed consent - but you don't.

You could argue that the final decision was left in your customers' hands if you had provided a 'click through to the content anyway' link - but you didn't.

You could argue that your customers had the power to opt out, if the page you diverted them to had told them that their DNSSEC was being diverted by the ISP and what the opt-out servers were - but it didn't. You aren't even providing any opt-out DNSSEC servers. The opt-out servers you say you're providing do not have that service.

So this is not a filter that you can add to the service and retain your common carrier status. This is censorship and that makes you liable for crimes that get committed using your service.

All this is the opinion of a lay person based on a cursory examination of the statutes involved. I'm not an attorney, and I don't intend to prosecute or sue. If I had any losses, they'd be too small for court anyway.

But seriously, you do need to talk to an attorney about your legal exposure with this. You made a mistake.

And you need to talk to me about reestablishing trust.
by Guest » Fri Oct 10, 2014 11:49 am
Unfortunately for Sonic I AM a lawyer, and what they have allowed to happen is 100% actionable. Somebody at Sonic appointed themselves a security expert and now Sonic will be paying dearly for their admitted and intentional violations of law.

Not only did Sonic cause financial damage to its users with this sophomoric decision, they will also be liable for damages incurred by the legitimate sites that they erroneously blocked.

This is a corporate security and ethics failure of a major scale.

If I were to give any free advice it would be to immediately cease the "We are protecting you" dogma and commence a major mea culpa campaign.