Why is the US Green Party's site blocked? (github.com/blocklistproject)
89 points by oriesdan on Aug 9, 2021 | 48 comments


My trivia league was blocked by Heathrow's airport wifi because of "games/sports". I contacted Boingo, who told me they don't block websites (? okay, so then your client operates a rogue blocklist that uses Boingo headers for the error page -- that's even worse). I also tried contacting some sort of pseudo-government safe browsing list to see if it was their blocklist being used by Heathrow and got no response.

The annoying thing is not the false positives: these things happen, and mostly it's not all that urgent to resolve immediately. The annoying thing is a total lack of an obvious appeals process to resolve a false positive. At least the OP's example is on GitHub and thus an issue can easily be filed.


My static home IP was blocked by my new energy supplier.

It took almost 4 months to get through to someone who would accept my problem wasn't forgetting my password.

In the end, I was pointed to their third-party provider and told "sort it out yourself, not our problem". Thankfully that other company had a reasonable-ish appeals process...

...obviously I got relisted in their db a few times but things seem to have calmed down now.

https://pricey.uk/blog/connection-reset/


Ah, "Reputation" and "Threat Intelligence". One of the things I didn't expect but should have after BeyondCorp and Zero Trust is that some people would decide they need to go the exact opposite direction.

Instead of designing our systems as though they all face the hostile public Internet like Google, why not instead police all of the public Internet as though it's our internal network? That way we don't need to adopt any actual security practices. What could go wrong?

As you saw, basically everything, all the time.

I actually moved energy supplier a few months ago. I had a good quote from a new supplier, and when I tried to sign in to see how close the quote from my old supplier was, their site wouldn't load in my browser; tried again a day later, no joy. OK cool, bye then.


One of my coworkers ended up blocked because Amazon maintains a block list of bot-like users and our WAF was subscribed to it. This coworker was using scrapers to find GTX 3080s.

Surprisingly, Amazon does not block customers they put on this list.


A place I worked blocked Hacker News because of "hacking". Never had the nerve to try to get it unblocked.


A place I worked blocked Github for "hacking tools." Each new software developer hire had to request access and get it approved by their manager, a process that took a few hours.


A place I worked blocked their own website, we never found out why


The company I work for blocks Google Translate. IT claims it's the default that comes with the filtering software it uses.

Fortunately, since I build multi-lingual web sites, I was able to get an exemption from the security department.

(No, I don't use Google Translate to translate web sites. The company has three internal and two external professional translators for that. But sometimes when I'm copying-and-pasting between versions, I like a little reassurance that what I'm pasting is what I think it is.)


Google Translate was a popular way to bypass filters when I was in high school since it could be used as a proxy and nobody blocks google.com


Hah! I have used Google Translate to do some naïve translations. Was creating portlet code that supported i18n, and took a crack at a few of the labels. Much to the amusement of the folks I demoed to, I used the French word for a person's back, not back in the context of navigation.


The funny thing is that they often are blocking the well-known sites but don't block less known and potentially shady sites. I always notice this when I try to download software I need. Popular sites are blocked but very questionable sites are open.


Does the UK honor "net neutrality"? If yes, that could be a way to hold them (ISP, whoever it be) accountable.


Ofcom (the UK's comms regulator) has just announced a review of net neutrality [1]. Which will have some big companies aiming to give themselves more "flexibility".

Currently however, providers are bound by EU mandates to treat every packet the same (roughly speaking).

I hope it stays that way.

[1] - https://www.techradar.com/uk/news/ofcom-to-review-uks-net-ne...


Yeah, the airport provides the Internet uplink and contractually it can be as locked-down and broken as they like. Boingo just manages the WiFi infrastructure and payment/login. Usually they're extremely lazy and just use a DNS service with business-style blocking rules and unblock popular stuff one at a time when people notice and complain.


I've worked with several kinds of public blocking lists and one thing I learned is that they are all full of false positives. For whatever reason, I would not be surprised if just nobody ever noticed the mistake.


Yeah, that's a given because they're not constructed manually, i.e. no manual verification.

Give them some time to react. My wife complained to me she could not visit a website (I run Pi-Hole on our network, and our mobile devices get routed to it even on external networks). I looked through the logs, figured the offending rule, contacted the maintainer, and they fixed it within a few hours.

The issue has been up for one hour thus far.


Yeah, same here, I run OPNsense and make use of Unbound's blacklist feature to similar (and surprisingly potent!) effect, along with Suricata and Sensei. I have had to manually whitelist some stuff though.

False positives, things that are good defaults but advanced users should be able to bypass, or just plain unfortunately necessary workarounds are certainly all issues though. I think user-available fallbacks can be useful sometimes for that reason. Like at a site using 802.1x auth, set it up so users can append "-noblock" to their login and then it'll change them into a different VLAN which can just point at a different DNS (or alternately Unbound supports views for split-brain DNS).
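The two comments above describe the same workflow from both ends: digging through resolver logs to find which list entry actually blocked a site, and running an Unbound blocklist with manual whitelisting. The script below is an added example, not code from any commenter, Pi-hole, Unbound or blocklistproject. It parses a hosts-format list (the "0.0.0.0 domain" format blocklistproject publishes), walks a domain up through its parents to find the responsible entry, and renders Unbound local-zone lines with an allowlist override. The sample list is constructed, not a real excerpt.

```python
"""Trace a DNS-blocklist false positive to the entry that causes it, then
render an Unbound block configuration with an allowlist override.

Added example, not code from any commenter, Pi-hole, Unbound or
blocklistproject.  The list below is a constructed sample in the hosts
format blocklistproject publishes ("0.0.0.0 domain"), not a real excerpt.
"""

from typing import Iterable, List, Optional, Set

SAMPLE_BLOCKLIST = """\
# Title: constructed sample list
0.0.0.0 ads.example.net
0.0.0.0 tracker.example.org  # inline comment
0.0.0.0 gp.org
127.0.0.1 localhost
::1 localhost
"""

# Names that appear in hosts files as loopback aliases, not as block entries.
SINK_NAMES = {"localhost", "localhost.localdomain", "local", "broadcasthost",
              "ip6-localhost", "ip6-loopback"}


def parse_hosts_blocklist(text: str) -> Set[str]:
    """Return the set of domains a hosts-format blocklist sinks."""
    blocked: Set[str] = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop full-line and inline comments
        parts = line.split()
        if len(parts) < 2 or parts[0] not in ("0.0.0.0", "127.0.0.1", "::", "::1"):
            continue
        for name in parts[1:]:
            name = name.lower().rstrip(".")
            if name not in SINK_NAMES:
                blocked.add(name)
    return blocked


def parent_domains(name: str) -> List[str]:
    """'www.gp.org' -> ['www.gp.org', 'gp.org'] (the bare TLD is never a block)."""
    labels = name.lower().rstrip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels) - 1)]


def find_blocking_entry(name: str, blocked: Set[str]) -> Optional[str]:
    """Which list entry blocks `name`?

    Unbound local-zone rules cover the zone and everything below it, so an
    entry for gp.org also blocks www.gp.org; the walk up the parents models
    that.  Pi-hole matches hosts-format entries exactly, so for it only the
    first candidate (the name itself) matters.
    """
    for candidate in parent_domains(name):
        if candidate in blocked:
            return candidate
    return None


def unbound_config(blocked: Set[str], allow: Iterable[str] = ()) -> str:
    """Render 'server:' local-zone lines that NXDOMAIN every blocked zone.

    An allowlisted name is simply omitted when it is itself an entry; when it
    lives under a blocked zone it gets a more specific 'transparent' zone,
    which Unbound prefers because it picks the longest matching local-zone.
    """
    allow_set = {a.lower().rstrip(".") for a in allow}
    effective = blocked - allow_set
    lines = ["server:"]
    for name in sorted(effective):
        lines.append(f'    local-zone: "{name}" always_nxdomain')
    for name in sorted(allow_set):
        if find_blocking_entry(name, effective) is not None:
            lines.append(f'    local-zone: "{name}" transparent')
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    entries = parse_hosts_blocklist(SAMPLE_BLOCKLIST)
    print("www.gp.org blocked by:", find_blocking_entry("www.gp.org", entries))
    print(unbound_config(entries, allow=["ok.gp.org"]))
```

For a real list, read the downloaded file into `parse_hosts_blocklist` instead of the sample. The allowlist is applied at render time rather than by editing the upstream list, so the next list refresh does not silently re-block the site; that is the point of keeping a local override separate from the subscribed list.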


I don't want to educate my wife about how to circumvent the blockade with an all-or-nothing decision. I mean, it's possible, and I taught her to update Google Play over 4G because else it does not work (on Nvidia Shield and Google Pixel 3a it does not; on all my other devices it works, not sure why). The reason I don't want to teach her that is that the measure helps her (and our) privacy and security. By temporarily giving that up, we open up the whole attack surface for that time, which is kinda OK if you remember to switch back immediately but people tend to forget... The correct way to solve the problem is by fixing the blacklist and/or whitelist, (temporary) collateral damage be damned.

I use Pi-Hole on EdgeOS with a second server with Docker as backup. I also have NextDNS as fallback. I'll probably switch to OPNsense at some point though.


Or someone quietly slipped it onto a block list knowing that it'd take a while to get noticed.


If you're talking about the Green Party site, there is an explanation at the bottom of the GitHub issue. It appears they were either compromised at some point in the past and used as a relay for spam ads, or somebody with legitimate authority to edit the site abused their privileges and ran a spam ad operation on the side.

In either case, blocklistproject interprets spam ad vendors as damage and routes around them.


When I clicked the link (and when the link was posted), only the original comment was present: https://github.com/blocklistproject/Lists/issues/453#issue-9...


They probably got hacked ages ago and it was added at that point. I wouldn't be assuming malice here.


It's also on VirusTotal


I can no longer visit End-To-End encrypted sites anymore at work. It sucks because I use ProtonMail and end up having to use my phone to forward things from there or to my Google email, which I wanted to stop using entirely.


I am confused? Does your employer just block any https site?


Probably doing MITM SSL inspection. Basically, a corporate security appliance with trusted certs on the endpoint sits in the middle of everything to inspect for malware/viruses/blocked content.

A relatively common corporate practice, honestly. It's a shame more people aren't aware of it.


I had a problem once when I was testing setting up a central VPN for all my devices to go through, but I forgot to exclude the work laptop. So I got a call from security that they got an alert of somebody trying to connect using my credentials from an overseas location.

I explained to the guy on the other end of the line the reason why that happened and he told me not to worry about it, but warned me that they were going to monitor my traffic by protocol for a few hours, so I should avoid looking at porn in the meantime. I replied that I wouldn't look at porn on the work laptop, and he told me that the warning was also routine and that I wouldn't believe what people watch during working hours.


>Probably doing MITM SSL inspection.

Probably not, judging by the gp's use of the term "end to end encrypted". Nearly every site uses HTTPS, so if they were really doing MITM, either everything would be broken (because the root certs aren't installed), or everything works. My guess is that his employer's network has some sort of network filter installed, and "end to end encrypted" is a classification category for sites that is blocked for whatever reason.


HTTPS is not an obstacle to this.

As I mentioned before, the methodology requires publishing a trusted cert to endpoints. This is done with GPOs or whatever RMM tool is used to manage workstations + MDM to push to mobile.

You will find this implemented in nearly any high-security network environment (finance, government, etc.), primary schools, and a lot of miscellaneous businesses.
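A client-side check for the inspection setup described in this comment and the one above it, as an added example that is not part of the thread and not code from any vendor. Because the corporate root is pushed to the endpoint, the TLS handshake succeeds and the browser shows a padlock; what changes is the issuer of the leaf certificate. The script compares that issuer against a baseline you recorded yourself from a network you control (home, mobile). The certificate dicts are constructed samples in the shape `ssl.SSLSocket.getpeercert()` returns, and the "Contoso" issuer is an assumed placeholder.

```python
"""Check, from the client side, whether an HTTPS connection is being
re-signed by an inspection proxy.

Added example, not code from any commenter or vendor.  The certificate dicts
are constructed samples in the shape ssl.SSLSocket.getpeercert() returns;
the expected issuer is a baseline you record yourself from a network you
control, since nothing in a certificate says "corporate" by itself.
"""

import hashlib
import socket
import ssl
from typing import Dict, Optional, Tuple

# Constructed: what getpeercert() might return when talking to the real site.
SAMPLE_DIRECT = {
    "subject": ((("commonName", "mail.example.com"),),),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Example Public CA"),),
               (("commonName", "Example Public CA R3"),)),
    "notAfter": "Jan  1 00:00:00 2031 GMT",
}

# Constructed: the same site seen through an inspection appliance whose
# root was pushed to the endpoint by GPO/MDM, so validation still succeeds.
SAMPLE_PROXIED = {
    "subject": ((("commonName", "mail.example.com"),),),
    "issuer": ((("organizationName", "Contoso Corp"),),
               (("commonName", "Contoso TLS Inspection CA"),)),
    "notAfter": "Jan  1 00:00:00 2023 GMT",
}


def _rdn_value(rdn_seq, key: str) -> Optional[str]:
    """Pull one attribute out of getpeercert()'s tuple-of-tuples name form."""
    for rdn in rdn_seq:
        for attr, value in rdn:
            if attr == key:
                return value
    return None


def issuer_summary(cert: Dict) -> Tuple[Optional[str], Optional[str]]:
    """(organizationName, commonName) of the certificate's issuer."""
    issuer = cert.get("issuer", ())
    return _rdn_value(issuer, "organizationName"), _rdn_value(issuer, "commonName")


def is_intercepted(cert: Dict, expected_issuer_org: str) -> bool:
    """True when the leaf was signed by someone other than the CA you saw
    from an uncontrolled network: the proxy mints its own leaf per site."""
    org, _ = issuer_summary(cert)
    return org != expected_issuer_org


def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER leaf; pin this instead of the issuer if you prefer."""
    return hashlib.sha256(der).hexdigest()


def probe(host: str, port: int = 443, timeout: float = 5.0):
    """Live check (needs network).  create_default_context() uses the OS
    trust store, so a GPO-pushed corporate root validates cleanly; that is
    exactly why the issuer, not the handshake outcome, is what to inspect."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()             # {} only if verification was off
            der = tls.getpeercert(binary_form=True)
    return issuer_summary(cert), fingerprint(der)


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    print(host, probe(host))
```

Run `probe()` for the same host from the office and from a phone hotspot and compare the two issuer summaries; a per-site leaf signed by an internal CA on one path and a public CA on the other is the signature of a TLS-inspecting appliance. The fingerprint comparison is the stricter form of the same test, useful when the public CA rotates issuing intermediates.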


Depending on your place of work, it's a very good thing they block personal email.


They are a phishing site

https://webcache.googleusercontent.com/search?q=cache:HWH6z4...

Perhaps they have fixed it in the past 3 weeks, maybe they haven't.

From yesterday, so not fixed -

https://webcache.googleusercontent.com/search?q=cache:rMUgla...

Also love the way it's signed; the person's online profile is "I'm Black Hat SEO Expert". If anyone wants to write any Green policy I guess contact them?


This is just streaming spam and any site that accepts user-generated content is susceptible to it.

Having been on their side it can sometimes be very difficult to mitigate without manual approval. This is not automated - it's done by humans and they adjust their patterns against any automatic mitigation attempts.


> This is just streaming spam and any site that accepts user-generated content is susceptible to it.

Not if the site polices user-generated content.


> This is just streaming spam

It's fraud not spam, you never got to watch the fight after paying - https://ici.radio-canada.ca/recit-numerique/2140/adcenter-hy...

And 6 weeks ago it might have been ISIS spam or a link to an exe or phishing.

> and any site that accepts user-generated content is susceptible to it

This site doesn't have user-generated content/events/calendar, it's employee generated.


> This site doesn't have user-generated content/events/calendar, it's employee generated.

That's incorrect. There's a call to action to register to submit an event here:

https://www.gp.org/earth_day_to_may_day_events_calendar

That's how the spam got in.

Edit: here, I made one for you: https://www.gp.org/janon/aaron695_hello

Edit2: it's deleted, looks like someone is finally doing cleanup


Apologies. You are correct. Good find.

They did the same with a 'job ad' on the hosts web site -

https://webcache.googleusercontent.com/search?q=cache:2Uw0_n...


Hmm, that doesn't look like content the GP would put up intentionally.


No, it looks like they have glaring security issues with their website and the site regularly gets used for phishing, spam, etc.

So maybe that only has been an issue for 3 weeks (which is bad enough), but all things considered, it’s possible it’s been like this for years.


It looks like they allow user generated posts on a calendar, and every site that allows user generated content regularly gets used for phishing, spam, etc.


I read an interesting article on the Big Lie over the weekend and it mentioned an example from 2016 where private non-profit conservative groups were involved in promoting Green and Independent candidates with the intention of diluting vote for Dem candidates.

Probably not related, but worth mentioning the coincidence just because it was such a good article https://www.newyorker.com/magazine/2021/08/09/the-big-money-...


This should be the top answer -- it is a phishing/spam site, whether due to being hacked or poor moderation policies.

No outrage to see here, please move along


By that logic, any site that allows third-party content to be displayed is a phishing/spam site and should be blocked, including Twitter, Facebook, HN and of course Gmail.




I have found during Canadian election seasons that green party signs and posters are the only ones consistently vandalized. The people who think the Green party is stealing 'their' votes are unbelievably entitled. If only they knew how much that does to make them not my second choice either.


I am from Brazil, and once there was a Green Party candidate with a real shot at the presidential election. She ended in third, because the candidate that ended up in second ran a heavy campaign asking people to vote for him and not "waste" votes on the Green Party that was "never going to win anyway".

They missed their chance though, because after that election the candidate in question tried to appeal to everyone by being so ambiguous that it instead made everyone not trust her anymore (for example espousing communist policies and at the same time choosing the richest banker in the country as vice-president).


> she ended in third, because the candidate that ended being in second made a heavy campaign asking people to vote for him and not "waste" votes on the Green Party that was "never going to win anyway".

This always happens in single-vote systems. Any options who draw from the same subset of voters will divide the vote and weaken their own, and one another's, chances of success. It's one reason many countries have a few large parties, with internal "subparties", rather than lots of separate parties that differ only slightly.

Ranked choice voting solves this problem beautifully. It's a real shame it's not widely used for elections.


In our case elections work by having two "rounds", in the first one the top 2 candidates go to the second round, and then people vote for one or the other.

This means that the "vote division" thing is not really an issue... If you end in second place, you still get a shot to get all the votes of whoever doesn't want to vote for the first place.

Thus basically any candidate in second place trying to campaign saying the vote will be "divided" is basically bullshitting the voter base in an attempt to secure his second place.

The first place DO want to concentrate votes though, if you end with more than 50% of the votes (and Brazil has mandatory voting, so basically 50% of voters) then you win outright, so sometimes parties DO attempt to do this by pooling all their votes toward one candidate (for example several xxx-wing parties choosing only one candidate among them all and campaigning all of them for that same guy).


Don't forget scaring away most of her leftist supporters by getting too cozy with megachurches; At least it sounds like you're talking about Marina Silva lol


Given the last 10 years of political "discourse" and third party election interference calling it "paranoia" seems like a very naive view of the world.



