Sounds like they used the technology behind Zaphod Beeblebrox's favourite sunglasses
At the first hint of trouble they turn totally black to prevent you from seeing anything that might alarm you.
Virgin Media customers were hit by an annoying network cockup on Saturday, after the cable company's smut-filtering Web Safe system stupidly blocked lots of websites. Subscribers complained about the snafu on Twitter, where many people claimed that they could barely access anything over Virgin Media's network. Reg reader Red …
The difference is, Openreach don't even see inside your packets - just like in the dialup era, there's just a data flow between you and your ISP's access routers. Openreach don't even have the *ability* to filter your traffic on that level, let alone a system that could do that accidentally!
It's a shame. If they put their minds to it, Virgin could offer a decent service - instead, they waste money importing a censorship system from China (paid for by all their customers, opted out or not), spam customers to arm-twist them into using it to placate Nanny Perry - then force it on everyone by mistake anyway.
(I'd been a customer of theirs - and before the merger, Telewest too; there was a time when they actually had an edge. Now, they just claim silly peak throughput their choked-up backbone can never deliver, even when it isn't falling over entirely.)
Downvote explanation:
"waste money importing a censorship system"
Cameron basically said to the big four ISPs (BT, Sky, TalkTalk and Virgin) that if they don't implement censorship, the gov will legislate for it. While pointing at a consultation survey to say there was a demand.
Example question (paraphrased from consultation survey):
"Should everyone have their internet connection censored, or just people who live with children?"
This legislation was rejected by the Lib Dems. Labour has said they would introduce a mandotry BBFC style system. Don't blame VM for scummy censorship when it's our political masters who made the decision (or implied menacingly that they would).
"Openreach don't even see inside your packets"
As you know, Openreach is not a consumer ISP. It's the companies that buy services from Openreach that are introducing the filters. Such as (i dunno hmmmm let me think) BT, Sky and Talk Talk.
From Wiki article:"Default filtering of existing customers will be implemented by all four major ISPs during 2014 with the aim of ensuring that the system applies to 95% of all households by the end of the year"
"spam customers to arm-twist them into using it"
I have recieved precisely 2 emails on the subject. One with the announcment, and one with the big ON/OFF buttons. Hardly arm twisting.
"force it on everyone by mistake anyway"
It is not by mistake. It is part of the threatened law. Again, that is not VMs fault. (looks meaningfully at Tory voters). If you've not turned it off from the email, it can be turned off via the ISP dashboard (under my apps->web safe).
1. I would never use the DNS system of a provider which considers it as an outsource-able expense instead of a core service which is essential to doing business. NTL (it was still called this way), outsourced DNS maintenance as far back as 2003? or 4. Forgot the exact date, if I dig through my mail archive from those days, I may find it.
2. I would never use smut filter driven by an SP which does not have a clue how to implement _ANY_ services - all services provided by Virgin are either resold or outsourced.
So looking at the named.conf.options on my house server there is a key statement there:
forwarders {
212.113.0.3;
212.113.0.4;
8.8.8.8;
};
The first two are Level3, the third is Google. People who actually have some modicum of clue how to run a service (not something you will find @ Dumb (NTL) or Dumber (BT Retail).
So rather unsurprisingly, everything here works :)
Rules to follow:
1. Where possible use your own kit with the ISPs hardware in modem mode. Their stuff is often poorly configured tat or just plain shite but you often need to use it for support reasons. Avoids changing any settings when you give them the flick and bring on the next incompetent.
2. Always use your own choice of DNS servers and never the ISPs. I have never found ISP DNS to be in any way reliable and that is from providers across two continents.
Whether you want it or not, there is not going to be any fappenings in VM residences from now on... You guys have no idea how lucky you are, it was horrible and I mean downright nasty...
Give VM some Facebook likes or Twitter tweeties for having them save you from the montrosity.
Quote from one of the greatest cinema monologues of all time ( well nearly, my excuses Mr Brando).
"I’ve seen horror, horror that you’ve seen. But you have no right to call me a fappener. You have a right to fap me. You have a right to do that, but you have no right to judge me. It’s impossible for words to describe what is necessary to those who do not know what horror means."
"...is what at least one subscriber probably said."
And the answer would have been "They're all still working for us here at Virgin Media."
What I found most annoying about their smut filter was that every damned time I logged in to see my bill I was prompted to check my settings for it - given that only a few select cookies are allowed to remain on my computer from one session to the next, I assume that was how they were (very stupidly) determining whether or not the customer had decided whether or not to use the filter. However, I noticed that I wasn't prompted last week - so they've finally seen the error of their ways on that one, and stored that in the account (or just stopped prompting people).
As a matter of interest, though, if all innocent traffic was being blocked by the filter - was 'guilty' traffic being let through?
As I mentioned up thread. These filters were put in place to pre-empt legislation that the tories were going to bring in (that the Lib Dems objected to). Labour has said they would bring in similar laws via a BBFC style system.
So the this thing that should be illegal, will also be manditory pretty darn soon.
If the ISP is transparently proxying/redirecting DNS which can be done - it has no protection against that. I was MiM-ing DNS regularly as a corporate admin, it is trivial. By the way, there are ISP home routers that _ARE_ configured to do that out there too.
However, this is not the case
1. Virigin's level of understanding of DNS operation is less than that. Ditto for any other SP service (the same situation is in all large residential SPs, they are not alone in that).
2. They are not doing that - they are providing DNS as a service and dishing out a config where you by default use that service. The implementation of that service is distinctly dodgy because it is considered a cost center, not an essential part of the service provision. They also forgot to change that idea when they incorporated DNS into the censorship system which the UK government is shoveling down our throats thought its SP helpers. That is again - not surprising as you need to understand service operation for that.
So you can attribute malice here on the day when there will be a warm body in Virgin which can set-up (not shop-up) a set of anycast DNS servers and integrate them correctly for HA into their routing (this in my book is the "entry" clue level for a proper Service Provider DNS installation). It is more likely to see Lucipher snow-ploughing the street though.
"If the ISP is transparently proxying/redirecting DNS which can be done - it has no protection against that. I was MiM-ing DNS regularly as a corporate admin, it is trivial. By the way, there are ISP home routers that _ARE_ configured to do that out there too."
OpenDNS & DNSCrypt. They run DNS on non-standard ports, including 443 (SSL). And DNSCrypt is encrypted DNS, which doesn't look like DNS.
Doesn't help you when the ISP has IP level filters in place, so whilst you might be able to resolve correctly, your access to the URI/name may well be impeded anyway.
Or just run a VPN....
It means the major ISPs have agreed(*) to provide an option to filter "unsuitable" content (because - see icon). Some weeks I ago I had checked my own account settings I was very surprised to see that the default setting there was opt-out.
As one would expect the definition of "unsuitable" is suitably vague (at least whatever definitions I've seen have left me with more questions than answers).
I must admit that Virgin is my ISP. In my defence may I point out that my router's DNS settings point elsewhere and I appear to have been completely missed by this outage, reading about it on El Reg is the first I've known about it.
(*) for "agreed" read - "bullied by the, pure as driven snow, tabloid press".
What I never understood, is if they can block "unsafe" and "unsuitable" sites, why don't they have an option to block adverts. Or even better, some port blocking options. Less than 0.05% of users need access to inbound FTP, HTTP, RDP etc. They could massively reduce traffic and improve security by letting you choose which ports to open at an ISP level... basically an ISP level firewall. 95+% of people don't need ANY inbound ports open.
Blocking inbound FTP/HTTP/RDP isn't going to reduce any sort of level of traffic, beyond a few attempts at the first step of the three way handshake. That doesn't even register. Most people's routers will do exactly the same thing anyways.
Not entirely sure what your argument is here.
Looks like the "great wall of Hampshire" (or wherever they do this) problem is persisting today with non-adult sites still reporting problems -
The following error was encountered:
Unable to forward this request at this time.
This request could not be forwarded to the origin server or to any parent caches. The most likely cause for this error is that:
The cache administrator does not allow this cache to make direct connections to origin servers, and
All configured parent caches are currently unreachable.
Your cache administrator is yahoo-dev-null@yahoo-inc.com.
"By using a different DNS service, I was able to work around the problem."
Surely you're not suggesting that their filters can be completely bypassed by the thing that any 6 year old can do - use different resolvers.
Sounds wildly pointless and you shouldn't let virgin babysit your kids for you.
By default you can't change the DNS servers that the Virgin 'Super' hub uses, you need to put it into modem mode and run your own router to change DNS
Why would you ever need to do that? Change it on the device. The fact that somebody changed DNS to get round the problem proves it isn't an issue when there is no problem. Ergo their babysitting service is worthless (at best).
So, all you folks enjoying a little schadenfreuder at the expense of a few inconvienienced VM users; a question: What sort of speeds do your providers peak at? 2mb? 10mb? a whopping 50mb maybe?
My VM runs solidly at 152mb. I like that.
Find me an ISP with a comparable speed that *never* has such issues and I will swap to them today.
Otherwise, TTFN haters.
My UK ISP provides me an unfiltered web feed - so no IWF filtering, no court ordered censorship - and thus will never have any issues with failed implementations of censorship.
The speed is 1000 Mbit, both up and down - let me know when your virgin gets up to those speeds.
Well I have a range of 100mb circuits from Colt, Level3, TDK and Orange scattered around Europe, and all of them at some stage have passed on polite little notes from the relevant local RIAA affiliate to complain about guests downloading movies*. So it really doesn't matter what tier your ISP is, the Powers That Be will get to them in time.
*To be fair, they don't do anything else, just pass them on. We have a quiet chuckle, and pass them on in turn to the short term storage device aka Recycle Bin.
Coo!
Who's your provider? Is that a corporate lease-line or into your home? Do you pay £35 a month for it? If it's, as I suspect, the bandwidth used by your business, I certainly have you beat in my workplace. If its into your home and a reasonable price then I'm allllll ears.
Just tried a few of those "blocked" sites....yeah, didn't take long to reach those either, not that I ever use torrents. Those are for n00bs.
VM user here. Didn't see any disconnection issues over the weekend. I don't have the filter, so that may be a reason.
Oh and by the way, VM is opt in not opt out. So they are not exactly "forcing in it everyone".
My broadband speed over the weekend was 87 down and 6 up (if test your broadband is in anyway accurate). Don't ask me why I was testing, but I do test regularly ;)