But wait, content providers *do that.* *Microsoft too...for illegal copies of Outlook, even...*
How do we know they do that? Because your ISP can be held liable if they are contacted by a content provider and do not follow graduated response guidelines either issued by the nation the ISP resides in or governed by industry agreements and *do not* shut off your service if you are found to be pirating content. But all of this is moot against the point you mentioned: Netflix authored a broken process. There are at least 3 much more accurate ways to establish regional provenance for any packet - and of course all of them can be hacked - but those same content providers have established in their audit requirements that they're perfectly willing to accept the risks involved. On Fri, Jun 3, 2016 at 6:18 PM Cryptographrix <[email protected]> wrote: > " > there is no reliable geo-location method for Netflix to use" > > Any microprocessor that is connected to the Internet is subject to being > hacked - let's just turn off all of our computers, since we're talking in > absolutes. > > From the perspective of the "lawyers and MBA types that negotiate > agreements with Netflix and similar services" (to quote Eric), there *are* > reliable > methods within a specific risk profile, and those include (thanks to Google > and Apple, whom most of the content providers *also* have agreements > with) AGPS based on Wifi and other industry now-standard methods. > > I don't think there _is_ a contractual requirement to attempt to block VPN > traffic. I think there's a contractual requirement to provide geographic > controls for content, which is a completely different discussion, and is > what those same cable and satellite TV providers (many of which _are_ the > ISPs for Netflix's customer base) provide. > > As has been pointed out, Slingbox is an excellent proxy for over-the-air > and cable-tv video, but you don't see content providers pressuring > regulation on them because they limit their risk with the station or cable > TV provider. > > > > > On Fri, Jun 3, 2016 at 6:08 PM Naslund, Steve <[email protected]> > wrote: > >> That is true. The problem is that traditionally the ISPs have to deal >> with customers that can’t get to the content they want. Netflix ridiculous >> detection schemes do nothing but create tons of work for the service >> provider which in turn creates stupid work-arounds and network >> configurations that are ill conceived. Myself, I had to shut off IPv6 at >> home to get things to work reliably several times for dumb reasons. Kind >> of hard to preach the v6 message when I had to shut it off myself several >> time to get my own stuff to work Ok. Netflix just decided that creating >> issues for a subset of their customers was better than having the real >> fight with the content providers. >> >> My point is that there is no reliable geo-location method for Netflix to >> use, at least there never has been yet. Good luck ever getting that to >> work behind the great firewall of China. >> >> Steven Naslund >> Chicago IL >> >> From: Cryptographrix [mailto:[email protected]] >> Sent: Friday, June 03, 2016 4:56 PM >> To: Naslund, Steve; [email protected] >> Subject: Re: Netflix VPN detection - actual engineer needed >> >> Oh I'm not suggesting for a microsecond that any provenance of location >> can not be hacked, but I totally think that - until the content providers >> change their business model to not rely on regional controls - they could >> at least use a more accurate source for that information than my IP(4 or 6) >> address. >> >> I just don't think that this is an appropriate venue to discuss the value >> of their business model as that's something their business needs to work on >> changing internally, and fighting it (at least for the moment) will only >> land Netflix in court. >> >> In short, I'm pointing the finger at Netflix's developers for coming up >> with such a lazy control for geolocation. >> >> On Fri, Jun 3, 2016 at 4:58 PM Naslund, Steve <[email protected] >> <mailto:[email protected]>> wrote: >> Wifi location depends on a bunch of problematic things. First, your SSID >> needs to get collected and put in a database somewhere. That itself is a >> crap shoot. Next, you can stop google (and some other wifi databases) from >> collecting the data by putting _nomap at the end of your SSID. Lastly, not >> everyone has wifi or iOS or GPS or whatever location method you can think >> of. BTW, my apple TV is on a wired Ethernet, not wifi. >> >> Point is, for whatever location technology you want to use be it IP, GPS, >> WiFi location, sextant…..they can be inaccurate and they can be faked and >> there are privacy concerns with all of them. What the content producers >> need to figure out is that regionalization DOES NOT WORK ANYMORE! The >> original point was that they could have different release dates in >> different areas at different prices and availability. They are going to >> have to get over it because they will lose the technological arms race. >> >> There is no reason you could not beat all of the location systems with a >> simple proxy. A proxy makes a Netflix connection from an allowed IP, >> location or whatever and then builds a new video/audio stream out the back >> end to the client anywhere in the world. Simple to implement and damn near >> impossible to beat. Ever hear of Slingbox? >> >> Steven Naslund >> Chicago IL >> >> From: Cryptographrix [mailto:[email protected]<mailto: >> [email protected]>] >> Sent: Friday, June 03, 2016 3:42 PM >> To: Naslund, Steve; [email protected]<mailto:[email protected]> >> Subject: Re: Netflix VPN detection - actual engineer needed >> >> Apple TVs get their location indoors using the same method they use for >> other iOS devices when indoors - wifi ssid/Mac scanning. >> >> Non-iOS devices are often capable of this as well. >> >> (As someone that spends >67% of his time underground and whose Apple TV >> requests my location from my underground bedroom and is very accurate) >> >> On Fri, Jun 3, 2016 at 4:36 PM Naslund, Steve <[email protected] >> <mailto:[email protected]><mailto:[email protected]<mailto: >> [email protected]>>> wrote: >> Their app could request your devices location. Problem is a lot of >> devices (like TVs, Apple TVs, most DVD player, i.e. device with built in >> Netflix) don't know where they are and it cannot easily be added (indoor >> GPS is still difficult/expensive) and even if they could should they be >> believed. I think the bigger issue is whether any kind of regional >> controls are enforceable or effective any more. >> >> Steven Naslund >> Chicago IL >> >> -----Original Message----- >> From: NANOG [mailto:[email protected]<mailto: >> [email protected]><mailto:[email protected]<mailto: >> [email protected]>>] On Behalf Of Cryptographrix >> Sent: Friday, June 03, 2016 3:21 PM >> To: Spencer Ryan >> Cc: North American Network Operators' Group >> Subject: Re: Netflix VPN detection - actual engineer needed >> >> Come now, content providers really just care that they have access to >> regional controls more so than their ability to blanket-deny access (ok, >> minus the MLB who are just insane). >> >> And part of those regional controls deal with the accuracy of the >> location information. >> >> If their app can request my device's precise location, it doesn't need to >> infer my location from my IP any more. >> >> As a matter of fact, it's only detrimental to them for it to do so, >> because of the lack of accuracy from geo databases and the various reasons >> that people use VPNs nowadays (i.e. for some devices that you can't even >> turn VPN connections off for - OR in the case of IPv6, when you can't reach >> a segment of the Internet without it). >> >> >> On Fri, Jun 3, 2016 at 4:17 PM Spencer Ryan <[email protected]<mailto: >> [email protected]><mailto:[email protected]<mailto:[email protected]>>> wrote: >> >> > There is a large difference between "the VPN run at your house" and >> > "Arguably the most popular, free, mostly anonymous tunnel broker >> service" >> > >> > If it were up to the content providers, they probably would block any >> > IP they saw a VPN server listening on. >> > >> > >> > *Spencer Ryan* | Senior Systems Administrator | [email protected]<mailto: >> [email protected]><mailto:[email protected]<mailto:[email protected]>> *Arbor >> > Networks* >> > +1.734.794.5033 (d) | +1.734.846.2053 (m) >> > www.arbornetworks.com<http://www.arbornetworks.com>< >> http://www.arbornetworks.com> >> > >> > On Fri, Jun 3, 2016 at 4:09 PM, Cryptographrix >> > <[email protected]<mailto:[email protected]><mailto: >> [email protected]<mailto:[email protected]>>> >> > wrote: >> > >> >> I have a VPN connection at my house. There's no way for them to know >> >> the difference between me using my home network connection from Hong >> >> Kong or my home network connection from my house. >> >> >> >> Are they going to disable connectivity from everywhere they can >> >> detect an open VPN port to, also? >> >> >> >> If they trust my v4 address, they can use that to establish >> >> historical reference. Additionally, they can fail over to v4 if they >> >> do not trust the >> >> v6 address. >> >> >> >> >> >> >> >> >> >> On Fri, Jun 3, 2016 at 4:05 PM Spencer Ryan <[email protected]<mailto: >> [email protected]><mailto:[email protected]<mailto:[email protected]>>> wrote: >> >> >> >>> There is no way for Netflix to know the difference between you being >> >>> in NY and using the tunnel, and you living in Hong Kong and using the >> tunnel. >> >>> >> >>> >> >>> *Spencer Ryan* | Senior Systems Administrator | [email protected] >> <mailto:[email protected]><mailto:[email protected]<mailto:[email protected]>> >> >>> *Arbor Networks* >> >>> +1.734.794.5033 (d) | +1.734.846.2053 (m) >> >>> www.arbornetworks.com<http://www.arbornetworks.com>< >> http://www.arbornetworks.com> >> >>> >> >>> On Fri, Jun 3, 2016 at 4:03 PM, Cryptographrix >> >>> <[email protected]<mailto:[email protected]><mailto: >> [email protected]<mailto:[email protected]>> >> >>> > wrote: >> >>> >> >>>> Same, but until there's a real IPv6 presence in the US, it's really >> >>>> annoying that they haven't come up with some fix for this. >> >>>> >> >>>> I have no plans to turn off IPv6 at home - I actually have many >> >>>> uses for it, and as much as I dislike the controversy around it, >> >>>> think that adoption needs to be prioritized, not penalized. >> >>>> >> >>>> Additionally, I think that discussing content provider control over >> >>>> regional decisions isn't productive to the conversation, as they >> >>>> didn't build the banhammer (wouldn't you want to control your own >> >>>> content if you had made content specific to regional laws etc?). >> >>>> >> >>>> I.e. - not all shows need to have regional restrictions between New >> >>>> York (where I live) and California (where my IPv6 /64 says I live). >> >>>> >> >>>> I'm able to watch House in the any state in the U.S.? Great - >> >>>> ignore my intra-US proxy connection. >> >>>> >> >>>> My Netflix account randomly tries to connect from Tokyo because I >> >>>> forgot to shut off my work VPN? Fine....let me know and I'll turn >> >>>> *that* off. >> >>>> >> >>>> >> >>>> >> >>>> >> >>>> >> >>>> >> >>>> On Fri, Jun 3, 2016 at 3:49 PM Spencer Ryan <[email protected]<mailto: >> [email protected]><mailto:[email protected]<mailto:[email protected]>>> wrote: >> >>>> >> >>>>> I don't blame them for blocking a (effectively) anonymous tunnel >> >>>>> broker. I'm sure their content providers are forcing their hand. >> >>>>> On Jun 3, 2016 3:46 PM, "Cryptographrix" >> >>>>> <[email protected]<mailto:[email protected]><mailto: >> [email protected]<mailto:[email protected]>>> >> >>>>> wrote: >> >>>>> >> >>>>>> Netflix needs to figure out a fix for this until ISPs actually >> >>>>>> provide IPv6 natively. >> >>>>>> >> >>>>>> >> >>>>>> >> >>>>>> On Fri, Jun 3, 2016 at 3:13 PM Blair Trosper >> >>>>>> <[email protected]<mailto:[email protected]><mailto: >> [email protected]<mailto:[email protected]>> >> >>>>>> > >> >>>>>> wrote: >> >>>>>> >> >>>>>> > Confirmed that Hurricane Electric's TunnelBroker is now blocked >> >>>>>> > by Netflix. Anyone nice people from Netflix perhaps want to >> >>>>>> > take a >> >>>>>> crack at >> >>>>>> > this? >> >>>>>> > >> >>>>>> > >> >>>>>> > >> >>>>>> > On Thu, Jun 2, 2016 at 2:15 PM, <[email protected]<mailto: >> [email protected]><mailto:[email protected]<mailto: >> [email protected]>>> wrote: >> >>>>>> > >> >>>>>> > > Had the same problem at my house, but it was caused by the >> >>>>>> > > IPv6 >> >>>>>> > connection >> >>>>>> > > to HE. Turned of V6 and the device worked. >> >>>>>> > > >> >>>>>> > > >> >>>>>> > > -- >> >>>>>> > > >> >>>>>> > > Sent with Airmail >> >>>>>> > > >> >>>>>> > > On June 1, 2016 at 10:29:03 PM, Matthew Kaufman ( >> >>>>>> [email protected]<mailto:[email protected]><mailto: >> [email protected]<mailto:[email protected]>>) >> >>>>>> > > wrote: >> >>>>>> > > >> >>>>>> > > Every device in my house is blocked from Netflix this evening >> >>>>>> > > due >> >>>>>> to >> >>>>>> > > their new "VPN blocker". My house is on my own IP space, and >> >>>>>> > > the >> >>>>>> outside >> >>>>>> > > of the NAT that the family devices are on is 198.202.199.254, >> >>>>>> announced >> >>>>>> > > by AS 11994. A simple ping from Netflix HQ in Los Gatos to my >> >>>>>> house >> >>>>>> > > should show that I'm no farther away than Santa Cruz, CA as >> >>>>>> microwaves >> >>>>>> > > fly. >> >>>>>> > > >> >>>>>> > > Unfortunately, when one calls Netflix support to talk about >> >>>>>> > > this, >> >>>>>> the >> >>>>>> > > only response is to say "call your ISP and have them turn off >> >>>>>> > > the >> >>>>>> VPN >> >>>>>> > > software they've added to your account". And they absolutely >> >>>>>> refuse to >> >>>>>> > > escalate. Even if you tell them that you are essentially your >> >>>>>> > > own >> >>>>>> ISP. >> >>>>>> > > >> >>>>>> > > So... where's the Netflix network engineer on the list who >> >>>>>> > > all of >> >>>>>> us can >> >>>>>> > > send these issues to directly? >> >>>>>> > > >> >>>>>> > > Matthew Kaufman >> >>>>>> > > >> >>>>>> > >> >>>>>> >> >>>>> >> >>> >> > >> >
