Netflix VPN detection - actual engineer needed

Cryptographrix cryptographrix at gmail.com
Fri Jun 3 22:18:29 UTC 2016


"there is no reliable geo-location method for Netflix to use"

Any microprocessor that is connected to the Internet is subject to being
hacked - let's just turn off all of our computers, since we're talking in
absolutes.

From the perspective of the "lawyers and MBA types that negotiate
agreements with Netflix and similar services" (to quote Eric), there *are*
reliable methods within a specific risk profile, and those include (thanks
to Google and Apple, whom most of the content providers *also* have
agreements with) AGPS based on Wifi and other industry now-standard methods.

I don't think there _is_ a contractual requirement to attempt to block VPN
traffic. I think there's a contractual requirement to provide geographic
controls for content, which is a completely different discussion, and is
what those same cable and satellite TV providers (many of which _are_ the
ISPs for Netflix's customer base) provide.

As has been pointed out, Slingbox is an excellent proxy for over-the-air
and cable-tv video, but you don't see content providers pressuring
regulation on them because they limit their risk with the station or cable
TV provider.




On Fri, Jun 3, 2016 at 6:08 PM Naslund, Steve <SNaslund at medline.com> wrote:

> That is true.  The problem is that traditionally the ISPs have to deal
> with customers that can’t get to the content they want.  Netflix's ridiculous
> detection schemes do nothing but create tons of work for the service
> provider which in turn creates stupid work-arounds and network
> configurations that are ill conceived.  Myself, I had to shut off IPv6 at
> home to get things to work reliably several times for dumb reasons.   Kind
> of hard to preach the v6 message when I had to shut it off myself several
> times to get my own stuff to work OK.  Netflix just decided that creating
> issues for a subset of their customers was better than having the real
> fight with the content providers.
>
> My point is that there is no reliable geo-location method for Netflix to
> use, at least there never has been yet.  Good luck ever getting that to
> work behind the great firewall of China.
>
> Steven Naslund
> Chicago IL
>
> From: Cryptographrix [mailto:cryptographrix at gmail.com]
> Sent: Friday, June 03, 2016 4:56 PM
> To: Naslund, Steve; nanog at nanog.org
> Subject: Re: Netflix VPN detection - actual engineer needed
>
> Oh I'm not suggesting for a microsecond that any provenance of location
> can not be hacked, but I totally think that - until the content providers
> change their business model to not rely on regional controls - they could
> at least use a more accurate source for that information than my IP(4 or 6)
> address.
>
> I just don't think that this is an appropriate venue to discuss the value
> of their business model as that's something their business needs to work on
> changing internally, and fighting it (at least for the moment) will only
> land Netflix in court.
>
> In short, I'm pointing the finger at Netflix's developers for coming up
> with such a lazy control for geolocation.
>
> On Fri, Jun 3, 2016 at 4:58 PM Naslund, Steve <SNaslund at medline.com> wrote:
> Wifi location depends on a bunch of problematic things.  First, your SSID
> needs to get collected and put in a database somewhere.  That itself is a
> crap shoot.  Next, you can stop google (and some other wifi databases) from
> collecting the data by putting _nomap at the end of your SSID.  Lastly, not
> everyone has wifi or iOS or GPS or whatever location method you can think
> of.  BTW, my apple TV is on a wired Ethernet, not wifi.
>
> Point is, for whatever location technology you want to use be it IP, GPS,
> WiFi location, sextant…..they can be inaccurate and they can be faked and
> there are privacy concerns with all of them.  What the content producers
> need to figure out is that regionalization DOES NOT WORK ANYMORE!  The
> original point was that they could have different release dates in
> different areas at different prices and availability.  They are going to
> have to get over it because they will lose the technological arms race.
>
> There is no reason you could not beat all of the location systems with a
> simple proxy.  A proxy makes a Netflix connection from an allowed IP,
> location or whatever and then builds a new video/audio stream out the back
> end to the client anywhere in the world.  Simple to implement and damn near
> impossible to beat.  Ever hear of Slingbox?
>
> Steven Naslund
> Chicago IL
>
> From: Cryptographrix [mailto:cryptographrix at gmail.com]
> Sent: Friday, June 03, 2016 3:42 PM
> To: Naslund, Steve; nanog at nanog.org
> Subject: Re: Netflix VPN detection - actual engineer needed
>
> Apple TVs get their location indoors using the same method they use for
> other iOS devices when indoors - wifi ssid/Mac scanning.
>
> Non-iOS devices are often capable of this as well.
>
> (As someone that spends >67% of his time underground and whose Apple TV
> requests my location from my underground bedroom and is very accurate)
>
> On Fri, Jun 3, 2016 at 4:36 PM Naslund, Steve <SNaslund at medline.com> wrote:
> Their app could request your devices location.  Problem is a lot of
> devices (like TVs, Apple TVs, most DVD players, i.e. devices with built-in
> Netflix) don't know where they are and it cannot easily be added (indoor
> GPS is still difficult/expensive) and even if they could, should they be
> believed?  I think the bigger issue is whether any kind of regional
> controls are enforceable or effective any more.
>
> Steven Naslund
> Chicago IL
>
> -----Original Message-----
> From: NANOG [mailto:nanog-bounces at nanog.org] On Behalf Of Cryptographrix
> Sent: Friday, June 03, 2016 3:21 PM
> To: Spencer Ryan
> Cc: North American Network Operators' Group
> Subject: Re: Netflix VPN detection - actual engineer needed
>
> Come now, content providers really just care that they have access to
> regional controls more so than their ability to blanket-deny access (ok,
> minus the MLB who are just insane).
>
> And part of those regional controls deal with the accuracy of the location
> information.
>
> If their app can request my device's precise location, it doesn't need to
> infer my location from my IP any more.
>
> As a matter of fact, it's only detrimental to them for it to do so,
> because of the lack of accuracy from geo databases and the various reasons
> that people use VPNs nowadays (i.e. for some devices that you can't even
> turn VPN connections off for - OR in the case of IPv6, when you can't reach
> a segment of the Internet without it).
>
>
> On Fri, Jun 3, 2016 at 4:17 PM Spencer Ryan <sryan at arbor.net> wrote:
>
> > There is a large difference between "the VPN run at your house" and
> > "Arguably the most popular, free, mostly anonymous tunnel broker service"
> >
> > If it were up to the content providers, they probably would block any
> > IP they saw a VPN server listening on.
> >
> >
> > *Spencer Ryan* | Senior Systems Administrator | sryan at arbor.net
> > *Arbor Networks*
> > +1.734.794.5033 (d) | +1.734.846.2053 (m)
> > www.arbornetworks.com
> >
> > On Fri, Jun 3, 2016 at 4:09 PM, Cryptographrix
> > <cryptographrix at gmail.com> wrote:
> >
> >> I have a VPN connection at my house. There's no way for them to know
> >> the difference between me using my home network connection from Hong
> >> Kong or my home network connection from my house.
> >>
> >> Are they going to disable connectivity from everywhere they can
> >> detect an open VPN port to, also?
> >>
> >> If they trust my v4 address, they can use that to establish
> >> historical reference. Additionally, they can fail over to v4 if they
> >> do not trust the v6 address.
> >>
> >>
> >>
> >>
> >> On Fri, Jun 3, 2016 at 4:05 PM Spencer Ryan <sryan at arbor.net> wrote:
> >>
> >>> There is no way for Netflix to know the difference between you being
> >>> in NY and using the tunnel, and you living in Hong Kong and using the
> >>> tunnel.
> >>>
> >>>
> >>> *Spencer Ryan* | Senior Systems Administrator | sryan at arbor.net
> >>> *Arbor Networks*
> >>> +1.734.794.5033 (d) | +1.734.846.2053 (m)
> >>> www.arbornetworks.com
> >>>
> >>> On Fri, Jun 3, 2016 at 4:03 PM, Cryptographrix
> >>> <cryptographrix at gmail.com> wrote:
> >>>
> >>>> Same, but until there's a real IPv6 presence in the US, it's really
> >>>> annoying that they haven't come up with some fix for this.
> >>>>
> >>>> I have no plans to turn off IPv6 at home - I actually have many
> >>>> uses for it, and as much as I dislike the controversy around it,
> >>>> think that adoption needs to be prioritized, not penalized.
> >>>>
> >>>> Additionally, I think that discussing content provider control over
> >>>> regional decisions isn't productive to the conversation, as they
> >>>> didn't build the banhammer (wouldn't you want to control your own
> >>>> content if you had made content specific to regional laws etc?).
> >>>>
> >>>> I.e. - not all shows need to have regional restrictions between New
> >>>> York (where I live) and California (where my IPv6 /64 says I live).
> >>>>
> >>>> I'm able to watch House in any state in the U.S.? Great -
> >>>> ignore my intra-US proxy connection.
> >>>>
> >>>> My Netflix account randomly tries to connect from Tokyo because I
> >>>> forgot to shut off my work VPN? Fine....let me know and I'll turn
> >>>> *that* off.
> >>>>
> >>>>
> >>>>
> >>>>
> >>>>
> >>>>
> >>>> On Fri, Jun 3, 2016 at 3:49 PM Spencer Ryan <sryan at arbor.net> wrote:
> >>>>
> >>>>> I don't blame them for blocking a (effectively) anonymous tunnel
> >>>>> broker. I'm sure their content providers are forcing their hand.
> >>>>> On Jun 3, 2016 3:46 PM, "Cryptographrix"
> >>>>> <cryptographrix at gmail.com> wrote:
> >>>>>
> >>>>>> Netflix needs to figure out a fix for this until ISPs actually
> >>>>>> provide IPv6 natively.
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>> On Fri, Jun 3, 2016 at 3:13 PM Blair Trosper
> >>>>>> <blair.trosper at gmail.com> wrote:
> >>>>>>
> >>>>>> > Confirmed that Hurricane Electric's TunnelBroker is now blocked
> >>>>>> > by Netflix.  Any nice people from Netflix perhaps want to
> >>>>>> > take a crack at this?
> >>>>>> >
> >>>>>> >
> >>>>>> >
> >>>>>> > On Thu, Jun 2, 2016 at 2:15 PM, <mike.hyde1 at gmail.com> wrote:
> >>>>>> >
> >>>>>> > > Had the same problem at my house, but it was caused by the
> >>>>>> > > IPv6 connection to HE.  Turned off V6 and the device worked.
> >>>>>> > >
> >>>>>> > >
> >>>>>> > > --
> >>>>>> > >
> >>>>>> > > Sent with Airmail
> >>>>>> > >
> >>>>>> > > On June 1, 2016 at 10:29:03 PM, Matthew Kaufman
> >>>>>> > > (matthew at matthew.at) wrote:
> >>>>>> > >
> >>>>>> > > Every device in my house is blocked from Netflix this evening
> >>>>>> > > due to their new "VPN blocker". My house is on my own IP space,
> >>>>>> > > and the outside of the NAT that the family devices are on is
> >>>>>> > > 198.202.199.254, announced by AS 11994. A simple ping from
> >>>>>> > > Netflix HQ in Los Gatos to my house should show that I'm no
> >>>>>> > > farther away than Santa Cruz, CA as microwaves fly.
> >>>>>> > >
> >>>>>> > > Unfortunately, when one calls Netflix support to talk about
> >>>>>> > > this, the only response is to say "call your ISP and have them
> >>>>>> > > turn off the VPN software they've added to your account". And
> >>>>>> > > they absolutely refuse to escalate. Even if you tell them that
> >>>>>> > > you are essentially your own ISP.
> >>>>>> > >
> >>>>>> > > So... where's the Netflix network engineer on the list who
> >>>>>> > > all of us can send these issues to directly?
> >>>>>> > >
> >>>>>> > > Matthew Kaufman
> >>>>>> > >
> >>>>>> >
> >>>>>>
> >>>>>
> >>>
> >
>


