Re: Netflix VPN detection - actual engineer needed

[Cryptographrix <cryptographrix () gmail com>]

> 1.        Device needs to have GPS, WiFi, or both.  A lot don’t.

Doesn't need to be mandatory, but it's elective to use and yes - AGPS/Wifi
is much more accurate than IP geolocation where available, by a long shot
https://gigaom.com/2012/08/17/how-much-better-is-gps-over-wi-fi-positioning-yelp-knows/


IP Geolocation is accurate to the city, at best, and is often completely
off if you live in a metropolitan area

> 2.       SSID needs to be in a database.  What is the ratio of SSIDs in
the databases vs total SSIDs worldwide.  Bet a large percentage are not
there.

This isn't even an issue in the US - what do you think those Google cars
collect besides pictures?:
https://www.wired.com/2014/04/threatlevel_0401_streetview/

> 3.       People can change an SSID or WiFi AP at any time.  How long
exactly until I get my database entry updated.

Yes they can change SSIDs, which is why Wifi-based geolocation doesn't
profile a location based on individual SSIDs or *just* SSIDs (many also
include MAC addresses to - see the aforementioned court case).

> 4.       Any indoor area that does not have WiFi coverage cannot be
located, period, end of story.

Wireless-ISPs are now a thing. You can be in the mountains of Colorado and
have your location established better with Wifi than your IP geolocation
will provide.

You'd be surprised how many wireless SSIDs you'll receive in the most
remote places.

Then again, there are places in metropolitan areas where there is
absolutely no wifi.

Sure, fall back to IP geolocation there.

You're trying to find edge cases - I get it - but in most places your edge
cases don't exist.

If you have a device with wifi on it and it is connected to the internet
even with Ethernet, in the US you have no assurance that it can not use
Wifi to determine your location much more precisely than IP geolocation.

Period.



On Fri, Jun 3, 2016 at 6:35 PM Cryptographrix <cryptographrix () gmail com>
wrote:

> But wait, content providers *do that.*
>
> *Microsoft too...for illegal copies of Outlook, even...*
>
> How do we know they do that?
>
> Because your ISP can be held liable if they are contacted by a content
> provider and do not follow graduated response guidelines either issued by
> the nation the ISP resides in or governed by industry agreements and *do
> not* shut off your service if you are found to be pirating content.
>
> But all of this is moot against the point you mentioned: Netflix authored
> a broken process.
>
> There are at least 3 much more accurate ways to establish regional
> provenance for any packet - and of course all of them can be hacked - but
> those same content providers have established in their audit requirements
> that they're perfectly willing to accept the risks involved.
>
>
>
>
>
> On Fri, Jun 3, 2016 at 6:18 PM Cryptographrix <cryptographrix () gmail com>
> wrote:
>
> > "
> > there is no reliable geo-location method for Netflix to use"
> >
> > Any microprocessor that is connected to the Internet is subject to being
> > hacked - let's just turn off all of our computers, since we're talking in
> > absolutes.
> >
> > From the perspective of the "lawyers and MBA types that negotiate
> > agreements with Netflix and similar services" (to quote Eric), there
> > *are* reliable methods within a specific risk profile, and those include
> > (thanks to Google and Apple, whom most of the content providers *also* have
> > agreements with) AGPS based on Wifi and other industry now-standard methods.
> >
> > I don't think there _is_ a contractual requirement to attempt to block
> > VPN traffic. I think there's a contractual requirement to provide
> > geographic controls for content, which is a completely different
> > discussion, and is what those same cable and satellite TV providers (many
> > of which _are_ the ISPs for Netflix's customer base) provide.
> >
> > As has been pointed out, Slingbox is an excellent proxy for over-the-air
> > and cable-tv video, but you don't see content providers pressuring
> > regulation on them because they limit their risk with the station or cable
> > TV provider.
> >
> >
> >
> >
> > On Fri, Jun 3, 2016 at 6:08 PM Naslund, Steve <SNaslund () medline com>
> > wrote:
> >
> > > That is true.  The problem is that traditionally the ISPs have to deal
> > > with customers that can’t get to the content they want.  Netflix ridiculous
> > > detection schemes do nothing but create tons of work for the service
> > > provider which in turn creates stupid work-arounds and network
> > > configurations that are ill conceived.  Myself, I had to shut off IPv6 at
> > > home to get things to work reliably several times for dumb reasons.   Kind
> > > of hard to preach the v6 message when I had to shut it off myself several
> > > time to get my own stuff to work Ok.  Netflix just decided that creating
> > > issues for a subset of their customers was better than having the real
> > > fight with the content providers.
> > >
> > > My point is that there is no reliable geo-location method for Netflix to
> > > use, at least there never has been yet.  Good luck ever getting that to
> > > work behind the great firewall of China.
> > >
> > > Steven Naslund
> > > Chicago IL
> > >
> > > From: Cryptographrix [mailto:cryptographrix () gmail com]
> > > Sent: Friday, June 03, 2016 4:56 PM
> > > To: Naslund, Steve; nanog () nanog org
> > > Subject: Re: Netflix VPN detection - actual engineer needed
> > >
> > > Oh I'm not suggesting for a microsecond that any provenance of location
> > > can not be hacked, but I totally think that - until the content providers
> > > change their business model to not rely on regional controls - they could
> > > at least use a more accurate source for that information than my IP(4 or 6)
> > > address.
> > >
> > > I just don't think that this is an appropriate venue to discuss the
> > > value of their business model as that's something their business needs to
> > > work on changing internally, and fighting it (at least for the moment) will
> > > only land Netflix in court.
> > >
> > > In short, I'm pointing the finger at Netflix's developers for coming up
> > > with such a lazy control for geolocation.
> > >
> > > On Fri, Jun 3, 2016 at 4:58 PM Naslund, Steve <SNaslund () medline com
> > > <mailto:SNaslund () medline com>> wrote:
> > > Wifi location depends on a bunch of problematic things.  First, your
> > > SSID needs to get collected and put in a database somewhere.  That itself
> > > is a crap shoot.  Next, you can stop google (and some other wifi databases)
> > > from collecting the data by putting _nomap at the end of your SSID.
> > > Lastly, not everyone has wifi or iOS or GPS or whatever location method you
> > > can think of.  BTW, my apple TV is on a wired Ethernet, not wifi.
> > >
> > > Point is, for whatever location technology you want to use be it IP,
> > > GPS, WiFi location, sextant…..they can be inaccurate and they can be faked
> > > and there are privacy concerns with all of them.  What the content
> > > producers need to figure out is that regionalization DOES NOT WORK
> > > ANYMORE!  The original point was that they could have different release
> > > dates in different areas at different prices and availability.  They are
> > > going to have to get over it because they will lose the technological arms
> > > race.
> > >
> > > There is no reason you could not beat all of the location systems with a
> > > simple proxy.  A proxy makes a Netflix connection from an allowed IP,
> > > location or whatever and then builds a new video/audio stream out the back
> > > end to the client anywhere in the world.  Simple to implement and damn near
> > > impossible to beat.  Ever hear of Slingbox?
> > >
> > > Steven Naslund
> > > Chicago IL
> > >
> > > From: Cryptographrix [mailto:cryptographrix () gmail com<mailto:
> > > cryptographrix () gmail com>]
> > > Sent: Friday, June 03, 2016 3:42 PM
> > > To: Naslund, Steve; nanog () nanog org<mailto:nanog () nanog org>
> > > Subject: Re: Netflix VPN detection - actual engineer needed
> > >
> > > Apple TVs get their location indoors using the same method they use for
> > > other iOS devices when indoors - wifi ssid/Mac scanning.
> > >
> > > Non-iOS devices are often capable of this as well.
> > >
> > > (As someone that spends >67% of his time underground and whose Apple TV
> > > requests my location from my underground bedroom and is very accurate)
> > >
> > > On Fri, Jun 3, 2016 at 4:36 PM Naslund, Steve <SNaslund () medline com
> > > <mailto:SNaslund () medline com><mailto:SNaslund () medline com<mailto:
> > > SNaslund () medline com>>> wrote:
> > > Their app could request your devices location.  Problem is a lot of
> > > devices (like TVs, Apple TVs, most DVD player, i.e. device with built in
> > > Netflix) don't know where they are and it cannot easily be added (indoor
> > > GPS is still difficult/expensive) and even if they could should they be
> > > believed.  I think the bigger issue is whether any kind of regional
> > > controls are enforceable or effective any more.
> > >
> > > Steven Naslund
> > > Chicago IL
> > >
> > > -----Original Message-----
> > > From: NANOG [mailto:nanog-bounces () nanog org<mailto:
> > > nanog-bounces () nanog org><mailto:nanog-bounces () nanog org<mailto:
> > > nanog-bounces () nanog org>>] On Behalf Of Cryptographrix
> > > Sent: Friday, June 03, 2016 3:21 PM
> > > To: Spencer Ryan
> > > Cc: North American Network Operators' Group
> > > Subject: Re: Netflix VPN detection - actual engineer needed
> > >
> > > Come now, content providers really just care that they have access to
> > > regional controls more so than their ability to blanket-deny access (ok,
> > > minus the MLB who are just insane).
> > >
> > > And part of those regional controls deal with the accuracy of the
> > > location information.
> > >
> > > If their app can request my device's precise location, it doesn't need
> > > to infer my location from my IP any more.
> > >
> > > As a matter of fact, it's only detrimental to them for it to do so,
> > > because of the lack of accuracy from geo databases and the various reasons
> > > that people use VPNs nowadays (i.e. for some devices that you can't even
> > > turn VPN connections off for - OR in the case of IPv6, when you can't reach
> > > a segment of the Internet without it).
> > >
> > >
> > > On Fri, Jun 3, 2016 at 4:17 PM Spencer Ryan <sryan () arbor net<mailto:
> > > sryan () arbor net><mailto:sryan () arbor net<mailto:sryan () arbor net>>> wrote:
> > >
> > > > There is a large difference between "the VPN run at your house" and
> > > > "Arguably the most popular, free, mostly anonymous tunnel broker
> > > service"
> > > > If it were up to the content providers, they probably would block any
> > > > IP they saw a VPN server listening on.
> > > >
> > > >
> > > > *Spencer Ryan* | Senior Systems Administrator | sryan () arbor net
> > > <mailto:sryan () arbor net><mailto:sryan () arbor net<mailto:sryan () arbor net>>
> > > *Arbor
> > > > Networks*
> > > > +1.734.794.5033 (d) | +1.734.846.2053 (m)
> > > > www.arbornetworks.com<http://www.arbornetworks.com><
> > > http://www.arbornetworks.com>
> > > > On Fri, Jun 3, 2016 at 4:09 PM, Cryptographrix
> > > > <cryptographrix () gmail com<mailto:cryptographrix () gmail com><mailto:
> > > cryptographrix () gmail com<mailto:cryptographrix () gmail com>>>
> > > > wrote:
> > > >
> > > > > I have a VPN connection at my house. There's no way for them to know
> > > > > the difference between me using my home network connection from Hong
> > > > > Kong or my home network connection from my house.
> > > > >
> > > > > Are they going to disable connectivity from everywhere they can
> > > > > detect an open VPN port to, also?
> > > > >
> > > > > If they trust my v4 address, they can use that to establish
> > > > > historical reference. Additionally, they can fail over to v4 if they
> > > > > do not trust the
> > > > > v6 address.
> > > > >
> > > > >
> > > > >
> > > > >
> > > > > On Fri, Jun 3, 2016 at 4:05 PM Spencer Ryan <sryan () arbor net<mailto:
> > > sryan () arbor net><mailto:sryan () arbor net<mailto:sryan () arbor net>>> wrote:
> > > > > > There is no way for Netflix to know the difference between you being
> > > > > > in NY and using the tunnel, and you living in Hong Kong and using
> > > the tunnel.
> > > > > > *Spencer Ryan* | Senior Systems Administrator | sryan () arbor net
> > > <mailto:sryan () arbor net><mailto:sryan () arbor net<mailto:sryan () arbor net>>
> > > > > > *Arbor Networks*
> > > > > > +1.734.794.5033 (d) | +1.734.846.2053 (m)
> > > > > > www.arbornetworks.com<http://www.arbornetworks.com><
> > > http://www.arbornetworks.com>
> > > > > > On Fri, Jun 3, 2016 at 4:03 PM, Cryptographrix
> > > > > > <cryptographrix () gmail com<mailto:cryptographrix () gmail com><mailto:
> > > cryptographrix () gmail com<mailto:cryptographrix () gmail com>>
> > > > > > > wrote:
> > > > > >
> > > > > > > Same, but until there's a real IPv6 presence in the US, it's really
> > > > > > > annoying that they haven't come up with some fix for this.
> > > > > > >
> > > > > > > I have no plans to turn off IPv6 at home - I actually have many
> > > > > > > uses for it, and as much as I dislike the controversy around it,
> > > > > > > think that adoption needs to be prioritized, not penalized.
> > > > > > >
> > > > > > > Additionally, I think that discussing content provider control over
> > > > > > > regional decisions isn't productive to the conversation, as they
> > > > > > > didn't build the banhammer (wouldn't you want to control your own
> > > > > > > content if you had made content specific to regional laws etc?).
> > > > > > >
> > > > > > > I.e. - not all shows need to have regional restrictions between New
> > > > > > > York (where I live) and California (where my IPv6 /64 says I live).
> > > > > > >
> > > > > > > I'm able to watch House in the any state in the U.S.? Great -
> > > > > > > ignore my intra-US proxy connection.
> > > > > > >
> > > > > > > My Netflix account randomly tries to connect from Tokyo because I
> > > > > > > forgot to shut off my work VPN? Fine....let me know and I'll turn
> > > > > > > *that* off.
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > On Fri, Jun 3, 2016 at 3:49 PM Spencer Ryan <sryan () arbor net
> > > <mailto:sryan () arbor net><mailto:sryan () arbor net<mailto:sryan () arbor net>>>
> > > wrote:
> > > > > > > > I don't blame them for blocking a (effectively) anonymous tunnel
> > > > > > > > broker. I'm sure their content providers are forcing their hand.
> > > > > > > > On Jun 3, 2016 3:46 PM, "Cryptographrix"
> > > > > > > > <cryptographrix () gmail com<mailto:cryptographrix () gmail com><mailto:
> > > cryptographrix () gmail com<mailto:cryptographrix () gmail com>>>
> > > > > > > > wrote:
> > > > > > > >
> > > > > > > > > Netflix needs to figure out a fix for this until ISPs actually
> > > > > > > > > provide IPv6 natively.
> > > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > On Fri, Jun 3, 2016 at 3:13 PM Blair Trosper
> > > > > > > > > <blair.trosper () gmail com<mailto:blair.trosper () gmail com><mailto:
> > > blair.trosper () gmail com<mailto:blair.trosper () gmail com>>
> > > > > > > > > >
> > > > > > > > > wrote:
> > > > > > > > >
> > > > > > > > > > Confirmed that Hurricane Electric's TunnelBroker is now blocked
> > > > > > > > > > by Netflix.  Anyone nice people from Netflix perhaps want to
> > > > > > > > > > take a
> > > > > > > > > crack at
> > > > > > > > > > this?
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > On Thu, Jun 2, 2016 at 2:15 PM, <mike.hyde1 () gmail com<mailto:
> > > mike.hyde1 () gmail com><mailto:mike.hyde1 () gmail com<mailto:
> > > mike.hyde1 () gmail com>>> wrote:
> > > > > > > > > > > Had the same problem at my house, but it was caused by the
> > > > > > > > > > > IPv6
> > > > > > > > > > connection
> > > > > > > > > > > to HE.  Turned of V6 and the device worked.
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > > --
> > > > > > > > > > >
> > > > > > > > > > > Sent with Airmail
> > > > > > > > > > >
> > > > > > > > > > > On June 1, 2016 at 10:29:03 PM, Matthew Kaufman (
> > > > > > > > > matthew () matthew at<mailto:matthew () matthew at><mailto:
> > > matthew () matthew at<mailto:matthew () matthew at>>)
> > > > > > > > > > > wrote:
> > > > > > > > > > >
> > > > > > > > > > > Every device in my house is blocked from Netflix this evening
> > > > > > > > > > > due
> > > > > > > > > to
> > > > > > > > > > > their new "VPN blocker". My house is on my own IP space, and
> > > > > > > > > > > the
> > > > > > > > > outside
> > > > > > > > > > > of the NAT that the family devices are on is 198.202.199.254,
> > > > > > > > > announced
> > > > > > > > > > > by AS 11994. A simple ping from Netflix HQ in Los Gatos to my
> > > > > > > > > house
> > > > > > > > > > > should show that I'm no farther away than Santa Cruz, CA as
> > > > > > > > > microwaves
> > > > > > > > > > > fly.
> > > > > > > > > > >
> > > > > > > > > > > Unfortunately, when one calls Netflix support to talk about
> > > > > > > > > > > this,
> > > > > > > > > the
> > > > > > > > > > > only response is to say "call your ISP and have them turn off
> > > > > > > > > > > the
> > > > > > > > > VPN
> > > > > > > > > > > software they've added to your account". And they absolutely
> > > > > > > > > refuse to
> > > > > > > > > > > escalate. Even if you tell them that you are essentially your
> > > > > > > > > > > own
> > > > > > > > > ISP.
> > > > > > > > > > > So... where's the Netflix network engineer on the list who
> > > > > > > > > > > all of
> > > > > > > > > us can
> > > > > > > > > > > send these issues to directly?
> > > > > > > > > > >
> > > > > > > > > > > Matthew Kaufman