How is it "egregious" that people are obtaining content to use for their own purposes from a resource intentionally established as a repository of content for people to obtain and use for their own purposes?
Because nobody who opens a public library does so intending, nor consenting, for random companies to jam the entrance trying to cart off thousands of books solely to use for their own enrichment.
Years and years ago I shared a cubicle with a woman named Tracy. A couple times a month Tracy would get lunch at the Mongolian BBQ place down the road (all you can eat stir fry that has nothing to do with Mongolian food for anyone unfamiliar).
Anyhow, Tracy would put a gallon-sized ziplock bag into her purse, and at the restaurant shovel half a dozen plates' worth of food into it. Then she'd work the afternoon eating out of her purse like it's a bowl, just sitting there on the desk.
Requests to physical servers over physical media are not free. Someone needs to pay for providing and maintaining the infrastructure etc etc. Finite resources are still getting used up by people not paying for them. That's what this thread and the analogy are about.
$25 million a year is not remotely a lot for a non-profit doing any kind of work at scale. Wikimedia's budget is about seven times that. My local Goodwill chapter has an annual budget greater than that.
> Your snipping is making it look broader than it is: you can’t misrepresent someone as being supportive of your product or cause, and you can’t distribute software that makes, or make yourself, likenesses of other people without their prior consent.
This sounds like it would effectively ban photography in public places. Or at least ban the manufacture/sale of cameras or software that takes photos.
> In a pentest scenario, you sometimes have a shell on a system which has no route to the internet, and you lack permissions for a web proxy or you don't have access to one.
How would using a proxy masquerading as SMTP be any more viable in this situation than a proxy masquerading as HTTPS?
> Your next best bet is probably tunneling over DNS with Iodine or something similar.
DNS typically does not involve bidirectional transfer of large volumes of encrypted traffic. Doing this over DNS would stick out like a sore thumb to anyone doing traffic analysis, whereas this is exactly what you'd expect to see over HTTPS.
> Many internal DNS servers resolve external host names.
Sure, but the internal DNS in this scenario would typically be either forwarding external DNS requests to an outside resolver determined by its own configuration, or itself hosting a full DNS table. How would you be able to use your own proxy masquerading as DNS in this situation?
The go-to tool that practically anyone doing any DNS tunneling uses is dnscat2 (https://github.com/iagox86/dnscat2). It works fine through recursive/forwarding resolvers because those resolvers must recurse out to the authoritative nameserver for a given domain in order to resolve the name request. With dnscat2 you use the server component "hosting" a "zone" using a domain name you own / control (so that you can point the authoritative nameserver record to the dnscat2 server component). You then use the dnscat2 client to package up TCP traffic into specially crafted DNS requests to the domain you control where the server is listening. The design is very clever and has to solve a lot of tricky technical problems.
As for detection, you're entirely right that sending large volumes of traffic over DNS is both incredibly slow, and incredibly obvious to any network defenders paying attention to DNS.
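One way a defender could spot the pattern described above in resolver query logs, as an added example that is not from the dnscat2 project or this thread (the log lines, the tunnel domain, the hex labels and the thresholds are all constructed for illustration):

```python
import math
from collections import Counter, defaultdict

# Constructed DNS query log, "<epoch> <client> <qtype> <qname>"; the tunnel
# domain and hex labels are invented for this example, not real indicators.
SAMPLE_LOG = """\
1700000000 10.0.0.5 A www.example.com
1700000001 10.0.0.5 A cdn.example.com
1700000002 10.0.0.5 TXT 6f1a9c3e8b2d4e7a.0.t.tunnel-domain.test
1700000002 10.0.0.5 TXT 9b3c5d7e1f2a4b6c.1.t.tunnel-domain.test
1700000002 10.0.0.5 TXT 2e4f6a8c0b1d3e5f.2.t.tunnel-domain.test
1700000003 10.0.0.5 TXT 7a9b1c3d5e2f4a6b.3.t.tunnel-domain.test
1700000003 10.0.0.5 TXT 4c6d8e0f2a1b3c5d.4.t.tunnel-domain.test
1700000005 10.0.0.7 A mail.example.com
"""

def entropy(s):
    """Shannon entropy of s in bits per character (0.0 for an empty string)."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def registered_domain(qname):
    """Crude registrable domain: last two labels (assumption: no public suffix list)."""
    return ".".join(qname.rstrip(".").split(".")[-2:])

def domain_features(log_text):
    """Per registrable domain: count, unique-name ratio, mean length, mean subdomain entropy."""
    rows = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than crash on them
        qname = parts[3].rstrip(".")
        dom = registered_domain(qname)
        sub = qname[: -len(dom)].rstrip(".")  # part that would carry tunnel payload
        rows[dom].append((qname, entropy(sub)))
    return {dom: {"queries": len(r),
                  "unique_ratio": len({q for q, _ in r}) / len(r),
                  "avg_len": sum(len(q) for q, _ in r) / len(r),
                  "avg_entropy": sum(e for _, e in r) / len(r)}
            for dom, r in rows.items()}

def flag_tunnels(log_text, min_queries=5, min_unique=0.9, min_len=30, min_entropy=3.0):
    """Domains whose queries look like a covert channel; thresholds are illustrative."""
    return sorted(d for d, f in domain_features(log_text).items()
                  if f["queries"] >= min_queries and f["unique_ratio"] >= min_unique
                  and f["avg_len"] >= min_len and f["avg_entropy"] >= min_entropy)
```

On real resolver logs the thresholds need tuning per environment, since CDNs and some telemetry services also produce long, unique, high-entropy names.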
Cloudflare provides a very large haystack for this, but even for an nginx server with no CDN, it's still useful to prevent the hostname from being sent in the clear before the TLS connection is negotiated. This still hides the hostname from casual eavesdroppers, who now only know what IP you're connecting to, and would need out-of-band information to map the IP back to a hostname. And they couldn't ever be 100% sure of that, because they wouldn't know for certain whether there are additional vhosts running on a given server.
I don't think that's correct. Prices for retail goods aren't usually even attached to the product in interstate commerce, and are shown locally on store shelving.