Re: Filtering "Illegal" Video

[Scott Fisher via NANOG <nanog () nanog org>]

I think the majority of services focus on the hosting providers since they are managing the data at-rest, typically 
through maintaining a list of file hashes. 
Examples:
https://www.iwf.org.uk/
https://stopncii.org/ 

And then there’s the recognition stuff the big orgs do:
https://www.microsoft.com/en/digitalsafety/moderation-and-enforcement/content-review/
https://blog.google/technology/safety-security/how-we-detect-remove-and-report-child-sexual-abuse-material/


We have a community offering for hosting providers to mitigate fraudulent users & payment (SAFE) and we have discussed 
ways we could expand it... possibly in mitigating illegal content. If anyone from the hosting world thats on the list 
has some ideas, please hit me up directly. 

Thanks, 
Scott Fisher
Team Cymru 

> On Feb 23, 2025, at 1:00 AM, Jay <mysidia () gmail com> wrote:
>
> On Thu, Feb 20, 2025 at 10:30 PM Mike Hammett <nanog () ics-il net> wrote:
> > However, the one I talked to more or less has a team whose purpose is to search out
> > the content as if you were a user,  build a signature, and push the signature out.
>
> Sure. That is the approach of most web filters. It is an interesting
> and probably very useful strategy only if you are not an ISP, but a
> company network tasked w/blocking access to questionable websites.
>
> Scanning from a user's point of view and categorizing or classifying
> resources works great with a default deny policy.  Most firewall
> vendors have devices that can block based on that kind of data feed.
>
> You can also use IP geolocation databases to deny packets based on a
> lookup result
> to all destinations outside your country, or which are listed as "residential",
> but it seems like none of these practices would be acceptable for an ISP.
>
> At this point what you have is not a sensor capable of blocking IPTV
> at all; you have some provider which might be claimining that they give
> an equivalent,  But you are paying just for a data feed attempting to
> classifying IP addreses or domains and their protocol endpoints as
> suspected IPTV, and taking actions based on a suspected nature of
> traffic with certain endpoints,  and Are not blocking or allowing
> based on anything reliably known or determined.
>
> Websites of this nature would often move frequently,
> and their classification would quickly be out of date.
> IP addresses and domain names also repurposed and
> re-assigned frequently  leading to more issues with
> categorization using "signatures" or a lookup database.
>
> > Obviously, that won't stop individual Plex, FTP, etc. servers,
> > but it sounds like it goes by the 90/10 rule. If you make it hard enough, most people will give up.
>
> I believe this principle of effort applies more to the media services
> themselves and network service providers.
>
> Make the content users are looking available more easily
> through approved methods, and there's hardly any motivation
> for an end user to go further than necessary which
> require more difficult methods of finding it.
>
> If not; most people will likely keep trying and end up
> surpassing whatever method of detection.
> Every protocol you would be looking to identify
> had new enhancements and tools developed
> in order to deter or prevent efforts of network devices
> to ID even the specific protocol.
>
> Something tells me private Discord servers or Cloud drives
> in a private space on shared provider's webservers (such as Microsoft)
> would be the  more popular access road than private FTP servers.
> Namely that FTP is rarely used anymore.
>
> Those types of resources would be distributed within communities.
> Which can possibly be very large and still exclusive enough to prevent
> an appliance
> vendor from finding it on a web search or slipping in to gather
> intelligence on endpoints.
>
> For sure it's not possible to "scan the internet and categorize every host".
>
> > Mike Hammett
> --
> -J