
Queen's Speech: 'Problem of matching IP addresses' to be probed

The Queen opened a new session of Parliament this morning and - as expected - Home Secretary Theresa May's Communications Data bill was absent from the government's upcoming programme of law-making for the next year. However, as indicated by Deputy Prime Minister Nick Clegg - who said late last month that the so-called Snoopers …

COMMENTS

This topic is closed for new posts.


What's the spooks' solution?

I wonder what the various max-surveillance types in the security services would actually like. Would they want a China-style solution where you have to present your ID to get access to any kind of internet access?

5
0
Anonymous Coward

Re: What's the spooks' solution?

I vote for a single, nationwide DHCP server managed by Gov.UK that everyone is obliged to use. Much simpler than ID tokens.

;-)

5
0
Big Brother

Re: What's the spooks' solution?

shhh don't go giving them ideas or we'll all be required to login at access.the.internet.gov.uk before surfing/emailing/gaming.

2
0
Silver badge
Unhappy

Re: What's the spooks' solution?

No Big Brother worrier here, but in the U.S. you generally do have to provide ID to access the Internet. A credit card through your ISP and/or mobile carrier, and a valid govt issued ID or library card (which is tied to your ID) for library access. Same in most hotels, airports and bus stations as well. I suppose you could go around looking for free open wireless but that's providing fewer options daily.

All I'm saying is that the Internet isn't nearly as anonymous as people like to think, especially if the person who wants to pry has a warrant.

1
0
Facepalm

Re: What's the spooks' solution?

What, like a Starbucks or McDees? But they're so hard to find!

1
0
Anonymous Coward

Re: What's the spooks' solution?

Surely it would be better to use static or DHCP reserved addresses rather than normal DHCP allocated ones (if they want to make traceability easier and not have to look through DHCP logs). Maybe a reserved DHCP lease based on your Identity Card, NI number (or even some new "Internet Licence Number") sent as the GUID in the request.

Otherwise use a national captive portal.

I am joking of course as I know this wouldn't work well and could easily be circumvented/spoofed etc - but I guess somewhere, somebody is thinking along these lines...so perhaps I shouldn't give them ideas. :-)

0
0
Flame

Re: What's the spooks' solution?

The solution is easy: Switch it off. No more smut then.

Likewise ban sugar, salt and all the other things that make people die. Outlaw alcohol, tobacco and cars. And sex, as you're at it.

Unfortunately then everyone (well, most people anyway) will find Spain or France so appealing that they will no longer fork out taxes to pay for the wages of home secretary or deputy prime minister.

Who the flying f'!$% voted for this bunch to waste resources on this?

12
0
Anonymous Coward

Re: What's the spooks' solution?

Next I suppose they want you to fill out some form in advance telling them where you plan to drive in your car, and how many passengers and why.

1
0
Gold badge
Unhappy

Re: What's the spooks' solution?

"Who the flying f'!$% voted for this bunch to waste resources on this?"

No one of course.

This was conceived at least 8 Home Secretaries ago as the Interception Modernization Programme. It's essentially an idea thought up by a group of former senior intelligence civil servants.

Naturally they are mostly PPE graduates (there was one with a degree in particle physics) with no remote idea of what they are asking for or the scale of the problem.

7
0
Joke

"And sex, as you're at it."

Can't you wait till I'm done?

0
0
Black Helicopters

If they rolled out IPv6

We could have them personally assigned, on providing our ID cards and DNA.

Oh..wait a moment...

/me wonders if we'll next hear an announcement from HMG that they're going to help fund the roll out of IPv6 for "the benefit of our e-economy". And nothing at all to do with copyright, intellectual property, terrorism & pron.

20
0
Silver badge
Thumb Up

Re: If they rolled out IPv6

If it speeds up the delivery of IPv6, I'll take it. Not like VPNs would suddenly cease to exist too.

5
0
Anonymous Coward

Re: If they rolled out IPv6

I agree with you that personally I don't mind all of my data packets being made into digitally signed and certificated evidence (IPv6) with the MAC address of the packet origin device also signed evidence.

Some other users may occasionally like to have a bit more pseudonymity, journalists, HMRC whistleblowers (google Osita Mba) etc - what privacy enhancing tools will they be able to use? (and I don't (yet) class Tor as being a safe tool for hazardous circumstances)

I disagree slightly in that VPN may well be 'virtual' - but they increasingly fail to be 'private' as the ease of snooping the data using multipurpose 'special' PKI certificates is no longer just at State level, but increasingly at Enterprise level too. Sometimes that too can be OK, but do we just "get over it"? or do 'we' have to build our own nitrogen pressurised fibreoptic crypto systems with keydump on loss of pressure to swap great LOLcatz pics?

1
3
Silver badge

Re: If they rolled out IPv6

I disagree slightly in that VPN may well be 'virtual' - but they increasingly fail to be 'private' as the ease of snooping the data using multipurpose 'special' PKI certificates

You're telling me that Enterprises can watch what's happening inside an SSH link?

I think a lot of people might like to have a little chat with you.

0
0
Anonymous Coward

MAC address in packet - not that myth again!

"I don't mind all of my data packets being made into digitally signed and certificated evidence (IPv6) with the MAC address of the packet origin device also signed evidence."

Not that myth again (I wonder if Snopes or Adam and Jamie could be persuaded to address this....).

Yes, at one point there was the consideration to make the bottom 48 bits of the IPv6 address be the MAC address of the device, to simplify stateless autoconfiguration. Then EVERYBODY pointed out the obvious security flaws in that idea, and the idea of using the MAC address to form the publicly routable address was DROPPED. AXED. KILLED. REMOVED. That idea is not pinin' for the fjords, it is PASSED ON.

Even the idea of using the MAC address for the link local addresses has been made OPTIONAL, and alternatives to allow link local addresses to be created randomly have been defined.

7
0
Facepalm

Re: If they rolled out IPv6

We can only hope this will speed up the rollout of IPv6 before we're all forced behind CGN :(

1
0
Anonymous Coward

Re: If they rolled out IPv6

You're telling me that Enterprises can watch what's happening inside an SSH link?

Of course they can. And do.

F'rinstance

http://www.phoenixdatacom.com/products/monitoring-visibility-into-ssl-traffic-up-to-3-5-gbps/

0
0
Thumb Up

Re: If they rolled out IPv6

Fortunately, IPv6 can help your privacy: RFC4941.

0
0
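The two posts above disagree about whether an IPv6 address carries the sender's MAC. Both are right about part of it: the modified EUI-64 scheme does embed the MAC (and it is trivially reversible), while RFC 4941 temporary identifiers do not. The following is an added example, not code from the thread or from any of the posters, that forms an EUI-64 address from a MAC, recovers the MAC from such an address, and generates a temporary identifier in the spirit of RFC 4941. The prefix and MAC are constructed; the temporary identifier uses a CSPRNG rather than the RFC's MD5-based history value, which is an assumption made for brevity.

```python
"""
Added example (not from the original thread): how the modified EUI-64
scheme embeds a MAC in an IPv6 interface identifier, how to pull it back
out of an address, and how an RFC 4941-style temporary identifier avoids
that. The prefix and MAC below are constructed sample values.
"""
import ipaddress
import secrets
from typing import Optional


def eui64_iid(mac: str) -> bytes:
    """Modified EUI-64 interface identifier from a 48-bit MAC (RFC 4291 App. A).

    The OUI half and device half are split, 0xFFFE is inserted between them,
    and the universal/local bit (bit 1 of the first octet) is inverted.
    """
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC")
    first = octets[0] ^ 0x02  # flip the U/L bit
    return bytes([first]) + octets[1:3] + b"\xff\xfe" + octets[3:6]


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Global address a SLAAC host would form from a /64 prefix and its MAC."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64")
    iid = int.from_bytes(eui64_iid(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def mac_from_address(addr: str) -> Optional[str]:
    """Recover the MAC if the low 64 bits look like a modified EUI-64, else None.

    This is the traceability property the thread objects to: anyone who sees
    the address learns the hardware address of the sending device.
    """
    iid = int(ipaddress.IPv6Address(addr)).to_bytes(16, "big")[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in octets)


def temporary_iid() -> bytes:
    """Random 64-bit interface identifier in the spirit of RFC 4941.

    Assumption: RFC 4941 derives the value from an MD5 history chain; a CSPRNG
    output has the property that matters here (no MAC inside, changes over
    time). The U/L bit is cleared so it cannot be mistaken for a universally
    administered EUI-64.
    """
    iid = bytearray(secrets.token_bytes(8))
    iid[0] &= 0xFD  # clear bit 1 (the U/L bit)
    return bytes(iid)


def temporary_address(prefix: str) -> ipaddress.IPv6Address:
    """Address formed from the prefix and a fresh temporary identifier."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    iid = int.from_bytes(temporary_iid(), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


if __name__ == "__main__":
    PREFIX = "2001:db8:1234:5678::/64"   # documentation prefix (constructed)
    MAC = "00:1b:21:3c:4d:5e"            # constructed sample MAC
    fixed = slaac_address(PREFIX, MAC)
    print("EUI-64 address :", fixed, "-> MAC", mac_from_address(str(fixed)))
    temp = temporary_address(PREFIX)
    print("temporary addr :", temp, "-> MAC", mac_from_address(str(temp)))
```

Running it shows the EUI-64 address `2001:db8:1234:5678:21b:21ff:fe3c:4d5e` giving back `00:1b:21:3c:4d:5e`, while the temporary address yields nothing. The `ff:fe` marker in the middle of the identifier is what makes EUI-64 addresses recognisable on the wire, which is why operators who care about this enable temporary addresses (or stable-but-opaque identifiers) rather than relying on the host defaults.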
Silver badge

Seeing inside an SSH/SSL link

Only the issuer of the certificate/key can see inside the link - that would include the possibility that those who issue SSL certificates like Verisign are cooperating with various governments. If you must use a properly issued certificate rather than self-signed and want to minimize the chance your own government can decrypt your traffic, you might want to choose a CA based in a country that's on less than friendly terms with your own. In the US we might want to see if there are any options in Venezuela, for instance. In the UK, you're probably pretty safe if you can find an Argentinian CA :)

You can't ever discount the possibility that the NSA and their friends in the UK have broken the encryption scheme you're using, but even if they have done so, the decryption won't be free, so it couldn't be done en masse unless they're so far ahead they have working quantum supercomputers. Assuming they can't do it for everyone, they'd have to take a special interest in you to decrypt your traffic. If they do, you probably have much bigger problems than insecure encryption once they send a black bag squad over to bug your computers, your house, your car, and your cat.

Even if the NSA doesn't decrypt your traffic in real time, that doesn't mean some of it isn't getting saved somewhere so it can be decrypted later just as the Boston investigation has proven phone calls to be.

The worries about your place of work decrypting your traffic are nil. If you're accessing your home SSH server or email server using self signed/created certificates, they can't possibly do this. Nothing stops them from having keylogger software on your work issued computer, of course, so if you're paranoid about this, you may want to inquire about their BYOD policy :)

1
0
Silver badge

Re: copyright, intellectual property, terrorism & pron.

None of those things are things that I worry about.

0
0

Clegg ... a tough nut to crack

0
0
Anonymous Coward

I think you have the words in the wrong order. 'Clegg - a cracked nut'. And where the 'tough' comes in I'm not sure, except when he's claiming his EU pension.

1
1
ACx

It's all those "tough decisions" they have to keep taking, out of choice... Oh, no, it's all the previous government's fault.

1
1
Silver badge

If more proof were needed...

That the political class has even less understanding of the Internet than the general public, this has to be it.

Endless argument and billions spent on solutions to non-existent problems that don't even work and will never even work.

Unless everybody is bolted to a fixed IP address and massive router flap happens when they connect via a wifi hotspot, there is never going to be a way to guarantee IP level traceability, and NAT rules anyway.

Even if you stuck a MAC address in the packet, that too can be hacked away.

Of COURSE it would be simple if every single message could be uniquely tagged to an end user or piece of physical kit. It would be simple if we all had chips embedded in our foreheads uniquely identifying who we are so that our movements could be recorded in real time on Stasi Central's computers. "we note that you and your neighbour's wife's GPS are coincident in her bedroom for over three hours: vote Stasi or your wife gets to hear".

Like all grandiose and lazy political schemes, it will cost a fortune, won't work, and will simply irritate people.

16
1
Anonymous Coward

H

My forehead would be the one with a H on it. Hammond organ recital any one?

1
0
Silver badge
Trollface

Re: If more proof were needed...

"That the political class has even less understanding of the Internet than the general public, this has to be it."

Oh, come off it -- they have Martha Lane Fox on board , an expert on all things internet.

1
0
Facepalm

Re: If more proof were needed...

True - but there are people out there dumber than the politicians.

The average child murderer or terrorist bomber does seem incapable of emptying (much less wiping) their Internet browsing history and cache - let alone fathom VPNs, anonymous proxies, MAC obfuscation etc.

This does give the illusion that a mega-log of everything an ISP sees could be trawled for suspicious activity.

2
0
Anonymous Coward

Re: If more proof were needed...

Dot1x + Radius....

0
0

Re: If more proof were needed...

"The average child murderer or terrorist bomber that actually gets caught does seem incapable of emptying (much less wiping) their Internet browsing history and cache - let alone fathom VPNs, anonymous proxies, MAC obfuscation etc."

Fixed.

(Although, I accept your point; there aren't that many unsolved bombings / child murders.)

1
0
Anonymous Coward

Re: If more proof were needed...

"(Although, I accept your point; there aren't that many unsolved bombings / child murders.)"

It seems that a lot (most?) of intelligence led "terrorist" arrests end up without any terrorist offence to prosecute. Others have been prosecuted for having accessed freely available material that was once the knowledge of any half-intelligent schoolboy.

There was that raid where a man was accidentally shot. Eventually the Police said that even though they hadn't found any evidence for a terrorist charge - there were other offences. The major one specifically being kiddie pr0n. Finally they had to admit the latter was one alleged thumbnail in a cache - insufficient for any charge.

2
0
Silver badge

Re: If more proof were needed...

"(Although, I accept your point; there aren't that many bombings / child murders that don't get pinned on someone.)"

Fixed that for you, too.

0
0
Silver badge

Sir

Hearing the Queen talk about IP addresses is like listening to a budgie discuss quantum physics.

Weird.

27
0
Silver badge
Unhappy

Re: Sir

I wouldn't be surprised if Her Majesty knows a damn sight more about IP addresses than the Govtards who will be formulating this legislation.

18
0
Silver badge
Happy

Re: Sir

I'll go further. I'd be surprised if she didn't know more than the numpties. She has a long history of being well informed.

9
0
Stop

Re: Sir

But... "cyberspace"!

0
0
Anonymous Coward

Re: Sir

The queen "has a long history of being well informed".

In fact, there is a long history of assorted sycophants and spin doctors asserting that she is well-informed (and possesses a large number of other virtues to boot).

I'd rather converse with Sir Runcible's budgie.

3
11


I suspect that they're merely humouring each Home Secretary each time this comes up, safe in the knowledge that each minister won't last long enough in the job to chase them up on it.

Could've been worse, Theresa May could well have demanded Batman's sonar phones from the Dark Knight.

3
0
Silver badge
Unhappy

Arrrgh!

Please give prior warning before mentioning that woman's name.

0
0
Anonymous Coward

This "problem" will only get worse

BT are running tests on carrier-grade NAT so one IP address will support many users simultaneously, making it much harder to match subscribers (let alone users) to online activity.

Unfortunately, this will also break many of the interesting things you might want to do online.

1
0
Silver badge

Re: This "problem" will only get worse

What's so hard?

BT have a record of which customer was getting which packet, BT are more than happy to help the government by handing over any data , with or without a warrant.

A more serious IP problem is that it doesn't uniquely record which site you visited. Your machine accesses 100.200.100.200 to download a thumbnail from an advertiser on El Reg. That server also hosts the Grimethorpe Ferret Lovers secret photo archive - so the fair and wise Ms May has a record that you accessed a site showing images of under-age ferrets.

1
0

Re: This "problem" will only get worse

Most (httpd) server logging assumes that the IP address the request came from is enough to track its owner. With NATs the (httpd) server also has to log the TCP port number.

With the Port number and time, then the NATs logs (in theory) can be checked to see which customer (unless that is also a NAT; say an open wifi) the request came from.

1
0
Silver badge

Re: This "problem" will only get worse

A great many NAT systems don't provide that sort of logging and the logs would be horrendous in volume anyway. Each socket you open would need to be separately logged. Then there would be the issue of stacked NAT. You'd need to correlate the logs of each level to get a fix.

So are they going to enact legislation that bans NAT systems that don't automatically log each translation?

I run quite a few connections where we stick a Linux box at the front end and it'll do all the NAT you want, but adding a couple of lines to your iptables config ain't going to produce logs of what packets originate from which of your internal addresses. Then there is the matter of identifying the internal addresses. My youngest managed to find out how to change the MAC address on his phone at the age of ten, in a vain attempt to get around his "bedtime WiFi blocking" (hopefully he's not reading this) but if he'd chosen to spoof to the MAC address of another device in the house he'd have probably succeeded.

I'm afraid the boy Clegg hasn't got a clue about what he's talking about. He's in the normal politician's state of mind where he is only hearing what he wants to hear. Add to that the fact he's surrounded by people who only get paid if they tell him what he wants to hear and we end up at the mess they usually leave us in.

2
0
Anonymous Coward

Re: This "problem" will only get worse

"With the Port number and time, then the NATs logs (in theory) can be checked to see which customer (unless that is also a NAT; say an open wifi) the request came from."

A browser instance usually makes four TCP connections in parallel. In the old days each connection was discarded after downloading an HTML element - and a new one was opened for the next element. Modern HTTP keeps the TCP connections open for longer.

These are usually closed when: a new page URL is accessed; the connection has been idle for a couple of minutes; a busy HTTP server/proxy decides it doesn't want a potentially idle connection once the element request is fulfilled.

In practice that means any particular NAT source port is only assigned to a particular end user for a very short time. A source port number has to be put back into the active pool quite quickly given the fast turnover of a large ISP's NAT connections.

There are only a maximum of 65k+ source port numbers. So the NAT TCP stack implementation has either to have one global pool of source port numbers shared by all connections - or several pools differentiated with some additional connection criteria.

1
0
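The last three posts make a concrete claim: behind carrier-grade NAT, an IP address and a timestamp are not enough, you also need the translated source port, and even then the fast reuse of ports makes the answer sensitive to the exact time window. The following is an added example, not code from the thread or from any ISP, that correlates a web server log line against a NAT translation log. All log lines are constructed for the example, and both log formats (the `inside=`/`outside=`/`end=` translation record and the Apache-style request line with an optional `ip:port` client field) are hypothetical, chosen only to make the correlation visible. The subscriber table is likewise made up.

```python
"""
Added example (not from the original thread): attributing a web request to a
CGNAT subscriber. With the source port the answer is unique; without it, or
with a clock skewed across a port-reuse boundary, it is not. Every log line
and mapping below is constructed and the log formats are hypothetical.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Hypothetical CGNAT translation log: one line per mapping, with its lifetime.
# Note external port 40001 is used by two different inside hosts in turn.
NAT_LOG = """\
2013-05-08T10:15:01Z inside=10.64.3.17:51234 outside=203.0.113.9:40001 end=2013-05-08T10:15:09Z
2013-05-08T10:15:02Z inside=10.64.9.201:60123 outside=203.0.113.9:40002 end=2013-05-08T10:17:30Z
2013-05-08T10:15:12Z inside=10.64.5.44:49999 outside=203.0.113.9:40001 end=2013-05-08T10:15:40Z
"""

# Hypothetical inside-address to account table for the same window.
SUBSCRIBERS = {
    "10.64.3.17": "acct-1001",
    "10.64.9.201": "acct-2002",
    "10.64.5.44": "acct-3003",
}

# Hypothetical web server log lines, with and without the client port.
WEB_WITH_PORT = '203.0.113.9:40001 - - [08/May/2013:10:15:20 +0000] "GET /ferrets/ HTTP/1.1" 200 512'
WEB_NO_PORT = '203.0.113.9 - - [08/May/2013:10:15:20 +0000] "GET /ferrets/ HTTP/1.1" 200 512'


@dataclass
class Mapping:
    start: datetime
    end: datetime
    inside: str
    outside_ip: str
    outside_port: int

    def covers(self, ip: str, port: Optional[int], when: datetime) -> bool:
        """True if this translation could have carried a packet seen as ip[:port] at `when`."""
        if ip != self.outside_ip or not (self.start <= when <= self.end):
            return False
        return port is None or port == self.outside_port


NAT_RE = re.compile(r"(\S+) inside=(\S+):\d+ outside=(\S+):(\d+) end=(\S+)")
WEB_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+)(?::(\d+))? \S+ \S+ \[([^\]]+)\]")


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_nat_log(text: str) -> list:
    """Parse the hypothetical translation log into Mapping records."""
    out = []
    for line in text.splitlines():
        m = NAT_RE.match(line)
        if not m:
            continue  # skip anything that is not a translation record
        start, inside, oip, oport, end = m.groups()
        out.append(Mapping(_ts(start), _ts(end), inside, oip, int(oport)))
    return out


def parse_web_line(line: str):
    """Return (client_ip, client_port_or_None, request_time) from a request line."""
    m = WEB_RE.match(line)
    if not m:
        raise ValueError("unrecognised log line")
    ip, port, stamp = m.groups()
    when = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
    return ip, (int(port) if port else None), when


def attribute(web_line: str, mappings: list) -> set:
    """Set of accounts that could have sent the request.

    One element means the request is attributable. More than one means the
    available evidence (IP only, or a port inside a reuse window) does not
    single out a subscriber, and no amount of retention fixes that.
    """
    ip, port, when = parse_web_line(web_line)
    return {SUBSCRIBERS.get(m.inside, m.inside)
            for m in mappings if m.covers(ip, port, when)}


if __name__ == "__main__":
    maps = parse_nat_log(NAT_LOG)
    print("with port   :", attribute(WEB_WITH_PORT, maps))
    print("without port:", attribute(WEB_NO_PORT, maps))
```

With the port the request at 10:15:20 resolves to `acct-3003`; without it, two accounts match and the server log alone cannot choose between them. The same request line stamped 10:15:05 (a 15 second clock error on the web server) resolves instead to `acct-1001`, because port 40001 had already been recycled, which is the point the post above makes about how briefly a source port stays with one user.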

So we'll be getting individual tokens issued and every packet we send will be signed using our private key on the token. It's the only thing I can think of.

Of course, one wonders how much the copyright lobbyists have had their say on this matter.

1
0
Silver badge
FAIL

This from a government that can't move on from IE6 ?

I really wouldn't worry about it, I really wouldn't.

11
0
Anonymous Coward

Guilty until proved innocent

In other words, we assume you are guilty, and reserve the right to infringe your liberties, and if we accidentally accuse you of being a terrorist or pervert, then you can sort it out yourself.

7
0
FAIL

The police are as bad

I was contacted by our local police force to assist with the identification of stolen equipment. One of their senior bods had heard that you could trace machines via IP address and wanted me to let them know how they could match up devices (PS3s, Xboxes and phones) with IPs so they could return them to the owner.

I told them that each device would have a MAC address that was unique (I didn't go into spoofing) but that the IP would change depending upon which network it was connected to. They could cross reference the MAC address against information ISPs hold about which MAC address had been assigned which IP address. The police were adamant that this wasn't the case and that the IP was the only piece of information they needed to identify the device.

I tried to explain that the laptop I was emailing them on was picking up xxx.xxx.xxx.xxx at work but it picked up yyy.yyy.yyy.yyy when I was at home and zzz.zzz.zzz.zzz when I was connected to a different network. I gave them a brief overview of DHCP and DNS and they were still fixated on IPs and IPs alone as the single identifying factor.

I advised them to contact their IT department to corroborate what I had told them and to get back to me if they wanted further clarification. They never got back to me.

2
0
ACx

Re: The police are as bad

They are probably still trying to understand what you said to them.

4
0
Devil

Re: The police are as bad

Or they have been dialling xxx.xxx.xxx.xxx to try to reach you at work.

When they got no reply they tried calling you at yyy.yyy.yyy.yyy in case you were at the office...

10
0
