Top spook: ISP black boxes NOT key to UK's web-snoop plan

Government-funded black boxes that monitor the UK's internet traffic are not "the cornerstone" of the Home Office's web super-snoop plan, a top spook has told MPs and peers. Ex-MI6 man Charles Farr, who heads up the Office for Security and Counter-Terrorism, dismissed claims that Deep Packet Inspection (DPI) probes are the " …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    Anonymous Coward

    VPNs to be banned in the UK.

    That's how I read this statement.

    Farr admitted "there will still be workarounds" but claimed by 2018 that that gap could be tightened with a new law.

    1. g e
      FAIL

      "by 2018 that that gap could be tightened"

      Exactly what I was about to say.

      SSH tunnels it is then. Unless they want to ban SSH too and grind all internet work to a halt in the UK.

    2. Anonymous Coward
      Anonymous Coward

      Re: VPNs to be banned in the UK.

      If they have access to unencrypted data from the CSPs, VPNs are fairly pointless...

      1. DJ Smiley

        Re: VPNs to be banned in the UK.

        Sigh....

        1. TakeTheSkyRoad

          Re: VPNs to be banned in the UK.

          If you and I set up a VPN encrypted with a key we share, then the ISP and the CSP don't have access to the unencrypted data. Only you and me.

          There are free apps to set up private VPNs between friends already, often with gaming in mind.

          I'm going to be generous and assume that you mean a VPN provided by a CSP/ISP.

          1. Anonymous Coward
            Anonymous Coward

            Re: VPNs to be banned in the UK.

            Fair enough, but no my point was that using VPN to access a CSP would be pointless...

            The VPN would shield you from a DPI on the ISP side(s), but if the CSP was willing/ forced by law to divulge their unencrypted data then the VPN doesn't really help...

            For P2P/ non-CSP uses as you have suggested, VPNs would work well.

    3. PyLETS
      Big Brother

      Re: VPNs to be banned in the UK.

      Very unlikely, a. given long established business needs for these, and b. given VPNs tunnelled using widely used ports and encryption methods and using appropriate padding and chaff will be indistinguishable from SSH remote admin and HTTPS traffic. Your security using these also depends partly upon where and with whom you trust your VPN endpoint, and partly on the extent to which plod is willing covertly to burgle your premises, install taps on your LAN and rootkits on your devices.

      I'm all in favour of envelopes as well in preference to postcards most of the time, not because I have much to hide and not because steaming them open isn't possible, but because privacy is as much a convention as wearing clothes and steaming envelopes open and strip searches are sufficiently expensive for plod that these don't happen very often.

      Same goes with the workarounds mentioned - sure they exist, but how much do they cost? Make his enquiries a little more expensive and plod doesn't go on fishing expeditions; he has to restrict his more expensive espionage techniques to serious terrorism and organised criminality.

      1. Anonymous Coward
        Anonymous Coward

        Steaming envelopes open

        You make a very good analogy, sir.

        Isn't this the 21st century equivalent of those activities carried out (under the pretext of "security", of course) in East Germany? Who do you say are going to run those boxes, the Ministry for State Security, perhaps?

        I look forward to a UK remake of Das Leben der Anderen, although I'm not too sure this one will have a happy ending.

    4. despairing citizen
      Big Brother

      Re: VPNs to be banned in the UK.

      Closely followed by as many companies as can decamping their IT and core business admin out to countries where your price-sensitive information can't be snooped on by every bent copper in the Met, without any form of monitoring.

      Yet another "tackling unemployment" initiative courtesy of the House of Clowns.

    5. Anonymous Coward
      Anonymous Coward

      Re: VPNs to be banned in the UK.

      Get real!

      With all the businesses that require VPNs and encrypted comms to meet their compliance requirements to allow external users to connect to base, especially finance companies? No way!

    6. LarsG
      Headmaster

      As with

      As with all information, the more information you store, the more you want and then the more you want becomes an obsession for control. Look at the local councils as an example.

      The downside for them will be that there will be so much, so so so much information that it will be impossible to sift through. Eventually the amount of information is so great, there is overload and it becomes useless.

      1. Anonymous Coward
        Anonymous Coward

        Re: As with

        "The downside for them will be that there will be so much, so so so much information that it will be impossible to sift through"

        Downside?

  2. leon clarke
    Black Helicopters

    If that's all true...

    It would be quite easy to write a proportional bill.

    Key clauses:

    The spooks can only ask you to use the black boxes you already have and are using anyway, not install new ones.

    If something isn't traffic data from your point of view, it doesn't matter if it's traffic data to someone else.

    We could go on to suggest that the spooks can see any relevant data you have, but can't demand any data you don't see a need for.

  3. LinkOfHyrule
    Joke

    black box would be placed on a network where such information could be hoovered up

    I'm not sure how effective a 90s Italo House band would be at doing that, to be honest - I used to love that tune of theirs though, with the bird who mimed - "'cus you're right on time... woah-oah-wo-oa-oh-woah-oah-oh-ah-oh-woah-hoa!"

  4. Anonymous Coward
    Big Brother

    Bugger...

    Well if they have this access to the unencrypted data from the CSPs then rather pointless using VPNs...

    Unless you're setting up your own personal mail server...

    A few things

    - The author seems surprised that "Twitbook would be expected to retain unencrypted data on their systems". How can they not? The only data items that will regularly be encrypted would be key things like passwords and card details; no CSP is going to encrypt and store anything else. And even if they do, it will be in a form that they themselves can easily decrypt and provide.

    - "It's very easy to separate content from comms data", really???

    - "many CSPs were only too happy to cooperate", was this based on a court order, or as seemed to be the proposal here "signed-off by a senior member of the police force"

    - "If you have the right kind of data, issues of anonymisation cease to be a problem" sounds... interesting

    - "If people take greater efforts at anonymisation, it could become a problem", well you are driving them to it with laws like this

    - "there will still be workarounds" but "claimed by 2018 that that gap could be tightened with a new law", that says what exactly, monitoring software on each PC a la China?

    1. itzman

      It's very easy to separate content from communications data???

      You say really? I say bollocks. (Not to you, obviously.)

      It's ALL communication and it's all content and it's all both.

      I post a picture of a nude with a photoshopped tattoo saying 'plan B'... is that content or communication?

      Who knows?

      1. Ben Tasker

        Re: It's very easy to separate content from communications data???

        Post yer picture of her and I'm sure someone will tell you ;)

        I agree though, it's all content and communication and any attempt to separate them is going to have a high failure rate. You can be damn sure that they'll be willing to risk more false positives than missed intel though.

  5. JetSetJim
    Black Helicopters

    Replies from MP

    The replies I got from my MP & James Brokenshire MP (Parliamentary undersecretary for crime and security) basically state (http://forums.theregister.co.uk/forum/1/2012/05/21/JetSetJim_CCDP_response_from_MP/) that the new legislation is identical to the old legislation, but with the "outsourcing" component being to make ISPs capture this data. Where they can't capture it, they'll stick in DPI.

    Ironically they still hold up the RIPA safeguards as examples of how the information isn't going to be abused/leaked.

  6. Colin Miller

    HTTP

    In HTTP without persistent connections it is reasonably easy to separate the headers from the data in a PUT request (or all other requests).

    With persistent connections, how can you pick up the headers from any requests following the PUT without parsing the entire conversation?

    1. Tom Chiverton 1

      Re: HTTP

      It's worse.

      With Twitter, for instance, the 'who' is embedded in a packet of JSON you send to the server. So the black box needs to parse that. And Twitter can change their format any time, never mind when a new service comes along...

      But it's not about the technical details of why it won't work; it's about it being wrong to intercept everyone's comms.

      Innocent people have a right to privacy.

      1. Amorous Cowherder
        Unhappy

        Re: HTTP

        "Innocent people have a right to privacy."

        Yeah but the Gov and their corporate scumbag mates know your "movements" are worth a freaking mint, so stuff privacy when you're such a valuable little blighter!

        The first step is to strip us of our rights and freedoms, next step is to bottle us up and plug us in to the grid as just another battery, ala The Matrix!

    2. Mr Spoon

      Re: HTTP

      I very much doubt they're claiming they won't parse the data, the question is about what the algorithm parsing it spits out to investigators at the end, which means it's pretty easy to separate content out provided you have a parser per protocol, including higher level "protocols" like Twitter's AJAX interactions etc.
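The separation problem Colin Miller and Mr Spoon are describing, as an added example that is not code from any poster in this thread: a minimal parser for a pipelined HTTP/1.1 stream that has to consume each body (via Content-Length) before it can even locate the next request's headers, plus a per-format extractor of the kind Mr Spoon mentions. The byte stream and the JSON field names ("to", "text") are constructed, not any real service's API.

```python
"""Splitting "communications data" (request line and headers) from "content"
(bodies) on a pipelined HTTP/1.1 connection.

Added example for this thread; not code from any of the posters. The byte stream
is constructed, and the JSON field names ("to", "text") are hypothetical rather
than any real service's format.
"""
import json
from typing import Dict, List, Optional, Tuple

Request = Tuple[str, Dict[str, str], bytes]

# Constructed sample: two requests on one persistent connection. The second
# request's headers start only after the first request's Content-Length bytes.
BODY_1 = b'{"to": "alice", "text": "see you at noon"}'
SAMPLE_STREAM = (
    b"POST /messages HTTP/1.1\r\n"
    + b"Host: example.test\r\n"
    + b"Content-Type: application/json\r\n"
    + b"Content-Length: %d\r\n" % len(BODY_1)
    + b"\r\n"
    + BODY_1
    + b"GET /inbox?user=bob HTTP/1.1\r\n"
    + b"Host: example.test\r\n"
    + b"\r\n"
)


def parse_requests(stream: bytes) -> List[Request]:
    """Walk a pipelined stream request by request.

    Without persistent connections one TCP connection carries one request, so the
    first blank line ends the metadata. With pipelining, the next request's
    headers can only be found by parsing this request fully and skipping exactly
    Content-Length body bytes, i.e. the box has to read the whole conversation.
    """
    requests: List[Request] = []
    pos = 0
    while pos < len(stream):
        end = stream.find(b"\r\n\r\n", pos)
        if end == -1:
            raise ValueError(f"incomplete headers at offset {pos}")
        lines = stream[pos:end].decode("latin-1").split("\r\n")
        request_line = lines[0]
        headers: Dict[str, str] = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        pos = end + 4  # skip the blank line that terminates the headers
        if "transfer-encoding" in headers:
            # Chunked bodies need a chunk parser; out of scope for this example.
            raise NotImplementedError("chunked transfer encoding not handled")
        length = int(headers.get("content-length", "0"))
        body = stream[pos:pos + length]
        if len(body) != length:
            raise ValueError("truncated body")
        pos += length
        requests.append((request_line, headers, body))
    return requests


def extract_parties(request_line: str, headers: Dict[str, str],
                    body: bytes) -> Dict[str, Optional[str]]:
    """Hypothetical per-service extractor for 'who talked to whom'.

    Host and path come from the metadata, but the recipient here lives inside the
    JSON body, i.e. inside the content. Getting it out needs a parser written for
    this one format, which breaks as soon as the service changes its JSON.
    """
    _method, _, rest = request_line.partition(" ")
    path = rest.split(" ", 1)[0]
    parties: Dict[str, Optional[str]] = {
        "host": headers.get("host"), "path": path, "to": None}
    if headers.get("content-type", "").startswith("application/json") and body:
        parties["to"] = json.loads(body).get("to")
    return parties


def summarise(stream: bytes) -> List[Dict[str, Optional[str]]]:
    """Metadata-only view of every request in the stream."""
    return [extract_parties(*req) for req in parse_requests(stream)]


if __name__ == "__main__":
    for entry in summarise(SAMPLE_STREAM):
        print(entry)
```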

  7. Andrew Baines Silver badge
    Coat

    Cunning terrorist ideas

    Semaphore in a private room in Second Life?

    1. Bakunin
      Coat

      Re: Cunning terrorist ideas

      "Semaphore in a private room in Second Life?"

      That would be a dead giveaway as you'd be the only two people still on Second Life.

    2. Tom Chiverton 1

      Re: Cunning terrorist ideas

      Or stego. in youtube posts.

      No ISP is going to be able to do that. And YouTube are unable, physically or electronically, to send however many years' worth of video is uploaded each day to the spooks for checking. Assuming the spooks could check them all.

      1. Vic

        Re: Cunning terrorist ideas

        > Or stego. in youtube posts.

        Terrorspam. Stego in pictures of Asian "doctors" trying to sell you little blue pills.

        You could send it to the bloke that's supposed to be investigating the bad guys - if it gets through his spam filter, he'll undoubtedly bin it without looking at it.

        Vic.

      2. Anonymous Coward
        Anonymous Coward

        Re: Cunning terrorist ideas

        They don't send or redirect traffic via the black box. That would be stupid IT people like you that think this, right? Only persons of interest and with a court order.

    3. Tim #3

      Re: Cunning terrorist ideas

      or just post letters to each other

  8. Andy The Hat Silver badge
    Thumb Down

    "... needs to be signed off by a senior member of the police force."

    Hmm ... would that be an elected (from a limited, pre-chosen few), party-political puppet of a Police Commissioner who will not have the knowledge of the law behind him (unlike a Judge should) and could easily be pressurised by the 'more knowledgeable' requesting officers? This probably means the decision could be made in a completely biased way depending on the day of the week ...

    This is not good.

  9. Crisp
    Go

    All my future posts on all sites will now look like this:

    -----BEGIN PGP MESSAGE-----

    -----END PGP MESSAGE-----

    1. Anonymous Coward
      Joke

      Re: All my future posts on all sites will now look like this:

      Sounds like an excellent idea!

      But I'll go one up on you by not posting at all!!

    2. Ben Tasker

      Re: All my future posts on all sites will now look like this:

      They'll crack it in minutes:

      "Sir, this message has been encrypted. Any idea what that means?"

      "Well Agent Smith, it means he's a terrorist"

      "Helicopters and waterboard despatched sir"

      1. oldredlion
        Happy

        Re: All my future posts on all sites will now look like this:

        xkcd covered this form of security

        http://xkcd.com/538/

  10. Chris Miller

    Can anyone explain

    why "between 500 and 1,000 communication data requests could be submitted for an average murder investigation"? It's been a few years since I worked on ETSI Lawful Interception, but IIRC a request normally relates to some or all voice/data/position info for a particular number for a given period. Do you really have hundreds of suspects in a single case?

    1. Tom Chiverton 1
      Meh

      Re: Can anyone explain

      Dear $telco,

      Please send me the details of everyone connected to the nearest cell tower to $murderLocation between $murderTimeStart and $murderTimeEnd.

      Thanks,

      Plod

      1. Chris Miller

        @Tom

        Quite - but I think that would only constitute a single request.

        1. Julz

          Re: @Tom

          But after you get the list of connected people, you then ask for all their data and voice records...

    2. Anonymous Coward
      Anonymous Coward

      Re: Can anyone explain

      I think they call this a "drag net"... from what I can tell the idea is catching on... once upon a time there was something called "evidence based investigation" which is hard for plod to do (right), so:

      * build a national ID database

      * build a DNA database

      * build a communications intercept database

      ... you get the idea... or put another way "we're sleepwalking into a surveillance state" - perhaps what we need is a constitution to give us some protection from HMG?

  11. Tom Chiverton 1
    Stop

    So, the black boxes are required, and a key plank, unless you are using Talk Talk who already do DPI for something different?

    Or black boxes are only required if you won't give the spooks direct SSH access to the ISP mail cluster?

    Sadly no one on the committee knew enough to ask him what will happen when the CA for the spoofed SSL certificates is removed from everyone's browser...

    1. Anonymous Coward
      Anonymous Coward

      I think it's worse than that!!

      I think you'll find that "they" have several intermediate certificates "legitimately" issued by major CAs so that they can insert a new cert signed by an intermediate (that they "own") from the same originating CA... at least that's what a man from Detica said ;-)

      Ergo... there is no "spoof CA" that you can delete to fix this problem... we're all doomed I tell you!

  12. JimmyPage Silver badge
    Big Brother

    The bottom line

    There's an obvious dichotomy inherent in the government's plans.

    If they can intercept and read everything then clearly e-commerce will die. If banks can't rely on the technology used being secure, then they can't offload the liability onto the customer. The second that happens it's end of game.

    If they have to leave some parts secure, in order to assuage the worries of the banks, then there is always the option to use *that* channel for your secret surfing.

    The *real* purpose of this law though, like the extreme porn law, or various swathes of anti "terror" legislation, is to give the state a tool they can use to deal with people they don't like. Since Magna Carta, inventing reasons to lock people up (and in most cases execute them) has been frowned upon. So successive governments have carefully (what, you thought they were incompetent when they were drafting those laws? A parliament full of lawyers?) drafted laws that can catch most people out, if they step out of line.

    1. Tom Wood

      Re: The bottom line

      By "comms data" they mean "Joe Bloggs sent a message to John Smith at (date/time)". The sort of thing equivalent to checking telephone records to see that number x called number y.

      This is different from intercepting the content of the communication (the equivalent of tapping the phone call).

      Banks only care that the content of the messages is private, not that the details of the communications are private.

  13. Tom Chiverton 1
    FAIL

    Ummm

    "If CSPs refuse to provide those authorities with access to such data, a black box would be placed on a network where such information could be hoovered up."

    CSP was defined as Facebook/Google rather than ISPs earlier.

    So if Facebook/Google won't give in to a UK court order, and we know Google does refuse them, then everyone in the country has to be wiretapped? What 'logic' ...

    1. Anonymous Coward
      Anonymous Coward

      Re: Ummm

      This is possible without any "black box" that they want. The ISP can see connections from IP X to IP Y at Z date/time. This is no matter how encrypted the content is.

      This is the same as the phone records.

      So why do they need to snoop?

  14. SJRulez

    The missing %

    "we are not proposing this law on the grounds that it will provide 100 per cent coverage of the communications data in this country"

    Yep and you can guarantee the missing per cent will be the important terrorist communications...... or at least that will be the defending argument when there is an incident they failed to detect and they have to justify the ridiculous amounts of money that will be spent.

    1. PyLETS
      Big Brother

      Re: The missing %

      It's likely also to include my £15/month Virtual Machine server, capable of running a variety of encrypted services. I'm not expecting plod to ask for access to my email logs any time soon, but if he does, I'll want to be sure the request is legal and required under the law before I comply, otherwise I might be breaking the Data Protection Act by acceding to a bogus request. If plod wants to put a DPI black box on the network of the ISP hosting the VM or use other techniques e.g. to obtain access to the VM filesystem on the VM host, that's up to them. If I were bothered enough about this, I'd find a virtual server host in a country with different laws.

      Securing direct real time access for plod seems more likely for larger CSPs than small ones like yours truly. Going after the minnows is going to be much more expensive and generally slower. So if you want plod to have to ask politely and have his credentials checked carefully when he asks, choose a smaller CSP in preference to Gmail or Hotmail or Facebook.

      1. Arrrggghh-otron

        Re: The missing %

        If I'm reading the draft bill correctly then you are considered a 'telecommunications operator' and hence come under the scope of the bill. On the upside, again if I am reading it right, there will be some funds available to help you monitor your VM and retain all that lovely traffic and user data...

        (I was checking because I don't like the idea of blanket monitoring and wanted to reply to the consultation, but I also run an email service both at home over dsl and on a VM which is deliberately overseas but not in the US.)

        21. Subsection (1) provides for the Secretary of State by order (subject to the affirmative resolution procedure – see clause 29(2)) to ensure or otherwise facilitate the availability of communications data from telecommunications operators so that it can be obtained by relevant public authorities in accordance with Part 2. The term ‘telecommunications operator’ is defined in clause 28 as a person who controls or provides a telecommunication system, or provides a telecommunications service. The term ‘communications data’ is also defined in clause 28. In summary it is information such as telephone numbers dialled, times of calls, details of callers and receivers, and website addresses. It is not the content of the communication. The Annex provides an illustration of what communications data means for particular forms of communication.

        1. JetSetJim

          Re: The missing %

          Someone should nail them to a figure per annum that the govmt will provide to do this. Then every single forum operator in the country should ask for it.

  15. Anonymous Coward
    Anonymous Coward

    More Power... to Them

    The security services will always want more powers. I'm not sure whether this law will pass in its present form, whether it will be struck down or a compromise reached. However, if it is defeated a new law would likely be introduced in a few years time under a more amenable Labour government. It is a bad law. For a start they are proposing they have the option to record the information on the outside of letters & postcards, though they won't use it!

  16. Vladimir Plouzhnikov

    Spooks

    I have come to a firm conclusion that any "security" services anywhere in the world are just self-serving mafia parasites. Their value to society is precisely zero. None of the "terrorists" they from time to time "catch" turn out to be terrorists, while real terrorists blow themselves up at will (when they are bright enough to be able to press the correct button).

    Looking back to the Cold War years, when these charlatans declared themselves the saviours of the world order (on both sides of the Curtain) all they ever did was occasionally murdering their counterparts, torturing each other on suspicion of being turncoats and claiming great insights into what the other side was doing, while in reality knowing absolutely bugger all about it. There was absolutely nothing they ever did or could do that could have changed the course of history or had anything to do with "security" with the exception of their interference in the political power play inside their own countries.

    Parasitic vermin - that's what they all are.

    1. PyLETS
      Boffin

      @Vladimir, Re: Spooks

      If terrorist attacks such as the Beslan atrocity, 9/11, the Lockerbie bombing etc had never occurred, I'd have to agree with you more than I do.

      To the extent similar plots are foiled based on convictions obtained through cross-examined evidence presented in open court, and reasonable valuations can be placed on lives saved, and based on other evidence of use of state-intelligence services against organised crime, newer and more advanced democracies are going to budget for such activities to an extent based upon objective grounds. The fact that all democracies which have suffered such atrocities provide for such services speaks for itself - no sovereign state is obliged to fund these spies.

      Bruce Schneier has given many counter examples in his blog where politically and hysterically based funding and ineffective and expensive security measures (security theatre) have been state funded. But if politicians on the committees which supervise and fund these services are doing their jobs well, it is possible to construct an objective case for some of these activities.

  17. Anonymous Coward
    Anonymous Coward

    If I was a terrorist....

    ...I'd be hiding communications in plain sight.

    The last thing you want to be doing is drawing attention to yourself using a VPN. Sure, there are loads of people using corporate VPNs, but I'd imagine GCHQ can filter out all of those using IP/reverse DNS.

    How many people are using VPNs for private use? Genuine question. I do for bittorrent, but how many other paranoid/sensible torrenters are out there?

    1. Annihilator
      Boffin

      Re: If I was a terrorist....

      Me. I have the VPN server enabled on my NAS at home and use it whenever I'm doing something vaguely private on a public wi-fi. Is that seen as "suspicious"? VPN is also a useful tool to authenticate instead of encrypt, so I can access any of my data at home remotely. Does this qualify as "suspicious"?

      Hiding comms in plain sight (steganography) is a good point though. Truecrypt also offers hidden volumes disguised as random data which blurs into the same field.

      1. itzman
        Pirate

        Re: If I was a terrorist....

        Steganography is likely to be the big growth industry - even simply to protect commercially confidential information. Along with one time pad techniques.

        These government measures will simply catch the innocent and the stupid. Particularly since we know exactly what they are likely to be.

  18. Anonymous Coward
    Anonymous Coward

    A telling remark

    "We could in theory accept that there is a communication service used by criminals where we cannot access any data. But that is not the view of this government,"

    Or in other words, the view of this government is that they can access any data. And it doesn't matter whose.

    Nice to know for sure that they are only paying lip service to the concept of privacy.

  19. Graham Marsden
    Big Brother

    "If you have the right kind of data...

    "...issues of anonymisation cease to be a problem."

    In other words, "Let us snoop *everything*"

  20. despairing citizen
    Big Brother

    Military (UN)Intelligence demo'd again

    From the unintelligent service.....

    "If people take greater efforts at anonymisation, it could become a problem... but I'm satisfied by the techniques being developed. Many workarounds can be defeated... we are not proposing this law on the grounds that it will provide 100 per cent coverage of the communications data in this country."

    Means the following.....

    "If people take greater efforts at anonymisation, it could become a problem."

    where people = criminals with a higher IQ than the idiots proposing this

    "provide 100 per cent coverage of the communications data in this country.",

    except for people defined as above, therefore, 100% coverage of honest law-abiding citizens, which can then be used for mud slinging by AC at the Cabinet Office when the civil servant proves the government is lying, or sold to NewsCorp by bent coppers.

    And all for a mere £2Bn, if it runs to budget, so make that £6Bn to £8Bn in real life.

  21. Arrrggghh-otron

    The draft bill

    For anyone bored enough to read it, the draft bill is here (be warned, when I downloaded it there were a few pages out of order).

    http://www.official-documents.gov.uk/document/cm83/8359/8359.asp

  22. Dr Dan Holdsworth
    FAIL

    Think of the physical security implications here

    Let us assume that the spooks have a working DPI black box which logs data contained in SSL to its hard disk. As soon as this is done, the disk of the black box turns into a shiny little gold-mine of sensitive information including banking details and the like. The following non-inclusive list of people would definitely want to get their hands on it:

    1) Script kiddies, who will already be honing their tools (read, downloading different lame bash scripts) to try to break into these devices. They likely won't get in, but will cause a security problem in trying to do so.

    2) Corrupt Indian techies. The service will likely be outsourced to save on costs, and given the paucity of cheap talent in India, it will be easy for a crook over there to get hired for a sensitive job where he/she can get at the data and sell it on.

    3) Corrupt civil servants. The civil service is chronically underpaid, and comically bad at IT. A good IT techie is almost impossible to find on those wages, so a decent mole ought to be able to infiltrate the systems very easily indeed.

    4) Burglars. If you can't get hold of the data by electronic or bureaucratic means, just break into the ISP's buildings and physically steal it. Most ISPs are secure enough to defeat Joe Random Chav, but if a local Mr Big gets involved then a raid involving simultaneous power supply sabotage, firearms and heavy plant machinery is entirely possible.

    5) Corrupt ISP staff. The black box hard drive is very easily stolen, if you know where to look and have access.

    6) Smart terrorists. Admittedly smart terrorists are rarer than incorruptible bankers or sane politicians, but one might eventually turn up and have a bright idea: steal a black box, and make a demand with the threat that the black box data will be revealed if the demand isn't met.

    7) Smart pranksters. Claim to have downloaded the contents of a black box and put up an encrypted container of the supposed contents on bit torrent. Warn all customers of the ISP that on a certain date the key will be revealed, so they'd better amend their banking details, etc.

    Logging sensitive data is a bad idea. Logging it to local disks in an ISP is a spectacularly idiotic idea that will cause no end of trouble, both for the ISP and for the Government, and won't actually catch any criminals since there are many ways around the thing.

    1. dephormation.org.uk
      Holmes

      Re: Think of the physical security implications here

      Why bother stealing it?

      ISPs are clearly prepared to sell this data (with impunity) to people like Phorm, Huawei, and Bluecoat.

  23. Andrew Jones 2
    Meh

    Sorry, can someone explain something to me -

    I am still seeing numerous mentions of ISPs using these black boxes for DPI - but I still don't get it - I thought SSL was secure - it couldn't be intercepted part way through?

    Any communications websites these days use SSL as default, as do all the mobile versions of those apps.

    With regards to VPN - I use VPN for a number of reasons:

    1) it provides me with access to my internal network when I am outside my network, this is useful for restarting servers and getting VNC access to a computer.

    2) It provides me with access to my 16 camera DVR CCTV system.

    3) It ensures that when I use public wifi somewhere, my internet traffic is being routed back to Scotland and out over my own internet connection - so I don't need to worry about other people on the public wifi sniffing for credentials of the various apps running in the background on my phone. Better to be safe than sorry.

    Essentially all 3 reasons come down to the same thing though - direct access to my own network from outside it.

    1. This post has been deleted by its author

    2. Anonymous Coward
      Anonymous Coward

      RE:

      SSL works on trust. If you can prove that you are the owner of google.com a CA will generate a certificate for it.

      If you check your OS/Browser CA list you will see lots of interesting already-trusted CAs in there (including governments).

      All it takes is for one of them to produce a certificate or give the gov the ability to generate certs and all your data can be decrypted by a MITM

  24. Ant Evans
    Holmes

    Non-event

    This is no more feasible than it was three years ago. Who's been pocketing the consulting fees all this time?

    http://www.theregister.co.uk/2009/04/27/imp_consultation/

  25. This post has been deleted by its author

  26. Anonymous Coward
    Anonymous Coward

    Re: Can anyone explain

    Do you really have hundreds of suspects in a single case?

    It can be arranged, if necessary.

  27. Anonymous Coward
    Anonymous Coward

    hmm

    Well, first off assume all present encryption systems are compromised.. You only have to look at Phil Zimmermann's new enterprise to see that he has clearly been 'gotten to'.

    Second, treat all internet activity as if you were sending the information on a postcard and act accordingly.

    Third, if you want to talk to someone securely have them bundled into a white van, blindfolded, driven round in circles for a few hours before being presented at the rendezvous place. Then use the Mark I voice box to manually exchange ideas in a room you have made secure.

    Meanwhile, create a cool new program to spew out reams of meaningless triply encrypted junk through VPNs, ISPs.. Let's see if there really is a blank cheque to fund this when they have skyscrapers full of hard drives full of meaningless data to mine.

    Believe me.. if you want to piss me off by prying into my browsing habits I am going to make the work of those who are spying on us all much more difficult.

  28. JustWondering

    Lucky

    In Canada we were fortunate that the MP who introduced a similar bill had trouble keeping his pants on. The fact that he wasn't sure of what was actually in the bill didn't help his cause either. So, we're okay for now but they'll be trying again soon. Mind you, the bill proposed in Canada would only have legitimized what is already happening. It would have made the evidence gathered by this usable in court.
