British politicians sign off on surveillance law, now it's over to the Queen The UK's Investigatory Powers Bill has completed its passage through parliament and now only awaits Her Majesty's stamp of approval before becoming law. Also known as the Snoopers' Charter, the legislation has been criticised as being among the most onerous in the world upon the civilian population, and will require British …
Really..the government could not give a shit about terrorists...they have more to fear from losing elections, or the people eventually finding-out that they have been selling them down the road from year one. The scandal of the expensesgate, where people found out that they were paying for floating birdhouses on ponds, lawn drainage installation and flats for mistresses has now faded, and that information is now no longer available. Now it's payback time....peoples memories are short.
Once upon a time we had care.data.....well, we still have it, it's just gone underground for now. And all your identifiable hospital data has already been sold anyway....
This is not about protecting people, keeping your children secure (capita has your childrens data....secure? !!) or protecting you from bombs on the underground....
It's not just the government. Despite being really jolly cross about the IPB, peers just waved it through in the end too. Not because they had to - they could have made all sorts of trouble by using the processes of parliament to obstruct the bill indefinitely - but because it would be bad form.
After the last few months, you do have to wonder what the point of democracy is.
@ Primus Secundus Tertius
I believe you're wrong there. A Chinese slurp is better for several reasons:
1) If you exercise reasonable precautions (and don't use your Android phone for banking or business secrets) there's not a lot the Chinese can do to you. Unless you give them the means to get at your money or company secrets (and if you're doing that on an operating system written by a marketing company you really have nobody but yourself to blame) you're out of their jurisdiction and they are not interested in you. Plus, for the price of their slurping, they have to pay a translator to be bored shitless; which isn't justice, exactly, but is nonetheless somehow vaguely pleasing.
2) The data bill covers every machine; not just one already shonky OS.
3) It's done by our own side by people who have powers to make your life crap for no reason at all.
4) It *will* be abused
As with everything the UK government tries to do with computers, it will be an unmitigated disaster.
They have no idea of the sheer volume of data they'll be trying to harvest. The clueless overpaid software shysters will sell them all sorts of worthless "analysis" software to comb through the vast amounts of data they'll collect, and after they raid a few schools for children connecting to inappropriate websites, they'll quietly drop the nonsense after squandering squillions of quid of our money.....
it's much easier to focus your attention on those on VPN, than on browsing of the whole nation. So why exactly are you so keen on protecting your privacy, Mr Abhani of 32 Terror Close, that makes you so keen to pay for such services each month, eh?! Inquisitive minds want to know, and now they have VARIOUS vectors of approach to find out :/
Perhaps you're paying for a VPN service because you don't trust open wifi hotspots?
Or perhaps you're using a free service you get when you pay for Giganews usenet access. But VyprVPN do at least log when you're connected and what IP address you're assigned for time you're connected, mainly so they can pass on the blame to you in the case of DCMA stuff and I wouldn't doubt they log a lot more.
I still have a few scripts I knocked up ages ago for causing chaff to echelon.
They take a a file with a lost of words / phrases to search for.
Went through file, pinged the searches at a search engine & randomly went to one of the inks.
When end of file hit, start again
It repeated ad infinitum (or until parameter based limit reached)
Similar scripts running on lots of machines generates a lot of haystacks with no genuine needles.
Chaff variation:
Submarine ELF stations are always transmitting random data when not transmitting actual messages, so no assumptions can be made from transmission bursts.
In a similar way, I'll be running 24x7 a random IP address generator that will then, for a random number of minutes, do a random number of GETs to that IP address and any subpages that are returned..... both massively increasing and poisoning the haystack with random data, and obscuring my actual surfing.
When I've previously suggested doing this en-masse, someone suggested that this would only damage the ISPs rather than the government, and prices would then rise due to the need to store that extra data..... the market can only support a max price per subscriber. Once the ISPs' costs/subscriber rise above that max price/subscriber then ISPs are running at a loss; their CEOs will apply so much pressure to the Home Office that they will have to repeal at least the "retention of sites visited" part of this law, if not the whole thing.
Or they'll redefine "hacking" as also "visiting a website with no intention of viewing that website"... that'll be fun watching the CPS try to prove that, or proving that the GET came from Powershell rather than my Browser.
> In a similar way, I'll be running 24x7 a random IP address generator that will then, for a random number of minutes, do a random number of GETs to that IP address and any subpages that are returned..... both massively increasing and poisoning the haystack with random data, and obscuring my actual surfing.
If you do, be very careful.
I did some work a little while back examining the effectiveness of cover traffic on encrypted links.
You'll need to pay attention to the size of the response body and adjust the time between that and the next page accordingly (but not proportionally).
The time a human takes to switch between pages isn't consistent (we might load a huge page, read 1 sentence and click off because it looks crap, or lead a tiny page and take 5 minutes to read because we went and made a cuppa). But that's very different to random intervals as there is some correlation between the amount of text and the amount of time we spend reading.
You also need to make sure that the start and end times of your cover traffic aren't particularly consistent. Having a sleep at the beginning of the script helps a little, but if the traffic always starts within 60 seconds of quarter past the hour, it quickly becomes identifiable
> In a similar way, I'll be running 24x7 a random IP address generat
Don't do that. You don't want it running 24x7, you want it vaguely aligned to your sleep/wake cycle (as well as taking into account things like you going to work all day). Any traffic generated when there's a high probability it wasn't you gives an observer further means to analyse your countermeasures.
If they decide they're going to capture HTTP Host headers (which really, they'll want to), simply connecting to a given IP and requesting pages isn't going to do anything except make the traffic identifiable too.
There's a lot of other things to be considered too.
When observed over time (which is what an ICR will effectively be) the little differences in behaviour between a script and the average human become readily identifiable, and that's when the traffic is using an encrypted link. It's even harder with plaintext (which, to some extent, includes HTTPS because things like SNI are in the clear)
TL:DR running effective cover traffic is fucking hard, assuming your aim is to thwart anyone with any more than a passing interest.
Is not all hacking offensive, can some types of hacking be in-offensive?
Penetration testing of systems that you own is pretty inoffensive.
Did not the last Labour Government try to bring similar laws into force? If so, why did they now abstain in the vote for this?
I would guess two reasons.
1) Current Labour hierarchy regards New Labour as the anti-Christ.
2) A bill which says "The government should have access to everyone's records, but should promise not to abuse it" doesn't sound at all scary when you are the government, but very scary when you're the opposition.
I only have one question …… Is anyone/anything exempted from surveillance ….. for such a facility will always be abused and taken advantage of for private and personal enrichment at the expense of others?
And/But surely there is nothing to be really worried about, for bad laws are never followed/obeyed and are always ignored by the smarter being and/or more enlightened citizen. The madness that abounds would be in the thinking that any such laws would make a great deal of difference.
The current elitist establishment systems of administration have much more of a burgeoning problem with sensitive secrets being openly shared randomly and spontaneously with everyone and their dogs, rather than with secrets and dirty deeds done dirt cheap being squirrelled away out of sight and sound on servers.
First of course is the fact that if you believe the bull about elections the two parties involved .. .Labour and Conservative ... have been chosen by the majority of the idiots of this country to decide such matters for them. These people make choices based on interesting factors (he has a nice smile, his suit doesnt fit properly) and deliberate lies (we have lower taxes than they do...). Personally I think restricting the voting to people with an iq greater than 1 and enough interest to see what their 'representatives' actually do would create a far smaller number of votes and a better caliber of ruler.
Second given the mealy mouthed way our politicians and civil servants act and the downright dishonesty of the police (we didnt beat the newspaper sales man to death, we dont jump and down on peoples cars when we stop them and we certainly dont cause mass deaths in football stadiums...) I wonder at the idea that the isp keeps it for 12 months in case it is wanted for investigation. Does that mean that everyone is placed under investigation every 11 months and all data requested from the isps and then stored by gchq or the police national computer service for ever and ever (like dna samples).
This post has been deleted by its author
This post has been deleted by its author
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
