What's the spooks' solution?
I wonder what the various max-surveillance types in the security services would actually like. Would they want a China-style solution where you have to present your ID to get access to any kind of internet access?
The Queen opened a new session of Parliament this morning and - as expected - Home Secretary Theresa May's Communications Data bill was absent from the government's upcoming programme of law-making for the next year. However, as indicated by Deputy Prime Minister Nick Clegg - who said late last month that the so-called …
Surely it would be better to use static or DHCP reserved addresses rather than normal DHCP allocated ones (if they want to make traceability easier and not have to look through DHCP logs). Maybe a reserved DHCP lease based on your Identity Card, NI number (or even some new "Internet Licence Number") sent as the GUID in the request.
Otherwise use a national captive portal.
I am joking of course as I know this wouldn't work well and could easily be circumvented/spoofed etc - but I guess somewhere, somebody is thinking along these lines...so perhaps I shouldn't give them ideas. :-)
No Big Brother worrier here, but in the U.S. you generally do have to provide ID to access the Internet. A credit card through your ISP and/or mobile carrier, and a valid govt issued ID or library card (which is tied to your ID) for library access. Same in most hotels, airports and bus stations as well. I suppose you could go around looking for free open wireless but that's providing fewer options daily.
All I'm saying is that the Internet isn't nearly as anonymous as people like to think, especially if the person who wants to pry has a warrant.
The solution is easy: Switch it off. No more smut then.
Likewise ban sugar, salt and all the other things that make people die. Outlaw alcohol, tobacco and cars. And sex, as you're at it.
Unfortunately then everyone (well, most people anyway) will find Spain or France so appealing that they will no longer fork out taxes to pay for the wages of home secretary or deputy prime minister.
Who the flying f'!$% voted for this bunch to waste resources on this?
"Who the flying f'!$% voted for this bunch to waste resources on this?"
No one of course.
This was conceived at least 8 Home Secretaries ago as the Interception Modernization Programme. It's essentially an idea thought up by a group of former senior intelligence civil servants.
Naturally they are mostly PPE graduates (there was one with a degree in particle physics) with no remote idea of what they are asking for or the scale of the problem.
We could have them personally assigned, on providing our ID cards and DNA.
Oh..wait a moment...
/me wonders if we'll next hear an announcement from HMG that they're going to help fund the roll out of IPv6 for "the benefit of our e-economy". And nothing at all to do with copyright, intellectual property, terrorism & pron.
agree with you that personally I don't mind all of my data packets being made into digitally signed and certificated evidence (IPv6) with the MAC address of the packet origin device also signed evidence.
Some other users may occasionally like to have a bit more pseudonymity, journalists, HMRC whistleblowers (google Osita Mba) etc - what privacy enhancing tools will they be able to use? (and I don't (yet) class ToR as being a safe tool for hazardous circumstances)
I disagree slightly in that VPN may well be 'virtual' - but they increasingly fail to be 'private' as the ease of snooping the data using multipurpose 'special' PKI certificates is no longer just at State level, but increasing at Enterprise level too. Sometimes that too can be OK, but do we just "get over it"? or do 'we' have to build our own nitrogen pressurised fibreoptic crypto systems with keydump on loss of pressure to swap great LOLcatz pics?
I disagree slightly in that VPN may well be 'virtual' - but they increasingly fail to be 'private' as the ease of snooping the data using multipurpose 'special' PKI certificates
You're telling me that Enterprises can watch what's happening inside an SSH link?
I think a lot of people might like to have a little chat with you.
Only the issuer of the certificate/key can see inside the link - that would include the possibility that those who issue SSL certificates like Verisign are cooperating with various governments. If you must use a properly issued certificate rather than self-signed and want to minimize the chance your own government can decrypt your traffic, you might want to choose a CA based in a country that's on less than friendly terms with your own. In the US we might want to see if there are any options in Venezuela, for instance. In the UK, you're probably pretty safe if you can find an Argentinian CA :)
You can't ever discount the possibility that the NSA and their friends in the UK have broken the encryption scheme you're using, but even if they have done so, the decryption won't be free, so it couldn't be done en masse unless they're so far ahead they have working quantum supercomputers. Assuming they can't do it for everyone, they'd have to take a special interest in you to decrypt your traffic. If they do, you probably have much bigger problems than insecure encryption once they send a black bag squad over to bug your computers, your house, your car, and your cat.
Even if the NSA doesn't decrypt your traffic in real time, that doesn't mean some of it isn't getting saved somewhere so it can be decrypted later just as the Boston investigation has proven phone calls to be.
The worries about your place of your decrypting your traffic are nil. If you're accessing your home SSH server or email server using self signed/created certificates, they can't possibly do this. Nothing stops them from having keylogger software on your work issued computer, of course, so if you're paranoid about this, you may want to inquire about their BYOD policy :)
"I don't mind all of my data packets being made into digitally signed and certificated evidence (IPv6) with the MAC address of the packet origin device also signed evidence."
Not that myth again (I wonder if Snopes or Adam and Jamie could be pursued to address this....).
Yes, at one point there was the consideration to make the bottom 48 bits of the IPv6 address be the MAC address of the device, to simplify stateless autoconfiguration. Then EVERYBODY pointed out the obvious security flaws in that idea, and the idea of using the MAC address to form the publicly routeable address was DROPPED. AXED. KILLED. REMOVED. That idea is not pinin' for the fjords, it is PASSED ON.
Even the idea of using the MAC address for the link local addresses has been made OPTIONAL, and alternatives to allow link local addresses to be created randomly have been defined.
That the political class has even less understanding of the Internet than the general public, this has to be it.
Endless argument and billions spent on solutions to non-existent problems that don't even work and will never even work.
Unless everybody is bolted to a fixed IP address and massive router flap happens when they connect via a wifi hotspot, there is never going to be a way to guarantee IP level traceability, and NAT rules anyway.
Even if you stuck a MAC address in the packet, that too can be hacked away.
Of COURSE it would be simple if every single message could be uniquely tagged to an end user or piece of physical kit. It would be simple if we all had chips embedded in our foreheads uniquely identifying who we are so that our movements could be recorded in real time on Stasi Central's computers. "we note that you and your neighbour's wife's GPS are coincident in her bedroom for over three hours: vote Stasi or your wife gets to hear".
Like all grandiose and lazy political schemes, it will cost a fortune, won't work, and will simply irritate people.
True - but there are people out there dumber than the politicians.
The average child murderer or terrorist bomber does seem incapable of emptying (much less wiping) their Internet browsing history and cache - let alone fathom VPNs, anonymous proxies, MAC obfuscation etc.
This does give the illusion that a mega-log of everything an ISP sees could be trawled for suspicious activity.
"The average child murderer or terrorist bomber that actually gets caught does seem incapable of emptying (much less wiping) their Internet browsing history and cache - let alone fathom VPNs, anonymous proxies, MAC obfuscation etc."
Fixed.
(Although, I accept your point; there aren't that many unsolved bombings / child murders.)
"(Although, I accept your point; there aren't that many unsolved bombings / child murders.)"
It seems that a lot (most?) intelligence led "terrorist" arrests seem to end up without any terrorist offence to prosecute. Others have been prosecuted for having accessed freely available material that was once the knowledge of any half-intelligent schoolboy.
There was that raid where a man was accidentally shot. Eventually the Police said that even though they hadn't found any evidence for a terrorist charge - there were other offences. The major one specifically being kiddie pr0n. Finally they had to admit the latter was one alleged thumbnail in a cache - insufficient for any charge.
BT are running tests on carrier-grade NAT so one IP address will support many users simultaneously, making it much harder to match subscribers (let alone users) to online activity.
Unfortunately, this will also break many of the interesting things you might want to do online.
What's so hard?
BT have a record of which customer was getting which packet, BT are more than happy to help the government by handing over any data, with or without a warrant.
A more serious IP problem is that it doesn't uniquely record which site you visited. Your machine accesses 100.200.100.200 to download a thumbnail from an advertiser on el'reg. That server also hosts the Grimethorpe Ferret Lovers secret photo archive - so the fair and wise ms May has a record that you accessed a site showing images of under-age ferrets.
Most (httpd)server logging assumes that the IP address the request came from is enough to track its owner. With NATs the (httpd)server also has to log the TCP Port number.
With the Port number and time, then the NATs logs (in theory) can be checked to see which customer (unless that is also a NAT; say an open wifi) the request came from.
A great many NAT systems don't provide that sort of logging and the logs would be horrendous in volume anyway. Each socket you open would need to be separately logged. Then there would be the issue of stacked NAT. You'd need to correlate the logs of each level to get a fix.
So are they going to enact legislation that bans NAT systems that don't automatically log each translation?
I run quite a few connections where we stick a Linux box at the front end and it'll do all the NAT you want, but adding a couple of lines to your iptables config ain't going to produce logs of what packets originate from which of your internal addresses. Then there is the matter of identifying the internal addresses. My youngest managed to find out how to change the MAC address on his phone at the age of ten, in a vain attempt to get around his "bedtime WiFi blocking" (hopefully he's not reading this) but if he'd chosen to spoof to the MAC address of another device in the house he'd have probably succeeded.
I'm afraid the boy Clegg hasn't got a clue about what he's talking about. He's in the normal politician's state of mind where he is only hearing what he wants to hear. Add to that the fact he's surrounded by people who only get paid if they tell him what he wants to hear and we end up at the mess they usually leave us in.
"With the Port number and time, then the NATs logs (in theory) can be checked to see which customer (unless that is also a NAT; say an open wifi) the request came from."
A browser instance usually makes four TCP connections in parallel. In the old days each connection was discarded after downloading an HTML element - and a new one was opened for the next element. Modern HTTP keeps the TCP connections open for longer.
These are usually closed when: a new page URL is accessed; the connection has been idle for a couple of minutes; a busy HTTP server/proxy decides it doesn't want a potentially idle connection once the element request is fulfilled.
In practice that means any particular NAT source port is only assigned to a particular end user for a very short time. A source port number has to be put back into the active pool quite quickly given the fast turnover of a large ISP's NAT connections.
There are only a maximum of 65k+ source port numbers. So the NAT TCP stack implementation has either to have one global pool of source port numbers shared by all connections - or several pools differentiated with some additional connection criteria.
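Added example, not part of any comment in this thread: a small Python sketch of the correlation the comments above describe, matching a web-server log entry (source IP, source port, time) against a carrier-grade NAT translation log. The log rows, subscriber labels, addresses and the `skew_s` clock-offset parameter are all constructed assumptions; it shows how fast port reuse plus a few seconds of clock skew turns a unique match into an ambiguous one.

```python
from datetime import datetime, timedelta

# Constructed carrier-grade NAT translation log (all values are made up).
# (subscriber, public_ip, public_port, mapping_start, mapping_end)
NAT_LOG = [
    ("sub-A", "203.0.113.7", 40001, "12:00:00", "12:00:40"),
    ("sub-B", "203.0.113.7", 40002, "12:00:05", "12:01:10"),
    ("sub-C", "203.0.113.7", 40001, "12:00:42", "12:01:30"),  # port reused 2 s after sub-A
    ("sub-D", "203.0.113.9", 40001, "12:00:00", "12:02:00"),
]


def parse_time(hms):
    return datetime.strptime(hms, "%H:%M:%S")


def candidates(src_ip, src_port=None, seen_at=None, skew_s=0):
    """Subscribers who could have sent a request the web server logged.

    src_port and seen_at are optional so the effect of a server that logs
    only the IP address, or IP and port without a usable time, is visible.
    skew_s is the assumed clock difference between web server and NAT.
    """
    skew = timedelta(seconds=skew_s)
    found = set()
    for sub, ip, port, start, end in NAT_LOG:
        if ip != src_ip:
            continue
        if src_port is not None and port != src_port:
            continue
        if seen_at is not None:
            ts = parse_time(seen_at)
            if not (parse_time(start) - skew <= ts <= parse_time(end) + skew):
                continue
        found.add(sub)
    return sorted(found)


def attribute(src_ip, src_port, seen_at, skew_s=0):
    """Return the single matching subscriber, or None if zero or several match."""
    hits = candidates(src_ip, src_port, seen_at, skew_s)
    return hits[0] if len(hits) == 1 else None


if __name__ == "__main__":
    print(candidates("203.0.113.7"))                              # IP only
    print(candidates("203.0.113.7", 40001))                       # IP + port, no time
    print(attribute("203.0.113.7", 40001, "12:00:39"))            # clocks in sync
    print(attribute("203.0.113.7", 40001, "12:00:39", skew_s=5))  # 5 s skew
```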
I was contacted by our local police force to assist with the identification of stolen equipment. One of their senior bods had heard that you could trace machines via IP address and wanted me to let them know how they could match up devices (PS3s, Xboxs and phones) with IPs so they could return them to the owner.
I told them that each device would have a MAC address that was unique (I didn't go into spoofing) but that the IP would change depending upon which network it was connected to. They could cross reference the MAC address against information ISPs held about which MAC address had been assigned which IP address. The police were adamant that this wasn't the case and that the IP was the only piece of information they needed to identify the device.
I tried to explain that the laptop I was emailing them on was picking up xxx.xxx.xxx.xxx at work but it picked up yyy.yyy.yyy.yyy when I was at home and zzz.zzz.zzz.zzz when I was connected to a different network. I gave them a brief overview of DHCP and DNS and they were still fixated on IPs and IPs alone as the single identifying factor.
I advised them to contact their IT department to corroborate what I had told them and to get back to me if they wanted further clarification. They never got back to me.
Would the ISP know the MAC addresses of devices connected to the LAN? You are not going to connect an xbox directly to the internet, you connect it via a router of some description. Phones might get connected directly to the internet, but they have an IMEI number that could be used to identify the owner.
I'm fairly certain that my telco has been inside my ADSL router via their maintenance backdoor - they conceivably have been able to map my devices, or just sniff all my local IPv6 packets. I suppose I have to consider throwing DD-WRT on to my ADSL modem/router one year.
Some generic Chinese phones on eBay used to have an IMEI of all zeros, not sure if they actually worked in the 'free world'
Unless your computer is connected directly to the ISP via ethernet, its network card MAC never leaves the house. (And if you do connect via ethernet, it has to be 'native' and not some PPPoE setup)
Even if you don't use any sort of wan facing nat/router modem, if you connect via ADSL or via cable, your outgoing connections will not use your pc MAC. The 'virtual interface' created to tunnel the connection may have a 'virtual MAC' but that's not the same. In the case of cable, the cable modem will have its own MAC which is what some cable-isps use to authenticate you.
TL;DR: Even if you don't use a NAT router/modem your computer's MAC address is never likely to be 'leaked' anywhere unless on (say) a corporate network or maybe a student/university network. So MAC tracing for home users is a silly thing to think useful - and that's even before you get into how easy it is to spoof MAC
The mac address is persistent on a device, the multiple IP addresses it or the router it attaches to are assigned are not persistent which is the point I was making to the police. Two xboxes may have at one time connected to the internet via the same IP address, both could later have been nicked, if the police wanted to use the IP address to identify them then it wouldn't work. If they could cross reference this against MAC addresses they might have a chance of identifying it.
There isn't an easy way of identifying a stolen device if the owner hadn't already taken down its serial number, IMEI number or scrawled "pRoperTy of Doug" in tippex on it. I was asked how they could identify them via IP, I tried to steer them in a way that may help.
quote "just makes it possible for the evidence to be used in a court of law."
That'd be great if the snooping was intended to be used in court, however the current problems are that the large amount of snooping that is done can never be mentioned in court, as otherwise the defence would have the right to view all the intercepts. So it's purely used for spooks, and I suppose some crumbs are lent to the police - provided they don't actually use this intercept stuff as 'evidence'
All we're talking about it's just background 'evidence', that is never shown to the judicial processes and therefore doesn't really exist?
Damn these problems that keep popping up unexpectedly, oh if only the internet powers that be didn't change the way they address computers on a network every other day, oh hang on that's right they don't, they've been using the same system since the internet started, and NOW they realise they have a problem, just before we all switch to IPv6, lol.
Not true. NAT and DHCP are relatively new to the internet. Before them, every system had a static IP address, even if it was not permanently connected.
On dialup/broadband, changing your IP would cause your service to stop working.
On fixed networks, you could only change your IP to an unused one that falls within the range allocated to your lan.
The problem with IP addresses is not in identifying the user. Normal people's poor understanding of computing is open to massive abuse as we have seen with media companies harassing end users with no proof. A list of IPs is not evidence, it is completely open to tampering or total fabrication as well as hacking or spoofing. Even a signed log (which is rarely done) is only as trustworthy as whoever owns the box. The idea that if data came from a computer it must be correct and unrefutable needs to be drummed out of the legal system before you can put in place any fair mechanism.
There is nothing wrong with authorities using appropriate methods to provide national security. There is no God given right to privacy on the internet or with phone conversations. Who came up with that false belief? Almost any bloke can monitor phone conversations or e-mail contents. Is this a revelation to the naive?
There's no god given right, but we've established repeatedly with case-law based on the human right of privacy for correspondence that UK gov does tend to have been rather over-snoopy on communications in the past. With meaningful safeguards, like - shudder - the French have, we ought to be able to snoop proportionately for nat sec purposes, and maybe use half of the GCHQ domestic intercept product for real policing, getting away from "hearsay" & "we never snoop" absurdities.
Outlawing IPv4 devices, CGNAT, NAT, VPNs, proxies, and MAC cloning...?
Meanwhile, necessitating mandatory registration of all IP enabled devices and associated DHCP IP address assignments... including all portable devices brought into the country, IP enabled tellies, cars, fridges, CCTV, etc etc.
That should keep the Home Office tied up for years...
... but does this mean that the government are going to ban VPNs & Tor? How does it affect free wi-fi hotspots (even the pizza shop I work in offers this!)? Does it mean that either each device will have to be registered & logged before you start using free wi-fi? If your next door neighbour uses your wi-fi either with or without your knowledge would you get prosecuted? Will each person in your household have their own unique ID number? How far will the government go with this?