From james2 at jfirth.net Mon Jul 26 22:26:02 2010
From: james2 at jfirth.net (James Firth)
Date: Mon, 26 Jul 2010 21:26:02 -0000
Subject: Here we go again - ISP DPI, but is it interception?
Message-ID: <58600.78.86.197.160.1280179559.squirrel@drop.daltonfirth.co.uk>

Just saw this on The Register today. Talk Talk seem to me in the process of developing an unavoidable network feature which tracks the websites a subscriber visits with the aim of offering a malware protection service:

http://www.theregister.co.uk/2010/07/26/talktalk_stalkstalk/

Aside from the obvious legal question - does this amount to interception - there of course is the practical question concerning whether a prosecution could ever be initiated given the Heller-esque nature of our current regime: one needs investigative resources to prove a crime has been committed, but the police are unable or unwilling to investigate unless one can bring sufficient proof that a crime has been committed. (Or at least this appears to be the case with at least one previous instance I'm familiar with.)

Plus there are the obvious security issues - systems I'm familiar with track attempts at unauthorised access, either via IP mask or session cookie. This could at least have an impact on statistics when the shadow service attempts to access (*presumably* without the correct cookie/keys/session ID).

Whilst one can see the obvious benefits to less technologically capable subscribers, I'm not at all comfortable with this approach.

The Register report the system is operated at least in part by Chinese telco equipment manufacturer Huawei.

James Firth

From zenadsl6186 at zen.co.uk Tue Jul 27 00:15:01 2010
From: zenadsl6186 at zen.co.uk (Peter Fairbrother)
Date: Mon, 26 Jul 2010 23:15:01 -0000
Subject: Here we go again - ISP DPI, but is it interception?
In-Reply-To: <58600.78.86.197.160.1280179559.squirrel@drop.daltonfirth.co.uk>
References: <58600.78.86.197.160.1280179559.squirrel@drop.daltonfirth.co.uk>
Message-ID: <4C4E16F5.10400@zen.co.uk>

James Firth wrote:
> Just saw this on The Register today. Talk Talk seem to me in the process
> of developing an unavoidable network feature which tracks the websites a
> subscriber visits with the aim of offering a malware protection service:
>
> http://www.theregister.co.uk/2010/07/26/talktalk_stalkstalk/
>
> Aside from the obvious legal question - does this amount to interception -

The only content they are making available is URLs, and insofar as these are traffic data it's not interception. However URLs are not entirely traffic data, and their modification of the network has made the parts of the URLs which are not traffic data available (to themselves) - so yes, it's interception.

The other legal question is whether it's illegal interception or not. Talk-talk are perhaps in a better position than Phorm were, as they can argue that their action is necessary to protect the network, like email virus or spam filtering.

However I don't know whether that would pass a Judge or not (if it ever got to one).

Also, if the system fails to block some nasty content, can a parent sue Talk-talk? If it blocks content it shouldn't, can the website sue Talk-talk?

It has distinct negative implications for "pure-carrier" immunity.

Can a website say "I don't want to be examined by TalkTalk", something comparable to the x-no-archive or NOARCHIVE tags? I'd think so, legally if not always technically.

Suppose a "hidden" webpage has eg some copyright material on it, which the customer has the right to access but Talk-Talk don't.

Suppose a site creates a new URL for each customer - Talk-talk are going to access each page, thereby doubling the site's traffic. Can the site sue for the extra traffic costs?

It's a can of worms I'd not open.
> Whilst one can see the obvious benefits to less technologically capable
> subscribers,

Perhaps you can - I cannot.

> I'm not at all comfortable with this approach.

Nor am I.

I don't know why Talk-Talk (and the rest) have this urge to do things with their customers' traffic, but they all seem to forget: it is their customers' traffic, and not theirs.

-- Peter Fairbrother

From zenadsl6186 at zen.co.uk Tue Jul 27 02:07:25 2010
From: zenadsl6186 at zen.co.uk (Peter Fairbrother)
Date: Tue, 27 Jul 2010 01:07:25 -0000
Subject: Here we go again - ISP DPI, but is it interception?
In-Reply-To: <4C4E16F5.10400@zen.co.uk>
References: <58600.78.86.197.160.1280179559.squirrel@drop.daltonfirth.co.uk> <4C4E16F5.10400@zen.co.uk>
Message-ID: <4C4E314E.7000609@zen.co.uk>

Peter Fairbrother wrote:
> James Firth wrote:
>> Just saw this on The Register today. Talk Talk seem to me in the process
>> of developing an unavoidable network feature which tracks the websites a
>> subscriber visits with the aim of offering a malware protection service:
>>
>> http://www.theregister.co.uk/2010/07/26/talktalk_stalkstalk/
>>
>> Aside from the obvious legal question - does this amount to
>> interception -
>
> The only content they are making available is URLs, and insofar as these
> are traffic data it's not interception. However URLs are not entirely
> traffic data, and their modification of the network has made the
> parts of the URLs which are not traffic data available (to themselves) -
> so yes, it's interception.
>
> The other legal question is whether it's illegal interception or not.
> Talk-talk are perhaps in a better position than Phorm were, as they can
> argue that their action is necessary to protect the network, like email
> virus or spam filtering.
>
> However I don't know whether that would pass a Judge or not (if it ever
> got to one).

Sorry, missed a bit here.

It would be lawful interception under 3(3) if it was being done "for purposes connected with the ..
operation of that (telecommunications) service" - but I don't think it is.

It's certainly not necessary, as the network, and other networks, would work fine without it. I think it's (purportedly) being done in order to provide a safer service, or an extra service on top of the simple telecomms service (passing bits), and thus 3(3) doesn't apply.

Can't think of anything else which might make it lawful either.

> Also, if the system fails to block some nasty content, can a parent sue
> Talk-talk? If it blocks content it shouldn't, can the website sue
> Talk-talk?
>
> It has distinct negative implications for "pure-carrier" immunity.
>
> Can a website say "I don't want to be examined by TalkTalk", something
> comparable to the x-no-archive or NOARCHIVE tags? I'd think so, legally
> if not always technically.
>
> Suppose a "hidden" webpage has eg some copyright material on it, which
> the customer has the right to access but Talk-Talk don't.
>
> Suppose a site creates a new URL for each customer - Talk-talk are going
> to access each page, thereby doubling the site's traffic. Can the site
> sue for the extra traffic costs?
>
> It's a can of worms I'd not open.
>
>> Whilst one can see the obvious benefits to less technologically capable
>> subscribers,
>
> Perhaps you can - I cannot.
>
>> I'm not at all comfortable with this approach.
>
> Nor am I.
>
> I don't know why Talk-Talk (and the rest) have this urge to do things
> with their customer's traffic, but they all seem to forget: it is their
> customer's traffic, and not theirs.
>
> -- Peter Fairbrother

From David_Biggins at usermgmt.com Tue Jul 27 15:27:34 2010
From: David_Biggins at usermgmt.com (David Biggins)
Date: Tue, 27 Jul 2010 14:27:34 -0000
Subject: Here we go again - ISP DPI, but is it interception?
In-Reply-To: <4C4E314E.7000609@zen.co.uk>
References: <58600.78.86.197.160.1280179559.squirrel@drop.daltonfirth.co.uk> <4C4E16F5.10400@zen.co.uk> <4C4E314E.7000609@zen.co.uk>
Message-ID:

> -----Original Message-----
> From: ukcrypto-bounces at chiark.greenend.org.uk [mailto:ukcrypto-
> bounces at chiark.greenend.org.uk] On Behalf Of Peter Fairbrother
> Sent: 27 July 2010 02:07
> To: UK Cryptography Policy Discussion Group
> Subject: Re: Here we go again - ISP DPI, but is it interception?
>
> Suppose a "hidden" webpage has eg some copyright material on it,
> which
> the customer has the right to access but Talk-Talk don't.

Or if they are indeed responsible for:

http://tinyurl.com/387sbj6

><> UPDATE 2:40pm
><> We've also seen some reports that the new system
><> confuses login sessions for certain websites and
><> web-based games that require a degree of IP
><> authentication, although at this stage it's
><> difficult to know if the problem is directly
><> related.

D.

From David_Biggins at usermgmt.com Wed Jul 28 11:22:45 2010
From: David_Biggins at usermgmt.com (David Biggins)
Date: Wed, 28 Jul 2010 10:22:45 -0000
Subject: S49 notices rise by 50%, applied in more types of crime
Message-ID:

http://www.theregister.co.uk/2010/07/27/ripa_iii/

"In the 12 months to March 31 this year, government officials approved 38 notices under Part III of the Regulation of Investigatory Powers Act, compared to 26 in the previous year."

"In 2008/09 they were served in relation to counter-terrorism, possession of indecent images of children and "domestic extremism" (a case involving activist attacks on animal testing labs). In the last 12 months, however, RIPA Part III was used to demand decryption in cases of insider dealing, illegal broadcasting, theft, excise duty evasion and aggravated burglary, the Chief Surveillance Commissioner Sir Christopher Rose said in his annual report."

D.
From chl at clerew.man.ac.uk Wed Jul 28 12:38:59 2010
From: chl at clerew.man.ac.uk (Charles Lindsey)
Date: Wed, 28 Jul 2010 11:38:59 -0000
Subject: Here we go again - ISP DPI, but is it interception?
In-Reply-To: <4C4E314E.7000609@zen.co.uk>
References: <58600.78.86.197.160.1280179559.squirrel@drop.daltonfirth.co.uk> <4C4E16F5.10400@zen.co.uk> <4C4E314E.7000609@zen.co.uk>
Message-ID:

On Tue, 27 Jul 2010 02:07:26 +0100, Peter Fairbrother wrote:

> Sorry. missed a bit here.
>
> It would be lawful interception under 3(3) if it was being done "for
> purposes connected with the .. operation of that (telecommunications)
> service" - but I don't think it is.

It seems that they are monitoring their outbound servers to compile lists of IP addresses to which stuff is being sent. That would be perfectly legal if used, for example, to fine-tune their routeing tables.

But they go further by examining the port number and only including packets addressed to port 80 in their lists. That is trickier, but if they claim that part of the "telecommunications service" that they offer is blocking sites that dispense malware, spams, phishes, etc, then they might claim that this particular interception was for the purpose of providing that feature of their service.

What they MUST NOT do is to record the sending address of those packets, or to correlate that sending address with anything else. But they explicitly deny that they are doing that.

So basically, I think what they are doing is potentially a Good Thing, and most likely lawful.

Once they have a list of addresses of sites, they are perfectly entitled to visit those sites (as is anybody else) and to probe them for malware. If the site declines their probes, or demands some password that they don't know, then the site is perfectly entitled to do that.

--
Charles H. Lindsey ---------At Home, doing my own thing------------------------
Tel: +44 161 436 6131
Web: http://www.cs.man.ac.uk/~chl
Email: chl at clerew.man.ac.uk      Snail: 5 Clerewood Ave, CHEADLE, SK8 3JU, U.K.
PGP: 2C15F1A9      Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5

From james2 at jfirth.net Wed Jul 28 14:49:26 2010
From: james2 at jfirth.net (James Firth)
Date: Wed, 28 Jul 2010 13:49:26 -0000
Subject: Here we go again - ISP DPI, but is it interception?
In-Reply-To:
References: <58600.78.86.197.160.1280179559.squirrel@drop.daltonfirth.co.uk> <4C4E16F5.10400@zen.co.uk> <4C4E314E.7000609@zen.co.uk>
Message-ID: <00ee01cb2e5b$ad3dc800$07b95800$@net>

> It seems that they are monitoring their outbound servers to compile
> lists
> of IP addresses to which stuff is being sent. That would be perfectly
> legal if used, for example, to fine-tune their routeing tables.
>
> But they go further by examining the port number and only including
> packets addressed to port 80 in their lists. That is trickier,

More research is needed on this. I have server logs from sites I run that I can use to establish shadow visitors, and whether any - if found - go to the exact page (i.e. full URL) or just the top level website.

> So basically, I think what they are doing is potentially a Good Thing,
> and
> most likely lawful.

What if shadow visits to the site, hypothesising that the full URL is visited, caused undesired consequences such as repeat posting or triggered other state-changing behaviour in the destination website?

> Once they have a list of addresses of sites, they are perfectly
> entitled to visit those sites (as is anybody else) and to probe them
> for
> malware. If the site declines their probes, or demands some password
> that
> they don't know, then the site is perfectly entitled to do that.

And herein could lie a flaw in such technology. Already I've seen posted online the alleged IP range for the servers used for the shadow visits.
Sites hosting malware could easily use this information to block or send clean pages to the monitoring sites. And of course it would be far more questionable if the monitoring itself spoofed the IP address of the original visitor, leading to scenarios such as "you claim you accidentally visited a website hosting questionable content, but never returned, yet logs retrieved from the server in question show you made a second visit less than 2 minutes later."

(OK that's a tad tenuous but hopefully explains a point).

James Firth

From lists at barnfather.net Wed Jul 28 17:02:36 2010
From: lists at barnfather.net (Paul Barnfather)
Date: Wed, 28 Jul 2010 16:02:36 -0000
Subject: Here we go again - ISP DPI, but is it interception?
In-Reply-To: <4C4E314E.7000609@zen.co.uk>
References: <58600.78.86.197.160.1280179559.squirrel@drop.daltonfirth.co.uk> <4C4E16F5.10400@zen.co.uk> <4C4E314E.7000609@zen.co.uk>
Message-ID:

> Peter Fairbrother wrote:
>>
>> Also, if the system fails to block some nasty content, can a parent sue
>> Talk-talk? If it blocks content it shouldn't, can the website sue Talk-talk?
>>
>> It has distinct negative implications for "pure-carrier" immunity.
>>
>> Can a website say "I don't want to be examined by TalkTalk", something
>> comparable to the x-no-archive or NOARCHIVE tags? I'd think so, legally if
>> not always technically.

It seems extremely unlikely that the system would be especially reliable at detecting "nasty content". The probes from the Huawei servers are from fixed IP addresses and (presumably) use easily identifiable probes. These connections can be easily recognised (and blocked) or served apparently "legitimate" content; I believe malware sites already do this routinely when probed by known security firms.

There are already perfectly good, well-maintained lists of malware sites out there - the ones used by the popular browsers seem reasonably effective. Why would TalkTalk go to all this effort and expense to build their own list?
The benefits seem questionable and yet TalkTalk are risking another Phorm-style phiasco. Very strange.

From zenadsl6186 at zen.co.uk Wed Jul 28 18:22:31 2010
From: zenadsl6186 at zen.co.uk (Peter Fairbrother)
Date: Wed, 28 Jul 2010 17:22:31 -0000
Subject: Here we go again - ISP DPI, but is it interception?
In-Reply-To: <00ee01cb2e5b$ad3dc800$07b95800$@net>
References: <58600.78.86.197.160.1280179559.squirrel@drop.daltonfirth.co.uk> <4C4E16F5.10400@zen.co.uk> <4C4E314E.7000609@zen.co.uk> <00ee01cb2e5b$ad3dc800$07b95800$@net>
Message-ID: <4C50674C.1080801@zen.co.uk>

James Firth wrote:
>> It seems that they are monitoring their outbound servers to compile
>> lists
>> of IP addresses to which stuff is being sent. That would be perfectly
>> legal if used, for example, to fine-tune their routeing tables.
>>
>> But they go further by examining the port number and only including
>> packets addressed to port 80 in their lists. That is trickier,
>
> More research is needed on this. I have server logs from sites I run that I
> can use to establish shadow visitors, and whether any - if found - go to the
> exact page (i.e. full URL) or just the top level website.

If they don't go to the full URL they won't be able to detect whether there is some bad stuff on the served page - and thus they won't be able to do the job they claim to be doing.

>> So basically, I think what they are doing is potentially a Good Thing,
>> and
>> most likely lawful.
>
> What if shadow visits to the site, hypothesising that the full URL is
> visited, caused undesired consequences such as repeat posting or triggered
> other state-changing behaviour in the destination website?

Extremely likely - for instance, another access to a session-cookied site will almost always change the server state.

It's evil, and should not be allowed.

>> Once they have a list of addresses of sites, they are perfectly
>> entitled to visit those sites (as is anybody else) and to probe them
>> for
>> malware.
>> If the site declines their probes, or demands some password
>> that
>> they don't know, then the site is perfectly entitled to do that.
>
> And herein could lie a flaw in such technology. Already I've seen posted
> online the alleged IP range for the servers used for the shadow visits.
>
> Sites hosting malware could easily use this information to block or send
> clean pages to the monitoring sites. And of course it would be far more
> questionable if the monitoring itself spoofed the IP address of the original
> visitor, leading to scenarios such as "you claim you accidentally visited a
> website hosting questionable content, but never returned, yet logs retrieved
> from the server in question show you made a second visit less than 2 minutes
> later."
>
> (OK that's a tad tenuous but hopefully explains a point).

Yes - and double charging for doubled access, and ... so on.

It won't work, so it's not a good thing. It will do damage, so it's a bad thing. It's illegal anyway. So it should be stopped.

-- Peter Fairbrother

> James Firth

From zenadsl6186 at zen.co.uk Wed Jul 28 18:23:09 2010
From: zenadsl6186 at zen.co.uk (Peter Fairbrother)
Date: Wed, 28 Jul 2010 17:23:09 -0000
Subject: Here we go again - ISP DPI, but is it interception?
In-Reply-To:
References: <58600.78.86.197.160.1280179559.squirrel@drop.daltonfirth.co.uk> <4C4E16F5.10400@zen.co.uk> <4C4E314E.7000609@zen.co.uk>
Message-ID: <4C50677C.60705@zen.co.uk>

Charles Lindsey wrote:
> On Tue, 27 Jul 2010 02:07:26 +0100, Peter Fairbrother
> wrote:
>
>> Sorry. missed a bit here.
>>
>> It would be lawful interception under 3(3) if it was being done "for
>> purposes connected with the .. operation of that (telecommunications)
>> service" - but I don't think it is.
>
> It seems that they are monitoring their outbound servers to compile
> lists of IP addresses to which stuff is being sent.

No they aren't. They are collecting full URLs as sent by their customers.
Then they request the same pages, and check them for malware etc, or at least that's what they claim to be doing.

> That would be
> perfectly legal if used, for example, to fine-tune their routeing tables.

Collecting IPs, perhaps - but not full URLs.

> But they go further by examining the port number and only including
> packets addressed to port 80 in their lists. That is trickier, but if
> they claim that part of the "telecommunications service" that they offer
> is blocking sites that dispense malware, spams, phishes, etc, then they
> might claim that this particular interception was for the purpose of
> providing that feature of their service.

They might, and probably will - but they could claim the same for filtering on political grounds, or any grounds they want to.

RIPA says that they can intercept if it's for purposes connected with the provision or operation of their telecommunications service, which is defined as a service

> What they MUST NOT do is to record the sending address of those packets,
> or to correlate that sending address with anything else. But they
> explicitly deny that they are doing that.

That may be in the DPA somewhere, which I'm not too familiar with - but there's nothing like that in RIPA. Sounds a bit more like wishing than legal reality though.

> So basically, I think what they are doing is potentially a Good Thing,
> and most likely lawful.

It's neither a Good Thing, nor lawful.

Technically it's not going to work, at all. It's a stupid idea, and malware sites can easily get around it. It cannot be a good thing, because it cannot work.

And they are looking at full URLs, which is interception, and the reason doesn't fall under 3(3), so it's illegal too.

> Once they have a list of addresses of sites, they are perfectly
> entitled to visit those sites (as is anybody else)

No, they aren't. The internet is not all accessible to the public, people frequently use secrets in their URLs for access control.
They are entitled to do the same as anybody and access a publicly known site - but not to access secret URLs. There's more, but that's enough by itself.

It's plain evil - in fact it's probably theft or abstraction of data as well. Customer traffic data belongs to the customers, not the ISP. They should keep their greedy fingers off it.

-- Peter Fairbrother

> and to probe them for
> malware. If the site declines their probes, or demands some password
> that they don't know, then the site is perfectly entitled to do that.
>
> --
> Charles H. Lindsey ---------At Home, doing my own thing------------------------
> Tel: +44 161 436 6131
> Web: http://www.cs.man.ac.uk/~chl
> Email: chl at clerew.man.ac.uk      Snail: 5 Clerewood Ave, CHEADLE, SK8 3JU, U.K.
> PGP: 2C15F1A9      Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5

From james2 at jfirth.net Wed Jul 28 18:39:04 2010
From: james2 at jfirth.net (James Firth)
Date: Wed, 28 Jul 2010 17:39:04 -0000
Subject: Here we go again - ISP DPI, but is it interception?
In-Reply-To: <4C50677C.60705@zen.co.uk>
References: <58600.78.86.197.160.1280179559.squirrel@drop.daltonfirth.co.uk> <4C4E16F5.10400@zen.co.uk> <4C4E314E.7000609@zen.co.uk> <4C50677C.60705@zen.co.uk>
Message-ID: <018501cb2e7b$c0927570$41b76050$@net>

Peter Fairbrother wrote:
> It's neither a Good Thing, nor lawful.

In better news today I extracted confirmation from Virgin Media that their plans to deploy Detica's CView DPI system were still on hold:

http://www.slightlyrightofcentre.com/2010/07/trials-by-virgin-media-of-copyright.html

Reading between the lines I personally don't think VM would deploy CView unless such monitoring became defined under the shambolic and misguided framework the Digital Economy Act defines. And many are doing their best to prevent this by explaining, human rights aside, that such monitoring will soon be a white elephant as the slow but sure move towards encryption continues.
Seems I'm now vaguely involved as an interested party on the Digital Economy All Party Parliamentary Group, as are the Open Rights Group and COADEC and other sane lobbying groups. The chairman Eric Joyce MP and his deputy, Cambridge's Julian Huppert MP seem very amenable if anyone - Fipr - has a burning urge to get involved.

James Firth

From zenadsl6186 at zen.co.uk Wed Jul 28 18:40:18 2010
From: zenadsl6186 at zen.co.uk (Peter Fairbrother)
Date: Wed, 28 Jul 2010 17:40:18 -0000
Subject: Here we go again - ISP DPI, but is it interception?
In-Reply-To: <4C50677C.60705@zen.co.uk>
References: <58600.78.86.197.160.1280179559.squirrel@drop.daltonfirth.co.uk> <4C4E16F5.10400@zen.co.uk> <4C4E314E.7000609@zen.co.uk> <4C50677C.60705@zen.co.uk>
Message-ID: <4C506B81.1050507@zen.co.uk>

Peter Fairbrother wrote:
> Charles Lindsey wrote:
>> On Tue, 27 Jul 2010 02:07:26 +0100, Peter Fairbrother
>> wrote:
>>
>>> Sorry. missed a bit here.
>>>
>>> It would be lawful interception under 3(3) if it was being done "for
>>> purposes connected with the .. operation of that (telecommunications)
>>> service" - but I don't think it is.
>>
>> It seems that they are monitoring their outbound servers to compile
>> lists of IP addresses to which stuff is being sent.
>
> No they aren't. They are collecting full URLs as sent by their customers.
>
> Then they request the same pages, and check them for malware etc, or at
> least that's what they claim to be doing.
>
>> That would be perfectly legal if used, for example, to fine-tune their
>> routeing tables.
>
> Collecting IPs, perhaps - but not full URLs.
>>
>> But they go further by examining the port number and only including
>> packets addressed to port 80 in their lists.
>> That is trickier, but if
>> they claim that part of the "telecommunications service" that they
>> offer is blocking sites that dispense malware, spams, phishes, etc,
>> then they might claim that this particular interception was for the
>> purpose of providing that feature of their service.
>
> They might, and probably will - but they could claim the same for
> filtering on political grounds, or any grounds they want to,
>
> RIPA says that they can intercept if it's for purposes connected with
> the provision or operation of their telecommunications service, which is
> defined as a service

ooops, missed out a bit here.

"telecommunications service" means any service that consists in the provision of access to, and of facilities for making use of, any telecommunication system (whether or not one provided by the person providing the service); and

"telecommunication system" means any system (including the apparatus comprised in it) which exists (whether wholly or partly in the United Kingdom or elsewhere) for the purpose of facilitating the transmission of communications by any means involving the use of electrical or electro-magnetic energy.

Now I could go into detail about this, yet again, but I've done it before - so I'll just say that I read that to mean they can only intercept for purposes connected to their ability to pass messages.

TalkTalk's actions do not fall under 3(3) because they do not facilitate the transmission of communications. If it didn't happen then people would still be able to get web service as normal.

Email spam and virus filtering arguably does fall under 3(3), because if it didn't happen then email would be unusable.

>>
>> What they MUST NOT do is to record the sending address of those
>> packets, or to correlate that sending address with anything else. But
>> they explicitly deny that they are doing that.
>
> That may be in the DPA somewhere, which I'm not too familiar with - but
> there's nothing like that in RIPA.
> Sounds a bit more like wishing than
> legal reality though.
>
>> So basically, I think what they are doing is potentially a Good Thing,
>> and most likely lawful.
>
> It's neither a Good Thing, nor lawful.
>
> Technically it's not going to work, at all. It's a stupid idea, and
> malware sites can easily get around it. It cannot be a good thing,
> because it cannot work.
>
> And they are looking at full URLs, which is interception, and the reason
> doesn't fall under 3(3), so it's illegal too.
>>
>> Once they have a list of addresses of sites, they are perfectly
>> entitled to visit those sites (as is anybody else)
>
> No, they aren't. The internet is not all accessible to the public,
> people frequently use secrets in their URLs for access control.
>
> They are entitled to do the same as anybody and access a publicly known
> site - but not to access secret URLs. There's more, but that's enough by
> itself.
>
> It's plain evil - in fact it's probably theft or abstraction of data as
> well. Customer traffic data belongs to the customers, not the ISP. They
> should keep their greedy fingers off it.
>
> -- Peter Fairbrother
>
> and to probe them for
>> malware. If the site declines their probes, or demands some password
>> that they don't know, then the site is perfectly entitled to do that.
>>
>> --
>> Charles H. Lindsey ---------At Home, doing my own thing------------------------
>> Tel: +44 161 436 6131
>> Web: http://www.cs.man.ac.uk/~chl
>> Email: chl at clerew.man.ac.uk      Snail: 5 Clerewood Ave, CHEADLE, SK8 3JU, U.K.
>> PGP: 2C15F1A9      Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5

From David_Biggins at usermgmt.com Thu Jul 29 10:39:49 2010
From: David_Biggins at usermgmt.com (David Biggins)
Date: Thu, 29 Jul 2010 09:39:49 -0000
Subject: Here we go again - ISP DPI, but is it interception?
In-Reply-To: <018501cb2e7b$c0927570$41b76050$@net>
References: <58600.78.86.197.160.1280179559.squirrel@drop.daltonfirth.co.uk> <4C4E16F5.10400@zen.co.uk> <4C4E314E.7000609@zen.co.uk> <4C50677C.60705@zen.co.uk> <018501cb2e7b$c0927570$41b76050$@net>
Message-ID:

> -----Original Message-----
> From: ukcrypto-bounces at chiark.greenend.org.uk [mailto:ukcrypto-
> bounces at chiark.greenend.org.uk] On Behalf Of James Firth
> Sent: 28 July 2010 18:39
> To: 'UK Cryptography Policy Discussion Group'
> Subject: RE: Here we go again - ISP DPI, but is it interception?
>
> Peter Fairbrother wrote:
>
>> It's neither a Good Thing, nor lawful.
>
> In better news today I extracted confirmation from Virgin Media that
> their
> plans to deploy Detica's CView DPI system were still on hold:
>
> http://www.slightlyrightofcentre.com/2010/07/trials-by-virgin-media-of-copyright.html

Hmmmm.....

The other week, I requested some data from a SOAP web service...

The XML response arrived, interestingly, broken, with javascript embedded in it.

The client and server machines are both clean, and the server most assuredly does not send script in its responses.

Regrettably, I didn't keep the response - deadlines loomed, so I repeated the request, which arrived clean.

Virgin Media is my ISP, and the last time I saw something like this was during the Phorm trials.

D.

From David_Biggins at usermgmt.com Thu Jul 29 10:41:35 2010
From: David_Biggins at usermgmt.com (David Biggins)
Date: Thu, 29 Jul 2010 09:41:35 -0000
Subject: Government monitoring requests rise for phone, email
Message-ID:

http://www.zdnet.co.uk/news/security-management/2010/07/29/government-monitoring-requests-rise-for-phone-email-40089682/

"The Interception of Communications Commissioner has revealed that police and other agencies made 21,000 more requests for citizens' communications data in 2009 than the previous year.

"Sir Paul Kennedy disclosed in his annual report that in 2009, public authorities made 525,130 data requests to ISPs to view people's phone and email records. That figure compares with a total of 504,073 requests in 2008."

D.

From chl at clerew.man.ac.uk Thu Jul 29 12:47:45 2010
From: chl at clerew.man.ac.uk (Charles Lindsey)
Date: Thu, 29 Jul 2010 11:47:45 -0000
Subject: Here we go again - ISP DPI, but is it interception?
In-Reply-To: <4C50674C.1080801@zen.co.uk>
References: <58600.78.86.197.160.1280179559.squirrel@drop.daltonfirth.co.uk> <4C4E16F5.10400@zen.co.uk> <4C4E314E.7000609@zen.co.uk> <00ee01cb2e5b$ad3dc800$07b95800$@net> <4C50674C.1080801@zen.co.uk>
Message-ID:

On Wed, 28 Jul 2010 18:22:20 +0100, Peter Fairbrother wrote:

> James Firth wrote:
> If they don't go to the full URL they won't be able to detect whether
> there is some bad stuff on the served page - and thus they won't be able
> to do the job they claim to be doing.

Actually, they might do better by going to the home page of the site and crawling from there, rather than just examining some particular page for malware.

>> What if shadow visits to the site, hypothesising that the full URL is
>> visited, caused undesired consequences such as repeat posting or
>> triggered
>> other state-changing behaviour in the destination website?
>
> Extremely likely - for instance, another access to a session-cookied
> site will almost always change the server state.

On the contrary, since TalkTalk won't be sending the proper 'cookie', they are most unlikely to mess up some ongoing transaction, and if they do, then it indicates that the site itself is badly designed and insecure, in which case it deserves all it gets.

> It won't work, so it's not a good thing.

It COULD work if performed in an intelligent manner. Whether TalkTalk have the necessary intelligence is a separate issue.
You should not underestimate them based on the meagre information we have so far (note that they are not yet actually testing for malware - they are just debugging their address gathering machinery).

--
Charles H. Lindsey ---------At Home, doing my own thing------------------------
Tel: +44 161 436 6131     Web: http://www.cs.man.ac.uk/~chl
Email: chl at clerew.man.ac.uk      Snail: 5 Clerewood Ave, CHEADLE, SK8 3JU, U.K.
PGP: 2C15F1A9      Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5

From chl at clerew.man.ac.uk Thu Jul 29 12:53:08 2010
From: chl at clerew.man.ac.uk (Charles Lindsey)
Date: Thu, 29 Jul 2010 11:53:08 -0000
Subject: Here we go again - ISP DPI, but is it interception?
In-Reply-To: <4C506B81.1050507@zen.co.uk>
References: <58600.78.86.197.160.1280179559.squirrel@drop.daltonfirth.co.uk> <4C4E16F5.10400@zen.co.uk> <4C4E314E.7000609@zen.co.uk> <4C50677C.60705@zen.co.uk> <4C506B81.1050507@zen.co.uk>
Message-ID:

On Wed, 28 Jul 2010 18:40:17 +0100, Peter Fairbrother wrote:

> "telecommunications service" means any service that consists in the
> provision of access to, and of facilities for making use of, any
> telecommunication system (whether or not one provided by the person
> providing the service); and
>
> "telecommunication system" means any system (including the apparatus
> comprised in it) which exists (whether wholly or partly in the United
> Kingdom or elsewhere) for the purpose of facilitating the transmission
> of communications by any means involving the use of electrical or
> electro-magnetic energy.
>
>
> Now I could go into detail about this, yet again, but I've done it
> before - so I'll just say that I read that to mean they can only
> intercept for purposes connected to their ability to pass messages.

So the transmission of communications is not "facilitated" by filtering out the bogus ones?

>
> TalkTalk's actions do not fall under 3(3) because they do not facilitate
> the transmission of communications. If it didn't happen then people
> would still be able to get web service as normal.
>
> Email spam and virus filtering arguably does fall under 3(3), because if
> it didn't happen then email would be unusable.

Exactly. But are you now arguing that it is perhaps legal to filter email, but it is not legal to filter web sites that purvey malware? Or to perform actions that might "facilitate" such filtering?

--
Charles H. Lindsey ---------At Home, doing my own thing------------------------
Tel: +44 161 436 6131     Web: http://www.cs.man.ac.uk/~chl
Email: chl at clerew.man.ac.uk      Snail: 5 Clerewood Ave, CHEADLE, SK8 3JU, U.K.
PGP: 2C15F1A9      Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5

From james2 at jfirth.net Thu Jul 29 14:34:07 2010
From: james2 at jfirth.net (James Firth)
Date: Thu, 29 Jul 2010 13:34:07 -0000
Subject: Here we go again - ISP DPI, but is it interception?
In-Reply-To:
References: <58600.78.86.197.160.1280179559.squirrel@drop.daltonfirth.co.uk> <4C4E16F5.10400@zen.co.uk> <4C4E314E.7000609@zen.co.uk> <4C50677C.60705@zen.co.uk> <018501cb2e7b$c0927570$41b76050$@net>
Message-ID: <005001cb2f22$b47633b0$1d629b10$@net>

David Biggins wrote:
> Hmmmm.....
>
> The other week, I requested some data from a SOAP web service...
>
> The XML response arrived, interestingly, broken, with javascript
> embedded in it.
>
> The client and server machines are both clean, and the server most
> assuredly does not send script in its responses.
>
> Regrettably, I didn't keep the response - deadlines loomed, so I
> repeated the request, which arrived clean.
>
> Virgin Media is my ISP, and the last time I saw something like this was
> during the Phorm trials.

The last 2 cases of this I investigated turned out to be down to Norton Internet Security running on the client machine. I assume you've already considered this and will keep my ear to the ground.
James Firth

From zenadsl6186 at zen.co.uk Thu Jul 29 16:23:34 2010
From: zenadsl6186 at zen.co.uk (Peter Fairbrother)
Date: Thu, 29 Jul 2010 15:23:34 -0000
Subject: Here we go again - ISP DPI, but is it interception?
In-Reply-To:
References: <58600.78.86.197.160.1280179559.squirrel@drop.daltonfirth.co.uk> <4C4E16F5.10400@zen.co.uk> <4C4E314E.7000609@zen.co.uk> <00ee01cb2e5b$ad3dc800$07b95800$@net> <4C50674C.1080801@zen.co.uk>
Message-ID: <4C519CF3.1020005@zen.co.uk>

Charles Lindsey wrote:
> On Wed, 28 Jul 2010 18:22:20 +0100, Peter Fairbrother
> wrote:
>
>> James Firth wrote:
>
>> If they don't go to the full URL they won't be able to detect whether
>> there is some bad stuff on the served page - and thus they won't be
>> able to do the job they claim to be doing.
>
> Actually, they might do better by going to the home page of the site and
> crawling from there, rather than just examining some particular page for
> malware.
>
>>> What if shadow visits to the site, hypothesising that the full URL is
>>> visited, caused undesired consequences such as repeat posting or
>>> triggered
>>> other state-changing behaviour in the destination website?
>>
>> Extremely likely - for instance, another access to a session-cookied
>> site will almost always change the server state.
>
> On the contrary, since TalkTalk won't be sending the proper 'cookie',

Why not? Cookies are often in URLs, and if TalkTalk send the URL to the site they will send the cookie too.

> they are most unlikely to mess up some ongoing transaction, and if they
> do, then it indicates that the site itself is badly designed and
> insecure, in which case it deserves all it gets.
>
>> It won't work, so it's not a good thing.
>
> It COULD work if performed in an intelligent manner.

I disagree. It's far too easy for a malware site to evade it.

--
Peter Fairbrother

> Whether TalkTalk
> have the necessary intelligence is a separate issue. You should not
> underestimate them based on the meagre information we have so far (note
> that they are not yet actually testing for malware - they are just
> debugging their address gathering machinery).
>
> --Charles H. Lindsey ---------At Home, doing my own thing------------------------
>
> Tel: +44 161 436 6131
> Web: http://www.cs.man.ac.uk/~chl
> Email: chl at clerew.man.ac.uk Snail: 5 Clerewood Ave, CHEADLE, SK8 3JU, U.K.
>
> PGP: 2C15F1A9 Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5
>
>
>

From zenadsl6186 at zen.co.uk Thu Jul 29 16:29:45 2010
From: zenadsl6186 at zen.co.uk (Peter Fairbrother)
Date: Thu, 29 Jul 2010 15:29:45 -0000
Subject: Here we go again - ISP DPI, but is it interception?
In-Reply-To:
References: <58600.78.86.197.160.1280179559.squirrel@drop.daltonfirth.co.uk> <4C4E16F5.10400@zen.co.uk> <4C4E314E.7000609@zen.co.uk> <4C50677C.60705@zen.co.uk> <4C506B81.1050507@zen.co.uk>
Message-ID: <4C519E67.1050708@zen.co.uk>

Charles Lindsey wrote:
> On Wed, 28 Jul 2010 18:40:17 +0100, Peter Fairbrother
> wrote:
>
>> "telecommunications service" means any service that consists in the
>> provision of access to, and of facilities for making use of, any
>> telecommunication system (whether or not one provided by the person
>> providing the service); and
>>
>> "telecommunication system" means any system (including the apparatus
>> comprised in it) which exists (whether wholly or partly in the United
>> Kingdom or elsewhere) for the purpose of facilitating the transmission
>> of communications by any means involving the use of electrical or
>> electro-magnetic energy.
>>
>>
>> Now I could go into detail about this, yet again, but I've done it
>> before - so I'll just say that I read that to mean they can only
>> intercept for purposes connected to their ability to pass messages.
>
> So the transmission of communications is not "facilitated" by filtering
> out the bogus ones?
I don't think TalkTalk will be filtering out bogus transmissions, even if their system worked. A bit of malware is not a bogus communication - the sender means to send it to the recipient.

>>
>> TalkTalk's actions do not fall under 3(3) because they do not
>> facilitate the transmission of communications. If it didn't happen
>> then people would still be able to get web service as normal.
>>
>> Email spam and virus filtering arguably does fall under 3(3), because
>> if it didn't happen then email would be unusable.
>
> Exactly. But are you now arguing that it is perhaps legal to filter
> email, but it is not legal to filter web sites that purvey malware?

Yes.

--
Peter Fairbrother

>
> --Charles H. Lindsey ---------At Home, doing my own thing------------------------
>
> Tel: +44 161 436 6131
> Web: http://www.cs.man.ac.uk/~chl
> Email: chl at clerew.man.ac.uk Snail: 5 Clerewood Ave, CHEADLE, SK8 3JU, U.K.
>
> PGP: 2C15F1A9 Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5
>
>
>

From clive at davros.org Fri Jul 30 11:15:02 2010
From: clive at davros.org (Clive D.W. Feather)
Date: Fri, 30 Jul 2010 10:15:02 -0000
Subject: Here we go again - ISP DPI, but is it interception?
In-Reply-To:
References: <58600.78.86.197.160.1280179559.squirrel@drop.daltonfirth.co.uk> <4C4E16F5.10400@zen.co.uk> <4C4E314E.7000609@zen.co.uk>
Message-ID: <20100730101500.GC46989@davros.org>

Charles Lindsey said:
> Once they have a list of addresses of sites, they are perfectly
> entitled to visit those sites (as is anybody else) and to probe them for
> malware.

No they aren't. You may recall that, a couple of years ago, someone was convicted of computer misuse because he probed a site for malware - to be precise, he put "/.." on an URL.

--
Clive D.W. Feather          | If you lie to the compiler,
Email: clive at davros.org  | it will get its revenge.
Web: http://www.davros.org  |   - Henry Spencer
Mobile: +44 7973 377646

From nbohm at ernest.net Fri Jul 30 11:39:03 2010
From: nbohm at ernest.net (Nicholas Bohm)
Date: Fri, 30 Jul 2010 10:39:03 -0000
Subject: Here we go again - ISP DPI, but is it interception?
In-Reply-To: <20100730101500.GC46989@davros.org>
References: <58600.78.86.197.160.1280179559.squirrel@drop.daltonfirth.co.uk> <4C4E16F5.10400@zen.co.uk> <4C4E314E.7000609@zen.co.uk> <20100730101500.GC46989@davros.org>
Message-ID: <4C52ABC6.5080908@ernest.net>

Clive D.W. Feather wrote:
> Charles Lindsey said:
>
>> Once they have a list of addresses of sites, they are perfectly
>> entitled to visit those sites (as is anybody else) and to probe them for
>> malware.
>>
>
> No they aren't. You may recall that, a couple of years ago, someone was
> convicted of computer misuse because he probed a site for malware - to be
> precise, he put "/.." on an URL.

Useful point: do you have a reference?

Nicholas
--
Contact and PGP key here

From chris-ukcrypto at lists.skipnote.org Fri Jul 30 11:47:55 2010
From: chris-ukcrypto at lists.skipnote.org (Chris Edwards)
Date: Fri, 30 Jul 2010 10:47:55 -0000
Subject: Here we go again - ISP DPI, but is it interception?
In-Reply-To: <4C52ABC6.5080908@ernest.net>
References: <58600.78.86.197.160.1280179559.squirrel@drop.daltonfirth.co.uk> <4C4E16F5.10400@zen.co.uk> <4C4E314E.7000609@zen.co.uk> <20100730101500.GC46989@davros.org> <4C52ABC6.5080908@ernest.net>
Message-ID:

On Fri, 30 Jul 2010, Nicholas Bohm wrote:

| Clive D.W. Feather wrote:
| > Charles Lindsey said:
| >
| >> Once they have a list of addresses of sites, they are perfectly
| >> entitled to visit those sites (as is anybody else) and to probe them for
| >> malware.
| >>
| >
| > No they aren't. You may recall that, a couple of years ago, someone was
| > convicted of computer misuse because he probed a site for malware - to be
| > precise, he put "/.." on an URL.
|
| Useful point: do you have a reference?
I suspect Clive's referring to the case involving Daniel Cuthbert

aka the "Tsunami Hacker"

http://www.pmsommer.com/CLCMA1205.pdf

From peter at pmsommer.com Fri Jul 30 11:49:11 2010
From: peter at pmsommer.com (Peter Sommer)
Date: Fri, 30 Jul 2010 10:49:11 -0000
Subject: Here we go again - ISP DPI, but is it interception?
In-Reply-To: <4C52ABC6.5080908@ernest.net>
References: <58600.78.86.197.160.1280179559.squirrel@drop.daltonfirth.co.uk> <4C4E16F5.10400@zen.co.uk> <4C4E314E.7000609@zen.co.uk> <20100730101500.GC46989@davros.org> <4C52ABC6.5080908@ernest.net>
Message-ID: <4C52AE1B.6020908@pmsommer.com>

R v Daniel Cuthbert (2005)

http://www.theregister.co.uk/2005/10/06/tsunami_hacker_convicted/

One of my instructions...

Peter Sommer

On 30/07/2010 11:39, Nicholas Bohm wrote:
> Clive D.W. Feather wrote:
>
>>
>> No they aren't. You may recall that, a couple of years ago, someone was
>> convicted of computer misuse because he probed a site for malware - to be
>> precise, he put "/.." on an URL.
>>
> Useful point: do you have a reference?
>
> Nicholas
>

From bdm at fenrir.org.uk Fri Jul 30 11:51:11 2010
From: bdm at fenrir.org.uk (Brian Morrison)
Date: Fri, 30 Jul 2010 10:51:11 -0000
Subject: Here we go again - ISP DPI, but is it interception?
In-Reply-To: <4C52ABC6.5080908@ernest.net>
References: <58600.78.86.197.160.1280179559.squirrel@drop.daltonfirth.co.uk> <4C4E16F5.10400@zen.co.uk> <4C4E314E.7000609@zen.co.uk> <20100730101500.GC46989@davros.org> <4C52ABC6.5080908@ernest.net>
Message-ID: <20100730115101.00007a9e@surtees.fenrir.org.uk>

On Fri, 30 Jul 2010 11:39:02 +0100
Nicholas Bohm wrote:

> Clive D.W. Feather wrote:
> > Charles Lindsey said:
> >
> >> Once they have a list of addresses of sites, they are
> >> perfectly entitled to visit those sites (as is anybody else) and
> >> to probe them for malware.
> >>
> >
> > No they aren't. You may recall that, a couple of years ago, someone
> > was convicted of computer misuse because he probed a site for
> > malware - to be precise, he put "/.." on an URL.
>
> Useful point: do you have a reference?

Dan Cuthbert. He was trying to make a donation to a Tsunami relief charity web site and noted that the site was very slow and thought perhaps he might be being phished, so he truncated the URL back to just the host name. He was prosecuted for purely that action, possibly because as an IT professional the police thought he should realise that such an action would be unauthorised.

--
Brian Morrison

From nbohm at ernest.net Fri Jul 30 12:03:53 2010
From: nbohm at ernest.net (Nicholas Bohm)
Date: Fri, 30 Jul 2010 11:03:53 -0000
Subject: Here we go again - ISP DPI, but is it interception?
In-Reply-To:
References: <58600.78.86.197.160.1280179559.squirrel@drop.daltonfirth.co.uk> <4C4E16F5.10400@zen.co.uk> <4C4E314E.7000609@zen.co.uk> <20100730101500.GC46989@davros.org> <4C52ABC6.5080908@ernest.net>
Message-ID: <4C52B198.3060109@ernest.net>

Chris Edwards wrote:
> On Fri, 30 Jul 2010, Nicholas Bohm wrote:
>
> | Clive D.W. Feather wrote:
> | > Charles Lindsey said:
> | >
> | >> Once they have a list of addresses of sites, they are perfectly
> | >> entitled to visit those sites (as is anybody else) and to probe them for
> | >> malware.
> | >>
> | >
> | > No they aren't. You may recall that, a couple of years ago, someone was
> | > convicted of computer misuse because he probed a site for malware - to be
> | > precise, he put "/.." on an URL.
> |
> | Useful point: do you have a reference?
>
> I suspect Clive's referring to the case involving Daniel Cuthbert
>
> aka the "Tsunami Hacker"
>
> http://www.pmsommer.com/CLCMA1205.pdf
>

Thanks to Chris and Peter for their pointers.

The decision of a magistrate isn't of course binding as a precedent, but it's a good real-world example, and one must wonder whether Talk Talk have overlooked it.
Their public responses do suggest that they aren't very clear about the difference between data protection and interception, as they seem to be justifying the interception on the basis that they haven't collected any personal information about their customers.

Nicholas
--
Contact and PGP key here

From james2 at jfirth.net Fri Jul 30 12:37:38 2010
From: james2 at jfirth.net (James Firth)
Date: Fri, 30 Jul 2010 11:37:38 -0000
Subject: Here we go again - ISP DPI, but is it interception?
In-Reply-To: <4C52B198.3060109@ernest.net>
References: <58600.78.86.197.160.1280179559.squirrel@drop.daltonfirth.co.uk> <4C4E16F5.10400@zen.co.uk> <4C4E314E.7000609@zen.co.uk> <20100730101500.GC46989@davros.org> <4C52ABC6.5080908@ernest.net> <4C52B198.3060109@ernest.net>
Message-ID: <00e101cb2fdb$9a4c0e10$cee42a30$@net>

Nicholas Bohm wrote:
> > I suspect Clive's referring to the case involving Daniel Cuthbert
> >
> > aka the "Tsunami Hacker"
> >
> > http://www.pmsommer.com/CLCMA1205.pdf
> >
>
> Thanks to Chris and Peter for their pointers.
>
> The decision of a magistrate isn't of course binding as a precedent,
> but
> it's a good real-world example, and one must wonder whether Talk Talk
> have overlooked it.

As a professional who works often on security-related web stuff this conviction has always made me feel uncomfortable.

Firstly the speed in which a large firm can get the police to act contrasts starkly with the experience of many smaller server owners/operators who suffer serious prolonged and sophisticated attacks.

And secondly this type of "attack" should really only be viewed as an attack if prolonged multiple requests are made using well-known attack vectors (such as including the quote characters ` and ' as per an SQL "injection" attack).

But as memory serves me a conviction was somewhat inevitable in this case because the defendant via a somewhat circuitous argument showed intent because as a self-proclaimed security researcher he should have known his actions could cause data loss or downtime.

But it happens all the time. I run a URL shortening service and also host a microsite used by the Telegraph for publication of school league tables. I get URL "attacks" nearly every day, most of them probably from curious types who wouldn't dream in a lifetime that what they're doing could be criminal. They're just seeing what's on my servers, how the servers work, and, as sometimes is the case, having a sneaky check to see if the server is vulnerable to common attacks.

(I'm sure there are people on this list far more familiar with the Cuthbert case than me.)

James Firth

From nbohm at ernest.net Fri Jul 30 14:20:37 2010
From: nbohm at ernest.net (Nicholas Bohm)
Date: Fri, 30 Jul 2010 13:20:37 -0000
Subject: Here we go again - ISP DPI, but is it interception?
In-Reply-To: <4C52B804.3010505@pelicancrossing.net>
References: <58600.78.86.197.160.1280179559.squirrel@drop.daltonfirth.co.uk> <4C4E16F5.10400@zen.co.uk> <4C4E314E.7000609@zen.co.uk> <20100730101500.GC46989@davros.org> <4C52ABC6.5080908@ernest.net> <20100730115101.00007a9e@surtees.fenrir.org.uk> <4C52B804.3010505@pelicancrossing.net>
Message-ID: <4C52D1A3.7080602@ernest.net>

Wendy M. Grossman wrote:
> Brian Morrison wrote:
>> On Fri, 30 Jul 2010 11:39:02 +0100
>> Nicholas Bohm wrote:
>>
>>> Clive D.W. Feather wrote:
>>>> Charles Lindsey said:
>>>>
>>>>> Once they have a list of addresses of sites, they are
>>>>> perfectly entitled to visit those sites (as is anybody else) and
>>>>> to probe them for malware.
>>>>>
>>>> No they aren't. You may recall that, a couple of years ago, someone
>>>> was convicted of computer misuse because he probed a site for
>>>> malware - to be precise, he put "/.." on an URL.
>>> Useful point: do you have a reference?
>>
>> Dan Cuthbert. He was trying to make a donation to a Tsunami relief
>> charity web site and noted that the site was very slow and thought
>> perhaps he might be being phished, so he truncated the URL back to just
>> the host name. He was prosecuted for purely that action, possibly
>> because as an IT professional the police thought he should realise that
>> such an action would be unauthorised.
>>
>
> How did they find out? I think we've all often done that kind of thing.

As a result of an intrusion detection system - see http://www.pmsommer.com/CLCMA1205.pdf.

I'm surprised that truncating a URL would set off an IDS. If a page won't load properly, I often try truncating the URL to get back to a home page. I assume that going back to the site's root folder will just load the index file in that folder (or throw an error message if there isn't one). None of this has ever resulted in any response whatever, let alone a police interview.

And of course it's disappointing that the District Judge, while regretting that he could not avoid convicting the defendant, failed to give him an absolute discharge to indicate his views on the appropriateness of the prosecution.

Nicholas
--
Contact and PGP key here

From wendyg at pelicancrossing.net Fri Jul 30 15:56:20 2010
From: wendyg at pelicancrossing.net (Wendy M. Grossman)
Date: Fri, 30 Jul 2010 14:56:20 -0000
Subject: Here we go again - ISP DPI, but is it interception?
In-Reply-To: <20100730115101.00007a9e@surtees.fenrir.org.uk>
References: <58600.78.86.197.160.1280179559.squirrel@drop.daltonfirth.co.uk> <4C4E16F5.10400@zen.co.uk> <4C4E314E.7000609@zen.co.uk> <20100730101500.GC46989@davros.org> <4C52ABC6.5080908@ernest.net> <20100730115101.00007a9e@surtees.fenrir.org.uk>
Message-ID: <4C52B804.3010505@pelicancrossing.net>

Brian Morrison wrote:
> On Fri, 30 Jul 2010 11:39:02 +0100
> Nicholas Bohm wrote:
>
>> Clive D.W. Feather wrote:
>>> Charles Lindsey said:
>>>
>>>> Once they have a list of addresses of sites, they are
>>>> perfectly entitled to visit those sites (as is anybody else) and
>>>> to probe them for malware.
>>>>
>>> No they aren't. You may recall that, a couple of years ago, someone
>>> was convicted of computer misuse because he probed a site for
>>> malware - to be precise, he put "/.." on an URL.
>> Useful point: do you have a reference?
>
> Dan Cuthbert. He was trying to make a donation to a Tsunami relief
> charity web site and noted that the site was very slow and thought
> perhaps he might be being phished, so he truncated the URL back to just
> the host name. He was prosecuted for purely that action, possibly
> because as an IT professional the police thought he should realise that
> such an action would be unauthorised.
>

How did they find out? I think we've all often done that kind of thing.

wg

From zenadsl6186 at zen.co.uk Fri Jul 30 16:57:11 2010
From: zenadsl6186 at zen.co.uk (Peter Fairbrother)
Date: Fri, 30 Jul 2010 15:57:11 -0000
Subject: Here we go again - ISP DPI, but is it interception?
In-Reply-To: <20100730115101.00007a9e@surtees.fenrir.org.uk>
References: <58600.78.86.197.160.1280179559.squirrel@drop.daltonfirth.co.uk> <4C4E16F5.10400@zen.co.uk> <4C4E314E.7000609@zen.co.uk> <20100730101500.GC46989@davros.org> <4C52ABC6.5080908@ernest.net> <20100730115101.00007a9e@surtees.fenrir.org.uk>
Message-ID: <4C52F657.7030501@zen.co.uk>

Brian Morrison wrote:
> On Fri, 30 Jul 2010 11:39:02 +0100
> Nicholas Bohm wrote:
>
>> Clive D.W. Feather wrote:
>>> Charles Lindsey said:
>>>
>>>> Once they have a list of addresses of sites, they are
>>>> perfectly entitled to visit those sites (as is anybody else) and
>>>> to probe them for malware.
>>>>
>>> No they aren't. You may recall that, a couple of years ago, someone
>>> was convicted of computer misuse because he probed a site for
>>> malware - to be precise, he put "/.." on an URL.
>> Useful point: do you have a reference?
>
> Dan Cuthbert. He was trying to make a donation to a Tsunami relief
> charity web site and noted that the site was very slow and thought
> perhaps he might be being phished, so he truncated the URL back to just
> the host name. He was prosecuted for purely that action, possibly
> because as an IT professional the police thought he should realise that
> such an action would be unauthorised.

I don't get it.

If I want to find out whether a site allows directory traversal - some sites do, some don't - how else am I going to find out other than adding a "/.." ?

And the idea that it could cause damage is ludicrous.

--
Peter Fairbrother

From chris-ukcrypto at lists.skipnote.org Fri Jul 30 17:06:18 2010
From: chris-ukcrypto at lists.skipnote.org (Chris Edwards)
Date: Fri, 30 Jul 2010 16:06:18 -0000
Subject: Here we go again - ISP DPI, but is it interception?
In-Reply-To: <4C52F657.7030501@zen.co.uk>
References: <58600.78.86.197.160.1280179559.squirrel@drop.daltonfirth.co.uk> <4C4E16F5.10400@zen.co.uk> <4C4E314E.7000609@zen.co.uk> <20100730101500.GC46989@davros.org> <4C52ABC6.5080908@ernest.net> <20100730115101.00007a9e@surtees.fenrir.org.uk> <4C52F657.7030501@zen.co.uk>
Message-ID:

On Fri, 30 Jul 2010, Peter Fairbrother wrote:

| I don't get it.
|
| If I want to find out whether a site allows directory traversal - some sites
| do, some don't - how else am I going to find out other than adding a "/.." ?

And it seems the tsunami hacker didn't even add "/.."

- he simply truncated the URL, to find a parent or root page.

Which seems even more unlikely to do damage!

From bdm at fenrir.org.uk Fri Jul 30 17:15:55 2010
From: bdm at fenrir.org.uk (Brian Morrison)
Date: Fri, 30 Jul 2010 16:15:55 -0000
Subject: Here we go again - ISP DPI, but is it interception?
In-Reply-To:
References: <58600.78.86.197.160.1280179559.squirrel@drop.daltonfirth.co.uk> <4C4E16F5.10400@zen.co.uk> <4C4E314E.7000609@zen.co.uk> <20100730101500.GC46989@davros.org> <4C52ABC6.5080908@ernest.net> <20100730115101.00007a9e@surtees.fenrir.org.uk> <4C52F657.7030501@zen.co.uk>
Message-ID: <20100730171548.00001417@surtees.fenrir.org.uk>

On Fri, 30 Jul 2010 17:06:15 +0100 (BST)
Chris Edwards wrote:

> On Fri, 30 Jul 2010, Peter Fairbrother wrote:
>
> | I don't get it.
> |
> | If I want to find out whether a site allows directory traversal -
> some sites | do, some don't - how else am I going to find out other
> than adding a "/.." ?
>
> And it seems the tsunami hacker didn't even add "/.."
>
> - he simply truncated the URL, to find a parent or root page.
>
> Which seems even more unlikely to do damage!

As ever, in certain circumstances insane decisions are reached in court, usually because they can be....

--
Brian Morrison

From peter at pmsommer.com Fri Jul 30 17:28:43 2010
From: peter at pmsommer.com (Peter Sommer)
Date: Fri, 30 Jul 2010 16:28:43 -0000
Subject: Here we go again - ISP DPI, but is it interception?
In-Reply-To: <4C52F657.7030501@zen.co.uk>
References: <58600.78.86.197.160.1280179559.squirrel@drop.daltonfirth.co.uk> <4C4E16F5.10400@zen.co.uk> <4C4E314E.7000609@zen.co.uk> <20100730101500.GC46989@davros.org> <4C52ABC6.5080908@ernest.net> <20100730115101.00007a9e@surtees.fenrir.org.uk> <4C52F657.7030501@zen.co.uk>
Message-ID: <4C52FDB0.6000903@pmsommer.com>

If you read the article that Chris Edwards pointed to:

http://www.pmsommer.com/CLCMA1205.pdf

you'll get a better idea of why the District Judge came to that particular finding. He wasn't impressed that Dan Cuthbert had tried to blag his way out of the situation instead of being immediately straight-forward with the police.

As Nick Bohm says, this was a decision in a lower court on the facts; it doesn't set a precedent.
You'll see that I had two Computer Misuse cases running at the same time; I had anticipated "persuading" in the case of Cuthbert and failing in the case of Lennon. In fact it was the other way around - though Lennon lost on appeal.

Peter Sommer

>> Dan Cuthbert. He was trying to make a donation to a Tsunami relief
>> charity web site and noted that the site was very slow and thought
>> perhaps he might be being phished, so he truncated the URL back to just
>> the host name. He was prosecuted for purely that action, possibly
>> because as an IT professional the police thought he should realise that
>> such an action would be unauthorised.
>
>

--
THE INFORMATION CONTAINED IN THIS E-MAIL IS CONFIDENTIAL AND LEGALLY PRIVILEGED. IT IS INTENDED ONLY FOR THE ADDRESSEE NAMED ABOVE. IF YOU ARE NOT THE ADDRESSEE ANY DISTRIBUTION, COPYING OR DISCLOSURE OF THIS E-MAIL IS STRICTLY PROHIBITED. IF YOU HAVE RECEIVED IT IN ERROR PLEASE NOTIFY THE SENDER BY E-MAIL IMMEDIATELY AND DESTROY THE ORIGINAL

From zenadsl6186 at zen.co.uk Fri Jul 30 18:07:11 2010
From: zenadsl6186 at zen.co.uk (Peter Fairbrother)
Date: Fri, 30 Jul 2010 17:07:11 -0000
Subject: Here we go again - ISP DPI, but is it interception?
In-Reply-To: <4C52B198.3060109@ernest.net>
References: <58600.78.86.197.160.1280179559.squirrel@drop.daltonfirth.co.uk> <4C4E16F5.10400@zen.co.uk> <4C4E314E.7000609@zen.co.uk> <20100730101500.GC46989@davros.org> <4C52ABC6.5080908@ernest.net> <4C52B198.3060109@ernest.net>
Message-ID: <4C5306BF.70302@zen.co.uk>

Nicholas Bohm wrote:
> Chris Edwards wrote:
>> On Fri, 30 Jul 2010, Nicholas Bohm wrote:
>>
>> | Clive D.W. Feather wrote:
>> | > Charles Lindsey said:
>> | >
>> | >> Once they have a list of addresses of sites, they are perfectly
>> | >> entitled to visit those sites (as is anybody else) and to probe them for
>> | >> malware.
>> | >>
>> | >
>> | > No they aren't. You may recall that, a couple of years ago, someone was
>> | > convicted of computer misuse because he probed a site for malware - to be
>> | > precise, he put "/.." on an URL.
>> |
>> | Useful point: do you have a reference?
>>
>> I suspect Clive's referring to the case involving Daniel Cuthbert
>>
>> aka the "Tsunami Hacker"
>>
>> http://www.pmsommer.com/CLCMA1205.pdf
>>
>
> Thanks to Chris and Peter for their pointers.
>
> The decision of a magistrate isn't of course binding as a precedent, but
> it's a good real-world example, and one must wonder whether Talk Talk
> have overlooked it.
>
> Their public responses do suggest that they aren't very clear about the
> difference between data protection and interception, as they seem to be
> justifying the interception on the basis that they haven't collected any
> personal information about their customers.

Yes, seems rather silly. They are breaking CMA and RIPA, but "not the DPA" ...

Or maybe it's not so silly. CMA and RIPA are enforced by the Police, who don't seem willing to act against large companies, whereas DPA is enforced by the IC, who does seem willing to act, even if his powers are comparatively limited.

--
Peter Fairbrother

>
> Nicholas

From zenadsl6186 at zen.co.uk Fri Jul 30 19:55:18 2010
From: zenadsl6186 at zen.co.uk (Peter Fairbrother)
Date: Fri, 30 Jul 2010 18:55:18 -0000
Subject: Here we go again - ISP DPI, but is it interception?
In-Reply-To: <4C519CF3.1020005@zen.co.uk> References: <58600.78.86.197.160.1280179559.squirrel@drop.daltonfirth.co.uk> <4C4E16F5.10400@zen.co.uk> <4C4E314E.7000609@zen.co.uk> <00ee01cb2e5b$ad3dc800$07b95800$@net> <4C50674C.1080801@zen.co.uk> <4C519CF3.1020005@zen.co.uk> Message-ID: <4C532015.8070601@zen.co.uk> Peter Fairbrother wrote: > Charles Lindsey wrote: >> On Wed, 28 Jul 2010 18:22:20 +0100, Peter Fairbrother >> wrote: >> >>> James Firth wrote: >> >>> If they don't go to the full URL they won't be able to detect whether >>> there is some bad stuff on the served page - and thus they won't be >>> able to do the job they claim to be doing. >> >> Actually, they might do better by going to the home page of the site >> and crawling from there, rather than just examining some particular >> page for malware. Can someone answer a question for me please - how does crawling work? How does the crawler find different pages? Thanks, -- Peter Fairbrother didn't mention frames once ... ooops! From jon+ukcrypto at unequivocal.co.uk Fri Jul 30 21:44:31 2010 From: jon+ukcrypto at unequivocal.co.uk (Jon Ribbens) Date: Fri, 30 Jul 2010 20:44:31 -0000 Subject: Here we go again - ISP DPI, but is it interception? In-Reply-To: <4C532015.8070601@zen.co.uk> References: <58600.78.86.197.160.1280179559.squirrel@drop.daltonfirth.co.uk> <4C4E16F5.10400@zen.co.uk> <4C4E314E.7000609@zen.co.uk> <00ee01cb2e5b$ad3dc800$07b95800$@net> <4C50674C.1080801@zen.co.uk> <4C519CF3.1020005@zen.co.uk> <4C532015.8070601@zen.co.uk> Message-ID: <20100730204430.GI29810@snowy.squish.net> On Fri, Jul 30, 2010 at 07:55:17PM +0100, Peter Fairbrother wrote: > Can someone answer a question for me please - how does crawling work? > How does the crawler find different pages? By following links from other pages, generally speaking. From igb at batten.eu.org Sat Jul 31 08:37:17 2010 From: igb at batten.eu.org (Ian Batten) Date: Sat, 31 Jul 2010 07:37:17 -0000 Subject: Here we go again - ISP DPI, but is it interception? 
In-Reply-To: References: <58600.78.86.197.160.1280179559.squirrel@drop.daltonfirth.co.uk> <4C4E16F5.10400@zen.co.uk> <4C4E314E.7000609@zen.co.uk> Message-ID: > > The probes from the Huawei servers are from fixed IP addresses and > (presumably) use easily identifiable probes. These connections can be > easily recognised (and blocked) or served apparently "legitimate" > content; I believe malware sites already do this routinely when probed > by known security firms. Although for every site that is deliberately serving bad stuff, there are any number of sites that have been cracked and modified to serve bad stuff. It's less likely those will be in a position to play complex "block this range, serve good stuff to this range, serve bad stuff to the rest" so I don't think it's _entirely_ worthless. ian From maryhawking at tigers.demon.co.uk Sat Jul 31 09:23:50 2010 From: maryhawking at tigers.demon.co.uk (Mary Hawking) Date: Sat, 31 Jul 2010 08:23:50 -0000 Subject: Here we go again - ISP DPI, but is it interception? In-Reply-To: References: Message-ID: In message , ukcrypto-request at chiark.greenend.org.uk writes >On Fri, 30 Jul 2010, Peter Fairbrother wrote: > >| I don't get it. >| >| If I want to find out whether a site allows directory traversal - >some sites | do, some don't - how else am I going to find out other >than adding a "/.." ? > >And it seems the tsunami hacker didn't even add "/.." > >- he simply truncated the URL, to find a parent or root page. I'm not sure I can get my head around the laws making this illegal - but I am sure that if truncating a URL to find a home page *is* illegal, the majority of ordinary internet users are criminals! I do it all the time - and it is often the *only* way to find the home page if you have been sent the URL for a document on a website, rather than the website itself. In addition, if a page URL gives an Error message, is it illegal to knock off bits of the URL until you reach a loadable page? Who brought the prosecution? 
I.e. was it a public or police prosecution or a private one, and did the site owner (who does own a website for these legal purposes?) claim damages and if so on what grounds? Is the identity of the organisation launching the particular appeal in the public domain? I would have thought that the potential reputational damage to their future activities would have far outweighed any desire to make a test case example of one individual for doing what everyone else does all the time ... Mary Hawking (I realise that this list is in the public domain...;-<) -- Mary Hawking From lists at barnfather.net Sat Jul 31 11:28:17 2010 From: lists at barnfather.net (Paul Barnfather) Date: Sat, 31 Jul 2010 10:28:17 -0000 Subject: Here we go again - ISP DPI, but is it interception? In-Reply-To: References: <58600.78.86.197.160.1280179559.squirrel@drop.daltonfirth.co.uk> <4C4E16F5.10400@zen.co.uk> <4C4E314E.7000609@zen.co.uk> Message-ID: On 31 July 2010 08:37, Ian Batten wrote: >> >> The probes from the Huawei servers are from fixed IP addresses and >> (presumably) use easily identifiable probes. These connections can be >> easily recognised (and blocked) or served apparently "legitimate" >> content; I believe malware sites already do this routinely when probed >> by known security firms. > > Although for every site that is deliberately serving bad stuff, there are > any number of sites that have been cracked and modified to serve bad stuff. > It's less likely those will be in a position to play complex "block this > range, serve good stuff to this range, serve bad stuff to the rest" so I > don't think it's _entirely_ worthless. Good point, Ian. I had overlooked the fact that known-good sites can suddenly turn "bad" as a result of being hacked. I suppose this method could detect such sites in a timely manner. So yes, it's not necessarily *entirely* worthless... 
Question: why don't TalkTalk instead just record the IP of visited addresses (as I understand they are currently required to do anyway), then spider those addresses in the usual way (in accordance with robots.txt)? Would this be problematic in any way? Sneaky, yes - but presumably legal? From nbohm at ernest.net Sat Jul 31 11:37:31 2010 From: nbohm at ernest.net (Nicholas Bohm) Date: Sat, 31 Jul 2010 10:37:31 -0000 Subject: Here we go again - ISP DPI, but is it interception? In-Reply-To: References: Message-ID: <4C53FCE9.1090809@ernest.net> Mary Hawking wrote: > In message > , > ukcrypto-request at chiark.greenend.org.uk writes > >> On Fri, 30 Jul 2010, Peter Fairbrother wrote: >> >> | I don't get it. >> | >> | If I want to find out whether a site allows directory traversal - >> some sites | do, some don't - how else am I going to find out other >> than adding a "/.." ? >> >> And it seems the tsunami hacker didn't even add "/.." >> >> - he simply truncated the URL, to find a parent or root page. > > I'm not sure I can get my head around the laws making this illegal - > but I am sure that if truncating a URL to find a home page *is* > illegal, the majority of ordinary internet users are criminals! > > I do it all the time - and it is often the *only* way to find the home > page if you have been sent the URL for a document on a website, rather > than the website itself. > In addition, if a page URL gives an Error message, is it illegal to > knock off bits of the URL until you reach a loadable page? > > Who brought the prosecution? I.e. was it a public or police > prosecution or a private one, and did the site owner (who does own a > website for these legal purposes?) claim damages and if so on what > grounds? It seems to have been a conventional police/CPS prosecution following a complaint. Nothing suggests there was any claim for compensation. > Is the identity of the organisation launching the particular appeal in > the public domain? 
If I follow the report, BT as the operator of the site reported the intrusion and the police did the rest. > I would have thought that the potential reputational damage to their > future activities would have far outweighed any desire to make a test > case example of one individual for doing what everyone else does all > the time ... Regrettably such hopes seem vain ... Nicholas -- Contact and PGP key here From pwt at iosis.co.uk Sat Jul 31 14:46:43 2010 From: pwt at iosis.co.uk (Peter Tomlinson) Date: Sat, 31 Jul 2010 13:46:43 -0000 Subject: Being safe on the internet (was Re: Here we go again - ISP DPI, but is it interception?) In-Reply-To: References: Message-ID: <4C54293C.1000901@iosis.co.uk> Mary Hawking wrote: > In message > , > ukcrypto-request at chiark.greenend.org.uk writes > >> On Fri, 30 Jul 2010, Peter Fairbrother wrote: >> >> | I don't get it. >> | >> | If I want to find out whether a site allows directory traversal - >> some sites | do, some don't - how else am I going to find out other >> than adding a "/.." ? >> >> And it seems the tsunami hacker didn't even add "/.." >> >> - he simply truncated the URL, to find a parent or root page. > > I'm not sure I can get my head around the laws making this illegal - > but I am sure that if truncating a URL to find a home page *is* > illegal, the majority of ordinary internet users are criminals! > > I do it all the time - and it is often the *only* way to find the home > page if you have been sent the URL for a document on a website, rather > than the website itself. > I find it unbelievable that it's illegal, if only because it is so easy to do by mistake - so I do not even support the conditional discharge, because the prosecution should never have been brought. I suppose that the physical world analogue is that you are tampering with a locked door if you send that message - but really you are just trying a doorknob, and thus the prosecutor should have to provide evidence that you have malicious intent. 
So you need to find an internet police person and report that somebody is tampering with your internet access - fat chance. Recently I was at an IAAC Working Group about being safe on the internet, and there the nature of the internet (wild and woolly) was discussed, and whether it could be made tame. Having thought about it both then and later, I'm of the opinion that the protection should be in both web server and user system, and that it should be routinely installed and configured in both, and be ubiquitous in its operation. So protection against inadvertent illegality needs to be there in the protection software in the user system, and the web server's system should protect against a user doing the illegal thing. It's rather like you having to have both working brakes and crashworthy bodywork on your car if you drive it on the highway. Peter From wendyg at pelicancrossing.net Sat Jul 31 14:50:48 2010 From: wendyg at pelicancrossing.net (Wendy M. Grossman) Date: Sat, 31 Jul 2010 13:50:48 -0000 Subject: Being safe on the internet (was Re: Here we go again - ISP DPI, but is it interception?) In-Reply-To: <4C54293C.1000901@iosis.co.uk> References: <4C54293C.1000901@iosis.co.uk> Message-ID: <4C542A2C.5010706@pelicancrossing.net> Peter Tomlinson wrote: > Mary Hawking wrote: >> In message >> , >> ukcrypto-request at chiark.greenend.org.uk writes >> >>> On Fri, 30 Jul 2010, Peter Fairbrother wrote: >>> >>> | I don't get it. >>> | >>> | If I want to find out whether a site allows directory traversal - >>> some sites | do, some don't - how else am I going to find out other >>> than adding a "/.." ? >>> >>> And it seems the tsunami hacker didn't even add "/.." >>> >>> - he simply truncated the URL, to find a parent or root page. >> >> I'm not sure I can get my head around the laws making this illegal - >> but I am sure that if truncating a URL to find a home page *is* >> illegal, the majority of ordinary internet users are criminals! 
>> >> I do it all the time - and it is often the *only* way to find the home >> page if you have been sent the URL for a document on a website, rather >> than the website itself. >> > I find it unbelievable that it's illegal, if only because it is so easy > to do by mistake - so I do not even support the conditional discharge, > because the prosecution should never have been brought. I suppose that > the physical world analogue is that you are tampering with a locked door > if you send that message - but really you are just trying a doorknob, > and thus the prosecutor should have to provide evidence that you have > malicious intent. So you need to find an internet police person and > report that somebody is tampering with your internet access - fat chance. It's not even trying a doorknob. It's more like finding two pages stuck together in a magazine and separating them, or finding a public street blocked and taking a detour to get to the street you're trying to get to. wg From colinthomson1 at o2.co.uk Sat Jul 31 15:28:56 2010 From: colinthomson1 at o2.co.uk (Tom Thomson) Date: Sat, 31 Jul 2010 14:28:56 -0000 Subject: Here we go again - ISP DPI, but is it interception? In-Reply-To: References: <58600.78.86.197.160.1280179559.squirrel@drop.daltonfirth.co.uk><4C4E16F5.10400@zen.co.uk> <4C4E314E.7000609@zen.co.uk> Message-ID: <6D193B7653CC4D508C785DFD18021F0B@your41b8d18ede> > Question: why don't TalkTalk instead just record the IP of visited > addresses (as I understand they are currently required to do anyway), > then spider those addresses in the usual way (in accordance with > robots.txt)? A single IP address can host many web sites; each has its own robots.txt file. If all you have is the IP you have neither the site root URLs nor those of the robots.txt files so an IP address alone doesn't give you a start point for spidering. M.
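A worked illustration of two points made in this thread: Jon Ribbens' answer that a crawler finds pages by following links, and Tom Thomson's point that robots.txt is served per host name, so a logged IP address alone gives a spider no start point. This is an added example, not code from the list or from TalkTalk's system. The two virtual hosts, their pages and robots.txt files, the IP-to-host table and the crawler user-agent string are all constructed for the example; nothing touches the network.

```python
"""Added example (not from the ukcrypto thread or TalkTalk's system):
a minimal offline link-following crawler showing (a) how a spider finds
pages, by following links, and (b) why it needs a host name rather than
an IP address: robots.txt is served per virtual host, and one IP can
front many hosts. Every site, page and mapping below is constructed."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit
from urllib.robotparser import RobotFileParser

# Constructed: two virtual hosts sharing one IP. Keyed by full URL,
# i.e. by host name, because that is what the HTTP Host header selects
# on; a request addressed to the bare IP reaches neither site here.
FAKE_WEB = {
    "http://alpha.example/robots.txt": "User-agent: *\nDisallow: /private/\n",
    "http://alpha.example/": '<a href="/about.html">about</a>'
                             '<a href="/private/x.html">x</a>',
    "http://alpha.example/about.html": '<a href="http://beta.example/">beta</a>',
    "http://alpha.example/private/x.html": "not for crawlers",
    "http://beta.example/robots.txt": "User-agent: *\nDisallow: /\n",
    "http://beta.example/": '<a href="/page.html">page</a>',
    "http://beta.example/page.html": "<p>hello</p>",
}
# Constructed reverse map. An ISP holding only retained IP logs does not
# have this, which is Tom Thomson's point: the IP gives no start URLs.
IP_TO_HOSTS = {"192.0.2.10": ["alpha.example", "beta.example"]}

USER_AGENT = "example-spider"  # assumed name, not TalkTalk's real one


def fetch(url):
    """Stand-in for an HTTP GET: body text, or None for a 404."""
    return FAKE_WEB.get(url)


class LinkExtractor(HTMLParser):
    """Collects absolute URLs from <a href=...> tags."""

    def __init__(self, base):
        super().__init__()
        self.base, self.links = base, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(urljoin(self.base, value))


def extract_links(base, html):
    parser = LinkExtractor(base)
    parser.feed(html)
    return parser.links


def robots_for_host(scheme, host, cache):
    """robots.txt is fetched and cached once per host, never per IP."""
    if host not in cache:
        rp = RobotFileParser()
        rp.parse((fetch(f"{scheme}://{host}/robots.txt") or "").splitlines())
        cache[host] = rp
    return cache[host]


def crawl(start_url, limit=50):
    """Breadth-first: fetch a page, extract its links, queue those that
    the robots.txt of each link's own host permits. Returns the URLs
    actually fetched, in order."""
    queue, seen, visited, robots = [start_url], {start_url}, [], {}
    while queue and len(visited) < limit:
        url = queue.pop(0)
        parts = urlsplit(url)
        if not robots_for_host(parts.scheme, parts.netloc, robots).can_fetch(USER_AGENT, url):
            continue  # disallowed for this host; do not fetch it
        body = fetch(url)
        if body is None:
            continue  # 404 (or, for a bare IP, no matching vhost)
        visited.append(url)
        for link in extract_links(url, body):
            if link not in seen:
                seen.add(link)
                queue.append(link)
    return visited


def start_points_for_ip(ip):
    """Start URLs a spider would need for an IP: only derivable if you
    already know which host names live there."""
    return [f"http://{host}/" for host in IP_TO_HOSTS.get(ip, [])]


if __name__ == "__main__":
    print(crawl("http://alpha.example/"))    # alpha's public pages only
    print(crawl("http://192.0.2.10/"))       # []: nothing answers the bare IP
    print(start_points_for_ip("192.0.2.10"))
```

Crawling from alpha.example visits its root and about page, skips /private/ because alpha's robots.txt forbids it, and never fetches beta.example even though alpha links to it, because beta's own robots.txt disallows everything. Crawling from the bare IP fetches nothing, and the only way to turn that IP into start URLs is a host table the spider has to be given from somewhere else.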