From pwt at iosis.co.uk Sat Dec 3 17:25:42 2011 From: pwt at iosis.co.uk (Peter Tomlinson) Date: Sat, 03 Dec 2011 17:25:42 +0000 Subject: Reporting scam emails to Met Police Message-ID: <4EDA5B96.3000503@iosis.co.uk> For some time the Met Police have been inviting the forwarding of scam emails to National Fraud Authority . I have just now sent them one, having not sent any for a while. PlusNet (which I use for sending, but I receive by clicking through to another ISP that hosts my incoming email service) has been very actively blocking reporting of them when Cloudmark has already picked up and banned the URL of the malevolent web site that the body of the email sends you to - but today one got through to actionfraud, and I got the response copied below: Thank you for your email. Reporting scam emails has changed and we are no longer taking emails through email at actionfraud.org.uk. If you would like to report a scam email, a fraud or need guidance on fraud and how to protect yourself, please go to www.actionfraud.org.uk. Action Fraud is the UK's national fraud reporting centre. To report a crime that is not fraud related please contact your local police. Police force contact details can be found at www.police.org.uk. To make an anonymous crime report please phone Action Fraud on 0300 123 2040. The email from actionfraud suggests that you can report a scam email on their web site, but my reading of their web site process is that they only want to know if you have been a victim or have come close to being a victim but either your system's protection or your own actions averted the disaster. I wonder why the change has occurred and how we are combating scammers now (but the answers may be something that should not be posted on a list such as this one). Peter From ukcrypto at originalthinktank.org.uk Sun Dec 4 03:10:35 2011 From: ukcrypto at originalthinktank.org.uk (Chris Salter) Date: Sun, 04 Dec 2011 03:10:35 +0000 Subject: Reporting scam emails to Met Police In-Reply-To: <4EDA5B96.3000503@iosis.co.uk> References: <4EDA5B96.3000503@iosis.co.uk> Message-ID: <4EDAE4AB.3060604@originalthinktank.org.uk> On 03/12/2011 17:25, Peter Tomlinson wrote: [snip for the purposes of this reply only] > I wonder why the change has occurred and how we are combating scammers > now (but the answers may be something that should not be posted on a > list such as this one). For the narrower scam category of 'Phishing', a reporting facility that can be mentioned here is the APWG (Anti-Phishing Working Group). http://www.apwg.org/ -- Chris Salter http://www.originalthinktank.org.uk/ http://www.post-polio.org.uk/ From peter at pmsommer.com Sun Dec 4 07:45:44 2011 From: peter at pmsommer.com (Peter Sommer) Date: Sun, 04 Dec 2011 07:45:44 +0000 Subject: Reporting scam emails to Met Police In-Reply-To: <4EDA5B96.3000503@iosis.co.uk> References: <4EDA5B96.3000503@iosis.co.uk> Message-ID: <4EDB2528.5040602@pmsommer.com> The cyber security strategy document published on 25 November shows the longer term aims of the NCSP: 4.33 In parallel we are taking action to make sure that it is simple and straightforward for members of the public to report cyber crimes. Of course this should include being able to do so online. 4.34 Over half of all police forces already provide a facility for the public to report crime online, though these range from basic systems for certain crime types to fully integrated crime reporting tools. We will support forces to move to full online crime reporting by helping them identify good practice. 4.35 People are already encouraged to report fraud, including cyber fraud, through the internet, using the Action Fraud tool. We will make it easier for people to do this by improving its accessibility and functionality. Crime reports can currently take up to 30 minutes to complete online. We will aim to reduce that time by a half. 4.36 As well as allowing the police to follow up directly on individual crimes, better reporting will help build our intelligence picture through the National Fraud Intelligence Bureau, improving the targeting of enforcement resources and feeding into crime prevention advice. These are, of course,ambitions... Peter Sommer On 03/12/2011 17:25, Peter Tomlinson wrote: > For some time the Met Police have been inviting the forwarding of scam > emails to National Fraud Authority . I have > just now sent them one, having not sent any for a while. PlusNet > (which I use for sending, but I receive by clicking through to another > ISP that hosts my incoming email service) has been very actively > blocking reporting of them when Cloudmark has already picked up and > banned the URL of the malevolent web site that the body of the email > sends you to - but today one got through to actionfraud, and I got the > response copied below: > > Thank you for your email. > > Reporting scam emails has changed and we are no longer taking emails > through email at actionfraud.org.uk. > > If you would like to report a scam email, a fraud or need guidance > on fraud and how to protect yourself, please go to > www.actionfraud.org.uk. Action Fraud is the UK's national fraud > reporting centre. > > To report a crime that is not fraud related please contact your > local police. Police force contact details can be found at > www.police.org.uk. > > To make an anonymous crime report please phone Action Fraud on 0300 > 123 2040. > > From pwt at iosis.co.uk Sun Dec 4 14:15:07 2011 From: pwt at iosis.co.uk (Peter Tomlinson) Date: Sun, 04 Dec 2011 14:15:07 +0000 Subject: Reporting scam emails to Met Police In-Reply-To: <4EDB2528.5040602@pmsommer.com> References: <4EDA5B96.3000503@iosis.co.uk> <4EDB2528.5040602@pmsommer.com> Message-ID: <4EDB806B.4040302@iosis.co.uk> Thanks, Peter. I had read only the summary of that document. But of course what I'm looking for (and I think we had it for a few months) is pro-active action to block access to the phishing sites. Although I had read somewhere that such access really needs to be blocked within an hour of the messages starting to be sent to us targets... However, in PlusNet's hands, Cloudmark is being used to inspect all outgoing mail, without knowing if it is malicious or an honest attempt to combat criminality. Is the mere act of sending a phishing or other scam email a criminal offence? If so, we ought to be able to report it through actionfraud, but it appears that they don't want that. Peter On 04/12/2011 07:45, Peter Sommer wrote: > The cyber security strategy document published on 25 November shows > the longer term aims of the NCSP: > > 4.33 In parallel we are taking action to make sure that it is simple > and straightforward for members of the public to report cyber crimes. > Of course this should include being able to do so online. > 4.34 Over half of all police forces already provide a facility for the > public to report crime online, though these range from basic systems > for certain crime types to fully integrated crime reporting tools. We > will support forces to move to full online crime reporting by helping > them identify good practice. > 4.35 People are already encouraged to report fraud, including cyber > fraud, through the internet, using the Action Fraud tool. We will make > it easier for people to do this by improving its accessibility and > functionality. Crime reports can currently take up to 30 minutes to > complete online. We will aim to reduce that time by a half. > 4.36 As well as allowing the police to follow up directly on > individual crimes, better reporting will help build our intelligence > picture through the National Fraud Intelligence Bureau, improving the > targeting of enforcement resources and feeding into crime prevention > advice. > > These are, of course, ambitions... > > > Peter Sommer > > > On 03/12/2011 17:25, Peter Tomlinson wrote: >> For some time the Met Police have been inviting the forwarding of >> scam emails to National Fraud Authority . I >> have just now sent them one, having not sent any for a while. PlusNet >> (which I use for sending, but I receive by clicking through to >> another ISP that hosts my incoming email service) has been very >> actively blocking reporting of them when Cloudmark has already picked >> up and banned the URL of the malevolent web site that the body of the >> email sends you to - but today one got through to actionfraud, and I >> got the response copied below: >> >> Thank you for your email. >> >> Reporting scam emails has changed and we are no longer taking emails >> through email at actionfraud.org.uk. >> >> If you would like to report a scam email, a fraud or need guidance >> on fraud and how to protect yourself, please go to >> www.actionfraud.org.uk. Action Fraud is the UK's national fraud >> reporting centre. >> >> To report a crime that is not fraud related please contact your >> local police. Police force contact details can be found at >> www.police.org.uk. >> >> To make an anonymous crime report please phone Action Fraud on 0300 >> 123 2040. >> >> > > From ukcrypto at originalthinktank.org.uk Sun Dec 4 16:06:52 2011 From: ukcrypto at originalthinktank.org.uk (Chris Salter) Date: Sun, 04 Dec 2011 16:06:52 +0000 Subject: Reporting scam emails to Met Police In-Reply-To: <4EDB806B.4040302@iosis.co.uk> References: <4EDA5B96.3000503@iosis.co.uk> <4EDB2528.5040602@pmsommer.com> <4EDB806B.4040302@iosis.co.uk> Message-ID: <4EDB9A9C.5020100@originalthinktank.org.uk> On 04/12/2011 14:15, Peter Tomlinson wrote: > Thanks, Peter. I had read only the summary of that document. > > But of course what I'm looking for (and I think we had it for a few > months) is pro-active action to block access to the phishing sites. > Although I had read somewhere that such access really needs to be > blocked within an hour of the messages starting to be sent to us > targets... > > However, in PlusNet's hands, Cloudmark is being used to inspect all > outgoing mail, without knowing if it is malicious or an honest > attempt to combat criminality. > > Is the mere act of sending a phishing or other scam email a criminal > offence? If so, we ought to be able to report it through > actionfraud, but it appears that they don't want that. I would have thought Phishing is a global issue requiring global cooperation to combat it. The APWG appears to be a global response as can be seen from its list of members and research partners. http://www.apwg.org/sponsors.html#sponsors Scanning down the list you will find APACS (The UK Payments Association) and its public information site, Bank Safe Online. http://www.ukpayments.org.uk/ http://www.banksafeonline.org.uk/ You can report scams (including Phishing) via their site or by email. http://www.banksafeonline.org.uk/report_scam.html From the above: All emails reported to us will be processed by automated systems that analyse the contents for new incidents. The results are then used by our global network of anti-phishing partners to protect Internet users by: * Identifying and shutting down web sites, domain names and email addresses used by fraudsters * Improving user protection systems like anti-phishing toolbars and anti-spyware products * Improving anti-spam filters so that fewer spam emails get through End Quote. Given that APACS/BankSafeOnline are research partners to APWG it seems reasonable to assume Phishing sources are passed on to APWG. Action Fraud appears to be the public site of the National Fraud Authority, who don't appear to have their own site, rather they come under the Home Office (not researched in depth so I may be wrong). http://www.homeoffice.gov.uk/agencies-public-bodies/nfa/ According to the above the NFA leads the implementation of "Fighting Fraud Together". http://www.homeoffice.gov.uk/publications/agencies-public-bodies/nfa/fighting-fraud-tog/fighting-fraud-together?view=Binary or http://preview.tinyurl.com/d6gcp9v Unfortunately "Together" appears to be limited to the UK. In addition, a search of the above document for either "Phishing" or "email" produced 0 results. So, personally, although I monitor Action Fraud's news items (which cover a wide range of UK specific 'fraud events') via an RSS feed, as far as Phishing is concerned I will continue to report it direct to APWG. > > On 04/12/2011 07:45, Peter Sommer wrote: >> The cyber security strategy document published on 25 November shows >> the longer term aims of the NCSP: >> >> 4.33 In parallel we are taking action to make sure that it is >> simple and straightforward for members of the public to report >> cyber crimes. Of course this should include being able to do so >> online. 4.34 Over half of all police forces already provide a >> facility for the public to report crime online, though these range >> from basic systems for certain crime types to fully integrated >> crime reporting tools. We will support forces to move to full >> online crime reporting by helping them identify good practice. 4.35 >> People are already encouraged to report fraud, including cyber >> fraud, through the internet, using the Action Fraud tool. We will >> make it easier for people to do this by improving its accessibility >> and functionality. Crime reports can currently take up to 30 >> minutes to complete online. We will aim to reduce that time by a >> half. 4.36 As well as allowing the police to follow up directly on >> individual crimes, better reporting will help build our >> intelligence picture through the National Fraud Intelligence >> Bureau, improving the targeting of enforcement resources and >> feeding into crime prevention advice. >> >> These are, of course, ambitions... >> >> >> Peter Sommer >> >> >> On 03/12/2011 17:25, Peter Tomlinson wrote: >>> For some time the Met Police have been inviting the forwarding of >>> scam emails to National Fraud Authority >>> . I have just now sent them one, having >>> not sent any for a while. PlusNet (which I use for sending, but I >>> receive by clicking through to another ISP that hosts my incoming >>> email service) has been very actively blocking reporting of them >>> when Cloudmark has already picked up and banned the URL of the >>> malevolent web site that the body of the email sends you to - but >>> today one got through to actionfraud, and I got the response >>> copied below: >>> >>> Thank you for your email. >>> >>> Reporting scam emails has changed and we are no longer taking >>> emails through email at actionfraud.org.uk. >>> >>> If you would like to report a scam email, a fraud or need >>> guidance on fraud and how to protect yourself, please go to >>> www.actionfraud.org.uk. Action Fraud is the UK's national fraud >>> reporting centre. >>> >>> To report a crime that is not fraud related please contact your >>> local police. Police force contact details can be found at >>> www.police.org.uk. >>> >>> To make an anonymous crime report please phone Action Fraud on >>> 0300 123 2040. >>> >>> >> >> > > -- Chris Salter http://www.originalthinktank.org.uk/ http://www.post-polio.org.uk/ From peter at pmsommer.com Sun Dec 4 16:33:14 2011 From: peter at pmsommer.com (Peter Sommer) Date: Sun, 04 Dec 2011 16:33:14 +0000 Subject: Reporting scam emails to Met Police In-Reply-To: <4EDB806B.4040302@iosis.co.uk> References: <4EDA5B96.3000503@iosis.co.uk> <4EDB2528.5040602@pmsommer.com> <4EDB806B.4040302@iosis.co.uk> Message-ID: <4EDBA0CA.8050307@pmsommer.com> On 04/12/2011 14:15, Peter Tomlinson wrote: > Is the mere act of sending a phishing or other scam email a criminal > offence? If so, we ought to be able to report it through actionfraud, > but it appears that they don't want that. Fraud Act, 2006, s 2: "fraud by false representation" Part of the problem at the moment that PCeCU, SOCA e-crime and the City of London Police all claim jurisdiction over these offences - it is this confusion that the new government strategy is supposed to overcome. However all that is being said is that there will be a consolidation, not how it will be achieved. Peter Sommer From lists at internetpolicyagency.com Sun Dec 4 16:45:28 2011 From: lists at internetpolicyagency.com (Roland Perry) Date: Sun, 4 Dec 2011 16:45:28 +0000 Subject: Reporting scam emails to Met Police In-Reply-To: <4EDBA0CA.8050307@pmsommer.com> References: <4EDA5B96.3000503@iosis.co.uk> <4EDB2528.5040602@pmsommer.com> <4EDB806B.4040302@iosis.co.uk> <4EDBA0CA.8050307@pmsommer.com> Message-ID: In article <4EDBA0CA.8050307 at pmsommer.com>, Peter Sommer writes >> Is the mere act of sending a phishing or other scam email a criminal >>offence? If so, we ought to be able to report it through actionfraud, >>but it appears that they don't want that. > >Fraud Act, 2006, s 2: "fraud by false representation" > >Part of the problem at the moment that PCeCU, SOCA e-crime and the City >of London Police all claim jurisdiction over these offences - it is >this confusion that the new government strategy is supposed to >overcome. Surely they all could have jurisdiction, but they might be contending for who is the "lead authority". >However all that is being said is that there will be a consolidation, >not how it will be achieved. It's worth considering reinstating the function of the NHTCU, being both an adviser to local forces, but also investigating the whole range of issues (not just the "serious" ones). -- Roland Perry From ukcrypto at sourcetagged.ian.co.uk Sun Dec 4 16:47:55 2011 From: ukcrypto at sourcetagged.ian.co.uk (Ian Mason) Date: Sun, 4 Dec 2011 16:47:55 +0000 Subject: Reporting scam emails to Met Police In-Reply-To: <4EDB806B.4040302@iosis.co.uk> References: <4EDA5B96.3000503@iosis.co.uk> <4EDB2528.5040602@pmsommer.com> <4EDB806B.4040302@iosis.co.uk> Message-ID: <50879A79-A34D-48E0-9C82-D1CE0068FF08@sourcetagged.ian.co.uk> On 4 Dec 2011, at 14:15, Peter Tomlinson wrote: > Is the mere act of sending a phishing or other scam email a criminal > offence? If so, we ought to be able to report it through > actionfraud, but it appears that they don't want that. Under English law all attempts at committing criminal offences are themselves criminal offences. Collectively with conspiracy to commit and incitement to commit, these are known as inchoate offences. It is highly likely that a court would regard the sending of an email, with intent to commit fraud, as reaching the standard necessary to commit a criminal attempt, even if the substantive offence of fraud never actually occurs. Ian From peter at pmsommer.com Sun Dec 4 17:09:43 2011 From: peter at pmsommer.com (Peter Sommer) Date: Sun, 04 Dec 2011 17:09:43 +0000 Subject: Reporting scam emails to Met Police In-Reply-To: <50879A79-A34D-48E0-9C82-D1CE0068FF08@sourcetagged.ian.co.uk> References: <4EDA5B96.3000503@iosis.co.uk> <4EDB2528.5040602@pmsommer.com> <4EDB806B.4040302@iosis.co.uk> <50879A79-A34D-48E0-9C82-D1CE0068FF08@sourcetagged.ian.co.uk> Message-ID: <4EDBA957.2060403@pmsommer.com> True, but s 2 Fraud Act obviates the need to go the inchoate route, the email's false representation is the offence: Fraud by false representation (1)A person is in breach of this section if he? (a)dishonestly makes a false representation, and (b)intends, by making the representation? (i)to make a gain for himself or another, or (ii)to cause loss to another or to expose another to a risk of loss. (2)A representation is false if? (a)it is untrue or misleading, and (b)the person making it knows that it is, or might be, untrue or misleading. (3)?Representation? means any representation as to fact or law, including a representation as to the state of mind of? (a)the person making the representation, or (b)any other person. (4)A representation may be express or implied. (5)For the purposes of this section a representation may be regarded as made if it (or anything implying it) is submitted in any form to any system or device designed to receive, convey or respond to communications (with or without human intervention). On 04/12/2011 16:47, Ian Mason wrote: > Under English law all attempts at committing criminal offences are > themselves criminal offences. Collectively with conspiracy to commit > and incitement to commit, these are known as inchoate offences. It is > highly likely that a court would regard the sending of an email, with > intent to commit fraud, as reaching the standard necessary to commit a > criminal attempt, even if the substantive offence of fraud never > actually occurs. Peter Sommer From clive at davros.org Sun Dec 4 17:15:16 2011 From: clive at davros.org (Clive D.W. Feather) Date: Sun, 4 Dec 2011 17:15:16 +0000 Subject: Reporting scam emails to Met Police In-Reply-To: <4EDBA957.2060403@pmsommer.com> References: <4EDA5B96.3000503@iosis.co.uk> <4EDB2528.5040602@pmsommer.com> <4EDB806B.4040302@iosis.co.uk> <50879A79-A34D-48E0-9C82-D1CE0068FF08@sourcetagged.ian.co.uk> <4EDBA957.2060403@pmsommer.com> Message-ID: <20111204171516.GA90640@davros.org> Peter Sommer said: > Fraud by false representation > (1)A person is in breach of this section if he? > (a)dishonestly makes a false representation, and > (b)intends, by making the representation? > (i)to make a gain for himself or another, or > (ii)to cause loss to another or to expose another to a risk of loss. Note that you need to show real loss, not just damage to reputation or something like that: 5. (1)The references to gain and loss in sections 2 to 4 are to be read in accordance with this section. (2)"Gain" and "loss" - (a)extend only to gain or loss in money or other property; (b)include any such gain or loss whether temporary or permanent; and "property" means any property whether real or personal (including things in action and other intangible property). (3)"Gain" includes a gain by keeping what one has, as well as a gain by getting what one does not have. (4)"Loss" includes a loss by not getting what one might get, as well as a loss by parting with what one has. -- Clive D.W. Feather | If you lie to the compiler, Email: clive at davros.org | it will get its revenge. Web: http://www.davros.org | - Henry Spencer Mobile: +44 7973 377646 From mozolevsky at gmail.com Sun Dec 4 16:21:29 2011 From: mozolevsky at gmail.com (Igor Mozolevsky) Date: Sun, 4 Dec 2011 16:21:29 +0000 Subject: Reporting scam emails to Met Police In-Reply-To: <4EDB806B.4040302@iosis.co.uk> References: <4EDA5B96.3000503@iosis.co.uk> <4EDB2528.5040602@pmsommer.com> <4EDB806B.4040302@iosis.co.uk> Message-ID: On 4 December 2011 14:15, Peter Tomlinson wrote: > Is the mere act of sending a phishing or other scam email a criminal > offence? If so, we ought to be able to report it through actionfraud, but it > appears that they don't want that. The explanatory notes to the Fraud Act 2006 at [16] make it quite plain that such activities may fall within the offences under that act. Cheers, -- Igor :-) From mozolevsky at gmail.com Sun Dec 4 17:53:59 2011 From: mozolevsky at gmail.com (Igor Mozolevsky) Date: Sun, 4 Dec 2011 17:53:59 +0000 Subject: Reporting scam emails to Met Police In-Reply-To: <20111204171516.GA90640@davros.org> References: <4EDA5B96.3000503@iosis.co.uk> <4EDB2528.5040602@pmsommer.com> <4EDB806B.4040302@iosis.co.uk> <50879A79-A34D-48E0-9C82-D1CE0068FF08@sourcetagged.ian.co.uk> <4EDBA957.2060403@pmsommer.com> <20111204171516.GA90640@davros.org> Message-ID: On 4 December 2011 17:15, Clive D.W. Feather wrote: > Peter Sommer said: >> Fraud by false representation >> (1)A person is in breach of this section if he? >> (a)dishonestly makes a false representation, and >> (b)intends, by making the representation? >> (i)to make a gain for himself or another, or >> (ii)to cause loss to another or to expose another to a risk of loss. > > Note that you need to show real loss, not just damage to reputation or > something like that [snip] No, you merely need to show that `another' has been exposed to a risk of loss (second alternative in ?(2(1)(b)(ii)); loss includes not getting something that one might get (note `might' not `will') (?5(4)). One may argue that damaged reputation exposes the person whose reputation was damaged to a risk of loss as a consequence. Whether that would work, I don't know, I don't know of any authority to say one way or another... Cheers, -- Igor :-) From pwt at iosis.co.uk Sun Dec 4 17:56:59 2011 From: pwt at iosis.co.uk (Peter Tomlinson) Date: Sun, 04 Dec 2011 17:56:59 +0000 Subject: Reporting scam emails to Met Police In-Reply-To: <20111204171516.GA90640@davros.org> References: <4EDA5B96.3000503@iosis.co.uk> <4EDB2528.5040602@pmsommer.com><4EDB806B.4040302@iosis.co.uk><50879A79-A34D-48E0-9C82-D1CE0068FF08@sourcetagged.ian.co.uk><4EDBA957.2060403@pmsommer.com> <20111204171516.GA90640@davros.org> Message-ID: <4EDBB46B.9000207@iosis.co.uk> So, if its OK for me to try to summarise, it seems that the police wish to have evidence of an actual gain or loss (as appropriate) but without that evidence they do not want to be pro-active in blocking either phishing emails or those scam emails that offer you loadsamoney if only you reply. It is therefore left to the internet community (via organisations such as Cloudmark) to do the pro-active work. I think that we deserve better. Meanwhile I still want PlusNet to stop blocking my attempts to report phishing emails to the banks whose customers they are tickling up (but I do restrict that to the banks that I use) and to HMRC when its an attack on taxpayers. But thanks for the APWG information, and I will try reporting to them (although their site does indicate that using their online form might be the best way). Peter On 04/12/2011 17:15, Clive D.W. Feather wrote: > Peter Sommer said: >> Fraud by false representation >> (1)A person is in breach of this section if he? >> (a)dishonestly makes a false representation, and >> (b)intends, by making the representation? >> (i)to make a gain for himself or another, or >> (ii)to cause loss to another or to expose another to a risk of loss. > Note that you need to show real loss, not just damage to reputation or > something like that: > > 5. > (1)The references to gain and loss in sections 2 to 4 are to be read in > accordance with this section. > (2)"Gain" and "loss" - > (a)extend only to gain or loss in money or other property; > (b)include any such gain or loss whether temporary or permanent; > and "property" means any property whether real or personal (including > things in action and other intangible property). > (3)"Gain" includes a gain by keeping what one has, as well as a gain by > getting what one does not have. > (4)"Loss" includes a loss by not getting what one might get, as well as a > loss by parting with what one has. > From clive at davros.org Sun Dec 4 20:07:53 2011 From: clive at davros.org (Clive D.W. Feather) Date: Sun, 4 Dec 2011 20:07:53 +0000 Subject: Reporting scam emails to Met Police In-Reply-To: References: <4EDA5B96.3000503@iosis.co.uk> <4EDB2528.5040602@pmsommer.com> <4EDB806B.4040302@iosis.co.uk> <50879A79-A34D-48E0-9C82-D1CE0068FF08@sourcetagged.ian.co.uk> <4EDBA957.2060403@pmsommer.com> <20111204171516.GA90640@davros.org> Message-ID: <20111204200753.GB90640@davros.org> Igor Mozolevsky said: >> Note that you need to show real loss, not just damage to reputation or >> something like that > > [snip] > > No, you merely need to show that `another' has been exposed to a risk > of loss (second alternative in ?(2(1)(b)(ii)); loss includes not > getting something that one might get (note `might' not `will') > (?5(4)). One may argue that damaged reputation exposes the person > whose reputation was damaged to a risk of loss as a consequence. I disagree. Claiming that a damaged reputation leads to financial loss is too remote. The court will interpret the Act on the basis that that wording is significant, and on your interpretation it is nugatory. -- Clive D.W. Feather | If you lie to the compiler, Email: clive at davros.org | it will get its revenge. Web: http://www.davros.org | - Henry Spencer Mobile: +44 7973 377646 From lists at internetpolicyagency.com Sun Dec 4 20:30:27 2011 From: lists at internetpolicyagency.com (Roland Perry) Date: Sun, 4 Dec 2011 20:30:27 +0000 Subject: Reporting scam emails to Met Police In-Reply-To: <4EDBB46B.9000207@iosis.co.uk> References: <4EDA5B96.3000503@iosis.co.uk> <4EDB2528.5040602@pmsommer.com> <4EDB806B.4040302@iosis.co.uk> <50879A79-A34D-48E0-9C82-D1CE0068FF08@sourcetagged.ian.co.uk> <4EDBA957.2060403@pmsommer.com> <20111204171516.GA90640@davros.org> <4EDBB46B.9000207@iosis.co.uk> Message-ID: In article <4EDBB46B.9000207 at iosis.co.uk>, Peter Tomlinson writes >Meanwhile I still want PlusNet to stop blocking my attempts to report >phishing emails to the banks whose customers they are tickling up Is that using their own mail relays, or any mail relays. Hopefully not ones you have wrapped with TLS (on topic at last!) -- Roland Perry From mozolevsky at gmail.com Sun Dec 4 22:34:06 2011 From: mozolevsky at gmail.com (Igor Mozolevsky) Date: Sun, 4 Dec 2011 22:34:06 +0000 Subject: Reporting scam emails to Met Police In-Reply-To: <20111204200753.GB90640@davros.org> References: <4EDA5B96.3000503@iosis.co.uk> <4EDB2528.5040602@pmsommer.com> <4EDB806B.4040302@iosis.co.uk> <50879A79-A34D-48E0-9C82-D1CE0068FF08@sourcetagged.ian.co.uk> <4EDBA957.2060403@pmsommer.com> <20111204171516.GA90640@davros.org> <20111204200753.GB90640@davros.org> Message-ID: On 4 December 2011 20:07, Clive D.W. Feather wrote: > Igor Mozolevsky said: >>> Note that you need to show real loss, not just damage to reputation or >>> something like that >> >> [snip] >> >> No, you merely need to show that `another' has been exposed to a risk >> of loss (second alternative in ?(2(1)(b)(ii)); loss includes not >> getting something that one might get (note `might' not `will') >> (?5(4)). One may argue that damaged reputation exposes the person >> whose reputation was damaged to a risk of loss as a consequence. > > I disagree. Claiming that a damaged reputation leads to financial loss is > too remote. The court will interpret the Act on the basis that that wording > is significant, and on your interpretation it is nugatory. Not sure what you mean by my interpretation, I said that you don't need to prove loss but merely intent to expose to a risk of loss, which is what the act says and is supported by Archbold [2012] at [21-370]... Secondly there are authorities (granted, in a different context), including the House of Lords ones, which recognise that damaged reputation may lead to causal losses (e.g., Malik v. Bank of Credit and Commerce Intl SA [1], where employees' future employment was affected by employer's bad reputation). Like I said in my original message, I don't know whether applying same reasoning, mutatis mutandis, to fraud would work. 1. [1998] AC 20, http://www.bailii.org/uk/cases/UKHL/1997/23.html Cheers, -- Igor :-) From james2 at jfirth.net Mon Dec 12 06:34:01 2011 From: james2 at jfirth.net (James Firth) Date: Mon, 12 Dec 2011 06:34:01 -0000 Subject: GCHQ _Can you crack it? Message-ID: <001501ccb898$09483a50$1bd8aef0$@net> The competition, reportedly a recruitment drive, at canyoucrackit.co.uk was meant to close at midnight last night. Did anyone try solve it? Turns out not crypto knowledge required - but a lot of computer science/software engineering is involved: http://blog.opendigital.org/2011/12/solution-for-gchq-can-you-crack-it.html James Firth From anish.mohammed at gmail.com Mon Dec 12 06:53:26 2011 From: anish.mohammed at gmail.com (Anish Mohammed) Date: Mon, 12 Dec 2011 06:53:26 +0000 Subject: GCHQ _Can you crack it? In-Reply-To: <001501ccb898$09483a50$1bd8aef0$@net> References: <001501ccb898$09483a50$1bd8aef0$@net> Message-ID: Funnily when u crack it u be offered a job at 31k per annum :( Anish Mohammed Twitter: anishmohammed http://uk.linkedin.com/in/anishmohammed On 12 Dec 2011, at 06:34, "James Firth" wrote: > The competition, reportedly a recruitment drive, at canyoucrackit.co.uk was > meant to close at midnight last night. > > Did anyone try solve it? Turns out not crypto knowledge required - but a > lot of computer science/software engineering is involved: > > http://blog.opendigital.org/2011/12/solution-for-gchq-can-you-crack-it.html > > James Firth > > > From tharg at gmx.net Tue Dec 13 01:57:03 2011 From: tharg at gmx.net (Caspar Bowden) Date: Tue, 13 Dec 2011 02:57:03 +0100 Subject: The Information Commission and the Leveson Inquiry In-Reply-To: <53FDAFC3-8EBC-4F6B-8BCC-ADE45E454DE2@batten.eu.org> References: <53FDAFC3-8EBC-4F6B-8BCC-ADE45E454DE2@batten.eu.org> Message-ID: <018c01ccb93a$82e68950$88b39bf0$@gmx.net> >Behalf Of Ian Batten http://www.levesoninquiry.org.uk/hearing/2011-12-12am/ The gist of Thomas' evidence to Leveson Inquiry was that it was all their external counsel 's fault that the ICO investigated no journos. The barrister said the cases would have been too expensive for the ICO to pursue. The Inquiry's counsel was harshly incredulous that this judgement was within the competence of an external adviser - it must have been a response to instructions. Thomas could not recall the meeting at which their former investigator says he was warned off pursuing journos, that there was no policy on whether or not to do so, and he hadn't seen the legal advice until unearthed last week by ICO. He said the reason ICO later definitely dropped any idea of prosecuting journos was because a sample prosecution of an private investigator was bungled by the CPS unbeknownst to them, and only got a suspended sentence. Leveson asked (amusingly) whether Thomas knew that in the ICO's own Legal Note of the trial the judge asked why there weren't any journos in the dock. Thomas said he had not seen that at the time either, and also was only unearthed by the ICO last week. Leveson welcome's to Thomas at the beginning of his evidence commented on the "obvious care that you've taken in .(six) statements which form the basis of your account of these events" Caspar -------------- next part -------------- An HTML attachment was scrubbed... URL: From igb at batten.eu.org Tue Dec 13 12:50:56 2011 From: igb at batten.eu.org (Ian Batten) Date: Tue, 13 Dec 2011 12:50:56 +0000 Subject: The Information Commission and the Leveson Inquiry In-Reply-To: <018c01ccb93a$82e68950$88b39bf0$@gmx.net> References: <53FDAFC3-8EBC-4F6B-8BCC-ADE45E454DE2@batten.eu.org> <018c01ccb93a$82e68950$88b39bf0$@gmx.net> Message-ID: <476402FC-F96B-4E26-BA4D-88C95589A2DB@batten.eu.org> > The gist of Thomas' evidence to Leveson Inquiry was that it was all their external counsel?s fault that the ICO investigated no journos. The barrister said the cases would have been too expensive for the ICO to pursue. The Inquiry's counsel was harshly incredulous that this judgement was within the competence of an external adviser ? it must have been a response to instructions. It seems like a pretty complete failure of governance. Unminuted meetings being reconstructed from memory and loose notes? This was, unless there's some massive scandal we've not yet heard about, the biggest decision the ICO had to take. Ultimately, the IC is paid to take those decisions, supported by his staff and (presumably, although we'd have to read their governance documents) his board. It appears that in this case the decision was taken by a combination of sofa government --- literally, given it appears some of the meetings took place in people's houses --- and palming it off onto external people. What were the criteria used to judge that it was too expensive? Who set those criteria? I've often said that one of the problems of the public sector is that a threat to obtain a letter written by a man who once met a solicitor in a pub is accorded the same respect as a judgement by the Supreme Court. This seems to be a variation on the same thing: an external counsel expressed an opinion which even if factually correct was outside what the counsel was asked to advise on, and which relies on parameters (essentially, how much is too much) which the external counsel doesn't have, and yet the IC took it as something he had no choice but to go along with. Being charitable, it's amateur hour on stage at a provincial working men's club. Being less charitable, it's regulator capture on a grand scale. There's also an interesting section in the transcript Caspar links to [1] which screams "governance failure" (p.46 on p.12). Some of these topics are the legitimate purview of the Information Commissioner qua Information Commissioner (a post that, like the DPP, has some legal standing). Some of them are things that the ICO corporately might take a view on. Some of them are the stuff of an office manager or a COO, not a man with legal responsibilities. That the IC was, or that argues later that he was, concerned with office moves, bogus agencies and the IT system is something that a board should have intervened over. > 3 I was -- we had the major debate about identity > 4 cards just starting. I was seeking to reorganise the > 5 office at that time. We were establishing offices in > 6 Belfast, Edinburgh and Cardiff. Major preparations for > 7 freedom of information. A big programme to simplify our > 8 approach to data protection. A brand new employment > 9 code of practice which had been heavily criticised in > 10 the press and elsewhere. We had a major problem with > 11 bogus agencies, people purporting to be our office and > 12 receiving money from other organisations. We had an IT > 13 system which was causing us trouble, which was being > 14 installed. We had a major row with the audit commission > 15 about the way they were carrying out their functions. ian [1] http://www.levesoninquiry.org.uk/wp-content/uploads/2011/12/Transcript-of-Morning-Hearing-9-December-2011.pdf -------------- next part -------------- An HTML attachment was scrubbed... URL: From james2 at jfirth.net Thu Dec 15 16:26:18 2011 From: james2 at jfirth.net (James Firth) Date: Thu, 15 Dec 2011 16:26:18 -0000 Subject: Sky blocks Newzbin, important legal and technical questions need answering Message-ID: <00d801ccbb46$475920b0$d60b6210$@net> It came quicker than I anticipated. The MPAA told a meeting I was at that it was in the process of obtaining injunctions on other ISPs to widen the block on the Newzbin website under ss97A of the CDPA. The expansion to Sky raises some important questions: 1. Did they fight the order? 2. Was the order modified in any way to take into account that the blocking technology at Sky is, as far as I understand, significantly different to BTs? On point (1), Sky could be forgiven for rolling over easily. BT were hit by a potentially massive costs ruling. Full analysis here: http://ejf.me/pB Long URL: http://www.slightlyrightofcentre.com/2011/12/sky-blocks-newzbin-important-le gal-and.html James Firth --- CEO, Open Digital Policy Organisation www.opendigital.org From fjmd1a at gmail.com Thu Dec 15 16:36:48 2011 From: fjmd1a at gmail.com (Francis Davey) Date: Thu, 15 Dec 2011 16:36:48 +0000 Subject: Sky blocks Newzbin, important legal and technical questions need answering In-Reply-To: <00d801ccbb46$475920b0$d60b6210$@net> References: <00d801ccbb46$475920b0$d60b6210$@net> Message-ID: NB: There was nothing in the original order that required the list of blocked URL's to be kept secret, nor is there likely to be anything that requires any subsequent order to be secret. As a result there'd be nothing wrong with publishing a disclosure of them if you can persuade someone to make one. -- Francis Davey From clive at davros.org Thu Dec 15 16:43:35 2011 From: clive at davros.org (Clive D.W. Feather) Date: Thu, 15 Dec 2011 16:43:35 +0000 Subject: Sky blocks Newzbin, important legal and technical questions need answering In-Reply-To: <00d801ccbb46$475920b0$d60b6210$@net> References: <00d801ccbb46$475920b0$d60b6210$@net> Message-ID: <20111215164335.GB79276@davros.org> James Firth said: > On point (1), Sky could be forgiven for rolling over easily. BT were hit by > a potentially massive costs ruling. But, as I read the final judgement, the costs were for unsuccessfully appealing the original decision on the order, not for fighting the order in the first place. They were given their costs for doing that so that the issues could be examined by the court. Furthermore, my reading of the final decision that ISPs were *expected* to fight such orders rather than nod them through. Ah, here we are. Paragraph 53: "In my judgment, the starting point is that, even though the Studios are enforcing their legal rights, including their right to an injunction under Article 8(3), the rather unusual nature of the remedy under Article 8(3) means that it was reasonable for BT to require the matter to be scrutinised ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ by the court. BT was entitled to a court order for its own protection, and ^^^^^^^^^^^^ it was reasonable for BT to require the Studios to adduce sufficient evidence to establish both that the court had jurisdiction to make the order and that it was appropriate in the exercise of the court's discretion to do so. Accordingly, I consider that the costs of the application down to 16 December 2010 should be borne by the Studios." So it seems to me that Sky should have opposed the application for an order and asked for their costs in doing so. Furthermore, if it was expensive for them to do the blocking, they could ask for the cost of implementation: 32: "the cost to BT ''would be modest and proportionate''" 33: "I do not rule out the possibility that in another case the applicant may be ordered to pay some or all of the costs of implementation," -- Clive D.W. Feather | If you lie to the compiler, Email: clive at davros.org | it will get its revenge. Web: http://www.davros.org | - Henry Spencer Mobile: +44 7973 377646 From james2 at jfirth.net Thu Dec 15 16:54:11 2011 From: james2 at jfirth.net (James Firth) Date: Thu, 15 Dec 2011 16:54:11 -0000 Subject: Sky blocks Newzbin, important legal and technical questions need answering In-Reply-To: <20111215164335.GB79276@davros.org> References: <00d801ccbb46$475920b0$d60b6210$@net> <20111215164335.GB79276@davros.org> Message-ID: <001401ccbb4a$2c5f2a30$851d7e90$@net> Clive Feather wrote: > James Firth said: > > On point (1), Sky could be forgiven for rolling over easily. BT were > hit by > > a potentially massive costs ruling. > > But, as I read the final judgement, the costs were for unsuccessfully > appealing the original decision on the order, not for fighting the > order in > the first place. I had read that section several times, in fact I've previously blogged on that *and* had discussions with a legal expert along those lines, although I can't say in relation to what. But it was my understanding that BT would have found it hard to challenge on a point-by-point basis to the extent they did whilst maintaining a "neutral" stance. I have no specific knowledge of BT's thinking so you may well be right. In fact I hope you're right, and I hope other ISPs will walk unafraid in this area. James From clive at davros.org Thu Dec 15 16:59:23 2011 From: clive at davros.org (Clive D.W. Feather) Date: Thu, 15 Dec 2011 16:59:23 +0000 Subject: Sky blocks Newzbin, important legal and technical questions need answering In-Reply-To: <001401ccbb4a$2c5f2a30$851d7e90$@net> References: <00d801ccbb46$475920b0$d60b6210$@net> <20111215164335.GB79276@davros.org> <001401ccbb4a$2c5f2a30$851d7e90$@net> Message-ID: <20111215165923.GF79276@davros.org> James Firth said: > I have no specific knowledge of BT's thinking so you may well be right. In > fact I hope you're right, and I hope other ISPs will walk unafraid in this > area. I hope a few will too. Because the first few were fought, ISPs expect to get their costs when obeying a Norwich Pharmacal order *and* lack of active defence doesn't mean they admit the validity of the request - the order should still be scrutinized by a court to see if it's proportionate and necessary. Hopefully we'll get to a similar situation: the ISP shouldn't have to fight explicitly and the court should require the applicant to prove proportionality etc. -- Clive D.W. Feather | If you lie to the compiler, Email: clive at davros.org | it will get its revenge. Web: http://www.davros.org | - Henry Spencer Mobile: +44 7973 377646 From james2 at jfirth.net Thu Dec 15 17:08:43 2011 From: james2 at jfirth.net (James Firth) Date: Thu, 15 Dec 2011 17:08:43 -0000 Subject: Sky blocks Newzbin, important legal and technical questions need answering In-Reply-To: <20111215165923.GF79276@davros.org> References: <00d801ccbb46$475920b0$d60b6210$@net> <20111215164335.GB79276@davros.org> <001401ccbb4a$2c5f2a30$851d7e90$@net> <20111215165923.GF79276@davros.org> Message-ID: <001701ccbb4c$34089cb0$9c19d610$@net> Clive Feather wrote: > Because the first few were fought, ISPs expect to get their costs when > obeying a Norwich Pharmacal order *and* lack of active defence doesn't > mean > they admit the validity of the request - the order should still be > scrutinized by a court to see if it's proportionate and necessary. > > Hopefully we'll get to a similar situation: the ISP shouldn't have to > fight > explicitly and the court should require the applicant to prove > proportionality etc. The problem I'm hearing (second hand) is lack of knowledge of specific technical issues on all sides - counsels and the judiciary. The "truth" cannot be established without hearings and calling expert witnesses. The net result is that assertions made by the applicants risk going unchallenged (for fear of costs). I'm less optimistic than you because I'm hearing, on all accounts, it's a bloody mess. Exacerbated if rights holders continue their established theme of arguing black is white. No-one really has a grasp on how far this will go, both with Newzbin wrt other ISPs and, potentially, with other sites. Good point on public disclosure of the blocking list. James Firth From mozolevsky at gmail.com Thu Dec 15 17:10:44 2011 From: mozolevsky at gmail.com (Igor Mozolevsky) Date: Thu, 15 Dec 2011 17:10:44 +0000 Subject: Sky blocks Newzbin, important legal and technical questions need answering In-Reply-To: <00d801ccbb46$475920b0$d60b6210$@net> References: <00d801ccbb46$475920b0$d60b6210$@net> Message-ID: On 15 December 2011 16:26, James Firth wrote: > It came quicker than I anticipated. ?The MPAA told a meeting I was at that > it was in the process of obtaining injunctions on other ISPs to widen the > block on the Newzbin website under ss97A of the CDPA. > > The expansion to Sky raises some important questions: > 1. Did they fight the order? This is rather surprising especially given that just recently in Scarlet v. SABAM ECJ said that there is nothing to suggest that IP rights must be absolutely protected (at [43]) and a fair balance between other rights and interests must be struck (at [45,46]). 1. http://curia.europa.eu/juris/liste.jsf?language=en&num=C-70/10 Cheers, -- Igor M. From clive at davros.org Thu Dec 15 17:12:03 2011 From: clive at davros.org (Clive D.W. Feather) Date: Thu, 15 Dec 2011 17:12:03 +0000 Subject: Sky blocks Newzbin, important legal and technical questions need answering In-Reply-To: <001701ccbb4c$34089cb0$9c19d610$@net> References: <00d801ccbb46$475920b0$d60b6210$@net> <20111215164335.GB79276@davros.org> <001401ccbb4a$2c5f2a30$851d7e90$@net> <20111215165923.GF79276@davros.org> <001701ccbb4c$34089cb0$9c19d610$@net> Message-ID: <20111215171203.GG79276@davros.org> James Firth said: > The problem I'm hearing (second hand) is lack of knowledge of specific > technical issues on all sides - counsels and the judiciary. The "truth" > cannot be established without hearings and calling expert witnesses. The > net result is that assertions made by the applicants risk going unchallenged > (for fear of costs). Hmm. This is an area that ISPA should be leading on. > Good point on public disclosure of the blocking list. Not my point, but I agree it was a good one. -- Clive D.W. Feather | If you lie to the compiler, Email: clive at davros.org | it will get its revenge. Web: http://www.davros.org | - Henry Spencer Mobile: +44 7973 377646 From lists at internetpolicyagency.com Thu Dec 15 17:16:00 2011 From: lists at internetpolicyagency.com (Roland Perry) Date: Thu, 15 Dec 2011 17:16:00 +0000 Subject: Sky blocks Newzbin, important legal and technical questions need answering In-Reply-To: <00d801ccbb46$475920b0$d60b6210$@net> References: <00d801ccbb46$475920b0$d60b6210$@net> Message-ID: I was interested in the comments about IP addresses, and the possibility of them being recycled to an innocent user who would then be denied service. Various address blocks are already barred (from otherwise large blocks) because of strange things happening within them. eg it's unlikely anyone will be issued with 1.2.3.0-1.2.3.255 as a result of it containing 1.2.3.4 which is a spurious traffic magnet for obvious reasons. Current Newzbin.com as viewed from here is on a block of addresses in Sweden. The first question to consider is whether the *ISP* which is Netcamp AB (aka Availio), is likely to reallocate the IP addresses to anyone else, as they are sure to know the provenance, let alone someone buying the /19 (8k addresses) block off Netcamp and subsequently assigning a totally random other user that address. And even then, it would quickly become apparent that there was something amiss, this is bread and butter down at the NOC. Elsewhere, Newzbin have eight IP addresses (from a /14 block of 256k) via Easynet. Same arguments apply. Of course, if the website were available on ipv6 this would be a non-discussion, as re-use is extremely unlikely. ps I wonder if Cleanfeed etc are ipv6 enabled yet? -- Roland Perry From james2 at jfirth.net Thu Dec 15 17:17:18 2011 From: james2 at jfirth.net (James Firth) Date: Thu, 15 Dec 2011 17:17:18 -0000 Subject: Sky blocks Newzbin, important legal and technical questions need answering In-Reply-To: <20111215171203.GG79276@davros.org> References: <00d801ccbb46$475920b0$d60b6210$@net> <20111215164335.GB79276@davros.org> <001401ccbb4a$2c5f2a30$851d7e90$@net> <20111215165923.GF79276@davros.org> <001701ccbb4c$34089cb0$9c19d610$@net> <20111215171203.GG79276@davros.org> Message-ID: <001a01ccbb4d$67a62780$36f27680$@net> > Not my point, but I agree it was a good one. Sorry Francis, and thanks for chipping in. From james2 at jfirth.net Thu Dec 15 17:23:07 2011 From: james2 at jfirth.net (James Firth) Date: Thu, 15 Dec 2011 17:23:07 -0000 Subject: Sky blocks Newzbin, important legal and technical questions need answering In-Reply-To: References: <00d801ccbb46$475920b0$d60b6210$@net> Message-ID: <001d01ccbb4e$37881490$a6983db0$@net> Igor Mozolevsky wrote: > This is rather surprising especially given that just recently in > Scarlet v. SABAM ECJ said that there is nothing to suggest that IP > rights must be absolutely protected (at [43]) and a fair balance > between other rights and interests must be struck (at [45,46]). Opinions of two senior practicing lawyers would not agree with you there, although I got them to divulge opinion on condition I would not attribute it. The SABAM case is fundamentally different, in that monitoring of traffic is a central part of the blocking order. In Newzbin it's secondary - to check URLs, an action which could be seen as minimising the risk of "overblocking". Arnold J said this explicity, more or less, in his October ruling (6 from memory). All the issues of proportionality and compatibility have been addressed by Arnold, J. Another judge might come to a different conclusion but the thinking I'm hearing is that Newzbin will not be affected SABAM. If anyone wants to pay us to get a formal legal opinion we're accepting donations ;-) James From james2 at jfirth.net Thu Dec 15 17:27:26 2011 From: james2 at jfirth.net (James Firth) Date: Thu, 15 Dec 2011 17:27:26 -0000 Subject: Sky blocks Newzbin, important legal and technical questions need answering In-Reply-To: References: <00d801ccbb46$475920b0$d60b6210$@net> Message-ID: <002001ccbb4e$d1a13cf0$74e3b6d0$@net> Roland Perry wrote: > Current Newzbin.com as viewed from here is on a block of addresses in > Sweden. > Elsewhere, Newzbin have eight IP addresses (from a /14 block of 256k) > via Easynet. Same arguments apply. And the sites "whose sole or predominant purpose is to enable or facilitate access to the Newzbin[2] website" (para 10, October ruling)? It is these sites I'm really worried about. Newzbin, apparently, have developed a client capable of bypassing blocks. Any site set up e.g. for the purpose of distributing this client could find themselves blocked. Surely these are far more likely to be pushed out via more transient hosting arrangements, and herein lies a very real risk of recycling and over-blocking. James From wendyg at pelicancrossing.net Thu Dec 15 17:35:09 2011 From: wendyg at pelicancrossing.net (Wendy M. Grossman) Date: Thu, 15 Dec 2011 12:35:09 -0500 Subject: Sky blocks Newzbin, important legal and technical questions need answering In-Reply-To: <002001ccbb4e$d1a13cf0$74e3b6d0$@net> References: <00d801ccbb46$475920b0$d60b6210$@net> <002001ccbb4e$d1a13cf0$74e3b6d0$@net> Message-ID: <4EEA2FCD.3010006@pelicancrossing.net> On 12/15/2011 12:27 PM, James Firth wrote: > Roland Perry wrote: > >> Current Newzbin.com as viewed from here is on a block of addresses in >> Sweden. > >> Elsewhere, Newzbin have eight IP addresses (from a /14 block of 256k) >> via Easynet. Same arguments apply. > > And the sites "whose sole or predominant purpose is to enable or facilitate > access to the Newzbin[2] website" (para 10, October ruling)? > > It is these sites I'm really worried about. Newzbin, apparently, have > developed a client capable of bypassing blocks. Any site set up e.g. for > the purpose of distributing this client could find themselves blocked. > Surely these are far more likely to be pushed out via more transient hosting > arrangements, and herein lies a very real risk of recycling and > over-blocking. I wonder if it would be worth invoking the history of Scienteology vs the Net here. (Wired, 1995 - alt./scientology.war) The UK could easily find itself re-enacting the business of Scientology critics posting the "sikrit documents" at randomly changing IP addresses. Granted, the way you found the docs was through a mini-search engine at a stable location, but there are so many more ways now to broadcast the day's - hour's - IP address (even if you shut down Twitter accounts good luck shutting down a Twitter hashtag). Does the UK govt want to look as stupid and be as jeered and mocked as Scientology did/was? wg -- www.pelicancrossing.net <-- all about me Twitter: @wendyg From fjmd1a at gmail.com Thu Dec 15 17:46:21 2011 From: fjmd1a at gmail.com (Francis Davey) Date: Thu, 15 Dec 2011 17:46:21 +0000 Subject: Sky blocks Newzbin, important legal and technical questions need answering In-Reply-To: <001d01ccbb4e$37881490$a6983db0$@net> References: <00d801ccbb46$475920b0$d60b6210$@net> <001d01ccbb4e$37881490$a6983db0$@net> Message-ID: 2011/12/15 James Firth : > (apologies for poor quoting) > The SABAM case is fundamentally different, in that monitoring of traffic is a central part of the blocking order. ?In Newzbin it's secondary - to check URLs, an action which could be seen as minimising the risk of "overblocking". ?Arnold J said this explicity, more or less, in his October ruling (6 from memory). > That's right the Scarlet Extended case involved an indefinite (in time) requirement for the ISP to use fairly expensive software on *all* traffic to examine the contents of that traffic. That is very considerably more awful than the Newzbin block where: - BT's evidence was that it would cost a few thousand pounds to implement - most packets are unexamined - packets going to specific IP addresses are sent through the Cleanfeed proxy and then only the requested URL is inspected As for the costs of the hearing, I think Richard Arnold was wrong to ask each party to bear its own costs for the final part of the proceedings - really sorting out the form of order. It seems to me that might be interpreted as a precedent that will cost ISP's at least their own costs for dickering over the details of the order. And *that* is where all the difficulty is. Trust me one of the most important and difficult (and also fun) parts of injunction hearings is the wording of the order. Here there is no practice direction standard, so its a blank sheet of paper. And the order itself is pretty poor. Any lawyer's heart should sink at having to begin a line "for the avoidance of doubt". That's almost as bad as putting assert()'s all over your code. There is also no clear way to review what is on the list. > > If anyone wants to pay us to get a formal legal opinion we're accepting donations ;-) > Out of interest, who is "us"? -- Francis Davey From mozolevsky at gmail.com Thu Dec 15 17:59:36 2011 From: mozolevsky at gmail.com (Igor Mozolevsky) Date: Thu, 15 Dec 2011 17:59:36 +0000 Subject: Sky blocks Newzbin, important legal and technical questions need answering In-Reply-To: <00d801ccbb46$475920b0$d60b6210$@net> References: <00d801ccbb46$475920b0$d60b6210$@net> Message-ID: Another thing that comes to mind is that Sky's internet business is really an extension of Sky's satellite entertainment business so making too much fuss may be viewed shooting self in the foot (exclusives with the American studios &c)... Igor From blindcyclistsunion at gmail.com Thu Dec 15 17:04:38 2011 From: blindcyclistsunion at gmail.com (blindcyclistsunion) Date: Thu, 15 Dec 2011 17:04:38 +0000 Subject: GCHQ _Can you crack it? In-Reply-To: <001501ccb898$09483a50$1bd8aef0$@net> References: <001501ccb898$09483a50$1bd8aef0$@net> Message-ID: <46134680-54E3-4BBD-9C1F-0D568E66F6E3@gmail.com> On 12 Dec 2011, at 06:34, James Firth wrote: > The competition, reportedly a recruitment drive, at canyoucrackit.co.uk was > meant to close at midnight last night. > > Did anyone try solve it? Turns out not crypto knowledge required - but a > lot of computer science/software engineering is involved: Tried, and indeed succeeded. And what fun it was! However, as I come to write bits of it up, I'm looking at a bit of the disassembly listing from the first stage, which for the most part looks exactly like an RC4 stream cipher implementation, but for just one thing : 80480c3: inc al ;; i = ( i+1 ) 80480c5: add bl,BYTE PTR [esi+eax*1] ;; j = ( j + S[i] ) 80480c8: mov dl,BYTE PTR [esi+eax*1] ;; 80480cb: mov dh,BYTE PTR [esi+ebx*1] ;; swap S[i] and S[j] 80480ce: mov BYTE PTR [esi+eax*1],dh ;; 80480d1: mov BYTE PTR [esi+ebx*1],dl ;; 80480d4: add dl,dh ;; t = (S[i]+S[j]) 80480d6: xor dh,dh 80480d8: mov bl,BYTE PTR [esi+edx*1] ;; Should be : K = S[t] ;; Actually : j = S[t] ;; Since S[t] is stored ;; in bl which is used ;; as j above. 80480db: mov dl,BYTE PTR [edi] 80480dd: xor dl,bl ;; xor to get plain 80480df: mov BYTE PTR [edi],dl ;; write plain text byte 80480e1: inc edi 80480e2: dec ecx 80480e3: jne 80480c3 ( also at https://gist.github.com/1481580) Key scheduling is per the description given in Applied Cryptography, but in the actual stream part, j seems to be set equal to K at the end of each iteration. Most likely, this program was hand coded in assembler, so it may well be a mistake. Unfortunately, my 'mad crypto skillz' don't quite yet stretch to working out what, if any, deleterious effect this will have on the resulting stream, other than to render it different to reference implementations of RC4. Certainly once we have run through a single iteration, we then know what j is at the top of the algo, but past they I am, as yet, a bit stumped. Certainly appreciate any comments from crypto boffins, even (perhaps especially) if it's just : "it's just broken, now stop playing with it and do something useful". BTW, on the off chance that this does introduce a weakness, I'd appreciate it if no one tells me what it actually is, rather spoils the fun :-) @blindcyclists From lists at internetpolicyagency.com Thu Dec 15 19:03:06 2011 From: lists at internetpolicyagency.com (Roland Perry) Date: Thu, 15 Dec 2011 19:03:06 +0000 Subject: Sky blocks Newzbin, important legal and technical questions need answering In-Reply-To: <002001ccbb4e$d1a13cf0$74e3b6d0$@net> References: <00d801ccbb46$475920b0$d60b6210$@net> <002001ccbb4e$d1a13cf0$74e3b6d0$@net> Message-ID: In article <002001ccbb4e$d1a13cf0$74e3b6d0$@net>, James Firth writes >> Current Newzbin.com as viewed from here is on a block of addresses in >> Sweden. > >> Elsewhere, Newzbin have eight IP addresses (from a /14 block of 256k) >> via Easynet. Same arguments apply. > >And the sites "whose sole or predominant purpose is to enable or facilitate >access to the Newzbin[2] website" (para 10, October ruling)? > >It is these sites I'm really worried about. Newzbin, apparently, have >developed a client capable of bypassing blocks. Any site set up e.g. for >the purpose of distributing this client could find themselves blocked. >Surely these are far more likely to be pushed out via more transient hosting >arrangements, and herein lies a very real risk of recycling and >over-blocking. I was attempting to address the "recycling" issue, which I think isn't a huge problem. There are thousands of spammers whose addresses have been blocked one way or another over the last decade or more, and that hasn't yet shown up as a recycling problem. There are occasional "issues", but they get resolved. -- Roland Perry From james2 at jfirth.net Thu Dec 15 20:11:07 2011 From: james2 at jfirth.net (James Firth) Date: Thu, 15 Dec 2011 20:11:07 -0000 Subject: Sky blocks Newzbin, important legal and technical questions need answering In-Reply-To: References: <00d801ccbb46$475920b0$d60b6210$@net> <001d01ccbb4e$37881490$a6983db0$@net> Message-ID: <000c01ccbb65$ae958fb0$0bc0af10$@net> Francis Davey wrote: > Out of interest, who is "us"? Open Digital; but it was, to be honest, mostly a flippant remark. I have had some valuable advice already, it was just the people advising weren't happy to go on the record unless I paid for a more thorough analysis. Also this really is a case where one would expect the remaining ISPs, or indeed ISPA as previously noted, to take the lead in a formal capacity; leaving us noisy bloggers to pull together threads and stir a few pots. James From mozolevsky at gmail.com Thu Dec 15 21:35:24 2011 From: mozolevsky at gmail.com (Igor Mozolevsky) Date: Thu, 15 Dec 2011 21:35:24 +0000 Subject: Sky blocks Newzbin, important legal and technical questions need answering In-Reply-To: <001d01ccbb4e$37881490$a6983db0$@net> References: <00d801ccbb46$475920b0$d60b6210$@net> <001d01ccbb4e$37881490$a6983db0$@net> Message-ID: On 15 December 2011 17:23, James Firth wrote: > Opinions of two senior practicing lawyers would not agree with you there... So what? I'm sure BT and the others had opinions of senior practicing lawyers that differed from the opinions of senior practicing lawyers that MPAA had... > The SABAM case is fundamentally different, in that monitoring of traffic > is a central part of the blocking order. ?In Newzbin it's secondary - to check > URLs, an action which could be seen as minimising the risk of "overblocking". >?Arnold J said this explicity, more or less, in his October ruling (6 from memory). Given that ECJ deals with the interpretation of law and not application of that law to the facts of a particular case, fundamentally different facts aren't as important as the meaning of the law, so long as that law is applicable. Applying the structure set out at [38] in the ECJ judgment (unless I fundamentally misunderstand how Cleanfeed works) to what the ISP is required to do is this: 1. Identify, within all of the electronic communications of all its customers, the packets relating to HTTP; 2. Identify, within that traffic, the URLs supplied by the Applicants (MPAA); and 3. Block access to those URLs. I don't think that it matters whether 2&3 are done by the ISP or on ISP's behalf by a third party. I don't see how an ISP would know whether to pass a well-formed HTTP session to Cleanfeed without a general catch-all filtering first. HTTP vs P2P argument makes no difference either: in both cases you need to actively and indiscriminately monitor the network layer and based on that monitor the application layer to decide whether to block content or not. Or is that not how Cleanfeed works? Would this amount to interception or surveillance under Directive 2000/31? Further, the BT injunction is not limited in time either, is it? > All the issues of proportionality and compatibility have been addressed by > Arnold, J. ?Another judge might come to a different conclusion but the thinking > I'm hearing is that Newzbin will not be affected SABAM. The three paragraphs that address the proportionality are very thin and appear to be based on the fact that the cost to BT would not be too high since BT already used Cleanfeed. Although to me, it seems bizarre that the judge made explicit references to Cleanfeed in the order (whereby arguably showing judicial endorsement), instead of a generic blocking mechanism... The judge made no assessment of the rights of privacy of BT's users as a whole, merely he was "satisfied" that the curtailing of Art. 10 rights was proportionate. For example, I wouldn't be surprised if Cleanfeed logs every referral regardless of whether that referral is subsequently blocked. Surely the more appropriate and proportionate course of action in the BT case would have been for the MPAA to seek an order against the upstream ISP of Newzbin, as the latter would be more effective, involve a direct action against the wrong-doer and not unnecessarily burden intermediaries? -- Igor M. From fjmd1a at gmail.com Thu Dec 15 22:11:09 2011 From: fjmd1a at gmail.com (Francis Davey) Date: Thu, 15 Dec 2011 22:11:09 +0000 Subject: Sky blocks Newzbin, important legal and technical questions need answering In-Reply-To: References: <00d801ccbb46$475920b0$d60b6210$@net> <001d01ccbb4e$37881490$a6983db0$@net> Message-ID: 2011/12/15 Igor Mozolevsky : > > 1. Identify, within all of the electronic communications of all its > customers, the packets relating to HTTP; > 2. Identify, within that traffic, the URLs supplied by the Applicants > (MPAA); and > 3. Block access to those URLs. No, that's not how it works (as I understand anyway). First there is a filter on IP addresses, then those that match the IP list are passed through to a proxy that filters on specific URLs. Sure, that is a general filter, but only on IP address, which the ISP needs to know anyway for routing purposes. > > Would this amount to interception or surveillance under Directive 2000/31? > Seems unlikely given that its authorised by court order. > Further, the BT injunction is not limited in time either, is it? > Yes - though there is liberty to apply if circumstances change (and third parties have a right to apply for variation if they are affected). > > The three paragraphs that address the proportionality are very thin > and appear to be based on the fact that the cost to BT would not be > too high since BT already used Cleanfeed. Although to me, it seems > bizarre that the judge made explicit references to Cleanfeed in the > order (whereby arguably showing judicial endorsement), instead of a No, that's entirely understandable. The preference is for court orders to be as clear as possible and, in particular, for it to be clear what the person targeted by the order must do. Tying the order to a particular technology makes it easy for BT to know what to do in compliance. > generic blocking mechanism... The judge made no assessment of the > rights of privacy of BT's users as a whole, merely he was "satisfied" > that the curtailing of Art. 10 rights was proportionate. For example, > I wouldn't be surprised if Cleanfeed logs every referral regardless of > whether that referral is subsequently blocked. Hmmmm. BT almost certainly have to log traffic data and then have to destroy it after a fixed period of time under the data retention directive. I'm not sure what Cleanfeed logs or may lawfully log. This is where Richard Clayton would be useful to us. > > Surely the more appropriate and proportionate course of action in the > BT case would have been for the MPAA to seek an order against the > upstream ISP of Newzbin, as the latter would be more effective, > involve a direct action against the wrong-doer and not unnecessarily > burden intermediaries? Well, courts do not usually second guess a property owner's choice of enforcement mechanism. From the point of view of the court it has to decide whether to make a s97A injunction or not. There are obviously other problems with going after upstream ISP's. All moot though since https appears to get around the block (if not, I'd be interested to know, I'm taking a particularly keen interest in website blocking at the moment). -- Francis Davey From mozolevsky at gmail.com Thu Dec 15 23:04:19 2011 From: mozolevsky at gmail.com (Igor Mozolevsky) Date: Thu, 15 Dec 2011 23:04:19 +0000 Subject: Sky blocks Newzbin, important legal and technical questions need answering In-Reply-To: References: <00d801ccbb46$475920b0$d60b6210$@net> <001d01ccbb4e$37881490$a6983db0$@net> Message-ID: On 15 December 2011 22:11, Francis Davey wrote: > 2011/12/15 Igor Mozolevsky : >> >> 1. Identify, within all of the electronic communications of all its >> customers, the packets relating to HTTP; >> 2. Identify, within that traffic, the URLs supplied by the Applicants >> (MPAA); and >> 3. Block access to those URLs. > > No, that's not how it works (as I understand anyway). First there is a > filter on IP addresses, then those that match the IP list are passed > through to a proxy that filters on specific URLs. But you can't `know' what IP addresses you need to filter without looking at all address+port pairs (you certainly wouldn't pass non HTTP traffic to an HTTP proxy, for example), having done that, you pass those packets that match criteria to the proxy to do packet assembly (remember that packets may be fragmented, out of order, or corrupt) followed by application layer inspection (looking through HTTP headers like GET and Host:). Like I said, I think it makes no difference if 2 & 3 are outsourced to be performed on behalf of cf. the ISP itself. > Sure, that is a general filter, but only on IP address, which the ISP > needs to know anyway for routing purposes. The situation is different with routing: you only look at IP addresses, you don't care what order packets come in or go out >> Would this amount to interception or surveillance under Directive 2000/31? >> > Seems unlikely given that its authorised by court order. I was thinking of Sky's situation here, the order is only against the BT, right? >> The three paragraphs that address the proportionality are very thin >> and appear to be based on the fact that the cost to BT would not be >> too high since BT already used Cleanfeed. Although to me, it seems >> bizarre that the judge made explicit references to Cleanfeed in the >> order (whereby arguably showing judicial endorsement), instead of a > > No, that's entirely understandable. The preference is for court orders > to be as clear as possible and, in particular, for it to be clear what > the person targeted by the order must do. Tying the order to a > particular technology makes it easy for BT to know what to do in > compliance. I see what you are saying, but the judicial feature creep into the function of a private entity that was set up, apparently, solely for the purpose of filtering child porn and membership in which is entirely voluntary seem strange. A few more features and I'm guessing people will start arguing that IWF is a `Datafin' public authority ;-) If IWF was created by statute then that would be different, of course... Also, I'm not entirely certain that if the order only applies to BT, Cleanfeed could/would only perform the block on BT traffic... [snip] > ... https appears to get around the block (if not, > I'd be interested to know, I'm taking a particularly keen interest in > website blocking at the moment). You could potentially collude with "trusted" CAs to provide fake SSL certs for the purpose of filtering illegal content... Whether CAs would do that or not is a separate issue... The idea of blocking sites, at least technically, is rather naive and only serves to drive illegal activity from being detectable and actionable to underground by extension in-actionable. -- Igor M. From fjmd1a at gmail.com Thu Dec 15 23:17:06 2011 From: fjmd1a at gmail.com (Francis Davey) Date: Thu, 15 Dec 2011 23:17:06 +0000 Subject: Sky blocks Newzbin, important legal and technical questions need answering In-Reply-To: References: <00d801ccbb46$475920b0$d60b6210$@net> <001d01ccbb4e$37881490$a6983db0$@net> Message-ID: 2011/12/15 Igor Mozolevsky : > > But you can't `know' what IP addresses you need to filter without > looking at all address+port pairs (you certainly wouldn't pass non As I understand it, Cleanfeed work by having a first list of "suspect" IP addresses. Only those addresses are passed to the second stage. That is a process which is implicit in the order as I understand it - i.e. the MPAA will have to pass an IP list with suspect URL's associated. > HTTP traffic to an HTTP proxy, for example), having done that, you > pass those packets that match criteria to the proxy to do packet > assembly (remember that packets may be fragmented, ?out of order, or > corrupt) followed by application layer inspection (looking through > HTTP headers like GET and Host:). Like I said, I think it makes no > difference if 2 & 3 are outsourced to be performed on behalf of cf. > the ISP itself. Right, but from a legal perspective, proxying http by looking at GET requests is much less invasive than matching on the body of the return http result. Sure, *private* information travels in GET etc requests (I doubt very much if this is properly understood by the legal establishment yet, but I try to get the message out when I'm giving talks about it) but I assume that only very simple URL's will be in the list supplied to BT by the order. The open-ended nature and lack of supervision are bigger problems. > > I was thinking of Sky's situation here, the order is only against the BT, right? > The order I was talking about, yes. I understand that Sky has received another. I don't know what's in it. If anyone cares to dig it out of the Court Service, that will be excellent. > > I see what you are saying, but the judicial feature creep into the > function of a private entity that was set up, apparently, solely for > the purpose of filtering child porn and membership in which is > entirely voluntary seem strange. A few more features and I'm guessing > people will start arguing that IWF is a `Datafin' public authority ;-) I'm sure the IWF is a datafin public authority, but the IWF have nothing to do with this order. Cleanfeed is a mechanism that can be used to implement an IWF block, but its not mandated. > If IWF was created by statute then that would be different, of > course... Also, I'm not entirely certain that if the order only > applies to BT, Cleanfeed could/would only perform the block on BT > traffic... This is an RTFM right? The wording of the order is: "In respect of its customers to whose internet service the system known as Cleanfeed is applied whether optionally or otherwise ...". If you read the body of the judgment you'll see that BT apply Cleanfeed to some of their traffic but not to all of it. The order requires the block to be used exactly where Cleanfeed is. All of that traffic is "BT traffic" because the order is directed at BT and no-one else, but of course some of that traffic might "belong" to others in some sense. i.e. its not just BT Home customers. > > You could potentially collude with "trusted" CAs to provide fake SSL > certs for the purpose of filtering illegal content... Whether CAs Yes, indeed. Though that would open another can of worms. > would do that or not is a separate issue... The idea of blocking > sites, at least technically, is rather naive and only serves to drive > illegal activity from being detectable and actionable to underground > by extension in-actionable. Oh yes. Its an insane idea. It all is. I'm afraid I don't have the expertise to dissuade policy makers from mad ideas. All I can do is tell people what certain laws will do (and try to persuade judges to make them do that). -- Francis Davey From mozolevsky at gmail.com Fri Dec 16 00:20:03 2011 From: mozolevsky at gmail.com (Igor Mozolevsky) Date: Fri, 16 Dec 2011 00:20:03 +0000 Subject: Sky blocks Newzbin, important legal and technical questions need answering In-Reply-To: References: <00d801ccbb46$475920b0$d60b6210$@net> <001d01ccbb4e$37881490$a6983db0$@net>

Message-ID: On 15 December 2011 23:17, Francis Davey wrote: >> But you can't `know' what IP addresses you need to filter without >> looking at all address+port pairs (you certainly wouldn't pass non > > As I understand it, Cleanfeed work by having a first list of "suspect" > IP addresses. Only those addresses are passed to the second stage. > That is a process which is implicit in the order as I understand it - > i.e. the MPAA will have to pass an IP list with suspect URL's > associated. [snip] > Right, but from a legal perspective, proxying http by looking at GET > requests is much less invasive than matching on the body of the return > http result. Sure, *private* information travels in GET etc requests > (I doubt very much if this is properly understood by the legal > establishment yet, but I try to get the message out when I'm giving > talks about it) but I assume that only very simple URL's will be in > the list supplied to BT by the order. I think we better take this offline, I was trying to put what was necessary for BT to do in terms that ECJ put it in Scarlet. You seem to be saying that because Cleanfeed doesn't look at what is sent and received as a whole, but only at a proportion of what is sent, is less invasive? > I'm sure the IWF is a datafin public authority, but the IWF have > nothing to do with this order. Cleanfeed is a mechanism that can be > used to implement an IWF block, but its not mandated. Indeed, for some reason I was under the impression that IWF was running Cleanfeed, it appears that they only provide `filtering pattern'. In a sense then, BT appears to be already prejudiced by the fact that they had _some_ content filtering and this order was nothing more than a feature creep into BT's internal system. > This is an RTFM right? The wording of the order is: > > "In respect of its customers to whose internet service the system > known as Cleanfeed is applied whether optionally or otherwise ...". If > you read the body of the judgment you'll see that BT apply Cleanfeed > to some of their traffic but not to all of it. The order requires the > block to be used exactly where Cleanfeed is. That's how I read it, just was wondering about customers of customers of BT, if you see what I mean (ISPs who piggy-back their service off BT wholesale, for example), and incidental traffic to which BT chooses to apply Cleanfeed. I have no idea about how Cleanfeed is applied by BT, btw. Can one freely (not as in beer) find out if their connection to the Internet is subject to Cleanfeed? -- Igor From fjmd1a at gmail.com Fri Dec 16 08:21:41 2011 From: fjmd1a at gmail.com (Francis Davey) Date: Fri, 16 Dec 2011 08:21:41 +0000 Subject: Sky blocks Newzbin, important legal and technical questions need answering In-Reply-To: References: <00d801ccbb46$475920b0$d60b6210$@net> <001d01ccbb4e$37881490$a6983db0$@net>

Message-ID: 2011/12/16 Igor Mozolevsky : > > I think we better take this offline, I was trying to put what was > necessary for BT to do in terms that ECJ put it in Scarlet. You seem > to be saying that because Cleanfeed doesn't look at what is sent and > received as a whole, but only at a proportion of what is sent, is less > invasive? I think at least that a court would find it less invasive. In its current incarnation its not going to be looking at the content of what is being transmitted, nor to interfere with what is transmitted on the basis of that content. Scarlet is different. There the ISP would be looking at every image or sound file that you sent and would make automatic decisions on the basis of content, notwithstanding that it can't know whether you are using the material lawfully or not. Other factors came into play such as expense and interference. Audible Magic is going to slow things down a lot more than IP re-routing + occasional blocking. > > Indeed, for some reason I was under the impression that IWF was > running Cleanfeed, it appears that they only provide `filtering > pattern'. In a sense then, BT appears to be already prejudiced by the > fact that they had _some_ content filtering and this order was nothing > more than a feature creep into BT's internal system. Yes. That was a big factor. TalkTalk don't run Cleanfeed (for instance) and that may affect the nature of any order against them. Already having a blocking system built-in makes a big difference. > > That's how I read it, just was wondering about customers of customers > of BT, if you see what I mean (ISPs who piggy-back their service off > BT wholesale, for example), and incidental traffic to which BT chooses > to apply Cleanfeed. I have no idea about how Cleanfeed is applied by > BT, btw. Can one freely (not as in beer) find out if their connection > to the Internet is subject to Cleanfeed? > From james2 at jfirth.net Fri Dec 16 08:24:04 2011 From: james2 at jfirth.net (James Firth) Date: Fri, 16 Dec 2011 08:24:04 -0000 Subject: Sky blocks Newzbin, important legal and technical questions need answering In-Reply-To: References: <00d801ccbb46$475920b0$d60b6210$@net> <002001ccbb4e$d1a13cf0$74e3b6d0$@net> Message-ID: <003601ccbbcc$135fcdf0$3a1f69d0$@net> Roland Perry wrote: > I was attempting to address the "recycling" issue, which I think isn't > a > huge problem. On the contrary. The analogy you make to spam blocking doesn't hold because the IP addresses covered by this order aren't well known (a point Francis Davey made earlier). Also IP blacklisting services all provide a removal mechanism. From igb at batten.eu.org Fri Dec 16 11:12:16 2011 From: igb at batten.eu.org (Ian Batten) Date: Fri, 16 Dec 2011 11:12:16 +0000 Subject: Sky blocks Newzbin, important legal and technical questions need answering In-Reply-To: References: <00d801ccbb46$475920b0$d60b6210$@net> Message-ID: Roland writes: > Of course, if the website were available on ipv6 this would be a non-discussion, as re-use is extremely unlikely. > > ps I wonder if Cleanfeed etc are ipv6 enabled yet? Several pieces of entertainment spring to mind. Firstly, as of today, there are very few residential and SME customers within the reach of UK courts who have "native" IPv6. There are a larger, but still small, set of people who have IPv6 via a tunnel broker. Were Newsbin to set up shop on IPv6, blocking access would involve not only blocking IPv6, but also doing DPI into tunnel traffic to block tunnelled IPv6. I can imagine that being redolent with legal problems, because the tunnel broker, to whom the traffic is addresses at the IPv4 layer, is not a party to the action and is almost certainly not a UK company. If one of the tunnel brokers fancied a ruck, they could then offer IPSec, stand back, and watch the fun. Secondly, imagine for the sake of argument someone plans to run an IPv6 hosting service (I'm sure they exist, but I've not seen one yet). The standard allocation for an IPv6 residential or small business customer is a /64, because 2^64 IP addresses is enough for most households and you only need a larger allocation if you're planning to run multiple networks. But that's not because anyone expects home users to user 2^64 addresses, it's just that it's a good fit with with EUI64 auto-configuration [1]. But there are some privacy concerns about that, and randomly generating IPv6 addresses is perfectly legitimate too [2]. However, there's no reason for a small hosting company to allocate each customer a /64, and equally there's nothing in the standards stopping an IPv6 endpoint changing its address very quickly. There's a proposal using this designed to make DoS attacks on VPN servers difficult [3] So if I'm told by my hosting provider to "sit in that /64 and play nicely with the other children", I've got a lot of options, none of them nice for the blocking systems. I can change my IPv6 address every minute and rely on the DNS to keep up. If a client connects, I keep that address on the interface (but not in the DNS) until the connection completes. That requires the blocker to continuously poll my DNS, and it wouldn't be hard for me to escalate that arms race by blocking requests from any client that queries too frequently. But more entertainingly, and ob.crypto, I can share with all my friends a key, and then generate IPv6 addresses by taking that key, combining it with the time and using 64 bits of that as my IPv6 address (with the same caveat as above about keeping in-use addresses live). Given time-sync +/- 20ms is hardly difficult today, I could flux my IPv6 addresses every few hundred milliseconds, provided I keep a window of n+1, n and n-1 in use. . Occasionally I'll collide with someone else in the data centre, but assuming there are a million other customers (which is unlikely) and I switch my address every 100ms I will collide with one of them once in fifty thousand years, which seems a reasonable interval of time to tolerate 100ms's traffic loss. The blocker then has to block and cleanfeed-proxy the entire /64 which, assuming there's at least one co-lo customer in the same /64 using https, is going to be massively disruptive. The requirement to keep old addresses that have active clients on them in user can be removed by a bit of outbound NAT on the clients which is hardly difficult to sketch out, and of course the same module can flux the outbound address from the client at the same rate (although only within the client's /64, of course). Frequency-agile IPv6 communications, with blocking entire /64s the only option for the blocker. Fun for all the family. ian [1] put your 64 bit prefix in the top 64 bits, put a simple transformation of your MAC address in the bottom 64 bits then do some magic if by some ill-chance you've got duplicate MAC addresses on your home network. [2] take the 64 bit prefix, then generate the next 64 bits (ish) randomly, and then try against if by some incredible ill-chance you collide with someone else (that's a grotesque simplification of RFC4941). [3] http://vtip.org/availableTech/technology.php?id=418423 From passiveprofits at yahoo.com Fri Dec 16 09:31:13 2011 From: passiveprofits at yahoo.com (Passive PROFITS) Date: Fri, 16 Dec 2011 01:31:13 -0800 (PST) Subject: Sky blocks Newzbin, important legal and technical questions need answering In-Reply-To: <000c01ccbb65$ae958fb0$0bc0af10$@net> References: <00d801ccbb46$475920b0$d60b6210$@net> <001d01ccbb4e$37881490$a6983db0$@net> <000c01ccbb65$ae958fb0$0bc0af10$@net> Message-ID: <1324027873.62905.YahooMailNeo@web125702.mail.ne1.yahoo.com> http://www.occupydrones.com/p/global-occupydrones-swarm-targeting.html ? Whilst some refuse to talk ... and try to get elected to govern; some build democracy.? As it's just been 'got' by GlobalRevolutionLive 5 min ago (by accident) ... Give it a spin At least John Young & another kind soul gave some support.? I hope these ideas also find some support in this place, even if not with your self Mr Firth. Best, PP "The man who owns a slave, or lives by exploiting others, whether slave or not, is not himself a free man. He is a man who must look over his shoulder all the time, in fear. True freedom lies in a deep concern for the freedom of others, and if this is accepted it should make every man, out of pure selfishness, the ardent devotee of the freedom of his neighbor." -Leonard Wibberly, 1776 - And All That (1975), p. 72. ________________________________ From: James Firth To: 'UK Cryptography Policy Discussion Group' Sent: Thursday, December 15, 2011 8:11 PM Subject: RE: Sky blocks Newzbin, important legal and technical questions need answering Francis Davey wrote: > Out of interest, who is "us"? Open Digital; but it was, to be honest, mostly a flippant remark.? I have had some valuable advice already, it was just the people advising weren't happy to go on the record unless I paid for a more thorough analysis. Also this really is a case where one would expect the remaining ISPs, or indeed ISPA as previously noted, to take the lead in a formal capacity; leaving us noisy bloggers to pull together threads and stir a few pots. James -------------- next part -------------- An HTML attachment was scrubbed... URL: From mozolevsky at gmail.com Fri Dec 16 11:52:51 2011 From: mozolevsky at gmail.com (Igor Mozolevsky) Date: Fri, 16 Dec 2011 11:52:51 +0000 Subject: Sky blocks Newzbin, important legal and technical questions need answering In-Reply-To: References: <00d801ccbb46$475920b0$d60b6210$@net> <001d01ccbb4e$37881490$a6983db0$@net>

Message-ID: On 16 December 2011 08:21, Francis Davey wrote: > 2011/12/16 Igor Mozolevsky : >> >> I think we better take this offline, I was trying to put what was >> necessary for BT to do in terms that ECJ put it in Scarlet. You seem >> to be saying that because Cleanfeed doesn't look at what is sent and >> received as a whole, but only at a proportion of what is sent, is less >> invasive? > > I think at least that a court would find it less invasive. In its > current incarnation its not going to be looking at the content of what > is being transmitted, nor to interfere with what is transmitted on the > basis of that content. Scarlet is different. From lists at internetpolicyagency.com Fri Dec 16 11:59:38 2011 From: lists at internetpolicyagency.com (Roland Perry) Date: Fri, 16 Dec 2011 11:59:38 +0000 Subject: Sky blocks Newzbin, important legal and technical questions need answering In-Reply-To: <003601ccbbcc$135fcdf0$3a1f69d0$@net> References: <00d801ccbb46$475920b0$d60b6210$@net> <002001ccbb4e$d1a13cf0$74e3b6d0$@net> <003601ccbbcc$135fcdf0$3a1f69d0$@net> Message-ID: In article <003601ccbbcc$135fcdf0$3a1f69d0$@net>, James Firth writes >How would one go about writing to the rights holders or the High Court to >tell the ISPs to remove IP addresses no longer being used for the "sole or >predominant purpose" of providing access to Newzbin? It would be helpful if part of the court order process put an obligation upon the ISPs doing the blocking to periodically inspect the [Regional] IP registry entries of the number ranges in question to determine if they have been de-allocated from the original holder, which is an inevitable consequence of any transfer. >When we have a dozen sites covered by injunctions, a hundred or so "primary" >IP addresses and URLs, perhaps a thousand "facilitator" sites and >injunctions covering 9 ISPs each managing their own lists under instruction >from rights holders... I can't see this ending well at all. There isn't such a shortage of IP addresses that a few thousand (or even tens of thousand) put into quarantine makes much difference. There are hundreds of millions of addresses squirreled away for other reasons that need to be mopped up first. -- Roland Perry From james2 at jfirth.net Fri Dec 16 12:46:39 2011 From: james2 at jfirth.net (James Firth) Date: Fri, 16 Dec 2011 12:46:39 -0000 Subject: Sky blocks Newzbin, important legal and technical questions need answering In-Reply-To: References: <00d801ccbb46$475920b0$d60b6210$@net>

Message-ID: <006d01ccbbf0$c25b72e0$471258a0$@net> Ian Batten wrote: > ... there's no reason for a small hosting company to allocate each > customer a /64 ... AFAIU there is. RFC2373 reserves those bits for interface identifiers (obviously a privacy nightmare) and RIPE IPv6 Address Allocation and Assignment Policy (ss5.4.1) states "The size of the assignment is a local decision for the LIR or ISP to make, using a minimum value of a /64 (only one subnet is anticipated for the End Site)." Therefore it would be reasonable for any network blocking of IPv6 to block with a mask of /64. > Frequency-agile IPv6 > communications, with blocking entire /64s the only option for the > blocker. Fun for all the family. See above. James Firth From james2 at jfirth.net Fri Dec 16 12:53:26 2011 From: james2 at jfirth.net (James Firth) Date: Fri, 16 Dec 2011 12:53:26 -0000 Subject: Sky blocks Newzbin, important legal and technical questions need answering In-Reply-To: References: <00d801ccbb46$475920b0$d60b6210$@net> <002001ccbb4e$d1a13cf0$74e3b6d0$@net> <003601ccbbcc$135fcdf0$3a1f69d0$@net> Message-ID: <007001ccbbf1$b4fa8090$1eef81b0$@net> Roland Perry wrote: > It would be helpful if part of the court order process put an > obligation > upon the ISPs doing the blocking to periodically inspect the [Regional] > IP registry entries of the number ranges in question to determine if > they have been de-allocated from the original holder, which is an > inevitable consequence of any transfer. Agreed, but Arnold, J said exactly the opposite: http://www.bailii.org/ew/cases/EWHC/Ch/2011/2714.html#para12 " In saying this, I do not mean that BT will be obliged to check IP addresses or URLs notified by the Studios. It will be the Studios' responsibility accurately to identify IP addresses and URLs to be notified to BT." (Note nothing about removal) > There isn't such a shortage of IP addresses that a few thousand (or > even > tens of thousand) put into quarantine makes much difference. But there is still the business of identifying them of being in quarantine in the first place, and maintaining this list (adding/removing). 9 reasonably-sized ISPs in the UK, plus potentially other countries. Systems for managing spam blacklists have evolved over the last 20(?) years. This is new and is driven by a different set of motives. James Firth From lists at internetpolicyagency.com Fri Dec 16 15:38:55 2011 From: lists at internetpolicyagency.com (Roland Perry) Date: Fri, 16 Dec 2011 15:38:55 +0000 Subject: Sky blocks Newzbin, important legal and technical questions need answering In-Reply-To: <007001ccbbf1$b4fa8090$1eef81b0$@net> References: <00d801ccbb46$475920b0$d60b6210$@net> <002001ccbb4e$d1a13cf0$74e3b6d0$@net> <003601ccbbcc$135fcdf0$3a1f69d0$@net> <007001ccbbf1$b4fa8090$1eef81b0$@net> Message-ID: <5Ey3j9tPY26OFAEP@perry.co.uk> In article <007001ccbbf1$b4fa8090$1eef81b0$@net>, James Firth writes >> It would be helpful if part of the court order process put an >>obligation upon the ISPs doing the blocking to periodically inspect >>the [Regional] IP registry entries of the number ranges in question >>to determine if they have been de-allocated from the original holder, >>which is an inevitable consequence of any transfer. > >Agreed, but Arnold, J said exactly the opposite: > >http://www.bailii.org/ew/cases/EWHC/Ch/2011/2714.html#para12 > >" In saying this, I do not mean that BT will be obliged to check IP >addresses or URLs notified by the Studios. It will be the Studios' >responsibility accurately to identify IP addresses and URLs to be notified >to BT." > >(Note nothing about removal) But that's in the context of adding new IP addresses if the target shifts. >> There isn't such a shortage of IP addresses that a few thousand (or >>even tens of thousand) put into quarantine makes much difference. > >But there is still the business of identifying them of being in quarantine >in the first place, and maintaining this list (adding/removing). 9 >reasonably-sized ISPs in the UK, plus potentially other countries. There's no umbrella list required, all it needs is for hosting ISPs to refrain from reallocating a small address range to a new customer when they know very well that their original customer got blocked. If they ever sell/transfer the block containing that address range (which seems unlikely at the moment, I suspect it's un-used ranges which are being traded), then the fact it contains such a blocked IP should be part of the due diligence. The ISP could make this simpler by adding a note to the registration in the public database for such blocked IP ranges. >Systems for managing spam blacklists have evolved over the last 20(?) years. >This is new and is driven by a different set of motives. ISPs are full of clever people. They'll cope. -- Roland Perry From james2 at jfirth.net Fri Dec 16 16:40:56 2011 From: james2 at jfirth.net (James Firth) Date: Fri, 16 Dec 2011 16:40:56 -0000 Subject: Sky blocks Newzbin, important legal and technical questions need answering In-Reply-To: <5Ey3j9tPY26OFAEP@perry.co.uk> References: <00d801ccbb46$475920b0$d60b6210$@net> <002001ccbb4e$d1a13cf0$74e3b6d0$@net> <003601ccbbcc$135fcdf0$3a1f69d0$@net> <007001ccbbf1$b4fa8090$1eef81b0$@net> <5Ey3j9tPY26OFAEP@perry.co.uk> Message-ID: <00cf01ccbc11$7d061bc0$77125340$@net> Roland Perry wrote: > There's no umbrella list required, all it needs is for hosting ISPs to > refrain from reallocating a small address range to a new customer when > they know very well that their original customer got blocked. Do they? How? We're talking about the server host, who probably hasn't seen a copy of the injunction because the MPAA are currently targeting intermediaries. Furthermore, the injunction allows rights holders to directly notify the intermediaries (UK ISPs). There's no reason the host's service provider should be ware. And, as I've said numerous times in my posts under this subject, my primary worry is not the IP addresses used by Newzbin or any other host blocked. It's the "any other site whose sole or predominant" blah blah blah. I stand by my original assertion that this is a problem and represents a very real risk of overblocking as more sites, more ISPs and more IP addresses are added to the block list. Nothing you've said would in my opinion, given specific knowledge of the types of data systems used in hosting companies make this problem go away,. James Firth From lists at internetpolicyagency.com Fri Dec 16 17:10:11 2011 From: lists at internetpolicyagency.com (Roland Perry) Date: Fri, 16 Dec 2011 17:10:11 +0000 Subject: Sky blocks Newzbin, important legal and technical questions need answering In-Reply-To: <00cf01ccbc11$7d061bc0$77125340$@net> References: <00d801ccbb46$475920b0$d60b6210$@net> <002001ccbb4e$d1a13cf0$74e3b6d0$@net> <003601ccbbcc$135fcdf0$3a1f69d0$@net> <007001ccbbf1$b4fa8090$1eef81b0$@net> <5Ey3j9tPY26OFAEP@perry.co.uk> <00cf01ccbc11$7d061bc0$77125340$@net> Message-ID: <4DtHSu2zt36OFA07@perry.co.uk> In article <00cf01ccbc11$7d061bc0$77125340$@net>, James Firth writes >> There's no umbrella list required, all it needs is for hosting ISPs to >> refrain from reallocating a small address range to a new customer when >> they know very well that their original customer got blocked. > >Do they? How? We're talking about the server host, who probably hasn't seen >a copy of the injunction because the MPAA are currently targeting >intermediaries. Their customer will either complain that "mysteriously" their hosting no longer seems to work, or they'll see their customer cancelling the contract and when asking them "why" will get told "because it's blocked". -- Roland Perry From igb at batten.eu.org Fri Dec 16 19:57:55 2011 From: igb at batten.eu.org (Ian Batten) Date: Fri, 16 Dec 2011 19:57:55 +0000 Subject: Sky blocks Newzbin, important legal and technical questions need answering In-Reply-To: <006d01ccbbf0$c25b72e0$471258a0$@net> References: <00d801ccbb46$475920b0$d60b6210$@net>

<006d01ccbbf0$c25b72e0$471258a0$@net> Message-ID: <08608244-F727-4B0C-851D-4413748DE67C@batten.eu.org> On 16 Dec 2011, at 1246, James Firth wrote: > Ian Batten wrote: >> ... there's no reason for a small hosting company to allocate each >> customer a /64 ... > > AFAIU there is. RFC2373 reserves those bits for interface identifiers > (obviously a privacy nightmare) Why would it be a privacy nightmare in a co-lo? And outside a co-lo, RFC4941 solves the problem and is the default on both OSX (10.7 and on; you have to enable it on 10.6) and on XP SP3 onwards. I presume Linux gets it right (/proc/sys/net/ipv6/conf/all/use_tempaddr). > and RIPE IPv6 Address Allocation and > Assignment Policy (ss5.4.1) states > > "The size of the assignment is a local decision for the LIR or ISP to make, > using a minimum value of a /64 (only one subnet is anticipated for the End > Site)." > > Therefore it would be reasonable for any network blocking of IPv6 to block > with a mask of /64. But there's no reason for a hosting company to use blocks at all. As of today, if you buy a simple hosting arrangement, you get a single IP number for your single host. Why would you expect, or need, more than a single IP number within your co-lo's network? They might opt to give you a /64, they might opt to allocate IP numbers within a /64. Otherwise IPv6 because essentially 64 bit, rather than 128 bit, addressing, as the top 64 bits are used to allocate /64s and the bottom 64 bits are used to allocate one host. ian From james2 at jfirth.net Fri Dec 16 20:36:15 2011 From: james2 at jfirth.net (James Firth) Date: Fri, 16 Dec 2011 20:36:15 -0000 Subject: Sky blocks Newzbin, important legal and technical questions need answering In-Reply-To: <08608244-F727-4B0C-851D-4413748DE67C@batten.eu.org> References: <00d801ccbb46$475920b0$d60b6210$@net>

<006d01ccbbf0$c25b72e0$471258a0$@net> <08608244-F727-4B0C-851D-4413748DE67C@batten.eu.org> Message-ID: <001501ccbc32$5bd1e210$1375a630$@net> Ian Batten wrote: > Why would it be a privacy nightmare in a co-lo? And outside a co-lo, > RFC4941 solves the problem and is the default on both OSX (10.7 and on; > you have to enable it on 10.6) and on XP SP3 onwards. I presume Linux > gets it right (/proc/sys/net/ipv6/conf/all/use_tempaddr). > > > But there's no reason for a hosting company to use blocks at all. As > of today, if you buy a simple hosting arrangement, you get a single IP > number for your single host. Why would you expect, or need, more than > a single IP number within your co-lo's network? I had this argument at the IPv6 "launch party" in London (an industry bash designed to push IPv6 adoption). It was explained to me then, by people who should know, that the original intention was to merge MAC and IP addresses. Hence the rightmost 64 bits - the "interface identifier" are reserved for the MAC address or equivalent, and IPv6 addresses are designed to be allocated in blocks of /64. That's why no end "customer" should ever get less than a /64. Now I hear you cry, since MAC addresses are in theory unique, there's no need to give every customer a /64... But there is, really. MAC fiddlers, etc. An obvious privacy nightmare standards have emerged such as RFC 3041; which I think, Ian, might describe similar behaviour to that mentioned in your earlier post. James Firth From igb at batten.eu.org Sat Dec 17 18:05:07 2011 From: igb at batten.eu.org (Ian Batten) Date: Sat, 17 Dec 2011 18:05:07 +0000 Subject: Sky blocks Newzbin, important legal and technical questions need answering In-Reply-To: <001501ccbc32$5bd1e210$1375a630$@net> References: <00d801ccbb46$475920b0$d60b6210$@net>

<006d01ccbbf0$c25b72e0$471258a0$@net> <08608244-F727-4B0C-851D-4413748DE67C@batten.eu.org> <001501ccbc32$5bd1e210$1375a630$@net> Message-ID: <98CD9266-0594-4821-A534-6F5FA3A8FB13@batten.eu.org> On 16 Dec 2011, at 20:36, James Firth wrote: > > Hence the rightmost 64 bits - the "interface identifier" are reserved for > the MAC address or equivalent, and IPv6 addresses are designed to be > allocated in blocks of /64. That's why no end "customer" should ever get > less than a /64. > > Now I hear you cry, since MAC addresses are in theory unique, there's no > need to give every customer a /64... But there is, really. MAC fiddlers, > etc. > > An obvious privacy nightmare standards have emerged such as RFC 3041; which > I think, Ian, might describe similar behaviour to that mentioned in your > earlier post. Just to clarify, 3041 that you refer to is obsoleted by 4941 which I referred to. They're very similar. The use-case only really applies for mobile devices. The concern it addresses is the case where a device (say, a laptop) is mobile between networks. Today, it'll get allocated a fresh IP number by the local DHCP server, which even if it's not NAT-ed at the border anyway won't be in any way correlated between networks. Therefore, of itself, the allocated address does not provide a means of linking two network addresses as pointing to the same device. That's not true with IPv6 stateless auto-configuration. The algorithm there is to form the bottom 64 bits by taking the MAC address, splitting it it two, padding the two halves apart with FF:FE and inverting bit 7. You then probe for someone else using the same address and do some magic if you hit a clash. That makes the bottom 64 bits (usually) constant for a given device, and hence trackable from prefix to prefix. So 4941 allows you to instead form an address at random, probe to see if it's in use, and assuming it's free use that. But for fixed devices, that's pretty pointless. It's not a surprise that, say, a.root-servers.net. is at 2001:503:ba3e::2:30, nor is there any reason why the operators of a.root-servers.net would mind me knowing that over the long term. And there's no reason why 2001:503:ba3e::2:31 should be off-limits: clearly, ::2:31 hasn't been formed by splitting a mac address, inserting ff:fe and inverting bit seven, nor has it (one would guess) been formed with 64 random bits. It's been formed by hand, just like 2001:7fd::1 (another of the roots). And that argument extends to any fixed address of a fixed machine, especially one that needs its PTR records to work correctly. So if I'm a small co-lo running IPv6, RFC 6177 says my registry should be willing to give me more than a /64 but (potentially) less than a /48. If I've got a /56, say, I'm going to be nervous about giving my customers /64s, because I've only got 256 of them. In any event, the last thing a co-lo customer is going to want to happen is the IPv6 address of their machine change because it's had a motherboard swap, or because it's been moved from VMware host to VMware host, or whatever. They're going to want a fixed IPv6 address, just like they have a fixed IPv4. I'm going to be pretty annoyed if the IPv6 address of the authoritative nameserver for my domain changes, because it's in the glue records; it's not enough that the top 64 bits are constant, the bottom 64 need to be constant as well. Given that's going to apply to most people in co-los, why wouldn't the co-lo operator allocate multiple addresses in the same /64 to different customers? They're not going to be using stateless autoconfiguration, after all. ian From james2 at jfirth.net Tue Dec 20 14:09:56 2011 From: james2 at jfirth.net (James Firth) Date: Tue, 20 Dec 2011 14:09:56 -0000 Subject: Absolutely groundbreaking legal approach to takedown Message-ID: <005901ccbf21$0efed730$2cfc8590$@net> This really is worth reading from law professor Andrew Murray at LSE. It's a novel privacy order to reduce online availability of stolen sexually explicit pictures to protect a non-celebrity from harassment. The idea is to identify and serve orders on torrent seeders. Not sure what I think about this, it's obviously a worthy aim, is sensitive to free speech etc, but will have ramifications and I'm not sure whether it will have any effect on availability via other means from sources outside UK jurisdiction. There's also a risk of some kind of backlash, although Andrew hopes for no "Streisand Effect". Worth a read: http://ejf.me/pX Full URL: http://theitlawyer.blogspot.com/2011/12/new-approach-to-privacy-amp-v-person s.html James Firth CEO, Open Digital Policy Organisation www.opendigital.org From zenadsl6186 at zen.co.uk Wed Dec 21 09:53:26 2011 From: zenadsl6186 at zen.co.uk (Peter Fairbrother) Date: Wed, 21 Dec 2011 09:53:26 +0000 Subject: The Information Commission and the Leveson Inquiry In-Reply-To: <018c01ccb93a$82e68950$88b39bf0$@gmx.net> References: <53FDAFC3-8EBC-4F6B-8BCC-ADE45E454DE2@batten.eu.org> <018c01ccb93a$82e68950$88b39bf0$@gmx.net> Message-ID: <4EF1AC96.9010406@zen.co.uk> Caspar Bowden wrote: > *>Behalf Of *Ian Batten > > > > http://www.levesoninquiry.org.uk/hearing/2011-12-12am/ > > > > The gist of Thomas' evidence > > to Leveson Inquiry was that it was all their external counsel?s > fault > that the ICO investigated no journos. Does anyone know, was it the same counsel (Bernard Thorogood) who advised the previous Met Commissioner that in order to get convictions the Police would have to prove that telephone voice messages were intercepted before being "read" (listened to) by their intended recipients? Thx, -- Peter Fairbrother From tugwilson at gmail.com Wed Dec 21 10:06:39 2011 From: tugwilson at gmail.com (John Wilson) Date: Wed, 21 Dec 2011 10:06:39 +0000 Subject: The Information Commission and the Leveson Inquiry In-Reply-To: <4EF1AC96.9010406@zen.co.uk> References: <53FDAFC3-8EBC-4F6B-8BCC-ADE45E454DE2@batten.eu.org> <018c01ccb93a$82e68950$88b39bf0$@gmx.net> <4EF1AC96.9010406@zen.co.uk> Message-ID: On 21 December 2011 09:53, Peter Fairbrother wrote: [snip] > Does anyone know, was it the same counsel (Bernard Thorogood) who advised > the previous Met Commissioner that in order to get convictions the Police > would have to prove that telephone voice messages were intercepted before > being "read" (listened to) by their intended recipients? The Bar Directory only shows one Bernard Thorogood John Wilson From zenadsl6186 at zen.co.uk Wed Dec 21 11:50:15 2011 From: zenadsl6186 at zen.co.uk (Peter Fairbrother) Date: Wed, 21 Dec 2011 11:50:15 +0000 Subject: The Information Commission and the Leveson Inquiry In-Reply-To: References: <53FDAFC3-8EBC-4F6B-8BCC-ADE45E454DE2@batten.eu.org> <018c01ccb93a$82e68950$88b39bf0$@gmx.net> <4EF1AC96.9010406@zen.co.uk> Message-ID: <4EF1C7F7.1010405@zen.co.uk> John Wilson wrote: > On 21 December 2011 09:53, Peter Fairbrother wrote: > [snip] > >> Does anyone know, was it the same counsel (Bernard Thorogood) who advised >> the previous Met Commissioner that in order to get convictions the Police >> would have to prove that telephone voice messages were intercepted before >> being "read" (listened to) by their intended recipients? > > > The Bar Directory only shows one Bernard Thorogood Yes, but did he so advise the ex Met Commissioner, or was that someone else? Thanks, -- Peter Fairbrother > > John Wilson > > From richard at highwayman.com Wed Dec 21 12:23:29 2011 From: richard at highwayman.com (Richard Clayton) Date: Wed, 21 Dec 2011 12:23:29 +0000 Subject: Sky blocks Newzbin, important legal and technical questions need answering In-Reply-To: References: <00d801ccbb46$475920b0$d60b6210$@net> <001d01ccbb4e$37881490$a6983db0$@net> Message-ID: <7u3dNiTB$c8OFA2o@highwayman.com> In article , Francis Davey writes >No, that's not how it works (as I understand anyway). First there is a >filter on IP addresses, then those that match the IP list are passed >through to a proxy that filters on specific URLs. That's a correct description of BT's "CleanFeed" ... in fact all of the UK ISPs who filter out sites on the (ever-decreasing) IWF list currently operate two stage systems with URL-specific proxies; they differ in how they arrange for traffic to reach those proxies. >> Further, the BT injunction is not limited in time either, is it? > >Yes - though there is liberty to apply if circumstances change (and >third parties have a right to apply for variation if they are >affected). An important part of the injunction is that if Newzbin moves (for example to another IP address or hostname) then the movie studios can tell BT the new location and BT will add that to their CleanFeed mechanisms... ... AIUI (from private conversations) the rather patchy blocking so far has been due to some IP address mobility by Newzbin -- but that changes of what newzbin.com resolves to will now be tracked rather more promptly; and I am certainly hearing that blocking is rather easier to detect. Note that the blocking is solely on port tcp/80, so changing "http" to "https" is sufficient to entirely evade the BT scheme. Other ISPs generally use a DNS poisoning approach, so if you are one of these other ISPs then using an alternative DNS server (eg Google's 8.8.8.8, or even BT's recursive resolvers (which are currently openly available for general use!)) will prevent your traffic reaching the other ISP's proxy, and there will be no blocking. On these other ISPs, https will probably also evade blocking. >> generic blocking mechanism... The judge made no assessment of the >> rights of privacy of BT's users as a whole, merely he was "satisfied" >> that the curtailing of Art. 10 rights was proportionate. For example, >> I wouldn't be surprised if Cleanfeed logs every referral regardless of >> whether that referral is subsequently blocked. BT have generally avoided generating any logs on the CleanFeed system so that they do not have to deal with the policy and PR issues involved if they were approached by Law Enforcement asking for copies of the logs. However, they do seem to have some anonymised information (useful I've no doubt for troubleshooting when systems fail). They have in the (rather distant) past reported on the total number of accesses that pass through their proxies -- the numbers were absurdly high, probably because of the complexity of the pages accessed (rendering a single page can often involve dozens of HTTP accesses) combined with the use of banners from bad places on (relatively) good sites -- and of course various prefetch mechanisms. >Hmmmm. BT almost certainly have to log traffic data and then have to >destroy it after a fixed period of time under the data retention >directive. I'm not sure what Cleanfeed logs or may lawfully log. There is no statutory obligation to log traffic on a web proxy. http://www.legislation.gov.uk/uksi/2009/859/made/data.pdf >This >is where Richard Clayton would be useful to us. I do my best :) >All moot though since https appears to get around the block (if not, >I'd be interested to know, I'm taking a particularly keen interest in >website blocking at the moment). I understand (again from private conversations) that the ineffectiveness of CleanFeed has been noticed by the movie studios. We may see them suggesting that IP-based blocking would be more effective (it's still of course straightforward to evade, but not inanely so). I wonder how that will square with the judge's view that he didn't actually care if the mechanism works in general provided that it blocks just one view... -- richard Richard Clayton Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety. Benjamin Franklin 11 Nov 1755 -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 185 bytes Desc: not available URL: From tugwilson at gmail.com Wed Dec 21 19:32:54 2011 From: tugwilson at gmail.com (John Wilson) Date: Wed, 21 Dec 2011 19:32:54 +0000 Subject: The Information Commission and the Leveson Inquiry In-Reply-To: <4EF1C7F7.1010405@zen.co.uk> References: <53FDAFC3-8EBC-4F6B-8BCC-ADE45E454DE2@batten.eu.org> <018c01ccb93a$82e68950$88b39bf0$@gmx.net> <4EF1AC96.9010406@zen.co.uk> <4EF1C7F7.1010405@zen.co.uk> Message-ID: On 21 December 2011 11:50, Peter Fairbrother wrote: > John Wilson wrote: >> >> On 21 December 2011 09:53, Peter Fairbrother >> wrote: >> [snip] >> >>> Does anyone know, was it the same counsel (Bernard Thorogood) who advised >>> the previous Met Commissioner that in order to get convictions the Police >>> would have to prove that telephone voice messages were intercepted before >>> being "read" (listened to) by their intended recipients? >> >> >> >> The Bar Directory only shows one Bernard Thorogood > > > > Yes, but did he so advise the ex Met Commissioner, or was that someone else? Sorry, I thought you knew the name of council who advised the Met. You could try an FoI request to get the name. John Wilson From cryptome at earthlink.net Thu Dec 22 16:33:39 2011 From: cryptome at earthlink.net (John Young) Date: Thu, 22 Dec 2011 11:33:39 -0500 Subject: Iran GPS Spoofing and the RSA Cipher In-Reply-To: <005901ccbf21$0efed730$2cfc8590$@net> Message-ID: Iran GPS Spoofing and the RSA Cipher http://cryptome.org/0005/iran-rsa-cipher.htm From ukcrypto at sourcetagged.ian.co.uk Thu Dec 22 21:04:26 2011 From: ukcrypto at sourcetagged.ian.co.uk (Ian Mason) Date: Thu, 22 Dec 2011 21:04:26 +0000 Subject: Iran GPS Spoofing and the RSA Cipher In-Reply-To: References: Message-ID: <7447658F-FA3E-4419-9EA4-269F9BF57832@sourcetagged.ian.co.uk> I do wish people would check their facts sometimes. The linked article asserts that "GPS (M-code) is protected against spoofing by the RSA cipher" - it is not, it's protected by a keyed PRNG. You don't have to be an ace cryptologist to figure this out, you just need to look up "GPS signal" on Wikipedia. On 22 Dec 2011, at 16:33, John Young wrote: > Iran GPS Spoofing and the RSA Cipher > > > http://cryptome.org/0005/iran-rsa-cipher.htm > > From cryptome at earthlink.net Thu Dec 22 22:17:19 2011 From: cryptome at earthlink.net (John Young) Date: Thu, 22 Dec 2011 17:17:19 -0500 Subject: Iran GPS Spoofing and the RSA Cipher In-Reply-To: <7447658F-FA3E-4419-9EA4-269F9BF57832@sourcetagged.ian.co.u k> References:

Message-ID: The article source responds: [Quote] PRNG means Pseudo-Random Number Generator. Other sources that discuss GPS say simply "RNG". Another way of being equally ambiguous would be to call it a "keystream." Any cryptosystem can be used as a source PRNG. The PRNG for M-code GPS is RSA, tell this cryptographer that. RSA is the RNG keystream, GPS data is the plaintext, and the M code signal is the ciphertext. To turn the M code ciphertext into GPS plaintext you need to replicate independently the same RNG sequence used by the satellite to derive the GPS plaintext, to do this you use RSA in either symmetric or asymmetric mode (as per red-key or black-key M-code modes, respectively). [Unquote] ----- At 09:04 PM 12/22/2011 +0000, you wrote: >I do wish people would check their facts sometimes. The linked article >asserts that "GPS (M-code) is protected against spoofing by the RSA >cipher" - it is not, it's protected by a keyed PRNG. You don't have to >be an ace cryptologist to figure this out, you just need to look up >"GPS signal" on Wikipedia. > > >On 22 Dec 2011, at 16:33, John Young wrote: > >> Iran GPS Spoofing and the RSA Cipher >> >> >> http://cryptome.org/0005/iran-rsa-cipher.htm >> >> > From prunesquallor at proproco.co.uk Fri Dec 23 00:18:08 2011 From: prunesquallor at proproco.co.uk (John Brazier) Date: Fri, 23 Dec 2011 00:18:08 -0000 Subject: Iran GPS Spoofing and the RSA Cipher In-Reply-To: References:

Message-ID: <000601ccc108$592b2280$0b816780$@proproco.co.uk> Confused of Horsham: As I understand it, between block cyphers/stream cyphers/PRNGs (all of which seem to be different facets of the same thing) there is a wide range of systems that can extremely efficiently produce a 'random' sequence of bits, to any arbitrary level of 'randomness'. Why would anyone use RSA to generate a random bit stream? Its asymmetry gives benefits, but it's terribly inefficient. That's why it tends to be used as a key exchange protocol, not a data encryption one. Happy to learn, John B -----Original Message----- From: ukcrypto-bounces at chiark.greenend.org.uk [mailto:ukcrypto-bounces at chiark.greenend.org.uk] On Behalf Of John Young Sent: 22 December 2011 10:17 PM To: UK Cryptography Policy Discussion Group Subject: Re: Iran GPS Spoofing and the RSA Cipher The article source responds: [Quote] PRNG means Pseudo-Random Number Generator. Other sources that discuss GPS say simply "RNG". Another way of being equally ambiguous would be to call it a "keystream." Any cryptosystem can be used as a source PRNG. The PRNG for M-code GPS is RSA, tell this cryptographer that. RSA is the RNG keystream, GPS data is the plaintext, and the M code signal is the ciphertext. To turn the M code ciphertext into GPS plaintext you need to replicate independently the same RNG sequence used by the satellite to derive the GPS plaintext, to do this you use RSA in either symmetric or asymmetric mode (as per red-key or black-key M-code modes, respectively). [Unquote] ----- At 09:04 PM 12/22/2011 +0000, you wrote: >I do wish people would check their facts sometimes. The linked article >asserts that "GPS (M-code) is protected against spoofing by the RSA >cipher" - it is not, it's protected by a keyed PRNG. You don't have to >be an ace cryptologist to figure this out, you just need to look up >"GPS signal" on Wikipedia. > > >On 22 Dec 2011, at 16:33, John Young wrote: > >> Iran GPS Spoofing and the RSA Cipher >> >> >> http://cryptome.org/0005/iran-rsa-cipher.htm >> >> > From brg at gladman.plus.com Fri Dec 23 08:03:51 2011 From: brg at gladman.plus.com (Brian Gladman) Date: Fri, 23 Dec 2011 08:03:51 -0000 Subject: Iran GPS Spoofing and the RSA Cipher In-Reply-To: <000601ccc108$592b2280$0b816780$@proproco.co.uk> References:

<000601ccc108$592b2280$0b816780$@proproco.co.uk> Message-ID: <63FC0C21755B4775BCACEBE582FB06D8@MobileSlave> -----Original Message----- From: John Brazier Sent: Friday, December 23, 2011 12:18 AM To: 'UK Cryptography Policy Discussion Group' Subject: RE: Iran GPS Spoofing and the RSA Cipher Confused of Horsham: As I understand it, between block cyphers/stream cyphers/PRNGs (all of which seem to be different facets of the same thing) there is a wide range of systems that can extremely efficiently produce a 'random' sequence of bits, to any arbitrary level of 'randomness'. Why would anyone use RSA to generate a random bit stream? Its asymmetry gives benefits, but it's terribly inefficient. That's why it tends to be used as a key exchange protocol, not a data encryption one. ================================ I am NOT going to argue that this is the reason for using an RSA based keystream generator in this particular application but one potential advantage of such generators (see, for example, the Blum-Blum-Shub (BBS) generator) is that the n'th bit in the keystream can be calculated without having to run the generator up to this point. If a key stream generator is going to be run for a very long time without any re-initialisation and an approximate count of the current bit number is known, a resynchronisation can be established by calculating a sequence around this bit number and then locating this sequence in the stream to get an accurate bit number. Brian Gladman Happy to learn, John B -----Original Message----- From: ukcrypto-bounces at chiark.greenend.org.uk [mailto:ukcrypto-bounces at chiark.greenend.org.uk] On Behalf Of John Young Sent: 22 December 2011 10:17 PM To: UK Cryptography Policy Discussion Group Subject: Re: Iran GPS Spoofing and the RSA Cipher The article source responds: [Quote] PRNG means Pseudo-Random Number Generator. Other sources that discuss GPS say simply "RNG". Another way of being equally ambiguous would be to call it a "keystream." Any cryptosystem can be used as a source PRNG. The PRNG for M-code GPS is RSA, tell this cryptographer that. RSA is the RNG keystream, GPS data is the plaintext, and the M code signal is the ciphertext. To turn the M code ciphertext into GPS plaintext you need to replicate independently the same RNG sequence used by the satellite to derive the GPS plaintext, to do this you use RSA in either symmetric or asymmetric mode (as per red-key or black-key M-code modes, respectively). [Unquote] ----- At 09:04 PM 12/22/2011 +0000, you wrote: >I do wish people would check their facts sometimes. The linked article >asserts that "GPS (M-code) is protected against spoofing by the RSA >cipher" - it is not, it's protected by a keyed PRNG. You don't have to >be an ace cryptologist to figure this out, you just need to look up >"GPS signal" on Wikipedia. > > >On 22 Dec 2011, at 16:33, John Young wrote: > >> Iran GPS Spoofing and the RSA Cipher >> >> >> http://cryptome.org/0005/iran-rsa-cipher.htm >> >> > From ben at liddicott.com Fri Dec 23 09:28:24 2011 From: ben at liddicott.com (Ben Liddicott) Date: Fri, 23 Dec 2011 09:28:24 -0000 Subject: Iran GPS Spoofing and the RSA Cipher In-Reply-To: <63FC0C21755B4775BCACEBE582FB06D8@MobileSlave> References:

<000601ccc108$592b2280$0b816780$@proproco.co.uk> <63FC0C21755B4775BCACEBE582FB06D8@MobileSlave> Message-ID: <170B1C40FFF147F7885A604C2B0AFF75@ROCKET> That's true of any block cypher in CTR mode. Ben -----Original Message----- From: Brian Gladman Sent: Friday, December 23, 2011 8:03 AM I am NOT going to argue that this is the reason for using an RSA based keystream generator in this particular application but one potential advantage of such generators (see, for example, the Blum-Blum-Shub (BBS) generator) is that the n'th bit in the keystream can be calculated without having to run the generator up to this point. From ukcrypto at sourcetagged.ian.co.uk Fri Dec 23 13:08:59 2011 From: ukcrypto at sourcetagged.ian.co.uk (Ian Mason) Date: Fri, 23 Dec 2011 13:08:59 +0000 Subject: Iran GPS Spoofing and the RSA Cipher In-Reply-To: <170B1C40FFF147F7885A604C2B0AFF75@ROCKET> References:

<000601ccc108$592b2280$0b816780$@proproco.co.uk> <63FC0C21755B4775BCACEBE582FB06D8@MobileSlave> <170B1C40FFF147F7885A604C2B0AFF75@ROCKET> Message-ID: <17A0772A-9FD7-4AE4-BFDD-D4AF11EBCAC0@sourcetagged.ian.co.uk> On 23 Dec 2011, at 09:28, Ben Liddicott wrote: > That's true of any block cypher in CTR mode. Indeed. > > Ben > -----Original Message----- From: Brian Gladman Sent: Friday, > December 23, 2011 8:03 AM > I am NOT going to argue that this is the reason for using an RSA > based keystream generator in this particular application but one > potential advantage of such generators (see, for example, the Blum- > Blum-Shub (BBS) generator) is that the n'th bit in the keystream can > be calculated without having to run the generator up to this point. The actual PRNG used by GPS for the M-code is classified. What is known is that it generates a bitstream at 5.115 MHz that is used as a DSSS spreading code. thus it has to be fast, and the time between successive chunks of the bitstream being available has to be deterministic (you can't hold up the modulation process waiting for your next bit of keystream). The period of this code is likely to be long, for example the older P-code is 6.1871 ? 10^12 bits long. It's a requirement of codes used with DSSS to be able to hop around in the keystream to achieve correlation with the transmitted signal to demodulate it. Thus you need a PRNG that has the properties Brian has highlighted - the ability to get bit N from the keystream without first generating bits 0..N-1. The older P-code takes a week to repeat, you can't wait a week to try and get a lock on the transmitted signal! Yes, you can in theory construct a PRNG from RSA. You'd however have to be insane to try. RSA is highly computationally intensive, the time of each RSA calculation is variable and it has properties that will trip you up every time unless you are careful (e.g. if your message has few enough significant bits it will pass through RSA encryption essentially unencrypted). Using it this way is of a similar order of foolishness as constructing a cartwheel from toothpicks glued together when you've got a store full of well-seasoned timber waiting to be cut to shape. When one thinks of PRNGs one thinks of LFSRs and block ciphers in CTR mode or one of the feedback modes. I have NEVER seen anyone in the literature propose using RSA to construct a PRNG. From igb at batten.eu.org Fri Dec 23 15:33:11 2011 From: igb at batten.eu.org (Ian Batten) Date: Fri, 23 Dec 2011 15:33:11 +0000 Subject: Iran GPS Spoofing and the RSA Cipher In-Reply-To: <17A0772A-9FD7-4AE4-BFDD-D4AF11EBCAC0@sourcetagged.ian.co.uk> References:

<000601ccc108$592b2280$0b816780$@proproco.co.uk> <63FC0C21755B4775BCACEBE582FB06D8@MobileSlave> <170B1C40FFF147F7885A604C2B0AFF75@ROCKET> <17A0772A-9FD7-4AE4-BFDD-D4AF11EBCAC0@sourcetagged.ian.co.uk> <4FCEECE3-ADF1-406B-B75B-4CD950D79ECB@batten.eu.org> Message-ID: <897D6335-F048-4C24-8498-16E95B392A91@sourcetagged.ian.co.uk> On 23 Dec 2011, at 15:33, Ian Batten wrote: > > Leaving aside the practicalities of the algorithms, an asymmetric > system would be attractive for military-grade GPS, as it would mean > that the theft and complete analysis of a receiver would not provide > the key material for spoofing. There are a lot of military handsets > and by definition they are going to be used in hostile environments > with a risk of capture, so were it possible to engineer a system > where the handsets did not contain the transmission keys that would > be a desirable property. As you point out, it might prove very > difficult to achieve, but those problems would bring some value as > well. > > ian I see what you're getting at, but I think you haven't really thought it through or misunderstand the problem. Remember that the satellites are broadcasting to all receivers, not having a conversation with each GPS receiver individually. The satellite/receiver system would still need to share secret material as having one private key per receiver would be impractical. If nothing else it would require the satellite to speculatively transmit the current spreading code key wrapped in many different public keys. All the GPS satellites transmit simultaneously on the same frequency using a CDMA/DSSS modulation. The only way you can separate the signals from multiple satellites is to use a different spreading code for each satellite, both for satellite transmission and terrestrial reception. The spreading code is the bitstream output of a PRNG, also sometimes called a keystream when the intent is encryption. The receiver needs the spreading code to demodulate the transmitted signal, so it has to generate exactly the same spreading code as the sender is using just to detect the signal - a fundamentally symmetric relationship. For the public channels such as the C/A (Coarse/Acquisition) signal the the PRNG formulation (key+algorithmn) used to generate the spreading signal is well known, the key is the satellite number. The M- code channel is an anti-spoofing feature and also uses a secret and much longer spreading code to achieve the antispoofing characteristic. T'other Ian From tharg at gmx.net Fri Dec 23 19:26:41 2011 From: tharg at gmx.net (Caspar Bowden) Date: Fri, 23 Dec 2011 20:26:41 +0100 Subject: The Information Commission and the Leveson Inquiry In-Reply-To: <4EF1C7F7.1010405@zen.co.uk> References: <53FDAFC3-8EBC-4F6B-8BCC-ADE45E454DE2@batten.eu.org> <018c01ccb93a$82e68950$88b39bf0$@gmx.net> <4EF1AC96.9010406@zen.co.uk> <4EF1C7F7.1010405@zen.co.uk> Message-ID: <005001ccc1a8$cd6b75a0$684260e0$@gmx.net> This may be relevant http://www.publications.parliament.uk/pa/cm201012/cmselect/cmhaff/907/907we0 3.htm -----Original Message----- From: ukcrypto-bounces at chiark.greenend.org.uk [mailto:ukcrypto-bounces at chiark.greenend.org.uk] On Behalf Of Peter Fairbrother Sent: 21 December 2011 12:50 To: UK Cryptography Policy Discussion Group Subject: Re: The Information Commission and the Leveson Inquiry John Wilson wrote: > On 21 December 2011 09:53, Peter Fairbrother wrote: > [snip] > >> Does anyone know, was it the same counsel (Bernard Thorogood) who >> advised the previous Met Commissioner that in order to get >> convictions the Police would have to prove that telephone voice >> messages were intercepted before being "read" (listened to) by their intended recipients? > > > The Bar Directory only shows one Bernard Thorogood Yes, but did he so advise the ex Met Commissioner, or was that someone else? Thanks, -- Peter Fairbrother > > John Wilson > > From tharg at gmx.net Fri Dec 23 19:34:25 2011 From: tharg at gmx.net (Caspar Bowden) Date: Fri, 23 Dec 2011 20:34:25 +0100 Subject: The Information Commission and the Leveson Inquiry References: <53FDAFC3-8EBC-4F6B-8BCC-ADE45E454DE2@batten.eu.org> <018c01ccb93a$82e68950$88b39bf0$@gmx.net> <4EF1AC96.9010406@zen.co.uk> <4EF1C7F7.1010405@zen.co.uk> Message-ID: <005201ccc1a9$e1bf5bb0$a53e1310$@gmx.net> Oops. Sent too soon Interesting. Via http://blogscript.blogspot.com/2011/07/idiots-guide-to-why-voicemail-hacking .html DPP Starmer attributes the decision to David Perry QC http://www.guardian.co.uk/media/2011/mar/13/phone-hacking-newspapers ...but this is inconsistent with Nick Davies memo http://www.publications.parliament.uk/pa/cm201012/cmselect/cmhaff/907/907we0 3.htm Caspar -----Original Message----- From: ukcrypto-bounces at chiark.greenend.org.uk [mailto:ukcrypto-bounces at chiark.greenend.org.uk] On Behalf Of Peter Fairbrother Sent: 21 December 2011 12:50 To: UK Cryptography Policy Discussion Group Subject: Re: The Information Commission and the Leveson Inquiry John Wilson wrote: > On 21 December 2011 09:53, Peter Fairbrother wrote: > [snip] > >> Does anyone know, was it the same counsel (Bernard Thorogood) who >> advised the previous Met Commissioner that in order to get >> convictions the Police would have to prove that telephone voice >> messages were intercepted before being "read" (listened to) by their intended recipients? > > > The Bar Directory only shows one Bernard Thorogood Yes, but did he so advise the ex Met Commissioner, or was that someone else? Thanks, -- Peter Fairbrother > > John Wilson > > From zenadsl6186 at zen.co.uk Fri Dec 23 19:52:38 2011 From: zenadsl6186 at zen.co.uk (Peter Fairbrother) Date: Fri, 23 Dec 2011 19:52:38 +0000 Subject: Iran GPS Spoofing and the RSA Cipher In-Reply-To: <897D6335-F048-4C24-8498-16E95B392A91@sourcetagged.ian.co.uk> References:

<000601ccc108$592b2280$0b816780$@proproco.co.uk> <63FC0C21755B4775BCACEBE582FB06D8@MobileSlave> <170B1C40FFF147F7885A604C2B0AFF75@ROCKET> <17A0772A-9FD7-4AE4-BFDD-D4AF11EBCAC0@sourcetagged.ian.co.uk> Message-ID: <87boqzt4em.fsf@mid.deneb.enyo.de> * Ian Mason: > Yes, you can in theory construct a PRNG from RSA. You'd however have > to be insane to try. In the literature, RSA is frequently used to construct other primitives, followed by a proof that if those primitives lack certain properties (which allegedly make them secure), then you can break RSA. Blum-Blum-Shub (already mentioned) is a generator with such a proof. There is a hilarious paper by Koblitz and Menezes, "Another look at provable security II", , which covers Blum-Blum-Shub in section 6.1. Choice quote: | According to inequality (2), the BBS generator is secure against an | adversary whose time is bounded by ?2???. (Yes, that's a negative | sign!) In this case we get a "better" result from inequality (3), | which bounds the adversary?s time by 2????. (Yes, that's a negative | exponent!) From prunesquallor at proproco.co.uk Fri Dec 23 23:37:49 2011 From: prunesquallor at proproco.co.uk (John Brazier) Date: Fri, 23 Dec 2011 23:37:49 -0000 Subject: Iran GPS Spoofing and the RSA Cipher In-Reply-To: <4EF4DC06.5040106@zen.co.uk> References:

<000601ccc108$592b2280$0b816780$@proproco.co.uk> <63FC0C21755B4775BCACEBE582FB06D8@MobileSlave> <170B1C40FFF147F7885A604C2B0AFF75@ROCKET> <17A0772A-9FD7-4AE4-BFDD-D4AF11EBCAC0@sourcetagged.ian.co.uk> <4FCEECE3-ADF1-406B-B75B-4CD950D79ECB@batten.eu.org> <897D6335-F048-4C24-8498-16E95B392A91@sourcetagged.ian.co.uk> <4EF4DC06.5040106@zen.co.uk> Message-ID: <00a701ccc1cb$e1d5d170$a5817450$@proproco.co.uk> Dear all, I am now no doubt out of date, but one of the rules I learnt was that an encryption system only has to be as good as the timescale you're concerned about. So the Playfair was completely appropriate as a battlefield cypher in the First World War: even if you knew the system, it would take you at least an hour to derive the key, at which point the information was redundant. I would assume any of these drones is a technological compromise between flight time, control, and weapons delivery. The last probably being the most important, it would mean that they would, assuming their control system is cryptographically protected, go for the simplest possible system that gives them protection within the expected flight time. That, to me, would certainly exclude RSA as its computing baggage would be better directed towards things like targeting. But I'm not an expert in this domain. TTFN JB -----Original Message----- From: ukcrypto-bounces at chiark.greenend.org.uk [mailto:ukcrypto-bounces at chiark.greenend.org.uk] On Behalf Of Peter Fairbrother Sent: 23 December 2011 7:53 PM To: UK Cryptography Policy Discussion Group Subject: Re: Iran GPS Spoofing and the RSA Cipher Ian Mason wrote: > > On 23 Dec 2011, at 15:33, Ian Batten wrote: >> >> Leaving aside the practicalities of the algorithms, an asymmetric >> system would be attractive for military-grade GPS, as it would mean >> that the theft and complete analysis of a receiver would not provide >> the key material for spoofing. There are a lot of military handsets >> and by definition they are going to be used in hostile environments >> with a risk of capture, so were it possible to engineer a system >> where the handsets did not contain the transmission keys that would >> be a desirable property. As you point out, it might prove very >> difficult to achieve, but those problems would bring some value as well. >> >> ian > > I see what you're getting at, but I think you haven't really thought > it through or misunderstand the problem. Remember that the satellites > are broadcasting to all receivers, not having a conversation with each > GPS receiver individually. The satellite/receiver system would still > need to share secret material as having one private key per receiver > would be impractical. If nothing else it would require the satellite > to speculatively transmit the current spreading code key wrapped in > many different public keys. I'm with t'other other Ian on this - an enemy finding a receiver could then use it to locate themselves, and if they could extract the key (a big if - it's hard enough to extract the key from the chip in a bank card) they could build more receivers (until the key is changed), but if it's RSA protected they couldn't use the key they found to spoof other receivers. Brian's property, being able to calculate bit x without having to calculate bits 1 ...x is probably essential, but it isn't exactly hard to do, and it doesn't require RSA. Anything which can reset a simplish PRNG every second or so could also be used. Pure speculation: Although it's somewhat inefficient, it is doable. ..a bit of theory goes in here, multichannel datastream, XOR of subset of datastreams gives real individualised ciphertext, XOR again plus key for real plaintext .. you can switch off the signal to any individual receivers which are known to be in enemy hands. You can also spoof a few captured or cloned receivers at once as well. Getting back to the actual drone, I know very little about it. Is it autonomous or controlled by a satellite signal link? I have heard a whisper that for at least some drones which have such a link, the remote setup of that control link is protected by RSA. But then the USAF isn't exactly famous for getting codes right, or even for using codes at all. It wouldn't surprise me terribly if there were some unencrypted links around. Maybe this one: > > All the GPS satellites transmit simultaneously on the same frequency > using a CDMA/DSSS modulation. The only way you can separate the > signals from multiple satellites is to use a different spreading code > for each satellite, both for satellite transmission and terrestrial reception. That's true if the receivers are all in one place and omnidirectional, but if you have several receivers which are well-seperated then you can seperate the signals from the satellites (and find the prngstream, and transmit that to your equipment). That sounds like something a country could easily do over it's own territory. Doesn't matter what the encryption scheme used for the CDMA/DSSS modulation was, the keystream is just plaintext against that attack. Now I'm not sure if the keystream would be particularly useful for everyday equipment, as it's maybe half a second or so out of date, but if a receiver can keep half a second's worth of raw data .. > The spreading code is the bitstream output of a PRNG, also sometimes > called a keystream when the intent is encryption. The receiver needs the > spreading code to demodulate the transmitted signal, so it has to > generate exactly the same spreading code as the sender is using just to > detect the signal - a fundamentally symmetric relationship. > > For the public channels such as the C/A (Coarse/Acquisition) signal the > the PRNG formulation (key+algorithmn) used to generate the spreading > signal is well known, the key is the satellite number. The M-code > channel is an anti-spoofing feature and also uses a secret and much > longer spreading code to achieve the antispoofing characteristic. Merry Christmas! -- Peter Fairbrother From cryptome at earthlink.net Sat Dec 24 15:11:53 2011 From: cryptome at earthlink.net (John Young) Date: Sat, 24 Dec 2011 10:11:53 -0500 Subject: Iran GPS Spoofing and the RSA Cipher In-Reply-To: <87boqzt4em.fsf@mid.deneb.enyo.de> References: <17A0772A-9FD7-4AE4-BFDD-D4AF11EBCAC0@sourcetagged.ian.co.uk>

<000601ccc108$592b2280$0b816780$@proproco.co.uk> <63FC0C21755B4775BCACEBE582FB06D8@MobileSlave> <170B1C40FFF147F7885A604C2B0AFF75@ROCKET> <17A0772A-9FD7-4AE4-BFDD-D4AF11EBCAC0@sourcetagged.ian.co.uk> Message-ID: And the original author's response to latest UK Crypto messages: [Quote] Thanks for these interesting comments. I dunno exact details about RSA's use in GPS', and I know absolutely nothing about the architecture of GPS' PKI, etc.; that Princeton PowerPoint is my only source of knowledge about RSA's use, so it is nice to read the more educated speculations of others. [Unquote] PowerPoint that mentions GPS' use of RSA: http://grothserver.princeton.edu/~groth/frs144s06/Presentations/Andrew_Pres entation.ppt An article which elaborates on the topic, citing Lockheed Martin, also a target of ComodoHacker, as the drone manufacturer (DE): http://www.tech-blog.net/comodohacker-gps-spoofing-durch-den-iran-rsa/ And, the original author comments on the Tech-Blog article: [Quote] Lockheed Martin & Boeing make the satellites: http://en.wikipedia.org/wiki/USA-206 http://en.wikipedia.org/wiki/USA-213 [Unquote] Another reader points to the US Army's GPS FAQ: https://gps.army.mil/gps/customcontent/gps/faq.htm The Cryptome file has added a link to UK Cryptography archives. From igb at batten.eu.org Sat Dec 24 15:30:43 2011 From: igb at batten.eu.org (Ian Batten) Date: Sat, 24 Dec 2011 15:30:43 +0000 Subject: Iran GPS Spoofing and the RSA Cipher In-Reply-To: References: <17A0772A-9FD7-4AE4-BFDD-D4AF11EBCAC0@sourcetagged.ian.co.uk>

<000601ccc108$592b2280$0b816780$@proproco.co.uk> <63FC0C21755B4775BCACEBE582FB06D8@MobileSlave> <170B1C40FFF147F7885A604C2B0AFF75@ROCKET> <17A0772A-9FD7-4AE4-BFDD-D4AF11EBCAC0@sourcetagged.ian.co.uk> Message-ID: <8444CCCA-AD73-44A7-92E0-A823E795E347@batten.eu.org> On 24 Dec 2011, at 15:11, John Young wrote: > > PowerPoint that mentions GPS' use of RSA: > > > http://grothserver.princeton.edu/~groth/frs144s06/Presentations/Andrew_Pres > entation.ppt Slide 12 in that deck implies that it used to be symmetric, but that asymmetric encryption is either desirable or pending or recently deployed. The mention of RSA is consistent, as there are several slides talking about asymmetric encryption and its benefits. ian From zenadsl6186 at zen.co.uk Sat Dec 24 21:00:04 2011 From: zenadsl6186 at zen.co.uk (Peter Fairbrother) Date: Sat, 24 Dec 2011 21:00:04 +0000 Subject: S spoofing. In-Reply-To: <00a701ccc1cb$e1d5d170$a5817450$@proproco.co.uk> References:

<000601ccc108$592b2280$0b816780$@proproco.co.uk> <63FC0C21755B4775BCACEBE582FB06D8@MobileSlave> <170B1C40FFF147F7885A604C2B0AFF75@ROCKET> <17A0772A-9FD7-4AE4-BFDD-D4AF11EBCAC0@sourcetagged.ian.co.uk> <4FCEECE3-ADF1-406B-B75B-4CD950D79ECB@batten.eu.org> <897D6335-F048-4C24-8498-16E95B392A91@sourcetagged.ian.co.uk> <4EF4DC06.5040106@zen.co.uk> <00a701ccc1cb$e1d5d170$a5817450$@proproco.co.uk> Message-ID: <4EF63D54.6080205@zen.co.uk> John Brazier wrote: > Dear all, > > I am now no doubt out of date, but one of the rules I learnt was that an > encryption system only has to be as good as the timescale you're concerned > about. > > So the Playfair was completely appropriate as a battlefield cypher in the > First World War: even if you knew the system, it would take you at least an > hour to derive the key, at which point the information was redundant. > > I would assume any of these drones is a technological compromise between > flight time, control, and weapons delivery. The last probably being the > most important, it would mean that they would, assuming their control system > is cryptographically protected, go for the simplest possible system that > gives them protection within the expected flight time. That, to me, would > certainly exclude RSA as its computing baggage would be better directed > towards things like targeting. > > But I'm not an expert in this domain. I think there are two issues here, control of the vehicle and GPS spoofing. I have heard that RSA is used in the setup of control links, which makes sense. The use of RSA in GPS anti-spoofing technology is a little more uncertain, but it is also possible. I think it is most unlikely to be used as a prng stream generator, but it's use in distributing verification and/or prng stream keys seems well within normal crypto practices. Of course, there are easier ways to spoof GPS than breaking the crypto. There's the method I mentioned, and also perhaps the simplest method of all, which afaics cannot be cryptographically protected against - if you want a GPS receiver at point Y to think it is at point X, put something at point X which can collect the GPS signals there, and send them to point Y at signal strength levels which overwhelm the legitimate GPS signals at point Y. You don't have to even think about the crypto then, never mind break it. -- Peter Fairbrother > > TTFN > > JB > > -----Original Message----- > From: ukcrypto-bounces at chiark.greenend.org.uk > [mailto:ukcrypto-bounces at chiark.greenend.org.uk] On Behalf Of Peter > Fairbrother > Sent: 23 December 2011 7:53 PM > To: UK Cryptography Policy Discussion Group > Subject: Re: Iran GPS Spoofing and the RSA Cipher > > Ian Mason wrote: >> On 23 Dec 2011, at 15:33, Ian Batten wrote: >>> Leaving aside the practicalities of the algorithms, an asymmetric >>> system would be attractive for military-grade GPS, as it would mean >>> that the theft and complete analysis of a receiver would not provide >>> the key material for spoofing. There are a lot of military handsets >>> and by definition they are going to be used in hostile environments >>> with a risk of capture, so were it possible to engineer a system >>> where the handsets did not contain the transmission keys that would >>> be a desirable property. As you point out, it might prove very >>> difficult to achieve, but those problems would bring some value as well. >>> >>> ian >> I see what you're getting at, but I think you haven't really thought >> it through or misunderstand the problem. Remember that the satellites >> are broadcasting to all receivers, not having a conversation with each >> GPS receiver individually. The satellite/receiver system would still >> need to share secret material as having one private key per receiver >> would be impractical. If nothing else it would require the satellite >> to speculatively transmit the current spreading code key wrapped in >> many different public keys. > > > I'm with t'other other Ian on this - an enemy finding a receiver could then > use it to locate themselves, and if they could extract the key (a big if - > it's hard enough to extract the key from the chip in a bank > card) they could build more receivers (until the key is changed), but if > it's RSA protected they couldn't use the key they found to spoof other > receivers. > > > Brian's property, being able to calculate bit x without having to calculate > bits 1 ...x is probably essential, but it isn't exactly hard to do, and it > doesn't require RSA. Anything which can reset a simplish PRNG every second > or so could also be used. > > > > Pure speculation: Although it's somewhat inefficient, it is doable. ..a bit > of theory goes in here, multichannel datastream, XOR of subset of > datastreams gives real individualised ciphertext, XOR again plus key for > real plaintext .. you can switch off the signal to any individual receivers > which are known to be in enemy hands. You can also spoof a few captured or > cloned receivers at once as well. > > > > Getting back to the actual drone, I know very little about it. Is it > autonomous or controlled by a satellite signal link? I have heard a whisper > that for at least some drones which have such a link, the remote setup of > that control link is protected by RSA. > > But then the USAF isn't exactly famous for getting codes right, or even for > using codes at all. It wouldn't surprise me terribly if there were some > unencrypted links around. Maybe this one: > > >> All the GPS satellites transmit simultaneously on the same frequency >> using a CDMA/DSSS modulation. The only way you can separate the >> signals from multiple satellites is to use a different spreading code >> for each satellite, both for satellite transmission and terrestrial > reception. > > > That's true if the receivers are all in one place and omnidirectional, > but if you have several receivers which are well-seperated then you can > seperate the signals from the satellites (and find the prngstream, and > transmit that to your equipment). That sounds like something a country > could easily do over it's own territory. > > Doesn't matter what the encryption scheme used for the CDMA/DSSS > modulation was, the keystream is just plaintext against that attack. > > > Now I'm not sure if the keystream would be particularly useful for > everyday equipment, as it's maybe half a second or so out of date, but > if a receiver can keep half a second's worth of raw data .. > > > > >> The spreading code is the bitstream output of a PRNG, also sometimes >> called a keystream when the intent is encryption. The receiver needs the >> spreading code to demodulate the transmitted signal, so it has to >> generate exactly the same spreading code as the sender is using just to >> detect the signal - a fundamentally symmetric relationship. >> >> For the public channels such as the C/A (Coarse/Acquisition) signal the >> the PRNG formulation (key+algorithmn) used to generate the spreading >> signal is well known, the key is the satellite number. The M-code >> channel is an anti-spoofing feature and also uses a secret and much >> longer spreading code to achieve the antispoofing characteristic. > > Merry Christmas! > > > -- Peter Fairbrother > > > > From zenadsl6186 at zen.co.uk Mon Dec 26 01:34:48 2011 From: zenadsl6186 at zen.co.uk (Peter Fairbrother) Date: Mon, 26 Dec 2011 01:34:48 +0000 Subject: GPS spoofing. In-Reply-To: <4EF63D54.6080205@zen.co.uk> References: