All posts by Richard Clayton

Hacking tools are legal for a little longer

It’s well over a year since the Government first brought forward their proposals to crack down on hacking tools (or, as many of us read them, to make security research illegal).

They revised their proposals a bit — in the face of considerable lobbying about so-called “dual-use” tools. These are programs that might be used by security professionals to check whether machines are secure, and by criminals to look for the insecure ones to break into. In fact, most of the tools on a professional’s laptop, from nmap through wireshark to perl, could be used for both good and bad purposes.

The final wording means that to successfully prosecute the author of a tool you must show that they intended it to be used to commit computer crime; and intent would also have to be proved for obtaining, adapting, supplying or offering to supply … so most security professionals have nothing to worry about — in theory. In practice, of course, being accused of wickedness and having to convince a jury that there was no intent would be pretty traumatic!

The most important issue that the Home Office refused to concede was the distribution offence. The offence is to "supply or offer to supply, believing that it is likely to be used to commit, or to assist in the commission of [a Computer Misuse Act s1/s3 offence]". The Home Office claim that “likely” means “more than a 50% chance” (apparently there’s caselaw on what likely means in a statute).

This is of course entirely unsatisfactory — you can run a website for people to download nmap from for years without problems, then if one day you look at your weblogs and find that everyone in Ruritania (a well-known Eastern European criminal paradise) is downloading from you, then suddenly you’re committing an offence. Of course, if you didn’t look at your logs then you would not know — and maybe the lack of mens rea will get you off? (IANAL! so take advice before trying this at home!)

The hacking tools offences were added to the Computer Misuse Act 1990 (CMA), along with other changes to make it clear that DDoS is illegal, and along with changes to the tariffs on other offences to make them much more serious — and extraditable.

The additions are in the form of amendments that are incorporated in the Police and Justice Act 2006 which received its Royal Assent on the 8th November 2006.

However, the relevant sections, s35–38, are not yet in force! viz: hacking tools are still not illegal and will not be illegal until, probably, April 2008.


Should there be a Best Practice for censorship?

A couple of weeks ago, right at the end of the Oxford Internet Institute conference on The Future of Free Expression on the Internet, the question was raised from the platform as to whether it might be possible to construct a Best Current Practice (BCP) framework for censorship.

If — the argument ran — IF countries were transparent about what they censored, IF there was no overblocking (the literature’s jargon for collateral damage), IF it was done under a formal (local) legal framework, IF there was the right of appeal to correct inadvertent errors, IF … and doubtless a whole raft more of “IFs” that a proper effort to develop a BCP would establish. IF… then perhaps censorship would be OK.

I spoke against the notion of a BCP from the audience at the time, and after some reflection I see no reason to change my mind.

There will be many more subtle arguments — much as there will be more IFs to consider — but I can immediately see two insurmountable objections.

The first is that a BCP will inevitably lead to far more censorship, but now with the apparent endorsement of a prestigious organisation: “The OpenNet Initiative says that blocking the political opposition’s websites is just fine!” Doubtless some of the IFs in the BCP will address open political processes, and universal human rights … but it will surely come down to quibbling about language: terrorist/freedom-fighter; assassination/murder; dissent/rebellion; opposition/traitor.

The second, and I think the most telling, objection is that it will reinforce the impression that censoring the Internet can actually be achieved, whereas the evidence piles up that it just isn’t possible. All of the schemes for blocking content can be evaded by those with technical knowledge (or access to the tools written by others with that knowledge). Proxies, VPNs, Tor, fragments, ignoring resets… the list of evasion technologies is endless.

One of the best ways of spreading data to multiple sites is to attempt to remove it, and every few years some organisation demonstrates this again. Although ad hoc replication doesn’t necessarily scale, there are plenty of schemes in the literature for doing it on an industrial scale.

It’s clichéd to trot out John Gilmore’s observation that “the Internet treats censorship as a defect and routes around it”, but over-familiarity with the phrase should not hide its underlying truth.

So, in my view, a BCP will merely be used by the wicked as a fig-leaf for their activity, and by the ignorant to prop up their belief that it’s actually possible to block the content they don’t believe should be visible. A BCP is a thoroughly bad idea, and should not be further considered.

How quickly are phishing websites taken down?

Tyler Moore and myself have a paper (An Empirical Analysis of the Current State of Phishing Attack and Defence) accepted at this year’s Workshop on the Economics of Information Security (WEIS 2007) in which we examine how long phishing websites remain available before the impersonated bank gets them “taken-down”.


There aren’t that many serious spammers any more

I’ve recently been analysing the incoming email traffic data for Demon Internet, a large(ish) UK ISP, for the first four weeks of March 2007. The raw totals show a very interesting picture:

[Graph: Email & Spam traffic at Demon Internet, March 2007]

The top four lines are the amount of incoming email that was detected as “spam” by the Cloudmark technology that Demon now uses. The values lie in a range of 5 to 13 million items per day, with the day of the week being irrelevant, and huge swings from day to day. See how 5 million items on Saturday 18th is followed by 13 million items on Monday 20th!

The bottom four lines are the amount of incoming email that was not detected as spam (and it also excludes incoming items with a “null” sender, which will be bounces, almost certainly all “backscatter” from remote sites “bouncing” spam with forged senders). The values here are between about 2 and 4 million items a day, with a clear pattern being followed from week to week, with lower values at the weekends.

There’s an interesting rise in non-spam email on Tuesday 27th, which corresponds to a new type of “pump and dump” spam (mainly in German) which clearly wasn’t immediately spotted as spam. By the next day, things were back to normal.

The figures and patterns are interesting in themselves, but they show how summarising an average spam value (it was in fact 73%) hides a much more complex picture.

The picture also hides a deeper truth. There’s no “law of large numbers” operating here. That is to say, the incoming spam is not composed of lots of individual spam gangs, each doing their own thing and thereby generating a fairly steady amount of spam from day to day. Instead, it is clear that very significant volumes of spam are being sent by a very small number of gangs, so that the volume arriving at any one ISP swings as they switch their destinations around: today it’s .uk, tomorrow it’s aol.com and on Tuesday it will be .de (hmm, perhaps that’s why they hit .demon addresses? a missing $ from their regular expression!).
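As an added illustration (not code from the original post), here is how a mail administrator could test the “no law of large numbers” claim from daily traffic counts, together with the unanchored “.de” pattern speculated about above; the daily counts and the heuristic thresholds are constructed for this example.

```python
"""Burstiness checks over daily mail counts, plus the ".de" anchoring slip.
All series below are constructed sample data, not Demon Internet's figures."""
import re
from statistics import mean, pstdev

# Constructed 14-day series (millions of items/day), starting on a Monday.
# Spam swings wildly with no weekly cycle; legitimate mail dips at weekends.
SPAM = [9, 11, 6, 12, 8, 5, 13, 7, 12, 6, 11, 9, 5, 12]
HAM = [3.5, 3.6, 3.4, 3.7, 3.5, 2.2, 2.1, 3.6, 3.8, 3.5, 3.6, 3.4, 2.1, 2.0]


def coefficient_of_variation(series):
    """Standard deviation relative to the mean: higher means burstier."""
    return pstdev(series) / mean(series)


def max_day_to_day_ratio(series):
    """Largest jump between consecutive days (e.g. 5M -> 13M is 2.6x)."""
    return max(max(a, b) / min(a, b) for a, b in zip(series, series[1:]))


def weekend_weekday_ratio(series, first_weekday=0):
    """Mean weekend volume / mean weekday volume (Monday == 0).
    A steady weekly cycle gives a ratio well below 1; traffic driven by a
    few senders hopping between targets gives a ratio near 1."""
    wkend = [v for i, v in enumerate(series) if (first_weekday + i) % 7 >= 5]
    wkday = [v for i, v in enumerate(series) if (first_weekday + i) % 7 < 5]
    return mean(wkend) / mean(wkday)


def looks_like_few_big_senders(series):
    """Heuristic (thresholds chosen for this illustration): bursty from day
    to day, yet with no weekend dip, is what a handful of gangs would show."""
    bursty = coefficient_of_variation(series) > 0.25
    no_weekly_cycle = abs(weekend_weekday_ratio(series) - 1) < 0.15
    return bursty and no_weekly_cycle


def matches_tld(address, tld, anchored=True):
    """Select addresses by TLD. Without the trailing '$' a pattern meant for
    German addresses also hits everyone at demon.co.uk, because ".de" is a
    prefix of ".demon"."""
    pattern = r"\." + re.escape(tld) + (r"$" if anchored else "")
    return re.search(pattern, address) is not None


if __name__ == "__main__":
    for name, s in (("spam", SPAM), ("ham", HAM)):
        print(name, round(coefficient_of_variation(s), 2),
              round(max_day_to_day_ratio(s), 2),
              round(weekend_weekday_ratio(s), 2),
              looks_like_few_big_senders(s))
    for addr in ("hans@example.de", "alice@example.demon.co.uk"):
        print(addr, matches_tld(addr, "de", anchored=False),
              matches_tld(addr, "de"))
```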

If there are only a few large gangs operating — and other people are detecting these huge swings of activity as well — then that’s very significant for public policy. One can have sympathy for police officers and regulators faced with the prospect of dealing with hundreds or thousands of spammers; dealing with them all would take many (rather boring and frustrating) lifetimes. But if there are, say, five big gangs at most — well, that’s suddenly looking like a tractable problem.

Spam is costing us [allegedly] billions (and is a growing problem for the developing world), so there’s all sorts of economic and diplomatic reasons for tackling it. So tell your local spam law enforcement officials to have a look at the graph of Demon Internet’s traffic. It tells them that trying to do something about the spammers currently makes a lot of sense — and that by just tracking down a handful of people, they will be capable of making a real difference!

(In)security at the University of Birmingham

I travelled to the University of Birmingham on Friday to give a guest lecture to their undergraduates on Anonymity and Traceability. It was given in a smart new lecture theatre, which had what Birmingham apparently call a lectern PC at the front with buttons to give the speaker control of the room’s AV devices and lighting, along with a proper PC running various Windows applications, so you can plug in your USB flash drive and display your material.

As you can see from the photo, they have a rather trivial security model for using this PC:

[Photo: Birmingham lectern PC with the text “Username=user” and “Password=user&2006”]

The text (apologies for a rather fuzzy photo) says: "Username=user" and "Password=user&2006".

With a little thought, it can be seen that most likely this isn’t really a security issue at all, but a software design issue. I rather suspect that there just isn’t a way of turning off the login function, and the PC can’t be used to access any other important systems — and no-one wants to see lectures delayed if the password isn’t to hand. That’s undoubtedly why they’ve used proper Dymo-style tape for the information, rather than relying on the traditional yellow sticky, which could get lost!

SOCA: we just want your money?

Just over a year ago I wrote about the, then upcoming, Serious Organised Crime Agency (SOCA), reporting that their aim in tackling “level 3” crime was to be “mysterious and menacing”. I pointed out how they were going to be absorbing the National High Tech Crime Unit (NHTCU) and that this would leave a large gap, in that there would apparently be no police organisation dealing with “level 2” eCrime — crime which is not local to a single police force area, but that is not sufficiently serious or organised to be dealt with by SOCA.

In fact, I’ve since learnt that the inability to deal with level 2 criminality is not just an eCrime issue. In 2005 Her Majesty’s Inspectorate of Constabulary (HMIC) published “Closing the Gap – Review of the ‘Fitness for Purpose’ of the Current Structure of Policing in England and Wales”, which found that the failure to deal with “level 2” criminality was an issue across a very wide range of different crimes (the whole report makes its points without once mentioning eCrime or the Internet). This led to the, now abandoned, proposals to compulsorily merge 43 police forces into 17 larger units. No further generic policy initiative appears to be forthcoming.

However, as I wrote in October, there is some thought going into eCrime and the current proposal is “mainstreaming”, viz: not treating it as anything special.

Additionally, the Met Police have been floating the idea of a national coordination centre for eCrime reports, as hinted at in this January 2007 Met eCrime progress report to the Metropolitan Police Authority. Current indications are that the Home Office may have problems coming up with the money to fund the centre, although SCDEA e-Crime, the equivalent unit in Scotland, is funded by the Scottish Executive. Perhaps more about progress south of the border will come to light in March, when Commander Sue Wilkinson, the Association of Chief Police Officers (ACPO) lead on eCrime, testifies before a House of Lords Select Committee.

But I’m digressing, so back to SOCA.

Last month I, and a couple of other eCrime policy opinion formers (!), were invited down to Docklands for the proverbial “free lunch” and several hours of presentations on what SOCA is doing about “level 3” criminality. It’s a little tricky to report on the detail, because they asked us to treat some of the material in confidence. However, two clear messages stood out:

The first is that the absorbed NHTCU is now significantly bigger, significantly better resourced, and, with the hiving off of “child abuse image” issues to CEOP, is not being forever distracted into chasing down individual paedophiles (if there’s one child at risk, or a 420-million dollar bank hack to investigate, the former tended to get all the resource). This is basically a Good Thing, so far as it goes.

The second message is that SOCA is a “harm reduction agency” and is not just concentrating on detective work and prosecutions. They are also looking at a whole range of other interventions, from offender management (serious, organised criminals have a very high recidivism rate) through diligent application of the Proceeds of Crime legislation, to working with industry to harden systems against criminal opportunities.

They have a Bill before parliament at present (the Serious Crime Bill) which will give them sweeping new powers to create “gangster-ASBOs” to restrict the lives of convicted organised criminals, and will permit the wholesale swapping of data for the prevention of fraud, without infringement of the Data Protection Act. The Bill also reworks the framework for “inchoate” offences, viz: incitement to commit crimes or assisting with them — of which perhaps more on another occasion, since poor wording for the offences could make many security research activities problematic.

Looking back, it is this strong emphasis on SOCA’s approach to ensuring “crime doesn’t pay” that remains with me most strongly. This isn’t just the approach of locking Al Capone up for tax evasion because nothing else could be made to stick (though Capone actually served time for several other offences). This is all about SOCA developing an effective way of stripping criminals of their ill-gotten gains.

I’m reminded of Sir Alan Sugar giving a lecture about management way back in the 1980s. He was mocking the catch-phrase/mission-statement culture, memorably saying, “‘Pan Am takes good care of you’, ‘Marks and Spencer loves you’, ‘Securicor cares’ . . . at Amstrad, ‘We just want your money’”. Twenty years on, that seems a rather apt phrase for a significant slice of SOCA’s activities.

Human Rights and Biophysics (strange similarities)

I recently received an email from “Daniel” at the “European Human Rights Centre”.

I came across your site while searching the net for
some quality websites. I think you did a great job
with your site.

My name is Daniel. I work for The European Human
Rights Centre (EHRC).

I would like to add your site to our usefull links page
(http://www.ehrcweb.org/links.php ) and I was
wondering if you can post a link with our site in
your website.

For your convenience I send you bellow the code
for our website:
<a href="http://www.ehrcweb.org/">EHRC</a>

If you have any questions, don't hesitate to
contact me and I'll answer your questions promtly.

We are Nonprofit organization .
Best regards,
Daniel
European Human Rights Centre Organisation
ehrcweb.org
HPM G5
ETH Honggeberg
CH-8093 Zurich / Switzerland
Tel: +41-1-638-3453
Fax: +41-1-693-10 73 and 693 11 51

But this email is not quite what it seems….

A backwards way of dealing with image spam

There is a great deal more email spam in your inboxes this Autumn (as noted, for example, here, here and here!). That’s partly because a very great deal more spam is being generated — perhaps twice as much as just a few months ago.

A lot of this junk is “image spam”, where the advertisement is contained within an embedded picture (almost invariably a GIF file). The filtering systems that almost everyone now uses are having significant problems in dealing with these images and so a higher percentage of the spam that arrives at the filters is getting through to your inbox.

So higher volumes and weaker filtering are combining to cause a significant problem for us all 🙁

But I have an interesting suggestion for filtering the images: it might be a lot simpler to go about it backwards 🙂

So read on!


Opting out of the NHS Database

The front page lead in today’s Guardian explains how personal medical data (including details of mental illness, abortions, pregnancy, drug taking, alcohol abuse, fitting of colostomy bags etc etc) are to be uploaded to a central NHS database regardless of patients’ wishes.

The Government claims that especially sensitive data can be put into a “sealed envelope” which would not ordinarily be available… except that NHS staff will be able to “break the seal” under some circumstances; the police and Government agencies will be able to look at the whole record — and besides, this part of the database software doesn’t even exist yet, and so the system will be running without it for some time.

The Guardian has more details in the article “From cradle to grave, your files available to a cast of thousands”, some comments from doctors and other health professionals (“A national database is not essential”) and a leading article (“Spine-chilling”).

The Guardian gives details on how to opt out of data sharing (“What can patients do?”), using suggestions for a letter from our own Ross Anderson, who has worked on medical privacy for over a decade (see his links to relevant research).

If you are concerned (and in my view, you really should be — once your data is uploaded it will be pretty much public forever), then discuss it with your GP and write off to the Department of Health [*]. The Guardian gives some suitable text, or you could use the opt-out letter that FIPR developed last year (PDF or Word versions available).

[*] See Ross’s comment on this article first!

Mainstreaming eCrime

Back in February I wrote about how the establishment of the Serious Organised Crime Agency (SOCA) was likely to lead to a situation in which “level 2” eCrime could end up failing to be investigated. “Level 1” crime is “local” to a single police force, “level 3” crime is “serious” or “organised” and requires tackling at a national or international level — and “level 2” crime is what’s in between: occurring across the borders of local police forces, but not serious or organised enough to be SOCA’s problem.

Over the past few weeks I’ve been at a Metropolitan Police “Knowledge Forum” and at a Parliament and Internet Conference. There I’ve learnt about how the police (at ACPO level, not just the Met) are intending to tackle eCrime in the future.

The jargon for the new policy is “mainstreaming” — by which is meant that the emphasis will move away from tackling “eCrime” as something special, and regular officers will deal with it just as “Crime”.

In particular when there are “e” aspects to a normal crime, such as a murder, then this will be dealt with as a matter of course, rather than be treated as something exotic. With the majority of homes containing computers, and with the ubiquity of email, instant messaging and social network sites, this can only be seen as a sensible adaptation to society as it is today. After all, the police don’t automatically call in specialist officers just because the murder victim owns a car.

Although there is a commitment to maintain existing centres of excellence, specialist units with expertise in computer forensics, units that tackle “grooming” by paedophiles, and undercover police who deal with obscene publications, I am less sanguine about the impact of this policy when it comes to crimes that rely upon the Internet to be committed. These types of crime can be highly automated, operated from a distance, hard to track down and obtain evidence about, and can be lucrative even if only small amounts are stolen from each victim.

I believe there is still some doubt that Internet-based crimes will be investigated, not just from lack of resources (always a problem, as anyone who has been burgled or had a car window smashed will know), but because it’s no-one’s task and appears on no-one’s checklist for meeting Government targets (there’s still no central counting of eCrime occurring).

Mainstreaming is proposed to have some sensible adjuncts in that police forces will be encouraged to pool intelligence about eCrime (to build up a picture of the full impact of the crime and to link investigators together), and some sort of national coordination centre is planned to partially replace the NHTCU. However, although this may sometimes mean that an investigation can be mounted into an eBay fraudster in Kent who rips off people in Lancashire and Dorset — I am not sure that the same will be true if the victims are in Louisiana and Delaware — or if the fraudster lives in a suburb of Bucharest.

The details of what “mainstreaming” will mean for eCrime are still being worked out, so it’s not possible to be sure what it will mean exactly. It sounds like it will be an improvement on the current arrangements, but I’m pessimistic about it really getting to grips with many of the bad things that continue to happen on the Internet.