All posts by Richard Clayton

Dangerous Blogs Act

The UK Government are currently in a tremendous rush to legislate (and create a Royal Charter) before the political consensus around “implementing Leveson” evaporates. Their proposals catch not just the print media, but also online publications. That’s only proper — a newspaper should meet the same integrity standards for their journalism whether it appears in ink and paper, or on their website.

However, the Government's approach has not been to describe the activity that they wish to regulate, but to describe the various media involved and then try to write exceptions to avoid regulating the whole Internet. Those exceptions are poorly thought out and will have all sorts of unintended consequences. They might even include this blog!

Identifying file sharers — the US approach

Last Friday’s successful appeal in the Golden Eye case will mean that significantly more UK-based broadband users will shortly be receiving letters that say that they appear to have been participating in file sharing activity of pornographic films. Recipients of these letters could do worse than to start by consulting this guide as to what to do next.

Although I acted as an expert witness in the original hearing, I was not involved in the appeal, since it was not concerned with technical matters but was deciding whether Golden Eye could pursue claims for damages on behalf of third party copyright holders (the court says that they may now do so).

Subsequent to the original hearing, I assisted Consumer Focus by producing an expert report on how evidence in file sharing cases should be collected and processed. I wrote about this here in July.

In September, at the request of Consumer Focus, I attended a presentation given by Ms Marianne Grant, Senior Vice President of the Motion Picture Association of America (MPAA) in which she outlined the way in which rights holders in the United States were proposing to monitor unauthorised file sharing of copyright material.

I had a number of concerns about these proposals and I wrote to Consumer Focus to set these out. I have now noted (somewhat belatedly, hence this holiday season blog post) that Consumer Focus have made this letter available online, along with their own letter to the MPAA.

So 2013 looks like being “interesting times” for Internet traceability — with letters going out in bulk to UK consumers from Golden Eye, and the US “six strikes” process forecast to roll out early next year (albeit it’s been forecast to start in November 2012, July 2012 and many dates before that, so we shall see).

Since I was passing…

When you register an Internet domain name in “.com” (and some other top level domains) you have the choice of using a “privacy” or “proxy” service rather than having your name and contact details recorded within the “whois” systems that provide a public record of domain name ownership.

A privacy service will record that you are the owner of the domain name but your contact details will be hidden. A proxy service will hide your identity as well.

The privacy-conscious use these services to avoid disclosing information about themselves (and to avoid the trivial amount of spam sent to contact email addresses). The cyber criminals use these services as well — so that it is hard for the Good Guys to link domains into groups and hard for them to argue (in an Al Capone tax evading manner) that “you may not understand this criminality or be convinced by this evidence, but just take a look at the invalid details given when registering the domain”.

I’m currently working on a project for ICANN that will measure the prevalence of privacy/proxy usage by different types of cybercriminals… of which more at another time — because at present I’m having a holiday! I went to Palm Cove (just north of Cairns) to see the recent total solar eclipse… and my holiday involves a short(ish) drive south to Melbourne

… and since I was passing Nobby Beach (just south of Brisbane) I took the opportunity to peek at the home of the larger Internet domain name proxy services:
[Photo: Richard points at PrivacyProtect.org's PO Box]
whose details appear in whois records like this:

PrivacyProtect.org
Domain Admin (contact@privacyprotect.org)
ID#10760, PO Box 16
Note - All Postal Mails Rejected, visit Privacyprotect.org
Nobby Beach
null,QLD 4218
AU
Tel. +45.36946676

There are at present (according to domainnametools.com) some 2,584,758 domains associated with contact@privacyprotect.org. You can see why they don’t want any postal mail, because their PO box is merely a standard size:
[Photo: close-up of PO Box #16]
The reality of course is that you should contact Privacy Protection by email or their website… but then you’d miss out on getting to look at some of the nearby beaches!
[Photo: view of the beach at Surfers Paradise]

Source Ports in ARF Reports

Long time readers may recall my posts from Jan 2010 about the need for security logging to include source port numbers — because of the growth of ‘Carrier Grade NAT’ (CGN) systems that share one IPv4 address between hundreds, possibly thousands, of users. These systems are widely used by the mobile companies and the ‘exhaustion’ of IPv4 address space will lead to many other ISPs deploying them.

A key impact of CGNs is that if you want to trace back “who did that” you may need to have recorded not only an IP address and an accurate timestamp, but also to be able to provide the source port of the connection. Failure to provide the source port will mean that an ISP using CGN will not be able to do any tracing, because they will be unable to distinguish between hundreds of possible perpetrators. In June 2011 the IETF published an RFC (6302) which sets out chapter and verse for this issue and sets out Best Practice for security logging systems.

Earlier this year, at the M3AAWG meeting in San Francisco, I talked with the people who have developed the Abuse Reporting Format (ARF). The idea of ARF is that abuse reports will be in standard format — allowing the use of automation at both sender and receiver. Unfortunately ARF didn’t include a field for the source port….

… but it does now, because RFC 6692 has recently been published. My name is on it, but in reality all of the work on it that mattered was done by Murray Kucherawy who wrote the initial draft, who has tweaked the text to address working group concerns and who has guided it through the complexities of the IETF process. Thanks to Murray, the mechanisms for dealing with abuse have now become just a little bit better.
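As an added illustration of the trace-back problem described in both the CGN paragraph above and the ARF update (example code written for this page, not part of RFC 6692, ARF tooling or any ISP's systems): it parses the field lines of a constructed ARF feedback-report that carries the RFC 6692 Source-Port field and matches them against a constructed CGN translation log whose layout is hypothetical, showing that without the port three subscribers remain candidates and with it exactly one.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed feedback-report fields (the message/feedback-report part of an
# ARF message, RFC 5965) including the Source-Port field defined by RFC 6692.
# All values here are made up for this example.
ARF_REPORT = """\
Feedback-Type: abuse
User-Agent: ExampleReporter/1.0
Version: 1
Source-IP: 192.0.2.10
Source-Port: 40123
Arrival-Date: Thu, 08 Mar 2012 14:22:01 +0000
Reported-Domain: example.net
"""

# Constructed CGN translation log: which subscriber held which block of ports
# on a shared public IPv4 address, and when. The layout is hypothetical; real
# CGN equipment logs this in vendor-specific formats.
CGN_LOG = [
    # (subscriber, public_ip, port_lo, port_hi, start_utc, end_utc)
    ("subscriber-A", "192.0.2.10", 1024, 2047, "2012-03-08T14:00:00", "2012-03-08T15:00:00"),
    ("subscriber-B", "192.0.2.10", 40000, 40999, "2012-03-08T14:00:00", "2012-03-08T15:00:00"),
    ("subscriber-C", "192.0.2.10", 41000, 41999, "2012-03-08T13:30:00", "2012-03-08T14:30:00"),
]


def parse_arf(text):
    """Return the feedback-report header fields as a lower-cased dict."""
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            name, value = line.split(":", 1)
            fields[name.strip().lower()] = value.strip()
    return fields


def trace_candidates(fields, log):
    """List subscribers who could have sent the reported traffic.

    Public IP and timestamp are always matched; the source port only when the
    report carries one. Without it, everyone sharing the address is a candidate.
    """
    ip = fields["source-ip"]
    when = parsedate_to_datetime(fields["arrival-date"])  # RFC 5322 date, tz-aware
    port = int(fields["source-port"]) if "source-port" in fields else None
    hits = []
    for subscriber, pub_ip, lo, hi, start, end in log:
        started = datetime.fromisoformat(start).replace(tzinfo=timezone.utc)
        ended = datetime.fromisoformat(end).replace(tzinfo=timezone.utc)
        if pub_ip != ip or not (started <= when <= ended):
            continue
        if port is not None and not (lo <= port <= hi):
            continue
        hits.append(subscriber)
    return hits
```

Calling `trace_candidates(parse_arf(ARF_REPORT), CGN_LOG)` yields one subscriber; deleting the `source-port` key first yields all three.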

Online traceability: Who did that?

Consumer Focus have recently published my expert report on the issues that arise when attempting to track down people who are using peer to peer (P2P) systems to share copyright material without appropriate permissions. They have submitted this report to Ofcom who have been consulting on how they should regulate this sort of tracking down when the Digital Economy Act 2010 (DEA) mechanisms that are intended to prevent unlawful file sharing finally start to be implemented, probably sometime in 2014.

The basic idea behind the DEA provisions is that the rights holders (or more usually specialist companies) will join the P2P systems and download files that are being shared unlawfully. Because the current generation of P2P systems fails to provide any real anonymity, the rights holders will learn the IP addresses of the wrongdoers. They will then consult public records at RIPE (and the other Regional Internet Registries) to learn which ISPs were allocated the IP addresses. Those ISPs will then be approached and will be obliged, by the DEA, to consult their records and tell the appropriate account holder that someone using their Internet connection has been misbehaving. There are further provisions for telling the rights holders about repeat offenders, and perhaps even for “technical measures” to disrupt file sharing traffic.

From a technical point of view, the traceability part of the DEA process can (in principle) be made to work in a robust manner. However, there’s a lot of detail to get right in practice, both in recording the data generated by the P2P activity and within the ISPs’ systems — and history shows that mistakes are often made. I have some first hand experience of this: my report refers to how I helped the police track down a series of traceability mistakes that were made in a 2006 murder case! Hence I spend many pages in my report explaining what can go wrong and I set out in considerable detail the sort of procedures that I believe that Ofcom should insist upon to ensure that mistakes are rare and are rapidly detected.

My report also explains the difficulties (in many cases the insuperable difficulties) that the account holder will have in determining the individual who was responsible for the P2P activity. Consumer Focus takes the view that “this makes the proposed appeals process flawed and potentially unfair and we ask Government to rethink this process”. Sadly, there’s been no sign so far that this sort of criticism will derail the DEA juggernaut, although some commentators are starting to wonder if the rights holders will see the process as passing a cost/benefit test.

Beware of cybercrime data memes

Last year when I wrote a paper about mitigating malware I needed some figures on the percent of machines infected with malware. There are a range of figures, mainly below 10%, but one of the highest was 25%.

I looked into why this occurred and wrote it up in footnote #9 (yes, it’s a paper with a lot of footnotes!). My explanation was:

The 2008 OECD report on Malware [14] contained the sentence “Furthermore, it is estimated that 59 million users in the US have spyware or other types of malware on their computers.” News outlets picked up on this, e.g. The Sydney Morning Herald [20] who divided the 59 million figure into the US population, and then concluded that around a quarter of US computers were infected (assuming that each person owned one computer). The OECD published a correction in the online copy of the report a few days later. They were actually quoting PEW Internet research on adware/spyware (which is a subtly different threat) from 2005 (which was a while earlier than 2008). The sentence should have read “After hearing descriptions of ‘spyware’ and ‘adware’, 43% of internet users, or about 59 million American adults, say they have had one of these programs on their home computer.” Of such errors in understanding the meaning of data is misinformation made.

We may be about to have a similar thing happen with Facebook account compromises.

DNSChanger might change the BGPSEC landscape

In early November, a sophisticated fraud was shut down and a number of people arrested. Malware from a family called “DNSChanger” had been placed on around four million machines (Macs as well as Windows machines) over several years.

The compromised users had their DNS traffic redirected to criminally operated servers. The main aim of the criminals seems to have been to redirect search queries and thereby to make money from displaying adverts.

Part of the mitigation of DNSChanger involves ISC running DNS servers for a while (so that 4 million people whose DNS servers suddenly disappear don’t simultaneously ring their ISP helpdesks complaining that the Internet is broken).

To prevent bad people running the DNS servers instead, the address blocks containing the IPs of the rogue DNS servers which used to belong to the criminals (but are now pointed at ISC) have been “locked”.

This is easy for ARIN (the organisation who looks after North American address space) to acquiesce to, because they have US legal paperwork compelling their assistance. However, the Dutch police have generated some rather less compelling paperwork and served that on RIPE; so RIPE is now asking the Dutch court to clarify the position.

Further details of the issues with the legal paperwork can be found on (or linked from) the Internet Governance Project blog. The IGP is a group of mainly but not entirely US academics working on global Internet policy issues.

As the IGP rightly point out, this is going to be an important case because it is going to draw attention to the role of the RIRs — just at the time when that role is set to become even more important.

As we move to crypto-secured BGP routing, the RIRs (ARIN, RIPE etc) will be providing cryptographic assurance of the validity of address block ownership. Which means, in effect, that we are building a system where the courts in one country (five countries in all, for five RIRs) could remove ISPs and hosting providers from the Internet… and some ISPs [and their governments] (who are beginning to think ahead) are not entirely keen on this prospect.

If, as one might expect, the Dutch courts eventually uphold the DNSChanger compulsion on RIPE (even if the Dutch police have to have a second go at making the paperwork valid) then maybe this will prove the impetus to abandon a pyramid structure for BGP security and move to a “sea of certificates” model (where one independently chooses from several overlapping roots of authority) — which more closely approximates the reality of a global system which touches a myriad set of local jurisdictions.

Oral evidence to the malware inquiry

The House of Commons Science and Technology Select Committee is currently holding an inquiry into malware.

I submitted written evidence in September and today I was one of three experts giving oral evidence to the MPs. The session was televised and so conceivably it may turn up on the TV in some strange timeslot — but if you’re interested then there’s a web version for viewing at your convenience. Shortly there will be a written transcript as well.

The Committee’s original set of questions included one about whether malware infection might usefully be treated as a public health issue — of particular interest to me because I have a published paper which considers the role that Governments might play in countering malware for the public good!

In the event, this wasn’t asked about at all. The questions were much more basic, covering the security of hardware and software, the role of the police (and at one point, bizarrely, considering the merits of the Amstrad PCW, a product I was jointly involved in designing and building, some 25 years ago).

In fact it was all rather more about dealing with crime than dealing with malware — which is fine (and obviously closely connected) but it wasn’t the topic on which everyone submitted evidence. This may mean that the Committee has a shortage of material if their report aims to address the questions that they raised today.

Sovereignty and Cybercrime

I spent the early part of this week at the London Conference on Cyberspace, organised by the UK Foreign Office.

Besides feel-good sessions on how wonderful the Internet can be for social engagement and economic growth, the two themes that had really drawn the participants were cybercrime and cyberwar (the latter being rebranded as ‘cyber security’ to avoid frightening the horses).

There was predictably little progress on the latter topic to be seen in public — Russia wants to strengthen national borders in cyberspace (and Evgeny Kaspersky spoke approvingly of strong online identity) and China’s position is similar (albeit their main intervention from the floor was an offer to investigate hacking attacks that came from their country).

Cybercrime was more straightforwardly condemned (which would not have surprised Calvin Coolidge) but the same fault-lines showed up in this topic as well.

Will LBT be blocked?

Back in July I wrote a blog article “Will Newzbin be blocked?” which discussed the granting of an injunction to a group of movie companies to force BT to block access to “Newzbin2”.

The parties were back in court this last week to hammer out the exact details of the injunction.

The final wording of the injunction requires BT to block customer access to Newzbin2 by #1(1) rerouting traffic to relevant IPs and #1(2) applying “DPI based” URL blocking. The movie companies have to tell BT which IPs and which URLs are relevant.

#2 of the injunction says that BT can use its existing “Cleanfeed” system (which I wrote about here and at greater length in my PhD thesis here) to meet the requirements of #1, even though Cleanfeed isn’t believed to use DPI at all!

#3 and #4 of the injunction allow the parties to agree to suspend blocking and to come back to court in the future, and #5 relates to the costs of the court action.

One of the (few) upsides of this injunction will be to permit lawful experimentation as to the effectiveness of the Cleanfeed system, assuming that it is used — if the studios ask for all URLs on a website to be blocked, I expect that null routing the website entirely will be simpler for BT than redirecting traffic to the Cleanfeed proxy.

Up until now, discovering a flaw in the technical implementation of Cleanfeed would result in successful access to a child sexual abuse image website. Anyone monitoring the remote end of the connection might then draw the conclusion that images had been viewed and a criminal offence committed. Although careful experimental design could avoid law-breaking, it might be some time into the investigation process before this was properly understood by the criminal justice system, and the intervening period would be somewhat stressful for the investigator.

There is no law that prevents viewing of the contents of Newzbin2, and so the block circumvention techniques proposed over the past few years (starting of course with just using “https”) can now start to be evaluated as to their actual effectiveness.

However, there is more to #1 of the injunction, in that it applies to:

[…] www.newzbin.com, its domains and sub-domains and including payments.newzbin.com and any other IP address or URL whose sole or predominant purpose is to enable or facilitate access to the Newzbin2 website.

I don’t expect that publishing circumvention experience here on LBT could be seen as the predominant purpose of this blog… so I don’t really expect these pages to suddenly become invisible to BT customers. But, since the whole process has an Alice in Wonderland feel to it (someone who believes that blocking websites is possible clearly had little else to do before breakfast), it cannot be entirely ruled out.