The way in which the Phorm system works (see yesterday’s blog post) creates an interesting, and possibly unexpected, risk for the ISPs that decide to go ahead and deploy the system.
All posts by Richard Clayton
The Phorm “Webwise” System
Last week I spent several hours at Phorm learning how their advertising system works — this is the system that is to be deployed by the UK’s largest ISPs to pick apart your web browsing activities to try and determine what interests you.
The idea is that advertisers can be more picky in who they serve adverts to… you’ll get travel ads if you’ve been looking to go to Pamplona for the running of the bulls, car adverts if you’ve been checking out the prices of Fords (the intent is that Phorm’s method of distilling down the ten most common words on the page will allow them to distinguish between a Fiesta and a Fiesta!)
I’ve now written up the extensive technical details that they provided (10 pages worth) which you can now download from my website.
Much of the information was already known, albeit perhaps not all minutiae. However, there were a number of new things that were disclosed.
Phorm explained the process by which an initial web request is redirected three times (using HTTP 307 responses) within their system so that they can inspect cookies to determine if the user has opted out of their system, so that they can set a unique identifier for the user (or collect it if it already exists), and finally to add a cookie that they forge to appear to come from someone else’s website. A number of very well-informed people on the UKCrypto mailing list have suggested that the last of these actions may be illegal under the Fraud Act 2006 and/or the Computer Misuse Act 1990.
Phorm also explained that they inspect a website’s “robots.txt” file to determine whether the website owner has specified that search engine “spiders” and other automated processing systems should not examine the site. This goes a little way towards obtaining the permission of the website owner for intercepting their traffic — however, in my view, failing to prohibit the GoogleBot from indexing your page is rather different from permitting your page contents to be snooped upon, so that Phorm can turn a profit from profiling your visitors.
Overall, I learnt nothing about the Phorm system that caused me to change my view that the system performs illegal interception as defined by s1 of the Regulation of Investigatory Powers Act 2000.
Phorm argue, with some justification, that their system does not permit them to identify individuals and that they meet and exceed all necessary Data Protection regulations — producing a system that is superior to other advertising platforms that profile Internet users.
Mayhap, but this is to mix up data protection and privacy.
The latter to me includes the important notion that other people, even people I’ll never meet and who will never meet me, don’t get to know what I do, they don’t get to learn what I’m interested in, and they don’t get to assume that targeting their advertisements will be welcomed.
If I spend my time checking out the details of a surprise visit to Spain, I don’t want the person I’m taking with me to glance at my laptop screen and see that it’s covered with travel adverts, mix up cause and effect, and think — even just for a moment — that it wasn’t my idea first!
Phorm says that of course I can opt out — and I will — but just because nothing bad happens to me doesn’t mean that deploying the system is acceptable.
Phorm assumes that their system “anonymises” and therefore cannot possibly do anyone any harm; they assume that their processing is generic and so it cannot be interception; they assume that their business processes give them the right to impersonate trusted websites and add tracking cookies under an assumed name; and they assume that if only people understood all the technical details they’d be happy.
Well now’s your chance to see all these technical details for yourself — I have, and I’m still not happy at all.
Update (2008-04-06):
Phorm have now quoted sections of this article on their own blog: http://blog.phorm.com/?p=12. Perhaps not surprisingly, they’ve quoted the paragraph that was favourable to their cause, and failed to mention all the paragraphs that followed that were sharply critical. They then fail (again, how can one be surprised?) to provide a link back to this article so that people can read it for themselves. Readers are left to draw their own conclusions.
Update (2008-04-07):
Phorm have now fixed a “tech glitch” (see comment #31) and now link to my technical report. The material they quote comes from this blog article, but they point out that they link to the ORG blog, and that links to this blog article. So that’s all right then!
A false accusation of “hacking”
One particular style of phishing email runs something like this (edited for brevity):
From: service@paypalL.com
Subject: Your account was hijacked by a third party.
Dear PayPal valued account holder,
We recently noticed one or more attempts to log in your PayPal account from a foreign IP address and we have reasons to believe that your account was hijacked by a third party without your authorization.
If you recently accessed your account while traveling, the log in attempts may have initiated by you.
However if you are the rightful holder of the account, click on the link below and submit, as we try to verify your account.
The log in attempt was made from:
ISP host: sargon.cl.cam.ac.uk
etc...
Well, spare a thought for the lucky owner of sargon.cl.cam.ac.uk (not its real name), because sometimes when people receive these emails they see it as compelling evidence (kindly supplied by PayPal) of someone who was trying to hack into their account and steal all their money.
In practice of course, the accusation is as false as the rest of the email, which is merely designed to get you to click on a link to visit a phishing website and reveal your PayPal login credentials to the criminals.
We’ve found examples of emails mentioning our machine name in several web archives, so it looks as though this part of the rubric isn’t entirely random, but is chosen from a shortlist… and on two recent occasions people have worked out where this machine is located and have decided to get in touch with our hardworking sysadmins to complain about, it is assumed, some students who are acting in a criminal manner.
Such complaints would be straightforward to deal with, except that the “sargon” machine happens to be used for monitoring phishing website lifetimes. Fairly regularly this leads to correspondence, when people clearing up an intrusion into their machine come across our monitoring visits in their web server logs. Of course once we explain the nature of our research, everyone is happy.
Anyway, last weekend someone complained about us hijacking his PayPal account, and it was immediately assumed that it was just someone else looking at their logs, and so there was little here to be unduly worried about.
The complainant was promptly asked for the evidence, and he sent back a copy of the email. Unfortunately, the University of Cambridge spam filter quietly discarded it, because it contained a phishing URL. Everyone here assumed that the matter had been forgotten about, and nothing proactive was done to follow it up.
Unfortunately, at the other end of the conversation, it looked as if Cambridge wasn’t responding, and perhaps the sysadmins were part of the criminal conspiracy. So, still concerned about the safety of their PayPal account, contact was made with the Metropolitan Police and the local Cambridgeshire constabulary… which would be an interesting experiment in seeing whether eCrime is ever investigated if it hadn’t, at heart, been an unfortunate misunderstanding. So far, no officers have appeared at our door, so hopefully not too much police time has been spent on this.
Eventually, after a little more to-ing and fro-ing, a copy of the original email arrived with the sysadmins via a @gmail account (which doesn’t completely discard phishing URLs), the penny dropped and it was all sorted out on the phone.
I’d like to draw a moral from this story, but apart from noting the wickedness of discarding valuable email merely because it superficially resembles spam, it’s not easy to cast fault more in one place than another. In particular, it’s clearly nonsense to suggest that people should just “know” that emails like this are fraudulent. If phishing emails didn’t mislead a great many people, then they’d evolve until they did!
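As an added illustration (not part of the original post), the following Python checks the two things a recipient of such an email can actually verify: the sender’s domain is a lookalike of the brand it claims, and the “ISP host” it names is just text typed by the sender. The message is constructed from the abbreviated email quoted above; the set of legitimate domains is an assumption for the example.

```python
import email
from email.utils import parseaddr

# Constructed sample following the abbreviated phishing message quoted in the post;
# the hostname is the post's placeholder name, not a real machine.
PHISH = """\
From: service@paypalL.com
Subject: Your account was hijacked by a third party.

Dear PayPal valued account holder,
We recently noticed one or more attempts to log in your PayPal account from a
foreign IP address and we have reasons to believe that your account was hijacked.
The log in attempt was made from:
ISP host: sargon.cl.cam.ac.uk
"""

# Domains the brand genuinely sends from (assumed list for this example).
LEGITIMATE = {"paypal.com"}


def sender_domain(raw):
    """Domain part of the From: header, case-folded (DNS names are case-insensitive),
    so 'paypalL.com' and 'paypall.com' are treated as the same string."""
    msg = email.message_from_string(raw)
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def edit_distance(a, b):
    """Levenshtein distance: how many single-character edits separate two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain, legitimate=LEGITIMATE, max_distance=2):
    """Return the legitimate domain that `domain` imitates (within a few edits),
    or None if the domain is genuine or not close enough to count as a lookalike."""
    if domain in legitimate:
        return None
    for good in sorted(legitimate):
        if edit_distance(domain, good) <= max_distance:
            return good
    return None


def claimed_host(raw):
    """The 'ISP host:' the message accuses. It carries no evidential weight: it is
    free text chosen by whoever wrote the email, not anything PayPal observed."""
    for line in raw.splitlines():
        if line.lower().startswith("isp host:"):
            return line.split(":", 1)[1].strip()
    return None


if __name__ == "__main__":
    dom = sender_domain(PHISH)
    print("sender domain:", dom, "imitates:", lookalike_of(dom))
    print("accused host (unverifiable text):", claimed_host(PHISH))
```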
Award Winners #2
Two years ago, almost exactly, I wrote:
Congratulations to Steven J. Murdoch and George Danezis who were recently awarded the Computer Laboratory Lab Ring (the local alumni association) award for the “most notable publication” (that’s notable as in jolly good) for the past year, written by anyone in the whole lab.
Well this year, it’s the turn of Tyler Moore and myself to win, for our APWG paper: Examining the Impact of Website Take-down on Phishing.
The obligatory posed photo, showing that we both own ties (!), is courtesy of the Science Editor of the Economist.
Tyler Moore and Richard Clayton, most notable publication 2008
Inane security questions
I am the trustee of a small pensions scheme, which means that every few years I have to fill in a form for The Pensions Regulator. This year the form-filling is required to be done online.
In order to register for the online system I need to supply an email address and a password (“at least 8 characters long and contain at least 1 numeric or non-alphabetic character”). So far so good.
If I forget this password, I will be required to answer two security questions, which I get to choose from a little shortlist. They’ve eschewed “mother’s maiden name”, but the system designer seems to have copied them from Bebo or Disney’s Mickey Mouse Club:
- Name of your favourite entertainer?
- Your main childhood phone number?
- Your favourite place to visit as a child?
- Name of your favourite teacher?
- Your grandfather’s occupation?
- Your best childhood friend?
- Name your childhood hero?
Since most pension fund trustees, the people who have to provide good answers to these questions, will be in their 50s and 60s, these questions are quite clearly unsuitable.
I’ve gone with the last two… each of which turns out to be different from the password, but the answers, weirdly enough, are also at least 8 characters long and contain at least one numeric or non-alphabetic character!
Computer Misuse in Scotland
Last June I explained that the Computer Misuse Act 1990 would not be amended until April 2008 — because the amendments introduced in the Police and Justice Act 2006 were themselves to be amended by the Serious Crime Act 2007, and that was not expected to come into force until then. Also, right at the end of 2007 the CPS published their guidance on how these new offences might be prosecuted.
Now Clive Feather draws my attention to a rather significant difference in the way that the law stands in Scotland.
Although on the face of it, both Acts do not extend to Scotland (Computer Misuse is a devolved matter) in practice the Scottish Parliament has used a Sewel motion (here for the Police and Justice Act, and here for the Serious Crime Act) to keep the law in both jurisdictions the same…
HOWEVER — as Clive points out — for some currently unknown reason the Scots brought the first version of the amendments into force on 1st October 2007 with this statutory instrument.
So North of the Border the law is currently different: you can be prosecuted for denial-of-service attacks and locked up for distributing hacking tools… whereas in the rest of the country, it’s 1990 offences only for a few more weeks.
The changes that arrive in April with the Serious Crime Act won’t make much difference to the people of Scotland; all that happens is that one of the new offences stops being computer-specific and is more broadly drawn instead. Still, it makes you wonder why the denial-of-service offence particularly — which has been widely welcomed — has been delayed for over a year, if the Scots can cope with two law changes rather than one.
BTW: Clive has a marked up copy of the Computer Misuse Act on his website, with pretty colours to show the current form of the Act (it’s been amended a number of times now) and how it will soon look.
www.e-victims.org
A new UK website, launched today, has a subtly (and I think importantly) different “spin” on online security.
The site is www.e-victims.org, where the emphasis is not so much on offering up-front security advice (for that, the UK-oriented site I’d recommend is www.getsafeonline.org), and not on reporting incidents to the police (who probably don’t have the capability to investigate anyway), but on offering practical down-to-earth advice on your rights and your next steps in complaining or getting recompense.
In many cases, you’re in trouble — pay for a cheap camera from China using Western Union or a debit card, and you’re going to have to chalk it up to experience. However, if you order from a UK company with your credit card and the goods arrive damaged then this is the site for you [contact the seller, not the courier company to deal with the damage; the Sale of Goods Act means that what you receive must be of satisfactory quality; and if you spent between 100 and 30000 pounds then the Consumer Credit Act means that the credit card company should reimburse you].
The site has launched with content for e-shopping victims (no Virginia, not that sort of victim) — and over the coming year will add more topics (phishing is specifically mentioned). If the site continues to give clear and down-to-earth advice as to whether or not you’ll be able to do anything about your problem, and if so what, then it will serve a very useful purpose indeed. Bookmark it for when you need it!
ObDisclaimer: The site is run by people I’ve known for decades, and I was so enthusiastic that I’ve been asked onto their Advisory Council. So you’d expect me to be enthusiastic here as well!
Hacking tool guidance finally appears
When civil servants talk about “spring” they mean before Parliament rises in July and by “the summer” they usually mean “before the party conference season” in September. But it seems that when a minister tells a Lords Committee “the end of the summer” they mean the last day of December. Well it has been pretty cold recently, so I expect that concentrated their minds!
This “summer” event which can be reported today, is the publication of the Crown Prosecution Service guidance on what should be considered before bringing prosecutions under s3A of the Computer Misuse Act, when amendments to it come into force — probably April 2008 (for reasons that I discussed last July).
What is at issue is so-called hacking tools, and the problem arises because almost every hacking tool you can think of from perl to nmap is dual use — the good guys use it for good purposes, and the bad guys use it for bad. The bad guys are of course committing an offence, and the good guys are not … but the complexity surrounds “distribution”, if a good guy runs a website and a lot of bad people download the tool from it, has the good guy committed an offence?
The actual wording of the offence says “supply or offer to supply, believing that it is likely to be used to commit, or to assist in the commission of [a Computer Misuse Act s1/s3 offence]” and so we need to know what “believing that it is likely” might mean. Whilst the law was going through Parliament the Home Office suggested that “likely” would be a 50% test, and they promised to publish the guidance to prosecutors so we’d all know where we stood.
Anyway, that guidance is now out — and there’s no mention, surprise, surprise, of “50%”. Instead, the tests that the CPS will apply are:
- Has the article been developed primarily, deliberately and for the sole purpose of committing a CMA offence (i.e. unauthorised access to computer material)?
- Is the article available on a wide scale commercial basis and sold through legitimate channels?
- Is the article widely used for legitimate purposes?
- Does it have a substantial installation base?
- What was the context in which the article was used to commit the offence compared with its original intended purpose?
which after a good start using words like “primarily” and “deliberately” (which would have been a sensible law to have in the first place) then goes a bit downhill in that prosecutors don’t know the difference between “i.e.” and “e.g.” and seem to think that software is generally sold (!), and rather misses the point of dual use by talking about using the tool in a different “context”.
Still, the “installed base” test should at least allow people to distribute perl without qualms (millions of users) — though do note that these are the tests which will be applied at the “deciding if you ought to be charged with an offence” stage, not the points of law and interpretation that the court will use in deciding your guilt.
Fatal wine waiters
I’ve written before about “made for adware” (MFA) websites — those parts of the web that are created solely to host lots of (mainly Google) ads, and thereby make their creators loads of money.
Well, this one “hallwebhosting.com” is a little different. I first came across it a few months back when it was clearly still under development, but it seems to have settled down now — so that it’s worth looking at exactly what they’re doing.
The problem that such sites have is that they need to create lots of content really quickly, get indexed by Google so that people can find them, and then wait for the clicks (and the money) to roll in. The people behind hallwebhosting have had a cute idea for this — they take existing content from other sites and do word substitutions on sentences to produce what they clearly intend to be identical in meaning (so the site will figure in web search results), but different enough that the indexing spider won’t treat it as identical text.
So, for example, this section from Wikipedia’s page on Windows Server 2003:
Released on April 24, 2003, Windows Server 2003 (which carries the version number 5.2) is the follow-up to Windows 2000 Server, incorporating compatibility and other features from Windows XP. Unlike Windows 2000 Server, Windows Server 2003’s default installation has none of the server components enabled, to reduce the attack surface of new machines. Windows Server 2003 includes compatibility modes to allow older applications to run with greater stability.
is rendered on hallwebhosting.com as:
Released on April 24, 2003, Windows Server 2003 (which carries the form quantity 5.2) is the follow-up to Windows 2000 Server, incorporating compatibility and other skin from Windows XP. Unlike Windows 2000 Server, Windows Server 2003’s evasion installation has none of the attendant workings enabled, to cut the molest outward of new machines. Windows Server 2003 includes compatibility modes to allow big applications to gush with larger stability.
I first noticed this site because they rendered a Wikipedia article about my NTP DDoS work, entitled “NTP server misuse and abuse” into “NTP wine waiter knock about and abuse” … the contents of which almost makes sense:
“In October 2002, one of the first known hand baggage of phase wine waiter knock about resulted in troubles for a mess wine waiter at Trinity College, Dublin”
for doubtless a fine old university has wine waiters to spare, and a mess for them to work in.
Opinions around here differ as to whether this is machine translation (as in all those old stories about “Out of sight, out of mind” being translated to Russian and then back as “Invisible idiot”) or imaginative use of a thesaurus where “wine waiter” is a hyponym of “server”.
So far as I can see, this is all potentially lawful — Wikipedia is licensed under the GNU Free Documentation License, so if there was an acknowledgement of the original article’s authors then all would be fine. But there isn’t — so in fact, all is not fine!
However, even if this (perhaps) oversight was corrected, some articles are clearly copyright infringements.
For example, this article from shellaccounts.biz entitled Professional Web Site Hosting Checklist appears to be entirely covered by copyright, yet it has been rendered into this amusement:
In harmony to create sure you get what you’ve been looking for from a qualified confusion put hosting server, here are a few stuff you should take into tally before deciding on a confusion hosting provider.
where you’ll see that “site” has become “put”, “web” has become “confusion” (!) and later on “requirements” becomes “food” which leads to further hilarity.
However, beyond the laughter, this is pretty clearly yet another ham-fisted attempt to clutter up the web with dross in the hopes of making money. This time it’s not Google adwords, but banner ads, and other franchised links, but it’s still essentially “MFA”. These types of site will continue until advertisers get more savvy about the websites that they don’t wish to be associated with — at which point the flow of money will cease and the sites will disappear.
To finish by being lighthearted again, the funniest page (so far) is the reworking of the Wikipedia article on “Terminal Servers” … since servers once again becomes “wine waiters”, but “terminal” naturally enough, becomes “fatal”. The image is clear.
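The word-substitution trick described above defeats dedup based on exact matching or word-shingles, but one-for-one synonym swapping leaves the copy aligned with its source word for word. The following Python is an added example (not the site’s code or anything from the post) that runs both measures over the two Windows Server 2003 paragraphs quoted above and recovers the substituted word pairs; the 0.7 cut-off is an assumed threshold.

```python
import re
from difflib import SequenceMatcher

# Sample input: the Wikipedia paragraph quoted in the post and the substituted copy
# from hallwebhosting.com, both copied from the post (curly apostrophe made ASCII).
ORIGINAL = (
    "Released on April 24, 2003, Windows Server 2003 (which carries the version number 5.2) "
    "is the follow-up to Windows 2000 Server, incorporating compatibility and other features "
    "from Windows XP. Unlike Windows 2000 Server, Windows Server 2003's default installation "
    "has none of the server components enabled, to reduce the attack surface of new machines. "
    "Windows Server 2003 includes compatibility modes to allow older applications to run with "
    "greater stability."
)
SPUN = (
    "Released on April 24, 2003, Windows Server 2003 (which carries the form quantity 5.2) "
    "is the follow-up to Windows 2000 Server, incorporating compatibility and other skin "
    "from Windows XP. Unlike Windows 2000 Server, Windows Server 2003's evasion installation "
    "has none of the attendant workings enabled, to cut the molest outward of new machines. "
    "Windows Server 2003 includes compatibility modes to allow big applications to gush with "
    "larger stability."
)


def tokenize(text):
    """Lower-case word/number tokens; punctuation is dropped so it cannot mask a swap."""
    return re.findall(r"[a-z0-9]+", text.lower())


def shingle_jaccard(a, b, k=3):
    """Classic near-duplicate measure: Jaccard similarity of word k-gram sets. Each
    substituted word destroys up to k shingles, so a spun copy scores poorly here."""
    def shingles(tokens):
        return {tuple(tokens[i:i + k]) for i in range(len(tokens) - k + 1)}
    sa, sb = shingles(tokenize(a)), shingles(tokenize(b))
    return len(sa & sb) / len(sa | sb)


def positional_agreement(a, b):
    """Fraction of positions holding the identical token. One-for-one swapping keeps
    the token count, so a spun copy stays highly aligned. None if counts differ."""
    ta, tb = tokenize(a), tokenize(b)
    if len(ta) != len(tb):
        return None
    return sum(x == y for x, y in zip(ta, tb)) / len(ta)


def substitution_pairs(a, b):
    """Recover (original, replacement) word pairs by aligning the two token streams
    and reading off the equal-length 'replace' blocks."""
    ta, tb = tokenize(a), tokenize(b)
    pairs = []
    for tag, i1, i2, j1, j2 in SequenceMatcher(None, ta, tb).get_opcodes():
        if tag == "replace" and (i2 - i1) == (j2 - j1):
            pairs.extend(zip(ta[i1:i2], tb[j1:j2]))
    return pairs


def looks_like_spun_copy(a, b, threshold=0.7):
    """Flag text that is not identical to the source yet is word-for-word aligned
    with it at or above `threshold` (an assumed cut-off for this example)."""
    if a == b:
        return False
    agreement = positional_agreement(a, b)
    return agreement is not None and agreement >= threshold


if __name__ == "__main__":
    print("3-gram shingle Jaccard:", round(shingle_jaccard(ORIGINAL, SPUN), 3))
    print("positional agreement:  ", round(positional_agreement(ORIGINAL, SPUN), 3))
    print("spun copy?", looks_like_spun_copy(ORIGINAL, SPUN))
    for old, new in substitution_pairs(ORIGINAL, SPUN):
        print(f"  {old!r} -> {new!r}")
```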
A conspicuous contribution!
When people are up for an award at the Oscars or some other prestigious event, they generally know all about it beforehand. So they turn up on the day with an impromptu speech tucked away in a pocket and they’ve a glassy smile to hand when it turns out that they’ve been overlooked for yet another year…
… LINX, the London Internet Exchange, doesn’t work that way, so I’d no previous inkling when they recently gave me their 2007 award for a “conspicuous contribution”.
This award was first given in 2006 to Nigel Titley, who was a LINX council member from its 1994 formation through to 2006, and his contribution is crystal clear to all. My own was perhaps a little less obvious. I have regularly attended LINX general meetings from 1998 onwards — even after I became an academic, because attending LINX meetings is one of the ways that I continue to consult for THUS plc (aka Demon Internet), my previous employer. I’ve often given talks at meetings, or just asked awkward questions of the LINX board from the floor.
But I suspect that the main reason that I got the award is because of my contribution to many of LINX’s Best Current Practice (BCP) documents, on everything from traceability to spam. These documents are hugely influential. They show the industry the best ways to do things — spreading knowledge to all of the companies, not keeping it within the largest and most competent. They show Government and the regulators that the industry is responsible and can explain why it works the way it does. They educate end-users to the best way of doing things and — when there’s a dispute with an abuse@ team — that other ISPs will take the same dim view of their spamming as their current provider (which reduces churn and helps everyone to work things out sensibly).
Of course I haven’t worked on these documents in isolation — the whole point is that they’re a distillation of Best Practice from across the whole industry, and so there’s been dozens of people from dozens of companies attending meetings, contributing text, reading drafts, and then eventually voting for their adoption at formal LINX meetings.
When you step back and think about it, it’s quite remarkable that so many companies from within a fiercely competitive industry are prepared, like THUS, to put their resources into co-operation in this way. I think it’s partly far-sightedness (a belief that self-regulation is much to be preferred to the imposition of standards from outside), and partly the inherent culture of the Internet, where you cannot stand alone but have to co-operate with other companies so that your customers can interwork.
Anyway, when I was given the award, I should have pulled out a neat little speech along the above lines, and said thank you to the whole industry, and thank you to THUS, and thank you to colleagues and particularly thank you to Phil Male who had faith that my consultancy would be of ongoing value… but it was all a surprise and I stammered out something far less eloquent. I’m really pleased to try and fix that now.