Sunday, 24 July 2016

Blizzard withdrawing support for IPv6?


It seems that once again Blizzard have their IPv6 connectivity for World of Warcraft not working properly. I opened a ticket and explained the issue in detail. The connectivity issue is entirely in their network. My guess is, as they seem to be using SLAAC addresses, they have simply failed to update addresses when they changed hardware and MAC. That is only a guess though.

The impact - I could not log in to play the game for several days. I assumed they had a fault or were busy and to be honest, given that I use IPv6 for almost everything I do (google, Facebook, all A&A web sites and internal systems) and have done for about 14 years, it did not even occur to me to check if turning off IPv6 would fix it for a while. These days I rarely play, but have been off ill for a few days and though I may have a game or two.

It seems the game is not falling back, trying IPv6 first, which is sensible, and failing totally without trying IPv4.

Now, anyone can make a mistake, and I am sure they can fix it easily, but it seems they are not interested in making it work with the current Internet Protocol. Basically, it seems to me from this response that Blizzard have withdrawn support for the current version of IP protocol, IPv6. It is simple, either you support it, in which case you take a fault report seriously, or you don't.

Heya Adrian,

Thanks for the ticket. I had a look over your history of issues with IPv6. We take a soft approach to support of this as many places haven't fully transitioned over. Normally IPv4 works perfectly and is what the majority of places use despite the other being the upcoming industry standard. Whilst we do appreciate your tests with regards to Tcpdumps and your suggestions about hardware upgrades on our server's end being the cause, since IPv6 is relatively new when it comes to large scale servers it's not something that's 100% works all the time as you're evidently aware yourself.

At this point we've expended our scope of support regarding it's use solely over IPv4 and would suggest that, if able, for the time being you connect using IPv4 whilst we're working on improving how our hardware works with this. 

Just a few comments on this.
  • "Many areas have not fully transitioned over"? Well no, you don't "transition", i.e. use IPv6 instead of IPv4, for a very long time, but IPv6 does work along side IPv4 on many ISPs, and many services work on IPv6 (like google, and Facebook to name just two). Only when people are all taking IPv6 seriously can any sort of "transition" start.
  • IPv6 does work 100%, well, as well as IPv4, when people actually make sure it works, like ensuring that the machines they have are on the right addresses and have connectivity. This is no different to the way IPv4 works. The only reason IPv6 might be not 100% is if some company stupidly decides to not make things work, or worse, decides to ignore support tickets raised when things are broken. Suggesting IPv6 is unreliable is not valid.
  • Also IPv6 is not "relatively new", it is all grown up with RFC2460 being 18 years old now. A&A have been offering IPv6 since 2002. How many decades must IPv6 in place before Blizzard consider it is not "new"?
  • As for improving how your hardware works - as far as I know it works - you have connectivity for IPv6 to your network (I get 4ms pings) - you have IPv6 in the game client and the servers work with it - you just need to fix whatever config that you broke a few days ago. Not hard!
Now, if they have "expended their support scope", that sounds a lot like "not going to fix it" and basically taking the massively backwards step of dropping support for the current version of IP, being IPv6.

That is a bold step Blizzard, not many companies would take such a backwards step. I think it is time for me to cancel my subscription, as I cannot really work with such a backward looking company. I wonder what our thousands of IPv6 connected customers will think.

P.S. Obviously if Blizzard have any official comment on this, I'll be happy to add that here, or they can simply comment below.

Update: After posting and adding it to their ticket I had a slightly more encouraging update:-

Hello Adrian,

Thanks for taking the time to get in touch with us and I'm sorry that I couldn't get back to you any sooner.

I was able to get in touch with our net engineers regarding the issue you brought up and it seems that are already working on the issue. Sadly, I do not have any ETA as when we will have a solution or any further information at this time.

Thank you for your understanding I hope that we have this resolved shortly.

Thursday, 21 July 2016

Out-geeked by the best

I had a fun meeting yesterday, and I won't say who with (unless he wants me to), but it was initially a business meeting related to the organisation for which he works, but went on rather a lot, ending in a meal in cafe rouge. I have met him before, but this time we managed to take a lot about old times and "stuff".

I actually found myself out-geeked for a change. Heck, he had a rare "portable" BBC micro (i.e. big box with power, CRT, BBC micro, 5 1/4" floppy disks, and fold out keyboard) in the boot of his car. Next to that the half restored teletype and fibreglass orc in the office were no match.

I tell a story of old days doing "purely research" in to the way some games managed protection on tapes or disks, and how the Elite game does various scrambling (XOR) of data it loads from tape/disk in various stages so that you cannot simply access or change the underlying machine code of the game. TBH I am not 100% sure the game was "elite" or not now. But what was fun is that if you are manually simulating the various stages, then part way through there is a pattern in memory that you can see with text "Does you mother know you do this?". I remember it well as it was after I had left uni and was temporarily staying at my parents, and she was behind me at the time! That text is not on the tape/disk and not in the final memory image but an intermediate stage that only a "hacker" would ever see. Before I got to tell that story, this person told of a similar story with another game and intermediate text "You are in a maze of twisty passages all alike" (a classic line from text based adventure games). I was out geeked on one of the most geeky anecdotes I have in my arsenal!

I'd say I "won" on the forcing the teletext chip in a BBC micro in to "reveal mode" by rapid random screen mode switching, that is, until I saw his "portable BBC micro" in his boot. And yes, I had BBC with 6502 and Z80 second processors and even teletext adapter but I never had one that talked GPIB, FFS, out geeked again!

At the end of the day it make me realise what a small world it is - there are probably literally a handful of people that have been there and done that in the same level of technical arena that I have had in my life. This person is close, but he did more radio ham than I ever did. I think I have done more coding than he has. But we are a rare breed and becoming rarer I think.

Hopefully one of those useful contacts in life for personal and business progressing in various ways. Some times it is who you know and not what you know, but knowing both helps even more.

Sunday, 17 July 2016

Think of the children!

I just read a rather odd story in arstechnica, on Starbucks banning porn on their free wifi.

Now, please, don't get me wrong. It is crazy that anyone would be watching porn on a phone or device in a McDonalds or Starbucks. That is just daft and nonsense.

It is pretty much as crazy that someone would sneak a porn magazine in to such a venue and "read" it there.

Now, I am not saying there are not crazy people out there, sorry, but there are, and they could do either of those, or strip naked and run through the store, or whatever. Shit happens, but I really do not think this is an issue that needs any special technical measures like blocking porn on the wifi.

It is totally pointless.

But, what is the down side? There are many!
  • Once you have technical measures to block some types of content it becomes easy to block other content, and this can be added with far lower levels of justification and almost no costs. How long before Starbucks blocks access to Costa's web site? What about blocking some political web sites?
  • Once you try and block something it is quite hard to do it right and "catch 'em all". The WiFi cannot be assumed to be "safe" by parents letting kids use the wifi, but they may assume it is.
  • Once you try and block something it is quite hard to do it right and not over block. We see a lot of over blocking were legitimate web sites are blocked by mistake. This makes the wifi less useful, inconvenient even, and is bad for PR. The blocked web sites have big issues knowing they have been blocked and getting the block removed as they have no contract with Starbucks.
  • This does not stop someone accessing porn! Lots of people use VPNs on public wifi, and can then access what they like. So this is bad PR if someone is accessing porn on a device on the wifi in Starbucks after they claim to have blocked it.
  • Obviously someone could take porn on paper or stored on a phone or device or use 3G or 4G, and access it without the wifi being involved. Again, bad PR.
As I say, who the hell would access porn in a Starbucks? Well, if you make publicity over this there are slightly more people that will! This is because you have now increased the pool from just the nutters to people that deliberately want to create bad PR for them. There are many of those, some cross over the way companies pay tax, etc. People that will create embarrassing scenarios, using the supposedly "safe" WiFi to do it, just to cause bad PR for Starbucks.

One could even be cunning, find a site not blocked (or create one using a proxy) and then use DNS injection on wifi to cause people's phones in a Starbucks to actually serve up porn sites when people try to access normal things like Facebook. Technically easy, and really really bad PR!

And all of this flies in the face of net neutrality and may not even be legal in such places under EU or US laws.

When will people learn, communications systems are neutral (or should be), and they are not there to filter or police what people communicate. We understood this for the postal system for hundreds of years - even having laws to prohibit interference. Most people understand it with telephone - not filtering what people say on the phone. Why do people think it is any more sensible, useful or reasonable to think of filtering communications over IP?

Friday, 15 July 2016

The new elephant in the room - meta data collection. We need your help!

The Investigatory Powers Bill has many issues, and one of these is the collection of meta data known as "Internet Connection Records", or ICRs.

Up until now the main focus on security has been on the content of communications, and we now have very powerful processors (even in our phones) and we are able to ensure that the content of our communications is secure, end to end, encrypted.

But there is a new threat, the collection of meta data. By collecting ICRs from everyone, and creating a national database that can be searched and collated we create the very definition of a nanny state or big brothersister, and the all seeing eye of police state as depicted in "1984".

The problem is that (a) meta data is actually very revealing of our lives, what we do, and who we associated with, and (b) the law sees it as less significant. This second point is important as it means that new laws can collect data from everyone, not just suspects in a crime, and can allow use of that data by a lot of people without a warrant. It is only seen as serious and needing of a warrant when you want to look in detail at the communications via some sort of "intercept", the very things that will not work with the modern "encrypt everything" culture. Of course that won't work with criminals.

The UK government want to make a national system of searchable ICRs, and that means getting data from every ISP. But that is hard. There are literally thousands of ISPs, small and large, and they each would need notices to retain data. But it is worse - each ISP needs to consider the collection, storage, and access to this data, and how that will comply with the Investigatory Powers law and Data Protection law. The ISP may have to have positively vetted staff, and secure data storage systems, and all sorts. This is far from cheap or proportionate for a small ISP with only a few hundred or even a few thousand customer lines. Current policy is government pays for this too, so even harder.

Even with this security, the data is vast and the risk for it being compromised is very real. It is a far greater threat than the terrorists we try to thwart by such measures (but then so are paper cuts, well, nearly).

The only sane approach the UK government can take, if they really are hell bent on this new police state, is to engage with the back-haul carriers, like BT Wholesale, Talk Talk Business, Virgin, and maybe a couple of others. By doing this they can get almost everyone covered, even A&A customers! And all done in secret.

So what can be done?

Well, for a start, it is important to make it clear that we are not talking about helping "terrorists", "pedophiles", or "criminals" here. They can all take measures themselves, using Tor, and so on, to protect their data very easily. Also, they are often already known and already under more detailed surveillance. What we are talking about here is the police state surveillance on every single innocent person in the country for no legitimate reason. A true police state.

An important step is for everyone to ensure they use encryption as much as possible, to protect that content, but using encryption to protect meta data is harder. Tor is a start, but that is a complicated network that really should be used for those that really need it. So how can end users feel any safer over meta data collection?

One obvious answer is use of standards based encrypted PPP links. They exist, they work, and some small ISPs do this. Well done to them. The challenge is scaling up to larger ISPs. Running proper crypto for thousands of lines and gigabits of data is quite simply not easy, yet.

This is a short term issue in a way - I am sure in a few years the hardware will be up to the job, but not quite yet, in our experience.

So what can we do - well we can obfuscate the meta data!

Basically, the PPP traffic may look like normal IP data, but actually the IP addresses, maybe the TCP and UDP ports, and perhaps a bit in DNS queries, will be "scrambled" a bit. It does not have to be processor intensive or too complex. Just something that cannot easily be automated on a large scale.

Scrambling the data is not hard, the trick is to make some sort of initial negotiation to make it hard to descramble without some work. We are thinking some Diffie Hellman exchange at the LCP level maybe, and simple XOR of meta data. Maybe change occasionally during the connection. Ideally some properly negotiated obfuscation and publishing an RFC, or specification of this, so linux pppd can do it as well.

The result is that L2TP DPI based PPP capture will not easily collect meta data. Indeed, it will actually capture screwed up meta data and create bogus ICRs.

So what would happen - well, the government will have to consider talking to each and every one of those small ISPs, and pay the price for doing it - not financially viable, surely. If nothing else, the ICRs they collect to start with will be less than useless.

So we want to make an RFC - how can we get some help?

Please comment on here, let me know if you can help, DM me on twitter. Let's make a standard, or at least a specification, and I will code it in the FireBricks at the LNS end to work with A&A customers as well as a few other ISPs using the same kit.

We do not need a police state in the UK, or any country that follows, and we can help stop it, or at least thwart it.

Thursday, 14 July 2016

Will anyone buy a UK crypto solution ever again?

The Investigatory Powers Bill is progressing through the Lords, and facing some stupid issues still.

There was a long debate on the matter last night, and Earl Howe seems to miss the point.

Assuming that technical capability orders will be allowed that provide for a capability to remove protection from communications, it basically means that UK companies can be (secretly) banned from making encryption systems that are actually secure (where nobody but the parties communicating can ever see the communication).

So let's ask...

Would you buy this dodgy crypto product?

Would UK government , e.g. The Home Office, buy encryption solutions from a company in a country where they know that country's government can secretly force the supplier to have included some sort of "back door"? (whatever you call it, a means for third party access to the communications)

I'd actually like to see that question asked in the Lords ^^^

I think the answer would be no, and the same would be true for anyone wanting to buy some encryption solution...

Indeed, I have to wonder if the UK government would buy encryption solutions from UK providers after this, as they know that UK providers are basically not allowed to make a solution that is truly secure any more. The UK will have to buy crypto solutions from some other country!!!

On whom do you serve a technical capability order for open source code?

This is a biggie. The idea is to stop UK companies making secure solutions. Well, the idea is to stop anyone, even not in the UK, but there is no jurisdiction to do that. But what if the supplier is not just "not in the UK", but "not an entity" at all.

Open source comes from a collection of people contributing to source code that can be seen. Even if you tried to order one contributor to dumb down the solution, that could not be done in secret, and their change can be seen and removed by the "community".

Why do we need this?

The government want no safe place for a terrorist to communicate. That means there is no safe place for anyone to communicate as any system will not know if the user is a terrorist or not. That is what they want, and have clearly stated that.

But this law will simply mean UK providers cannot provide a safe place, for anyone, to communicate. It does not mean there are no safe places.

There are many ways to communicate secretly, including apps and solutions from non UK providers, open source solutions. Heck! Even pen, paper and dice.

So a person that wants to communicate secretly can do so with very little effort.

The people affected by this are the users that just want the convenience of using a product or service securely. Such products and services will not be allowed to exist, at least from UK suppliers. So those users suffer, as does the whole UK crypto industry.

The criminals do not suffer at all!

Wednesday, 13 July 2016

Everyone loves Lenny!

Those that have read my blog will know how I feel about junk callers. I managed to make some really good long monologues to tie up callers. But I have to admit that "Lenny" takes the biscuit here and is better than I ever was.

Lenny is an automated system that can be used with asterisk and it just waits for gaps and plays some pre-recorded audio in various sequences. It is pretty impressive.

Now, to catch some of these we had to add a DTMF '5' to the start, but once that was done, we managed to get a person to chat with Lenny for nearly 5 minutes.

That is 5 minutes that some scumbag junk caller was paying someone to be on the phone with no prospect of actually getting any money. The more people that do this, the less the whole despicable business will be worth running.

The only thing is Lenny could be a bit quicker to answer, but I am sure that will improve.

Here's one we caught earlier (mp3).

I may post some more if I get some good ones.

P.S. we got a recruitment company too, LOL (mp3), and the classic Indian call centre call (mp3) and (mp3) and (mp3). And have you been in a car accident (mp3).

What is interesting is the number of "junk calls" that are now from "normal" calling numbers, so as to fool people in to answering. Also surprising how many from POP telecom!

Monday, 11 July 2016

Junk calls, TPS and DPA

If you want to avoid marketing calls, the "right" way to do it is to register the number with the Telephone Preference Service (TPS). They have a web site where you can check the number and register. Simple enough...

There are, however, a few problems. I am looking at this as the new number I recently obtained (my old home phone number from 20 years ago) got another junk call. I checked, and it is no in the TPS.

Now, this should be simple, but it is not.

The TPS web site does not just want the number, which is all they actually require to maintain the register, they also want:-
  • Name
  • Full postal address
  • Email address
  • Agreement to their privacy and cookie policy
Well, half way through the web site filling in a form, it is a tad late to ask for agreement to the cookie policy, but what if I do not wish to agree? I cannot register.

As for the privacy policy - it looks rather iffy to me. Again, what if I don't agree?

First part of the privacy policy that seemed odd was "You should be aware that if you subsequently give any personal information to another company, the uses to the Telephone Preference Service privacy policy will no longer apply." I am not trying to be thick here, but they seem to say that if I give any personal information (at all?) to another company (any company?), then their privacy policy no longer applies. Well, of course I have given some personal information to some other companies! My employer for a start, and, well, loads of companies. Does that really stop the TPS privacy policy applying. Maybe I am misreading it. Seems a pointless policy if it stops applying so easily.

The other issue is they can give my personal information to other parties. They do say the uses are limited to "suppression purposes or to incorporate onto suppression software". So if the software wants email and postal addresses, it can be incorporated in to that software. That is one valid use of the data. The suppression software does not have the restriction on use (note the "or" in that statement). The TPS can also use for "research and statistical analysis".

It seems to me a great way for my phone number and postal address and email address to leak, and be given to the unscrupulous companies involved in direct marketing. That could mean I am actually giving my data to the very people I do not want calling me. Saying "unscrupulous" may seem harsh, and is my opinion, but is an opinion based on the fact we even need laws on this matter in the first place, that I get junk calls to TPS listed numbers all the time, and that the ICO have fined companies, so I feel it is not an unfounded assertion, at least for some of them.

I have now contacted OFCOM to add the number, and advised that they are not to store email or postal addresses or disclose that to third parties. If they want to validate my request they can call the number! We'll see what they say.

Interestingly, OFCOM themselves were promoting (on twitter) a text based TPS listing saying "Calling all mobile users...text ‘TPS’ & your email address to 85095 to reduce #nuisancecalls" so again asking people to provide email address when not needed to maintain the register.

I believe one of the Data Protection principles is you don't collect data you don't need. As my requests on twitter went unanswered, I have asked OFCOM to tell us more (FoI request). We'll see what they say.