Monday, 5 December 2016

Investigatory Powers Act - devil in the detail

It is published (here). It is an interesting read, so here are some initial observations...

I have been trying to focus on the bits that could impact us (A&A and FireBrick) mainly, and I am very happy to have had help from a friendly lawyer on this matter. I am the first to accept that I am not an expert on reading legislation, but getting better as the years go on.

So, some observations, in no particular order...

Can a retention order be placed on BT Wholesale to monitor A&A traffic?

We think no - surprisingly. This is because of 87(4): "A retention notice must not require an operator who controls or provides a telecommunication system (“the system operator”) to retain data which relates to the use of a telecommunications service provided by another telecommunications operator in relation to that system".

So that should mean, we think, that BT Wholesale or Openreach or BT plc as "the system operator" cannot be ordered to retain data which relates to the use of the telecommunications service provided by A&A in relation to that system. We see that as meaning BT provide PPP and we provide IP, and so BT cannot be ordered to log IP (or above), only PPP which is basically their RADIUS logs, because IP is related to what we provide via that system.

Good and bad - good is it means, in theory, if we say we have no monitoring (we don't) and we can assume BT do not, then there is no monitoring (same logic to LINX and transit providers). Bad news is that they may be more inclined to ask us to do retention as a niche ISP.

But it gets more fun - given that this now covers private as well as public telecommunications services, it is easy to say that every single one of our customers is a telecommunications operator even if only running one router to provide service to one person. So we can argue that we cannot be expected to retain data relating to our customers' use of the IP - you have to ask each and every one of them to retain data and not us.

We'll see how that plays out if ever we are asked to do retention (which we, A&A, have not been).

Can FireBrick be forced to add a back door?

We think no, thankfully. The definition of a telecommunications operator, which we thought could cover FireBrick would require that FireBrick is providing a "service", which we are not, we are providing a product, and that the FireBrick itself is a "system", which it is not, it is apparatus.

Even so, we still have standing order that if asked to back-door FireBricks then the UK company FireBrick Ltd would be dissolved.

In short, you can trust FireBrick!

Is FaceBook a telecommunications operator?

Well, this is tricky. The Home Office think so, apparently. An operator offers "services", and a service means a service consisting of access to, or facilitating making use of, a "system". A system is something allowing transmission of communications by electrical or electromagnetic energy.

So a system is wires and fibres and radio; a service provides access to that, or facilitates making use of it; an operator offers a service to do that.

I think the wires, and fibres, and radio, facilitate the use of FaceBook, not the other way around. The "make use of" may be the sticking point.

I think it is badly drafted! FaceBook may want to argue on that definition.

What are Internet Connection Records?

Something much hyped in the process of this becoming law, but relegated to a small part of the Act.

It is a narrow and specific definition, "In this Act “internet connection record” means communications data which may be used to identify, or assist in identifying, a telecommunications service to which a communication is transmitted by means of a telecommunication system for the purpose of obtaining access to, or running, a computer file or computer program, and comprises data generated or processed by a telecommunications operator in the process of supplying the telecommunications service to the sender of the communication (whether or not a person)."

So it is just stuff to identify the service used by the sender, nothing more. But why does this narrow definition matter?

Well, retention can cover all sorts of data, anything that is not "content", which is "meaning of the communication". And that can be way more than ICRs. It is clear that ICRs are a subset of that data.

However, requests for this data to be acquired (e.g. from retained data) can cover anything.

There are restrictions on "local authorities" getting ICRs, but as ICRs are only a subset of the data ISPs may be forced to retain, that is a less than useful constraint. Local authorities could still ask for all sorts of non-ICR data an ISP was required to "retain"!

How serious is "serious crime"?

Some aspects of the acquisition of data have restrictions for "serious crime", and that covers stuff with long prison sentences. Good. But, oddly the section also covers "relevant crime" which is rather fun as it covers offences that are "by a person who is not an individual, or which involves, as an integral part of it, the sending of a communication or a breach of a person’s privacy." This means things like failing to put your company number on your letterhead (a crime by a company) is lumped in with "serious crime"!

And the irony that you can get all this data which is a huge invasion of privacy to investigate a breach of a person's privacy is not lost on me.

Can the food standards agency get browsing history?

Well there are caveats, but yes, they are in the list and not even covered by the "local authority" exception to getting ICRs.

Does this mean back-doors can be mandated?

Well, yes, for any "service": the operator can be ordered to maintain a capability to decrypt traffic, and even to give notice when new services are planned, so that they have the back door from the start.

But not if you do the encryption yourself, using PGP or your own apps or pen and paper! Criminals can do this and do so legally with no interference by this Act. Well done!

Friday, 2 December 2016

Two factor authentication

I am working on some new two factor authentication for our systems.

Before I even started this, I actually updated the systems we have in place for managing password hashes to move to Argon2, the winner of the Password Hashing Competition. It upgrades each stored hash on that user's next login to our various systems, as that is the only moment the plaintext password is available to rehash.

However, a big step forward would be two factor authentication where in addition to a username and a password we ask for an extra bit of information.

From various research the way to do this is TOTP (RFC 6238): the OATH HOTP scheme, an HMAC over a counter, with the counter derived from the current time. Basically you have an app or device that provides a code every so often, and when you log in you have to enter the current code. We are using the default of 6-digit codes created every 30 seconds.

There are quite a few issues with this, and a scarily large number of OTP and OATH and TOTP applications available. It is a well published standard.

The challenge is getting the "seed" or "key" in to the device, or if it is a hardware device, then from the device to us. The latter is something to tackle later as most people use a mobile app these days, so we make the seed/key and it has to get in to the app.

The answer is a QR code carrying an otpauth:// URI, for which there is a de facto "standard" (originally from Google Authenticator). It encodes the settings in a fixed format with the seed/key in Base32, and can be read by various apps including Google Authenticator. Once read, the app provides a code every 30 seconds.

At our end we need to store the seed, which ultimately has to be readable: the server must compute the same HMAC the app does. It can be encrypted at rest, but unlike a password hash it remains reversible by whoever holds that key. Still, we have a hash for the password and a readable OTP seed, so two factors, which is a good start. There is no real way around storing the seed in a recoverable form, sadly.

But it does get quite complex, and this is what I am working through now.

1. How do you make sure setting up or resetting the TOTP is safe / authenticated? Current plan is texting a code as an alternative second factor before we disclose the seed/key as a QR code, bearing in mind that SMS can be redirected by SIM swap, so it should gate enrolment only and not stand in for TOTP generally. Some actions need to be properly two factor authenticated.

2. Do we allow changes of password if not already TFA, and what of lost password - is that independent?

3. What access do staff have to reset or clear the TFA system? How do we defend against social engineering whilst not locking out genuine customers? How much staff training on social engineering can we do? How much staff time will this take?

4. What levels of control do we offer to customers, what degrees of paranoia do we support?

5. What of ancillary systems such as ordering or the CHAOS2 API? Current plan is that ordering will require the TOTP code if it is set up at all, even where normal logins do not require it because the browser is marked as "trusted".

It is never as simple as it sounds when looking purely at the technical side. Systems like this extend in to social engineering!

Anyway, we are starting with staff logins, and then moving to end user logins on our various systems offering, and even recommending, two factor authentication.

P.S. Yes I waited more than 5 minutes after taking that picture so that even if you know my username and password you cannot use the code. And yes, we also protect against replay attacks on the code.

Tuesday, 29 November 2016

Evaluating a VPN provider

At A&A we are looking in to how we can best help customers exercise their human rights for privacy and rights to net neutrality and to access to legal content.

The IP Act puts in place horrendous snooping powers, and the DE Bill as proposed puts in place a new national censor with the job of blocking porn sites - legal porn sites. We can all imagine how much further such proposals could go.

At present there is no ban on operating a VPN - it would be hard to ban without also banning https used by many web sites and businesses and banks and the VPNs used by industry and even parliament.

There are VPN providers now (sensibly) targeting the UK market - they provide a VPN endpoint which you connect to from your computer or using a router that can do VPN for your whole house. They make a point of having equipment and legal entities in countries that do not require logging and snooping, and make a point of not recording anything or accepting orders from governments like the UK.

So, the next question is how we evaluate VPN providers and even make some recommendations. We may even set up a VPN operation ourselves (well, not ourselves, a foreign company with foreign servers, so not subject to UK jurisdiction).

These are the obvious aspects I can think of, but I am keen on other comments.

Speed

One simple aspect of the service and the devices you choose to operate the VPN at your premises is whether the service can keep up with the speed of your Internet connection, such as an 80Mb/s VDSL service.

Price

Obvious one, but you want a reasonable price. Free is great but there has to be a catch somehow, so you expect to pay a few dollars a month at least for any reasonable service.

Anonymity

Are they really not logging anything, do they have a clear history of refusing information requests?

Trust

Can we really trust them? Very hard to be sure but reputation and how long they have been in business are key factors.

Geolocation

Can they have your traffic look like UK traffic (if that is what you want)? This may be tricky and without it things like netflix may not even work. If someone sets up a service specially for UK use they may be able to convince netflix and others that it is UK IP addresses even if plugged in via another country.

Technical

MTU issues, latency, transparency of IP protocols and ports and so on, IPv6. All things that matter from a technical point of view. Ironically, maybe even fixed IP - if blocking/censorship is your main concern.

Openreach/BT Split

As reported by BBC, OFCOM are getting Openreach split off as a separate legal entity from the rest of BT plc.

What do we think of that?

To be honest it is tricky - A&A deal with BT plc for both BT Wholesale and Openreach departments. The latter is for phone lines to support the broadband services we sell. Mostly we are dealing with the BT Wholesale part.

A lot of the reasons behind this are coming from some of the larger operators who have to deal with the Openreach part of BT much more. They are concerned that BT Retail get some preference of some sort. There are concerns over whether BT are investing enough in infrastructure.

I am not at all convinced by some of the arguments, as Openreach had 86% coverage of UK premises for VDSL (FTTC) back in April, and are pushing hard on this. So there seems to be quite a lot of investment in infrastructure. Also, we don't really see much in the way of preferential dealing with BT Retail at all - it seems they, and Plusnet, have as much hassle with Openreach as anyone else.

But the devil is in the detail, and it looks like the new Openreach will be owned by BT Group plc, so there is a source of investment via that route. But this also means one of the big issues still exists - if BT Retail pay lots to Openreach, that has no impact on my BT Group plc shares.

In practice, Openreach is already operated like a separate company - annoyingly so on occasions. This split will actually remove one useful aspect of being one company. At present, when dealing with BT Wholesale they will often blame Openreach (or "their suppliers") for a failure. Legally that could be force majeure (matters beyond their reasonable control) if they were not in fact the same company and in fact blaming themselves. Being able to throw that back at them can be useful and force them to do their job and not just blame someone else.

But otherwise I would be surprised if we see any difference at all from this move - apart from new contracts which gives them a chance to screw us over somehow.

Wednesday, 23 November 2016

Human Rights

The BBC did a good article on the Investigatory Powers Act (which oddly has yet to appear on the legislation.gov.uk web site).

But there is one aspect they did not make that clear...

The headline was :-

"Tech firms seek to frustrate internet history log law"

It should have been

"Tech firms seek to help people exercise their basic human rights"

We all have the right to a private life and family and correspondence, and that is all people are after here. Nobody is aiming to thwart the law, unless, that is, the law is trying to take away that basic human right.

So please, BBC, report it correctly. Nobody is trying to break laws, or frustrate them - we are just trying to exercise our human right in EU and UN declarations of human rights - a right to a private life - that is all.

Sunday, 20 November 2016

First they came for the porn sites

If it was not bad enough with the Investigatory Powers Act passing in to law, we are now facing another wave of stupid and dangerous law - the Digital Economy Bill.

Several people have written some good pieces on that - see one of the latest by Jim Killock of Open Rights Group.

What problem are they trying to address?

"THINK OF THE CHILDREN!"

Seriously, it is not clear what the specific problem is here - but the Government have been after porn sites for a long time. Those of us that are cynical see this as just one more step in censoring the Internet, one small justification for more filters and laws to back them, so that more and more can later be added to the filtering lists over time.

I will be delighted if someone reading this has some concrete evidence of studies showing what problem exists to be solved. Are there any MPs that did not see porn before 18 (or a pig's head maybe?).

Personally I see two issues, the first is younger children inadvertently encountering unsavoury content on the Internet. This is easy to address with existing tools and some education of parents. The second is older children that want to access porn on the Internet but are not yet 18 (e.g. people that are 16, can fight in the army, and can get married and have sex, those sort of people as well as those a few years younger). This is not a "problem" to solve - teenage kids have accessed porn, probably forever, and long before the Internet. The only problem is where they see porn as "reality" rather than "entertainment and fiction", and that is solved by education. No amount of blocking will ever stop a teenage kid accessing porn if they want to and that is a simple fact!

What is the solution they propose?

There are two key parts here, both of which have huge issues.

1. Age verification on porn sites. Unlike whisky selling web sites that have "Are you over 18? Yes/No", they mean something that can actually validate that you are over 18.

This is serious - a lot of people (adults) access porn. It is not unusual. However, the fact that people access porn, and the specific preferences for people's fantasies is very personal information - sensitive personal information which is valuable to criminals, may be very embarrassing, and usable for blackmail and who knows what else. Remember, until surprisingly recently a preference for same sex relationships would make you a criminal suspect! If anything, it is one's sexual preferences that are perhaps one of the main reasons for the basic human right to a private life.

The only real way to do any sort of age verification is to identify the user somehow. This is a huge challenge to do "over the Internet". Almost anything that can be used to identify a person can be copied and used by their teenage kid - and something like a credit card is one of the easiest. Also, bear in mind, kids as young as 8 can legitimately get a pre-payment visa/mastercard now.

No matter how you try - the system will be flawed somehow (what can an adult type or do on a computer that a child cannot copy?).

But no matter what you try - there will be an association of the web site access with the identity of the person accessing it. Steps can be taken to try and avoid this linking together cleanly by some means, but ultimately there will be a link somewhere, and that allows for a huge database of sexual preferences for adults in the UK. That will get hacked or sold or both.

We are talking about a database of the sexual preferences of every UK adult! But I suppose the Investigatory Powers Act allows such a database to be created as well - at least tied to an Internet connection if not a person. This database will tie to specific people.

2. Blocking of porn sites. Only UK sites would have to comply (putting them at a commercial disadvantage and hampering minority groups), so they propose that sites that do not comply can be blocked by an order on UK ISPs.

There is plenty of evidence that trying to block illegal sites that assist in copyright infringement in some way simply does not work. It is a massive game of "whack-a-mole" at best, and totally pointless at worst. This has been tried, and it simply does not work.

But trying to censor completely legitimate and legal web sites, which have financial and legal resources, is going to be a much bigger challenge. For a start, there are a lot of them, a hell of a lot. We are not talking of blocking one web site like piratebay, we are talking every single non UK porn web site that is not going to pay for UK age verification services - they would be much more successful investing in ways for UK "users" to bypass government censorship.

But as Jim Killock points out - the second "age verification" becomes the "norm" for UK porn "users", we see massive opportunity for fraud - porn sites that insist you have to enter card details to proceed and even quoting the UK law on this. Quote a law and link to it and the request seems legitimate. If all of the free sites vanish (unless you try a little to find them), then we will be swamped by the bogus sites collecting personal information. And there is almost no end to how much personal information they can ask for in the interests of "age verification" and a promise not to actually charge your card or log the details. There is no way for people to tell the "real" (and supposedly safe) age verification requests from the bogus ones, and there is a massive incentive for people that are defrauded to keep quiet rather than own up to the site they were trying to access. It will be a secret and undercover fraud that will be a nightmare to track down.

What is the right answer?

You have to assume there is a question/problem in the first place, which is not clear, but assuming there is one - what is the answer.

I think it is simple to say - education is the answer, not censorship.

But I'll try and be a tad more helpful.

For young children you need education of parents and guardians on how to use the many tools available to them, and some education that the Internet is not the ultimate baby sitter. There are many tools - just installing any operating system these days will offer a range of "parental controls". There are safe-search settings on search engines and there are controls that can be set in most ISPs systems that offer filtering as an option. ISP filters tend to be whole house and so a tad crude but there are DNS based systems which are easier to set on a per computer basis and provide controls not only on content but times of day, etc. Lots of tools exist, in the control of the parent/guardian. Yes, they are easy for some teenage kid to bypass, but we are talking here of young children not trying to access porn, and for that all of these tools work well.

For older children that want to access porn the first thing to realise is that there really is no point trying to stop them doing so - it will never work, sorry. But education matters. Along with sex education you need education for teenagers about porn! I know it seems odd, but teenagers need to know porn exists, and that every type of porn and sexual preference you can imagine (and many you cannot) exist somewhere. They need to know that porn is entertainment and not reality. That it is fiction. That there are many things out there, with which they may feel uncomfortable, and that they have the choice of what they look at and what they do not. And most of all they need to understand that it is not in any way a guide to any real relationship, just as many fictional and entertainment films are not a guide to real life. With some basic education people can enjoy porn, avoid things they do not enjoy, and still have meaningful sexual relationships in the real world.

Saturday, 19 November 2016

IPv6 and Zen

With my FireBrick hat on for a change, one of our customers has a Zen line with IPv6.

He was surprised to find the IPv6 was not working when using a FireBrick FB2700, and so was I!

As usual, within a couple of hours of reporting the issue, we have new code that solves it, even on a weekend. I have to say though that I was impressed that Zen looked at the FireBrick web site and manual in an effort to help their customers with this. Well done guys.

For so long FireBrick has been used on A&A lines for IPv6, it is nice to see how other people do it.

The problem is that the protocols used for this are horrid. I think I mentioned this before. I really think a PPP level negotiation would make a lot more sense. I even have my name on a draft RFC, but no luck on that.

What happens is, after the IPV6CP negotiation of a 64-bit interface identifier, you can send IPv6 over the link using the link-local (fe80::) address formed from that identifier. Getting any real IPv6 addresses then works a lot like a LAN but with extra bits: you can receive Router Advertisements over the PPP link and pick an address from them, and you can use DHCPv6 to request an address for the link itself and prefixes for your LAN.

Traditionally, as it seems the most common way, FireBrick used the latter - expecting the DHCPv6 to allocate a "real" address on the link itself (maybe) and a prefix for LAN. We actually ask for one or more /64 prefixes for different LAN interfaces as configured, but by default it is all of the interfaces we have. You can configure which interfaces to use with which PPPoE links though, if you want.

We had a bug where IPV6CP forced a new interface identifier, which Zen do, specifically 00:00:00:00:00:01 for some reason. We were not then using the right fe80:: address for DHCPv6, or rather we were not accepting replies sent to the address we were using, due to a silly mismatch between the two.

It also looks like Zen do RA for the PPP side address, and DHCPv6 for prefix delegation, which sort of almost worked. We had some bugs. For a start, we did not handle "infinity" (the all-ones lifetime, 0xFFFFFFFF) as the validity for these, even though that is what we requested; a silly error, but it meant we expired every allocation one second before we got it! Took me a while to work that one out...

We also did not handle a case of asking for a prefix even if no interfaces are set up to use it (e.g. where Zen is a secondary ISP on separate routing table).

However, with a few tweaks we have it sorted, only using DHCPv6, not RA, but picking an address for PPP link from the delegated addresses and requesting at least one /64 by default.
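An added example, not FireBrick code, of the two pieces of the problem described above, in Python: deriving the fe80:: link-local address from the IPV6CP interface identifier, and parsing the IA_PD / IA_PREFIX options out of a DHCPv6 Reply while treating the all-ones valid lifetime (0xFFFFFFFF, "infinity" in RFC 8415) as never expiring. The buggy_expires_at function reproduces the one-second-early expiry the post describes, on the assumption that the field was being read as a signed 32-bit value (the post does not say how the old code got there). The Reply message and the identifier ::1 (read here as the eight-byte form of the value in the post) are constructed for the example, not captured from Zen.

```python
import ipaddress
import struct

INFINITY = 0xFFFFFFFF        # RFC 8415 lifetime meaning "never expires"
MSG_REPLY = 7
OPT_IA_PD, OPT_IA_PREFIX = 25, 26

def link_local(ifid: bytes) -> ipaddress.IPv6Address:
    """fe80::/64 plus the 64-bit interface identifier negotiated by IPV6CP.
    This is the address DHCPv6 replies on the PPP link are sent to."""
    if len(ifid) != 8:
        raise ValueError("IPV6CP interface identifier must be 8 bytes")
    return ipaddress.IPv6Address(b"\xfe\x80" + bytes(6) + ifid)

def parse_options(data: bytes):
    """Walk DHCPv6 TLV options: 2-byte code, 2-byte length, body."""
    off = 0
    while off + 4 <= len(data):
        code, length = struct.unpack_from(">HH", data, off)
        body = data[off + 4:off + 4 + length]
        if len(body) != length:
            raise ValueError("truncated DHCPv6 option")
        yield code, body
        off += 4 + length

def delegated_prefixes(msg: bytes):
    """Return [(IPv6Network, preferred, valid)] from every IA_PD in a Reply."""
    if not msg or msg[0] != MSG_REPLY:
        return []
    found = []
    for code, body in parse_options(msg[4:]):          # skip msg-type + 3-byte xid
        if code != OPT_IA_PD:
            continue
        _iaid, _t1, _t2 = struct.unpack_from(">III", body, 0)
        for sub, sbody in parse_options(body[12:]):
            if sub != OPT_IA_PREFIX:
                continue
            preferred, valid, plen = struct.unpack_from(">IIB", sbody, 0)
            prefix = ipaddress.IPv6Network((sbody[9:25], plen), strict=False)
            found.append((prefix, preferred, valid))
    return found

def expires_at(now: int, valid: int):
    """None means the allocation never expires; the check the fix needed."""
    return None if valid == INFINITY else now + valid

def buggy_expires_at(now: int, valid: int) -> int:
    """Assumed old behaviour: 0xFFFFFFFF read as signed is -1, so the
    allocation expired one second before it arrived."""
    signed = struct.unpack(">i", struct.pack(">I", valid))[0]
    return now + signed

def build_reply(prefixes) -> bytes:
    """Constructed DHCPv6 Reply carrying one IA_PD with the given IA_PREFIX entries."""
    ia_opts = b""
    for prefix, preferred, valid in prefixes:
        net = ipaddress.IPv6Network(prefix)
        body = struct.pack(">IIB", preferred, valid, net.prefixlen) + net.network_address.packed
        ia_opts += struct.pack(">HH", OPT_IA_PREFIX, len(body)) + body
    ia_pd = struct.pack(">III", 1, 0, 0) + ia_opts          # IAID=1, T1=T2=0 (server's choice)
    return bytes([MSG_REPLY]) + b"\x00\x00\x01" + struct.pack(">HH", OPT_IA_PD, len(ia_pd)) + ia_pd

if __name__ == "__main__":
    print(link_local(bytes(7) + b"\x01"))                    # fe80::1
    reply = build_reply([("2001:db8:1234::/48", INFINITY, INFINITY),
                         ("2001:db8:5678::/56", 3600, 7200)])
    for prefix, preferred, valid in delegated_prefixes(reply):
        print(prefix, expires_at(1000, valid), buggy_expires_at(1000, valid))
```

The second printed line for the infinite prefix shows the difference: the corrected function reports no expiry, while the signed reading yields 999, one second before the "now" of 1000 at which the reply was processed.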

Obviously, we are happy to test with other ISPs and make sure we work. IPv6 should "just work" with a default config with any ISP, not just A&A.

Our customer now says IPv6 wastes a lot of time - not because of any difficulty setting up, but because he just spent an hour playing www.loopsofzen.uk which is only on IPv6.

Well done Zen, the world is gradually moving forward. A&A started doing IPv6 in 2002.