2015-11-21

How can terrorists and pedophiles bypass the IPBill?

One of the issues with the Draft Investigatory Powers Bill is how pointless it is, given that its measures can by circumvented easily.

Of course, what I mean is "How can NORMAL PEOPLE THAT WANT TO MAINTAIN SOME PRIVACY IN THEIR OWN HOME bypass the IP Bill"?

So, I'll explain a few ways you can use the Internet and communicate reasonably privately. These are not new. These are explained in guides for journalists and freedom fights in oppressive countries. As an oppressive regime is something the UK is clearly aiming for, it is no surprise that these methods are the same. They can also be found in terrorist manuals, again, unsurprisingly.

Firstly, if you really are a terrorist or a criminal, please stop it now.

Simple instructions - time/place, etc.

If you want to send a simple instruction to your friends, perhaps because you are starting a video game or something, maybe “On est parti on commence.” then there are simple ways to do this and you can easily encrypt that message in totally uncrackable ways without even using a computer (see my simple encryption video). Of course, you can even just pre-arrange that when you say "elephant" in any message, that is the message to get started - you don't need encryption in any way at all. So none of the following really matters if you are sending something really simply like this - you could even use plain old SMS.

Equipment Interference

This is just hacking your computer, but legally! If you are a suspect they may have hacked your machine, or your web cam or whatever, so you are probably stuffed. Using good practice for security and firewalls and sensible use of the Internet may help avoid that happening. You may want good locks on your doors too. The best thing is not to be a suspect in a crime, if you can.

Accessing web pages

The simplest way to access web sites privately is to us Tor. This is a development funded by the US navy originally. You can download a Tor browser and use it. The browsing is bounced around multiple nodes on the Internet, many of which may not be in the UK, and all of that communications is encrypted. Each node only knows the next node, and they do not log anything. Eventually the data leaves an exit node - which could be anywhere in the world, and goes to the web site. The web site does not see your IP address, it sees the exit node's. The browser may leave some fingerprints of who you are, but a Tor browser would try not to. Obviously if you give a web site any details yourself then they will know who you are or claim to be. But the IPBill will only log that you are connecting to random nodes on the Internet, and that maybe you are using Tor. The ISP retention stuff will not show where you went on the Internet.

Using secure sites

Using an https (secure) web site outside the UK should be safe from the content being logged, but the fact you visited the site can be snooped. At present the name of the site may be too, but protocols are improving. Depends if you want to protect the content or meta data.

Sending and receiving email

For the content of email this is easy, get one of the PGP email plug-ins for your mail client. May be listed a GPG or GNUmail or similar. They talk an encrypted email protocol. Read up on handling keys properly and check the keys of your friends are really theirs. This protects the content of the email. Importantly it does not protect the subject line or the from/to email addresses. That could all be logged.

However, there are simple ways to protect the to/from and subject and so on - using encrypted links from your phone/PC to your email servers. This is normal, using imaps and smtps, and many mail services allow this. Or use https to a web mail system. But beware - the mail server may have logs, and if in the UK they could be collected under the IP Bill. To avoid this you need to run your own mail server - which is really not that hard (google it). You also need your friend to run their own mail server too. The snag then is that they can see this encrypted connection between your email server and your friends so assume you are communicating. Using Tor will help hide some of that too.

An alternative is use a common mail server in a sane country and use smtps and imaps to talk to it, and hope that country is not handing over logs to the UK. I don't know if there are email services in North Korea, but if there are you can bet they don't send logs to the UK.

Messaging

There are a number of end to end encrypted messaging apps for phones, but even iMessage should be mostly safe unless Apple get coerced in to unlocking it. All the snooping will show is you are talking to Apple - it may not even be obvious you are using iMessage. There are also Tor messenger that makes use of message systems like irc but encrypts message and hides the parties to the chat channel.

Phone calls

Tricky - some things like Apple FaceTime are as safe as iMessage, to probably quite good. Some apps exist like Signal which help ensure content of calls is secret, but the fact you are using Signal will probably not be. The biggest issue is that any calls to or from the normal phone network are already logged. Same with SMS to or from the normal phone network. Using foreign SIP gateways and a VPNs to get to them could make it hard to link the calls to you though. It depends a little if you just want to protect the content of the calls, or the meta data (the fact you made a call, when, and who to).

VPNs

One on the all encompassing methods it simply to make use of a VPN. This is an encrypted link to some point on the Internet. From there it is normal Internet traffic and all of the above may be useful, but if the VPN endpoint is in another country then that bypasses the IP Bill. The snooping shows only that you connect to that foreign endpoint using a VPN, not what you are doing.

Two main ways to make a VPN. One is to buy a VPN service. There are quite a few now, and some will allow connections via various countries. For a few quid a month you can make all of your Internet go via this.

The other way is to buy a cheap VPS (a virtual server) which is a computer on the Internet, and then install a VPN application on that server. Again, only a few pounds a month. This is then in your total control, but works in the same way. Of course if you and your friends all connect to a dedicated VPN endpoint like this, then the snooping shows you are connected somehow. Using a commercial VPN endpoint will hide that.

Either way you can make your phone or PC talk directly to the VPN endpoint, or you can even get some home routers now that handle IPSec (a VPN protocol) to put your whole house and wifi on the VPN.

The other end

Remember, if you are communicating with anyone, even a web site, the other end sees the communications. If they are compromised, hacked, or simply untrustworthy, they can reveal your communications. In some cases, such as Tor to a web site, they don't know who you are or where you are, but for email and messaging and so on, that is not so easy. Anonymity is a who other area of privacy which I am not going to try and cover here.

Conclusion

Yes, there a load of ways to make the logging in the IP Bill totally pointless. A lot of people would not bother with even these simple steps, but any criminal with any sense whatsoever will be able to hide what they are doing with ease. The real victims of the invasion of privacy will be the innocent citizens of the UK.

However, please, politicians, take this in the way I mean it - as an example that shows the futility of this endeavour. Concentrate the effort and money where it matters - police on the ground - following the leads you already competently get - stopping crime without invading privacy.

Quote of the day from the A&A irc channel:

I actually already do tunnel almost all my internet stuff 
through a VPS, to deal with general local ISP rubbishness (e.g. 
dynamic IP address, lack of IPv6) and very localised 
surveillance/tampering (e.g. a dodgy wifi hotspot) rather than 
to try to hide from the UK government.

15 comments:

  1. There is a downside if a website thinks you are browsing from an "incorrect" country. Yesterday, my wife wanted to listen to the BBC commentary of the tennis but this was not available from my location. But going through a ssh tunnel to the computer at home allowed this.

    Similary, I have had problems with making a credit card payment to an organisation that uses Paypal. From here, the website insists you create a Paypal account to pay with credit card; tunnelling via my computer at home presented the option to pay wihout a Paypal account.

    So using Tor or whatever to browse from outside the UK may have unexpected consequences.

    ReplyDelete
  2. With a mind to the future I tried out Tor for the first time ever this week. I expected browsing to be a little slower but at times it can be tortuously languid. It's not something I could suffer for normal everyday uses. Maybe if you have a fibre connection substantially faster than my 14/15 Mbps adsl 2+ connection it wouldn't be do noticeable, I don't know. I suppose I'll have to fork out for a good VPN to protect against the inevitable secret totalitarian state.

    It's not that I have anything illegal to shield. I just mistrust the stated motives of the duplicitous politicians who, I firmly believe, would happily allow a terrorist attack to succeed in order to justify ever more stringent powers.

    ReplyDelete
    Replies
    1. No, it's terribly slow anyway. The problem isn't bandwidth: the problem is the latency incurred by chopping your stuff up into lots of little pieces and sending it via multiple, multi-hop routes -- you have to wait for the slowest of those multi-hop routes to get back to you.

      Delete
  3. You cant use SIP over tor, tor only allows TCP...

    ReplyDelete
    Replies
    1. SIP can use TCP but the RTP is normally UDP, so you are probably right. You can send over a VPN.

      Delete
  4. "Or use https to a web mail system". I cannot believe you posted that. I've contacted support about that one. Try this link - https://www.aaisp.co.uk/login-email.html - I'll leave it at that!

    ReplyDelete
    Replies
    1. Where did you get that URL? There are plenty of https web mail providers, and we even have https but not on that URL.

      Delete
  5. I just added the 's' to http from the main webmail link, same for http://aa.net.uk/login-email.html (refuses https) - As far as I can see, AA webmail does not support https!? Happy to be proven wrong on that one :)

    ReplyDelete
    Replies
    1. At the moment the main A&A page (which I don't think we ever published as aaisp.co.uk) is not https. The webmail servers do have https though. That page should almost certainly force https and I expect that will be changed this week.

      Delete
    2. Cool :) Whatever link I try with webmail, when I change the the url to httpS (e.g. https://aaisp.net/login-email.html) , I get the connection refused. I've always been surprised that the AA webmail system defaults to http with authentication in the clear etc. Please don't use cacert, I hope letsencrypt.org comes out of beta soon :) As AAISP puts other ISPs to shame, you get held to higher standards ;)

      Delete
    3. Yes, you are trying the main web site using https which does not yet work. The web mail is on one of various servers like h.mail.aa.net.uk which has https using a cacert certificate. However, this will be reviewed this week to make https the default.

      Delete
  6. There's an oral evidence transcript from the Science and Technology Committee, which is quite interesting reading. http://data.parliament.uk/writtenevidence/committeeevidence.svc/evidencedocument/science-and-technology-committee/investigatory-powers-bill-technology-issues/oral/24378.pdf

    You can also submit written submissions to them until the 27th of November, so that might be something: http://www.parliament.uk/business/committees/committees-a-z/commons-select/science-and-technology-committee/news-parliament-2015/investigatory-powers-bill-inquiry-launch-15-16/

    ReplyDelete
    Replies
    1. I read the oral evidence, and will be at Home Office on Tuesday, so depending on how that goes I may make a submission too.

      Delete
  7. Can I get my Firebrick to create a VPN terminated at A&A ?

    ReplyDelete
    Replies
    1. Technically, yes, but in practice we do not have the resources to support everyone using a VPN.

      Also, if you did this, and we were ever subject to a retention or intercept order, it would not help you.

      You need a VPN to another country to escape this Draconian legislation.

      Delete

Comments are moderated purely to filter out obvious spam, but it means they may not show immediately.

Hot tubbing...

I have a hot tub, it came with the house over 3 years ago. Managing a hot tub is complicated, and expensive. The expensive part is the power...