Monday, 23 November 2015

Poisoning the well

One of the things I did say about the Draft Investigatory Powers Bill is that people could easily create false "Internet Connection Records" by sending packets from their machines.

I even suggested that this could be an app or virus people could use, though obviously a simple Tor exit node would create loads of bogus traffic.

It has, however, occurred to me that there are other ways people can be rebellious - if someone includes images in a web site, even 1 pixel by 1 pixel, they will be loaded. Those images can be from anywhere in the Internet - radical web sites, terrorist web sites (do they exist?), porn sites, anything.

Now, it seems the government are quite keen to log the web site name but NOT the full URL, which means that even though this is just an image grab it logs as a "visit" to the site - they cannot tell it was just an image and not something else on the site.

This means people can put these image tags on their web sites, or in HTML emails (even emails sent to politicians) and create false data in the logs.

P.S. As someone else pointed out, some browsers pre-cache links, fetching pages that the user may never visit.

P.P.S. Someone asked why *I* would do this - well, people will have lots of reasons, not least of which is to rebel against the invasion of privacy - but I am also pointing out that criminals can be doing this to make the database less useful.
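
Added example (not part of the original post): a small Python check, from the point of view of someone assessing how much a site-name-only log can prove. It lists the hosts a browser contacts just by rendering a page, including embedded images and prefetched links, and reduces URLs to the host names such a log would keep. The sample page, the .example host names and the function names are all constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags whose URL attribute a browser fetches without any user action.
AUTO_FETCH = {"img": "src", "script": "src", "iframe": "src", "link": "href"}
# <link> is only fetched automatically for these rel values.
LINK_RELS = {"stylesheet", "prefetch", "prerender", "preload", "icon"}


class EmbeddedFetches(HTMLParser):
    """Collect the URLs a browser would request just by rendering a page."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.urls = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        url = attrs.get(AUTO_FETCH.get(tag, ""))
        if not url:
            return
        rels = set((attrs.get("rel") or "").lower().split())
        if tag == "link" and not (LINK_RELS & rels):
            return
        self.urls.append(urljoin(self.page_url, url))


def hostname_records(urls):
    """Reduce full URLs to what a site-name-only log would retain."""
    return sorted({h for u in urls if (h := urlsplit(u).hostname)})


def unrequested_hosts(page_url, html):
    """Hosts contacted by rendering the page, other than the page's own host."""
    parser = EmbeddedFetches(page_url)
    parser.feed(html)
    own = urlsplit(page_url).hostname
    return [h for h in hostname_records(parser.urls) if h != own]


# Constructed sample page; every host is a placeholder .example name.
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="/site.css">
<link rel="prefetch" href="https://news.example/next-article">
</head><body>
<img src="https://unrelated.example/pixel.gif" width="1" height="1">
<a href="https://clicked-only.example/">a plain link, not fetched</a>
</body></html>"""
```

The record left by the 1x1 image is the same host name a deliberate visit to that site would leave, so the log alone cannot separate the two.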

9 comments:

  1. Yes, you could do this, but why would you want to? Do you want to deliberately try and make yourself look like a baddie and / or frustrate the authorities? We would all like the authorities to catch the baddies but at the same time, we'd like to deny them any access to communications data that they might find useful in doing so? Spying and intelligence gathering has been essential for defeating all kinds of enemies for years - Consider the breaking of Enigma at the end of WW2.

    Of course the data they would like to collect would be very raw and not perfect, but it might at least provide some clues and connections (after a lot of "big data" processing) that would be helpful. The fact that the data they want is so raw and imperfect and needs so much processing to glean much useful from it will mean that it has a lot less value as "personal data" for anyone else to steal / use inappropriately. I'm sure most of the criminals in the market for "personal data" would rather go after credit card details, email logins, names and addresses etc rather than the raw data from your browsing history!

    1. Sorry, but for the same reason that if cameras were installed in every room in my house by the government I may walk around with a balaclava on, or spray paint the cameras. It is a huge invasion of privacy to monitor what everyone is doing in their home. Not a hard concept.

    2. There is an irony that the EU and UK have passed laws over web site tracking cookies because we don't want companies collecting loads of "big data" on us, even though all they want to do is more accurately target adverts, but we are happy for ISPs to be forced to do this against our will.

  2. If someone visits a website that hotlinks to one of my photos, they are loading the image from my website. But not only that: because of a redirect triggered by the referer, they are redirected to something else, and that something else is not mentioned in the source code of the original website.

    Hmmm, just thought: could the redirect be made to recurse? Infinite connection records!

    1. Most web browsers recognise recursive redirects and stop them

  3. I'm no fan of mass surveillance either, and I think that arguments against the proposed legislation based on its uselessness also have much validity.

    HOWEVER, it being useless and it being useless in the face of a campaign of wilfully obstructive behaviour are two completely different things (most law enforcement activity relies on the cooperation of the law-abiding, after all).

    By all means, do what you feel necessary to ensure your own privacy, but proposals to create a vast amount of noise look childish at best. Make sure you're not vulnerable to questions about whose side you're on.

    1. Well, I did not say I would be doing this - but people can, and probably will, for all sorts of reasons. The fact it can be done is something to consider in the uselessness and cost of the bill. People do not like being spied on - we have seen this with the backlash over Snowden. That has to be considered.

    2. Something you probably had in mind when you wrote the last sentence of your post - hijacking of ad networks is relatively common (there are usually several layers of re-selling within which all sorts of fun and games can occur).

  4. I like to keep the snoopers busy with a list of words that were supposed to trigger NSA, GCHQ to look more closely, and hping3.

    hping3 -I p3p1 --rand-dest x.x.x.x -i u10000 --udp --data 100 -E words.txt

    Or add --rand-source assuming it will route??
