I have never watched a parliamentary select committee before. It is worse than watching debates in The Lords to be honest, and I have had to start another bottle of whisky...
It is a lot of questions put to the "witnesses", who give answers.
Now, a lot of the answers make sense, but it is not clear that the answers have to actually reflect the bill. They answer saying how things will be done or what processes are in place, even when the actual wording of the bill may not match what they say - as far as I can see. They could waffle and that would be it. Maybe I do not understand the process.
I was rather concerned over the questions regarding encryption. Basically the bill says, in the explanatory notes, that under RIPA a CSP may already be required to be "maintaining the ability to remove any encryption applied by the CSP to whom the notice relates".
This is a big problem - and iMessage is a very good example - someone asked many times how this tackles iMessage and the fact it is end-to-end encryption. The responses were waffle and somewhat contradictory (the classic "encryption is important" and "we must have a way to view terrorists' communications" dilemma).
The question that needs to be clearly asked is "will you ban Apple operating iMessage with end-to-end encryption" and that is key.
I need to track down the clauses in the bill and RIPA.
2015-11-30
Data Retention, Spooks, and National Security
I think that there is perhaps some slight misunderstanding here, and worth clearing up.
The bill has several parts - one part covers bulk intercept of communications and is basically the spying done by the likes of GCHQ. They allegedly have taps on to transatlantic cables and loads of computing power to allow them to look for threats and chase leads and to address "National Security" issues. They already do this (allegedly) and the bill is primarily to put what they do on a more clear legal footing.
I have not really said a lot about that - partly because, like everyone else, I do not know a lot about what they actually do, and partly because the technical issues are sort of their problem. There are, of course, privacy issues, and I have concerns over what they do - but there are bodies like Privacy International and Open Rights Group working on these (and I am helping with that where I can).
The main issues I have been raising are not over the bulk intercept but over data retention. This is where ISPs keep data for up to 12 months to help the authorities. This is almost always normal requests from police forces investigating some normal crimes. Apparently, as I understand it, RIPA requests relating to national security are really rare compared to more normal crimes (which is not a huge surprise).
We have seen how the police handle such requests first hand, both as an ISP and as a victim of a crime, and we have seen how badly they handle the requests and the data.
The snooping that the government want ISPs to do, as opposed to GCHQ doing, is for these types of requests - so that normal police enquiries can get details. This is also the area where knowing every web site you have visited is likely to be very unhelpful (as seen in Denmark).
So accusing my comments of trying to hamper "National Security" is somewhat misguided.
Of course, as I have pointed out many times, the threat from terrorists is absolutely tiny compared to so many other threats and disproportionately treated in legislation like this.
- Security technology is changing, largely to tackle the very real threats of so called "cyber attacks", and this will render both bulk intercept and data retention more and more useless over time.
- Terrorists and criminals are already able to evade both bulk intercept and data retention anyway.
- ISP data retention is not generally related to terrorist investigations and national security anyway - that is more related to GCHQ and bulk intercepts.
- Having ISPs collect and retain this data has cost, privacy, and risks of data being disclosed or misused which far outweigh any benefits.
In my opinion we should scrap forcing ISPs to retain data at all - ISPs will have some data anyway for operational reasons, and once the police understand this technology better they will be better able to use RIPA requests to access the data that is available now. Forcing retention for a long time, and forcing logging and retaining more data is not a good idea.
2015-11-29
Logging DNS lookups
One of the interesting questions in relation to the Draft Investigatory Powers Bill is whether it would allow a retention order to require an ISP to log DNS lookups.
What is a DNS lookup?
The Domain Name System is a key part of the Internet - its primary use being to convert the names you use on web sites (like www.me.uk) to the addresses used within the protocol itself (e.g. 2001:8b0:0:30::51bb:1e51).
It is actually a pretty good distributed database system, and can hold more than simply name to IP address lookups. It can do reverse lookups (IP to name), and hold text records and mail server records, and a number of other record types.
Why would you want to log DNS?
Well, the government have made it clear that they would like to see the web site names people access. Usually, when accessing a web site, before you access it you have to convert the name to an IP address, and hence do a DNS lookup. Trying to extract the name of the web site from the web site access itself is a lot harder than just logging the DNS lookup.
How easy is it to log DNS lookups?
Mostly the ISP runs DNS servers for their customers, and such servers could produce logs. To be honest, that would mean beefing up the servers, as they typically are not logging (it would be a lot of logs). Also it would mean finding a good way to store and search the logs, but it is possible.
What gets a tad more complex is when people do not use the ISP's DNS servers. Normally this is a simple thing to do, and some people use Google's 8.8.8.8 or OpenDNS which can provide some parental control filtering. There are ISPs that do not run DNS at all themselves and subcontract it.
However, DNS packets are not encrypted, and are always on the same port, so it is technically possible to log the requests as they go past. This is a headache to do - you cannot easily divert these packets or copy them on a normal router - you have to look at a switch mirror port of all traffic and filter out the DNS packets. The only good news is that you probably do not have to do session tracking, simply catching the DNS replies would allow you to see the (apparent) requester and the answer they got. You'd also get all DNS reflection attack traffic.
Of course, it is easy to see how protocols could advance to allow encrypted DNS lookups, and I am sure that will come.
Why would people not use their ISP's DNS resolvers?
There are lots of reasons, but one of the reasons that is increasing a lot is because bypassing ISP DNS resolvers can bypass the ISP's ability to block access to some web sites in some cases. It is somewhat ironic that the government's moves to try and ban porn, copyright infringement, and extreme content are making the public at large much more tech-savvy in ways to bypass the controls of the ISPs, and hence also logging.
Should DNS lookup logging be allowed?
This is where it gets tricky! In the telephony world a call to Directory Enquiries is essentially the same function as a DNS lookup - however telcos are not expected to record, listen to, and log the content of that call any more than they can log the content of any other call. So it seems obvious that DNS requests should not be logged.
Will the bill allow DNS lookups to be logged?
The bill tries to define content and metadata (communications data) - which is a complex task. In principle, an "identifier" or data about a communications address is considered metadata and so could be logged. On that basis, maybe they could ask to log the content of these DNS lookups.
The problem is that DNS can be used for more than just a name/IP lookup. Only some types of DNS request will come within that somewhat loose definition of communications data. Any other type of lookup would be "content" which the ISP must definitely not be logging and retaining.
Even more complex is that you do not know for sure that a name/IP lookup is actually being used to look up a protocol address. The IP address returned could be used to signal something else - one common usage is a blacklist lookup. This is using DNS as a database query system, and the reply indicates a yes or no, and not actually an IP address, even though it looks like an IP address is returned.
Ultimately the ISP has no way to know for sure what purpose exists for the DNS lookup - it is simply a database. With that in mind, and with a ban on logging the "content", I do not think any ISP could legally log the content of DNS lookups under a retention order.
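To make the "it is simply a database" point concrete, here is an added example (my own illustration, not code from the original post or from A&A) of what a passive DNS logger on a mirror port would actually have to do: decode DNS replies off the wire and record the name, record type and answer. It builds its own sample packets rather than capturing anything; the only value taken from the post is the www.me.uk IPv6 address, while 192.0.2.10, the dnsbl.example zone, host.example and the TXT record are constructed. The decoder treats A, AAAA and PTR answers as the "identifier-like" records the loose definition might cover, and everything else as content, and then shows that a blacklist-style A answer is indistinguishable from a real address lookup apart from a convention (127.0.0.0/8) the logger can only guess at.

```python
import struct
import ipaddress

# Record types used below (RFC 1035; AAAA from RFC 3596).
TYPE_A, TYPE_PTR, TYPE_TXT, TYPE_AAAA = 1, 12, 16, 28
TYPE_NAMES = {TYPE_A: "A", TYPE_PTR: "PTR", TYPE_TXT: "TXT", TYPE_AAAA: "AAAA"}

def encode_name(name):
    """Dotted name -> uncompressed DNS labels (used only to build the samples)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_response(txid, qname, qtype, rdata):
    """Constructed one-question, one-answer response. The answer name is a
    compression pointer (0xC00C) back to the question name at offset 12."""
    header = struct.pack(">HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR, RD, RA set
    question = encode_name(qname) + struct.pack(">HH", qtype, 1)
    answer = b"\xc0\x0c" + struct.pack(">HHIH", qtype, 1, 300, len(rdata)) + rdata
    return header + question + answer

def read_name(packet, offset):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = packet[offset]
        if length & 0xC0 == 0xC0:            # compression pointer
            if end is None:
                end = offset + 2             # caller resumes after the pointer
            hops += 1
            if hops > 64:                    # malformed packet: pointer loop
                raise ValueError("compression pointer loop")
            offset = struct.unpack(">H", packet[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if end is not None else offset)

def decode_response(packet):
    """Parse the header, the single question and all answers into log records."""
    _, flags, _, ancount, _, _ = struct.unpack(">HHHHHH", packet[:12])
    if not flags & 0x8000:
        raise ValueError("not a response")
    qname, offset = read_name(packet, 12)
    offset += 4                              # skip QTYPE and QCLASS
    records = []
    for _ in range(ancount):
        _, offset = read_name(packet, offset)
        rtype, _, _, rdlen = struct.unpack(">HHIH", packet[offset:offset + 10])
        offset += 10
        rdata = packet[offset:offset + rdlen]
        if rtype == TYPE_A:
            value = str(ipaddress.IPv4Address(rdata))
        elif rtype == TYPE_AAAA:
            value = str(ipaddress.IPv6Address(rdata))
        elif rtype == TYPE_PTR:
            value, _ = read_name(packet, offset)           # RDATA is itself a name
        elif rtype == TYPE_TXT:
            value = rdata[1:1 + rdata[0]].decode("ascii")  # first <len><chars> string
        else:
            value = rdata.hex()
        offset += rdlen
        records.append({"qname": qname, "type": TYPE_NAMES.get(rtype, str(rtype)), "value": value})
    return records

def classify(record):
    """The post's loose rule: name<->address records look like 'identifiers';
    anything else is plainly content. Neither tells you the lookup's purpose."""
    return "identifier-like" if record["type"] in ("A", "AAAA", "PTR") else "content"

def looks_like_dnsbl_signal(record):
    """Heuristic only: blacklist answers are conventionally in 127.0.0.0/8,
    so an A record there is a yes/no signal, not a host anyone will connect to."""
    return record["type"] == "A" and ipaddress.IPv4Address(record["value"]) in ipaddress.IPv4Network("127.0.0.0/8")

# Constructed sample traffic. Only the www.me.uk IPv6 address comes from the post.
SAMPLES = [
    build_response(1, "www.me.uk", TYPE_AAAA, ipaddress.IPv6Address("2001:8b0:0:30::51bb:1e51").packed),
    build_response(2, "www.me.uk", TYPE_A, bytes([192, 0, 2, 10])),            # TEST-NET-1 address
    build_response(3, "4.3.2.1.dnsbl.example", TYPE_A, bytes([127, 0, 0, 2])),  # hypothetical blacklist
    build_response(4, "10.2.0.192.in-addr.arpa", TYPE_PTR, encode_name("host.example")),
    build_response(5, "_policy.example", TYPE_TXT, b"\x0dv=constructed"),
]

def log_samples():
    """What a passive logger on a mirror port would be able to record."""
    rows = []
    for pkt in SAMPLES:
        for rec in decode_response(pkt):
            rec["class"] = classify(rec)
            rec["dnsbl_like"] = looks_like_dnsbl_signal(rec)
            rows.append(rec)
    return rows

if __name__ == "__main__":
    for row in log_samples():
        print(row)
```

Run stand-alone it prints one row per sample. The blacklist query (sample 3) is classed "identifier-like" exactly as the real www.me.uk lookup is, and only the 127.0.0.2 convention hints that it is a database answer; a blacklist that returned addresses outside that range would be completely invisible to this test, which is the point made above about the ISP having no way to know the purpose of a lookup.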
How would we know?
One huge problem here is that if this is not clear in the bill, once passed an ISP could be asked to log DNS requests. If they don't appeal that, they end up making and retaining such logs. If that is in fact not allowed (and presumably even one logged request which was not a protocol "identifier" would make it illegal) then that could cause problems. The issue here is nobody knows - the retention order is secret.
Indeed this is a more general issue with the secrecy - the definitions are not crystal clear and if the government decide something is in scope of "communications data" they could include it in a retention order and simply get away with it. One example was the idea of grabbing from emails the details of calendar events. These seem obviously to be "content", except that they define the time of an event, and that is something that is defined as "communications data" in the bill. The fact that it was within the "content" part of an email may not matter. This is yet another reason that retention orders must not be secret.
What did the Home Office say?
They seemed unsure. As per my written evidence I think this needs spelling out in the bill that DNS lookups must not be logged.
2015-11-26
Snooper's Charter 101 Please share
There is a law that is being considered right now, and may be proper law some time next year.
You should care about it! You can help fix it!
It tries to update some of the existing laws, and make legal some of the stuff done by our "intelligence services". You know, James Bond stuff, except they don't just spy on our enemies (who exactly are they?) they spy on us as well.
It also tries to make some new powers to help the police. In theory these might help the police, and in general I am all in favour of helping the police, but it is not that simple.
Might be worth a small bit of history - phone systems. Originally they were a bit mechanical, and even had operators at the start. Charging for calls used a "meter" that clocked up units. That was it. But things got smarter and people understandably wanted to know where all these units of charge came from, so the phone companies started logging the calls you made and created the wonder that is Itemised Phone Bills. We kind of take them for granted now, but I am old enough to remember a time when we did not have them. This was all done for the benefit of the phone company and arguably their customers.
The fun then starts - the police realise that they can ask the phone company (there was only one) for details of phone calls made from a phone. In some cases this is really useful to some investigations. Later they were even able to ask about calls made to a phone, which is also useful. Of course, even before these itemised phone bills they could ask to "wire tap" a line so they could listen in. At one time this really meant connections to the physical line. This was for serious criminal suspects, obviously.
These days it has got more complex. There are mobile phones, and the police can ask where phones were (at least based on cell towers). As time has gone on, the technology to "snoop" on us all has improved a lot.
The big concern is where the line is drawn - how much snooping is too much, and there is a really big fear now that we are getting to that point. There is a bit of a clue when new laws actually have clauses to exclude MPs - even they feel that this would be too far for their comfort. The fact that someone knows the location of your phone, and hence probably you, every minute of the day for the last year is a tad scary.
Where do we not have privacy?
When we are out in public, we expect that the public can see us, and hear us, and know where we are.
Usually we only expect a few people to be able to see us, but they can tell others, so overall the idea that there are cameras all over the place is no huge surprise really.
Basically, we don't have an expectation of privacy, that is what "being in public" means.
The laws on photography are also quite clear - as a photographer I can take a picture of pretty much anything and anyone from a public place - I am just recording what I myself am quite legally allowed to see. (Yes, there are a few caveats on that, but not the point here)
When we are at home, or pretty much anywhere behind closed doors, we expect privacy.
Now there are those that say "if you have nothing to hide you have nothing to fear", which is, to be frank, bullshit. None of those people want a public web cam in their toilet or bedroom, strangely enough, and they won't tell me their card details and first pet's name either.
So, I think we can agree that whilst some things we do are not basically private where we have no right to privacy, there are places where we can go and things we can do where we expect privacy and to be quite frank we are entitled to it.
So how does this new law cross the line?
These days when in private we may use technology a lot - phones, computers, TVs, games consoles, and all connected to the Internet. What we do on the Internet says a lot about us.
Now, with phone call records, the content of the call is not logged by the phone company. Unless you are a targeted suspect of a serious crime your calls are not being tapped, or at least should not be.
The problem is that what we do on the Internet is a lot more revealing about us than what phone calls we make. Privacy International have loads on this (here) and a great video on metadata, which is supposed to be the what, when, who, how, but not the content of what you do on the Internet.
The new law wants to collect a lot of this metadata about all of your Internet access. What is worse is that they want your Internet Service Provider to collect it and store it for a year and make it available to the authorities if they ask. Do you trust that your ISP will not get hacked? Even if they are pretty good now, they will become a juicy target for hacking very soon.
Don't they need this to keep us safe?
There are bound to be cases where knowing everything about everyone can help stop a crime, and if that is what you want then we really should go for cameras in your toilet and bedroom. There is a trade off to be had between the rights we enjoy, the way of life we want to live - with that degree of privacy, and with keeping us safe.
But let's try some facts here shall we...
- Terrorist attacks, one of the main justifications for all of this, remain one of the lowest threats to your life. There are way more people that died from suicide because of changes to the "Fit to work" assessments than died in recent terrorist attacks in Europe. The justification is scaremongering and bogus. Let me be clear - I do not need protecting from terrorists! What I need is protection from heart disease, cancer, and car accidents.
- The recent terrorist attacks did not lack this data - they had suspects and even had people under surveillance - the area we need to focus on is not "getting the data" it is what we do when we have it. In fact, having more data will make things harder.
But it gets worse - the Internet is just not like the phone network, and the logs they want don't exist. What logs they can get are likely to be unhelpful (they seem confused that a phone does not just connect to twitter, but actually stays connected all day every day). And over time they will get less and less data as changes in the Internet make it more secure (to combat criminals).
It is also true that criminals can cover their tracks with ease. Simply using secure messaging systems like iMessage helps, and with a bit of googling you can be way more secure. So the real targets, the serious criminals and the terrorists, can hide already and always will be able to hide.
What can you do?
One is to spread the word - share and repost this blog to your friends. I have a lot of techie friends and they really get this already - what we need is all of the normal people, the non techies, the people fooled by the "Think of the children" news headlines. People need to think - do I really need the government, and worse, my ISP, spying on me?
Secondly, and this is more work, which is why spreading the word is important, contact your MP now and tell them you are unhappy about this. If you really want, look at my other blog posts and you'll find out a lot more, and even how to formally respond to the consultation and evidence processes, as I have done.
You can also contact people like the Open Rights Group, tell them how you feel. Join up, and stand up for some of these last remaining rights which we all enjoy before they get eaten away bit by bit. AAISP are a corporate sponsor. All that is necessary for the triumph of evil is that good men do nothing.
2015-11-25
Home Office meeting re IPBill
Thanks to the Internet Services Providers' Association (ISPA) I got the chance to visit the Home Office yesterday and hear their briefing on the Draft Investigatory Powers Bill and ask lots of questions. There were a number of small ISPs at the meeting. Obviously these are my views as I don't speak for ISPA.
Firstly, as you can imagine, security is pretty tight. There was an X-ray screening, and a two door air-lock entrance thing to get in, and constant escorts, and locking up phones, laptops, and any recording devices on a separate floor before going to the meeting. Obviously I was told to bring photo ID, and as I got to the desk I went to get my driving licence when the receptionist said "Ah, I can see your photo ID" and handed me my visitor's pass and sent me on my way. They even let me keep my pen knife. Yes, I got in on my work's photo ID around my neck, which I printed myself on the work Matica card printer - I could have been anyone!
However, apart from that amusement, things were quite interesting. We asked a lot of questions around data retention - this is one of the main areas of concern for small ISPs as the bill seems to allow an order to retain data that could only be obtained by somewhat expensive deep packet inspection (DPI) equipment. It also does not say we'd get paid for this kit, just that the "contribution" would not be "nil".
What we heard was somewhat "civil servant" waffle, but overall was quite reassuring. They basically said they already have retention orders with the large ISPs under the existing regime, and would expect to serve new orders only on them. They have already discussed with them what they could retain. They even said that an ISP would not be expected to log things for which they don't have the capability, or to log any "third party data", or "over the top services". From what we can tell, the logging of "Internet Connection Records" would come from operators that have web proxies and/or CGNAT equipment. They also said they currently do 100% cost recovery and intend to keep that the same.
Of course, they could not rule anything out. We basically said we need some of that re-assurance on the face of the bill somehow (see my written evidence at the end of this post for more details of what I would like). The key points in the bill now are that they do have to consider cost and impact on the ISP's business when making an order, and they do have to consult us first. That should probably rule out doing any DPI stuff on cost grounds. Mind you, after yesterday, I would be surprised if A&A do not have a red flag and "don't go near with a retention order"...
At the start of the briefing the bill was explained, and we heard a story very similar to Theresa May's comments along the lines of:-
"Consider the case of a teenage girl going missing. At present we can ask her mobile provider for call records before she went missing which could be invaluable to finding her. But for Internet access, all we get is that the Internet was accessed 300 times. What would be useful would be to know she accessed twitter just before she went missing in the same way as we could see she made a phone call"
Now, I am sure this is a well practised speech, used many times before. I am sure the response has been nodding of heads and agreement with how important “Internet connection records” are, obviously.
However, I, and other ISPA members immediately pointed out the huge flaw in this argument. If the mobile provider was even able to tell that she had used twitter at all (which is not as easy as it sounds), it would show that the phone had been connected to twitter 24 hours a day, and probably Facebook as well. This is because the very nature of messaging and social media applications is that they stay connected so that they can quickly alert you to messages, calls, or amusing cat videos, without any delay.
This seemed to fool them somewhat and they had no real answer - we were not just nodding and agreeing, and that was unexpected :-)
I asked about Data Protection Act Subject Access Requests for retention data, and they don't know.
We asked if DNS logs might be wanted, and they don't know.
I asked about my canary and if the law could compel me to lie - they could not answer that either.
We asked what an "Internet Connection Record" is meant to be, and they confirmed that it is basically down to what they agree with the ISP when they do the consultation before they make a retention order, and will depend on what the ISP can log. We all expressed concern that the bill makes out that an "Internet Connection Record" is a real "thing" and not just some vague term.
I asked about the gagging clause - not allowed to disclose retention orders, and they said the large ISPs asked for that clause, which makes no sense as they could simply choose not to disclose anything.
I asked if the audio content of telephone calls to directory enquiries counted as "content" and not "communications data" and if so, whether the content of DNS packets should be treated the same. They were very non-committal on that and I wonder if they will be wanting DNS logging. One ISP there outsources DNS to an American company so would have no logs!
I pointed out that if asked to log email I can simply move email to a foreign email service to avoid the hassle. That caught them out - almost like they have never considered that anyone would do that.
Overall - it looks like small ISPs probably have nothing to worry about, but...
Firstly, as you can imagine, security is pretty tight. There was an X-ray screening, and a two door air-lock entrance thing to get in, and constant escorts, and locking up phones, laptops, and any recording devices on a separate floor before going to the meeting. Obviously I was told to bring photo ID, and as I got to the desk I went to get my driving licence when the receptionist said "Ah, I can see your photo ID" and handed me my visitor's pass and sent me on my way. They even let me keep my pen knife. Yes, I got in on my work's photo ID around my neck, which I printed myself on the work Matica card printer - I could have been anyone!
However, apart from that amusement, things were quite interesting. We asked a lot of questions around data retention - this is one of the main areas of concern for small ISPs as the bill seems to allow an order to retain data that could only be obtained by somewhat expensive deep packet inspection (DPI) equipment. It also does not say we'd get paid for this kit, just that the "contribution" would not be "nil".
What we heard was somewhat "civil servant" waffle, but overall was quite reassuring. They basically said they already have retention orders with the large ISPs under the existing regime, and would expect to serve new orders only on them. They have already discussed with them what they could retain. They even said that an ISP would not be expected to log things for which they don't have the capability, or to log any "third party data", or "over the top services". From what we can tell, the logging of "Internet Connection Records" would come from operators that have web proxies and/or CGNAT equipment. They also said they currently do 100% cost recovery and intend to keep that the same.
Of course, they could not rule anything out. We basically said we need some of that re-assurance on the face of the bill some how (see my written evidence at the end of this post for more details of what I would like). The key points in the bill now are that they do have to consider cost and impact on the ISPs business when making an order, and they do have to consult us first. That should probably rule out doing any DPI stuff on cost grounds. Mind you, after yesterday, I would be surprised if A&A do not have a red flag and "don't go near with a retention order"...
At the start of the briefing the the bill was explained, and we heard a story very similar to Theresa May’s comments along the lines of:-
“Consider the case of a teenage girl going missing. At present we can ask her mobile provider for call records before she went missing which could be invaluable to finding her. But for Internet access, all we get is that the Internet was accessed 300 times. What would be useful would be to know she accessed twitter just before she went missing in the same way as we could see she make a phone call”
Now, I am sure this is a well practised speech, used many times before. I am sure the response has been nodding of heads and agreement with how important “Internet connection records” are, obviously.
However, I, and other ISPA members immediately pointed out the huge flaw in this argument. If the mobile provider was even able to tell that she had used twitter at all (which is not as easy as it sounds), it would show that the phone had been connected to twitter 24 hours a day, and probably Facebook as well. This is because the very nature of messaging and social media applications is that they stay connected so that they can quickly alert you to messages, calls, or amusing cat videos, without any delay.
This seemed to fool them somewhat and they had no real answer - we were not just nodding and agreeing, and that was unexpected :-)
I asked about Data Protection Act Subject Access Requests for retention data, and they don't know.
We asked if DNS logs might be wanted, and they don't know.
I asked about my canary and if the law could compel me to lie - they could not answer that either.
We asked what an "Internet Connection Record" is meant to be, and they confirmed that it is basically down to what they agree with the ISP when they do the consultation before they make a retention order, and will depend on what the ISP can log. We all expressed concern that the bill makes out that an "Internet Connection Record" is a real "thing" and not just some vague term.
I asked about the gagging clause - not allowed to disclose retention orders, and they said the large ISPs asked for that clause, which makes no sense as they could simply choose not to disclose anything.
I asked if the audio content of telephone calls to directory enquiries counted as "content" and not "communications data" and if so, whether the content of DNS packets should be treated the same. They were very non-committal on that and I wonder if they will be wanting DNS logging. One ISP there outsources DNS to an American company so would have no logs!
I pointed out that if asked to log email I can simply move email to a foreign email service to avoid the hassle. That caught them out - almost like they have never considered that anyone would do that.
Overall - it looks like small ISPs probably have nothing to worry about, but...
- We'd like that a lot clearer on the face of the bill
- None of this addresses the privacy issues, but I have been invited to working group on that in a few weeks.
There is a call for written evidence - here is what I have submitted (pdf).
P.S. No, I did not see Theresa; No, they did not hypnotise me; No, I have not yet wiped my phone after being in their hands for two hours... yet; Yes, they had coffee and biscuits; No, I don't think Theresa is a goa'uld; No we have never been and are not subject to a retention order; No we have no "black boxes" of any colour.
2015-11-24
Changes to IP Bill?
What changes would I like to see to the Draft Investigatory Powers Bill - particularly with regard to data retention?
Obviously I'd like it dropped, but given the push on this in DRD, and DRIPA, I can see that may be a challenge, so simple changes :-
- I'd like to see transparency of retention orders - they are not specific to individuals or cases and so have no reason to be secret - however, sharing the details between ISPs helps establish best practice, common solutions, and so on. We need the gagging provisions dropped for these.
- I'd like to see retention only apply to data which the ISP is already logging to some durable medium, or that is reasonably practical to do so. I.e. existing logs but kept for up to a year. This would greatly simplify what was logged. This does mean that email and VoIP and so on end up kept for a year if logged at present, and if the services are provided in the UK.
- I'd like to see the "processed or generated" clause be included as per previous regulations, but also "processed" exclude "simple passes through". A definition such as "data is only 'processed' if it is logged already or used in some part of a decision process by the CPs systems". This stops us having to look deeper in to any packet than we already do, and hence avoids the possibly huge cost of DPI equipment, and risk of third party control of such kit and feature creep of logged data.
What would this mean? Well, it would not stop all of the intrusions in to privacy, and it would mean :-
- Anyone using any UK email server will have their emails logged
- Anyone using any UK VoIP server will have their calls logged
- Anyone using a CP that operates a transparent web proxy, as some mobile providers do, will have some of their web pages (not full URL, just site name) logged
However, it also means that the logging is even easier to bypass. A&A can, for example, stop providing email in the UK and move to a foreign data centre and company - bingo, no hassle with logging. We could do the same with VoIP, but getting it to be on the bills may be harder - perhaps a link to an off shore https that provides the itemised bills. We don't run a web proxy so no logging there. Transparency of orders would allow end users to choose ISP based on the level of snooping without the small extra hassle of having to VPN or Tor everything.
I am not trying to make the provisions useless - IMHO they already are useless, as criminals can use Tor and VPN and many other measures. I am trying to make it easier for normal innocent citizens to have the same level of privacy as those criminals without quite as much hassle (not that such things are a lot of hassle).
2015-11-23
Poisoning the well
One of the things I did say about the Draft Investigatory Powers Bill is that people could easily create false "Internet Connection Records" by sending packets from their machines.
I even suggested that this could be an app or virus people could use, though obviously a simple Tor exit node would create loads of bogus traffic.
It has, however, occurred to me that there are other ways people can be rebellious - if someone includes images in a web site, even 1 pixel by 1 pixel, they will be loaded. Those images can be from anywhere in the Internet - radical web sites, terrorist web sites (do they exist?), porn sites, anything.
Now, it seems the government are quite keen to log the web site name but NOT the full URL, which means that even though this is just an image grab it logs as a "visit" to the site - they cannot tell it was just an image and not something else on the site.
This means people can put these image tags on their web sites, or in HTML emails (even emails sent to politicians) and create false data in the logs.
P.S. As someone else pointed out, some browsers pre-cache links, fetching pages that the user may never visit.
P.P.S. Someone asked why would *I* do this - well people will have lots of reasons, not least of which is to rebel against the invasion of privacy - but I am also pointing out that criminals can be doing this to make the database less useful.
2015-11-21
How can terrorists and pedophiles bypass the IPBill?
One of the issues with the Draft Investigatory Powers Bill is how pointless it is, given that its measures can be circumvented easily.
Of course, what I mean is "How can NORMAL PEOPLE THAT WANT TO MAINTAIN SOME PRIVACY IN THEIR OWN HOME bypass the IP Bill"?
So, I'll explain a few ways you can use the Internet and communicate reasonably privately. These are not new. These are explained in guides for journalists and freedom fighters in oppressive countries. As an oppressive regime is something the UK is clearly aiming for, it is no surprise that these methods are the same. They can also be found in terrorist manuals, again, unsurprisingly.
Firstly, if you really are a terrorist or a criminal, please stop it now.
Simple instructions - time/place, etc.
If you want to send a simple instruction to your friends, perhaps because you are starting a video game or something, maybe “On est parti on commence.” then there are simple ways to do this and you can easily encrypt that message in totally uncrackable ways without even using a computer (see my simple encryption video). Of course, you can even just pre-arrange that when you say "elephant" in any message, that is the message to get started - you don't need encryption in any way at all. So none of the following really matters if you are sending something really simply like this - you could even use plain old SMS.
Equipment Interference
This is just hacking your computer, but legally! If you are a suspect they may have hacked your machine, or your web cam or whatever, so you are probably stuffed. Using good practice for security and firewalls and sensible use of the Internet may help avoid that happening. You may want good locks on your doors too. The best thing is not to be a suspect in a crime, if you can.
Accessing web pages
The simplest way to access web sites privately is to use Tor. This is a development funded by the US navy originally. You can download a Tor browser and use it. The browsing is bounced around multiple nodes on the Internet, many of which may not be in the UK, and all of that communication is encrypted. Each node only knows the next node, and they do not log anything. Eventually the data leaves an exit node - which could be anywhere in the world, and goes to the web site. The web site does not see your IP address, it sees the exit node's. The browser may leave some fingerprints of who you are, but a Tor browser would try not to. Obviously if you give a web site any details yourself then they will know who you are or claim to be. But the IPBill will only log that you are connecting to random nodes on the Internet, and that maybe you are using Tor. The ISP retention stuff will not show where you went on the Internet.
Using secure sites
Using an https (secure) web site outside the UK should be safe from the content being logged, but the fact you visited the site can be snooped. At present the name of the site may be too, but protocols are improving. Depends if you want to protect the content or meta data.
Sending and receiving email
For the content of email this is easy, get one of the PGP email plug-ins for your mail client. It may be listed as GPG or GNUmail or similar. They talk an encrypted email protocol. Read up on handling keys properly and check the keys of your friends are really theirs. This protects the content of the email. Importantly it does not protect the subject line or the from/to email addresses. That could all be logged.
However, there are simple ways to protect the to/from and subject and so on - using encrypted links from your phone/PC to your email servers. This is normal, using imaps and smtps, and many mail services allow this. Or use https to a web mail system. But beware - the mail server may have logs, and if in the UK they could be collected under the IP Bill. To avoid this you need to run your own mail server - which is really not that hard (google it). You also need your friend to run their own mail server too. The snag then is that they can see this encrypted connection between your email server and your friend's, and so assume you are communicating. Using Tor will help hide some of that too.
An alternative is to use a common mail server in a sane country and use smtps and imaps to talk to it, and hope that country is not handing over logs to the UK. I don't know if there are email services in North Korea, but if there are you can bet they don't send logs to the UK.
Messaging
There are a number of end to end encrypted messaging apps for phones, but even iMessage should be mostly safe unless Apple get coerced in to unlocking it. All the snooping will show is you are talking to Apple - it may not even be obvious you are using iMessage. There is also Tor Messenger, which makes use of messaging systems like IRC but encrypts messages and hides the parties to the chat channel.
Phone calls
Tricky - some things like Apple FaceTime are as safe as iMessage, so probably quite good. Some apps exist like Signal which help ensure content of calls is secret, but the fact you are using Signal will probably not be. The biggest issue is that any calls to or from the normal phone network are already logged. Same with SMS to or from the normal phone network. Using foreign SIP gateways and VPNs to get to them could make it hard to link the calls to you though. It depends a little if you just want to protect the content of the calls, or the meta data (the fact you made a call, when, and who to).
VPNs
One of the all-encompassing methods is simply to make use of a VPN. This is an encrypted link to some point on the Internet. From there it is normal Internet traffic and all of the above may be useful, but if the VPN endpoint is in another country then that bypasses the IP Bill. The snooping shows only that you connect to that foreign endpoint using a VPN, not what you are doing.
Two main ways to make a VPN. One is to buy a VPN service. There are quite a few now, and some will allow connections via various countries. For a few quid a month you can make all of your Internet go via this.
The other way is to buy a cheap VPS (a virtual server) which is a computer on the Internet, and then install a VPN application on that server. Again, only a few pounds a month. This is then in your total control, but works in the same way. Of course if you and your friends all connect to a dedicated VPN endpoint like this, then the snooping shows you are connected somehow. Using a commercial VPN endpoint will hide that.
Either way you can make your phone or PC talk directly to the VPN endpoint, or you can even get some home routers now that handle IPSec (a VPN protocol) to put your whole house and wifi on the VPN.
The other end
Remember, if you are communicating with anyone, even a web site, the other end sees the communications. If they are compromised, hacked, or simply untrustworthy, they can reveal your communications. In some cases, such as Tor to a web site, they don't know who you are or where you are, but for email and messaging and so on, that is not so easy. Anonymity is a whole other area of privacy which I am not going to try and cover here.
Conclusion
Yes, there are a load of ways to make the logging in the IP Bill totally pointless. A lot of people would not bother with even these simple steps, but any criminal with any sense whatsoever will be able to hide what they are doing with ease. The real victims of the invasion of privacy will be the innocent citizens of the UK.
However, please, politicians, take this in the way I mean it - as an example that shows the futility of this endeavour. Concentrate the effort and money where it matters - police on the ground - following the leads you already competently get - stopping crime without invading privacy.
Quote of the day from the A&A irc channel:
I actually already do tunnel almost all my internet stuff through a VPS, to deal with general local ISP rubbishness (e.g. dynamic IP address, lack of IPv6) and very localised surveillance/tampering (e.g. a dodgy wifi hotspot) rather than to try to hide from the UK government.
Cost of Data Retention
The Draft Investigatory Powers Bill has a requirement for ISPs to retain data, but the wording is so woolly it could literally be any data.
One of the important points to be debated about the bill is the cost impact. Obviously people are asking what the cost of retention will be. Unfortunately I don't know, because unless, and until, we get a secret retention order, we don't know what is expected of us. Even if other ISPs get orders, we will not know as they are secret.
So we need to get a handle on what they intend. Unfortunately it is more important than that though - it is not just what they intend, but that intention has to be then put in the bill. If not, then the second the bill passes the secret orders could be very different and have totally different costs to those debated in parliament before the bill passes. If even the politicians are honest (choke!) a change of government puts someone else in charge and they can use the act based on what it says, not what the intentions were. What is worse, as they are secret, nobody will know that the orders are not as per the intentions explained to parliament.
To try and put this in to some sort of logical order, I have listed below some of the things that could possibly be requested and an idea of complexity. What would be useful is to know which of these they are after, and have that written in to the bill now.
Keeping existing logs for a year
Some things an ISP already logs. Examples are email server logs, or call server logs. If the ISP already logs something to a durable medium such as a hard disk, and keeps those logs for a period (a few days for email logs, for example), then simply asking that they keep the logs for a year, and provide a means to access via RIPA requests, is not too hard. It has some costs (bigger hard disks), but is technically relatively simple. I am not too worried if such orders are made, especially because we could move such services outside the UK if we did not wish to make logs at all.
Making some new logs
In some cases an ISP will have equipment which has some means of creating some logs, but they don't log at present. Assuming the equipment is capable of making logs that can be stored in some durable medium, then it could be possible to turn on that logging and keep those logs and have them for a year. This is slightly more work. If the logs are particularly sensitive data, the ISP may have to have extra security measures that would not be present if simply "not logging" as now. It is a step further than just keeping existing logs, but may be possible.
New equipment to make more logs
There are ways in which some equipment can create additional logging, such as sampled IP headers. This is usually used for network diagnostics, things like working out where a denial of service attack is coming from and going to or planning network upgrades or configuration changes. It may not be enough to be that useful for intelligence services as it is more statistical than a proper connection log, but it may be. Installing new equipment or upgrading existing equipment may be possible to provide this sort of additional logging. This will have some costs for the new equipment, and again for the logging itself, so is a step further. The cost will somewhat depend on the extent of logging required. In the case of A&A, one of the big costs in any new equipment is the fact that the rack in question is full and the data centre in question has no spare racks - that could make installing one cheap piece of kit very very expensive.
Logging TCP sessions, UDP exchanges, etc.
It could be that they would like a log of all "sessions". Note that a "session", or "Internet Connection" is not a hard concept - it exists for TCP, but not for UDP or ICMP. It sort of exists for IPSec with key negotiation. For some protocols like SCTP or MOSH it is somewhat more complex as the single "connection" can change endpoints like Trigger's broom and stay up for years. Even with TCP, a "connection" could last days or months or years - it could be that when the session ends and is logged it is already older than the 12 month period of logging. Just trying to define what a "connection" is will be hard, but some sort of Deep Packet Inspection (DPI) kit could track sessions. This is very expensive on any scale at all - ISPs' routers use specialised hardware (ASICs) to keep up with just forwarding packets - to track "connections" is a lot more work and cost.
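To make the "what is a connection" problem concrete, here is an added example (not from the original post, and not A&A's logging) of a minimal flow tracker over constructed packet headers. It assumes an idle timeout for UDP/ICMP, since those protocols define no session, closes TCP flows on the first FIN or RST, and flags records whose connection started before the 12 month window that applies when they are finally written; the addresses are documentation ranges.

```python
from dataclasses import dataclass

UDP_IDLE_TIMEOUT = 60.0            # assumed: UDP/ICMP have no session, so one must be invented
RETENTION_SECONDS = 365 * 86400.0  # the 12 month period discussed in the post

@dataclass
class Packet:
    ts: float
    proto: str       # "tcp", "udp" or "icmp"
    src: str
    sport: int       # 0 for icmp
    dst: str
    dport: int
    flags: str = ""  # TCP flag letters: S, A, F, R

@dataclass
class Record:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    start: float
    end: float
    packets: int
    start_known: bool  # False if the flow was already running when logging began
    reason: str        # "fin", "rst", "idle" or "reused"

@dataclass
class Flow:
    first: Packet      # first packet seen, taken as the initiator
    last: float
    packets: int
    start_known: bool

def flow_key(p):
    # direction-insensitive 5-tuple so both halves of a conversation share one flow
    ends = sorted([(p.src, p.sport), (p.dst, p.dport)])
    return (p.proto, ends[0], ends[1])

class ConnectionLogger:
    def __init__(self):
        self.flows = {}

    def _close(self, key, flow, end, reason):
        f = self.flows.pop(key).first
        return Record(f.proto, f.src, f.sport, f.dst, f.dport, f.ts, end,
                      flow.packets, flow.start_known, reason)

    def observe(self, p):
        """Feed one packet header; return the records (0 or 1) it completes."""
        out, key = [], flow_key(p)
        is_syn = p.proto == "tcp" and "S" in p.flags and "A" not in p.flags
        flow = self.flows.get(key)
        if flow is not None and is_syn:
            out.append(self._close(key, flow, p.ts, "reused"))  # 5-tuple reused: end the old one
            flow = None
        if flow is None:
            # a TCP flow first seen without a SYN was already running: its true start is unknown
            flow = self.flows[key] = Flow(p, p.ts, 0, p.proto != "tcp" or is_syn)
        flow.last, flow.packets = p.ts, flow.packets + 1
        if p.proto == "tcp" and ("F" in p.flags or "R" in p.flags):
            # simplification: close on the first FIN/RST rather than waiting for both sides
            out.append(self._close(key, flow, p.ts, "rst" if "R" in p.flags else "fin"))
        return out

    def expire(self, now):
        """Close UDP/ICMP flows idle past the invented timeout; TCP is never timed out here."""
        idle = [(k, f) for k, f in self.flows.items()
                if f.first.proto != "tcp" and now - f.last > UDP_IDLE_TIMEOUT]
        return [self._close(k, f, f.last, "idle") for k, f in idle]

def older_than_retention(rec, now):
    """True if the connection began before the 12 month window that applies when it is logged."""
    return rec.start < now - RETENTION_SECONDS

# Constructed sample traffic using documentation address ranges; not a real capture.
SAMPLE_PACKETS = [
    # a short https exchange, closed cleanly with FIN
    Packet(0.0, "tcp", "192.0.2.10", 40000, "198.51.100.5", 443, "S"),
    Packet(0.2, "tcp", "198.51.100.5", 443, "192.0.2.10", 40000, "SA"),
    Packet(1.0, "tcp", "192.0.2.10", 40000, "198.51.100.5", 443, "A"),
    Packet(5.0, "tcp", "192.0.2.10", 40000, "198.51.100.5", 443, "FA"),
    # a DNS lookup: two UDP datagrams with no session concept in the protocol
    Packet(2.0, "udp", "192.0.2.10", 53000, "203.0.113.53", 53),
    Packet(2.1, "udp", "203.0.113.53", 53, "192.0.2.10", 53000),
    # a push-notification style connection that stays up for 400 days before closing
    Packet(0.0, "tcp", "192.0.2.11", 50000, "198.51.100.9", 5223, "S"),
    Packet(400 * 86400.0, "tcp", "192.0.2.11", 50000, "198.51.100.9", 5223, "FA"),
]

def run_sample():
    """Return the records the sample produces, in the order they would be written."""
    logger, records = ConnectionLogger(), []
    for p in sorted(SAMPLE_PACKETS, key=lambda p: p.ts):
        records += logger.observe(p)
    return records + logger.expire(now=400 * 86400.0 + 1)
```

The 400 day connection produces a record whose start is already outside the retention window on the day it is written, and the DNS "session" exists only because of the timeout the logger chose.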
Logging stuff from TCP sessions, like web or email addresses
Ultimately, what was said in parliament, is that they want web logs - logging the web site names. This is much harder still - you don't just have to track a TCP session over multiple packets but have to track the clean data stream within it, understand higher level protocols like http, and extract information from those protocols like web site host name or email headers. This is another level of expensive and complex over and above session tracking. Note that this level will be increasingly thwarted by the use of encryption.
Logging all content
We don't think they yet want to log all content, but basically that would be impossible. The storage requirements would be vast and impossibly expensive - the data flowing over the Internet is just too vast to log.
In addition to these various levels of logging, there are some other key issues :-
Denial of Service attacks
One small point is that there are denial of service attacks - these will look like millions of separate connections a second. Any system that tries to log "internet connection" records will need to be able to keep up and log these. The issue is, of course, that these are enough to break the network normally - having a logging system that does not break in the face of trying to log this traffic will be even more expensive. Now, you could take the view that we don't need to log a denial of service attack, but (a) surely you do as it is illegal activity and that is the whole reason for making these logs, and (b) the DOS could be targeted at the logging - not enough to damage the ISPs network but enough to look like a shit load of connections and be too much for the logging systems to keep up with - thus losing real connection logs. Being able to cope with such new DoS targets will mean even more complexity and cost for the ISP.
Maintenance
One of the big issues, and costs, with any of the more complex solutions for tracking "connections" and especially tracking data from within those connections, is the changing nature of the Internet.
Already we see more and more systems using encryption - so even something as simple as sending or checking email will now be impossible for the ISP to "see" in to and identify the sender and recipient of the email by email address unless they are themselves providing the email service. https which is used for many web sites now currently allows DPI to "see" the website hostname, but that too is changing and it will soon be encrypted too.
But even without encryption, the protocols change. This is not just because standards change, and they do, but because of the very nature of the Internet. It allows packets to go from one place to another and does not care what protocols are used. As long as both ends understand, it does not have to be any sort of "standard" at all. An application on a phone could talk some completely new IP protocol to its server over the Internet, or even talk something that looks like an existing protocol like TCP but actually in a totally non standard way. That is all valid in the Internet. Web sites generally have to follow some standards but games and apps can do what they like, and often make up their own unique protocols for communication with game servers. One of the key things that may want to be tracked is things like in-game chat - but there is no way an ISP can sensibly do that looking at the packets as they pass, even if not encrypted.
Interestingly Network Address Translation (NAT) is responsible for limiting the protocols commonly in use (typically to ICMP, UDP and TCP) because that is what NAT boxes understand. Even with this limitation, the protocol then used over TCP and UDP can be whatever you like. However, IPv6 is finally taking back the Internet as simply a means to get IP packets end to end (as it was designed) - it now allows new protocols and misuse of existing protocols without the limitations of a NAT box having to understand what you are doing.
So, the equipment that does any sort of session/connection tracking or DPI will have to be constantly updated and maintained to handle the new protocols coming along, and even guess at some protocols it has never seen. If looking in to higher level protocols, that will be a constant battle with innovation on the Internet, and with rebellion at the monitoring that is being done.
However, in summary - we need to know what level of logging is intended by the bill, and we need the bill updated to be clear on that, else the cost estimates are a joke.
One of the important points to be debated about the bill is the cost impact. Obviously people are asking what the cost of retention will be. Unfortunately I don't know, because unless, and until, we get a secret retention order, we don't know what is expected of us. Even if other ISPs get orders, we will not know as they are secret.
So we need to get a handle on what they intend. Unfortunately it is more important than that though - it is not just what they intend, but that intention has to then be put in the bill. If not, then the second the bill passes the secret orders could be very different and have totally different costs to those debated in parliament before the bill passes. Even if the politicians are honest (choke!) a change of government puts someone else in charge and they can use the act based on what it says, not what the intentions were. What is worse, as they are secret, nobody will know that the orders are not as per the intentions explained to parliament.
To try and put this into some sort of logical order, I have listed below some of the things that could possibly be requested and an idea of the complexity of each. What would be useful is to know which of these they are after, and have that written into the bill now.
Keeping existing logs for a year
Some things an ISP already logs. Examples are email server logs, or call server logs. If the ISP already logs something to a durable medium such as a hard disk, and keeps those logs for a period (a few days for email logs, for example), then simply asking that they keep the logs for a year, and provide a means to access them via RIPA requests, is not too hard. It has some costs (bigger hard disks), but is technically relatively simple. I am not too worried if such orders are made, especially because we could move such services outside the UK if we did not wish to make logs at all.
Making some new logs
In some cases an ISP will have equipment which has some means of creating some logs, but they don't log at present. Assuming the equipment is capable of making logs that can be stored in some durable medium, then it could be possible to turn on that logging and keep those logs and have them for a year. This is slightly more work. If the logs are particularly sensitive data, the ISP may have to have extra security measures that would not be present if simply "not logging" as now. It is a step further than just keeping existing logs, but may be possible.
New equipment to make more logs
There are ways in which some equipment can create additional logging, such as sampled IP headers. This is usually used for network diagnostics, things like working out where a denial of service attack is coming from and going to or planning network upgrades or configuration changes. It may not be enough to be that useful for intelligence services as it is more statistical than a proper connection log, but it may be. Installing new equipment or upgrading existing equipment may be possible to provide this sort of additional logging. This will have some costs for the new equipment, and again for the logging itself, so is a step further. The cost will somewhat depend on the extent of logging required. In the case of A&A, one of the big costs in any new equipment is the fact that the rack in question is full and the data centre in question has no spare racks - that could make installing one cheap piece of kit very very expensive.
Logging TCP sessions, UDP exchanges, etc.
It could be that they would like a log of all "sessions". Note that a "session", or "Internet Connection", is not a hard concept - it exists for TCP, but not for UDP or ICMP. It sort of exists for IPSec with key negotiation. For some protocols like SCTP or MOSH it is somewhat more complex as the single "connection" can change endpoints like Trigger's broom and stay up for years. Even with TCP, a "connection" could last days or months or years - it could be that when the session ends and is logged it is already older than the 12 month period of logging. Just trying to define what a "connection" is will be hard, but some sort of Deep Packet Inspection (DPI) kit could track sessions. This is very expensive on any scale at all - ISPs' routers use specialised hardware (ASICs) to keep up with just forwarding packets - to track "connections" is a lot more work and cost.
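To show how slippery "connection" is in practice, here is an added example (not from the post, and not any ISP's logging kit) that builds connection records from a packet trace: TCP gets real SYN/FIN boundaries, UDP only gets a guessed idle timeout, and a long-lived TCP session can be older than the retention period by the time it is finally written. The packets, the 60 second idle timeout and the field names are constructed.

```python
"""What an "Internet Connection Record" might be, built from a packet
trace. Added example, not from the post or any ISP kit; packets in the
demo are constructed. TCP has connection boundaries, UDP needs a guessed
idle timeout, and a long TCP session can outlive the retention period."""
from __future__ import annotations
from dataclasses import dataclass

UDP_IDLE_SECONDS = 60            # constructed assumption: when a UDP exchange "ends"
RETENTION_SECONDS = 365 * 86400  # 12 months, the period discussed in the post


@dataclass
class Packet:
    t: float          # seconds since epoch
    proto: str        # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""   # TCP flags as letters: S, A, F, R


@dataclass
class Record:
    proto: str
    a: tuple[str, int]
    b: tuple[str, int]
    start: float
    end: float
    packets: int
    boundary: str     # how we decided where the "connection" begins and ends


def _key(p: Packet):
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (p.proto,) + tuple(sorted([a, b]))   # direction-independent


def build_records(packets: list[Packet]) -> list[Record]:
    """Turn a trace into connection records, returned in order of closing."""
    live: dict = {}
    done: list[Record] = []

    def close(key, reason):
        rec = live.pop(key)
        rec.boundary = reason
        done.append(rec)

    for p in sorted(packets, key=lambda q: q.t):
        key = _key(p)
        rec = live.get(key)
        if p.proto == "tcp":
            if "S" in p.flags and "A" not in p.flags:       # bare SYN: a new connection
                if rec is not None:
                    close(key, "superseded by new SYN")
                rec = None
            if rec is None:
                boundary = "SYN" if "S" in p.flags else "mid-stream, no SYN seen"
                rec = live[key] = Record(p.proto, key[1], key[2], p.t, p.t, 0, boundary)
            rec.end, rec.packets = p.t, rec.packets + 1
            if "F" in p.flags or "R" in p.flags:
                close(key, rec.boundary + " .. FIN/RST")
        else:
            # No handshake to go on: a gap longer than the idle timeout is treated
            # as the end of one "exchange" and the start of another. Pure guesswork.
            if rec is not None and p.t - rec.end > UDP_IDLE_SECONDS:
                close(key, f"idle > {UDP_IDLE_SECONDS}s (a guess)")
                rec = None
            if rec is None:
                rec = live[key] = Record(p.proto, key[1], key[2], p.t, p.t, 0, "first packet")
            rec.end, rec.packets = p.t, rec.packets + 1
    for key in list(live):
        close(key, live[key].boundary + " .. still open")
    return done


def outlived_retention(rec: Record) -> bool:
    """True when the record is already older than the retention period at the
    moment it is finally written, so it could never be kept for the full 12 months."""
    return rec.end - rec.start > RETENTION_SECONDS


if __name__ == "__main__":
    t0 = 1_000_000.0
    demo = [Packet(t0, "tcp", "192.0.2.10", 40000, "198.51.100.5", 443, "S"),
            Packet(t0 + 5, "tcp", "192.0.2.10", 40000, "198.51.100.5", 443, "FA"),
            Packet(t0 + 1, "udp", "192.0.2.10", 5000, "198.51.100.9", 53)]
    for r in build_records(demo):
        print(r.proto, r.packets, r.boundary)
```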
Logging stuff from TCP sessions, like web or email addresses
Ultimately, what was said in parliament is that they want web logs - logging the web site names. This is much harder still - you don't just have to track a TCP session over multiple packets but have to reassemble the clean data stream within it, understand higher level protocols like http, and extract information from those protocols like the web site host name or email headers. This is another level of expense and complexity over and above session tracking. Note that this level will be increasingly thwarted by the use of encryption.
Logging all content
We don't think they yet want to log all content, but basically that would be impossible. The storage requirements would be vast and impossibly expensive - the data flowing over the Internet is just too vast to log.
In addition to these various levels of logging, there are some other key issues :-
Denial of Service attacks
One small point is that there are denial of service attacks - these will look like millions of separate connections a second. Any system that tries to log "internet connection" records will need to be able to keep up and log these. The issue is, of course, that these are enough to break the network normally - having a logging system that does not break in the face of trying to log this traffic will be even more expensive. Now, you could take the view that we don't need to log a denial of service attack, but (a) surely you do as it is illegal activity and that is the whole reason for making these logs, and (b) the DOS could be targeted at the logging - not enough to damage the ISPs network but enough to look like a shit load of connections and be too much for the logging systems to keep up with - thus losing real connection logs. Being able to cope with such new DoS targets will mean even more complexity and cost for the ISP.
Maintenance
One of the big issues, and costs, with any of the more complex solutions for tracking "connections" and especially tracking data from within those connections, is the changing nature of the Internet.
Already we see more and more systems using encryption - so even something as simple as sending or checking email will now be impossible for the ISP to "see" into and identify the sender and recipient of the email by email address unless they are themselves providing the email service. https, which is used for many web sites now, currently allows DPI to "see" the website hostname, but that too is changing and it will soon be encrypted too.
But even without encryption, the protocols change. This is not just because standards change, and they do, but because of the very nature of the Internet. It allows packets to go from one place to another and does not care what protocols are used. As long as both ends understand, it does not have to be any sort of "standard" at all. An application on a phone could talk some completely new IP protocol to its server over the Internet, or even talk something that looks like an existing protocol like TCP but actually in a totally non-standard way. That is all valid in the Internet. Web sites generally have to follow some standards but games and apps can do what they like, and often make up their own unique protocols for communication with game servers. One of the key things that may want to be tracked is things like in-game chat - but there is no way an ISP can sensibly do that looking at the packets as they pass, even if not encrypted.
Interestingly Network Address Translation (NAT) is responsible for limiting the protocols commonly in use (typically to ICMP, UDP and TCP) because that is what NAT boxes understand. Even with this limitation, the protocol then used over TCP and UDP can be whatever you like. However, IPv6 is finally taking back the Internet as simply a means to get IP packets end to end (as it was designed) - it now allows new protocols and misuse of existing protocols without the limitations of a NAT box having to understand what you are doing.
So, the equipment that does any sort of session/connection tracking or DPI will have to be constantly updated and maintained to handle the new protocols coming along, and even guess at some protocols it has never seen. If looking in to higher level protocols, that will be a constant battle with innovation on the Internet, and with rebellion at the monitoring that is being done.
However, in summary - we need to know what level of logging is intended by the bill, and we need the bill updated to be clear on that, else the cost estimates are a joke.
2015-11-20
BGP Blackhole routes
A technical post for a change...
BGP is the protocol that distributes routes around the Internet, and one of the features of BGP is the "community tags" that can be attached to a route announcement.
There are a few that are standard and useful, such as limiting the announcements to the local AS. Community tags are also often used in networks to tag where the route came into the network.
NTT (one of the big transit providers) have a great page on how they use communities, here. They use them not only to identify where routes came in, but also to control how routes are handled in their network.
A community tag is 32 bits and conventionally written as decimal 16 bits, colon, and decimal 16 bits. Where you have an AS number that fits in 16 bits it is common for the first 16 bits to be the AS that defines or uses the tag.
Now, one of the most important community tags you can use is surprisingly not standardised. It is the blackhole tag. The idea is that you can mark a route sent around by BGP that is "Do not route this", and just throw away any traffic to this prefix. The prefix is usually one address (IPv4 /32 or IPv6 /128).
There are two key ways an ISP can use Blackhole routes...
One is within their network, ensuring that their IBGP spreads the route and tags it so that each and every one of their routers knows not to route any traffic for the specified prefix. This helps ensure packets arriving at any ingress are dropped immediately to mitigate damage. It does not help much if the ingress is flooded though.
The other is for an ISP to tag the route and announce to their peers, and transit, so that they do the same. This helps avoid flooding the ingress points as the peer/transit is filtering in their network.
This is all quite important for managing Denial Of Service (DOS) attacks. Even if the target is one IP, which is not always the case, the traffic can be crippling. So an ISP that can tell their peers and upstream transit providers not to send the traffic to them, for that one IP, can stay on-line. The transit provider can spread this to all of their ingress points ensuring their network is not flooded further, and maybe even to their peers to push back further to the source of the traffic.
Over the last few days, for reasons that will be obvious if you have followed A&A status pages, I have been working on ways to make FireBricks smarter in their handling of Blackhole routes.
I could leave it to FireBrick customers, making rules to handle the way community tags are processed, but even that did not allow a route to be treated as a black hole, just drop it. So what I did is create ingress and egress blackhole community tag handling.
Anyone sending us a route with a specific community (for A&A it is 20712:666) has that route treated as a blackhole route. Obviously the route has to pass any other input filters, so customers can only announce their own IPs to us. This route spreads around our network so every router knows it is a black hole.
Secondly, announcing any blackhole route to peers is special. We only send it on IBGP (ensuring our black hole community tag is present), or if configured we send it on EBGP with the peer's black hole community tag, such as 2914:666 for NTT.
This means that anywhere in our network, even from a customer, we can create a blackhole route, and our whole network knows - all routers will drop traffic to the target IP. It also means we then tell all transit and peers that have blackhole community tags to do the same. Obviously if we can do this at peering points as well as transit then it is a massive help.
We have even made a system so a "connected" DSL line that is subject to a DOS attack can be marked as blackhole routed and that route go around our network and to peers and transit for a few minutes to mitigate the attack automatically!
Of course, there are attacks this will, by no means, fix. All it means is that an ISP is better able to partition out IPs as under attack and help avoid impact on other customers. As a feature it is good for FireBrick to be able to offer this to ISPs.
What is odd is that there is not a pre-defined standard blackhole community tag.
P.S. Every one of the millions of DOS attack packets per second will probably need to create an "Internet Connection Record" under the new IPBill so will mean DOSing the DPI boxes the government want installed.
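Here is the ingress and egress handling described above as an added model in Python (not FireBrick code): a route arriving with our tag is accepted as a blackhole only if it passes the normal input filter and is a single host, and on the way out it goes to IBGP with our tag, to EBGP only with that peer's own tag, and otherwise not at all. 20712:666 and 2914:666 are the tags quoted in the post; the customer AS numbers, prefixes and the 16:16 packing check are constructed, and the comment about RFC 7999 records a later development, not something the post says.

```python
"""Ingress/egress blackhole-community handling in the shape the post describes.
Added model, not FireBrick code. 20712:666 and 2914:666 are quoted in the
post; AS numbers 64500/64501 and the prefixes are constructed."""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass, replace
from typing import Optional

OUR_AS = 20712
OUR_BLACKHOLE = (OUR_AS, 666)   # tag customers use towards us and we use on IBGP
# RFC 7999 (October 2016, after this post) later reserved 65535:666 as a well-known BLACKHOLE tag.


def parse_community(text: str) -> tuple[int, int]:
    """'2914:666' -> (2914, 666); both halves must fit in 16 bits."""
    hi_s, lo_s = text.split(":")
    hi, lo = int(hi_s), int(lo_s)
    if not (0 <= hi <= 0xFFFF and 0 <= lo <= 0xFFFF):
        raise ValueError(f"community {text!r} does not fit in 16:16 bits")
    return hi, lo


def community_to_u32(c: tuple[int, int]) -> int:
    """The 32-bit on-the-wire value: AS in the high 16 bits, tag value in the low 16."""
    return (c[0] << 16) | c[1]


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network | ipaddress.IPv6Network
    communities: frozenset
    blackhole: bool = False


@dataclass
class Neighbour:
    name: str
    asn: int
    ibgp: bool = False
    allowed: tuple[str, ...] = ()                 # input filter: what a customer may announce
    blackhole_community: Optional[tuple[int, int]] = None  # tag this EBGP peer honours, if any


def make_route(prefix: str, *communities: str) -> Route:
    """Build a route from text, e.g. make_route('192.0.2.10/32', '20712:666')."""
    return Route(ipaddress.ip_network(prefix), frozenset(parse_community(c) for c in communities))


def _within(prefix, allowed: tuple[str, ...]) -> bool:
    nets = [ipaddress.ip_network(a) for a in allowed]
    return any(n.version == prefix.version and prefix.subnet_of(n) for n in nets)


def accept_ingress(route: Route, nb: Neighbour) -> Optional[Route]:
    """Input policy. Customers only get past the filter for their own IPs; a
    route carrying our blackhole tag is accepted only as a single host route."""
    if not nb.ibgp and not _within(route.prefix, nb.allowed):
        return None
    if OUR_BLACKHOLE in route.communities:
        if route.prefix.prefixlen != route.prefix.max_prefixlen:
            return None          # refuse to blackhole anything wider than /32 or /128
        return replace(route, blackhole=True)
    return replace(route, blackhole=False)


def build_egress(route: Route, nb: Neighbour) -> Optional[Route]:
    """Output policy. Normal routes go out as they are. Blackhole routes go to
    IBGP with our tag, to EBGP only with the peer's own tag, otherwise not at all."""
    if not route.blackhole:
        return route
    if nb.ibgp:
        return replace(route, communities=route.communities | {OUR_BLACKHOLE})
    if nb.blackhole_community is not None:
        swapped = (route.communities - {OUR_BLACKHOLE}) | {nb.blackhole_community}
        return replace(route, communities=frozenset(swapped))
    return None


def forward(dst: str, rib: list[Route]) -> str:
    """Data plane on every router: longest-prefix match; a blackhole match drops the packet."""
    addr = ipaddress.ip_address(dst)
    best = None
    for r in rib:
        if r.prefix.version == addr.version and addr in r.prefix:
            if best is None or r.prefix.prefixlen > best.prefix.prefixlen:
                best = r
    if best is None:
        return "no-route"
    return "drop" if best.blackhole else "forward"


if __name__ == "__main__":
    customer = Neighbour("dsl-customer", 64500, allowed=("192.0.2.0/24",))
    ntt = Neighbour("NTT", 2914, blackhole_community=parse_community("2914:666"))
    rib = [accept_ingress(make_route("192.0.2.0/24"), customer),
           accept_ingress(make_route("192.0.2.10/32", "20712:666"), customer)]
    print(forward("192.0.2.10", rib), forward("192.0.2.11", rib))   # drop forward
    print(build_egress(rib[1], ntt).communities)                      # frozenset({(2914, 666)})
```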
2015-11-18
What could happen next after #IPBill?
Obviously I am trying to engage with politicians and explain some of the issues, both technical and ethical, with this monitoring, and I had a productive meeting in the House of Lords today. It is, at least, a foot in the door.
However one thing I was pondering is where could things go...
If the Investigatory Powers Bill was to go ahead, one of the key issues is the retention of data by ISPs that somehow logs who is talking to who (or what) for everyone in the country.
We are told this is not mass surveillance, and I suspect the Oxford English Dictionary will be having committee meetings on that one, and how the words are redefined. One of the arguments is that it is not surveillance as nobody looks at the data until and unless you are suspected of a crime.
I suspect if this was a bill to install video in every room of every house, but again, not looked at unless later you are suspected of a crime, people would still consider it surveillance, personally.
But let's assume for a moment the bill is passed, and ISPs are logging connection data in some detail by some means. What would happen next?
Well, the problem I see is that an ideal end game for the security services would be to have this data and perform some "big data" analysis to find patterns and identify suspects automatically - you may be able to find terrorist cells or bank robbers simply by tracking their communications data in some detail. You can profile groups of people, cults, fan clubs, all sorts.
So how to get there from here - there are a few simple steps.
Statistics using anonymous data
My guess would be the first step would be getting anonymised access to do statistical analysis. This really does seem harmless enough doesn't it - after all the data is anonymous.
Emergency powers
But then you start to spot these patterns, and before long you have GCHQ saying they know there is a terrorist cell but they cannot tell who it is because the data is anonymous - they need an emergency power to be able to uncover the real data in special cases like that.
Getting the raw data
Of course, if they are right, then they will want to be able to get all of the data all of the time, and use it for any crimes they can profile.
And finally privacy is a thing of the past
We know a society with no privacy - with cameras in every room, and with all communications logged, would probably be a bit "safer" - though it will not stop all crime and not stop terrorists, but a bit safer. But we do not want that society!
2015-11-17
Uncrackable encryption
Another effort to explain a simple point to people that are not that technical.
Encryption is all about hiding something, such as a message, in such a way that only the correct people (the recipient of the message) can see what the message says. They typically need some sort of "key" to unlock it. Cracking encryption is about finding a way to access the message without having the key.
One of the fun comments you hear is that all encryption is crackable, it is simply a matter of enough time and computing power.
In most cases this is true - encryption usually uses mathematical operations which are inherently difficult, but with enough computing power and time you can crack it.
There is a big caveat though - for many encryption systems, using all of the computers in the world will take longer than the time until the sun dies to crack the message. OK, maybe an exaggeration for some systems in use, but the point is - for all practical purposes, and for the lifetime that the message is important, most encryption systems are uncrackable.
That is the point - encryption only has to be good enough that with the resources an adversary may have, it would take longer to decode the message than the message has useful lifetime.
So, asking if encryption is crackable is a silly question - the answer is "technically yes, but not in any practical way".
However, it is worth pointing out that there are encryption systems that are in fact uncrackable. Ironically, the pen and paper method explained in the video (above) is an example of one - the "one time pad". Without the key it is not possible to crack, even with infinite time and computing power. The reason is that you can pick all of the possible keys and get every possible message that could be sent (including the real message) but all are equally likely. You have every possible message, including a recipe for chicken soup, and cannot tell which is the actual message. Unlike systems that involve solving a difficult mathematical problem, there is no way to tell when you have solved a one time pad. You simply have to get the keys.
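To make the one-time pad point concrete, here is an added example in Python (not from the post): the pad itself, plus a function that produces, for any candidate plaintext of the right length, the key under which the ciphertext "decrypts" to it, which is exactly why enumerating keys tells you nothing. The messages are constructed, and the last helper shows the one caveat a practitioner should know, that a pad must never be used twice.

```python
"""One-time pad, worked through. Added example, not from the post; the
messages are constructed. Shows why a brute-force search over keys yields
every possible message with nothing to pick the real one out."""
import secrets


def otp_keygen(length: int) -> bytes:
    """A uniformly random key as long as the message, to be used exactly once."""
    return secrets.token_bytes(length)


def otp_apply(data: bytes, key: bytes) -> bytes:
    """XOR with the pad. Encryption and decryption are the same operation."""
    if len(key) < len(data):
        raise ValueError("pad must be at least as long as the message")
    return bytes(d ^ k for d, k in zip(data, key))


def key_that_decrypts_to(ciphertext: bytes, candidate: bytes) -> bytes:
    """For any candidate plaintext of the same length there is exactly one key
    that turns the ciphertext into it. An adversary with unlimited computing
    power can enumerate all keys, but the real message and the chicken soup
    recipe each appear exactly once, so nothing marks the real one."""
    if len(candidate) != len(ciphertext):
        raise ValueError("candidate must be the same length as the ciphertext")
    return bytes(c ^ p for c, p in zip(ciphertext, candidate))


def pad_reuse_leak(ct1: bytes, ct2: bytes) -> bytes:
    """The caveat: if one pad encrypts two messages, XORing the ciphertexts cancels
    the pad and leaves the XOR of the two plaintexts, which is far from uniform."""
    return bytes(a ^ b for a, b in zip(ct1, ct2))


if __name__ == "__main__":
    message = b"meet me at noon"
    pad = otp_keygen(len(message))
    ct = otp_apply(message, pad)
    decoy = b"chicken soup ok"
    print(otp_apply(ct, key_that_decrypts_to(ct, decoy)))   # b'chicken soup ok'
```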
And this is where most encryption is "cracked" - not by cracking the encryption itself, but by accessing the end points or the people involved. XKCD put it nicely :-
2015-11-16
https and shopping, for dummies
When you are using any on-line shop you are expected to hand over some personal details, including a credit card number, name, address, expiry date, code from back of card, etc.
Indeed, these are the very details that a hacker would like to use to buy things using your card. They have to be, as you are in fact buying something using your card!
One of the great things that computers can do is send that data to the merchant securely so that nobody can snoop on it on the way (not even Theresa May). This is important because your Internet traffic will go via a load of different companies to get to the end point, and you cannot be sure that every individual within those companies who could have access to your data is not a criminal. This is even more important when not at home and using someone else's wifi.
You can tell when this is happening by a padlock by the web address. This is the browser telling you it is secure, and that the other end at least matches the web address. If you click on the padlock you can get more information, and in some cases the browser will show you the legal name of the company by the padlock. What this means is that a protocol called "https" is being used.
But there are two key parts to using https - one is the way the data is sent so that nobody can snoop on it, but the other is checking the other end is who they say they are.
This second part is very important, as the other end, the web server, does get to see all of those details you are entering. If they are not really the merchant, bank or payment company that you think you are talking to, but instead some hacker, then the padlock does not help you.
To ensure that credit card details are handled carefully, there is a whole heap of crap that retailers have to go through called PCI/DSS. It is well intentioned, but really is horrid from a technical point of view. I don't mean that it forces unnecessary levels of protection and security - most of the ideas are sensible - I mean it makes huge assumptions about the way things are done and then asks lots of technically stupid and leading questions that can be impossible to answer honestly.
However, in spite of all of this annoyance, it seems that the basic level of PCI/DSS compliance, the self assessment questionnaires, lacks a simple question about your web site...
Yes, they do require that card details are encrypted when sent, but they don't require that the previous web page - the page where you type in those details - is secure (using https).
I'll try and explain - when you are presented with a form to fill in, that form has come from a web server. When you type in those details and press the button, those details are sent to a web server, and a reply page comes back. They do not have to be the same site or use the same protocol. It is quite possible for the form asking for details to be insecure (just using http, and no padlock), but the details you send are sent using https, so secure. So yes, the details are safe from passive snooping on the Internet. Apparently this meets the PCI/DSS self assessment questionnaire and requirements.
But there are two major issues with this:
- It trains the public that they do not have to expect the padlock when completing the details. This is very bad. It is a bit technical for someone to check if the details will be sent securely or not, and you cannot expect everyone to be that technical. It is only by the public being aware, and checking at the very least that there is a padlock, that hackers can be thwarted and prevented from defrauding banks.
- It allows various types of attack that would not be possible if the form itself was secure (example below).
The attack I am talking about relates to knowing the other end is who they say they are. There are various ways to attack the bits in the middle of the Internet and even divert them (DNS attacks, DSL router attacks, ARP/ND spoofing, routing/BGP attacks, and so on). These could send the request for the web page to a hacker's server instead of the merchant's real web server.
Now, if https is used, the hacker cannot pretend to be the merchant or server in question as they do not have the keys that are necessary to make the padlock appear. The browser would tell you that something is wrong.
However, if the form is just a normal, non-secure, web page, they can send an identical looking form to you. When you post the details, instead of those going securely to the merchant or the bank, they go to the hacker.
Now the hacker can even be clever, and after copying the details he can send your web browser on to the right place, a secure https web site for the bank or merchant with your details, so to you it looks the same. Indeed, he could be feeding the order to the merchant cleanly as well and allow your purchase to work perfectly with neither you, nor the merchant, knowing there is any hacking. Then, when he has lots of card details, he can use all of those card details, or sell them.
This is why it is very important to check the page you are filling in has the padlock - at least do that. There are many more checks you can do, but the most important is that simple first step.
Sadly I found a merchant that is using something called an iframe. It means someone else's web site is shown seamlessly in the middle of your web page. In this case they have the payment company's web site in theirs, but you do not see an address bar and do not see a padlock.
So in this case you cannot tell that the data will be sent securely. You cannot tell who it is being sent to. You cannot tell that the encompassing page has not been changed so that it includes some hacker's page in the iframe. It promotes public acceptance of payment pages that do not show the padlock. It should not be allowed, and I hope the PCI/DSS rules are changed to stop it.
Sadly their card processing provider, Sage Pay, seem a little uninterested in this issue and even referred me to examples in their documentation where they say the padlock won't show, as if that was acceptable!
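To make the two problems above concrete (a card form served over plain http even though it posts to https, and a payment iframe whose origin the address bar never shows), here is an added example of the kind of check a merchant or tester could run over a checkout page. It is example code written for this post, not the merchant's, Sage Pay's or the PCI/DSS council's tooling; the page URLs, hostnames and HTML snippets are constructed for illustration.

```python
"""Audit a checkout page for the card-form weaknesses discussed above.

Findings reported:
  * a card form whose submission target is not https (details sent in clear);
  * a card form served over http (the submission may be https, but the form
    itself could have been swapped in transit, and the user sees no padlock);
  * an iframe from another host (its padlock and origin are invisible).
Example code added for this post; not any provider's own tooling.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Field names that suggest a form collects card details (heuristic, assumed).
CARD_FIELD_HINTS = ("card", "cvv", "cvc", "expiry")


class _FormCollector(HTMLParser):
    """Collect forms (action + input names) and iframe src attributes."""

    def __init__(self):
        super().__init__()
        self.forms = []       # each: {"action": str, "fields": [str, ...]}
        self.iframes = []     # raw src attributes
        self._current = None  # form currently being read

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "fields": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["fields"].append((a.get("name") or a.get("id") or "").lower())
        elif tag == "iframe":
            self.iframes.append(a.get("src") or "")

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def looks_like_card_form(fields) -> bool:
    return any(hint in field for field in fields for hint in CARD_FIELD_HINTS)


def audit_payment_page(page_url: str, html: str) -> list:
    """Return a list of finding strings; an empty list means nothing to report."""
    collector = _FormCollector()
    collector.feed(html)
    page = urlsplit(page_url)
    findings = []
    for form in collector.forms:
        if not looks_like_card_form(form["fields"]):
            continue
        # A relative action inherits the page's scheme, so resolve it first.
        action = urljoin(page_url, form["action"])
        action_scheme = urlsplit(action).scheme
        if action_scheme != "https":
            findings.append(f"card form posts over {action_scheme}: {action}")
        if page.scheme != "https":
            findings.append(
                f"card form served over {page.scheme}: no padlock, form integrity unverified")
    for src in collector.iframes:
        src_abs = urljoin(page_url, src)
        if urlsplit(src_abs).hostname != page.hostname:
            findings.append(f"third-party iframe hides its origin from the address bar: {src_abs}")
    return findings


# Constructed sample pages (hostnames are placeholders, not real sites).
SAMPLE_PAGE_URL = "http://shop.example/checkout"
SAMPLE_HTML = """
<form method="post" action="https://pay.example/submit">
  <input name="cardnumber"><input name="cvv"><input name="expiry">
</form>
<form method="get" action="/search"><input name="q"></form>
"""
SAMPLE_IFRAME_HTML = """
<form action="/basket"><input name="qty"></form>
<iframe src="https://psp.example/hosted-form"></iframe>
"""

if __name__ == "__main__":
    for url, html in ((SAMPLE_PAGE_URL, SAMPLE_HTML),
                      ("https://shop.example/checkout", SAMPLE_IFRAME_HTML)):
        print(url)
        for finding in audit_payment_page(url, html) or ["(no findings)"]:
            print("  -", finding)
```

The first sample reproduces exactly the PCI-compliant-but-unsafe arrangement: the form posts to https, so passive snooping is defeated, yet the form arrived over http and the check flags that. The second sample has no card fields on the merchant's own page at all, which is what the hosted-iframe pattern looks like from the outside, and the check reports the foreign iframe instead.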
2015-11-15
Plan an attack in-game?
You can use encryption (even with pen and paper) but you don't even need that if the medium is one that cannot easily be monitored.
Now that criminals know that the government want to log web sites visited, there are places they can go. And if you plug that hole, they can do something else. Apparently 9/11 planned using draft emails on a web mail server, not logged as the emails were never sent. This is a never ending battle that will take every last shred of privacy away from all of the innocent people in the world if we let it.
What am I talking about? Well, apparently, the latest conjecture is that the Paris attacks may have been planned using a Sony PlayStation (PS4), using in-game communication.
This is very difficult to track - it is not like a simple phone call. There are thousands of different games people play even just on one platform, and millions of people that play the game. One can meet up, virtually, in-game and communicate by voice or text or other means. One of the more cunning ideas I have heard was that you could spell a message in a spray of bullets on a wall that the other player can see before it fades away - there is no way to track that!
What is even worse is that people in game may well be planning a bombing or attack plan - in the game! Some games may even be set in real towns, so planning to meet at a specific (real) building may be valid, innocent in-game communication, but in reality may be planning when and where to plant a bomb!
P.S. It is worth pointing out that whilst in-game communications may be a viable means of planning an attack, the evidence so far is that they found a PS4 in a young person's house (wow!) and the media are jumping to conclusions.
This is not new, and it does not work
The Danes have tried this - and it did not work.
http://techpresident.com/news/wegov/23918/denmark-government-will-not-allow-ordinary-citizens-have-digital-privacy
Basically, they have had this level of mass surveillance for a long time, and it has not helped at all. It is clear that this level of monitoring of citizens does not meet the objectives stated, and this example should be considered carefully by the UK while debating the Draft Investigatory Powers Bill.
(Thanks to Jesper Lund on twitter for pointing me to that article)
I also have to question some of the examples - Theresa May talked of an example of an abducted child and how it is crazy that if there were communications by phone or text before that, it could help investigation, but not if by social media. The proposed bill would show, for example, that the entire household has people connected to Facebook all day, or twitter, etc. It would not show which computers or even phones (on WiFi) in the house were connected, or if the child had any accounts on social media. The police would have to ask parents for details and then ask social media sites for details. The Internet Connection Records would not actually help with that.
However, given the extent that computers communicate behind the scenes, and the fact that a whole house will normally share the same IP address*, and that there may be unknown users on WiFi from the house, and DNS relays in daft routers, and viruses, and Tor, and so on, it is clear that apparent "Internet Connection Records" may be unrelated to individuals in the house. There is massive scope for misdirection. That is before anyone considers legally poisoning the database with deliberate bogus connections.
* Typically a house shares a single IPv4 address, using NAT on the router, which is not logged, or has an IPv6 prefix with privacy addressing, meaning you cannot attribute a connection to a device.
Someone else pointed out that surveillance only really works when the people being spied on don't know it. If criminals know that all Internet connections are logged, they can be more careful with what they do - perhaps even reverting to paper! This leaves only the innocent having their privacy invaded for no real benefit - just look at the example of Denmark and learn from that lesson!
It is also worth looking at France which does a lot of surveillance as well - it clearly did not help, and I feel sorry for those that lost their lives due to the action of criminals.
Someone actually asked if I was arguing from a cost/complexity point of view as an ISP, or from a privacy and moral point of view. To some extent it is both, but as an ISP, if the government gave us a retention order, they would pretty much have to pay us to make that happen (though there is some debate on the extent of cost recovery). So from that point of view it is not really an issue - indeed, as we make routers and firewalls we have the scope to make a killing selling kit to provide the monitoring solutions to companies even. We aren't doing that! The issue really is that I think it is wrong to treat the population as criminals, and disproportionately spend public money reacting to terrorism and giving in to the terror in the way we do. We need to consider this like any other crime and tackle it sensibly and not with knee-jerk headline-grabbing "something must be done" crap. I hope that makes my views a bit clearer...
P.S. There is one thing that perhaps Theresa May has not considered. After an attack it is very bad PR for government and intelligence agencies if you can say "But they had them under surveillance and still did nothing to prevent this". Once you have everyone under surveillance, people can always say that after every incident.
2015-11-14
What is an "Internet Connection Record"?
As an experiment I set my firewall to log sessions (TCP or UDP or ICMP) from my computer. I then powered it on, visited Facebook, liked one comment, and then shut it down.
As a "user" this was just one thing that I just did - the Internet equivalent of "making a single phone call" as far as the government would consider it.
I also went further and captured the DNS requests.
So, here is a single visit to Facebook from my machine :-
And here are the DNS requests made :-
Now remember, all I did was power up, visit Facebook, do one "like" and shutdown again, so logically this should magically condense to a single "Internet Connection Record".
Now, if I had dumped what the network actually sees, the packets that flow, and not had my firewall condense this down to some distinct "sessions" it would have been much more complex.
Update: Also see this excellent analysis of a day's logging. https://babyis60.wordpress.com/2015/11/13/the-investigation-of-packets/
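To show what "condensing" the session log that follows into Internet Connection Records actually involves, here is an added example, written for this post and not the firewall's own tooling, that parses the strack-new lines and summarises them. The line format is inferred from the log on the page; the embedded sample is a small verbatim excerpt of that log, chosen to cover DNS, NTP, HTTP, HTTPS, IMAP and an IPv6 session. The service names are well-known port numbers only; everything else is reported as "other". The summary also lists the distinct source addresses seen, which is the point made earlier about attribution: with a shared IPv4 address and an IPv6 address, nothing in these records says which device in the house was responsible.

```python
"""Condense firewall session-log lines into candidate "Internet Connection
Records". Example code added for this post, not the firewall's own tooling;
the line format is inferred from the log shown on the page."""
import re
from collections import Counter
from dataclasses import dataclass

# Verbatim excerpt of the session log on the page (a subset, not the full log).
SAMPLE_LOG = """\
2015-11-14T14:27:20.664898Z boxless.ec strack-new P=17(10s/3s) [House]91.240.176.2#49530-[Self]91.240.176.254#53 Allow
2015-11-14T14:27:20.671649Z boxless.ec strack-new P=17(10s/3s) [House]91.240.176.2#60324-[Maidenhead-link]17.253.34.125#123 Allow
2015-11-14T14:27:20.717343Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#54132-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:20.732971Z boxless.ec strack-new P=6(10s/3600s) [House]91.240.176.2#49152-[Maidenhead-link]23.205.169.17#80 Allow
2015-11-14T14:27:20.780712Z boxless.ec strack-new P=6(10s/3600s) [House]91.240.176.2#49154-[Maidenhead-link]17.143.161.149#5223 Allow
2015-11-14T14:27:20.816263Z boxless.ec strack-new P=6(10s/3600s) [House]91.240.176.2#49155-[Maidenhead-link]17.167.142.26#443 Allow
2015-11-14T14:27:28.021844Z boxless.ec strack-new P=6(10s/3600s) [House]91.240.176.2#49158-[Maidenhead-link]184.29.67.153#443 Allow
2015-11-14T14:27:28.311874Z boxless.ec strack-new P=6(10s/3600s) [House]91.240.176.2#49162-[Maidenhead-link]184.29.67.153#443 Allow
2015-11-14T14:27:32.282883Z boxless.ec strack-new P=6(10s/3600s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#49182-[Maidenhead-link]2001:8b0::30:230:48ff:fedb:25dc#143 Allow
2015-11-14T14:27:32.983498Z boxless.ec strack-new P=17(10s/120s) [House]91.240.176.2#62277-[Maidenhead-link]194.126.249.5#22026 Allow
"""

# Inferred format: <ts> <host> strack-new P=<proto>(<timers>)
#   [<src-zone>]<src-ip>#<src-port>-[<dst-zone>]<dst-ip>#<dst-port> <action>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) strack-new P=(?P<proto>\d+)\((?P<timers>[^)]*)\) "
    r"\[(?P<src_zone>[^\]]+)\](?P<src_ip>[^#\s]+)#(?P<src_port>\d+)-"
    r"\[(?P<dst_zone>[^\]]+)\](?P<dst_ip>[^#\s]+)#(?P<dst_port>\d+) (?P<action>\w+)$"
)

# Well-known destination ports only; anything else is reported as "other".
SERVICE_BY_PORT = {53: "DNS", 80: "HTTP", 123: "NTP", 143: "IMAP", 443: "HTTPS"}


@dataclass(frozen=True)
class Session:
    ts: str
    proto: int
    src_zone: str
    src_ip: str
    src_port: int
    dst_zone: str
    dst_ip: str
    dst_port: int
    action: str

    @property
    def service(self) -> str:
        return SERVICE_BY_PORT.get(self.dst_port, "other")

    @property
    def is_local_resolver(self) -> bool:
        # [Self] is the firewall itself; port 53 there is the house's DNS relay,
        # so these lookups are not connections leaving the house in their own right.
        return self.dst_zone == "Self" and self.dst_port == 53


def parse_session(line: str):
    """Parse one log line; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    g = m.groupdict()
    return Session(g["ts"], int(g["proto"]), g["src_zone"], g["src_ip"], int(g["src_port"]),
                   g["dst_zone"], g["dst_ip"], int(g["dst_port"]), g["action"])


def parse_log(text: str) -> list:
    return [s for s in (parse_session(line) for line in text.splitlines()) if s]


def summarise(text: str) -> dict:
    sessions = parse_log(text)
    external = [s for s in sessions if s.dst_zone != "Self"]
    # One plausible reading of an ICR: the first sighting of each (dest IP, port).
    records = {}
    for s in external:
        records.setdefault((s.dst_ip, s.dst_port), s.ts)
    return {
        "total_sessions": len(sessions),
        "dns_lookups": sum(s.is_local_resolver for s in sessions),
        "external_sessions": len(external),
        "candidate_records": len(records),
        "services": dict(Counter(s.service for s in external)),
        "source_addresses": sorted({s.src_ip for s in sessions}),
    }


if __name__ == "__main__":
    for key, value in summarise(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Even on this ten-line excerpt the single "visit to Facebook" produces eight outbound sessions to seven distinct endpoints across five different services, none of them obviously Facebook, and two resolver lookups that a retention system would have to decide whether to record at all. Which of these is "the" Internet Connection Record is exactly the question the bill does not answer.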
So, here is a single visit to Facebook from my machine :-
2015-11-14T14:27:20.664898Z boxless.ec strack-new P=17(10s/3s) [House]91.240.176.2#49530-[Self]91.240.176.254#53 Allow
2015-11-14T14:27:20.665207Z boxless.ec strack-new P=17(10s/3s) [House]91.240.176.2#59439-[Self]91.240.176.254#53 Allow
2015-11-14T14:27:20.665952Z boxless.ec strack-new P=17(10s/3s) [House]91.240.176.2#53729-[Self]91.240.176.254#53 Allow
2015-11-14T14:27:20.666428Z boxless.ec strack-new P=17(10s/3s) [House]91.240.176.2#51358-[Self]91.240.176.254#53 Allow
2015-11-14T14:27:20.666487Z boxless.ec strack-new P=17(10s/3s) [House]91.240.176.2#60935-[Self]91.240.176.254#53 Allow
2015-11-14T14:27:20.671649Z boxless.ec strack-new P=17(10s/3s) [House]91.240.176.2#60324-[Maidenhead-link]17.253.34.125#123 Allow
2015-11-14T14:27:20.717343Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#54132-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:20.717422Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#55163-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:20.717492Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#59313-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:20.717796Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#52186-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:20.723916Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#60603-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:20.724084Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#51865-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:20.725502Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#64929-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:20.725575Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#59852-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:20.732971Z boxless.ec strack-new P=6(10s/3600s) [House]91.240.176.2#49152-[Maidenhead-link]23.205.169.17#80 Allow
2015-11-14T14:27:20.741156Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#54972-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:20.741231Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#50228-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:20.750757Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#57434-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:20.750829Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#59956-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:20.752334Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#58760-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:20.752408Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#60096-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:20.756662Z boxless.ec strack-new P=6(10s/3600s) [House]91.240.176.2#49153-[Maidenhead-link]23.63.98.34#80 Allow
2015-11-14T14:27:20.774940Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#51384-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:20.775013Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#64924-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:20.779341Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#58360-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:20.779414Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#51596-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:20.780712Z boxless.ec strack-new P=6(10s/3600s) [House]91.240.176.2#49154-[Maidenhead-link]17.143.161.149#5223 Allow
2015-11-14T14:27:20.816263Z boxless.ec strack-new P=6(10s/3600s) [House]91.240.176.2#49155-[Maidenhead-link]17.167.142.26#443 Allow
2015-11-14T14:27:20.821184Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#64085-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:20.822340Z boxless.ec strack-new P=17(10s/10s) [House]91.240.176.2#12309-[Self]255.255.255.255#12307 Allow
2015-11-14T14:27:20.892672Z boxless.ec strack-new P=6(10s/3600s) [House]91.240.176.2#49156-[Maidenhead-link]17.143.162.153#5223 Allow
2015-11-14T14:27:21.070637Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#64935-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:21.087399Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#59175-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:21.788424Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#59506-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:21.788497Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#52576-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:21.788570Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#49694-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:21.788640Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#55870-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:22.280989Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#58988-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:25.940011Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#50596-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:25.940086Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#54593-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:25.940167Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#56717-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:25.940238Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#58072-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:25.942433Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#62375-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:26.824961Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#60875-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:26.825035Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#51362-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:27.054976Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#50563-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:27.055050Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#56929-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:27.067553Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#63938-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:27.067626Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#52342-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:27.752290Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#62284-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:27.752366Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#61798-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:27.794104Z boxless.ec strack-new P=6(10s/3600s) [House]91.240.176.2#49157-[Maidenhead-link]17.173.66.146#443 Allow
2015-11-14T14:27:27.978241Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#59697-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:27.978314Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#58910-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:28.015604Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#55906-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:28.015686Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#63391-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:28.017200Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#55031-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:28.017302Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#62842-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:28.021844Z boxless.ec strack-new P=6(10s/3600s) [House]91.240.176.2#49158-[Maidenhead-link]184.29.67.153#443 Allow
2015-11-14T14:27:28.058214Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#52583-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:28.058286Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#50786-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:28.064801Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#49717-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:28.064875Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#64969-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:28.071296Z boxless.ec strack-new P=6(10s/3600s) [House]91.240.176.2#49159-[Maidenhead-link]17.171.43.55#80 Allow
2015-11-14T14:27:28.106951Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#53195-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:28.231792Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#63192-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:28.231866Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#53449-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:28.266271Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#53196-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:28.266346Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#55378-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:28.267915Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#54715-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:28.267987Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#61685-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:28.283959Z boxless.ec strack-new P=6(10s/3600s) [House]91.240.176.2#49160-[Maidenhead-link]17.248.144.72#443 Allow
2015-11-14T14:27:28.302694Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#57801-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:28.302771Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#60117-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:28.302825Z boxless.ec strack-new P=6(10s/3600s) [House]91.240.176.2#49161-[Maidenhead-link]104.67.40.203#443 Allow
2015-11-14T14:27:28.311543Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#56322-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:28.311616Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#50402-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:28.311874Z boxless.ec strack-new P=6(10s/3600s) [House]91.240.176.2#49162-[Maidenhead-link]184.29.67.153#443 Allow
2015-11-14T14:27:28.313019Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#54817-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:28.313100Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#53145-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:28.326312Z boxless.ec strack-new P=6(10s/3600s) [House]91.240.176.2#49163-[Maidenhead-link]104.66.246.96#443 Allow
2015-11-14T14:27:28.362206Z boxless.ec strack-new P=6(10s/3600s) [House]91.240.176.2#49164-[Maidenhead-link]17.248.144.72#443 Allow
2015-11-14T14:27:28.586143Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#64814-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:28.648460Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#55270-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:29.344494Z boxless.ec strack-new P=6(10s/3600s) [House]91.240.176.2#49165-[Maidenhead-link]104.67.40.203#443 Allow
2015-11-14T14:27:29.390266Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#62891-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:29.390443Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#62432-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:29.426074Z boxless.ec strack-new P=6(10s/3600s) [House]91.240.176.2#49166-[Maidenhead-link]17.173.66.144#443 Allow
2015-11-14T14:27:29.490804Z boxless.ec strack-new P=6(10s/3600s) [House]91.240.176.2#49167-[Maidenhead-link]17.154.66.108#443 Allow
2015-11-14T14:27:29.733643Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#65049-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:30.060809Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#57929-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:30.060986Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#65073-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:30.082427Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#61126-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:30.082509Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#64676-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:30.083960Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#58530-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:30.084051Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#55319-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:30.089579Z boxless.ec strack-new P=6(10s/3600s) [House]91.240.176.2#49170-[Maidenhead-link]23.205.169.32#80 Allow
2015-11-14T14:27:30.104004Z boxless.ec strack-new P=6(10s/3600s) [House]91.240.176.2#49171-[Maidenhead-link]184.29.67.153#443 Allow
2015-11-14T14:27:30.117124Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#58732-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:30.117209Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#55289-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:30.158566Z boxless.ec strack-new P=6(10s/3600s) [House]91.240.176.2#49172-[Maidenhead-link]17.154.66.108#443 Allow
2015-11-14T14:27:30.177282Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#55243-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:30.177356Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#49934-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:30.183957Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#59742-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:30.184039Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#61471-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:30.199492Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#52387-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:30.199575Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#53546-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:30.201007Z boxless.ec strack-new P=6(10s/3600s) [House]91.240.176.2#49173-[Maidenhead-link]17.171.74.166#443 Allow
2015-11-14T14:27:30.205161Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#55732-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:30.205243Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#60374-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:30.239282Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#51716-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:30.239355Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#55557-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:30.255483Z boxless.ec strack-new P=6(10s/3600s) [House]91.240.176.2#49174-[Maidenhead-link]17.252.11.246#443 Allow
2015-11-14T14:27:30.262228Z boxless.ec strack-new P=6(10s/3600s) [House]91.240.176.2#49175-[Maidenhead-link]17.110.227.102#5223 Allow
2015-11-14T14:27:30.298087Z boxless.ec strack-new P=6(10s/3600s) [House]91.240.176.2#49176-[Maidenhead-link]17.167.142.36#443 Allow
2015-11-14T14:27:30.329033Z boxless.ec strack-new P=6(10s/3600s) [House]91.240.176.2#49177-[Maidenhead-link]17.173.66.145#443 Allow
2015-11-14T14:27:30.362289Z boxless.ec strack-new P=6(10s/3600s) [House]91.240.176.2#49178-[Maidenhead-link]17.110.227.101#5223 Allow
2015-11-14T14:27:30.407208Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#49463-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:30.519312Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#58346-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:30.544716Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#62989-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:30.659088Z boxless.ec strack-new P=6(10s/3600s) [House]91.240.176.2#49179-[Maidenhead-link]17.173.66.145#443 Allow
2015-11-14T14:27:30.662346Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#63371-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:30.662513Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#58953-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:32.080173Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#58989-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:32.080255Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#63837-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:32.106799Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#54478-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:32.106872Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#51822-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:32.178691Z boxless.ec strack-new P=6(10s/3600s) [House]91.240.176.2#49180-[Maidenhead-link]17.167.142.87#443 Allow
2015-11-14T14:27:32.181829Z boxless.ec strack-new P=6(10s/3600s) [House]91.240.176.2#49181-[Maidenhead-link]17.167.142.80#443 Allow
2015-11-14T14:27:32.281436Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#53849-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:32.281510Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#54465-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:32.282883Z boxless.ec strack-new P=6(10s/3600s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#49182-[Maidenhead-link]2001:8b0::30:230:48ff:fedb:25dc#143 Allow
2015-11-14T14:27:32.379694Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#51731-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:32.380599Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#54092-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:32.422027Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#58715-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:32.442087Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#57736-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:32.523353Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#52873-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:32.523427Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#64947-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:32.528734Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#52218-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:32.528901Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#53483-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:32.530606Z boxless.ec strack-new P=6(10s/3600s) [House]91.240.176.2#49183-[Maidenhead-link]77.238.185.31#443 Allow
2015-11-14T14:27:32.594363Z boxless.ec strack-new P=6(10s/3600s) [House]91.240.176.2#49184-[Maidenhead-link]77.238.185.31#443 Allow
2015-11-14T14:27:32.812857Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#57185-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:32.898479Z boxless.ec strack-new P=6(10s/3600s) [House]91.240.176.2#49185-[Maidenhead-link]63.245.213.24#443 Allow
2015-11-14T14:27:32.981809Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#64332-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:32.981983Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#60133-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:32.983021Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#49257-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:32.983102Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#65427-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:32.983185Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#54385-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:32.983263Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#55252-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:32.983333Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#59114-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:32.983413Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#56607-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:32.983498Z boxless.ec strack-new P=17(10s/120s) [House]91.240.176.2#62277-[Maidenhead-link]194.126.249.5#22026 Allow
2015-11-14T14:27:32.985195Z boxless.ec strack-new P=17(10s/120s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#62278-[Maidenhead-link]2001:470:28:4d6::5#22026 Allow
2015-11-14T14:27:32.986534Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#49606-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:32.986607Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#51660-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:32.988267Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#62553-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:32.988439Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#49370-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:32.990106Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#56734-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:32.990179Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#62485-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:33.001573Z boxless.ec strack-new P=6(10s/3600s) [House]91.240.176.2#49186-[Maidenhead-link]192.30.252.124#443 Allow
2015-11-14T14:27:33.163186Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#57309-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:33.163259Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#50250-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:33.164087Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#58314-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:33.164167Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#62060-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:33.165400Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#60286-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:33.165488Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#62817-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:33.411242Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#64573-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:33.411315Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#51053-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:33.415033Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#58558-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:33.415255Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#60134-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:33.865704Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#51727-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:33.867485Z boxless.ec strack-new P=6(10s/3600s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#49187-[Maidenhead-link]2620:101:8016:5::2:20#443 Allow
2015-11-14T14:27:34.042948Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#51654-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:34.044479Z boxless.ec strack-new P=6(10s/3600s) [House]91.240.176.2#49188-[Maidenhead-link]68.232.34.191#443 Allow
2015-11-14T14:27:34.044620Z boxless.ec strack-new P=6(10s/3600s) [House]91.240.176.2#49189-[Maidenhead-link]68.232.34.191#443 Allow
2015-11-14T14:27:34.054462Z boxless.ec strack-new P=17(10s/120s) [House]91.240.176.2#56591-[Maidenhead-link]194.126.249.5#22026 Allow
2015-11-14T14:27:34.054524Z boxless.ec strack-new P=17(10s/120s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#58637-[Maidenhead-link]2001:470:28:4d6::5#22026 Allow
2015-11-14T14:27:34.166087Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#62288-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:34.166308Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#50955-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:34.166691Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#61688-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:34.166794Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#52917-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:34.167094Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#55238-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:34.167421Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#56059-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:34.167509Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#58341-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:34.167579Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#63159-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:34.168144Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#53089-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:34.168233Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#54783-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:34.168304Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#58899-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:34.168383Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#60378-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:34.168495Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#63755-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:34.168565Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#58295-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:34.169235Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#51529-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:34.169342Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#62721-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:34.170901Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#51778-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:34.170974Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#54194-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:34.172361Z boxless.ec strack-new P=6(10s/3600s) [House]91.240.176.2#49190-[Maidenhead-link]93.184.220.29#80 Allow
2015-11-14T14:27:34.271342Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#64585-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:34.271561Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#53072-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:34.866588Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#64209-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:34.866662Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#55763-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:34.895361Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#52177-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:34.895435Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#64173-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:34.897070Z boxless.ec strack-new P=6(10s/3600s) [House]91.240.176.2#49191-[Maidenhead-link]17.154.66.67#443 Allow
2015-11-14T14:27:34.969375Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#62746-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:34.969450Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#49174-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:35.013228Z boxless.ec strack-new P=6(10s/3600s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#49192-[Maidenhead-link]2a02:26f0:b6:282::1abd#80 Allow
2015-11-14T14:27:35.150486Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#64750-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:35.150563Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#49985-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:35.152107Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#62441-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:35.152180Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#56189-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:35.156834Z boxless.ec strack-new P=6(10s/3600s) [House]91.240.176.2#49193-[Maidenhead-link]104.67.55.140#443 Allow
2015-11-14T14:27:35.415832Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#56471-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:35.440542Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#63018-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:35.440616Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#62644-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:35.464649Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#62573-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:35.464723Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#52556-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:35.488710Z boxless.ec strack-new P=6(10s/3600s) [House]91.240.176.2#49194-[Maidenhead-link]17.173.254.28#443 Allow
2015-11-14T14:27:35.670134Z boxless.ec strack-new P=17(10s/3s) [House]91.240.176.2#60592-[Maidenhead-link]17.253.34.251#123 Allow
2015-11-14T14:27:35.963040Z boxless.ec strack-new P=17(10s/120s) [House]91.240.176.2#49731-[Maidenhead-link]17.155.127.222#16384 Allow
2015-11-14T14:27:35.963081Z boxless.ec strack-new P=17(10s/120s) [House]91.240.176.2#16403-[Maidenhead-link]17.155.127.222#16384 Allow
2015-11-14T14:27:35.963120Z boxless.ec strack-new P=17(10s/120s) [House]91.240.176.2#16403-[Maidenhead-link]17.155.127.222#16385 Allow
2015-11-14T14:27:35.963159Z boxless.ec strack-new P=17(10s/120s) [House]91.240.176.2#49731-[Maidenhead-link]17.155.127.222#16385 Allow
2015-11-14T14:27:35.963197Z boxless.ec strack-new P=17(10s/120s) [House]91.240.176.2#16403-[Maidenhead-link]17.155.127.223#16386 Allow
2015-11-14T14:27:35.963236Z boxless.ec strack-new P=17(10s/120s) [House]91.240.176.2#49731-[Maidenhead-link]17.155.127.223#16386 Allow
2015-11-14T14:27:36.618970Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#56484-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:36.619169Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#60267-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:36.619503Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#53216-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:36.619588Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#57784-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:36.640317Z boxless.ec strack-new P=6(10s/3600s) [House]91.240.176.2#49201-[Maidenhead-link]192.30.252.124#443 Allow
2015-11-14T14:27:36.652429Z boxless.ec strack-new P=6(10s/3600s) [House]91.240.176.2#49202-[Maidenhead-link]31.13.90.36#443 Allow
2015-11-14T14:27:36.967374Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#54497-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:37.345210Z boxless.ec strack-new P=6(10s/3600s) [House]91.240.176.2#49203-[Maidenhead-link]17.167.142.31#443 Allow
2015-11-14T14:27:37.435817Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#50436-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:37.435890Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#56367-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:37.537872Z boxless.ec strack-new P=6(10s/3600s) [House]91.240.176.2#49204-[Maidenhead-link]17.154.239.52#443 Allow
2015-11-14T14:27:37.813285Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#51977-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:37.952452Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#57366-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:37.952526Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#55470-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:38.045661Z boxless.ec strack-new P=6(10s/3600s) [House]91.240.176.2#49205-[Maidenhead-link]17.167.142.25#443 Allow
2015-11-14T14:27:38.302002Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#65176-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:38.515129Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#64858-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:38.515203Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#53289-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:38.561541Z boxless.ec strack-new P=6(10s/3600s) [House]91.240.176.2#49207-[Maidenhead-link]23.205.168.72#443 Allow
2015-11-14T14:27:38.596572Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#60665-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:38.596645Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#56485-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:38.601761Z boxless.ec strack-new P=6(10s/3600s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#49208-[Maidenhead-link]2a03:2880:f01b:5:face:b00c::1#443 Allow
2015-11-14T14:27:38.677948Z boxless.ec strack-new P=6(10s/3600s) [House]91.240.176.2#49209-[Maidenhead-link]17.167.142.25#443 Allow
2015-11-14T14:27:38.846960Z boxless.ec strack-new P=6(10s/3600s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#49210-[Maidenhead-link]2a03:2880:f01b:5:face:b00c::1#443 Allow
2015-11-14T14:27:38.876708Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#61958-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:38.937510Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#65470-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:39.274922Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#62501-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:39.275094Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#61140-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:39.279956Z boxless.ec strack-new P=6(10s/3600s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#49211-[Maidenhead-link]2a03:2880:f01a:1e:face:b00c::25de#443 Allow
2015-11-14T14:27:39.445315Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#51259-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:39.445389Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#61189-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:39.449964Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#54766-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:39.450038Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#54783-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:39.470969Z boxless.ec strack-new P=6(10s/3600s) [House]91.240.176.2#49212-[Maidenhead-link]82.199.80.141#443 Allow
2015-11-14T14:27:39.699489Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#61055-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:39.699564Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#55714-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:39.704348Z boxless.ec strack-new P=6(10s/3600s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#49213-[Maidenhead-link]2a03:2880:f01a:1:face:b00c::1#443 Allow
2015-11-14T14:27:39.808565Z boxless.ec strack-new P=6(10s/3600s) [House]91.240.176.2#49214-[Maidenhead-link]184.29.67.153#443 Allow
2015-11-14T14:27:40.092595Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#55894-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:41.733919Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#58387-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:41.733993Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#59097-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:41.753734Z boxless.ec strack-new P=6(10s/3600s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#49215-[Maidenhead-link]2a02:26f0:5d::173f:6349#443 Allow
2015-11-14T14:27:42.028459Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#49732-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:42.032082Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#49733-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:42.033225Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#49734-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:42.033535Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#49735-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:42.033640Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#49736-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:42.034000Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#49737-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:42.034751Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#49738-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:42.036335Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#49739-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:42.036722Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#49740-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:42.037107Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#49741-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:42.040009Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#49742-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:42.059237Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#49743-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:42.070939Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#49744-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:42.097784Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#49745-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:42.116469Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#56304-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:42.142387Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#49746-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:42.678277Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#57114-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:42.678350Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#52691-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:42.678614Z boxless.ec strack-new P=6(10s/3600s) [House]91.240.176.2#49216-[Maidenhead-link]184.29.67.153#443 Allow
2015-11-14T14:27:42.679814Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#55828-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:42.679904Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#55494-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:42.680336Z boxless.ec strack-new P=6(10s/3600s) [House]91.240.176.2#49217-[Maidenhead-link]17.173.66.149#443 Allow
2015-11-14T14:27:42.684266Z boxless.ec strack-new P=6(10s/3600s) [House]91.240.176.2#49218-[Maidenhead-link]17.248.144.177#443 Allow
2015-11-14T14:27:42.797123Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#52091-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:42.797196Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#65363-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:42.896749Z boxless.ec strack-new P=6(10s/3600s) [House]91.240.176.2#49219-[Maidenhead-link]17.167.142.81#443 Allow
2015-11-14T14:27:43.132827Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#58402-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:43.715115Z boxless.ec strack-new P=6(10s/3600s) [House]91.240.176.2#49220-[Maidenhead-link]17.167.142.81#443 Allow
2015-11-14T14:27:45.834745Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#63684-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:45.834828Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#49861-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:45.924616Z boxless.ec strack-new P=6(10s/3600s) [House]91.240.176.2#49221-[Maidenhead-link]17.167.144.40#443 Allow
2015-11-14T14:27:46.143397Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#62497-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:46.143470Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#55640-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:46.169254Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#59177-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:46.170808Z boxless.ec strack-new P=6(10s/3600s) [House]91.240.176.2#49222-[Maidenhead-link]17.167.137.37#443 Allow
2015-11-14T14:27:46.201529Z boxless.ec strack-new P=6(10s/3600s) [House]91.240.176.2#49223-[Maidenhead-link]17.164.1.38#443 Allow
2015-11-14T14:27:46.548807Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#59228-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:46.584847Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#51060-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:46.584924Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#63150-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:46.702646Z boxless.ec strack-new P=6(10s/3600s) [House]91.240.176.2#49224-[Maidenhead-link]17.167.142.10#443 Allow
2015-11-14T14:27:46.945151Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#63171-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:47.233574Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#61781-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:47.233649Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#57972-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:47.233955Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#53299-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:47.234027Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#56144-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:47.265587Z boxless.ec strack-new P=6(10s/3600s) [House]91.240.176.2#49225-[Maidenhead-link]17.167.142.44#443 Allow
2015-11-14T14:27:47.265731Z boxless.ec strack-new P=6(10s/3600s) [House]91.240.176.2#49226-[Maidenhead-link]17.167.142.42#443 Allow
2015-11-14T14:27:47.272428Z boxless.ec strack-new P=6(10s/3600s) [House]91.240.176.2#49227-[Maidenhead-link]17.167.142.10#443 Allow
2015-11-14T14:27:47.626892Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#61202-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:47.626966Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#49904-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:48.135136Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#60666-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:48.135467Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#52652-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:48.924560Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#52498-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:48.924637Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#57478-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:48.953413Z boxless.ec strack-new P=6(10s/3600s) [House]91.240.176.2#49228-[Maidenhead-link]31.13.90.6#443 Allow
2015-11-14T14:27:49.280751Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#50294-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:50.708911Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#57977-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:50.708986Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#57194-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:51.098092Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#58259-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:51.101453Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#57529-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:51.767330Z boxless.ec strack-new P=17(10s/3s) [House]91.240.176.2#123-[Maidenhead-link]17.253.34.125#123 Allow
2015-11-14T14:27:58.020764Z boxless.ec strack-new P=6(10s/3600s) [House]91.240.176.2#49229-[Maidenhead-link]17.167.142.32#443 Allow
2015-11-14T14:28:04.179329Z boxless.ec strack-new P=17(10s/120s) [House]91.240.176.2#63962-[Maidenhead-link]194.126.249.5#22026 Allow
2015-11-14T14:28:04.179395Z boxless.ec strack-new P=17(10s/120s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#63963-[Maidenhead-link]2001:470:28:4d6::5#22026 Allow
2015-11-14T14:28:09.232526Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#62395-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:28:09.232600Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#63665-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:28:09.235712Z boxless.ec strack-new P=17(10s/120s) [House]91.240.176.2#64127-[Maidenhead-link]194.126.249.5#22026 Allow
2015-11-14T14:28:09.235774Z boxless.ec strack-new P=17(10s/120s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#64128-[Maidenhead-link]2001:470:28:4d6::5#22026 Allow
2015-11-14T14:28:15.314592Z boxless.ec strack-new P=6(10s/3600s) [House]91.240.176.2#49230-[Maidenhead-link]17.167.142.31#443 Allow
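To make sense of a dump like the one above, it helps to have something that parses the two record types and reduces them to what a retained "connection record" would actually contain. The following is an added example written for this post, not FireBrick code and not the author's; the line format is inferred from the quoted lines, the two bracketed durations after `P=` are assumed to be session-tracking timeouts, and the sample input is a handful of lines copied from the log above. It separates the phone's lookups against the router's own resolver (`[Self]#53`) from sessions that actually leave the house, tallies the remote IP/port/protocol tuples, and lists the DNS names each client asked for, which is where the service being used (push, iCloud, iTunes) becomes visible rather than in the bare `#443` sessions.

```python
"""Summarise FireBrick-style session-tracking and DNS-relay log lines.

Added example for this post, not FireBrick's own code.  The record layout is
inferred from the lines quoted above; the meaning of the two durations in
P=6(10s/3600s) is assumed (session-tracking timeouts) and is not used beyond
being parsed.
"""
import re
from collections import Counter, defaultdict

# Sample input: a handful of lines copied from the log quoted in the post.
SAMPLE_LOG = """\
2015-11-14T14:27:32.178691Z boxless.ec strack-new P=6(10s/3600s) [House]91.240.176.2#49180-[Maidenhead-link]17.167.142.87#443 Allow
2015-11-14T14:27:32.281436Z boxless.ec strack-new P=17(10s/3s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#53849-[Self]2001:67c:2a40::#53 Allow
2015-11-14T14:27:32.282883Z boxless.ec strack-new P=6(10s/3600s) [House]2001:67c:2a40::aaaa:aaaa:aaaa:aaaa#49182-[Maidenhead-link]2001:8b0::30:230:48ff:fedb:25dc#143 Allow
2015-11-14T14:27:32.983498Z boxless.ec strack-new P=17(10s/120s) [House]91.240.176.2#62277-[Maidenhead-link]194.126.249.5#22026 Allow
2015-11-14T14:27:35.670134Z boxless.ec strack-new P=17(10s/3s) [House]91.240.176.2#60592-[Maidenhead-link]17.253.34.251#123 Allow
2015-11-14T14:27:38.045661Z boxless.ec strack-new P=6(10s/3600s) [House]91.240.176.2#49205-[Maidenhead-link]17.167.142.25#443 Allow
2015-11-14T14:27:38.677948Z boxless.ec strack-new P=6(10s/3600s) [House]91.240.176.2#49209-[Maidenhead-link]17.167.142.25#443 Allow
2015-11-14T14:27:20.717656Z boxless.ec dns-rx DNS relay swscan.apple.com for 2001:67c:2a40::aaaa:aaaa:aaaa:aaaa
2015-11-14T14:27:20.741369Z boxless.ec dns-rx DNS relay p23-fmip.icloud.com for 2001:67c:2a40::aaaa:aaaa:aaaa:aaaa
2015-11-14T14:27:20.775157Z boxless.ec dns-rx DNS relay 16-courier.push.apple.com for 2001:67c:2a40::aaaa:aaaa:aaaa:aaaa
"""

# One new tracked session.  IP fields are "anything up to the '#'", so IPv4
# and IPv6 both match without needing separate patterns.
STRACK_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) strack-new "
    r"P=(?P<proto>\d+)\((?P<t_init>\d+)s/(?P<t_est>\d+)s\) "      # timeouts (assumed)
    r"\[(?P<src_zone>[^\]]+)\](?P<src_ip>[^#\s]+)#(?P<src_port>\d+)-"
    r"\[(?P<dst_zone>[^\]]+)\](?P<dst_ip>[^#\s]+)#(?P<dst_port>\d+) "
    r"(?P<action>\w+)$"
)
# One query received by the router's DNS relay.
DNS_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) dns-rx DNS relay (?P<name>\S+) for (?P<client>\S+)$"
)

PROTO_NAMES = {6: "tcp", 17: "udp"}


def parse_line(line):
    """Return ('session', fields) or ('dns', fields); None for unknown lines."""
    m = STRACK_RE.match(line)
    if m:
        d = m.groupdict()
        for k in ("proto", "t_init", "t_est", "src_port", "dst_port"):
            d[k] = int(d[k])
        return "session", d
    m = DNS_RE.match(line)
    if m:
        return "dns", m.groupdict()
    return None


def parse_log(text):
    """Split a log dump into session records and DNS-relay records."""
    sessions, dns = [], []
    for line in text.splitlines():
        parsed = parse_line(line.strip())
        if parsed is None:
            continue
        kind, rec = parsed
        (sessions if kind == "session" else dns).append(rec)
    return sessions, dns


def external_sessions(sessions):
    """Sessions that leave the router.  The [Self]#53 entries are the phone
    talking to the router's own DNS relay and never reach the ISP as such."""
    return [s for s in sessions if s["dst_zone"] != "Self"]


def connection_record_summary(sessions):
    """What an upstream log of this traffic reduces to: remote
    (ip, port, protocol) tuples and how many new sessions went to each."""
    tally = Counter()
    for s in external_sessions(sessions):
        proto = PROTO_NAMES.get(s["proto"], str(s["proto"]))
        tally[(s["dst_ip"], s["dst_port"], proto)] += 1
    return tally


def dns_names_by_client(dns):
    """Names each client asked the relay for: this, not the IP:443 tuples,
    is what says 'push notifications', 'Find My iPhone', 'software update'."""
    names = defaultdict(set)
    for d in dns:
        names[d["client"]].add(d["name"])
    return names


if __name__ == "__main__":
    sessions, dns = parse_log(SAMPLE_LOG)
    for (ip, port, proto), n in sorted(connection_record_summary(sessions).items()):
        print(f"{n:3d}  {proto}/{port:<5d} {ip}")
    for client, names in dns_names_by_client(dns).items():
        print(client, "->", ", ".join(sorted(names)))
```

Feed the full dump from the post in place of `SAMPLE_LOG` and the summary collapses a few hundred lines into a short table of remote endpoints (almost all Apple and Akamai ranges on port 443) plus the list of hostnames, which is the clearest illustration of how little an IP-level record says on its own and how much the accompanying DNS says.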
And here are the DNS requests made :-
2015-11-14T14:27:20.717656Z boxless.ec dns-rx DNS relay swscan.apple.com for 2001:67c:2a40::aaaa:aaaa:aaaa:aaaa
2015-11-14T14:27:20.717693Z boxless.ec dns-rx DNS relay appleid.apple.com for 2001:67c:2a40::aaaa:aaaa:aaaa:aaaa
2015-11-14T14:27:20.724113Z boxless.ec dns-rx DNS relay init-p01st.push.apple.com for 2001:67c:2a40::aaaa:aaaa:aaaa:aaaa
2015-11-14T14:27:20.724173Z boxless.ec dns-rx DNS relay init-p01st.push.apple.com for 2001:67c:2a40::aaaa:aaaa:aaaa:aaaa
2015-11-14T14:27:20.725711Z boxless.ec dns-rx DNS relay a1441.g4.akamai.net for 2001:67c:2a40::aaaa:aaaa:aaaa:aaaa
2015-11-14T14:27:20.725744Z boxless.ec dns-rx DNS relay a1441.g4.akamai.net for 2001:67c:2a40::aaaa:aaaa:aaaa:aaaa
2015-11-14T14:27:20.741369Z boxless.ec dns-rx DNS relay p23-fmip.icloud.com for 2001:67c:2a40::aaaa:aaaa:aaaa:aaaa
2015-11-14T14:27:20.750971Z boxless.ec dns-rx DNS relay aia.entrust.net for 2001:67c:2a40::aaaa:aaaa:aaaa:aaaa
2015-11-14T14:27:20.751007Z boxless.ec dns-rx DNS relay aia.entrust.net for 2001:67c:2a40::aaaa:aaaa:aaaa:aaaa
2015-11-14T14:27:20.752575Z boxless.ec dns-rx DNS relay a57.d.akamai.net for 2001:67c:2a40::aaaa:aaaa:aaaa:aaaa
2015-11-14T14:27:20.752658Z boxless.ec dns-rx DNS relay a57.d.akamai.net for 2001:67c:2a40::aaaa:aaaa:aaaa:aaaa
2015-11-14T14:27:20.775157Z boxless.ec dns-rx DNS relay 16-courier.push.apple.com for 2001:67c:2a40::aaaa:aaaa:aaaa:aaaa
2015-11-14T14:27:20.775208Z boxless.ec dns-rx DNS relay 16-courier.push.apple.com for 2001:67c:2a40::aaaa:aaaa:aaaa:aaaa
2015-11-14T14:27:20.779555Z boxless.ec dns-rx DNS relay us-courier.push-apple.com.akadns.net for 2001:67c:2a40::aaaa:aaaa:aaaa:aaaa
2015-11-14T14:27:21.070766Z boxless.ec dns-rx DNS relay appleid.apple.com.akadns.net for 2001:67c:2a40::aaaa:aaaa:aaaa:aaaa
2015-11-14T14:27:21.087522Z boxless.ec dns-rx DNS relay p23-fmip.icloud.com.akadns.net for 2001:67c:2a40::aaaa:aaaa:aaaa:aaaa
2015-11-14T14:27:21.788819Z boxless.ec dns-rx DNS relay www.apple.com for 2001:67c:2a40::aaaa:aaaa:aaaa:aaaa
2015-11-14T14:27:21.788853Z boxless.ec dns-rx DNS relay www.apple.com for 2001:67c:2a40::aaaa:aaaa:aaaa:aaaa
2015-11-14T14:27:21.788905Z boxless.ec dns-rx DNS relay 1-courier.push.apple.com for 2001:67c:2a40::aaaa:aaaa:aaaa:aaaa
2015-11-14T14:27:25.940439Z boxless.ec dns-rx DNS relay lb._dns-sd._udp.bracknell.aa.net.uk for 2001:67c:2a40::aaaa:aaaa:aaaa:aaaa
2015-11-14T14:27:25.940484Z boxless.ec dns-rx DNS relay lb._dns-sd._udp.ec.aa.net.uk for 2001:67c:2a40::aaaa:aaaa:aaaa:aaaa
2015-11-14T14:27:25.940527Z boxless.ec dns-rx DNS relay lb._dns-sd._udp.aa.net.uk for 2001:67c:2a40::aaaa:aaaa:aaaa:aaaa
Now remember, all I did was power up, visit Facebook, do one "like" and shut down again, so logically this should magically condense to a single "Internet Connection Record".
Now, if I had dumped what the network actually sees, the packets that flow, and not had my firewall condense this down to some distinct "sessions", it would have been much more complex.
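As an added illustration (not code from this post), here is a small Python parser for the firewall's `<timestamp> <host> dns-rx DNS relay <name> for <client>` lines that shows how the number of "records" swings depending on what an Internet Connection Record is taken to mean: raw log lines, lookups with the paired A/AAAA repeats collapsed, distinct names, or distinct services. The sample lines are constructed in that format, the client address is a documentation-prefix placeholder, and `service_key` is a deliberately simple heuristic rather than a public-suffix lookup.

```python
import re
from datetime import datetime
from typing import Dict, List, NamedTuple

# Constructed sample in the shape of the firewall's relay log format discussed
# in this post (not the post's own dump); client address is a placeholder.
SAMPLE_LOG = """\
2015-11-14T14:27:26.825174Z boxless.ec dns-rx DNS relay apple.com for 2001:db8::1
2015-11-14T14:27:27.055192Z boxless.ec dns-rx DNS relay p23-keyvalueservice.icloud.com for 2001:db8::1
2015-11-14T14:27:27.055228Z boxless.ec dns-rx DNS relay p23-keyvalueservice.icloud.com for 2001:db8::1
2015-11-14T14:27:27.067767Z boxless.ec dns-rx DNS relay p23-keyvalueservice.icloud.com.akadns.net for 2001:db8::1
2015-11-14T14:27:36.619778Z boxless.ec dns-rx DNS relay www.facebook.com for 2001:db8::1
2015-11-14T14:27:36.619811Z boxless.ec dns-rx DNS relay www.facebook.com for 2001:db8::1
2015-11-14T14:27:40.092720Z boxless.ec dns-rx DNS relay star.c10r.facebook.com for 2001:db8::1
2015-11-14T14:28:09.232742Z boxless.ec dns-rx DNS relay synamic.bracknell.aa.net.uk for 2001:db8::1
"""

LINE_RE = re.compile(r"^(\S+) (\S+) dns-rx DNS relay (\S+) for (\S+)$")


class Lookup(NamedTuple):
    when: datetime
    host: str
    name: str
    client: str


def parse_relay_lines(text: str) -> List[Lookup]:
    """Parse relay log lines; anything not in the expected format is skipped."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, host, name, client = m.groups()
        # fromisoformat() only accepts a trailing "Z" from Python 3.11 on.
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        out.append(Lookup(when, host, name.rstrip("."), client))
    return out


def collapse_repeats(lookups: List[Lookup], window: float = 1.0) -> List[Lookup]:
    """Drop a lookup repeating the previous (client, name) within `window` s:
    the paired lines are the A and AAAA queries for one name, not two events."""
    kept: List[Lookup] = []
    for cur in lookups:
        if kept:
            prev = kept[-1]
            same = (prev.client, prev.name) == (cur.client, cur.name)
            if same and (cur.when - prev.when).total_seconds() <= window:
                continue
        kept.append(cur)
    return kept


SECOND_LEVEL = {"co", "ac", "org", "net", "gov"}


def service_key(name: str) -> str:
    """Heuristic 'service': last two labels, or three for names like x.co.uk.
    An assumption for this example only, not a public-suffix-list lookup."""
    labels = name.split(".")
    if len(labels) >= 3 and len(labels[-1]) == 2 and labels[-2] in SECOND_LEVEL:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def record_counts(text: str) -> Dict[str, int]:
    """How many 'records' one burst of activity becomes under each reading."""
    raw = parse_relay_lines(text)
    dedup = collapse_repeats(raw)
    return {
        "log_lines": len(raw),
        "distinct_lookups": len(dedup),
        "distinct_names": len({l.name for l in dedup}),
        "distinct_services": len({service_key(l.name) for l in dedup}),
    }
```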
Update: Also see this excellent analysis of a day's logging. https://babyis60.wordpress.com/2015/11/13/the-investigation-of-packets/