tag:blogger.com,1999:blog-3993498847203183398.post2647778616374974687..comments2024-03-28T09:19:27.451+00:00Comments on RevK<sup>®</sup>'s ramblings: What privacy can we promise you?RevKhttp://www.blogger.com/profile/12369263214193333422noreply@blogger.comBlogger21125tag:blogger.com,1999:blog-3993498847203183398.post-23468476325073973022019-12-22T00:51:54.194+00:002019-12-22T00:51:54.194+00:003 years since the last denial ;) - any sneaky blac...3 years since the last denial ;) - any sneaky black boxes yet?Anonymoushttps://www.blogger.com/profile/14075391731358188932noreply@blogger.comtag:blogger.com,1999:blog-3993498847203183398.post-84217913034681308392016-04-06T20:31:49.231+01:002016-04-06T20:31:49.231+01:00FFS yes, "no 'black boxes'" - my...FFS yes, "no 'black boxes'" - my bad!RevKhttps://www.blogger.com/profile/12369263214193333422noreply@blogger.comtag:blogger.com,1999:blog-3993498847203183398.post-88155680083353834492016-04-06T20:30:11.525+01:002016-04-06T20:30:11.525+01:00I hope 'now "black boxes"' is a ...I hope 'now "black boxes"' is a typo for "no black boxes"David Abbishawhttps://www.blogger.com/profile/17656602956866538037noreply@blogger.comtag:blogger.com,1999:blog-3993498847203183398.post-17191415727378997322016-04-06T15:18:00.006+01:002016-04-06T15:18:00.006+01:00We have never been subject to an intercept order o...We have never been subject to an intercept order or maintenance of capabilities order or data retention order, and as such have now "black boxes".RevKhttps://www.blogger.com/profile/12369263214193333422noreply@blogger.comtag:blogger.com,1999:blog-3993498847203183398.post-77504826567216446702016-04-06T14:55:21.758+01:002016-04-06T14:55:21.758+01:00So how are those "black boxes" - its see...So how are those "black boxes" - its seems a while since you denied having any?David Abbishawhttps://www.blogger.com/profile/17656602956866538037noreply@blogger.comtag:blogger.com,1999:blog-3993498847203183398.post-87112102284095803382015-11-15T13:22:37.993+00:002015-11-15T13:22:37.993+00:00Can't you do that with nothing but ssh -w (the...Can't you do that with nothing but ssh -w (the tunnel device version) and a single remote host out there on the net to act as an ssh endpoint? (Assuming the user has something capable of running ssh -w, which, come on, a suitably capable device costs about £30 these days.)Nick Alcockhttps://www.blogger.com/profile/06590610308528769844noreply@blogger.comtag:blogger.com,1999:blog-3993498847203183398.post-30526308607195880252015-11-14T16:43:07.511+00:002015-11-14T16:43:07.511+00:00I want this for all my traffic, not just web brows...I want this for all my traffic, not just web browsing. So Tor doesn't do the job, unless I've misunderstood it. Also I don't want something as complex and slow as Tor, it doesn't need to bounce around a lot of sites. A simple encrypted tunnel for all my traffic that exits outside the UK is all I want.<br /><br />The ability to add exceptions for certain devices in my house would be useful too, or some other way to exempt iPlayer and other TV catchup services. Otherwise they'll be geo blocked.Owen Smithhttps://www.blogger.com/profile/00890951742186614705noreply@blogger.comtag:blogger.com,1999:blog-3993498847203183398.post-73861366961864965542015-11-14T13:05:41.799+00:002015-11-14T13:05:41.799+00:00Yes, it is a trade off, but eventually you have to...Yes, it is a trade off, but eventually you have to be pushing one step too far, and I feel that mass surveillance like this is one step too far.RevKhttps://www.blogger.com/profile/12369263214193333422noreply@blogger.comtag:blogger.com,1999:blog-3993498847203183398.post-19147374358170239232015-11-14T11:33:17.011+00:002015-11-14T11:33:17.011+00:00Just because the government wants to use technolog...Just because the government wants to use technology to help keep us all safe by helping them find evidence of serious crimes does not automatically mean we are all guilty until proven innocent! Far from it, the fact that it is mass surveillance means that they know that almost everyone they are observing is innocent. The government is just using technology to efficiently sift a big stack of data, to help the find the proverbial needle in a haystack and produce the genuine evidence needed to either protect the public and prevent atrocities or to use in a court of law to help secure a sound conviction.<br /><br />In any case, effective individual privacy for the good guys is still almost entirely maintained despite mass government surveillance in that the data they collect is not simply "published" for anyone to see /use and should only be used to help our governmental authorities find genuine evidence of serious wrong doing. I agree with you that use of this data does need to be very carefully controlled, but the fact that this is such a sensitive issue should hopefully mean that it is. I would be much more sympathetic to privacy campaigners if and when they can highlight actual inappropriate use of mass surveillance data.<br /><br />What sort of breaches of privacy are people really worried about? Well, if someone steals your personal data and publishes it to the world (think Prince William and press photographers publishing photos of him and his family in private moments with long telephoto lenses) or uses your personal data to harm you in some way (e.g. if someone stole your customer list / contact details with the intent of trying to poach all your customers later), then you clearly have a breach of privacy which most members of the public would consider to be completely unacceptable.<br /><br />Whilst in a theoretical ideal world we could have absolute privacy, in the real world, there is a practical trade-off to be made between a very modest loss of privacy (which does not result in any normal law abiding citizens suffering any real world harm at all) and the much larger and more important role of government in keeping society safe and secure and facilitating the collection of genuine evidence to achieve sound convictions.Ruperthttps://www.blogger.com/profile/04685206007070599216noreply@blogger.comtag:blogger.com,1999:blog-3993498847203183398.post-32815343357613019582015-11-14T08:49:14.649+00:002015-11-14T08:49:14.649+00:00There is a huge difference between assisting catch...There is a huge difference between assisting catching of a criminal and spying on everyone just in case they are a criminal. We have a principle of innocent until proven guilty - so spying on the innocent needs careful controls and oversight to be done on those genuinely suspected of a crime. We have a human right to privacy.RevKhttps://www.blogger.com/profile/12369263214193333422noreply@blogger.comtag:blogger.com,1999:blog-3993498847203183398.post-47556101262474653812015-11-13T22:43:04.937+00:002015-11-13T22:43:04.937+00:00Why does this legislation annoy you so much? Just...Why does this legislation annoy you so much? Just because the bad guys could potentially keep their conversations completely private, this doesn't mean that all communications by the bad guys they are after would definitely use encryption, or that the encryption couldn't be broken when required, so perhaps the proposed surveillance isn't as completely pointless as you believe. <br /><br />If the encryption used was standard TLS, then if the government was determined enough, it could easily break that today using a man-in-the-middle style attack, just like an SSL proxy like Bluecoat does for companies wanting to "secure" their corporate networks to scan the traffic going in and out - See https://www.bluecoat.com/products-and-solutions/encrypted-traffic-management. They would only need to create fake certificates using a certificate authority recognised by the world's normal web browsers to make this work without being detected by most people.<br /><br />You are a technical expert and you understand clearly what can and cannot be intercepted and exactly what you need to do to maintain privacy and avoid man-in-the-middle attacks. I doubt that very many (if any) of the bad guys that the authorities are after will be as technically clued up as you are and often they will be as lazy as anyone else in the general public and will value the convenience and ease of use of modern (potentially insecure) communication technology over and above maintaining their own privacy of communications. It is the modern and easy technology that has enabled the bad guys to organise themselves more easily and efficiently than was possible previously, so is it any wonder that the authorities want to at least try and listen in?<br /><br />Furthermore, I suspect that most of the general public consider assisting the authorities to catch the bad guys as being more important than maintaining absolute privacy over their own communications data, which for most people probably contains nothing that much worth hiding anyway, especially if it is metadata they are after as opposed to data payload. And this metadata is often still valuable in an encrypted world, as you can still at least see who is communicating with whom, even if you can't work out what they are saying. <br /><br />In any case, as you have often pointed out, anyone, including you, can maintain the privacy of their communications through their own encryption mechanism using their own keys if they really want to and if it is important enough to them. It's just a whole lot less convenient to do so!Ruperthttps://www.blogger.com/profile/04685206007070599216noreply@blogger.comtag:blogger.com,1999:blog-3993498847203183398.post-65150516849185066662015-11-13T15:39:44.599+00:002015-11-13T15:39:44.599+00:00Another point, of course, is whether you consider ...Another point, of course, is whether you consider looking at the source and destination addresses in the IP header to be "Deep Packet Inspection". They may well ask you to log all "unique" samples of IP headers, for example. (Whatever their definition of "unique" may be. Of course they wouldn't tell you how that would be feasible either. Just that you _must_ do it.)saranhttps://www.blogger.com/profile/11236794581259276845noreply@blogger.comtag:blogger.com,1999:blog-3993498847203183398.post-17326529721142589242015-11-13T15:28:35.275+00:002015-11-13T15:28:35.275+00:00Yes, but large scale IPSec is not simple, but some...Yes, but large scale IPSec is not simple, but something to look in to.RevKhttps://www.blogger.com/profile/12369263214193333422noreply@blogger.comtag:blogger.com,1999:blog-3993498847203183398.post-72402441365119384052015-11-13T15:15:46.765+00:002015-11-13T15:15:46.765+00:00But you could open an independent offshore company...But you could open an independent offshore company, whose only business is to offer a persistent IPSec tunnels (along with perhaps a DNS server). That surely _would_ do the trick.saranhttps://www.blogger.com/profile/11236794581259276845noreply@blogger.comtag:blogger.com,1999:blog-3993498847203183398.post-5769456265218836712015-11-13T15:08:23.391+00:002015-11-13T15:08:23.391+00:00Well, basically, that is Tor, which is simple to s...Well, basically, that is Tor, which is simple to set up and use. If we ran the encryption we could be subject to retention and intercept orders.RevKhttps://www.blogger.com/profile/12369263214193333422noreply@blogger.comtag:blogger.com,1999:blog-3993498847203183398.post-83699838435523772332015-11-13T15:04:35.348+00:002015-11-13T15:04:35.348+00:00Hmm, I was hoping A&A would offer end to end e...Hmm, I was hoping A&A would offer end to end encryption to a foreign country. Ie. I buy a Firebrick to do the encryption at my end, and my A&A internet then goes via an encrypted VPN to somewhere else who decrypt it and pass it on to the internet. If we're all expected to set that sort of thing up entirely by ourselves, then the uptake will be minimal and costs for doing it individually probably high.Owen Smithhttps://www.blogger.com/profile/00890951742186614705noreply@blogger.comtag:blogger.com,1999:blog-3993498847203183398.post-6781005751311655962015-11-13T13:42:31.574+00:002015-11-13T13:42:31.574+00:00LOL, like it!LOL, like it!RevKhttps://www.blogger.com/profile/12369263214193333422noreply@blogger.comtag:blogger.com,1999:blog-3993498847203183398.post-3099220957828035292015-11-13T13:35:27.661+00:002015-11-13T13:35:27.661+00:00If you do get given a retention + gag order, I ass...If you do get given a retention + gag order, I assume that you have no equipment capable of performing the required functions. If you were to put an order in for this kit with another company (say A&A Equipment Ltd.) is there anything stopping them from putting out a press release saying they have had a large order of surveillance equipment from AAISP? I assume the gag order wouldn't cover them, and they wouldn't even have knowledge of it. All they know is that you have purchased equipment from them...Bored Student Techhttps://www.blogger.com/profile/03128584693886634840noreply@blogger.comtag:blogger.com,1999:blog-3993498847203183398.post-64622030613687469512015-11-13T10:21:08.154+00:002015-11-13T10:21:08.154+00:00"We do provide itemised phone bills, and thos...<i>"We do provide itemised phone bills, and those hang around - we are not sure of a tidy way to not keep them as they are needed if any billing dispute. One thought was to send digitally signed call records on the bill, and then delete them - that way, if there is a dispute, you have to provide the call records, but we can validate that they are genuinely from us and unchanged."</i><br /><br /><b>Judge:</b> "So, Mr Bloggs, you're suing Andrews and Arnold because you claim they overcharged you for your phone calls. What evidence do you have of this?"<br /><b>Bloggs:</b> "Actually, none. I never received a call itemisation and lots of money was just taken from my account."<br /><b>Judge:</b> "OK. This should be easy to sort out. Mr Kennard, please could you provide the call itemisations?"<br /><b>RevK:</b> "No. We delete them after e-mailing them to the customer and producing the invoice."<br /><b>Judge:</b> "So you have no evidence of what calls were made and how much Mr Bloggs was charged for them?"<br /><b>RevK:</b> "No. But we e-mailed them to Mr Bloggs, so he has copies."<br /><b>Judge:</b> "But Mr Bloggs claims not to have received the e-mail. What evidence do you have that Mr Bloggs received it?"<br /><b>RevK:</b> "None."<br /><b>Judge:</b> "Then I find for Mr Bloggs and order the full amount to be refunded with costs."<br /><b>Bloggs:</b> [wanders off singing "I'm in the money"]<br />Anonymousnoreply@blogger.comtag:blogger.com,1999:blog-3993498847203183398.post-3030433743848811132015-11-13T06:00:08.496+00:002015-11-13T06:00:08.496+00:00If your back-haul carriers were forced to record d...If your back-haul carriers were forced to record data from deep packet inspection would you be aware of the fact, given that they would presumably be legally prevented from revealing what they're doing? If not, then how can you be sure that they are not already collecting data?<br /><br />The possibility of a retention order on wholesale providers hadn't occured to me until you mentioned it. Hopefully it won't occur to the technically illiterate politicians either. Anonymoushttps://www.blogger.com/profile/10823387395371201608noreply@blogger.comtag:blogger.com,1999:blog-3993498847203183398.post-32232180705685365062015-11-13T03:19:59.019+00:002015-11-13T03:19:59.019+00:00"We did wonder what the rules are for Isle of..."We did wonder what the rules are for Isle of Man, for example, or maybe we keep it in the EU"<br /><br />I'm thinking Ireland might be quite good. They speak the same language (which makes explaining things to remote hands easier), there are plenty of datacentres in/around Dublin, connectivity both across the pond and back to the UK is good, and it's (relatively) inexpensive to get to quickly in person if needed.Chris @ Minotaurhttps://www.blogger.com/profile/05483863423399413251noreply@blogger.com