The Infrastructure Data Bill's only real purpose is for Snooping
- 30 November 2016
One thing I keep saying about this Infrastructure Data Bill, AKA the Snoopers Charter, is that it’s not fit for purpose. Politicians state that this bill will be useful to stop terrorists and criminals, and then even make silly claims that it could be used to track missing children by looking at their mobile phone Twitter usage. These claims just demonstrate to me that they don’t even understand the fundamentals of how the Internet works or the use of mobile telephony/mobile data, and/or are deliberately misleading the public in order to gain access to see what they have been using the Internet for.
Any serious organised group would have the knowledge to avoid being identified, using methods that have been available for over 20 years, some of which were first thought of when Stan Hanks was working on the TCP/IP-over-X.25 stack for CSNET in 1981.
VPNs
Businesses use VPNs to connect different offices together, or for remote workers or homeworkers to connect to the office to access services such as file servers, email and company intranets. But some companies offer the VPN service as a means to allow you to route your traffic through their network.
The principle behind a VPN is that you connect to another network to create a secure encrypted tunnel which your traffic is routed through in order to access other web pages and services on that network. If your web traffic is routed through that network then it would appear that you were browsing from wherever their network is located (where their public facing IP address is). So if you were located in London and the VPN was located in Amsterdam and you browsed a website in Aberdeen, it would appear that you had visited the website from Amsterdam.
A VPN can come in useful when watching certain online TV services such as Netflix that make some of their content available only to customers who are located in the USA (or appear to be because they have a leased American IP address), so if you’re in the UK and you connect to a VPN in America you can watch programmes that would normally be unavailable to you. Another use for VPNs is that they allow you to access pages that have been blocked by certain ISPs; for instance, some sites allow you to watch movies that are out at the cinema but not on general release yet, films that haven’t yet made it to the cinema, or streaming sporting events that you would usually have to purchase.
Browsers such as Tor or Pirate Browser are configured to use a built-in VPN so all browser traffic is encrypted to enable you to browse more anonymously and access content such as that mentioned above.
Parts of the web that can only be accessed using VPNs or other anonymous browsing techniques are commonly referred to as ‘The Dark Web’ and are also known to contain illegal pornography sites and drug and arms trading sites.
Now this isn’t some magic secret I’m letting out of the bag; this is fairly common knowledge for the younger and tech savvy generation. If someone knows a way of watching all of the latest unreleased films from their own laptop then that knowledge soon gets shared about.
I’m not going to debate the morality and legality of whether people should or should not watch the latest Star Wars movie online via VPN without paying for a ticket; someone else can write about that. What I will say is that ordinary people (non IT professionals) are using simple means that are common knowledge to access content on the web, which this expensive Infrastructure Bill will not prevent. So if this is common knowledge then you would expect hackers, organised crime syndicates, terrorist or activist groups to be using more advanced methods of remaining anonymous or hiding their browser traffic.
Default Internet Ports - Port 80 and Port 443
In the Internet protocol suite there is a range of virtual points, called ports, which are numbered 0 through 65535. These ports are sort of like TV channels: on a TV you could allocate channel 1 for BBC 1 or channel 2 for BBC 2, whereas on the Internet or in networking you typically allocate ports to applications/protocols, such as Port 80 for HTTP and Port 443 for HTTPS. Many applications are configured to use these default ports. So when you type in http://www.google.co.uk/ you are connecting to Port 80 on a web server. This web server is configured to listen for any traffic that is sent to Port 80 and then send a web page back to the client’s browser. When you type in https (add the s after http) followed by the website URL, for instance https://www.google.co.uk, you are communicating via port 443. But just as you could configure your TV to have BBC 1 on channel 3 and not the default channel of 1, you could also configure your web server to listen for web traffic on a different port (many control panels or web portals are configured to use one of the higher numbered and less common ports). For instance, I could configure my web server to listen on Port 8080 for web traffic, which you could then access at http://www.somewebsite.co.uk:8080/, or on port 4443 for secure encrypted web traffic.
If you want to capture someone’s Internet traffic then typically you would act as a ‘Man in the Middle’ somewhere between two communicating parties. You can use a piece of software known as a packet sniffer, such as Wireshark. This piece of software is very useful for diagnosing network problems but also useful for eavesdropping. Typically though, if I want to capture someone’s Internet traffic I would filter out all network traffic that is not going to port 80 or 443; if I was to try and sift through the entirety of one person’s network traffic then there would be too much noise and it would take too much time. Now imagine the wealth of traffic on an office network: you would need to have some serious storage capabilities to capture all of its network traffic. Now imagine the whole of the UK’s network traffic. So straight away, for feasibility reasons, you are going to have a nightmare if you are storing data on all ports and searching (even using powerful software and tools) through all this data. If this data is encrypted as well, this adds another layer of complexity.
Besides, even if we don’t have access to a VPN and don’t mess around with different ports or SSL encryption, we can still use other more primitive methods such as sending coded messages to one another, masquerading as another user or using open Internet connections.
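To make the port point concrete from the monitoring side, here is an added example (not code from the original post) that identifies web traffic from the first bytes of each flow instead of its port, and lists the flows a port-80/443-only filter would have skipped. The flows are constructed samples and the function names are illustrative.

```python
# Added example: spot HTTP/TLS by content rather than by destination port.
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")
DEFAULT_WEB_PORTS = {80, 443}

def identify_protocol(first_bytes):
    """Guess the protocol from the first payload bytes of a flow."""
    if first_bytes.startswith(HTTP_METHODS):
        return "http"
    # TLS record header: type 0x16 (handshake), major version 0x03,
    # two length bytes, then handshake type 0x01 (ClientHello).
    if (len(first_bytes) >= 6 and first_bytes[0] == 0x16
            and first_bytes[1] == 0x03 and first_bytes[5] == 0x01):
        return "tls"
    return "unknown"

def web_on_unusual_ports(flows):
    """Return (port, protocol) for web flows a port-80/443 filter would skip."""
    missed = []
    for dst_port, payload in flows:
        proto = identify_protocol(payload)
        if proto != "unknown" and dst_port not in DEFAULT_WEB_PORTS:
            missed.append((dst_port, proto))
    return missed

# Constructed sample flows: (destination port, first payload bytes).
TLS_HELLO = bytes.fromhex("160301002f0100002b0303")
SAMPLE_FLOWS = [
    (80, b"GET / HTTP/1.1\r\nHost: www.google.co.uk\r\n\r\n"),
    (8080, b"GET / HTTP/1.1\r\nHost: www.somewebsite.co.uk:8080\r\n\r\n"),
    (443, TLS_HELLO),
    (4443, TLS_HELLO),
    (53, bytes.fromhex("1a2b01000001000000000000")),  # DNS-like, not web
]

if __name__ == "__main__":
    for port, proto in web_on_unusual_ports(SAMPLE_FLOWS):
        print(f"port {port}: {proto} traffic outside the default web ports")
```

This only works while the first bytes of the flow are visible; traffic carried inside an encrypted tunnel shows up as the tunnel protocol and nothing more.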
Cryptography and Encryption
Basic encryption would be sending an encoded message to someone in such a way that only the authorised people would be able to read the message. Other people may be able to intercept the message, but since they don’t know the secret key to decrypt the message they won’t be able to read the hidden message. A very simple example of encryption is the Caesar cipher (named after Julius Caesar, who according to legend used it to protect important military messages), where you replace each plaintext letter of an alphabet with a different letter a few places further along the alphabet, e.g.
Plain: A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
Cipher: X Y Z A B C D E F G H I J K L M N O P Q R S T U V W
An example message
Plain: Mr James Myers
Cipher: JO GXJBP JVBOP
A slightly more complex cipher is called the Vigenère Cipher (circa 1553) which is an example of polyalphabetic substitution where you have a different alphabet for each of the replaced letters. See here for more info https://en.wikipedia.org/wiki/Vigenère_cipher
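The two ciphers above in working form, as an added example that is not from the original post: a Vigenère routine whose one-letter key "X" reproduces the Caesar table and the "Mr James Myers" message shown above, plus a helper that lists every possible Caesar decryption. The LEMON/ATTACKATDAWN pair is a constructed sample, and the function names are illustrative.

```python
import string

ALPHABET = string.ascii_uppercase

def vigenere(text, key, decrypt=False):
    """Shift each letter by the matching key letter (A=0 ... Z=25).

    A one-letter key gives a Caesar cipher; a longer key gives Vigenere.
    """
    if not key or not all(k in ALPHABET for k in key.upper()):
        raise ValueError("key must be one or more letters A-Z")
    shifts = [ALPHABET.index(k) for k in key.upper()]
    sign = -1 if decrypt else 1
    out, used = [], 0
    for ch in text.upper():
        if ch in ALPHABET:
            shift = sign * shifts[used % len(shifts)]
            out.append(ALPHABET[(ALPHABET.index(ch) + shift) % 26])
            used += 1          # only letters consume key material
        else:
            out.append(ch)     # spaces and punctuation pass through
    return "".join(out)

def caesar_candidates(ciphertext):
    """Every possible Caesar decryption: there are only 26 keys to try."""
    return {k: vigenere(ciphertext, k, decrypt=True) for k in ALPHABET}

if __name__ == "__main__":
    # The table above maps A -> X, which is the one-letter key "X".
    print(vigenere(ALPHABET, "X"))
    print(vigenere("Mr James Myers", "X"))
    # Trying all 26 keys recovers the message without knowing the key.
    print(caesar_candidates("JO GXJBP JVBOP")["X"])
    # Constructed sample: with a longer key the same plaintext letter
    # (T) no longer always becomes the same ciphertext letter.
    print(vigenere("ATTACKATDAWN", "LEMON"))
```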
Hidden Messages
Then of course we have all probably heard of the Enigma machine which was used to intercept German coded messages during World War II, and captured Nazi spies in the UK used to use lemon juice as a form of invisible ink to send secret messages to each other.
Whilst the goal of cryptography is to make data unreadable by a third party, steganography is the practice of hiding information, for instance concealing a file, message, image, or video within another file, message, image, or video. http://www.garykessler.net/library/steganography.html
So as you can see, people have been using encryption and sending secret messages since long before the advent of the TCP/IP protocol. As long as there has been encryption there have been people wanting to gain access to that secret information. As someone learns how to decipher one form of encryption, we create more powerful algorithms and ciphers to make our secrets tougher to access.
The shape and popularity of the web today means we use encryption, via the use of SSL certificates, to secure our personal details such as usernames, passwords and credit card details from individuals who would exploit and take advantage of this information if they could obtain it. When we log into Facebook, Twitter and services such as Hotmail our Internet traffic is encrypted. Google even uses SSL certificate usage as a metric in its ranking algorithm. So more and more of the websites we visit contain encrypted traffic.
Data Leaks and Breaches
Where you have a popular service or system that contains a lot of personal data such as email addresses, dates of birth, historical data, bank details, usernames and passwords, then that system is a very attractive target to hackers and criminals. So a system aggregating the entire country’s Internet traffic will be a prime target for hackers. Creating hacking tools and distributing them amongst various government service departments so that they can ‘interfere’ with your equipment will almost certainly expose your data and your machines to either people who don’t know what they’re doing or malicious users.
"Personal data security was breached nearly 9,000 times by the government in a year, the National Audit Office (NAO) has found. The watchdog revealed the 17 largest departments recorded 8,995 data breaches in 2014-15 – but that only 14 were reported to the Information Commissioner (ICO)" https://www.theguardian.com/uk-news/2016/sep/14/government-breached-personal-data-security-9000-times-in-a-year-nao-watchdog-reveals
Here is a shortlist of UK Government Data Losses: https://en.wikipedia.org/wiki/List_of_UK_government_data_losses
Open WiFi, WiFi Hotspots and Mobile Technology
In a typical day I use probably 4-5 different Internet connections, some of which have multiple users connecting to the same network with various devices:
- My Home Network connection
  - Smart TV, Kindle x2, iPads, several laptops, several phones and several consoles all connect to a single wireless router which accesses the Internet through a single public IP address which is dynamically assigned (meaning tomorrow I could have a different public IP address).
- My Mobile Phone Internet connection
  - Communicates through various transmitting towers and will be dynamically assigned a different IP address.
- My Work Mobile Phone Internet connection
  - Communicates through various transmitting towers and will be dynamically assigned a different IP address.
- My Office Network Wired Internet connection
  - Office with about 100 members of staff and 100 users connected via VPN, all appearing to browse the Internet via the same public IP address
- My Office WiFi
  - Many office workers connect their phones and laptops to the office WiFi
Looking at the above you can see how many different devices and people share the same Internet connection, and even without anyone trying to remain anonymous it could be difficult to identify exactly which traffic belongs to whom without having some inside access to the network. So you can also imagine how difficult it may be if someone was using public WiFi hotspots, open WiFi, a local café’s or pub’s WiFi, or even hacking into someone else’s WiFi.
Government Department Access to Tamper with/Hack your Devices
So let's say the Snoopers Charter was fit for said purpose; how could they then guarantee that only designated people with honest intentions have access, and that they don't damage the innocent people's machines that they can hack into? This raises a series of worrying questions:
- What protocols and procedures will be in place within organisations such as the Food Standards Agency to stop intended and/or accidental damage of hacked persons' machines? I'm assuming there would be some kind of intranet/portal application/suite of tools with some kind of centrally located database, accessed via VPN, that each organisation could connect to?
- Would the software be on designated purpose-built workstations or on laptops that workers could take home (at risk of being stolen)?
- Who would have access to these machines?
- Would there be physical security to prevent unauthorised access, enforce policies such as a Clean Desk Policy and ensure they don't leave workstations unlocked whilst they go on a break?
- How qualified/experienced will the person with access be? Would they be an apprentice, a junior or have no IT qualification at all?
- What vetting procedures will be in place in interviews?
- How will you monitor/roll back any changes that someone makes to a machine?
Conclusion
The claim is that the Infrastructure Data Bill’s intended purpose is for security reasons and to stop terrorists in their tracks, but the reality is that if you were someone trying to remain anonymous online then you would probably be doing a mixture of these things and more already, meaning that this Bill would be so easy to circumvent that it’s not fit for said purpose and the only actual use of the Bill would be to spy on the citizens of the UK.