Queen's Speech: 'Problem of matching IP addresses' to be probed The Queen opened a new session of Parliament this morning and - as expected - Home Secretary Theresa May's Communications Data bill was absent from the government's upcoming programme of law-making for the next year. However, as indicated by Deputy Prime Minister Nick Clegg - who said late last month that the so-called …
Surely it would be better to use static or DHCP reserved addresses rather than normal DHCP allocated ones (if they want to make traceability easier and not have to look through DHCP logs). Maybe a reserved DHCP lease based on your Identity Card, NI number (or even some new "Internet Licence Number") sent as the GUID in the request.
Otherwise use a national captive portal.
I am joking of course as I know this wouldn't work well and could easily be circumvented/spoofed etc - but I guess somewhere, somebody is thinking along these lines...so perhaps I shouldn't give them ideas. :-)
No Big Brother worrier here, but in the U.S. you generally do have to provide ID to access the Internet. A credit card through your ISP and/or mobile carrier, and a valid govt issued ID or library card (which is tied to your ID) for library access. Same in most hotels, airports and bus stations as well. I suppose you could go around looking for free open wireless but that's providing fewer options daily.
All I'm saying is that the Internet isn't nearly as anonymous as people like to think, especially if the person who wants to pry has a warrant.
The solutiion is easy: Switch it off. No more smut then.
Likewise ban sugar, salt and all the other things that make people die. Outlaw alcohol, tobacco and cars. And sex, as you're at it.
Unfortunately then everyone (well, most people anyway) will find Spain or France so appealing that they will no longer fork out taxes to pay for the wages of home secretary or deputy prime minister.
Who the flying f'!$% voted for this bunch to waste resources on this?
"Who the flying f'!$% voted for this bunch to waste resources on this?"
No one of course.
This was conceived at least 8 Home Secretaries ago as the Interception Modernization Programme. It's essentially an idea thought up by a group of former senior intelligence civil servants.
Naturally they are mostly PPE graduates (there was one with a degree in particle physics) with no remote idea of what they are asking for or the scale of the problem.
We could have them personally assigned, on providing our ID cards and DNA.
Oh..wait a moment...
/me wonders if we'll next hear an announcement from HMG that they're going to help fund the roll out of IPv6 for "the benefit of our e-economy". And nothing at all to do with copyright, intellectual property, terrorism & pron.
agree with you that personally I don't mind all of my data packets being made into digitally signed and certificated evidence (IPv6) with the MAC address of the packet origin device also signed evidence.
Some other users may occasionally like to have a bit more pseudonimity, journalists, HMRC whistleblowers (google Osita Mba) etc - what privacy enhancing tools will they be able to use? (and I don't (yet) class ToR as being a safe tool for hazardous circumstances)
I disagree slightly in that VPN may well be 'virtual' - but they increasingly fail to be 'private' as the ease of snooping the data using multipurpose 'special' PKI certificates is no longer just at State level, but increasing at Enterprise level too. Sometimes that too can be OK, but do we just "get over it"? or do 'we' have to build our own nitrogen pressurised fibreoptic crypto systems with keydump on loss of pressure to swap great LOLcatz pics?
I disagree slightly in that VPN may well be 'virtual' - but they increasingly fail to be 'private' as the ease of snooping the data using multipurpose 'special' PKI certificates
You're telling me that Enterprises can watch what's happening inside an SSH link?
I think a lot of people might like to have a little chat with you.
Only the issuer of the certificate/key can see inside the link - that would include the possibility that those who issue SSL certificates like Verisign are cooperating with various governments. If you must use a properly issued certificate rather than self-signed and want to minimize the chance your own government can decrypt your traffic, you might want to choose a CA based in a country that's on less than friendly terms with your own. In the US we might want to see if there are any options in Venezuela, for instance. In the UK, you're probably pretty safe if you can find an Argentinian CA :)
You can't ever discount the possibility that the NSA and their friends in the UK have broken the encryption scheme you're using, but even if they have done so, the decryption won't be free, so it couldn't be done en masse unless they're so far ahead they have working quantum supercomputers. Assuming they can't do it for everyone, they'd have to take a special interest in you to decrypt your traffic. If they do, you probably have much bigger problems than insecure encryption once they send a black bag squad over to bug your computers, your house, your car, and your cat.
Even if the NSA doesn't decrypt your traffic in real time, that doesn't mean some of it isn't getting saved somewhere so it can be decrypted later just as the Boston investigation has proven phone calls to be.
The worries about your place of your decrypting your traffic are nil. If you're accessing your home SSH server or email server using self signed/created certificates, they can't possibly do this. Nothing stops them from having keylogger software on your work issued computer, of course, so if you're paranoid about this, you may want to inquire about their BYOD policy :)
"I don't mind all of my data packets being made into digitally signed and certificated evidence (IPv6) with the MAC address of the packet origin device also signed evidence."
Not that myth again (I wonder if Snopes or Adam and Jamie could be pursued to address this....).
Yes, at one point there was the consideration to make the bottom 48 bits of the IPv6 address be the MAC address of the device, to simplify stateless autoconfiguration. Then EVERYBODY pointed out the obvious security flaws in that idea, and the idea of using the MAC address to form the publicly routeable address was DROPPED. AXED. KILLED. REMOVED. That idea is not pinin' for the fjords, it is PASSED ON.
Even the idea of using the MAC address for the link local addresses has been made OPTIONAL, and alternatives to allow link local addresses to be created randomly have been defined.
That the political class has even less understanding of the Internet than the general public, this has to be it.
Endless argument and billions spent on solutions to non-existent problems that don't even work and will never even work.
Unless everybody is bolted to a fixed IP address and massive router flap happens when they connect via a wifi hotspot, there is never going to be a way to guarantee IP level traceability, and NAT rules anyway.
Even if you stuck a MAC address in the packet, that too can be hacked away.
Of COURSE it would be simple if every single message could be uniquely tagged to an end user or piece of physical kit. It would be simple if we all had chips embedded in our foreheads uniquely identifying who we are so that our movements could be recorded in real time on Stasi Central's computers. "we note that you and your neighbour's wife's GPS are coincident in her bedroom for over three hours: vote Stasi or your wife gets to hear".
Like all grandiose and lazy political schemes, it will cost a fortune, wont work, and will simply irritate people.
True - but there are people out there dumber than the politicians.
The average child murderer or terrorist bomber does seem incapable of emptying (much less wiping) their Internet browsing history and cache - let alone fathom VPNs, anonymous proxies, MAC obfuscation etc.
This does give the illusion that a mega-log of everything an ISP sees could be trawled for suspicious activity.
"The average child murderer or terrorist bomber that actually gets caught does seem incapable of emptying (much less wiping) their Internet browsing history and cache - let alone fathom VPNs, anonymous proxies, MAC obfuscation etc."
Fixed.
(Although, I accept your point; there aren't that many unsolved bombings / child murders.)
"(Although, I accept your point; there aren't that many unsolved bombings / child murders.)"
It seems that a lot (most?) intelligence led "terrorist" arrests seem to end up without any terrorist offence to prosecute. Others have been prosecuted for having accessed freely available material that was once the knowledge of any half-intelligent schoolboy.
There was that raid where a man was accidentally shot. Eventually the Police said that even though they hadn't found any evidence for a terrorist charge - there were other offences. The major one specifically being kiddie pr0n. Finally they had to admit the latter was one alleged thumbnail in a cache - insufficient for any charge.
This post has been deleted by its author
BT are running tests on carrier-grade NAT so one IP address will support many users simultaneously, making it much harder to match subscribers (let alone users) to online activity.
Unfortunately, this will also break many of the interesting things you might want to do online.
What's so hard?
BT have a record of which customer was getting which packet, BT are more than happy to help the government by handing over any data , with or without a warrant.
A more serious IP problem is that it doesn't uniquely record which site you visited. Your machine access 100.200.100.200 to download a thumbnail from an advertiser on el'reg. That server also hosts the Grimethorpe Ferret Lovers secret photo archive - so the fair and wise ms May has a recordt hat you accesssed a site showing images of under-age ferrets
Most (httpd)server logging assume that the IP address the request came from is enough to track its owner. With NATs the (httpd)server also has to log the TCP Port number.
With the Port number and time, then the NATs logs (in theory) can be checked to see which customer (unless that is also a NAT; say an open wifi) the request came from.
A great many NAT systems don't provide that sort of logging and the logs would be horrendous in volume anyway. Each socket you open would need to be separately logged. Then there would be the issue of stacked NAT. You'd need to correlate the logs of each level to get a fix.
So are they going to enact legislation that bans NAT systems that don't automatically log each translation?
I run quite a few connections where we stick a Linux box at the front end and it'll do all the NAT you want, but adding a couple of lines to your iptables config ain't going produce logs of what packets originate from which of your internal addresses. Then there is the matter of identifying the internal addresses. My youngest managed to find out how to change the MAC address on his phone at the age of ten, in a vain attempt to get around his "bedtime WiFi blocking" (hopefully he's not reading this) but if he'd chosen to spoof to the MAC address of another device in the house he'd have probably succeeded.
I'm afraid the boy Clegg hasn't got a clue about what he's talking about. He's in the normal politician's state of mind where he is only hearing what he wants to hear. Add to that the fact he's surrounded by people who only get paid if they tell him what he wants to hear and we end up at the mess they usually leave us in.
"With the Port number and time, then the NATs logs (in theory) can be checked to see which customer (unless that is also a NAT; say an open wifi) the request came from."
A browser instance usually makes four TCP connections in parallel. In the old days each connection was discarded after downloading an HTML element - and a new one was opened for the next element. Modern HTTP keeps the TCP connections open for longer.
These are usually closed when: a new page URL is accessed; the connection has been idle for a couple of minutes; a busy HTTP server/proxy decides it doesn't want a potentially idle connection once the element request is fulfilled.
In practice that means any particular NAT source port is only assigned to a particular end user for a very short time. A source port number has to be put back into the active pool quite quickly given the fast turnover of a large ISP's NAT connections.
There are only a maximum of 65k+ source port numbers. So the NAT TCP stack implementation has either to have one global pool of source port numbers shared by all connections - or several pools differentiated with some additional connection criteria.
I was contacted by our local police force to assist with the identification of stolen equipment. One of their senior bods had heard that you could trace machines via IP address and wanted me to let them know how they could match up devices (PS3s, Xboxs and phones) with IPs so they could return them to the owner.
I told them that they each device would have a MAC address that was unique (I didn't go into spoofing) but that the IP would change depending upon which network it was connected to. They could cross reference the MAC address against information ISPs help about which MAC address had been assigned which IP address. The police were adamant that this wasn't the case and that the IP was the only piece of information they needed to identify the device.
I tried to explain that the laptop I was emailing them on was picking up xxx.xxx.xxx.xxx at work but it picked up yyy.yyy.yyy.yyy when I was at home and zzz.zzz.zzz.zzz when I was connected to a different network. I gave them a brief overview of DHCP and DNS and they were still fixated on IPs and IPs alone as the single identifying factor.
I advised them to contact their IT department to corroborate what I had told them and to get back to me if they wanted further clarification. They never got back to me.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
