British Government just passed the IPBill

[esme]

Just in case you hadn't heard the British Government just passed the IPBill

 

So fairly soon your ISP's will be required to log every site you visit in a log of your Internet Connection Records (ICR).

 

Sounds innocuous, just your browser history really, and you've got nothing to worry about as long as you steer clear of the t*rrorist & kiddie p*rn sites, or have you ?

 

Well yes you have.

 

At the moment the bad guys routinely break into advertising & 3rd party scripting sites to plant malware which gets downloaded to PC's, this malware does things like create botnets, encrypt your PC and tell you to call a number to pay to get it unencrypted or just spread a virus which downloads yet more crap, that sort of thing. Your virus scanner and antimalware software is designed to deal with this sort of thing and people are on the lookout for it so thankfully while it's dangerous and a pain in the arse, it's manageable. For example not long ago the BBC were serving infected adverts from 3rd party sites that had been compromised in this way.

 

I'll get to why I mentioned that in a minute.

 

Bear with me if you already know this.

 

When you visit a web page you effectively download a series of instructions for your browser which tell it how to render the page, but these instructions do much more.

 

They pull in images sometimes from 3rd party sites, they pull in scripts also sometimes from 3rd party sites, those scripts can pull in yet more content from yet more sites until eventually it's all on your PC, some of these continue while you're looking at the page and do so without you noticing.

 

This third party content is the stuff the bad guys tend to target when they plant their malware bombs.

 

These site accesses look just as if you'd sat and typed the address into your browser, it cannot be distinguished from the sites you know you visit, your browser is built to do this.

 

Every one of them is now going to be logged in an ICR that you know nothing about and cannot access.

 

So what I hear you say, it's all legal sites, nothing to worry about.

 

Except for the aforementioned bad guys, who now have another target, further it's a target you have no control over or access to, but it's very intimately yours.

 

Lets imagine the bad guys switch from planting malware to planting a small script section inside a commonly used script from one of these 3rd party sites. This script gets downloaded to your PC when you access a web page, say from the BBC.

 

Once on your PC the main script executes as normal and eventually hits the new code, this creates an element on the page with a "display:none;" style, this means no attempt is made to render the element, you can't tell that either the element or it's contents are there without looking at the generated source code for the page.

 

Then the script downloads some content from a t*rrorist or kiddie p*rn site & directs the output into this new hidden element, they can also pull in some content from their servers just so they can log your IP address and time of access so with a bit more work they can try and trace you with varying degrees of success, some people will be traced others not.

 

They don't have to do it this way, they can use a simple Ajax technique to read any available server content & dump it into a JavaScript variable, it never goes near the displayed page, but it still get's logged in your ICR log.

 

You know nothing about this, but your ICR now has references to t*rrorist and kiddie p*rn addresses in it, and the bad guys know your IP address and are using other methods to trace you.

 

Then after a few days the bad guys go back in & remove the evidence from the server, your ICR log still remains.

 

Then depending on how successful they are at tracing you there's an email or a phone call telling you someone planted t*rrorist and kiddie p*rn addresses in your ICR log and for a fee they won't call the police.

 

Some will pay, some won't, some will be found by the police anyway and as the only evidence will be the ICR log by this time and no one can affect that except by visiting sites, the police won't be interested in peoples protestations of ignorance of how those addresses got there, they will tear peoples lives apart looking for more evidence.

 

Or they don't, they just tip off the police with some IP addresses & contact times to create chaos.

 

The authorities may eventually figure out what is happening, but not before a lot of people have had their lives destroyed.

 

Before anyone tells me I'm telling the bad guys how to do their job, advertisers do this sort of thing all the time to preload & postload adverts, it's a well known technique, any javascript web developer can write a script to do this in under 5 minutes, probably with their eyes shut.

 

And as there's no attempt to download malware or exfiltrate data from your PC, no antimalware software will detect this, your browser is just doing what browsers do.

 

You can try disabling scripting, but a lot of sites just don't work if you do, plus there's nothing to stop the bad guys going after the main page and simply adding some HTML to do the same thing without a script, add a hidden iframe or an img with a source on some dodgy site, it's easier to compromise a script but you don't have to.

 

The British Government just destroyed the internet at the stroke of a pen.

Edited November 21, 2016 by esme

[tefdal]

Scary stuff. From the scenario you describe, I guess adblock would at least reduce the risk partly?

[esme]

Worth a try, but if a script is infected that doesn't relate to an advertising site you're still stuffed.

 

Unless you know the site doesn't use external scripts or images and is either served to you from read only media or monitored for changes 24/7 then any site you visit is a game of russian roulette.

 

I can't think of any sites like that.

 

I've been yelling about this since ICR's were first touted as a simple list of sites you visit with no mention of all the sites you don't know about being in there too and now it's law.

 

Soon your ISP will have to implement them, at your expense and then we can no longer trust any site we visit.

 

The only ways I can think of to avoid this are:

 

• Use a browser that has add ons and use an add on that prevents any access to sites which don't match the site in the address line, this will break the majority of sites & doesn't address emails with embedded web content.
  
• Use Tor or a VPN which might get around the ICR log but will flag you up to the security services who will then probably just launch an automated hack using zero day exploits, to target your machine with the new bulk hacking powers also included in IPBill, you may not get a 4 o'clock knock though providing they don't find anything interesting.

Edited November 21, 2016 by esme

[stumpy]

adblock wouldn't work, it would work on your end but your isp would still log the adverts going through there end.

 

same with the bad site block, blocked at your side, but it still would have passed through isp side to get to you, if it was blocked at isp end then you would get a website address not found error, or a dns not resolved error.

 

google.co.uk regularly throws up bad sites, usually some type of advertising site, you can see it trying to get to the site in the status bar, then giving up, but that searching would have been recorded at the isp end, cause you can see it in your browser.

Edited November 22, 2016 by stumpy

[jaxa]

There's all sorts of Internet traffic that does not consist of web browsing or DNS resolution, so I don't give much credit to this idea of automated hacking of machines using VPNs or other obfuscation. You'll have to do something more to get their attention. In the case of Tor, connecting to one of their nodes perhaps.

 

ISPs logging the browser history just allows low-hanging fruit to be picked by law enforcement. And there will be a nice crop.

[stumpy]

most of the bad stuff is now on the dark web, and unless you know how to get there, logging where you go, on the non dark web will not gather much fruit.

[esme]

With the attack I outlined in the first post, you don't need to know anything about the dark web, the script can download anything from any available site, including those which are only available by an IP address, you can build in any handshake you like onto the script to get deeper into the site or you could just make repeated accesses to the home page, as the ICR only contains the url of the site & not which page you're accessing.

 

The only protection is to prevent your browser requesting information from these sites in the first place

 

As for a VPN not flagging you up to the security services you need to create a tunnel to a server which is outside the UK's jurisdiction otherwise they know both ends of the tunnel and simply go to the other end with a warrant to see your traffic, and even now all internet traffic that crosses the border is monitored, encrypted traffic is immediately suspicious, they would know your IP & the IP of the site your going to, and their bulk hacking authority lets them launch whatever they like at your machine. Tor is a little more difficult to spot but by adding sufficient relays they could identify a significant portion of the network and again attack each one.

 

In their eyes the guys using VPN's & Tor will be the people trying to avoid the ICR log, and that will make them valid targets

 

If everyone used VPN's & Tor they'd have a much harder job, but only a small percentage of traffic uses them

Edited November 22, 2016 by esme

[demagogue]

Orwell wept.

[AluminumHaste]

Yes scary indeed, it's why I run with Firefox with NoScript (javascript whitelist) and uBlock Origin (ad blocker) on at all times.

The javascript blocker is great, takes some getting used to though.

[AluminumHaste]

Also try anontab

[esme]

VPN providers are gearing up their services

http://www.bbc.co.uk/news/technology-38068078 - 23 November 2016

 

The other suggested alternative is Tor

[V-Man339]

most of the bad stuff is now on the dark web, and unless you know how to get there, logging where you go, on the non dark web will not gather much fruit.

 

This is why I hold to the mindset that this is an absolute waste of taxpayer money.

 

Orwell wept.

 

Agreed.

 

VPN providers are gearing up their services

 

http://www.bbc.co.uk/news/technology-38068078 - 23 November 2016

 

The other suggested alternative is Tor

 

Proving my above point.

All this does is further open legitimate and legal citizens to inconvenience as esme has pointed out while doing absolutely nothing to stop anybody even remotely intelligent interested in illegal activities.

This is just going to chill communication on the internet, which is getting to be quite old.

[esme]

I don't hold out much hope for this but there's a petition you can sign

Repeal the new Surveillance laws (Investigatory Powers Act)

 

118988 signatures so far, every little helps

 

Hopefully 4chan aren't going to fuck with this one, probably another forlorn hope

Edited November 28, 2016 by esme

[Bikerdude]

Signed.

[esme]

And ignored https://petition.parliament.uk/petitions/173199?reveal_response=yes

The Bill was subject to unprecedented scrutiny prior to and during its passage.
The Bill responded to three independent reports: by David Anderson QC, the Independent Reviewer of Terrorism Legislation; by the Royal United Services Institute’s Independent Surveillance Review Panel; and by the Intelligence and Security Committee of Parliament. All three of those authoritative independent reports agreed a new law was needed.

And David Anderson QC specifically said not to use ICR logs

 

Next up, the government has legislated free unicorns for everyone, they have no idea how these unicorns will be located but everyone will have one by the end of the month because that's the law

 

Why do we keep electing morons ?

[esme]

And just to rub our noses in it, despite the petition having 155006 signatures they aren't going to debate it

 

 

Dear XXXXXXXXXXXXXXX,

The Petitions Committee decided not to debate the petition you signed – “Repeal the new Surveillance laws (Investigatory Powers Act)”

The Petitions Committee has decided not to schedule a debate on this petition. When it decides which petitions should be debated, the Committee looks at whether the subject has recently been debated by the House of Commons.

The Investigatory Powers Bill was debated on many occasions in Parliament before it became law. You can read all the debates here:

http://services.parliament.uk/bills/2015-16/investigatorypowers/stages.html

Before it was introduced into Parliament, the Bill was investigated by a Committee of MPs and Members of the House of Lords, who heard evidence and produced a report with recommendations about the Bill. You can find out about the work of that Committee here:

https://www.parliament.uk/business/committees/committees-a-z/joint-select/draft-investigatory-powers-bill/

The petition: https://petition.parliament.uk/petitions/173199

Find out more about the Petitions Committee: https://petition.parliament.uk/help#petitions-committee

Thanks,
The Petitions team
UK Government and Parliament

 

So much for we'll debate petitions with over 100000 signatures, and more get back to work you plebeian rabble we're in charge

 

Worth a try I suppose