• A Practical Demonstration of what IPB will allow

    There have been numerous write-ups of the threat that the Draft Investigatory Powers Bill poses to our privacy and security.

    The intention of this post is not simply to repeat those, but to provide a practical demonstration of exactly the kind of information that the proposed powers would compel your Internet Service Provider (ISP) to record.

    As well as demonstrating what an ISP would soon be collecting (and how simple it is to extract), we'll look at the issues the IPB presents in the context of the information we've extracted.

    As the IPB isn't explicit about exactly what it allows, especially in terms of techniques, I've made some assumptions (though I believe they're fair and reasonable).

    Most of the results were exactly what I expected, but I think describing them explicitly is probably more helpful than not. To that end, I've tried to keep the language as accessible as possible, as those who understand how things work at the network level are unlikely to find much here that surprises them.

  • Android: Protecting your network data from local snooping

    There's been a lot of news of late about the likes of the NSA and GCHQ passively listening to Internet traffic. The steps in this post won't protect you from such a well-resourced attacker, but will prevent others on open wifi networks, and your mobile data provider, from looking at the content of your phone's network traffic.

    A good example of the data that can easily be collected can be seen in this recent Ars Technica post.

    In this post, we'll be configuring an Android phone to conditionally connect to an OpenVPN server, dependent on whether it's associated with a specific WLAN.

  • Cookies: Taking Transparency a Step Further

    Contrary to the belief of some, the EU E-Privacy Directive was never about stopping cookies. It was always about raising awareness of what they are, which ones are set and how they can be misused. It was, and still is, a cause of annoyance for many - especially as only four member states have currently adopted the provisions.

    Whilst I don't think the implementation was correct, the underlying principle is sound - we should be ensuring users are aware of what data we're storing in their browser and how it's used. Most sites, in my opinion, don't go nearly far enough to achieve this, instead just scraping by on the minimum standard.

    In this post, we'll be exploring what I think we're doing wrong, and what we should be aiming for.

  • David Cameron: Idiot, Dangerous or just a lover of soundbites?

    We've heard Theresa May parroting the same lines for months, but in the wake of the Charlie Hebdo massacre, David Cameron has joined the choir of people calling for new surveillance powers.

    Mr Cameron has stated that if the Conservatives are re-elected, he will ensure that there is no form of communication that cannot be intercepted by the government.

    So, one of the questions we'll be examining in this post is: is David Cameron

    1. An idiot who doesn't understand the technology he's talking about
    2. Demonstrating that pre-election promises are inevitably broken
    3. Planning on introducing a draconian surveillance state
    4. Being mis-informed by other parties
    5. Simply creating sound-bites to raise the chances of re-election

    Most of the coverage thus far has focused on option 3 - which seems fair given that it's the inevitable result of actually attempting to do what he is claiming.

    We'll also be taking a look at why option 3 could not, and should not, happen.

  • Don't Use Web2Tor/Tor2Web (especially Onion.cab)

    Web2Tor and Tor2Web are reverse proxies which allow clearnet users to access Tor Onion Sites (AKA Hidden Services), and there are a variety of services available online (such as onion.to, onion.cab, onion.city and onion direct) running this service.

    This post details why using these is such a bad idea, as well as some of the changes I'm making to the site to help discourage their use.
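    One concrete way a site can spot requests arriving through such a proxy and refuse to serve them, written here as an added example rather than the change the post describes: the tor2web software marks forwarded requests with an X-Tor2web request header (I'm relying on that header name as an assumption), and a proxy that passes its own hostname through can be matched on the Host suffix. The onion and clearnet hostnames, the suffix list and the WSGI middleware below are mine, not the site's own configuration.

```python
"""Refuse requests that reach a hidden service via a Tor2Web-style proxy.

Added example: the header name, suffix list and hostnames are my assumptions,
not the site's configuration. A hidden service only ever sees the proxy as its
client, so detection has to rely on what the proxy leaves in the request.
"""
from typing import Optional

# Hypothetical onion and clearnet names for a multi-homed site.
OUR_HOSTS = {"example.onion", "www.example.com"}

# Hostname suffixes of the proxy services named in the post; extend this list
# as new proxies appear (which hostnames each answers on is my assumption).
PROXY_SUFFIXES = (".onion.to", ".onion.cab", ".onion.city")

# Header the tor2web software adds to forwarded requests (assumed name).
PROXY_HEADER = "x-tor2web"


def tor2web_reason(headers: dict) -> Optional[str]:
    """Return why a request looks proxied, or None if it looks direct.

    Header names are compared case-insensitively and Host may carry a port.
    """
    lowered = {key.lower(): value for key, value in headers.items()}
    if PROXY_HEADER in lowered:
        return f"{PROXY_HEADER} header present"
    host = lowered.get("host", "").lower().split(":", 1)[0].rstrip(".")
    if host.endswith(PROXY_SUFFIXES):
        return f"Host {host} belongs to a known proxy"
    return None


def _headers_from_environ(environ: dict) -> dict:
    """Recover request headers from a WSGI environ (HTTP_X_Y -> x-y)."""
    return {
        key[5:].replace("_", "-").lower(): value
        for key, value in environ.items()
        if key.startswith("HTTP_")
    }


def block_tor2web(app):
    """WSGI middleware: answer 403 with an explanation instead of the page."""
    def middleware(environ, start_response):
        reason = tor2web_reason(_headers_from_environ(environ))
        if reason is None:
            return app(environ, start_response)
        body = (
            "This site is not served through Tor2Web proxies "
            f"(detected: {reason}). Use the Tor Browser and the .onion address directly.\n"
        ).encode("utf-8")
        start_response("403 Forbidden", [
            ("Content-Type", "text/plain; charset=utf-8"),
            ("Content-Length", str(len(body))),
        ])
        return [body]
    return middleware


def site(environ, start_response):
    """Stand-in for the real application behind the middleware."""
    start_response("200 OK", [("Content-Type", "text/plain; charset=utf-8")])
    return [b"hello from the hidden service\n"]


protected = block_tor2web(site)


def respond(app, environ: dict) -> tuple:
    """Invoke a WSGI app without a server; returns (status line, body bytes)."""
    captured = {}

    def start_response(status, response_headers, exc_info=None):
        captured["status"] = status

    body = b"".join(app(environ, start_response))
    return captured["status"], body


if __name__ == "__main__":
    # Constructed requests: one direct, one via a proxy hostname, one flagged by header.
    for environ in ({"REQUEST_METHOD": "GET", "HTTP_HOST": "example.onion"},
                    {"REQUEST_METHOD": "GET", "HTTP_HOST": "abcdef.onion.cab"},
                    {"REQUEST_METHOD": "GET", "HTTP_HOST": "example.onion", "HTTP_X_TOR2WEB": "1"}):
        print(environ["HTTP_HOST"], "->", respond(protected, environ)[0])
```

    Neither signal is proof: a proxy operator can strip the header and rewrite Host, which is exactly why the post's advice is to not use these services rather than to trust the site to catch them. The middleware is a courtesy to visitors who don't realise they've arrived through one.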

  • It's funny how times change

    Over the past few days, I've been going over the old Benscomputer.no-ip.org archives and have republished some of the content.

    What's struck me as funny though, is how times change, but a lot of the issues remain exactly the same.

  • mod_yourData

    mod_yourData is a Joomla! module allowing you to show site visitors exactly what data your site is storing within their browser. It includes support for Cookies, Session Storage Objects and Local Storage Objects. Given ever-increasing awareness of Privacy online, it's important that sites are as transparent as possible.

    The ideal use of this module would be to assign it to a custom position and then include with your site's Privacy statement using Joomla's LoadPosition plugin.

    This page is the user documentation for the module, you can also view the Demo here

  • Multi-homing a Joomla site between the WWW and a Tor Hidden Service

    I did some work recently on making BenTasker.co.uk available via both a Tor Hidden Service (otherwise known as a .onion) and via the WWW.

    The reasons for doing this are published elsewhere, but this documentation summarises the steps I had to take (and why) in order to have the site safely accessible via both routes of access.

    For those who are interested, there's a far higher level of detail over on Projects.bentasker.co.uk.

  • PGP Encrypted Text Chat Via DNS

    In a recent post, I alluded to having given a little bit of thought to ways in which clandestine communications could be achieved.

    Having given a little more thought to the idea, I was unable to resist the temptation to build a small proof of concept - if only to see whether there were any obstacles that I hadn't considered.

    This post is the documentation for DNSChat - a small proof of concept enabling PGP encrypted text chat using DNS queries as a transport mechanism.
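    As an added illustration of the transport side of that idea (my own example, not DNSChat's code or wire format): an opaque ciphertext, standing in for PGP output, is split into base32 labels that fit within DNS name limits, each chunk becomes a query for a name under a domain whose authoritative server the recipient controls (`chat.example.com`, hypothetical), and the recipient reassembles the ciphertext from the query names that reach that server. The name layout and chunk sizes are my assumptions.

```python
"""Carry an opaque ciphertext over DNS query names and reassemble it.

Added example, not DNSChat's own code or wire format. The domain, the name
layout and the chunk sizes are my assumptions. The recipient is assumed to run
the authoritative server for DOMAIN and to read query names from its logs.
"""
from __future__ import annotations

import base64
import hashlib
import re
from typing import Optional

DOMAIN = "chat.example.com"  # hypothetical; the recipient controls its name server
CHUNK_BYTES = 75             # 75 bytes -> exactly 120 base32 chars, no padding
LABEL_CHARS = 60             # stay under the 63-octet label limit (RFC 1035)
MAX_NAME_LEN = 253           # practical limit for a full name in presentation form

_HEADER = re.compile(r"^s(\d+)t(\d+)$")  # s<seq>t<total>, never starts with a digit


def _b32(data: bytes) -> str:
    """Base32 uses only [a-z2-7] and is case-insensitive, so it survives DNS."""
    return base64.b32encode(data).decode("ascii").rstrip("=").lower()


def _unb32(text: str) -> bytes:
    text = text.upper()
    return base64.b32decode(text + "=" * (-len(text) % 8))


def encode_message(session: str, ciphertext: bytes, domain: str = DOMAIN) -> list[str]:
    """Split ciphertext into query names: s<seq>t<total>.<label>[.<label>].<session>.<domain>

    The ciphertext is whatever PGP produced; nothing here looks inside it.
    """
    chunks = [ciphertext[i:i + CHUNK_BYTES] for i in range(0, len(ciphertext), CHUNK_BYTES)]
    names = []
    for seq, chunk in enumerate(chunks):
        text = _b32(chunk)
        labels = [text[i:i + LABEL_CHARS] for i in range(0, len(text), LABEL_CHARS)]
        name = ".".join([f"s{seq}t{len(chunks)}", *labels, session, domain])
        # An over-long name is refused or mangled by resolvers, so fail loudly
        # here rather than silently lose part of the message.
        if len(name) > MAX_NAME_LEN or any(len(label) > 63 for label in name.split(".")):
            raise ValueError(f"query name exceeds DNS limits: {name}")
        names.append(name)
    return names


def decode_queries(session: str, queries: list[str], domain: str = DOMAIN) -> Optional[bytes]:
    """Reassemble the ciphertext from query names seen at the authoritative server.

    Tolerates unrelated names, duplicates (resolvers retry), arrival out of
    order, and case changes (some resolvers randomise case). Returns None
    until every chunk has arrived.
    """
    suffix = f".{session}.{domain}".lower()
    parts: dict[int, str] = {}
    total: Optional[int] = None
    for query in queries:
        query = query.lower().rstrip(".")
        if not query.endswith(suffix):
            continue
        labels = query[:-len(suffix)].split(".")
        match = _HEADER.match(labels[0])
        if not match:
            continue
        seq, declared = int(match.group(1)), int(match.group(2))
        if total is None:
            total = declared
        if declared != total or seq >= total:
            continue  # a different message, or malformed
        parts[seq] = "".join(labels[1:])
    if total is None or len(parts) != total:
        return None
    return _unb32("".join(parts[i] for i in range(total)))


if __name__ == "__main__":
    # Constructed stand-in for PGP output: 160 opaque bytes.
    ciphertext = hashlib.sha256(b"constructed stand-in for a PGP message").digest() * 5
    names = encode_message("demo", ciphertext)
    for name in names:
        print(name)
    print("recovered intact:", decode_queries("demo", names) == ciphertext)
```

    Every query name passes through whichever resolvers sit between the two parties, so the fact that a conversation is happening, and its rough size, is visible to them; only the content is protected, and only as well as the PGP layer protects it. The sequence header exists because recursive resolvers retry, cache and reorder queries, so the receiving side cannot assume they arrive once or in order.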

  • Republished: A bit of info on the Phorm Debacle

    Originally published on Benscomputer.no-ip.org 5 Mar 2008

    The tech news pages are alive with the news that BT, Virgin Media and Talk Talk are planning to sell their customers' browsing information to a company named Phorm.

    BT claims that the new 'service', Webwise, is intended to improve the browsing safety of its users. It includes a list of phishing sites, and warns users when they attempt to connect to one of the listed sites. Newsflash for you guys: FIREFOX ALREADY HAS THIS FUNCTIONALITY. It's nothing new, and of no real benefit if you already have a browser that does this. It's also not a lot of use if you are already wary of emails from institutions that ask for personal details.
    Unfortunately WebWise also sends your browsing history (and a copy of everything you send/download on unsecured connections) to Phorm's servers, where they will profile it and effectively mangle some of the pages you download to include adverts that they believe may interest you.
    This mangling will only happen on pages that run adverts from Phorm, so not every site will be affected.

  • Republished: A look at BT's Trial Documentation

    Originally published on Benscomputer.no-ip.org 14 June 2009

    Now, it can hardly have escaped anyone's attention that BT ran some very questionable trials of Phorm's system. It's been on BBC News, as well as many other sources, including the Government's refusal to take action. This has led to the EU intervening on our behalf, not that much has happened from that so far.

    But most of the media has focused on the RIPA element of it, that is to say the illegal interception of the users' traffic. Having read the leaked test documentation (have a look on WikiLeaks), I'd say that there's another element to it that appears to have gone largely unnoticed.

    The original trial involved injecting Javascript into each and every page the user visited (with some unfortunate results on forums), and based on the test documentation, even users who were opted out (not that they were given the opportunity in the trials) would find JavaScript being run on every page.

  • Republished: A quick look at Webwise Discover

    Originally published on Benscomputer.no-ip.org 06 June 2009

    Well, as I posted in the News links yesterday, Phorm have launched a service called Webwise Discover. It appears that this is largely a front end, allowing the user to further 'benefit' from having Phorm follow them around the internet.

    But let's take a quick look at it.

  • Republished: A suggestion for BT

    Originally published on Benscomputer.no-ip.org on 27 October 2008

    Given that BT claim to be creating a network level opt-out from Phorm, I thought I would give them a bit of a helping hand. They claim that although it will be implemented, it's unlikely to be in place by the time the WebWise system is rolled out.

  • Republished: BT Finally See Sense

    Originally published on Benscomputer.no-ip.org 18 March 2008

    There have been murmurs online that BT are planning to do the same as Carphone Warehouse and make a few changes to the Phorm system, by creating a virtual wall between people who haven't opted in and the profiling hardware. They also intend to do away with the cookie 'opt-out' and create something more in line with the law. I sent BT an email a few days ago asking a variety of questions about the system (I'm on BT and don't like the system one bit) and got the following as a reply.

  • Republished: No Phoul Play Involved - Good Phorm by BadPhorm

    Originally published on Benscomputer.no-ip.org 5 May 2009

    A question posed on the StopPhoulPlay blog;

    The more interesting question is this: if the Home Office and the many expert legal advisors we consulted are wrong, how is it that a system such as GMail - which scans emails from non-account holders without their consent to GMail users - is not also an 'interception' and as such not also a prime target of their campaign?

    Unlike Gmail's webmail service, which is perfectly legal, Phorm's system is fully anonymous, does not look at email and does not store personal information such as IP addresses. Surely if FIPR/ORG is genuinely interested in a fair debate and the application of law as it sees it, the question merits a response?

  • Republished: Nobody wants Phorm checking their data

    Originally published on Benscomputer.no-ip.org on 12 March 2008

    The ISPs may not believe that no-one wants Phorm intercepting their traffic, but Phorm's share price certainly seems to have taken a hit since the plans were made public. Someone out there certainly recognises that most people are not going to want this so-called service.

    Perhaps this may help motivate the ISPs to fulfil their customers' needs rather than chasing the elusive golden penny.

    On the plus side, Carphone Warehouse are looking at building a 'wall' between customers that opt out and Phorm's hardware, so this is a step in the right direction at least. The others may soon follow suit, though comments on the net suggest that these three ISPs have already lost quite a good portion of customers.
    BT are pushing their luck with me: I've sent them two e-mails about this, had one reply that was completely irrelevant to my original communication, and no reply since. I'm giving them the benefit of the doubt for now, as there are presumably internal talks happening about the Phorm issue, but they only have so long before I decide to change ISP.

  • Republished: NoIP.com rejects Phorm

    Originally published on Benscomputer.no-ip.org 26 March 2009

    I've been having a conversation with NoIP.com recently (they provide the DNS redirect for Benscomputer.no-ip.org) about Phorm and the Webwise system. Although I completely disagree with Phorm's system being opt-out, I also do not want to help them monetize their customers' browsing behaviour.

    So, some time back I sent an e-mail to their website exclusion list, stating that I did not give permission for them to scrape my site for their own benefit. I received a reply effectively stating that as the WHOIS query for the domain (no-ip.org) does not match my details, the request was being viewed as unauthorised and would not be actioned.

  • Republished: Phorm launches the InPhorm Newsletter

    Originally published on Benscomputer.no-ip.org 29 June 2009

    In a casual spare moment I clicked onto Phorm's website, and once I got past the vomit-evoking mess that is the Webwise Discover advert page, I noticed that there has been a bit of a shake-up since I last visited.

  • Republished: Phorm your own opinions

    Originally published on Benscomputer.no-ip.org on 06 October 2008

    It has been revealed today that BT consider it the account holder's responsibility to explain Webwise to all users of their connection. BT have revealed in their revised terms and conditions that they can accept no responsibility if users of a connection are not kept informed about Webwise by the account holder.

  • Republished: Phorm, PR Master or PR Disaster

    Originally published on Benscomputer.no-ip.org 14 June 2009

    About a week ago, I wrote about Webwise Discover, Phorm's new 'service'. At the time I questioned just how Phorm's survey managed to find such a large proportion of respondents interested in their service; to me it seemed that these users had not been fully informed before being asked.

    It now appears that I was correct. Over at the PC Pro forums (thanks for the tip, Peter) there's a post by a user called Jonaba, who claims he was one of the respondents. He claims that at no point was Deep Packet Inspection mentioned, and in fact the actual purpose of the technology was so well hidden that it took him a couple of minutes to even clock what the survey was about.