The Internet is Simple, Part Four

El Cnutador, Going Postal

The UK, of course, ever keen to gild the lily and gold plate the restrictions that everyone else was putting on the internet, began blocking torrent sites like The Pirate Bay under court orders obtained by the music industry, with BT implementing its blocks through the Cleanfeed system. It is interesting to read what Wikipedia says the purpose of Cleanfeed is (to block access to illegal pictures of children) and what its use has since been extended to. Cleanfeed itself does not work at the DNS level: it is a two-stage filter in which routes for IP addresses on the blocklist are diverted to a proxy, and the proxy compares the full URL against the list so that only matching pages are refused. Some other ISPs implement their court-ordered blocks more crudely, by putting an "incorrect" DNS answer in the resolvers at the internet on ramp, so you are redirected to a "page not available" website or receive no response at all, which is why changing your DNS resolver sometimes gets round them. Either way, I would lay dollars to doughnuts that each blocked request is specially logged on a government controlled computer somewhere. The UK's internet access is among the most censored anywhere; I strongly advise you to read this writeup.

Our mainstream media has often been complicit in this censorship and control, publicising how the latest Act of Parliament strengthens the protection of our children while ignoring how the media themselves sometimes benefit from filesharing being blocked: many firms in the news business also have film and music arms that are harmed by filesharing. Very little is made of how free speech is curtailed by the restrictions the UK government has introduced, so very few people are aware of how extensively we are monitored.

If you read one single link from this article, make sure it is this one. Part III of RIPA 2000 allows the authorities to demand that you hand over the encryption key or password to protected information; failing to comply is a crime in itself, and the burden is on you to show that you no longer have the key, so "I've forgotten the password" is no safe answer. No matter how strong the encryption, you must surrender the password on demand if you have protected files on your computer. To this end, TrueCrypt added what it calls Plausible Deniability to its disk encryption product: a hidden volume inside an ordinary encrypted volume. Hand over the outer password and the outer volume opens, showing whatever decoy files you chose to put there; the hidden volume lives in what looks like the outer volume's free space, is reachable only with a second password, and without that password it is indistinguishable from the random data that fills any unused part of an encrypted volume. (TrueCrypt is no longer maintained; its successor VeraCrypt keeps the same feature.)

Widely hailed in the media as a child protection and anti-terrorism measure (and who doesn't want to stop the abuse of children or prevent people being blown up?), RIPA's surveillance powers were soon being used by local councils against such threats to society as people walking their dogs or feeding pigeons.

Further snooping acts widen the indiscriminate surveillance, in particular the recently passed Investigatory Powers Act 2016. It provides for bulk interception of content under warrant and for the retention of metadata (who communicated with whom, when and from where) for both targeted and mass surveillance. The Act puts the onus on ISPs and mobile phone companies to keep "Internet Connection Records" of your Internet connections for up to a year; the police, and a long list of other public bodies, can get at these with an internal authorisation rather than a warrant. This is in addition to GCHQ's Tempora programme, which got so much attention when the Snowden leaks broke.

I believe the information that the ISPs have to keep will include the DNS lookups you make, at least while you use the ISP's own resolvers, and in any case the addresses you connect to. Bear in mind that the ISP already knows the MAC address of your router or modem and the phone line (or account) you are connecting from, so it can identify you uniquely. It holds the DHCP records, so it knows which IP address you were assigned for a given session, and it can map that onto every DNS lookup you made while you held that address, et voilà, your browsing history is tied to you. The ISPs have to make this available to the authorities, so your browsing history is not as private as you may think. HTTPS goes some way to keeping your information secure: it hides the pages and their content, but the destination address, and usually the server name sent in the clear at the start of the TLS handshake, remain visible to whoever is watching the line. By design the Internet is open; it is only by legal constructs imposed on the technology that any limits are enforced.

It is the drift of the way that the legislation is used – no one can argue that suppressing child abuse images and videos or terrorist training manuals is a bad thing, however when the legislation is used in the disproportionate way it has been, privacy advocates become concerned.

One way to keep your browsing activity private is to use a Virtual Private Network, or VPN. VPNs were originally designed for people working from home and for extending local area networks into a wide area network. For example, your office in Birmingham will have a LAN for the computers in that building, as will your Glasgow office, and the two can talk to each other across the WAN. Previously this would have been done only over an expensive leased line, a direct, private connection between the offices. A VPN-based WAN connection between the two is much cheaper, although it might not be as fast at transferring data. Similarly, before VPNs a company had to run a bank of modems for staff to dial into directly in order to provide remote access to the corporate network.

VPNs sit on top of the Internet Protocol. The older ones relied on Point-to-Point Tunnelling Protocol (PPTP) or Layer Two Tunnelling Protocol (L2TP), two flavours with the same aim; PPTP's encryption has long been broken and L2TP does no encryption of its own, so in practice it is paired with IPsec. Today's services mostly use OpenVPN, IKEv2/IPsec or WireGuard, but the shape of the thing is the same. It is very similar to the way HTTPS is negotiated: on the remote end there is a VPN server that manages the connection, and the result is said to be a VPN tunnel between the two machines. At the beginning of the connection, your computer and the VPN server have a little chat about how they are going to proceed. After the tunnel is established, data can be sent and received. When your computer sends your data, it encrypts the original packet and wraps it in a tunnel header plus a fresh outer header addressed to the VPN server, another layer on the onion skin. Your actual information sits encrypted in the core of the onion.

On the remote end, the VPN server strips off the tunnel header, decrypts your package and forwards your data to the target computer or website. Again, there is a public/private key handshake as in HTTPS, used to agree a fresh random session key that encrypts and decrypts your data for the life of the tunnel. To an outside observer, all that can be seen is that you have sent something to a VPN server, along with how much and when. As far as your computer is concerned, it still gets its IP address from your ISP's DHCP server, and that is what can be tracked back to you. DNS is the thing to watch: a properly configured client sends its lookups through the tunnel too, but if it does not, your ISP's resolver still sees every name you look up even though the rest of your traffic is hidden (the so-called "DNS leak"). The final destination and content of what you are sending and receiving remain private to you and the VPN company; everything specific to you is encrypted. There are a number of different ways a VPN can keep your data safe, but the basic principle is as just outlined. Your information is private unless the VPN company chooses to look: the server decrypts every packet as a matter of course before sending it on, so the provider needs no cracking to read your traffic, only the will to log it, and your connection details and what you were looking at can still be linked back to you after the event if the VPN server keeps such logs. As far as the internet is concerned, your entry point to the Internet is wherever the VPN company's server is. You can confirm this by going to a "what is my IP address" website; you will appear to be coming from your VPN's server location.
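To make the two points above concrete (the ISP joining DHCP leases to DNS and connection records to tie a browsing history to a phone line, and what changes when a VPN is in use with and without DNS going through the tunnel), here is a small added example. It is an illustration written for this page, not the author's code or any ISP's real system; the log formats, the customer IP addresses, the line numbers and the VPN server address 198.51.100.7 are all constructed for the example, and it assumes the customer's DNS queries go to the ISP's own resolver.

```python
"""ISP-side correlation: DHCP leases + DNS resolver log + connection records.

Added example, not from the original article. Every log line below is
constructed for illustration and the formats are assumed, not those of any
real ISP or product.
"""
from collections import defaultdict
from datetime import datetime

# DHCP events: <time> <ACK|RELEASE> <customer IP> <modem MAC> line=<phone line>
# Note 100.64.5.17 is handed to a second customer after the first releases it.
DHCP_LOG = """\
2017-03-01T08:00:00 ACK 100.64.5.17 00:11:22:33:44:55 line=0121-496-0000
2017-03-01T08:00:03 ACK 100.64.5.18 66:77:88:99:aa:bb line=0141-496-0000
2017-03-01T19:59:00 RELEASE 100.64.5.18 66:77:88:99:aa:bb line=0141-496-0000
2017-03-01T20:00:00 RELEASE 100.64.5.17 00:11:22:33:44:55 line=0121-496-0000
2017-03-01T20:00:05 ACK 100.64.5.17 66:77:88:99:aa:bb line=0141-496-0000
"""
# ISP resolver log: <time> <client IP> <queried name>
# The 21:10 query is a DNS leak: the second customer is on a VPN but still
# asks the ISP's resolver for names.
DNS_LOG = """\
2017-03-01T09:15:00 100.64.5.17 www.example.com
2017-03-01T09:15:01 100.64.5.17 torrents.example
2017-03-01T21:10:00 100.64.5.17 news.example.org
"""
# Connection records: <time> <src IP> <dst IP> <dst port>
FLOW_LOG = """\
2017-03-01T09:15:02 100.64.5.17 203.0.113.10 443
2017-03-01T21:05:00 100.64.5.17 198.51.100.7 1194
2017-03-01T21:10:01 100.64.5.17 198.51.100.7 1194
"""
VPN_SERVERS = {"198.51.100.7"}  # assumed address of the VPN provider's on ramp


def ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def parse_leases(text):
    """Turn DHCP events into (start, end, ip, line) intervals; end is None while open."""
    open_leases = {}  # ip -> (start, line)
    intervals = []
    for raw in text.splitlines():
        when, event, ip, _mac, line = raw.split()
        line = line.split("=", 1)[1]
        t = ts(when)
        if ip in open_leases:  # any new event for this IP closes the previous holder
            start, holder = open_leases.pop(ip)
            intervals.append((start, t, ip, holder))
        if event == "ACK":
            open_leases[ip] = (t, line)
    for ip, (start, holder) in open_leases.items():
        intervals.append((start, None, ip, holder))
    return intervals


def who_had(ip, t, leases):
    """The phone line holding `ip` at time t, or None if no lease covers it."""
    for start, end, lease_ip, line in leases:
        if lease_ip == ip and start <= t and (end is None or t < end):
            return line
    return None


def build_history(dhcp, dns, flows):
    """Join DNS and flow records onto whichever line held the source IP at that moment."""
    leases = parse_leases(dhcp)
    history = defaultdict(list)
    for raw in dns.splitlines():
        when, ip, name = raw.split()
        history[who_had(ip, ts(when), leases)].append((when, "dns", name))
    for raw in flows.splitlines():
        when, src, dst, port = raw.split()
        history[who_had(src, ts(when), leases)].append((when, "flow", f"{dst}:{port}"))
    for records in history.values():
        records.sort()
    return dict(history)


def dns_leaks(history, vpn_servers):
    """Lines whose connections all go to a VPN server yet still query the ISP resolver."""
    leaking = set()
    for line, records in history.items():
        flows = [v for _, kind, v in records if kind == "flow"]
        names = [v for _, kind, v in records if kind == "dns"]
        if flows and names and all(v.split(":")[0] in vpn_servers for v in flows):
            leaking.add(line)
    return leaking


if __name__ == "__main__":
    hist = build_history(DHCP_LOG, DNS_LOG, FLOW_LOG)
    for line, records in sorted(hist.items(), key=lambda kv: str(kv[0])):
        print(line)
        for when, kind, value in records:
            print(f"  {when} {kind:4} {value}")
    print("DNS leaking past the VPN:", dns_leaks(hist, VPN_SERVERS))
```

The time-window join is the important bit: the same IP address belongs to two different customers on the same day, so a log entry only identifies someone when it is matched against the lease that was live at that instant. The first line's whole session is laid bare; the second line shows nothing but traffic to the VPN server, except that the leaked lookup for news.example.org gives the game away anyway.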

Most VPNs pride themselves on not keeping logs, although UK-based providers may be required to under the retention powers above. It is nigh on impossible to accurately investigate your activity after the fact if there are no logs, although the VPN company may be compelled to begin logging for a specific case if there is enough evidence of illegal activity. This depends on the laws governing where the VPN company and its servers are located. All this tunnelling and encryption is not without cost, though: you are limited on bandwidth by how fast the VPN's on ramp to the internet is, plus the cost of encrypting and decrypting the data. You are also adding a few more hops, so latency will suffer. You can chain one VPN through another, but unless the second is run by a different provider (so that neither one sees both who you are and where you are going) there is no real point, and the connection will really slow down.

It is not only the VPN server that can be compromised by outside agencies; your computer can have monitoring software installed unbeknownst to you, and anything sitting on your own machine sees your traffic before it is encrypted and after it is decrypted, so the tunnel protects nothing from it.

And that, in a nutshell (ha!) is how the internet works. It really is indeed “a series of tubes” – some protected from prying eyes, others wide open.

Surf safely.

© El Cnutador

More from El Cnutador here, including parts one to three.