Forensics and terrorism

Tomorrow I’ll be at Parliament giving evidence to the Home Affairs Committee, who are considering a request from the police to be able to hold terrorism suspects for ninety days without charge, so as to be able to examine seized computers properly. My written evidence to them is here.

The police are short of forensic capability, sure; and that’s going to get worse until they get their act together. But they’re also short of interpreters. I don’t think they’d dream of asking for increased detention powers just because not enough coppers speak Somali. Parliament would just tell them to hire interpreters from commercial agencies. Why do people get away with such poor policy arguments when computers are involved?

EarthLink has just 31 challenge-response CAPTCHAs

EarthLink, the US ISP, provides its users with a number of spam blocking and filtering systems. One of these systems, deployed since 2003 or so, is called “Suspect Email Blocking” and is one of those tedious and ineffective “Challenge-Response” systems. They might have made sense once, but now they just send out their challenges to the third parties whose identity has been stolen by the spammers.

Since the spammers have been stealing my identity a LOT recently — and since EarthLink is failing to detect their emails as spam — I have received several hundred of these Challenge-Response emails 🙁 Effectively, EarthLink customers are dumping their spam filtering costs onto me.

Well I’m now mad as hell and not going to take it any more. So I’ve been responding to these challenges, and whenever possible I’ve been sending along a message that indicates the practical effect of the system. Of course this will mean that the spam will be delivered (and the forged email address will be whitelisted in future) which is hardly what is desired! Since this should be quite noticeable, if everyone was to spend a few minutes each day responding to the challenges then Challenge-Response systems would die out overnight! So please join in!!

However, responding is rather tedious (the idea, after all, is that the spammers won’t be able to afford to do it — though in practice they would be able to keep sending their more profitable spam by using labour from the Third World). To avoid this tedium I’ve been working on the automation of my responses. However, the EarthLink web page on which you respond contains a visual CAPTCHA — specifically so as to prevent automatic responses to the challenges. Nevertheless, I got a lot slicker at answering the questions when I wrote some Perl and put up a little Tk widget to collect the answer to the CAPTCHAs.

[Image: Tk widget for EarthLink CAPTCHAs]

The idea was to move on to some fancy image processing since there’s been a lot of success at this (see here and here for starters)… However, that won’t be necessary. It turns out, nearly 300 challenges later, that EarthLink only have 31 CAPTCHAs in total… although since some turn up a great deal more rarely than others, it may be that there’s a few more to be collected!

[Images: the 31 EarthLink CAPTCHAs collected so far, numbered 01 to 31]

For rather more detail, and the current totals for each CAPTCHA (some have turned up nearly 30 times, some just once) please see the detailed account which I’ve placed on my own webspace.
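The "few more to be collected" reasoning can be made quantitative. The following is an added example, not the Perl from this post: an audit that a challenge operator could run over a log of issued images to see how small the pool really is, using the Chao1 and Good-Turing estimators. The per-image frequencies are constructed (31 distinct images, 296 issues, the commonest seen 29 times), and it assumes a repeated CAPTCHA is served as byte-identical image data.

```python
import hashlib
from collections import Counter

def tally(images):
    """Count issues per distinct challenge, keyed by SHA-256 of the image bytes."""
    return Counter(hashlib.sha256(img).hexdigest() for img in images)

def chao1(counts):
    """Bias-corrected Chao1 estimate of the total number of distinct challenges."""
    f1 = sum(1 for c in counts.values() if c == 1)  # images seen exactly once
    f2 = sum(1 for c in counts.values() if c == 2)  # images seen exactly twice
    return len(counts) + f1 * (f1 - 1) / (2 * (f2 + 1))

def repeat_probability(counts):
    """Good-Turing estimate of the chance the next challenge has been seen before."""
    f1 = sum(1 for c in counts.values() if c == 1)
    return 1 - f1 / sum(counts.values())

def audit(images):
    """Summarise a log of issued challenge images."""
    counts = tally(images)
    return {
        "issued": sum(counts.values()),
        "distinct": len(counts),
        "estimated_pool": chao1(counts),
        "repeat_probability": repeat_probability(counts),
    }

# Constructed sample, not the real totals: how often each of 31 images appeared.
CONSTRUCTED_FREQUENCIES = [29, 25, 22, 20, 20, 18, 17, 15, 14, 13, 12, 11, 10,
                           9, 8, 7, 6, 6, 5, 5, 4, 4, 3, 3, 2, 2, 2, 1, 1, 1, 1]
# Stand-in image bytes: one constructed blob per distinct image, repeated n times.
SAMPLE_LOG = [b"constructed-captcha-%02d" % i
              for i, n in enumerate(CONSTRUCTED_FREQUENCIES, 1)
              for _ in range(n)]

if __name__ == "__main__":
    for key, value in audit(SAMPLE_LOG).items():
        print(key, value)
```

On this constructed log the estimate is 32.5 images in the pool, and roughly a 98.6% chance that the next challenge issued is one already seen, which is the property that makes a fixed pool worthless as a barrier to automation.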

By the way: If you’re an EarthLink user reading this — then please turn OFF “Suspect Email Blocking”! You’re just annoying everyone else 🙁

Security research may become a crime in the UK

Clause 35 of the new Police and Justice Bill will amend the Computer Misuse Act to make it an offence to make or adapt any article –

(a) knowing that it is designed or adapted for use in the course of or in connection with an offence … ; or

(b) intending it to be used to commit, or to assist in the commission of, an offence …

This would be OK if the “or” at the end of (a) were replaced with “and”. As it stands, it looks like criminalising much of what we do here. Time to write to your MP?

Mysterious and Menacing

There’s a big change coming in the way that the UK police deal with “hi-tech crime” — and it might mean that a lot of Internet crime gets ignored.

For the past five years, since April 2001, the National Hi-Tech Crime Unit (NHTCU) has been the national unit for combating “national and transnational serious and organised hi-tech crime both within, or which impacts upon, the UK”. However, from April 2006 the NHTCU is to become part of the Serious Organised Crime Agency (SOCA), along with the National Crime Squad (NCS), National Criminal Intelligence Service (NCIS), part of the Customs Service (especially those dealing with class A drugs) and part of the Immigration Service (who deal with “people smuggling”).

The task of SOCA is to deal with “level 3” criminality, which is defined by the National Intelligence Model (NIM) as “Serious and Organised Crime — usually operating on a national and international scale, requiring identification by proactive means and response primarily through targeting operations by dedicated units and a preventative response on a national basis”.

Level 1 criminality, defined as “Local Issues — usually the crimes, criminals and other problems affecting a basic command unit or small force area”, will continue to be dealt with, as now, by local police forces. This is the type of crime you report to the desk sergeant in the local nick, and of course it’s seldom the model for crime involving the Internet!

That leaves “level 2” crime which is “Cross Border”. In this definition the border isn’t an international demarcation, but between police forces. Since there are 49 police forces in the UK, it’s pretty clear that almost all Internet crime that doesn’t involve mafias or gangs is going to be level 2.

Up until now, Internet crime has been investigated by the NHTCU (in so far as they have had the resources to manage this). They’ve had successes on phishing, software counterfeiting and DDoS attacks. However, if these crimes occurred this year, with the NHTCU personnel within SOCA, then few of them would be level 3 and so they would not be looked at.

So who will investigate these level 2 Internet crimes in the future? Your local desk sergeant may take down the details, but the Chief Constable, who is meeting targets on how well level 1 crime is dealt with, isn’t going to be interested in putting resources into investigating criminals who are likely to be in another force’s area — and possibly even in another country.

You won’t learn much about this change on any police websites at the moment… and this is partly because there’s another change being made by the NHTCU. Up until now they’ve been very media-friendly with loads of press releases about their successes and lots of information on their website to ensure that High Tech Crime gets reported appropriately.

However, in their new role they’ve decided to leave all this behind. So there will be no more NHTCU officers as speakers on panels at conferences, no more cuddly interviews in The Times. Their watchwords, they tell me privately, for the new style are “mysterious and menacing”.

Let’s hope that’s not how we end up viewing the Internet as the level 2 criminals run riot 🙁