I love cryptography. If you’ve ever received email from me you know I sign all my email messages with OpenPGP; many of you share keys with me and we exchange all our emails in encrypted form.
Yesterday, I went and bought an Ipredator subscription for 15 euros. Ipredator is a service that provides a PPTP Virtual Private Network endpoint in Sweden, anonymized and encrypted from your computer to the exit node.
Yesterday, the Digital Economy Bill was passed into law.
These two events were not unrelated. Why did I go and set up all of my internet traffic to be encrypted and exported from the UK before it gets released onto the internet? Because perfectly legal things that anyone on the internet does on a daily basis is being criminalized. Websites like YouTube and Google have the potential to be blocked at this point, based on rights holders (The BPI and pals) accusing sites of being likely to be used for copyright infringement. Awesome.
Not only that, but any connection in the UK which is accused of having copyright infringement associated with it (note there is no requirement for evidence, and this relates to a whole connection, not individuals) has to be disconnected by their ISP.
So, I’m turning to cryptography to cover my ass. Because if everything coming in and out of my connection is encrypted till it hits somewhere in Sweden at which point it has no actual traceable relation to me individually, then any accusations of filesharing _must_ be wrong because there’s no way they could know that (and for the record, I download the occasional TV show and Linux distributions using BitTorrent).
And I absolutely think that a little dash of cryptoanarchism in the UK would be a fantastic thing right now. Spread the word on cryptography and VPNs, get Tor and I2P in more mainstream use with your friends and family, you name it. Let’s face it- nearly everyone who can use BitTorrent or anything else to infringe copyright can use cryptography to hide that without much effort or expense, and there’s no reason why people who don’t infringe copyright shouldn’t use it. We all use cryptography every day of our lives for online banking, shopping, or just looking at some sites which default to using SSL (I use Github for example, which bundles SSL with their paid accounts). The government can’t regulate what it can’t see, and it can’t make bills to regulate cryptography out of existence. It’s a solution, though a tricky one.
I’ve already started thinking- what about cheap, mainstream-friendly VPN appliances? I’m not the only person to think of this it looks like- there’s a fair bit of discussion about this. It’d be great- imagine a £50-75ish bit of kit, you buy it, you get the hardware, some bundled months of VPN access, which you can add onto whenever you want to- if it were a polished and easy to set up (plug into wall, network cables between your existing router/modem and your computer(s), turn on, make account, done), then it’d have a chance of becoming a way to deliver cryptography against not only government and ISP snoopers, but also would provide security for people at places like university halls of residence, shared homes, etc. Heck, I use Ipredator on my iPod to encrypt anything going over wifi while I’m out and about using public wifi spots and campus wifi. I’m not concerned about being snooped on, but why not? (A bit of discussion came to the conclusion that a custom firmware for a WRT54GL would be the way to go).
The point is that those who do infringe copyright will always be one step ahead of the curve technologically. I absolutely predict VPN tunnels will be the next big thing for BitTorrent users and legitimate users alike. And what will the government do then? Cut off anyone using a VPN? There go business users working from home. Cut off anyone with lots of internet usage? (Not that ISPs aren’t trying to do that anyway. I’m looking at you, PlusNet!) You’d cut off half the UK, including anyone who used iPlayer. VPNs are the way to go, though the number of providers could do with increasing.
And there’s no chance the government can keep up- and why should it? At the end of the day, copyright needs to be reformed to take the internet into account. This is the only way that the problem will ever be solved from a legal standpoint- trying to win this war with technology won’t work for the government. Deep Packet Inspection hardware works till you slather everything with crypto. Disconnection notices work till you realise that all the pirates are using dynamic IPs and the ISPs don’t keep track of who has what IP at any given moment (and if they do, why? Do they have a legal onus to do so?)
, and even if DPI or Disconnection worked, you’re still not fixing the problem, and you’re still causing huge inconvenience for all the users of that connection.
I’d like to think that our ministers are vaguely understanding what all this means and that at least the guys in charge of all this know their technical stuff. Alas, this has been revealed to not be the case; The Rt Hon Stephen Timms MP, Minister for Digital Britain, revealed in this letter that he believes the term “IP Address” to mean “Intellectual Property Address”. I feel that it’s unlikely that he’s confused IP addresses with a URN scheme or anything, and that he really does think that’s what IP stands for. If you don’t know, it actually means Internet Protocol, because it’s the underlying framework most of our internet relies on for communication between computers. It’s the sort of thing you cover in the first lesson if you’ve ever been taught anything about networking.
With this absolute failure to have knowledge where it’s needed in the current UK political system it’s even more important that the Digital Economy Bill be removed as soon as humanly possible (if that is possible; I’m not a lawyer) or at least be heavily amended. And in the meantime, we should be encouraging MPs to learn the basics, voting for those who will make the right decisions (looks like LibDem for me), and spreading the word about all this as fast as we can. And a little cryptoanarchism wouldn’t hurt, either.
And on that note, I’m going to go see what it’d take to set up a free VPN endpoint on one of my underused VPSes.
Well said James, Dave Hughes sent me here btw xD
Do you reckon someone’s already come up with the encryption boxes, like using a dongle or something and plugging it in through the back of the PC? May need one for my laptop the way things are going…uni network shuts me off from P2P downloads anyway, but do you think they’d get me if I downloaded batch files zipped up in a .rar format? The government I mean, not really bothered about Cardiff’s My First Internet Setup from Fisher Price, etc.
Benji, Cardiff Uni
At the end of the day under current legislation, copyright infringement is still illegal and can’t be condoned. And at the end of the day, programmers/artists still need to get paid. I’m of the opinion that copyright in it’s current form isn’t the way to do that, but hey, that’s one for another day.
The hardware exists; I’ve been exploring options with the WRT54GL, the designed-to-be-hacked router from Cisco/Linksys. This platform enjoys many custom firmwares, and when I get the bloody thing un-bricked I’ll let you know if it works. I actually have a Netgear Prosafe FVS318 hardware VPN firewall which is specifically the bit of kit you’d buy to do this, but it’s expensive and the FVS318 is so out of date I can’t make it work with _anything_. And then there’s options like the GuruPlug which would potentially be the perfect device- plug into mains, there’s two network sockets, plenty of CPU headspace and Linux. http://www.globalscaletechnologies.com/p-32-guruplug-server-plus.aspx for more on that.
The WRT is the cheapest route at £35ish, with custom firmware available for free, and the GuruPlug isn’t ridiculous at £80.
If the government forces ISPs to implement the requirements of the DEA, it’s unlikely they’ll pick apart files- they’ll use deep packet inspection to work out what each individual packet is doing and block those deemed in appropriate. That might be determined by the destination, protocol, size, timing, you name it. We’ll have to wait and see on that one.
Some UK ISPs clearly do keep track of dynamic IPs.
My friend got busted by “Logistep”, a company that provides illegal P2P download/connection info to rights holders’ solicitors.
They forwarded his IP along with date/time of alleged illegal activity.
The solicitors then contacted his ISP (in this case Virgin) who provided his name and address so they could sue him.
In this case, the publisher initiating the action was Zoo Publishing who published Call Of Juarez. I am all in favour of people going out of their way to pirate Zoo stuff now just because of their over zealous actions. I’d be very happy to see a marked upturn in the piracy of Zoo games who should be made an example of in my opinion.
Virgin are something of a special case I believe; they have been the first (only? Not been keeping track) ISP to agree to disconnection. With Branson’s media empire he has a vested interest in reducing his perceived losses to copyright infringement.
Guys, I think you’re giving away too many details of the cryptosystems. If you want to go crypto, one of the golden rules is not to reveal what type you’re going to use, especially if it’s a hardware-based one.
Absolutely the opposite. Keys you keep secret, algorithms you publish and spread and share. Because the more eyes trying to break it, the better the chance of it actually being secure. AES is still unbroken but has been distributed far and wide and is probably the most implemented cryptosystem in the world.
That’s true when you want to openly distribute your public keys and get everyone using crypto software.
Hardware-based encryption’s a different matter. You want to keep very quiet about the tech details of whatever hardware you’re using, as there’ll always be one weak spot or other. The chip in the new passports, which the government kept telling us is 100% secure, has been hacked, and some of us know how to break the crypto on it.
The security of AES is down to the fact nobody, as far as the public is aware, has found a quick way to factorise a huge number into its two large primes. If a mathematician finds a way, AES becomes useless. Always bear in mind that because your message is securely encrypted today, that might not be the case in 20 years time.
It is a trivial matter for an attacker to open up the hardware and work out what you’re using. You can build protection against that, of course- potting, self-destructs, etc- but fundamentally it would be trivial to determine the algorithm being used.
AES is of course only secure for as long as that mathematical problem remains hard, and quantum computers will completely change the game. However, they are still a good five years off now.
Chips in passports is an excellent example. If the government had publicly consulted they’d have known that the chips were useless. Heck, maybe they knew before they went into production anyway. Either way, security by obscurity is no security at all. What will keep your data secure is a well designed implementation of a well tested algorithm.