
The Times: Police set to step up hacking of home PCs

The Times | 05.01.2009 13:55 | Repression | Technology | Terror War | Sheffield

Just when you thought the attacks on privacy couldn't get worse... If you still need a reason to switch to Linux then read the following extracts from a Sunday Times article:

THE Home Office has quietly adopted a new plan to allow police across Britain routinely to hack into people’s personal computers without a warrant.

The hacking is known as “remote searching”. It allows police or MI5 officers who may be hundreds of miles away to examine covertly the hard drive of someone’s PC at his home, office or hotel room.

Material gathered in this way includes the content of all e-mails, web-browsing habits and instant messaging.

Under the Brussels edict, police across the EU have been given the green light to expand the implementation of a rarely used power involving warrantless intrusive surveillance of private property. The strategy will allow French, German and other EU forces to ask British officers to hack into someone’s UK computer and pass over any material gleaned.

A remote search can be granted if a senior officer says he “believes” that it is “proportionate” and necessary to prevent or detect serious crime — defined as any offence attracting a jail sentence of more than three years.

Richard Clayton, a researcher at Cambridge University’s computer laboratory, said that remote searches had been possible since 1994, although they were very rare. An amendment to the Computer Misuse Act 1990 made hacking legal if it was authorised and carried out by the state.

He said the authorities could break into a suspect’s home or office and insert a “key-logging” device into an individual’s computer. This would collect and, if necessary, transmit details of all the suspect’s keystrokes. “It’s just like putting a secret camera in someone’s living room,” he said.

Police might also send an e-mail to a suspect’s computer. The message would include an attachment that contained a virus or “malware”. If the attachment was opened, the remote search facility would be covertly activated. Alternatively, police could park outside a suspect’s home and hack into his or her hard drive using the wireless network.

Police say that such methods are necessary to investigate suspects who use cyberspace to carry out crimes. These include paedophiles, internet fraudsters, identity thieves and terrorists.

The Times
- Homepage: http://www.timesonline.co.uk/tol/news/politics/article5439604.ece

Comments


Fuck the state

05.01.2009 16:12

I'd like to see them try, at the very minimum all of my data is encrypted using 256bit multiple encryption methods although I usually use up to 2048bit, all of my emails are encrypted with pgp or something similar, and i regularly search for rootkits including those not listed by the antivirus companies.

I don't use wireless connections so they aren't going to be able to sit outside my house and tap it, and all of my secure data is stored on a computer not connected to the internet or a network. They'd literally have to break into my house to access it, and even then they'd be there for years trying to brute force it... hardly covert.

I'd like to see them try


I'd like to see them try

05.01.2009 16:56

It wouldn't be too difficult for them to gain entry to your home and stick a keylogger on your "safe" box. And it wouldn't even have to be booted up to do it - remember, think 'the point of LEAST resistance'.

The most secure you'll ever get with computers is sticking half a pound of TNT in it and hitting a plunger: assume all computers are compromised and you may be a bit safer.

They wouldn't have to try very hard


Encryption

05.01.2009 17:07

The best thing you can do is encrypt everything, use an email server outside of the UK, use an encrypted proxy like the free app tor or an encrypted VPN, change your dns server to something like opendns, avoid ISPs that snoop on your connections with Phorm like BT, Virgin and the Carphone Warehouse. Do not use any wireless networks other than ones from internet cafes with free open connections for patrons, then use a mac address changer like the free offering from Technitium, to hide your network card's serial number etc.

secure:  https://www.torproject.org/

none secure:  https://www.torproject.org/

fta: Tor is a software project that helps you defend against traffic analysis, a form of network surveillance that threatens personal freedom and privacy, confidential business activities and relationships, and state security. Tor protects you by bouncing your communications around a distributed network of relays run by volunteers all around the world: it prevents somebody watching your Internet connection from learning what sites you visit, and it prevents the sites you visit from learning your physical location. Tor works with many of your existing applications, including web browsers, instant messaging clients, remote login, and other applications based on the TCP protocol.

 http://www.opendns.com/

Technitium MAC Address Changer:  http://tmac.technitium.com/tmac/index.html

hms brittian number


Future proof?

05.01.2009 17:22

Even if your data is secure? For how long? No technology is future proof, at some point the holes in PGP will be discovered (they may have already been - why would the state tell us if they had cracked it?)

The best thing is to do things face to face with those you know and trust. Simple as.

The old ways will always be the best ways!

Netcu Watch
- Homepage: http://netcu.wordpress.com


dumb people

05.01.2009 17:57

You forget how dumb the terrorists are. There are plenty of examples: they buy mobile phones as bomb triggers but then keep the receipt in their flat. Fortunately, most crims are completely stupid.

stalebread


article

05.01.2009 20:35

i started writing a comment but it was really long, so i posted it as an article.

sue denim


The security industry.

05.01.2009 20:52

This is a story about the growing security software industry in UK and the relationship they have with government.

What could be the purpose of this story? Well, most who read this, whether they have something to hide or not, might well be thinking after reading this "hmmmm, I need to go out and buy some up to date anti-virus software, and I need to do this now". If you purchase things online then you will simply be guided to update your computer software with up-to-date coded software that has the effect of "pushing" onto the nation's computers software that is firstly "up-to-date" and secondly "inline" with government requirements. How many of us can say that software we have installed on our computers is out-of-date and, therefore, problematic for the police, government and the "anti-terrorist loons" in the security industry?

There was a story recently about Microshaft forcibly updating people's PCs with code snippets that would detect if your copy of Windoze was legit or not. The story was put out by newspapers in this country and elsewhere and no doubt many journalcysts were slapped on the back for their efforts. Realistically, all you needed to do to avoid it was turn off automatic updates.

Most people in the UK using PC's (not mac or OP's with Linux installed) use anti-virus software that should come bundled with the ability to lock down your computer halting access to the internet. Or you are simply operating your computer intelligently and are not likely to open dodgy emails anyway. Most do not operate wireless systems.

The methods described in this story simply imply that the police are using the criminal techniques that spammers, phishers and internet fraudsters use to gain access to your computer. The implication being that you have no defence against it or, if you are brought to court, the judge can be successfully encouraged to read that you have fallen foul of something that, by its very automatic nature, was designed to entrap those who are up to no good...irrespective of any supplementary evidence.

It's just another example of government gone wrong and frankly says more about the methods used by try-hards within the police "service" than it says about anything else.

Operate your computer sensibly and make yourself aware that you have nothing to fear from those who will have you fear everything.

Solidarity.





Not a fool.


You'd like to see them try

05.01.2009 20:57

So would I.

You must be into some Really Important Shit to have a separate PC for secure data, and to use PGP and all that shizzle.

Anne Archivist


tips?????

05.01.2009 20:58

with so many fuct up shit happening someone have good tip for safe use in laptops and pcs at home ?????? tips welcome .........united we stand divided we fall ...............resistance

one of many


Peek-a-boo watching you

05.01.2009 22:03

So we do live under a fascist government, then?

None of my PC usage is illegal, however, I extremely strongly resent such invasion of privacy that this I-spy government is embarking on! Not that it's a problem, for all I need to do is cancel my ISP's subscription fee, that ISP losing £16 per month, courtesy of this Big Brother bully! And cancel I shall! Simple as that!

It's a matter of principle, eh?

Francis H. Giles
e-mail: francis@fgiles.orangehome.co.uk


To avoid keyloggers

05.01.2009 22:22

Use a laptop with a motion activated alarm on it at all times when you are sleeping, keep it on your person when you are awake. This way they will not be able to surreptitiously access your hardware.

Use OpenBSD

Use deniable encryption if possible such as steganography. Straight strong encryption is of limited use because of RIP.

Use a biometric scanner for authentication instead of passwords. Alternatively cover your keyboard when entering your passwords to avoid surveillance cameras or snooping. Consider that even the sounds of your keyboard keys could be used to reconstruct your keystrokes.

Take measures against TEMPEST interception of EM radiation from your machine (suggestions? Maybe build a PC into an old microwave oven!?)

It's trivial to crack WEP wi fi AP's and of course use open ones. Also, use public AP's. Use a script (cron job) to change your MAC address regularly or every time you access a new network.

Use Tor.

Use web proxies.

inb4 tinfoil hat

anon


Gmail et al

05.01.2009 22:29

And whatever you do DON'T use Gmail, Hotmail or any other corporate webmail that surveils its users under the convenient pretext of doing market research. Microsoft has been known to work with the NSA and Google with the CIA. The same goes for DAFT SOCIAL NETWORKING SITES and corporate Instant Messaging stuff like Skype and AIM! Use IRC and email instead!!

anon


To they wouldn't have to try very hard

06.01.2009 00:35

I shan't divulge into why my safe box is more secure than normal, I will however enlighten you to the fact that the OS and BIOS are also encrypted and that the base unit is alarmed (if you move it it'll start screaming). They'd have to brute force a multiple 2048bit encryption key before they could put the key logger on there, even using the world's most powerful super computer Blue Gene/L it would take tens possibly hundreds of years to chip away at it by which point the data they are trying to access is out of date and useless.

I have a post doctorate in digital forensics and encryption, I am fully aware of the state's methods and limitations. Much of what they rely on is fear and stupidity, they attempt to scare you into compliance into revealing your keys they like to boast that they can break your 256 in minutes but in reality they can't (for the next few years anyway). They rely on human stupidity, little slip ups, and fear in order to access your data.

If you're totally paranoid and really have something to hide you might as well dismantle the hard drive, smash it to pieces, and melt it. That however is a little over the top.

I'd like to see them try


Poor old Bill

06.01.2009 01:10

For the record, it is perfectly possible to secure a Microsoft PC, it just takes a lot of work. You have to follow the NSA guidelines (which include removing the scientology defrag software) and never connect it to the internet.

This story should be a non-story for activists. I've a secure PC but it isn't very functional, and the last time the police came visiting I had popped to the downstairs toilet and had forgotten to lock the PC. Luckily they weren't interested in it.

PS when you melt a hard-drive, and you should, just melt the platters unless you are what I would call paranoid. The fumes can be nasty otherwise.

xMCSE


my pc

06.01.2009 11:15

will have a large pic of plod wae a piggy face in a folder named topsecret

e-best option


response to I'd like to see them try 2

06.01.2009 15:54

so all they have to do is raid, copy your hard drive then wait a few years before they arrest you.
legal cases can be kept open for years and years.
people who committed crimes 30 years ago are getting arrested now due to advancements in DNA technology.
it's feasible for them to wait for advancements in computers

sue denim


I'd like to see them try

06.01.2009 18:16

The RIP 2K Act.

They don't have to "scare" anyone, they'll just throw your arse in jail for NOT divulging the keys, and for many people just the thought of years in jail is an incentive to comply. Withholding keys has been a criminal offence in the UK for some time now... as has warning people that the police have been given encryption keys.

You would have to be up to some seriously heavy stuff not to cough up the keys and cop a 2 possibly 5 year custodial.

 http://news.zdnet.co.uk/itmanagement/0,1000000308,39280970,00.htm

Why have your box rigged like Dr Evil's cave if you haven't anything to hide???

Anyone who trusts technology alone to protect them is a fool (who knows if someone should stumble on a breakthrough and knock Moore's Law into a cocked hat and make those brute force hacks look like a knife through hot butter (as someone pointed out, it's all a matter of time vs instructions per second)... I wouldn't bank on it; but anyone who does not use encryption is asking for trouble.

Just how do you stop them sticking sand-filled boxes/baffles around your base unit before they disable your alarm, pick the lock, open the box up and just syphon the drives without power ever going through your CMOS?

They wouldn't have to try very hard


To they wouldn't have to try very hard

06.01.2009 19:33

I'm fully aware that they can throw you in prison for not divulging the keys, it is for this reason plausible deniability exists. It is fairly easy to encrypt and hide an operating system and volume within another encrypted partition. In fact you could have a chain of hidden volumes within each other, it's essentially limitless. I can safely give away the keys and password to the outer partition and OS, because within the encrypted volume there are several more layers each one using a different encryption tumble and password. The state can't prove that I've created further volumes, so will essentially be happy that I've divulged what they need. The outer layer is filled with 'useful' information but it's far from incriminating, this can effectively side track and deter them from attempting to probe further.

As to why I should rig my computer like Dr Evil's cave there's plenty of reasons I could give to the police, fear of cyber criminals and identity fraud for example or I could even play the crackpot paranoid card and portray myself as an insecure loony. The possibilities are endless. Just because I've encrypted my computer doesn't mean I necessarily have anything to hide, people add passwords to things for a whole variety of mundane reasons.

However I said in my previous post I shan't divulge why my safe box is more secure than normal, I'd consider complete hard drive encryption to be a basic step to take, if you don't use at least this then you are foolish in my eyes. There are further steps I've taken, as stated I've a post graduate degree in digital forensics and encryption, however I'm certainly not going to discuss them on line, best to leave a few surprises to confront any would be attackers with.

I'm not familiar with Indymedia having never heard of it before, however this article caught my attention through a search engine, just thought I'd add my two cents or so to speak.

I'd like to see them try


Least bad UK ISP ?

06.01.2009 20:22

I was asked today if there was a UK ISP with any backbone. Can anyone think of one - avoiding puns on the word backbone. The request was for a decent ex-journo setting up a site that may come under a fair bit of corporate legal pressure.

I know this is off-topic but since all the techies are here anyway I thought I'd ask since I couldn't think of a single brave UK ISP / hosting company. A decade ago I would have said Demon but today I could only recommend foreign organisations. Any tips would be for a good cause.

xMCSE


I'd like to see them try

06.01.2009 21:18

Wooh! That bit of paper with your MSc on it will have them tied up in knots!

They wouldn't have to try very hard


@I'd like to see them try

06.01.2009 21:40

How do you encrypt a volume within a volume such that if the exterior volume is decrypted, there's no evidence of the interior volume existing? Does Truecrypt do this? (and then I guess one has to use Windows, which raises another plethora of security issues).

The only way I've ever heard of to create a completely plausibly deniable encrypted volume was with StegFS (an experimental and unfinished Linux filesystem). I personally would just hide my truly secret information in a large collection of images with steganography. A typical activist really hasn't got that much truly incriminating material after all, unlike say, a paedophile - unless they're keeping, say high resolution surveillance or maybe blackmail imagery / videos.

anon


lets face it its more than a chance you gambler you!

06.01.2009 22:54

comments like that are gonna damage your fence in court when you "pretend to be a paranoid loonie".

as for isps i've got no idea, they're mostly shit.
talk talk is beyond shit.
and virgin media are founders of the "internet 2" censored internet project, so they'd be a big no no for me.


going back onto the track, with the stuff people get raided and nicked for now. you don't have to be doing something dodgy, Sean Kirkly got 4 years for running a legal website for a legit group.

can any give me any suggestions for some good user friendly (preferably ubuntu friendly) linux encryption programs, my current setup is somewhat complex and i have on several occasions lost my data :-(
and my bank is getting sick of me asking for new login details.

sue denim


oh and

06.01.2009 22:58

there is a linux version of truecrypt, ubuntu has a nice gnome visual front end too!

sue denim


Deja Vuntu

07.01.2009 02:48

@They wouldn't have to try very hard
Who has an MSc ? I couldn't afford Uni for sure, I got an apprenticeship instead. Most computer users who can learn a wordprocessor can learn how to encrypt their data securely.

@anon
-How do you encrypt a volume within a volume such that if the exterior volume is decrypted, there's no evidence of the interior volume existing?
On technical forums it is considered impolite to ask questions you are obviously smart enough to research yourself.
 http://www.truecrypt.org/docs/plausible-deniability.php

-I personally would just hide my truly secret information in a large collection of images with steganography. A typical activist really hasn't got that much truly incriminating material after all, unlike say, a paedophile

Smarter than stegging all your activist data into your child-porn collection for sure but that isn't plausibly deniable. Although that does double-encrypt, if you are forced to open the StegFS volume then it is a simple matter to identify the stegged images or any other encrypted files for that matter. So whatever forced you to open the volume will force you to open the files.
It is also a simple matter to identify if a drive has been encrypted using Truecrypt but Truecrypt can nest one encrypted volume within another and fills up extra storage capacity such that it is indistinguishable and unidentifiable. Plus if you choose, you can encrypt it using a different algorithm and strength. Remember to setup your os so that all the system files are also on the hidden volume, but that is a simple dual-boot. RTFM -  http://www.truecrypt.org/docs/?s=plausible-deniability

-comments like that are gonna damage your fence in court when you "pretend to be a paranoid loonie".
Don't worry, I have testimony to that defence from other posters here!

@Sue Denim
-can any give me any suggestions for some good user friendly (preferably ubuntu friendly) linux encryption programs, my current setup is somewhat complex and i have on several occasions lost my data
I can't recommend any user friendly Linux programs for anything I'm afraid! This will encrypt your email safe and will install on Ubuntu.
 http://dewinter.com/gnupg_howto/english/GPGMiniHowto.html

(Or for Microsofties -  http://www.theregister.co.uk/2008/11/14/email_encryption_how_to)

xMCSE
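
The claim in the comment above, that ciphertext stands out against ordinary data but cannot be told apart from random fill in a volume's free space, checked on constructed data. This is an added example, not part of the thread and not TrueCrypt code; the SHA-256 counter-mode keystream is a stand-in for TrueCrypt's ciphers, and every name and sample value is hypothetical.

```python
import hashlib
import math
import os

BLOCK = 64 * 1024  # size of each analysed region, in bytes


def keystream(key: bytes, length: int) -> bytes:
    """Stand-in stream cipher: SHA-256 in counter mode (assumption, not TrueCrypt's)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """XOR the plaintext with the keystream; applying it twice decrypts."""
    return bytes(p ^ k for p, k in zip(plaintext, keystream(key, len(plaintext))))


def byte_counts(data: bytes) -> list:
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return counts


def entropy_bits_per_byte(data: bytes) -> float:
    """Shannon entropy of the byte histogram; 8.0 is the maximum."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in byte_counts(data) if c)


def chi_square(data: bytes) -> float:
    """Chi-square statistic against a uniform byte distribution (255 d.o.f.)."""
    expected = len(data) / 256
    return sum((c - expected) ** 2 / expected for c in byte_counts(data))


def looks_random(data: bytes) -> bool:
    # For uniform bytes the statistic has mean 255 and std dev of about 22.6,
    # so 400 lies far out in the tail; ordinary text scores in the millions.
    return entropy_bits_per_byte(data) > 7.9 and chi_square(data) < 400


def build_container() -> dict:
    """Constructed sample: three regions as they might sit on a disk."""
    secret = (b"meeting notes, constructed sample text\n" * 2000)[:BLOCK]
    return {
        "plaintext file": secret,
        "random-filled free space": os.urandom(BLOCK),
        "hidden volume (ciphertext)": encrypt(b"constructed-demo-key", secret),
    }


def classify(container: dict) -> dict:
    """Map each region name to whether its bytes pass the randomness checks."""
    return {name: looks_random(region) for name, region in container.items()}


if __name__ == "__main__":
    for name, region in build_container().items():
        print(f"{name:28s} entropy={entropy_bits_per_byte(region):.4f} "
              f"chi2={chi_square(region):12.1f} looks_random={looks_random(region)}")
```
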


xMCSE

07.01.2009 09:14

I was referring to Mssr I'd Like to see Them... hoisting credentials in a debate is as good as waving a white flag... And for sure, these days much of computing is aimed at normal people and not shadowy groups of translucent geeks who speak in hexadecimal.

Now, I'm no sooperdooper expert in cryptography, but I suspect like you said finding stegged images will usually be routine (known algorithms, and checksum versus visual content, noise patterns... would be my amateur guessing). Apparently GCHQ has had little bot apps scouring UseNet and known haunts for years now... but apparently there is a massive global organisation called al Qaeda with a big beardy man running it all from a cave...

I guess such an approach would also apply to finding nested encrypted volumes too... but, from the close-by second-hand experience I have had, law enforcement tends to like applying initial brute force on hacking the 'suspect' more than the data: "we can put you away in a federal prison for 20 years and you'll never see your kids again or you can sit there and write down all your passwords."

Someone asked about ISPs. To my knowledge there isn't a single UK-based ISP that will promise as a matter of contract or sales pitch to fight any court orders. Most ISPs will ignore complaints from nobodies. Some will readily comply with the demands of corporate attorneys (especially when it comes to TOS issues), all will buckle and yield to any court order, and from what I gather most won't ask the police too many jurisdictional questions, if any.

But I did read a few years back about some guy who has bought a decommissioned MOD platform in the Atlantic and is running "secure" accounts outside national law... but whether that was just leased lines or domestic too, I cannot remember.

I have no idea if he is kosher; I know some people who had offered similar services in the US were outed as "ex-NSA/CIA"...

But anyone in a built up area can homebrew a PCMCIA WiFi card into a decent receiver dish and just piggyback open WiFi routers... and WEP is apparently as efficacious as wet toilet paper in keeping people out too, so I guess there will be WEP scripts out there.

They wouldn't have to try very hard


@They wouldn't have to try very hard

07.01.2009 18:09

"I guess such an approach would also apply to finding nested encrypted volumes too... but, from the close-by second-hand experience I have had, law enforcement tends to like applying initial brute force on hacking the 'suspect' more than the data"

I've read some criticisms of Truecrypt, even on Indymedia, but no one has criticised its claim of plausible deniability.
I fully agree with you on the second point. I reckon if you even use low strength encryption then the biggest risk to your data is from someone you trust. Every algorithm can be broken eventually but people just break on their own, so I send my mail through Hotmail and the like and the only time I've used mail-encryption is for other people's data. You can send an encrypted mail from the most secure PC possible in the most secure environment in the most secure manner and if the person you are mailing opens it on a PC fitted with say, a root-kit screen-scraper or any other minor fatal flaw, then you are fucked. Plus it saves me evaluating each person I email as to whether they are just malicious or stupid enough to cut'n'paste what I have written. I just don't have much data worth protecting and the stuff that is is too important to stick on any computer.

"But anyone in a built up area can homebrew a PCMCIA WiFi card into a decent receiver dish and just piggyback open WiFi routers... and WEP is apparently as efficacious as wet toilet paper in keeping people out too, so I guess there will be WEP scripts out there."
I cable. If I was to be up to looking at or creating dodgy sites then I'd be tempted to install WiFi and not enable any security except to disconnect my PC cable when not in use, hide it in plain view so to speak and blame the kid across the street or at least 'plausibly deny' it was you. You can build a directional tube using a CD behind a WiFi stick and a tube around it. Point it at the window of anyone you know uses WiFi - and if it is someone else's unprotected WiFi that is being used, it is unprotected for any 'lurkers' too. Most people don't change the default password on their router. Most people setup a new PC os and then immediately connect to the internet for security downloads, before setting up any security - and most of them with an unpassworded admin/su account, no wonder Cisco got rich.

xMCSE


MSc != MCSE

10.01.2009 20:03

I think someone was confused earlier thinking xMCSE referred to an MSc (Master of Science) degree.

MCSE is Microsoft Certified Systems Engineer which is a proprietary certificate. I think it expires after a number of years, which is why they are an xMCSE (ex-MCSE).

re: encryption on Linux:

Most distributions come with full disk encryption (apart from the boot image) as part of a standard install. Certainly the Debian-based Linux distributions like Ubuntu have this. I have always found it to work very well and to be very reliable.

g33k