Re: Virgin Media Phorm Webwise Adverts [Updated: See Post No. 1, 77, 102 & 797]
 

Yes there are several VPN services like 'Relakks' but it comes down to trust. How do you know you can trust Relakks? I've read their site and all the T&C and all the nods to privacy laws, but what guarantees do we have? Where are the testimonials and who vetted them in the first place.

There are some VPN service providers that sound really great and they offer good deals but then they go and spoit it by having just a PO Box office address in some far away country and no contact with a real person that can be held to account.

Sorry I don't want to throw cold ice water on your new discovery, and I hope you get what you think you will get which is a privacy solution for $5 per month. That is the value you have put on your privacy.

Re: Virgin Media Phorm Webwise Adverts [Updated: See Post No. 1, 77, 102 & 797]
 

I dunno really Wild Oscar; why should we trust them?

Incidentally, in that 'heated battle' did you notice that the principle of Oblonsky's suggestion was a bit of 80/20 thinking?

Apparently, the 80/20 principle – the fact that 80% of results flow from 20% of causes – is the "one true principle of highly effective people and organisations. The principle shows how you can achieve much more with much less effort, time and resources, simply by concentrating on that all-important 20%.

It is suggested that if we can latch on to the few powerful forces within and around us, we can leverage our efforts to multiply effectiveness. Most of what we do has trivial results. A little of what we do really matters. So if we focus on the latter, we can control events instead of being controlled by them, and achieve several times the results".

Perhaps that is what Oblonsky was getting at?

Intriguing.

Re: Virgin Media Phorm Webwise Adverts [Updated: See Post No. 1, 77, 102 & 797]
 

Don't worry .. I'm not advocating it's use, just asking for opinions as I'd never heard of these sort of things before!

Obviously getting Virgin to give Phorm the elbow is the only way to go ...

Re: Virgin Media Phorm Webwise Adverts [Updated: See Post No. 1, 77, 102 & 797]
 

There is Stunnel

http://www.stunnel.org/

Its an SSL wrapper

but to be honest you're better off dropping virgin altogether. Thats what I intend to do

Re: Virgin Media Phorm Webwise Adverts [Updated: See Post No. 1, 77, 102 & 797]
 

Firstly Tor is not secure, a proven fact that has been reported on several times.

Secondly even if it was secure, it doesn't fix the problem. Sure you can go and use Tor and your surfing will be "safer" and maybe 0.01% of the UK broadband population who are tech savvy enough to know about Tor might be too. But what about the millions of others out there, are we to just forget about them and only look after our own interests? And of course if a significant number of people start using Tor, how long do you think it will be until commercial organisations start setting up Tor exit nodes and harvest everything going through it in pretty much the same way Phorm are doing right now? It simply offsets the problems for a little, and it certainly isn't a wakeup call.

That isn't what I am about, my ISP won't be using Phorm or similar technologies so I have no personal threats to my privacy from Phorm, my involvement in this entire issue is to try and help to protect the 10s of millions who are not so lucky, not so technically minded and not so aware of the issues.

Alexander Hanff

Re: Virgin Media Phorm Webwise Adverts [Updated: See Post No. 1, 77, 102 & 797]
 

with reference to post #6267 posted yesterday but now six pages back.
Have you, or anyone else, heard or seen anything about such an investigation?

Re: Virgin Media Phorm Webwise Adverts [Updated: See Post No. 1, 77, 102 & 797]
 

You're right there are 10s of millions of potential victims for Phorm(and Phormlikes) and these people may not be able to defend themselves with a raft load of encryption techniques many of us take for granted. But end-to-end encryption is secure and reliable via SSL/TLS and it is very simple to use and built into most browsers. People need to be educated in the value of their privacy and what reliable systems they can use to secure that privacy, because when Phorm is defeated there will be another threat along similar line to Phorm just around the corner. More servers need to adopt HTTPS as standard until such a point there will be nothing left for Phormlikes to read.

So if you like the problem isn't the clients side, it is the server side. Eventually people that run servers will move over to HTTPS because there client/customer/readership will demand it.

Re: Virgin Media Phorm Webwise Adverts [Updated: See Post No. 1, 77, 102 & 797]
 

Yes but the problem with Tor is that it isn't end to end encryption. The exit node is open to all sorts of abuse of equal severity to Phorm (including DPI).

I agree HTTPS is the way to go, but perhaps pressuring browser developers to include OpenCA support as an authentic CA would be better than just switching to Tor. Then SSL will be available to everyone for free.

Alexander Hanff

Re: Virgin Media Phorm Webwise Adverts [Updated: See Post No. 1, 77, 102 & 797]
 

No, Tor isn’t much to do with security, in the sense that most people think of the security of a network. By default, Tor doesn’t produce any logs that might be useful to the authorities. If forced to produce such logs, those running the node would probably just shut it.


I hope you’re not suggesting that Tor is a sneakernet. :)


There’s a thread on BadPhorm called Relakks - A Phorm workaround? Relakks works fine. Note, though, that it’s only PPTP. This is not as secure as L2TP or OpenVPN. L2TP is apparently currently problematic to support. Relakks used to provide L2TP, but gave up on it. OpenVPN is built upon SSL/TLS, which we all know from HTTPS.

There’s an interesting alternative in the form of JonDonym. This was previously called Java Anon Proxy (JAP) and AN.ON. While a VPN may tunnel most things, Tor is more restrictive, being effectively a TCP proxy with further restrictions possible at the exit nodes. JonDonym is even more restrictive, being a HTTP proxy only. However, it tries to combine the best parts of VPNs and networks like Tor. Tor’s weakness is that anyone can set up as one or more nodes. A VPN’s weakness is that all your traffic can easily be monitored from a single point. Your VPN provider may find themselves forced, possibly by court order, to monitor your traffic. All you’ve done is move the ‘Phorm problem’ to a different place. JonDonym’s solution is to have a number of nodes in series, but to allow only identified businesses and institutions to provide those nodes.

As long ago as 2003, the service faced the problem of complying with a court order. There was a press release a little while after – AN.ON still guarantees anonymity. You can read more on the Law enforcement page and there’s a detailed paper entitled Revocable Anonymity that explains the process . The important point is that the German courts have only allowed for the monitoring of specific URLs. General logs that the authorities could trawl through have not been allowed. To make the legal process even harder for those who want to brake the anonymity, you can choose to have your traffic pass through nodes in different countries. Thus, court orders in more than one country would be required.

Re: Virgin Media Phorm Webwise Adverts [Updated: See Post No. 1, 77, 102 & 797]
 

Under European (at least) Data Retention Laws they are required to keep logs for a period of not less than 12 months. So whether Tor logs by default or not is not really issue, it would be very easy to force them to without even needing to change the law. And Tor logs have been seized in the past as I mentioned earlier.

The best way to defeat Phorm is HTTPS but unfortunately this is not cost viable for the majority of websites out there due to processing overhead and CA certificates. OpenCA have been working for some time to be accepted as a valid CA and as I said, if this happened across the majority of mainstream browsers anyone would be able to setup SSL for free without the user's browser throwing up a certificate warning dialogue.

Alexander Hanff

Re: Virgin Media Phorm Webwise Adverts [Updated: See Post No. 1, 77, 102 & 797]
 

I was just browsing round some online computer retailers (pcworld, ebuyer, scan, etc) adding items to my shopping basket. If I then go to the checkout all the items and prices are listed, it's only when I go to pay that http: changes to https:

Does this mean that Phorm/Webwise will not only be able to see all the items/prices of everything I want to purchase but will also be able to calculate the value and volume of daily sales of such sites, something I'm sure those sort of sites would prefer to keep confidential.

Re: Virgin Media Phorm Webwise Adverts [Updated: See Post No. 1, 77, 102 & 797]
 

Anybody spotted this one on BBC today? Facebook users warned about ads

This is the sort of thing I can imagine Phorm would be right up to their eyes in, if they ever got going.

Re: Virgin Media Phorm Webwise Adverts [Updated: See Post No. 1, 77, 102 & 797]
 

That’s certainly not the case yet in Germany. There, it won’t come into effect until 2009. Each member state is different. There’s no requirement yet in Sweden, the home of Relakks, either. Also, does this EU directive apply to private individuals, when not engaged in a commercial activity? Even after the start of 2009, would the Chaos Computer Club’s Tor node be required to retain logs for twelve months? Is the directive going to catch every user of Skype with a non-NAT IP address, anonymous P2P client or game server within the EU?

Re: Virgin Media Phorm Webwise Adverts [Updated: See Post No. 1, 77, 102 & 797]
 

Yes I was reading something last week about how these services are regarded as ISP services under the directive. In fact iirc don't even Relakk's state on their website that they are basically seen as an ISP? And the directive is EU wide so all EU countries will have to ratify it. Of course in the UK we are ahead of the game on this issue.

As far as I am aware Skype are already required to retain data and lets not forget the famous ruling by the FCC that Skype have to provide a federal backdoor for any communications which jump from SIPS to PSTN, a backdoor which has existed in Skype for about 3-4 years now if memory serves me correctly.

Alexander Hanff

Re: Virgin Media Phorm Webwise Adverts [Updated: See Post No. 1, 77, 102 & 797]
 

All the content of the http pages will be scanned, so in theory the contents of a number of shopping baskets (for example) could be analysed to calculate this information. However, from what we know about the Webwise/OIX system (see Richard Clayton's analysis), the software does not appear to record information at the level of detail to do this consistently and accurately, and as far as I know there is no intention to do this anyway.

This is an important point you raise as most of the discussion about Webwise/OIX so far has centered on the privacy concerns of the internet user rather than the websites and the individuals, companies and other organisations that are running these websites. My feeling is that there is currently a low level of awareness about Webwise/OIX amongst website owners - I certainly have concerns but until we know more details including which pages are going to be scanned, I can't advise clients as to what actions to take. My feeling is that website owners shouldn't have to take any action - it should be opt-in for website owners as well as for web users.

As a example of how Webwise/OIX can affect a company's business consider an ecommerce site as you described. A company is likely to have spent a lot of time and money attracting people to the site through providing good, relevant content, pay-per-click advertising etc. Any prospective customers and the content they view will get picked up by Webwise, and on visiting an OIX partner site, that prospective customer may be delivered an advert for a product related to that content. Retailers will not be pleased that their hard work is effectively being used to deliver adverts for a competitor!

Another area that is likely to be important to website owners concerns protected content. There is no indication that Webwise can accurately determine whether a user is authenticated (there are a large number of ways that a user may be authenticated) so it looks likely that protected content will be scanned in many cases - this information may be commercially sensitive so this is clearly a concern for the website owner.

I could go on but these are some of the issues that website owners will be interested in, and Phorm's proposed opt-out for websites using a file originally designed to tell search engines which pages cannot be indexed (robots.txt) does not adequately address the issues. And this totally ignores any legal issues there may be with the Webwise/OIX system in the first place.