BBC To Deploy Detection Vans To Snoop On Internet Users (telegraph.co.uk)
product_bucket writes: The BBC has been given permission to use a new technology to detect users of the iPlayer who do not hold a TV license. Researchers at University College London have apparently developed a method to identify specially crafted "packets" of data over an encrypted Wi-Fi link without needing to break the underlying encryption itself. TV Licensing (the fee-collecting arm of the BBC) has said the practice is under regular scrutiny by independent regulators, but declined to elaborate on how the technique works. Dr Miguel Rio, a computer network expert who helped to oversee the doctoral thesis, said: "They actually don't need to decrypt traffic, because they can already see the packets. They have control over the iPlayer, so they can ensure that it sends packets at a specific size, and match them up. They could also use directional antennae to ensure they are viewing the Wi-Fi operating within your property." The BBC has been given such authority through the Regulation of Investigatory Powers Act.
(But *do* tell all the idiots out there who play multiplayer online games on wifi)
First off, Ethernet. Now that it's known, it's easily defeated.
Secondly, false positives. Now that hackers know what they're looking for, these will be trivially easy to implement: just send whatever traffic with the packet-size signature, and people will look like they're using iPlayer when they are not.
I think it'll be quite obvious when I notice the cat5 snaking up from a parked van to my wired network. :)
Boo.
If the BBC just proved that they need to be completely destroyed they just handed their anti-BBC crowd the ammunition to do it. Bet it won't take more than a few weeks before people start making honeypots to bait them, and wouldn't that be very fun to see in court.
Om, nomnomnom...
I just came to say what everyone else already has - I use ethernet for streaming so fuck you BBC!
Although I don't watch it anyway - anything good appears on other streaming services eventually anyway and I'm long past caring about seeing things on day zero. I already get letters almost weekly telling me they are now in the last stages of their investigation (for not paying my license fee). They are welcome to visit anytime, but unless they have a warrant my answer to any of their questions will be " "
Will be next, to make sure you have a license for your cats......
The same way their detector vans did that detected whether you have TVs equipped for terrestrial reception, and the same way lie detectors work: They don't. They just scare you into thinking they work so you comply.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
I think the UK has completely lost its mind! Here's a novel idea that's so much simpler and how we approach it in Canada. Here we have the CBC (Canadian Broadcasting Corp) which is pretty much the same thing as the BBC - aka publicly funded TV, Radio, and Media. It is funded by the Federal taxes of all Canadian taxpayers. Regardless of whether you use the CBC or not, you're paying for it. No special taxes that people must specifically pay, no special enforcement (except for maybe geo-ip), and no white vans running around snooping wifi traffic (which, here would be illegal) thanks to our Charter of Rights and Freedoms (something the UK DESPERATELY NEEDS). The UK people really get the shaft with their government and its constant big brother mantra and its excessive need to invade the lives of its people.
Can someone from the UK please explain to me the reason a 'TV' license still exists? It's not the 1950's!
The old TV detector vans were a hoax to scare people into getting a TV licence. Enforcement was actually done by visiting addresses with no record of a licence. This is another con.
Right, Viv - eat the WiFi!
To find me in SoCal.
Easily thwartable.
Seriously.... for the WiFi... just modify the encryption protocol so the source cannot influence the size or precise timing of the encrypted payload.
Since BBC control the iPlayer.... why not just put access controls on their website?
Users will be prompted to enter their street address and Television License ID# to link their Browser and IP address, before they can start playing content.
Also, if they don't have one, prompt them to register on the website and pay online Ala Netflix.
Because the best government is MORE government!
Come on - PAY YOUR FAIR SHARE so we can all get MORE of this type of CRAP!
Because if we can all just give our governments even MORE money and resources TO USE AGAINST US, this is what we'll all get.
Did this change recently? iPlayer to watch catch up programs never used to require a license.
Besides all this, the answer is fairly simple. If they want to enforce license status, iPlayer should just require a login with an account the BBC can use to verify status.
The candy van from limey land has come for you.
The countermeasures used in cryptography to fight differential power analysis can be used here if necessary.
In DPA, the dynamic power consumption is measured on a hardware device such as a smart card that performs crypto operations so that, when the challenge-response is begun, the card's regular crypto operations for asymmetric and symmetric encryption can be captured and analyzed using statistical correlation over many challenges and other means so that the correct keys for the device can be determined. The primary countermeasure is to introduce false operations in parallel with the actual operation at different times and with different power consumption patterns such that the correlation takes far too long for the number of challenge-response cycles.
Similarly, a countermeasure to this and for all VPN traffic is to accomplish the same thing by having an application that actively monitors the bandwidth across the physical interface used by the iPlayer and ensures that additional sources of bandwidth consumption via internal or external servers/clients are programmed. Even if the WiFi packets are monitored, the packet analysis could be much more difficult to conduct. In addition, one could randomly force routes across multiple physical interfaces at random to hop across multiple inexpensive routers that are bridged, further frustrating such efforts. In combination with a VPN, this could defeat this outrageous and intrusive de facto taxation enforcement scheme.
Looks to me as if the Brits never seem to miss any opportunities to get closer to that creepy "Big Brother" state of things when it comes to privacy and surveillance, what with London already having millions of cameras canvassing every possible square inch of it.
It's going to cost more to field these specially-equipped detector vans and the crews to operate them than they will EVER receive back in license fees.
Assume these costs:
the cost of the van ($30,000)
the cost of gas, oil, tires, and maintenance for the van per year ($3000)
the cost of the monitoring gear ($1000?)
the cost of the crew to operate the van ($20,000 per year per person?)
all associated upstream paperwork ($1000?)
the occasional accident(s) that the van will (statistically) be involved in over time ($$$$???)
So, probably a minimum of $50,000+ per year to operate...and how much will they get back? Nowhere near $50,000.
In other words, it costs more than it brings in, so it's another ridiculous sink hole for money.
Just cruising through this digital world at 33 1/3 rpm...
A Tor Project article from 2011
https://blog.torproject.org/bl...
Experimental Defense for Website Traffic Fingerprinting
Website fingerprinting is the act of recognizing web traffic through surveillance despite the use of encryption or anonymizing software. The general idea is to leverage the fact that many web sites have specific fixed request patterns and response byte counts that are known beforehand. This information can be used to recognize your web traffic despite attempts at encryption or tunneling. Websites that have an abundance of static content and a fixed request structure tend to be vulnerable to this type of surveillance. Unfortunately, there is enough static content on most websites for this to be the case. ...
It's looking at packet size. Pretty trivial to alter a VPN client to always send max size MTU's via padding.
No sir I don't like it.
Can I just install the iPlayer chrome app or android app and watch from the US without a license?
It would be great to be able to see all those boring Ken Loach movies for free.
You are welcome on my lawn.
Pussy IN your cock? I don't think you know how pussies or cocks work....
"The BBC has been given such authority through the Regulation of Investigatory Powers Act."
So, granting powers to a TV station no less. What's next, outsourcing police work to OmniCorp?
I am putting myself to the fullest possible use, which is all I can think that any conscious entity can ever hope to do.
What does the test to get a "TV License" look like?
It presumably looks like the form mailed to you when you respond to a PBS pledge drive. BBC is their counterpart to PBS, and it has made a deal with Ofcom (their counterpart to the FCC) to ban watching any broadcast TV (whether BBC or not) without a valid BBC subscription.
As a Brit, I used to love the quality programs that came out from the 70s, 80s and a little bit of the 90s. Horizon used to be a quality, science program that would present topics that required the watchers to have some decent education, but they finally bastardized to cater for lower IQ audiences. The Old Grey Whistle Test, was abandoned for Top of the Flops, John Peel struggled to keep his shows, the obscure films shown late Sunday night and analysed by cool directors faded away.
I could go on and on, but at the end of the day the BBC is just another shit TV station pouring out mainstream crap that the other channels do. So they should just lose their forced subscribers and join the rest in the sector competing for advertising.
It's going to cost more to field these specially-equipped detector vans and the crews to operate them than they will EVER receive back in license fees.
You didn't get the memo: the point of the detector vans was always to make people believe that there are detector vans and that they'll get caught if they watch TV without a license. The real enforcement was always done by comparing the list of people who have bought TV receivers with the list of addresses of TV license holders, or knocking on doors or sending nasty letters and hoping they'd confess. It's widely suspected that the old detector vans were either fake or ineffective, but even if they were genuine (the theory was vaguely plausible, with old-style TV sets) I doubt the "business plan" was ever to have enough vans roaming the country to directly catch significant numbers of offenders.
In a survey of 100 programmers, 111111 thought that duck-typing was a good idea.
For a slightly more critical take on this than the Torygraph, there's an article in The Register that actually digs in to the subject a bit and has dug out the actual government report (which is pretty silly but doesn't quite seem to involve fleets of detector vans randomly snooping on WiFi at random).
NB: This is all because of the "iPlayer loophole" - people have been able to watch catch-up TV on iPlayer without a license and, while technically you're meant to have a license to use the Live Streaming features of iPlayer, it's pretty unenforceable. They're trying to have a crackdown to appease anti-BBC astroturfers and you're now going to need a TV license to use iPlayer (oh, the injustice!) If you wonder why iPlayer doesn't simply ask for a name, address and TV license number, or require a user account, then you're a very silly person who is trying to apply logic and rationality to politics.
Personally, I assume that they're going to record people's WiFi and sneak the results into the SETI@Home work queue to examine for signs of intelligent life. So, you're OK unless you're watching BBC4 :-)
In a survey of 100 programmers, 111111 thought that duck-typing was a good idea.
As iPlayer is a BBC product, why do they need detector vans to determine who is streaming it? It is coming from their servers, so they know (or could know) the IP addresses to which iPlayer is streaming. In most cases this will be the router address of the ADSL, Cable or Fibre subscriber, from which the address could be determined. Even with a detector van, if someone is streaming via a WiFi hotspot, there will be no way they could tell if the users of the smartphones, tablets and laptops have licences at their home address (and the licence covers use outside the home by equipment powered by internal batteries). Similarly with anyone streaming via 3G/4G.
there is a weakness in WIFI security: packet size should not be so determinable.
I don't think that wireless security should concern itself with ensuring every possible form of steganography is also somehow encrypted or obfuscated. The only people that can "read" that data are the ones who already know what it is.
So, in a way this is like the BBC coming over every day for a free (for them) meal of baked beans on bread. They are literally stealing the food from your mouths and tables
How do you figure that? The BBC costs money to operate. Watching the programming without a license is like stealing a free meal from their tables. You're not required to pay, just as you're not required to watch.
Why would you waste bandwidth to pad it? You can slice up the packets and reassemble them to the max MTU size without decrypting the data.
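Added example, not part of the thread or of the thesis it discusses: a constructed Python model of the two mitigations suggested in the comments above (padding every packet to the MTU, and re-slicing the stream into full-MTU packets), showing why frame length survives link encryption and what each fix costs in bandwidth. The marker sizes, the sample traffic and the 16-byte per-frame overhead are assumptions made for illustration.

```python
"""Constructed model of a length side channel on an encrypted Wi-Fi link."""
OVERHEAD = 16   # assumed constant per-frame cipher overhead (WPA2-CCMP: 8 B header + 8 B MIC)
MTU = 1500      # assumed maximum payload per frame

# Constructed marker: a distinctive run of payload sizes chosen by the sender.
MARKER = [411, 893, 411, 1207, 659]
# Constructed traffic: ordinary payload sizes with the marker embedded in the middle.
TRAFFIC = [1500, 1500, 72, 1500] + MARKER + [1500, 940, 72]


def on_air(payload_sizes, overhead=OVERHEAD):
    """Frame lengths a passive observer sees: encryption hides content, not size."""
    return [n + overhead for n in payload_sizes]


def leaks_marker(frame_lengths, marker=MARKER, overhead=OVERHEAD):
    """True if the marker's size pattern survives as a contiguous run of frames."""
    want = [n + overhead for n in marker]
    k = len(want)
    return any(frame_lengths[i:i + k] == want
               for i in range(len(frame_lengths) - k + 1))


def pad_each(payload_sizes, mtu=MTU):
    """Mitigation 1: pad every payload up to the MTU before encryption."""
    return [mtu for _ in payload_sizes]


def resegment(payload_sizes, mtu=MTU):
    """Mitigation 2: treat the payloads as one byte stream and cut it into
    full-MTU frames, padding only the last one. A real tunnel also needs inner
    framing to recover the original boundaries, and buffering adds latency."""
    total = sum(payload_sizes)
    frames = -(-total // mtu)  # ceiling division
    return [mtu] * frames


def cost(original, shaped):
    """Bytes sent after shaping, relative to the original payload bytes."""
    return sum(shaped) / sum(original)


if __name__ == "__main__":
    print("unshaped link leaks marker:", leaks_marker(on_air(TRAFFIC)))
    for name, shaper in (("pad_each", pad_each), ("resegment", resegment)):
        shaped = shaper(TRAFFIC)
        print(name, "leaks:", leaks_marker(on_air(shaped)),
              "cost: %.2fx" % cost(TRAFFIC, shaped))
```

Both shapers remove the size pattern in this model; neither addresses packet timing, which a later comment also raises.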
They could also use directional antennae to ensure they are viewing the Wi-Fi operating within your property.
I live in the US, so whatever, but I have the transmission power on my AP (D-Link DAP-2660) set to just 25%. Wi-Fi works just fine everywhere inside my house but I can't detect any signal outside the house. Suck it BBC.
It must have been something you assimilated. . . .
https://www.youtube.com/watch?...
....against all of the Orwellian tyranny that has been growing rapidly there for the past couple decades? Or had the gov't locked everybody in full body restraints including rigid mitts (figuratively, maybe starting literally?) so fighting back is now impossible?
How do you check the size of the packet without decrypting the L2 frames?
I see my shadow changing, stretching up and over me...
The "detection van" urban legend has existed for decades. But OK, let us think about it: how much does that tech cost and how much would it cost to *sweep* around a single-family home? How much would that give back in money? Keep in mind the Beeb license is "cheap", 150 pounds per year, and at worst they can only ask you, or make such a hoax to try to convince people. Not sue you, AFAIK. And that's not even counting whether such evidence would even be acceptable. And that's a single-family home. Now try to imagine that's a multi-home dwelling. This is the license van hoax for this decade, apparently.
C. Sagan : A demon haunted world:
http://www.amazon.com/gp/product/0345409469/
visit randi.org
Just one small thing. We're talking about the BBC. BBC != Government.
Yes! This is how you catch the terrorists. That's what this law was all about, right?
The doctoral thesis explaining the techniques upon which this detection technology relies can be found here
Man didn't have the right van...
In a way, this is less snoopy than having a login to watch shows. At least this way, they're not tracking which shows you watch. A login would allow that.
Your ad here. Ask me how!
VPN only needs to go to the firewall so pretty much just over wifi for most people. I would doubt they would be sending too many packets too often as this would all seem to be sourced from iPlayer to give the vans something to find. Mind you many VPNs already can do compression and merging of small packets.
No sir I don't like it.
Oh come on everyone, how can anyone take this seriously. Even in the old days it was very obvious that the whole strategy was simply to worry people into buying their license. I know that it was theoretically possible to detect a faint signal emitted by a TV when switched on and receiving but I'm firmly convinced that the detector vans were nothing but dummies designed to worry people. Furthermore whenever I have met people who worked for the licensing folk they would always clam up and say absolutely nothing, neither confirming nor denying my theory. Even if they strongly suspected someone of viewing without a license they had no right of entry so unless someone chose to let them in or managed to photograph a television they could never make a case. Even if this new technique works it is still likely that it would be far too expensive to implement and pay for a fleet of vans, drivers and technicians. What will actually happen is that apart from the odd van for worrying purposes, they will look on their database for a particular density of people without licenses that makes it worthwhile to send inspectors round. Unless they have a right of entry things will stop there. If they have a right of entry and the right to seize and forensically analyse the contents of the occupant's computer then they may have a case. Since I consider the price of the license to be fabulous value, I find it much easier just to buy one.
Is more prosaic.
It's assumed that every address has a television, therefore those addresses without a license are watching illegally.
Once they have enough in an area to justify the costs, they break out the "detector vans" (which have 7 seats in the back and no electronics) and go doorknocking. The idea is to elicit an admission or observe the TV in use. (This was long before it was farmed out to Crapita)
I know, because I've been one of the door knockers.
Yes, it was possible to "detect" TVs or radios in the dim dark past, usually by listening for the heterodyne frequencies - but the reality is that it only works when they're uncommon devices and it will be trivial to generate spoof traffic.
The fact that the BBC's enforcement arm (which is a wholly-owned, fully commercial subsidiary) has apparently managed to obtain permission to use RIPA is far more disturbing, both because it is the first time a private company has been allowed to use RIPA and because it means they can simply hit ISPs with orders to disclose what customer is on what IP at what time - and it's a criminal offence for the ISP to send a heads-up to the subject of the RIPA investigation.
IE: If you want to avoid "the detector vans", use a proxy.
For a more prosaic evaluation of their level of competence: I've had a UK TV license for the last 14 years and for the last 12 years they've been sending me nasty letters threatening prosecution because I don't have a TV license. The one time an "inspector" showed up, he ran away when I started filming him.
Would love to know how this all works, sounds crazy!
Adam Personal Holiday Planner