This is a pretty nasty situation that could happen to anyone. It might not have even been the wifi password. Any malware could have set up a vpn and done the same thing. Of course it's important to stop real crime but there has to be some improvements here.
At the very least they could have collected the passwords for the devices and dumped the storage to be investigated later rather than leaving these people without their essential devices for 3 months.
It's worth noting that if they didn't hand over the passwords they're automatically liable for an offence whose punishment is two years in gaol, and all the police need to prove is that it is likely that they did know them. One of the quotes of the article describes the husband getting what is presumably an admin key from work for a Windows laptop -- if the crown wanted to, that alone would be enough to utterly throw him under the bus.
I honestly have an irrational fear of this happening to me. It's a great way for a malicious actor to utterly wreck someone's life. I tunnel all outbound traffic over a supposedly privacy-preserving (or at least non-UK) VPN, but honestly, this is the dystopian stuff of my nightmares. And I don't know why!
How do you tunnel your traffic though? Unless you can be sure it's forcing everything on your wifi network through it, then that wouldn't offer any protection to someone else using it without the tunnel, as is assumed to happen in this case.
A lot of WiFi routers actually support plugging in VPN details in the router software itself, it's not complex at all[0] even for your average consumer.
I believe you're over estimating the skills of the average consumer. The average consumer usually don't even know how to access their router' web interface.
As the other poster here says, I just configure it at the network level: my default gateway is a single-board computer set up to act as a router and intercept and rebind DNS. It's not hard, seamlessly works, and is quite fast via wireguard. My VPN provider also provides a reverse port to provide convenient ssh tunneling into the SBC "bastion host" which I have configured to use a random port, changing IP addresses, and only accept certificate-based authentication.
Collecting passwords and dumping the storage is likely all they did. 3 months is fairly prompt for any kind of "cyber" in the UK to even get a brief look at, due to huge processing backlogs in the overworked departments whose job it is to deal with it.
I'd suspect that what happened here is they thought they had an easy win, went through the motions, determined fairly rapidly from interviews etc it wasn't actually a viable lead, and didn't pursue further. But the machinery is set in motion by the initial conversation, for fear of prompt deletion if the storage is left with the would-be perp.
Those routers don't have particularly bad default passwords iirc, 12-14 random chars, which is better than the vast majority of user-set passwords. I don't remember if it uses WPS 1.0 (why is there even a 2.0 of this horrible "feature"?), that would be the easiest way to access any router.
Why would the would-be hacker need access to the router settings? I can't think of anything worth changing there, these routers don't have any extra features.
The usual illicit use is to point an antenna at a router and use it from afar (well, no more than 100-300m, line of sight and preferably no obstructions).
In which case it makes more sense to just get a prepaid SIM card, set up a phone as a VPN in a location far from you and route traffic through it. It's not more complicated than bruteforcing a WPS PIN or WPA2 password. That is, if you can't just get a VPN without using any ID.
Yes, you can get and top them up with cash, at some dinky corner shop with non-functional cameras. Or just buy a bunch of them on Gumtree, also in cash.
Those reports often have the wpa password printed on the back - I’ve seen more than one person with it on their windowsill, visible from anyone at the door.
> Those routers don't have particularly bad default passwords iirc
I just checked, and the default credentials for the HHG2500 model mentioned in the article were admin / vodafone1234.
It isn't clear to me whether the router's admin interface was default open on the WAN side, or whether it could be remotely enabled through TR069. I wouldn't be at all surprised if it could.
> "They took everything: our desktop computer, both our laptops, our mobile phones, a laptop I had borrowed, even old mobile phones that were lying around in drawers,"
Worth considering when making backups. A burglary, fire, virus or hacker won't do this but the police may take your offsite backups and your onsite ones and your computer with the credentials to your online backup service.
Append only backups. With some services you can get it so you can only create a backup every X days and it is impossible to delete backups before they expire.
They delete it after 6 months if you don't connect, which would happen if the police had it. You also might not be able to log in without your phone for 2FA or your password manage for the password.
I guess storing backups on a device that's the property of somebody else would be a way. I'm guessing they won't go seizing non-suspects' property.
My question exactly. Could the ISP not have simply reallocated the ipv4 lease so that they could maybe get a history of router macs associated with that IP?
I suspect that the future of online crime will use bystander computers to do their dirty work. It would actually be quite simple to do:
- Infect the computer via the normal means
- Connect to a CNC relay and await instructions
- Receive instructions and perform the deed
The most important aspect would be to use a non-persistent compromise so that it leaves no trace when the police arrive and unplug the computer to bring it in for forensic analysis. With the trail ending at this computer and no sign of infection, they have their perp; case closed.
Criminal organizations could even offer a SAAS solution - a kind of "crime as a service", where they rent you the infrastructure of ephemeral compromised machines to use.
> Criminal organizations could even offer a SAAS solution - a kind of "crime as a service", where they rent you the infrastructure of ephemeral compromised machines to use.
There is already an entire industry offering "residential proxies," which are relays with the functional characteristics you describe. The difference is that the machines providing the relay are (typically) co-opted by adware etc, rather than being overtly compromised. I believe there may also be some operators who actually own the relay nodes.
Back when Netflix was a US exclusive, I've tried the Hola proxy addon. Hola basically turned/turned your computer into a proxy and, in exchange, let(x) you use other people's computer as a proxy.
That's all pretty great when it comes to foreign Netflix, but it's also an easy way to get other people convicted for posting child porn. I don't think there's a lot of security going on on that network. And you don't even need a special criminal organisation to abuse such a system, you have actual normal, civilian users!
Is UK police so dumb that they suspect people solely based on ipv4? A malware can always attack a computer and set up vpn etc. There can be many thing so UK police please stop your nonsense. Do they even realize how much tragedy those innocent people had to face due to their silliness?
> Is UK police so dumb that they suspect people solely based on ipv4?
It’s not dumb. It’s very practical. Very easy conviction and it entirely turns the burden of proof over to the accused who now have to prove their innocence which is much harder to do especially as they probably lack the resources to do so.
If success is measured in amount of convictions and/or arrests, going with just the IP address is the easiest road to success.
Articles like this are incredibly important to make it clear to judges that an IP address is not sufficient evidence. This is not common knowledge yet
On might consider disabling the WiFi password entirely so there's plausible deniability if this happens. Pitch it as a public service. Maybe set up a separate router or VLAN and cap the bandwidth.
And yet, GDPR considers IP address personal data. As long as there are stupid things written in laws and directives, we can expect the judicial branch issue stupid rulings.
My name is personal data. A bank robber can say "Hands up, this is Ensorceled, hand over your money or die." but that should not be proof I did the crime.
Same with IP addresses, THEY ARE PERSONAL DATA. Ad tech companies routinely use IPs for tracking and identification.
This is a completely different matter with entirely different goals and implications. GDPR takes the hardest stance on what is and is not personal data for the sake of consumer protection. If a company had the IP of this couple they could link their online activity (most of which is their own) with their name, that's sufficient to spy on them.
If you'd eaten chips this morning and there was a database of chip-eaters, eating chips would be considered personal information.
It's tiring to see these uninformed hot takes on GDPR on completely unrelated subjects.
> If a company had the IP of this couple they could link their online activity (most of which is their own) with their name, that's sufficient to spy on them.
If "most" of their online activity is their own, then some of it coming from "their" IP address isn't. You can pretend to be able to identify a person behind an IP address, but that doesn't make it true.
IP address might be part of a proof based on balance of probabilities (used in Civil law cases, torts like copyright/trespass) but is unlikely to be useful in proving 'behind reasonable doubt' (ie in a criminal case), IMO, it might lead to something that provides such proof though.
It's not surprising that people are suspected based on their IP address - most of the criminals involved in these kinds of crimes are unlikely to be tech-savvy enough to gain access to someone else's wifi router.
The problem with suspicion is that collateral damage to those who are innocent, but I don't think the answer is to not investigate.
UK Police are interested in finding non-exculpatory evidence and securing convictions.
Computer forensics usually means software bought from a vendor and operated by a technician sometimes with no deep technical knowledge beyond the tool they use. It probably even works well for the common case, but breaks in cases where something unusual has happened.
UK ISPs mostly use an IP pool – meaning they have to keep records about who was assigned which IP at which time. Some may run carrier-grade NAT. Those records are obviously trusted, but may not necessarily be accurate – and even if they are, human mistakes occur, especially when working with things like IP addresses, dates and timezones.
But if not for following IP addresses, how else do you investigate this sort of thing?
I would argue the fault is in a mentality that suggests presuming guilt based on an IP address, then looking for the confirmatory evidence as an "icing on the cake," and a mentality that the investigation process should be so harrowing that the guilty will always go punished even if there isn’t enough evidence for an attempt at conviction. This is long after several such scandals around the same type of crimes.
Is UK police so dumb that they suspect people solely based on ipv4?
The police aren't really interested in catching criminals or helping people. There's no promotions in that. Meeting a quota of number of arrests however, you'll be chief inspector in no time!
They arrested Cliff Richard a few years ago in a highly publicised case that eventually they had to pay him for. This stuff tends to swing between "not investigating at all" and "jump on the first easy lead". Mind you, it is pretty difficult to investigate; if you have a seized messageboard and an upload record from an IP address, and that's all you have, how do you investigate?
(It's also interesting to compare the amount of sympathy these wrongly accused people receive versus other victims of police action ...)
> and shouldn’t ruin people’s lives if they are innocent.
Yes. The searches are not designed to ruin anyone's life but informing other parties, like what happened in this article, is sometimes necessary and and can have life ruining consequences even when entirely innocent. Things could leak out from the school to parents, to other work colleagues, limit career progression, etc. These leaks may even be intentional when stupid people are involved. Doing the searches quicker and being innocent or not doesn't help avoid either of the below (from the article) from happening:
> The police needed to unlock Matthew's work laptop, which was encrypted. He had to tell his boss about the case in order to get the decryption key.
> And the police had also informed social services and the children's school about the investigation, meaning Kate was suspended from her role as a governor there.
The first one could be unavoidable. The second one is technically avoidable but it is going to happen (in UK society, at least).
> Doing the searches quicker and being innocent or not doesn't help avoid either of the below [...]
It could definitely have avoided the second.
I think there is a moral duty to carry out investigations in a way that protects the lives, reputations and livelihoods of the innocent, and this example has fallen short of that in my opinion (although a reasonable person could disagree).
It sounds you think the UK police are able to perform a sufficienty thorough search in a matter of hours. That sounds ideal and of course theoretically feasible but maybe not realistic. For anything longer than hours they are always going to (and IMO should) remove a suspected person from a position that directly involves children.
> For anything longer than hours they are always going to (and IMO should) remove a suspected person from a position that directly involves children.
This is the bit I disagree with personally, as I think it conflicts with 'innocent until proven guilty' when a person can be removed from their position and have their reputation destroyed by the police without sufficient evidence to convict (remember - no charge was ever made from the police).
It's pretty feasible to do an initial scan of a few devices within a few hours - and if you don't find enough evidence after a few hours of looking then IMO you don't have enough evidence to ruin someone's life (go get more evidence first in that case!).
The 'blast zone' of this investigation was ultimately two innocent people's reputations ruined in an attempt to find one guilty person (who wasn't found).
(Again, reasonable people will disagree on how far an investigation should be able to go prior to charge - my own view is clearly more on the 'protect the innocent, even if it means investigation is harder and a few baddies escape justice' side than some others might be!)
> if you have a seized messageboard and an upload record from an IP address, and that's all you have, how do you investigate?
If I ran a message board, not only would I not capturing the upload IPs in any log files (hello GDPR in any case), I'd be tempted to put fake upload IPs in instead -- change the first two or three octets so the logs point to a government owned range.
In the US, I'd expect an IPv4 address to be enough for probable cause unless the ISP is doing carrier-grade NAT. IPv4 shouldn't be enough for a conviction since there's obvious reasonable doubt.
The most complete solution I can think of to recommend to people to protect themselves from this insane law is to route all traffic over a VPN at the router. Otherwise you have to be worried about every single device that connects to your router - and you will just end up looking like a jerk when you don't let your friends use your internet out of fear of malware.
A VPN isn’t a solution, it’s a workaround. A solution would be to change the law. Pressure your law makers and your fellow voters.
It’s worrying that every time there’s a problematic internet law, the response is “use a VPN”. I even saw that suggestion where it would be downright useless—the European law to require upload filters.
If the recommendation is always to use VPNs and otherwise keep quiet, those in power can calmly strip you of every right and ban VPNs at the end. What do you do then?
A VPN isn't a solution because it would only help the guilty. The innocent still fall victim to someone else jumping on their wifi and uploading stuff unVPNed.
There is also the highly probable case of the IP address being shared by many people or switching to a new user mid day which does happen.
Something as trivial as the police forgetting to check what timestamp their website file upload date is in could easily result in getting the entirely wrong customer from the ISP.
Or police reading a timestamp from a website, not realising it's actually a non-local timestamp so offset by X hours, and then requesting based on the wrong timestamp. Fairly sure that's happened before.
I’d wager the majority of the population would have no idea how to do that. Even if they know how to use a VPN, all they probably know is to run the VPN program.
The act introduced a new power that, among many other things, could force ISPs – upon being ordered to do so by a senior judge – into logging the Internet Connection Records (ICR) of all their customers for up to 12 months (e.g. the IP addresses of the servers you’ve visited and when), which can be accessed without a warrant and occurs regardless of whether or not you’re suspected of a crime.
You can get a 2 year trip to prison for contempt of court if you refuse to decrypt your devices for the court.
> The Regulation of Investigatory Powers Act 2000 (RIPA), Part III, activated by ministerial order in October 2007,[20] requires persons to supply decrypted information and/or keys to government representatives with a court order. Failure to disclose carries a maximum penalty of two years in jail
In Russia this is explicitly illegal (even if you give all device passwords to the police) - you must identify all people who have access to your network, i.e. not let unidentified people in, or go to jail if there is a possibility for strangers to connect, even if nobody actually connected.
While plausible, it's very likely not worth the bother to crack this couple's wifi passphrase. For all this work it leak the attacker's general geographic area anyway.
More likely is that the ISP messed up their logs, or that they were incomplete. That happens more often than they would like to admit.
This is a real concern, especially in the age of carrier grade NAT. Vodafone (the families ISP), is a mobile ISP which dynamically pass IPs around like hot potatos - their monitoring solutions need to be far more sophisticated to keep accurate records... this feels a bit like the start of another Royal Mail "the computer is right" scenario but at a larger scale.
Not just that, the default logging for almost all server software does not log ports or have second by second accurate timestamps. Often making it only possible to track down someone using a less popular website as the data will be too noisy without information on top websites.
Something similar (but not relating to CSAM) happened to me (though not the ISPs fault).
I was on IRC and someone I have talked to a few times sent me a official looking link to the website of a local political party and it was a sub-folder that had indexing enabled and that's where they stored their backups.
The dude then got in and published all usernames and hashed passwords on pastebin.
He was using a VPN at the time, I wasn't.. The police took all my devices and kept them for a year until charges were dropped. Not a fun time.
While it is a small and unlikely reason, it's a succint explanation that can be used to explain away this entire clusterfuck of an incident.
Doubly so putting the explanation with little wording to leave doubt should help the family get some level of normalcy. At least now they can point to an article in the BBC to explain when employers, coworkers, other parents, or staff at the school inevitably bring it up.
It's not perfect but it's an easy explanation to put people's minds at ease and dissuade any notion of wrongdoing from this ridiculous incident which will undoubtedly follow them for at least the next decade or so if not the rest of their lives.
I would not expect this to be a local attack via wifi. Internet is so cheap/free nowadays, why would you go through the trouble to crack someone’s wifi instead of using a public one + VPN or Tor?
I believe this was a remote attack. Either on their computers, phones or router. Consumer-grade network equipment is notoriously insecure and Vodafone has absolutely zero expertise let alone incentive to do anything about it - they just buy these routers wholesale from China for a couple bucks a piece and call it a day.
This is not a tech security issue. This is a government issue. Having the power of nearly destroying your life for suspecting you of a crime.
Society so caught up in guilty until proven innocent.
Justice wasn't swift either. They disrupted their life and this couple is expected to bear all the costs of the govs wrong action.
It's not about finding ways to keep yourself safe so that the gov can't accuse you of something and destroy you (see swatting), it's about the gov not being able to destroy you with such ease.
Use the ISP-provided router as a modem in bridge mode (so it's essentially invisible from the network) and put an enterprise-grade router behind it that you keep up to date and disable any unneeded services (so no web interface, telnet, SSH, etc - at least not on the public-facing interface).
This obviously isn't immune to a zero-day, but at this point you'd be more secure than 99% of the rest of the people so any attacker will just move on (why bother breaking into this router when you have an exploit that will net you hundreds of other ones with much less effort?)
And equally shit with any sort of tech law. The couple were quite lucky. For a while there was about a 5 year backlog of computers (plus phones, ipad etc) waiting for the police to even look at. Imagine waiting 5 years to be cleared of this...
I don't really understand the concept here. Taken to the extreme: a murderer is acquitted then the next day concrete evidence is found proving their guilt 100%, do they still walk free because they can't be tried again?
That is correct, but the intent of the double jeopardy laws are to stop people from being perpetually retried for a crime by someone that is convinced they have the right person (ie. every cop and DA that ever lived!) and holding the threat of that over them the rest of their life even though the case has already been adjudicated.
What you described is an unfortunate loophole in this concept.
The UK requires 'substantial' new evidence to re-try a case.
So far, it seems that hasn't been widely abused in the way you suggest. A court is the one who decides if new evidence is substantial or not - simple things like 'we found 11 of his footprints in the snow, but a re-re-review of the photos actually finds 12!" wouldn't cut it...
So it's a non-objective definition that depends on things like when the judge ate lunch. [1]
I'm more a fan of the "better a hundred guilty go free" model - in this case, that means the state gets one and only one bite at the apple, and they'd better do it right the first time. Fewer dragons on this road.
You're exaggerating a bit. It's not completely objective, that's true, but...
"the retrial must be approved by the Director of Public Prosecutions, and the Court of Appeal must agree to quash the original acquittal due to "new and compelling evidence"".
I think this is reasonable - there's checks and balances in place to make sure that the evidence really is 'new and compelling'.
You're muddying the waters a bit with this 'better a hundred guilty go free' thing - you might as well not bother ever arresting someone then? Surely this should be tested at trial, which is exactly what will happen (it's not 'oh we found compelling new evidence so we're putting you in prison even though we found you not guilty before', it's 'we found compelling new evidence, so we're going to give a new jury the opportunity to hear the new evidence and decide if they also think you're not guilty')
Keep in mind these laws exist because of how messed up European kings and queens were throughout the last several centuries. The Magna Carta exists because classical European governments could not be trusted. Why should they be now?
The Magna Carta exists because King John was trying to rein in the power of the barons. It has nothing whatsoever to do with helping the common people.
You just contradicted yourself. The Magna Carta exists to limit the power of the king and thus serves to benefit the common people. It was one of the most important documents for putting the tyrannical age of kings to an end. Like emperors there were few good kings.
In other words the decentralization of power from 'dieu and mon droit' to a legal contract. This is definitely in the direction of 'the common people'.
The king is distant and does not have direct interest in suppressing individual uppity peasants. The local lord can deliver individualized oppression. Generally, centralization of royal authority, specially in matters of justice, led to an improvement in the common people's situation.
In addition to what @mhuffman said, it is to incentivize the police and DA to look at every nook and cranny. The job of proving guilt rests with them, not the defendant. If they messed up, it’s not the defendant’s fault, so why should they suffer? (As @mhuffman referenced with new DAs)
Maybe UK (and everyone else) needs a law that requires anyone manufacturing an Internet-connected device to set unique passwords or force users to change the password before they can use it, like California's (SB-327).
I hope that only mean they plan to ban non-unique default passwords, rather than requiring users to set up their own password during setup. The latter is a sure-fire ticket to tons of “password” “12345678” “11111111” type passwords.
it shall be deemed a reasonable security feature under subdivision (a) if either of the following requirements are met:
(1) The preprogrammed password is unique to each device manufactured.
I read this as a password based on the mac address or serial number would be compliant without meeting what I think is the intent of this law.
Most people are assuming the password was brute forced rather than it being a deauthentication attack. ISP provided routers (what the majority of people use) are so badly designed and left vulnerable it should be illegal. Heck some ISPs here still refuse to use IPv6.
Some of the information in this article seems pretty inaccurate:
> they would have to be within about 20 metres of the house
Using a directional antenna, they could be substantially farther away.
> to do anything particularly sinister on the home network, the hacker will need to change the router configuration
That's not even remotely accurate. Uploading child abuse images to a message board as in the central story this article covers does not require configuration changes, for example. Trying exploits on other devices connected to the network doesn't either.
Some models of router are pretty easy to run code on. You could then run code on it to give you a permanent 'bounce' IP address, which you could then use from anywhere on the globe.
Just for grins, we put the biggest "Wi-Fi" yagi we could find on a mast on top of our building (along with some other antennas). We've picked up IDs from WiFi from at least a mile away and can get solid connections to a few places with public WiFi for about half that distance. You could easily disguise a WiFi yagi inside or among TV antennas.
You're not wrong about the antenna, but I am confused who would do any of this for 4 images? Either parking outside or sitting 1km away with an antenna, isn't this a megatonne more work (and technical knowledge) than just downloading tor.
Given that I felt it was understandable to just jump that whole question even if it is factually incorrect...
It's probably not the most effective way to go about sharing illegal content if that's the end goal, but if you want to frame someone else for uploading illegal content....
I thought about that, but then I always assumed the chance of getting caught for uploading 4 images would be <1%. Maybe enforcement is much better than I realise...
It could be separate efforts, eg one entity mass-exploiting APs and routers to act as outbound tunnels, the access of which is resold to users posting illegal content. Think a rouge black market version of Luminati.
So that means that anyone with access to my computer can put child porn on it and then report it? What exactly would the people involved of been guilty of if the 4 images were found on their computer?
A VPN service could have caused this issue. Plenty of them route traffic through their users internet connections. It's the easiest way to get residential IPs that won't be blocked by streaming sites.
132 comments
[ 2.8 ms ] story [ 190 ms ] threadAt the very least they could have collected the passwords for the devices and dumped the storage to be investigated later rather than leaving these people without their essential devices for 3 months.
I honestly have an irrational fear of this happening to me. It's a great way for a malicious actor to utterly wreck someone's life. I tunnel all outbound traffic over a supposedly privacy-preserving (or at least non-UK) VPN, but honestly, this is the dystopian stuff of my nightmares. And I don't know why!
[0] https://www.expressvpn.com/vpn-software/vpn-router#recommend...
Anyone with that browser extension installed on any device on their network is making themselves an open VPN exit for millions of random people.
I'd suspect that what happened here is they thought they had an easy win, went through the motions, determined fairly rapidly from interviews etc it wasn't actually a viable lead, and didn't pursue further. But the machinery is set in motion by the initial conversation, for fear of prompt deletion if the storage is left with the would-be perp.
Why would the would-be hacker need access to the router settings? I can't think of anything worth changing there, these routers don't have any extra features.
The usual illicit use is to point an antenna at a router and use it from afar (well, no more than 100-300m, line of sight and preferably no obstructions).
In which case it makes more sense to just get a prepaid SIM card, set up a phone as a VPN in a location far from you and route traffic through it. It's not more complicated than bruteforcing a WPS PIN or WPA2 password. That is, if you can't just get a VPN without using any ID.
Sometimes, they can be retrieved from the MAC address as well. So it's just the illusion of security for most.
[0]: https://www.xkyle.com/verizon-fios-wireless-key-calculator/
[1]: https://aruljohn.com/fios/
In the UK a prepaid SIM is normally linked to you in some way.
However, I just looked into it some more and it appears you can still buy prepaid cards by cash and buy top-up vouchers with cash.
I just checked, and the default credentials for the HHG2500 model mentioned in the article were admin / vodafone1234.
It isn't clear to me whether the router's admin interface was default open on the WAN side, or whether it could be remotely enabled through TR069. I wouldn't be at all surprised if it could.
Worth considering when making backups. A burglary, fire, virus or hacker won't do this but the police may take your offsite backups and your onsite ones and your computer with the credentials to your online backup service.
I guess storing backups on a device that's the property of somebody else would be a way. I'm guessing they won't go seizing non-suspects' property.
- Infect the computer via the normal means
- Connect to a CNC relay and await instructions
- Receive instructions and perform the deed
The most important aspect would be to use a non-persistent compromise so that it leaves no trace when the police arrive and unplug the computer to bring it in for forensic analysis. With the trail ending at this computer and no sign of infection, they have their perp; case closed.
Criminal organizations could even offer a SAAS solution - a kind of "crime as a service", where they rent you the infrastructure of ephemeral compromised machines to use.
There is already an entire industry offering "residential proxies," which are relays with the functional characteristics you describe. The difference is that the machines providing the relay are (typically) co-opted by adware etc, rather than being overtly compromised. I believe there may also be some operators who actually own the relay nodes.
https://oxylabs.io/products/residential-proxy-pool
That's all pretty great when it comes to foreign Netflix, but it's also an easy way to get other people convicted for posting child porn. I don't think there's a lot of security going on on that network. And you don't even need a special criminal organisation to abuse such a system, you have actual normal, civilian users!
It’s not dumb. It’s very practical. Very easy conviction and it entirely turns the burden of proof over to the accused who now have to prove their innocence which is much harder to do especially as they probably lack the resources to do so.
If success is measured in amount of convictions and/or arrests, going with just the IP address is the easiest road to success.
Articles like this are incredibly important to make it clear to judges that an IP address is not sufficient evidence. This is not common knowledge yet
Same with IP addresses, THEY ARE PERSONAL DATA. Ad tech companies routinely use IPs for tracking and identification.
If you'd eaten chips this morning and there was a database of chip-eaters, eating chips would be considered personal information.
It's tiring to see these uninformed hot takes on GDPR on completely unrelated subjects.
If "most" of their online activity is their own, then some of it coming from "their" IP address isn't. You can pretend to be able to identify a person behind an IP address, but that doesn't make it true.
The problem with suspicion is that collateral damage to those who are innocent, but I don't think the answer is to not investigate.
Computer forensics usually means software bought from a vendor and operated by a technician sometimes with no deep technical knowledge beyond the tool they use. It probably even works well for the common case, but breaks in cases where something unusual has happened.
UK ISPs mostly use an IP pool – meaning they have to keep records about who was assigned which IP at which time. Some may run carrier-grade NAT. Those records are obviously trusted, but may not necessarily be accurate – and even if they are, human mistakes occur, especially when working with things like IP addresses, dates and timezones.
But if not for following IP addresses, how else do you investigate this sort of thing?
I would argue the fault is in a mentality that suggests presuming guilt based on an IP address, then looking for the confirmatory evidence as an "icing on the cake," and a mentality that the investigation process should be so harrowing that the guilty will always go punished even if there isn’t enough evidence for an attempt at conviction. This is long after several such scandals around the same type of crimes.
The police aren't really interested in catching criminals or helping people. There's no promotions in that. Meeting a quota of number of arrests however, you'll be chief inspector in no time!
(It's also interesting to compare the amount of sympathy these wrongly accused people receive versus other victims of police action ...)
I would say you search the computers, but do this in a very timely manor so that you do not have to involve employers and social services.
These searches should take minutes or hours, not months, and shouldn’t ruin people’s lives if they are innocent.
Yes. The searches are not designed to ruin anyone's life but informing other parties, like what happened in this article, is sometimes necessary and and can have life ruining consequences even when entirely innocent. Things could leak out from the school to parents, to other work colleagues, limit career progression, etc. These leaks may even be intentional when stupid people are involved. Doing the searches quicker and being innocent or not doesn't help avoid either of the below (from the article) from happening:
> The police needed to unlock Matthew's work laptop, which was encrypted. He had to tell his boss about the case in order to get the decryption key.
> And the police had also informed social services and the children's school about the investigation, meaning Kate was suspended from her role as a governor there.
The first one could be unavoidable. The second one is technically avoidable but it is going to happen (in UK society, at least).
It could definitely have avoided the second.
I think there is a moral duty to carry out investigations in a way that protects the lives, reputations and livelihoods of the innocent, and this example has fallen short of that in my opinion (although a reasonable person could disagree).
This is the bit I disagree with personally, as I think it conflicts with 'innocent until proven guilty' when a person can be removed from their position and have their reputation destroyed by the police without sufficient evidence to convict (remember - no charge was ever made from the police).
It's pretty feasible to do an initial scan of a few devices within a few hours - and if you don't find enough evidence after a few hours of looking then IMO you don't have enough evidence to ruin someone's life (go get more evidence first in that case!).
The 'blast zone' of this investigation was ultimately two innocent people's reputations ruined in an attempt to find one guilty person (who wasn't found).
(Again, reasonable people will disagree on how far an investigation should be able to go prior to charge - my own view is clearly more on the 'protect the innocent, even if it means investigation is harder and a few baddies escape justice' side than some others might be!)
If I ran a message board, not only would I not capturing the upload IPs in any log files (hello GDPR in any case), I'd be tempted to put fake upload IPs in instead -- change the first two or three octets so the logs point to a government owned range.
I'm holding Theresa May directly responsible for this family's hellish experience.
Previous HN: https://news.ycombinator.com/item?id=26430266
The most complete solution I can think of to recommend to people to protect themselves from this insane law is to route all traffic over a VPN at the router. Otherwise you have to be worried about every single device that connects to your router - and you will just end up looking like a jerk when you don't let your friends use your internet out of fear of malware.
It’s worrying that every time there’s a problematic internet law, the response is “use a VPN”. I even saw that suggestion where it would be downright useless—the European law to require upload filters.
If the recommendation is always to use VPNs and otherwise keep quiet, those in power can calmly strip you of every right and ban VPNs at the end. What do you do then?
There is also the highly probable case of the IP address being shared by many people or switching to a new user mid day which does happen.
Something as trivial as the police forgetting to check what timestamp their website file upload date is in could easily result in getting the entirely wrong customer from the ISP.
If the contours of the internet are such that every local despot can change it, then it's not really an internet.
Can I claim they cannot arrest me since everyone might use my Wifi?
> The Regulation of Investigatory Powers Act 2000 (RIPA), Part III, activated by ministerial order in October 2007,[20] requires persons to supply decrypted information and/or keys to government representatives with a court order. Failure to disclose carries a maximum penalty of two years in jail
https://en.wikipedia.org/wiki/Key_disclosure_law#United_King...
You can read the full law here: https://www.legislation.gov.uk/ukpga/2000/23/part/III
More likely is that the ISP messed up their logs, or that they were incomplete. That happens more often than they would like to admit.
I was on IRC and someone I have talked to a few times sent me a official looking link to the website of a local political party and it was a sub-folder that had indexing enabled and that's where they stored their backups.
The dude then got in and published all usernames and hashed passwords on pastebin.
He was using a VPN at the time, I wasn't.. The police took all my devices and kept them for a year until charges were dropped. Not a fun time.
I wrote about it here -> https://blog.haschek.at/2015-that-not-so-awesome-time-the-po...
Doubly so putting the explanation with little wording to leave doubt should help the family get some level of normalcy. At least now they can point to an article in the BBC to explain when employers, coworkers, other parents, or staff at the school inevitably bring it up.
It's not perfect but it's an easy explanation to put people's minds at ease and dissuade any notion of wrongdoing from this ridiculous incident which will undoubtedly follow them for at least the next decade or so if not the rest of their lives.
Or they really were guilty...
I believe this was a remote attack. Either on their computers, phones or router. Consumer-grade network equipment is notoriously insecure and Vodafone has absolutely zero expertise let alone incentive to do anything about it - they just buy these routers wholesale from China for a couple bucks a piece and call it a day.
That said you’re completely right on the state of ISP router security
Society so caught up in guilty until proven innocent.
Justice wasn't swift either. They disrupted their life and this couple is expected to bear all the costs of the govs wrong action.
It's not about finding ways to keep yourself safe so that the gov can't accuse you of something and destroy you (see swatting), it's about the gov not being able to destroy you with such ease.
This obviously isn't immune to a zero-day, but at this point you'd be more secure than 99% of the rest of the people so any attacker will just move on (why bother breaking into this router when you have an exploit that will net you hundreds of other ones with much less effort?)
What you described is an unfortunate loophole in this concept.
So far, it seems that hasn't been widely abused in the way you suggest. A court is the one who decides if new evidence is substantial or not - simple things like 'we found 11 of his footprints in the snow, but a re-re-review of the photos actually finds 12!" wouldn't cut it...
I'm more a fan of the "better a hundred guilty go free" model - in this case, that means the state gets one and only one bite at the apple, and they'd better do it right the first time. Fewer dragons on this road.
[1]: https://www.theguardian.com/law/2011/apr/11/judges-lenient-b...
"the retrial must be approved by the Director of Public Prosecutions, and the Court of Appeal must agree to quash the original acquittal due to "new and compelling evidence"".
I think this is reasonable - there's checks and balances in place to make sure that the evidence really is 'new and compelling'.
You're muddying the waters a bit with this 'better a hundred guilty go free' thing - you might as well not bother ever arresting someone then? Surely this should be tested at trial, which is exactly what will happen (it's not 'oh we found compelling new evidence so we're putting you in prison even though we found you not guilty before', it's 'we found compelling new evidence, so we're going to give a new jury the opportunity to hear the new evidence and decide if they also think you're not guilty')
> The government plans to ban default passwords being pre-set on devices, as part of upcoming legislation covering smart devices.
it shall be deemed a reasonable security feature under subdivision (a) if either of the following requirements are met: (1) The preprogrammed password is unique to each device manufactured.
I read this as a password based on the mac address or serial number would be compliant without meeting what I think is the intent of this law.
> they would have to be within about 20 metres of the house
Using a directional antenna, they could be substantially farther away.
> to do anything particularly sinister on the home network, the hacker will need to change the router configuration
That's not even remotely accurate. Uploading child abuse images to a message board as in the central story this article covers does not require configuration changes, for example. Trying exploits on other devices connected to the network doesn't either.
Given that I felt it was understandable to just jump that whole question even if it is factually incorrect...
I've been spammed quite a bit by friends with such applications past 6 months...