Friday, 27 December 2013

David Cameron’s Porn Filter Hosted On Cisco Server In The Good Old United States of America?

secure-web Cisco

INTERESTING, HUH? I have already broken this story on Twitter; but I am going to bring together what I believe is happening here for others with better resources to follow up, and subsequently either confirm or deny my analysis…

I’m using TalkTalk, and have always had the anti-virus option turned on; but, until Christmas Eve, any alerts generated by my ISP simply added a ‘[SUSPICIOUS MESSAGE]’ to the email’s subject field.

Here is the source of an Argos mail-shot, sent to me at 11:00am on Christmas Eve.

Argos - before

Nothing to see here. But now note what happens when Jessops email me at 18:49:51 that evening.

Ironport comes online

A sniffer has been inserted into the traffic of opaltelecom, which is my ISP. I believe that the offending X-IronPort designation corresponds to the ‘anti-virus capability’ of Dave’s Porn Filter (that he has not mentioned) – and I had that ISP service turned on, at the time, remember?

But now look what happens when the Health Lottery sends me that confirmation email, which I receive at 19:30:53…

health lottery modifications

If you look carefully, you will notice that X-IronPort snatches the communication from opaltelecom at 18:40:43, when the Health Lottery sent it, and only releases it at 19:30:53 (when I receive it). In other words: it was examined and processed for 50 minutes on Cisco’s servers in the USA! (Perhaps they should rewrite their Perl).

Dave is apparently intercepting all emails sent from the National Health Lottery info@domain.

Just what processing that email received will obviously remain a mystery; but it did include actually modifying the links that the Lottery sent me (to verify my account, and to visit the government’s Gambling Commission’s Web Site) and then sending their message on its way.

Here are those modified links: and you can see what happens for yourselves…

This should activate my account and this should take me to the Gambling Commission.

If anyone can verify my account for me by using the green ‘I trust this site’ button through the Cisco proxy: please let me know. The problem with the ‘filter’s’ programming (if you are listening X-IronPort) is that it does not release the original keys that were present in the Health Lottery’s message to its server. (Pity the poor bloody IT guys at the Health Lottery trying to discover a problem that has nothing to do with them).

Now, I have been laughing at the pure incompetence of IT expert, and serial liar Dave as I write this, because any 7-year-old is perfectly capable of pointing out that filtering words from the internet’s data stream as a means of classifying both ends of a communication is pure BBC drama and science fiction. And I laugh even more at the PC brigade who believe that, by banning words from our language, we can all live in a more equal, ‘nicer’ society. The fact is, if you are denied the ability to speak your mind, others cannot discern the real you or your intent: and the only option then left to you is to express what you are prevented from saying physically. You can only identify a bigot by the way he speaks – and if you force him to remain silent, his anger will only grow until he lashes out at that which offends him.

Deny anyone free speech and they can only express themselves through violence.

But, now, I have to stop laughing; because I turned off my ISP’s ‘anti-virus’ protection and, the next day, the lottery sent me a duplicate email to verify my account: but it never arrived!

Obviously, I do not have that email’s source to show you; but I can show you another that I received from John Lewis, a little while ago, at 16:09:39.

sniffer still there

I opted out of my ISP’s anti-virus protection, remember? That was on Christmas Day at 19:21; but the X-IronPort sniffer is still there.

I can only conclude that X-IronPort was responsible for intercepting my email; that it ensured I did not receive it – and that it does not matter what my ISP settings are: BECAUSE MY ISP CANNOT BYPASS THE SNIFFER THAT IS PROGRAMMED TO INTERCEPT THE HEALTH LOTTERY EMAILS IN ANY EVENT!..

Now this will make you laugh. I received this email from the Health Lottery’s Help Desk, bless ‘em, offering me a solution:-

lottery solution

In one fell swoop, IT expert David Cameron has apparently forced the National Health Lottery to break all internet security protocols as the only way to serve their new customers. And, no doubt, all other businesses on his ‘I’ve got a list’ will be experiencing exactly the same problems.

Got to hand it to you Dave: you are the UK’s greatest dimwit.

Will all those businesses affected be able to sue our idiot PM personally for loss of trade? Or will the taxpayers foot the compensation bill, as usual?

I wonder…

People: that sniffer is acting upon what it has been instructed to monitor in its USA-based database, and that is primarily a list of English words and phrases that our UK politicians have devised and that we have not been made aware of – assuming Obama cannot add words of his own.

This is Censorship with a Capital ‘C’ – and they only need add another word or phrase to deny us ever reading the sentences or paragraphs that contain it on the Web. (Like; UKIP, immigration, and Roma perhaps?)

I wait to be proved wrong; but I suspect it is not websites that Dave’s Filter will block us from seeing; but individual pages where certain words appear. In other words, there will be no Cisco Preview, as can be seen via the links provided above. When the filter is fully bedded in: we will all be suddenly surfing the ‘Secure-Web’ hosted by Cisco in the USA, which will just be a slowly performing mirror of those public internet pages that Dave allows us to see.

I sent this to my MP, Rebecca Harris (Castle Point) on Christmas night after I had sufficient confirmation of what was happening.

Harris questions


This was her eventual (no comment) reply:-

Rebecca replies

Here are a couple of tips:-

If you are using Outlook 10, as I am, you can check your received message internet headers by first opening the message and then choosing: File/Properties. Get your son or daughter to teach you how to read them if you do not already know. The examples I have provided here should help you. Focus upon the period spanning Christmas Eve.

Karl, from TalkTalk, tweeted me a neat old trick of how to discover if your email was delivered (and check how long it takes to arrive at its destination). Just CC what you are sending to yourself. You can, of course, BCC, if you do not want your correspondent to know what you are doing.
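As an added example (not from the original post), here is a small Python script that does the header reading described above mechanically: it walks the Received: chain oldest-first, reports how long each relay held the message, and decodes any X-IronPort-AV header. The sample message is constructed, with made-up hostnames, addresses and times chosen to reproduce the kind of 50-minute gap reported earlier; only the X-IronPort-AV line is taken from the comments on this post.

```python
# Added example, not from the original post: walk a message's Received: chain,
# report how long each hop held the message, and decode X-IronPort-AV.
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample: made-up hostnames/addresses and times chosen to reproduce
# the kind of 50-minute gap the post describes; the X-IronPort-AV line is the
# one quoted in this post's comments.
SAMPLE = """\
Received: from mail.isp.example (mail.isp.example [192.0.2.20])
\tby mx.talktalk.example with ESMTP; Tue, 24 Dec 2013 19:30:53 +0000
Received: from smtp.lottery.example (smtp.lottery.example [198.51.100.5])
\tby ironport.isp.example with ESMTP; Tue, 24 Dec 2013 18:40:43 +0000
X-IronPort-AV: E=Sophos;i="4.95,568,1384300800"; d="scan'208,217";a="1701122696"
From: info@lottery.example
To: user@talktalk.example
Subject: Please verify your account

(body omitted)
"""

def received_hops(raw):
    """Return the Received: hops oldest-first as dicts with from/by/time."""
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        value = " ".join(value.split())          # unfold continuation lines
        m = re.search(r"from\s+(\S+).*?\bby\s+(\S+)", value)
        when = parsedate_to_datetime(value.rsplit(";", 1)[-1].strip())
        hops.append({"from": m.group(1) if m else "?",
                     "by": m.group(2) if m else "?", "time": when})
    return hops[::-1]                            # headers are newest-first

def hop_delays(hops):
    """Seconds each relay held the message before the next relay stamped it."""
    return [(hops[i]["by"], (hops[i + 1]["time"] - hops[i]["time"]).total_seconds())
            for i in range(len(hops) - 1)]

def ironport_av(raw):
    """Split X-IronPort-AV into its key=value fields (E=engine, i=version, ...)."""
    value = message_from_string(raw).get("X-IronPort-AV")
    if not value:
        return None
    return {k: v.strip('"') for k, v in re.findall(r'(\w)=("[^"]*"|[^;]*)', value)}

if __name__ == "__main__":
    for relay, secs in hop_delays(received_hops(SAMPLE)):
        print(f"{relay} held the message for {secs / 60:.1f} minutes")
    print("AV engine:", ironport_av(SAMPLE))
```

Each Received: timestamp is written by a different server's clock, so a measured gap includes any clock skew between relays, and the sender's own queueing before the first relay stamped it is not visible at all.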

I have provided a great deal of personal information in this post to present my evidence as clearly as possible. Please respect my privacy.

Oh, and by the way: Happy New Year…

PS: If you need to contact me via email: please use Verisign.

[Update 28/12 at 12:45] The Lottery tried another duplicate email around 08:30; but it has joined its sibling in Cyberspace.

For those in a similar position: the question that needs to be resolved by your IT Dept. is:-

  1. Is the intercept only activated by a message’s content (leaving the post@domain free to continue communicating) or is the address quarantined?

You should be able to resolve that question by setting up a public account as a target and firing test messages at it from the account that is having the problems. If affected parties did that, recorded the ‘trip’ words and phrases that activate the redirect, and posted those trips in the comment section of this post (you can now post anonymously without moderation): we might be able to devise a work-around until sanity has been restored.

[Update 29/12 at 21:43] I can now personally confirm the info@ trip discovered by Anonymous in this post’s comment section this morning. Moreover, X-IronPort’s activities are not confined to incoming mail traffic: it sniffs all outgoing TalkTalk user email as well!

This is what happened today…

At 05:45, X-IronPort was still online, as this header from Jessop’s email shows:-

IronPort still there


True to form, the message passes through the sniffer without incident. I would expect nothing less; because I continue to have my ISP’s anti-virus option turned OFF.

Then, at some time between 05:45 and 09:37 this morning, X-IronPort was taken offline.

IronPort taken offline

I would like to claim some influence in that development; but, to my chagrin, I find I might have only given TalkTalk an opportunity to explain away the 50 minute delivery delay, reported earlier, as a technical problem that required X-IronPort to be taken down for a software upgrade.

Woolovers confirm info@

As the above header reveals: X-IronPort was back online by 18:04 this evening, now declaring itself as an Anti-Spam filter, which, it is interesting to note, was the angle suggested by Christopher Brennan, in this post’s Comment Section yesterday. (Thanks for that vital link by the way, Chris). This explicit renaming is my ISP saying: ‘There’s nothing to see here folks. Please pass along.’

Really?..

Well, the interesting point is that this message (thank you Woolovers) is from an info@domain – and it immediately triggers X-IronPort into action. There is no subsequent redirect to Cisco this time, nor are any changes made to the email’s subject field; but X-IronPort is nonetheless forced to wake up and sniff a potential dinner.

It seems that X-IronPort is definitely keen to spider anything that TalkTalk users request information on. Moreover, when that information is of a specific type: it is immediately redirected to Cisco in the US.

High quality woollen clothes, it seems, does not fit one of those categories.

Please keep visiting and commenting.

It is good to talk…

6 comments:

  1. this is TalkTalk who is doing it, not the government

    ReplyDelete
    Replies
    1. update:
      it seems TalkTalk uses Cisco for their anti-virus http://www.hotlaptop.co.uk/anti-virus/seven-reasons-to-avoid-talktalk-homesafe/
      I think you should change ISP but I have to say this has nothing to do with the government. TalkTalk porn filters have been here since 2011 so this is not new

      Delete
    2. also did you try and find out if someone is trying to hack your emails by using the anti-virus? because that's what it looks like

      Delete
  2. "X-" is a standard prefix used in e-mail headers to show that it is a non-standard or extension header. This leaves us with "IronPort" - IronPort is a commercial e-mail anti-spam and anti-virus solution and yes, it is owned by Cisco. The reason you are seeing these headers is because TalkTalk are using it as part of their incoming e-mail setup.

    As for:
    X-IronPort-AV: E=Sophos;i="4.95,568,1384300800"; d="scan'208,217";a="1701122696"

    This header is merely saying that the message was scanned by the Sophos antivirus engine with version information "4.95,568,1384300800".

    Having e-mail anti-virus and anti-spam protection is a standard part of running a mail server and as far as I'm aware TalkTalk do not provide an option to disable their anti-virus and anti-spam specifically on their mail servers - you may disable any protection they provide while web browsing or on your local computer however - again, this is not unusual.

    IronPort itself is provided as either server appliances that you can install locally or as a cloud based service - there's no information as to which option TalkTalk have chosen that I can see.
    For more information: http://www.ironport.com/index.html, http://en.wikipedia.org/wiki/IronPort

    A 50 minute delay in e-mail receipt is a bit long, but can be explained quite easily by Greylisting (where e-mail is rejected on the first delivery attempt to see if the server sending it tries to resend - a common way to block large quantities of spam) and heavily loaded mail servers (as TalkTalk are likely to have).

    As an IT professional, I run several mail servers - both personally and on behalf of my customers - and I do not use IronPort for AV or anti-spam. No "X-IronPort-..." headers are ever added to my own incoming e-mail or e-mail services that I provide.


    If you don't like having Cisco authored software scanning your email for spam or viruses, then I suggest that you simply create an e-mail account elsewhere?

    If you are concerned about TalkTalk in general, why not change ISP to one that is not operating filters? One that has been well-publicised recently is Andrews & Arnold - they are opposed to filtering in general - see: http://aa.net.uk

    ReplyDelete
    Replies
    1. Sorry your comment was delayed - Blogger treated it as Spam (and I've just got-in).

      Thank you for commenting; but I do not think you are telling us anything we do not know.

      It is not about WHAT X-IronPort is; it is WHERE it is that is important.

      Delete