SANS Internet Storm Center, InfoCON: green: ISC StormCast for Monday, March 2nd 2015 http://isc.sans.edu/podcastdetail.html?id=4377, (Mon, Mar 2nd)

This post was syndicated from: SANS Internet Storm Center, InfoCON: green and was written by: SANS Internet Storm Center, InfoCON: green. Original post: at SANS Internet Storm Center, InfoCON: green

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

TorrentFreak: Copyright Monopoly Fraudsters Need To Go To Jail With Heavy Damages

This post was syndicated from: TorrentFreak and was written by: Rick Falkvinge. Original post: at TorrentFreak

Last week there was a story on TorrentFreak about a copyright monopolist who had gone absolutely insane and sent so-called “takedown notices” to everybody and their brother, from EFF to Tor – basically anybody with a download page.

It’s a complete mystery why this isn’t a criminal behavior. The fact that it isn’t is why it continues and harms innovation, creativity, free speech, and the Internet.

The Swedish Pirate Party had a very clear policy on crimes like this: if you lied about holding an exclusive right to something, the same penalty that would have applied to an infringer of that exclusive right would instead apply to you. This is only fair, after all: you are infringing on the distribution of a creative work by dishonest means.

For repeat offenders, or organizations that committed this crime on a commercial basis or for commercial gain, like that idiot record label in the TorrentFreak story – they would be declared criminal organizations and have all their assets seized. The individuals doing so for commercial gain would go to jail for a couple of years.

The thing is, this should not even be contentious. This is how we deal with this kind of criminal act in every – every – other aspect of society. If you lie as part of commercial operations and hurt somebody else’s rights or business, you are a criminal. If you do so repeatedly or for commercial gain, direct or indirect, your ill-gotten gains are seized. This isn’t rocket science. This is standard bloody operating procedure.

The copyright industry goes ballistic at this proposal, of course, and tries to portray itself as a rightsless victim – when the reality is that it has been victimizing everybody else after making the entire planet rightsless before its intellectual deforestation.

The irony is that at the same time as the copyright industry vehemently opposes such penalties, arguing that it can make “innocent mistakes” in sending out nastygrams, threats, and lawsuits to single mothers, it is also arguing that the situation with distribution monopolies is always crystal clear and unmistakable to everybody else, who deserves nothing but the worst. They can’t have it both ways here.

It’s a matter of incentives, at the end of the day. If there’s no risk at all in lying and causing pain to other people, along with a very small reward, then sociopaths – like those in the copyright industry – will do so on an industrial scale, accompanied by the most Stalinesque of laughter. This is also the behavior we observe now. There must be a risk associated with willfully lying and causing injury or damage. Today, there isn’t.

And because there isn’t, Google alone receives on the order of thirty million nastygrams per month. Most or all of them are automated at the sender’s end. There’s no cost or risk in sending them, after all, and that has to change.

The U.S. DMCA – what a horrible mistake that was – does state that somebody sending a takedown notice does so under penalty of perjury. However, that only applies to the claim of representing the person who believes they hold the copyright monopoly to the work, not to the claim of actually holding the exclusive right you claim to hold. A bare legislative minimum would be to extend the penalty of perjury to cover the actual – not believed, but actual – holding of the copyright monopoly somebody claims to hold.

The very least you can ask is that committing a crime such as fraudulently claiming exclusive rights carries a risk with it. It’s not rocket science.

About The Author

Rick Falkvinge is a regular columnist on TorrentFreak, sharing his thoughts every other week. He is the founder of the Swedish and first Pirate Party, a whisky aficionado, and a low-altitude motorcycle pilot. His blog at falkvinge.net focuses on information policy.


Source: TorrentFreak, for the latest info on copyright, file-sharing, torrent sites and anonymous VPN services.

TorrentFreak: Piracy Lawsuits Dominated By Just Three Movie Companies

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

Thanks to the development of advanced file-sharing systems and fast Internet connections, lawsuits aimed at alleged Internet pirates have become commonplace over the past decade and are showing no signs of disappearing anytime soon.

The statistics behind these threats have been documented periodically, but now a detailed study of IP litigation as a whole has painted a clearer picture of the trends of the past 10 years.

Published by Matthew Sag, Professor of Law at Loyola University Chicago School of Law, IP Litigation in United States District Courts: 1994 to 2014 reviews all IP litigation in U.S. district courts over the past two decades, covering over 190,000 copyright, patent and trademark case filings.

Perhaps unsurprisingly, one of the paper’s key findings is that Internet file-sharing has transformed copyright litigation in the United States, in one area in particular.

“To the extent that the rate of copyright litigation has increased over the last two decades, that increase appears to be entirely attributable to lawsuits against anonymous Internet file sharers,” the paper reads.

In broad terms the paper places lawsuits against alleged pirates into two categories – those with an aim of discouraging illegal file-sharing and those that exist to monetize online infringement.

Category one is dominated by lawsuits filed by the RIAA against users of software such as Kazaa and LimeWire who downloaded and shared tracks without permission. Announced in 2003, the wave seriously got underway during 2004 and persisted until 2008, straggling cases aside.

Category two is dominated by the so-called copyright trolls that have plagued file-sharing networks since 2010. These companies, largely from the adult movie sector, track down alleged file-sharers with the aim of extracting cash settlements.

As illustrated by the chart below, so-called ‘John Doe’ lawsuits witnessed their first big boost during 2004, the year the RIAA began its high-profile anti-P2P scare campaign. The second big wave can be seen from 2011 onwards.

[Chart: John Doe lawsuits per year]

“John Doe litigation in the second wave appears to be aimed primarily, if not exclusively, at monetizing infringement—i.e., creating an independent litigation revenue stream that is unrelated to compensation for the harms of infringement and unconcerned with deterrence,” the paper reads.

“The availability of statutory damages is essential to the infringement monetization strategy. United States copyright law allows a plaintiff to elect statutory damages ranging from $750 to $150,000 for willful copyright infringement, regardless of the extent of the copyright owner’s actual damage.”

Needless to say, this situation has encouraged some companies to file more and more lawsuits over the past several years in pursuit of profit. However, they have been required to adapt along the way.

Between 2010 and 2012 lawsuits were typically filed against hundreds or even thousands of John Doe defendants at once, but due to increased scrutiny from District Court judges the average number of Does per suit has declined dramatically.

“[In] 2010 the average number of John Doe defendants per suit was over 560; by 2014 it was just over 3,” the paper notes. “2014 still witnessed the occasional mass-joinder suit, but by this time the model had almost entirely shifted to suits against individual unnamed defendants.”

Also under the spotlight are the types of content being targeted by trolls. Pornographic titles have been behind the lion’s share of lawsuits since 2010 and in 2014 accounted for 88% of all ‘John Doe’ actions.

[Chart: types of content in John Doe lawsuits]

What is also startling about this second category is how it has become increasingly dominated by a tiny number of plaintiffs. Back in 2010 the top three plaintiffs accounted for less than 25% of John Doe lawsuits but it wouldn’t stay that way for long.

“In 2011 and 2012, the top three plaintiffs accounted for just under 50% of John Doe cases. In 2013, Malibu Media alone accounted for 64% of John Doe cases and the top three in that year accounted for more than 75% of such cases. The top three plaintiffs in 2014 account for more than 93% of John Doe litigation filings in copyright,” the paper adds.

[Chart: share of John Doe lawsuits filed by the top three plaintiffs]

Conclusion

Despite the large number of lawsuits being filed against John Doe defendants, the paper dismisses the notion that litigation since 2010 is a broad-based phenomenon. In fact, it draws quite the opposite conclusion, noting that a tiny number of plaintiffs are effectively making a huge noise.

“The trend from 2012 to 2014 is one of increasing concentration of plaintiff activity. In fact, the pornography producer Malibu Media is such a prolific litigant that in 2014 it was the plaintiff in over 41.5% of all copyright suits nationwide,” the paper notes.

Finally, in respect of the activities of the plaintiffs listed above, Matthew Sag’s study arrives at an opinion long held by many ‘troll’ critics.

“John Doe litigation is not a general response to Internet piracy; it is a niche entrepreneurial activity in and of itself,” Sag concludes.


GattaNegra's days: The martenitsi and they…

This post was syndicated from: GattaNegra's days and was written by: GattaNegra. Original post: at GattaNegra's days

There are no established precise historical facts about when the tradition arose, whether in the time of Khan Asparuh or earlier, but it is known for certain that on the other side of the world there is a tribe, the Kalash, which has the same tradition. Tying on a white and red thread at the beginning of March (Mars) is a thousands-of-years-old tradition, perhaps one of the few things from […]

SANS Internet Storm Center, InfoCON: green: Advisory: Seagate NAS Remote Code Execution, (Sun, Mar 1st)

This post was syndicated from: SANS Internet Storm Center, InfoCON: green and was written by: SANS Internet Storm Center, InfoCON: green. Original post: at SANS Internet Storm Center, InfoCON: green

Beyond Binary is reporting a vulnerability affecting Seagate’s Business Storage line of NAS devices and possibly other Seagate NAS products. These are fairly common devices in SOHO and even small enterprise applications.

It appears that a number of off-the-shelf (OTS) components and the custom web application used in the web management interface are out of date and will permit unimpeded access to the administration functions of the device. It is believed that versions of the firmware up to and including 2014.00319 are vulnerable.

It appears to be trivial to exploit the devices, and a Metasploit module and an exploit are publicly available.

It is hoped that if you have one of these devices in your network, you do not have the administration interface accessible on the Internet. If you do, you will want to remove it. You can be sure that the bad guys have started scanning for these devices. At this point no updated firmware is available to resolve this issue.

– Rick Wanner MSISE – rwanner at isc dot sans dot edu – http://namedeplume.blogspot.com/ – Twitter:namedeplume (Protected)


Клошкодил: 2015-03-01 crocodile day has passed

This post was syndicated from: Клошкодил and was written by: Vasil Kolev. Original post: at Клошкодил

I celebrated crocodile day again. I held it on the 27th, because the 23rd fell on a Monday, and МТСП (the Ministry of Labour and Social Policy) asked me not to hold it before a working day, since the collective hangover visibly lowered the country's GDP.

People liked it; several said I ought to celebrate birthdays every month (because that way you get to see all kinds of people). Last year the protests did that job; once it warms up, we might think about some more…
(or, I don't know, a conference with just one talk and a two-day afterparty …)

Here follows the standard list of presents, as far as I can remember:
A bottle of Laphroaig (Мартин);
A bottle of Glenfiddich (Щеряна);
A cat (sounds like this), or more precisely a Digitech bass synth wah effect (bofh);
Tickets for Apocalyptica in Пловдив (that's where I first heard them, quite a few years ago) (iffi and Калоян);
A voucher for Декстрофобия and one for 3keyrooms (one from Ива/Калоян, the other from Явор/Таня and someone else, I don't remember which was which);
a smartcard for PGP keys and a reader for it from Merlijn and Моника (apparently I'll be changing my key in the coming days);
A zero-day from RealEnder (tested, it works, let's see whether he wants to publish it);
Binoculars (I don't remember from whom);
A megaphone, it will do good work at conferences (Пешо);
A lamp and a bulb for it (Пенчев, Велин, Боян), since there supposedly wasn't enough dim lighting at my place (I'm thinking of getting 2-3 more);
Lego, some kind of excavator (Боян); various people have already expressed a wish to come over and assemble it;
A metronome (Кънев) (no comment);
The book “Crochet for Dummies” (Никсън);
The book “Никой не обича крокодила” (“Nobody Loves the Crocodile”) (Бобсън), some ancient Russian one from 1974;
The manga “Fullmetal Alchemist”, volume 1 (Антоанета);
The book “Alex” by Pierre Lemaitre (Бойчо);
The book “Shackleton's Whisky” by Neville Peat (Миши), together with a card that Снежи probably won't let me scan and upload, but which is very funny;
“The Book of Bunny Suicides” (Владо младшия) – ask google about bunny suicides;
A bag of jelly crocodiles (fredson);
A platter for serving appetizers (Мариела and Румен);
A glass with a crocodile in it (something like this) (Румен);
and finally, a whisky tasting master class (from a large group of people – Митьо, Стефан, Боян, Яна, Марио, Владо Василев, Стеф, Витков, Недко, Точо, Петко, Мариян, dzver, Кунев and Гери, Благовест, Печкин, Пламен and the pCloud team), as well as a bag of Rhodope organic potatoes.

(apart from these, Снежи gave me a strange pillow/hat for sleeping anywhere. I look incredibly scary in it…)

If I remember/discover anything else, I'll add it.

___: Happy Baba Marta / Happy Granny March

This post was syndicated from: ___ and was written by: Баба Марта. Original post: at ___

Happy Baba Marta!

Happy Granny March!

Мартеница / Martenitsa
under CC license from Wikipedia


TorrentFreak: NBC Universal Tries to Censor TorrentFreak’s News About Leaked Films

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

Earlier this year an unprecedented flood of leaked movies hit the net, including screener copies of popular titles such as American Sniper, Selma and Unbroken.

Hoping to steer people away from these unauthorized copies the copyright holders sent out thousands of takedown notices.

These efforts generally target URLs of torrent sites, cyberlockers and streaming services that link to the unauthorized movies. However, some requests go a little further, targeting news publications such as the one you’re reading at the moment.

Last week NBC Universal sent a series of takedown notices to Google including one for the leaked movie “Unbroken.” Aside from the usual suspects, the list of allegedly infringing URLs also included our recent coverage of the screener leaks.

As with the other pages, NBC Universal urged Google to remove our news report from its search results.

tfcensor1

Luckily, Google appears to have whitelisted our domain name so the search giant didn’t comply with the request. However, other sites may not be so lucky and could have their articles removed.

The overreaching takedown request doesn’t appear to be an isolated incident. Two days earlier NBC Universal sent another takedown notice targeting our coverage of the “Taken 3” leak.

tfcensor2

But there’s more. Aside from our news articles there are also other dubious claims in the notices, such as the request to remove a live concert from the band “Unbroken.”

The question remains whether NBC Universal intentionally targeted our news articles or not.

While the latter seems to be the most likely explanation, it doesn’t change the fact that the overbroad censorship requests go too far.


[Медийно право] [Нели Огнянова] : Net neutrality

This post was syndicated from: [Медийно право] [Нели Огнянова] and was written by: nellyo. Original post: at [Медийно право] [Нели Огнянова]

[Photo: Mark Wilson/Getty Images]

Three of the FCC members who voted (3:2) that no one, neither the state nor a corporation, may restrict free and open access to the Internet (the announcement).

[Медийно право] [Нели Огнянова] : ECtHR: satirical advertisement

This post was syndicated from: [Медийно право] [Нели Огнянова] and was written by: nellyo. Original post: at [Медийно право] [Нели Огнянова]

During the week the Court of Human Rights ruled on two cases, Bohlen v. Germany (53495/09) and Ernst August von Hannover v. Germany (53649/09). Two public figures (Dieter Bohlen and the husband of Princess Caroline von Hannover) applied to the Court seeking protection against the use of their names in advertising without their consent.

It is a matter of satire: the Court assesses the balance between freedom of expression and protection under Art. 8 ECHR, respect for private life.

Advertising campaigns in Germany included the names of the two in a satirical context, drawing on real facts from their lives:

  • parts of a book by Dieter Bohlen had been barred from publication by a court decision; in the advertisement his name is partially crossed out with a black marker;
  • von Hannover became known for his involvement in brawls at society venues; accordingly, in a British American Tobacco advertisement his name is linked to a crumpled pack of cigarettes.

Both sought compensation for the use of their names in advertising. Since the decision was not in their favour, they applied to the ECtHR. They claim that the state failed to protect them against the use of their first names without their consent, and that their right to private life was therefore violated through the commercial use of their names.

The Court once again applies the criteria for balancing the right to privacy and the right to freedom of expression. According to the Court, the advertisements contribute to debates of public interest in Germany and relate in a satirical manner to events that had been the subject of public debate. The applicants' image was not presented in a degrading way.

Taking into account also that this is commercial speech, where states are granted a wide margin of appreciation, the Court upholds the decision of the German Federal Court: there is no violation of Art. 8 ECHR.

[Медийно право] [Нели Огнянова] : ECtHR: public figures, filming in a public place

This post was syndicated from: [Медийно право] [Нели Огнянова] and was written by: nellyo. Original post: at [Медийно право] [Нели Огнянова]

The ECtHR judgment in Lillo-Stenberg and Sæther v. Norway ([2014] ECHR 59) discusses the balancing between the right of citizens to be informed about the lives of public figures and the right to private life.

Lars Lillo-Stenberg and Andrine Sæther are a musician and an actress who got married. The celebration was held outdoors, on an island. A print publication ran an article with photographs, obtained thanks to special equipment for shooting from a distance. The couple won a privacy case at two instances, but lost at the third instance and applied to the Court in Strasbourg alleging a violation of Art. 8 ECHR.

A classic case of celebrities and paparazzi. Famous guests, numerous musical performers, glamour.

The judgment is interesting because it was adopted after the judgment in Von Hannover v. Germany (No. 2) [2012] ECHR 228, and the standards for balancing Art. 8 and Art. 10 are applied.

It is worth noting that the ECtHR finds elements of public interest in the private: not only in political matters or crimes, but also where sports matters or performers are concerned (para. 36); weddings are such an example (para. 37); it is further noted that there was visibility (photography possible from about 250 m) and that the event attracted attention (para. 43).

In principle the Court maintains that not everything that interests people is of public interest, but in this case, while also respecting a certain national margin of appreciation (of the Supreme Court), it held that there was no violation of Art. 8 ECHR, private life.

GattaNegra's days: What a vacuum cleaner can't clean, a new vacuum cleaner can … (domestic matters)

This post was syndicated from: GattaNegra's days and was written by: GattaNegra. Original post: at GattaNegra's days

And so, after Ирина visited me and saved me from a nervous breakdown about a month ago, it turned out that I had apparently thrown out part of the vacuum cleaner too while cleaning earlier that same day. The absence of that tiny-cute-black little part turned the already exhausting upkeep of the appliance in question into a downright mission disgusting impossible. Two cats and […]

[Медийно право] [Нели Огнянова] : ECtHR: investigative journalism, recordings without permission

This post was syndicated from: [Медийно право] [Нели Огнянова] and was written by: nellyo. Original post: at [Медийно право] [Нели Огнянова]

On 24 February 2015 the European Court of Human Rights announced its judgment in the case of Haldimann and others v Switzerland.

Бойко Боев published a commentary, which I share with his permission.

The facts
Several editors (note that these are not ordinary journalists; below I will put in brackets the facts to which attention should be paid) decide to secretly record a conversation between an insurance broker and a journalist posing as a client. The occasion is complaints from citizens that from brokers (in general, not the recorded broker) they do not receive full and good-quality information about the insurance policies they take out. The conversation is recorded in the journalist's home and relayed to an adjacent room, where the editors are together with an insurance expert who comments on what he sees. A camera operator records the expert's commentary; the expert identifies on the spot problems in the presentation of the insurance terms. At the end of the conversation between the “client” and the broker, one of the editors enters the room and reveals that the conversation has been recorded, asking the broker for comment on the problems the expert has identified. The broker refuses to comment.

On television the recording is broadcast with the broker's voice and image altered so as to protect his identity. Nevertheless the broker brings a criminal case for unlawful use of recording devices, which violated his right to private life. The editors and the journalist posing as the client are sentenced to pay a minimal fine (this is criminal, not administrative, liability of the editors and the journalist).

The European Court assesses whether the Swiss court struck the right balance between the applicants' (editors' and journalist's) right to expression and the broker's right to private life. The Strasbourg Court does this by comparing whether the criterion used by the national judges matches its own criteria in similar cases, and by examining how those criteria were applied in considering the specific facts of the case. The European judges found that the Swiss judges had not used the correct standard and established a violation of the journalists' freedom of expression.

The judgment
1. Is the journalists' report of public interest? The Court found that there is public interest, even though in this case the person affected is an insurer, i.e. a private person and not a public figure.
2. How was the decision to covertly use recording equipment taken? In the Swiss case the decision was taken by editors and after discussing all possible ways of collecting reliable information (i.e. not arbitrarily by a journalist).
3. How did the journalists make the recording and how did they use it? The Court finds that the applicants acted in accordance with the ethical rules of journalists in Switzerland, limiting the interference with the broker's private life as far as possible (few people learned his identity during the recording, and when it was shown to the public the broker's voice and face were concealed).
4. What is the nature and severity of the sanction? The Court found that the applicants were convicted of committing a crime and were fined under the Criminal Code (not an administrative fine, which has lighter consequences), and that this punishment is disproportionately severe.

Bulgarian legislation provides no such criteria.
The Ethical Code of the Bulgarian media contains no detailed rules on the covert use of recording equipment. According to the code the only condition is an “unambiguously” established public interest. By comparison, in Belgium for example the journalists' ethical rules require that covert recording equipment be used only if

  • there is a serious public interest,
  • there is no other way to obtain the information,
  • the use of the equipment is proportionate to the intended result, and
  • the decision is taken by the editors-in-chief.

The specified working standards of the BBC and the ethical standards of journalists in the Netherlands are similar.

There is also an interesting sequel: the British scandal of the week, on which the parliamentary ethics committee is expected to rule: Jack Straw and Sir Malcolm Rifkind, two former British foreign secretaries, were secretly filmed by journalists from the Telegraph newspaper and the Channel 4 programme Dispatches promising their services for payment to a fictitious Chinese company. The scandal arises from the fact that both are in parliament, i.e. they are expected to work as MPs, for which they are paid, and not to offer services.

*

To what Бойко Боев has said one may add that in Bulgaria the more serious problem is not on the plane of journalistic ethics; rather, from the very beginning (2004) the Ethical Code of the Bulgarian media has been in conflict with the Criminal Code.

The real threat to investigative journalism also emerged during work on the new Criminal Code. Instead of excluding criminal liability, as had been promised, in the scenarios of use of special means without permission provided for in the Ethical Code, the authors of the draft Criminal Code (which was left without further action) extended its applicability.

Still, after the judgment in Von Hannover v. Germany (No. 2) [2012] ECHR 228, the standards for balancing Art. 8 and Art. 10 apply, and in Bulgaria too we can rely on them in case Art. 339a of the Criminal Code is applied to journalists in a case of public interest.

TorrentFreak: Which VPN Services Take Your Anonymity Seriously? 2015 Edition

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

By now most Internet users are well aware of the fact that pretty much every step they take on the Internet is logged or monitored.

To prevent their IP-addresses from being visible to the rest of the Internet, millions of people have signed up to a VPN service. Using a VPN allows users to use the Internet anonymously and prevent snooping.

Unfortunately, not all VPN services are as anonymous as they claim, as several incidents have shown in the past.

By popular demand we now present the fourth iteration of our VPN services “logging” review. In addition to questions about logging practices, we also asked VPN providers about other privacy sensitive policies, so prospective users can make an informed decision.

1. Do you keep ANY logs which would allow you to match an IP-address and a time stamp to a user of your service? If so, exactly what information do you hold and for how long?

2. Under what jurisdiction(s) does your company operate?

3. What tools are used to monitor and mitigate abuse of your service?

4. Do you use any external email providers (e.g. Google Apps) or support tools (e.g. Live support, Zendesk) that hold information provided by users?

5. In the event you receive a DMCA takedown notice or European equivalent, how are these handled?

6. What steps are taken when a valid court order requires your company to identify an active user of your service? Has this ever happened?

7. Does your company have a warrant canary or a similar solution to alert customers to gag orders?

8. Is BitTorrent and other file-sharing traffic allowed on all servers? If not, why?

9. Which payment systems do you use and how are these linked to individual user accounts?

10. What is the most secure VPN connection and encryption algorithm you would recommend to your users? Do you provide tools such as “kill switches” if a connection drops and DNS leak protection?

11. Do you use your own DNS servers? (if not, which servers do you use?)

12. Do you have physical control over your VPN servers and network or are they outsourced and hosted by a third party (if so, which ones)? Where are your servers located?

Below is the list of responses we received from various VPN providers, in their own words. In some cases we asked for further clarification. VPN providers who keep logs for longer than 7 days were excluded, as were those who simply failed to respond.

Please note that several VPN companies listed here do log to some extent. We therefore divided the responses into a category of providers who keep no logs (page 1/2) and one for those who keep usage and/or session logs (page 3). The order of the VPNs within each category holds no value.

We are also working on a convenient overview page as well as dedicated review pages for all providers, with the option for users to rate theirs and add a custom review. These will be added in the near future.

VPNs That Keep No Logs

Private Internet Access

1. We do not log, period. This includes, but is not limited to, any traffic data, DNS data or meta (session) data. Privacy IS our policy.

2. We choose to operate in the US in order to provide no logging service, as there is no mandatory data retention law in the US. Additionally, our beloved clients are given access to some of the strongest consumer protection laws, and thus, are able to purchase with confidence.

3. We do not monitor our users, period. That said, we have a proprietary system in place to help mitigate abuse.

4. We utilize SendGrid as an external mailing system and encourage users to create an anonymous e-mail when signing up depending on their adversarial risk level. Our support system is in-house as we utilize Kayako.

5. We have a proprietary system in place that allows us to comply in full with DMCA takedown notices without disrupting our users’ privacy. Because we do not log our users’ activities in order to protect and respect their privacy, we are unable to identify particular users that may be infringing the lawful copyrights of others.

6. We do not log and therefore are unable to provide information about any users of our service. We have not, to date, been served with a valid court order that has required us to provide something we do not have.

7. We do not have a warrant canary in place at this time as the concept of a warrant canary is, in fact, flawed at this time, or in other words, is “security theater.”

8. We do not attempt to filter, monitor, censor or interfere in our users’ activity in any way, shape or form. BitTorrent is, by definition, allowed.

9. We utilize a variety of payment systems including, but not limited to, PayPal, Stripe, Amazon, Google, Bitcoin, Stellar, CashU, Ripple, Most Major Store Bought Gift card, PIA Gift cards (available in retail stores for “cash”), and more. We utilize a hashing system to keep track of payments and credit them properly while ensuring the strongest levels of privacy for our users.

10. The most secure VPN connection and encryption algorithm that we would recommend to our users would be our suite of AES-256, RSA 4096 and SHA1 or 256. However, AES-128 should still be considered quite safe. For users of Private Internet Access specifically, we offer addon tools to help ensure our beloved clients’ privacy including:

– Kill Switch: Ensures that traffic is only routed through the VPN such that if the VPN connection is unexpectedly terminated, the traffic would simply not be routed.
– IPv6 Leak Protection: Protects clients from websites which may include IPv6 embeds which could leak IPv6 IP information.
– DNS Leak Protection: This is built in and ensures that DNS requests are made through the VPN on a safe, private no-log DNS daemon.
– Shared IP System: We mix clients’ traffic with many clients’ traffic through the use of an anonymous shared-IP system ensuring that our users blend in with the crowd.

11. We are currently using our own DNS caching.

12. We utilize third party datacenters that are operated by trusted friends and, now, business partners who we have met and completed our due diligence on. Our servers are located in: USA, Canada, UK, Switzerland, Amsterdam, Sweden, Paris, Germany, Romania, Hong Kong, Israel, Australia and Japan. We have over 2,000 servers deployed at the time of writing with over 1,000 in manufacture/shipment at this time.

Private Internet Access website
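The kill switch, DNS leak protection and IPv6 leak protection that PIA lists above (and that several other providers in this survey describe in their own words) all come down to the same host-firewall idea: default-deny on the physical interface, permit only the VPN handshake to the known server, and let everything else leave via the tunnel. The script below is an added example written for this page, not PIA’s or any provider’s code; the server address 203.0.113.10, the port 1194 and the interface names eth0/tun0 are constructed assumptions.

```shell
#!/bin/sh
# Added example: a minimal VPN "kill switch" as iptables/ip6tables rulesets.
# Assumptions (constructed for this example, not any provider's config):
# VPN endpoint 203.0.113.10:1194/udp, physical interface eth0, tunnel tun0.
set -eu

# killswitch_rules VPN_SERVER_IP VPN_PORT WAN_IF TUN_IF
# Prints an IPv4 ruleset in iptables-restore format.
killswitch_rules() {
    vpn_ip=$1; vpn_port=$2; wan_if=$3; tun_if=$4
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Loopback is always allowed.
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# Replies to connections we initiated (the VPN handshake, tunnelled flows).
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# The only traffic allowed to leave the physical interface is the VPN
# handshake to the known server. Because OUTPUT defaults to DROP, nothing
# else (plain DNS queries included) can leak out if the tunnel goes down.
-A OUTPUT -o $wan_if -p udp -d $vpn_ip --dport $vpn_port -j ACCEPT
# Everything else must go through the tunnel.
-A OUTPUT -o $tun_if -j ACCEPT
COMMIT
EOF
}

# ipv6_block_rules
# Prints an IPv6 ruleset that drops everything except loopback. This is
# the blunt form of "IPv6 leak protection" for a VPN that carries IPv4 only.
ipv6_block_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
COMMIT
EOF
}

# wan_egress_rule_count VPN_SERVER_IP VPN_PORT WAN_IF TUN_IF
# Sanity check: a correct kill switch has exactly one rule permitting
# egress on the physical interface (the handshake), never more.
wan_egress_rule_count() {
    killswitch_rules "$@" | grep -c -- "-A OUTPUT -o $3 "
}

# Usage: sh killswitch.sh          (print the rulesets for review)
#        sh killswitch.sh --apply  (load them; needs root and iptables-restore)
VPN_IP=203.0.113.10   # constructed example address (TEST-NET-3 range)
VPN_PORT=1194
WAN_IF=eth0
TUN_IF=tun0
if [ "${1:-}" = "--apply" ]; then
    killswitch_rules "$VPN_IP" "$VPN_PORT" "$WAN_IF" "$TUN_IF" | iptables-restore
    ipv6_block_rules | ip6tables-restore
else
    killswitch_rules "$VPN_IP" "$VPN_PORT" "$WAN_IF" "$TUN_IF"
    ipv6_block_rules
fi
```

Two design points worth noting: the handshake rule is pinned to a single destination address, so if the VPN client is configured by hostname the resolver has to be reachable before the rules are loaded (or the address has to be resolved and baked in as above); and INPUT defaults to DROP even on tun0, so a client that needs incoming peer connections for BitTorrent would add an explicit rule for its forwarded port on the tunnel interface.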

TorGuard

1. No logs are kept whatsoever. TorGuard does not store any traffic logs or user session data on our network because since day one we engineered every aspect of the operation from the ground up, permitting us full control over the smallest details. In addition to a strict no logging policy we run a shared IP configuration that provides an added layer of anonymity to all users. With hundreds of active sessions sharing a single IP address at any given time it becomes impossible to back trace usage.

2. At the time of this writing our headquarters currently operates from the United States. Due to the lack of data retention laws in the US, our legal team has determined this location to be in the best interest of privacy for the time being. Although TorGuard’s HQ is in the US, we take the commitment to user privacy seriously and will uphold this obligation at all costs, even if it means transferring services or relocating company assets.

3. Our network team uses a combination of open source monitoring apps and custom developed tools to mitigate any ongoing abuse of our services. This allows us to closely monitor server load and uptime so we can pinpoint and resolve potential problems quickly. If abuse reports are received from an upstream provider, we block them in real-time by employing various levels of firewall rules to large blocks of servers. Should these methods fail, our team is quick to recycle entire IP blocks and re-deploy new servers as a last resort.

4. For basic troubleshooting and customer service purposes we utilize Livechatinc for our chat support. TorGuard staff does make use of Google Apps for company email, however no identifying client information like passwords, or billing info is ever shared among either of these platforms. All clients retain full control over account changes in our secure members’ area without any information passing through an insecure channel.

5. Because we do not host any content it is not possible for us to remove anything from a server. In the event a DMCA notice is received it is immediately processed by our abuse team. Due to our shared network configuration we are unable to forward any requests to a single user. In order to satisfy legal requirements from bandwidth providers we may temporarily block infringing protocols, ports, or IPs.

6. If a court order is received, it is first handled by our legal team and examined for validity in our jurisdiction. Should it be deemed valid, our legal representation would be forced to further explain the nature of a shared IP configuration and the fact that we do not hold any identifying logs. No, we remain unable to identify any active user from an external IP address and time stamp.

7. No, at this time we do not have a warrant canary.

8. Yes, TorGuard was designed with the BitTorrent enthusiast in mind. P2P is allowed on all servers, although for best performance we suggest using locations that are optimized for torrents. Users can find these servers clearly labeled in our VPN software.

9. We currently accept over 200 different payment options through all forms of credit card, PayPal, Bitcoin, altcoins (e.g. dogecoin, litecoin + more), Paysafecard, Alipay, CashU, Gift Cards, and many other methods. No usage can be linked back to a billing account due to the fact that we maintain zero logs across our network.

10. For best security we advise clients to use OpenVPN connections only and for encryption use AES256 with 2048bit RSA. Additionally, TorGuard VPN offers “Stealth” protection against DPI (Deep Packet Inspection) interference from a nosy ISP so you can access the open web freely even from behind the Great Firewall of China. These options are available on select locations and offer excellent security due to the cryptography techniques used to obfuscate traffic. Our VPN software uses OpenVPN exclusively and features built-in DNS leak protection, an App Killswitch, and a connection Killswitch. We have also just released a built-in WebRTC leak block feature for Windows Vista/7/8 users.

11. Yes, we offer private, no log DNS servers which can be obtained by contacting our support desk. By default we also use Google DNS and OpenDNS for performance reasons on select servers.

12. TorGuard currently maintains 1000+ servers in over 44 countries around the world and we continue to expand the network every month. We retain full physical control over all hardware and only seek partnerships with data centers who can meet our strict security criteria. All servers are deployed and managed exclusively by our in-house networking team via a single, secure key. We have servers in Australia, Belgium, Brazil, Canada, China, Costa Rica, Czech Republic, Denmark, Egypt, Finland, France, Germany, Greece, Hong Kong, Iceland, India, Indonesia, Ireland, Italy, Japan, Korea, Latvia, Luxembourg, Malaysia, Mexico, Netherlands, New Zealand, Norway, Panama, Poland, Portugal, Romania, Russia, Saudi Arabia, Singapore, South Africa, Spain, Sweden, Switzerland, Tunisia, Turkey, United Kingdom, USA, and Vietnam.

TorGuard website

IPVanish

1. IPVanish has a zero-log policy. We keep NO traffic logs on any customer, ever.

2. IPVanish is headquartered in the US and thus operates under US law.

3. IPVanish monitors CPU utilization, bandwidth and connection counts. When thresholds are passed, a server may be removed from rotation so as not to affect other users.

4. IPVanish does not use any external support tools that hold user information. We do, however, operate an opt-in newsletter that is hosted at Constant Contact. Customers are in no way obligated to sign up for the newsletter.

5. IPVanish keeps no logs of any user’s activity and responds accordingly.

6. IPVanish, like every other company, follows the law in order to remain in business. Only US law applies.

7. No.

8. P2P is permitted. IPVanish does not block or throttle any ports, protocols, servers or any type of traffic whatsoever.

9. Bitcoin, PayPal and all major credit cards are accepted. Payments and service use are in no way linked. User authentication and billing info are also managed on completely different and independent platforms.

10. We recommend OpenVPN with 256 bit AES as the most secure VPN connection and encryption algorithm. IPVanish’s service and software also currently provide DNS leak prevention. We are developing a kill switch in upcoming releases of our software.

11. IPVanish does use its own DNS servers. Local DNS is handled by the server a user connects to.

12. IPVanish is one of the only tier-1 VPN networks, meaning we own and operate every aspect of our VPN platform, including physical control of our VPN servers. This gives IPVanish users security and speed advantages over other VPN services. IPVanish servers can be found in over 60 countries including the US, UK, Canada, Netherlands and Australia.

IPVanish website

IVPN

1. No, this is fundamental to the service we provide. It is also in our interests not to do so as it minimizes our own liability.

2. Gibraltar. In 2014 we decided to move the company from Malta to Gibraltar in light of the new 2015 EU VAT regulations which affect all VPN service providers based in the EU. The EU VAT regulations now require companies to collect two pieces of non-conflicting evidence about the location of a customer; this would be at a minimum the customer’s physical address and IP address.

3. We have built a number of bespoke systems over the last 5 years as we’ve encountered and addressed most types of abuse. At a high level we use Zabbix, an open-source monitoring tool that alerts us to incidents. As examples we have built an anti-spam rate-limiter based on iptables so we don’t have to block any email ports and forked a tool called PSAD which allows us to detect attacks originating from our own network in real time.

4. No. We made a strategic decision from the beginning that no company or customer data would ever be stored on 3rd party systems. Our customer support software, email, web analytics (Piwik), issue tracker, monitoring servers, code repos, configuration management servers etc. all run on our own dedicated servers that we set up, configure and manage.

5. Our legal department sends a reply stating that we do not store content on our servers and that our VPN servers act only as a conduit for data. In addition, we never store the IP addresses of customers connected to our network nor are we legally required to do so.

6. That would depend on the information with which we were provided. If asked to identify a customer based on a timestamp and/or IP address then we would reply factually that we do not store this information, so we are unable to provide it. If they provide us with an email address and ask for the customer’s identity then we reply that we do not store any personal data, we only store a customer’s email address. If the company were served with a valid court order that did not breach the Data Protection Act 2004 we could only confirm that an email address was or was not associated with an active account at the time in question. We have never been served with a valid court order.

7. Yes, absolutely, we’ve published a canary since August 2014.

8. Yes, we don’t block BitTorrent or any other protocol on any of our servers. We do kindly request that our customers use non-USA based exit servers for P2P. Any company receiving a large number of DMCA notices is exposing themselves to legal action and our upstream providers have threatened to disconnect our servers in the past.

9. We accept Bitcoin, Cash and Paypal. When using cash there is no link to a user account within our system. When using Bitcoin, we store the Bitcoin transaction ID in our system. If you wish to remain anonymous to IVPN you should take the necessary precautions when purchasing Bitcoin (See part 7 of our advanced privacy guides). With Paypal we store the subscription ID in our system so we can associate incoming subscription payments. This information is deleted immediately when an account is terminated.

10. We provide RSA-4096 / AES-256 with OpenVPN, which we believe is more than secure enough for our customers’ needs. If you are the target of a state level adversary or other such well-funded body you should be far more concerned with increasing your general opsec than worrying about 2048 vs 4096 bit keys. The IVPN client offers an advanced VPN firewall that blocks every type of IP leak possible (DNS, network failures, WebRTC STUN, IPv6 etc.). It also has an ‘always on’ mode that will be activated on boot before any process on the computer starts. This will ensure that no packets are ever able to leak outside of the VPN tunnel.

11. Yes. Once connected to the VPN all DNS requests are sent to our pool of internal recursive DNS servers. We do not use forwarding DNS servers that forward the requests to a public DNS server such as OpenDNS or Google.

12. We use dedicated servers leased from 3rd party data centers in each country where we have a presence. We employ software controls such as full disk encryption and no logging to ensure that if a server is ever seized its data is worthless. We also operate a multi-hop network so customers can choose an entry and exit server in different jurisdictions to make the adversary’s job of correlating the traffic entering and exiting our network significantly more complicated. We have servers located in Switzerland, Germany, Iceland, Netherlands, Romania, France, Hong Kong, USA, UK and Canada.

IVPN website

PrivateVPN

1. We don’t keep ANY logs that allow us or a 3rd party to match an IP address and a time stamp to a user of our service. The only things we log are e-mails and user names, but it’s not possible to bind an activity on the Internet to a user on PrivateVPN.

2. We operate in Swedish jurisdiction.

3. If there’s abuse, we advise that service to block our IP in the first instance, and second, we can block traffic to the abused service.

4. No. We use a service from Provide Support (ToS) for live support. They do not hold any information about the chat session. From Provide support: Chat conversation transcripts are not stored on Provide Support chat servers. They remain on the chat server for the duration of the chat session, then optionally sent by email according to the user account settings, and then destroyed.

5. This depends on the country in which we’re receiving a DMCA takedown. For example, we’ve received a DMCA takedown for UK and Finland and our response was to close P2P traffic in those countries.

6. If we get a court order to monitor a specific IP then we need to do it, and this applies to every VPN company out there.

7. We’re working on a solution where we publish a statement that we haven’t received legal process. Once we receive legal process, this canary statement is removed.

8. Yes, we allow Torrent traffic.

9. PayPal, Payson, 2Checkout and Bitcoin. Every payment has an order number, which is linked to a user. Otherwise we wouldn’t know who has made a payment. To be clear, you can’t link a payment to an IP address you get from us.

10. OpenVPN TUN with AES-256. On top is a 2048-bit DH key. For our Windows VPN client, we have a feature called “Connection guard”, which will close a selected program(s) if the connection drops. We have no tools for DNS leaks but we’re working on a protection that detects the DNS leak and fixes this by changing to a secure DNS server.

11. We use a DNS from Censurfridns.

12. We have physical control over our servers and network in Sweden. All other servers and networks are hosted by ReTN, Kaia Global Networks, Leaseweb, FDCServers, Blix, Zen systems, Wholesale Internet, Creanova, UK2, Fastweb, Server.lu, Selectel, Amanah and Netrouting. We have servers located in: Sweden, United States, Switzerland, Great Britain, France, Denmark, Luxembourg, Finland, Norway, Romania, Russia, Germany, Netherlands, Canada and Ukraine.

PrivateVPN website

PRQ

1. No

2. Swedish

3. Our own.

4. No

5. We do not care about DMCA.

6. We only require a working e-mail address to be a customer, no other information is kept.

7. No.

8. As long as the usage doesn’t violate the ToS, we do not care.

9. None of the payment methods are linked to a user.

10. OpenVPN, customers have to monitor their service/usage.

11. Yes.

12. Everything is inhouse in Sweden.

PRQ website

Mullvad

1. No. This would make both us and our users more vulnerable so we certainly don’t. To make it harder to watch the activities of an IP address from the outside we also have many users sharing addresses, both for IPv4 and IPv6.

2. Swedish.

3. We don’t monitor our users. In the rare cases of such egregious network abuse that we can’t help but notice (such as DoS attacks) we stop it using basic network tools.

4. We do use external providers and encourage people sending us email to use PGP encryption, which is the only effective way to keep email somewhat private. The decrypted content is only available to us.

5. There is no such Swedish law that is applicable to us.

6. We get requests from governments from time to time. They never get any information about our users. We make sure not to store sensitive information that can be tied to publicly available information, so that we have nothing to give out. We believe it is not possible in Swedish law to construct a court order that would compel us to actually give out information about our users. Not that we would anyway. We started this service for political reasons and would rather discontinue it than have it work against its purpose.

7. Under current Swedish law there is no way for them to force us to secretly act against our users so a warrant canary would serve no purpose. Also, we would not continue to operate under such conditions anyway.

8. Yes.

9. Bitcoin (we were the first service to accept it), cash (in the mail), bank transfers, and PayPal / credit cards. Payments are tied to accounts but accounts are just random numbers with no personal information attached that users can create at will. With the anonymous payments possible with cash and Bitcoin it can be anonymous all the way.

10. OpenVPN (using the Mullvad client program). Regarding crypto, ideally we would recommend Ed25519 for certificates, Curve25519 for key exchange (ECDHE), and ChaCha20-Poly1305 for data streams but that suite isn’t supported by OpenVPN. We therefore recommend and by default use RSA-2048, D-H (DHE) and AES-256-CBC-SHA. We have a “kill switch,” DNS leak protection and IPv6 leak protection (and IPv6 tunnelling).

11. Yes, we use our own DNS servers.

12. We have a range of servers. At one end, servers lovingly assembled and configured by us with ambitious physical security in data centers owned and operated by people we trust personally and whose ideology we like. At the other end, rented hardware in big data centers. Which to use depends on the threat model and performance requirements. Currently we have servers hosted by GleSYS Internet Services, 31173 Services and Leaseweb in Sweden, the Netherlands, USA and Germany.

Mullvad website

BolehVPN

1. No.

2. Malaysia. This may change in the near future and we will post an announcement when this is confirmed.

3. We do monitor general traffic patterns to see if there is any unusual activity that would warrant a further investigation.

4. We use ZenDesk and Zopim but are moving to use OSTicket which is open source. This should happen in the next 1-2 months.

5. Generally we work with the providers to resolve the issue and we have never given up any of our customer information. Generally we terminate our relationship with the provider if this is not acceptable. Our US servers under DMCA jurisdiction or UK (European equivalent) have P2P locked down.

6. This has not happened yet but we do not keep any user logs so there is not much that can be provided especially if the payment is via an anonymous channel. One of our founders is a lawyer so such requests will be examined on their validity and we will resist such requests if done without proper cause or legal backing.

7. Yes.

8. Yes, it is allowed except on those marked Surfing-Streaming only which are restricted either due to the provider’s policies or limited bandwidth.

9. We use MolPay, PayPal, Coinbase, Coinpayments and direct deposits. On our system it is only marked with the Invoice ID, the account it’s for, the method of payment and whether it’s paid or not. We however of course do not have control of what is stored with the payment providers.

10. Our Cloak configurations implement 256 bit AES and a SHA-512 HMAC combined with a scrambling obfuscation layer. We do have a lock down/kill switch feature and DNS leak protection.

11. Yes we do use our own DNS servers.

12. Our VPN servers are hosted by third parties; however, for competitive reasons, we would rather not mention our providers (not that it would be hard to find out with some digging). However none of these servers hold anything sensitive as they are authenticated purely using PKI infrastructure and as long as our users regularly update their configurations they should be fine. We do however have physical control over the servers that handle our customers’ information.

BolehVPN website

NordVPN

1. Do we keep logs? What is that? Seriously, we have a strict no-logs policy over our customers. The only information we keep is customers’ e-mail addresses which are needed for our service registration (we keep the e-mail addresses until the customer closes the account).

2. NordVPN is based out of Panama.

3. No tools are used to monitor our customers in any case. We are only able to see the servers’ load, which helps us optimize our service and provide the best possible Internet speed to our users.

4. We use the third-party live support tool, but it is not linked to the customers’ accounts.

5. When we receive any type of legal notices, we cannot do anything more than to ignore them, simply because they have no legal bearing to us. Since we are based in Panama, all legal notices have to be dealt with according to Panamanian laws first. Luckily they are very friendly to Internet users.

6. If we receive a valid court order, firstly it would have to comply with the laws of Panama. In that case, the court settlement should happen in Panama first; however, were this to happen, we would not be able to provide any information because we keep exactly nothing about our users.

7. We do not have a warrant canary or any other alert system, because as it was mentioned above, we operate under the laws of Panama and we guarantee that any information about our customers will not be distributed to any third party.

8. We do not restrict any BitTorrent or other file-sharing applications on most of our servers.

9. We accept payments via Bitcoin, Credit Card, PayPal, Banklink, Webmoney (Paysera). Bitcoin is the best payment option to maintain your anonymity as it has only the paid amount linked to the client. Users who purchase services via PayPal are linked with the usual information the seller can see about the buyer.

10. We have high anonymity solutions which we would like to recommend to everyone seeking real privacy. One of them is Double VPN. The traffic is routed through at least two hops before it reaches the Internet. The connection is encrypted within two layers of cipher AES-256-CBC encryption. Another security solution – Tor over VPN. Firstly, the traffic is encrypted within the NordVPN layer and later sent to the Tor network and exits to the Internet through one of the Tor exit relays. Both of these security solutions give a great encryption and anonymity combination. The benefit of using these solutions is that the chances of being tracked are eliminated. In addition, you are able to access .onion websites when connected to Tor over VPN. Furthermore, our regular servers have a strong encryption which is 2048bit SSL for OpenVPN protocol, AES-256bit for L2TP.

In addition to that, we have advanced security solutions, such as the “kill switch” and DNS leak protection which provide the maximum possible security level for our customers.

11. NordVPN has its own DNS servers, also our customers can use any DNS server they like.

12. Our servers are outsourced and hosted by third parties. Currently our servers are in 26 countries: Australia, Austria, Brazil, Canada, Chile, France, Germany, Hong Kong, Iceland, Isle of Man, Israel, Italy, Liechtenstein, Lithuania, Netherlands, Panama, Poland, Romania, Russia, Singapore, South Africa, Spain, Sweden, Switzerland, United Kingdom and United States.

NordVPN website

TorrentPrivacy

1. We don’t keep any logs with IP addresses. The only information we save is an email. It’s impossible to connect specific activity to a user.

2. Our company is under Seychelles jurisdiction.

3. We do not monitor any user’s traffic or activity for any reason.

4. We use third-party solutions for user communications and emailing. Both are running on our servers.

5. We have a small amount of abuse. Usually we receive them through email and all of them are bot generated. As we don’t keep any content we just answer that we don’t have anything or ignore them.

6. It has never happened in 8 years. We will ignore any requests from all jurisdictions except Seychelles. We have no information regarding our customers’ IP addresses and activity on the Internet.

7. No, we don’t bother our users.

8. Yes, we support all kinds of traffic on all servers.

9. We are using PayPal but payment as a fact proves nothing. Also we are going to expand our payment types to cryptocurrencies in the near future.

10. We recommend using the most simple and secure way — OpenVPN with AES-256 encryption. To protect the torrent downloads we suggest creating a proxy SSH tunnel for your torrent client. In this case you are encrypting only your P2P connection while your browser or Skype use your default connection. When using a standard VPN, in case of disconnection your data flows unencrypted. Implementing our SSH tunnel will save you from such leaks because traffic will be stopped.

11. Yes. We are using our own DNS servers.

12. We use third party datacenters for VPN and SSH data transmission in the USA, UK and Netherlands. The whole system is located on our own servers.

TorrentPrivacy website

Proxy.sh

1. We do not keep any log at all.

2. Republic of Seychelles. And of course, every jurisdiction where each of our servers is, for their specific cases.

3. iptables, tcpdump and Wireshark, the use of which is always announced at least 24 hours in advance via our Network Alerts and/or Transparency Report.

4. All our emails, panels and support are in-house. We host our own WHMCS instance for billing and support. We host server details, project management and financial management on Redmine that we of course self-run. The only third-party connections we have are Google Analytics and Google Translate on our public website (not panel), for obvious convenience gains, but the data they fetch can easily be hidden or faked. We may also sometimes route email through Mandrill but never with user information. We also have our OpenVPN client’s code hosted at Github, but this is because we are preparing to open source it.

5. We block the affected port and explain to the upstream provider and/or complainant that we cannot identify the user who did the infringement, and we can therefore not pass the notice on. We also publish a transparency report and send a copy to the Chilling Effects Clearinghouse. If there are too many infringements, we may block all ports and strengthen firewall rules to satisfy the upstream provider, but this may lead us to simply drop the server in the short term due to it becoming unusable.

6. We first post the court order publicly and inform our users through our blog, much-followed Twitter account, transparency report and/or network alert. If we are unable to do so, we use our warrant canary. Then, we would explain to the court that we have no technical capacity to identify the user and we are ready to give access to competent and legitimate forensic experts. To date, no valid court order has been received and acknowledged by us.

7. Yes, proxy.sh/canary.

8. We do not discriminate activity across our network. We are unable to decrypt traffic to differentiate file-sharing traffic from other activities, and this would be against our ethics anyway. The use of BitTorrent and similar is limited solely by whether you can open/use the ports you wish for it on a selected server.

9. We support hundreds of payment methods, from PayPal to Bitcoin through SMS to Ukash and Paysafecard. We use third-party payment providers who handle and carry themselves the payments and the associated user information needed for them (e.g. a name with a credit card). We never have access to those. When we need to identify a payment for a user, we always need to ask him or her for references (to then ask the payment provider if the payment exists) because we do not originally have them. Last but not least, we also have an option to kill accounts and turn them into completely anonymous tokens with no panel or membership link at all, for the most paranoid customers (in the positive sense of the term).

10. We currently provide Serpent in non-stable & limited beta and it is the strongest encryption algorithm we have. We also openly provide to our experienced users ECDH curve secp384r1 and curve25519 through a 4096-bit Diffie-Hellman key. We definitely recommend such a setup but it requires software compiling skills (you need OpenVPN’s master branch). This setup also allows you to enjoy OpenVPN’s XOR capacity for scrambling traffic. We also provide integration of Tor’s obfsproxy for similar ends. Finally, for more neophyte users, we provide 4096-bit RSA as default standard. It is the strongest encryption that latest stable OpenVPN provides. Cipher and hash are the strongest available and respectively 256-bit CBC/AES and SHA512. Our custom OpenVPN client of course provides a kill switch and DNS leak protection.

11. Yes, we provide our own OpenNIC DNS servers as well as DNSCrypt capacity.

12. We use a mix of colocation (physically-owned), dedicated and virtual private servers – also known as a private/public cloud combination. All our VPN servers are running from RAM and are disintegrated on shutdown or reboot. About two-thirds of them are in the public cloud (especially for most exotic locations). Our network spans across more than 40 countries.

Proxy.sh website

HideIPVPN

1. We have revised our policy. Currently we store no logs related to any IP address. There is no way for any third-party to match user IP to any specific activity on the internet.

2. We operate under US jurisdiction.

3. We would have to get into details of each individual point of our ToS. For basics like P2P and torrent traffic on servers that do not allow for such transmissions, or connecting to more than three VPN servers at the same time by the same user account. But we do not monitor users’ traffic. Also, since our users use the shared IP address of the VPN server, there is no way any third party could connect any online activity to a user’s IP address.

4. We are using Google apps for incoming mail and our own mail server for outgoing mail.

5. Since no information is stored on any of our servers there is nothing that we can take down. We reply to the data center or copyright holder that we do not log our users’ traffic and we use shared IP-addresses, which make it impossible to track who downloaded any data from the internet using our VPN.

6. We would reply that we do not have measures that would allow us to identify a specific user. It has not happened so far.

7. Currently not. We will consider if our customers would welcome such a feature. So far we have never been asked for such information.

8. This type of traffic is welcomed on our German (DE VPN) and Dutch (NL VPN) servers. It is not allowed on US, UK and Canada servers as stated in our ToS – reason for this is our agreements with data centers. We also have a specific VPN plan for torrents.

9. Currently HideIPVPN accepts the following methods: PayPal, Bitcoin, Credit & Debit cards, AliPay, Web Money, Yandex Money, Boleto Bancario, Qiwi.

10. We would say the SoftEther VPN protocol looks very promising and secure. Users can currently use our VPN applications on Windows and OSX systems. Both versions have a “kill switch” feature in case the connection drops. Also, our apps are able to re-establish the VPN connection and, once active, restart closed applications.

Currently our software does not provide DNS leak protection. However a new version of VPN client is in the works and will be updated with such a feature. We can let you know once it is out. At this time we can say it will be very soon.

11. For VPN we use Google DNS servers, and for SmartDNS we use our own DNS servers.

12. We don’t have physical control of our VPN servers. Servers are outsourced in premium datacenters with high quality tier1 networks. Countries now include – US/UK/NL/DE/CA

HideIPVPN website

BTGuard

1. We do not keep any logs whatsoever.

2. United States

3. Custom programs that analyze traffic on the fly and do not store logs.

4. No, all data is stored on servers we control.

5. We do not have any open incoming ports, so it’s not possible for us to “takedown” any broadcasting content.

6. We would take every step within the law to fight such an order and it has never happened.

7. No.

8. Yes, all types of traffic are allowed with our services.

9. We accept PayPal and Bitcoin. All payments are linked to users’ accounts because they have to be for disputes and refunds.

10. We recommend OpenVPN and 128-bit blowfish. We offer instructions for some third party VPN monitoring software.

11. We use our own DNS servers.

12. We have physical control over all our servers. Our servers we offer services with are located in the Netherlands, Canada, and Singapore. Our mail servers are located in Luxembourg.

BTGuard website

SlickVPN

1. SlickVPN does not log any traffic nor session data of any kind.

2. We operate a complex business structure with multiple layers of Offshore Holding Companies, Subsidiary Holding Companies, and finally some Operating Companies to help protect our interests. We will not disclose the exact hierarchy of our corporate structures, but will say the main marketing entity for our business is based in the United States of America and an operational entity is based out of Nevis.

3. We do not monitor any customer’s activity in any way. We have chosen to disallow outgoing SMTP which helps mitigate SPAM issues.

4. No. We do utilize third party email systems to contact clients who opt in for our newsletters.

5. If a valid DMCA complaint is received while the offending connection is still active, we stop the session and notify the active user of that session, otherwise we are unable to act on any complaint as we have no way of tracking down the user. It is important to note that we ALMOST NEVER receive a VALID DMCA complaint while a user is still in an active session.

6. Our customers’ privacy is of topmost importance to us. We are required to comply with all valid court orders. We would proceed with the court order with complete transparency, but we have no data to provide any court in any jurisdiction. We would not rule out relocating our businesses to a new jurisdiction if required.

7. Yes. We maintain a passive warrant canary, updated weekly, and are investigating a way to legally provide a passive warrant canary which will be customized on a “per user” basis, allowing each user to check their account status individually. It is important to note that the person(s) responsible for updating our warrant canary are located outside of any of the countries where our servers are located.

8. Yes, all traffic is allowed.

9. We accept PayPal, Credit Cards, Bitcoin, Cash, and Money Orders. We keep user authentication and billing information on independent platforms. One platform is operated out of the United States of America and the other platform is operated out of Nevis. We offer the ability for the customer to permanently delete their payment information from our servers at any point. All customer data is automatically removed from our records shortly after the customer ceases being a paying member.

10. We recommend using OpenVPN if at all possible (available for Windows, Apple, Linux, iOS, Android) and it uses the AES-256-CBC algorithm for encryption.

Our Windows and Mac client incorporates IP and DNS leak protection which prevents DNS leaks and provides better protection than ordinary ‘kill-switches’. Our IP leak protection proactively keeps your IP from leaking to the internet. This was one of the first features we discussed internally when we were developing our network, it is a necessity for any good VPN provider.

11. Yes.

12. We run a mix. We physically control some of our server locations where we have a heavier load. Other locations are hosted with third parties until we have enough traffic in that location to justify racking our own server setup. To ensure redundancy, we host with multiple providers in each location. We have server locations in over forty countries. In all cases, our network nodes load over our encrypted network stack and run from ramdisk. Anyone taking control of the server would have no usable data on the disk. We run an algorithm to randomly reboot each server on a regular basis so we can clear the ramdisk.

SlickVPN website

OctaneVPN

1. No. We cannot locate an individual user by IP address and timestamp. There are no logs written to disk on our gateways.

The gateway servers keep the currently authenticated customers in the server’s RAM so they can properly connect and route incoming traffic to those customers. Obviously, if a server is powered down or restarted, the contents of the RAM are lost. We keep gateway performance data such as CPU loading, I/O rates and maximum simultaneous connections so that we can manage and optimize our network.

2. We operate two independent companies with different ownership structures – a network operations company and a marketing company. The network operations company operates out of Nevis. The marketing company operates under US jurisdiction and manages the website, customer accounts and support. The US company has no access to network operations and the Nevis company has no customer account data.

3. We are not in the business of monitoring customer traffic in any way. Spam emails were our biggest issue and early on we decided to prevent outgoing SMTP. Otherwise, the only other abuse tools we use are related to counting the number of active connections authenticated on an account to control account sharing issues. We use a NAT firewall on incoming connections to our gateways to add an extra layer of security for our customers.

4. No. We do use a service to send generic emails.

5. Due to the structure of our network operations company, it is unusual that we would receive a notice. There should be no cause for the marketing company to receive a notice. If we receive a DMCA notice or its equivalent based on activity that occurred in the past, we respond that we do not host any content and have no logs.

If we receive a DMCA notice based on very recent activity and the customer’s current VPN session during which it was generated is still active on the gateway, we may put the account on hold temporarily and notify the customer. No customer data is used to respond to DMCA notices.

6. Our customers’ privacy is a top priority for us. We would proceed with a court order with complete transparency. A court order would likely be based on an issue traced to a gateway server IP address and would, therefore, be received by our network operations company, which is Nevis based. The validity of court orders from other countries would be difficult to enforce. The network company has no customer data.

Our marketing company is US based and would respond to an order issued by a court of competent jurisdiction. The marketing company does not have access to any data related to network operations or user activity, so there is not much information that a court order could reveal. This has not happened.

7. We are discussing internally and reviewing existing law related to how gag orders are issued to determine the best way to offer this measure of customer confidence.

8. Yes. We operate with network neutrality except for outgoing SMTP.

9. Bitcoin and other cryptocurrencies such as Darkcoin, Credit/Debit Card, and PayPal. If complete payment anonymity is desired, we suggest using Bitcoin, DarkCoin, or a gift/disposable credit card. Methods such as PayPal or Credit/Debit card are connected to an account token so that future renewal payments can be properly processed and credited. We allow customers to edit their account information. With our US/Nevis operating structure, customer payment systems information is separate from network operations.

10. We recommend using the AES-256-CBC cipher with OpenVPN, which is used with our client. IPSec is available for native Apple device support and PPTP is offered for other legacy devices, but OpenVPN offers the best security and speed and is our recommended protocol.

We provide both DNS and IP leak protection in our Windows and Mac OctaneVPN client. Our OpenVPN based client’s IP leak protection works by removing all routes except the VPN route from the device when the client has an active VPN connection. This is a better option than a ‘kill switch’ because our client ensures the VPN is active before it allows any data to leave the device, whereas a ‘kill switch’ typically monitors the connection periodically, and, if it detects a drop in the VPN connection, reacts.

11. Yes and we physically control them. You can choose others if you prefer.

12. In our more active gateway locations, we colocate. In locations with lower utilization, we normally host with third parties until volume at that location justifies a physical investment there. The hosted locations may have different providers based on geography. We operate gateways in over 44 countries and 90 cities. Upon booting, all our gateways load over our encrypted network from a master node and operate from encrypted ramdisk. If an entity took physical control of a gateway server, the ramdisk is encrypted and would vanish upon powering down.

OctaneVPN website

Source: TorrentFreak, for the latest info on copyright, file-sharing, torrent sites and anonymous VPN services.

Darknet - The Darkside: CMSmap – Content Management System Security Scanner

This post was syndicated from: Darknet - The Darkside and was written by: Darknet. Original post: at Darknet - The Darkside

CMSmap is a Python open source Content Management System security scanner that automates the process of detecting security flaws of the most popular CMSs. The main purpose of CMSmap is to integrate common vulnerabilities for different types of CMSs in a single tool. At the moment, CMSs supported by CMSmap are WordPress, Joomla and Drupal….

Read the full post at darknet.org.uk

LWN.net: IPython 3.0 released

This post was syndicated from: LWN.net and was written by: corbet. Original post: at LWN.net

The IPython interactive development system project has announced its 3.0 release. “Support for languages other than Python is greatly improved, notebook UI has been significantly redesigned, and a lot of improvement has happened in the experimental interactive widgets. The message protocol and document format have both been updated, while maintaining better compatibility with previous versions than prior updates. The notebook webapp now enables editing of any text file, and even a web-based terminal (on Unix platforms).” (LWN looked at IPython in 2014).

Raspberry Pi: Happy birthday to us!

This post was syndicated from: Raspberry Pi and was written by: Liz Upton. Original post: at Raspberry Pi

It’s the Raspberry Pi’s third birthday today (or as near as we can get: we launched on February 29 in a leap year). To celebrate we’re having a huge party/conference/scrum over the weekend in Cambridge – we’ve sold 1,300 tickets and I’m currently hiding in the press room to get this post written. I’m on a really overloaded WiFi network, so I’m having trouble uploading pictures at the minute: we’ll have some for you next week.

Three years ago, we made 2,000 little computers, and I remember looking at the pallet, and thinking: “Cripes. Can’t believe we’ve made so many computers. That’s amazing.”

We’ve sold half a million of the things just this month. Thanks to everyone who’s joined us on this extraordinarily weird journey – you’re all brilliant.

This is becoming an annual tradition: Matt Timmons Brown, one of my favourite 15-year-olds, has made us another celebratory video. (Here’s last year’s.) Thank you Matt!


TorrentFreak: *CENSORED* Fifty Shades of Grey an HD BitTorrent Hit

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

Last month a couple of near perfect copies of the Liam Neeson movie Taken 3 leaked onto the Internet. One with Arabic subtitles and one without, both copies were recorded from the OSN pay TV network headquartered in Dubai, United Arab Emirates.

At the end of our article we noted that a Chinese VOD platform had already announced that it would air Fifty Shades of Grey in HD in the final days of February.

Yesterday and as promised, China’s QQ.com aired the popular movie. As predicted by our source, pirates were waiting for the screening and within minutes of the final credits, Fifty Shades of Grey began to appear on torrent sites in full HD.


Needless to say, the quality boost was most appreciated by the waiting masses. Earlier copies of the controversial movie have been circulating for a couple of weeks but their grainy and shaky CAM sources left much to be desired. Now available in HD – albeit with Chinese subtitles – one might think the eroticism would be so much more detailed and enjoyable. Well, not exactly.


Despite more than 100,000 BitTorrent users flocking to the release in just the first 12 hours (and most being highly complimentary about the quality), many have noticed that the movie is somewhat lacking in the sex scene department. The problem, it appears, is the source.

QQ.com is operated by Tencent, one of China’s largest Internet companies and, as can be seen from the image below, also has deals with some of the leading studios in the United States.


While this means that QQ has early access to movies, it’s not free to show content frowned upon by Chinese authorities. As a result, Fifty Shades appears to have fallen to the censors.

“Good quality scan, but most of the nudity has been edited out. This is basically a PG-13 version,” a KickassTorrents user reported.

“It is really good quality,” said another. “But it is missing what the movie was so popular for, sex scenes. If you don’t care for them, then this is a good copy, if you do….don’t waste your time.”

Exactly how much has been cut will be revealed in due course, but according to several people familiar with the Chinese version between four and six minutes are absent from the release.

The big question now is whether the majority of viewers will think the movie has been censored or will conclude that it’s much tamer than they were led to believe. Either way, downloaders will most certainly remain eager for a longer, sexier copy – without off-putting subtitles.

Source: TorrentFreak, for the latest info on copyright, file-sharing, torrent sites and anonymous VPN services.

SANS Internet Storm Center, InfoCON: green: Let’s Encrypt!, (Fri, Feb 27th)

This post was syndicated from: SANS Internet Storm Center, InfoCON: green and was written by: SANS Internet Storm Center, InfoCON: green. Original post: at SANS Internet Storm Center, InfoCON: green

As I have stated in the past, I am not a fan of all of the incomprehensible warning messages that average users are inundated with, and almost universally fail to understand, and the click-thru culture these dialogs are propagating.

Unfortunately this is not just confined to websites on the Internet. With the increased use of HTTPS for web based management, this issue is increasingly appearing on corporate networks.

The issue in most cases is caused by what is called a self-signed certificate: essentially, a certificate not backed by a recognized certificate authority, so the browser has no trusted chain to validate it against. The fact is that recognized certificates are not cheap. For vendors to supply valid certificates for every device they sell would add significant cost to the product and would require the vendor to manage those certificates on all of their machines.

The Internet Security Research Group (ISRG), a public benefit corporation sponsored by the Electronic Frontier Foundation (EFF), Mozilla and other heavy hitters, aims to help reduce this problem and clean up the invalid certificate warning dialogs.

Their project, Let’s Encrypt, aims to provide certificates for free, and to automate the deployment, renewal and expiry of certificates.

Essentially, a piece of software is installed on the server which will talk to the Let’s Encrypt certificate authority. From Let’s Encrypt’s website:

The Let’s Encrypt management software will:

  • Automatically prove to the Let’s Encrypt CA that you control the website
  • Obtain a browser-trusted certificate and set it up on your web server
  • Keep track of when your certificate is going to expire, and automatically renew it
  • Help you revoke the certificate if that ever becomes necessary.
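
The two checks an automated agent like the one described above must perform, deciding whether a certificate is self-signed and whether it is close enough to expiry to renew, can be done with nothing more than the openssl command-line tool. The script below is an added example, not code from the ISC diary or from the Let’s Encrypt project; it assumes openssl is installed and builds its own throwaway self-signed certificate (the constructed sample input, standing in for the kind shipped on a management interface) rather than contacting any CA.

```shell
#!/bin/sh
# Added example (not from the ISC diary or Let's Encrypt): inspect a PEM
# certificate the way an automated renewal agent would. Assumes the openssl
# command-line tool is on PATH.

# make_self_signed OUT_PEM DAYS: constructed sample input, a throwaway
# self-signed certificate valid for DAYS days, like one found on an
# appliance's web-based management page. Private key goes to OUT_PEM.key.
make_self_signed() {
    out="$1"; days="$2"
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "${out}.key" -out "$out" \
        -days "$days" -subj "/CN=device.example.test" >/dev/null 2>&1
}

# is_self_signed PEM: prints "yes" when issuer and subject are identical
# (no third-party CA vouches for the certificate), "no" otherwise.
is_self_signed() {
    subj=$(openssl x509 -in "$1" -noout -subject)
    iss=$(openssl x509 -in "$1" -noout -issuer)
    # strip the "subject=" / "issuer=" prefixes before comparing
    if [ "${subj#subject=}" = "${iss#issuer=}" ]; then echo yes; else echo no; fi
}

# expires_within PEM SECONDS: returns 0 if the certificate expires within
# SECONDS, 1 otherwise. Note that openssl's -checkend exits NON-zero when the
# certificate will expire inside the window, so the result is inverted here.
expires_within() {
    if openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1; then
        return 1
    else
        return 0
    fi
}

# renew_if_needed PEM THRESHOLD_DAYS: the renewal decision itself. Prints
# "renew" when fewer than THRESHOLD_DAYS of validity remain, "ok" otherwise.
renew_if_needed() {
    if expires_within "$1" $(( $2 * 86400 )); then echo renew; else echo ok; fi
}

# Demo: a constructed 10-day certificate, which a 30-day renewal policy
# would flag for renewal.
demo_dir=$(mktemp -d)
make_self_signed "$demo_dir/demo.pem" 10
echo "self-signed: $(is_self_signed "$demo_dir/demo.pem")"
echo "renewal decision (30-day threshold): $(renew_if_needed "$demo_dir/demo.pem" 30)"
rm -rf "$demo_dir"
```

Running the same functions over the certificates harvested from an internal network (for example, the output of an inventory scan saved as PEM files) gives a quick list of which management interfaces are still on self-signed certificates, which is the population the post says Let’s Encrypt is meant to shrink.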

While there is still some complexity involved it should make it a lot easier, and cheaper, for vendors to deploy legitimate certificates into their products. I am interested to see how they will stop bad guys from using their certificates for Phishing sites, and what the process will be to report fraudulent use, but I am sure all of that will come.

Currently, it sounds like the Let’s Encrypt certificate authority will start issuing certificates in mid-2015.

– Rick Wanner MSISE – rwanner at isc dot sans dot edu – http://namedeplume.blogspot.com/ – Twitter:namedeplume (Protected)

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Backblaze Blog | The Life of a Cloud Backup Company: Translating Morse Code for Verizon

This post was syndicated from: Backblaze Blog | The Life of a Cloud Backup Company and was written by: Yev. Original post: at Backblaze Blog | The Life of a Cloud Backup Company


Yesterday, the FCC announced that it would be reclassifying internet service providers as Title II utilities. Net Neutrality has been a topic of great debate over the last few months, and while many people are excited about the change, there is also some dissent. Verizon for their part, looked to the past, claiming that the FCC is going back to 1930’s technology, by posting their official response to the FCC in Morse Code.

We appreciate the humor in their approach, but we think they severely limited the possibility of having their message read and appreciated. We’d like help. We’ve taken the liberty of translating their Morse Code encoded message into a language that is more common among the millions of people whose careers are built on the Internet. The Verizon point of view in Klingon:

[image: Verizon_Klingon]

Hopefully this won’t turn into an intergalactic incident, but we’re excited to see how the new internet rules will play out!

LLAP

Author information

Yev


Chief Smiles Officer at Backblaze

Yev enjoys speed-walking on the beach. Speed-dating. Speed-writing blog posts. The film Speed. Speedy technology. Speedy Gonzales. And Speedos. But mostly technology.


The post Translating Morse Code for Verizon appeared first on Backblaze Blog | The Life of a Cloud Backup Company.

LWN.net: VLC 2.2.0 released

This post was syndicated from: LWN.net and was written by: n8willis. Original post: at LWN.net

Version 2.2.0 of the VLC media player has been released. According to the announcement, highlights in the new version include automatic, hardware-accelerated rotation of portrait-orientation videos such as those shot on smartphones, resuming playback at the last point watched in the previous session, in-application download and installation of extensions, support for interactive Blu-Ray menus, and “compatibility with a very large number of unusual codecs.” The release is available for Linux, Android, and Android TV, plus various Windows and Apple platforms.

Schneier on Security: Friday Squid Blogging: Humboldt Squid Communicate by Flashing Each Other

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

Scientists are attaching cameras to Humboldt squid to watch them communicate with each other.

As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered.

TorrentFreak: MPAA Pushes For ICANN Policy Changes to Target “Pirate” Domains

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

The Internet Corporation for Assigned Names and Numbers (ICANN) is the main oversight body for the Internet’s global domain name system.

Among other things, ICANN develops policies for accredited registrars to prevent abuse and illegal use of domain names.

What not many people know, however, is that the MPAA is actively involved in shaping these policies.

As a member of several ICANN stakeholder groups the lobby outfit is keeping a close eye on the movie industry’s interests. Most of these efforts are directed against pirate sites.

For example, in ICANN’s most recent registrar agreements it’s clearly stated that domain names should not be used for copyright infringement.

As the MPAA’s Alex Deacon explains, these agreements “contain new obligations for ICANN’s contract partners to promptly investigate and respond to use of domain names for illegal and abusive activities, including those related to IP infringement.”

The MPAA hopes that “the community” will take these new obligations seriously and make sure that they are enforced.

“As with any new contractual obligations, it is essential that the community as a whole be on the same page on how these obligations are interpreted and ultimately enforced,” Deacon writes.

The MPAA’s involvement with ICANN’s policy making is a sensitive subject and Deacon’s comments in public are carefully worded. However, the MPAA is getting involved with ICANN for a reason.

Thanks to internal documents that were made public in the Sony leak, we know that the MPAA ideally wants to adopt “procedures for broad-based termination of pirate sites.”

While admitting that such a major change is “unlikely,” the MPAA notes that “seeking to make policy changes through ICANN meetings” remains an important strategy.

Besides influencing future policy, the MPAA also sees an option to use the existing agreements to convince registrars to take action against domain names that are used by “pirate” sites.

“The recent ICANN changes to the registrar agreement for new gTLDs apparently provide non-judicial ‘notice’ opportunities that may suggest new strategies requiring fewer resources. We need to explore these further,” the internal MPAA document reveals.

Whether registrars are likely to comply with voluntary takedown requests has yet to be seen though. Previously, City of London Police didn’t have much luck with a similar strategy.

Source: TorrentFreak, for the latest info on copyright, file-sharing, torrent sites and anonymous VPN services.

LWN.net: LLVM 3.6 Released

This post was syndicated from: LWN.net and was written by: corbet. Original post: at LWN.net

Version 3.6 of the LLVM compiler suite is out. Changes include “many many bug fixes, optimization improvements, support for more proposed C++1z features in Clang, better native Windows compatibility, embedding LLVM IR in native object files, Go bindings, and more.” Details can be found in the LLVM 3.6 release notes and the Clang 3.6 release notes.

Lauren Weinstein's Blog: Google’s Gutsy Reversal: Explicit Content Blogger Ban Rescinded

This post was syndicated from: Lauren Weinstein's Blog and was written by: Lauren. Original post: at Lauren Weinstein's Blog

Just a few days ago, in With Sudden Blogger Change, Google Drags Their Trust Problem Back into the Spotlight, I expressed strong concerns over Google’s decision to both retroactively and proactively ban most “explicit content” from their Blogger platform, with only a month’s warning and no real explanation offered at the time for such a dramatic policy change. The next…