Darknet - The Darkside: Pentoo – Gentoo Based Penetration Testing Linux LiveCD

This post was syndicated from: Darknet - The Darkside and was written by: Darknet. Original post: at Darknet - The Darkside

Pentoo is a Gentoo based penetrating testing linux LiveCD. It’s basically a Gentoo install with lots of customized tools, customized kernel, and much more. Here is a non-exhaustive list of the features currently included: Hardened Kernel with aufs patches Backported Wifi stack from latest stable kernel release Module loading support ala slax…

Read the full post at darknet.org.uk

LWN.net: Kernel prepatch 4.0-rc6

This post was syndicated from: LWN.net and was written by: corbet. Original post: at LWN.net

Linus has released 4.0-rc6 right on
schedule. “Things are calming down nicely, and there are fixes all
over. The NUMA balancing performance regression is fixed, and things are
looking up again in general. There were a number of i915 issues and a KVM
double-fault thing that meant that for a while there I was pretty sure that
this would be a release that will go to rc8, but that may be
unnecessary.

трънки и блогинки: Цената на „държавния или обществен интерес“

This post was syndicated from: трънки и блогинки and was written by: Пейо. Original post: at трънки и блогинки

По повод продажбата на БТК, Дунарит и другите останки от империята на Цветан Василев за едно евро, се заговори за връщане правото на прокуратурата да иска разваляне на сделки, които са в ущърб на държавния или обществен интерес.  На пръв поглед това може да звучи справедливо, но аз считам промяната на закони заради частен случай и въвеждането на невъзможни за точна интерпретация критерии като „държавния или обществен интерес“, не само за безпринципно, но и много рисково. За да не се отдавам на абстрактни разсъждения по принцип, искам да разкажа за една от от най-скъпите илюстрации на опасенията ми – делото за национализацията на петролната компания Юкос от руската държава.
Делото Юкос срещу Русия, освен че е забележителен спектакъл за десетки милиарди, е изключително важно заради акцентирането на значението, което се отдава на думите на представляващите държавата. Резюмирам сърцевината на решението:

  1. Основанието за национализация. Руската федерация е национализирала Юкос, обосновавайки се с укриване на данъци.
  2. Размера на иска. Ищците искат 114 милиарда ($114 174 000 000), като компенсация за стойността на активите и пропуснатите приходи.
  3. Преценка на обстоятелствата по делото:
    1. Арбитрите споделят мнението, че дори и да е налице данъчно нарушение, то национализацията не е подходяща и не е пропорционална мярка, спрямо укриването на данъци.
    2. От друга страна, арбитрите проучват данъчната практика в Русия и намират прилаганите от Юкос схеми за намаляване на данъчните задължения за „законни, но съмнителни“.
  4. Вината. Арбитрите единодушно решават, че национализацията е незаконна. Основание за решението им са намеренията зад действията и отношението на ръководителите на руската държава, за които си правят ясен извод от изказванията на Владимир Путин, че:
    1. национализацията на Юкос е защита на държавните търговски интереси («защита государственных коммерческих интересов»);
    2. на квалификацията, че приватизацията на компанията е била престъпна, и
    3. описанието, че използвайки напълно законни механизми руската държава е се е погрижила за своите интереси.
  5. Определяне на обезщетението: Отчитайки преценката на обстоятелствата по делото и заключението относно намеренията на ръководената от Путин администрация, арбитрите разделят отговорността между Русия и Юкос на 75:25. По този начин се стига до осъдителното решение Русия да плати $50 милиарда на акционерите на Юкос.

Толкова. Русия може да е действала напълно в рамките на процедурите и законите, но когато действащите лица контролират изпълнителната и законодателната власт, намеренията са това, което има значение.

В контекста на разказа за Юкос, искам да се върна към актуалните събития и да ви обърна внимание върху думите на Бойко Борисов по отношение на продажбата на БТК, Дунарит и другите останки от империята на Цветан Василев за едно евро:

  1. Квалифицира придобиването на БТК като: „разбойническата приватизация“;
  2. Признава, че той няма възможност да действа: „Фактически, инструментариумът на държавата да запази собствеността и това, което трябва да направи в момента. Така са направени законите, че няма тези права.“, но иска да окаже влияние като промени това:
  3. „Става въпрос за промени в ГПК и НПК, които да върнат правото на прокуратурата да завежда отделно дело срещу сделки, които са в ущърб на държавния или обществен интерес“, е заявил пред „Медиапул“ председателят на правната комисия в парламента Данаил Кирилов (ГЕРБ)
Сравнете тези изказвания с изказванията, въз основа на които взима решенията арбитража по делото Юкос. За мен аналогиите са очевидни. Но Бойко Борисов далеч не е единственият, който е престъпно невнимателен какво говори. Ето още няколко примера за такива изказвания, които може скоро да ни струват скъпо:
  1. Иван Искров (все още управител на БНБ), който заяви, как ще бъде разделена КТБ, чрез приет нарочен закон с патетичното си изказване: „Оттук нататък на ход са политиците!„. С това той основание за вземане на инвестиционно решение не само от вложителите кредитополучателите на банката, но и тези, които бяха закупили облигации от контролираните от тях дружества.
  2. Пламен Орешарски, който на практика призна иска на Росатом за АЕЦ „Белене“, като го определи като такъв „който с голяма степен на достоверност ще бъде спечелен“.
  3. За мен най-престъпно безразсъдни бяха изказванията и действията на Драгомир Стойнев, в качеството на министър на енергетиката и принципал на БЕХ,  насочи „независимия“ регулатор ДКЕВР да понижи цената на тока; взе страна в защита на държавната НЕК срещу електро-разпределителните дружества; подкрепи предложеният от Атака 20% данък върху зелената енергия и когато заговори за „национализацията на електроразпределителните дружества“.

В момента тече арбитраж за АЕЦ „Белене“, срещу действията на Стойнев също бяха заведени дела, и тепърва ще се развиват съдебни саги по последиците от фалита на КТБ. Заради делата и конкретно заради думите им всички горепосочени „държавници“ са за съд, пред който се надявам да се изправят възможно най-скоро. Но настрани от това изводът, е че безпринципността и използването на държавната власт за конюнктурни интереси в крайна сметка излиза скъпо. В крайна сметка „държавния или обществен интерес“ е в стабилна и предвидима държава, която е инфраструктура за гражданите си, а не властващ над гражданите субект.

TorrentFreak: Filmmakers Demand Cash From Popcorn Time Pirates

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

popcorntAfter suing hundreds of alleged downloaders in the United States, the makers of Dallas Buyers Club expanded their legal campaign to Europe late last year.

The first cases were brought in Denmark, with anti-piracy lawfirm Maqs demanding fines of roughly 250 euros per infringement.

After collecting several successful payments the scheme is now getting traction locally, especially following reports that Popcorn Time has become more popular than Netflix.

“You could say that the ‘Dallas Buyers Club’ letters have been a success in the number of inquiries that have come in,” Maqs’ lawyer Jeppe Brogaard Clausen told DR, noting that new letters are still being sent out for Dallas Buyers Club.

One of the filmmakers interested in the “speculative invoicing” scheme is Danish producer Ronnie Fridthjof. Together with other industry players he’s determined to go after Popcorn Time users.

“I had hoped that politicians and the police would take care of such matters, but unfortunately that hasn’t happened. When my business is threatened, I am more or less forced to do something,” Fridthjof tells TV2.

While Popcorn Time is specifically mentioned as a target, the action will affect regular BitTorrent users as well. After all, Popcorn Time streams films by connecting to regular torrent swarms.

The new fines are expected to be sent out this summer. The first ones will be around 1,000 to 2,000 Danish krone ($150 to $300), and will increase if recipients fail to respond. As a last resort the filmmakers are considering whether to take alleged pirates to court.

According to some users streaming films via Popcorn Time is seen as something in a legal gray area. Fridthjof, however, has no doubt that it’s against the law.

“It is absolutely crazy that people believe it is legal. It is in no way! It is comparable buying and selling counterfeit goods right next to an official store,” he says.

Similarly, the filmmaker doesn’t buy the excuse that people use Popcorn Time because the legal services don’t have the latest films. That doesn’t justify grabbing something for free, he says.

“We must be able to choose which business model we want, and it must not be guided by unlawful acts. We will not make a business model that competes with free content,” he says.

Legal threats against Popcorn Time users are not new. In the U.S. lawsuits against BitTorrent pirates are quite common, and in Germany Popcorn Time related ‘fines’ have also been issued.

Responding to these developments, various Popcorn Time variants have warned their users over possible legal repercussions and have started offering anonymizing options. Both popcorntime.io and popcorn-time.se now have built-in VPN support.

For now there are still many people using Popcorn Time without anonymizing services, so there will still be plenty of people to fine.

Source: TorrentFreak, for the latest info on copyright, file-sharing, torrent sites and anonymous VPN services.

Raspberry Pi: The Young Innovators’ Club in Ulaanbaatar

This post was syndicated from: Raspberry Pi and was written by: Helen Lynn. Original post: at Raspberry Pi

The Young Innovators’ Club is a new initiative to promote engineering and tech education for school-aged children in Mongolia. It’s currently piloting a Raspberry Pi-based after-school club in Mongolia’s capital, Ulaanbaatar, with support from the National Information Technology Park, where activities take place:

Blinky lights
Girl with Pi
Student breadboarding
Students collaborate

Scratch and Python are on the menu, and electronics features prominently, with students using Raspberry Pis to control LEDs, sensors, motors and cameras. Club Coordinator Tseren-Onolt Ishdorj says,

So far the result of the club is very exciting because parents and children are very much interested in the club’s activity and they are having so much fun to be part of the club – trying every kind of projects and spending their spare time happily.

The idea of introducing Raspberry Pi-based after-school clubs was originally put forward by Enkhbold Zandaakhuu, Chairman of the Mongolian Parliament and himself an engineer by training; a group of interested individuals picked up the idea and established the Club in late 2014, and it has since attracted the interest of peak-time Mongolian TV news and other local media. The Club plans to establish After-School Clubs for Inventors and Innovators (ASCII) across the country with the help of schools, parents and other organisations and individuals; this would involve about 600-700 schools, and include training for over 600 teachers. They’re hopeful of opening a couple of dozen of these this year.

We’re quite excited about this at Raspberry Pi. It was lovely to see our Raspberry Jams map recently showing upcoming events on every continent except for Antarctica (where there are Pis, even if not, as far as we know, any Jams), but nonetheless there’s a displeasing Pi gap across central Asia and Russia:

Jams everywhere

Raspberry Jams on every continent except Antarctica (yes, really: the one that seems to be on the south coast of Spain is actually in Morocco)

It’s fantastic to know, then, that school students are learning with Raspberry Pis in Ulaanbaatar. We’ll be keeping up with developments at the Young Innovators’ Club on their Facebook page, where you can find lots of great photos and videos of the students’ work – we hope you’ll take a look, too.

Breadboard robot
Pi and breadboard
Lego robot

Backblaze Blog | The Life of a Cloud Backup Company: The Complete Guide to Computer Backup

This post was syndicated from: Backblaze Blog | The Life of a Cloud Backup Company and was written by: Andy Klein. Original post: at Backblaze Blog | The Life of a Cloud Backup Company

Backup Resource Center

“How do I backup my computer?” That should be an easy question to answer, but if you’ve spent any time at all searching online you know that a simple query produces a myriad of results that are often confusing, incomplete, and in the end are not very helpful.

What would be great is a single place that addresses all of the available backup options for your computer, your smartphone and your iPad/tablet. The information there would be unbiased, easy-to-understand, and give you the ability to create a backup plan that fits you. Yes, that would nice.

That’s why today we are introducing the Complete Guide to Computer Backup Resource Center. The center consists of multiple sections each covering the topics needed to create and implement a backup plan that fits your devices and your data. Each section is designed to help the backup newbie as well as the seasoned computer pro to safely and efficiently backup their data.

Below, you’ll find a quick overview of each of the sections of the Backup Resource Center.

Getting Started with Data Backup

If you are new to data backup, you can begin with the Computer Backup Guide. This introductory guide starts by answering, “what is a computer backup”, and looks at different backup options like drive cloning, external hard drives and online backup.

Computer Backup Options

If you’re ready to dig a little deeper then the next step is to read the Backup Options Guide, which details the pros/cons of each type of backup product option available, ranging from CD/DVDs to cloud based services.

How to Backup Guides for Mac and Windows

Once you are comfortable with your options the next step is to implement a backup system. We have specific guides for how to backup your Mac and how to backup your Windows PC. These are hands on instructions for specific tasks like setting up Time Machine, cloning a hard drive, and using Windows Backup and Restore functions.

Mobile Device Backup Options

Of course in this day and age no backup guide would be complete without exploring your options for backing up your iPhone, iPad, and Android devices. The Mobile Device Backup Options does just that. Digging into the various Apple and Google systems for backup as well as third party and manufacturer options.

Online Storage vs. Online Backup

Lastly a lot of people are confused about the differences between online storage and online backup. Although on the surface the services have many similarities, the ideal use cases are in fact very different. In this guide we delve into what makes each service different and when it is best to use one or other or both in conjunction.

Final Thoughts

In the Computer Backup Resource Center you will find everything you need to easily setup your own backup plan. Without a backup plan, a hard drive failure or a stolen or lost computer or smartphone can mean the loss of years of irreplaceable digital memories. Now there is a comprehensive collection of backup options in one place. Take you a few minutes, read through the guides, and get backed up before you wish you had.

 

Author information

Andy Klein

Andy Klein

Andy has 20+ years experience in technology marketing. He has shared his expertise in computer security and data backup at the Federal Trade Commission, Rootstech, RSA and over 100 other events. His current passion is to get everyone to back up their data before it’s too late.

The post The Complete Guide to Computer Backup appeared first on Backblaze Blog | The Life of a Cloud Backup Company.

LWN.net: Security advisories for Monday

This post was syndicated from: LWN.net and was written by: ris. Original post: at LWN.net

CentOS has updated postgresql
(C6: multiple vulnerabilities).

Debian has updated freexl (code execution).

Fedora has updated drupal6 (F21; F20:
multiple vulnerabilities), drupal7 (F21; F20:
multiple vulnerabilities), libssh2 (F20:
information leak), mingw-xerces-c (F21; F20:
denial of service), php (F21: multiple
vulnerabilities), tcpdump (F21: multiple vulnerabilities), and xerces-c (F21; F20: denial of service).

Gentoo has updated busybox
(multiple vulnerabilities).

Mandriva has updated apache-mod_wsgi (MBS2.0: privilege
escalation), bash (MBS2.0: multiple
vulnerabilities), bind (MBS2.0: denial of
service), binutils (MBS2.0: multiple
vulnerabilities), clamav (MBS2.0: multiple
vulnerabilities), coreutils (MBS1.0,
MBS2.0: code execution), ctags (MBS2.0:
denial of service), ctdb (MBS2.0: insecure
temporary files), dbus (MBS2.0: multiple
vulnerabilities), drupal (MBS1.0: multiple
vulnerabilities), ejabberd (MBS2.0:
incorrectly allows unencrypted connections), erlang (MBS2.0: command injection), ffmpeg (MBS2.0: multiple vulnerabilities), firebird (MBS2.0: denial of service), freerdp (MBS2.0: two vulnerabilities), gcc (MBS2.0: code execution), git (MBS2.0: code execution), glibc (MBS2.0: multiple vulnerabilities), glpi (MBS2.0: multiple vulnerabilities), grub2 (MBS2.0: code execution), gtk+3.0 (MBS2.0: screen lock bypass), icu (MBS2.0: multiple vulnerabilities), ipython (MBS2.0: code execution), jasper (MBS2.0: multiple vulnerabilities), jython (MBS2.0: code execution), libarchive (MBS1.0, MBS2.0: directory
traversal), libtiff (MBS1.0: multiple
vulnerabilities), libxfont (MBS1.0:
multiple vulnerabilities), setup (MBS2.0:
information disclosure), tcpdump (MBS1.0:
multiple vulnerabilities), and wireshark
(MBS1.0: multiple vulnerabilities).

openSUSE has updated freetype2
(13.2, 13.1: many vulnerabilities), gnutls
(13.2, 13.1: certificate algorithm consistency checking issue), and rubygem-bundler (13.2, 13.1: installs malicious gem files).

Red Hat has updated kernel-rt
(RHE MRG for RHEL6: two vulnerabilities), libxml2 (RHEL7: denial of service), and postgresql (RHEL6, RHEL7: multiple vulnerabilities).

Scientific Linux has updated libxml2 (SL7: denial of service) and postgresql (SL6, SL7: multiple vulnerabilities).

Linux How-Tos and Linux Tutorials: How to Use the Linux Command Line: Basics of CLI

This post was syndicated from: Linux How-Tos and Linux Tutorials and was written by: Swapnil Bhartiya. Original post: at Linux How-Tos and Linux Tutorials

terminal window

One shell to rule them all, one shell to find them, one shell to bring them all and in the same distro bind them.

Command line is one of the many strengths of Linux based systems. Why is it a strength? There is no one answer; there are many answers. I agree that the graphical user interface (GUI) makes it easier for a user to interact with their system and that’s what new users may need to get started with Linux; that’s what I needed when I was starting off with Linux back in 2005. But as I matured as a user I found CLI (command line interface) was more efficient than fiddling with the buttons of a tool.

CLI also allows users to be independent of distros. Just look at the derivates of Ubuntu, even if they use the same code-base they have different tools to do the same job. Different desktop environments on the same distro need different ways to perform the same task. A user has to un-learn and then re-learn the process of doing the same thing while they hop between distros. Furthermore if we move between Fedora, openSUSE and Arch, it becomes even more complicated.

But once you understand that in Debian-based systems apt-get or dpkg are the commands that you need to manage software, life becomes easy. Then it desn’t matter whether you are on Ubuntu or Lubuntu.

When I was dependent on a GUI, I used to get worried whether that particular distro has that feature or not – it was all about certain features being exposed or hidden through the GUI. One simple example is that Gnome’s Nautilus doesn’t allow batch rename of files where as KDE’s Dolphin does. As a result the user of x distro or DE hesitates in trying out other projects fearing they won’t find the same tools. A Gnome user doesn’t have to sacrifice such a useful function, thanks to the command line.

But that’s not all command line does. It also saves system resources which are consumed by GUIs. So if you are on a slower system, you are better off with the command line than GUI.

People tend to think command line is difficult; it’s not. It’s more or less like SMSing to your PC, telling it what to do.

So without further ado let’s learn some basics of command line.

Get the shell

Shell is basically a program that turns the ‘text’ that you type into commands/orders for your computer to perform. As such there is a set structure of commands; different OSes may use a different structure to perform the same task.

There are many Shells available for Linux, but the most popular is Bash (Bourne-Again shell) which was written by the GNU Project. Another more modern shell with more features is ‘zsh’ which you can install for your distribution (we will talk about shells in a later article).

If you are using a desktop environment then you need a terminal emulator to emulate the terminal within that interface. Different distros come with their own terminal emulators: KDE comes with Konsole and Gnome comes with Gnome Terminal.

Basics Commands

When you open a terminal emulator, by default you are in the home directory of the logged in user. You will see the name of the logged in user followed by the hostname. $ means you are logged in as a regular user, whereas # means you are logged in as root.

Unless you are performing administrative tasks or working inside root directories never work as root as it will change the permissions of all directories and files you worked on, making root the user of those directories and their content.

You can list all directories and files inside the current directory by using the ls command.

[swapnil@swaparch ~]$ ls
Desktop Documents Downloads Music Pictures Public Templates Videos

Moving around

To change to any directory, use the cd command. You can also use the ‘Tab’ key which will auto completes the path. Use forward slash to enter directories. So if I want to change directory to ‘Downloads’ which is inside my home folder, we run cd and then give the path. In this case ‘swapnil’ is the username. You need to type your username:

Documents/ Downloads/
[swapnil@swaparch ~]$ cd /home/swapnil/Downloads/
[swapnil@swaparch Downloads]$

As you can see in the third line, ‘Downloads’ directory has moved inside the square brackets, which denotes that currently we are inside this directory. I can see all subdirectories and files inside Downloads directory by running the ls command.

You don’t have to give the complete path if you want to move inside the sub-directory of the current directory. Let’s say we want to move inside the ‘Test’ directory within the current ‘Downloads’ directory. Just type cd and the directory name, in this case it’s ‘Test’, without any slash.

[swapnil@swaparch Downloads]$ cd Test

If you want to change to another directory just follow the same pattern: cd PATH_OF_DIRECTORY . If you want to move one step back in the directory then use cd . . /. To go back two directories use cd . . /. . /and so on.

But if you want to get out of the current directory and go back to home, simply type cd.

Seeing is believing

You don’t have to change directory to see its content. You can use the ls command in following manner:

ls /PATH_OF_DIRECTORY

Example:

[swapnil@swaparch ~]$ ls /home/swapnil/Downloads/Test/

There is no place to hide

To see hidden directories and files use -a option with the ls command.

[swapnil@swaparch ~]$ ls -a /home/swapnil/Downloads/Test/

Size does matter

In order to see the size of directories and files you can use -l option with the ls command. It will also tell the permissions of the files and directories, their owners and the time/date of modification:

[swapnil@swaparch ~]$ ls -l /home/swapnil/Downloads/Test/
total 4
drwxr-xr-x 2 swapnil users 4096 Mar 26 11:55 Test_2

The command gave us the file size in a form hard to understand. If you want to get the file size in human readable format then use ls -lh command:

[swapnil@swaparch ~]$ ls -lh /home/swapnil/Downloads/Test/
total 4.0K
drwxr-xr-x 2 swapnil users 4.0K Mar 26 11:55 Test_2

If you want to get a simple list of all the directories and files inside a location, without extra info such as file size, etc., use ls -R command. This command will give a very long output (depending on how many files are there) as directory trees.

Let’s create some directories

If you want to create new directories the command is mkdir. By default the directory will be created in the current directory. So give the complete path of the location where you want the directory to be created:

mkdir /path-of-the-parent-directory/name-of-the-new-directory

So if I want to create a directory ‘distros’ inside the ‘Downloads’ directory, then this is the command I will run:

[swapnil@swaparch ~]$ mkdir /home/swapnil/Downloads/distros

If you want to create a sub-directory inside a new directory then use ‘-p’ option with ‘mkdir’. I am going to create a directory called ‘distro’ along with a sub-directory called ‘opensuse’ inside it. If I run the mkdir command with ‘/distro/opensuse’ as the path, it will throw an error that the directory ‘distro’ doesn’t exist. That’s when the option ‘p’ comes at play and creates all the directories in the given path:

mkdir -p /home/swapnil/Downloads/distros/opensuse

This command will create new directory ‘distros’ and sub-directory ‘opensuse’ inside it.

And now let’s delete them

If you want to delete any file or directory the command is ‘rm’ (for files) and ‘rm -r’ (for directories). You need to be very careful with this command because if you fail to give the correct path of the file or directory then it will remove everything from the current directory and you may lose precious data. The command is simple:

rm /path-of-the-directory-or-file

If I want to remove the opensuse directory, the command would be:

rm -r /home/swapnil/Downloads/distros/opensuse/

However, if you want to delete all the content of a directory without deleting the directory itself use the ‘*’ wildcard with a slash. Let’s say I want to delete all the content of opensuse directory:

rm /home/swapnil/Downloads/distros/opensuse/*

If there are sub-directories inside, for example, opensuse directory then you will need that ‘-r’ option to also delete the sub-directories:

rm -r /home/swapnil/Downloads/distros/opensuse/*

That’s all for today. This article will make you pretty comfortable with the command line. In the next article we will take you to the next level of managing your system via CLI.

Till then, cd bye

SANS Internet Storm Center, InfoCON: green: YARA Rules For Shellcode, (Mon, Mar 30th)

This post was syndicated from: SANS Internet Storm Center, InfoCON: green and was written by: SANS Internet Storm Center, InfoCON: green. Original post: at SANS Internet Storm Center, InfoCON: green

I had a guest diary entry about my XORSearch tool using shellcode detection rules from Frank Boldewins OfficeMalScanner. To detect malicious documents, Frank coded rules to detect shellcode and other indicators of executable code inside documents.

I also translated Franks detection rules to YARA rules. You can find them here, the file is maldoc.yara.

This is an example:

rule maldoc_API_hashing{    meta:        author = Didier Stevens (https://DidierStevens.com)    strings:        $a1 = {AC 84 C0 74 07 C1 CF 0D 01 C7 EB F4 81 FF}        $a2 = {AC 84 C0 74 07 C1 CF 07 01 C7 EB F4 81 FF}    condition:        any of them}

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

TorrentFreak: KickassTorrents Celebrates ‘Happy Torrents Day’

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

HTDWith millions of unique visitors per day KickassTorrents (KAT) has become the most-used torrent site on the Internet, beating even The Pirate Bay.

The site also has a very active community of torrent aficionados from all over the world. On March 30th the site staff and its members come together to celebrate their beloved pastime on “Happy Torrents Day.”

The event was started by KAT administrator Mr. Pink. Initially it was a small celebration but over the years it has turned into a recurring tradition with many thousands of people participating.

TF spoke with Mr. Pink who notes that Torrents Day is a celebration of file-sharing. With the news being dominated by lawsuits, domain name trouble and torrent takedowns, this day is focuses of the positive.

“The main purpose is to get everybody to believe that what we do is worth fighting for. Everybody is equal. Yes it started on Kickass with us but it’s not about us. It’s about every person that believes in file sharing,” Mr. Pink says.

In recent weeks a lot of torrents have disappeared from the site as a result of an increase in DMCA takedown notices. The idea behind Torrent Day is to get people focused on something positive again.

“The DMCA is clamping down on us hard lately. And it’s becoming tougher so we need to give the userbase something to believe in,” Mr. Pink notes.

In celebration of the festive day several challenges and initiatives have been launched. A Happy Torrents Day album has been released for example, as well as the first issue of KAT’s official magazine “The KATalyst.”

happy-torrents-day

Besides KAT, Torrents Day is spreading to other sites as well. ExtraTorrent, another large community, previously joined in and is expected to do the same again this year.

If everything goes according to plan Torrents Day 2015 is expected to drive a lot of traffic to the site and perhaps set several new records.

“The support from other sites and the KAT team has been amazing,” Mr. Pink says. “We expect the site’s traffic and upload records to be broken today. We have a few ideas up our sleeves to make that happen.”

Records or not, judging from the activity on KAT’s website there’s definitely plenty of interest. So to all those who are celebrating: Happy Torrents Day!

Source: TorrentFreak, for the latest info on copyright, file-sharing, torrent sites and anonymous VPN services.

Linux How-Tos and Linux Tutorials: Hands-On: Linux UEFI Multi-Boot Part Three, Problem Solving

This post was syndicated from: Linux How-Tos and Linux Tutorials and was written by: ZDNet. Original post: at Linux How-Tos and Linux Tutorials

A look at special cases and uncooperative distributions – problem solving in Linux UEFI Multi-Boot

Read more at ZDNet News

Schneier on Security: Brute-Forcing iPhone PINs

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

This is a clever attack, using a black box that attaches to the iPhone via USB:

As you know, an iPhone keeps a count of how many wrong PINs have been entered, in case you have turned on the Erase Data option on the Settings | Touch ID & Passcode screen.

That’s a highly-recommended option, because it wipes your device after 10 passcode mistakes.

Even if you only set a 4-digit PIN, that gives a crook who steals your phone just a 10 in 10,000 chance, or 0.1%, of guessing your unlock code in time.

But this Black Box has a trick up its cable.

Apparently, the device uses a light sensor to work out, from the change in screen intensity, when it has got the right PIN.

In other words, it also knows when it gets the PIN wrong, as it will most of the time, so it can kill the power to your iPhone when that happens.

And the power-down happens quickly enough (it seems you need to open up the iPhone and bypass the battery so you can power the device entirely via the USB cable) that your iPhone doesn’t have time to subtract one from the “PIN guesses remaining” counter stored on the device.

Because every set of wrong guesses requires a reboot, the process takes about five days. Still, a very clever attack.

More details.

lcamtuf's blog: On journeys

This post was syndicated from: lcamtuf's blog and was written by: Michal Zalewski. Original post: at lcamtuf's blog

- 1 -

Poland is an ancient country whose history is deeply intertwined with that of the western civilization. In its glory days, the Polish-Lithuanian Commonwealth sprawled across vast expanses of land in central Europe, from Black Sea to Baltic Sea. But over the past two centuries, it suffered a series of military defeats and political partitions at the hands of its closest neighbors: Russia, Austria, Prussia, and – later – Germany.

After more than a hundred years of foreign rule, Poland re-emerged as an independent state in 1918, only to face the armies of Nazi Germany at the onset of World War II. With Poland’s European allies reneging on their earlier military guarantees, the fierce fighting left the country in ruins. Some six million people have died within its borders – more than ten times the death toll in France or in the UK. Warsaw was reduced to a sea of rubble, with perhaps one in ten buildings still standing by the end of the war.

With the collapse of the Third Reich, the attendees of the Yalta Conference decided the new order of the post-war Europe. At Stalin’s behest, Poland and its neighboring countries were placed under Soviet political and military control, forming what has become known as the Eastern Bloc.

Over the next several decades, the Soviet satellite states experienced widespread repression and economic decline. But weakened by the expense of the Cold War, the communist chokehold on the region eventually began to weaken. In Poland, the introduction of martial law in 1981 could not put an end to sweeping labor unrest. Narrowly dodging the specter of Soviet intervention, the country regained its independence in 1989 and elected its first democratic government; many other Eastern Bloc countries soon followed suit.

Ever since then, Poland has enjoyed a period of unprecedented growth and has emerged as one of the more robust capitalist democracies in the region. In just two decades, it shed many of its backwardly, state-run heavy industries and adopted a modern, service-oriented economy. But the effects of the devastating war and the lost decades under communist rule still linger on – whether you look at the country’s infrastructure, at its socrealist cityscapes, at its political traditions, or at the depressingly low median wage.

When thinking about the American involvement in the Cold War, people around the world may recall Vietnam, Bay of Pigs, or the proxy wars fought in the Middle East. But in Poland and many of its neighboring states, the picture you remember the most is the fall of the Berlin Wall.

- 2 -

I was born in Warsaw in the winter of 1981, just in time for the proclamation of martial law, with armored vehicles rolling onto Polish streets. My mother, like many of her generation, moved to the capital in the sixties as a part of an effort to rebuild and repopulate the war-torn city. My grandma would tell eerie stories of Germans and Soviets marching through their home village somewhere in the west. I liked listening to the stories; almost every family in Poland had some to tell.

I did not get to know my father. I knew his name; he was a noted cinematographer who worked on big-ticket productions back in the day. He left my mother when I was very young and never showed interest in staying in touch. He had a wife and other children, so it might have been that.

Compared to him, mom hasn’t done well for herself. We ended up in social housing in one of the worst parts of the city, on the right bank of the Vistula river. My early memories from school are that of classmates sniffing glue from crumpled grocery bags. I remember my family waiting in lines for rationed toilet paper and meat. As a kid, you don’t think about it much.

The fall of communism came suddenly. I have a memory of grandma listening to broadcasts from Radio Free Europe, but I did not understand what they were all about. I remember my family cheering one afternoon, transfixed to a black-and-white TV screen. I recall my Russian language class morphing into English; I had my first taste of bananas and grapefruits. There is the image of the monument of Feliks Dzierżyński coming down. I remember being able to go to a better school on the other side of Warsaw – and getting mugged many times on the way.

The transformation brought great wealth to some, but many others have struggled to find their place in the fledgling and sometimes ruthless capitalist economy. Well-educated and well read, my mom ended up in the latter pack, at times barely making ends meet. I think she was in part a victim of circumstance, and in part a slave to way of thinking that did not permit the possibility of taking chances or pursuing happiness.

- 3 -

Mother always frowned upon popular culture, seeing it as unworthy of an educated mind. For a time, she insisted that I only listen to classical music. She angrily shunned video games, comic books, and cartoons. I think she perceived technology as trivia; the only field of science she held in high regard was abstract mathematics, perhaps for its detachment from the mundane world. She hoped that I would learn Latin, a language she could read and write; that I would practice drawing and painting; or that I would read more of the classics of modernist literature.

Of course, I did almost none of that. I hid my grunge rock tapes between Tchaikovsky, listened to the radio under the sheets, and watched the reruns of The A-Team while waiting for her to come back from work. I liked electronics and chemistry a lot more than math. And when I laid my hands on my first computer – an 8-bit relic of British technical thought from 1982 – I soon knew that these machines, in their incredible complexity and flexibility, were I wanted to spend my time on.

I suspected I could be a competent programmer, but never had enough faith in my skill. Yet, in learning about computers, I realized that I had a knack for understanding complex systems and poking holes in how they work. With a couple of friends, we joined the nascent information security community in Europe, comparing notes on mailing lists. Before long, we were taking on serious consulting projects for banks and the government – usually on weekends and after school, but sometimes skipping a class or two. Well, sometimes more than that.

All of the sudden, I was facing an odd choice. I could stop, stay in school and try to get a degree – going back every night to a cramped apartment, my mom sleeping on a folding bed in the kitchen, my personal space limited to a bare futon and a tiny desk. Or, I could seize the moment and try to make it on my own, without hoping that one day, my family would be able to give me a head start.

I moved out, dropped out of school, and took on a full-time job. It paid somewhere around $12,000 a year – a pittance anywhere west of the border, but a solid wage in Poland even today. Not much later, I was making two times as much, about the upper end of what one could hope for in this line of work. I promised myself to keep taking courses after hours, but I wasn’t good at sticking to the plan. I moved in with my girlfriend, and at the age of 19, I felt for the first time that things were going to be all right.

- 4 -

Growing up in Europe, you get used to the barrage of low-brow swipes taken at the United States. Your local news will never pass up the opportunity to snicker about the advances of creationism somewhere in Kentucky. You can stay tuned for a panel of experts telling you about the vastly inferior schools, the medieval justice system, and the striking social inequality on the other side of the pond. But deep down inside, no matter how smug the critics are, or how seemingly convincing their arguments, the American culture still draws you in.

My moment of truth came in the summer of 2000. A company from Boston asked me if I’d like to talk about a position on their research team; I looked at the five-digit figure and could not believe my luck. Moving to the US was an unreasonable risk for a kid who could barely speak English and had no safety net to fall back to. But that did not matter: I knew I had no prospects of financial independence in Poland – and besides, I simply needed to experience the New World through my own eyes.

Of course, even with a job offer in hand, getting into the United States is not an easy task. An engineering degree and a willing employer opens up a straightforward path; it is simple enough that some companies would abuse the process to source cheap labor for menial, low-level jobs. With a visa tied to the petitioning company, such captive employees could not seek better wages or more rewarding work.

But without a degree, the options shrink drastically. For me, the only route would be a seldom-granted visa reserved for extraordinary skill – meant for the recipients of the Nobel Prize and other folks who truly stand out in their field of expertise. The attorneys looked over my publication record, citations, and the supporting letters from other well-known people in the field. Especially given my age, they thought we had a good shot. A few stressful months later, it turned out that they were right.

On the week of my twentieth birthday, I packed two suitcases and boarded a plane to Boston. My girlfriend joined me, miraculously securing a scholarship at a local university to continue her physics degree; her father helped her with some of the costs. We had no idea what we were doing; we had perhaps few hundred bucks on us, enough to get us through the first couple of days. Four thousand miles away from our place of birth, we were starting a brand new life.

- 5 -

The cultural shock gets you, but not in the sense you imagine. You expect big contrasts, a single eye-opening day to remember for the rest of your life. But driving down a highway in the middle of a New England winter, I couldn’t believe how ordinary the world looked: just trees, boxy buildings, and pavements blanketed with dirty snow.

Instead of a moment of awe, you drown in a sea of small, inconsequential things, draining your energy and making you feel helpless and lost. It’s how you turn on the shower; it’s where you can find a grocery store; it’s what they meant by that incessant “paper or plastic” question at the checkout line. It’s how you get a mailbox key, how you make international calls, it’s how you pay your bills with a check. It’s the rules at the roundabout, it’s your social security number, it’s picking the right toll lane, it’s getting your laundry done. It’s setting up a dial-up account and finding the food you like in the sea of unfamiliar brands. It’s doing all this without Google Maps or a Facebook group to connect with other expats nearby.

The other thing you don’t expect is losing touch with your old friends; you can call or e-mail them every day, but your social frames of reference begin to drift apart, leaving less and less to talk about. The acquaintances you make in the office will probably never replace the the folks you grew up with. We managed, but we weren’t prepared for that.

- 6 -

In the summer, we had friends from Poland staying over for a couple of weeks. By the end of their trip, they asked to visit New York City one more time; we liked the Big Apple, so we took them on a familiar ride down I-90. One of them went to see the top of World Trade Center; the rest of us just walked around, grabbing something to eat before we all headed back. A few days later, we were all standing in front of a TV, watching September 11 unfold in real time.

We felt horror and outrage. But when we roamed the unsettlingly quiet streets of Boston, greeted by flags and cardboard signs urging American drivers to honk, we understood that we were strangers a long way from home – and that our future in this country hanged in the balance more than we would have thought.

Permanent residency is a status that gives a foreigner the right to live in the US and do almost anything they please – change jobs, start a business, or live off one’s savings all the same. For many immigrants, the pursuit of this privilege can take a decade or more; for some others, it stays forever out of reach, forcing them to abandon the country in a matter of days as their visas expire. With my O-1 visa, I always counted myself among the lucky ones. Sure, it tied me to an employer, but I figured that sorting it out wouldn’t be a big deal.

That proved to be a mistake. In the wake of 9/11, an agency known as Immigration and Naturalization Services has been dismantled and replaced by a division within the Department of Homeland Security. My own seemingly straightforward immigration petition ended up somewhere in the bureaucratic vacuum that formed in between the two administrative bodies. I waited patiently, watching the deepening market slump, and seeing my employer’s prospects get dimmer and dimmer every month. I was ready for the inevitable, with other offers in hand, prepared to make my move, perhaps the very first moment I could. But the paperwork just would not come through. With the Boston office finally shutting down, we packed our bags and booked flights. We faced the painful admission that for three years, we chased nothing but a pipe dream. The only thing we had to show for it were two adopted cats, now sitting frightened somewhere in the cargo hold.

The now-worthless approval came through two months later; the lawyers, cheerful as ever, were happy to send me a scan. The hollowed-out remnants of my former employer were eventually bought by Symantec – the very place from where I had my backup offer in hand.

- 7 -

In a way, Europe’s obsession with America’s flaws made it easier to come home without ever explaining how it all played out. When asked, I could just wing it: a mention of the death penalty or permissive gun laws would always get you a knowing nod, allowing the conversation to move on.

Playing to other people’s preconceptions takes little effort; lying to yourself calls for more skill. It doesn’t help that when you come back after three years away from home, you notice all the small things you simply used to tune out. The dilapidated road from the airport; the drab buildings on the other side of the river; the uneven pavements littered with dog poop; the dirty walls at my mother’s place, with barely any space to turn. You can live with it, of course – but it’s a reminder that you settled for less, and it’s a sensation that follows you every step of the way.

But more than the sights, I couldn’t forgive myself something else: that I was coming back home with just loose change in my pocket. There are some things that a failed communist state won’t teach you, and personal finance is one of them; I always looked at money just as a reward for work, something you get to spend to brighten your day. The indulgences were never extravagant: perhaps I would take the cab more often, or have take-out every day. But no matter how much I made, I kept living paycheck-to-paycheck – the only way I knew, the way our family always did.

- 8 -

With a three-year stint in the US on your resume, you don’t have a hard time finding a job in Poland. You face the music in a different way. I ended up with a salary around a fourth of what I used to make in Massachusetts, but I simply decided not to think about it much. I wanted to settle down, work on interesting projects, marry my girlfriend, have a child. I started doing consulting work whenever I could, setting almost all the proceeds aside.

After four years with T-Mobile in Poland, I had enough saved to get us through a year or so – and in a way, it changed the way I looked at my work. Being able to take on ambitious challenges and learn new things started to matter more than jumping ships for a modest salary bump. Burned by the folly of pursuing riches in a foreign land, I put a premium on boring professional growth.

Comically, all this introspection made me realize that from where I stood, I had almost nowhere left to go. Sure, Poland had telcos, refineries, banks – but they all consumed the technologies developed elsewhere, shipped here in a shrink-wrapped box; as far as their IT went, you could hardly tell the companies apart. To be a part of the cutting edge, you had to pack your bags, book a flight, and take a jump into the unknown. I sure as heck wasn’t ready for that again.

And then, out of the blue, Google swooped in with an offer to work for them from the comfort of my home, dialing in for a videoconference every now and then. The pay was about the same, but I had no second thoughts. I didn’t say it out loud, but deep down inside, I already knew what needed to happen next.

- 9 -

We moved back to the US in 2009, two years after taking the job, already on the hook for a good chunk of Google’s product security and with the comfort of knowing where we stood. In a sense, my motive was petty: you could call it a desire to vindicate a failed adolescent dream. But in many other ways, I have grown fond of the country that shunned us before; and I wanted our children to grow up without ever having to face the tough choices I had to make in my life.

This time, we knew exactly what to do: a quick stop at a grocery store on a way from the airport, followed by e-mail to our immigration folks to get the green card paperwork out the door. Half a decade later, we were standing in a theater in Campbell, reciting the Oath of Allegiance and clinging on to our new certificates of US citizenship.

The ceremony closed a long and interesting chapter in my life. But more importantly, standing in the hall with people from all over the globe made me realize that my story is not extraordinary; many of them had lived through experiences far more harrowing and captivating than mine. If anything, my tale is hard to tell apart from that of millions other immigrants from the former Eastern Bloc.

I know that the Poland of today is not the Poland I grew up in. It’s not not even the Poland I came back to in 2003; the gap to Western Europe is shrinking every single year. But I am proud to now live in a country that welcomes more immigrants than any other place on Earth – and at the end of their journey, makes them feel at home. It also makes me realize how small and misguided the conversations we are having about immigration – not just here, but all over the developed world.

TorrentFreak: New Pirate Bay Blockade Foiled By Simple DNS Trick

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

One of the major strategies of the world’s leading entertainment companies is to have sites like The Pirate Bay blocked at the ISP level. The idea is that when subscribers can’t access ‘pirates’ sites they will flock to legal alternatives.

While there can be little doubt that some will take the opportunity to test out Netflix or Spotify (should they be available in their region), other users will be less ready to take the plunge.

In Spain, where online piracy is reportedly more widespread than most other European countries, users faced a Pirate Bay problem on Friday when a judge ordered the country’s service providers to block the site within 72 hours.

Some ISPs blocked the site immediately, provoking questions of where to get free content now that The Pirate Bay is off-limits. Of course, there are plenty of alternatives but for those a little more determined, access to TPB was just a click or two away.

The problem is that for whatever reasons, thus far Spanish ISPs are only implementing a Pirate Bay ban on the most basic of levels. In the UK, for example, quite sophisticated systems block domain names and IP addresses, and can even automatically monitor sites so that any blocking counter-measures can be handled straight away. But in Spain users are finding that blocks are evaded with the smallest of tweaks.

By changing a computer or router’s DNS settings, Spaniards are regaining access to The Pirate Bay in an instant. Both Google’s DNS and OpenDNS are reported as working on several Spanish discussion forums.

“I’ve [followed the instructions] and in two minutes you can enter Pirate Bay. And I am a computer illiterate and have no idea what a DNS is,” a user of a gaming forum writes.

Another user, who moved away from his ISP’s DNS a while ago, wasn’t even aware that any block had been put in place.

“If the block is using DNS, I would not call that blocking, really. I’ve been using the DNS of Google for years and I have not even noticed anything,” he notes.

While Spaniards will be pleased that the blockade is easily circumvented, it’s the reaction to the news that’s perhaps the most interesting aspect. News that the site is being blocked is hardly being welcomed, but there is a definite absence of panic among those who are supposed to be some of Europe’s most hardcore pirates.

Whether that’s chiefly down to the weak blocking method being employed by some ISPs is up for debate, but having seen blocks do little to stop file-sharers across Europe – particularly in the UK where the practice is widespread – the Spanish probably see no real reason to break into a cold sweat just yet.

Source: TorrentFreak, for the latest info on copyright, file-sharing, torrent sites and anonymous VPN services.

TorrentFreak: Top 10 Most Pirated Movies of The Week – 03/30/15

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

interstThis week we have two newcomers in our chart.

Interstellar is the most downloaded movie for the third week in a row.

The data for our weekly download chart is estimated by TorrentFreak, and is for informational and educational reference only. All the movies in the list are BD/DVDrips unless stated otherwise.

RSS feed for the weekly movie download chart.

Ranking (last week) Movie IMDb Rating / Trailer
torrentfreak.com
1 (1) Interstellar 8.8 / trailer
2 (…) Cinderella 7.6 / trailer
3 (2) Exodus: Gods and Kings 6.2 / trailer
4 (10) Seventh Son 5.7 / trailer
5 (3) Into The Woods 6.2 / trailer
6 (9) Paddington 7.4 / trailer
7 (6) Fifty Shades of Grey 3.9 / trailer
8 (8) The Hobbit: The Battle of the Five Armies 6.0 / trailer
9 (4) Focus 6.9 / trailer
10 (…) Kidnapping Mr Heineken 6.2 / trailer

Source: TorrentFreak, for the latest info on copyright, file-sharing, torrent sites and anonymous VPN services.

Krebs on Security: Sign Up at irs.gov Before Crooks Do It For You

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

If you’re an American and haven’t yet created an account at irs.gov, you may want to take care of that before tax fraudsters create an account in your name and steal your personal and tax data in the process.

Screenshot 2015-03-29 14.22.55Recently, KrebsOnSecurity heard from Michael Kasper, a 35-year-old reader who tried to obtain a copy of his most recent tax transcript with the Internal Revenue Service (IRS). Kasper said he sought the transcript after trying to file his taxes through the desktop version of TurboTax, and being informed by TurboTax that the IRS had rejected the request because his return had already been filed.

Kasper said he phoned the IRS’s identity theft hotline (800-908-4490) and was told a direct deposit was being made that very same day for his tax refund — a request made with his Social Security number and address but to be deposited into a bank account that he didn’t recognize.

“Since I was alerting them that this transaction was fraudulent, their privacy rules prevented them from telling me any more information, such as the routing number and account number of that deposit,” Kasper said. “They basically admitted this was to protect the privacy of the criminal, not because they were going to investigate right away. In fact, they were very clear that the matter would not be investigated further until a fraud affidavit and accompanying documentation were processed by mail.”

In the following weeks, Kasper contacted the IRS, who told him they had no new information on his case. When he tried to get a transcript of the fraudulent return using the “Get Transcript” function on IRS.gov, he learned that someone had already registered through the IRS’s site using his Social Security number and an unknown email address.

“When I called the IRS to fix this, and spent another hour on hold, they explained they could not tell me what the email address was due to privacy regulations,” Kasper recalled. “They also said they could not change the email address, all they could do was ban access to eServices for my account, which they did. It was something at least.”

FORM 4506

Undeterred, Kasper researched further and discovered that he could still obtain a copy of the fraudulent return by filling out the IRS Form 4506 (PDF) and paying a $50 processing fee. Several days later, the IRS mailed Kasper a photocopy of the fraudulent return filed in his name — complete with the bank name and account number that received the $8,936 phony refund filed in his name.

“That’s right, $50 just for the right to see my own return,” Kasper said. “And once again the right hand does not know what the left hand is doing, because it cost me just $50 to get them to ignore their own privacy rules. The most interesting thing about this strange rule is that the IRS also refuses to look at the account data itself until it is fully investigated. Banks are required by law to report suspicious refund deposits, but the IRS does not even bother to contact banks to let them know a refund deposit was reported fraudulent, at least in the case of individual taxpayers who call, confirm their identity and report it, just like I did.”

Kasper said the transcript indicates the fraudsters filed his refund request using the IRS web site’s own free e-file website for those with incomes over $60,000. It also showed the routing number for First National Bank of Pennsylvania and the checking account number of the individual who got the deposit plus the date that they filed: January 31, 2015.

The transcript suggests that the fraudsters who claimed his refund had done so by copying all of the data from his previous year’s W2, and by increasing the previous year’s amounts slightly. Kasper said he can’t prove it, but he believes the scammers obtained that W2 data directly from the IRS itself, after creating an account at the IRS portal in his name (but using a different email address) and requesting his transcript.

“The person who submitted it somehow accessed my tax return from the previous year 2013 in order to list my employer and salary from that year, 2013, then use it on the 2014 return, instead,” Kasper said. “In addition, they also submitted a corrected W-2 that increased the withholding amount by exactly $6,000 to increase their total refund due to $8,936.”

MONEY MULING

On Wednesday, March 18, 2015, Kasper contacted First National Bank of Pennsylvania whose routing number was listed in the phony tax refund request, and reached their head of account security. That person confirmed a direct deposit by the IRS for $8,936.00 was made on February 9, 2015 into an individual checking account specifying Kasper’s full name and SSN in the metadata with the deposit.

“She told me that she could also see transactions were made at one or more branches in the city of Williamsport, PA to disburse or withdraw those funds and that several purchases were made by debit card in the city of Williamsport as well, so that at this point a substantial portion of the funds were gone,” Kasper said. “She further told me that no one from the IRS had contacted her bank to raise any questions about this account, despite my fraud report filed February 9, 2015.”

The head of account security at the bank stated that she would be glad to cooperate with the Williamsport Police if they provided the required legal request to allow her to release the name, address, and account details. The bank officer offered Kasper her office phone number and cell phone to share with the cops. The First National employee also mentioned that the suspect lived in the city of Williamsport, PA, and that this individual seemed to still be using the account.

Kasper said the local police in his New York hometown hadn’t bothered to respond to his request for assistance, but that the lieutenant at the Williamsport police department who heard his story took pity on him and asked him to write an email about the incident to his captain, which Kasper said he sent later that morning.

Just two hours later, he received a call from an investigator who had been assigned to the case. The detective then interviewed the individual who held the account the same day and told Kasper that the bank’s fraud department was investigating and had asked the person to return the cash.

“My tax refund fraud case had gone from stuck in the mud to an open case, almost overnight,” Kasper sad. “Or at least it seemed to be that simple. It turned out to be much more complex.”

For starters, the woman who owned the bank account that received his phony refund — a student at a local Pennsylvania university — said she got the transfer after responding to a Craigslist ad for a moneymaking opportunity.

Kasper said the detective learned that money was deposited into her account, and that she sent the money out to locations in Nigeria via Western Union wire transfer, keeping some as a profit, and apparently never suspecting that she might be doing something illegal.

“She has so far provided a significant amount of information, and I’m inclined to believe her story,” Kasper said. “Who would be crazy enough to deposit a fraudulent tax refund in their own checking account, as opposed to an untraceable debit card they could get at a convenience store. At the same time, wouldn’t somebody who could pull this off also have an explanation like this ready?”

The woman in question, whose name is being withheld from this story, declined multiple requests to speak with KrebsOnSecurity, threatening to file harassment claims if I didn’t stop trying to contact her. Nevertheless, she appears to have been an unwitting — if not unwilling — money mule in a scam that seeks to recruit the unwary for moneymaking schemes.

ANALYSIS

The IRS’s process for verifying people requesting transcripts is vulnerable to exploitation by fraudsters because it relies on static identifiers and so-called “knowledge-based authentication” (KBA)  — i.e., challenge questions that can be easily defeated with information widely available for sale in the cybercrime underground and/or with a small amount of searching online.

To obtain a copy of your most recent tax transcript, the IRS requires the following information: The applicant’s name, date of birth, Social Security number and filing status. After that data is successfully supplied, the IRS uses a service from credit bureau Equifax that asks four KBA questions. Anyone who succeeds in supplying the correct answers can see the applicant’s full tax transcript, including prior W2s, current W2s and more or less everything one would need to fraudulently file for a tax refund.

The KBA questions — which involve multiple choice, “out of wallet” questions such as previous address, loan amounts and dates — can be successfully enumerated with random guessing. But in practice it is far easier, said Nicholas Weaver, a researcher at the International Computer Science Institute (ICSI) and at the University of California, Berkeley.

“I did it twice, and the first time it was related to my current address, one old address question, and one ‘which credit card did you get’ question,” Weaver said. “The second time it was two questions related to my current address, and two related to a car loan I paid off in 2007.”

The second time round, Weaver said a few minutes on Zillow.com gave him all the answers he needed for the KBA questions. Spokeo solved the “old address” questions for him with 100% accuracy.

“Zillow with my address answered all four of them, if you just assume ‘moved when I bought the house’,” he said. “In fact, I NEEDED to use Zillow the second time around, because damned if I remember when my house was built.  So with Zillow and Spokeo data, it isn’t even 1 in 256, it’s 1 in 4 the first time around and 1 in 16 the second, and you don’t need to guess blind either with a bit more Google searching.”

If any readers here doubt how easy it is to buy personal data on just about anyone, check out the story I wrote in December 2014, wherein I was able to find the name, address, Social Security number, previous address and phone number on all current members of the U.S. Senate Commerce Committee. This information is no longer secret (nor are the answers to KBA-based questions), and we are all made vulnerable to identity theft as long as institutions continue to rely on static information as authenticators. See my recent story on Apple Pay for another reminder of this fact.

Unfortunately, the IRS is not the only government agency whose reliance on static identifiers actually makes them complicit in facilitating identity theft against Americans. The same process described to obtain a tax transcript at irs.gov works to obtain a free credit report from annualcreditreport.com, a Web site mandated by Congress. In addition, Americans who have not already created an account at the Social Security Administration under their Social Security number are vulnerable to crooks hijacking SSA benefits now or in the future. For more on how crooks are siphoning Social Security benefits via government sites, check out this story.

Kasper said he’s grateful for the police report he was able to obtain from the the Pennsylvania authorities because it allows him to get a freeze on his credit file without paying the customary $5 fee in New York to place and thaw a freeze.

Credit freezes prevent would-be creditors from approving new lines of credit in your name — and indeed from even being able to view or “pull” your credit file — but a freeze will not necessarily block fraudsters from filing phony tax returns in your name.

Unless, of course, the scammers in question are counting on obtaining your tax transcripts through the IRS’s own Web site. According to the IRS, people with a credit freeze on their file must lift the freeze (with Experian, at least) before the agency is able to continue with the KBA questions as part of its verification process.

xkcd.com: Ontological Argument

This post was syndicated from: xkcd.com and was written by: xkcd.com. Original post: at xkcd.com

A God who holds the world record for eating the most skateboards is greater than a God who does not hold that record.

SANS Internet Storm Center, InfoCON: green: ISC StormCast for Monday, March 30th 2015 http://isc.sans.edu/podcastdetail.html?id=4417, (Sun, Mar 29th)

This post was syndicated from: SANS Internet Storm Center, InfoCON: green and was written by: SANS Internet Storm Center, InfoCON: green. Original post: at SANS Internet Storm Center, InfoCON: green

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

TorrentFreak: Once You Accept File-Sharing Is Here To Stay, You Can Focus On All The Positive Things

This post was syndicated from: TorrentFreak and was written by: Rick Falkvinge. Original post: at TorrentFreak

diskettePeople started sharing files with each other – text, games, music – as soon as there was a storage medium you could copy.

Originally, this meant the compact cassette which was used for music and programs for the first home computers. Cassette decks at the time had a convenient copy mechanism where you’d insert an original in one slot, a blank tape in another slot, and press a prominent “copy” button to get an analog replica – not perfect, if it was music, but if it was a digital computer file, it would be readable and usable. The one-push copy was even a sales point.

Everybody had their circle of friends who contributed to the common collection between them, and we’d always be carrying some copy of something else we anticipated was in demand. People would copy something from you more or less every day. You would copy things from several people pretty much every day.

Copyparties were huge fests where hundreds of teens (or pre-teens) rented a school building for a weekend, brought their entire catalog of tapes and diskettes, an equivalent amount of blank media, and just copied everything they could from each other instead of sleeping. These copyparties frequently had pallets of Jolt Cola for sale.

In this setup, completely before the Internet, if something in high demand was published, it would take three days on average for that piece of media to get to everybody who wanted it.

In other words, in a complete shutdown of the Internet where people go back to sharing by copying media by hand, the very best the copyright industry can hope for is three days until saturation instead of today’s one day. It’s almost funny how the copyright industry still delays releases by weeks if not months between neighboring countries and think they can determine who gets to see what when. That was never the case, and won’t ever be the case.

File sharing is here to stay and the reason it’s still traceable is mostly because the risk of getting caught by stale, obsolete, and outdated laws is considerably lower than the risk of getting struck by lightning. There’s no real push to improve it, like there was right after Napster shut down. But let’s imagine for a moment if there was a real push to move sharing back under the radar.

Today, the storage of an ordinary mobile phone can effectively store all music except the most narrow. And with fourth-generation Bluetooth, it can wirelessly – and tracelessly! – share all of it to all mobile phones in a 50-meter range. Subway cars, cafés, even cars at red light stops become torrent swarms without somebody acting – or even noticing. The notion of being able to stop, control, or contain this files under “what’s the weather like on your planet?”.

Not only that, but the best-generation scenario that the copyright industry can ever hope for is the equivalent of a shutdown of the entire internet. That would mean a regression from today’s 24-hour saturation to a pre-internet 72-hour saturation. Think about that. The best conceivable scenario for the copyright industry, if they really manage to destroy the entire Internet, is that it would take three days instead of one day for something to get shared to everybody who wants it.

Moore’s Law further suggests that in a decade or so, an ordinary mobile phone will also have capacity to store most TV and movies ever made.

So once you accept that file-sharing is here to stay for good, and that any attempt to contain it is a Canutian attempt to order the tide back, you can let go of that and instead focus on all the positive aspects of that development:

The income is there for artists. In fact, more than twice the income is there for artists with file-sharing. There’s no need to fret and worry about that development, no need to hunt license fees for every copy manufactured without a license. Rather, as soon as you realize that chasing license fees for every copy is actually a cashflow net negative, you’ll start to chill and realize the revenue is still there. (Well, not for the parasitic middlemen: not for the actual copyright industry. But artists have always hated those with a passion.) As a significant bonus, you won’t be turning your customers into enemies.

But more importantly, it means that every human being has 24/7 access to humanity’s collective knowledge and culture, and that every human being is able to add to that pool. That’s the equivalent of when the first public libraries opened in 1850, but on an enormously larger scale. Even though the copyright industry is trying again and again to burn this Library of Alexandria, it’s worth more than pause to consider what a huge leap ahead for humanity this really is.

And while the copyright industry may order the tide held back, waging war against future generations is rarely a winning proposition in the long run.

About The Author

Rick Falkvinge is a regular columnist on TorrentFreak, sharing his thoughts every other week. He is the founder of the Swedish and first Pirate Party, a whisky aficionado, and a low-altitude motorcycle pilot. His blog at falkvinge.net focuses on information policy.

Book Falkvinge as speaker?

Source: TorrentFreak, for the latest info on copyright, file-sharing, torrent sites and anonymous VPN services.

LWN.net: A massive weekend security update pile

This post was syndicated from: LWN.net and was written by: corbet. Original post: at LWN.net

The pile of security updates has gotten deep enough that it makes sense to
shove them out now. The biggest pile is seemingly Mandriva catching up on
numerous updates for its Mandriva Business Server (MBS) line of products.

Debian has updated
batik (unauthorized file access),
binutils (code execution),
dulwich (code execution),
libxfont (privilege escalation),
php5 (fix regression from previous update),
shibboleth-sp2 (denial of service), and
xerces-c (denial of service).

Fedora has updated
kernel (F21: code execution),
mongodb (F21: denial of service),
python-requests (F21: cookie stealing),
python-urllib3 (F21: cookie stealing),
strongswan (F20, F21: denial of service), and
webkitgtk4 (F21: late certificate
verification).

Mageia has updated
docuwiki (cross-site scripting),
drupal (authentication bypass),
krb5 (denial of service),
python-requests (cookie stealing),
setup (incorrect file protections), and
wireshark (dissector issues).

Mandriva has updated
apache (MBS2: 11 CVEs),
apache-mod_security (MBS2:
restriction bypass),
cifs-utils (MBS2: code execution),
cups (MBS2: six CVEs),
cups-filters (MBS2: nine CVEs),
curl (MBS2: seven CVEs),
dovecot (MBS2: denial of service),
egroupware (MBS2: code execution),
elfutils (MBS2: code execution),
emacs (MBS2: symbolic link vulnerability),
freetype2 (MBS2: 21 CVEs),
gnupg (MBS1, MBS2: five CVEs),
gnutls (MBS2: five CVEs),
imagemagick (MBS2: five CVEs),
jbigkit (MBS2: code execution),
json-c (MBS2: denial of service),
krb5 (MBS1-2: five CVEs),
lcms2 (MBS2: denial of service),
libcap-ng (MBS2: privilege escalation),
libgd (MBS2: denial of service),
libevent (MBS2: code execution),
libjpeg (MBS2: code execution),
libksba (MBS2: denial of service),
liblzo (MBS2: code execution),
libpng (MBS2: memory overwrite),
libpng12 (MBS2: three 2013 CVEs),
libsndfile (MBS2: code execution),
libssh (MBS2: information disclosure
and denial of service),
libssh2 (MBS1, MBS2: MITM vulnerability),
libtasn1 (MBS2: denial of service),
libtiff (MBS2: six CVEs),
libvirt (MBS1, MBS2: denial of service and
information leak),
libvncserver (MBS2: six CVEs),
libxfont (MBS2: six CVEs),
libxml2 (MBS2: denial of service),
lua (MBS2: code execution),
mariadb (MBS2: uncountable
unexplained CVEs),
mpfr (MBS2: code execution),
mutt (MBS2: denial of service),
net-snmp (MBS2: denial of service),
nginx (MBS2: code execution),
nodejs (MBS2: multiple unspecified
vulnerabilities),
not-yet-commons-ssl (MBS2: MITM
vulnerability),
ntp (MBS2: six CVEs),
openldap (MBS1, MBS2: denial of service),
openssh (MBS2: restriction and
authentication bypass),
openvpn (MBS2: denial of service),
patch (MBS2: file overwrite),
pcre (MBS2: denial of service),
perl (MBS2: denial of service),
php (MBS1, MBS2: lots of vulnerabilities),
postgresql (MBS2: twelve CVEs),
ppp (MBS2: privilege escalation),
pulseaudio (MBS2: denial of service),
python-django (MBS2: five CVEs),
python-pillow (MBS2: five CVEs),
python-requests (MBS2: cookie stealing),
php-ZendFramework (MBS2: eight CVEs),
python (MBS2: seven CVEs),
python3 (MBS2: five CVEs),
python-lxml (MBS2: code injection),
python-numpy (MBS2: temporary file vulnerability),
readline (MBS2: symbolic link vulnerability),
rsync (MBS2: denial of service),
rsyslog (MBS2: denial of service),
ruby (MBS2: denial of service),
samba (MBS1, MBS2: code execution and more),
samba4 (MBS2: code execution),
sendmail (MBS2: file descriptor access),
serf (MBS2: MITM vulnerability),
squid (MBS2: five CVEs),
stunnel (MBS2: private key disclosure),
subversion (MBS2: five CVEs),
sudo (MBS2: file disclosure),
tcpdump (MBS2: seven CVEs),
tomcat (MBS2: eight CVEs),
torque (MBS2: kill arbitrary processes),
udisks2 (MBS2: code execution),
unzip (MBS2: code execution),
util-linux (MBS2: command injection),
wpa_supplicant (MBS2: command execution),
wget (MBS2: symbolic link vulnerability),
x11-server (MBS2: thirteen CVEs), and
xlockmore (MBS2: lock bypass).

openSUSE has updated
mercurial (command injection).

SUSE has updated
firefox (SLES10-11: code execution) and
mysql (SLES11: 33 vulnerabilities).

TorrentFreak: Cox Refuses to Reveal Financials in “Repeat Infringer” Piracy Case

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

cox-logoEvery month copyright holders and anti-piracy groups send hundreds of thousands of takedown notices to Internet providers.

These notifications have to be forwarded to individual account holders under the DMCA law, to alert them that their connection is being used to share copyrighted works without permission.

Cox Communications is one of the ISPs that forwards these notices. The ISP also implemented a strict set of rules of its own accord to ensure that its customers understand the severity of the allegations.

According to some copyright holders, however, Cox’s efforts are falling short. Last December BMG Rights Management and Round Hill Music sued the ISP because it fails to terminate the accounts of repeat infringers.

The companies, which control the publishing rights to songs by Katy Perry, The Beatles and David Bowie among others, claim that Cox has given up its DMCA safe harbor protections due to this inaction.

The case is a critical test for the repeat infringer clause of the DMCA and the safe harbor protections ISPs enjoy. In recent weeks both parties have started the discovery process to gather as many details as they can for the upcoming trial.

Cox, for example, is looking into the ownership of the 1,000 works for which they received seven million DMCA takedown notices. In addition, the ISP also wants an expert opinion on the source code of the Rightscorp’s crawler that was used to spot the alleged infringements.

For their part, BMG Rights Management and Round Hill Music have asked for details on Cox’s policy towards repeat copyright infringers and extensive details on the company’s financials. The ISP believes the latter request is too broad and as a result is refusing to produce the requested documents.

In a response the music companies have filed a motion asking the federal court to force the ISP to comply (pdf). Among other things, they argue that the financial details are needed to calculate damages and show that Cox has a financial motive to keep persistent pirates on board.

“The financial information that Cox refused to produce is directly relevant to Cox’s strong motivation for ignoring rampant infringement on its network because ignoring this infringement results in a financial benefit to Cox,” they argue.

“Moreover, Cox’s financial motivation for refusing to take meaningful actions against its repeat infringing customers is important to both the knowledge element of contributory infringement and the financial benefit element of vicarious liability,” the music groups add.

In its response Cox states that the rightsholders’ demands are too broad (pdf) since the documents requested include those related to the ISP’s market share, capital expenditures, profits per customer for each service, and so forth. According to Cox most of the information is irrelevant to this case.

“Plaintiffs’ document requests seek virtually every financial record that Cox maintains about its internet Customers and its provision of internet services,” Cox notes.

The ISP says it’s willing to share some financial detail but with a far more limited scope than demanded by the rightsholders.

“To be clear, Cox has been and remains willing to produce high-level, aggregate financial data of the kind that courts permit in cases involving statutory copyright damages, for example corporate tax returns. But Plaintiffs have never offered to entertain even minor limitations to the scope of their discovery requests, making any compromise effectively impossible,” the ISP notes.

The court has yet to decide how many of its financial secrets Cox must reveal but judging from the demands being made from both sides, it’s clear that we can expect more fireworks during the months to come.

Source: TorrentFreak, for the latest info on copyright, file-sharing, torrent sites and anonymous VPN services.

SANS Internet Storm Center, InfoCON: green: Malicious XML: Matryoshka Edition, (Sun, Mar 29th)

This post was syndicated from: SANS Internet Storm Center, InfoCON: green and was written by: SANS Internet Storm Center, InfoCON: green. Original post: at SANS Internet Storm Center, InfoCON: green

A couple of days ago I received another malicious document (078409755.doc B28EF236D901A96CFEFF9A70562C9155). Unlike the XML file I wrote about before, this one does not contain VBA macros:

20150329-114936

But as you can see, it should contain an embedded object. The base64 code found inside the XML object decodes to an OLE file. The single stream present in this OLE file contains ZLIB compressed data (identifiable via byte 0x78). Decompressing this ZLIB stream reveals another OLE file. Which in turn contains an embedded OLE object that turns out to be a VBS script:

20150326-203953

And the base64 string in this VBS script is a PowerShell command:

20150326-204225

If you are interested to see how you can analyze this sample with oledump, you can take a look at this video I produced.

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

TorrentFreak: MPAA Wanted Less Fair Use In Copyright Curriculum

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

gr3During the summer of 2013 we voiced our doubts about an initiative from the Center for Copyright Information (CCI).

The group, which has the MPAA and RIAA as key members, had just started piloting a kindergarten through sixth grade curriculum on copyright in California schools.

The curriculum was drafted in collaboration with iKeepSafe and aims to teach kids the basics of copyright. Unfortunately, the lesson materials were rather one-sided and mostly ignored fair use and the more flexible copyright licences Creative Commons provides.

These concerns were picked up by the mainstream press, creating a massive backlash. The CCI and other partners emphasized that the pilot was tested with an early draft and promised that the final curriculum would be more balanced.

In the months that followed the lesson plans indeed got a major overhaul and last summer the “Copyright and Creativity for Ethical Digital Citizens” curriculum was finalized.

As reported previously, the new and improved version was indeed expanded to discuss fair use principles and Creative Commons licenses. However, as far as Hollywood is concerned it now includes too much discussion on fair use.

TorrentFreak received a copy of a leaked email the MPAA’s Howard Gantman sent to various insiders last summer, explaining what happened. It starts off by mentioning the negative response to the leak and states that the MPAA and RIAA will try to keep a low profile in future, probably to prevent another wave of critique.

“After there was serious negative commentary on twitter, blogs and by news columnists who are not strong supporters of copyright last fall when a draft version of the curriculum was leaked accidentally by iKeepSafe – a determination was made to try to release this in a way that would keep a low profile for any MPAA or RIAA involvement,” Gantman writes.

The copyright holder groups and CCI decided to let iKeepSafe and its PR firm handle the media, something which eventually came to pass. Continuing the conversation Gantman explains that the lesson materials were heavily edited to include a broader and more diverse perspective on copyright.

“The curriculum that has been produced also went through numerous rounds of edits and debate involving a wide range of organizations with differing views on copyright,” Gantman writes.

According to the MPAA, the end result is a compromise that includes more fair use than they had wanted, but still good enough to teach kids how to behave ethically on the Internet.

“So the end result contains sections on fair use that are more extensive than we would use if we drafted the curriculum ourselves. But overall, the effort will hopefully lead to an active program within our schools to help get kids to understand what it means to behave ethically on the Internet,” Gantman adds.

By comparing the first pilot materials with the final curriculum it becomes clear that nearly all additions are about fair use.

Grade 4 lesson handout
shareinggrade4

For example, where children were initially warned against using copyrighted images and music from the Internet in Powerpoint presentations, they are now told that this is totally fine, as long as the material is only shown in class.

Similar changes have been made throughout the entire curriculum, as we documented in our earlier coverage.

The question that remains is whether these extensive changes would have been made if the pilot materials hadn’t leaked in advance. That will probably remain a secret, but at least it’s clear that Hollywood got more fair use than they hoped for.

Source: TorrentFreak, for the latest info on copyright, file-sharing, torrent sites and anonymous VPN services.

Lauren Weinstein's Blog: For the Anti-Gay Indiana GOP, the Web Is a Harsh Mistress

This post was syndicated from: Lauren Weinstein's Blog and was written by: Lauren. Original post: at Lauren Weinstein's Blog

It was with obvious glee two days ago that GOP Governor Mike Pence signed Indiana’s new “Religious Freedom Restoration Act” — in reality a law created to gladden the political voting hearts of closeted and outed racists, not to mention other right-wing lowlifes throughout the Hoosier State. While written so broadly that it conveniently could be used to discriminate against…

TorrentFreak: Why Game Of Thrones Will Be The Most Pirated TV-Show, Again

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

got5Mid April the first episode of Game of Thrones’ fifth season will find its way onto dozens of torrent sites.

Like previous years, a few hours later millions of people will have downloaded this unofficial release.

Traditionally, pirates have used “availability” as an excuse to download movies and TV-shows from illegal sources. In some countries there is simply no legal option available, the arguments often go.

To remove this piracy incentive HBO has made sure that the new Game of Thrones series is available in as many countries as possible. The company recently announced that it will air in 170 countries roughly at the same time as the U.S. release.

This decision is being framed as an anti-piracy move and may indeed have some effect. However, availability is not the only reason why so many people choose to download the show from unauthorized sources.

In fact, if we look at the list of countries where most Game of Thrones downloaders came from last year, we see that it was legally available in all of these countries.

Data gathered during the first 12 hours of the season 4 premiere revealed that most downloads originated from Australia, followed by the United States, the United Kingdom, Canada and the Netherlands. So there must be something else going on.

Pricing perhaps?

The price tag attached to many of legal services may be too high for some. In Australia, for example, it cost $500 to follow last year’s season and in the U.S. some packages were priced as high as $100 per month.

This year there is some positive change to report in the US, as iTunes now offers a $15-per-month subscription without the need for a cable subscription. But if the steep prices remain in most countries it’s unlikely that the piracy rates will drop significantly.

This is nothing new for HBO of course. The company has probably considered offering separate and cheaper Game of Thrones packages, but while this may result in less pirates it will also severely hurt the value of their licensing deals and full subscription plans.

And aside from the financials, piracy also has it upsides.

Game of Thrones director David Petrarca previously admitted that piracy generated much-needed “cultural buzz” around his show. Similarly, Jeff Bewkes, CEO of HBO’s parent company Time Warner, noted that piracy resulted in more subscriptions for his company and that receiving the title of “most-pirated” was “better than an Emmy.

All in all it’s safe to say that Game of Thrones will be crowned the most pirated TV-show again in 2015. The only uncertainty right now is whether it will break last year’s BitTorrent “swarm record,” which currently stands at 254,114 simultaneous sharers.

Source: TorrentFreak, for the latest info on copyright, file-sharing, torrent sites and anonymous VPN services.