Posts tagged ‘Censorship’

TorrentFreak: Israeli Court Lifts Ineffective Popcorn Time Ban

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

Branded a “Netflix for Pirates,” the Popcorn Time app quickly gathered a user base of millions of people over the past year.

The application has some of the major media giants shaking in their boots, including Netflix which sees the pirate app as a serious competitor.

In Israel, local anti-piracy group ZIRA took several Internet providers to court this year, with the goal to have several prominent Popcorn Time sites blocked. This effort resulted in an initial success when a preliminary injunction was granted in May.

However, after a careful review the Tel Aviv court has now reversed this decision. One of the arguments of the court is that blocking Popcorn Time domain names is relatively ineffective.

The court concluded that since the developers of the software can’t be tracked down, there’s nothing that prohibits them from launching new websites to render the blockade useless.

“Therefore, blockage or shutting down Popcorn Time sites does not guarantee that the application can no longer be downloaded,” the judgment reads.

In addition, the court points out that Popcorn Time applications that have been downloaded already will continue to work, even if the sites are blocked.

“This shows that the benefit of the requested measures is minimal, if any,” the verdict notes.

The Internet providers who protested the blocking requests further argued that the blockades would require a lot of resources and hurt their image, which the court largely agreed with.

“The cost of making ISPs some kind of censorship authority is at least equivalent, if not higher, than the cost of copyright infringement,” the verdict reads, mentioning that free competition and freedom of speech may be at risk.

Finally, the court gave ZIRA a slap on the wrist by pointing out that the requested blockade wasn’t as urgent as the copyright holders claimed, since Popcorn Time has been around for a long time.

“These sites, which presumably were visible to everyone, have been online for a long time. Given that, it seems that the applicant delayed the submission of the application which contradicts their urgency claim on the requested preliminary measures”, the judgment reads.

The outcome is a blow for ZIRA and the copyright holders they represent.

In addition to the negative outcome, the court also ordered the anti-piracy group to pay $1,060 to cover the legal fees of one ISP. The other ISPs settled the fees in question out of court.

Source: TorrentFreak, for the latest info on copyright, file-sharing, torrent sites and the best VPN services.

TorrentFreak: Police Let Seized ‘Pirate’ Domains Expire, Some Up For Sale

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

For the past several years the Police Intellectual Property Crime Unit (PIPCU) has been at the forefront of Internet-focused anti-piracy activity in the UK. The government-funded unit has been responsible for several high-profile operations and has been praised by a broad range of entertainment industry companies.

After carrying out raids against the operators of dozens of sites, PIPCU likes to take control of their domains. They do this for two key reasons – one, so that the sites can no longer operate as they did before and two, so they can be used to ‘educate’ former users of the downed sites.

That ‘education’ takes place when visitors to the now-seized ‘pirate’ domains are confronted not with a torrent, proxy, streaming or links site, but a banner published by PIPCU themselves. Its aim is to send a message that sites offering copyrighted content will be dealt with under the law and to suggest that their visitors have been noted.

Earlier comments by PIPCU suggest that its banner has been seen millions of times by people who tried to access a ‘pirate’ site but subsequently discovered that it no longer exists. Last month in an announcement on Twitter, the unit revealed that since Jul 2015 it has diverted more than 11m ‘pirate’ site visits.


While the hits continue to mount for many domains PIPCU has seized (or gained control over by forcing site operators or registrars into compliance), it’s now likely that the group’s educational efforts will reach a smaller audience. Tests carried out by TorrentFreak reveal that PIPCU has somehow lost influence over several previously controlled domains.

Instead of the now-familiar PIPCU ‘busted’ banner, visitors to a range of defunct sites are now greeted with expired, advert-laden or ‘for sale’ domains.

MP3lemon.org, for example, currently displays ads/affiliate links. The same goes for Boxingguru.tv, a domain that was linked to a high-profile PIPCU raid in 2014. Former proxies Katunblock.com and Fenopyreverse.info, plus former streaming links site Potlocker.re complete the batch.

Other domains don’t carry ads but are instead listed for sale. They include former anti-censorship tool site Torrenticity.com, proxy index PirateReverse.info and H33T proxy h33tunblock.info.

The fate of the final set of domains is much less glamorous. Movie2KProxy.com, Movie4KProxy.com, EZTVProxy.net, Metricity.org, YIFYProxy.net and TorrentProxies.com all appear to have simply expired.

Whether these domains will be snapped up at the first opportunity or left to die will largely hinge on whether people believe they can make a profit from them. Some have already changed hands and are now being touted for a couple of thousand dollars each but others are lying in limbo.

In any event, none of these domains seem destined to display PIPCU’s banner in the future. Whether or not the unit cares right now is up for debate, but if any of the domains spring back into life with a ‘pirate’ mission, that could soon change.

Unlike Megaupload’s old domains they don’t appear linked to obvious scams, so that’s probably the main thing.

TorrentFreak: Popcorn Time Blamed For Movie Streaming Piracy Explosion

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

Up until last year, downloading content using BitTorrent was an activity that needed a reasonable level of technical competence. In addition to choosing the correct software and setting everything up, users needed to make themselves familiar with any number of torrent indexes and platforms.

Then along came Popcorn Time and simplified the process to the point that almost anyone can now download the software and access a wide range of (mostly) infringing content within minutes. Needless to say, the various forks of the software have been a thorn in the side of the movie and TV show industry ever since.

With complaints being made against the software in most western countries, it’s now Norway’s turn to make some noise. While the country has expressed concerns about the software in the past, a report published in June by consultancy firm Mediavision is adding fuel to the fire.

According to the company, which analyzes consumer behavior within the sphere of digital media, around 750,000 Norwegians from a five million population are now obtaining video from illegal sources, up 17% on the previous year. However, it is the manner in which they are doing it that’s causing additional concern. According to the researchers, illegal consumption of streaming content has doubled in the past year. And no prizes for guessing who anti-piracy groups are blaming.

“The reason for the increase in piracy is Popcorn Time,” says Rights Alliance Norway chief Willy Johansen.

“It is unfortunately an incredibly easy way to watch movies. But one should be aware that this is a criminal offense. We are now collecting the IP addresses of Norwegian users of Popcorn Time.”

While users will be disappointed to hear that they are being tracked by a Hollywood-backed anti-piracy outfit, the big question is what Rights Alliance will choose to do with that data. The group says their hand may be forced.

“We have hoped for the longest time that we do not have to take on the end-user. But it is clear that if this does not stop, we will have no choice. Most people are now aware that they are doing something illegal, but many continue because ‘everyone else is doing it’,” Johansen says.

Also on the horizon are lawsuits against local ISPs. Rights Alliance hopes that by obtaining a blocking injunction against Popcorn Time-affiliated sites and services, the problem might be brought under control. However, things aren’t straightforward.

“It takes time in the Norwegian legal system, so there is a protracted process,” Johansen notes.

“There is nothing that can be sent to the court today. But we’re working on it together with our attorneys to look into the possibility of getting this stopped through a lawsuit against broadband providers.”

After changes in the law two years ago, these kinds of injunctions were supposed to be easy for groups like Rights Alliance to obtain, but it appears there are still significant hurdles to overcome. Not only are there very stringent requirements in order to obtain an injunction, all expenses incurred must be paid by the plaintiff.

“No independent licensees in Norway have the opportunity [to get injunctions], because they do not have the finances to do so. If we are to stop something, it must be an overall industry behind the lawsuit. It requires a very detailed presentation of evidence,” says Johansen.

Interestingly, however, the group has been working on getting an injunction against another site, most probably The Pirate Bay. The results should become evident in a few weeks.

“The case we’re working on already started before Popcorn Time existed. The problem is that evidence is so extensive that the whole Popcorn Time phenomenon arose during the time we spent gathering evidence from the previous service,” the Rights Alliance chief adds.

As usual, however, the industry isn’t getting much help from ISPs including Telenor, Norway’s largest provider.

“We wish to contribute by relating to parliamentary procedure adopted in such cases,” says Telenor director Tormod Sandstø.

“So the court must make decisions in individual cases, also we will of course abide by those decisions. As an Internet provider we will not be a censorship body.”

The news that Norway may target end users is disappointing. The country has all but eliminated music piracy yet still prefers anti-piracy aggression over business model changes in the video sector.

TorrentFreak: VPN Providers Respond To Allegations of Data Leakage

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

As Internet users seek to bypass censorship, boost privacy and achieve a level of anonymity, VPN services have stepped in with commercial solutions to assist with these aims. The uptake among consumers has been impressive.

Reviews of VPN services are commonplace and usually base their ratings on price and speed. At TorrentFreak we examine many services annually, but with a focus on privacy issues instead.

Now a team of researchers from universities in London and Rome have published a paper titled “A Glance through the VPN Looking Glass: IPv6 Leakage and DNS Hijacking in Commercial VPN clients” (pdf) after investigating 14 popular services on the market today.

“Our findings confirm the criticality of the current situation: many of these providers leak all, or a critical part of the user traffic in mildly adversarial environments. The reasons for these failings are diverse, not least the poorly defined, poorly explored nature of VPN usage, requirements and threat models,” the researchers write.

While noting that all providers are able to successfully send data through an encrypted tunnel, the paper claims that problems arise during the second stage of the VPN client’s operation: traffic redirection.

“The problem stems from the fact that routing tables are a resource that is concurrently managed by the operating system, which is unaware of the security requirements of the VPN client,” the researchers write.

This means that changes to the routing table (whether they are malicious or accidental) could result in traffic circumventing the VPN tunnel and leaking to other interfaces.

IPv6 VPN Traffic Leakage

“The vulnerability is driven by the fact that, whereas all VPN clients manipulate the IPv4 routing table, they tend to ignore the IPv6 routing table. No rules are added to redirect IPv6 traffic into the tunnel. This can result in all IPv6 traffic bypassing the VPN’s virtual interface,” the researchers explain.

vpn-1

As illustrated by the chart above, the paper claims that all desktop clients (except for those provided by Private Internet Access, Mullvad and VyprVPN) leaked “the entirety” of IPv6 traffic, while all providers except Astrill were vulnerable to IPv6 DNS hijacking attacks.

The paper was covered yesterday by The Register with the scary-sounding title “VPNs are so insecure you might as well wear a KICK ME sign” but without any input from the providers in question. We decided to contact a few of them for their take on the paper.

PureVPN told TF that they “take the security of our customers very seriously and thus, a dedicated team has been assigned to look into the matter.” Other providers had already received advance notice of the paper.

“At least for AirVPN the paper is outdated,” AirVPN told TorrentFreak.

“We think that the researchers, who kindly sent the paper to us many months in advance and were warned about that, had no time to fix [the paper] before publication. There is nothing to worry about for AirVPN.”

“Current topology allows us to have the same IP address for VPN DNS server and VPN gateway, solving the vulnerability at its roots, months before the publication of the paper.”

TorGuard also knew of the whitepaper and have been working to address the issues it raises. The company adds that while The Register’s “the sky is falling” coverage of yesterday is “deceptive”, the study does illustrate the need for providers to stay vigilant. Specifically, TorGuard says that it has launched a new IPv6 leak prevention feature on Windows, Mac and Linux.

“Today we have released a new feature that will address this issue by giving users the option of capturing ALL IPv6 traffic and forcing it through the OpenVPN tunnel. During our testing this method proved highly effective in blocking potential IPv6 leaks, even in circumstances when these services were active or in use on the client’s machine,” the company reports.

On the DNS hijacking issue, TorGuard provides the following detail.

“It is important to note that the potential for this exploit only exists (in theory) if you are connected to a compromised WiFi network in which the attacker has gained full control of the router. If that is the case, DNS hijacking is only the beginning of one’s worries,” TorGuard notes.

“During our own testing of TorGuard’s OpenVPN app, we were unable to reproduce this when using private DNS servers because any DNS queries can only be accessed from within the tunnel itself.”

Noting that they released IPv6 Leak Protection in October 2013, leading VPN provider Private Internet Access told TorrentFreak that they feel the paper is lacking.

“While the article purported to be an unbiased and intricate look into the security offered by consumer VPN services, it was greatly flawed since the inputs or observations made by the researchers were inaccurate,” PIA said.

“While a scientific theory or scientific test can be proven by a logical formula or algorithm, if the observed or collected data is incorrect, the conclusion will be in error as well.”

PIA criticizes the report on a number of fronts, including incorrect claims about its DNS resolver.

“Contrary to the report, we have our own private DNS daemon running on the Choopa network. Additionally, the DNS server that is reported, while it is a real DNS resolver, is not the actual DNS that your system will use when connected to the VPN,” the company explains.

“Your DNS requests are handled by a local DNS resolver running on the VPN gateway you are connected to. This can be easily verified through a site like ipleak.net. Additionally… we do not allow our DNS servers to report IPv6 (AAAA records) results. We’re very serious about security and privacy.”

Finally, in a comprehensive response (now published here) in which it notes that its Windows client is safe, PIA commends the researchers for documenting the DNS hijacking method but criticizes how it was presented to the VPN community.

“The DNS Hijacking that the author describes [..] is something that has recently been brought to light by these researchers and we commend them on their discovery. Proper reporting routines would have been great, however. Shamefully, this is improper security disclosure,” PIA adds.

While non-IPv6 users have nothing to fear, all users looking for a simple fix can disable IPv6 by following instructions for Windows, Linux and Mac.
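The routing-table condition the researchers describe can be checked locally. The following is an added example, not code from the paper or from any provider: it takes the text printed by `ip -4 route show` and `ip -6 route show` on Linux, does a longest-prefix match for one probe address per address family, and reports whether that traffic would leave through the tunnel. The interface names (`tun0`, `wlan0`), addresses and sample tables are constructed for illustration.

```python
import ipaddress
from collections import namedtuple

Route = namedtuple("Route", "net dev metric blocked")

# Route types that drop traffic instead of forwarding it.
BLOCKING_TYPES = {"unreachable", "blackhole", "prohibit"}


def _value_after(tokens, key):
    """Return the token following `key`, or None if absent."""
    if key in tokens[:-1]:
        return tokens[tokens.index(key) + 1]
    return None


def parse_routes(text, version):
    """Parse `ip -4 route show` / `ip -6 route show` text into Route tuples."""
    routes = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        blocked = tokens[0] in BLOCKING_TYPES
        if blocked:
            tokens = tokens[1:]
        if not tokens:
            continue
        dest = tokens[0]
        if dest == "default":
            dest = "0.0.0.0/0" if version == 4 else "::/0"
        try:
            net = ipaddress.ip_network(dest, strict=False)
        except ValueError:
            continue  # other route types (local, broadcast, ...) are skipped
        if net.version != version:
            continue
        metric = int(_value_after(tokens, "metric") or 0)
        routes.append(Route(net, _value_after(tokens, "dev"), metric, blocked))
    return routes


def egress_verdict(routes, probe, tunnel_dev):
    """Longest-prefix match for `probe`; ties go to the lower metric."""
    ip = ipaddress.ip_address(probe)
    matches = [r for r in routes if ip in r.net]
    if not matches:
        return "no-route"          # traffic cannot leave at all
    best = max(matches, key=lambda r: (r.net.prefixlen, -r.metric))
    if best.blocked:
        return "blocked"           # explicitly dropped, so no leak
    if best.dev == tunnel_dev:
        return "tunnel"
    return "leak:" + str(best.dev)  # bypasses the VPN interface


def check_leak(v4_text, v6_text, tunnel_dev):
    """Verdict per address family, using documentation-range probe addresses."""
    return {
        "ipv4": egress_verdict(parse_routes(v4_text, 4), "192.0.2.1", tunnel_dev),
        "ipv6": egress_verdict(parse_routes(v6_text, 6), "2001:db8::1", tunnel_dev),
    }


# Constructed sample: IPv4 redirected into the tunnel with two /1 routes.
IPV4_ROUTES = """\
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23 metric 600
"""

# Constructed sample: the IPv6 table was never touched by the VPN client.
IPV6_LEAKY = """\
2001:db8:1::/64 dev wlan0 proto ra metric 600 pref medium
fe80::/64 dev wlan0 proto kernel metric 600 pref medium
default via fe80::1 dev wlan0 proto ra metric 600 pref medium
"""

# Constructed sample: IPv6 is also captured by the tunnel.
IPV6_TUNNELLED = """\
::/1 dev tun0 metric 50 pref medium
8000::/1 dev tun0 metric 50 pref medium
default via fe80::1 dev wlan0 proto ra metric 600 pref medium
"""

# Constructed sample: IPv6 is dropped by a lower-metric unreachable route.
IPV6_BLOCKED = """\
unreachable ::/0 dev lo metric 1 pref medium
default via fe80::1 dev wlan0 proto ra metric 600 pref medium
"""

if __name__ == "__main__":
    for name, table in [("leaky", IPV6_LEAKY), ("tunnelled", IPV6_TUNNELLED),
                        ("blocked", IPV6_BLOCKED), ("disabled", "")]:
        print(name, check_leak(IPV4_ROUTES, table, "tun0"))
```

The check only models destination routing; policy rules (`ip rule`) and firewall filtering are not considered, so a "tunnel" verdict here does not cover the DNS hijacking issue the paper also raises.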

TorrentFreak: Google Scolds MPAA’s “Cozy” Anti-Piracy Lobby in Court

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

Late last year leaked documents from the Sony hack revealed that the MPAA helped Mississippi Attorney General Jim Hood to revive SOPA-like censorship efforts in the United States.

In a retaliatory move Google sued the Attorney General, hoping to find out more about the secret plan. The company also demanded internal communication from the MPAA and its law firm Jenner & Block.

After the Hollywood group and its lawyers refused to provide all information Google asked for, a separate legal battle began with both sides using rather strong language to state their case.

The MPAA accused Google of facilitating piracy and objected to a request to transfer the case to Mississippi, where the underlying case was started. According to the movie industry group and its lawyers they are merely bystanders who want to resolve the matter in a Washington court.

This week Google responded to the MPAA opposition with a scathing reply, which outs the cozy relationship between the MPAA and the Attorney General’s office.

“Their rhetoric does not match reality,” Google responds (pdf) to the request not to transfer the case. “The MPAA and Jenner are no strangers to Mississippi.”

“The Subpoenaed Parties sought out Mississippi when they co-opted the state’s Attorney General for their anti-Google campaign. Documents withheld by the MPAA until last week reveal a stunning level of involvement in Mississippi’s affairs.”

According to Google it’s clear that the MPAA and its law firm were in “intimate contact” with the Attorney General, offered monetary donations, hosted fundraisers and also helped him to draft legal paperwork.

“According to the Subpoenaed Parties, they are strangers to Mississippi. But documents produced last week by the MPAA tell a very different story. The Subpoenaed Parties and their representatives made repeated visits to AG Hood’s office in Mississippi to guide his anti-Google work.”

“Even when they weren’t physically at AG Hood’s office, they may as well have been, getting together with him in Denver and Santa Monica and holding a fundraising dinner for him in New Orleans.”

And there is more. The emails the MPAA recently produced also reveal “remarkably cozy and constant communications” between the MPAA and the Attorney General’s office.

In one email the MPAA’s Brian Cohen greeted one of Hood’s staffers with “Hello my favorite” offering to share pictures of his vacation in New Zealand via Dropbox. In another email discussing a meeting with the AG’s staff, MPAA’s Cohen writes “OMG we spent 3 hours.”

According to Google the examples above clearly show that there’s a rather close relationship between the MPAA’s lobbyists and the Attorney General.

“This pattern of sustained, intimate contact is hardly the mark of a party that merely ‘communicated with Attorney General Hood’ ‘previously,’ as the MPAA characterizes itself.”

Throwing in a movie reference, Google further notes that transferring the case would be in line with Rule 45, which ties the subpoena to the Mississippi case.

“But it is not merely the Subpoenaed Parties’ starring role in the underlying events that warrants transfer of Google’s Motions to Compel to Judge Wingate in Mississippi; all of the Rule 45 factors support it as well,” Google notes.

The reply continues adding more support and arguments to transfer the case, using more strong language, and the sarcastic-aggressive tone continues throughout.

If we hadn’t seen enough evidence already, the filing makes it clear that the MPAA and Google are not on speaking terms, to say the least. And with the Attorney General case just getting started, things may get even worse.

TorrentFreak: Surprise! VPN Provider Expects Victory in Site-Block Arms Race

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

After years of pressure but mere months of deliberations, yesterday the Australian government imposed a new copyright law on its citizens.

As soon as it receives the formality of royal assent, the Copyright Amendment (Online Infringement) Bill 2015 will enter into force and soon after it’s expected that rightsholders will make their first moves to have a site blocked.

After the passing of the law yesterday a lot of furious people took to the web, many decrying the censorship and filtering efforts of the Australian government. But despite the outcry there are others who are not only relaxed about the upcoming efforts but also stand to profit handsomely from them.

They are of course VPN providers, services set up to cut through web-blockades and similar efforts like a hot knife through butter. They’re already extremely popular in Australia due to their geo-unblocking abilities and will now do even more business as a result of the country’s new law.

However, there are still those that remain concerned over the future of VPNs and their status as site-blocking kryptonite. Might the government eventually run out of patience and do a U-turn on assurances they won’t tackle the technology by blocking? Would it matter, practically, if they did?

Robert Knapp, chief executive at CyberGhost, one of the more popular VPN providers, doesn’t think so. He is calm, taking developments completely in his stride, and foresees no threat to his business.

“We see in general the same that you see in nature if somebody tries to block a river floating – the water finds his way,” Knapp says.

Despite attempts by the Australian Greens to have VPNs exempted from the new law, it is unlikely that services who play by the rules (i.e. do not promote their products for infringing purposes) will be blocked. However, if the authorities want to test the waters, companies like CyberGhost will be up for the challenge.

“They should also then realize with whom they play in the same league,” Knapp says.

“Maybe they do it [blocking], maybe they don’t do it, it’s kind of a technical race. So it’s our daily business. They might do it, we will find a way to keep our servers running.”

While most people understand that blocking a determined service provider could descend into an endless arms-race, rightsholders are also keenly aware of the political fallout from attacking legitimate technologies.

“We didn’t intend this law to be used specifically against VPN because there are many legitimate uses of VPN and the intention of the law is not to stop people using the internet for legitimate purposes,” a Foxtel spokesperson told Mumbrella this morning.

And herein lies the problem. By driving traffic underground, into the encrypted tunnels of VPNs, rightsholders now have even less of an idea of who is pirating what and from where. VPNs are a legitimate but “dual use” technology, one that can be used for privacy or indeed piracy purposes. It’s a giant loophole that will be difficult to close. Nevertheless, companies like Foxtel say they will keep an eye on developments.

“We would obviously be concerned if it meant there was a hole in the law,” the spokesman said. “We will be monitoring how things go and see if there is a serious issue in the future.”

So what next for Australia’s blocking regime?

If history from the UK repeats itself (and there’s every reason to believe that it will), rightsholders will first take on a site that is guaranteed to tick every ‘pirate’ box. That forerunner is almost certain to be The Pirate Bay, a site that is not only located overseas as the legislation requires, but one that also has no respect for copyright. The fact that it has been blocked in plenty of other regions already will be the icing on the cake.

Once the case against The Pirate Bay is complete then other “structurally similar” sites will be tackled with relative ease and since none of their operators will be appearing in court to defend themselves, expect the process to be streamlined in favor of copyright holders.

Lauren Weinstein's Blog: Why Google Must Stand Firm: Putin Pushes the Dangerous “Right To Be Forgotten” Further Into Lunatic Land

This post was syndicated from: Lauren Weinstein's Blog and was written by: Lauren. Original post: at Lauren Weinstein's Blog

A week ago, in my latest discussion of the nightmarish EU “Right To Be Forgotten” (RTBF), titled Just Say “NON!” – France Demands Right of Global Google Censorship, I once again emphasized the “camel’s nose under the tent” aspect of RTBF, and how we should have every expectation that Russia, China, and other repressive regimes would make similar demands and…

TorrentFreak: MPAA: Google Assists and Profits from Piracy

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

Late last year leaked documents from the Sony hack revealed that the MPAA helped Mississippi State Attorney General Hood to revive SOPA-esque censorship efforts in the United States.

In a retaliatory move Google sued the Attorney General, hoping to find out more about the secret effort. As part of these proceedings Google also demanded internal communication from the MPAA, but the Hollywood group has been hesitant to share these details.

After several subpoenas remained largely unanswered Google took the MPAA to court earlier this month. The search giant asked a Columbia federal court to ensure that the MPAA and its law firm Jenner & Block hand over the requested documents.

The MPAA and its law firm responded to the complaint this week, stressing that Google’s demands are overbroad. They reject the argument that internal discussions or communications with its members and law firm will reveal Attorney General Hood’s intent, not least due to the Attorney General not being part of these conversations himself.

According to the Hollywood group, Google’s broad demands are part of a public relations war against the MPAA, one in which Google inaccurately positions itself as the victim.

“Google portrays itself as the innocent victim of malicious efforts to abridge its First Amendment rights. In reality, Google is far from innocent,” the MPAA informs the federal court (pdf).

The MPAA notes that Google is knowingly facilitating and profiting from distributing “illegal” content, including pirated material.

“Google facilitates, and profits from, the distribution of third-party content that even Google concedes is ‘objectionable.’ ‘Objectionable’ is Google’s euphemism for ‘illegal’,” the MPAA writes.

The opposition brief states that for a variety of reasons the subpoenaed documents are irrelevant to the original lawsuit and are far too broad in scope. The MPAA’s initial searches revealed that 100,000 documents would likely require review, many of which it believes are protected by attorney-client privilege.

The MPAA says that Google is trying to leverage the information revealed in the Sony hack to expose the MPAA’s broader anti-piracy strategies in public, and that this is all part of an ongoing PR war.

“The purpose of these Subpoenas is to gather information — beyond the information that was already stolen via the Sony hack on which it relies — on the MPAA’s strategies to protect its members’ copyrighted material and address violations of law on the Internet affecting its members’ copyrights and the rights of others,” they write.

“Moreover, Google openly admits that it opposes any order to keep these discovery materials in confidence, revealing its goal to disseminate these documents publicly as part of its ongoing public relations war.”

Positioning itself as the victim, the MPAA goes on to slam Google for going after anyone who “dares” to expose the search engine’s alleged facilitation of piracy and other unlawful acts.

“…the most fundamental purpose of these Subpoenas is to send a message to anyone who dares to seek government redress for Google’s facilitation of unlawful conduct: If you and your attorneys exercise their First Amendment right to seek redress from a government official, Google will come after you.”

In conclusion, the MPAA and its law firm ask the court to reject Google’s broad demands and stop the “abuse” of the litigation process.

It’s now up to the judge to decide how to proceed, but based on the language used, the stakes at hand and the parties involved, this dispute isn’t going to blow over anytime soon. It’s more likely to blow up instead.

Lauren Weinstein's Blog: Just Say “NON!” – France Demands Right of Global Google Censorship

This post was syndicated from: Lauren Weinstein's Blog and was written by: Lauren. Original post: at Lauren Weinstein's Blog

I’ve been waiting for this, much the way one waits for a violent case of food poisoning. France is now officially demanding that Google expand the hideous EU “Right To Be Forgotten” (RTBF) to Google.com worldwide, instead of just applying it to the appropriate localized (e.g. France) version of Google. And here’s my official response as a concerned individual: To…

TorrentFreak: Aussie ‘Pirate’ Site-Blocking Bill Given the Green Light

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

Late 2014, Attorney-General George Brandis and Communications Minister Malcolm Turnbull asked the Australian Cabinet to approve the development of a new system which would allow rightsholders to obtain site-blocking injunctions against ISPs. In March a draft of that legislation was introduced to parliament.

Since then the Copyright Amendment (Online Infringement) Bill 2015 has been under investigation by the Legal and Constitutional Affairs Legislation Committee. After examining the framework which allows rightsholders to apply for blocks against ‘pirate’ sites located overseas, this morning the Committee published a report that notes four recommendations but otherwise gives the legislation a green light.

Recommendations

When an application is made by a rightsholder for a blocking injunction, the Bill in its current form requires the Court to consider at least eight factors when determining whether an application should be granted. These include whether a site shows a general disregard for copyright, whether it has been blocked already in another jurisdiction, and the ‘flagrancy’ of any infringement.

Responding to rightsholder complaints that the bar had been set too high, alongside a belief that the thresholds for proving infringement had been narrowly established elsewhere in the Bill, the Committee advised an amendment from “is to take the following matters into account” to the watered down “may take the following matters into account”.

The recommendations also address VPNs, noting that “the Bill does not explicitly contemplate the introduction of injunctions against VPNs”, adding that “VPNs are unlikely to meet the ‘primary purpose test’ [designed for infringing uses].” The Committee noted, however, that it would be “reassured” if the government clarified the status of such tools.

In respect of the “reasonable steps” ISPs will be expected to take in order to “disable access to an online location”, the Committee advised that these may include the posting of a landing page, similar to those currently used in the UK, which advise visitors that the site in question has been blocked alongside details of the order.

In another recommendation the Committee calls upon the government to provide greater clarity and guidance on the issue of costs and liability for ISPs after they comply with a court order to block a site.

“The committee urges the government to clarify its position regarding the attribution of costs of compliance with orders where injunctive relief is granted,” the report reads.

“The committee notes the persuasive evidence of service providers to the effect that as [an ISP] bears no fault or liability for the infringement of copyright by its subscribers, [the ISP] should not be required to contribute to the cost of the remedy. The committee is of the view that more clarity is required to reassure [ISPs] that the costs associated with site-blocking will primarily be borne by those parties who are seeking the remedy.”

In other words, if rightsholders want to benefit from a site block, they should be the ones to pay for its implementation.

Finally, the Committee advises that the new legislation should be given an initial 24 months to do its work. At this point it should be re-examined to assess its performance.

“The committee recommends that the government conduct a formal review of the effectiveness of the Copyright Amendment (Online Infringement) Bill 2015, to be completed two years after its enactment,” the Committee concludes.

Dissenting Report – Australian Greens

In a second report published alongside the Committee’s this morning, Senator Scott Ludlam of the Australian Greens slams the Bill as the “latest in a long line of misguided attempts by the government to monitor, control and censor the Internet.”

Noting that the Bill hands “significant” new censorship powers to the court, Ludlam says that the evidence shows that it will be relatively easy to bypass the Bill’s provisions. Furthermore, the Bill lacks safeguards to ensure that legitimate online sources aren’t subjected to overblocking.

“Most importantly, there is also a significant weight of evidence showing that the Bill will not meet its aims, as it does not address the underlying cause of online copyright infringement: The continual refusal of offshore rights holders to make their content available in a timely, convenient and affordable manner to Australians,” Ludlam concludes.

TorrentFreak: Kim Dotcom’s MegaNet Preps Jan 2016 Crowdfunding Campaign

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

For many years Kim Dotcom was associated with a crazy lifestyle but these days he prefers to be seen more as a family man.

Regularly posting pictures of his children on Twitter and playing down his wild past, Dotcom seems unlikely to entertain a recent request from Pirate Bay founder Peter Sunde to join him on the Gumball Rally.

But while yachts and fast cars might be a thing of the past, Dotcom has certainly not lost the fire in his belly when it comes to his current predicament. As he fights off a ravenous U.S. government determined to bring him to justice by any means possible, spying included, the Megaupload founder has positioned himself as a champion of Internet privacy.

On January 19, 2013, Dotcom marked the anniversary of the raid on his empire by launching the privacy-focused cloud-storage service Mega.co.nz. Next year on the same date, the tenacious German says he will deliver again.

Thus far, details are thin on the ground, but what we do know is that Dotcom is planning a new anti-censorship network he calls MegaNet.

“How would you like a new Internet that can’t be controlled, censored or destroyed by Governments or Corporations?” Dotcom teased in February.

MegaNet’s precise mechanism is yet to be revealed, but Dotcom has already stated that the network will be non-IP address based and that blockchain technology will play an important role.

What we also know is that users’ mobile phones will play a crucial role, although at launch other devices will participate in the network.

“All your mobile phones become an encrypted network,” Dotcom notes. “You’d be surprised how much idle storage & bandwidth capacity mobile phones have. MegaNet will turn that idle capacity into a new network.”

At this stage it appears that Dotcom envisions a totally decentralized system, an essential quality if he is to deliver on his claims of absolute privacy.

With the earlier promise that participants in MegaNet “become the MegaNet”, Dotcom’s announcement this morning that the project will seek monetary contributions from the masses seems entirely fitting.

“MegaNet details will be revealed and equity will be available via crowd funding on 20 Jan 2016, the fourth anniversary of the raid [on Dotcom and Megaupload],” Dotcom confirmed.

And for now, that is all. Dotcom has become somewhat of an expert at dripping small details to the masses as and when he sees fit while allowing the media to fill in the blanks. It’s a somewhat effective strategy which provides millions in free advertising for close to zero marketing outlay.

The big question now is how much equity MegaNet will need to get off the ground and how many of Dotcom’s supporters will believe that privacy is a commodity worth supporting with their wallets. People were happy to support Peter Sunde’s Heml.is on the same premise, but as recently revealed the amount of cash required to compete can be considerable.

However, Dotcom probably won’t attempt this entirely on his own. Given his history there’s a significant chance that the entrepreneur will pull in heavyweights such as Julian Assange and Glenn Greenwald to support the campaign. That will definitely help to boost the coffers.

Update: Kim Dotcom has sent TorrentFreak additional details on how MegaNet will operate.

“MegaNet has a unique file crystallization and recreation protocol utilizing the blockchain. You can load entire websites with this new technology and it makes them immune to almost all hacker attacks and ddos,” Dotcom informs TF.

“In the beginning MegaNet will still utilize the current Internet as a dumb pipe but in 10 years it will run exclusively on smartphones with hopefully over 500 million users carrying the network.

“A network by the people for the people. Not controlled by any government or corporations. MegaNet will be a powerful tool to guard our privacy and freedoms and it will also be my legacy,” Dotcom concludes.

On the finance front, MegaNet will partner with Bnktothefuture.com and Max Keiser to raise capital.

TorrentFreak: Google Takes MPAA to Court Over Secret Censorship Plans

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

Helped by the MPAA, Mississippi State Attorney General Jim Hood launched a secret campaign to revive SOPA-like censorship efforts in the United States.

The MPAA and Hood want Internet services to bring website blocking and search engine filtering back to the table after the controversial law failed to pass.

In response to the looming threat Google filed a complaint against Hood last December, asking the court to prevent Hood from enforcing a subpoena that addresses Google’s failure to take down or block access to illegal content, including pirate sites.

This resulted in a victory for Google with District Court Judge Henry Wingate putting the subpoena on hold. At the same time Google requested additional details from the Attorney General and various other parties involved in the scheme, including the MPAA.

Thus far, however, these requests haven’t proven fruitful. In a motion to compel directed at the MPAA (pdf), Google explains that the movie industry group and other petitioned parties have yet to hand over the requested information.

“To date, the subpoenaed parties have produced nothing,” Google’s lawyers inform the court.

“They have inexplicably delayed producing the few documents they agreed to turn over, and have objected that many of their documents, including internal notes or summaries of meetings with AG Hood, are irrelevant or protected by some unsubstantiated privilege.”

In addition to the MPAA, Google has also filed similar motions against the MPAA’s law firm Jenner & Block, Digital Citizens Alliance, 21st Century Fox, NBC Universal and Viacom.

All parties thus far have refused to hand over the requested information, which includes communication with and prepared for the Attorney General, as well as emails referencing Google.

According to the MPAA this information is “irrelevant” or privileged, but Google disagrees.

“The relevance objections are meritless. As Judge Wingate has already held, there is substantial evidence that the Attorney General’s actions against Google were undertaken in bad faith and for a retaliatory purpose,” the motion reads.

According to Google’s legal team the documents will shine a light on how the MPAA and others encouraged and helped the Attorney General to push for Internet censorship.

“Google expects the documents will show that the Attorney General, the Subpoenaed Parties, and their lobbyists understood that his actions invaded the exclusive province of federal law,” the motion reads.

“More fundamentally, the documents are likely to show that the Attorney General’s investigation was intended not to uncover supposed violations of Mississippi law, but instead to coerce Google into silencing speech that Viacom, Fox, and NBC do not like…”

District Court Judge James Boasberg has referred the case to a magistrate judge (pdf), who will discuss the matter in an upcoming hearing. Considering the stakes at hand, the players involved will leave no resource untapped to defend their positions.

TorrentFreak: Russia Orders ISPs to Block The Pirate Bay

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

As the arch-rival of many copyright groups, The Pirate Bay has become one of the most censored websites on the Internet in recent years.

Courts all around the world have ordered Internet providers to block subscriber access to the torrent site and the list continues to expand.

This week Russia’s telecommunications watchdog Roskomnadzor issued an update to the country’s blocklist adding two Pirate Bay domain names.

Following a complaint from Mosfilm, one of the largest European movie studios, Russian ISPs are now required to block access to thepiratebay.se and thepiratebay.mn.

Interestingly, there is no separate court order against The Pirate Bay. Instead, the domains were added to an existing injunction targeting tushkan.net, which was offering a pirated copy of Mosfilm’s movie “The Road to Berlin.”

Under Russian law, copyright holders can add domain names to an injunction if their content appears on other sites as well. In addition to The Pirate Bay domains, a dozen other sites were added in the same update.

Technically, The Pirate Bay can request a removal from the blocklist after they remove all links to the film in question. But considering the site’s stance on taking down content, this is not going to happen.

[Image: Pirate Bay Blocked]

While the order aims to deprive millions of Russians from visiting the popular torrent site, it will be rather ineffective for now. Two weeks ago The Pirate Bay added several new domain names and four of those remain readily accessible.

It is clear, however, that Russia is not averse to taking measures against websites that are accused of facilitating copyright infringement. Hundreds of websites have been blocked in recent years and there are calls to ban various circumvention tools including VPNs and TOR as well.

The first step in this direction was set last week when an anti-censorship website from a local human rights group was blocked, and similar crackdowns may follow in the near future.

TorrentFreak: Court Orders VPN, TOR & Proxy Advice Site to be Blocked

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

While there is still much resistance to the practice in the United States, having websites blocked at the ISP level is becoming easier in many other countries around the world.

One country where the process is becoming ever more streamlined is Russia. The country blocks hundreds of websites on many grounds, from copyright infringement to the publication of extremist propaganda, suicide discussion and the promotion of drugs.

Keeping a close eye on Russia’s constantly expanding website blocklist is RosKomSvoboda. The project advocates human rights and freedoms on the Internet, monitors and publishes data on blockades, and provides assistance to Internet users and website operators who are wrongfully subjected to restrictions.

Now, however, RosKomSvoboda will have to fight for its own freedoms after a local court ordered ISPs to block an advice portal operated by the group.

The site, RUBlacklist, is an information resource aimed at users who wish to learn about tools that can be used to circumvent censorship. It doesn’t host any tools itself but offers advice on VPNs, proxies, TOR and The Pirate Bay’s Pirate Browser.

Also detailed are various anonymizer services (which are presented via a linked Google search), Opera browser’s ‘turbo mode’ (which is often used in the UK to unblock torrent sites) and open source anonymous network I2P (soon to feature in a Popcorn Time fork).

Unfortunately, Russian authorities view this education as problematic. During an investigation carried out by the Anapa district’s prosecutor’s office it was determined that RosKomSvoboda’s advice undermines government blocks.

“Due to anonymizer sites, in particular http://rublacklist.net/bypass, users can have full access to all the banned sites anonymously and via spoofing. That is, with the help of this site, citizens can get unlimited anonymous access to banned content, including extremist material,” a ruling from the Anapa Court reads.

Describing the portal as an anonymization service, the Court ordered RosKomSvoboda’s advice center to be blocked at the ISP level.

Needless to say the operators of RosKomSvoboda are outraged that their anti-censorship efforts will now be censored. Group chief Artyom Kozlyuk slammed the decision, describing both the prosecutor’s lawsuit and the Court ruling as “absurd”.

“Law enforcement has demonstrated its complete incompetence in the basic knowledge of all the common technical aspects of the Internet, though even youngsters can understand it,” Kozlyuk says.

“Anonymizers, proxies and browsers are multitask instruments, helping to search for information on the Internet. If we follow the reasoning of the prosecutor and the court, then the following stuff should be prohibited as well: knives, as they can become a tool for murder; hammers, as they can be used as a tool of torture; planes, because if they fall they can lead to many deaths.

“To conclude, I would love to ask the prosecutor of Anapa to consider the possibility of prohibiting paper and ink, because with these tools one can draw a very melancholic picture of this ruling’s complete ignorance.”

RosKomSvoboda’s legal team say they intend to appeal the ruling which was the result of a legal procedure that took place without their knowledge.

“We can only guess why the project is considered to be an anonymizer. It’s likely that no one in Anapa city court understands what they are dealing with,” says RosKomSvoboda lawyer Sarkis Darbinian.

“We see that these kinds of rulings are being stamped on a legal conveyor belt. Moreover, we see the obvious violation of the fundamental principles of civil procedure – an adversarial system.”

The court ruling against RUBlacklist arrives at the same time as a report from the United Nations which urges member states to do everything they can to encourage encryption and anonymity online.

TorrentFreak: Hola VPN Sells Users’ Bandwidth, Founder Confirms

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

Faced with increasing local website censorship and Internet services that restrict access depending on where a user is based, more and more people are turning to specialist services designed to overcome such limitations.

With prices plummeting to just a few dollars a month in recent years, VPNs are now within the budgets of most people. However, there are always those who prefer to get such services for free, without giving much consideration to how that might be economically viable.

One of the most popular free VPN/geo-unblocking solutions on the planet is operated by Israel-based Hola. It can be added to most popular browsers in seconds and has an impressive seven million users on Chrome alone. Overall the company boasts 46 million users of its service.

Now, however, the company is facing accusations from 8chan message board operator Fredrick Brennan. He claims that Hola users’ computers were used to attack his website without their knowledge, and that this was made possible by the way Hola is set up.

“When a user installs Hola, he becomes a VPN endpoint, and other users of the Hola network may exit through his internet connection and take on his IP. This is what makes it free: Hola does not pay for the bandwidth that its VPN uses at all, and there is no user opt out for this,” Brennan says.

This means that rather than having their IP addresses cloaked behind a private server, free Hola users are regularly exposing their IP addresses to the world but associated with other people’s traffic – no matter what that might contain.

While this will come as a surprise to many, Hola says it has never tried to hide the methods it employs to offer a free service.

Speaking with TorrentFreak, Hola founder Ofer Vilenski says that his company offers two tiers of service – the free option (which sees traffic routed between Hola users) and a premium service, which operates like a traditional VPN.

However, Brennan says that Hola goes a step further, by selling Hola users’ bandwidth to another company.

“Hola has gotten greedy. They recently (late 2014) realized that they basically have a 9 million IP strong botnet on their hands, and they began selling access to this botnet (right now, for HTTP requests only) at https://luminati.io,” the 8chan owner says.

TorrentFreak asked Vilenski about Brennan’s claims. Again, there was no denial.

“We have always made it clear that Hola is built for the user and with the user in mind. We’ve explained the technical aspects of it in our FAQ and have always advertised in our FAQ the ability to pay for non-commercial use,” Vilenski says.

And this is how it works.

Hola generates revenue by selling a premium service to customers through its Luminati brand. The resources and bandwidth for the Luminati product are provided by Hola users’ computers when they are sitting idle. In basic terms, Hola users get their service for free as long as they’re prepared to let Hola hand their resources to Luminati for resale. Any users who don’t want this to happen can buy Hola for $5 per month.

Fair enough perhaps – but how does Luminati feature in Brennan’s problems? It appears his interest in the service was piqued after 8chan was hit by multiple denial of service attacks this week which originated from the Luminati / Hola network.

“An attacker used the Luminati network to send thousands of legitimate-looking POST requests to 8chan’s post.php in 30 seconds, representing a 100x spike over peak traffic and crashing PHP-FPM,” Brennan says.

Again, TorrentFreak asked Vilenski for his input. Again, there was no denial.

“8chan was hit with an attack from a hacker with the handle of BUI. This person then wrote about how he used the Luminati commercial VPN network to hack 8chan. He could have used any commercial VPN network, but chose to do so with ours,” Vilenski explains.

“If 8chan was harmed, then a reasonable course of action would be to obtain a court order for information and we can release the contact information of this user so that they can further pursue the damages with him.”

Vilenski says that Hola screens users of its “commercial network” (Luminati) prior to them being allowed to use it but in this case “BUI” slipped through the net. “Adjustments” have been made, Hola’s founder says.

“We have communicated directly with the founder of 8Chan to make sure that once we terminated BUI’s account they’ve had no further problems, and it seems that this is the case,” Vilenski says.

It is likely the majority of Hola’s users have no idea how the company’s business model operates, even though it is made fairly clear in its extensive FAQ/ToS. Installing a browser extension takes seconds and if it works as advertised, most people will be happy.

Whether this episode will affect Hola’s business moving forward is open to question but for those with a few dollars to spend there are plenty of options in the market. Until then, however, those looking for free options should read the small print before clicking install.

Krebs on Security: China Censors Facebook.net, Blocks Sites With “Like” Buttons

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

Chinese government censors at the helm of the “Great Firewall of China” appear to have inadvertently blocked Chinese Web surfers from visiting pages that call out to connect.facebook.net, a resource used by Facebook’s “like” buttons. While the apparent screw-up was quickly fixed, the block was cached by many Chinese networks — effectively blocking millions of Chinese Web surfers from visiting a huge number of sites that are not normally censored.

Sometime in the last 24 hours, Web requests from within China for a large number of websites were being redirected to wpkg.org, an apparently innocuous site hosting an open-source, automated software deployment, upgrade and removal program for Windows.

One KrebsOnSecurity reader living in China who was inconvenienced by the glitch said he discovered the problem just by trying to access the regularly non-blocked UK newspapers online. He soon noticed a large swath of other sites were also being re-directed to the same page.

“It has the feel of a cyber attack rather than a new addition to the Great Firewall,” said the reader, who asked not to be identified by name. “I thought it might be malware on my laptop, but then I got an email from the IT services at my university saying the issue was nation-wide, which made me curious. It’s obviously very normal for sites to be blocked here in China, but the scale and the type of sites being blocked (and the fact that we’re being re-directed instead of the usual 404 result) suggests a problem with the Internet system itself. It doesn’t seem like the kind of thing the Chinese gov would do intentionally, which raises some interesting questions.”

Nicholas Weaver, a researcher who has delved deeply into Chinese censorship tools in his role at the International Computer Science Institute (ICSI) and the University of California, Berkeley, agrees that the blocking of connect.facebook.net by censors inside the country was likely a mistake.

“Any page that had a Facebook Connect element on it that was unencrypted and visited from within China would instead get this thing which would reload the main page of wpkg.org,” Weaver said, noting that while Facebook.com always encrypts users’ connections, sites that rely on Facebook “like” buttons and related resources draw those from connect.facebook.net. “That screw-up seems to have been fairly quickly corrected, but the effect of it has lingered because it got into people’s domain name system (DNS) caches.”

In short, a brief misstep in censorship can have lasting and far flung repercussions. But why should this be considered a screw-up by Chinese censors? For one thing, it was corrected quickly, Weaver said.

“Also, the Chinese censors don’t benefit from it, because this caused a huge amount of disruption to Chinese web surfers on pages that the government doesn’t want to censor,” he said.

Such screw-ups are not unprecedented. In January 2014, Chinese censors attempting to block Greatfire.org — a site that hosts tools and instructions for people to circumvent restrictions erected by the Great Firewall — inadvertently blocked all Chinese Web surfers from accessing most of the Internet.

Doing censorship right — without introducing the occasional routing calamities and unintended consequences — is hard, Weaver said. And China isn’t the only nation that’s struggled with censorship goofs. The United Kingdom filters its providers’ Internet traffic for requests to known child pornography material. In 2008, a filtering system run by the U.K.-based Internet Watch Foundation flagged the cover art for the album Virgin Killers by the rock band Scorpions as potential child porn. As a result, the system placed several pages from Wikipedia on its Internet black list.

The British child porn filtering system checked for requests to images flagged as indecent by proxying the traffic through a specific system. So when U.K. residents tried to edit Wiki pages following the blacklisting, Wikipedia saw those requests as huge numbers of users all trying to edit Wiki pages from the same Internet addresses, and blocked the proxy address — effectively cutting off U.K. users from editing all Wiki pages for several days.

Suggested further reading:

Don’t Be Fodder for China’s ‘Great Cannon’

TorrentFreak: Pirate Bay Blockade Censors CloudFlare Customers

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

Like any form of censorship, web blockades can sometimes lead to overblocking, targeting perfectly legitimate websites by mistake.

This is also happening in the UK where Sky’s blocking technology is inadvertently blocking sites that have nothing to do with piracy.

In addition to blocking domain names, Sky also blocks IP addresses. This allows the ISP to stop HTTPS connections to The Pirate Bay and its proxies, but when those IP addresses are shared with unrelated sites, those sites are blocked too.

This is happening to various customers of the CDN service CloudFlare, which is used by many sites on the UK blocklist. Every now and then this causes legitimate sites to be blocked, such as CloudFlare customers who shared an IP-address with Pirate Bay proxy ilikerainbows.co.uk.

Although the domain is merely a redirect to ilikerainbows.co, it’s listed in Sky’s blocking system along with several CloudFlare IP-addresses. Recently, the CDN service received complaints from users about the issue and alerted the proxy owner.

“It has come to our attention that your website — ilikerainbows.co.uk — is causing CloudFlare IPs to be blocked by SkyB, an ISP located in the UK. This is impacting other CloudFlare customers,” CloudFlare wrote.

The CDN service asked the proxy site to resolve the matter with Sky, or else it would remove the site from the network after 24 hours.

“If this issue does not get resolved with SkyB though we will need to route your domain off CloudFlare’s network as it is currently impacting other CloudFlare customers due to these blocked IP addresses.”

The operator of the “Rainbows” TPB proxy was surprised by Sky’s overbroad blocking techniques, but also by CloudFlare’s response. Would CloudFlare also kick out sites that are blocked in other countries where censorship is common?

“What do they do when Russia starts blocking sites under their system? Are they going to kick users off CloudFlare because there’s a Putin meme that the Russians don’t like?” Rainbows’ operator tells TF.

Instead of waiting for the domain to be switched off by CloudFlare he reverted it back to the domain registrar’s forwarding services. The main .co domain still uses CloudFlare’s services though, as does the official Pirate Bay site.

This is not the first time that CloudFlare customers have been blocked by mistake. Earlier this year the same thing happened to sites that shared an IP-address with The Pirate Bay. At the time we contacted Sky, who informed us that they do all they can to limit collateral damage.

“We have a process in place to monitor requested site blocks to limit the chances of inadvertently blocking sites, and in addition to this if we are advised by a site owner or Sky customer that a site is being inadvertently blocked we take the necessary steps to remove any unintended blocks,” a Sky spokeswoman said.

In addition to Sky we also contacted CloudFlare about the issue multiple times this year, but the company has yet to reply to our inquiries.

It’s clear though that despite cheers from copyright holders, website blocking is not all rainbows and unicorns. Without any significant change to Sky’s blocking setup, more of these inadvertent blocks are bound to happen in the future.
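The shared-IP overblocking described in this article can be checked for before an IP-level block goes live. The following is an added example, not code from TorrentFreak, Sky or CloudFlare; every hostname, address and the observed-resolution table is constructed sample data, and the function names are hypothetical.

```python
"""Audit an IP-level blocklist for shared-hosting collateral damage."""
import ipaddress

# Constructed sample: hostnames named in a blocking order and the IPs or
# CIDR ranges a filter would drop for each. Addresses come from the
# documentation ranges (RFC 5737), not from any real blocklist.
BLOCK_ORDER = {
    "proxy.example": ["203.0.113.10", "203.0.113.11"],
    "tracker.example": ["198.51.100.0/30"],
    "mirror.example": ["192.0.2.50"],
}

# Constructed sample: hostname -> IPs currently observed for it, e.g. taken
# from the operator's own resolver logs (an assumption of this example).
OBSERVED = {
    "proxy.example": ["203.0.113.10", "203.0.113.11"],
    "shop.example": ["203.0.113.10"],                  # CDN neighbour
    "blog.example": ["203.0.113.10", "203.0.113.11"],  # CDN neighbour
    "tracker.example": ["198.51.100.1"],
    "mirror.example": ["192.0.2.99"],   # has moved off the listed address
    "clinic.example": ["192.0.2.50"],   # new tenant on the old address
}


def hosts_by_network(block_order, observed):
    """Map every blocked network to the hostnames observed inside it."""
    result = {}
    for entries in block_order.values():
        for entry in entries:
            net = ipaddress.ip_network(entry, strict=False)
            result[net] = {
                host
                for host, ips in observed.items()
                if any(ipaddress.ip_address(ip) in net for ip in ips)
            }
    return result


def audit(block_order, observed):
    """Classify each blocked network.

    dedicated: only hostnames named in the order live there
    shared:    named and unnamed hostnames share it, so an IP block
               also cuts off the bystanders
    stale:     no named hostname resolves there any more, so an IP
               block hits bystanders only
    """
    listed = set(block_order)
    report = {}
    for net, hosts in hosts_by_network(block_order, observed).items():
        targets = sorted(hosts & listed)
        bystanders = sorted(hosts - listed)
        if not targets:
            verdict = "stale"
        elif bystanders:
            verdict = "shared"
        else:
            verdict = "dedicated"
        report[str(net)] = {
            "verdict": verdict,
            "targets": targets,
            "bystanders": bystanders,
        }
    return report


def safe_ip_blocks(report):
    """Networks where an IP-level block affects no unnamed hostname."""
    return sorted(n for n, r in report.items() if r["verdict"] == "dedicated")


if __name__ == "__main__":
    for network, row in audit(BLOCK_ORDER, OBSERVED).items():
        print(network, row["verdict"], "bystanders:", row["bystanders"])
```

Entries reported as shared or stale are the ones where an IP-level rule would reproduce the collateral blocking the article describes; only the dedicated networks can be dropped by address without affecting unnamed sites.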

TorrentFreak: Court: Google Can See Emails About MPAA’s Secret ‘SOPA Revival’

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

In backroom meetings the MPAA and Mississippi State Attorney General Jim Hood discussed a plan to bring website blocking and search engine filtering back to the table after the controversial SOPA law failed to pass.

The plan, dubbed “Project Goliath,” became public through various emails that were released during the Sony Pictures leaks. In a response Google said that it was “deeply concerned” about the developments.

To counter the looming threat Google filed a complaint against Hood last December, asking the court to prevent Hood from enforcing a subpoena that addresses Google’s failure to take down or block access to illegal content, including pirate sites.

This resulted in a victory for Google with District Court Judge Henry Wingate putting the subpoena on hold. At the same time Google requested additional details from the Attorney General on his discussions with Hollywood.

During an oral hearing earlier this month Google requested various documents including an email conversation between MPAA’s Senior Vice President State Legislative Affairs Vans Stevenson and the Attorney General.

In addition, Google asked for copies of Word files titled Google can take action, Google must change its behavior, Google’s illegal conduct, CDA, and any documents gathered in response to a request previously submitted by Techdirt’s Mike Masnick.

After a careful review District Court Judge Henry Wingate sided with Google, ordering Attorney General Hood to hand over the requested information before the end of the month.

Judge Wingate’s order

The documents will help Google to get to the bottom of the censorship efforts and to determine what role the MPAA played and what its contributions were.

Various emails that leaked after the Sony hack already revealed that the MPAA’s long-standing law firm Jenner & Block had drafted a subpoena and other communication the Attorney General could use against Google.

Many of the “Project Goliath” emails and documents are readily available after Wikileaks released them late last week, but nearly all details had already been made public after the leaks first surfaced.

Interestingly, in one email the MPAA’s Vans Stevenson linked to a New York Times piece on how lobbyists court State Attorneys to advance their political agendas.

“FYI, first is a series of articles,” Stevenson wrote to several high level executives involved, not knowing that a follow-up would include “Project Goliath.”

Perhaps fittingly, New York Times’ journalist Eric Lipton won a Pulitzer prize for the series yesterday, for reporting “how the influence of lobbyists can sway congressional leaders and state attorneys general, slanting justice toward the wealthy and connected.”

TorrentFreak: Beating Internet Censors With BitTorrent’s Maelstrom Browser

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

San Francisco-based BitTorrent Inc. already has a few popular applications in its catalog, including uTorrent and Sync. However, with its new “people-powered” browser it hopes to spark another revolution.

Project Maelstrom, as it’s called, is still in the early stages of development but the company has decided to push a Beta out to the public so developers can start building tools and services around it.

In short, Maelstrom takes Google’s Chromium framework and stuffs a powerful BitTorrent engine under the hood, meaning that torrents can be played directly from the browser. More excitingly, however, Maelstrom also supports torrent-powered websites that no longer have to rely on central servers.

By simply publishing a website in a torrent format the website will be accessible if others are sharing it. This can be assisted by web-seeds but also completely peer-to-peer.

For example, earlier this week Wikileaks published a controversial archive of documents and emails that leaked after the Sony hack. If the hosting provider was forced to take the files down they would disappear but with Maelstrom-supported sites, users would be able to keep it online.

The same is true for torrent sites such as The Pirate Bay, which suffered weeks of downtime recently after the site’s servers were raided.

BitTorrent powered page

At the moment there are very few websites that support Maelstrom. There is an early WordPress plugin and others are experimenting with it as well, but wider adoption will need some time.

That said, traditional magnet links work too, so people can play video and audio from regular torrent sites directly in the browser.

BitTorrent Inc. informs TF that the main goal is to provide a new and open publishing platform. It’s now up to developers to use it to their advantage.

“We believe in providing an alternative means for publishing that is neutral and that gives ownership back to those publishers. But one of our biggest goals with this release is just to get it out and into the hands of developers and see what emerges,” Maelstrom’s project lead Rob Velasquez says.

And in that respect momentum is building. BitTorrent Inc. says that a community of more than 10,000 developers and 3,500 publishers has already been established, with tools to bring more on board now available via Github.

While Maelstrom can bypass Internet censors, it’s good to keep in mind that all shared files are visible to the public. Maelstrom is caching accessed content to keep it seeded, so using a VPN might not be a bad idea. After all, users leave a trail of their browsing history behind.

On the upside, Maelstrom can be more private for publishers as they don’t have to share any personal details with hosting companies or domain registrars.

“The BitTorrent protocol remains the same, but it does mean that you no longer have to hand over personal, private data to domain registrars or hosting companies to put up a simple website,” Velasquez notes.

The idea for a BitTorrent-powered browser is not new. The Pirate Bay started work on a related project last year with the aim of keeping the site online even if its servers were raided.

It will be interesting to see if Maelstrom can get some traction. There’s still a long way to go, but the idea of an open and censorship-free web does sound appealing.

With a Mac version still under development, Project Maelstrom (beta) can be downloaded for Windows here.

TorrentFreak: Music Industry Wants Cross Border Pirate Site Blocks

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

In recent years blockades of “pirate” websites have spread across Europe and elsewhere. In the UK, for example, more than 100 websites are currently blocked by the major ISPs.

In recent weeks alone several new countries adopted similar measures, Australia, Spain and Portugal included.

Opponents of this censorship route often argue that the measures are ineffective, and that people simply move to other sites. However, in its latest Digital Music Report music industry group IFPI disagrees, pointing at research conducted in the UK.

“Website blocking has proved effective where applied,” IFPI writes, noting that the number of UK visits to “all BitTorrent” sites dropped from 20 million in April 2012 to 11 million two years later.

The key to an effective blocking strategy is to target not just one, but all leading pirate sites.

“While blocking an individual site does not have a significant impact on overall traffic to unlicensed services, once a number of leading sites are blocked then there is a major impact,” IFPI argues.

For now, however, courts have proven to be among the biggest hurdles. It can sometimes take years before these cases reach a conclusion, and the same requests have to be made in all countries.

To streamline the process, copyright holders now want blocking injunctions to apply across borders, starting in the European Union.

“The recording industry continues to call for website blocking legislation where it does not already exist. In countries where there is already a legal basis for blocking, procedures can be slow and burdensome,” IFPI writes.

“For example, within the EU, blocking The Pirate Bay has meant taking multiple legal actions in different member states and rights holders are calling for injunctions to have cross-border effect.”

In addition to website blockades the music industry also stresses that other stakeholders should do more to help fight piracy. Search engines should prioritize legal services, for example, and advertisers and payment processors should cut their ties with pirate sites.

While IFPI’s numbers suggest that BitTorrent piracy has decreased globally, it still remains a significant problem. The group estimates that there are still four billion pirated music downloads per year on BitTorrent alone.

In other words, there’s plenty of blocking to be done before it’s no longer an issue, if that point will ever be reached.

Schneier on Security: China’s Great Cannon

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

Citizen Lab has issued a report on China’s “Great Cannon” attack tool, used in the recent DDoS attack against GitHub.

We show that, while the attack infrastructure is co-located with the Great Firewall, the attack was carried out by a separate offensive system, with different capabilities and design, that we term the “Great Cannon.” The Great Cannon is not simply an extension of the Great Firewall, but a distinct attack tool that hijacks traffic to (or presumably from) individual IP addresses, and can arbitrarily replace unencrypted content as a man-in-the-middle.

The operational deployment of the Great Cannon represents a significant escalation in state-level information control: the normalization of widespread use of an attack tool to enforce censorship by weaponizing users. Specifically, the Cannon manipulates the traffic of “bystander” systems outside China, silently programming their browsers to create a massive DDoS attack. While employed for a highly visible attack in this case, the Great Cannon clearly has the capability for use in a manner similar to the NSA’s QUANTUM system, affording China the opportunity to deliver exploits targeting any foreign computer that communicates with any China-based website not fully utilizing HTTPS.

It’s kind of hard for the US to complain about this kind of thing, since we do it too.

More stories. Hacker News thread.

Krebs on Security: Don’t Be Fodder for China’s ‘Great Cannon’

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

China has been actively diverting unencrypted Web traffic destined for its top online search service — Baidu.com — so that some visitors from outside of the country were unwittingly enlisted in a novel and unsettling series of denial-of-service attacks aimed at sidelining sites that distribute anti-censorship tools, according to research released this week.

The findings, published in a joint paper today by researchers with University of Toronto’s Citizen Lab, the International Computer Science Institute (ICSI) and the University of California, Berkeley, track a remarkable development in China’s increasingly public display of its evolving cyber warfare prowess.

“Their willingness to be so public mystifies me,” said Nicholas Weaver, a researcher at the ICSI who helped dig through the clues about the mysterious attack. “But it does appear to be a very public statement about their capabilities.”

Earlier this month, Github — an open-source code repository — and greatfire.org, which distributes software to help Chinese citizens evade censorship restrictions enacted by the so-called “Great Firewall of China,” found themselves on the receiving end of a massive and constantly-changing attack apparently designed to prevent people from being able to access the sites.

Experts have long known that China’s Great Firewall is capable of blocking Web surfers from within the country from accessing online sites that host content which is deemed prohibited by the Chinese government. But according to researchers, this latest censorship innovation targeted Web surfers from outside the country who were requesting various pages associated with Baidu, such that Internet traffic from a small percentage of surfers outside the country was quietly redirected toward Github and greatfire.org.

This attack method, which the researchers have dubbed the “Great Cannon,” works by intercepting non-Chinese traffic to Baidu Web properties, Weaver explained.

“It only intercepts traffic to a certain set of Internet addresses, and then only looks for specific script requests. About 98 percent of the time it sends the Web request straight on to Baidu, but about two percent of the time it says, ‘Okay, I’m going to drop the request going to Baidu,’ and instead it directly provides the malicious reply, replying with a bit of Javascript which causes the user’s browser to participate in a DOS attack,” Weaver said.

The researchers said they tracked the attack for several days after Github apparently figured out how to filter the malicious traffic, which relied on malicious Javascript files that were served to visitors outside of China that were browsing various Baidu properties.

Chillingly, the report concludes that Chinese censors could just as easily have served malicious code to exploit known Web browser vulnerabilities.

“With a minor tweak in the code, they could have provided exploits to targeted [Internet addresses], so that instead of intercepting all traffic to Baidu, they would serve malware attacks to those visitors,” Weaver said.

Interestingly, this type of attack is not unprecedented. According to documents leaked by National Security Agency whistleblower Edward Snowden, the NSA and British intelligence services used a system dubbed “QUANTUM” to inject content and modify Web results for individual targets that appeared to be coming from a pre-selected range of Internet addresses.

“The Chinese government can credibly say the United States has done similar things in the past,” Weaver said. “They can’t say we’ve done large scale DDoS attacks, but the Chinese government can honestly state that the U.S. has modified traffic in-flight to attack and exploit systems.”

Weaver said the attacks from the Great Cannon don’t succeed when people are browsing Chinese sites with a Web address that begins with “https://”, meaning that regular Internet users can limit their exposure to these attacks by insisting that all Internet communications are routed over “https” versus unencrypted “http://” connections in their browsers. A number of third-party browser plug-ins — such as https-everywhere — can help people accomplish this goal.

“The lesson here is encrypt all the things all the time always,” Weaver said. “If you have to worry about a nation state adversary and if they can see an unencrypted web request that they can tie to your identity, they can use that as a vehicle for attack. This has always been the case, but it’s now practice.”

But Bill Marczak, a research fellow with Citizen Lab, said relying on an always-on encryption strategy is not a foolproof counter to this attack, because plug-ins like https-everywhere will still serve regular unencrypted content when Web sites refuse to or don’t offer the same content over an encrypted connection. What’s more, many Web sites draw content from a variety of sources online, meaning that the Great Cannon attack could succeed merely by drawing on resources provided by online ad networks that serve ads on a variety of Web sites from a dizzying array of sources.

“Some of the scripts being injected in this attack are from online ad networks,” Marczak said. “But certainly this kind of attack suggests a far more aggressive use of https where available.”

For a deep dive into the research referenced in this story, check out this link.

Errata Security: Pin-pointing China’s attack against GitHub

This post was syndicated from: Errata Security and was written by: Robert Graham. Original post: at Errata Security

For the past week, the website “GitHub” has been under attack by China. In this post, I pin-point where the attack is coming from by doing an http-traceroute.

GitHub is a key infrastructure website for the Internet, being the largest host of open-source projects, most famously Linux. (I host my code there). It’s also a popular blogging platform.

Among the zillions of projects are https://github.com/greatfire and https://github.com/cn-nytimes. These are mirrors (copies) of the websites http://greatfire.org and http://cn.nytimes.com. GreatFire provides tools for circumventing China’s Internet censorship, the NYTimes contains news stories China wants censored.

China blocks the offending websites, but it cannot easily block the GitHub mirrors. Its choices are either to block or allow everything on GitHub. Since GitHub is key infrastructure for open-source, blocking GitHub is not really a viable option.

Therefore, China chose another option, to flood those specific GitHub URLs with traffic in order to pressure GitHub into removing those pages. This is a stupid policy decision, of course, since Americans are quite touchy on the subject and are unlikely to comply with such pressure. It’s likely GitHub itself can resolve the issue, as there are a zillion ways to respond. If not, other companies (like CloudFlare) would leap to their defense.

The big question is attribution. Is this attack authorized by the Chinese government? Or is it the work of rogue hackers?

The company Netresec in Sweden partially answered this problem by figuring out most of the details of the hack. The way the attack worked is that some man-in-the-middle device intercepted web requests coming into China from elsewhere in the world, and then replaced the content with JavaScript code that would attack GitHub. Specifically, they intercepted requests to Baidu’s analytics. The search-engine Baidu is the Google of China, and it runs analytics software like Google in order to track advertising. Everyone outside China visiting internal pages would then run this JavaScript to attack GitHub. Since the attack appears to be coming “from everywhere”, it’s impractical for GitHub to block the attack.

Netresec could clearly identify that a man-in-the-middle was happening by looking at the TTL fields in the packets. TTL, or time-to-live, is a field in all Internet packets that tracks the age of the packet. Each time a router forwards a packet, one is subtracted from the field. When it reaches zero, the packet is discarded. This prevents routing loops from endlessly forwarding packets around in circles.

Many systems send packets with a starting TTL of 64. Thus, when a packet arrives with a value of 46, you know that there are 18 hops between you and the sender (64 - 18 = 46).

What Netresec found was a situation shown in the following picture. This picture shows a sequence of packets to and from the server. My packets sent to the Baidu server have a TTL of 64, the starting value I send with. The first response from the server has a value of 46 — because while they transmitted the packet with a value of 64, it was reduced by 18 by the time it arrived at my computer. After I send the web request, I get weird TTLs in response, with values of 98 and 99. These obviously did not come from the original server, but some intermediate man-in-the-middle device.
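The TTL check described above can be automated on the defender's side. The following is an added example, not code from the original post or from Netresec: it parses raw IPv4/TCP packets, takes the first TTL seen from each sender in a flow as the baseline, and flags later packets that deviate from it. The addresses, ports, tolerance and the initial-TTL heuristic are assumptions, and the packets are constructed sample data.

```python
import socket
import struct

# Initial TTLs commonly used by operating systems (the post's example uses 64).
# Treating the smallest one >= the observed TTL as the start is a heuristic.
COMMON_INITIAL_TTLS = (64, 128, 255)
SYN, ACK, PSH = 0x02, 0x10, 0x08


def build_packet(src, dst, sport, dport, ttl, flags, payload=b""):
    """Build a minimal IPv4+TCP packet (checksums left at 0) as sample input."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, ttl, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, flags, 65535, 0, 0)
    return ip + tcp + payload


def parse_packet(raw):
    """Return (src, sport, dst, dport, ttl, flags), or None if not IPv4/TCP."""
    if len(raw) < 40 or raw[0] >> 4 != 4 or raw[9] != 6:
        return None
    ihl = (raw[0] & 0x0F) * 4          # IPv4 header length in bytes
    if len(raw) < ihl + 20:
        return None
    sport, dport = struct.unpack("!HH", raw[ihl:ihl + 4])
    return (socket.inet_ntoa(raw[12:16]), sport,
            socket.inet_ntoa(raw[16:20]), dport, raw[8], raw[ihl + 13])


def estimate_hops(observed_ttl):
    """Guess (initial_ttl, hops) from the smallest common initial TTL >= observed."""
    initial = next(t for t in COMMON_INITIAL_TTLS if t >= observed_ttl)
    return initial, initial - observed_ttl


def find_ttl_anomalies(packets, tolerance=2):
    """Flag packets whose TTL differs from the sender's first TTL in that flow.

    A small tolerance absorbs ordinary route changes; a jump such as 46 -> 98
    means the packet was not emitted by the same host on the same path.
    """
    baseline = {}
    anomalies = []
    for index, raw in enumerate(packets):
        parsed = parse_packet(raw)
        if parsed is None:
            continue
        src, sport, dst, dport, ttl, _flags = parsed
        key = (src, sport, dst, dport)
        if key not in baseline:
            baseline[key] = ttl           # handshake packet sets the baseline
        elif abs(ttl - baseline[key]) > tolerance:
            anomalies.append((index, src, ttl, baseline[key]))
    return anomalies


def sample_capture():
    """Constructed capture mirroring the TTL sequence described in the post."""
    client, server = "192.0.2.10", "198.51.100.7"   # documentation addresses
    return [
        build_packet(client, server, 40000, 80, 64, SYN),
        build_packet(server, client, 80, 40000, 46, SYN | ACK),
        build_packet(client, server, 40000, 80, 64, ACK),
        build_packet(client, server, 40000, 80, 64, PSH | ACK, b"GET / HTTP/1.1\r\n\r\n"),
        build_packet(server, client, 80, 40000, 98, PSH | ACK, b"injected"),
        build_packet(server, client, 80, 40000, 99, ACK),
        build_packet(server, client, 80, 40000, 46, ACK),
    ]


if __name__ == "__main__":
    for index, src, ttl, base in find_ttl_anomalies(sample_capture()):
        print(f"packet {index} from {src}: TTL {ttl}, baseline {base}, "
              f"estimated (initial, hops) = {estimate_hops(ttl)}")
```
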

I know this man-in-the-middle is somewhere between me and Baidu, but where? To answer that, we use the concept of traceroute.

Traceroute is a real cool trick. Instead of sending packets with a TTL of 64, the tool sends them with a TTL of 1, then 2, then 3, and so on. Because the TTL is so low, they won’t reach their destination. Instead, the TTL will eventually reach 0, and routers along the way will drop them. When routers do this, they send back a notification packet called a Time-Exceeded message — using the router’s Internet address. Thus, I can collect all these packets and map the routers between me and a target.

The tool that does this is shown below, where I traceroute to the Baidu server from my machine:

The second column is time. As you can see, it takes almost 80-milliseconds for my packets to reach Los Angeles, and then the delay jumps to 230-milliseconds to reach China. Also note that I can’t quite reach the server, as there is a firewall after hop 16 that is blocking traceroute from working.

So where along this route is the man-in-the-middle interception happening? To answer this question, I had to write some code. I wrote my own little traceroute tool. Instead of sending a single packet, it first established a connection with normal TTLs, so that it would reach all the way to the target server. Then, when it sent the web request packet, it used a smaller TTL, so it would get dropped before reaching the server — but hopefully after the man-in-the-middle saw it. By doing these with varying TTLs, I should be able to discover at which hop the evil device is lurking.

I found that the device lurks between 11 and 12 hops. The web request packets sent with a TTL of 11 are not seen, while packets with TTL of 12 are, generating a response, as shown below:

The black line above shows the packet I sent, with a TTL of 12. The orange line (and the two packets above it) show the packets received from the man-in-the-middle device. When I send packets with a TTL of 11, I never get a response from that evil device.

By looking at the IP addresses in the traceroute, we can conclusively prove that the man-in-the-middle device is located on the backbone of China Unicom, a major service provider in China.

The next step is to traceroute in the other direction, from China to a blocked address, such as the http://www.nytimes.com address at 170.149.168.130. Using the website http://www.linkwan.net/tr.htm, I get the following:

This shows that the Great Firewall runs inside the China Unicom infrastructure.

Conclusion

Using my custom http-traceroute, I’ve proven that the man-in-the-middle machine attacking GitHub is located on or near the Great Firewall of China. While many explanations are possible, such as hackers breaking into these machines, the overwhelmingly most likely suspect for the source of the GitHub attacks is the Chinese government.

This is important evidence for our government. It’ll be interesting to see how they respond to these attacks — attacks by a nation state against key United States Internet infrastructure.

TorrentFreak: Pirate Bay To Open Its Own .PIRATE Domain Name Registry

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

The Pirate Bay’s parent company Reservella Ltd. has started the registration process for a new gTLD with a .PIRATE extension.

Responding to increased pressure from the MPAA and RIAA on the domain name industry, the torrent site hopes to break away from the rules and regulations which forced it to move to several new domains in recent years.

“We can no longer trust third party services and registries, who are under immense pressure from the copyright lobby. So we decided to apply for our very own gTLD and be a true Pirate registry,” TPB’s Winston informs TF.

The new registration is currently being processed by the Internet Corporation for Assigned Names and Numbers (ICANN), the main oversight body for the Internet’s global domain name system which accepts new gTLD proposals.

.PIRATE application

If the new TLD is finalized the Pirate Bay team plans to open registrations to the public. While it has to agree to some oversight formalities and ICANN agreements, the .PIRATE domains are expected to be less prone to censorship.

“The ultimate goal is to create a true PIRATE hydra. This means that we will allow other sites to register .PIRATE domain names too. Staying true to our pirate roots the domains can be registered anonymously without charge,” Winston tells us.

The Pirate Bay crew has prepared the application in secret, setting the wheels in motion nearly a year ago. Ideally, the process would have been finished by late January but a police raid and persistent hosting problems caused some delay.

“Things are looking good so far, but we’re not there yet. Fingers crossed. Let’s hope nothing foolish happens,” Winston concludes.

For the time being, however, The Pirate Bay will continue operating from the Swedish based .SE domain name. A transition to the .PIRATE domain is expected to take place this summer, at the earliest.

The MPAA and RIAA couldn’t be reached for a comment on today’s news, but it’s expected that they will do everything within their power to block Pirate Bay’s deviant plans.

The Hacker Factor Blog: Chinese Sayings

This post was syndicated from: The Hacker Factor Blog and was written by: The Hacker Factor Blog. Original post: at The Hacker Factor Blog

I recently blogged about Google ending support for Google Code. I had pointed out that the recommended solution was to move from Google Code to Github and that we should hope Github doesn’t go away anytime soon. I swear that was just a snide comment and not displaying any insider knowledge of what happened next…

About a week later, GitHub announced that they were under a very large scale denial-of-service attack. According to GitHub’s blog:

The attack began around 2AM UTC on Thursday, March 26, and involves a wide combination of attack vectors. These include every vector we’ve seen in previous attacks as well as some sophisticated new techniques that use the web browsers of unsuspecting, uninvolved people to flood github.com with high levels of traffic. Based on reports we’ve received, we believe the intent of this attack is to convince us to remove a specific class of content.

The folks at TechCrunch elaborated on the targeted attack:

Specifically, security experts report that the attackers were redirecting search traffic from overseas users of the Chinese search engine Baidu, and were targeting two pages in particular. One page was run by Greatfire.org, a site that reports on the government censorship in China, and the other linked to a copy of the New York Times’ Chinese language website.

To put things into perspective, the denial of service attack last year against my own site lasted 24 hours and prevented the public from accessing the server. This attack against GitHub appears to have recently ended — after 118 hours! And the attack only caused short outages. (I am very impressed at Github’s ability to withstand a massive network attack like this.)

Chinese Proverb: A cornered dog will jump over the wall.

In a press conference yesterday, Chinese officials were asked about the network attack. (Note: This quote comes from a web page posted in English on a Chinese government web site.)

Q: First, officials from Puntland, Somalia said that more and more ships from Iran, the ROK and China are involved in illegal fishing off the Somali waters. UN officials said that the rise of illegal fishing may lead to rampant piracy. Has China asked its fishermen to stop illegal fishing? Second, a report says that a US website was under hacker attack, and the source of the attack was from China. How do you respond?

A: On your first question, the Chinese government is opposed to illegal fishing, and we have been asking Chinese citizens to fish in accordance with the law. We also hope countries concerned can take tangible steps to safeguard the security and rights and interests of the Chinese fishermen.

On your second question, it is quite odd that every time a website in the US or any other country is under attack, there will be speculation that Chinese hackers are behind it. I’d like to remind you that China is one of the major victims of cyber attacks. We have been underlining that China hopes to work with the international community to speed up the making of international rules and jointly keep the cyber space peaceful, secure, open and cooperative. It is hoped that all parties can work in concert to address hacker attacks in a positive and constructive manner.

As ZDNet noted, China’s Foreign Ministry spokesperson Hua Chunying did not deny the attack. Moreover, Hua tried to spin it as if China was the victim.

Chinese Proverb: An offender sues the victim first.

I watch the logs on my web server very closely. I regularly see network attacks against the server. Most attacks are from automated bots looking for known vulnerabilities. However, occasionally there are manual attacks or novel 0-day attacks. (None have been successful, but I still keep an eye on the server.)

Geolocating a network address back to a source is relatively straightforward. You start with the network address of the client and you reference some public data that maps addresses to locations. Identifying the country is relatively easy. Identifying the city or something more specific may be less accurate. Typically, if a network address traces to “Denver, Colorado”, what it really means is “in or near Denver, Colorado” — it may be Aurora, Littleton, Boulder, or even Colorado Springs, but it’s probably not Pueblo, Ted’s Place, or anywhere outside Colorado.

Of course, hostile attackers could use proxies. But those kinds of attacks typically do not use network addresses from the same subnets.

At FotoForensics, a solid 60% of all network attacks come from addresses that geolocate to China. The next largest countries (20% and 10% respectively) are the United States and Russia. With the USA, attacks typically come from everywhere — there is no particular subnet or hosting location. These attacks likely represent infected computers and botnets. In contrast, Russia is usually isolated to specific network addresses. But China? I see entire subnets attacking my site. When one address gets banned, another address in the same subnet continues where the last one left off.

Recently I noticed that the attacks from China follow one of two patterns.

Attack Pattern #1: “Scan bot”
A bot first attacks my secure-shell (ssh) server. It tries a couple of brute-force login attempts as “root” and then gets banned. Immediately after the ban (within 2 seconds), there is a web bot from a different network address in China that accesses “/” or “/favicon.ico”. I know this is a bot because a real user’s client would download my logo image, style sheet, and other dependency files.

I’m not sure what the Chinese web bot is looking for, but I suspect that it is something in the HTTP header. If they see it, then they will likely attack. And since I’m not seeing the web attack, I must not be returning whatever it is they are looking for.

Attack Pattern #2: “The Follow-up”
My site gets visitors from all over the world. But in any given hour, I may only receive a small sample of countries using my online service. I may go hours without a legitimate user accessing FotoForensics from China. But when they do, there seems to be a consistent pattern.

First, the user accesses my site. This is harmless and they use the site as intended. Then, between 5 and 15 minutes later, a bot from a different subnet in China will attempt to attack my ssh server.

For example…
A user at 111.186.106.xx (Kunming, CN) used my site at 29/Mar/2015:08:51:44 -0600.
This was followed by an attack against my ssh server from 221.229.166.28 (Shancheng, CN).

On 29/Mar/2015:06:34:45, a user at 180.76.6.xx (Beijing, CN) visited my site. This was followed by ssh attacks from 58.218.204.241 (Shancheng, CN).

The attacks in my logs look like:

root ssh:notty 221.229.166.254 Tue Mar 31 06:38 – 06:38 (00:00)
root ssh:notty 221.229.166.254 Tue Mar 31 06:38 – 06:38 (00:00)
root ssh:notty 221.229.166.254 Tue Mar 31 06:38 – 06:38 (00:00)
root ssh:notty 221.229.166.254 Tue Mar 31 06:38 – 06:38 (00:00)
root ssh:notty 221.229.166.254 Tue Mar 31 06:38 – 06:38 (00:00)
root ssh:notty 221.229.166.254 Tue Mar 31 06:38 – 06:38 (00:00)
root ssh:notty 221.229.166.254 Tue Mar 31 06:38 – 06:38 (00:00)
root ssh:notty 221.229.166.30 Tue Mar 31 06:02 – 06:02 (00:00)
root ssh:notty 221.229.166.30 Tue Mar 31 06:02 – 06:02 (00:00)
root ssh:notty 221.229.166.30 Tue Mar 31 06:02 – 06:02 (00:00)

I checked these attack addresses against various DNS blacklists that track network attacks. Every single one of these addresses is a known attacker. For example, CBL.AbuseAt.org lists 221.229.166.28, 221.229.166.30 and 221.229.166.254 as known hostile addresses that perform network attacks. The site Blocklist.de also lists them as known attackers. And websworld.org shows similar ssh attacks coming from these addresses as well as a ton of other Chinese network addresses. (Currently Websworld lists 62 addresses that have attacked their ssh servers — 58 of them are from China.)

It has reached the point where I have blacklisted entire subnets from China that have only been used to attack my server. For example, I have banned 211.229.166.0/24 since many of the addresses in that range have attacked my server and none have been used for legitimate uses.

I find this second attack pattern to be very disturbing and very consistent. First a user in China accesses my site, and then an attack comes in 5-15 minutes later. It is disturbing because it appears that the Chinese government actively tracks every web site their citizens access, and then they queue up the site for a follow-up attack.

If this were just a botnet, then it would not be predictable. However, it is very predictable. If nobody from China visits my site in an hour, then there are none of these ssh attacks from China. As soon as someone from China visits my site, I can expect and receive an attack within 15 minutes.
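One way to test the visit-then-attack pattern against your own logs, as an added example that is not the author's code: it pairs each failed-ssh burst from `lastb`-style output with a web visit 5 to 15 minutes earlier from the same country but a different /24. The log lines, the documentation-range addresses, the `GEO` table standing in for a GeoIP lookup, the year and the UTC-0600 server clock are all constructed assumptions.

```python
import re
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network
TZ = timezone(timedelta(hours=-6))  # assumption: server clock is UTC-0600
YEAR = 2015                         # assumption: lastb output carries no year
# Constructed stand-in for a GeoIP lookup, using documentation address ranges.
GEO = {ip_network("203.0.113.0/24"): "CN", ip_network("198.51.100.0/24"): "CN",
       ip_network("192.0.2.0/24"): "US"}
# Constructed sample logs in the access-log and lastb formats quoted in the post.
ACCESS_LOG = """\
192.0.2.10 - - [31/Mar/2015:05:10:00 -0600] "GET / HTTP/1.1" 200 5120
203.0.113.44 - - [31/Mar/2015:05:52:10 -0600] "GET / HTTP/1.1" 200 5120
203.0.113.77 - - [31/Mar/2015:06:29:30 -0600] "GET /upload HTTP/1.1" 200 812
"""
LASTB = """\
root ssh:notty 198.51.100.254 Tue Mar 31 06:38 - 06:38 (00:00)
root ssh:notty 198.51.100.254 Tue Mar 31 06:38 - 06:38 (00:00)
root ssh:notty 198.51.100.30 Tue Mar 31 06:02 - 06:02 (00:00)
root ssh:notty 198.51.100.9 Tue Mar 31 03:15 - 03:15 (00:00)
"""

def country(ip):
    return next((cc for net, cc in GEO.items() if ip_address(ip) in net), None)

def parse_access(text):
    pat = re.compile(r"^(\S+) \S+ \S+ \[([^\]]+)\]", re.M)
    return [(ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"))
            for ip, ts in pat.findall(text)]

def parse_lastb(text):
    pat = re.compile(r"^\S+\s+ssh:notty\s+(\S+)\s+\w{3} (\w{3})\s+(\d+) (\d\d:\d\d)", re.M)
    bursts = set()  # repeated failures in the same minute collapse to one burst
    for ip, mon, day, hm in pat.findall(text):
        ts = datetime.strptime(f"{YEAR} {mon} {day} {hm}", "%Y %b %d %H:%M")
        bursts.add((ip, ts.replace(tzinfo=TZ)))  # lastb has minute resolution only
    return sorted(bursts, key=lambda b: b[1])

def correlate(visits, bursts, lo=5, hi=15):
    """Pair each burst with a visit lo-hi minutes earlier: same country, other /24."""
    pairs = []
    for a_ip, a_ts in bursts:
        net, cc = ip_network(f"{a_ip}/24", strict=False), country(a_ip)
        hits = [v_ip for v_ip, v_ts in visits
                if lo <= (a_ts - v_ts) / timedelta(minutes=1) <= hi
                and cc and country(v_ip) == cc and ip_address(v_ip) not in net]
        pairs.append((a_ip, a_ts.strftime("%H:%M"), hits[-1] if hits else None))
    return pairs

print(correlate(parse_access(ACCESS_LOG), parse_lastb(LASTB)))
```

A burst that comes back with `None` had no preceding visit in the window; a steady share of those in real logs would point to ordinary background scanning rather than the visit-triggered pattern.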

The second question becomes: is this the Chinese government or someone else? To answer that, we just need to look at the users who visit my site. In order to queue up these attacks, “someone” must be able to watch all traffic out of China. As far as I can tell, only the Chinese government is configured to watch all packets that leave their country. An individual user can monitor their local subnet, but not the entire country. A compromised router can monitor a region, but not the entire country. So either all of China has been compromised and is being used to attack everyone, or the Chinese government is actively monitoring all traffic and queuing up sites to attack. (The third option is that this is a very long-term and consistent coincidence. But a 100% predictability rate over weeks does not seem coincidental to me.)

Chinese Proverb: A thief cries “Stop thief!”

The Chinese government is well-known for performing cyber attacks. Some of the attacks are espionage, while others attempt to identify dissidents. I can only assume that these latest attacks are China’s new method to automate compromises, identify critics, and silence online voices.

The Chinese official said, “it is quite odd that every time a website in the US or any other country is under attack, there will be speculation that Chinese hackers are behind it”. Whether it is a long-term denial of service that tries to silence voices or widespread network attacks, there is no question whether these attacks trace to China or whether the Chinese government permits these attacks. In my case, these attacks are not speculation; they form a consistent, repeatable, and predictable pattern. I also have no doubt that if the GitHub security staff say the attacks trace to China, then they came from China. Since the Chinese government attempts to filter all content in and out of their country, it is reasonable to believe that they could mitigate or stop these attacks if they wanted them stopped.

The only thing odd is the Chinese official saying that she finds it “odd” that these attacks keep being blamed on China. Perhaps the Foreign Ministry spokesperson should adopt a British idiom: “if the cap fits, wear it.”