Posts tagged ‘Censorship’

TorrentFreak: Error 451: There’s Now an HTTP Code for Internet Censorship

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

Domain name blocking has become one of the entertainment industries’ go-to methods for reducing online copyright infringement.

Blocking requests from both the music and movie sectors are widespread around Europe, with The Pirate Bay being one of the main targets.

At the moment all ISPs use different notifications to show that a website is blocked. In the UK for example, Virgin, BT and Sky all have a custom message, some being more descriptive than others.

This issue prompted Tim Bray to suggest a special HTTP status code for legal blockades. He noticed that some ISPs were using the “403 Forbidden” code for a Pirate Bay block, which is not what it was intended for.

After a long review process the Internet Engineering Task Force (IETF) has now approved this new HTTP status code.

There is no obligation for ISPs or other parties to use the new status. The 451 Unavailable project suggests that ideally it should be used to provide the public with additional details including a copy of the court order.

“A really good Error 451 message would tell their customers how to challenge a block, how long the block’s expected to last, where the relevant legal documents are and which legal authority imposed the blocking order,” they write.

The 451 Unavailable group says it will encourage ISPs to show 451 errors for legal blockades and it eventually hopes to reduce the scope of widespread blocking.

Interestingly, the most recent 451 draft already gives people some suggestions on how to bypass court ordered blockades on their own, mentioning VPNs and Tor as possible workarounds.

“Note that in many cases clients can still access the denied resource by using technical countermeasures such as a VPN or the Tor network.”
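To make the distinction the post draws concrete (a bare 403 tells the user nothing, while a 451 can carry the legal context), here is an added example, not part of the original TorrentFreak post, that classifies raw HTTP responses and pulls out the blocking-authority URI from a `Link` header with `rel="blocked-by"` (the mechanism RFC 7725 specifies for 451). The sample responses, hostnames and order references are constructed placeholders.

```python
"""Classify a raw HTTP response as a legal block (451), a generic
refusal (403) or something else, and pull out what a good 451 answer
carries: the blocking authority's URI from a Link header with
rel="blocked-by" (RFC 7725) and the explanatory body.

The sample responses below are constructed for this example; the
hostnames and order references in them are placeholders."""
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class BlockReport:
    status: int
    kind: str                  # "legal-block", "forbidden" or "other"
    blocked_by: Optional[str]  # URI of the blocking authority, if advertised
    body: str                  # explanatory text (order reference, appeal route)


# Matches one Link-header entry of the form <uri>; rel="blocked-by"
_BLOCKED_BY_RE = re.compile(r'<([^>]+)>\s*;\s*rel="?blocked-by"?', re.IGNORECASE)


def parse_response(raw: str) -> Tuple[int, Dict[str, str], str]:
    """Split a raw HTTP/1.1 response into (status, lower-cased headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def classify(raw: str) -> BlockReport:
    """Decide whether a response is an explicit legal block, an ambiguous
    403 (which the post notes some ISPs used for Pirate Bay blocks), or a
    normal answer."""
    status, headers, body = parse_response(raw)
    blocked_by = None
    match = _BLOCKED_BY_RE.search(headers.get("link", ""))
    if match:
        blocked_by = match.group(1)
    if status == 451:
        kind = "legal-block"
    elif status == 403:
        kind = "forbidden"  # could be a block or the origin's own access control
    else:
        kind = "other"
    return BlockReport(status, kind, blocked_by, body.strip())


# Constructed sample: the kind of 451 the 451 Unavailable project asks for.
SAMPLE_451 = (
    "HTTP/1.1 451 Unavailable For Legal Reasons\r\n"
    "Link: <https://isp.example/legal/order-123>; rel=\"blocked-by\"\r\n"
    "Content-Type: text/plain\r\n"
    "\r\n"
    "Blocked under court order 123 (placeholder); the linked order states its duration.\r\n"
    "To challenge this block contact legal@isp.example (placeholder).\r\n"
)

# Constructed sample: a bare 403 gives the user nothing to act on.
SAMPLE_403 = (
    "HTTP/1.1 403 Forbidden\r\n"
    "Content-Type: text/plain\r\n"
    "\r\n"
    "Forbidden\r\n"
)

# Constructed sample: an ordinary successful answer.
SAMPLE_200 = "HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\nhello\r\n"


if __name__ == "__main__":
    for sample in (SAMPLE_451, SAMPLE_403, SAMPLE_200):
        print(classify(sample))
```

Run over responses captured from several ISPs, the `kind` and `blocked_by` fields make it easy to see which providers publish the legal basis for a block and which still hide it behind a generic 403.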

While some HTTP error numbers were arbitrarily chosen, 451 refers to Ray Bradbury’s dystopian novel Fahrenheit 451, which is about censorship and suppression of information.

In general, more openness about court ordered blockades is welcome, especially because the process is too often shrouded in secrecy. That said, the day that the web gets a special HTTP status code for censorship is hardly something to celebrate.

Source: TorrentFreak, for the latest info on copyright, file-sharing, torrent sites and ANONYMOUS VPN services.

Errata Security: No, you can’t shut down parts of the Internet

This post was syndicated from: Errata Security and was written by: Robert Graham. Original post: at Errata Security

In tonight’s Republican debate, Donald Trump claimed we should shut down parts of the Internet in order to disable ISIS. This would not work. I thought I’d create some quick notes on why.

This post claims it would be easy: just forge a BGP announcement. Doing so would then redirect all Syrian traffic to the United States instead of Syria. This is too simplistic a view.

Technically, the BGP attack described in the above post wouldn’t even work. BGP announcements in the United States would only disrupt traffic to/from the United States. Traffic between Turkey and ISIS would remain unaffected. The Internet is based on trust — abusing trust this way could only work temporarily, before everyone else would stop trusting the United States. Legally, this couldn’t work, as the United States lacks sufficient legal authority to cause such an action. Congress would have to pass a law, which it wouldn’t do.

But “routing” is just a logical layer built on top of telecommunications links. Syria and Iraq own their respective IP address space. ISIS doesn’t have any “ASN” of their own. (If you think otherwise, then simply tell us the ASN that ISIS uses). Instead, ISIS has to pay for telecommunications links to route traffic through other countries. This causes ISIS to share the IP address space of those countries. Since we are talking about client access to the Internet, these are probably going through NATs of some kind. Indeed, that’s how a lot of cellphone access works in third world countries — the IP address of your phone frequently does not match that of your country, but of the country of the company providing the cellphone service (which is often outsourced).

Any attempt to shut those down is going to have a huge collateral impact on other Internet users. You could take a scorched earth approach and disrupt everyone’s traffic, but that’s just going to increasingly isolate the United States while having little impact on ISIS. Satellite and other private radio links can be set up as fast as you bomb them.

In any event, a scorched earth approach to messing with IP routing is still harder than just cutting off the land-line links they already have. In other words, attacking ISIS at Layer 3 (routing) is foolish when attacking at Layer 1 (physical links) is so much easier.

You could probably bomb fiber optic cables and satellite links as quickly as they got reestablished. But then, you could disable ISIS by doing the same thing with roads, bridges, oil wells, electrical power, and so on. Disabling critical infrastructure is considered a war crime, because it disproportionately affects the populace rather than the enemy. The same likely applies to Internet connections — you’d do little but annoy ISIS while harming the population.

Indeed, cutting off the population from the Internet is what dictators do. It’s what ISIS wants to do, but doesn’t, because it would turn the populace against them. Our strategy shouldn’t be to help ISIS.

Note that I’ve been focused on clients, because the servers ISIS uses to interact with the rest of the world are located outside of ISIS controlled areas. That’s because Internet access is so slow and expensive that they use it only for client browsing, not for services. Trump tried to back off his crazy proposal by insisting it was only in ISIS controlled areas, but that’s not how the Internet works. ISIS equipment is world wide — the only way to shut them down is a huge First Amendment violating censorship campaign.

Here’s the deal. The Internet routes around censorship. Of the many options we have, censoring the Internet in ISIS controlled territories is neither something we can do nor something we would want to do. Simply null routing AS numbers in BGP and bombing satellite uplinks would certainly not do it. Cutting the physical links is certainly possible, but even ISIS’s neighbors, all of whom oppose ISIS, have not taken that step.


Update: In response to Weev’s comment below, I thought I’d make a few points. The Pakistan goof did not disable all of YouTube, just areas with a shorter route to Pakistan than the United States, such as Europe. Also, while it’s possible to create disruption, it’s impossible to do so for a long period of time, as the Pakistan incident showed when after a bit everyone just ignored Pakistan. It hurt Pakistan more than YouTube. Lastly, ISIS has no ASN to null route. If you disagree with me, then name the ASN. Instead, the ASNs in ISIS controlled areas are those from Syria, neighbors like Turkey and Iran, and possibly other countries like China. Trying to block them all would cause huge collateral damage.

Update: If you think you can wage war by spoofing BGP, then it means ISIS-friendly ISPs can retaliate by spoofing back. It’s not a precedent you want to establish.

TorrentFreak: Austrian Pirate Bay Blockade Censors Slovak Internet

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

Copyright holders are increasingly demanding that ISPs should block access to pirate sites in order to protect their business.

As the bastion of online piracy The Pirate Bay has become one of the main targets. The site has been blocked in over a dozen countries already, mostly in Europe.

Austria is one of the latest countries to take similar action. After a lengthy legal battle the Commercial Court of Vienna ordered local ISPs to stop subscribers accessing the infamous torrent site.

This week, however, news broke that the court’s decision has had an effect well beyond Austria’s borders. Over the past several days subscribers of the Slovak Internet provider UPC were unable to access the torrent site as well.

Initially it was unclear why the site had been rendered inaccessible as there are no blocking orders against the site locally. However, it soon became apparent that the problems were an unintended consequence of the Austrian censorship efforts.

As it turns out, the Slovak branch of UPC uses a DNS server that’s based in Austria. The IP-address in question, 195.34.133.21, resolves to viedns09.chello.at and points to a datacenter in Vienna.

According to UPC spokesman Jaroslav Kolar the block is not deliberate. He confirmed that it’s the result of the Austrian blockade and the ISP promised to resolve the matter as soon as possible.

“Access to The Pirate Bay through several DNS servers is blocked in the datacenter in Vienna on the basis of a court decision. Since UPC’s DNS server is hosted in the data center, access to some sites may be limited for our users,” Kolar said.

In addition to The Pirate Bay, Austrian ISPs also block access to other “structurally infringing” sites including Isohunt.to and 1337x.to, which broadens the problems.

According to local reports the blockade was lifted for many users yesterday. Those still experiencing issues can bypass UPC’s DNS by switching to a third-party provider such as Google DNS or OpenDNS.

Fixed or not, the news shows the risks and unintended consequences of DNS blocking. The Internet is by definition a global network, so DNS filtering and other forms of censorship can easily carry over to places and sites that shouldn’t be blocked.
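The Slovak outage is a textbook case of resolver-level blocking leaking across a border: the name was not blocked in Slovakia, but the resolver answering Slovak subscribers sat in Vienna. One way to spot that kind of leak is to ask several resolvers for the same name and flag the ones that disagree with the majority. The script below is an added example, not part of the TorrentFreak post; its answer sets are constructed, and in practice they would be gathered by querying each resolver directly (for instance `dig @195.34.133.21 <name> A` against the Vienna resolver named above).

```python
"""Spot resolver-level blocking by comparing the answers several DNS
resolvers give for one name. A resolver that returns nothing, or a
different address, while the others agree is either refusing the name
or sinkholing it to a landing page.

The answer sets below are constructed for this example; in practice they
come from querying each resolver directly."""
from collections import Counter
from typing import Dict, FrozenSet, Optional

# One entry per resolver: the set of A records it returned, or None when
# it answered NXDOMAIN/SERVFAIL or timed out.
Answers = Dict[str, Optional[FrozenSet[str]]]


def majority_answer(answers: Answers) -> Optional[FrozenSet[str]]:
    """The answer most resolvers agree on (None if most gave no answer)."""
    counts = Counter(answers.values())
    return counts.most_common(1)[0][0]


def divergent_resolvers(answers: Answers) -> Dict[str, str]:
    """Return {resolver: reason} for every resolver that disagrees with the
    majority. Requires at least three resolvers so a majority means something."""
    if len(answers) < 3:
        raise ValueError("need at least three resolvers to form a majority")
    expected = majority_answer(answers)
    findings: Dict[str, str] = {}
    for resolver, answer in answers.items():
        if answer == expected:
            continue
        if answer is None:
            findings[resolver] = "no answer (NXDOMAIN/SERVFAIL/timeout)"
        else:
            findings[resolver] = "different addresses: " + ", ".join(sorted(answer))
    return findings


# Constructed sample answers for one site name. The addresses are from the
# RFC 5737 documentation ranges, not real hosts; only the first resolver's
# IP and hostname come from the post.
SAMPLE_ANSWERS: Answers = {
    "195.34.133.21 (viedns09.chello.at, Vienna)": None,            # blocked by court order
    "isp-b-resolver (constructed)": frozenset({"198.51.100.5"}),   # sinkhole / landing page
    "public-resolver-1 (constructed)": frozenset({"203.0.113.10"}),
    "public-resolver-2 (constructed)": frozenset({"203.0.113.10"}),
}


if __name__ == "__main__":
    for resolver, reason in divergent_resolvers(SAMPLE_ANSWERS).items():
        print(f"{resolver}: {reason}")
```

The majority vote is deliberately simple: it assumes most of the resolvers you ask are not subject to the same order, which is why mixing the ISP resolver with independent ones (the post mentions Google DNS and OpenDNS) matters more than the number of resolvers.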


Matthew Garrett: What is hacker culture?

This post was syndicated from: Matthew Garrett and was written by: Matthew Garrett. Original post: at Matthew Garrett

Eric Raymond, author of The Cathedral and the Bazaar (an important work describing the effectiveness of open collaboration and development), recently wrote a piece calling for “Social Justice Warriors” to be ejected from the hacker community. The primary thrust of his argument is that by calling for a removal of the “cult of meritocracy”, these SJWs are attacking the central aspect of hacker culture – that the quality of code is all that matters.

This argument is simply wrong.

Eric’s been involved in software development for a long time. In that time he’s seen a number of significant changes. We’ve gone from computers being the playthings of the privileged few to being nearly ubiquitous. We’ve moved from the internet being something you found in universities to something you carry around in your pocket. You can now own a computer whose CPU executes only free software from the moment you press the power button. And, as Eric wrote almost 20 years ago, we’ve identified that the “Bazaar” model of open collaborative development works better than the “Cathedral” model of closed centralised development.

These are huge shifts in how computers are used, how available they are, how important they are in people’s lives, and, as a consequence, how we develop software. It’s not a surprise that the rise of Linux and the victory of the bazaar model coincided with internet access becoming more widely available. As the potential pool of developers grew larger, development methods had to be altered. It was no longer possible to insist that somebody spend a significant period of time winning the trust of the core developers before being permitted to give feedback on code. Communities had to change in order to accept these offers of work, and the communities were better for that change.

The increasing ubiquity of computing has had another outcome. People are much more aware of the role of computing in their lives. They are more likely to understand how proprietary software can restrict them, how not having the freedom to share software can impair people’s lives, how not being able to involve themselves in software development means software doesn’t meet their needs. The largest triumph of free software has not been amongst people from a traditional software development background – it’s been the fact that we’ve grown our communities to include people from a huge number of different walks of life. Free software has helped bring computing to under-served populations all over the world. It’s aided circumvention of censorship. It’s inspired people who would never have considered software development as something they could be involved in to develop entire careers in the field. We will not win because we are better developers. We will win because our software meets the needs of many more people, needs the proprietary software industry either can not or will not satisfy. We will win because our software is shaped not only by people who have a university degree and a six figure salary in San Francisco, but because our contributors include people whose native language is spoken by so few people that proprietary operating system vendors won’t support it, people who live in a heavily censored regime and rely on free software for free communication, people who rely on free software because they can’t otherwise afford the tools they would need to participate in development.

In other words, we will win because free software is accessible to more of society than proprietary software. And for that to be true, it must be possible for our communities to be accessible to anybody who can contribute, regardless of their background.

Up until this point, I don’t think I’ve made any controversial claims. In fact, I suspect that Eric would agree. He would argue that because hacker culture defines itself through the quality of contributions, the background of the contributor is irrelevant. On the internet, nobody knows that you’re contributing from a basement in an active warzone, or from a refuge shelter after escaping an abusive relationship, or with the aid of assistive technology. If you can write the code, you can participate.

Of course, this kind of viewpoint is overly naive. Humans are wonderful at noticing indications of “otherness”. Eric even wrote about his struggle to stop having a viscerally negative reaction to people of a particular race. This happened within the past few years, so before then we can assume that he was less aware of the issue. If Eric received a patch from someone whose name indicated membership of this group, would there have been part of his subconscious that reacted negatively? Would he have rationalised this into a more critical analysis of the patch, increasing the probability of rejection? We don’t know, and it’s unlikely that Eric does either.

Hacker culture has long been concerned with good design, and a core concept of good design is that code should fail safe – ie, if something unexpected happens or an assumption turns out to be untrue, the desirable outcome is the one that does least harm. A command that fails to receive a filename as an argument shouldn’t assume that it should modify all files. A network transfer that fails a checksum shouldn’t be permitted to overwrite the existing data. An authentication server that receives an unexpected error shouldn’t default to granting access. And a development process that may be subject to unconscious bias should have processes in place that make it less likely that said bias will result in the rejection of useful contributions.
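Two of the fail-safe examples in the paragraph above, written out as code. This is an added illustration, not code from the original post: the policy backend is a constructed stand-in for a real authorization service, and the "defective" variants show the fail-open behaviour the paragraph warns against beside the fail-closed form.

```python
"""Fail-safe defaults: when a check cannot complete, the outcome should
be the one that does least harm. The policy backend is a constructed
stand-in for a real authorization service that may be unavailable."""
import logging
from typing import Iterable, List, Set, Tuple

log = logging.getLogger("failsafe")


class PolicyBackend:
    """Stand-in for an authorization service that may raise unexpectedly."""

    def __init__(self, allowed: Iterable[Tuple[str, str]], unavailable: bool = False):
        self.allowed: Set[Tuple[str, str]] = set(allowed)
        self.unavailable = unavailable

    def is_allowed(self, user: str, action: str) -> bool:
        if self.unavailable:
            raise RuntimeError("policy store unreachable")
        return (user, action) in self.allowed


def authorize_fail_open(backend: PolicyBackend, user: str, action: str) -> bool:
    """Defective: an unexpected error is treated as 'nothing said no'."""
    try:
        return backend.is_allowed(user, action)
    except Exception:
        return True


def authorize_fail_closed(backend: PolicyBackend, user: str, action: str) -> bool:
    """Fail-safe: an unexpected error denies, and is logged so it gets fixed."""
    try:
        return backend.is_allowed(user, action)
    except Exception as exc:
        log.error("authorization backend error for %s/%s: %s", user, action, exc)
        return False


def targets_fail_open(filenames: List[str], everything: List[str]) -> List[str]:
    """Defective: no filenames given means 'operate on every file'."""
    return list(filenames) if filenames else list(everything)


def targets_fail_closed(filenames: List[str], everything: List[str]) -> List[str]:
    """Fail-safe: no filenames given means nothing is touched."""
    return list(filenames)


if __name__ == "__main__":
    down = PolicyBackend({("alice", "read")}, unavailable=True)
    print("fail-open grants bob/write while backend is down:",
          authorize_fail_open(down, "bob", "write"))
    print("fail-closed grants bob/write while backend is down:",
          authorize_fail_closed(down, "bob", "write"))
    files = ["a.txt", "b.txt"]
    print("fail-open targets with no arguments:", targets_fail_open([], files))
    print("fail-closed targets with no arguments:", targets_fail_closed([], files))
```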

When people criticise meritocracy, they’re not criticising the concept of treating contributions based on their merit. They’re criticising the idea that humans are sufficiently self-aware that they will be able to identify and reject every subconscious prejudice that will affect their treatment of others. It’s not a criticism of a desirable goal, it’s a criticism of a flawed implementation. There’s evidence that organisations that claim to embody meritocratic principles are more likely to reward men than women even when everything else is equal. The “cult of meritocracy” isn’t the belief that meritocracy is a good thing, it’s the belief that a project founded on meritocracy will automatically be free of bias.

Projects like the Contributor Covenant that Eric finds so objectionable exist to help create processes that (at least partially) compensate for our flaws. Review of our processes to determine whether we’re making poor social decisions is just as important as review of our code to determine whether we’re making poor technical decisions. Just as the bazaar overtook the cathedral by making it easier for developers to be involved, inclusive communities will overtake “pure meritocracies” because, in the long run, these communities will produce better output – not just in terms of the quality of the code, but also in terms of the ability of the project to meet the needs of a wider range of people.

The fight between the cathedral and the bazaar came from people who were outside the cathedral. Those fighting against the assumption that meritocracies work may be outside what Eric considers to be hacker culture, but they’re already part of our communities, already making contributions to our projects, already bringing free software to more people than ever before. This time it’s Eric building a cathedral and decrying the decadent hordes in their bazaar, Eric who’s failed to notice the shift in the culture that surrounds him. And, like those who continued building their cathedrals in the 90s, it’s Eric who’s now irrelevant to hacker culture.

(Edited to add: for two quite different perspectives on why Eric’s wrong, see Tim’s and Coraline’s posts)


TorrentFreak: Google Asked to Remove 1,500 “Pirate Links” Per Minute

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

In recent years copyright holders have flooded Google with DMCA takedown notices, asking the company to delete links to pirated content.

The number of requests issued has increased dramatically. In 2011, the search engine received only a few hundred takedown notices per day, but in the same period it now processes more than two million “pirate” links.

This translates to 1,500 links per minute, or 25 per second, and is double the amount being handled last year around the same time. The graph below illustrates the continuing increase.

[Graph: Google takedown surge]

Over the past month Google received takedown notices from 5,609 different copyright holders targeting 65 million links, together spanning 68,484 different domain names.

Most of the reported URLs indeed point to pirated content and the associated links are often swiftly removed from Google’s search results. However, with the massive volume of reports coming in, mistakes and duplicate requests are also common.

The availability of pirated content in search results is a hot button issue for copyright holders, who believe that Google sometimes steers legitimate customers to unauthorized sites.

Google addressed this issue last year by implementing a significant change to its search algorithm, which downranks sites that receive many copyright infringement notices.

These efforts helped to make most large torrent sites less visible, but recent research shows that many streaming sites are still among the top results.

According to industry groups such as the MPAA and RIAA, Google should take a more aggressive approach and blacklist the worst offenders entirely. However, Google believes that this type of site-wide censorship goes too far.

For now, the dispute between both camps remains unresolved, which means that the takedown surge and purge is likely to continue.


TorrentFreak: MPAA Wants $10 Million Piracy Damages From MovieTube

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

Last summer the MPAA sued several popular movie streaming websites which all operated under the MovieTube flag.

In their complaint the movie studios listed MovieTube.cc, TuneVideo.net, Watch33.tv, MovieTube.cz, Anime1.tv, MovieTube.pm, FunTube.co, MovieTube.la, KissDrama.net and several related sites.

The websites in question were typical streaming services, where users could watch videos and in some cases download source files to their computers. Since they used the same hosting facilities and design elements the studios believed that they were operated by the same people.

Several months have passed since the action was filed and the operators of the MovieTube sites have yet to appear in court. They were quick to pull the accused sites offline after the complaint was filed, but never responded to any of the claims.

Due to this inaction, the MPAA now requests a default judgment. In an affidavit submitted to a New York federal court before the weekend they point out that MovieTube made a healthy profit from its operations.

“Defendants’ aggressive promotion and search-engine optimization of the MovieTube Websites permitted them to profit off their blatantly infringing activities,” the MPAA’s attorney writes (pdf).

According to the MPAA the MovieTube sites attracted over 81 million estimated visits per month, including more than 60 million visits from the United States.

“Defendants’ advertising-based revenue model would have yielded them significant profits given their high traffic, little to no overhead, and the fact that, unlike legitimate digital content services, they paid not a single dollar to license the content on their websites.”

In a proposed default judgment (pdf) the MPAA requests a permanent injunction that would prohibit the accused from offering or linking to any copyright infringing material. In addition, the movie studios want the domain names to be transferred to them.

In addition, the MPAA requests statutory damages for willful copyright infringement in the amount of $75,000 per title, for a total of $10.5 million.

The proposed injunction no longer requires search engines, ISPs and hosting companies to stop linking or offering services to MovieTube. This request was dropped earlier after Google, Facebook, Twitter, Tumblr and Yahoo branded it as a broad censorship attempt.

Without any opposition from the defendants the MPAA is destined to win this case. However, whether they will ever see any damages is highly doubtful. For now the true operators of the MovieTube sites remain unknown.

That said, the Hollywood group has already scored a victory by shutting down the MovieTube ring when the lawsuit was filed.


TorrentFreak: Pirate Bay Censorship Marks the End of Open Internet, ISP Warns

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

Almost exactly one year ago, Universal Music, Sony Music, Warner Music, Nordisk Film and the Swedish Film Industry teamed up against Swedish ISP Bredbandsbolaget (Broadband Company).

In a lawsuit filed at the Stockholm District Court, the entertainment industry plaintiffs argued that Bredbandsbolaget should be held liable for Internet piracy carried out by its own subscribers. The companies argued that if the ISP wants to avoid liability it should block its customers from accessing The Pirate Bay and streaming portal Swefilmer.

Telenor subsidiary Bredbandsbolaget (Broadband Company) has fought the action every step of the way and will find out at the end of November whether those efforts have paid off.

Should it prevail the decision will be a historic one – no other ISP in Europe (complex Netherlands’ case aside) has managed to avoid blocking The Pirate Bay following a legal battle. If the ISP loses (and the odds suggest that it will) the provider will be required to censor the site, something it is desperate to avoid.

In a joint statement this week Patrik Hofbauer, CEO of Telenor and Bredbandsbolaget, and Anna Bystrom, company legal counsel, warned that an adverse ruling could put the model of a free and open Internet at risk.

“When a judgment becomes precedent a trial is about so much more than an Internet service provider and two controversial websites,” the executives begin.

“If the media companies are given the right it will lead to absurd consequences and Internet subscribers will ultimately end up using a severely censored Internet.”

Hofbauer and Bystrom highlight the fact that should the case go the plaintiffs’ way, Bredbandsbolaget and other Internet providers will be regarded as accomplices to infringement committed on sites such as Swefilmer and The Pirate Bay. However, the implications stretch far beyond those two domains.

“A conviction that makes us criminals because we do not block these sites is very dangerous and opens a door that must remain closed,” they explain.

“Moving forward, will ISPs then be forced to block social media if we are deemed to contribute to copyright infringement, threats and defamation that may occur there?”

Indeed, copyright is the tip of the iceberg. Could ISPs’ liability stretch further still, to controversial sites such as Wikileaks for example?

“Will sites where whistle-blowers can reach out with secret classified material also need to be blocked? If so, Sweden would then be subjected to a harsh level of censorship unique in the EU,” Hofbauer and Bystrom warn.

While the copyright holders in the legal action are clear on their goals, it’s clear that Bredbandsbolaget is concerned that this case represents the thin end of a wedge, one that starts with copyright but has the potential to expand into unforeseen areas. Once the genie is out of the bottle, the company argues, the threat to the open Internet could be great.

Bredbandsbolaget says the legal and ethical choices it is confronted with are not always easy ones and it sometimes finds itself in the middle of contradictory demands from legislators on one side and stakeholders on the other. But on this issue, initially involving The Pirate Bay but with the potential to spread much further, the ISP’s position has been easy.

“Our role in society should be about making information available and we can not risk engaging in censorship,” the ISP explains.

“When we faced pressure from individual players in this case, we put our values to the test. We are against piracy, but the idea that under threat of punishment ISPs must make assessments of the sites that Swedish people visit is absurd.”

In conclusion and while welcoming a positive outcome to the case, the executives say that if they’re forced to bend to the whims of outside influences, people may have to kiss goodbye to a free and open Internet.

“The day when we and other operators must be guided by private interests, that may represent the beginning of the end for what we in Sweden know as the open Internet. With that said, we welcome a decision that will hopefully strengthen our conviction,” Hofbauer and Bystrom conclude.

Whichever way it goes, there are only two weeks left to find out.


TorrentFreak: Google Asked to Remove One Billion “Pirate” Search Results

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

In recent years copyright holders have overloaded Google with DMCA takedown notices, targeting links to pirated content.

These requests have increased dramatically over the years. In 2008, the search engine received only a few dozen takedown notices during the entire year, but today it processes two million per day on average.

This week TorrentFreak crunched the numbers in Google’s Transparency Report and found that since its publication Google has been asked to remove over 1,007,766,482 links to allegedly infringing webpages.

Indeed, that’s more than a billion reported URLs, a milestone Google crossed just a few days ago.

The number of notices continues to increase at a rapid pace as nearly half of the requests, 420 million, were submitted during the first months of 2015. The graph below illustrates this sharp rise in takedown notices.


While some notices identify pages that are not infringing, most are correct. These are then removed by Google and no longer appear in the search results.

The successful takedown notices are also factored into Google’s search algorithms, where frequently targeted websites are downranked.

TorrentFreak asked Google for a comment on the most recent milestone but the company chose not to respond on the record.

In a submission to the Intellectual Property Enforcement Coordinator last week Google stated that it has taken various measures to help copyright holders, including swift removals.

“We process more takedown notices, and faster, than any other search engine,” the search giant commented.

“We receive notices for a tiny fraction of everything we host and index, which nonetheless amounts to millions of copyright removal requests per week that are processed, on average, in under six hours.”

The company rejects broader actions, such as the removal of entire domain names, as this would prove counterproductive and lead to overbroad censorship.

Copyright holders, however, don’t share these concerns. Over the years groups such as the MPAA and RIAA have repeatedly argued that clearly infringing sites should be barred from Google’s index. In addition, they want Google to promote legal services.

While Google believes that the billion reported URLs are a sign that the DMCA takedown process is working properly, rightsholders see it as a signal of an unbeatable game of whack-a-mole.

As this stalemate continues, we can expect the number of reported pages to continue to rise in the future, adding millions of new URLs on a daily basis.


Let's Encrypt: The CA’s Role in Fighting Phishing and Malware

This post was syndicated from: Let's Encrypt and was written by: Let's Encrypt. Original post: at Let's Encrypt

Since we announced Let’s Encrypt we’ve often been asked how we’ll ensure that we don’t issue certificates for phishing and malware sites. The concern most commonly expressed is that having valid HTTPS certificates helps these sites look more legitimate, making people more likely to trust them.

Deciding what to do here has been tough. On the one hand, we don’t like these sites any more than anyone else does, and our mission is to help build a safer and more secure Web. On the other hand, we’re not sure that certificate issuance (at least for Domain Validation) is the right level on which to be policing phishing and malware sites in 2015. This post explains our thinking in order to encourage a conversation about the CA ecosystem’s role in fighting these malicious sites.

CAs Make Poor Content Watchdogs

Let’s Encrypt is going to be issuing Domain Validation (DV) certificates. On a technical level, a DV certificate asserts that a public key belongs to a domain – it says nothing else about a site’s content or who runs it. DV certificates do not include any information about a website’s reputation, real-world identity, or safety. However, many people believe the mere presence of a DV certificate ought to connote at least some of these things.

Treating a DV certificate as a kind of “seal of approval” for a site’s content is problematic for several reasons.

First, CAs are not well positioned to operate anti-phishing and anti-malware operations – or to police content more generally. They simply do not have sufficient ongoing visibility into sites’ content. The best CAs can do is check with organizations that have much greater content awareness, such as Microsoft and Google. Google and Microsoft consume vast quantities of data about the Web from massive crawling and reporting infrastructures. This data allows them to use complex machine learning algorithms (developed and operated by dozens of staff) to identify malicious sites and content.

Even if a CA checks for phishing and malware status with a good API, the CA’s ability to accurately express information regarding phishing and malware is extremely limited. Site content can change much faster than certificate issuance and revocation cycles, phishing and malware status can be page-specific, and certificates and their related browser UIs contain little, if any, information about phishing or malware status. When a CA doesn’t issue a certificate for a site with phishing or malware content, users simply don’t see a lock icon. Users are much better informed and protected when browsers include anti-phishing and anti-malware features, which typically do not suffer from any of these limitations.

Another issue with treating DV certificates as a “seal of approval” for site content is that there is no standard for CA anti-phishing and anti-malware measures beyond a simple blacklist of high-value domains, so enforcement is inconsistent across the thousands of CAs trusted by major browsers. Even if one CA takes extraordinary measures to weed out bad sites, attackers can simply shop around to different CAs. The bad guys will almost always be able to get a certificate and hold onto it long enough to exploit people. It doesn’t matter how sophisticated the best CA anti-phishing and anti-malware programs are, it only matters how good the worst are. It’s a “find the weakest link” scenario, and weak links aren’t hard to find.

Browser makers have realized all of this. That’s why they are pushing phishing and malware protection features, and evolving their UIs to more accurately reflect the assertions that certificates actually make.

TLS No Longer Optional

When they were first developed in the 1990s, HTTPS and SSL/TLS were considered “special” protections that were only necessary or useful for particular kinds of websites, like online banks and shopping sites accepting credit cards. We’ve since come to realize that HTTPS is important for almost all websites. It’s important for any website that allows people to log in with a password, any website that tracks its users in any way, any website that doesn’t want its content altered, and for any site that offers content people might not want others to know they are consuming. We’ve also learned that any site not secured by HTTPS can be used to attack other sites.

TLS is no longer the exception, nor should it be. That’s why we built Let’s Encrypt. We want TLS to be the default method for communication on the Web. It should just be a fundamental part of the fabric, like TCP or HTTP. When this happens, having a certificate will become an existential issue, rather than a value add, and content policing mistakes will be particularly costly. On a technical level, mistakes will lead to significant downtime due to a slow issuance and revocation cycle, and features like HSTS. On a philosophical and moral level, mistakes (innocent or otherwise) will mean censorship, since CAs would be gatekeepers for online speech and presence. This is probably not a good role for CAs.

Our Plan

At least for the time being, Let’s Encrypt is going to check with the Google Safe Browsing API before issuing certificates, and refuse to issue to sites that are flagged as phishing or malware sites. Google’s API is the best source of phishing and malware status information that we have access to, and attempting to do more than query this API before issuance would almost certainly be wasteful and ineffective.

We’re going to implement this phishing and malware status check because many people are not comfortable with CAs entirely abandoning anti-phishing and anti-malware efforts just yet, even for DV certificates. We’d like to continue the conversation for a bit longer before we abandon what many people perceive to be an important CA behavior, even though we disagree.
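A sketch of the pre-issuance gate described above, written as an added example for this post (it is not Let’s Encrypt’s own code). It assumes the request and response shapes of Google’s Safe Browsing v4 Lookup API, which the post does not specify, and takes the lookup transport as a parameter so it runs offline; treating a transport failure as a refusal is this example’s choice, not a documented Let’s Encrypt behaviour.

```javascript
// Added example: a pre-issuance Safe Browsing gate for DV certificate requests.
// Not Let's Encrypt code. Request/response shapes follow Google's Safe Browsing
// v4 Lookup API ("threatMatches:find"); the post does not say which API version
// Let's Encrypt used, so treat that as an assumption.

// The two threat categories the post is about: malware and phishing
// (Safe Browsing calls phishing "SOCIAL_ENGINEERING").
const THREAT_TYPES = ["MALWARE", "SOCIAL_ENGINEERING"];

// A DV certificate covers hostnames, but Safe Browsing flags URLs, so ask about
// both scheme variants of each SAN. As the post notes, status can be
// page-specific: a clean answer for "https://host/" says nothing about
// "https://host/login", which is one of the limits of this check.
function buildLookupRequest(sans) {
  const threatEntries = [];
  for (const host of sans) {
    threatEntries.push({ url: `http://${host}/` }, { url: `https://${host}/` });
  }
  return {
    client: { clientId: "example-ca", clientVersion: "0.1" }, // placeholder id
    threatInfo: {
      threatTypes: THREAT_TYPES,
      platformTypes: ["ANY_PLATFORM"],
      threatEntryTypes: ["URL"],
      threatEntries,
    },
  };
}

// Map a lookup response back onto the requested SANs.
// An empty object ("{}") is the v4 API's way of saying "no matches".
function flaggedHosts(sans, response) {
  const flagged = new Map(); // host -> Set of threat types
  for (const m of response.matches || []) {
    let host;
    try {
      host = new URL(m.threat.url).hostname;
    } catch {
      continue; // ignore a malformed entry rather than crash issuance
    }
    if (!sans.includes(host)) continue;
    if (!flagged.has(host)) flagged.set(host, new Set());
    flagged.get(host).add(m.threatType);
  }
  return flagged;
}

// Decide whether to issue. One flagged SAN refuses the whole certificate,
// because the certificate would cover that name as well.
function decideIssuance(sans, response) {
  const flagged = flaggedHosts(sans, response);
  if (flagged.size === 0) return { issue: true, refused: [] };
  const refused = [...flagged].map(([host, types]) => ({ host, types: [...types].sort() }));
  return { issue: false, refused };
}

// Run the gate through an injected transport (so it can be exercised offline).
// A transport failure is treated as "do not issue" here: this example's choice.
async function checkBeforeIssuance(sans, lookup) {
  let response;
  try {
    response = await lookup(buildLookupRequest(sans));
  } catch (err) {
    return { issue: false, refused: [], error: String(err) };
  }
  return decideIssuance(sans, response);
}

// Constructed sample response shaped like a v4 Lookup reply (not real data).
// "unrelated.example" is flagged but not requested, so it must be ignored.
const SAMPLE_RESPONSE = {
  matches: [
    { threatType: "SOCIAL_ENGINEERING", platformType: "ANY_PLATFORM",
      threatEntryType: "URL", threat: { url: "http://phish.example/" } },
    { threatType: "MALWARE", platformType: "ANY_PLATFORM",
      threatEntryType: "URL", threat: { url: "https://unrelated.example/" } },
  ],
};

// Demo on the constructed response (no network access):
console.log(JSON.stringify(decideIssuance(["phish.example", "clean.example"], SAMPLE_RESPONSE)));
// -> {"issue":false,"refused":[{"host":"phish.example","types":["SOCIAL_ENGINEERING"]}]}
```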

Conclusion

The fight against phishing and malware content is an important one, but it does not make sense for CAs to be on the front lines, at least when it comes to DV certificates. That said, we’re going to implement checks against the Google Safe Browsing API while we continue the conversation.

We look forward to hearing what you think. Please let us know.

Schneier on Security: The Need for Transparency in Surveillance

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

In Data and Goliath, I talk about the need for transparency, oversight, and accountability as the mechanism to allow surveillance when it is necessary, while preserving our security against excessive surveillance and surveillance abuse.

James Losey has a new paper that discusses the need for transparency in surveillance. His conclusion:

Available transparency reports from ICT companies demonstrate the rise in government requests to obtain user communications data. However, revelations on the surveillance capabilities of the United States, Sweden, the UK, and other countries demonstrate that the available data is insufficient and falls short of supporting rational debate. Companies can contribute by increasing granularity, particularly on the legal processes through which they are required to reveal user data. However, the greatest gaps remain in the information provided directly from governments. Current understanding of the scope of surveillance can be credited to whistleblowers risking prosecution in order to publicize illegitimate government activity. The lack of transparency on government access to communications data and the legal processes used undermines the legitimacy of the practices.

Transparency alone will not eliminate barriers to freedom of expression or harm to privacy resulting from overly broad surveillance. Transparency provides a window into the scope of current practices and additional measures are needed such as oversight and mechanisms for redress in cases of unlawful surveillance. Furthermore, international data collection results in the surveillance of individuals and communities beyond the scope of a national debate. Transparency offers a necessary first step, a foundation on which to examine current practices and contribute to a debate on human security and freedom. Transparency is not the sole responsibility of any one country, and governments, in addition to companies, are well positioned to provide accurate and timely data to support critical debate on policies and laws that result in censorship and surveillance. Supporting an informed debate should be the goal of all democratic nations.

TorrentFreak: Pirate Party Beats Iceland’s Government Coalition in the Polls

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

Founded in 2006 by Rick Falkvinge, the Pirate party movement has scored some significant victories over the years.

The greatest success is the continuing presence in the European Parliament, but in Iceland the local Pirate Party is making history as well.

The Pirates have a great track record in Iceland already, with three members in the national Parliament. However, many more may join in the future as the Pirates have become the largest political party in the polls.

Earlier this year we already reported on this remarkable achievement. At the time the Pirate Party had 23.9% of the polled votes, a number that has now grown to 34.2% in the last MMR survey.

According to the most recent polls the Pirate Party now has more support than the local coalition Government, which consists of the Independence Party (21.7%) and Progressive Party (10.4%).

[Chart: Pirates leading the polls]

The continued rise is quite a success for a party that was founded just three years ago, and for now the upward trend continues.

TF spoke with Ásta Helgadóttir, Member of Parliament for the Icelandic Pirate Party, who believes that many people are fed up with the current state of politics.

“I believe people are tired of the old fashioned politics the old parties are practicing,” she says.

“We have been focusing on making decisions based on evidence, being honest when we make mistakes and ready to change our minds if that is needed. We have also been working on changing the system from within and demanding that the people in position of power are responsible for their actions.”

Contrary to what some outsiders believe, the Pirates are not a one-issue party. The party is known for fighting increased censorship and protecting freedom of speech, but it also encourages transparency and the involvement of citizens in political issues.

“We are working on taking our democratic system into the 21st century,” Ásta says. “The division between the executive and legislative should be much clearer than it is today, as ministers can and most often are also members of parliament now.”

This is just one of the many ideas the party is working on. While the current poll results are promising, the party will have to hold on to them for a while, as the next elections are scheduled for 2017.

While the Pirate Party may be more popular than the current government at the moment, it doesn’t mean that governing is a main goal. The Pirates just want to make sure that the status quo changes.

“We don’t really want to govern, but rather have the system working as a whole where everyone in it has responsibility for their actions.”

“I don’t know how realistic it is that we’ll form a government, only time will tell,” she concludes.

Source: TorrentFreak, for the latest info on copyright, file-sharing, torrent sites and ANONYMOUS VPN services.

TorrentFreak: Google Opposes Whole-Site Removal of “Pirate” Domains

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

In recent years the movie and music industries have continually pressured Google to take action against online piracy.

Ideally, groups including the MPAA and RIAA want search engines to remove clearly infringing websites from their search results entirely, especially if courts have previously found them to be acting illegally.

Just recently the MPAA reiterated this stance in recommendations to U.S. Intellectual Property Enforcement Coordinator (IPEC) Daniel Marti.

However, Google disagrees and is now urging the Government not to facilitate or promote so-called “whole-site” removals. According to the search giant this may lead to overbroad censorship.

“Unfortunately, whole-site removal is ineffective and can easily result in censorship of lawful material,” Google writes.

In its letter Google points out that blogging sites or social networks can contain infringing material, but that removing an entire site would also take down perfectly legitimate content.

The MPAA is probably not referring to blog platforms, but to The Pirate Bay. However, according to Google, the current DMCA takedown system is both effective and efficient enough to deal with all infringing content.

“The DMCA provides copyright owners with an effective and efficient framework for removing any infringing page on a site,” Google stresses, noting that it has removed hundreds of millions of URLs already this year.

Removing or blocking entire websites might not only chill free speech but also prove counterproductive, Google says.

“Whole site removal would simply drive piracy to new domains, legitimate sites, and social networks,” the company notes, adding that copyright holders should go after the site’s revenue sources instead.

Another downside of whole-site removal is that the U.S. would send the wrong message to the rest of the world.

If the U.S. is prepared to censor entire websites based on copyright violations, then other regimes may find it easier to demand the same based on local laws. For example, by demanding the removal of news sites based on political statements, or insults to religion.

“This would jeopardize free speech principles, emerging services, and the free flow of information online globally and in contexts far removed from copyright,” Google notes.

Instead of taking a repressive approach, the U.S. Government should address piracy in a more positive way by encouraging the development of legal alternatives.

“Piracy thrives when consumer demand goes unmet by legitimate supply,” Google writes.

“Online services like Google Play, Spotify, Netflix, and iTunes have demonstrated that the most effective way to combat piracy on the web is to offer attractive legal alternatives to consumers.”

Google’s letter will be taken into consideration by Intellectual Property Czar Daniel Marti, who is expected to release the 2016 – 2019 Joint Strategic Plan on Intellectual Property Enforcement during the months to come.


TorrentFreak: Police Seized a Torrent Proxy & 33K Users Kept Accessing it

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

In July 2013 a new anti-censorship service arrived on the scene. Targeted at users who found VPNs too expensive and Tor too slow, Immunicity provided free access to a wide range of blocked websites.

A year later and with support from Hollywood, City of London Police arrested Immunicity’s then 20-year-old operator. He’s still on police bail facing an uncertain future.

For many months the Immunicity website remained online but with a very much changed appearance. Gone was the advice on how to unblock sites such as The Pirate Bay to be replaced by a City of London Police banner explaining that the site was under criminal investigation.

Police previously admitted that they’d been logging traffic to that site (and many other seized sites for that matter) but recent developments indicate that they could’ve had access to more than straightforward visits to the Immunicity website. Here’s how.

Central to the Immunicity system was providing its users with access to a Proxy Auto-Config (PAC) file. Browsers are easily configured to use PAC files and in just a couple of minutes Immunicity users were able to download a custom PAC and begin opening blocked sites via the Immunicity.org domain.

However, police took effective control of that domain when they arrested its owner last year and while former users might have been disappointed that the service no longer worked as advertised, thousands left their browsers configured to continue using it. How do we know that? Well, the UK Police Intellectual Property Crime Unit no longer has control of the domain.

At the end of August activists from Brass Horn Communications, a non-profit entity which operates Tor exits and other anti-censorship systems such as PacketFlagon, managed to obtain the Immunicity domain. Until three days ago it displayed a modified version of the famous police seizure notice.

[Image: the modified police seizure notice shown on Immunicity.org]

Speaking with TorrentFreak the operator of Brass Horn Communications says that since taking over the Immunicity domain it has become apparent that tens of thousands of former Immunicity users failed to remove the service’s PAC file from their browsers. This means that even after the police took control of Immunicity.org they continued to direct their traffic to the seized domain.

“More than a year [after the police raid] there were over 33k unique addresses still surrendering control of their operating systems / browsers (plus Steam, OS updates, OCSP / CRL requests etc) over to the Immunicity Proxy Auto-Config file,” he reveals.

“The Police (or another malicious actor had they acquired the domain) could have done a lot of damage.”

We asked Brass Horn’s spokesperson about the best and worst case scenarios for the users whose browsers continued to access the Immunicity PAC file. The best case is that nothing happened, the worst is more complicated.

“We know that the Police were monitoring the access logs of the seized domains so in theory they could simply have monitored everyone who requested the PAC file and recorded that,” he explains.

“But they could have also published a PAC file that sent *all* traffic through a proxy under their control and gathered metadata. They would have been able to alter HTTP content in flight and monitor which IPs were going to which websites, even if they were over SSL. Granted they couldn’t see which URL was being visited but that’s besides the point.”
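To make the risk concrete from the defender’s side, here is an added example (not Immunicity’s or Brass Horn’s code) that evaluates a PAC file outside the browser and reports which of a set of sample URLs it would send through a proxy, so that a catch-all PAC like the one described above is easy to spot. The two PAC sources and the sample URLs are constructed for illustration, the helper functions are reimplementations of the ones browsers expose to PAC scripts, and the .example/.test hostnames are placeholders.

```javascript
// Added example: audit a Proxy Auto-Config (PAC) file to see how much traffic
// it would hand to a proxy. Not Immunicity's or Brass Horn's code; the PAC
// sources and URLs below are constructed for illustration.

// A few of the helper functions browsers expose to PAC scripts, reimplemented
// so a PAC file can be evaluated outside a browser.
const pacHelpers = {
  // True for bare names such as "intranet" (no dot in the hostname).
  isPlainHostName: (host) => !host.includes("."),
  // True when host equals domain or ends with ".domain" (leading dot tolerated).
  dnsDomainIs: (host, domain) => {
    const d = domain.replace(/^\./, "");
    return host === d || host.endsWith("." + d);
  },
  // Shell-style glob: '*' matches anything, '?' matches one character.
  shExpMatch: (str, pattern) => {
    const re = "^" + pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&")
      .replace(/\*/g, ".*").replace(/\?/g, ".") + "$";
    return new RegExp(re).test(str);
  },
};

// Evaluate FindProxyForURL from a PAC source for one URL.
// This executes the PAC script, so only run it on a file you are already
// letting a browser run; Function() is not a sandbox.
function evaluatePac(pacSource, url) {
  const host = new URL(url).hostname;
  const names = Object.keys(pacHelpers);
  const fn = new Function(...names, "url", "host",
    `${pacSource}\nreturn FindProxyForURL(url, host);`);
  return fn(...names.map((n) => pacHelpers[n]), url, host);
}

// Classify each sample URL as DIRECT or proxied and summarise the result.
// "catchAll" is the warning sign: nothing at all goes direct.
function auditPac(pacSource, sampleUrls) {
  const proxied = [];
  const direct = [];
  for (const url of sampleUrls) {
    const verdict = String(evaluatePac(pacSource, url)).trim();
    // A PAC result is a ';'-separated fallback list; the first entry decides.
    const first = verdict.split(";")[0].trim().toUpperCase();
    (first === "DIRECT" ? direct : proxied).push({ url, verdict });
  }
  return { proxied, direct, catchAll: direct.length === 0 && proxied.length > 0 };
}

// Constructed: a PAC file in the style the article describes, which proxies
// only a fixed list of blocked sites and sends everything else DIRECT.
const SELECTIVE_PAC = `
var blocked = ["blocked-site.example", "proxy-me.example"];
function FindProxyForURL(url, host) {
  for (var i = 0; i < blocked.length; i++) {
    if (dnsDomainIs(host, blocked[i])) return "PROXY unblock.example:8080";
  }
  return "DIRECT";
}`;

// Constructed: what a seized domain could serve instead, routing every request
// (OCSP, OS updates, logins, all of it) through a proxy the domain holder runs.
const CATCH_ALL_PAC = `
function FindProxyForURL(url, host) {
  if (isPlainHostName(host)) return "DIRECT";
  return "PROXY intercept.example:3128";
}`;

// Constructed sample of the kinds of traffic the article says was affected.
const SAMPLE_URLS = [
  "https://blocked-site.example/",
  "http://ocsp.example-ca.test/",
  "https://updates.os-vendor.test/catalog",
  "https://mail.example.org/login",
];

// Demo: the selective PAC proxies one URL, the catch-all PAC proxies all four.
for (const [name, pac] of [["selective", SELECTIVE_PAC], ["catch-all", CATCH_ALL_PAC]]) {
  const report = auditPac(pac, SAMPLE_URLS);
  console.log(`${name}: ${report.proxied.length} proxied, ${report.direct.length} direct, catchAll=${report.catchAll}`);
}
```

A browser's own PAC file can be fetched from the URL shown in its proxy settings and run through auditPac the same way.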

Brass Horn’s operator says people should be aware that while routing their traffic through third parties has the ability to decrease censorship efforts, there are always security considerations to keep in mind.

“People need to be aware of the risks of PAC proxies, VPNs etc (e.g. all their traffic is at the whim of the VPN / Proxy operator). With that said, Brass Horn Communications won’t surrender any domains and will be publishing DNSSEC records, TLSA DNS records and long lived HSTS headers to hopefully break any seizures from having an effect.”

For now, however, Immunicity is in safe hands. Nevertheless, its new operator is advising former users to immediately delve into their browser settings to disable access to the old PAC file.

Full instructions on how to create and install a new PAC file are provided at Immunicity.org, which is now a fully operational PacketFlagon site-unblocking shard.


TorrentFreak: ISPs Agree to Block The Pirate Bay in Iceland

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

As the arch-rival of many copyright groups, The Pirate Bay has become one of the most censored websites on the Internet in recent years.

Courts all around the world have ordered Internet providers to block subscriber access to the torrent site and the list continues to expand.

This week Icelandic ISPs reached an agreement with local entertainment industry representatives to prevent subscribers from accessing the notorious torrent site.

In addition to The Pirate Bay, the Internet providers also promised to block Deildu.net, Iceland’s most popular private torrent tracker.

The agreement follows a court decision from last fall when the Reykjavík District Court handed down an injunction to ISPs Vodafone and Hringdu, forcing them to block the two sites.

Iceland’s local equivalent of the RIAA (STEF) wasn’t satisfied with the limited scope of the order and wanted other providers to follow suit. The group set an ultimatum threatening legal action last year, but the parties eventually decided to settle the matter out of court.

The decision to block access to The Pirate Bay does not come without protest. The local Pirate Party, which is the most popular party with a third of all ‘votes’ in recent polls, describes it as censorship.

“We are of course against this, especially because of the circumstances,” Ásta Helgadóttir, Member of Parliament for the Icelandic Pirate Party, informs TF.

The Pirate Party views a private censorship agreement between ISPs and copyright holders as a worrying development, and warns that the judicial system should not be bypassed.

“The blocking itself is currently nothing other than an inconvenience which is quite easy to circumvent with some googling or setting up a VPN. What’s more serious is the way the rightsholders could bypass the judicial authority to get their censorship measures through with the ISPs,” Ásta tells TF.

Instead of asking for pointless DNS blockades, copyright holders should focus on negotiating better contracts with the artists they are supposed to represent.

“The real problem is the poor negotiation status of the individual artist when it comes to signing contracts. That is the real problem, not private sharing of culture,” Ásta says.

According to local reports the Internet providers have agreed to block The Pirate Bay’s main domain names and any new ones that subsequently arise. However, for now, many of the well known proxy sites are still available.

Recent history has shown that people who want to access blocked sites can always find a way. Circumvention tools such as Tor, VPN services or the specialized PirateBrowser are readily available and growing in popularity as blocking efforts expand.


Errata Security: What’s that drama?

This post was syndicated from: Errata Security and was written by: Robert Graham. Original post: at Errata Security

The infosec community is known for its drama on places like Twitter. People missing the pieces can’t figure out what happened. So I thought I’d write up the latest drama.

It starts with “Wesley McGrew” (@McGrewSecurity), an assistant professor at Mississippi State. He’s been a frequent source of infosec drama for years now. Since I, myself, don’t shy away from drama, I can’t say that he’s necessarily at fault, I’m just pointing out that he’s been involved in several Big Infosec Drama Blowups.
Then there is “Adrian Crenshaw” (@irongeek_adc) (a.k.a. “Irongeek”) who maintains a website, http://irongeek.com, which hosts a lot of infosec videos. He’ll work with conferences to make sure talks get recorded and uploaded to his site. A lot of smaller cons host their video there. If you frequently watch infosec videos, then you know the site.
I think this specific drama started back in April, when Irongeek made this April Fool’s joke:
https://twitter.com/McGrewSecurity/status/583250910387789824
Many, most especially McGrew, criticized Irongeek for this, claiming it was an “unfunny slap to women in security”.
I don’t know when it happened, but Irongeek punished McGrew by blocking students from McGrew’s university, Mississippi State. This was noticed last week.
https://twitter.com/McGrewSecurity/status/639160910490259460
Irongeek responded to criticisms by changing the “block” to a simple “warning”, and removed the word “mangina”.
https://twitter.com/McGrewSecurity/status/639435344908288001
After further drama, Irongeek backed down and removed the thing altogether, so now Mississippi State students see the same site as before.
Today, BSidesLV, the most important of the “small conferences” that work with Irongeek, severed their relationship with the site:
A lot of people are now upset with BSidesLV because of this. On the other hand, had they kept their relationship with Irongeek, a lot of different people would be upset. There’s pretty much nothing they could have done to avoid getting sucked into the drama.
I think this is a complete summary of recent drama.
Update: Not so complete, apparently sponsors and board members left BSidesLV in protest. I don’t know which way they protested. Since a lot of these people have personal relationships, there’s obviously a lot going on behind the scenes that we are unaware of.


Op-ed

I apologize, but I can’t resist commenting.
BSidesLV can’t have a relationship with Irongeek if they pull these sorts of stunts. They aren’t responding to the content, but to the fact that otherwise innocent MSU students had to suffer. They make no mention of the content. In other words, unlike the BSidesSF/VioletBlue drama of a couple years ago, they aren’t censoring somebody’s speech because of content.
On the other hand, I’m rabidly opposed to anything that even looks like censorship. I’d’ve hoped for a different resolution, such as a commitment from Irongeek that such things wouldn’t happen in the future. It’s going to hurt all of us at the next con when talks aren’t recorded.
Irongeek’s April Fools joke is funny. We are all feminists, but still many of us oppose the “radical feminists”. Nothing should be above mockery, most especially the “radical” of anything. Maybe Irongeek’s joke was inappropriate — but before I accept that, you have to show me jokes about radical feminists that meet your criteria of appropriateness.
McGrew is a typical radical feminist who attacks “old white males” with hate speech. He rejects the idea that this is even hate speech. But here’s the thing: groups like GamerGate are filled with otherwise feminists who are tired of all the hate directed their way, frustrated by the fact that as white males, it’s been declared that they cannot defend themselves in any legitimate way. So they lash out with immature anger, as gamers are apt to do. My point is that we are all feminists, but we are still going to disagree on the particulars. I vehemently disagree with McGrew’s approach.

Troll

Looking back through McGrew’s timeline to get the details for this post, I found this tweet, so I retweeted without comment to troll people. I really am a bad person.

TorrentFreak: Pirate Party Offers Uncensored DNS to Bypass Pirate Bay Blockade

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

Last week Norway became the latest country to block access to The Pirate Bay.

A local court ordered Internet providers to block users’ access to several large ‘pirate’ websites in the hope that it will decrease online copyright infringement.

The local Pirate Party is now vigorously protesting the ruling and has decided to fight back. Since the sites will be blocked at the DNS level, the party is countering by providing its own DNS servers.

“We want a free and open Internet for everyone. The copyright industry’s fight for control over culture has put us in a situation where this is no longer the case in Norway,” Pirate Party co-chairman Øystein Middelthun tells TF.

“The censorship is easy to bypass, by simply changing your name server, so we decided to practice what we preach and offer such a service to all those affected by the problem,” he adds.

Indeed, since the sites’ IP-addresses are not blocked, the blockade can be easily circumvented by changing the DNS settings on one’s device or computer. The Pirate Party is not the only organization offering alternative DNS; OpenDNS and Google run similar services.

The Pirate Party’s DNS has added benefits though, as it supports additional Top Level Domains including .geek or .pirate, and the Namecoin-based .bit. In addition, it operates from Norway with minimal logging to guarantee users’ privacy.

The Pirates note that the order will have minimal effect on people’s sharing habits. However, Middelthun is concerned about the slippery slope, where companies and the authorities get to dictate what people are allowed to see online.

“The blocking order is yet another sad step down the road towards the dystopic world imagined by George Orwell. At the same time it achieves absolutely nothing of what the plaintiffs are hoping for,” he tells TF.

“The dangerous thing about it is that it sets a precedent. It is easy to imagine how the scope could be expanded to include other websites somehow considered immoral, and while the current technical implementation is easy to circumvent, hardening it is equally easy once society has accepted censorship in the first place,” Middelthun adds.

The DNS service is not limited to Norwegians. Everyone who wants an unfiltered DNS service is welcome to use it.

Previously the UK Pirate Party ran into trouble when they launched a Pirate Bay proxy in response to a local blockade. The Norwegian Pirates don’t expect that their DNS will be targeted, but if it does they are prepared to fight back.

“Running a public DNS service is fully legal, so we do not expect any legal trouble. A scenario to consider is if the copyright industry, or surveillance hungry politicians, started pushing for strictly regulating DNS- and/or VPN-services,” Middelthun says.

“If this scenario came true, we will fight it with everything in our power. It is paramount that the Internet remains free, or society would suffer greatly,” he concludes.


TorrentFreak: Gucci Sets Trend for Broad Internet ‘Censorship’

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

In July the movie streaming site MovieTube was sued by the MPAA, which tried to shut it down with a broad injunction.

Last month a coalition of global tech firms including Google, Facebook and Twitter protested the MPAA’s request, which would require search engines, ISPs and hosting companies to stop linking to or offering services to MovieTube.

The MPAA eventually dropped the request as MovieTube shut down voluntarily, but we can expect more of these requests in the future. In fact, they are already quite common in the fashion industry.

This year alone Gucci has targeted hundreds of “infringing” websites that sell knockoffs without permission, and the fashion icon has no trouble getting courts to shut these sites down through similar injunctions.

Gucci’s most recent case was filed three weeks ago (pdf). It targets 221 websites and is similar to lawsuits that were filed previously, which accuse site owners of selling counterfeit merchandise.

In the complaint Gucci asks for a preliminary injunction to prevent all third parties from doing business with the site. This includes payment services, social networks and other online services.

Furthermore, Gucci specifically requests an order to prevent “search engines, Web hosts, domain-name registrars and domain-name registries” from facilitating access to the sites in question.

[Image: Gucci’s request]

While this case is still pending, the designer company has had success with previous requests. In May, for example, Gucci obtained an injunction which prohibits search engines from linking to 184 sites, while ordering domain name registrars to hand over the domains.

Unlike with the MovieTube case, there has been little public outcry about the Gucci cases. However, the Electronic Frontier Foundation believes that they pose a significant threat.

“The Gucci cases are certainly of concern for the same reasons as the MovieTube case, and they deserve more public scrutiny,” EFF attorney Mitch Stoltz informs TF.

“Vaguely written orders that could be used to co-opt numerous Internet intermediaries into blocking or filtering websites are an abuse of the law and threaten some of the same harms as the infamous SOPA bill did,” he adds.

In all fairness, Gucci shouldn’t get all the ‘credit’ here. Several other designer brands have successfully requested similar injunctions in the past, including Louis Vuitton and Chanel.

Similarly, media company ABS-CBN has been granted broad injunctions by American courts before.

Still, none of these cases triggered the same response as the MovieTube case did. Perhaps the involvement of the MPAA was needed to really hit a nerve with the tech companies?

In any case, it’s clear that Hollywood isn’t setting the trend here, they’re simply following a path already laid out by others.


Schneier on Security: China’s “Great Cannon”

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

Interesting research: “An Analysis of China’s ‘Great Cannon’.”

Abstract: On March 16th, 2015, the Chinese censorship apparatus employed a new tool, the “Great Cannon”, to engineer a denial-of-service attack on GreatFire.org, an organization dedicated to resisting China’s censorship. We present a technical analysis of the attack and what it reveals about the Great Cannon’s working, underscoring that in essence it constitutes a selective nation-state Man-in-the-Middle attack tool. Although sharing some code similarities and network locations with the Great Firewall, the Great Cannon is a distinct tool, designed to compromise foreign visitors to Chinese sites. We identify the Great Cannon’s operational behavior, localize it in the network topology, verify its distinctive side-channel, and attribute the system as likely operated by the Chinese government. We also discuss the substantial policy implications raised by its use, including the potential imposition on any user whose browser might visit (even inadvertently) a Chinese web site.

TorrentFreak: Movie Studios and Record Labels Target Pirate Bay in New Lawsuit

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

In 2009, the IFPI and several local movie studios demanded that Norwegian ISP Telenor should block The Pirate Bay. The ISP refused and legal action commenced.

A subsequent ruling determined that there was no legal basis for site blocking and in 2010 a rightsholder appeal also failed. If sites were to be blocked, a change in the law was required.

In May 2011 the Ministry of Culture announced that it had put forward proposals for amendments to the Copyright Act, to include web blocking, and on July 1, 2013 the new law came into effect.

After more than two years of threats, local and international copyright holders have now made good on their promises to use the new legislation to stamp down on piracy.

In a lawsuit filed at the Oslo District Court, Disney, Warner Bros. and Sony plus local producers and representatives from the recording industry are teaming up to sue eleven local ISPs. Also targeted in the action are the alleged operators of eight ‘pirate’ sites.

Although the sites are yet to be publicly revealed, The Pirate Bay is among them and site co-founder Fredrik Neij is named as a party in the case.

According to Dagens Næringsliv, studios and labels filed an initial complaint with ISPs back in April via anti-piracy outfit Rights Alliance. It was sent to the country’s largest ISP Telenor plus others including Get, NextGenTel and Altibox.

The rightsholders’ demands are familiar. All the main local ISPs must block The Pirate Bay and related sites so that subscribers can no longer access the domains directly.

“We understand licensees’ struggle for their rights. For us it is important that the court must take these decisions, and that we do not assume a censorship role,” says Telenor communications manager Tormod Sandstø.

Also of interest is how the legal process is being handled. The Oslo District Court is dealing with the case in writing so the whole process is completely closed to the public. After processing the case during the summer, early estimations suggest that the court will have made its decision within the next 10 days.

The news follows several key Norwegian anti-piracy developments in 2015. In March, an investigation by Rights Alliance culminated in a police raid against local pirate site Norskfilm.

In July, Rights Alliance placed the blame for a piracy explosion firmly on the shoulders of Popcorn Time, with the group announcing last week that up to 75,000 users of the application could now be contacted by mail. The message they will receive remains unclear but comments from Rights Alliance during the past few days have leaned away from lawsuits.

Interestingly, Popcorn Time related sites are not among the batch of domains currently under consideration by the Oslo District Court as the service was not considered a priority when the original Rights Alliance complaint was being put together. Should the current blocking attempt prove successful, expect Popcorn Time domains to appear in an upcoming lawsuit.


TorrentFreak: Tech Giants Want to Punish DMCA Takedown Abusers

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

Every day copyright holders send millions of DMCA takedown notices to various Internet services.

Most of these requests are legitimate, aimed at disabling access to copyright-infringing material. However, there are also many overbroad and abusive takedown notices which lead to unwarranted censorship.

These abuses are a thorn in the side of major tech companies such as Google, Facebook and Microsoft. These companies face serious legal consequences if they fail to take content down, but copyright holders who don’t play by the rules often walk free.

This problem is one of the main issues highlighted in a new research report (pdf) published by the CCIA, a trade group which lists many prominent tech companies among its members.

The report proposes several changes to copyright legislation that should bring it in line with the current state of the digital landscape. One of the suggestions is to introduce statutory damages for people who abuse the takedown process.

“One shortcoming of the DMCA is that the injunctive-like remedy of a takedown, combined with a lack of due process, encourages abuse by individuals and entities interested in suppressing content,” CCIA writes.

“Although most rightsholders make good faith use of the DMCA, there are numerous well-documented cases of misuse of the DMCA’s extraordinary remedy. In many cases, bad actors have forced the removal of material that did not infringe copyright.”

The report lists several examples, including DMCA notices which are used to chill political speech by demanding the takedown of news clips, suppress consumer reviews, or retaliate against critics.

Many Internet services are hesitant to refuse these types of takedown requests, as doing so may cause them to lose their safe harbor protection, while the abusers themselves don’t face any serious legal risk.

The CCIA proposes to change this by introducing statutory damage awards for abusive takedown requests. This means that the senders would face the same consequences as the copyright infringers.

“To more effectively deter intentional DMCA abuse, Congress should extend Section 512(f) remedies for willful misrepresentations under the DMCA to include statutory awards, as it has for willful infringement under Section 504(c),” CCIA writes.

In addition to tackling DMCA abuse the tech companies propose several other changes to copyright law.

One of the suggestions is to change the minimum and maximum statutory damages for copyright infringement, which are currently $750 and $150,000 per work.

According to the CCIA the minimum should be lowered to suit cases that involve many infringements, such as a user who hosts thousands of infringing works on a cloud storage platform.

The $150,000 maximum, on the other hand, is open to abuse by copyright trolls and rightsholders who may use it as a pressure tool.

The tech companies hope that U.S. lawmakers will consider these and other suggestions put forward in the research paper, to improve copyright law and make it future proof.

“Since copyright law was written more than 100 years ago, the goal has been to encourage creativity to benefit the overall public good. It’s important as copyright is modernized to ensure that reforms continue to benefit not just rightsholders, but the overall public good,” the CCIA concludes.


TorrentFreak: Takedown Resistant ‘Hydra Proxy’ Launches to Beat Censorship

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

In July 2013 a brand new anti-censorship service burst onto the scene. Aiming to service those who found VPNs too expensive but couldn’t live with the slow speeds provided by Tor, Immunicity provided swift, free access to a wide range of blocked websites.

The service quickly gained an enthusiastic following but just a year later in 2014 it was all over. With support from Hollywood, City of London Police arrested Immunicity’s then 20-year-old operator. A full 12 months later he remains on bail facing an uncertain future.

To mark this anniversary a new service has debuted to finish the job Immunicity started. Titled ‘HydraProxy’, the service isn’t just another run-of-the-mill unblocking tool but one that aims to grow like a hydra.

Hydra Proxy (HP) acts as a frontend to PacketFlagon, a system which in turn is based on the RoutingPacketsisNotaCrime software detailed in our earlier article.

“After the fall of Immunicity it would appear that most people have migrated to using SSH tunnels, Tor or commercial VPN products,” an HP developer informs TF.

“Unfortunately not everyone can afford (or wants) to do that so [Hydra Proxy] will allow those people to continue to evade overzealous filters at libraries, homes, coffee shops, mobile networks and fixed lines at no cost.”

Central to the system is the ability of popular browsers to use Proxy Auto-Config (PAC) files. Browsers are easily configured to use PAC files and in just a couple of minutes users are able to create their own to access any blocked site. Once configured, blocked sites open as usual.

“Essentially the RoutingPacketsIsNotACrime.uk software has been bundled up into a quickly deployable ‘shard’ which talks to a TLS secured common backend API to create, update and view Proxy Auto-Config (PAC) files,” Hydra Proxy’s developer informs TorrentFreak.

One of the main advantages of the project is that since anyone with the know-how can operate their own Hydra Proxy shard, the system becomes more diverse and capable of evading censorship.

“Volunteers can deploy HydraProxy shards which can create and serve PAC files whilst synchronizing with the central node to help frustrate blocks of the PAC serving servers. Or, they can deploy an entire stand-alone platform,” HP’s dev explains.
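How a browser actually evaluates a Proxy Auto-Config file, as an added example that is not HydraProxy’s or PacketFlagon’s code: the browser calls `FindProxyForURL` for every request and routes the request according to the string it returns. The host list and the proxy address below are constructed placeholders; the two helper functions are normally supplied by the browser and are defined here only so the script runs stand-alone.

```javascript
// Added example: a minimal PAC script plus the two browser-supplied helpers it
// uses. Hosts and proxy address are constructed placeholders (assumptions).

// Hosts whose requests are sent via the proxy (constructed list).
const PROXIED_HOSTS = ["blocked.example", "video.blocked.example"];
// PAC return strings are "PROXY host:port" or "DIRECT", optionally chained with ";".
const PROXY = "PROXY proxy.example:3128";

// The single entry point every browser looks for in a PAC file.
function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Unqualified names (intranet hosts) and loopback never leave the machine.
  if (isPlainHostName(host) || host === "localhost") return "DIRECT";
  for (const h of PROXIED_HOSTS) {
    // Exact match or any subdomain of a listed host.
    if (host === h || dnsDomainIs(host, "." + h)) {
      // Chain DIRECT as a fallback so the browser still works if the proxy is down.
      return PROXY + "; DIRECT";
    }
  }
  return "DIRECT";
}

// Same semantics as the standard PAC helpers the browser injects at runtime;
// defined here so the file can be executed outside a browser.
function isPlainHostName(host) {
  return !host.includes(".");
}
function dnsDomainIs(host, domain) {
  return host.endsWith(domain);
}
```

Reading a PAC file this way is also how an administrator audits one: every host the script matches is handed to the named proxy, which sees that traffic in the clear unless the site uses TLS, so a PAC file pushed to a fleet (or picked up from an untrusted WPAD source) deserves the same review as any other proxy setting.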


There are already more than half a dozen Hydra Proxy shards in operation but the project is welcoming more.

“I’d encourage people to register other domains and we will even host them for free – they register a domain for use with PacketFlagon, they contact us and we’ll provide an IP to point the DNS at and then we’ll handle configuring the server and keeping the shard software up-to-date,” the dev says.

The hosting will be provided by Brass Horn Communications, a non-profit entity which not only operates PacketFlagon but also other ISP-esque services such as Tor exits, web hosting and Unix shells. Brass Horn Communications is its own ISP and has “mere-conduit” protection.

Somewhat refreshingly, HP’s developer says he is more than happy to share the fun with others.

“Everything is open-source under a BSD license rather than GPL as it’s more permissive. The goal is undermining censorship not bickering about who owned / misused what,” he explains.

“If someone has the time to take this software and create a commercial model then have at it, if someone wants to create their own independent infrastructure with new branding; please do!”

In conclusion, Hydra Proxy sends the following message.

“Centralization is what allowed the Internet to get in the mess where one DMCA against two companies kills an innocent user’s uploaded videos or a single court order against four ISPs censors 90% of the population. So take this truly free (as in speech and as in beer) software and help kick the censors’ ass!”


Lauren Weinstein's Blog: EU Demands Google Forget “The Right To Be Forgotten”

This post was syndicated from: Lauren Weinstein's Blog and was written by: Lauren. Original post: at Lauren Weinstein's Blog

Brussels, Belgium (ZAP) – The European Union today issued a preliminary order requiring that Google and all other Search Engines and similar services remove all search results related to the EU “Right To Be Forgotten” (RTBF). “We’ve been deliberating on this issue for a very long time,” noted Winston Charrington, Minister of the European Union World Censorship Directorate. “We’ve come…

TorrentFreak: MPAA Ducks Censorship Battle With Google, Twitter and Facebook

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

Last month the MPAA sued several popular movie streaming websites which all operated under the MovieTube flag.

As part of the lawsuit the major movie studios asked for a preliminary injunction ordering several third-party companies to stop linking or providing services to the sites.

For several tech companies this request went too far. Last week Google, Facebook, Twitter, Tumblr and Yahoo explained to the court that it could result in broad Internet censorship, similar to the blocking provisions that were listed in the controversial SOPA bill.

The filing appeared to be the start of a new standoff between Hollywood and the tech companies, but a letter submitted by the MPAA yesterday puts it on hold.

The MPAA informed the court that a preliminary injunction is no longer required as the MovieTube sites have been offline for several weeks already.

“Plaintiffs are no longer seeking preliminary injunctive relief at this time but will seek permanent relief as soon as possible,” the MPAA’s lawyers write.

The decision to drop the request may very well have been triggered by the Amici Curiae brief of the tech companies. After all, the MovieTube sites were already offline when the MPAA submitted the injunction request weeks ago.

In their letter to the court the MPAA stress that the opposition brief should no longer be considered now that they have pulled their request for an injunction.

“…because Plaintiffs have withdrawn their motion for preliminary injunctive relief, the arguments offered by Amici Curiae in opposition to that motion are not ripe for consideration and are otherwise inapplicable.”

“To the extent Amici are requesting what amounts to an advisory opinion, such a request is improper and should not be entertained,” they add.

It appears that it’s a strategic move from the MPAA not to challenge the tech companies, for now. However, the movie industry group has made it clear that website blocking is one of their main anti-piracy priorities so we can expect this battle to reignite in the future.


Krebs on Security: Stress-Testing the Booter Services, Financially

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

The past few years have witnessed a rapid proliferation of cheap, Web-based services that troublemakers can hire to knock virtually any person or site offline for hours on end. Such services succeed partly because they’ve enabled users to pay for attacks with PayPal. But a collaborative effort by PayPal and security researchers has made it far more difficult for these services to transact with their would-be customers.


By offering a low-cost, shared distributed denial-of-service (DDoS) attack infrastructure, these so-called “booter” and “stresser” services have attracted thousands of malicious customers and are responsible for hundreds of thousands of attacks per year. Indeed, KrebsOnSecurity has repeatedly been targeted in fairly high-volume attacks from booter services — most notably a service run by the Lizard Squad band of miscreants who took responsibility for sidelining the Microsoft Xbox and Sony PlayStation networks on Christmas Day 2014.

For more than two months in the summer of 2014, researchers with George Mason University, UC Berkeley’s International Computer Science Institute, and the University of Maryland followed the money, posing as buyers of nearly two dozen booter services in a bid to discover the PayPal accounts that booter services were using to accept payments. In response to their investigations, PayPal began seizing booter service PayPal accounts and balances, effectively launching their own preemptive denial-of-service attacks against the payment infrastructure for these services.

PayPal will initially limit reported merchant accounts that are found to violate its terms of service (turns out, accepting payments for abusive services is a no-no). Once an account is limited, the merchant cannot withdraw or spend any of the funds in their account. This results in the loss of funds in these accounts at the time of freezing, and potentially additional losses due to opportunity costs the proprietors incur while establishing a new account. In addition, PayPal performed their own investigation to identify additional booter domains and limited accounts linked to these domains as well.

The efforts of the research team apparently brought some big-time disruption for nearly two-dozen of the top booter services. The researchers said that within a day or two following their interventions, they saw the percentage of active booters quickly dropping from 70 to 80 percent to around 50 percent, and continuing to decrease to a low of around 10 percent that were still active.


While some of the booter services went out of business shortly thereafter, more than a half-dozen shifted to accepting payments via Bitcoin (although the researchers found that this dramatically cut down on the services’ overall number of active customers). Once the target intervention began, they found the average lifespan of an account dropped to around 3.5 days, with many booters’ PayPal accounts only averaging around two days before they were no longer used again.

The researchers also corroborated the outages by monitoring hacker forums where the services were marketed, chronicling complaints from angry customers and booter service operators who were inconvenienced by the disruption (see screenshot gallery below).

A booter service proprietor advertising his wares on the forum Hackforums complains about Paypal repeatedly limiting his account.


Another booter seller on Hackforums whinges about PayPal limiting the account he uses to accept attack payments from customers.


“It’s a shame PayPal had to shut us down several times causing us to take money out of our own pocket to purchase servers, hosting and more,” says this now-defunct booter service to its former customers.

Deadlyboot went dead after the PayPal interventions. So sad.


Daily attacks from Infected Stresser dropped off precipitously following the researchers’ work.

As I’ve noted in past stories on booter service proprietors I’ve tracked down here in the United States, many of these service owners and operators are kids operating within easy reach of U.S. law enforcement. Based on the aggregated geo-location information provided by PayPal, the researchers found that over 44% of the customer and merchant PayPal accounts associated with booters are potentially owned by someone in the United States.

ROOTED BOOTERS

The research team also pored over leaked and scraped data from three popular booter services: “Asylum Stresser,” another one called “VDO,” and the booter service referenced above called “Lizard Stresser.” All three of these booter services had been previously hacked by unknown individuals. By examining the leaked data from these services, the researchers found these three services alone had attracted over 6,000 subscribers and had launched over 600,000 attacks against over 100,000 distinct victims.

Data based on leaked databases from these three booter services.


Like other booter services, Asylum, Lizard Stresser and VDO rely on a subscription model, where customers or subscribers can launch an unlimited number of attacks that have a duration typically ranging from 30 seconds to 1-3 hours and are limited to 1-4 concurrent attacks depending on the tier of subscription purchased. The price for a subscription normally ranges from $10-$300 USD per month depending on the duration and number of concurrent attacks provided.

“We also find that the majority of booter customers prefer paying via PayPal and that Lizard Stresser, which only accepted Bitcoin, had a minuscule 2% signup to paid subscriber conversion rate compared to 15% for Asylum Stresser and 23% for VDO 1, which both accepted PayPal,” they wrote.

The research team found that some of the biggest attacks from these booter services take advantage of common Internet-based hardware and software — everything from consumer gaming consoles to routers and modems to Web site content management systems — that ships with networking features which can easily be abused for attacks and that are turned on by default.

Specific examples of these include DNS amplification attacks, Network Time Protocol (NTP) attacks, Simple Service Discovery Protocol (SSDP) attacks, and XML-RPC attacks. These attack methods are particularly appealing for booter services because they hide the true source of attacks and/or can amplify a tiny amount of attack bandwidth into a much larger assault on the victim. Such attack methods also offer the booter service virtually unlimited, free attack bandwidth, because there are tens of millions of misconfigured devices online that can be abused in these attacks.
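What the reflection methods described above look like from the victim’s side of the wire, as an added detection example that is not from the paper or from KrebsOnSecurity: a flood of UDP “replies” from the DNS, NTP or SSDP service port, coming from many distinct reflector addresses, with large packets, all landing on one destination. The flow records are constructed, and the thresholds are assumptions a network team would tune to its own baseline. XML-RPC pingback abuse rides on HTTP over TCP and needs web-log analysis instead, so it is not covered here.

```javascript
// Added example: flag UDP reflection/amplification floods in NetFlow-like records.
// Sample flows are constructed; thresholds are assumptions, not the paper's.

// Source ports of the reflection services named in the article.
const AMPLIFIER_PORTS = { 53: "DNS", 123: "NTP", 1900: "SSDP" };

// Build `count` inbound UDP flows that all look like service replies to `dst`.
// The sources are the reflectors (misconfigured public hosts), not the attacker,
// whose real address is hidden behind the spoofed requests.
function reflectedFlows(dst, sport, count, bytes, packets, prefix) {
  return Array.from({ length: count }, (_, i) => ({
    proto: "udp", src: `${prefix}.${i + 1}`, sport, dst, dport: 80, bytes, packets,
  }));
}

// Constructed sample: two ordinary DNS answers to a resolver client, a small SSDP
// burst that stays under threshold, and an NTP flood that should be flagged.
// Addresses are from the RFC 5737 documentation ranges.
const SAMPLE_FLOWS = [
  { proto: "udp", src: "198.51.100.10", sport: 53, dst: "192.0.2.5", dport: 41234, bytes: 180, packets: 1 },
  { proto: "udp", src: "198.51.100.11", sport: 53, dst: "192.0.2.5", dport: 41235, bytes: 200, packets: 1 },
  ...reflectedFlows("192.0.2.9", 1900, 10, 30000, 100, "203.0.113"),
  ...reflectedFlows("192.0.2.9", 123, 40, 48000, 100, "203.0.113"),
];

// Aggregate inbound UDP flows by (victim, service) and raise an alert when the
// bucket shows the reflection signature: many reflectors, high volume, big packets.
function detectAmplification(flows, opts = {}) {
  const minSources = opts.minSources ?? 20;          // distinct reflectors
  const minBytes = opts.minBytes ?? 1_000_000;       // total bytes in the window
  const minBytesPerPacket = opts.minBytesPerPacket ?? 300; // amplified replies are large

  const buckets = new Map();
  for (const f of flows) {
    if (f.proto !== "udp") continue;
    const service = AMPLIFIER_PORTS[f.sport];
    if (!service) continue;
    const key = `${f.dst}|${service}`;
    let b = buckets.get(key);
    if (!b) {
      b = { dst: f.dst, service, sources: new Set(), bytes: 0, packets: 0 };
      buckets.set(key, b);
    }
    b.sources.add(f.src);
    b.bytes += f.bytes;
    b.packets += f.packets;
  }

  const alerts = [];
  for (const b of buckets.values()) {
    const bpp = b.bytes / b.packets;
    if (b.sources.size >= minSources && b.bytes >= minBytes && bpp >= minBytesPerPacket) {
      alerts.push({
        victim: b.dst,
        service: b.service,
        reflectors: b.sources.size,
        bytes: b.bytes,
        bytesPerPacket: Math.round(bpp),
      });
    }
  }
  // Largest flood first.
  return alerts.sort((a, b) => b.bytes - a.bytes);
}

console.log(detectAmplification(SAMPLE_FLOWS));
```

The three conditions are deliberately combined: a single busy resolver would trip the byte threshold alone, and a port scan would trip the distinct-source count alone, but only reflected traffic tends to show all three at once. The reflector list in an alert is also the list of third parties to notify, since each of them is running an abusable service.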

Finally, the researchers observed a stubborn fact about these booter services that I’ve noted in several stories: that the booter service front-end Web sites where customers go to pay for service and order attacks were all protected by CloudFlare, a content distribution network that specializes in helping networks stay online in the face of withering online attacks.

I have on several occasions noted that if CloudFlare adopted a policy of not enabling booter services, it could eliminate a huge conflict of interest for the company and — more importantly — help eradicate the booter industry. The company has responded that this would lead to a slippery slope of censorship, but that it will respond to all proper requests from law enforcement regarding booters. I won’t rehash this debate again here (anyone interested in CloudFlare’s take on this should see this story).

In any case, the researchers note that they contacted CloudFlare’s abuse email on June 21st, 2014 to notify the company of the abusive nature of these services.

“As of the time of writing this paper, we have not received any response to our complaints and they continue to use CloudFlare,” the paper notes. “This supports the notion that at least for our set of booters CloudFlare is a robust solution to protect their frontend servers. In addition, crimeflare.com has a list of over 100 booters that are using CloudFlare’s services to protect their frontend servers.”

A copy of the research paper is available here (PDF).

Lauren Weinstein's Blog: Why the “Right To Be Forgotten” is the Worst Kind of Censorship

This post was syndicated from: Lauren Weinstein's Blog and was written by: Lauren. Original post: at Lauren Weinstein's Blog

Let’s start from a foundational premise on which we hopefully can all agree. Our abilities to interpret and understand the world around us are predicated on the availability of information. In the far past, that information was usually entirely based on what we could sense directly or were told by others. Later, written and the printed materials vastly expanded our…