Ars Technica takes a look at an exploit that transforms keyboards, Web cams, and other types of USB-connected devices into highly programmable attack platforms. “Dubbed BadUSB, the hack reprograms embedded firmware to give USB devices new, covert capabilities. In a demonstration scheduled at next week’s Black Hat security conference in Las Vegas, a USB drive, for instance, will take on the ability to act as a keyboard that surreptitiously types malicious commands into attached computers. A different drive will similarly be reprogrammed to act as a network card that causes connected computers to connect to malicious sites impersonating Google, Facebook or other trusted destinations. The presenters will demonstrate similar hacks that work against Android phones when attached to targeted computers. They say their technique will work on Web cams, keyboards, and most other types of USB-enabled devices.”
There’s an ongoing trend with big news events. First, many news reports are so eager to be “first!” that they will report unvetted information as fact. This coincides with the news broadcasts that report baseless speculation as fact. Shortly after that comes the slow trickle of real information. Unfortunately, this real information is typically buried under fake reports and random conspiracy theories.
Add in a war scene that already has propaganda and false reports, and you have the makings for a lot of confusion and false information.
Let’s start with the only facts that nobody seems to be debating.
On 17-July-2014, Malaysia Airlines flight MH17 was shot down over the Ukraine. The plane was struck by a Russian Buk, a type of surface-to-air missile (SAM).
Currently, the news reports (that can be vetted) are showing indications that one side (Russia) is totally lying about the facts, preventing access to the debris, and interfering with the investigation. You just know that, when a second government-sponsored news reporter publicly quits because she refuses to report the false information coming out of the Kremlin, the propaganda has got to be really bad.
Shortly after the reports about the airliner were made public, a few details came out on social media. A couple of people asked me to evaluate a picture found on Facebook. This picture comes from Cor Pan’s facebook page. He was a passenger on flight MH17 and he posted one of the last photos of the airplane prior to take-off.
Sadly, when any major event happens, we receive false reports and people who make stuff up just for the shock factor. I was asked to determine if this picture is real. And since the passenger manifest had not, at the time, been made public, we couldn’t just look for his name. Is this picture real or a hoax?
The problem with everything at Facebook is that pictures get stripped, resaved, and passed around. It is relatively easy for someone to create a fake Facebook page just for the shock value. And no amount of metadata analysis on a Facebook image will identify even a real photo as being real.
Fortunately, there are other data points we can analyze. For example, last month Facebook rolled out a new JPEG compression system. This system leaves very distinct JPEG attributes that are detectable. Evaluating the picture shows these artifacts and indicates that it was uploaded recently — this is not an old picture at Facebook. However, if someone downloads a photo and then uploads it, it will be processed by the new JPEG encoder and it will look “new”.
The other clue comes from the Facebook profile itself. This picture was uploaded to Facebook on Thu, 17 Jul 2014 09:03:30 GMT. This timestamp comes from the HTTP metadata’s “Last-Modified” field. According to news reports, the flight took off around 10:15 GMT from Schiphol airport near Amsterdam, or about 75 minutes after the photo was posted to Facebook. This creates a very narrow timeframe: the person arrived at the airport, snapped the photo and posted it shortly before the flight, then the flight took off and was shot down hours later (14:15 GMT).
Since it’s virtually impossible to predict a horrific event such as this, this posting to Facebook — which predates the flight and mentions someone believed to be on the flight — has every reason to appear to be real.
Or to put it another way, had the Facebook account been created after the plane was destroyed, or the photo posted after the explosion, then we would have been certain it was fake. Similarly, if the photo was posted long before the flight, it would likely be fake. However, this is not the case, so we can conclude that it appears to be real.
In contrast to this picture, some of the short video clips that claim to show MH17 crashing predate the event and are posted days later. These indicate inconsistent timelines and identify many of the video clips as fake. A few of these fakes have been debunked in the Open Newsroom.
It did not take long for some people to start intentionally evaluating pictures incorrectly in order to propagate conspiracies. For example, Shane Kimmins tweeted a screenshot from Peter J Kuehlen. (Peter claims to be an “Oil Armageddon specialist”, but I think he’s a certified paranoid nutjob. And since Kimmins is gullible enough to believe what Kuehlen says, well, it means Kimmins can’t be very intelligent even if he is very vocal.)
Here’s the screenshot that Kimmins posted to Twitter:
In this posting, Kuehler asks, “How come fotoforensics show the date of January 25 2012 for the making of this picture?” The answer is really simple: it doesn’t.
The FotoForensics metadata for this picture identifies a color profile attached to this picture. Facebook attaches the same color profile to every uploaded picture (that’s one of my complaints about Facebook). You can clearly see that the “Profile Copyright” says “FB”, indicating Facebook. An ICC Profile is just a file that gets embedded with the picture during a resave. The profile creation date says “2012:01:25 03:41:57”, so Facebook created their color profile back in 2012 and has been attaching it to every uploaded picture ever since then. (I even have a tutorial that describes how ICC Profiles work.)
Since Facebook strips out metadata, we don’t know the actual time this photo was taken. In contrast, the Facebook HTTP header tells us that the photo was uploaded 75 minutes before the flight. We don’t know when the photo was taken; we only know when it was uploaded to Facebook.
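The distinction drawn above (the ICC profile’s creation date belongs to the profile, the HTTP “Last-Modified” header belongs to the upload, and neither is the capture time) can be checked mechanically. The following is an added example, not code from FotoForensics or from the original post: it builds a constructed JPEG carrying a minimal ICC profile whose creation date and “cprt” copyright text are set to the values reported on the page (2012:01:25 03:41:57 and “FB”; the profile bytes themselves are made up and are not Facebook’s real profile), then parses the APP2 segment, reads the profile header date, parses the Facebook “Last-Modified” value quoted above, and computes how long before the stated 10:15 GMT take-off the upload happened. The function names are this example’s own.

```python
import struct
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

ICC_APP2_ID = b"ICC_PROFILE\x00"  # APP2 identifier used for embedded ICC profiles


def build_profile(created, copyright_text):
    """Construct a minimal ICC profile: 128-byte header (creation dateTimeNumber at
    offset 24, 'acsp' signature at offset 36) plus a tag table with one 'cprt' tag.
    Real profiles carry many more tags; this is just enough to be parsed."""
    cprt_data = b"text" + b"\x00" * 4 + copyright_text.encode("ascii") + b"\x00"
    tag_data_offset = 128 + 4 + 12          # header + tag count + one tag entry
    tag_table = struct.pack(">I", 1) + b"cprt" + struct.pack(">II", tag_data_offset, len(cprt_data))
    body = tag_table + cprt_data
    header = struct.pack(">I", 128 + len(body)) + b"none" + struct.pack(">I", 0x02100000)
    header += b"mntr" + b"RGB " + b"XYZ "
    header += struct.pack(">6H", created.year, created.month, created.day,
                          created.hour, created.minute, created.second)
    header += b"acsp"
    header += b"\x00" * (128 - len(header))
    return header + body


def build_jpeg(profile):
    """Wrap a profile in SOI + APP2 (chunk 1 of 1) + EOI. Constructed sample, no image data."""
    payload = ICC_APP2_ID + b"\x01\x01" + profile
    app2 = b"\xff\xe2" + struct.pack(">H", len(payload) + 2) + payload
    return b"\xff\xd8" + app2 + b"\xff\xd9"


def iter_segments(data):
    """Yield (marker, payload) for each JPEG marker segment up to SOS or EOI."""
    pos = 2  # skip SOI
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("expected a marker byte at offset %d" % pos)
        marker = data[pos + 1]
        if marker in (0xD9, 0xDA):  # EOI, or SOS where entropy-coded data begins
            return
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        yield marker, data[pos + 4:pos + 2 + length]
        pos += 2 + length


def extract_icc_profile(data):
    """Reassemble the ICC profile from (possibly several) APP2 ICC_PROFILE chunks."""
    chunks = []
    for marker, payload in iter_segments(data):
        if marker == 0xE2 and payload.startswith(ICC_APP2_ID):
            seq = payload[len(ICC_APP2_ID)]          # chunk sequence number, 1-based
            chunks.append((seq, payload[len(ICC_APP2_ID) + 2:]))
    if not chunks:
        return None
    return b"".join(chunk for _, chunk in sorted(chunks))


def parse_icc(profile):
    """Return the profile header creation time and the 'cprt' text, if present."""
    if profile is None or len(profile) < 128 or profile[36:40] != b"acsp":
        raise ValueError("not an ICC profile")
    y, mo, d, h, mi, s = struct.unpack(">6H", profile[24:36])
    created = datetime(y, mo, d, h, mi, s, tzinfo=timezone.utc)  # header date treated as UTC
    copyright_text = None
    (count,) = struct.unpack(">I", profile[128:132])
    for i in range(count):
        entry = 132 + 12 * i
        sig, off, size = struct.unpack(">4sII", profile[entry:entry + 12])
        if sig == b"cprt" and profile[off:off + 4] == b"text":
            copyright_text = profile[off + 8:off + size].rstrip(b"\x00").decode("ascii", "replace")
    return {"created": created, "copyright": copyright_text}


def timeline(jpeg_bytes, last_modified_header, takeoff_utc):
    """Separate the three timestamps a reader might confuse: profile creation,
    upload (HTTP Last-Modified) and the event the upload is being compared against."""
    icc = parse_icc(extract_icc_profile(jpeg_bytes))
    uploaded = parsedate_to_datetime(last_modified_header)
    return {
        "profile_created": icc["created"],
        "profile_copyright": icc["copyright"],
        "uploaded": uploaded,
        "minutes_before_takeoff": (takeoff_utc - uploaded).total_seconds() / 60,
    }


# Constructed sample using the values quoted in the post above.
SAMPLE_JPEG = build_jpeg(build_profile(datetime(2012, 1, 25, 3, 41, 57), "FB"))
SAMPLE_LAST_MODIFIED = "Thu, 17 Jul 2014 09:03:30 GMT"
TAKEOFF_UTC = datetime(2014, 7, 17, 10, 15, tzinfo=timezone.utc)

if __name__ == "__main__":
    for key, value in timeline(SAMPLE_JPEG, SAMPLE_LAST_MODIFIED, TAKEOFF_UTC).items():
        print(key, value)
```

The profile date comes out as the 2012 value and the copyright as “FB” regardless of what image the profile was attached to, which is exactly why it says nothing about when the photo was taken; the only time bound on the image is the upload time from the HTTP header, which the example shows landing about an hour and a quarter before take-off.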
When I pointed this out to Shane Kimmins that the timestamp did not indicate when the photo was created, he tweeted back a reply that shows willful ignorance and a desire to further propagate his paranoid and conspiratorial views.
The two links that Kimmins provided point to the Clues Forum. This forum seems to spend nearly all of its time propagating paranoid fantasies and seeing who can come up with the best conspiracy. One of the postings even has “A Little Trivia”, where they point out three airplane crashes that included the deaths of AIDS researchers. This has led to the conspiracy that someone is systematically killing leaders in AIDS research.
As my friend, Mr. Masters, put it:
Given enough data to cherry pick, any asinine idea can be supported. I think there is evidence that planes crash. Here we have three cases of flights and all three fell from the air and killed everyone. Coincidence?
Kimmins tweeted one other message that really irked me. He wrote:
While I do permit people to use FotoForensics in an unsupervised fashion, I also actively debunk the most gross examples of misuse for supporting conspiracies. I repeatedly debunked the Birthers, who believe so strongly that Obama’s birth certificate is fake, that they will explicitly and intentionally make up fake findings in order to support their claims. I have debunked staged and faked Syrian war photos and conspiracies related to other missing aircraft. (And that’s just the start of the list. I have plenty of blog entries where I debunk photos and conspiracies, and even a few where I debunk conspiracies by proving photos are real.)
Unfortunately, these false flags planted by Kimmins, Kuehler, and their ilk are dwarfed by the flood of misleading photos associated with the Ukraine on social sites like Twitter and Facebook, along with the insane cover-up statements coming out of Russia regarding MH17. When it comes to staged pictures, misrepresented photos, and false facts, Kimmins/Kuehler are wannabes, while the manipulators in Syria are mostly amateurs. Make no mistake: the Russians are the professionals, but even they can get tripped up. I’ll cover some of these other forms of propaganda in future blog entries.
Indexeus, a new search engine that indexes user account information acquired from more than 100 recent data breaches, has caught many in the hacker underground off-guard. That’s because the breached databases crawled by this search engine are mostly sites frequented by young ne’er-do-wells who are just getting their feet wet in the cybercrime business.
Indexeus boasts that it has a searchable database of “over 200 million entries available to our customers.” The site allows anyone to query millions of records from some of the larger data breaches of late — including the recent break-ins at Adobe and Yahoo! – listing things like email addresses, usernames, passwords, Internet address, physical addresses, birthdays and other information that may be associated with those accounts.
Who are Indexeus’s target customers? Denizens of hackforums[dot]net, a huge forum that is overrun by novice teenage hackers (a.k.a “script kiddies”) from around the world who are selling and buying a broad variety of services designed to help attack, track or otherwise harass people online.
Few services are as full of irony and schadenfreude as Indexeus. You see, the majority of the 100+ databases crawled by this search engine are either from hacker forums that have been hacked, or from sites dedicated to offering so-called “booter” services — powerful servers that can be rented to launch denial-of-service attacks aimed at knocking Web sites and Web users offline.
The brains behind Indexeus — a gaggle of young men in their mid- to late teens or early 20s — envisioned the service as a way to frighten fellow hackers into paying to have their information removed or “blacklisted” from the search engine. Those who pay “donations” of approximately $1 per record (paid in Bitcoin) can not only get their records expunged, but that price also buys insurance against having their information indexed by the search engine in the event it shows up in future database leaks.
The team responsible for Indexeus explains the rationale for their project with the following dubious disclaimer:
“The purpose of Indexeus is not to provide private informations about someone, but to protect them by creating awareness. Therefore we are not responsible for any misuse or malicious use of our content and service. Indexeus is not a dump. A dump is by definition a file containing logins, passwords, personal details or emails. What Indexeus provides is a single-search, data-mining search engine.”
Such information would be very useful for those seeking to settle grudges by hijacking a rival hacker’s accounts. Unsurprisingly, a number of Hackforums users reported quickly finding many of their favorite usernames, passwords and other data on Indexeus. They began to protest against the service being marketed on Hackforums, charging that Indexeus was little more than a shakedown.
Indeed, the search engine was even indexing user accounts stolen from witza.net, the site operated by Hackforums administrator Jesse LaBrocca and used to process payments for Hackforums users who wish to upgrade the standing of their accounts on the forum.
WHO RUNS INDEXEUS?
The individual who hired programmers to help him build Indexeus uses the nickname “Dubitus” on Hackforums and other forums. For the bargain price of $25 and two hours of your time on a Saturday, Dubitus also sells online instructional training on “doxing” people — working backwards from someone’s various online personas to determine their real-life name, address and other personal data.
Dubitus claims to be a master at something he calls “Web detracing,” which is basically removing all of the links from your online personas that might allow someone to dox you. I have no idea if his training class is any good, but it wasn’t terribly difficult to find this young man in the real world.
Contacted via Facebook by KrebsOnSecurity, Jason Relinquo, 23, from Lisbon, Portugal, acknowledged organizing and running the search engine. He also claims his service was built merely as an educational tool.
“I want this to grow and be a reference, and at some point be a tool useful enough to be used by law enforcement,” Relinquo said. “I wouldn’t have won the NATO Cyberdefense Competition if I didn’t have a bigger picture in my mind. Just keep that in yours.”
Relinquo said that to address criticisms that his service was a shakedown, he recently modified the terms of service so that users don’t have to pay to have their information removed from the site. Even so, it remains unclear how users would prove that they are the rightful owner of specific records indexed by the service.
“We’re going through some reforms (free blacklisting, plus subscription based searches), due some legal complications that I don’t want to escalate,” Relinquo wrote in a chat session. “If [Indexeus users] want to keep the logs and pay for the blacklist, it’s an option. We also state that in case of a minor, the removal is immediate.”
Asked which sort of legal complications were bedeviling his project, Relinquo cited the so-called “right to be forgotten,” data protection and privacy laws in Europe that were strengthened by a May 2014 decision by the European Court of Justice in a ruling against Google. In that case, the EU’s highest court ruled that individuals have a right to request the removal of Internet search results, including their names, that are “inadequate, irrelevant or no longer relevant, or excessive.”
I find it difficult to believe that Indexeus’s creators would be swayed by such technicalities, given that the service was set up to sell passwords to members of a forum known to be frequented by people who will use them for malicious purposes. In any case, I doubt this is the last time we will hear of a service like this. Some 822 million records were exposed in more than 2,160 separate data breach incidents last year, and there is plenty of room for competition and further specialization in the hacked-data search engine market.
The latest Snowden story is a catalog of exploit tools from JTRIG (Joint Threat Research Intelligence Group), a unit of the British GCHQ, for both surveillance and propaganda. It’s a list of code names and short descriptions, such as these:
GLASSBACK: Technique of getting a target’s IP address by pretending to be a spammer and ringing them. Target does not need to answer.
MINIATURE HERO: Active skype capability. Provision of real time call records (SkypeOut and SkypetoSkype) and bidirectional instant messaging. Also contact lists.
MOUTH: Tool for collection for downloading a user’s files from Archive.org.
PHOTON TORPEDO: A technique to actively grab the IP address of MSN messenger user.
SILVER SPECTOR: Allows batch Nmap scanning over Tor.
SPRING BISHOP: Find private photographs of targets on Facebook.
ANGRY PIRATE: is a tool that will permanently disable a target’s account on their computer.
BUMPERCAR+: is an automated system developed by JTRIG CITD to support JTRIG BUMPERCAR operations. BUMPERCAR operations are used to disrupt and deny Internet-based terror videos or other materials. The technique employs the services provided by upload providers to report offensive materials.
BOMB BAY: is the capacity to increase website hits/rankings.
BURLESQUE: is the capacity to send spoofed SMS messages.
CLEAN SWEEP: Masquerade Facebook Wall Posts for individuals or entire countries.
CONCRETE DONKEY: is the capacity to scatter an audio message to a large number of telephones, or repeatedly bomb a target number with the same message.
GATEWAY: Ability to artificially increase traffic to a website.
GESTATOR: amplification of a given message, normally video, on popular multimedia websites (Youtube).
SCRAPHEAP CHALLENGE: Perfect spoofing of emails from Blackberry targets.
SUNBLOCK: Ability to deny functionality to send/receive email or view material online.
SWAMP DONKEY: is a tool that will silently locate all predefined types of file and encrypt them on a target’s machine.
UNDERPASS: Change outcome of online polls (previously known as NUBILO).
WARPATH: Mass delivery of SMS messages to support an Information Operations campaign.
HAVLOCK: Real-time website cloning techniques allowing on-the-fly alterations.
HUSK: Secure one-on-one web based dead-drop messaging platform.
I would like to post the entire list. If someone has a clever way of extracting the text, or wants to retype it all, please send it to me.
EDITED TO ADD (7/16): HTML of the entire catalog is here.
Internet filters are now on the political agenda in many countries around the world. While China and Iran are frontrunners for political censorship, the UK is leading the way when it comes to porn and other content deemed unsuitable for children.
In addition to the mobile restrictions that have been in place for years already, last summer Prime Minister David Cameron announced a default filter for all Internet connections. This means that UK Internet subscribers are now required to opt-in if they want to view ‘adult’ content online.
These default filters have led to many instances in which perfectly legitimate sites can no longer be accessed. This very website, for example, was inaccessible on Sky Broadband after it was categorized as a “file-sharing” site. The false positive was eventually corrected after the BBC started asking questions, but that didn’t solve the underlying problem.
In an attempt to make it easier to spot overblocking the Open Rights Group (ORG) has today launched a new site. The embedded tool runs probes on all the major broadband and mobile filters of UK ISPs, and allows people to check which sites are blocked and where.
The first results are quite scary. A review of the 100,000 most-popular sites on the Internet reveals that 20% are blocked by at least one of the filtering systems.
“We’ve been surprised to find the default filtering settings are blocking around a fifth of the Alexa top 100k websites. That’s a lot more than porn, which accounts for around 4% of that list,” ORG’s Executive Director Jim Killock informs TorrentFreak.
The list of blocked domains includes many legitimate sites that aren’t necessarily harmful to children. TalkTalk’s file-sharing filter, for example, blocks websites including bittorrent.com and utorrent.com. TorrentFreak also appears to be listed in this category and is blocked as well.
Linuxtracker, which offers free downloads of perfectly legitimate software, is blocked by Sky, TalkTalk and Three’s filters, while the blocked.org.uk tool itself is off-limits on BT, EE and Virgin Media.
Perhaps even worse, the BT and TalkTalk filters also categorize social networking sites such as Facebook and Twitter as potentially dangerous to children, and the same applies to Reddit. All these sites are inaccessible if the social networking category of the Kids Safe filter is on.
With the new tool ORG hopes to provide more insight into what these filters do and how many sites they block. The ISPs themselves have thus far failed to reveal the scope of their filters.
“People need to know what filters are, and what they block. They need to know they are inaccurate, and also disrupt people’s businesses and speech,” Killock tells TF.
“If people feel they need them, that is their right, but they should at least know they’re very flawed technology that won’t protect them very much, but will also be likely to cause them problems. In short, they are a bit rubbish,” he adds.
The current results of the tool are based on various filtering levels. This means that the list of blocked sites will be even longer when the strongest settings are used.
It’s worth noting that all ISPs allow account holders to turn filters off or allow certain sites to be unblocked. However, many people may not even be aware that this option exists, or won’t want to unblock porn just to get access to file-sharing software if these are lumped together.
The results of ORG’s new tool show that what started as a “porn filter” has turned into something much bigger. Under the guise of “protecting the children” tens of thousands of sites are now caught up in overbroad filters, which is a worrying development to say the least.
Update: TalkTalk clarified that the file-sharing (with TorrentFreak included) and social networking filters are not enabled by default on their system.
These so-called “pirate” streams are available through dozens of sites, including Firstrow and Rojadirecta, which generate a lot of traffic during popular sporting events.
Before the World Cup started FIFA reached out to several of these sites, asking their operators to make sure that content is removed as soon as possible. Despite these requests, there are still plenty of illegal streams available for each game.
Content protection firm Viaccess-Orca, one of the companies that monitors these unauthorized broadcasts, is also tasked with sending takedown notices for some of the matches. The company informs TorrentFreak that up to last Friday they have sent 2,000 takedown notices to various sites.
One of the problems with live events is that takedown requests only have an effect when they are processed before the match ends. According to David Leporini, Viaccess-Orca Executive Vice President of Marketing, Products and Security, the linking sites have been rather cooperative on this front.
“The success rate varies per content platform but overall we manage to get 35 percent of the streaming links disabled before the game ends. I think this is a great success rate, especially compared to direct download sites,” Leporini informs us.
A success rate of 35% is pretty decent indeed, considering that the notices have to be sent and processed in a very small time frame. Also, the process is further complicated because many sites don’t publish the links to the streams until a few minutes before the game starts.
The content protection company also targets traditional social media sites where links to live streams are posted. Here, the success rate was the best at Facebook where half of all infringing links were taken down before the game ended.
“For the first ten days we have sent around 150 takedown notices to Facebook and Twitter pages. Among all content platforms notified, we measured a success rate of about 51% for link removals from Facebook pages.”
While Viaccess-Orca’s efforts may limit the availability of pirated live streams, there are still hundreds of thousands of people getting through. The company estimates that between 100,000 and 500,000 people tune in to an average game. Up until last week, Belgium versus Russia was the most-watched match with 471,541 unauthorized viewers.
Belgium vs. Russia streaming locations
Viaccess-Orca can measure part of the audience directly through P2P streaming services such as Sopcast and Acestream. This also allows the company to see from what location people are watching. As the overview above shows, Belgium vs. Russia was particularly popular in Europe and Asia.
The remainder of the streams go through centralized streaming services, with Hdcast and Iguide being the most frequently used. Rojadirecta and Wiziwig are the sites where Viaccess-Orca found the most infringing links.
Looking ahead, the content protection firm expects that the number of viewers per match will continue to increase, as will the enforcement actions.
Shown in Person of Interest, season 2, episode 15. They “hacked” a firewall with this code…
The code is JavaScript from a Facebook XSS attack; the gist at https://gist.github.com/tysontate/968060 (line 4) is an example.
The year 2014 may well go down in the history books as the year that extortion attacks went mainstream. Fueled largely by the emergence of the anonymous online currency Bitcoin, these shakedowns are blurring the lines between online and offline fraud, and giving novice computer users a crash course in modern-day cybercrime.
At least four businesses recently reported receiving “Notice of Extortion” letters in the U.S. mail. The letters say the recipient has been targeted for extortion, and threaten a range of negative publicity, vandalism and harassment unless the target agrees to pay a “tribute price” of one bitcoin (currently ~USD $561) by a specified date. According to the letter, that tribute price increases to 3 bitcoins (~$1,683) if the demand isn’t paid on time.
The ransom letters, which appear to be custom written for restaurant owners, threaten businesses with negative online reviews, complaints to the Better Business Bureau, harassing telephone calls, telephone denial-of-service attacks, bomb threats, fraudulent delivery orders, vandalism, and even reports of mercury contamination.
The missive encourages recipients to sign up with Coinbase – a popular bitcoin exchange – and to send the funds to a unique bitcoin wallet specified in the letter and embedded in the QR code that is also printed on the letter.
The letters all say the amounts are due either on Aug. 1 or Aug. 15. Perhaps one reason the deadlines are so far off is that the attackers understand that not everyone has bitcoins, or even knows about the virtual currency.
“What the heck is a BitCoin?” wrote the proprietors of New Hampshire-based 900 Degrees Neapolitan Pizzeria, which posted a copy of the letter (above) on their Facebook page.
Sandra Alhilo, general manager of Pizza Pirates in Pomona, Calif., received the extortion demand on June 16.
“At first, I was laughing because I thought it had to be a joke,” Alhilo said in a phone interview. “It was funny until I went and posted it on our Facebook page, and then people put it on Reddit and the Internet got me all paranoid.”
Nicholas Weaver, a researcher at the International Computer Science Institute (ICSI) and at the University California, Berkeley, said these extortion attempts cost virtually nothing and promise a handsome payoff for the perpetrators.
“From the fraudster’s perspective, the cost of these attacks is a stamp and an envelope,” Weaver said. “This type of attack could be fairly effective. Some businesses — particularly restaurant establishments — are very concerned about negative publicity and reviews. Bad Yelp reviews, tip-offs to the health inspector... that stuff works and isn’t hard to do.”
While some restaurants may be an easy mark for this sort of crime, Weaver said the extortionists in this case are tangling with a tough adversary — The U.S. Postal Service — which takes extortion crimes perpetrated through the U.S. mail very seriously.
“There is a lot of operational security that these guys might have failed at, because this is interstate commerce, mail fraud, and postal inspector territory, where the gloves come off,” Weaver said. “I’m willing to bet there are several tools available to law enforcement here that these extortionists didn’t consider.”
It’s not entirely clear if or why extortionists seem to be picking on pizza establishments, but it’s probably worth noting that the grand-daddy of all pizza joints, Domino’s Pizza in France, recently found itself the target of a pricey extortion attack earlier this month after hackers threatened to release the stolen details on more than 650,000 customers if the company failed to pay a ransom of approximately $40,000.
Meanwhile, Pizza Pirates’s Alhilo says the company has been working with the local U.S. Postal Inspector’s office, which was very interested in the letter. Alhilo said her establishment won’t be paying the extortionists.
“We have no intention of paying it,” she said. “Honestly, if it hadn’t been a slow day that Monday I might have just thrown the letter out because it looked like junk mail. It’s annoying that someone would try to make a few bucks like this on the backs of small businesses.”
A GREAT CRIME FOR CRIMINALS
Fueled largely by the relative anonymity of cryptocurrencies like Bitcoin, extortion attacks are increasingly being incorporated into all manner of cyberattacks today. Today’s thieves are no longer content merely to hijack your computer and bandwidth and steal all of your personal and financial data; increasingly, these crooks are likely to hold all of your important documents for ransom as well.
“In the early days, they’d steal your credit card data and then threaten to disclose it only after they’d already sold it on the underground,” said Alan Paller, director of research at the SANS Institute, a Bethesda, Md. based security training firm. “But today, extortion is the fastest way for the bad guys to make money, because it’s the shortest path from cybercrime to cash. It’s really a great crime for the criminals.”
Last month, the U.S. government joined private security companies and international law enforcement partners to dismantle a criminal infrastructure responsible for spreading Cryptolocker, a ransomware scourge that the FBI estimates stole more than $27 million from victims compromised by the file-encrypting malware.
Even as the ink was still drying on the press releases about the Cryptolocker takedown, a new variant of Cryptolocker — Cryptowall — was taking hold. These attacks encrypt the files on the victim’s hard drive and hold them hostage until the victim pays an arbitrary amount specified by the perpetrators — usually a few hundred dollars worth of bitcoins. Many victims without adequate backups in place (or those whose backups also were encrypted) pay up. Others, like the police department in the New Hampshire hamlet of Durham, are standing their ground.
The downside to standing your ground is that — unless you have backups of your data — the encrypted information is gone forever. When these attacks hit businesses, the results can be devastating. Code-hosting and project management services provider CodeSpaces.com was forced to shut down this month after a hacker gained access to its Amazon EC2 account and deleted most data, including backups. According to Computerworld, the devastating security breach happened over a span of 12 hours and initially started with a distributed denial-of-service attack followed by an attempt to extort money from the company.
A HIDDEN CRIME
Extortion attacks against companies operating in the technology and online space are nothing new, of course. Just last week, news came to light that mobile phone giant Nokia in 2007 paid millions to extortionists who threatened to reveal an encryption key to Nokia’s Symbian mobile phone source code.
Trouble is, the very nature of these scams makes it difficult to gauge their frequency or success.
“The problem with extortion is that the money is paid in order to keep the attack secret, and so if the attack is successful, there is no knowledge of the attack even having taken place,” SANS’s Paller said.
Traditionally, the hardest part about extortion has been getting paid and getting away with the loot. In the case of the crooks who extorted Nokia, the company paid the money, reportedly leaving the cash in a bag at an amusement park car lot. Police were tracking the drop-off location, but ultimately lost track of the blackmailers.
Anonymous virtual currencies like Bitcoin not only make it easier for extortionists to get paid, but they also make it easier and more lucrative for more American blackmailers to get in on the action. Prior to Bitcoin’s rise in popularity, the principal way that attackers extracted their ransom was by instructing victims to pay by wire transfer or reloadable prepaid debit cards — principally Greendot cards sold at retailers, convenience stores and pharmacies.
But unlike Bitcoin payments, these methods of cashing out are easily traceable if cashed out within the United States, the ICSI’s Weaver said.
“Bitcoin is their best available tool if they’re located in the United States,” Weaver said of extortionists. “Western Union can be traced at U.S. cashout locations, as can Greendot payments. Which means you either need an overseas partner [who takes half of the profit for his trouble] or Bitcoin.”
Earlier this year we reported on a controversial anti-piracy campaign operated by the Business Software Alliance (BSA).
Representing major software companies, the BSA uses Facebook ads which encourage people to report businesses that use unlicensed software. If one of these reports results in a successful court case, the pirate snitch can look forward to a cash reward.
Below is one of the promoted Facebook posts that has appeared in the timelines of thousands of people, encouraging them to expose software piracy in return for hard cash.
While most responses on Facebook are negative, it appears that the campaign is not without results. In an interview with Radio Prague, the spokesman for the Czech branch of the BSA notes that the informant program has been a great success thus far.
“[The campaign is] very successful. We did it because we wanted to catch big fish. In the past, many informants did not want to disclose who they were, and it was difficult to set up serious communication with them,” the BSA’s Jan Hlaváč says.
“The only way out of this was to offer them something that would motivate them to fully cooperate. That’s why we decided to launch this programme, to reward information that leads not only to identifying illegal software but to bringing the whole case to the end,” he adds.
The cash reward has increased the number of serious tips and in the Czech Republic alone the BSA receives about 30 leads per month. Similar campaigns also run in the United States, Canada, the UK and Australia, where hundreds of tips come in every week.
Some of these tips lead to a follow-up investigation in which the BSA offers the alleged infringer a settlement. In the Czech Republic alone there are currently several cases pending, worth roughly $500,000. If a settlement is reached, the informant will get a share, ranging from $5,000 to $200,000.
Earlier this week the BSA released new data (pdf) on piracy levels worldwide, with the rate of unlicensed software decreasing in most western countries.
Between 2011 and 2013 the percentage of unlicensed software installed on computers dropped from 19% to 18% in the United States, and similar downward trends were observed in the UK and elsewhere.
In the Czech Republic piracy rates decreased from 37% to 34%, and according to the BSA this is in part due to the snitch campaign.
“Definitely. The programme has helped a great deal convince companies that the legal risks are not worth it,” Hlaváč says.
Despite this success there is still plenty of work to be done. Globally the percentage of pirate software increased slightly, representing a total value of $62.7 billion, so there’s plenty of bounty left.
Over the past 12 years the Congressional International Anti-Piracy Caucus has worked to highlight enforcement practices in need of improvement and to place countries perceived to be falling short of United States standards under the spotlight.
Yesterday the caucus became the International Creativity and Theft-Prevention Caucus, a change of name shunning the term ‘piracy’ in favor of an artist-focused theme that furthers the notion that infringement is the same as stealing.
The Watch List
As usual there are international winners and losers in the caucus report. On the up are Italy and the Philippines, with the former taking especially drastic steps to combat online file-sharing, including the blocking of ‘pirate’ sites by an administrative body, no court process required.
“In light of the reforms undertaken and a greater commitment to enforcing the law, both nations were removed from the Special 301 Report for the first time in its 25 year history. The caucus applauds Italy and the Philippines for undertaking reforms that recognize the importance of fostering creativity,” the report reads.
But in terms of improvements, the praise stopped there. In the file-sharing space, Switzerland came under attack over a momentous court decision made four years ago.
The Swiss file-sharing privacy safe haven
The controversy surrounds the so-called ‘Logistep Decision’. The Logistep anti-piracy outfit became infamous in the latter half of the last decade for its work providing tracking services for copyright trolls in Europe and the UK.
In 2010 following several years of legal wrangling and controversy, the Swiss Federal Supreme Court ordered the anti-piracy outfit to stop harvesting the IP addresses of file-sharers. Underlining the notion that IP addresses are private data, the court’s decision effectively outlawed the tracking of file-sharers in Switzerland with the aim of later filing a lawsuit.
In its report the caucus says that Switzerland’s timeline (18 months minimum) for bringing the country “back up to international standards for protection of copyright” is unacceptable so the country will remain on the Watch List. That position is unlikely to change anytime soon considering the long Swiss tradition of respecting privacy.
Unsurprisingly the main site mentioned in respect of Russia is local Facebook variant vKontakte. The site has come under sustained attacks from both the RIAA and MPAA and the caucus is happy to keep up the pressure in 2014, despite Russia’s efforts to really tighten up local copyright law.
“The Caucus urges the Russian Government to take prompt action against websites that actively facilitate the theft of copyrighted materials, in particular vKontakte which was again named as a Notorious Market while remaining one of the most highly trafficked websites in Russia. Given the scale of online piracy emanating from Russia, it is crucial that Russia take serious and large scale action to enforce the law against rogue actors and end their status as a haven for digital piracy,” the report reads.
China and India
As expected, China is yet again subjected to criticism, despite clear signs that the country is changing its attitudes towards IP enforcement.
“Though the climate for intellectual property has improved, driven in part by a growing domestic creative sector within China, the scale of piracy remains massive, inflicting substantial harm to American and Chinese creators,” the caucus says.
And despite playing host to a large local creative industry, the caucus says that India is not doing enough to protect IP either, with high rates of camcorder movie piracy and a lack of effective notice-and-takedown procedures both aggravating factors.
Given the current collaborations between governments and the private sector with their “follow-the-money” approach to dealing with infringement, it’s no surprise that the caucus has focused a section of its report on this initiative.
Current momentum sees strong international efforts to eliminate the appearance of major brands’ advertising on ‘rogue’ sites and the caucus reports further progress on that front. The Association of National Advertisers (ANA), American Association of Advertising Agencies (4As), and Interactive Advertising Bureau (IAB) have all reported taking “concrete steps” towards evaluating “digital ad assurance” technologies to keep revenue away from pirate sites.
In a response, RIAA Executive Vice President Neil Turkewitz praised the caucus for its efforts.
“Their work on advertising has already led to various improvements, and we hope that soon the lure of generating money from advertising will no longer be viable for sites serving as distribution hubs for infringing content,” Turkewitz said.
Echoing the words of Italian Ambassador Claudio Bisogniero, who had been invited to the report’s unveiling in recognition of his country’s anti-piracy achievements, the MPAA reiterated that the protection of copyright on the Internet is essential to the development of business.
“At the MPAA, we couldn’t agree more, and deeply appreciate the steps being taken by the caucus to help protect the creative industries and the millions of workers they employ – both here in the United States and abroad,” the MPAA concludes.
While many people get away with uploading infringing content to YouTube, the site’s ContentID system ensures that content belonging to many of the world’s leading entertainment companies gets spotted when it’s uploaded by an unauthorized third-party.
Unofficial uploads can also be subjected to a DMCA-style complaint, whereby rightsholders inform YouTube that content is illicit and should be removed. Mistakes do get made, so content uploaders get a chance to issue a counter-notice in dispute. The mechanism is far from perfect though, with the system weighted in favor of rightsholders with the “little guy” struggling to make his voice heard.
While those uploading pirated TV shows and movies have little to complain about when a “strike” is placed against their YouTube account, legitimate companies can also be subjected to the same kinds of complaints.
This morning a leading Indian news network is waking up to that reality and a pretty big headache after multiple strikes were lodged against its YouTube account. Multiple strikes are very bad, as the message from YouTube below illustrates.
ZeeNews appears to be a decent sized player in the Indian market, operating via zeenews.india.com, a sub-domain of the prestigious India.com. Its Twitter account has 457,000 followers and its Facebook page 2.6 million likes. Overall, ZeeNews claims 140 million viewers across ten channels and the title of “India’s Largest News Network”. It’s owned by Zee Media Corporation Ltd.
The precise nature of the complaints against the channel isn’t clear. The notice published by YouTube cites multiple complaints including those from “TF1” and “Wizcraft”. TF1 could be the French national TV channel of the same name and Wizcraft might possibly relate to an Indian branding company – TorrentFreak is awaiting responses from both.
Meanwhile, ZeeNews’ YouTube account remains not merely suspended, but terminated. In most circumstances that means there is no chance of the account being put back online, but given ZeeNews’ prominence it may be able to deal with YouTube, especially if there has been some kind of error.
Emails to the contact addresses listed by ZeeNews are currently bouncing, but we’ll persevere.
Update June 25: The YouTube channel is back.
Exactly 4 years ago I officially launched my first “socially useful” project. Over that period the site gathered information on 1000 cases, half of which have already been resolved by the police, and 1.6 million visits from 220 thousand people. On Facebook it recently passed 4500 followers, and on Twitter 390. After all that the site is stopping, but temporarily, at least until I find time to make a new version or an alternative appears.
Failing to become redundant
That should have been the title of this post. From the very beginning I made it clear that the project did not aim to become “the register” of missing persons. It simply became one. I wanted the site to inspire one of the big NGOs, or best of all the MVR (the Ministry of Interior), to make something better with more accurate data and more resources for maintenance. That way Lipsva would become redundant and I would gladly abandon it. Now that is happening almost by force. In the meantime its purpose was to show society that there is a problem, that cases can be presented better, that there is a gaping hole in how informed we are, and possibly, with some crazy luck, to help someone be found.
Unfortunately, that did not happen. The project did not become redundant. Activity in recent months even points to the opposite. The MVR has not launched an official register and has not improved how it provides information to the media and online. Some regional directorates (RDVRs) still send photos and descriptions from personal email addresses to local journalists. The Sofia directorate (SDVR) seems to be the only one that posts cases on its Facebook page. There was an attempt at a specialized NGO, but I have not heard of any progress.
At the same time Lipsva receives a growing number of registrations of newly missing people and between 4 and 40 thousand visits a week. I notice a little more transparency in the cases, because I find information about the missing more easily. The MVR also appears to work better with Interpol, because the yellow notices are now updated almost every day.
Mistakes in moderation and in the platform
I made quite a few mistakes with this site, and the first was in the moderation system. Technically it is possible for more people to take part in reviewing and approving new cases, but in practice the system is not clean enough and only I know how to work with it. For a while there were people helping me, but for quite some time now I do everything myself. The work, as I said, is not decreasing. All of this is entirely my fault. I made some wrong decisions at the start, and the small changes and quick ideas that followed did not help.
The platform itself is written on a heavily modified WordPress. That would not have been a problem if I had not made so many changes to the core, which over time and across versions started producing errors. So the platform gradually became harder and harder to work with. I put it down to Lipsva being my first project. I learned a lot from it and try not to repeat the mistakes in my other projects.
Because of all these problems with the system I have not released it as open source. There was interest from several places. In its current state, though, I would not release it, and honestly there is no point.
Why don’t I just sit down and rewrite it?
As I mentioned, Lipsva needs a total overhaul. I started working on that a long time ago, but I do not have the time. You may ask why I work on so many other projects instead of finishing Lipsva. The answer has several parts.
First, the open data, election and similar projects are small compared to Lipsva, much simpler, and do not require much time at once. Most of the data-related projects, for example, I develop in 10 to 30 minute breaks. I add a feature here, fix a bug there, experiment. It is interesting to me. Lipsva, on the other hand, at least with the concept I have set out, will require more time at once and concentration.
Another reason is motivation: the platform so far worked for visitors, even if it was ugly inside. At the same time I do not see it developing anywhere except accumulating cases of missing people, some of which are already resolved without any public information about it. On top of that, the process is extremely manual and unreliable. I go on vacation for a week or two and there are already 10 cases not entered.
A third reason is data quality. As long as there is no good way to confirm whether a case is current, “the map of the missing” will rely on the reliability of the media, which, as you yourselves understand, simply does not do the job.
Over these years I have met and talked many times with people from the MVR at various levels. I often exchange emails with the press office about individual cases. Sometimes I get a reply, other times not. Sometimes police officers write to me from personal email addresses asking me to remove someone, because going through the official channels is supposedly idiotically hard. As far back as 4 years ago they had a strong desire to cooperate officially with Lipsva, but partly because of bureaucracy, partly because of staff changes, it never happened.
Today they announced the start of a system similar to Amber Alert, which is to raise the alarm for abducted or missing small children. I talked with them about this project at the beginning of 2012, when their idea was for Lipsva to take part by spreading the information online. That did not happen, and I attribute it partly to the fact that I am not an NGO (which, inexplicably, is extremely important), but mostly to the fact that I am physically not in Bulgaria.
Meanwhile I tried several times to break through the police’s wall of secrecy and convince them at least to produce a single bulletin of all missing persons. Not to give more information, just so it is not all scattered across 100 sites. After a while we reached an agreement that I would send an Excel spreadsheet of the cases known to me, which they would confirm as current. That did not happen.
At this point there is no practical change in the way the MVR informs the public about missing persons cases. Neither online nor in its work with the media. This problem does not stem from the work of the Search department, of which I personally have only good impressions. It is due to the overall organization of the MVR, the ingrained fear of making decisions and the veil of secrecy that by default protects every trivial piece of information, both from the outside world and within the police itself. That is my experience from the past 4 years, and everyone who has worked with the MVR will confirm it: individual contacts with people are mostly positive, but in the end results are rarely achieved.
If you follow me on Twitter you will know why I titled this section the way I did. I constantly complain about emails related to Lipsva. I have stopped answering them. The most frequent questions from journalists are: how many people have been found through the site, do I have data on abducted children and organ trafficking, and can I give them the phone numbers of grieving parents so they can appear on the show. Of course, the questions are normal given the quality of most of our media.
The first question, however, is partly fair. No, I have no data that anyone was found through Lipsva in these 4 years. For some this may count as a big failure and show how pointless the project is. I do not even know whether information that came through the site helped the MVR find someone, though such information has been passed on. In every single case I write that tips should be submitted to 112 or 116 000. I cannot do anything with them except forward them. I do not even want to have such information, because in most cases it is personal and I should not have it at all. Nor do I have ambitions to put up a counter of people found through the site; this is not a competition or even a goal. When journalists hear that, though, they usually lose interest.
In this context I suppose you understand why no media outlet has taken on a project similar to Lipsva. In Russia and Greece there are specialized TV programs. Visitors of the site pointed them out to me and I proposed them several times to as many outlets as I could find. Not to use Lipsva or anything else, just to do something on the topic. BNT said they would look into it. A journalist from bTV answered in plain text that they waste enough air time on missing persons and have no intention of giving free advertising to NGOs. Whoever answered from the others said they would soon do a program and sent the questions I started with.
I know the topic is heavy and I do not expect any media outlet to invest in such a media product. Many outlets would turn it into tacky reality TV anyway. The attitude of most, however, is the same as with every bloody drama on the streets. That is why the public is left with the impression that more and more people are disappearing, that children are abducted every day and that the police do nothing. Almost nobody cites how the data show a high clearance rate, that there is no trend of increasing cases but rather greater transparency. That is not interesting. Nor is the case of the grandmother lost a week ago who will be found a few days later in a ditch. What is interesting is the girl who for the 3rd time this year runs away from an orphanage to visit her adult brother in Sofia.
How long will the site be down?
Until I find time to rewrite it, or until something comes out that covers its current functions. I am ready to help anyone who intends to work on such a project, be it an NGO, the MVR or an enthusiast like me. I can share my data so far, the metadata and the general ideas around the site. I have written about most of them many times on this blog.
In its current form, though, the site cannot continue. For two months now I have not managed to update the cases, quite a few new ones have piled up, and at least 15 cases from relatives are awaiting confirmation. It feels bad that the project is stopping; it was exactly the feeling that it helps and is needed that made me maintain it for so many years. I apologize to everyone who added their loved ones to Lipsva hoping that at least there someone would see them. All of them will be added automatically to the new version when it is ready.
The Electronic Freedom Foundation (EFF) is a very important organization to those of us who care about technology, security, and privacy. I primarily know about their legal efforts — protecting free speech, fair use, and civil rights. If you’re a security researcher, then you know that any moment some big corporation may choose to sue you for reporting an exploit rather than addressing their vulnerabilities. Apple has sued security researchers. Microsoft used to threaten to sue (and left open the potential to do it again). Epic Games, Cisco, and many other big companies have tried to sue people who report vulnerabilities. When this happens, we inevitably run to the EFF for assistance and guidance.
The EFF usually has a very visible position at most big security conferences and they are well-known in the security community. While I rarely donate to any organizations, I have donated to the EFF because they are needed and they do very good work.
Well… they usually do good work…
Oh, so close!
Beyond their legal actions, exposes, and topical news reports, they also provide a cute web plug-in, developed in collaboration with the Tor Project, called “HTTPS-Everywhere“. The idea is that it forces your web browser to use HTTPS rather than HTTP.
I have previously mentioned many of the limitations with HTTPS: it doesn’t reliably validate connections, it permits the human to bypass detected security risks, it is vulnerable to man-in-the-middle connection hijacking, and that little lock symbol really doesn’t mean you are secure.
As security goes, HTTPS is “better than nothing” security. Treat it like that little lock on your front door — it stops someone from easily opening the door. But it doesn’t stop someone from picking the lock, kicking in the door, listening to you through the door, or climbing in the open window next to the door.
Before Google forced everyone to use HTTPS, they offered both HTTP and HTTPS for accessing google.com. Using this plug-in, it would send you to HTTPS rather than HTTP. The same goes for eBay, PayPal, and many other sites. Lots of sites offer both HTTP and HTTPS, but few sites force you to use HTTPS when HTTP is available. In effect, this plug-in forces you to use security-by-placebo rather than no security at all.
My current irk with HTTPS-Everywhere is that the developers do not seem to be testing their code before releasing it. I recently learned that they have a rule file named Hacker-Factor.xml. This rule forces users who access my FotoForensics site to use HTTPS instead of HTTP. This is a big problem.
While FotoForensics does run both HTTP and HTTPS servers, these two interfaces do not provide the same services. “HTTP” is for the public. As clearly specified in the FAQ, the public service is public. It is not private, it offers no privacy, it is explicitly a research site, and it does not offer logins to the public.
In contrast, my HTTPS server demands a login. You won’t get to the upload page or any of the other features without login credentials. (Logins to that server are strictly limited to administrators and research partners.) With my server, you need HTTPS to access the login interface.
Forcing the Point
There is no rule that says the HTTP and HTTPS servers must provide the same content. In fact, many sites today are like mine: HTTP is for the public, and HTTPS is for users who need to log in. Today, I cannot log in to my bank’s web site without using HTTPS. With HTTP, I see their site, but I must switch to HTTPS to see the login. I cannot log in to Google or Twitter or Facebook without HTTPS. Even most news sites use HTTP for public content but you must use HTTPS if you want to log in. It is not uncommon to see very different content when using HTTPS instead of HTTP.
By forcing users to the HTTPS service at FotoForensics, HTTPS-Everywhere prevents people from using FotoForensics. Moreover, I know that I’m not the only web service out there that uses HTTP for public information and HTTPS for private access.
(I should point out that Buzzfeed.com forces users to HTTP. HTTPS at cnn.com doesn’t work. Reddit.com still uses HTTP, even for logins. And pay.reddit.com displays very different content depending on whether you use HTTP or HTTPS.)
As far as I can tell, someone associated with HTTPS-Everywhere did do a little testing with their Hacker-Factor.xml rules. They noted in their configuration file that I use a self-signed certificate. A self-signed certificate is typically considered “bad”. Except that I also use client-side certificates, which is much stronger security than third-party authentication without client-side certificates. (Also, I don’t see any point in paying a third-party certificate provider for a certificate that isn’t secure.) In effect, I have two-part authentication: something you have (the client-side certificate) and something you know (login credentials). While the EFF noticed my self-signed cert, they did not notice that they couldn’t use the HTTPS site!
I noticed this today when a user complained, so I filled out a trouble ticket, letting them know that the configuration for my site was incorrect. (The “reported by: cypherpunks” is their generic account for people who do not want to register a login with their trouble-ticket service.) They closed it out shortly after, with no change and the comment, “it won’t prohibit the vast majority of people from visiting the site.” I guess they missed the part that prohibiting ANYONE from accessing my site is a flaw in their rule-set!
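The check the post says was missing can be automated before a rule ships. This is an added example of mine, not code from the EFF, the Tor Project or Hacker Factor: it parses a ruleset in the documented HTTPS Everywhere format (target, rule, exclusion), applies it the way the extension would, probes each rewritten URL with a verifying TLS client, and reports every working HTTP URL whose HTTPS side is not the public service. The ruleset, the hostnames and the outcomes in `constructed_probe` are placeholders I made up and do not describe the real Hacker-Factor.xml.

```python
"""Pre-release check for an HTTPS Everywhere style ruleset.

Added example; not code from the EFF, the Tor Project or Hacker Factor.
The ruleset and hostnames below are constructed placeholders that follow
the documented <target>/<rule>/<exclusion> format; they do not reproduce
the real Hacker-Factor.xml.
"""
import re
import ssl
import urllib.error
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

SAMPLE_RULESET = """<?xml version="1.0"?>
<ruleset name="Example Forensics Site">
  <target host="example-forensics.test" />
  <target host="www.example-forensics.test" />
  <exclusion pattern="^http://example-forensics\\.test/faq" />
  <rule from="^http:" to="https:" />
</ruleset>
"""


@dataclass
class Ruleset:
    name: str
    targets: List[str]
    exclusions: List[re.Pattern]
    rules: List[Tuple[re.Pattern, str]]


def parse_ruleset(xml_text: str) -> Ruleset:
    root = ET.fromstring(xml_text)
    # HTTPS Everywhere writes backreferences as $1; Python's re wants \1.
    return Ruleset(
        name=root.get("name", ""),
        targets=[t.get("host") for t in root.findall("target")],
        exclusions=[re.compile(e.get("pattern")) for e in root.findall("exclusion")],
        rules=[(re.compile(r.get("from")), re.sub(r"\$(\d+)", r"\\\1", r.get("to")))
               for r in root.findall("rule")],
    )


def host_matches(host: str, target: str) -> bool:
    """Targets may carry a leading wildcard, e.g. *.example.test."""
    if target.startswith("*."):
        return host.endswith(target[1:]) and host != target[1:]
    return host == target


def rewrite(rs: Ruleset, url: str) -> str:
    """Apply the ruleset as the extension does: targets, then exclusions, then the first rule that fires."""
    host = urllib.parse.urlsplit(url).hostname or ""
    if not any(host_matches(host, t) for t in rs.targets):
        return url
    if any(e.search(url) for e in rs.exclusions):
        return url
    for pattern, repl in rs.rules:
        new_url, n = pattern.subn(repl, url, count=1)
        if n:
            return new_url
    return url


@dataclass
class ProbeResult:
    ok: bool                 # rewritten URL serves a public, verifiable response
    status: Optional[int]
    reason: str


def probe_https(url: str, timeout: float = 10.0) -> ProbeResult:
    """Fetch the rewritten URL with a verifying TLS context.

    A certificate the client cannot verify, a server that demands a client
    certificate, and an HTTPS side that only answers with a login challenge
    all land in the except branches: none of them is the public service."""
    ctx = ssl.create_default_context()
    try:
        with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
            return ProbeResult(resp.status < 400, resp.status, "")
    except urllib.error.HTTPError as e:      # e.g. 401/403: private service, not the public one
        return ProbeResult(False, e.code, "http %d" % e.code)
    except urllib.error.URLError as e:       # reason is an SSLError for cert problems
        kind = "tls" if isinstance(e.reason, ssl.SSLError) else "connect"
        return ProbeResult(False, None, "%s: %s" % (kind, e.reason))
    except (ssl.SSLError, OSError) as e:
        return ProbeResult(False, None, "tls/connect: %s" % e)


def constructed_probe(url: str) -> ProbeResult:
    """Stand-in for probe_https with made-up outcomes so the example runs offline:
    the bare host's HTTPS side demands a client certificate, the www host is public."""
    if urllib.parse.urlsplit(url).hostname == "example-forensics.test":
        return ProbeResult(False, None, "tls: client certificate required")
    return ProbeResult(True, 200, "")


def validate_ruleset(rs: Ruleset, http_urls: List[str],
                     probe: Callable[[str], ProbeResult] = probe_https) -> List[Tuple[str, str, str]]:
    """Return (original, rewritten, reason) for every working HTTP URL the ruleset would break."""
    findings = []
    for url in http_urls:
        new_url = rewrite(rs, url)
        if new_url == url:
            continue
        result = probe(new_url)
        if not result.ok:
            findings.append((url, new_url, result.reason))
    return findings


def suggested_exclusions(findings: List[Tuple[str, str, str]]) -> List[str]:
    """One <exclusion> per broken host, ready to paste back into the ruleset."""
    hosts = sorted({urllib.parse.urlsplit(u).hostname for u, _, _ in findings})
    return ['<exclusion pattern="^http://%s/" />' % h.replace(".", "\\.") for h in hosts]


if __name__ == "__main__":
    rs = parse_ruleset(SAMPLE_RULESET)
    urls = ["http://example-forensics.test/upload.php",
            "http://www.example-forensics.test/", "http://example-forensics.test/faq"]
    for finding in validate_ruleset(rs, urls, probe=constructed_probe):
        print("BROKEN:", finding)
    print("\n".join(suggested_exclusions(validate_ruleset(rs, urls, probe=constructed_probe))))
```

Swap `constructed_probe` for the default `probe_https` to run the check against a real host before publishing a rule.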
The other thing that got me looking at the EFF was a tweet they made today:
One year after the first Snowden disclosure, we need a web that resists NSA spying. Fight back. Run a Tor relay. https://eff.org/tor
Wow… does the EFF really not understand what Tor does?
The folks at the Tor Project have a wonderful description of their process. Tor mixes up the path between your computer and the remote system you are accessing. Let’s assume that there is someone who can watch all network traffic. What will they be able to tell about your online activities:
- They will see that your computer is connecting to a Tor server. But they won’t know what you are doing. The data between you and the Tor server is encrypted.
- The Tor network is like a giant mixer. One node passes to another node passes to another node… And since everyone is getting mixed up, someone watching the network traffic will see you and lots of other people (and other Tor nodes) all connect to the same Tor nodes, but they won’t know which continuing traffic belongs to you. Your trail vanishes into anonymity.
- Eventually your traffic will reach an “exit node”. This is where it leaves the Tor network and connects to your desired server. The observer sees lots of exit nodes and lots of exit traffic — they don’t know which one belongs to you.
In this regard, Tor offers great security: an observer can see you enter, but doesn’t know what you sent or where you went. They can see lots of people exiting the Tor network, but they cannot identify which exit request is yours. It’s like being pursued by bloodhounds, getting into a car, and driving into rush-hour traffic — the dogs will lose your scent.
(For you deep-security folks, I’m ignoring potential connection leaks via applications that do not use Tor for DNS, or other things you run that do not pass through the Tor tunnel.)
If your path is secure, then that means you are secure, right? Well, no.
Eventually your network traffic must exit the Tor network. At that point, it’s just as secure as connecting directly. If you connect to your bank or your Reddit account, then someone watching the traffic will see your login credentials used at that service. The omnipotent observer will see you connect to Tor “going somewhere” and your credentials being used to check your email at Yahoo. At this point, they don’t need a high IQ to know it is you. (It’s like catching a bank robber who fled the scene after being identified. The cops won’t go chasing you. They’ll just send someone over to watch your house — you’re bound to go home sometime…)
Last January, there was a report about some evil Tor exit nodes. Remember: the exit nodes can watch you leave the system and they can explicitly see where you are going. According to the report, some Swedish researchers managed to find “at least 22 corrupt exit nodes that were tampering with encrypted traffic leaving the supposedly private Tor network.”
Tor nodes are run by volunteers, and there is no vetting involved. If you want to run a Tor node, you can. If you want to be an exit node, that’s allowed. And if you want to watch all traffic that leaves your exit node, there’s nothing stopping you. In the case with the Swedish researchers, they found some nodes that were intentionally altering the data that you wanted to receive.
Back in 2007, one Swedish guy ran a Tor exit node and was capturing login credentials. Among other things, he saw login credentials to embassies all over the world.
You are… The Weakest Link!
At this point, Tor is only as secure as your connection to the server. If you use HTTP over Tor and you do anything that identifies yourself (fill out a form that requires your name, enter your email address, login to a service, check Facebook, do an ego-search to see who is talking about you…) then you’ve just compromised any security that Tor was providing. Someone watching the network traffic will know it was you.
Using something like HTTPS-Everywhere can help a little. It will stop you from forgetting to use HTTPS for certain web sites. However, virtually nobody uses HTTPS with client-side certificates. And without client-side certificates, it is relatively easy for someone on the network between Tor and your bank to hijack your network connection. (For the attacker, you don’t sit and wait for “Neal” to login… You hijack everyone and eventually you’ll also catch “Neal”.) Moreover, if someone is smart enough to configure a Tor exit node and monitor traffic, then they are certainly smart enough to hijack your HTTPS connection. (We’re not talking about an extreme level of difficulty here; any beginner-admin can learn to do this in a few hours.)
Run or Run Away
In their tweet, the EFF recommends that people run their own Tor relays. This will make the mixer network larger and makes tracking network traffic more difficult. However, what does it do for privacy and to your network traffic?
- Tor consumes network bandwidth. I hope you have a high-speed network connection, because most residential users can either run a Tor relay or watch Netflix, but you won’t have enough bandwidth for both.
- Tor has entry, middle, and exit nodes. Someone on an entry node can see you enter the network, but not where you are going. An exit node can see where you go and what you are doing, but not where the request came from. Meanwhile, a middle node sees anonymous traffic coming in and anonymous traffic going out. (Until I learn of an exploit, the middle nodes are safe enough.) If you run an exit node, then you can observe all network traffic between the outside world and your exit node. And you have the ability to interfere with network traffic.
As a Tor user, you don’t know who owns the exit nodes or what they are doing. “Assuming” it is safe does not make it safe.
- As an exit node, you cannot control where people go or what they want to download. If they download child porn, then it will look to the omnipotent network gods as if you (the owner of the exit node) downloaded child porn. (Better leave the front door unlocked since it’s expensive to repair a kicked-in door after the police arrive.)
- My contract with my Internet Service Provider (ISP) explicitly forbids me from sharing my network connection with other people outside my home. I cannot legally run a free WiFi access point for my neighbors or even run a public web service. That’s the same with most residential ISPs. The EFF’s suggestion for you to run a Tor node will likely be in violation of your ISP service agreement. (You’re running a network service and permitting the world to use your network connection.)
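For anyone who does decide to run a relay, two of the risks in the list above (other people’s exit traffic leaving from your address, and the relay eating your household bandwidth) are decided by the relay’s own configuration. The torrc fragment below is an added example of mine, not from the EFF or the Tor Project; the nickname, contact address and limits are placeholders to replace.

```conf
# Constructed torrc for a non-exit (middle) relay. Placeholder values.
Nickname examplerelay
ContactInfo relay-admin@example.test
ORPort 9001
# Relay only: no local SOCKS client port.
SocksPort 0

# Never act as an exit: nobody's downloads leave the network from this address.
ExitRelay 0
ExitPolicy reject *:*

# Cap relayed traffic so the household link stays usable, with a monthly ceiling.
RelayBandwidthRate 1 MBytes
RelayBandwidthBurst 2 MBytes
AccountingStart month 1 00:00
AccountingMax 300 GBytes
```

Whether a relay of any kind is allowed by your ISP’s service agreement is a separate question that no configuration line settles.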
What my client meant to say…
Perhaps the EFF meant to tell people to use Tor and misspoke when they said to run a Tor relay… In that case, there are still two issues: speed and security. With regards to speed, Tor is really slow on its good days.
But then there is that pesky exit-node issue. Without Tor, I connect to my bank from my home. I can be fairly confident that nobody is intercepting or hijacking the connection, and it is as safe as HTTPS (without client certs) allows. With Tor, I cannot trust the exit nodes. If my first request goes out as plain HTTP, HTTPS never gets a chance to notify me that the connection was hijacked, and the exit node is in exactly the right position to do the hijacking.
Moreover, Tor nodes are run by volunteers all over the Internet. I have no idea who they are, what networks my login credentials are passing over, or who might be watching. As far as I know, there is no way to identify all of the networks that my packets touch. While I do use Tor for anonymous network access, I would never trust it in its current state for anything that requires identifiable information.
For more specific paranoia, consider this: If I connect directly from my home to my bank, I can use traceroute and identify that my packets never leave this country. Yes, corporations that run the networks may see my traffic, but I don’t have to worry about foreign governments. In contrast, if I use Tor and it randomly selects an exit node in Taiwan, then governments in Taiwan, China, Europe, and every other country can spy on my connection as the packets leave a distant Tor exit node and connect to my local bank. With Tor, there are a lot more options for people to watch my online activities and hijack the connection. Without Tor, I only have to worry about my local networks.
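One concrete check against the exit-node hijack described above, as an added example that is not part of the original post: record the bank's certificate fingerprint once over a path you trust (from home, no Tor), then refuse any TLS session, over Tor or otherwise, whose leaf certificate does not match, on top of the normal chain and hostname validation. Host, port and pins are supplied by the user; the sample bytes in the usage are constructed.

```python
# Added example (not from the original post): refuse a TLS session unless the
# server certificate matches a pin you recorded over a path you trust (e.g. from
# home, directly), so a forged-but-"valid" certificate presented at a Tor exit
# is rejected even if a browser would have accepted it.
import hashlib
import hmac
import socket
import ssl


def cert_fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER-encoded leaf certificate, lower-case hex."""
    return hashlib.sha256(der_cert).hexdigest()


def check_pin(der_cert: bytes, expected_pins) -> bool:
    """True only if the presented leaf certificate matches one of the recorded pins.
    Leaf-certificate pins break on every renewal; pin several (current + next) or
    pin the SubjectPublicKeyInfo instead, which needs an ASN.1 parser not in stdlib."""
    fp = cert_fingerprint(der_cert)
    return any(hmac.compare_digest(fp, pin.lower()) for pin in expected_pins)


def connect_pinned(host: str, port: int, expected_pins, timeout: float = 10.0):
    """Open a TLS connection, keep the normal chain + hostname validation, and then
    additionally require the leaf certificate to match a pin. Returns (tls version,
    fingerprint) on success; raises ssl.SSLError on a pin mismatch."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + hostname check stay on
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            if not check_pin(der, expected_pins):
                # Send nothing application-level: the peer is not who we pinned.
                raise ssl.SSLError(f"certificate pin mismatch for {host}: {cert_fingerprint(der)}")
            return tls.version(), cert_fingerprint(der)


if __name__ == "__main__":
    import sys
    # Usage: python pin_check.py <host> <port> <sha256-hex-of-leaf-der> [more pins...]
    # Record the pin once from a path you trust (no Tor), for example:
    #   openssl s_client -connect HOST:443 </dev/null 2>/dev/null \
    #     | openssl x509 -outform DER | sha256sum
    host, port, pins = sys.argv[1], int(sys.argv[2]), sys.argv[3:]
    print(connect_pinned(host, port, pins))
```

This does nothing for the sslstrip case (no TLS session is ever opened), so it only helps if you also always start from the https:// address; it does stop the forged-certificate variant, where the exit presents a certificate your browser would trust but which is not the one your bank actually uses.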
I typically trust the EFF’s judgment. Their legal advice and concerns about privacy, security, and technology are usually spot-on. And when the EFF speaks, people should listen.
However, as with anyone else, their suggestions are not always 100% reliable. Forcing people to use HTTPS on an HTTP-only service breaks access to the service. Releasing an HTTPS-Everywhere rule without testing it first seems like a really bad idea, and not patching it when told that the rule does not work seems willfully ignorant. And while I agree that we need a more secure version of the Internet, Tor is not the solution. Advising people to run a Tor node without identifying the impact and risks seems like a huge mistake to me.
Perhaps I am just over-reacting. But it seems to me that the EFF just gave out some very bad advice.
While new file-sharing sites appear on a regular basis, it’s reasonably rare for fresh torrent sites to fill a niche in an effective and public fashion. PublicHD was a site that bucked that trend, in part by delivering focused content rather than simply making existing material searchable.
From a standing start, during the last quarter of 2012 PublicHD’s popularity skyrocketed. Concentrating on movie rips at the higher end of the quality spectrum, PublicHD grew steadily throughout 2013, a trend that continued – blips aside – into the first few months of this year.
Then yesterday, without warning, PublicHD simply disappeared, and as of today the site is still inaccessible via its main Swedish domain, its .EU alternative, or its official proxy. There has been no official announcement or explanation. Needless to say, there are currently plenty of worried users.
Of course, sites go offline for technical reasons all the time, and it may yet transpire that PublicHD has had some serious technical issues. The signs, however, are less than encouraging. The first logical places for users to check for status updates are PublicHD’s Twitter and Facebook accounts but just like the main site, they have completely disappeared.
Since PublicHD is, as its name suggests, a public site, its activities can be seen not only on its own domain but on other torrent sites too. For example, The Pirate Bay has a user account by the name of DibyaTPB, which is believed to be a PublicHD auto-uploading bot. After making hundreds of releases and rarely if ever having a break, yesterday DibyaTPB fell silent, indicating that the site is indeed completely offline.
Furthermore, BOZX, another Pirate Bay account associated with PublicHD, also went quiet on Saturday. And, after 19,199 uploads, the corresponding account for BOZX on KickassTorrents was silenced too. At some point, it’s not clear when, the account was also renamed.
The disappearance of PublicHD is even more puzzling given that earlier this month the site’s operators were planning new and bigger things.
“Soon we are a going to have a makeover and a brand new PublicHD with tons of new features and stronger security system,” they said in an announcement.
It's certainly feasible that the upgrades are underway now, but it makes little sense for that to go hand in hand with PublicHD vanishing from social media and keeping its users entirely in the dark.
Rightsholders have issued a steady stream of complaints against PublicHD to Google since late 2012 but since the start of 2014 the number being processed has steadily increased, with April and May being the most active months in the site’s history.
Ross Anderson has an important new paper on the economics that drive government-on-population bulk surveillance:
My first big point is that all the three factors which lead to monopoly – network effects, low marginal costs and technical lock-in – are present and growing in the national-intelligence nexus itself. The Snowden papers show that neutrals like Sweden and India are heavily involved in information sharing with the NSA, even though they have tried for years to pretend otherwise. A non-aligned country such as India used to be happy to buy warplanes from Russia; nowadays it still does, but it shares intelligence with the NSA rather than the FSB. If you have a choice of joining a big spy network like America’s or a small one like Russia’s then it’s like choosing whether to write software for the PC or the Mac back in the 1990s. It may be partly an ideological choice, but the economics can often be stronger than the ideology.
Second, modern warfare, like the software industry, has seen the bulk of its costs turn from variable costs into fixed costs. In medieval times, warfare was almost entirely a matter of manpower, and society was organised appropriately; as well as rent or produce, tenants owed their feudal lord forty days’ service in peacetime, and sixty days during a war. Barons held their land from the king in return for an oath of fealty, and a duty to provide a certain size of force on demand; priests and scholars paid a tax in lieu of service, so that a mercenary could be hired in their place. But advancing technology brought steady industrialisation. When the UK and the USA attacked Germany in 1944, we did not send millions of men to Europe, as in the first world war, but a combat force of a couple of hundred thousand troops – though with thousands of tanks and backed by larger numbers of men in support roles in tens of thousands of aircraft and ships. Nowadays the transition from labour to capital has gone still further: to kill a foreign leader, we could get a drone to fire a missile that costs $30,000. But that’s backed by colossal investment – the firms whose data are tapped by PRISM have a combined market capitalisation of over $1 trillion.
Third is the technical lock-in, which operates at a number of levels. First, there are lock-in effects in the underlying industries, where (for example) Cisco dominates the router market: those countries that have tried to build US-free information infrastructures (China) or even just government information infrastructures (Russia, Germany) find it’s expensive. China went to the trouble of sponsoring an indigenous vendor, Huawei, but it’s unclear how much separation that buys them because of the common code shared by router vendors: a vulnerability discovered in one firm’s products may affect another. Thus the UK government lets BT buy Huawei routers for all but its network’s most sensitive parts (the backbone and the lawful-intercept functions). Second, technical lock-in affects the equipment used by the intelligence agencies themselves, and is in fact promoted by the agencies via ETSI standards for functions such as lawful intercept.
Just as these three factors led to the IBM network dominating the mainframe age, the Intel/Microsoft network dominating the PC age, and Facebook dominating the social networking scene, so they push strongly towards global surveillance becoming a single connected ecosystem.
These are important considerations when trying to design national policies around surveillance.
Ross’s blog post.
The elections are over, and only now will we begin to analyse what happened and what it means. And a lot happened: a loss for БСП, Атака thrown out, a practical example in the person of ББЦ of how many MPs you can buy for a few million euros, and so on.
Something that understandably stayed out of the spotlight is the publication of results before the end of election day. On Saturday Еленко reminded me, and yesterday I noticed how a whole bunch of media outlets were once again playing clever by circumventing the explicit ban in the Electoral Code. Of course, it is clear to all of us that there is no ranking of songs, wind speeds, fashion trends or comics that just happens to appear on a Sunday. It should be clear to the ЦИК (the Central Election Commission) as well.
A little grumbling and one email
So I did something quite natural in this case: I wrote an email to the official address of the ЦИК. I sent them several links to articles that violate the ban. After a quick search I added a few more to the email. I reported a total of 10 outlets: Труд, 24 часа, Дневник, БТВ, Offnews, ClubZ, Focusnews, ПИК, БГНЕС and Стандарт. There were probably quite a few more, but these are the ones I thought to check.
Honestly, I did not expect a reaction, or at least not on the same day. The ЦИК, however, checked and, in their words, sent a warning to "many internet sites". Дневник were the first to take down their ranking. Труд and 24 часа followed. None of the others deigned to react. ПИК did not even try to disguise the results as a ranking; it simply listed them by party.
One of the reasons, as far as I understood, may be that the ЦИК's warning came by email, which someone may or may not read on a Sunday. More likely, though, they simply do not care. And why would they? So far the ЦИК has sanctioned media outlets only in rare cases. Every violation is committed with a clear assessment of the risk: how likely it is that you will be caught and punished. Yesterday the ЦИК showed that it can act and that filing reports is worthwhile. As Еленко said, with a little grumbling and one email you can get quite far.
#КОЙ (#WHO), and why not right away?
There are, however, a few interesting details. The first is which "many" outlets were warned. In the early afternoon the ЦИК spokesperson told Капитал that they were Блиц, ПИК, e-burgas, BNews and Дневник. Obviously there were other reports filed besides mine. But did they warn everyone named in the reports? There is no published decision yet, so we cannot tell. Труд and 24 часа certainly received an email. Did БТВ and Стандарт?
The time at which the ЦИК sent the warnings is also interesting. My report was sent at 11:33 (Bulgarian time). The additions were sent by 13:00. Дневник and Труд apparently received the email some time after 17:00, that is, two hours before the polls closed. That somewhat defeats the purpose of the whole exercise. Given that there were reports as early as the morning, why wait almost until the end of voting?
The most important question, though, is whether anything will change at the next elections. I was assured that the big outlets will no longer publish rankings. That will only work, however, if everyone complies. These rankings bring visits to the news sites, and it is understandable why they skirt the rules. If the big outlets stop, the small ones will be easier to sanction. It probably also makes sense to punish the polling agencies, because they are the ones releasing exit-poll results earlier than allowed. If they are stopped, the problem solves itself.
"Oh, come on, nonsense!" Is it, though?
Which brings us to the question of why I needed to do this at all. Most of the outlets I "ratted on", such as Дневник, ClubZ and Offnews, I like and read every day. This put them in a somewhat awkward position, because they were the first ones I noticed. But they were in violation and cannot complain. On the other hand, a discussion started on Facebook about whether this rule should exist at all: does early reporting of results hinder or help the elections? My opinion is that the rule is good and should stay. In any case, here and now is not the place for that discussion. There is an Electoral Code that says clearly what the rules are. Anyone with objections should have commented on and contested it when it was adopted. Yes, it is true that our dear MPs did not accept many similar criticisms, but it is also true that nobody made an issue of this particular point.
I agree that none of this is the biggest problem with the elections, especially in the context of the mass fraud with fictitious observers voting many times, controlled voting and all sorts of other schemes, mixed with the unpreparedness and incompetence of electoral commissions that allow glaring errors. Whether or not somebody announces some made-up rankings "on the net" perhaps does not bother anyone.
Nobody denies, however, that it is against the rules, and the rules have to be followed. It is important to understand that most election fraud relies on problems in these rules and, above all, on lapses in their enforcement by the precinct commissions. If we wave away every small rule as unimportant, we will not get far.
So those are my 10 stotinki on this election. Oh, and the map of polling stations abroad. And, of course, the fact that I voted.
In a few months, again. #ОСТАВКА (#RESIGNATION)
SANS Internet Storm Center, InfoCON: green: Another Site Breached – Time to Change your Passwords! (If you can that is), (Thu, May 22nd)
So after yesterday’s news that eBay had been compromised, and that the compromise was in play for a good 2-3 months (short in comparison to many), I decided it was time to change my passwords. Yes – ALL of them.
Don’t get me wrong, I do change my passwords – really. Not as frequently as I should, but it happens. I decided to use my little “make me a random string” character generator script, and set them all to 32 char gobbledygook. Except for the ones that have 10, 16 or 20 character maximums that is (really? that limit was a good idea why?)
So I dug through all my applets, “saved password” tabs and saved notepads to find them all, and change them all. It’s amazing how many logins you can accumulate over the years. It’s also amazing how many of these logins have my credit card info (eeps). eBay, Paypal, Apple, travel sites – it really starts to add up.
What did I find when I got going on this?
- For starters, since the last time I reset almost EVERY site has let their marketing and “design” folks at their site layout. The password change is almost universally hidden 4-10 or more clicks and menus deep in the interface.
- Many sites now disable the “paste” function. So if you have a complex password, you can’t cut and paste it – you have to type it from the keyboard. This also breaks many “password keeper” applications. So what does this encourage? Simple passwords, that’s what. Just because you can enable a neat feature doesn’t mean that it’s helpful.
- Don’t even get me started on Facebook. I’m not even sure how I got to the menu (it took a while), but when I did, password change was under “General” instead of “Security”. Like so many other sites, “security” to Facebook is about Authorization (who can see me) rather than Authentication (credentials). And the 3rd “A” in “AAA” – Accounting – is not available to the end user, only to the system administrators. So if someone has attacked and/or compromised your account, the only folks who see that are the ones who review the logs. Oh – and I guess that’s a problem too.
- Facebook does have a nice “log me out of other devices” option during the password change though. So if it’s an attacker who’s compromised your account, they can punt you offline as they change your password. They phrased it the other way though – I guess it’s a race to see who gets to the password change page first.
- I’m still working on my Apple password. Apparently they’ve decided that my favourite book as a child doesn’t meet their literary standards, so they’ve changed it. More likely, what I typed in is still there and is case sensitive – and knowing me, it’s either all lower case, or the one Cap in the phrase is accidental. Long story short, I can’t answer the challenge phrases. And the “send me an email” trapdoor didn’t work – no email yet.
What does this all add up to? Web designers really have made it increasingly difficult for us to protect our credentials. Almost every site has emphasised the “friends and sharing” functions, and this has crowded the “protect your credentials” stuff into the background. Challenge phrases are great I suppose, but making challenge phrases case sensitive is a really bad idea. Not a single site in my list had a periodic password change requirement.
The other big conclusion? It’d be nice if more sites implemented two factor authentication – that way a password breach wouldn’t be such an emergency or such big news.
Long story short, when sites say “we’ve been breached, please change your password”, I think that’s in the nature of a dare or a challenge – it’s not as easy as it sounds.
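On the two-factor point above: what a second factor buys you when a password database leaks is that the leaked secret alone no longer logs anyone in. As an added example that is not part of the SANS diary, here is the standard time-based one-time code (HOTP per RFC 4226, TOTP per RFC 6238) in stdlib Python, with the server-side verification including a drift window. The secret in the usage is the RFC's published test key, not a real one; a deployed system provisions a random per-user secret.

```python
# Added example (not from the SANS diary): RFC 4226/6238 one-time codes in stdlib
# Python, to show what a second factor adds when a password database leaks.
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """HOTP (RFC 4226): HMAC over the big-endian 8-byte counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, for_time=None, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """TOTP (RFC 6238): HOTP with counter = floor(unix_time / step)."""
    if for_time is None:
        for_time = time.time()
    return hotp(secret, int(for_time // step), digits, algo)


def verify_totp(secret: bytes, code: str, for_time=None, step: int = 30,
                digits: int = 6, window: int = 1, algo=hashlib.sha1) -> bool:
    """Accept the code for the current step or up to `window` steps either side
    (clock drift). Comparison is constant-time; a real server must also refuse to
    accept the same code twice (replay) and rate-limit guesses."""
    if for_time is None:
        for_time = time.time()
    counter = int(for_time // step)
    ok = False
    for drift in range(-window, window + 1):
        c = counter + drift
        if c < 0:
            continue
        expected = hotp(secret, c, digits, algo)
        # no early return: keep timing independent of which slot matched
        ok |= hmac.compare_digest(expected, code)
    return ok


if __name__ == "__main__":
    # RFC 6238 Appendix B test key, used here only as a demo secret; real secrets
    # are random and provisioned per user (typically via a QR code).
    demo_secret = b"12345678901234567890"
    print("current code:", totp(demo_secret))
    # RFC 6238 Appendix B vector (SHA-1, 8 digits) at T=59 is 94287082
    print("rfc vector  :", totp(demo_secret, for_time=59, digits=8))
```

The attacker who dumps the password table still cannot produce the six digits without the per-user secret, which is why a breach is a reset exercise rather than an emergency for sites that have this. The flip side is that the TOTP secret is a second thing the site must protect; storing it in the same table as the password hashes, unencrypted, gives much of the benefit away.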
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
The last seven days have been amazing at FotoForensics. I have a bunch of metric collection systems running on the box. The main metric that I track is the number of unique picture uploads. If three people upload the exact same file, then it is counted as "1" unique upload. But if they upload three different files, then it counts as "3" uploads. Using this metric, I can identify the highest and lowest volume days of the week, and even lowest-volume hour for doing system updates. I can also use this to estimate disk space usage and predict monthly volumes.
The monthly volume prediction is pretty variable at the beginning of each month — it takes a few days to establish an average. (I’m not using a multi-month window right now.) By the middle of the month, I can usually predict the monthly total to within a few hundred pictures. And by the last week of the month, it’s usually +/- 50. The only thing that throws off the average is an unexpected spike in traffic. Spikes typically happen every 2-3 months and last 2-3 days. They usually coincide with major events or a new forum discovering the site.
Prior to last week, the site was averaging 700-800 unique image uploads per day. But then there was a spike in activity. The spike started off in the middle-east — primarily in Saudi Arabia. After about a day, the spike began to dip… but then it got picked up by Indonesia. This second spike has been going on for 4 solid days and is only beginning to dip a little.
Based on the monthly average, which includes 6 full days of high volume, this month is looking like it will become the highest-volume month so far. The current highest volume month happened this time last year: May 2013. Last year, there was an extended spike due to the Boston Marathon Bombing. (The spike was big enough to take down the server. I have since fixed that issue.) Back then, FotoForensics received 30,314 unique uploads in one month (and most of that came in one week). This year, the spike is primarily due to the Indonesian elections. Assuming the rate remains constant for the next 11 days, this month will easily break 34,000 unique uploads. (I’m actually expecting it to drop but still be a record month.)
I was actually surprised to see virtually no traffic from this month’s huge election in India. One politician managed to get a majority vote in the world’s largest democracy. Given India’s segmented, fractional, and outright hostile political party system, this is virtually unheard of! (I think the United States needs more than two major political parties. But I also think the 50+ major parties in India is way too many.) Maybe India had a friendlier election than normal, leading to fewer pictures needing to be analyzed…
In contrast to India, I heard that Indonesia’s upcoming election is looking like an ugly brawl. And that’s saying a lot since I rarely follow foreign politics. (People in Hungary got mad when I referred to their Prime Minister as “some guy”. But I have no idea who is running in Indonesia or what to call their candidates. Fortunately for me, I don’t expect to become an ambassador anytime soon.)
Many people in Indonesia have uploaded variations of the same picture. Although the contents look the same, there have been over 50 variants of this file — different sizes, different resolutions, different cropping… This is what the file looks like:
How do you say ‘Birther’ in Indonesia?
As I have been told, Indonesia is having their own version of the Obama birth certificate controversy. With the “birther movement” in the United States, no amount of facts or proof will ever convince the extremists that the controversy is baseless. I suspect that Indonesia is going to have the same problem — regardless of whether it is real or fake.
This picture shows some documents. It is supposed to be the Indonesian candidate’s response to the conspiracy. Someone uploaded a variant of the picture to FotoForensics and declared that it was “fake” — that started the current spike in activity.
This picture has a lot of problems, not the least of which is a faulty “fake” analysis that went viral in Indonesia. So, I’m going to take a closer look at this picture.
Where to start…
Before I begin, let me point out: I don’t know what this controversy is about. I don’t know the candidate’s name. I don’t know what this photo is supposed to be showing other than pages from some kind of government document. I cannot read the language and I don’t know if the pages are in order or supposed to be from the same booklet. I also don’t know who made this file public.
To me, this is just a picture of some pages. But I view my lack of understanding as a good thing: it means that I have no biases regarding the entire controversy. And as someone with no ties to Indonesia (besides owning a few T-shirts that were made there) and who does not follow Indonesian politics, I have no influences persuading me to identify the picture as real or fake.
When evaluating an image, the first thing you want to do is find the highest quality version. FotoForensics has lots of variants of this file. There’s big versions, small versions, cropped versions, versions with squashed aspect ratios… Based on dimensions, file size, uncropped content, and overall image entropy, the highest quality picture that I can find came from a Google+ upload (Link). This version is 1024×1024 and was provided as a file-upload, so I don’t know who uploaded it or where they got it.
I do have versions of the picture that are larger, such as a 1200×1200 image. However, it came from Facebook, was saved to the user’s computer, and then uploaded as a file to FotoForensics. Many of the artifacts that I noticed also exist in this picture, but other artifacts are muted or gone. Since Facebook resaves images, this resave would have muted many artifacts and could have removed others.
Someone also uploaded a version that is 800×800 but a much larger file size. It is a PNG file that was converted from one of the other JPEG images.
Starting the Evaluation
According to the metadata, the 1024×1024 picture was processed by Google’s Picasa. That’s standard practice for files processed by the Google+ uploader. I can trace that this picture came from Google+, but I don’t know the source URL. Someone had the file and uploaded it to Google+. Then someone downloaded the picture and submitted it to FotoForensics as a file-upload. That means the file has changed hands at least twice, and I have no idea if it was tampered with by either anonymous person. And since I cannot read the text, I cannot even determine if the content looks like the content found in all of the other versions of this picture. (I see some Arabic on the pages. With Arabic, a minor squiggle change can make a significant difference in words.)
There’s a few other important observations before we apply some algorithms:
- The picture is 1024×1024. I am not aware of any digital cameras that natively capture with these dimensions. Other variants are 800×800, 720×720, 403×403, and other square dimensions. At minimum, I suspect that the picture has been resized.
- The picture is mostly black-and-white. But there are slight green and blue tinges to parts of each of the pages. I find this odd since they should either be colorized or monochrome. This is certainly not caused by a camera and probably not caused by a scanner. This is probably due to significant post-processing (like adjusting color curves to make grayish scans appear whiter.) Since I don’t know how the pictures were handled, I cannot conclusively identify the cause.
These color tinges do not appear to be specific to certain text or content in the image. They do not appear to be an indication of intentional tampering or a forgery.
- None of the pictures contain metadata that identifies how it was first created. With all of the pictures, there have been multiple resaves and the source metadata has been stripped.
At this point, I have an unknown picture of unknown origins that has undergone unknown handling and was likely overly post-processed.
Error Level Analysis (ELA) measures how much each part of the image changes when it is resaved as a JPEG at a known quality, which exposes differences in compression history across the image. Similar surfaces should look similar under ELA, and similar edges should look similar. With this picture (and all other variants except for the small and extremely resaved versions), something stands out:
First we evaluate the surfaces. For example, the solid areas of gray paper all look the same under ELA. So this appears to be consistent.
Next, we evaluate all edges. We look at the thin black lines (text and borders) on the gray paper. The ELA intensity should be similar on all of the lines. Within each page, all edges look similar. With ELA, there is no indication of editing on the individual pages. However, we can see that the top two pages are distinctly darker under ELA than the three pages on the bottom. From this, we can deduce that the image is a composite: the two pages on top were combined with the three pages on the bottom.
This makes sense if the person who created this picture wanted to keep the five panels together. For example, he could have scanned in two pages. Then scanned in three pages. Then pasted them together into a big square image.
(But the picture was color corrected! Remember that “mostly black-and-white” observation? JPEG compression stores the intensity (luminance) independently of the coloring (chrominance). As long as the intensity is modified only a little and linearly, it shouldn’t alter the ELA result very much.)
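The resave-and-compare step, and the region comparison used above (top two pages against bottom three), as an added example that is not FotoForensics' code. Pillow is assumed to be available only for producing an ELA map from a real JPEG; the region comparison is pure Python and is run here on a constructed 30x20 map that mimics the composite described above.

```python
# Added example (not FotoForensics' code): build a basic ELA map from a JPEG and
# compare mean ELA intensity across hand-chosen regions, the way the analysis
# above compares the two top pages against the three bottom pages. Pillow is only
# needed for the resave step; the region comparison is pure Python.
import io

try:
    from PIL import Image  # assumption: Pillow is installed when ela_map() is used
except ImportError:  # the region analysis below still works without it
    Image = None


def ela_map(jpeg_bytes: bytes, quality: int = 90, scale: int = 10):
    """Resave at a known quality and amplify the per-pixel absolute difference.
    Returns (width, height, flat list of 0..255 gray values, row-major)."""
    if Image is None:
        raise RuntimeError("Pillow is required for ela_map()")
    original = Image.open(io.BytesIO(jpeg_bytes)).convert("RGB")
    buf = io.BytesIO()
    original.save(buf, format="JPEG", quality=quality)
    resaved = Image.open(io.BytesIO(buf.getvalue())).convert("RGB")
    width, height = original.size
    pixels = [min(255, scale * max(abs(a - b) for a, b in zip(p, q)))
              for p, q in zip(original.getdata(), resaved.getdata())]
    return width, height, pixels


def region_mean(pixels, width: int, box) -> float:
    """Mean ELA value inside box = (x0, y0, x1, y1), x1/y1 exclusive."""
    x0, y0, x1, y1 = box
    total, count = 0, 0
    for y in range(y0, y1):
        row = pixels[y * width + x0:y * width + x1]
        total += sum(row)
        count += len(row)
    return total / count


def find_inconsistent_regions(pixels, width: int, regions: dict, tolerance: float = 0.5):
    """regions: name -> box. Flags regions whose mean ELA deviates from the median
    region mean by more than `tolerance` (as a fraction of the median). Only compare
    like with like (page against page, not text against blank paper): different
    content legitimately compresses differently, which is not evidence of splicing."""
    means = {name: region_mean(pixels, width, box) for name, box in regions.items()}
    ordered = sorted(means.values())
    median = ordered[len(ordered) // 2]
    flagged = sorted(name for name, m in means.items() if abs(m - median) > tolerance * median)
    return means, flagged


if __name__ == "__main__":
    # Constructed 30x20 ELA map: the two "top pages" resave more quietly (15) than
    # the three "bottom pages" (60), mimicking the composite described above.
    W, H = 30, 20
    demo = [15 if y < 10 else 60 for y in range(H) for x in range(W)]
    layout = {"top_left": (0, 0, 15, 10), "top_right": (15, 0, 30, 10),
              "bottom_left": (0, 10, 10, 20), "bottom_mid": (10, 10, 20, 20),
              "bottom_right": (20, 10, 30, 20)}
    print(find_inconsistent_regions(demo, W, layout))
```

On the constructed map the two top regions are flagged, which is the pattern the analysis above reads as "two pages pasted next to three". On a real image, draw the boxes over comparable content (paper-on-paper, line-on-line), since a box full of text will always differ from a box of blank paper without that meaning anything.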
One Little Thing
There is one odd thing that appears in this Google+ version of the image and appears to be gone in the Facebook versions… Under ELA, there is a very faint curve in the unused space (top-right empty panel). It really only shows up in the full-size picture. However, other algorithms, like an entropy colorization, highlight the curve:
The colors indicate the amount of entropy. The curve is white — indicating very little information content. Darker colors indicate more information (more noise). Other versions of this image have the similar dark splotches over the woman’s face, but lack the visible curve in the empty area. (They’re just solid white in the empty area, so the resave removed what little information was present.)
With any circular curve, if you can identify at least three points on the curve, then you can identify the center of the circle. I selected three points and computed the circle and the center.
Now we see something interesting. The center of the circle is dead center on the woman’s face. (I didn’t select the woman’s face — I selected the points on the circle. Click on the image to see it full-size with the center point right between her eyes.) Does this mean that the woman’s picture was digitally added? No. It means that whoever was doing the post-processing used some kind of circular gradient to brighten up a bad scan. I’d chalk this up to aggressive post-processing long before I’d suspect intentional deception.
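The "three points on the curve give you the centre" step above, as an added example that is not FotoForensics' code. It also goes beyond the post with an algebraic least-squares fit for the case where you can mark more than three points on a faint curve and want the noise averaged out. The sample points are constructed to lie on a circle of radius 5 around (3, 4).

```python
# Added example (not FotoForensics' code): recover a circle from three points on it
# (the step used above to locate the gradient's centre) and, going beyond the post,
# a least-squares fit when you can mark more than three points on a faint curve.
import math


def circle_from_three_points(p1, p2, p3):
    """Circumcentre of three non-collinear points. Returns (cx, cy, r)."""
    (x1, y1), (x2, y2), (x3, y3) = p1, p2, p3
    d = 2.0 * (x1 * (y2 - y3) + x2 * (y3 - y1) + x3 * (y1 - y2))
    if abs(d) < 1e-12:
        raise ValueError("points are collinear; no unique circle")
    s1, s2, s3 = x1 * x1 + y1 * y1, x2 * x2 + y2 * y2, x3 * x3 + y3 * y3
    cx = (s1 * (y2 - y3) + s2 * (y3 - y1) + s3 * (y1 - y2)) / d
    cy = (s1 * (x3 - x2) + s2 * (x1 - x3) + s3 * (x2 - x1)) / d
    return cx, cy, math.hypot(x1 - cx, y1 - cy)


def _solve3(a, b):
    """Solve a 3x3 linear system by Gaussian elimination with partial pivoting."""
    m = [row[:] + [bi] for row, bi in zip(a, b)]
    for col in range(3):
        piv = max(range(col, 3), key=lambda r: abs(m[r][col]))
        m[col], m[piv] = m[piv], m[col]
        if abs(m[col][col]) < 1e-12:
            raise ValueError("degenerate system")
        for r in range(col + 1, 3):
            f = m[r][col] / m[col][col]
            for c in range(col, 4):
                m[r][c] -= f * m[col][c]
    x = [0.0, 0.0, 0.0]
    for r in (2, 1, 0):
        x[r] = (m[r][3] - sum(m[r][c] * x[c] for c in range(r + 1, 3))) / m[r][r]
    return x


def fit_circle(points):
    """Algebraic (Kasa) least-squares circle: minimise sum (x^2+y^2 + Dx + Ey + F)^2.
    Exact for points that lie on one circle; good enough for a handful of
    hand-marked points on a faint gradient edge. Returns (cx, cy, r)."""
    if len(points) < 3:
        raise ValueError("need at least three points")
    sx = sum(x for x, _ in points)
    sy = sum(y for _, y in points)
    sxx = sum(x * x for x, _ in points)
    syy = sum(y * y for _, y in points)
    sxy = sum(x * y for x, y in points)
    z = [x * x + y * y for x, y in points]
    sz = sum(z)
    sxz = sum(x * zi for (x, _), zi in zip(points, z))
    syz = sum(y * zi for (_, y), zi in zip(points, z))
    D, E, F = _solve3([[sxx, sxy, sx], [sxy, syy, sy], [sx, sy, len(points)]],
                      [-sxz, -syz, -sz])
    cx, cy = -D / 2.0, -E / 2.0
    return cx, cy, math.sqrt(cx * cx + cy * cy - F)


if __name__ == "__main__":
    # Constructed sample: three points picked on a circle of radius 5 around (3, 4).
    print(circle_from_three_points((8, 4), (3, 9), (-2, 4)))
    # Six points on the same circle: the fit recovers (3, 4, 5).
    print(fit_circle([(8, 4), (3, 9), (-2, 4), (3, -1), (0, 0), (6, 8)]))
```

Pixel coordinates go straight in; the returned centre is then checked against the image the same way the post does, by seeing what sits at that pixel. If the three points you can find are close together on a large circle, the centre estimate is very sensitive to a one-pixel error in any of them, which is the practical reason to prefer the fit over more, more widely spaced points when the curve allows it.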
An Inconclusive Conclusion
Normally when I evaluate photos for my blog, there is a clear result. But in this case, we have an unknown picture of unknown origins that was significantly post-processed and repeatedly passed around. It did not come from an authoritative source — in fact, I cannot identify any authoritative source.
Does this prove that the document is fake? No. But it also doesn’t prove that it is real. In this case, I don’t think this digital picture proves anything. If it is fake, then there are so many modifications and resaves and iterations that I cannot detect any intentionally deceptive alterations. If it is real, then the modifications and resaves obscure the fact. And since I cannot trace it to an authoritative source, I cannot even set a baseline for evaluating the picture.
As an analogy to pulling clues out of images, consider tracking someone’s footprints on the ground. If the soil is soft and retains shape (like a recently plowed field), then you can probably see every detail about each footstep and even identify the shoe’s tread. A JPEG resave is like a light rain — it obscures some of the details. Multiple resaves are like a heavy rain — you may see the footsteps but none of the details. But evaluating a picture that has been spliced together, aggressively post-processed, repeatedly resaved, and is at a low quality? That’s like tracking footsteps along a sandy beach during a hurricane — you will be lucky if you can find any footprints at all.
About 0.2% of all SSL certificates are forged. This is the first time I’ve ever seen a number based on real data. News article:
Of 3.45 million real-world connections made to Facebook servers using the transport layer security (TLS) or secure sockets layer protocols, 6,845, or about 0.2 percent of them, were established using forged certificates.
At what point does a trend become an annual event? Shortly after starting FotoForensics, we noticed an odd trend in specific content being uploaded to the site. A year later, we saw a rise in the same type of content. And this year? We’re seeing that same type of content ramp up again.
What kind of content are we seeing this time of year, every year? Fake diplomas.
Wish You Were Here
It isn’t like these fake diplomas are coming from one specific country. It’s really from schools all over the world. The only consistency seems to be the person listed on the diploma: he or she is usually a foreign student. That is, foreign with regards to where the school is located. For example, he may be Canadian and getting a degree from a school in Germany. Or he’s from Saudi Arabia, attending a school in the Philippines, or she’s from China and attending a school in France.
One clever friend of mine wasn’t surprised when I first told him about this trend. He explained to me a scam that had been going on for decades. (How naïve of me to have not known about it!) It goes something like this:
Mom and Dad send Junior to a foreign school for a good education. After a semester or two, Junior drops out and decides to just live off of the “tuition” his parents keep sending.
After about four years of living the easy life, it’s time to “graduate”. Junior mocks up a fake diploma and sends it to Mom and Dad. Since the parents cannot attend the graduation, Junior returns home and nobody questions his new degree.
There’s actually an entire underground industry based on providing fake diplomas. For a fee, Junior can buy a paper diploma that looks like it came from his school of choice. For more money, Junior can get a real diploma that has been whitewashed and the name has been changed. For a lesser fee, Junior can just pay someone to make a fake JPEG of a diploma that he can email to his parents. And if Junior is really cheap, he can make the forgery himself.
All of this works well for Junior, as long as:
- Mom and Dad don’t try to attend the graduation. (“I’m sorry mother, but the school ran out of tickets to the graduation ceremony.”)
- Mom and Dad don’t contact the school and ask for verification that Junior graduated. (Seriously, if his parents trust him enough to go to a foreign school, why would they ever question the diploma?)
- None of Junior’s friends do something stupid that tips off the parents. (“Text to Billy: So did your parents fall for the fake diploma?” Let’s hope Mom isn’t looking at Billy’s phone as she snoops around for details about his new “girlfriend”.)
- Junior has a run-in with the local law and gets deported before graduation for violating his expired education visa.
- Mom and Dad receive an email with the JPEG. For fun, they upload it to FotoForensics. Suddenly, Junior has some explaining to do…
The same type of scam can work with employers. For example, you need a degree to get a good job. So… you claim that your degree is from some foreign school and you provide a fake JPEG of your diploma. It would be costly for the employer to contact a foreign school (most schools require a fee to verify a student’s graduation status), so employers just assume that the JPEG represents a real degree.
In The Flesh?
Some of the fake diplomas are clearly being uploaded by people involved in the manufacturing process. A few people have uploaded multiple revisions in an effort to evade detection. In other cases, the date on the fake diploma is still a few weeks away. (If only Junior put this type of advanced planning effort into getting the actual degree…)
However, I think that parents and employers are also uploading suspicious diplomas that they receive. These documents are past the graduation date and the user only uploads one file. Also, I have seen some JPEGs that I believe represent real diplomas. However, “real” is a definite minority compared to the flood of fakes that we are seeing.
Most of the fakes are for technical degrees: computers, engineering, “science”. I have only seen a few diplomas for medical degrees, and most of those appear to be real. Ironically, I haven’t seen anyone try to get a fake degree in Art History or Ethnomusicology.
Signs of Life
I really wanted to post a couple of fake diplomas along with this blog entry. Unfortunately, the diplomas contain the names of real people. And in every instance I checked, I could easily find the person online — on Facebook, Twitter, LinkedIn, etc. Seriously, I just typed their name and the school’s name into Google, and the specific people come right up! So for their privacy, I won’t post links to their fake diplomas. While FotoForensics is a public site, pictures don’t make the trending page unless they go viral. Unless someone publicly posts the fake diploma, I won’t be posting it.
(However, I will mention one person that I saw. I really liked this guy’s bravado. His public Facebook page had comments from his friends like, “I’m sorry you couldn’t attend the graduation” and “We’ll come back to visit when you graduate!” Yeah… there’s a doctored up diploma for a fake master’s degree with his name on it. According to that JPEG, he graduated with everyone else.)
This trend is not just with diplomas. Every semester I see a short burst of elementary school, high school and college transcripts. Usually it’s something simple, like changing a “C” to an “A” or a “3” to a “5”. But other times, the grades are all correct — just the name has been changed.
For all of these aspiring graduates, I have some words of advice:
- If you’re going to change a grade, then be sure to also recompute the GPA. (And if you don’t know how to recompute the GPA, then maybe there is a reason you got that math grade.)
- If you’re going to claim to have a degree from a school, then make sure that the school actually offers that degree!
- Graduations happen on specific dates. Get the date right.
- Spell-check. Use it.
- Those people who signed the diploma are not just random names. Make sure the name is correct. (I’ve seen fake diplomas where the University’s President was wrong, or even reflected a guy who had been dead for years.)
- Match the font! (Sorry, but this is just a big pet peeve with me. Comic Sans is only used at clown schools — no offense to any real clowns who read my blog.)
You get what you pay for. A $20 diploma will only work if you have extremely trusting and gullible parents. For the cost and effort to make a perfect forgery, you might as well get the actual degree.
And for those people who are offended at this easy way to get a higher education… Watch out for your friends who ask for a picture of your diploma. “I just want to see it” is a big clue.
Becoming the first impressioning world champion really paved the way to become a full time lock-professional. After that I left my comfort zone and signed a contract with Lockmasters Technologies, Inc in 2012. I am one of their European distributors and assist them in any way I can (working from Amsterdam). So far it has been a dream come true.
Besides the work for Lockmasters Technologies, Inc I run some lock-related classes from Amsterdam (and on location in Europe) with my private company Wels Security Solutions / Lock-Experts.com.
Last but not least my company “intact locksmith services” opens doors, safes and cars in a non-destructive way. In reality I forward a lot of the intact support calls to locksmith colleagues that do have time to take the job. So working for Intact has my lowest priority but is a nice way to keep my skills sharp and stay in touch with what happens in the real world.
I could never have come this far without the help of my friends in the locksport community. I am very fortunate with the friends I have made over the years. And I am happy to see that others have made the step to the lock industry as well. Just to name two: Han Fey and Dr. Torsten Quast are now working for Assa Abloy, the largest lock manufacturer in the world. It is my belief that many “lock enthusiasts” will follow…
I decided to transfer my Toool (NL) leadership position in 2013. New Toool president Walter Belgers and vice president Jos Weyers are perfect for the job and have my full trust and support.
One of the things they did is to extend LockCon by one full day. The dates for the three day event are: September 19/20/21. This is the weekend before the security show in Essen (to encourage international travelers to come). The extra day will be used for more presentations and workshops and I am already looking forward to attending it. The LockCon request for talks / presentations is open.
The end of an era
All good things come to an end and so does this weblog. This is the last post before it closes.
This does not mean I will be completely off the radar. Lockmasters Technologies, Inc just started a newsletter that I am contributing to. I am sure you will enjoy some of the articles there.
And there is the regularly updated “Intact locksmith services” facebook site for you to visit and “like” (thank you!).
I have not made up my mind what to do with BlackBag’s content. If you want to capture any of the information: the blog will be at least up until September and I will make a decision after that.
Thank you for your interest and support over the years.
Feel free to contact me for anything related to locks and security.
Blackbag signing out.
Due to the bad weather conditions, the race is cancelled. Expect further information soon about the date on which it will be held.
For the fourth consecutive year, amateur cyclists will be able to take part in the „КолелоТУ” bicycle race in Sofia. The competition is organised by the Student Council of the Technical University and is supported by Sofia Municipality. The event, which is part of the “Green Month” project, will take place on 13 May from 13:00 to 18:00 in South Park.
Participants will be divided into two categories, men and women, and will have to complete a pre-set route. The start is a mass start and times will be recorded. The course is mixed, containing both cross-country elements and a harder “all-mountain” stage. The first three men and the first three women will receive prizes.
The organisers’ idea is once again to encourage “green” thinking. Interest in the event keeps growing, and every subsequent year it gathers more followers. The aim of „КолелоТУ 4.0”, like its previous editions, is to promote outdoor sport, emphasising this easy, ecological and healthy means of getting around: cycling.
For more information, visit the event’s Facebook page.
We put this video up on our various social media sites earlier in the week (here’s our Facebook page, if you’re not familiar with it yet: we’re also on G+ and Twitter if you’d like to chat), but so many of you have emailed me about it since then that I’m giving it a spot here, too. Ume.net are a Swedish broadband provider, and they conducted this experiment to demonstrate just how sucky lag would be if you had to put up with it in real life, using an Oculus Rift headset and a Raspberry Pi. In the end, this is just a piece of advertising: but it’s a beautifully realised project which made us laugh, and if my inbox is anything to go by, it seems that a lot of you liked it too. Enjoy!
When humorous stories go viral, I like to track down the source. For me, part of the fun is just the exercise of tracking content online. But I also find it fascinating to see how stories change as they propagate. Since viral stories spread over time, it is best to start tracking as soon as you hear the story.
Last week, I heard a story about a police dog that was being passed around. According to Viralnova:
The law is a tricky beast to tackle. Trials, witnesses, evidence and precedent are all part of a complicated system that should hopefully result in justice. Sometimes, there are misunderstandings and difficult waters to navigate. But what happened to the West Midlands Police Department was absolutely ridiculous.
The Crown Prosecution Service (CPS) repeatedly contacted the department, hoping to get an account of an altercation from Officer PC Peach. PC Peach was unavailable to give a statement, but that didn’t stop the CPS. Neither did the fact that Officer Peach is a K9 officer. Frustrations were mounting on each side, so the department gave in and sent the following statement:
Although it was meant as a joke, The Professional Standards Department will be investigating the police department after the false statement. Obviously, someone should be examining the prosecutors who couldn’t understand why a German Shepherd couldn’t give a statement.
Share PC Peach’s hilarious statement with others. (Good dog!)
(I don’t mind block-quoting almost their entire article since they say to share the statement with others.)
This story has everything: a funny statement, attorneys, police, and a dog! When I first read it, I thought, “I don’t care if it’s fake! This is funny!” But it would be funnier if it was real. I immediately started tracking it…
Viralnova did not initiate this story. Their story is dated 21-Apr-2014 and has the comment “(H/T Metro.co.uk)”. Their hyperlink goes to the Metro — a news/tabloid in the UK.
The Metro’s link does contain the story. However, it is dated 18-Feb-2013 — more than a year earlier. If you look at the picture, you can see that “the dog” dated the report 8-Feb-2013. This viral story isn’t recent. Here’s the Metro’s article:
West Midlands Police could be in the doghouse after someone from the force filled out a form in the guise of one of their police dogs, Peach.
The faux statement was brief and said: ‘I chase him. I bite him. Bad man. He tasty. Good boy. Good boy Peach.’
It also came complete with a ‘signature’ from the Alsatian, which was a print of its paw.
It was reportedly written in response to a barrage of requests from the Crown Prosecution Service (CPS) for an account from PC Peach on a matter, the Daily Mail reports.
Officers are said to have become frustrated after they continually told the law service Peach was a dog but were not listened to.
But it seems the joke report may have consequences as the force is now being looked at.
‘The matter will be investigated,’ DCI Julian Harper, from West Midlands Police, told Huffington Post UK.
‘The Professional Standards Department are looking into this, early enquiries suggest it is a light-hearted exchange as a result of a misunderstanding around a police dog and a police officer.’
This version of the story repeats the same basic elements. The CPS submitted multiple requests for the dog’s statement, and seemed to ignore the police department’s response that “Officer Peach” is a dog and cannot provide a written statement. It says that the police are being investigated for providing a false statement.
The Metro includes the same photo, with the caption “The statement with a ‘signature’ from the pooch, which was a print of its paw (Picture: Twitter)”. I have an ongoing complaint with how Twitter shares pictures. Twitter resaves all images at a low quality and strips out all metadata but retains any color profile information. This Twitter attribute provides a known expectation for the picture (I should not expect to see metadata). If the picture matches the expectation, then it supports the claim. However, if the picture deviates from the expectation, then we can identify an inconsistency.
In this case, this “picture from Twitter” does, in fact, contain metadata. That means that the cited source is incorrect — this picture did not come from Twitter. The metadata contains an Adobe color profile (so it was processed by some kind of Adobe product) and the comment “Taken by pej from Dailymail online”. Although the Metro says that they got the picture from Twitter, they actually took it from the Daily Mail.
The text in the Metro’s article also cites the Daily Mail:
It was reportedly written in response to a barrage of requests from the Crown Prosecution Service (CPS) for an account from PC Peach on a matter, the Daily Mail reports.
So far, it looks like Viralnova saw a story at the Metro, and didn’t notice that it was old. The Metro, in turn, wrote a story about a story that they saw at the Daily Mail.
Although the Metro doesn’t link to the Daily Mail (probably because they don’t want to link to a competitor), the source article wasn’t too hard to find. I just searched Google for the dog’s name at the Daily Mail. The source article came right up.
The Daily Mail’s article contains an update note. It was first published at 17:54 EST on 16 February 2013, but was updated two days later, at 03:06 EST, 18 February 2013. This update predates the Metro’s article by nearly 10 hours. (We can safely assume that the Daily Mail’s updated text was the source for the Metro’s article since newsrooms typically don’t sit on stories like this for hours. They write it, review fast, and publish. If there was any delay, then the turnaround was likely on the order of 2-4 hours total. This wouldn’t be a >10-hour delay.)
Here’s the first few paragraphs of the Daily Mail’s report:
Police are under investigation for jokingly filling in a witness statement in the name of a force dog.
Officers became exasperated when prosecutors asked for an account of a crime from a ‘PC Peach’, not realising Peach was the name of a police dog.
So they completed the form as if it had been written by the alsatian, and signed it with a paw print.
The dog’s statement read: ‘I chase him. I bite him. Bad man. He tasty. Good boy. Good boy Peach.’
The form was pinned up at a West Midlands Police station last week for the amusement of colleagues, who are often at odds with the Crown Prosecution Service (CPS) over the handling of cases.
The Daily Mail’s report contains a number of significant differences:
- The Daily Mail never describes the request for the dog’s statement as a “barrage” (Metro) or “repeatedly contacted” (Viralnova). In fact, the Daily Mail makes it sound like there was only one request for a statement from Officer Peach (the dog).
- According to the Daily Mail, the fake statement was never submitted to the court, as claimed by the Metro and Viralnova. The Daily Mail says it was filled out as a joke and “pinned up” at the police station so everyone could enjoy the joke.
- The article at the Daily Mail says that the joke went public when someone took a photo of the statement and posted it to a “‘cop humour’ page on Facebook”. From Facebook, it went to Twitter.
- The article does say that the CPS asked for an investigation: “The CPS, however, failed to see the funny side. Officials are believed to have complained to police that their mistake has been turned into a very public joke.” The report says that the investigation was not for filing a false witness statement, as claimed by the Metro and Viralnova. The investigation was in regards to filling out a witness form as a joke and having it posted online — in violation of “new guidelines” about posting things online that went into effect a week earlier. The Daily Mail also points out that “Sources say [the officer] is unlikely to be reprimanded.”
At this point in the tracking, we can be pretty certain that Viralnova paraphrased the story from the Metro, and the Metro loosely based their reporting on the Daily Mail’s story. We can also be pretty certain that the Metro got key facts wrong in their story.
Now we have to see if any of the statements in the Daily Mail’s story match up with the facts. The Daily Mail claims that the picture started at Facebook and was then passed around on Twitter. I managed to find one of the early tweets that feature this picture. This particular tweet was sent on 15 Feb 2013 — one day before the Daily Mail’s article first came out.
I mentioned that Twitter strips metadata but retains color transformation information. The picture from Twitter looks exactly as expected. The metadata has been stripped (no camera information, timestamps, comments, etc.) but it retains the original ICC color profile. In this case, the color profile says, “Profile Copyright: FB” — that’s Facebook. This means that the picture went from Facebook to Twitter. This detail precisely matches the information provided by the Daily Mail.
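The two checks used above (a Twitter resave should carry no EXIF or comment segments but may still carry an ICC profile, and the profile’s copyright string tells you where it was last written) can be automated by walking the JPEG marker segments. The following is an added example written for this post, not a tool from the original article or from FotoForensics: it parses the APP1/Exif, COM and APP2/ICC_PROFILE segments of a JPEG, reads the ICC `cprt` tag, and reports whether the file matches the “came from Twitter” expectation. The two sample files are constructed in the script itself with a minimal hand-built ICC profile (the `"FB"` copyright and the “Taken by pej from Dailymail online” comment are the values quoted in the post; everything else, including the helper names, is an assumption of this example).

```python
import struct

# --- JPEG segment walker -------------------------------------------------

def iter_segments(data: bytes):
    """Yield (marker, payload) for each marker segment before SOS/EOI."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI marker)")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        if marker in (0xD9, 0xDA):          # EOI or SOS: header metadata ends here
            return
        if pos + 4 > len(data):
            raise ValueError("truncated segment header")
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if length < 2 or pos + 2 + length > len(data):
            raise ValueError("truncated segment body")
        yield marker, data[pos + 4:pos + 2 + length]
        pos += 2 + length


def icc_copyright(profile: bytes):
    """Return the text of the ICC 'cprt' tag ('text' or 'mluc' typed), or None."""
    if len(profile) < 132 or profile[36:40] != b"acsp":
        return None
    count = struct.unpack(">I", profile[128:132])[0]
    for i in range(count):
        entry = profile[132 + 12 * i:144 + 12 * i]
        if len(entry) < 12:
            break
        sig, off, size = struct.unpack(">4sII", entry)
        if sig != b"cprt":
            continue
        tag = profile[off:off + size]
        if tag[:4] == b"text":              # ASCII, NUL-terminated
            return tag[8:].split(b"\0", 1)[0].decode("ascii", "replace")
        if tag[:4] == b"mluc":              # first UTF-16BE record only
            nrec = struct.unpack(">I", tag[8:12])[0]
            if nrec == 0:
                return None
            strlen, stroff = struct.unpack(">II", tag[20:28])
            return tag[stroff:stroff + strlen].decode("utf-16-be", "replace")
        return None
    return None


def inspect_jpeg(data: bytes) -> dict:
    """Summarise the metadata-bearing segments the post relies on."""
    report = {"exif": False, "comments": [], "icc_copyright": None}
    chunks = {}
    for marker, payload in iter_segments(data):
        if marker == 0xE1 and payload.startswith(b"Exif\x00\x00"):
            report["exif"] = True
        elif marker == 0xFE:                                   # COM segment
            report["comments"].append(payload.decode("latin-1"))
        elif marker == 0xE2 and payload.startswith(b"ICC_PROFILE\x00"):
            seq = payload[12]                                  # chunk index (1-based)
            chunks[seq] = payload[14:]                         # skip index + total bytes
    if chunks:
        profile = b"".join(chunks[k] for k in sorted(chunks))
        report["icc_copyright"] = icc_copyright(profile)
    return report


def consistent_with_twitter(report: dict) -> bool:
    """Twitter resaves strip EXIF and comments but keep the ICC profile."""
    return not report["exif"] and not report["comments"]


# --- constructed sample files (hypothetical helpers, not real captures) -----

def build_icc_profile(copyright_text: str) -> bytes:
    """Minimal ICC profile: 128-byte header, one 'cprt' tag of type 'text'."""
    tag = b"text" + b"\0" * 4 + copyright_text.encode("ascii") + b"\0"
    header = bytearray(128)
    header[36:40] = b"acsp"
    body = struct.pack(">I", 1) + struct.pack(">4sII", b"cprt", 144, len(tag)) + tag
    profile = bytes(header) + body
    return struct.pack(">I", len(profile)) + profile[4:]   # patch in profile size


def segment(marker: int, payload: bytes) -> bytes:
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload


def build_sample(icc_copyright=None, comment=None, exif=False) -> bytes:
    parts = [b"\xff\xd8"]
    if exif:  # empty TIFF header: big-endian, zero IFD entries
        parts.append(segment(0xE1, b"Exif\x00\x00" + b"MM\x00\x2a\x00\x00\x00\x08" + b"\0" * 6))
    if icc_copyright is not None:
        parts.append(segment(0xE2, b"ICC_PROFILE\x00" + bytes([1, 1]) + build_icc_profile(icc_copyright)))
    if comment is not None:
        parts.append(segment(0xFE, comment.encode("latin-1")))
    parts.append(b"\xff\xd9")  # EOI; no frame/scan data in this constructed sample
    return b"".join(parts)


TWITTER_LIKE = build_sample(icc_copyright="FB")
METRO_LIKE = build_sample(icc_copyright="constructed: Adobe-style profile",
                          comment="Taken by pej from Dailymail online")

if __name__ == "__main__":
    for name, blob in (("twitter", TWITTER_LIKE), ("metro", METRO_LIKE)):
        rep = inspect_jpeg(blob)
        print(name, rep, "consistent with Twitter:", consistent_with_twitter(rep))
```

On a real file, read it with `open(path, "rb").read()` and pass the bytes to `inspect_jpeg`; the sample builder only exists so the script runs offline. The walker stops at the SOS marker because the post’s checks only concern header metadata, and a multi-chunk ICC profile is reassembled in chunk order before the `cprt` tag is read.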
I have not contacted the West Midlands Police to verify the details from the Daily Mail’s article. However, their details about how the picture was passed around match the details in the picture. The Daily Mail’s article also names a police officer: PC Mark Tissington. Every police officer I know has appeared in some article at one time or another. I found another article — from 2010 — that mentions the same officer. It associates him with the West Midlands Police. This makes two key details that we can verify as being correct. If they got these right and nothing else stands out as incorrect, then I have no reason to doubt the rest of the article.
Unfortunately, we cannot easily compare the article to different news sources because independent sources may still evolve the story as it is retold. For example, Yahoo News has a similar story to the Metro’s version. It’s about the same dog. Yahoo’s article claims that the CPS insisted on hearing from the witness, so the handler wrote the fake witness statement. While they don’t explicitly say it, their next paragraph says that the CPS was not amused by the prank. This implies that the CPS were handed the fake document.
Yahoo News cites the UK Telegraph. The Telegraph’s article has the correct information, including the detail that it was “pinned to the wall at West Midlands Police Station, much to the amusement of colleagues.” The Telegraph even mentions that the picture appeared on Facebook and on Twitter, and the CPS did not enjoy the publicity of their mistake.
However, the Telegraph also includes an unattributed quote that mentions repeated requests. We don’t know who made this statement. Did this quote come from the police department, or from someone who is unauthoritative and just making the picture viral on Facebook or Twitter? As an unattributed quote, there is nothing to suggest that it represents any facts. Moreover, their next two paragraphs cite comments on Facebook. Personally, I don’t give any factual credibility to anything written in the comments on Facebook by anonymous sources.
“They were told several times Peach was actually a police dog but insisted on a written statement so the case handler sent them this.”
One Facebook user wrote: “Typical of the CPS being dogmatic about getting statements from literally everyone present! I bet they are woofing it down!”
And another asked: “Does CPS stand for Clown Prosecution Service?”
The CPS, however, failed to see the funny side and complained to the police that their mistake had been turned into a very public joke.
While the Telegraph does repeat some of the facts mentioned in the Daily Mail’s article, they also quote anonymous comments that they saw on Facebook. Just because someone wrote it on Facebook does not mean it is true. This calls into question all of the other unidentified sources used in the Telegraph’s article. Did they actually research anything, or are they just parroting anonymous comments from social networks?
There are a couple of things that can be concluded from this example. First, just because it goes viral today doesn’t mean that it is recent. Viral stories periodically resurface. This picture, which surfaced last week, was actually from over a year ago.
Second, if there is one thing clearly wrong in a news report, then that is probably not the only thing wrong with the report. (This goes back to my ‘Just One’ Principle — it’s never just one thing.) In this case, we found that the picture was misattributed. Tracking the actual source identified other incorrect facts in the Metro’s article.
Third, this humorous story about a dog shows some very sloppy journalistic practices. Between Viralnova, Metro, Yahoo News, and the Telegraph, we see news reports that failed to notice dates, forgot to validate facts, misattributed sources, and quoted obviously non-authoritative sources. We can even see how the story changes as it gets passed from one news outlet to another. If they can be wrong about a simple dog story, then how can we know that their more serious news articles are accurate?
Finally, even though it is over a year old, the story makes it appear that the Crown Prosecution Service really needs to lighten up. If they made a mistake by requesting a statement from a dog, then they should just learn to laugh at it. I mean, it may be a year old, but this story is really funny.
Am I over-reaching here? Maybe, but hear me out. I would submit that social media really is indeed changing everything. Today we see nods to the socialsphere all around us – on TV, on product packaging, on food, on your arm, on billboards, on vehicles … I could keep going. Listen to nearly any conversation…