Posts tagged ‘Facebook’

SANS Internet Storm Center, InfoCON: green: How to hack, (Tue, Sep 1st)

This post was syndicated from: SANS Internet Storm Center, InfoCON: green and was written by: SANS Internet Storm Center, InfoCON: green. Original post: at SANS Internet Storm Center, InfoCON: green

Agreed, this information is not overly useful. These hacks are basically on the opposite end of the threat scale from the over-hyped Advanced Persistent Threat (APT). Let's call it the Basic Sporadic Annoyance (BSA), just to come up with a new acronym :).

The BSAs still tell us though what average wannabe hackers seem to be interested in breaking into, namely: websites, online games, wifi and phones. Cars, pacemakers, fridges and power plants are not on the list, suggesting that these targets are apparently not yet popular enough.

Being fully aware of the filter bubble (https://en.wikipedia.org/wiki/Filter_bubble), we had several people try the same search, and they largely got the same result. Looks like Facebook really IS currently the main wannabe hacker target. But Facebook doesn't need to worry all that much, because if you just type "How to h", the suggestions reveal that other problems are even more prominent than hacking Facebook.

If your results (of the "how to hack" query, not the latter one) differ significantly, please share in the comments below. Updated to add: Thanks, we have enough samples now :)

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

TorrentFreak: Tech Giants Want to Punish DMCA Takedown Abusers

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

Every day copyright holders send millions of DMCA takedown notices to various Internet services.

Most of these requests are legitimate, aimed at disabling access to copyright-infringing material. However, there are also many overbroad and abusive takedown notices which lead to unwarranted censorship.

These abuses are a thorn in the side of major tech companies such as Google, Facebook and Microsoft. These companies face serious legal consequences if they fail to take content down, but copyright holders who don’t play by the rules often walk free.

This problem is one of the main issues highlighted in a new research report (pdf) published by the CCIA, a trade group which lists many prominent tech companies among its members.

The report proposes several changes to copyright legislation that should bring it in line with the current state of the digital landscape. One of the suggestions is to introduce statutory damages for people who abuse the takedown process.

“One shortcoming of the DMCA is that the injunctive-like remedy of a takedown, combined with a lack of due process, encourages abuse by individuals and entities interested in suppressing content,” CCIA writes.

“Although most rightsholders make good faith use of the DMCA, there are numerous well-documented cases of misuse of the DMCA’s extraordinary remedy. In many cases, bad actors have forced the removal of material that did not infringe copyright.”

The report lists several examples, including DMCA notices which are used to chill political speech by demanding the takedown of news clips, suppress consumer reviews, or retaliate against critics.

Many Internet services are hesitant to refuse these types of takedown requests, as it may cause them to lose their safe harbor protection, while the abusers themselves don’t face any serious legal risk.

The CCIA proposes to change this by introducing statutory damage awards for abusive takedown requests. This means that the senders would face the same consequences as the copyright infringers.

“To more effectively deter intentional DMCA abuse, Congress should extend Section 512(f) remedies for willful misrepresentations under the DMCA to include statutory awards, as it has for willful infringement under Section 504(c),” CCIA writes.

In addition to tackling DMCA abuse the tech companies propose several other changes to copyright law.

One of the suggestions is to change the minimum and maximum statutory damages for copyright infringement, which are currently $750 and $150,000 per work.

According to the CCIA the minimum should be lowered to suit cases that involve many infringements, such as a user who hosts thousands of infringing works on a cloud storage platform.

The $150,000 maximum, on the other hand, is open to abuse by copyright trolls and rightsholders who may use it as a pressure tool.

The tech companies hope that U.S. lawmakers will consider these and other suggestions put forward in the research paper, to improve copyright law and make it future proof.

“Since copyright law was written more than 100 years ago, the goal has been to encourage creativity to benefit the overall public good. It’s important as copyright is modernized to ensure that reforms continue to benefit not just rightsholders, but the overall public good,” the CCIA concludes.

Source: TorrentFreak, for the latest info on copyright, file-sharing, torrent sites and ANONYMOUS VPN services.

Backblaze Blog | The Life of a Cloud Backup Company: TurboTax Ends Backup to Cloud Service

This post was syndicated from: Backblaze Blog | The Life of a Cloud Backup Company and was written by: Andy Klein. Original post: at Backblaze Blog | The Life of a Cloud Backup Company

In early 2015 a limited number of customers who used the TurboTax® desktop software were offered the opportunity to save their 2014 tax returns in the TurboTax cloud – for free. In early July, TurboTax decided to end their “Backup to Cloud” pilot program and sent those users an email notifying them that the program was ending. TurboTax gave the users until July 21st to download their tax returns, then TurboTax shut down the Backup to Cloud service.

Why this matters

If you are one of the people who used TurboTax’s Backup to Cloud service to back up your 2014 tax returns, you can no longer retrieve your tax returns from the TurboTax cloud. Instead, TurboTax has posted instructions on its website on how to obtain from the IRS a summary of your tax returns for free and/or your complete tax return for $50.

Why did they end the service?

In an article from the New York Times, a representative from TurboTax stated this was an experiment to see the demand for such a service. They concluded there was not currently enough demand and halted the service.

Are your tax returns really gone?

If you were one of the people who used the Backup to Cloud service from TurboTax and did not download your tax return files before the deadline, you’ll have to locate them elsewhere. Start with the laptop or desktop on which you used the TurboTax desktop software to prepare your return; there should be a local copy of your return stored on that system. If that doesn’t work, here are some other places to look:

  1. Backblaze or a similar automatic online backup service.
  2. Your Dropbox folder, if you copied/saved your tax returns there.
  3. Google Drive or a similar cloud service, if you copied/saved your tax returns there.
  4. An external hard drive used for automatic backup (Time Machine, Windows Backup, etc.)
  5. An external hard drive that you manually copied/saved your tax return files to.
  6. An email you sent to someone with your tax return files attached. Check your sent folder or ask the recipient if they still have the email message with the files.
  7. A USB stick, DVD, CD, etc. that you may have copied/saved your tax return files to.

3-2-1 Backup

Today more and more applications running on your computer offer to store your data “in their cloud”. You can take advantage of this type of service, but remember the 3-2-1 backup model. In short: besides the copy of data you have stored with a cloud service, have two or more copies of your tax returns, Google Docs, Facebook pics, etc. stored somewhere else.

Check out the Backblaze computer backup guide if you need help creating a 3-2-1 Backup plan.


The post TurboTax Ends Backup to Cloud Service appeared first on Backblaze Blog | The Life of a Cloud Backup Company.

Krebs on Security: Who Hacked Ashley Madison?

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

AshleyMadison.com, a site that helps married people cheat and whose slogan is “Life is Short, have an Affair,” recently put up a half million (Canadian) dollar bounty for information leading to the arrest and prosecution of the Impact Team — the name chosen by the hacker(s) who recently leaked data on more than 30 million Ashley Madison users. Here is the first of likely several posts examining individuals who appear to be closely connected to this attack.

It was just past midnight on July 20, a few hours after I’d published an exclusive story about hackers breaking into AshleyMadison.com. I was getting ready to turn in for the evening when I spotted a re-tweet from a Twitter user named Thadeus Zu (@deuszu) who’d just posted a link to the same cache of data that had been confidentially shared with me by the Impact Team via the contact form on my site just hours earlier: it was a link to the proprietary source code for Ashley Madison’s service.

Initially, that tweet startled me because I couldn’t find any other sites online that were actually linking to that source code cache. I began looking through his past tweets and noticed some interesting messages, but soon enough other news events took precedence and I forgot about the tweet.

I revisited Zu’s tweet stream again this week after watching a press conference held by the Toronto Police (where Avid Life Media, the parent company of Ashley Madison, is based). The Toronto cops mostly recapped the timeline of known events in the hack, but they did add one new wrinkle: They said Avid Life employees first learned about the breach on July 12 (seven days before my initial story) when they came into work, turned on their computers and saw a threatening message from the Impact Team accompanied by the anthem “Thunderstruck” by Australian rock band AC/DC playing in the background.

After writing up a piece on the bounty offer, I went back and downloaded all five years’ worth of tweets from Thadeus Zu, a massively prolific Twitter user who typically tweets hundreds if not thousands of messages per month. Zu’s early years on Twitter are a catalog of simple hacks — commandeering unsecured routers, wireless cameras and printers — as well as many, many Web site defacements.

On the defacement front, Zu focused heavily on government Web sites in Asia, Europe and the United States, and in several cases even taunted his targets. On Aug. 4, 2012, he tweeted to KPN-CERT, a computer security incident response team in the Netherlands, to alert the group that he’d hacked their site. “Next time, it will be Thunderstruck. #ACDC” Zu wrote.

The day before, he’d compromised the Web site for the Australian Parliament, taunting lawmakers there with the tweet: “Parliament of Australia bit.ly/NPQdsP Oi! Oi! Oi!….T.N.T. Dynamite! Listen to ACDC here.”

I began to get very curious about whether there were any signs on or before July 19, 2015 that Zu was tweeting about ACDC in relation to the Ashley Madison hack. Sure enough: At 9:40 a.m., July 19, 2015 — nearly 12 hours before I would first be contacted by the Impact Team — we can see Zu is feverishly tweeting to several people about setting up “replication servers” to “get the show started.” Can you spot what’s interesting in the tabs on his browser in the screenshot he tweeted that morning?

Twitter user ThadeusZu tweets about setting up replication servers. Did you spot the Youtube video he’s playing when he took this screenshot?

Ten points if you noticed the Youtube.com tab showing that he’s listening to AC/DC’s “Thunderstruck.”

A week ago, the news media pounced on the Ashley Madison story once again, roughly 24 hours after the hackers made good on their threat to release the Ashley Madison user database. I went back and examined Zu’s tweet stream around that time and found he beat Wired.com, ArsTechnica.com and every other news media outlet by more than 24 hours with the Aug. 17 tweet, “Times up,” which linked to the Impact Team’s now infamous post listing the sites where anyone could download the stolen Ashley Madison user database.

ThadeusZu tweeted about the downloadable Ashley Madison data more than 24 hours before news outlets picked up on the cache.

WHO IS THADEUS ZU?

As with the social networking profiles of others who’ve been tied to high-profile cybercrimes, Zu’s online utterings appear to be filled with kernels of truth surrounded by complete malarkey, thus making it challenging to separate fact from fiction. Hence, all of this could be just one big joke by Zu and his buddies. In any case, here are a few key observations about the who, what and where of Thadeus Zu based on information he’s provided (again, take that for what it’s worth).

Zu’s Facebook profile wants visitors to think he lives in Hawaii; indeed, the time zone set on several of his social media accounts is the same as Hawaii. There are a few third-party Facebook accounts of people demonstrably living in Hawaii who tag him in their personal photos of events on Hawaii (see this cached photo, for example), but for the most part Zu’s Facebook account consists of pictures taken from stock image collections that do not appear to be personal photos of any kind.

A few tweets from Zu — if truthful and not simply premeditated misdirection — indicate that he lived in Canada for at least a year, although it’s unclear when this visit occurred.

Zu’s various Twitter and Facebook pictures all feature hulking, athletic, and apparently black male models (e.g. he’s appropriated two profile photos of male model Rob Evans). But Zu’s real-life identity remains murky at best. The lone exception I found was an image that appears to be a genuine group photo taken of a Facebook user tagged as Thadeus Zu, along with an unnamed man posing in front of a tattoo store with popular Australian (and very inked) model/nightclub DJ Ruby Rose.

That photo is no longer listed in Rose’s Facebook profile, but a cached version of it is available here. Rose’s tour schedule indicates that she was in New York City when that photo was taken, or at least posted, on Feb. 6, 2014. Zu is tagged in another Ruby Rose Facebook post five days later on Valentine’s Day.

Other clues in his tweet stream and social media accounts put Zu in Australia. Zu has a Twitter account under the Twitter nick @ThadeusZu, which has a whopping 11 tweets, but seems rather to have been used as a news feed. In that account Zu is following some 35 Twitter accounts, and the majority of them are various Australian news organizations. That account also is following several Australian lawmakers that govern states in south Australia.

Then again, Twitter auto-suggests popular accounts for new users to follow, and usually does so in part based on the Internet address of the user. As such, @ThadeusZu may have only been using an Australian Web proxy or a Tor node in Australia when he set up that account (several of his self-published screen shots indicate that he regularly uses Tor to obfuscate his Internet address).

Even so, many of Zu’s tweets going back several years place him in Australia as well, although this may also be intentional misdirection. He continuously references his “Oz girl” (“Oz” is another word for Australia), uses the greeting “cheers” quite a bit, and even talks about people visiting him in Oz.

Interestingly, for someone apparently so caught up in exposing hypocrisy and so close to the Ashley Madison hack, Zu appears to have himself courted a married woman — at least according to his own tweets. On January 5, 2014, Zu tweeted:

“Everything is cool. Getting married this year. I am just waiting for my girl to divorce her husband. #seachange”

A month later, on Feb. 7, 2014, Zu offered this tidbit of info:

“My ex. We were supposed to get married 8 years ago but she was taken away from me. Cancer. Hence, my downward spiral into mayhem.”


To say that Zu tweets to others is a bit of a misstatement. I have never seen anyone tweet the way Zu does: he sends hundreds of tweets each day, and while most of them appear to be directed at nobody, it does seem that they are in response to (if not in “reply” to) tweets that others have sent him or made about his work. Consequently, his tweet stream appears to the casual observer to be nothing more than an endless soliloquy.

But there may be something else going on here. It is possible that Zu’s approach to tweeting — that is, responding to or addressing other Twitter users without invoking the intended recipient’s Twitter handle — is something of a security precaution. After all, he had to know and even expect that security researchers would try to reconstruct his conversations after the fact. But this is far more difficult to do when the Twitter user in question never actually participates in threaded conversations. People who engage in this way of tweeting also do not readily reveal the Twitter identities of the people with whom they chat most.

Thadeus Zu — whoever and wherever he is in real life — may not have been directly involved in the Ashley Madison hack; he claims in several tweets that he was not part of the hack, but then in countless tweets he uses the royal “We” when discussing the actions and motivations of the Impact Team. I attempted to engage Zu in private conversations without success; he has yet to respond to my invitations.

It is possible that Zu is instead a white hat security researcher or confidential informant who has infiltrated the Impact Team and is merely riding on their coattails or acting as their mouthpiece. But one thing is clear: If Zu wasn’t involved in the hack, he almost certainly knows who was.

KrebsOnSecurity is grateful to several researchers, including Nick Weaver, for their assistance and time spent indexing, mining and making sense of tweets and social media accounts mentioned in this post. Others who helped have asked to remain anonymous.

Pid Eins: First Round of systemd.conf 2015 Sponsors

This post was syndicated from: Pid Eins and was written by: Lennart Poettering. Original post: at Pid Eins

First Round of systemd.conf 2015 Sponsors

We are happy to announce the first round of systemd.conf 2015 sponsors!

Our first Silver sponsor is CoreOS!

CoreOS develops software for modern infrastructure that delivers a consistent operating environment for distributed applications. CoreOS’s commercial offering, Tectonic, is an enterprise-ready platform that combines Kubernetes and the CoreOS stack to run Linux containers. In addition CoreOS is the creator and maintainer of open source projects such as CoreOS Linux, etcd, fleet, flannel and rkt. The strategies and architectures that influence CoreOS allow companies like Google, Facebook and Twitter to run their services at scale with high resilience. Learn more about CoreOS here https://coreos.com/, Tectonic here, https://tectonic.com/ or follow CoreOS on Twitter @coreoslinux.

A Bronze sponsor is Codethink:

Codethink is a software services consultancy, focusing on engineering reliable systems for long-term deployment with open source technologies.

A Bronze sponsor is Pantheon:

Pantheon is a platform for professional website development, testing, and deployment. Supporting Drupal and WordPress, Pantheon runs over 100,000 websites for the world’s top brands, universities, and media organizations on top of over a million containers.

A Bronze sponsor is Pengutronix:

Pengutronix provides consulting, training and development services for Embedded Linux to customers from the industry. The Kernel Team ports Linux to customer hardware and has more than 3100 patches in the official mainline kernel. In addition to lowlevel ports, the Pengutronix Application Team is responsible for board support packages based on PTXdist or Yocto and deals with system integration (this is where systemd plays an important role). The Graphics Team works on accelerated multimedia tasks, based on the Linux kernel, GStreamer, Qt and web technologies.

We’d like to thank our sponsors for their support! Without sponsors our conference would not be possible!

We’ll shortly announce our second round of sponsors, please stay tuned!

If you’d like to join the ranks of systemd.conf 2015 sponsors, please have a look at our Becoming a Sponsor page!

Reminder! The systemd.conf 2015 Call for Presentations ends on Monday, August 31st! Please make sure to submit your proposals on the CfP page by then!

Also, don’t forget to register for the conference! Only a limited number of registrations are available due to space constraints! Register here!

For further details about systemd.conf consult the conference website.

TorrentFreak: Torrent Trackers Ban Windows 10 Over Privacy Concerns

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

Since the release of Windows 10 last month many media reports have focused on various privacy intrusions.

The WiFi password sharing feature, for example, or the extensive sharing of personal data and information back to Microsoft’s servers. The list goes on and on.

While we’re the last ones to defend these policies, it is worth pointing out that many other large tech companies have similar privacy violating policies. Reading rants about Windows 10 privacy on Facebook is particularly ironic.

This week things took a turn for the worse. Slowly but steadily reports started pouring in that Windows 10 has a built-in piracy kill switch. If we were to believe some of the reports, Microsoft would nuke all torrents downloaded from The Pirate Bay.

The truth is nowhere near as dystopian though. The controversy originates from a single line in Microsoft’s Service Agreement which allows the company to download software updates and configuration changes that may prevent people from “playing counterfeit games.”

This change isn’t limited to Windows 10 but covers many services. Also, there is no indication that this will ever be used to target third-party games, which is highly unlikely.

Still, the recent privacy concerns have some torrent tracker staffers worried. During the week TF received reports informing us that several private trackers have banned Windows 10, or are considering doing so.

The staffers at iTS explain that Windows 10 is off-limits now because of the extensive amount of data it shares. This includes connections to MarkMonitor, the brand protection company which is also involved in the U.S. Copyright Alert System.

“Unfortunately Microsoft decided to revoke any kind of data protection and submit whatever they can gather to not only themselves but also others. One of those is one of the largest anti-piracy companies, called MarkMonitor,” iTS staff note.

“Amongst other things Windows 10 sends the contents of your local disks directly to one of their servers. Obviously this goes way too far and is a serious threat to sites like ours which is why we had to take measures,” they add.

While this may sound scary, Microsoft has been working with MarkMonitor for years already. Among other things, the company helps to keep scammers at bay.

There is no evidence that any piracy related info is being shared. Still, the connection is raising red flags with other tracker operators as well. More trackers reportedly ban Windows 10, and others including BB and FSC are considering following suit.

“We have also found [Windows 10] will be gathering information on users’ P2P use to be shared with anti piracy group,” BB staff writes to its users.

“What’s particularly nasty is that apparently it sends the results of local(!!) searches to a well known anti piracy company directly so as soon as you have one known p2p or scene release on your local disk … BAM!”

The same sentiment is shared at FSC where staff also informed users about the threat.

“As we all know, Microsoft recently released Windows 10. You as a member should know, that we as a site are thinking about banning the OS from FSC. That would mean you cannot use the site with the OS installed,” FSC staff writes.

While a paranoid mindset is definitely not a bad thing for people in the business of managing a torrent community, banning an operating system over privacy concerns is a bit much for most. Especially since many of the same issues also affect earlier versions of Windows.

Luckily, the most invasive privacy concerns can be dealt with by configuring Windows properly. Or any other operating system, application or social network for that matter.

Instead of banning something outright, it may be a good idea to inform the public on specific dangers and educate them how they can be alleviated.


TorrentFreak: MPAA Seeks New Global Anti-Piracy Vice President

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

Due to opposing beliefs over how content should be consumed online, there is a war being waged on the Internet, one in which the guerilla forces of the file-sharing masses take on the world’s leading content companies and their armies of lawyers.

As a result, Hollywood and the major recording labels are committed to pouring endless millions into content protection, with the aim of affecting consumer behavior by any means – and by force if necessary.

To that end the MPAA is currently hoping to boost its already sizable anti-piracy team with the addition of a new Vice President of Global Content Protection.

The position – advertised externally this week – is an important one and will see the new recruit working with Hollywood studios to “define and execute” the MPAA’s global online content protection strategies.

“This position is primarily responsible for developing and executing a global Internet strategy for combating piracy, managing multiple projects simultaneously, managing staff and keeping apprised of technological developments in the piracy ecosystem and user behaviors online,” the MPAA’s listing reads.

The post is central to the MPAA’s entire anti-piracy operation. Responsibilities include directing international investigations of “websites, operators and business entities engaged in or associated with copyright infringement” while monitoring and reporting on emerging trends and threats.

Legal action is a large part of the MPAA’s work and the role requires the successful candidate to develop and manage relationships “with high-level law enforcement officials in key regions and countries” while helping to develop the movie group’s global civil litigation policy.

Also falling within the job description are key elements of the so-called “Follow the Money” approach to online piracy.

Along the lines of several collaborative initiatives already underway (six strikes etc), the new VP will be expected to develop relationships with intermediaries such as hosting providers, advertising companies, payment processors, domain name registrars and social networks such as Facebook.

He or she will also be responsible for providing technical assistance, research, data and training to government agencies, lobbyists and other rights holders concerning content protection issues.

As should be clear from the above, it’s a big job that will only be suitable for a limited number of applicants. In addition to a bachelor’s degree, candidates will need a graduate degree and experience in content protection intelligence, investigation and enforcement under their belts.

Naturally the MPAA only seeks the technically adept when it comes to piracy-related vacancies. Candidates should have plenty of experience with various content distribution methods including “streaming video, online file hosting and peer-to-peer sharing.”

For a group determined to hold third parties responsible for the infringements of others, it should come as no surprise that applicants are also expected to have a sterling understanding of the relationships between “ISPs, domain names, IP addresses, and hosting providers, and technical infrastructure of such online resources.”

Finally, the MPAA insists that their ideal applicant will know right from wrong.

“[We require] a team player who has the utmost moral and ethical character to support the content protection team and to implement sound strategies that will benefit the motion picture industry today and tomorrow,” the MPAA concludes.


TorrentFreak: Dallas Buyers Club Wants to Interrogate Suspected Pirates

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

The makers of Dallas Buyers Club have sued hundreds of BitTorrent users over the past year.

Many of these cases end up being settled for an undisclosed amount. This usually happens after the filmmakers obtain the identity of the Internet account holder believed to have pirated the movie.

Not all alleged downloaders are eager to pay up though. In fact, many don’t respond to the settlement letters they receive or claim that someone else must have downloaded the film using their connection.

In a recent court filing (pdf) at a Washington District Court the filmmakers explain the efforts they undertake to ensure that the right person is accused. This includes gathering information from Facebook, LinkedIn and even Google Maps.

“Google address mapping and county records were investigated to confirm ownership/rental status of and residence at the property associated with the IP address, as well as observe the physical makeup and layout of the house and neighborhood to anticipate possible claims that a wireless signal was highjacked by someone outside of the residence,” the filmmakers explain.

The router security settings and download history of a specific connection are used as additional pieces of information to ensure that the alleged copyright infringements are systematic.

“Further, given the standard security measures imposed by ISPs to prevent unauthorized use of an IP address, the volume of piracy demonstrated over the extended observation period could not be the result of someone driving by, a temporary house guest or a hacker sitting in a car on the street.”

While the methods above are already quite invasive, Dallas Buyers Club now aims to take it up a notch.

In order to pinpoint the true pirates the movie studio wants to depose 15 account holders. This means that they will have to testify under oath for up to two hours and face a grilling from the studio’s legal team.

This is the first time that we’ve seen a request for a deposition in a Dallas Buyers Club case. Needless to say, a testimony under oath can be quite intimidating, and is highly unusual in these types of cases.

The account holders of IP-addresses linked to the pirated downloads have already been identified by the ISP. However, they failed to respond to the movie studio or denied that they had shared the film illegally.

Through a testimony under oath, the movie studio hopes to identify the true pirates, so they can be named in the lawsuit.

“DBC believes that further discovery is warranted to confirm which of any possible occupants of the physical address assigned the infringing IP address is the proper Doe defendant to be named in the case,” they note.

The filmmakers suspect that some of the subscribers are the actual infringers, but it’s possible that they’re covering for someone else, such as a roommate or spouse.

“A subscriber should not be allowed to shield, immunize and anonymize those they allow to use their Internet service from liability for intentional torts. The subscriber is the single best and perhaps only source of information as to the responsible party using its IP address.”

According to the filmmakers the depositions will result in a reduction of legal expenses while guaranteeing the anonymity of the defendants.

However, more critical observers may also note that it is an optimal tool to pressure ISP subscribers who choose to ignore settlement requests and other threats.

At the time of writing the court has yet to rule on the discovery request.

Source: TorrentFreak, for the latest info on copyright, file-sharing, torrent sites and ANONYMOUS VPN services.

Pid Eins: First Round of systemd.conf 2015 Sponsors

This post was syndicated from: Pid Eins and was written by: Lennart Poettering. Original post: at Pid Eins

We are happy to announce the first round of systemd.conf 2015 sponsors!

Our first Silver sponsor is CoreOS!

CoreOS develops software for modern infrastructure that delivers a consistent operating environment for distributed applications. CoreOS’s commercial offering, Tectonic, is an enterprise-ready platform that combines Kubernetes and the CoreOS stack to run Linux containers. In addition, CoreOS is the creator and maintainer of open source projects such as CoreOS Linux, etcd, fleet, flannel and rkt. The strategies and architectures that influence CoreOS allow companies like Google, Facebook and Twitter to run their services at scale with high resilience. Learn more about CoreOS at https://coreos.com/ and Tectonic at https://tectonic.com/, or follow CoreOS on Twitter @coreoslinux.

A Bronze sponsor is Codethink:

Codethink is a software services consultancy, focusing on engineering reliable systems for long-term deployment with open source technologies.

A Bronze sponsor is Pantheon:

Website Management Platform

A Bronze sponsor is Pengutronix:

Pengutronix provides consulting, training and development services for Embedded Linux to customers from industry. The Kernel Team ports Linux to customer hardware and has more than 3100 patches in the official mainline kernel. In addition to low-level ports, the Pengutronix Application Team is responsible for board support packages based on PTXdist or Yocto and deals with system integration (this is where systemd plays an important role). The Graphics Team works on accelerated multimedia tasks, based on the Linux kernel, GStreamer, Qt and web technologies.

We’d like to thank our sponsors for their support! Without sponsors our conference would not be possible!

We’ll shortly announce our second round of sponsors, please stay tuned!

If you’d like to join the ranks of systemd.conf 2015 sponsors, please have a look at our Becoming a Sponsor page!

Reminder! The systemd.conf 2015 Call for Presentations ends on Monday, August 31st! Please make sure to submit your proposals on the CfP page by then!

Also, don’t forget to register for the conference! Only a limited number of registrations are available due to space constraints! Register here!

For further details about systemd.conf consult the conference website.

TorrentFreak: Universal Music and Kim Dotcom Prepared a Deal to Tax Google

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

Just when some thought that Kim Dotcom might be running out of ammunition, the Megaupload founder has dropped another huge bombshell.

A recording of a discussion between the German and several Universal Music executives that took place in 2012 – just two days before the infamous raids – reveals a somewhat excited record label preparing to do business with Dotcom, in part at Google’s expense.

The 32-minute recording starts off mid-conversation, with one exec prompting Kim to talk a little more about Megakey, his system to monetize free music by replacing the ads that users normally see with ones supplied by Mega.

Megakey

As previously detailed, Kim explained that when Megakey users surf the Internet they see Mega ads instead of ads provided by other companies such as Google. In exchange, users are given credit to access free content. By Dotcom’s estimates it would be possible for Megakey to pay the labels 33 cents per track while enabling users to obtain 75 songs per year for free.

Soon the execs were asking questions, such as how Megakey could properly target users with appropriate ads. Kim explained that initially they would receive the ads at the bottom end of the market but once users began to experience high quality music provided by UMG, that would attract a better quality of ads worth up to twice as much.

Dotcom also offered to profile users to better understand them, with part of the Megakey deal being that users reveal information about themselves such as age, sex and location when they sign up. Dotcom said that the company could also cross-reference user information made available on Facebook.

Start slowly and build

Due to the controversial nature of the Megakey ad replacement mechanism, both sides expressed a desire to start off slowly, initially by replacing just 10% of a user’s adverts.

“We need to be able – and this is also going to be one of the challenges – to be able to sell all of these impressions we will have. So to be able to fully sell out 10% of the ads that 100 million users would consume each day, that is a challenge and that would take time to build up, to have that kind of buying power from advertisers,” Dotcom said.

“We’re basically talking about a few billion dollars here and you need to, you know, create these relationships and so on.”

The caution over taking more than 10% was shared by the UMG execs.

“I can see what they’d say already,” said one. “It’ll be described as a parasite on other cyber services.”

Dotcom said that his legal team had already looked into it and concluded that each user is the king of their own computer and if he or she wants to replace ads, they are free to do so. Quickly, Kim suggested a target.

Target: Google

“If we were to enter a partnership with UMG, we would advise to only, for example at the start, to only replace ads being served from Google. Because Google, frankly, is benefiting the most of all Internet companies from piracy,” the Megaupload founder said.

“They host the world’s largest piracy index and if you want to find a song that belongs to UMG you just go to Google and you find a thousand links on a hundred different sites. These guys are probably not sending you the ad dollars that they are making, so I think that replacing ads from Google would be a fair thing. You are basically now charging a little tax for the benefits that they have with your content.

“I completely agree,” said one exec.

Kim later asked whether there would be any commercial agreements with other labels that would get in the way of a Megakey deal.

“We probably would need to agree a whitelist of where you could replace ads, just to avoid deliberately antagonizing,” said one.

“But Google will not be on that list!” laughed another.

“It’ll just be open season!” “Fire in the hold!” chimed in two others.

Don’t use the ‘T’ word

By now the conversation was starting to warm, but at least one of the UMG execs had taken issue with Kim’s use of the word ‘tax’.

“Isn’t that the worst analogy you could make? Isn’t that the worst possible way of phrasing it?” he said.

Dotcom disagreed.

“You are trying to get legislation in place and get governments to do that for you but they won’t do that. They want to be reelected. They will not have a culture tax, ok? So we can make that happen for you, the culture tax,” Dotcom said.

The label exec preferred to frame it differently.

“I’d argue that what you are trying to do is not imposing a tax on anybody, it’s that you are giving users a chance to control their own destiny when it comes to how ads are served and to participate in the revenue generated from it. Because anything that has the word tax in it is immediately ‘Oh God!”

“Let me add that we would never say that in any public forum,” Dotcom responded. “So I use this term in this closed round here but at the end of the day, that’s what it is.”

This thing has potential…

Soon the UMG execs were coming up with the ideas.

“If Universal decided to work with you guys, rather than replacing ads everywhere we could replace a much higher percentage when it came to any page connected to a Universal artist,” said one. “If we choose to work with you guys, Megakey replaces [the ads], and that then makes it less parasitic. There’s a bunch of spins we could take, we could replace them with Vevo ads.”

“I like you guys, why didn’t we talk years ago?” asked Dotcom.

“We are dealing with everyone who just hates us and wants to kill us but I think we really have a solution that can solve the problem of the content creators. We are very proud of it and would love to work with you guys as you seem to be really getting it and I’m so happy that we have had this meeting now.”

How soon can we start?

Complaining about the music business being run by lawyers after the Napster era, one UMG exec told Dotcom that things are changing.

“So, if we were to do a deal with [Megakey], how quickly could you [move]? This technology is live and in place now?”

“Yes, that’s correct,” Kim confirmed.

“So all we have to do is work out a deal, plug you guys into our legitimate feed of repertoire, and we could go live this side of the summer,” an exec responded.

“We need to have a commercial conversation about the deal making process and I’ll keep the lawyers at bay as long as I possibly can. When we come to paper the deal I’ll have to bring in a lawyer but I’ve got a lawyer I can trust who can do this.”

Dotcom and the UMG guys agreed to meet up in March 2012, but first there was a thorny issue to raise.

The Mega Song Controversy

“Have you guys heard about this Mega Song video that happened between UMG and us?” Dotcom asked.

UMG had previously angered Dotcom by wrongfully taking down his wildly successful video from YouTube and legal action was still pending.

“So the thing is because of that takedown we had to take some legal action and we’re basically now in court with UMG and if you guys feel like this is something interesting to talk about I think we should defuse that a little bit,” Dotcom told the meeting.

“I agree,” came the response. “I think that in the wider conversation at some point it would be very helpful if that just disappeared.”

Interestingly, the execs then provided a surprise reason for the problems, partially laying the blame on Google.

Google had a point to prove on SOPA?

“The Google [YouTube] filters which are normally very inefficient got miraculously efficient. We could not understand why. We’d withdrawn the claim yet the filter was taking down stuff that in a million years it wouldn’t normally catch. So we were sat in the background going ‘What the fuck is going on here?’” one exec said.

“We did something that we thought was in good faith, we then took back the takedown and then the filters went mad in a way that if they’d done so on a normal day, we’d be happy.”

Then the conversation got a little bit dark, to say the least.

“Between you and I, please never repeat any of this conversation – because I’d be sacked – but there was a lot of weird shit going on in that very brief period where we had to wonder whether the people running the [YouTube] filters were running the business to their ends,” one exec explained.

“It was a perfect political football,” said another. “And they kicked it very hard.”

“Because of the SOPA thing, we got fucked. Which is fine.”

Moving on to the size of the market and Universal’s dominant share, one exec told Dotcom what he was waiting to hear.

“I will happily do a deal with you guys.”

‘Notorious Market’ lists are bad for business

But of course, an elephant remained in the room. Megaupload was out of favor with not only the record labels but also the MPAA and United States Trade Representative. Dotcom decided to point out what everyone in the meeting almost certainly had in the back of their minds.

“We have gotten a lot of fire from RIAA, MPAA, everyone in the content industry, for you know, Megaupload,” Dotcom said.

“We don’t have a rewards program, we are one of the cleanest guys. I mean you guys, UMG, RIAA, everyone has direct access to our servers. We remove content swiftly, we try our best to be the best player in our industry but we’re getting all the heat because of our size.

“What would also be nice is if we could try and defuse that whole situation and if you can make an effort to help us with that because, you know, putting us on all sorts of nasty lists and how bad we are and all of that, that doesn’t help either.”

The suggestion was well received.

Allow us to improve your standing, Mr Dotcom

“Yeah, I agree. In exchange for the litigation disappearing there are certain people I can have conversations with where you will be moved onto a different list as opposed to a bad list,” an exec told Dotcom.

“We want to be on the friends list!” he responded.

“Yeah, well you get on to the friends list once we’ve signed a deal. And then the rules of engagement change completely. In the short-term I can downgrade your status from ‘evil’ to ‘bad’ and as the process goes on it will be from ‘bad’ to ‘good’ to ‘exceptional partner’.”

Never one to miss a point of negotiation, Dotcom persuaded the execs to change his designation from “evil to bad” to “evil to neutral” and they agreed, noting that companies can be easily removed from the notorious markets list if they so desire.

But sadly for all involved, none of that came to pass.

“They wanted to reduce my status from ‘evil to neutral’ if I partnered with them,” Dotcom told TorrentFreak this morning.

“This call was two days before the raid. They were excited about Megabox and especially my Megakey innovation. It clearly shows that I was trying to help artists to create more income from the Internet.”

And then the raid happened, and the rest is history.

TorrentFreak: MPAA Ducks Censorship Battle With Google, Twitter and Facebook

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

Last month the MPAA sued several popular movie streaming websites which all operated under the MovieTube flag.

As part of the lawsuit the major movie studios asked for a preliminary injunction ordering several third-party companies to stop linking or providing services to the sites.

For several tech companies this request went too far. Last week Google, Facebook, Twitter, Tumblr and Yahoo explained to the court that it could result in broad Internet censorship, similar to the blocking provisions that were listed in the controversial SOPA bill.

The filing appeared to be the start of a new standoff between Hollywood and the tech companies, but a letter submitted by the MPAA yesterday puts it on hold.

The MPAA informed the court that a preliminary injunction is no longer required as the MovieTube sites have been offline for several weeks already.

“Plaintiffs are no longer seeking preliminary injunctive relief at this time but will seek permanent relief as soon as possible,” the MPAA’s lawyers write.

The decision to drop the request may very well have been triggered by the Amici Curiae brief of the tech companies. After all, the MovieTube sites were already offline when the MPAA submitted the injunction request weeks ago.

In its letter to the court the MPAA stresses that the opposition brief should no longer be considered now that it has pulled its request for an injunction.

“…because Plaintiffs have withdrawn their motion for preliminary injunctive relief, the arguments offered by Amici Curiae in opposition to that motion are not ripe for consideration and are otherwise inapplicable.”

“To the extent Amici are requesting what amounts to an advisory opinion, such a request is improper and should not be entertained,” they add.

It appears that it’s a strategic move from the MPAA not to challenge the tech companies, for now. However, the movie industry group has made it clear that website blocking is one of their main anti-piracy priorities so we can expect this battle to reignite in the future.

Krebs on Security: How Not to Start an Encryption Company

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

Probably the quickest way for a security company to prompt an overwhelmingly hostile response from the security research community is to claim that its products and services are “unbreakable” by hackers. The second-fastest way to achieve that outcome is to have that statement come from an encryption company CEO who served several years in federal prison for his role in running a $210 million Ponzi scheme. Here’s the story of a company that managed to accomplish both at the same time and is now trying to learn from (and survive) the experience.

Thanks to some aggressive marketing, Irvine, Calif.-based security firm Secure Channels Inc. (SCI) and its CEO Richard Blech have been in the news quite a bit lately — mainly Blech being quoted in major publications such as NBC News, Politico and USA Today — talking about how his firm’s “unbreakable” encryption technology might have prevented some of the larger consumer data breaches that have come to light in recent months.

Blech’s company, founded in 2014 with his own money, has been challenging the security community to test its unbreakable claim in a cleverly unwinnable series of contests: At the Black Hat Security conference in Las Vegas last year, the company offered a new BMW to anyone who could unlock a digital file that was encrypted with its “patented” technology.

At the RSA Security Conference this year in San Francisco, SCI offered a $50,000 bounty to anyone who could prove the feat. When no one showed up to claim the prizes, SCI issued press releases crowing about a victory for its products.

Turns out, Blech knows a thing or two about complex, unwinnable games: He pleaded guilty in 2003 to civil and criminal fraud charges and was sentenced to six years in U.S. federal prison for running an international Ponzi scheme.

Once upon a time, Blech was the CEO of Credit Bancorp. Ltd., an investment firm that induced its customers to deposit securities, cash, and other assets in trust by promising the impossible: a “custodial dividend” based on the profits of “risk-less” arbitrage. Little did the company’s investors know at the time, but CBL was running a classic Ponzi scheme: Taking cash and other assets from new investors to make payments to earlier ones, creating the impression of sizable returns, prosecutors said. Blech was sentenced to 72 months in prison and was released in 2007.

THE UNBREAKABLE COMPETITION

In April 2015, Lance James, a security researcher who has responded to challenges like the BMW and $50,000 prizes touted by SCI, began receiving taunting Tweets from Blech and Ross Harris, a particularly aggressive member of SCI’s sales team. That Twitter thread (PDF) had started with WhiteHat Security CTO Jeremiah Grossman posting a picture of a $10,000 check that James was awarded by Telesign, a company that had put up the money after claiming that its StrongWebmail product was unhackable. Turns out, it wasn’t so strong; James and two other researchers found a flaw in the service and hacked the CEO’s email account. StrongWebmail never recovered from that marketing stunt.

James replied to Grossman that, coincidentally, he’d just received an email from SCI offering a BMW to anyone who could break the company’s crypto.

“When the crypto defeats you, we’ll give you a t-shirt, ‘Can’t touch this,’ you’ll wear it for a Tweet,” Blech teased James via Twitter on April 7, 2015. “Challenge accepted,” said James, owner of the security consultancy Unit 221b. “Proprietary patented crypto is embarrassing in 2015. You should know better.”

As it happens, encrypting a file with your closed, proprietary encryption technology and then daring the experts to break it is not exactly the way you prove its strength or gain the confidence of the security community in general. Experts in encryption tend to subscribe to an idea known as Kerckhoffs’s principle when deciding the relative strength and merits of any single cryptosystem: Put simply, a core tenet of Kerckhoffs’s principle holds that “one ought to design systems under the assumption that the enemy will gain full familiarity with them.”

Translation: If you want people to take you seriously, put your encryption technology on full view of the security community (minus your private encryption keys), and let them see if they can break the system.

James said he let it go when SCI refused to talk seriously about sharing its cryptography solution, only to hear again this past weekend from SCI’s director of marketing Deirdre “Dee” Murphy on Twitter that his dismissal of their challenge proved he was “obsolete.” Murphy later deleted the tweets, but some of them are saved here.

Nate Cardozo, a staff attorney at the nonprofit digital rights group Electronic Frontier Foundation (EFF), said companies that make claims of unbreakable technologies very often are effectively selling snake oil unless they put their products up for peer review.

“They don’t disclose their settings or what modes their ciphers are running in,” Cardozo said. “They have a patent which is laughably vague about what it’s actually doing, and yet their chief marketing officer insults security researchers on Twitter saying, ‘If our stuff is so insecure, just break it.’”

Cardozo was quick to add that although there is no indication whatsoever that Secure Channels Inc. is engaging in any kind of fraud, they are engaged in “wildly irresponsible marketing.”

“And that’s not good for anyone,” he said. “In the cryptography community, the way you prove your system is secure is you put it up to peer review, you get third party audits, you publish specifications, etc. Apple’s not open-source and they do all of that. You can download the security white paper and see everything that iMessage is doing. The same is true for WhatsApp and PGP. When we see companies like Secure Channel treating crypto like a black box, that raises red flags. Any company making such claims deserves scrutiny, but because we can’t scrutinize the actual cryptography they’re using, we have to scrutinize the company itself.”

THE INTERVIEW

I couldn’t believe that any security company — let alone a firm that was trying to break into the encryption industry (a business that requires precision perhaps beyond any other, no less) — could make so many basic errors and miscalculations, so I started digging deeper into SCI and its origins. At the same time I requested and was granted an interview with Blech and his team.

I learned that SCI is actually licensing its much-vaunted, patented encryption technology from a Swiss firm by the same name – Secure Channels SA. Malcolm Hutchinson, president and CEO at Secure Channels SA, said he and his colleagues have been “totally dismayed at the level of marketing hype being used by SCI.”

“In hindsight, the mistake we made was licensing SCI to use the Secure Channel name, as this has led to a blurring of the distinction between the owner of the IP and the licensee of that IP which has been exploited,” he told KrebsOnSecurity in an email exchange.

SCI’s CEO Blech has been quoted in the news media saying the company has multiple U.S. government clients. When asked at the outset of a phone interview to name some of those government clients, Blech said he was unable to because they were all “three-letter agencies.” He mentioned instead a deal with MicroTech, a technology integrator that does work with a number of government agencies. When asked whether SCI was actually doing any work for any government clients via its relationship with MicroTech, Blech conceded that it was not.

“We’re on their GSA schedule and in a flow with these agencies,” Blech said.

The same turned out to be the case of another “client” Blech mentioned: American electronics firm Ingram Micro. Was anyone actually using SCI’s technology because of the Ingram relationship? Well, no, not yet.

Did the company actually have any paying clients, I asked? Blech said yes, SCI has three credit union clients in California, two of whom couldn’t be disclosed because of confidentiality agreements. In what sense was the third credit union (La Loma Federal Credit Union) using SCI’s unbreakable encryption? As Blech explained it, SCI sent one of its employees to help the bank with a compliance audit, but La Loma FCU hasn’t actually deployed any of its products.

“They’re not ready for it, so we haven’t deployed it,” he said.

I asked Blech about the gap in his resume roughly between 2003 and 2007. When he balked, I asked whether he’d advised all of his employees of his criminal record when they were hired. Yes, of course, he said (this, according to two former SCI employees, was not actually the case).

In any event, Blech seemed to know this subject was going to come up, and initially took ownership over the issue, although he said he never ran any Ponzi schemes.

“This is in my past and something I’ve addressed and paid my debt for in every way,” Blech said. “I took the approach that was going to get me home to my family the soonest. That meant cooperating with the government and not fighting them in a long, drawn-out battle. I took responsibility, financially and in every way I had to with this case.”

Then he added that it really wasn’t his fault. “There were people in my company that were in America while I was living in Europe that went out and did things inappropriately that got the attention of the authorities,” adding that virtually all of the money was returned to investors.

“I put more than $2 million of my own money into this company,” Blech said of SCI. “I could have hidden, and spent that to reinvent myself and sit on a beach in the Bahamas. But I didn’t do that.”

PATENTLY OBVIOUS?

Why in the world wouldn’t anyone want to deploy an unhackable security product? Perhaps because the product doesn’t offer much beyond existing encryption technologies to justify the expenditure?

The subject of all this hoopla — US Patent No. 8,744,078 B2, Issued June 3, 2014 — carries the title: “SYSTEM AND METHOD FOR SECURING MULTIPLE DATA SEGMENTS HAVING DIFFERENT LENGTHS USING PATTERN KEYS HAVING MULTIPLE DIFFERENT STRENGTHS.”

Put simply, SCI’s secret sauce is a process for taking existing encryption techniques (they only use vetted, established code libraries) and randomizing which one gets used to encrypt the file that needs to be protected, and then encrypting the output with AES-256. Seems patently obvious, yet otherwise harmless. But how does this improve upon AES-256 — widely considered one of the most secure ciphers available today?

It’s not clear that it does. In case after case, we’ve seen security technologies that were previously secure compromised by the addition of functionality, features or implementations that are fundamentally flawed. In the case of the Heartbleed bug — a massive vulnerability in OpenSSL that enabled anyone to snoop on encrypted Web traffic — the bug was reportedly introduced accidentally by an OpenSSL volunteer programmer who intended to add new functionality to the widely used standard.

Robert Hansen, vice president of WhiteHat Labs at WhiteHat Security, pointed to another example: Acutrust, a once ambitious security firm that came up with a brilliant idea to combat phishing attacks, only to create a new problem in the process.

“Acutrust turned a normal [password] hash into a pretty picture as a convoluted way to prevent phishing and it made it super easy to brute-force every username and password offline, and didn’t help with phishing at all,” Hansen wrote in a Facebook message. “This article single handedly effectively put them out of business, FYI.”

All told, I spent more than an hour on the phone with Blech and his team. At the beginning of the call, it was clear that neither he nor any of his people were familiar with Kerckhoffs’s principle, or even appreciated the idea that having their product publicly vetted might be a good thing. But by the end of the call, things seemed to be turning around.

At first, Blech said anyone who wanted to try to break the company’s technology needed only to look to its patent on file with the U.S. Patent & Trademark Office, which he said basically explained the whole thing. I took another look at SCI’s press release about its precious patent: “One of the most interesting things about technology is the personalities behind it,” the company’s own in-house media firm crowed. No question about that.

Early in the interview, Blech said he wouldn’t want to let just anyone and everyone have access to their product; the company would want to vet the potential testers. Later in the call, the tone had changed.

“Without the decryption key, even if you have the source code, not going to be able to get through it,” Blech said. “We don’t know the randomization sequence,” chosen by their technology when it is asked to encrypt a file, he said.

Now we were getting somewhere, or at least a whole lot closer to crotchety ole’ Kerckhoffs’s principle. The company finally seemed to be opening up to the idea of an independent review. This was progress. But would SCI cease its “unhackable” marketing shenanigans until such time? SCI’s Marketing Director Deirdre Murphy was non-committal, suggesting that perhaps the company would find a less controversial way to describe their product, such as “impenetrable.” I just had to sigh and end the interview.

Just minutes after that call, I received an email from SCI’s outside public relations company stating that SCI would, in fact, be publishing a request for proposal for independent testing of its technology:

“As an early stage company we were focused on coming to market and channel partnering. We now realize that specific infosec industry norms around independent need to be met – and quickly. We’ve been using the peer review and testing of existing partners, advanced prospects and early engagements up until now. We hear the infosec community’s feedback on testing, and look forward to engaging in independently conducted tests. We are today publishing requests for proposals for such testing.”

“We realize that sometimes a technology innovator’s earliest critics can be their best sources of feedback. We hope to solicit constructive involvement from the infosec community and some of its vast array of experts.”

Kerckhoffs would be so proud.

TorrentFreak: Google, Facebook and Twitter Protest Hollywood’s ‘SOPA Resurrection’

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

In recent months there have been several lawsuits in the U.S. in which copyright holders were granted broad injunctions, allowing them to seize domain names of alleged pirate sites.

In addition, these injunctions were sometimes directed at hosting providers, search engines and social networks, preventing these companies from doing business with these sites.

Most recently, such a request came from Hollywood’s major movie studios, who previously sued several MovieTube websites. The companies asked for a preliminary injunction ordering several third-party companies to stop linking or providing services to the pirate sites.

This proposal reminded some opponents of the blocking provisions that were listed in the controversial SOPA bill. Among the opposition are some of the largest tech firms in the world.

A few hours ago Google, Facebook, Twitter, Tumblr and Yahoo submitted an amicus brief (pdf) asking the New York federal court not to include neutral service providers in the injunction.

According to the tech giants the proposed language goes too far. An injunction should not target companies that are not in “active participation” with MovieTube, nor should it circumvent the rules that are outlined in the DMCA, they argue.

The tech companies suggest that the MPAA is trying to resurrect SOPA-powers through this lawsuit and ask the court to halt their efforts.

“Plaintiffs now appear to be repackaging the excesses of SOPA into the All Writs Act. Indeed, the injunction proposed here would require the same online intermediaries targeted by SOPA to engage in the same kind of content and domain blocking that would have been required under SOPA had it been enacted,” the tech companies argue.

“The Court should not allow intellectual property rightsholders to obtain through the existing statutes the very sort of third-party blocking orders that failed to gain legislative approval.”

Instead, Google, Facebook, Twitter, Tumblr and Yahoo ask the court to rule that online services can’t be targeted by broad injunctions against websites they are not actively involved in.

“Such a ruling would be all the more appropriate in light of the fact that Congress recently rejected a push to change the law to authorize exactly these kinds of broadbased online blocking orders,” they note, referring to SOPA.

While the requested injunctions are not new, this is the first time that a broad coalition of tech companies has voiced its opposition. As a result, the MovieTube case may set a crucial precedent for the future of website blocking in the U.S.

Last week the EFF also warned against the potential danger of the MPAA’s proposed injunction. This didn’t fare well with several entertainment industry insiders, who told the group to shut up. However, with the tech giants getting involved there will only be more talk about it now.

Source: TorrentFreak, for the latest info on copyright, file-sharing, torrent sites and the best VPN services.

SANS Internet Storm Center, InfoCON: green: .COM.COM Used For Malicious Typo Squatting, (Mon, Aug 10th)

This post was syndicated from: SANS Internet Storm Center, InfoCON: green and was written by: SANS Internet Storm Center, InfoCON: green. Original post: at SANS Internet Storm Center, InfoCON: green

Today, our reader Jeff noted how domains ending in .com.com are being redirected to what looks like malicious content. Back in 2013, a blog post by Whitehat Security pointed out that the famous com.com domain name was sold by CNET to known typo squatter dsparking.com [1]. Apparently, dsparking.com paid $1.5 million for this particular domain. Currently, the whois information uses privacy protection, and DNS for the domain is hosted by Amazon’s cloud.

All .com.com hostnames appear to resolve to 54.201.82.69, also hosted by Amazon (amazon.com.com is also directed to the same IP, but right now results in more of a parked page, not the fake anti-malware page served by the other domains).

The content you receive varies. For example, on my first hit from my Mac to facebook.com.com, I received the following page:

And of course the fake scan it runs claims that I have a virus :)

As a solution, I was offered the well-known scam app MacKeeper.

Probably best to block DNS lookups for any .com.com domains. The IP address is likely going to change soon, but I don’t think there is any valid content at any .com.com host name.

The Whitehat article does speak to the danger of e-mail going to these systems. An MX record is configured, but the mail server didn’t accept any connections from me (maybe it is overloaded?).

Amazon EC2 abuse was notified.
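One way to act on the "block DNS lookups for any .com.com domains" advice above, as an added example that is not part of the ISC post: scan a resolver's query log for names under com.com (matching on DNS labels, so a legitimate name such as mycom.com is not caught) and emit a block rule. It assumes a BIND-style query log format and an Unbound resolver for the block rule; the log lines below are constructed samples, not real traffic.

```python
"""Flag DNS queries for names under com.com and emit a resolver block rule.

Added example (not ISC's code). Assumes BIND-style query log lines and an
Unbound resolver; the sample log below is constructed with RFC 5737 test
addresses, not captured traffic.
"""
import re
from typing import List, NamedTuple

# Constructed sample query log in BIND "querylog" format.
SAMPLE_LOG = """\
10-Aug-2015 14:02:11.123 client 192.0.2.10#51234: query: facebook.com.com IN A + (198.51.100.1)
10-Aug-2015 14:02:12.456 client 192.0.2.10#51235: query: www.example.com IN A + (198.51.100.1)
10-Aug-2015 14:02:13.789 client 192.0.2.11#40001: query: AMAZON.COM.COM. IN A + (198.51.100.1)
10-Aug-2015 14:02:14.000 client 192.0.2.12#40002: query: com.com IN MX + (198.51.100.1)
10-Aug-2015 14:02:15.000 client 192.0.2.13#40003: query: mycom.com IN A + (198.51.100.1)
"""

# Pulls client address, queried name and record type out of a BIND query log line.
QUERY_RE = re.compile(
    r"client (?P<client>[0-9a-fA-F.:]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)

# The zone whose entire subtree the post recommends blocking.
BLOCKED_ZONE = ("com", "com")


class Hit(NamedTuple):
    client: str
    qname: str
    qtype: str


def is_under_com_com(name: str) -> bool:
    """True if name is com.com itself or any name beneath it.

    Compares the last two DNS labels rather than a raw string suffix,
    so "mycom.com" does not match while "facebook.com.com" does.
    Case and a trailing dot are ignored, as DNS is case-insensitive.
    """
    labels = name.lower().rstrip(".").split(".")
    return len(labels) >= 2 and tuple(labels[-2:]) == BLOCKED_ZONE


def flag_com_com_queries(log_text: str) -> List[Hit]:
    """Return every query in the log whose name falls under com.com."""
    hits: List[Hit] = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m is None:
            continue  # not a query line; skip
        qname = m.group("qname").lower().rstrip(".")
        if is_under_com_com(qname):
            hits.append(Hit(m.group("client"), qname, m.group("qtype")))
    return hits


def unbound_block_rule() -> str:
    """Unbound local-zone line answering NXDOMAIN for com.com and everything under it.

    A "static" local-zone with no local-data returns NXDOMAIN for the whole
    subtree, which is the "block DNS lookups for any .com.com" outcome.
    """
    return 'local-zone: "com.com." static'


if __name__ == "__main__":
    for hit in flag_com_com_queries(SAMPLE_LOG):
        print(f"{hit.client} looked up {hit.qname} ({hit.qtype})")
    print(unbound_block_rule())
```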

[1] https://blog.whitehatsec.com/why-com-com-should-scare-you/


Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Matthew Garrett: Difficult social problems are still difficult problems

This post was syndicated from: Matthew Garrett and was written by: Matthew Garrett. Original post: at Matthew Garrett

After less than a week of complaints, the TODO group have decided to pause development of their code of conduct. This seems to have been triggered by the public response to the changes I talked about here, which TODO appear to have been completely unprepared for.

While disappointing in a bunch of ways, this is probably the correct decision. TODO stumbled into this space with a poor understanding of the problems that they were trying to solve. Nikki Murray pointed out that the initial draft lacked several of the key components that help ensure less privileged groups can feel that their concerns are taken seriously. This was mostly rectified last week, but nobody involved appeared to be willing to stand behind those changes in a convincing way. This wasn’t helped by almost all of this appearing to land on Github’s plate, with the rest of the TODO group largely missing in action[1]. Where were Google in this? Yahoo? Facebook? Left facing an angry mob with nobody willing to make explicit statements of support, it’s unsurprising that Github would try to back away from the situation.

But that doesn’t remove their blame for being in the situation in the first place. The statement claims “We are consulting with stakeholders, community leaders, and legal professionals”, which is great. It’s also far too late. If an industry body wrote a new kernel from scratch and deployed it without any external review, then discovered that it didn’t work and only then consulted any of the existing experts in the field, we’d never take them seriously again. But when an industry body turns up with a new social policy, fucks up spectacularly and then goes back to consult experts, it’s expected that we give them a pass.

Why? Because we don’t perceive social problems as difficult problems, and we assume that anybody can solve them by simply sitting down and talking for a few hours. When we find out that we’ve screwed up we throw our hands in the air and admit that this is all more difficult than we imagined, and we give up. We ignore the lessons that people have learned in the past. We ignore the existing work that’s been done in the field. We ignore the people who work full time on helping solve these problems.

We wouldn’t let an industry body with no experience of engineering build a bridge. We need to accept that social problems are outside our realm of expertise and defer to the people who are experts.

[1] The repository history shows the majority of substantive changes were from Github, with the initial work appearing to be mostly from Twitter.


Schneier on Security: Backdoors Won’t Solve Comey’s Going Dark Problem

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

At the Aspen Security Forum two weeks ago, James Comey (and others) explicitly talked about the “going dark” problem, describing the specific scenario they are concerned about. Maybe others have heard the scenario before, but it was a first for me. It centers around ISIL operatives abroad and ISIL-inspired terrorists here in the US. The FBI knows who the Americans are, can get a court order to carry out surveillance on their communications, but cannot eavesdrop on the conversations, because they are encrypted. They can get the metadata, so they know who is talking to who, but they can’t find out what’s being said.

“ISIL’s M.O. is to broadcast on Twitter, get people to follow them, then move them to Twitter Direct Messaging” to evaluate if they are a legitimate recruit, he said. “Then they’ll move them to an encrypted mobile-messaging app so they go dark to us.”

[…]

The FBI can get court-approved access to Twitter exchanges, but not to encrypted communication, Comey said. Even when the FBI demonstrates probable cause and gets a judicial order to intercept that communication, it cannot break the encryption for technological reasons, according to Comey.

If this is what Comey and the FBI are actually concerned about, they’re getting bad advice — because their proposed solution won’t solve the problem. Comey wants communications companies to give them the capability to eavesdrop on conversations without the conversants’ knowledge or consent; that’s the “backdoor” we’re all talking about. But the problem isn’t that most encrypted communications platforms are securely encrypted, or even that some are — the problem is that there exists at least one securely encrypted communications platform on the planet that ISIL can use.

Imagine that Comey got what he wanted. Imagine that iMessage and Facebook and Skype and everything else US-made had his backdoor. The ISIL operative would tell his potential recruit to use something else, something secure and non-US-made. Maybe an encryption program from Finland, or Switzerland, or Brazil. Maybe Mujahedeen Secrets. Maybe anything. (Sure, some of these will have flaws, and they’ll be identifiable by their metadata, but the FBI already has the metadata, and the better software will rise to the top.) As long as there is something that the ISIL operative can move them to, some software that the American can download and install on their phone or computer, or hardware that they can buy from abroad, the FBI still won’t be able to eavesdrop.

And by pushing these ISIL operatives to non-US platforms, they lose access to the metadata they otherwise have.

Convincing US companies to install backdoors isn’t enough; in order to solve this going dark problem, the FBI has to ensure that an American can only use backdoored software. And the only way to do that is to prohibit the use of non-backdoored software, which is the sort of thing that the UK’s David Cameron said he wanted for his country in January:

But the question is are we going to allow a means of communications which it simply isn’t possible to read. My answer to that question is: no, we must not.

And that, of course, is impossible. Jonathan Zittrain explained why. And Cory Doctorow outlined what trying would entail:

For David Cameron’s proposal to work, he will need to stop Britons from installing software that comes from software creators who are out of his jurisdiction. The very best in secure communications are already free/open source projects, maintained by thousands of independent programmers around the world. They are widely available, and thanks to things like cryptographic signing, it is possible to download these packages from any server in the world (not just big ones like Github) and verify, with a very high degree of confidence, that the software you’ve downloaded hasn’t been tampered with.

[…]

This, then, is what David Cameron is proposing:

* All Britons’ communications must be easy for criminals, voyeurs and foreign spies to intercept.

* Any firms within reach of the UK government must be banned from producing secure software.

* All major code repositories, such as Github and Sourceforge, must be blocked.

* Search engines must not answer queries about web-pages that carry secure software.

* Virtually all academic security work in the UK must cease — security research must only take place in proprietary research environments where there is no onus to publish one’s findings, such as industry R&D and the security services.

* All packets in and out of the country, and within the country, must be subject to Chinese-style deep-packet inspection and any packets that appear to originate from secure software must be dropped.

* Existing walled gardens (like iOS and games consoles) must be ordered to ban their users from installing secure software.

* Anyone visiting the country from abroad must have their smartphones held at the border until they leave.

* Proprietary operating system vendors (Microsoft and Apple) must be ordered to redesign their operating systems as walled gardens that only allow users to run software from an app store, which will not sell or give secure software to Britons.

* Free/open source operating systems — that power the energy, banking, ecommerce, and infrastructure sectors — must be banned outright.

As extreme as it reads, without all of that, the ISIL operative would be able to communicate securely with his potential American recruit. And all of this is not going to happen.

Last week, former NSA director Mike McConnell, former DHS secretary Michael Chertoff, and former deputy defense secretary William Lynn published a Washington Post op-ed opposing backdoors in encryption software. They wrote:

Today, with almost everyone carrying a networked device on his or her person, ubiquitous encryption provides essential security. If law enforcement and intelligence organizations face a future without assured access to encrypted communications, they will develop technologies and techniques to meet their legitimate mission goals.

I believe this is true. Already one is being talked about in the academic literature: lawful hacking.

Perhaps the FBI’s reluctance to accept this is based on their belief that all encryption software comes from the US, and therefore is under their influence. Back in the 1990s, during the first Crypto Wars, the US government had a similar belief. To convince them otherwise, George Washington University surveyed the cryptography market in 1999 and found that there were over 500 companies in 70 countries manufacturing or distributing non-US cryptography products. Maybe we need a similar study today.

This essay previously appeared on Lawfare.

Krebs on Security: Windows 10 Shares Your Wi-Fi With Contacts

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

Starting today, Microsoft is offering most Windows 7 and Windows 8 users a free upgrade to the software giant’s latest operating system — Windows 10. But there’s a very important security caveat that users should know about before transitioning to the new OS: Unless you opt out, Windows 10 will by default share your Wi-Fi network password with any contacts you may have listed in Outlook and Skype — and, with an opt-in, your Facebook friends!

This brilliant new feature, which Microsoft has dubbed Wi-Fi Sense, doesn’t share your WiFi network password per se — it shares an encrypted version of that password. But it does allow anyone in your Skype or Outlook or Hotmail contacts lists to waltz onto your Wi-Fi network — should they ever wander within range of it or visit your home (or hop onto it secretly from hundreds of yards away with a good ‘ole cantenna!).

I first read about this disaster waiting to happen over at The Register, which noted that Microsoft’s Wi-Fi Sense FAQ seeks to reassure would-be Windows 10 users that the Wi-Fi password will be sent encrypted and stored encrypted — on a Microsoft server. According to PCGamer, if you use Windows 10’s “Express” settings during installation, Wi-Fi Sense is enabled by default.

“For networks you choose to share access to, the password is sent over an encrypted connection and stored in an encrypted file on a Microsoft server, and then sent over a secure connection to your contacts’ phone if they use Wi-Fi Sense and they’re in range of the Wi-Fi network you shared,” the FAQ reads.

The company says your contacts will only be able to share your network access, and that Wi-Fi Sense will block those users from accessing any other shared resources on your network, including computers, file shares or other devices. But these words of assurance probably ring hollow for anyone who’s been paying attention to security trends over the past few years: Given the myriad ways in which social networks and associated applications share and intertwine personal connections and contacts, it’s doubtful that most people are aware of who exactly all of their social network followers really are from one day to the next.

El Reg says it well here:

That sounds wise – but we’re not convinced how it will be practically enforced: if a computer is connected to a protected Wi-Fi network, it must know the key. And if the computer knows the key, a determined user or hacker will be able to find it within the system and use it to log into the network with full access.

In theory, someone who wanted access to your company network could befriend an employee or two, and drive into the office car park to be in range, and then gain access to the wireless network. Some basic protections, specifically ones that safeguard against people sharing their passwords, should prevent this.

I should point out that Wi-Fi networks which use the centralized 802.1x Wi-Fi authentication — and these are generally tech-savvy large organizations — won’t have their Wi-Fi credentials shared by this new feature.

Microsoft’s solution for those concerned requires users to change the name (a.k.a. “SSID”) of their Wi-Fi network to include the text “_optout” somewhere in the network name (for example, “oldnetworknamehere_optout”).

It’s interesting to contrast Microsoft’s approach here with that of Apple, who offer an opt-in service called iCloud Keychain; this service allows users who decide to use the service to sync WiFi access information, email passwords, and other stored credentials amongst their own personal constellation of Apple computers and iDevices via Apple’s iCloud service, but which does not share this information with other users. Apple’s iCloud Keychain service encrypts the credentials prior to sharing them, as does Microsoft’s Wi-Fi Sense service; the difference is that it’s opt-in and that it only shares the credentials with your own devices.

Wi-Fi Sense has of course been a part of the latest Windows Phone for some time, yet it’s been less of a concern previously because Windows Phone has nowhere near the market share of mobile devices powered by Google’s Android or Apple’s iOS. But embedding this feature in an upgrade version of Windows makes it a serious concern for much of the planet.

Why? For starters, despite years of advice to the contrary, many people tend to re-use the same password for everything. Also, lots of people write down their passwords. And, as The Reg notes, if you personally share your Wi-Fi password with a friend — by telling it to them or perhaps accidentally leaving it on a sticky note on your fridge — and your friend enters the password into his phone, the friends of your friend now have access to the network.

Source: How-To Geek

An article in Ars Technica suggests the concern over this new feature is much ado about nothing. That story states: “First, a bit of anti-scaremongering. Despite what you may have read elsewhere, you should not be mortally afraid of Wi-Fi Sense. By default, it will not share Wi-Fi passwords with anyone else. For every network you join, you’ll be asked if you want to share it with your friends/social networks.”

To my way of reading that, if I’m running Windows 10 in the default configuration and a contact of mine connects to my Wi-Fi network and says yes to sharing, Windows shares access to that network: The contact gets access automatically, because I’m running Windows 10 and we’re social media contacts. True, that contact doesn’t get to see my Wi-Fi password, but he can nonetheless connect to my network.

While you’re at it, consider keeping Google off your Wi-Fi network as well. It’s unclear whether the Wi-Fi Sense opt-out kludge will also let users opt-out of having their wireless network name indexed by Google, which requires the inclusion of the phrase “_nomap” in the Wi-Fi network name. The Register seems to think Windows 10 upgraders can avoid each by including both “_nomap” and “_optout” in the Wi-Fi network name, but this article at How-To Geek says users will need to choose the lesser of two evils.

Either way, Wi-Fi Sense combined with integrated Google mapping tells people where you live (and/or where your business is), meaning that they now know where to congregate to jump onto your Wi-Fi network without your permission.

My suggestions:

  1. Prior to upgrade to Windows 10, change your Wi-Fi network name/SSID to something that includes the terms “_nomap_optout”.
  2. After the upgrade is complete, change the privacy settings in Windows to disable Wi-Fi Sense sharing.
  3. If you haven’t already done so, consider additional steps to harden the security of your Wi-Fi network.

Further reading:

What Is Wi-Fi Sense and Why Does it Want Your Facebook Account? 

UH OH: Windows 10 Will Share Your Wi-Fi Key With Your Friends’ Friends

Why Windows 10 Shares Your Wi-Fi Password and How to Stop it

Wi-Fi Sense in Windows 10: Yes, It Shares Your Passkeys, No You Shouldn’t Be Scared

TorrentFreak: Sony Settles Piracy Lawsuit With Russia’s Facebook

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

For several years VKontakte, or VK, has been branded as a piracy facilitator by copyright holders and even the U.S. Government.

In common with many user-generated sites, VK allows its millions of users to upload anything from movies and TV shows to their entire music collections. However, copyright holders often claim that Russia’s social network has failed to adopt proper anti-piracy measures.

Last year this resulted in a lawsuit filed at the Saint Petersburg and Leningrad Region Arbitration Court, in which Sony Music, Universal Music and Warner Music demanded countermeasures and compensation for the large scale copyright infringement VK allegedly facilitates.

The case is still ongoing, but as of this week Sony Music has dropped out. According to a local report Sony and VK signed a confidential settlement agreement to resolve the dispute.

No further details on the content of the deal have been published, but according to sources VK will upgrade its current music service.

Among other things, the social network will start charging mobile users for access to its official music platform. Desktop users will still have free access, but these views will be monetized through advertisements.

Both changes will be rolled out gradually after a thorough test phase.

The settlement with Sony Music is a breakthrough for the Russian equivalent of Facebook, but it doesn’t mean that all legal troubles are over.

The remaining cases against Universal Music and Warner Music haven’t been resolved yet. Together with Sony the companies demanded 50 million rubles ($830,000) in damages in their complaint last year, and VK is still on the hook for most of it.

Source: TorrentFreak, for the latest info on copyright, file-sharing, torrent sites and the best VPN services.

TorrentFreak: MPAA Sues MovieTube Sites Over Mass Piracy

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

Unauthorized movie streaming sites have been a thorn in the side of Hollywood for many years, and yesterday the MPAA decided to take one of the most prominent players to court.

MPAA members 20th Century Fox, Columbia Pictures, Disney, Paramount, Universal and Warner Bros filed a lawsuit against a group of MovieTube affiliated websites, which operate from more than two dozen domain names.

In the complaint, filed at a New York District Court a few hours ago, the movie studios describe MovieTube as a business that’s designed and operated to promote copyright infringement for profit.

The MPAA lists several popular websites including MovieTube.cc, TuneVideo.net, Watch33.tv, MovieTube.cz, Anime1.tv, MovieTube.pm, FunTube.co, MovieTube.la and KissDrama.net. These sites share hosting facilities and a similar design and the studios believe that they are operated by the same people.

The websites in question are typical streaming sites, where users can watch videos and in some cases download the source files to their computers.

“Defendants, through the MovieTube Websites, aggregate, organize and provide embedded links to extensive libraries of Infringing Copies of Plaintiffs’ Works,” the complaint (pdf) reads.

“…users can watch Infringing Copies without leaving the MovieTube Websites. The MovieTube Websites even allow users, in some instances, to download Infringing Copies by clicking on a selection from a menu built into the video player software supplied by Defendants.”

According to the MPAA, MovieTube’s operators are well aware of the infringing nature of their site. On one of their Facebook pages they write that it’s not a problem that many films are pirated, since they are not bound by U.S. laws.

The complaint accuses MovieTube of various counts of copyright and trademark infringement. This means that the site’s operators face millions of dollars in statutory damages.

Perhaps more importantly, the MPAA is also demanding a broad preliminary injunction to make it virtually impossible for the operators to keep their sites online.

Among other things, the proposed measures would prevent domain registrars, domain registries, hosting companies, advertisers and other third-party outfits from doing business with the site.

If granted, MovieTube’s operators will have a hard time keeping the sites afloat, but it appears that the injunction may not even be needed.

At the time of writing all MovieTube domain names are unreachable. It is unclear whether the operators took this decision themselves, but for now the future of these sites looks grim.

The full list of sites mentioned in the complaint is as follows: MovieTube.tw, MovieTube.ph, TVStreaming.cc, MovieTube.sx, MovieTube.pw, MovieTubeNow.com, MovieTube.tf, MovieTube.co, MovieOnDrive.com, MovieTube.vc, TuneVideo.net, MovieTube.mn, MovieTube.cc, Watch33.tv, MovieTube.cz, Anime1.tv, MovieTube.pm, FunTube.co, MovieTube.la, KissDrama.net, MovieTube.so, MovieTube.click, MovieTubeHD.co, MovieTubeHD.net, MovieTubeHD.org, MovieTubeHD.tv, MovieTubeHD.us, MovieTubenow.in and TuneMovie.me.

Source: TorrentFreak, for the latest info on copyright, file-sharing, torrent sites and the best VPN services.

Linux How-Tos and Linux Tutorials: How to Install WordPress With Nginx, MariaDB and HHVM in Ubuntu 15.04

This post was syndicated from: Linux How-Tos and Linux Tutorials and was written by: Falko Timme. Original post: at Linux How-Tos and Linux Tutorials

HHVM (Hip Hop Virtual Machine) is a just-in-time compiler developed by Facebook to run applications that are written in PHP and Hack language. HHVM is faster than the traditional PHP engine from ZEND and is used by Facebook to serve billions of web requests per day. This tutorial describes the steps to install WordPress with Nginx, MariaDB and HHVM on Ubuntu 15.04 Server.

Read more at HowtoForge

TorrentFreak: KickassTorrents Disappears From Google After Penalty

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

With millions of visitors per day KickassTorrents (KAT) is arguably the most visited torrent site on the Internet, outranking even the notorious Pirate Bay.

After several domain hops KAT has been operating from the KAT.cr domain name for a few months now. However, in recent weeks many infrequent visitors have experienced trouble locating the site, leading to all sorts of problems.

Traditionally, the site has been easy to find through Google by entering the search terms “KickassTorrents” or “Kickass Torrents,” but this is no longer the case.

In fact, the official KAT.cr address is nowhere to be found in the top results. Instead, people see the unknown and unaffiliated Kickasstorrents.eu domain on top in many locations, as the screenshot below shows.

Google’s KickassTorrents search results

The KAT team informs us that Google began to penalize its pages a while ago, for reasons unknown. Perhaps there are ways to solve the problems, but the site is currently not doing any search engine optimization (SEO).

“It’s already about five or six months since we started to experience some kind of penalty from Google. The issue is that we were not performing any SEO activities at all,” KAT says.

What makes matters worse is that the .eu site which tops Google search results is a scam. It doesn’t offer any torrents but instead prompts visitors to download File_Downloader.exe, which appears to be malware.

The KAT team finds it unfortunate that Google is sending tens of thousands of visitors to a shady site and encourages people to check the official Facebook and Twitter accounts for the latest official domain name.

Interestingly, not all search engines treat KAT the same. In Bing the site’s official domain name is not on top either, but it’s listed on the first page. DuckDuckGo does the best job, identifying the correct domain and even tagging it as an “official site,” which is quite useful to estranged KAT users.

DuckDuckGo’s KickassTorrents search results

Source: TorrentFreak, for the latest info on copyright, file-sharing, torrent sites and the best VPN services.

Krebs on Security: Third Hacking Team Flash Zero-Day Found

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

For the third time in a week, researchers have discovered a zero-day vulnerability in Adobe’s Flash Player browser plugin. Like the previous two discoveries, this one came to light only after hackers dumped online huge troves of documents stolen from Hacking Team — an Italian security firm that sells software exploits to governments around the world.

News of the latest Flash flaw comes from Trend Micro, which said it reported the bug (CVE-2015-5123) to Adobe’s Security Team. Adobe confirmed that it is working on a patch for the two outstanding zero-day vulnerabilities exposed in the Hacking Team breach.

We are likely to continue to see additional Flash zero day bugs surface as a result of this breach. Instead of waiting for Adobe to fix yet another flaw in Flash, please consider removing or at least hobbling this program.

Google Chrome comes with its own version of Flash pre-installed, but disabling it is easy enough. On a Windows, Mac, Linux or Chrome OS installation of Chrome, type “chrome:plugins” into the address bar, and on the Plug-ins page look for the “Flash” listing: To disable Flash, click the disable link (to re-enable it, click “enable”).

Windows users can remove Flash from non-Chrome browsers from the Add/Remove Programs panel, and/or using this Flash Removal Tool. Note that you must exit out of all Web browsers before running the tool. To verify that Flash has been removed, visit this page; if it says your browser needs Flash, you’ve successfully removed it.

For Mac users, AppleInsider carries a story today that has solid instructions for nixing the program from OS X once and for all.

“Flash has become such an information security nightmare that Facebook’s Chief Security Officer called on Adobe to sunset the platform as soon as possible and ask browser vendors to forcibly kill it off,” AppleInsider’s Shane Cole writes. “Though most exploits are targeted at Windows, Mac users are not invincible.”

I removed Flash entirely more than a month ago and haven’t missed the program one bit. Unfortunately, some sites — including many government Web sites — may prompt users to install Flash in order to view certain content. Perhaps it’s time for a petition to remove Flash Player from U.S. Government Web sites altogether? If you agree, make your voice heard here. For more on spreading the word about Flash, see the campaign at OccupyFlash.org.

If you decide that removing Flash altogether or disabling it until needed is impractical, there are in-between solutions. Script-blocking applications like Noscript and ScriptSafe are useful in blocking Flash content, but script blockers can be challenging for many users to handle.

Another approach is click-to-play, a feature available for most browsers (except IE, sadly) that blocks Flash content from loading by default, replacing it on Web sites with a blank box. With click-to-play, users who wish to view the blocked content need only click the boxes to enable Flash content inside them (click-to-play also blocks Java applets from loading by default). Because the plugin is not instantiated until the user clicks, a malicious SWF served through an ad network or a compromised page does not get to run on its own; the user has to opt in to each object.

Windows users who keep Flash installed and/or enabled should also take full advantage of the Enhanced Mitigation Experience Toolkit (EMET), a free tool from Microsoft that applies exploit mitigations such as DEP, ASLR and ROP checks to third-party applications. (EMET has since reached end of life; on Windows 10 its successor is the Exploit Protection feature of Windows Defender Exploit Guard.)
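The removal and click-to-play steps above are easy to get half right: the Add/Remove entry disappears while an NPAPI DLL or ActiveX control stays behind, or Chrome's bundled copy keeps running unnoticed. The following PowerShell script is an added example (written for this page, not code from the original post) that audits a Windows host for Flash Player remnants and, if any are found, sets Chrome's plugin policy to click-to-play. The registry keys, directories and file names it checks are assumptions about where Adobe's ActiveX, NPAPI and PPAPI installers and Chrome's bundled PPAPI copy placed their files; the Chrome policy name DefaultPluginsSetting and its values are the ones Chrome's enterprise policy documented for that feature. Run it from an elevated prompt, since the policy write targets HKLM.

```powershell
# Added example (editor's, not from the original post): audit a Windows host for
# Adobe Flash Player remnants after removal and turn on click-to-play for Chrome
# via policy. Run from an elevated PowerShell prompt.
# Assumptions not stated on the page: the registry keys and directories below are
# the standard locations used by Adobe's ActiveX (IE), NPAPI (Firefox) and
# PPAPI (Chrome) installers; Chrome's bundled PPAPI copy lives under its
# Application directory.

function Get-FlashFootprint {
    $findings = @()

    # 1. Add/Remove Programs entries (64-bit and 32-bit uninstall hives)
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    foreach ($key in $uninstallKeys) {
        $entries = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue |
            Where-Object { $_.DisplayName -like '*Adobe Flash Player*' }
        foreach ($e in $entries) {
            $findings += [pscustomobject]@{ Kind = 'InstalledProgram'; Detail = $e.DisplayName; Version = $e.DisplayVersion }
        }
    }

    # 2. Plugin binaries on disk: NPSWF*.dll (NPAPI), Flash*.ocx (ActiveX), pepflashplayer*.dll (PPAPI)
    $dirs = @(
        "$env:SystemRoot\System32\Macromed\Flash",
        "$env:SystemRoot\SysWOW64\Macromed\Flash",
        "${env:ProgramFiles(x86)}\Google\Chrome\Application",
        "$env:ProgramFiles\Google\Chrome\Application",
        "$env:LOCALAPPDATA\Google\Chrome\Application"
    )
    foreach ($dir in $dirs) {
        if (-not (Test-Path $dir)) { continue }
        $files = Get-ChildItem -Path $dir -Recurse -Include 'NPSWF*.dll', 'Flash*.ocx', 'pepflashplayer*.dll' -ErrorAction SilentlyContinue
        foreach ($f in $files) {
            $findings += [pscustomobject]@{ Kind = 'File'; Detail = $f.FullName; Version = $f.VersionInfo.FileVersion }
        }
    }

    # 3. Adobe's own version marker, which some uninstallers leave behind
    $versionKeys = @('HKLM:\SOFTWARE\Macromedia\FlashPlayer', 'HKLM:\SOFTWARE\WOW6432Node\Macromedia\FlashPlayer')
    foreach ($key in $versionKeys) {
        $v = (Get-ItemProperty -Path $key -Name CurrentVersion -ErrorAction SilentlyContinue).CurrentVersion
        if ($v) {
            $findings += [pscustomobject]@{ Kind = 'Registry'; Detail = "$key\CurrentVersion"; Version = $v }
        }
    }

    return $findings
}

function Set-ChromePluginPolicy {
    # DefaultPluginsSetting: 1 = run automatically, 2 = block, 3 = ask the user (click-to-play).
    param([ValidateSet(2, 3)][int]$Setting = 3)
    $policy = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
    if (-not (Test-Path $policy)) { New-Item -Path $policy -Force | Out-Null }
    New-ItemProperty -Path $policy -Name 'DefaultPluginsSetting' -PropertyType DWord -Value $Setting -Force | Out-Null
}

$found = @(Get-FlashFootprint)
if ($found.Count -eq 0) {
    Write-Output 'No Flash Player remnants found.'
} else {
    $found | Format-Table -AutoSize
    # Keep whatever copy is left from running automatically until it can be removed.
    Set-ChromePluginPolicy -Setting 3
}
```

The three checks are deliberately independent: the uninstall hive reflects what the installer registered, the file search reflects what is actually loadable by a browser, and the Macromedia key is what Adobe's own version checks read. A clean host reports nothing under all three; a host that passes only the first check is the case the "visit this page" test above is meant to catch.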

Backblaze Blog | The Life of a Cloud Backup Company: What You Would Do With a Storage Pod

This post was syndicated from: Backblaze Blog | The Life of a Cloud Backup Company and was written by: Andy Klein. Original post: at Backblaze Blog | The Life of a Cloud Backup Company


A few weeks ago, we held a contest offering a free Storage Pod chassis as a prize to people who came up with creative ways to use/reuse a Backblaze Storage Pod chassis. The response was outstanding! We reviewed all the submissions and selected 20 we thought the most deserving – it was hard work. Here are some of the winning entries with all the winners listed at the end.

Storage Pods in education

Over the years, students have built Storage Pods to store data for research projects and similar data intensive activities. Here are a couple of submissions where the students most likely will not be using the Storage Pods to store data – and that’s just fine with us.

    “I have three kids ages 9, 7 and 5. What would we do with these? They would immediately be incorporated into their ongoing quasi-engineering to build various things out of parts of all kinds, both indoors and outdoors, as they continue to develop their imagination, creativity and engineering ability.”

    “We are building a Makerspace and Tinkering lab at our SF school and are trying to use as much up-cycled and repurposed material as possible. Our students would love to think of creative and innovative uses for the pods in their new spaces.”

A second career for the Storage Pods

The Storage Pods being retired have worked 24/7 for the last six years. That’s equivalent to working 40 hours a week for 26 years. While these Storage Pod chassis are technically in retirement, some of them want to continue to work. Several of the contest winners suggested excellent second careers.

    Magician’s Assistant – “I am a magician. The storage pods would be easily convertible into a mini sword box, where I could put something inside and stick swords through the item, then open it up and see the item is still in one piece with no holes.”

    Roadie – “I would use it for storage for all my musical equipment and I will be able to route cables and ports through the holes so that way I can make it a one stop shop for all my outboard gear for recording.”

    Senior Roadie – A sturdy box to put cables and other material for guitar gigs and then place the box under my 2×12 guitar cabinet to elevate it. A metal box is sturdy as well as has a good connection to the ground as it’s important that the cab rests on a sturdy environment so the cab won’t move around and has a good connection so the low-end guitar sound is propagated through the floor.

    Skydiving Assistant – I would make it in to a skydiving gear box including a monitor to playback the action after each jump. So many skydivers are geeky enough that they would immediately recognize and be envious of this unique and awesome piece of history.


Courtesy of Angel

A leisurely Storage Pod life

A full time second career may not be what every retiring Storage Pod wants. Here are some suggestions from our contest winners that would let Storage Pods leisurely pass the time.

    Popcorn Dispenser – Design a Storage Pod to “distribute popcorn to 3 cups at once.”

    Boombox – “A sweet boombox to turn my famous server room parties up to 11.”

    Bookshelf – Repurpose the Storage Pod into a little free library in front of my historic New Orleans home. Use solar power to charge batteries to illuminate it at night.

Fish and zombies

Of course there are some Storage Pods looking for something a little different in their retirement. Here are a couple of suggestions that have an interesting twist…

    A wagon – Construct a wagon from a Storage Pod so “I can take my pet fish, Ruth Bader Ginsberg, out for walks. She always complains we never take her anywhere.”

    A doll house – Build a doll house out of a Storage Pod so it can be used as safe place for dolls during a zombie apocalypse. Playful, yet practical.


Courtesy of Kirk (left) and Bret (right)

What’s next?

Over the next few days, we’ll match each Storage Pod chassis to their appropriate retirement opportunity. Each Pod is different, so this could take a while. Then, we’ll ship out the Storage Pods to their new owners. That will be a happy yet sad day here at Backblaze.

The Winners

The people below have been contacted and we will be shipping out their Storage Pods shortly.

    Wayne, Kent, Frank, Nicholas, Tristan, Bret, Nathan, Paul, Jorge, Yon, Franz, Angel, Kirk, and Alan.

The following people are winners, but we’ve been unable to reach them. If your name is below and you’re interested in receiving a Storage Pod chassis, contact us at (andy at backblaze.com) and let us know. If we don’t hear from you by July 15th, we’ll select another winner.

    Nepal, Don, Samantha, Michael, Alan, Gaëtan, and Marius.

No losers

If you didn’t win a Storage Pod this time, don’t fret: there will be more Storage Pod chassis coming available over the next few months. We’ll post updates to our Facebook page as they become available and let you know how you can scoop one up!

Thanks to everyone who sent in a submission; we appreciate each of your very creative and entertaining ideas.

The post What You Would Do With a Storage Pod appeared first on Backblaze Blog | The Life of a Cloud Backup Company.

TorrentFreak: Popcorn Time Warns Users Against Malware and Scams

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

With millions of users worldwide, Popcorn Time is one of the most used pieces of software.

This success has also caught the attention of scammers, who launch rip-off sites to lure people into downloading malware or paying to obtain the client.

In recent months the developers of the original Popcorntime.io fork have received numerous complaints about “unofficial” releases.

“We’ve been dealing with reports about malware in Popcorn Time for a long time, and constant questions via email, Reddit or on our forums complaining about malware or other malicious copies,” the Popcorntime.io team informs TF.

“We felt it was time to publish a blog post about it in order to clear it up with a proper answer, and help prevent the constant questions so we can dedicate our time elsewhere.”

A search for “Popcorn Time” on Google does indeed return a long list of websites that contain shady links and popup ads. There are also sites that require people to pay, or to like them on Facebook, before allowing them to download anything.

Confusingly, all these Popcorn Time websites have more or less the same layout, so prospective users should tread carefully.

“…we warn you that we’re victims of our own success and you should always be careful: The ‘Popcorn Time’ branding is used a lot by malicious people trying to surf the wave and make a profit,” Popcorntime.io explains.

“This means you may find in some of these websites either non-working applications, which are simply a genuine waste of time and bandwidth, or – and this is worse – end up with viruses, adware or other trojan horses infecting your machine.”

In addition, the Popcorn Time team explains that they are not affiliated with the Porn Time app or the Popcorn-Time.se fork. While these clients are by no means harmful, the myriad of alternatives often causes confusion.

To point users in the right direction the Popcorntime.io developers have made a flow chart, which is featured below. Interestingly, the developers also list Netflix as an option for people who are willing to pay.

Popcorntime.io’s flow chart

While there are several harmless Popcorn Time forks out there, including those listed earlier, the scammer problem is definitely a growing concern.

On that note, we also asked the Popcorntime.io team why they still use torrents from the compromised EZTV.ch site. We were informed that they’re looking for a good alternative, without any signs of malware. They will use the hijacked site in the meantime.

“While we’re working on moving we haven’t noticed any infected video from the compromised EZTV site and believe it to be acceptable while we work on finding the replacement rather than simply taking TV shows out of the application for the time being,” they inform TF.

Yet another pitfall to be on the lookout for.

Source: TorrentFreak, for the latest info on copyright, file-sharing, torrent sites and the best VPN services.

TorrentFreak: Tech Giants Oppose Broad Anti-Piracy Injunctions

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

In recent months there have been several lawsuits in the U.S. in which copyright holders were granted broad injunctions, allowing them to seize domain names of alleged pirate sites.

In addition, these injunctions were sometimes directed at hosting providers, search engines and ISPs, preventing these companies from doing business with these sites.

Most recently, such a request came from the publishing company Elsevier, which sued the websites Libgen.org and Sci-Hub.org. The publisher asked for a preliminary injunction targeting several third-party services.

While the operators of the “pirate” sites have yet to respond, several tech companies have joined in to protest the request. This week the Computer & Communications Industry Association (CCIA), which includes members such as Google, Facebook and Microsoft, asked the court to limit the proposed injunction.

In its current form the proposal targets any search engine, ISP and hosting company, without naming any in particular, which the tech companies argue is not permitted.

“What Plaintiffs here are seeking is, in essence, an injunction against the world. It is well established that such a sweeping injunction against nonparty intermediaries is impermissible,” CCIA writes (pdf).

According to the tech companies, neutral service providers are not “in active concert or participation” with the defendant, and should therefore be excluded from the proposed text.

The CCIA gives the example of search engines, which may link to pirate websites but can’t be seen as “aiders and abettors,” or as collaborating with these sites to violate the law.

Even if one of the third party services could be found liable, the matter should be resolved under the DMCA and not through an injunction, the CCIA claims.

“The DMCA thus puts bedrock limits on the injunctions that can be imposed on qualifying providers if they are named as defendants and are held liable as infringers. Plaintiffs here ignore that.”

“What they seek, in the posture of a preliminary injunction against nonparties, goes beyond what Congress was willing to permit, even against service providers who come before a court as defendants against whom an actual judgment of infringement has been entered. That request must be rejected.”

The New York federal court has scheduled a hearing later this month after which it will decide whether to issue the preliminary injunction or not. Thus far, Elsevier hasn’t responded to CCIA’s opposition.
