Posts tagged ‘Facebook’

Errata Security: What they claim about NetNeutrality is a lie

This post was syndicated from: Errata Security and was written by: Robert Graham. Original post: at Errata Security

The EFF and other activists are promoting NetNeutrality in response to the FCC’s request for comment. What they tell you is a lie. I thought I’d write up the major problems with their arguments.

“Save NetNeutrality”

Proponents claim they are trying to “save” NetNeutrality and preserve the status quo. This is a bald-faced lie.

The truth is that NetNeutrality is not now, nor has it ever been, the law. Fast-lanes have always been the norm. Most of your network traffic goes through fast-lanes (“CDNs”), for example.

The NPRM (the FCC request for comments we are all talking about here) quite clearly says: “Today, there are no legally enforceable rules by which the Commission can stop broadband providers from limiting Internet openness”.

NetNeutrality means a radical change, from the free-market Internet we’ve had for decades to a government regulated utility like electricity, water, and sewer. If you like how the Internet has been running so far, then you should oppose the radical change to NetNeutrality.

“NetNeutrality is technical”

Proponents claim there is something “technical” about NetNeutrality, that the more of a geek/nerd you are, the more likely you are to support it. They claim NetNeutrality supporters have some sort of technical authority on the issue. This is a lie.

The truth is that NetNeutrality is pure left-wing dogma. That’s why the organizations supporting it are all well-known left-wing organizations, like Greenpeace, Daily Kos, and the EFF. You don’t see right-wing or libertarian organizations on the list supporting today’s protest. In contrast, other issues like the “SOPA blackout” and protests against the NSA enjoy wide bi-partisan support among right-wing, libertarian, and left-wing groups.

Your support of NetNeutrality correlates with your general political beliefs, not with your technical skill. One of the inventors of TCP/IP is Vint Cerf who supports NetNeutrality – and a lot of other left-wing causes. Another inventor is Bob Kahn, who opposes NetNeutrality and supports libertarian causes.

NetNeutrality is a political slogan only. It has as much technical meaning as “Hope and Change”. Ask 10 people what the phrase technically means and you’ll get 13 answers.

The only case where NetNeutrality correlates with technical knowledge is among those geeks who manage networks – and it’s an inverse correlation (they oppose it). That’s because they want technologists and not politicians deciding how to route packets.

“Fast lanes will slow down the Internet”

Proponents claim that fast-lanes for some will mean slow-lanes for everyone else. The opposite is true – the Internet wouldn’t work without fast lanes, because they shunt high-volume traffic off expensive long-distance links.

The fundamental problem with the Internet is the “tragedy of the commons” where a lot of people freeload off the system. This discourages investment needed to speed things up. Charging people for fast-lanes fixes this problem – it charges those willing to pay for faster speeds in order to invest in making the Internet faster. Everyone benefits – those in the new fast-lane, and those whose slow-lanes become less congested.

This is proven by “content delivery networks” or “CDNs”, which are the most common form of fast lanes. (Proponents claim that CDNs aren’t the fast lanes they are talking about, but that too is a lie). Most of your network traffic doesn’t go across long-distance links to places like Silicon Valley. Instead, most of it goes to data centers in your local city to these CDNs. Companies like Apple and Facebook maintain their own CDNs, others like Akamai and Lightspeed charge customers for the privilege of being hosted on their CDNs. CDNs are the very essence of fast lanes, and the Internet as we know it wouldn’t happen without them.

“Bad things will happen”

NetNeutrality proponents claim bad things will happen in the future. These are lies, made-up stories designed to frighten you. You know they are made-up stories because NetNeutrality has never been the law, and the scary scenarios haven’t come to pass.

The left-wingers may be right, and maybe the government does indeed need to step in and regulate the Internet like a utility. But, we should wait for problems that arise and fix them – not start regulating to prevent bad things that would never actually occur. It’s the regulation of unlikely scenarios that is most likely to kill innovation on the future Internet. Today, corporations innovate first and ask forgiveness later, which is a far better model than having to ask a government bureaucrat whether they are allowed to proceed – then proceeding anyway by bribing or lobbying the bureaucrats.

“Bad things have happened”

Proponents claim that a few bad things have already happened. This is a lie, because they are creating a one-sided description of events.

For example, a few years ago, Comcast filtered BitTorrent traffic in a clear violation of NetNeutrality ideals. This was simply because the network gets overloaded during peak hours (5pm to 9pm) and BitTorrent users don’t particularly care about peak hours. Thus, by slowing down BitTorrent during peak hours, Comcast improved the network for everyone without inconveniencing BitTorrent users. It was a win-win solution to the congestion problem.

NetNeutrality activists hated the solution. Their furor caused Comcast to change their policy, no longer filtering BitTorrent, but imposing a 250gig bandwidth cap on all their users instead. This was a lose-lose solution, both BitTorrent users and Comcast’s normal customers hated the solution – but NetNeutrality activists accepted it.

NetNeutrality activists describe the problem as whether or not Comcast should filter BitTorrent, as if filtering/not-filtering were the only two choices. That’s a one-sided description of the problem. Comcast has a peak-hour congestion problem. The choices are to filter BitTorrent, impose bandwidth caps, bill by amount downloaded, bill low-bandwidth customers in order to subsidize high-bandwidth customers, cause all customers to suffer congestion, and so on. By giving a one-sided description of the problem, NetNeutrality activists make it look like Comcast was evil for choosing a bad solution to the problem, but in truth, all alternatives are bad.

A similar situation is the dispute between NetFlix and Comcast. NetFlix has been freeloading off the system, making the 90% of low-bandwidth customers subsidize the 10% who do streaming video. Comcast is trying to make those who stream pay for the costs involved. They are doing so by making NetFlix use CDNs like all other heavy users of the network. Activists take a very narrow view of this, casting Comcast as the bad guy, but any technical analysis of the situation shows that NetFlix is the bad guy freeloading on the system, and Comcast is the good guy putting a stop to it.

Companies like Comcast must solve technical problems. NetNeutrality deliberately distorts the description of the problems in order to make corporations look evil. Comcast certainly has monopolies in big cities on broadband (above 10mbps) Internet and we should distrust them, but the above examples were decided on technical grounds, not on rent-seeking monopolist grounds.

Conclusion

I’m not trying to sway your opinion on NetNeutrality, though of course it’s quite clear I oppose it. Instead, I’m trying to prove that the activists protesting today are liars. NetNeutrality isn’t the status quo or the current law, it’s not being “saved”. NetNeutrality is pure left-wing politics, not technical, and activists have no special technical authority on the issue. Fast-lanes are how the Internet works, they don’t cause slow-lanes for everyone else. The activists stories of future doom are designed to scare you and aren’t realistic, and their stories of past problems are completely distorted.


Frankly, activists are dishonest with themselves, as shown in the following tweet. In their eyes, Comcast is evil and “all about profits” because they lobby against NetNeutrality, while NetFlix is a responsible/good company because they support NetNeutrality. But of course, we all know that NetFlix is likewise “all about profits”, and their support for NetNeutrality is purely because they will profit by it.

The Hacker Factor Blog: Name Dropping

This post was syndicated from: The Hacker Factor Blog and was written by: The Hacker Factor Blog. Original post: at The Hacker Factor Blog

Filename Ballistics is proving itself to be a massive success. The entire idea with this forensic approach is that (1) different applications use different filename formats, and (2) people rarely rename files. If the filename format is distinct enough, then you can identify the camera, application, or online service that generated the picture.

From a forensic viewpoint, knowing what causes these filenames helps identify the source. For example, some filenames map back to specific applications, platforms, and even software versions. Imagine law enforcement tracking down a suspect and finding the right type of mobile device with the right version of the right software installed… Or maybe the suspect has multiple smartphones, but only one matches the required software. This can be used to identify the smoking gun (or smoking cellphone, in this case).

The current ruleset covers over 60% of digital picture filename formats uploaded to FotoForensics. Cameras, web services, smartphone apps, etc. With many web services, you can even map the filename back to a URL. This is great for comparing the local file with the online version. (If they differ, then you immediately know some of the edits.)

The best part is that, even knowing how this works, there is no benefit to bad guys. Filenames are everywhere. On your hard drive, in your web cache, attached to emails. Even deleting files doesn’t always remove filenames from the system. The effort to rename everything is significant. And even if you do rename everything, it doesn’t alter the fact that you have incriminating evidence on your computer.

Filename Not Found

Unfortunately, there’s a couple of filename formats that I haven’t been able to map (yet). They clearly identify some kind of application, but I don’t know the application. For example, the following filenames all use the same file format:

!cid_B626BF5E-E459-4C3A-8733-E5B07D20C2D9.jpg
!cid_B6949C70C0FF4574B148D7105EF46F60@Mark.jpg
!cid_B924E50B-2F9B-46BF-B14B-B0F60B65BB74.jpg
!cid_C187D8556EB241E5A74400ABB5A1DE3A@jessy.jpg
!cid_C26120D4-EC68-4C61-B182-6A26EFCD2B53.jpg
!cid_C2D621A2-F7EF-47CA-A4C9-A28460314CD9.jpg
!cid_C631A409-36A2-40E5-9338-4594F68D35F5.jpg
!cid_CAFA4E77A0754C1484350D27E37CDC87@Solo.jpg

With each of these names, there’s an initial “!” (it may be optional), the letters “cid_”, and then a bunch of hex characters (it’s a random UUID). There’s an optional “@” with a name after it, and then “.jpg”. These appear to be from some kind of email attachment. However, I don’t know what email application generates these filenames. I also don’t know if the “@” represents the sender, recipient, or something else.

Another unknown file format looks like:

imagesCAV0CD42.jpg
imagesCAVG12U3.jpg
imagesCAVSKWPT.jpg
imagesCAVW44WA.jpg
imagesCAW3915W.jpg
imagesCAW91TQN.jpg
imagesCAWBQHZA.jpg
imagesCAWFCH1K.jpg
imagesCAWRFD95.jpg
imagesCAX24U5P.jpg
imagesCAX4OMEI.jpg
imagesCAXJLC2J.jpg

Every name begins with “imagesCA” and is then followed by six random characters (letters and digits). The picture is always some kind of thumbnail image, but I don’t know what creates this.

I’m also seeing some kind of application that converts underscores to “95”. For example:

IMG952012052495115512.jpg
IMG952012071295175345.jpg
IMG952012081995182842.jpg
IMG952013013195120643.jpg

The first filename should be IMG_20120524_115512.jpg — that’s from some kind of Android. However, something converted the underscores to “95”. This conversion is consistent and widespread; there is some kind of common application that performs the conversion, but I don’t know what causes it and it may not be limited to Android devices.

If you happen to recognize any of these unidentified filename formats, please let me know!

Good Names

Most online services need some way to generate unique filenames rapidly. If three people upload different files that are all called “image.jpg”, then the site needs to keep all of them separate. Low volume services can usually get away with a random element in the filename. Other sites use something more deterministic, like SHA1 checksums, incremental counters, or timestamps.

With random filenames, you always risk a naming collision. That’s where two files are assigned the same random characters. This is usually a low risk for small sites, but places like Flickr, Facebook, and Twitter need something with less risk of a collision.

Incremental counters are useful because there is no naming collision. Unfortunately, they permit nosy people to iterate through counter values and identify other pictures on the system. Many services with incremental counters also include some kind of random or user-specific element to prevent arbitrary photo traversal. Facebook image names have three numerical components; the third one is a random number to prevent guessing. However other sites, like Twitpic, permit anyone to just iterate through the list of images.

Cryptographic checksums are also a wonderful idea. The values are non-linear, so you cannot increment through values. And they are not predictable (unless you already have the source picture). However, computing the checksum can be time consuming. FotoForensics is a low volume site (compared to Google), so it can spend time computing checksums. In contrast, Facebook and Twitter process so many pictures that the computing overhead would be prohibitively expensive for them. (Their power bill would increase and they’d need more computers since the simple act of computing checksums tens of thousands of times per second would add up and delay the user experience.)

Timestamps, especially those with high-precision values, are great for filenames. They are fast to generate, constantly incrementing so there is no risk of a name collision, and large gaps in the sequence deter iterators. 4chan, for example, uses a timestamp format. The 4chan filename “1409931694122.jpg” is the time in milliseconds since 1-Jan-1970; it translates as 2014-09-05 15:41:34.122 UTC. As long as their system does not process more than 1000 pictures per second, there won’t be a naming collision. (And I doubt that their servers can handle that kind of load.) Since 4chan usually receives a picture every few seconds, an iterator would need to go through thousands of failures before finding an image. And that many failures would likely trigger an alert if 4chan uses any kind of network attack detector.
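A small rule engine in the spirit of the filename ballistics described above, added here as a worked example; it is not FotoForensics’ ruleset or code from the post. It encodes the patterns the post lists for the three unidentified formats and for 13-digit millisecond-timestamp names, and reverses the two that can be decoded: IMG95 names back to the Android IMG_YYYYMMDD_HHMMSS form (95 is the decimal ASCII code of “_”, which is presumably why that substitution appears; that observation is added here, not the post’s), and timestamp names into a UTC time. The rule labels, the sample list and the extra IMG95 name with a “95” inside the time field are constructed for the example; the labels describe the pattern and do not identify the producing application, which the post leaves open.

```python
import re
from datetime import datetime, timedelta, timezone
from typing import Optional

UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def decode_img95(m) -> dict:
    """Undo the '_' -> '95' substitution ('_' is ASCII 95) and parse the timestamp.

    The date and time fields are matched positionally rather than by replacing
    every '95', because a time such as 09:55:12 legitimately contains '95'.
    """
    original = f"IMG_{m['date']}_{m['time']}{m['rest']}.jpg"
    taken = datetime.strptime(m["date"] + m["time"], "%Y%m%d%H%M%S")
    return {"original_name": original, "timestamp": taken.isoformat()}


def decode_unix_ms(m) -> dict:
    """13-digit names are milliseconds since the Unix epoch (4chan style)."""
    when = UNIX_EPOCH + timedelta(milliseconds=int(m["ms"]))
    return {"timestamp": when.isoformat(timespec="milliseconds")}


_UUID = r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"
_HEX32 = r"[0-9a-f]{32}"

# (label, pattern, decoder). Labels are this example's own names for the
# patterns the post lists; they do not name the application that produced them.
RULES = [
    ("cid-attachment",
     re.compile(rf"^!?cid_(?P<id>{_UUID}|{_HEX32})(?:@(?P<tag>[^.]+))?\.jpe?g$", re.I),
     None),
    ("imagesCA-thumbnail",
     re.compile(r"^imagesCA(?P<rand>[A-Z0-9]{6})\.jpg$"),
     None),
    ("IMG95-android",
     re.compile(r"^IMG95(?P<date>\d{8})95(?P<time>\d{6})(?P<rest>.*)\.jpg$"),
     decode_img95),
    ("unix-ms-timestamp",
     re.compile(r"^(?P<ms>\d{13})\.(?:jpe?g|png|gif|webm)$"),
     decode_unix_ms),
]


def classify(filename: str) -> Optional[dict]:
    """Return the first matching rule's label, raw fields and decoded values, or None."""
    for label, pattern, decoder in RULES:
        m = pattern.match(filename)
        if m:
            result = {"rule": label, "fields": m.groupdict()}
            if decoder:
                result.update(decoder(m))
            return result
    return None


def coverage(filenames) -> float:
    """Fraction of names the ruleset recognises (the post reports over 60% on real uploads)."""
    hits = sum(1 for name in filenames if classify(name) is not None)
    return hits / len(filenames)


# Constructed sample: names from the post, one IMG95 name whose time field
# contains '95' (09:55:12), and one generic name the rules must not claim.
SAMPLES = [
    "!cid_B626BF5E-E459-4C3A-8733-E5B07D20C2D9.jpg",
    "!cid_CAFA4E77A0754C1484350D27E37CDC87@Solo.jpg",
    "imagesCAV0CD42.jpg",
    "imagesCAX4OMEI.jpg",
    "IMG952012052495115512.jpg",
    "IMG952012052495095512.jpg",
    "1409931694122.jpg",
    "image.jpg",
]

if __name__ == "__main__":
    for name in SAMPLES:
        print(name, "->", classify(name))
    print(f"coverage: {coverage(SAMPLES):.0%}")
```

Rules are tried in order and the first match wins, so put the most specific patterns first when extending the list; a format that only partially matches (for instance an IMG95 name with a non-digit date) falls through and is reported as unknown rather than mis-decoded.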

Alternate Names

While timestamps are useful, some sites like to encode the times. I’ve managed to decode a lot of the encoded time formats, however one format is still stumping me: Twitter. Here’s the last few pictures from my Twitter stream (the top one is most recent). Do you see the pattern?

https://pbs.twimg.com/media/Bwx4vn2IQAAbwvQ.jpg
https://pbs.twimg.com/media/Bwx2U80CEAAewO6.jpg
https://pbs.twimg.com/media/BwugmBpCYAEF8yp.png
https://pbs.twimg.com/media/BwtWxxRCIAABdzo.png
https://pbs.twimg.com/media/BwtdDgvIQAAuD0h.jpg
https://pbs.twimg.com/media/BwtcsKjIQAAONkG.jpg
https://pbs.twimg.com/media/BwtYUMOCcAAYU7j.jpg
https://pbs.twimg.com/media/BwtWQqpIIAA6vJ1.jpg

Each filename is in the format “BxxxxxxxxAyyyyy.jpg”. The B values increment, but not as regularly as the A values. In contrast, the A values increment uniformly. Assuming that they actually are incremental values, it appears (and I could be wrong here) that lowercase are followed by uppercase are followed by numbers. (Or maybe it’s numbers followed by lowercase followed by uppercase?) There are also two characters that may appear (underscore and hyphen). Basically, it looks like some kind of base-64 encoding. (When I say “base-64” here, don’t think of it as the standard base64 function used to convert binary data into text. Instead, think of it like a numerical base conversion. Base-2 uses 2 digits. Base-16 uses 16 characters. Base-64 uses 64 characters.)

I recently did a time test on Twitter. I posted two pictures less than two seconds apart:
https://twitter.com/hackerfactor/status/506867107540135936/photo/1
https://twitter.com/hackerfactor/status/506867118126559233/photo/1

The tweet IDs always increment and fit within a 64-bit value. In this case, they differ by 10,586,423,297 (506867118126559233 – 506867107540135936 = 10586423297). I can’t help but wonder if this is actually two numbers, or one high-precision number. For example, they start with “50686710” and “50686711”. Could that be a timestamp with a non-unix epoch? I can look at any tweet and see that the numerical IDs always increment.

The pictures from my tweets have specific filenames as well:
https://pbs.twimg.com/media/BwjA8nCCcAAy5zA.jpg
https://pbs.twimg.com/media/BwjA9QPCQAAQB_c.jpg

I suspect that the Ayyyyy values are a timestamp, or some fraction of a timestamp, while the B values may be the tweet ID. I can sort every picture by the Ayyyyy value and know the relative time when the picture was posted to Twitter. (And the initial “A” may actually be part of the time encoding.)

The Bxxxxxxxx string may represent the tweet ID. In my test, they are BwjA8nCCc and BwjA9QPCQ. The tweet ID changes about half-way through the number, as does this encoded sequence.

Twitter appears to be encoding useful information into their picture filename formats. Given a Twitter picture, I can easily find the URL to the image. However, I cannot easily identify when it was posted or who posted it. The encoded information may allow filename ballistics to map a picture to a specific time or specific tweet. And if I can map it to a tweet, then I can identify who tweeted it.
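The question raised above about the tweet IDs has a definite answer: Twitter IDs are “Snowflake” values, whose published layout is a 41-bit millisecond count since a custom epoch of 2010-11-04T01:42:54.657Z (1288834974657 in Unix milliseconds), followed by a 10-bit machine id and a 12-bit per-millisecond sequence. The decoder below is an added example, not code from the post; the Snowflake layout is Twitter’s documented format and is not stated on the page. The second half of the example goes further than the page supports and is a hypothesis, checked only against the two tweet/picture pairs the post lists: reading the first 11 characters of a pbs.twimg.com/media name with the standard base64url alphabet (A–Z, a–z, 0–9, -, _ in that order) as a 66-bit big-endian value and dropping the low two bits yields a 64-bit Snowflake id whose time falls a few hundred milliseconds before the tweet that carries it, which is what the assumed-random last four characters do not do. Treat that reading as an observation that fits these samples, not as Twitter’s specification.

```python
import base64
from datetime import datetime, timedelta, timezone

# Twitter's published Snowflake layout: 41-bit millisecond timestamp since a
# custom epoch, then a 10-bit machine id and a 12-bit per-millisecond sequence.
SNOWFLAKE_EPOCH_MS = 1288834974657  # 2010-11-04T01:42:54.657Z
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def decode_snowflake(snowflake: int) -> dict:
    """Split a tweet (or any Snowflake) id into its time and generator fields."""
    ts_ms = (snowflake >> 22) + SNOWFLAKE_EPOCH_MS
    when = UNIX_EPOCH + timedelta(milliseconds=ts_ms)
    return {
        "timestamp_ms": ts_ms,
        "timestamp": when.isoformat(timespec="milliseconds"),
        "machine_id": (snowflake >> 12) & 0x3FF,
        "sequence": snowflake & 0xFFF,
    }


def twimg_media_id(url_or_name: str) -> int:
    """Hypothesis fitted to the post's samples, not a documented format: the first
    11 base64url characters of a pbs.twimg.com/media name carry a 64-bit Snowflake
    id (11 chars = 66 bits; the low 2 bits are dropped)."""
    stem = url_or_name.rsplit("/", 1)[-1].split(".", 1)[0]
    if len(stem) != 15:
        raise ValueError(f"unexpected media name length: {stem!r}")
    # Pad to 12 characters (9 bytes) so no '=' padding is needed; the first
    # 8 bytes are the top 64 of the 66 bits the 11 characters encode.
    raw = base64.urlsafe_b64decode(stem[:11] + "A")
    return int.from_bytes(raw[:8], "big")


def media_vs_tweet(media: str, tweet_id: int) -> dict:
    """Decode both ids and report how long before the tweet the media id was minted."""
    media_id = twimg_media_id(media)
    m = decode_snowflake(media_id)
    t = decode_snowflake(tweet_id)
    return {
        "media_id": media_id,
        "media_time": m["timestamp"],
        "tweet_time": t["timestamp"],
        "upload_lead_ms": t["timestamp_ms"] - m["timestamp_ms"],
    }


if __name__ == "__main__":
    # The two tweet/picture pairs from the post's timing test.
    for media, tweet_id in [("BwjA8nCCcAAy5zA.jpg", 506867107540135936),
                            ("BwjA9QPCQAAQB_c.jpg", 506867118126559233)]:
        print(media_vs_tweet(media, tweet_id))
```

For the post’s own pair, the first tweet id decodes to 2014-09-02 18:11:50.230 UTC and the second to 2.524 seconds later on the same machine id with the sequence advanced by one; the media ids decode to 467 ms and 354 ms before their respective tweets. The timestamp field alone already gives the relative ordering the post wants, without knowing anything about the random tail.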

Public Assistance

I typically don’t make my really cool findings public unless I believe that there is (1) no benefit to the bad guys, and (2) little risk of the public disclosure causing the data to be changed.

For this reason, I rarely make public anything I discover about Facebook. Every time I mention how we can pull out cool information from Facebook, they change their system or patch their holes or take steps to prevent forensic analysis. I find it ironic that Facebook doesn’t mind if they repeatedly exploit your personal information, but they don’t want anyone else to gain any insight.

In contrast to Facebook, I do not believe that Twitter will change their encoding method. And I’m hoping that someone who reads this blog entry will either recognize the encoding method or figure out how to decode it. Besides, I think Twitter is doing this more for speed than for secrecy, especially since tweets are not secret.

TorrentFreak: Google, Facebook & Microsoft Reject Anti-Piracy Proposals

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

As more of the submissions to the Australian Federal Government’s call for input on online copyright infringement are published, it’s becoming clear that the music and movie industries have a battle on their hands.

Hollywood in particular is seeking a tightening of the law which would hold ISPs more responsible for the actions of their users, while introducing a graduated response to deal with persistent domestic file-sharers.

Still can’t agree

In 2012, movie and recording companies fought a bloody battle with tech companies over SOPA in the United States but more than two years on it’s evident that the divide over what should be done about piracy is as wide as ever.

In a submission to the Government, a group of tech companies including Google, Facebook, Microsoft, eBay, Samsung, Motorola and BT largely oppose the wish-list of the entertainment industries.

Mirroring the tendency of Hollywood to state how important its members are to the economy, the Computer & Communications Industry Association begin by stating that its members employ more than 600,000 workers who generate more than $200 billion in revenue.

Launching its key observations, CCIA say that rather than pushing for the introduction of a so-called graduated response scheme, policy makers could achieve better results by focusing on the issues that encourage people to pirate in the first place.

No graduated response: provide content in a timely manner at a fair price

The group describes “high prices” and a “lack of availability of lawful content” as key domestic and international market barriers for consuming online content. But the problems don’t end there.

“Naturally, from this follows that access to on-demand/online content across territories becomes even more cumbersome and restrictive due to territorial copyright restrictions, licensing conduct, geo-blocking, price discrimination holdback and windowing,” CCIA explains.

Noting that there is “an inverted relationship” between lawful and unlawful access to content, the tech group underlines their point with a quote from Kevin Spacey.

“Audience wants the freedom.. they want control…give consumers what they want, when they want it and in the format they want it and at reasonable price,” they write.

Don’t believe their lies

A couple of points raised by the CCIA will sting their entertainment industry adversaries more than most. Noting that there “is little or no evidence” that graduated response schemes are successful (but plenty to the contrary), enforcement policies should be based only on facts, not on the claims of those determined to introduce them.

“It is also absolutely essential that enforcement debate and policy is not based on manufactured claims, exaggerations and deceptions that will in the long run risk resulting in a negative public sentiment concerning intellectual property,” CCIA writes.

“Empirical data on the impact of copyright infringement over the last two decades is deeply contested and in some cases to such a level that it is being ridiculed. This is a highly undesirable development for the perception of copyright and by extension intellectual property in general by the broader public.”

Copyright is a “moral hazard”

In another interesting statement the CCIA suggest that when supported by legislation, companies will fall back on that to maintain business models that are no longer viable.

“Economists have expressed concerns that copyright has a moral hazard effect on incumbent creative firms, by encouraging them to rely on enforcement of the law rather than adopt new technologies and business models to deal with new technologies,” the tech firms continue.

“Hence, enforcement should not become a tool to protect businesses from competition, changing business realities and changes in consumer exactions, hereby allowing them to continue to hold on to outdated business models.”

Conclusion

Summing up, CCIA director Jakob Kucharczyk says that any new scheme should employ a “holistic end-to-end approach” and be coupled with efforts by content providers to give customers the content they need at a fair price.

On the issue of ISPs, the CCIA is clear. There must be a level playing field, legal protection from liability must be enshrined in law, and rightsholders must be held responsible for their actions when making allegations of infringement.

“If all parties are willing to look at equitable, cooperative programs that include a focus on the key issues outlined above, we believe that a better, more balanced and more effective outcome is achievable than that which is likely to result from the Government’s present proposals,” Kucharczyk concludes.

How the conflicting approaches of the technology companies, ISPs and the entertainment industries can ever be reconciled will be a topic for heated debate in the coming months, not only in Australia, but across the world.

Source: TorrentFreak, for the latest info on copyright, file-sharing and anonymous VPN services.

Raspberry Pi: Ben’s Mega USA Tour

This post was syndicated from: Raspberry Pi and was written by: Ben Nuttall. Original post: at Raspberry Pi

Last month we put out a blog post advertising that I would be doing a tour of America, with a rough initial route, and we welcomed requests for visits.


Over the next couple of weeks I was overwhelmed with visit requests – I plotted all the locations on a map and created a route aiming to reach as many as possible. This meant covering some distance in the South East before heading back up to follow the route west towards Utah. I prepared a set of slides based on my EuroPython talk, and evolved the deck each day according to the reception, as well as making alterations for the type of audience.

With launching the Education Fund, being in Berlin for a week for EuroPython followed by YRS week and a weekend in Plymouth, I’d barely had time to plan the logistics of the trip – much to the annoyance of our office manager Emma, who had to book me a one-way hire car with very specific pick-up and drop-off locations (trickier than you’d think), and an internal flight back from Salt Lake City. I packed a suitcase of t-shirts for me to wear (wardrobe by Pimoroni) and another suitcase full of 40 brand new Raspberry Pis (B+, naturally) to give away. As I departed for the airport, Emma and Dave stuck a huge Raspberry Pi sticker on my suitcase.


When checking in my suitcase the woman on the desk asked what the Raspberry was, and her colleague explained it to her! In the airport I signed in to the free wifi with one of my aliases, Edward Snowden. I started to think Phil McKracken or Mr. Spock might have been a better choice once I spotted a few security guards seemingly crowding around in my proximity…

Mon 4 – NYC, New York

I managed to board the flight without a federal investigation (although I may now be on the list, if I wasn’t already), and got chatting to the 60 year old Texan lady I was seated with, who hadn’t heard about Raspberry Pi until she managed to land a seat next to me for 8 hours. I had her convinced before we left the ground. I don’t know how he does it, but Richard Branson makes 8 hours on a tin can in the sky feel like heaven. Virgin Atlantic is great!

Upon landing at JFK I was subjected to two hours’ queuing (it was nice of them to welcome us with traditional British pastimes), followed by a half-hour wait to get through customs. I felt I ought to declare that I was bringing forty computers into the country (also stating they were to be given away), and was asked to explain what they were and show one to the officer, who took hold of one of the copies of Carrie Anne’s book, Adventures in Raspberry Pi, to validate my explanation. Fortunately I was not required to participate in a pop quiz on Python indentation, GPIO, Turtle graphics and Minecraft, as he took my word for it and let me through. I was then given the chance to queue yet again – this time about 45 minutes for a taxi to Manhattan. I arrived at Sam’s house much later than I’d anticipated, but she was there to greet me by hanging her head out the window and shouting “MORNING BEN”. An in-joke from a time we both lived in Manchester.

We ate and met my friend-from-the-internet Aidan, then went to a bar until what was 5am on my body clock. A sensible approach, I thought, was to just stay up and then get up at a normal time the next day. I awoke and saw the time was 6.00 – my jetlagged and exhausted mind decided it was more likely to be 6pm than 6am, but it was wrong. I arose and confirmed a meeting time and place for my first visit – just a few blocks away from Sam’s apartment in Manhattan.

Tue 5 – NYC, New York

I met Cameron and Jason who had set up a summer class teaching a computing course for locals aged 18-and-under for 2 weeks, delivered purely on Raspberry Pis! I chatted with them before the students arrived, and they told me about how they set up the non-profit organisation STEMLadder, and that they were letting the students take the Pis home at the end of the course. Today’s class was on using Python with Minecraft – using some material they found online, including a resource I helped put together with Carrie Anne for our resources section.

I gave an introduction about the Raspberry Pi Foundation and showed some example projects and then the kids did the Python exercises while working on their own “side projects” (building cool stuff while the course leaders weren’t looking)!


Thanks to Cameron and Jason for taking the opportunity to provide a free course for young people. A perfect example use for Raspberry Pi!

Wed 6 – Washington, DC

On Wednesday morning I collected my hire car (a mighty Nissan Altima) and set off for Washington, DC! I’ve only been driving for less than a year so getting in a big American car and the prospect of using the streets of Manhattan to warm up seemed rather daunting to me! I had a GPS device which alleviated some of my concern – and I headed South (yes, on the wrong right side of the road).


I’d arranged to meet Jackie at 18F – a digital services agency project in the US government General Services Administration. This came about when I met Matt from Twilio at EuroPython, who’d done a similar tour (over 5 months). After a 6 hour drive including horrendous traffic around Washington (during which I spotted a sign saying “NSA – next right – employees only“, making me chuckle), I arrived and entered 18F’s HQ (at 1800 F Street) where I had to go through security as it was an official government building. I was warned by Jackie by email that the people I’d be meeting would be wearing suits but I need not worry and could wear what I pleased – so I proudly wore shorts and a green Raspberry Pi t-shirt. I met with some of the team and discussed some of their work. 18F was set up to replicate some of the recent initiatives of the UK government, such as open data, open source projects and use of GitHub for transparency. They also work on projects dealing with emergency situations, such as use of smartphones to direct people to sources of aid during a disaster, and using Raspberry Pis to provide an emergency communication system.

We then left 18F for the DC Python / Django District user group, where I gave a talk on interesting Python projects on Raspberry Pi. The talk was well received and I took some great questions from the audience. I stayed the night in Washington and decided to use the morning to walk round the monuments before leaving for North Carolina. I walked by the White House, the Washington Monument and the Lincoln Memorial and took some awkward selfies:


Thu 7 – Raleigh, North Carolina

I left DC and it took me 6 hours to get to North Carolina. I arrived at the University (NCSU) in Raleigh just in time for the event – Code in the Classroom – hosted at the Hunt library and organised by Elliot from Trinket. I set my laptop up while Elliot introduced the event and began my talk. There was a good crowd of about 60 people – from around age 7 to 70!


The talk went down well, and I received many questions about teaching styles, classroom management and the future of the hardware. One older chap, who has been running a summer coding club on the Pi shouted out: “Where were you two weeks ago when I needed you!?” when I answered one of his questions, which generated laughter from the audience. I also had a teacher approach me after the talk asking if she could take a selfie with me to show her students she’d met someone from Raspberry Pi – I happily obliged and showed her some of my awkward selfies from Washington, DC. She asked if we could take an awkward one too – needless to say, I happily obliged!

Elliot had arranged a room next door to the lecture theatre with some Pis set up for kids to play on. I gave out some Pis to the kids and it was well over an hour before the last of them were dragged home by their parents. I chatted with Elliot and the others about them setting up a regular event in Raleigh – as there was obviously huge demand for Pi amongst kids and adults in the area and beyond (I’d heard someone had driven up from Florida to attend the talk!) – and so I look forward to hearing about the Raleigh Raspberry Jam soon! A few of us went out to get pizza, and we were accompanied by one of the smartest kids I’ve ever met – and among interesting and inspiring conversation, he kept asking me seemingly innocent questions like “what do you call that thing at the back of your car?” to which I’d reply with the British word he wanted me to speak! (It’s a boot.)

Here’s a video of the talk:

I thanked Elliot and departed for Greensboro, where I’d arranged to stay with my friend Rob from my university canoe club, and his wife Kendra.

Fri 8 – Charlotte, North Carolina

In the morning I left for UNC Charlotte where I spoke to embedded systems engineering students at EPIC (Energy Production Infrastructure Centre). There was a good crowd of about 60 students and a few members of staff. When I entered the room they were playing Matt Timmons-Brown’s YouTube videos – what a warm-up act!

Following the talk I chatted with students about their projects, answered some questions, deferred some technical questions to Gordon and Alex, and was taken out to a brilliant craft beer bar for a beer and burger with some of the staff.

In the evening Rob, Kendra and I went out to eat – we had a beer in a book shop and ate bacon (out of a jam jar) dipped in chocolate. True story. We also took some group awkward selfies:

Sat 9 – Pigeon River, Tennessee

The Saturday I’d assigned to be a day off – I hoped to go kayaking with Rob but he had to work and Kendra was busy so Rob put me in touch with some paddling friends who welcomed me to join them on a trip to the Pigeon River in Tennessee! An early start of 6am left me snoozing in the back of the car, which Matt took the chance to snap a picture of and post it to Facebook (I only found out when Rob mentioned it later that evening). We had a nice couple of runs of the river by kayak, accompanied by a rafting party. And another awkward selfie.

Sun 10 – Lawrenceville, Georgia

On Sunday morning I left Rob and Kendra’s for Georgia. One of the requests I’d had was from a man called Jerry who just wanted to meet me if I was passing by. I said it’d be great if he could set up a public meeting to be more inclusive – and he got back in touch with a meetup link for an event at Geekspace Gwinnett – a community centre and hackspace in Lawrenceville. I pulled up, shook hands with Jerry and was shown to the front of the room to connect up my laptop. There was a larger crowd than I’d imagined, seeing as Jerry had set the event up just a few days prior – about 40 people, who were all very interested in Raspberry Pi – and after my talk we had a great discussion of everyone’s personal projects.

Liz, who runs marketing for the space, gave me a tour, and Joe, the guy setting up the AV for my presentation, spotted the Adventure Time stickers on my laptop and told me he worked for Turner in Atlanta, which broadcasts Cartoon Network, and offered to give me a tour of the network when he went on his night shift that evening. I went to Jerry’s house where he and his wife cooked for me and he showed me Pi Plates, the extension board he’s been working on.

I then left to meet Liz and her husband, Steve, who has been working on a huge robotics project – a whole wearable suit (like armour) that’s powered by a Pi and will make sounds and be scary! I look forward to the finished product. They also have an arcade machine Steve built years ago (pre-Pi) which houses a PC and which, he claims, had basically every arcade game ever on it.

Did you know there was a Michael Jackson game for the Sega Mega Drive, where you have to perform dance moves to save the children? Neither did I.

We set off for Atlanta at about 11.30pm and I witnessed its beautiful skyline, which is well lit up at night. We arrived at Turner and met Joe, who gave us the tour – I’ve never seen so many screens in my life. They show all the broadcast material for TV and web on screens and have people sit and watch them to ensure the integrity of the material and ensure the advertising rules are adhered to. We also saw the Cartoon Network floor of the office side of the building where staff there work on the merchandise for shows like Adventure Time!

Joe also showed us the Turner Makers room – a mini hackspace for the Turner staff to work on side projects – he told me of one which used a Raspberry Pi to control steps that would light up and play a musical note as you walked across them. They’re currently working on a large games arcade BMO with a normal PC size screen as a display – I look forward to seeing it in action when it’s finished.

It’s great to see the space has since set up their own monthly Raspberry Pi group!

Mon 11 – Chattanooga, Tennessee

I then left Georgia to return to Tennessee, where I’d arranged to visit Red Bank Middle School in Chattanooga. I arrived at the school, signed in to get my visitor’s badge and met Kimberly Elbakidze – better known to her students as Dr. E – who greeted me with a large Subway sandwich. I ate in the canteen and while chatting with some of the staff I noticed the uniformed security guard patrolling the room had a gun on his belt. Apparently this is normal in American schools.

It was the first day back at the school, so the children were being oriented in their new classes. I gave two short talks, introducing the Raspberry Pi and what you can do with it – to sixth and eighth graders, and opened for some questions:

“Do you like Dr. Who?”
“Is that your real accent?”
“Are you really from England?”
“Can I get a picture with you?”
“Can I keep Babbage?”

I wrapped up, left them a copy of Carrie Anne’s book and some Pis, and went on my way. I’d intended to get online and confirm the details of my next school visit (I’d arranged the date with the teacher, but we hadn’t settled on the time or what we were doing), but access to the internet from the school was restricted to staff so I couldn’t get on. I had to set off for Alabama, and only had the school name and the town. I put the town name into my car’s GPS and set off.

Tue 12 – Talladega, Alabama

I arrived in Talladega town centre unsure how close I was to the school. I parked up and wandered down the main street in magnificent sunshine and intense heat looking for a McDonald’s or Starbucks, hoping to get on some WiFi to check where it was. With no luck, I headed back to the car and decided to just find a hotel and hope that I was at least nearby. I asked someone sitting outside a shop if they knew of the school – RL Young Elementary School – and they said it was just 15 minutes or so away, so I asked for a nearby hotel and she pointed me in the right direction. As I neared the car, the intense heat turned into a terrific storm – the 5-minute drive to the hotel was in the worst rain I’ve ever seen.

I checked in to the hotel and got on with my emails – I sent one to the teacher who’d requested me at the school to say I’d arrived in Talladega, that I was staying in the Holiday Inn, and asked what time I should come in. My hotel phone rang 5 minutes later – it was the husband of the teacher. Trey said the principal hadn’t been told about the visit yet, and the details needed to be confirmed with her before we set a time – but they would sort it out as soon as possible and let me know. He offered to take me out for a meal that night so I arranged to meet him within an hour. Just as I was leaving I got an email from someone called Andrew who said he’d just spotted I was in Talladega, and asked if I could meet him if I had time – I said if he could get to the restaurant, I’d be there for the next couple of hours.

As I arrived I met them both, and introduced them to each other. Driving through that afternoon I’d noticed the town has about 50 churches. Trey said he recognised Andrew’s surname, and Andrew said his father was the priest of one of the churches, and Trey said he knew him. Andrew was also training to become a priest like his Dad, and Trey said he’d skipped Bible school that night to come and meet me. We had a nice meal and a chat and Trey said he’d let me know in the morning what the plans for the school visit were. Andrew offered to take me out for breakfast and show me around the town. I said I’d contact him in the morning once I’d heard the timings from Trey.

Once I woke up the next morning my email told me I needed to be at the school for about 1pm, so I had time to go to breakfast with Andrew, and he showed me around the place. I also visited his home and his church and met his family. He showed me some Raspberry Pi projects he’s been working on too.

He also offered to help out at the school – RL Young Elementary – so we got my kit and he drove us over. We signed in at reception where we entered our names into a computer which printed visitor labels (seriously – a whole PC for that – and another just showing pictures of dogs! The Raspberry Pi was definitely needed in this place).

I was to follow a woman from the Red Cross, who gave a talk to the children about the importance of changing their socks every day. I thought an introduction to programming with Minecraft might blow their smelly socks right off!

The principal attempted to introduce me but had no idea who I was or why I was there, so just let me get on with it. I spoke to the young children and introduced the Raspberry Pi, focusing on a Minecraft demo at the end where I let them have a go themselves. The principal thanked me, said it was interesting and wished me a safe trip back to Australia! I left them some Pis and a copy of Adventures in Raspberry Pi.

Wed 13 – Somerville, Tennessee

I’d arranged my next visit with a very enthusiastic teacher called Terri Reeves from the Fayette Academy (a high school) in Somerville, Tennessee. In her original request she’d said she wasn’t really on my route, but would be willing to travel to meet me for some training – but I explained I’d changed my route to try to hit as many requests as I could, so I’d be happy to visit the school. She offered to let me stay at her house, and told me her husband would cook up some Southern Barbecue for me on arrival. It was quite a long drive and I arrived just after sunset – the whole family was sitting around the table ready to eat and I was welcomed to join them. I enjoyed the Southern Barbecue and was treated to some Razzleberry Pie for dessert. I played a few rounds of severely energetic ping pong with each of Terri’s incredibly athletic sons and daughters before getting to bed.

I spent most of the day at the school, where I gave my Raspberry Pi talk and demo to each of Terri’s classes. Again, it was the first week back for the school so it was just orientation for students settling into their classes and new routines. The information went down well across the board and Terri said lots of students wanted to do Raspberry Pi in the after-school classes too.

This is what the Raspberry Pi website looks like in the school, as Vimeo is blocked.

I joined some students for lunch, who quizzed me on my English vocabulary and understanding of American ways – they thought it was hilarious when I pointed out they said “Y’all” too much. I suggested they replace it with “dawg”. I do hope this lives on.

I also took a look at a project Terri had been trying to make in her free period – she’d been following some (really bad) instructions for setting up a webcam stream from a Pi. I diagnosed the problem fairly quickly – the apt-get install motion command she’d typed had failed, as the site containing the .deb (hexxeh.net) was blocked on the school network (for no good reason!). I asked if we could get it unblocked and the network administrator came over and unblocked it. She originally only wanted to unblock it for the Pi’s IP address, but I explained it would mean no one could install things or update their Pis without access to that website, so she unblocked it system-wide. I tried again and there were no further problems, so we proceeded to the next steps.

I then drove about an hour west to Downtown Memphis where I spent the early evening between Elvis Presley Boulevard and Beale Street (no sign of a Clive museum, just a row of Harley Davidsons), where I bought a new hat, which soon became the talk of the office.

My new hat

When I returned to Terri’s house she asked me to help her with her webcam project again – I checked she’d done all the steps and tried opening the stream from VLC Player on my laptop. I’ve never heard anyone shriek with joy so loud as when she saw the webcam picture of us on that screen! Terri was overjoyed I’d managed to help her get that far.

Thu 14 – Louisville, Kentucky

I left the next morning for Louisville (pronounced Lou-er-vul), and en route I realised I’d started to lose my voice. I arrived in the afternoon for an event at FirstBuild, a community hackspace run by General Electric. The event opened with an introduction and a few words from me, and then people just came to ask me questions and show me their projects while others were shown around the space and introduced to the equipment.

Check out this great write-up of the FirstBuild event: Louisville, a stop on US tour for credit-card sized computers.

We then proceeded to the LVL1 hackerspace where I was given a tour before people arrived for my talk. By this point my voice had got quite bad, and unfortunately there was no microphone available and the room was a large echoey space. However I asked people to save questions to the end and did my best to project my voice. I answered a number of great questions and got to see some interesting projects afterwards.

Fri 15 – St. Louis, Missouri

Next – St. Louis (pronounced Saint Lewis), Missouri – the home of Chuck Berry. I had a full day planned by teacher and tinkerer Drew McAllister from St. John Vianney High School. He’d arranged for me to meet people at the Grand Center Arts Academy at noon, then go to his school to speak to a class and the after-school tech club, followed by a talk at a hackspace in the evening.

I was stuck in traffic, and didn’t make it to the GCAA meetup in time to meet with them, so we headed straight to the school where I gave a talk to some very smartly dressed high school students, which was broadcast to the web via Google Hangouts. Several people told me afterwards how bad my voice sounded on the Hangout. Here it is:

I had a few minutes’ rest before moving next door to the server room, where they host the after-school tech club – Drew kindly filled in the introduction of the Pi to begin (to save my voice) and asked students if they knew what each of the parts of the Pi were for. I continued from there and showed examples of cool projects I thought they’d like. I gave Drew some Pis for the club and donated some Adafruit vouchers gifted by James Mitchell – as I thought they’d use them well.

Drew showed me around St. Louis and took me out for a meal (I consumed lots of hot tea for my throat) before we went to the Arch Reactor hackerspace. I gave my talk and answered a lot of questions before being given a tour of the space.

Throat sweet selfie

Sat 16 – Columbia, Missouri

In the morning I left in the direction of Denver, which was a journey long enough to have to break up over two days. With no visit requests in Kansas City, but one in Columbia, which was on my way but not very far away, I stopped there to meet with a group called MOREnet, who provide internet connection and technical support to schools and universities. Rather than have me give a talk, they just organised a sit-down chat and asked me questions about education, teacher training and interesting ways of learning with Raspberry Pi. Some of the chat was video recorded, which you can watch at more.net (please excuse my voice).

I even got to try Google Cardboard – a simple virtual reality headset made with cardboard and an Android phone. A very nice piece of kit! I stayed a couple of hours and made my way west. I’d asked around for a good place to stay that night on my way to Denver. Some people had suggested Hays in Kansas so I set that as my destination. It had taken me 2 hours to get to Columbia and would be another 6+ hours to Hays, so it was always going to be a long day, but at least I was in no rush to arrive anywhere for a talk or event.

Kansas City Selfie

I stopped briefly in Kansas City (actually in the state of Missouri, not Kansas) to find almost nobody out and almost everything closed. I think it’s more of a nightlife town. I finally arrived in Hays at 8.30pm after the boring drive through Kansas and checked into a hotel just in time for a quick dip in the swimming pool.

Sun 17 – Denver, Colorado

I left Hays for Denver, which meant I had a good 5+ hour drive ahead – all along that same freeway, the I-70 – to arrive at denhac, the Denver Hackspace, for 4pm. I’d also arranged late the night before to visit another Denver hackspace afterwards, so I said I’d be there at 7pm. On my way into Denver I noticed a great change in weather – and saw lots of dark grey and black clouds ahead – and as I got closer I entered some rough winds and even witnessed a dust storm, where dust from the soil and crops of the fields was swept into the air. It was surreal to drive through!

I worked out later that the distance I’d travelled that day was roughly equivalent to driving from Southampton to Inverness! The longest I’ve driven before is Southport to Cambridge!

I arrived just on time and was greeted by Sean, who had invited me. He introduced me to the members, all sitting around their laptop screens, and I was given a tour of the space. He was telling me how the price of the space had been rising recently due to the new demand for warehouse space such as theirs for growing cannabis, now that it is legal in Colorado. I took some pictures of cool stuff around the space, including a Pibow-encased Pi powering a 3D printer. I even got to try on Sean’s Google Glass (I think Cardboard is much better).

To Grace Hopper, you will always be grasshopper

One of the neatest Pi cases I’ve ever seen

I met a young girl, about 12 years old, who told me she recently went into an electronics shop saying she wanted to buy a Raspberry Pi for a new project, and the member of staff she spoke to had never heard of a Raspberry Pi and assumed she wanted to cook one. Anyway, I gave her one of mine – she was delighted and immediately announced it in the networked Minecraft game she was hosting. I gave my talk in their classroom (great to see a classroom in a hackspace) before heading to my next stop – TinkerMill.

TinkerMill is a large hackspace, coworking space and startup accelerator in Denver. On arrival a group of people were sitting ready for my talk, so I got set up and was introduced by Dan, who runs the space and works out of it. The hackspace version of my talk includes more technical detail and updates on our engineering efforts. This went down well with the group and after answering a few questions we broke out into chat, discussing the Pi’s possibilities and what great things have come out of the educational mission.

I found a Mini Me

I also met a woman called Meg who was standing at the back of the room. I got chatting to her and she asked me a few questions. She hadn’t attended the event but had just come to use the laser cutter for the evening, and caught the end of the talk. She kept asking me questions about the Pi, and in answering them I basically gave the talk again. She said the reason she’d not come to the talk was that she was looking to use the Arduino in some future projects because she assumed it would be easier than using a Pi, based on the fact she’d heard you could do more with a Pi, so it must be more complex. I explained the difference to her, hoping this would shed light on how the Pi might be useful to her after all, and that she would be able to choose a suitable and appropriate tool or language on the Pi, which is not an option with Arduino. She also discussed ideas for creative projects and wearables which were really interesting, and I told her all about Rachel’s project Zoe Star and put her in touch with Rachel, Charlotte and Amy. Dan took Meg and me out to dinner and we had a great time.

Mon 18 – Boulder, Colorado

Dan offered to put me up and show me around Denver the following day – I’d originally planned to get straight off to Utah the next day but it made sense to have an extra day in Denver – I’m glad I did as I really enjoyed the town and got to have a great chilled out day before driving again. We drove up one of the nearby mountains to a height of almost 10,000 feet.

Mountain selfie

I wandered around Boulder, a wonderful town full of cafes, restaurants and interesting shops. I ended up buying most of my awful souvenirs there – including a three-tiered monkey statue for Liz:

And you are a monkey too

We ate at a restaurant called Fork so it seemed appropriate to get a picture for my Git/GitHub advocacy!

FORK!

Colorado seemed to be the most recognisable state in all the places I visited, by which I mean it was culturally closest to Britain. My accent didn’t seem too far from theirs, either. A really nice place with great food and culture, with mountains and rivers right on hand. I could live in a place like that!

Tue 19 – Provo, Utah

I left Dan’s in the morning and headed west along the I-70 again. After a couple of bathroom breaks I got on some McDonald’s WiFi and checked my email and Twitter – I’d had a tweet asking if I would be up for speaking in Provo that night. I thought “why not?” and said yes – expecting to arrive by 7pm, I suggested they make it 8pm just in case. I was actually heading to Provo already, in the hope of meeting up with some family friends, Ken and Gary, who I stayed with last time I visited Utah. I hadn’t managed to get hold of them yet, but I kept ringing every now and then to see if they were around. When I finally got hold of them, they asked if they could come to see my presentation – so I told them where it was and said I’d see them there.

As I entered Utah the scenery got more and more beautiful – I pulled up a few times to get pictures. The moment I passed the ‘Welcome to Utah’ sign I realised what a huge feat I’d accomplished, and as I started to see signs to Salt Lake City – my end point – I was overjoyed. I hadn’t covered much distance across the country in my first week, as I’d gone South, along a bit, North and East a bit before finally setting off from St. Louis in the direction of the West Coast, so finally starting to see the blue dot on my map look a lot closer to California meant a lot.

I arrived in Provo about 7.30, located the venue, the Provo Web Academy, and by the time I found the right place and parked up it was 8pm. I was greeted by the event organiser, Derek, and my friends Ken and Gary! I hadn’t seen them for 13 years so it was a pleasure to meet again. I set up my presentation and gave my talk, had some great questions and inspired the group of about 20 (not bad, to say it had been organised just a few hours earlier) to make cool things with Pi and teach others to do the same. I went out to eat with Ken and Gary and caught up with them.

Wed 20 – Logan, Utah

The next day I had my talk planned for 4pm in Logan (North of Salt Lake City) so I had all morning free to spend with Ken (retired) while Gary was at work. Back story: my Mum (a primary school teacher) spent a year at a school in Utah in 1983-84 on an exchange programme. Ken was a fellow teacher at the school, and like many others, including families of the kids she taught, she kept in touch with him. As I said, we visited in 2001 while on a family holiday, and stayed with them on their farm. So Ken and I went to the school – obviously many of the staff there knew Ken as he only recently retired, and he told them all about my Mum and that I was touring America and wanted to visit the school. None of the teachers there were around in 1984, but some of the older ones remembered hearing about the English teachers who came that year. I took photos of the school and my Mum’s old classroom and sent them to her. We visited another teacher from that time who knew all about me from my Mum’s Christmas letter (yikes!) and even went to see the trailer my Mum lived in for the year!

I then left Provo for Logan, where the talk was to take place at Utah State University. I’d prepared a talk for university students, really, but discovered there was a large proportion of children there from a makers group for getting kids into tech hardware projects – but they seemed to follow along and get some inspiration from the project ideas. Down to my last two Pis, I did what I did at most events and called out for the youngest people in the room – these went to 5- and 7-year-olds, and my demo Babbage (I mention Dave Akerman’s Space Babbage in all my talks) was given out to a family too.

My final talk was recorded, but they told me they were recording the other screen so I’m out of the frame in most of the video.

Happy to have completed the tour, sad for my journey to be coming to an end, but glad to be able to sit down and take a breather, I chilled out for a while before heading back to Provo for my final night in America. I thought at one point I wouldn’t make it back as I hit a storm on my way home, and could barely see the road in front of me due to the incredible rain. With the entire 4-lane freeway slowing to 40mph with high beams glaring, catching a glimpse of the white lines now and then and correcting the wheel accordingly, I made it home safely to join Ken and Gary for dinner.

Ken, me, Gary

Thu 21 – Salt Lake City, Utah

I bid farewell and left for the airport, returned my hire car with 4272 miles on it – which was 10% of the car’s overall mileage!

I flew from Salt Lake City to New York and stupidly forgot to tell them that wasn’t my final destination, so I had to retrieve my suitcases at JFK baggage claim and check them back in for my next flight – because, you know, I like stress. Luckily, despite the internal flight running late and my not having a boarding card for my second flight (I had no access to a printer or WiFi in the 24 hours before the flight!), I had no problems, and my luggage and all was successfully transported back to London with me. I was driven back to Cambridge, then up to Sheffield where I bought a suit, had my hair cut and attended the wedding of two great friends – congratulations, Lauren and Dave.

Lauren and Dave

What did I learn?

  • Despite sales of Pis in America being the biggest in the world, the community is far less developed than it is in the UK and in other parts of Europe. There are hardly any Jams or user groups, but there is plenty of interest!
  • American teachers want (and need) Picademy – or some equivalent training for using Pis in the classroom.
  • There is a perception that Raspberry Pi is not big in America (due to the lack of community), and an assumption that Pis are hard to buy in America. While this is still true in many hardware stores (though people should bug stores not selling Pi and accessories to start stocking stuff!), I refer people to Amazon, Adafruit and our main distributors Element14 and RS Components. You can also buy them off the shelf at RadioShack.
  • If you build it, they will come. Announcing that I would turn up to a hackspace on a particular day brought people from all walks of life together to talk about Raspberry Pi, in much the same way a Raspberry Jam does in the UK. I could stand in front of these people and make them realise there is a community – they’re sitting in the middle of it. All they need is a reason to meet up – a Jam, a talks night, an event, a hack day, a tech club. It’s so easy to get something started, and you don’t need to start big – just get a venue and some space, tell people to turn up with Pis and take it from there.

Huge thanks to all the event organisers, the people who put me up for the night or took me out for a meal, and everyone involved in this trip. Sorry if I didn’t make it to you this time around – but I have a map and list of places we’re required – so we hope to cover more ground in future.

You can view the last iteration of my talk slides at slideshare.

Raspberry Pi: China press and community tour

This post was syndicated from: Raspberry Pi and was written by: Liz Upton. Original post: at Raspberry Pi

As you might have spotted, if you follow us on Twitter, Eben and I spent the last week and a bit touring China, meeting the Raspberry Pi community there and giving interviews to the press, with some sterling organisational help from our friends at RS Components. (A special and huge thank you to Eric Lee, without whom we’d have been absolutely stuffed. Mostly with delicious pork confections and noodles, but stuffed nonetheless.)

Here’s what we got up to.

First up, there were a lot of press conferences to give, with help from the excellent William, our simultaneous translator; after a week of doing this, we ended up with more than 100 pieces of media being written or recorded about Raspberry Pi across China. This one, in Shanghai, is pretty typical.

Press conference

We noticed that the tech press in China is incredibly well-educated; a lot of these journalists trained as engineers and then moved into publishing. (And everywhere we went, at least 50% of the technical journalists were women – something I wish we’d emulate in the west.)

We went to a Raspberry Jam in Shanghai, held at RS Components’ offices. We met some great people (Kevin Deng and the gang from 52pi.cn, a Chinese website dedicated to the Raspberry Pi, actually followed us on to the next event in Shenzhen as well), who’d built some amazing projects.

Shanghai Jam

The robot on our desk is LIDAR (laser radar)-equipped, from DFrobot. We’re listening to a talk about open source from David Li, one of China’s most famous open source pioneers. Eric Lee from RS is on the right.

lidarbot

This laser-etcher is one of the projects the 52pi gang had brought along; you can buy lasers for this sort of project off the shelf in China, where the integrity of your eyeball is your own responsibility. I’ve got a couple of coasters with our logo on them on my desk at the moment, made using this machine.

laser etcher

Jackie Li gave an amazing talk about the projects he’s made at home – cameras streaming to remote screens, a simplified media centre for his grandma, robots – and this excellent LED persistence of vision device for displaying reminders in the kitchen.

We flew out next to Shenzhen, where hundreds of people turned up for a Raspberry Jam, and where we did more press conferences and more interviews. Before we left for China, I’d been worried that the community base would be smaller than we’re used to. It turned out to be almost too large for us to deal with in the time we’d had allotted in each location.

Shenzhen Jam

It got a bit hard to move in Shenzhen for all the people wanting a photo. We saw some great presentations (one of which, from Martin Liu, who describes himself as a living-room maker, demonstrated the work we sponsored to get the XBMC menu working in new fonts, including Chinese; it’s at the back of the photo here, behind all the people with cameras.)

allthecameras

We met a lot of Shenzhen makers who are also entrepreneurs; on the left here is Zoe from Seeed Studio. Eben’s holding some sensors from their Grove project, which works with Raspberry Pi.

seeed

This young gentleman had a robot to show us, controlled with Scratch (on the desk to the right), and a poster for Eben about Pi-controlled brewing. He was terribly shy, and I really wanted to give him a hug, but suspected that might have made matters worse.

We managed to get about an hour at the enormous electronics market in Shenzhen with Eric, where we had some fun looking at components and working out if we could lower the bill of materials cost in the Pi itself. Unfortunately, it’s so big you need at least a week to work your way around the place; we plan to return.

Next stop, Taipei. We started off at Noise Kitchen, where we met a group from CaveDu, a local hacker group. The robot in the middle was being prepared for the next day’s Jam at Tatung university – the display shows how many likes CaveDu’s Facebook page has.

CaveDu

These guys hung around for HOURS to meet us, for which we’re very grateful; our plane was delayed six hours, and we didn’t get there until nearly 11pm. I met a home-made laptop with a removable wireless keyboard (a clever way to get around the hinge problem), and made a new best friend.

First thing the next morning, we headed out to Tatung university.

tatung uni jam

We were expecting a few tens of people, having failed to learn our lesson from Shenzhen. More than 250 people turned up.

tatung crowd

Among the crowd was my new best friend from the night before. We do not have a language in common, but we bonded over high-fives and fist-bumps.

It was HOT; about 33C in the shade. And unfortunately, the air conditioning in the building got turned off an hour or so in, so we get damper and damper as these photos progress and the temperature climbs well above 40C.

We met a self-balancing robot in a hamster ball.

We bumped into an old friend. (The beer is there for thermal reasons.)

Rapiro

Eben got interviewed, sweaty, by Taiwanese TV.

And this is my other new best friend, Liang Chih Chiang, who gave a presentation (which he’s very kindly translated for me so you can all read it) about our community and social media – a subject that’s very close to my heart, for obvious reasons.

We saw some amazing projects, like this gaming machine…

…this Pi-powered 3D printer…

…and this, which I was never able to get close enough to to find out what it does. I think it might be a musical instrument. Or possibly a cocktail machine.

Any suggestions, anybody?

We had a wonderful, exhausting, wonderful time. Thanks so much to everybody who came to see us; and an especial thanks to Eric, Desiree, Soo Chun, Katherine and the rest of the RS gang, who looked after us so well. We hope we’ll be back in a year or so – and until then, here’s a picture of a bit of press that I can’t read, but that’s made me laugh more than anything else that’s been published about us this year.

Блогът на Юруков (Yurukov’s Blog): One administrative measure would raise births by 10%

This post was syndicated from: Блогът на Юруков and was written by: Боян Юруков (Boyan Yurukov). Original post: at Блогът на Юруков

Last week I wrote on Twitter and Facebook about a data request to ГРАО (the civil registration agency) concerning Bulgarian children born abroad. In the coming days I will write in detail about how I obtained it and publish an interactive map with analysis. For now, though, I want to draw attention to one aspect of the data that I find interesting.

Over the last 10 years, 96,653 children were born abroad and their parents obtained a Bulgarian birth certificate for them. These children enter the НСИ (National Statistical Institute) statistics because ГРАО sees that they have been issued ЕГН (personal identification numbers). I have written before about birth statistics in Bulgaria and how almost every media outlet gets tangled up in the figures. Roughly, we can assume that about 70,000 Bulgarian children are born per year, with a slight upward trend starting this year. That makes about 95 children per 10,000 Bulgarians. Excluding those born abroad, the figure is closer to 82 to 85.

Looking at the data obtained from ГРАО, it is immediately apparent that far fewer children are registered in the USA and Canada than in other countries. Taking into account approximate estimates of the Bulgarian population there, it turns out that 21 and 25 children respectively are born and registered per 10,000 Bulgarians. From Germany and Spain, 74 and 79 Bulgarian children per 10,000 are registered respectively. You will notice that these figures are well below the statistics for Bulgaria, even allowing for the understated figures from the Ministry of Health (МЗ) for births in Bulgarian hospitals. There are many reasons for this, but here we will concentrate on the threefold difference between registered births in Europe and in North America.

The only logical explanation for this discrepancy is the complicated administrative procedure and a lack of awareness. To obtain a Bulgarian birth certificate, the one issued abroad must have an apostille affixed and be translated. It must then be submitted in person at the municipality of the mother’s registered address, and after two to three weeks of waiting, the Bulgarian birth certificate is issued. Most Bulgarians abroad do not know that, as a rule, officials accept documents submitted by relatives and the parents do not need to be present in person. Some run into a considerably more complicated procedure because they did not obtain the birth certificate before the child’s sixth month. Before that it is easy if you are prepared. The effect is that most Bulgarians obtain birth certificates for their children only when they return from abroad and find more time.

All of this could be made immeasurably easier if a service for issuing birth certificates were introduced at the consular offices. This is already done for passports and identity cards. Such a service is offered by the consulates of many other countries. For this it would be enough to hand the apostilled birth certificate to the consulate and have them take care of the translation and the procedure at the relevant municipality. This would, of course, cost more and take longer than doing it in person in Bulgaria. But the convenience would be enormous, and on receiving the document one could immediately order a passport for the child. The consulates, in turn, would have one more source of revenue.

Another little-known detail is that in December 2013 Bulgaria signed the Convention on the issue of multilingual extracts from civil status records. This means that civil status documents (birth, death, marriage) from 23 countries do not need an apostille. This is an additional convenience for parents. Since they are most often in English, however, the documents will still need a translation, which can be certified at the consular offices.

It is hard to assess what the effect of such a measure would be, but if we assume that many parents in the States do not go through the procedure because they cannot travel to Bulgaria, conservative estimates point to a 70% annual increase in registered children. I include in this an increase in registrations in Europe and Asia as well. This would give us about a 10% increase in the НСИ birth statistics and a 20% reduction in our current negative population growth. This, of course, would not be a real increase in the birth rate, but rather a change in the way of counting. We would, however, better account for the real number of Bulgarian children born around the world.

TorrentFreak: No VPN on Earth Can Protect Careless Pirates

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

Last year, Philip Danks, a man from the West Midlands, UK, went into a local cinema and managed to record the movie Fast and Furious 6. He later uploaded that content to the Internet.

After pleading guilty, this week Wolverhampton Crown Court sentenced him to an unprecedented 33 months in prison.

The Federation Against Copyright Theft are no doubt extremely pleased with this result. After their successful private prosecution, the Hollywood-affiliated anti-piracy group is now able to place Danks’ head on a metaphorical pike, a clear warning to other would-be cammers. But just how difficult was this operation?

There’s often a lot of mystery attached to the investigations process in a case like this. How are individuals like Danks tracked and found? Have FACT placed spies deep into file-sharing sites? Are the authorities sniffing traffic and breaking pirates’ VPN encryption?

Or are they spending half an hour with Google and getting most of it handed to them on a plate? In Danks’ case, that appears to be exactly what happened.

Something that many millions of people use online is a nickname, and Danks was no exception. His online alias in the torrenting scene was TheCod3r, and as shown below it is clearly visible in the release title.

Kick-up

The idea behind aliases is that they provide a way to mask a real name. Military uses aside, adopting an alternative communications identity was something popularized in the 70s with the advent of Citizens Band radio. The practice continues online today, with many people forced to adopt one to register with various services.

However, what many in the file-sharing scene forget is that while aliases on a torrent site might be useful, they become as identifying as a real name when used elsewhere in ‘regular’ life. The screenshot below shows one of Danks’ first huge mistakes.

Fish-Google

Clicking that link on dating site Plenty of Fish (POF) reveals a whole range of information about a person who, at the very least, uses the same online nickname as Danks. There’s no conclusive proof that it’s the same person, but several pieces of information begin to build a picture.

In his POF profile, Danks reveals his city as being Willenhall, a small town situated in an area known locally as the Black Country. What FACT would’ve known soon after the movie leaked online was which cinema it had been recorded in. That turned out to be a Showcase cinema, just a few minutes up the road from Willenhall in the town of Walsall.

Also revealed on Danks’ POF profile is his full name and age. When you have that, plus a town, you can often find a person’s address on the UK’s Electoral Register.

It’s also trivial to find social networking pages. Not only do pictures on Danks’ POF profile match those on his Facebook page, he also has a revealing movie item listed in his interests section.

fb-1

Of course, none of this in itself is enough to build a decent case, but when you have the police on board as FACT did, things can be sped up somewhat. On May 23, 2013 Danks was raided and then, just two days later, he did something quite astonishing.

The then 24-year-old took to one of his Facebook accounts (he has two) to mock the makers of Fast and Furious 6.

“Seven billion people and I was the first. F*** you Universal Pictures,” he wrote.

Also amazing was Danks’ apparent disregard for the predicament he was in. On May 10, 2013, Danks again took to Facebook, this time to advertise that he was selling copies of movies including Robocop and Captain America.

sale

This continued distribution of copyrighted material particularly aggravated the Court at his sentencing hearing this week, with Danks’ behavior being described as “bold, arrogant and cocksure offending.”

While the list of events above is clearly a catalog of errors that some might even find amusing, the habit of using the same nickname across many sites is a common one, shared by some of the biggest names in the game.

Once these and other similar indicators migrate across into real-life identities and activities (and the ever-present Facebook account, of course), joining the dots is not difficult, especially for the police and outfits like FACT. And once that happens, no amount of VPN encryption or lack of logging is going to put the genie back in the bottle.
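The dot-joining described above, reduced to code as an added example (this is not from the TorrentFreak article and not a tool FACT is known to use): a small union-find correlation over observations gathered from several sites. Two observations are linked when they share a strong indicator (an alias, a photo hash, an e-mail address) or a strong combination (real name plus town); a weak attribute such as a town on its own never links anything. All records, attribute names and the choice of which keys count as strong are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample observations, one per site. Values are placeholders.
OBSERVATIONS = [
    {"source": "torrent_release", "alias": "handle_x"},
    {"source": "dating_profile", "alias": "handle_x", "real_name": "J. Doe",
     "town": "Town A", "photo_hash": "p1"},
    {"source": "social_profile", "real_name": "J. Doe", "photo_hash": "p1",
     "interest": "a movie title"},
    # Shares only a town with the others: must not be pulled into the cluster.
    {"source": "unrelated_profile", "alias": "handle_y", "town": "Town A"},
]

STRONG_KEYS = ("alias", "photo_hash", "email")      # one shared value links two records
COMPOSITE_KEYS = (("real_name", "town"),)          # weak alone, strong in combination


def pivot_keys(obs):
    """Return the set of (key, value) pivots this observation contributes."""
    keys = set()
    for k in STRONG_KEYS:
        if k in obs:
            keys.add((k, obs[k].lower()))
    for combo in COMPOSITE_KEYS:
        if all(k in obs for k in combo):
            keys.add((combo, tuple(obs[k].lower() for k in combo)))
    return keys


def correlate(observations):
    """Union-find: merge observations that share any pivot key, transitively.
    Returns a list of clusters, each a sorted list of observation indices."""
    parent = list(range(len(observations)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]      # path halving
            i = parent[i]
        return i

    first_seen = {}
    for idx, obs in enumerate(observations):
        for key in pivot_keys(obs):
            if key in first_seen:
                parent[find(idx)] = find(first_seen[key])
            else:
                first_seen[key] = idx

    clusters = defaultdict(list)
    for idx in range(len(observations)):
        clusters[find(idx)].append(idx)
    return [sorted(members) for members in clusters.values()]


def linked_sources(observations, source):
    """All sources reachable from `source` through shared strong indicators."""
    for cluster in correlate(observations):
        if any(observations[i]["source"] == source for i in cluster):
            return {observations[i]["source"] for i in cluster}
    return set()


if __name__ == "__main__":
    # The release name links to the dating profile by alias; the dating profile
    # links to the social profile by photo hash and name+town; the release
    # therefore resolves to a real name without any direct shared field.
    print(sorted(linked_sources(OBSERVATIONS, "torrent_release")))
```

The torrent release and the social profile share no field at all; they are joined only through the dating profile in between, which is exactly the transitive pivot that makes a single reused alias so costly. Widening `STRONG_KEYS` to include weak attributes such as a town would produce false links, which is why the example keeps them out.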

Source: TorrentFreak, for the latest info on copyright, file-sharing and anonymous VPN services.

The diaspora* blog: Dealing with problem content in a distributed system

This post was syndicated from: The diaspora* blog and was written by: Diaspora* Foundation. Original post: at The diaspora* blog

A number of journalists have responded to our recent blog post about Islamic State accounts on diaspora* with articles under headlines such as 'Diaspora cannot ban IS accounts'. This is simply untrue, and misrepresents what our last post said. This may come from a lack of understanding of the distributed nature of the network. We hope this follow-up post helps to clarify the situation.

diaspora* can and does deal with inappropriate usage. As with everything in a decentralized project, the ability and the responsibility to deal with inappropriate usage are devolved from the single central body of the centralized corporate model (Facebook or Twitter) to individual podmins and individual community members.

We have always had mechanisms in place to deal with inappropriate usage of the network. Some time ago this was made a lot easier and more efficient by the introduction of the report feature. Using this, each diaspora* community member can easily report any post or comment they believe is inappropriate to the administrator of their pod. Once alerted, it is the responsibility of that podmin to decide how best to deal with that content. This decision will be based on their personal policy on dealing with such content, as well as the local legislation governing the hosting of such material which applies where they live and where their pod is hosted. This system has worked very well.

It's worth repeating: diaspora* does indeed have mechanisms in place to deal with inappropriate usage. Like everything else in diaspora*, these mechanisms are decentralized. That is the point our last post addressed.

As our last post made clear, by the time that post was written all of the most active IS accounts had already been closed by the podmins on whose pods those accounts had been opened. One podmin had technical difficulties in removing accounts which caused a few hours' delay, but in each case the decision and action was swift once alerted to the presence of those accounts.

As we said in the last post, if you find user accounts on a diaspora* pod which are a cause for concern, please be a responsible member of our community by contacting the administrator of that pod; most pods display a link to contact the podmin. If you cannot reach the podmin directly, you can send us an email and we will attempt to contact the person concerned.

TorrentFreak: Fraud and Embezzlement Drives Anti-Piracy Group into Bankruptcy

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

Anti-piracy groups are often quick to label file-sharing sites as criminal organizations, but these outfits also have some rotten apples amongst their own.

A few months ago we reported on the President of the Lithuanian Anti-Piracy Association LANVA, who was jailed for two years for drug trafficking. The boss of Iceland’s anti-piracy group SMAIS is not doing much better, it seems, as he stands accused of fraud and embezzlement.

SMAIS is a local branch of Hollywood’s Motion Picture Association. The group recently failed to get The Pirate Bay blocked in Iceland, and has now run into the law itself.

The organization’s board filed for bankruptcy after it discovered a wide range of serious problems. The group’s financial statements were falsified, the books were not in order, and taxes haven’t been paid since 2007.

Making matters even worse, the board says that its CEO Snæbjörn Steingrímsson has admitted to embezzlement. This case is now under review by the Special Prosecutor, who has to decide whether a criminal investigation will be launched against the anti-piracy chief.

The last time SMAIS made international headlines was last year, when the group pulled its Facebook page offline after four days. According to Steingrímsson, SMAIS didn’t have enough resources to handle the constant flaming comments from the public.

What certainly didn’t help was that the launch of the Facebook page coincided with the news that SMAIS never paid for the film and game rating software they purchased from a Dutch company back in 2007. Considering the position the group is in now this is hardly a surprise.

Whether Hollywood has plans to install a new anti-piracy group in Iceland if the bankruptcy goes through is currently unknown.

Source: TorrentFreak, for the latest info on copyright, file-sharing and anonymous VPN services.

SANS Internet Storm Center, InfoCON: green: Social Engineering Alive and Well, (Wed, Aug 20th)

This post was syndicated from: SANS Internet Storm Center, InfoCON: green and was written by: SANS Internet Storm Center, InfoCON: green. Original post: at SANS Internet Storm Center, InfoCON: green

The muse for this diary is far from hot off the press. Many of you may have already come across the click-through scam on Facebook claiming to offer a video recording of Robin Williams taken moments before his death.

In case you had not heard, Robin Williams is a popular American movie actor and entertainer who recently took his own life at the young age of 63. The general public’s open expression of grief at his passing has given some evildoers an opening to take advantage of human emotion.

Snopes.com has a write up on this scam. [1]   I can offer a couple of details on it.    
An image like this one will show up in your Facebook feed enticing you to click to view the video of Robin Williams.

Once the link is clicked, the user is baited again, this time into filling out a survey and handing over personal information (PII). The following image is the next step.

Clicking through this type of scam opens up a range of vectors by which the user can be exploited. So please beware, and educate your family, friends, and co-workers.

Let this also be a wake-up call for other soft spots. The ALS Ice Bucket Challenge is a viral marketing success that could easily be exploited in the same way. So don’t trust a link simply because it appeals to your curiosity.

Safe clicking.

 
[1] http://www.snopes.com/computer/facebook/robinwilliams.asp

 

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

TorrentFreak: I Visited Pirate Bay’s Peter Sunde in Prison, Here’s What he Had to Say

This post was syndicated from: TorrentFreak and was written by: Julia Reda. Original post: at TorrentFreak

by Julia Reda

It wasn’t easy to meet Peter in prison. Initially, his request for the approval of my visit was rejected, as had requests on behalf of other friends. It was only when he read up on the regulations and filed a complaint – pointing out my status as an elected representative of the European Parliament – that my visit was approved.

He tells me that this is par for the course in prison. “If you don’t constantly insist upon your rights, you will be denied them”. Repeatedly, he had to remind the guards that they’re not allowed to open confidential mail he receives from journalists. His alleged right to an education or occupation during his jail time in practice amounted to being given a beginners’ Spanish book.

“Prison is a bit like copyright,” Peter remarks. In both areas, there is a lack of transparency and the people in power profit from the fact that the average person doesn’t pay a lot of attention to the issue. That opens the door to misuse and corruption.

Few people feel directly affected by these systems (even though a lot of Internet users commit copyright infringements, many don’t even realize that they are breaking laws and suffer no repercussions). Hence it is difficult to get traditional politics to change even the most blatant injustices that these systems produce. I ask him whether his imprisonment has changed his political views.

“It has confirmed them,” he replies. “I knew the system was broken before, but now I know to what extent.”

“The worst thing is the boredom”, Peter informs me when I ask him about life in prison. He gives an account of his daily routine: “I have soy yoghurt and muesli for breakfast, which I was recently allowed to buy from my own money, as the prison doesn’t offer any vegan food.”

That is followed by one hour of exercise – walking around the yard in circles – and sometimes the chance to play ping-pong or visit the prison library in the afternoon, before Peter is locked in his cell for the night. The only other distraction comes from the dozens of letters Peter receives every day.

Not all the books that his friends and supporters send make their way to him – they are screened for “inappropriate content” first. Other items that arrive in the mail, such as vegan candy, won’t be handed out to him until after his release, “but at least the prison has to catalog every single thing you send me, which pisses them off,” Peter says with a wink.

While his notoriety mostly comes from his role in founding the Pirate Bay, Peter has been critical of the platform’s development for a long time and has been focusing his energy on other projects.

“There should be 10,000 Pirate Bays by now!” he exclaims. “The Internet was built as a decentralized network, but ironically it is increasingly encouraging centralization. Because The Pirate Bay has been around for 11 years now, almost all other torrent sites started relying on it as a backbone. We created a single point of failure and the development of file sharing technology got stuck.”

In Peter’s eyes, the Pirate Bay has run its course and turned into a commercial enterprise that has little to do with the values it was founded on. Nowadays, the most important battles for an open Internet take place elsewhere, he says, noting that the trend towards centralization is not limited to file sharing.

Facebook alone has turned into its own little walled-garden version of the Internet that a lot of users would be content using without access to the wider Net. At the same time, services from Google to Wikipedia are working on distribution deals that make their services available to people without real Internet access.

One step to counter this trend towards centralization could be data portability, the right to take all one’s personal data from a service such as Facebook and bring it along to a competitor. The right to data portability is part of the proposed European data protection regulation that is currently stuck in negotiations among the EU member states.

“Having data portability would be a great step forward, but it’s not enough. Portability is meaningless without competition.” Peter says.

“As activists and entrepreneurs, we need to challenge monopolies. We need to build a Pirate social network that is interoperable with Facebook. Or build competition to small monopolies before they get bought up by the big players in the field. Political activism in parliaments, as the Pirate Party pursues it, is important, but needs to be combined with economic disruptions.

“The Internet won’t change fundamentally in the next two years, but in the long-term, the effects of the decisions we take today can be dramatic.”

According to Peter, establishing net neutrality, especially on mobile networks, will be one of the crucial fights. The Internet may have started out as a non-commercial space, but is entirely ruled by business arguments nowadays, and without net neutrality, large corporations will be able to strengthen their monopolies and stifle innovation. A pushback will be needed from small enterprises as well as civil society – but those groups struggle to be heard in political debates as they often lack the financial resources for large-scale lobbying efforts.

Although Peter is visibly affected by his imprisonment and talks about struggling with depression, he has not stopped making plans for the future. “Things will get easier once I get out. I’ve been a fugitive for two years and could hardly go to conferences or would have to show up unannounced.”

Once his eight-month sentence has come to an end, Peter wants to get back to activism. When I ask about his upcoming projects, he starts grinning and tells me to be patient.

“All I can say now is that I’m brimming with ideas and that one of my main goals will be to develop ethical ways of funding activism. You often need money to change things. But most ways of acquiring it require you to compromise on your ideals. We can do better than that.”

Peter is now hoping for his prison sentence to eventually be transformed into house arrest, which would allow him to see his critically ill father and spend less time in isolation. Whether that happens will largely depend on whether the Swedish state will continue to view a file-sharing activist as a serious threat to the public. In a society where the majority of young people routinely break copyright law simply by sharing culture, that view seems entirely unsustainable.

About The Author

Julia Reda is a German politician for the Pirate Party Germany and a member of the European Parliament since 2014, where she serves as a Vice-President of the Greens/EFA group. She is also the chairperson of the Young Pirates of Europe.

Source: TorrentFreak, for the latest info on copyright, file-sharing and anonymous VPN services.

LWN.net: This thumbdrive hacks computers. (Ars Technica)

This post was syndicated from: LWN.net and was written by: ris. Original post: at LWN.net

Ars Technica takes a look at an exploit that transforms keyboards, Web cams, and other types of USB-connected devices into highly programmable attack platforms. “Dubbed BadUSB, the hack reprograms embedded firmware to give USB devices new, covert capabilities. In a demonstration scheduled at next week’s Black Hat security conference in Las Vegas, a USB drive, for instance, will take on the ability to act as a keyboard that surreptitiously types malicious commands into attached computers. A different drive will similarly be reprogrammed to act as a network card that causes connected computers to connect to malicious sites impersonating Google, Facebook or other trusted destinations. The presenters will demonstrate similar hacks that work against Android phones when attached to targeted computers. They say their technique will work on Web cams, keyboards, and most other types of USB-enabled devices.”

The Hacker Factor Blog: How Conspiracies Begin

This post was syndicated from: The Hacker Factor Blog and was written by: The Hacker Factor Blog. Original post: at The Hacker Factor Blog

There’s an ongoing trend with big news events. First, many news reports are so eager to be “first!” that they will report unvetted information as fact. This coincides with the news broadcasts that report baseless speculation as fact. Shortly after that comes the slow trickle of real information. Unfortunately, this real information is typically buried under fake reports and random conspiracy theories.

Add in a war scene that already has propaganda and false reports, and you have the makings for a lot of confusion and false information.

MH17

Let’s start with the only facts that nobody seems to be debating.

On 17-July-2014, Malaysia Airlines flight MH17 was shot down over Ukraine. The plane was struck by a Russian Buk, a type of surface-to-air missile (SAM).

Currently, the news reports (that can be vetted) are showing indications that one side (Russia) is totally lying about the facts, preventing access to the debris, and interfering with the investigation. You just know that, when a second government-sponsored news reporter publicly quits because she refuses to report the false information coming out of the Kremlin, the propaganda has got to be really bad.

Rapid Reports

Shortly after the reports about the airliner were made public, a few details came out on social media. A couple of people asked me to evaluate a picture found on Facebook. This picture comes from Cor Pan’s Facebook page. He was a passenger on flight MH17 and he posted one of the last photos of the airplane prior to take-off.

Sadly, when any major event happens, we see false reports from people who make things up just for the shock value. I was asked to determine whether this picture is real. And since the passenger manifest had not, at the time, been made public, we couldn’t just look for his name. Is this picture real or a hoax?

The problem with everything at Facebook is that pictures get stripped, resaved, and passed around. It is relatively easy for someone to create a fake Facebook page just for the shock value. And no amount of metadata analysis on a Facebook image will identify even a real photo as being real.

Fortunately, there are other data points we can analyze. For example, last month Facebook rolled out a new JPEG compression system. This system leaves very distinct JPEG attributes that are detectable. Evaluating the picture shows these artifacts and indicates that it was uploaded recently — this is not an old picture at Facebook. However, if someone downloads a photo and then uploads it, it will be processed by the new JPEG encoder and it will look “new”.

The other clue comes from the Facebook profile itself. This picture was uploaded to Facebook on Thu, 17 Jul 2014 09:03:30 GMT. This timestamp comes from the HTTP metadata’s “Last-Modified” field. According to news reports, the flight took off around 10:15 GMT from Schiphol airport near Amsterdam, or about 75 minutes after the photo was posted to Facebook. This creates a very narrow timeframe: the person arrived at the airport, snapped the photo and posted it shortly before the flight, then the flight took off and was shot down hours later (14:15 GMT).

Since it’s virtually impossible to predict a horrific event such as this, this posting to Facebook — which predates the flight and mentions someone believed to be on the flight — has every reason to appear to be real.

Or to put it another way, had the Facebook account been created after the plane was destroyed, or the photo posted after the explosion, then we would have been certain it was fake. Similarly, if the photo was posted long before the flight, it would likely be fake. However, this is not the case, so we can conclude that it appears to be real.

Falsifying Data

In contrast to this picture, some of the short video clips that claim to show MH17 crashing predate the event and are posted days later. These indicate inconsistent timelines and identify many of the video clips as fake. A few of these fakes have been debunked in the Open Newsroom.

It did not take long for some people to start intentionally evaluating pictures incorrectly in order to propagate conspiracies. For example, Shane Kimmins tweeted a screenshot from Peter J Kuehlen. (Peter claims to be an “Oil Armageddon specialist”, but I think he’s a certified paranoid nutjob. And since Kimmins is gullible enough to believe what Kuehlen says, well, it means Kimmins can’t be very intelligent even if he is very vocal.)

Here’s the screenshot that Kimmins posted to Twitter:

In this posting, Kuehler asks, “How come fotoforensics show the date of January 25 2012 for the making of this picture?” The answer is really simple: it doesn’t.

The FotoForensics metadata for this picture identifies a color profile attached to this picture. Facebook attaches the same color profile to every uploaded picture (that’s one of my complaints about Facebook). You can clearly see that the “Profile Copyright” says “FB”, indicating Facebook. An ICC Profile is just a file that gets embedded with the picture during a resave. The profile creation date says “2012:01:25 03:41:57” — so Facebook created their color profile back in 2012 and has been attaching it to every uploaded picture ever since then. (I even have a tutorial that describes how ICC Profiles work.)

Since Facebook strips out metadata, we don’t know the actual time this photo was taken. In contrast, the Facebook HTTP header tells us that the photo was uploaded 75 minutes before the flight. We don’t know when the photo was taken; we only know when it was uploaded to Facebook.
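The two timestamps the post keeps apart (the ICC profile’s creation date, which is embedded by the resave, and the HTTP “Last-Modified” header, which records the upload) can be pulled out of a JPEG and an HTTP response programmatically. The following is an added example, not code from Hacker Factor or FotoForensics: it constructs a minimal JPEG carrying a stand-in ICC profile with the 2012 creation date and “FB” copyright string described above, parses both fields out of the APP2 segment, and checks the upload time against the flight times quoted in the post. The one-day threshold for “posted long before the flight” is an assumption, since the post gives no number.

```python
import struct
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime


def build_icc_profile(created, copyright_text):
    """Minimal ICC v2 profile whose only tag is 'cprt' (constructed stand-in for Facebook's profile)."""
    tag_data = b"text" + b"\x00" * 4 + copyright_text.encode("ascii") + b"\x00"
    data_offset = 128 + 4 + 12                                      # header + tag count + one tag entry
    header = bytearray(128)
    struct.pack_into(">I", header, 0, data_offset + len(tag_data))  # total profile size
    header[8:12] = b"\x02\x10\x00\x00"                              # profile version 2.1
    header[12:24] = b"mntr" + b"RGB " + b"XYZ "                     # device class, colour space, PCS
    struct.pack_into(">6H", header, 24, created.year, created.month, created.day,
                     created.hour, created.minute, created.second)  # creation date/time (six uint16)
    header[36:40] = b"acsp"                                         # profile file signature
    table = struct.pack(">I", 1) + b"cprt" + struct.pack(">II", data_offset, len(tag_data))
    return bytes(header) + table + tag_data


def build_jpeg_with_icc(profile):
    """SOI + one APP2 'ICC_PROFILE' segment + EOI; carries no image data (constructed)."""
    payload = b"ICC_PROFILE\x00" + bytes([1, 1]) + profile         # chunk 1 of 1
    return b"\xff\xd8" + b"\xff\xe2" + struct.pack(">H", len(payload) + 2) + payload + b"\xff\xd9"


def extract_icc_profile(jpeg):
    """Walk the marker segments before SOS and reassemble APP2 ICC_PROFILE chunks in sequence order."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos, chunks = 2, {}
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):          # EOI or SOS: no further metadata segments
            break
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        body = jpeg[pos + 4:pos + 2 + length]
        if marker == 0xE2 and body.startswith(b"ICC_PROFILE\x00"):
            chunks[body[12]] = body[14:]    # body[12] = chunk number, body[13] = chunk count
        pos += 2 + length
    return b"".join(chunks[i] for i in sorted(chunks)) if chunks else None


def parse_icc(profile):
    """Return the header creation timestamp and the 'cprt' text, the two fields the report quotes."""
    if profile[36:40] != b"acsp":
        raise ValueError("bad ICC signature")
    created = datetime(*struct.unpack(">6H", profile[24:36]))
    (tag_count,) = struct.unpack(">I", profile[128:132])
    copyright_text = None
    for i in range(tag_count):
        sig, off, size = struct.unpack(">4sII", profile[132 + 12 * i:144 + 12 * i])
        if sig == b"cprt" and profile[off:off + 4] == b"text":
            copyright_text = profile[off + 8:off + size].split(b"\x00", 1)[0].decode("ascii", "replace")
    return created, copyright_text


def analyse(jpeg, http_headers, takeoff, shootdown):
    """Keep the two timestamps apart and test the upload time against the known event times."""
    profile = extract_icc_profile(jpeg)
    created, cprt = parse_icc(profile) if profile else (None, None)
    uploaded = parsedate_to_datetime(http_headers["Last-Modified"])
    if uploaded >= shootdown:
        verdict = "posted after the event: fake"
    elif uploaded >= takeoff:
        verdict = "posted after takeoff: suspicious"
    elif takeoff - uploaded > timedelta(days=1):   # assumed threshold for "long before the flight"
        verdict = "posted long before the flight: likely unrelated"
    else:
        verdict = "posted shortly before takeoff: consistent with being real"
    return {
        "icc_created": created, "icc_copyright": cprt,   # set by the resave, says nothing about the camera
        "uploaded": uploaded,                            # the only time the server actually vouches for
        "minutes_before_takeoff": (takeoff - uploaded).total_seconds() / 60,
        "verdict": verdict,
    }


# Constructed sample: the shared profile's 2012 date and the Last-Modified value quoted in the post.
SAMPLE_JPEG = build_jpeg_with_icc(build_icc_profile(datetime(2012, 1, 25, 3, 41, 57), "FB"))
SAMPLE_HEADERS = {"Last-Modified": "Thu, 17 Jul 2014 09:03:30 GMT"}
TAKEOFF = datetime(2014, 7, 17, 10, 15, tzinfo=timezone.utc)
SHOOTDOWN = datetime(2014, 7, 17, 14, 15, tzinfo=timezone.utc)

if __name__ == "__main__":
    for key, value in analyse(SAMPLE_JPEG, SAMPLE_HEADERS, TAKEOFF, SHOOTDOWN).items():
        print(f"{key}: {value}")
```

On the constructed sample the profile date comes out as 2012-01-25 03:41:57 with copyright “FB”, while the upload lands 71.5 minutes before takeoff, which is the ordering the post relies on. A real Facebook download would carry the same profile on every image, so the ICC date is a property of the encoder, never of the photograph.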

Conspiracy Corner

When I pointed out to Shane Kimmins that the timestamp did not indicate when the photo was created, he tweeted back a reply that shows willful ignorance and a desire to further propagate his paranoid and conspiratorial views.

The two links that Kimmins provided point to the Clues Forum. This forum seems to spend nearly all of its time propagating paranoid fantasies and seeing who can come up with the best conspiracy. One of the postings even has “A Little Trivia”, where they point out three airplane crashes that included the deaths of AIDS researchers. This has led to the conspiracy that someone is systematically killing leaders in AIDS research.

As my friend, Mr. Masters, put it:

Given enough data to cherry pick, any asinine idea can be supported. I think there is evidence that planes crash. Here we have three cases of flights and all three fell from the air and killed everyone. Coincidence?

Kimmins tweeted one other message that really irked me. He wrote:

While I do permit people to use FotoForensics in an unsupervised fashion, I also actively debunk the most gross examples of misuse for supporting conspiracies. I repeatedly debunked the Birthers, who believe so strongly that Obama’s birth certificate is fake, that they will explicitly and intentionally make up fake findings in order to support their claims. I have debunked staged and faked Syrian war photos and conspiracies related to other missing aircraft. (And that’s just the start of the list. I have plenty of blog entries where I debunk photos and conspiracies, and even a few where I debunk conspiracies by proving photos are real.)

Unfortunately, these false flags planted by Kimmins, Kuehler, and their ilk are dwarfed by the flood of misleading photos associated with the Ukraine on social sites like Twitter and Facebook, along with the insane cover-up statements coming out of Russia regarding MH17. When it comes to staged pictures, misrepresented photos, and false facts, Kimmins/Kuehler are wannabes, while the manipulators in Syria are mostly amateurs. Make no mistake: the Russians are the professionals, but even they can get tripped up. I’ll cover some of these other forms of propaganda in future blog entries.

Krebs on Security: Even Script Kids Have a Right to Be Forgotten

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

Indexeus, a new search engine that indexes user account information acquired from more than 100 recent data breaches, has caught many in the hacker underground off-guard. That’s because the breached databases crawled by this search engine are mostly sites frequented by young ne’er-do-wells who are just getting their feet wet in the cybercrime business.

Indexeus[dot]org

Indexeus boasts that it has a searchable database of “over 200 million entries available to our customers.” The site allows anyone to query millions of records from some of the larger data breaches of late — including the recent break-ins at Adobe and Yahoo! – listing things like email addresses, usernames, passwords, Internet address, physical addresses, birthdays and other information that may be associated with those accounts.

Who are Indexeus’s target customers? Denizens of hackforums[dot]net, a huge forum that is overrun by novice teenage hackers (a.k.a. “script kiddies”) from around the world who are selling and buying a broad variety of services designed to help attack, track or otherwise harass people online.

Few services are as full of irony and schadenfreude as Indexeus. You see, the majority of the 100+ databases crawled by this search engine are either from hacker forums that have been hacked, or from sites dedicated to offering so-called “booter” services — powerful servers that can be rented to launch denial-of-service attacks aimed at knocking Web sites and Web users offline.

The brains behind Indexeus — a gaggle of young men in their mid- to late teens or early 20s — envisioned the service as a way to frighten fellow hackers into paying to have their information removed or “blacklisted” from the search engine. Those who pay “donations” of approximately $1 per record (paid in Bitcoin) can not only get their records expunged, but that price also buys insurance against having their information indexed by the search engine in the event it shows up in future database leaks.

The team responsible for Indexeus explains the rationale for their project with the following dubious disclaimer:

“The purpose of Indexeus is not to provide private informations about someone, but to protect them by creating awareness. Therefore we are not responsible for any misuse or malicious use of our content and service. Indexeus is not a dump. A dump is by definition a file containing logins, passwords, personal details or emails. What Indexeus provides is a single-search, data-mining search engine.”

Such information would be very useful for those seeking to settle grudges by hijacking a rival hacker’s accounts. Unsurprisingly, a number of Hackforums users reported quickly finding many of their favorite usernames, passwords and other data on Indexeus. They began to protest against the service being marketed on Hackforums, charging that Indexeus was little more than a shakedown.

Indeed, the search engine was even indexing user accounts stolen from witza.net, the site operated by Hackforums administrator Jesse LaBrocca and used to process payments for Hackforums users who wish to upgrade the standing of their accounts on the forum.

WHO RUNS INDEXEUS?

The individual who hired programmers to help him build Indexeus uses the nickname “Dubitus” on Hackforums and other forums. For the bargain price of $25 and two hours of your time on a Saturday, Dubitus also sells online instructional training on “doxing” people — working backwards from someone’s various online personas to determine their real-life name, address and other personal data.

Dubitus claims to be a master at something he calls “Web detracing,” which is basically removing all of the links from your online personas that might allow someone to dox you. I have no idea if his training class is any good, but it wasn’t terribly difficult to find this young man in the real world.

Dubitus offering training for “doxing” and “Web detracing.”

Contacted via Facebook by KrebsOnSecurity, Jason Relinquo, 23, from Lisbon, Portugal, acknowledged organizing and running the search engine. He also claims his service was built merely as an educational tool.

“I want this to grow and be a reference, and at some point be a tool useful enough to be used by law enforcement,” Relinquo said. “I wouldn’t have won the NATO Cyberdefense Competition if I didn’t have a bigger picture in my mind. Just keep that in yours.”

Relinquo said that to address criticisms that his service was a shakedown, he recently modified the terms of service so that users don’t have to pay to have their information removed from the site. Even so, it remains unclear how users would prove that they are the rightful owner of specific records indexed by the service.

Jason Relinquo

“We’re going through some reforms (free blacklisting, plus subscription based searches), due some legal complications that I don’t want to escalate,” Relinquo wrote in a chat session. “If [Indexeus users] want to keep the logs and pay for the blacklist, it’s an option. We also state that in case of a minor, the removal is immediate.”

Asked which sort of legal complications were bedeviling his project, Relinquo cited the so-called “right to be forgotten,” data protection and privacy laws in Europe that were strengthened by a May 2014 decision by the European Court of Justice in a ruling against Google. In that case, the EU’s highest court ruled that individuals have a right to request the removal of Internet search results, including their names, that are “inadequate, irrelevant or no longer relevant, or excessive.”

I find it difficult to believe that Indexeus’s creators would be swayed by such technicalities, given that the service was set up to sell passwords to members of a forum known to be frequented by people who will use them for malicious purposes. In any case, I doubt this is the last time we will hear of a service like this. Some 822 million records were exposed in more than 2,160 separate data breach incidents last year, and there is plenty of room for competition and further specialization in the hacked-data search engine market.

Schneier on Security: GCHQ Catalog of Exploit Tools

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

The latest Snowden story is a catalog of exploit tools from JTRIG (Joint Threat Research Intelligence Group), a unit of the British GCHQ, for both surveillance and propaganda. It’s a list of code names and short descriptions, such as these:

GLASSBACK: Technique of getting a target’s IP address by pretending to be a spammer and ringing them. Target does not need to answer.

MINIATURE HERO: Active skype capability. Provision of real time call records (SkypeOut and SkypetoSkype) and bidirectional instant messaging. Also contact lists.

MOUTH: Tool for collection for downloading a user’s files from Archive.org.

PHOTON TORPEDO: A technique to actively grab the IP address of MSN messenger user.

SILVER SPECTOR: Allows batch Nmap scanning over Tor.

SPRING BISHOP: Find private photographs of targets on Facebook.

ANGRY PIRATE: is a tool that will permanently disable a target’s account on their computer.

BUMPERCAR+: is an automated system developed by JTRIG CITD to support JTRIG BUMPERCAR operations. BUMPERCAR operations are used to disrupt and deny Internet-based terror videos or other materials. The technique employs the services provided by upload providers to report offensive materials.

BOMB BAY: is the capacity to increase website hits/rankings.

BURLESQUE: is the capacity to send spoofed SMS messages.

CLEAN SWEEP: Masquerade Facebook Wall Posts for individuals or entire countries.

CONCRETE DONKEY: is the capacity to scatter an audio message to a large number of telephones, or repeatedly bomb a target number with the same message.

GATEWAY: Ability to artificially increase traffic to a website.

GESTATOR: amplification of a given message, normally video, on popular multimedia websites (Youtube).

SCRAPHEAP CHALLENGE: Perfect spoofing of emails from Blackberry targets.

SUNBLOCK: Ability to deny functionality to send/receive email or view material online.

SWAMP DONKEY: is a tool that will silently locate all predefined types of file and encrypt them on a target’s machine.

UNDERPASS: Change outcome of online polls (previously known as NUBILO).

WARPATH: Mass delivery of SMS messages to support an Information Operations campaign.

HAVLOCK: Real-time website cloning techniques allowing on-the-fly alterations.

HUSK: Secure one-on-one web based dead-drop messaging platform.

There’s lots more. Go read the rest. This is a big deal, as big as the TAO catalog from December.

I would like to post the entire list. If someone has a clever way of extracting the text, or wants to retype it all, please send it to me.

EDITED TO ADD (7/16): HTML of the entire catalog is here.

TorrentFreak: UK “Porn Filter” Triggers Widespread Internet Censorship

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

Internet filters are now on the political agenda in many countries around the world. While China and Iran are frontrunners for political censorship, the UK is leading the way when it comes to porn and other content deemed unsuitable for children.

In addition to the mobile restrictions that have been in place for years already, last summer Prime Minister David Cameron announced a default filter for all Internet connections. This means that UK Internet subscribers are now required to opt-in if they want to view ‘adult’ content online.

These default filters have led to many instances in which perfectly legitimate sites can no longer be accessed. This very website, for example, was inaccessible on Sky Broadband after it was categorized as a “file-sharing” site. The false positive was eventually corrected after the BBC started asking questions, but that didn’t solve the underlying problem.

In an attempt to make it easier to spot overblocking the Open Rights Group (ORG) has today launched a new site. The embedded tool runs probes on all the major broadband and mobile filters of UK ISPs, and allows people to check which sites are blocked and where.

The first results are quite scary. A review of the 100,000 most-popular sites on the Internet reveals that 20% are blocked by at least one of the filtering systems.

“We’ve been surprised to find the default filtering settings are blocking around a fifth of the Alexa top 100k websites. That’s a lot more than porn, which accounts for around 4% of that list,” ORG’s Executive Director Jim Killock informs TorrentFreak.

The list of blocked domains includes many legitimate sites that aren’t necessarily harmful to children. TalkTalk’s file-sharing filter, for example, blocks websites including bittorrent.com and utorrent.com. TorrentFreak also appears to be listed in this category and is blocked as well.

Linuxtracker, which offers free downloads of perfectly legitimate software, is blocked by Sky, TalkTalk and Three’s filters, while the blocked.org.uk tool itself is off-limits on BT, EE and Virgin Media.

Perhaps even worse, the BT and TalkTalk filters also categorize social networking sites such as Facebook and Twitter as potentially dangerous to children, and the same applies to Reddit. All these sites are inaccessible if the social networking category of the Kids Safe filter is on.

Reddit is blocked as well

With the new tool ORG hopes to provide more insight into what these filters do and how many sites they block. The ISPs themselves have thus far failed to reveal the scope of their filters.

“People need to know what filters are, and what they block. They need to know they are inaccurate, and also disrupt people’s businesses and speech,” Killock tells TF.

“If people feel they need them, that is their right, but they should at least know they’re very flawed technology that won’t protect them very much, but will also be likely to cause them problems. In short, they are a bit rubbish,” he adds.

The current results of the tool are based on various filtering levels. This means that the list of blocked sites will be even longer when the strongest settings are used.

It’s worth noting that all ISPs allow account holders to turn filters off or allow certain sites to be unblocked. However, many people may not even be aware that this option exists, or won’t want to unblock porn just to get access to file-sharing software if these are lumped together.

The results of ORG’s new tool show that what started as a “porn filter” has turned into something much bigger. Under the guise of “protecting the children” tens of thousands of sites are now caught up in overbroad filters, which is a worrying development to say the least.

Update: TalkTalk clarified that the file-sharing (with TorrentFreak included) and social networking filters are not enabled by default on their system.

Source: TorrentFreak, for the latest info on copyright, file-sharing and anonymous VPN services.

TorrentFreak: Millions Watch World Cup Through Pirated Live Streams

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

While most people watch World Cup matches through licensed broadcasters, there is also a large group of people who resort to unauthorized sources.

These so-called “pirate” streams are available through dozens of sites, including Firstrow and Rojadirecta, which generate a lot of traffic during popular sporting events.

Before the World Cup started FIFA reached out to several of these sites, asking their operators to make sure that content is removed as soon as possible. Despite these requests, there are still plenty of illegal streams available for each game.

Content protection firm Viaccess-Orca, one of the companies that monitors these unauthorized broadcasts, is also tasked with sending takedown notices for some of the matches. The company informs TorrentFreak that up to last Friday they have sent 2,000 takedown notices to various sites.

One of the problems with live events is that takedown requests only have an effect when they are processed before the match ends. According to David Leporini, Viaccess-Orca Executive Vice President of Marketing, Products and Security, the linking sites have been rather cooperative on this front.

“The success rate varies per content platform but overall we manage to get 35 percent of the streaming links disabled before the game ends. I think this is a great success rate, especially compared to direct download sites,” Leporini informs us.

A success rate of 35% is pretty decent indeed, considering that the notices have to be sent and processed in a very small time frame. Also, the process is further complicated because many sites don’t publish the links to the streams until a few minutes before the game starts.

The content protection company also targets traditional social media sites where links to live streams are posted. Here, the success rate was the best at Facebook where half of all infringing links were taken down before the game ended.

“For the first ten days we have sent around 150 takedown notices to Facebook and Twitter pages. Among all content platforms notified, we measured a success rate of about 51% for link removals from Facebook pages.”

While Viaccess-Orca’s efforts may limit the availability of pirated live streams, there are still hundreds of thousands of people getting through. The company estimates that between 100,000 and 500,000 people tune in to an average game. Up until last week, Belgium versus Russia was the most-watched match with 471,541 unauthorized viewers.

Belgium vs. Russia streaming locations

Viaccess-Orca can measure part of the audience directly though P2P streaming services such as Sopcast and Acestream. This also allows the company to see from what location people are watching. As the overview above shows, Belgium vs. Russia was particularly popular in Europe and Asia.

The remainder of the streams go through centralized streaming services, with Hdcast and Iguide being the most frequently used. Rojadirecta and Wiziwig are the sites where Viaccess-Orca found the most infringing links.

Looking ahead, the content protection firm expects that the number of viewers per match will continue to increase, as will the enforcement actions.

Source Code in TV and Films: Shown in Person of Interest, season 2, episode 15. They…

This post was syndicated from: Source Code in TV and Films and was written by: Source Code in TV and Films. Original post: at Source Code in TV and Films

Shown in Person of Interest, season 2, episode 15. They “hacked” a firewall with this code…

The code is JavaScript from a Facebook XSS attack; line 4 of https://gist.github.com/tysontate/968060 is an example.

Krebs on Security: 2014: The Year Extortion Went Mainstream

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

The year 2014 may well go down in the history books as the year that extortion attacks went mainstream. Fueled largely by the emergence of the anonymous online currency Bitcoin, these shakedowns are blurring the lines between online and offline fraud, and giving novice computer users a crash course in modern-day cybercrime.

An extortion letter sent to 900 Degrees Neapolitan Pizzeria in New Hampshire.

At least four businesses recently reported receiving “Notice of Extortion” letters in the U.S. mail. The letters say the recipient has been targeted for extortion, and threaten a range of negative publicity, vandalism and harassment unless the target agrees to pay a “tribute price” of one bitcoin (currently ~USD $561) by a specified date. According to the letter, that tribute price increases to 3 bitcoins (~$1,683) if the demand isn’t paid on time.

The ransom letters, which appear to be custom written for restaurant owners, threaten businesses with negative online reviews, complaints to the Better Business Bureau, harassing telephone calls, telephone denial-of-service attacks, bomb threats, fraudulent delivery orders, vandalism, and even reports of mercury contamination.

The missive encourages recipients to sign up with Coinbase – a popular bitcoin exchange – and to send the funds to a unique bitcoin wallet specified in the letter and embedded in the QR code that is also printed on the letter.

Interestingly, all three letters I could find that were posted online so far targeted pizza stores. At least two of them were mailed from Orlando, Florida.

The letters all say the amounts are due either on Aug. 1 or Aug. 15. Perhaps one reason the deadlines are so far off is that the attackers understand that not everyone has bitcoins, or even knows about the virtual currency.

“What the heck is a BitCoin?” wrote the proprietors of New Hampshire-based 900 Degrees Neapolitan Pizzeria, which posted a copy of the letter (above) on their Facebook page.

Sandra Alhilo, general manager of Pizza Pirates in Pomona, Calif., received the extortion demand on June 16.

“At first, I was laughing because I thought it had to be a joke,” Alhilo said in a phone interview. “It was funny until I went and posted it on our Facebook page, and then people put it on Reddit and the Internet got me all paranoid.”

Nicholas Weaver, a researcher at the International Computer Science Institute (ICSI) and at the University California, Berkeley, said these extortion attempts cost virtually nothing and promise a handsome payoff for the perpetrators.

“From the fraudster’s perspective, the cost of these attacks is a stamp and an envelope,” Weaver said. “This type of attack could be fairly effective. Some businesses — particularly restaurant establishments — are very concerned about negative publicity and reviews. Bad Yelp reviews, tip-offs to the health inspector … that stuff works and isn’t hard to do.”

While some restaurants may be an easy mark for this sort of crime, Weaver said the extortionists in this case are tangling with a tough adversary — The U.S. Postal Service — which takes extortion crimes perpetrated through the U.S. mail very seriously.

“There is a lot of operational security that these guys might have failed at, because this is interstate commerce, mail fraud, and postal inspector territory, where the gloves come off,” Weaver said. “I’m willing to bet there are several tools available to law enforcement here that these extortionists didn’t consider.”

It’s not entirely clear if or why extortionists seem to be picking on pizza establishments, but it’s probably worth noting that the grand-daddy of all pizza joints – Domino’s Pizza in France — recently found itself the target of a pricey extortion attack earlier this month after hackers threatened to release the stolen details on more than 650,000 customers if the company failed to pay a ransom of approximately $40,000.

Meanwhile, Pizza Pirates’s Alhilo says the company has been working with the local U.S. Postal Inspector’s office, which was very interested in the letter. Alhilo said her establishment won’t be paying the extortionists.

“We have no intention of paying it,” she said. “Honestly, if it hadn’t been a slow day that Monday I might have just thrown the letter out because it looked like junk mail. It’s annoying that someone would try to make a few bucks like this on the backs of small businesses.”

A GREAT CRIME FOR CRIMINALS

Fueled largely by the relative anonymity of cryptocurrencies like Bitcoin, extortion attacks are increasingly being incorporated into all manner of cyberattacks today. Today’s thieves are no longer content merely to hijack your computer and bandwidth and steal all of your personal and financial data; increasingly, these crooks are likely to hold all of your important documents for ransom as well.

“In the early days, they’d steal your credit card data and then threaten to disclose it only after they’d already sold it on the underground,” said Alan Paller, director of research at the SANS Institute, a Bethesda, Md. based security training firm. “But today, extortion is the fastest way for the bad guys to make money, because it’s the shortest path from cybercrime to cash. It’s really a great crime for the criminals.”

Last month, the U.S. government joined private security companies and international law enforcement partners to dismantle a criminal infrastructure responsible for spreading Cryptolocker, a ransomware scourge that the FBI estimates stole more than $27 million from victims compromised by the file-encrypting malware.

Even as the ink was still drying on the press releases about the Cryptolocker takedown, a new variant of Cryptolocker — Cryptowall — was taking hold. These attacks encrypt the victim PC’s hard drive unless and until the victim pays an arbitrary amount specified by the perpetrators — usually a few hundred dollars worth of bitcoins. Many victims without adequate backups in place (or those whose backups also were encrypted) pay up. Others, like the police department in the New Hampshire hamlet of Durham, are standing their ground.

The downside to standing your ground is that — unless you have backups of your data — the encrypted information is gone forever. When these attacks hit businesses, the results can be devastating. Code-hosting and project management services provider CodeSpaces.com was forced to shut down this month after a hacker gained access to its Amazon EC2 account and deleted most data, including backups. According to Computerworld, the devastating security breach happened over a span of 12 hours and initially started with a distributed denial-of-service attack followed by an attempt to extort money from the company.

A HIDDEN CRIME

Extortion attacks against companies operating in the technology and online space are nothing new, of course. Just last week, news came to light that mobile phone giant Nokia in 2007 paid millions to extortionists who threatened to reveal an encryption key to Nokia’s Symbian mobile phone source code.

Trouble is, the very nature of these scams makes it difficult to gauge their frequency or success.

“The problem with extortion is that the money is paid in order to keep the attack secret, and so if the attack is successful, there is no knowledge of the attack even having taken place,” SANS’s Paller said.

Traditionally, the hardest part about extortion has been getting paid and getting away with the loot. In the case of the crooks who extorted Nokia, the company paid the money, reportedly leaving the cash in a bag at an amusement park car lot. Police were tracking the drop-off location, but ultimately lost track of the blackmailers.

Anonymous virtual currencies like Bitcoin not only make it easier for extortionists to get paid, but they also make it easier and more lucrative for more American blackmailers to get in on the action. Prior to Bitcoin’s rise in popularity, the principal way that attackers extracted their ransom was by instructing victims to pay by wire transfer or reloadable prepaid debit cards — principally Greendot cards sold at retailers, convenience stores and pharmacies.

But unlike Bitcoin payments, these methods of cashing out are easily traceable if cashed out within the United States, the ICSI’s Weaver said.

“Bitcoin is their best available tool if they’re located in the United States,” Weaver said of extortionists. “Western Union can be traced at U.S. cashout locations, as can Greendot payments. Which means you either need an overseas partner [who takes half of the profit for his trouble] or Bitcoin.”

TorrentFreak: Hundreds of Paid Informants Help to Rat Out Software Pirates

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

Earlier this year we reported on a controversial anti-piracy campaign operated by the Business Software Alliance (BSA).

Representing major software companies, the BSA uses Facebook ads which encourage people to report businesses that use unlicensed software. If one of these reports results in a successful court case, the pirate snitch can look forward to a cash reward.

Below is one of the promoted Facebook posts that has appeared in the timelines of thousands of people, encouraging them to expose software piracy in return for hard cash.

BSA’s Facebook ad

While most responses on Facebook are negative, it appears that the campaign is not without results. In an interview with Radio Prague, the spokesman for the Czech branch of the BSA notes that the informant program has been a great success thus far.

“[The campaign is] very successful. We did it because we wanted to catch big fish. In the past, many informants did not want to disclose who they were, and it was difficult to set up serious communication with them,” the BSA’s Jan Hlaváč says.

“The only way out of this was to offer them something that would motivate them to fully cooperate. That’s why we decided to launch this programme, to reward information that leads not only to identifying illegal software but to bringing the whole case to the end,” he adds.

The cash reward has increased the number of serious tips and in the Czech Republic alone the BSA receives about 30 leads per month. Similar campaigns also run in the United States, Canada, the UK and Australia, where hundreds of tips come in every week.

Some of these tips lead to a follow-up investigation, where the BSA offers the alleged infringer a settlement. In the Czech Republic alone there are currently several cases pending, worth roughly $500,000. If a settlement is reached, the informant will get a share, ranging from $5,000 to $200,000.

Another BSA Facebook ad

Earlier this week the BSA released new data (pdf) on piracy levels worldwide, with the rate of unlicensed software decreasing in most western countries.

Between 2011 and 2013 the percentage of unlicensed software installed on computers dropped from 19% to 18% in the United States, and similar downward trends were observed in the UK and elsewhere.

In the Czech Republic piracy rates decreased from 37% to 34%, and according to the BSA this is in part due to the snitch campaign.

“Definitely. The programme has helped a great deal convince companies that the legal risks are not worth it,” Hlaváč says.

Despite this success there is still plenty of work to be done. Globally the percentage of pirate software increased slightly, representing a total value of $62.7 billion, so there’s plenty of bounty left.

Source: TorrentFreak, for the latest info on copyright, file-sharing and anonymous VPN services.

TorrentFreak: Respect for File-Sharers’ Privacy Keeps Swiss on US Watch List

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

Over the past 12 years the Congressional International Anti-Piracy Caucus has worked to highlight enforcement practices in need of improvement and to place countries perceived to be falling short of United States standards under the spotlight.

Yesterday the caucus became the International Creativity and Theft-Prevention Caucus, a change of name shunning the term ‘piracy’ in favor of an artist-focused theme that furthers the notion that infringement is the same as stealing.

The Watch List

As usual there are international winners and losers in the caucus report. On the up are Italy and the Philippines, with the former taking especially drastic steps to combat online file-sharing, including the blocking of ‘pirate’ sites by an administrative body, no court process required.

“In light of the reforms undertaken and a greater commitment to enforcing the law, both nations were removed from the Special 301 Report for the first time in its 25 year history. The caucus applauds Italy and the Philippines for undertaking reforms that recognize the importance of fostering creativity,” the report reads.

But in terms of improvements, the praise stopped there. In the file-sharing space, Switzerland came under attack after a momentous court decision four years ago.

The Swiss file-sharing privacy safe haven

The controversy surrounds the so-called ‘Logistep Decision’. The Logistep anti-piracy outfit became infamous in the latter half of the last decade for their work providing tracking services for copyright trolls in Europe and the UK.

In 2010 following several years of legal wrangling and controversy, the Swiss Federal Supreme Court ordered the anti-piracy outfit to stop harvesting the IP addresses of file-sharers. Underlining the notion that IP addresses are private data, the court’s decision effectively outlawed the tracking of file-sharers in Switzerland with the aim of later filing a lawsuit.

In its report the caucus says that Switzerland’s timeline (18 months minimum) for bringing the country “back up to international standards for protection of copyright” is unacceptable so the country will remain on the Watch List. That position is unlikely to change anytime soon considering the long Swiss tradition of respecting privacy.

Russia

Unsurprisingly the main site mentioned in respect of Russia is local Facebook variant vKontakte. The site has come under sustained attacks from both the RIAA and MPAA and the caucus is happy to keep up the pressure in 2014, despite Russia’s efforts to really tighten up local copyright law.

“The Caucus urges the Russian Government to take prompt action against websites that actively facilitate the theft of copyrighted materials, in particular vKontakte which was again named as a Notorious Market while remaining one of the most highly trafficked websites in Russia. Given the scale of online piracy emanating from Russia, it is crucial that Russia take serious and large scale action to enforce the law against rogue actors and end their status as a haven for digital piracy,” the report reads.

China and India

As expected, China is yet again subjected to criticism, despite clear signs that the country is changing its attitudes towards IP enforcement.

“Though the climate for intellectual property has improved, driven in part by a growing domestic creative sector within China, the scale of piracy remains massive, inflicting substantial harm to American and Chinese creators,” the caucus says.

And despite playing host to a large local creative industry, the caucus says that India is not doing enough to protect IP either, with high rates of camcorder movie piracy and a lack of effective notice-and-takedown procedures both aggravating factors.

Follow-the-money

Given the current collaborations between governments and the private sector with their “follow-the-money” approach to dealing with infringement, it’s no surprise that the caucus has focused a section of its report on this initiative.

Current momentum sees strong international efforts to eliminate the appearance of major brands’ advertising on ‘rogue’ sites and the caucus reports further progress on that front. The Association of National Advertisers (ANA), American Association of Advertising Agencies (4As), and Interactive Advertising Bureau (IAB) have all reported taking “concrete steps” towards evaluating “digital ad assurance” technologies to keep revenue away from pirate sites.

In a response, RIAA Executive Vice President Neil Turkewitz praised the caucus for its efforts.

“Their work on advertising has already led to various improvements, and we hope that soon the lure of generating money from advertising will no longer be viable for sites serving as distribution hubs for infringing content,” Turkewitz said.

Echoing the words of Italian Ambassador Claudio Bisogniero, who had been invited to the report’s unveiling in recognition of his country’s anti-piracy achievements, the MPAA reiterated that the protection of copyright on the Internet is essential to the development of business.

“At the MPAA, we couldn’t agree more, and deeply appreciate the steps being taken by the caucus to help protect the creative industries and the millions of workers they employ – both here in the United States and abroad,” the MPAA conclude.


TorrentFreak: YouTube Terminates Top Indian News Network For Infringement

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

While many people get away with uploading infringing content to YouTube, the site’s ContentID system ensures that content belonging to many of the world’s leading entertainment companies gets spotted when it’s uploaded by an unauthorized third-party.

Unofficial uploads can also be subjected to a DMCA-style complaint, whereby rightsholders inform YouTube that content is illicit and should be removed. Mistakes do get made, so content uploaders get a chance to issue a counter-notice in dispute. The mechanism is far from perfect though, with the system weighted in favor of rightsholders with the “little guy” struggling to make his voice heard.

While those uploading pirated TV shows and movies have little to complain about when a “strike” is placed against their YouTube account, legitimate companies can also be subjected to the same kinds of complaints.

This morning a leading Indian news network is waking up to that reality and a pretty big headache after multiple strikes were lodged against its YouTube account. Multiple strikes are very bad, as the message from YouTube below illustrates.


ZeeNews appears to be a decent sized player in the Indian market, operating via zeenews.india.com, a sub-domain of the prestigious India.com. Its Twitter account has 457,000 followers and its Facebook page 2.6 million likes. Overall, ZeeNews claims 140 million viewers across ten channels and the title of “India’s Largest News Network”. It’s owned by Zee Media Corporation Ltd.

The precise nature of the complaints against the channel isn’t clear. The notice published by YouTube cites multiple complaints including those from “TF1” and “Wizcraft”. TF1 could be the French national TV channel of the same name and Wizcraft might possibly relate to an Indian branding company – TorrentFreak is awaiting responses from both.

Meanwhile, ZeeNews’ YouTube account remains not merely suspended, but terminated. In most circumstances that means there is no chance of the account being put back online, but given ZeeNews’ prominence it may be able to deal with YouTube, especially if there has been some kind of error.

Emails to the contact addresses listed by ZeeNews are currently bouncing, but we’ll persevere.

Update June 25: The YouTube channel is back.


Блогът на Юруков: Lipsva.com is stopping – why and for how long

This post was syndicated from: Блогът на Юруков and was written by: Боян Юруков. Original post: at Блогът на Юруков


Exactly 4 years ago I officially launched my first “socially useful” project. Over that period the site has collected information on 1000 cases, half of which have already been solved by the police, and 1.6 million visits from 220 thousand people. On Facebook it recently passed 4500 followers, and on Twitter 390. After all this, the site is stopping, but temporarily – at least until I find time to build a new version or an alternative appears.

The failure to become redundant

That should have been the title of this article. From the very beginning I made it clear that the project did not aim to become “the register” of missing persons. It simply became one. I wanted the site to inspire one of the big NGOs, or best of all the Interior Ministry (МВР), to build something better, with more accurate data and more resources for maintenance. Lipsva would then have become redundant and I would gladly have abandoned it. Now that is happening almost by force. Meanwhile, its goal was to show society that there is a problem, that cases can be presented better, that there is a gaping hole in how informed we are, and possibly – with some crazy luck – to help someone be found.

Unfortunately, that did not happen. The project did not become redundant. The activity of recent months points to exactly the opposite. МВР has not launched an official register and has not improved the way it provides information to the media and online. In some regional directorates (РДВР) photos and descriptions are still sent from personal e-mails to local journalists. The Sofia directorate (СДВР) seems to be the only one posting cases on its Facebook page. There was an attempt at a specialised NGO, but I haven’t heard of any progress.

Meanwhile Lipsva receives a growing number of registrations of newly missing people and between 4 and 40 thousand visits a week. I notice slightly more transparency in the cases, because I find information about missing people more easily. МВР also seems to be working better with Interpol, since the yellow notices are now updated almost every day.

Mistakes in moderation and the platform

I made quite a few mistakes with this site, and the first was in the moderation system. Technically it is possible for more people to take part in reviewing and approving new cases, but in practice the system is not clean enough and only I know how to work with it. For a while there were people helping me, but for a long time now I have been doing everything myself. The work, as I said, is not decreasing. All of this is entirely my fault. I made some wrong decisions at the start, and the small changes and quick ideas that followed did not help.

The platform itself is written on a heavily modified WordPress. That wouldn’t have been a problem if I hadn’t made so many changes to the core, which over time and across versions started to produce errors. So the platform gradually became harder and harder to work with. I put it down to Lipsva being my first project. I learned a lot from it and try not to repeat the mistakes in my other projects.

Because of all these problems with the system I have not released it as open source. There was interest from several places. In its current state, however, I would not release it, and honestly there is no point.

Why don’t I just sit down and rewrite it?

As I mentioned, Lipsva needs a complete overhaul. I started working on that long ago, but I don’t have the time. You may ask why I work on so many other projects instead of finishing Lipsva. The answer has several parts.

First, the open data, election and similar projects are small compared to Lipsva, much simpler, and don’t require much time at once. Most of the data-related projects, for example, I develop in 10 to 30 minute breaks. I add a feature here, fix a bug there, experiment. It’s interesting to me. Lipsva, on the other hand, at least with the concept I have in mind, will require more time at once and concentration.

Another reason is motivation – the current platform worked for visitors, even if it was ugly inside. At the same time I don’t see it developing anywhere, except accumulating cases of missing people, some of which have already been solved without any public information about it. On top of that, the process is extremely manual and unreliable. I go on holiday for a week or two and there are already 10 cases not entered.

A third reason is data quality. As long as there is no good way to confirm whether a case is current, the “map of the missing” will rely on the reliability of the media, which, as you yourselves understand, simply doesn’t do the job for us.

And the police?

Over these years I have met and talked many times with people from МВР at various levels. I often exchange e-mails with the press centre about individual cases. Sometimes I get a reply, other times not. Sometimes police officers write to me from personal e-mails asking me to take someone down, because going through the official channels is idiotically hard. Four years ago they already had a strong desire to cooperate officially with Lipsva, but partly because of bureaucracy, partly because of staff changes, it never happened.

Today they announced the start of a system similar to Amber Alert, which is to raise the alarm when small children are abducted or go missing. I talked with them about this project at the start of 2012, and their idea was for Lipsva to take part by spreading information online. That didn’t happen, and I attribute it partly to the fact that I am not an NGO (which, inexplicably, is extremely important), but mostly to the fact that I am physically not in Bulgaria.

Meanwhile, I tried several times to break through the police’s wall of secrecy and convince them at least to make a single bulletin for all missing people. Not to give more information – just not to have everything scattered across 100 sites. After a while we reached an agreement that I would send an Excel spreadsheet with the cases known to me, which they would confirm as current. That didn’t happen.

As of now there is no practical change in the way МВР informs the public about cases of missing persons. Neither online nor in its work with the media. This problem does not stem from the work of the Search department (отдел Издирване), of which I personally have only good impressions. It is due to the general organisation of МВР, the ingrained fear of making decisions, and the veil of secrecy that by default protects every trivial piece of information – both from the outside world and within the police itself. That is my experience from the last 4 years, and everyone who has worked with МВР will confirm it – individual contacts with people are mostly positive, but in the end results are rarely achieved.

Oh, the media

If you follow me on Twitter you will know why I titled this section that way. I constantly complain about e-mails related to Lipsva. I stopped replying to them. The most common questions from journalists are: how many people have been found through the site, do I have data on abducted children and organ trafficking, and could I give them the phone numbers of grieving parents so they can take part in their programme. Of course, the questions are normal given the quality of most of our media.

The first question, however, is partly fair. No, I have no data that anyone has been found through Lipsva in these 4 years. For some this may count as a big failure and shows how pointless the project is. I don’t even know whether information that came through the site has helped МВР find anyone, although such information has been submitted. In every case I write that tips should be submitted to 112 or 116 000. I can do nothing with them except forward them. I don’t even want to have such information, because in most cases it is personal and I shouldn’t even have it. Nor do I have any ambition to put up a counter of people found through the site – this is not a competition or even a goal. When journalists hear this, though, they usually lose interest.

In this context I suppose you understand why no media outlet has taken on a project like Lipsva. In Russia and Greece there are specialised TV programmes. Visitors to the site pointed them out to me and I proposed them several times to as many media outlets as I could find. Not to use Lipsva or anything of the sort – just to do something on the topic. БНТ said they would look into it. A journalist from БТВ replied in plain terms that they already lose enough airtime on missing people and have no intention of giving free advertising to NGOs. Those from the others who replied said they would soon be making a programme and sent the questions I started with.

I know the topic is heavy and I don’t expect any media outlet to invest in such a media product. Many outlets would turn it into a tacky reality show anyway. The attitude of most, however, is the same as with any bloody drama on the streets. That is why society is left with the impression that more and more people are disappearing, that children are abducted every day and that the police do nothing. Almost nobody cites how the data show a high clearance rate, that no upward trend in cases is visible, but rather greater transparency. That is not interesting. Nor is the case of the grandmother lost a week ago, who will be found in a ditch a few days later. What is interesting is the girl who runs away from an orphanage for the 3rd time this year to visit her adult brother in Sofia.

Until when will the site be stopped?

Until I find time to rewrite it or something comes out that covers its current functions. I am ready to help anyone who intends to work on such a project – be it an NGO, МВР or an enthusiast like me. I can share my data so far, the metadata and the general ideas around the site. I have written about most of them many times on this blog.

In its current state, however, the site cannot continue. For two months now I have not managed to update the cases, quite a few new ones have piled up, and at least 15 cases from relatives are awaiting confirmation. It feels bad that the project is stopping – it is precisely the feeling that it helps and is needed that made me keep it up for so many years. I apologise to everyone who added their loved ones to Lipsva in the hope that at least there someone would see them. All of them will be added automatically to the new version when it is ready.

Until then the Facebook and Twitter profiles will keep working and I will share news, articles and photos of missing people.

The Hacker Factor Blog: EFF’ing Up

This post was syndicated from: The Hacker Factor Blog and was written by: The Hacker Factor Blog. Original post: at The Hacker Factor Blog

The Electronic Freedom Foundation (EFF) is a very important organization to those of us who care about technology, security, and privacy. I primarily know about their legal efforts — protecting free speech, fair use, and civil rights. If you’re a security researcher, then you know that any moment some big corporation may choose to sue you for reporting an exploit rather than addressing their vulnerabilities. Apple has sued security researchers. Microsoft used to threaten to sue (and left open the potential to do it again). Epic Games, Cisco, and many other big companies have tried to sue people who report vulnerabilities. When this happens, we inevitably run to the EFF for assistance and guidance.

The EFF usually has a very visible position at most big security conferences and they are well-known in the security community. While I rarely donate to any organizations, I have donated to the EFF because they are needed and they do very good work.

Well… they usually do good work…

Oh, so close!

Beyond their legal actions, exposés, and topical news reports, they also provide a cute web plug-in, developed in collaboration with the Tor Project, called “HTTPS-Everywhere”. The idea is that it forces your web browser to use HTTPS rather than HTTP.

I have previously mentioned many of the limitations with HTTPS: it doesn’t reliably validate connections, it permits the human to bypass detected security risks, it is vulnerable to man-in-the-middle connection hijacking, and that little lock symbol really doesn’t mean you are secure.

As security goes, HTTPS is “better than nothing” security. Treat it like that little lock on your front door — it stops someone from easily opening the door. But it doesn’t stop someone from picking the lock, kicking in the door, listening to you through the door, or climbing in the open window next to the door.

Before Google forced everyone to use HTTPS, they offered both HTTP and HTTPS for accessing google.com. Using this plug-in, it would send you to HTTPS rather than HTTP. The same goes for eBay, PayPal, and many other sites. Lots of sites offer both HTTP and HTTPS, but few sites force you to use HTTPS when HTTP is available. In effect, this plug-in forces you to use security-by-placebo rather than no security at all.

My current irk with HTTPS-Everywhere is that the developers do not seem to be testing their code before releasing it. I recently learned that they have a rule file named Hacker-Factor.xml. This rule forces users who access my FotoForensics site to use HTTPS instead of HTTP. This is a big problem.

While FotoForensics does run both HTTP and HTTPS servers, these two interfaces do not provide the same services. “HTTP” is for the public. As clearly specified in the FAQ, the public service is public. It is not private, it offers no privacy, it is explicitly a research site, and it does not offer logins to the public.

In contrast, my HTTPS server demands a login. You won’t get to the upload page or any of the other features without login credentials. (Logins to that server are strictly limited to administrators and research partners.) With my server, you need HTTPS to access the login interface.

Forcing the Point

There is no rule that says the HTTP and HTTPS servers must provide the same content. In fact, many sites today are like mine: HTTP is for the public, and HTTPS is for users who need to log in. Today, I cannot log in to my bank’s web site without using HTTPS. With HTTP, I see their site, but I must switch to HTTPS to see the login. I cannot log in to Google or Twitter or Facebook without HTTPS. Even most news sites use HTTP for public content but you must use HTTPS if you want to log in. It is not uncommon to see very different content when using HTTPS instead of HTTP.

By forcing users to the HTTPS service at FotoForensics, HTTPS-Everywhere prevents people from using FotoForensics. Moreover, I know that I’m not the only web service out there that uses HTTP for public information and HTTPS for private access.

(I should point out that Buzzfeed.com forces users to HTTP. HTTPS at cnn.com doesn’t work. Reddit.com still uses HTTP, even for logins. And pay.reddit.com displays very different content depending on whether you use HTTP or HTTPS.)

As far as I can tell, someone associated with HTTPS-Everywhere did do a little testing with their Hacker-Factor.xml rules. They noted in their configuration file that I use a self-signed certificate. A self-signed certificate is typically considered “bad”. Except that I also use client-side certificates, which is much stronger security than third-party authentication without client-side certificates. (Also, I don’t see any point in paying a third-party certificate provider for a certificate that isn’t secure.) In effect, I have two-part authentication: something you have (the client-side certificate) and something you know (login credentials). While the EFF noticed my self-signed cert, they did not notice that they couldn’t use the HTTPS site!

I noticed this today when a user complained, so I filled out a trouble ticket, letting them know that the configuration for my site was incorrect. (The “reported by: cypherpunks” is their generic account for people who do not want to register a login with their trouble-ticket service.) They closed it out shortly after, with no change and the comment, “it won’t prohibit the vast majority of people from visiting the site.” I guess they missed the part that prohibiting ANYONE from accessing my site is a flaw in their rule-set!
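The breakage described above, as an added example that is not the EFF’s code or Hacker Factor’s: a small reader for the HTTPS Everywhere ruleset format (the ruleset, target, exclusion and rule elements) plus the pre-release check a rule author could run before shipping. The hostnames, the two rulesets and the probe responses are constructed stand-ins, not the contents of the real Hacker-Factor.xml.

```python
"""Apply an HTTPS Everywhere-style ruleset and audit it before release."""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed rulesets in the HTTPS Everywhere XML format. Hostnames and
# patterns are placeholders, not the contents of the real Hacker-Factor.xml.
# FORCED_XML upgrades every http:// URL on the host, as the post describes.
FORCED_XML = """
<ruleset name="Public site (constructed)">
  <target host="public.example" />
  <target host="www.public.example" />
  <rule from="^http:" to="https:" />
</ruleset>
"""
# SCOPED_XML excludes every path except /login, so the public HTTP service
# keeps working and only the page that actually needs HTTPS is upgraded.
SCOPED_XML = """
<ruleset name="Public site (constructed, scoped)">
  <target host="public.example" />
  <target host="www.public.example" />
  <exclusion pattern="^http://(www\\.)?public\\.example/(?!login)" />
  <rule from="^http:" to="https:" />
</ruleset>
"""


class Ruleset:
    """Minimal reader for <ruleset>, <target>, <exclusion> and <rule>."""

    def __init__(self, xml_text: str) -> None:
        root = ET.fromstring(xml_text)
        self.name = root.get("name", "")
        self.targets = [t.get("host", "") for t in root.findall("target")]
        self.exclusions = [re.compile(e.get("pattern", "")) for e in root.findall("exclusion")]
        # Replacements are written JavaScript-style ($1); re.sub expects \1.
        self.rules = [
            (re.compile(r.get("from", "")), re.sub(r"\$(\d+)", r"\\\1", r.get("to", "")))
            for r in root.findall("rule")
        ]

    def covers(self, host: str) -> bool:
        # A "*.x" target matches any subdomain of x; anything else is exact.
        for target in self.targets:
            if target.startswith("*.") and host.endswith(target[1:]):
                return True
            if host == target:
                return True
        return False

    def rewrite(self, url: str) -> str:
        """Return the URL the extension would load instead of `url`."""
        host = urlparse(url).hostname or ""
        if not self.covers(host) or any(e.search(url) for e in self.exclusions):
            return url
        for pattern, replacement in self.rules:
            new_url, count = pattern.subn(replacement, url, count=1)
            if count:
                return new_url
        return url


# Constructed probe results: the HTTP side is public; the HTTPS side
# refuses everything except the login page unless you hold credentials.
SAMPLE_RESPONSES = {
    "http://public.example/upload": 200,
    "http://public.example/faq": 200,
    "http://public.example/login": 404,
    "https://public.example/upload": 403,
    "https://public.example/faq": 403,
    "https://public.example/login": 200,
}


def probe(url: str) -> int:
    """Stand-in for a HEAD request; 0 means the connection failed."""
    return SAMPLE_RESPONSES.get(url, 0)


def audit(ruleset: Ruleset, urls, fetch=probe):
    """Pre-release check: list every URL the ruleset upgrades to a page that
    is refused (4xx/5xx) or unreachable (0) although the HTTP page was served."""
    broken = []
    for url in urls:
        upgraded = ruleset.rewrite(url)
        if upgraded == url:
            continue
        before, after = fetch(url), fetch(upgraded)
        if 200 <= before < 400 and not 200 <= after < 400:
            broken.append((url, upgraded, after))
    return broken


if __name__ == "__main__":
    urls = sorted(u for u in SAMPLE_RESPONSES if u.startswith("http:"))
    for xml_text in (FORCED_XML, SCOPED_XML):
        rs = Ruleset(xml_text)
        print(rs.name, "->", audit(rs, urls) or "no breakage")
```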

Bad Advice

The other thing that got me looking at the EFF was a tweet they made today:

One year after the first Snowden disclosure, we need a web that resists NSA spying. Fight back. Run a Tor relay. https://eff.org/tor

Wow… does the EFF really not understand what Tor does?

The folks at the Tor Project have a wonderful description of their process. Tor mixes up the path between your computer and the remote system you are accessing. Let’s assume that there is someone who can watch all network traffic. What will they be able to tell about your online activities?

  • They will see that your computer is connecting to a Tor server. But they won’t know what you are doing. The data between you and the Tor server is encrypted.

  • The Tor network is like a giant mixer. One node passes to another node passes to another node… And since everyone is getting mixed up, someone watching the network traffic will see you and lots of other people (and other Tor nodes) all connect to the same Tor nodes, but they won’t know which continuing traffic belongs to you. Your trail vanishes into anonymity.

  • Eventually your traffic will reach an “exit node”. This is where it leaves the Tor network and connects to your desired server. The observer sees lots of exit nodes and lots of exit traffic — they don’t know which one belongs to you.

In this regard, Tor offers great security: an observer can see you enter, but doesn’t know what you sent or where you went. They can see lots of people exiting the Tor network, but they cannot identify which exit request is yours. It’s like being pursued by bloodhounds, getting into a car, and driving into rush-hour traffic — the dogs will lose your scent.

(For you deep-security folks, I’m ignoring potential connection leaks via applications that do not use Tor for DNS, or other things you run that do not pass through the Tor tunnel.)

Insecure-Tor

If your path is secure, then that means you are secure, right? Well, no.

Eventually your network traffic must exit the Tor network. At that point, it’s just as secure as connecting directly. If you connect to your bank or your Reddit account, then someone watching the traffic will see your login credentials used at that service. The omnipotent observer will see you connect to Tor “going somewhere” and your credentials being used to check your email at Yahoo. At this point, they don’t need a high IQ to know it is you. (It’s like catching a bank robber who fled the scene after being identified. The cops won’t go chasing you. They’ll just send someone over to watch your house — you’re bound to go home sometime…)

Last January, there was a report about some evil Tor exit nodes. Remember: the exit nodes can watch you leave the system and they can explicitly see where you are going. According to the report, some Swedish researchers managed to find “at least 22 corrupt exit nodes that were tampering with encrypted traffic leaving the supposedly private Tor network.”

Tor nodes are run by volunteers, and there is no vetting involved. If you want to run a Tor node, you can. If you want to be an exit node, that’s allowed. And if you want to watch all traffic that leaves your exit node, there’s nothing stopping you. In the case with the Swedish researchers, they found some nodes that were intentionally altering the data that you wanted to receive.

I’d say that this is earth-shattering news, except that it isn’t. This type of exploit was reported in 2012, and 2011 (with sample code), and pretty much every year since Tor started.

Back in 2007, one Swedish guy ran a Tor exit node and was capturing login credentials. Among other things, he saw login credentials to embassies all over the world.
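The hop-by-hop view described in the Tor section above and the exit-node plaintext problem discussed here, as an added model that is not the Tor Project’s code or the author’s: a three-hop onion built with a toy keyed stream cipher (SHA-256 counter XOR, constructed for the model; real Tor uses per-hop AES-CTR and TLS between relays), run once with a plain HTTP body and once with a body encrypted end to end as a stand-in for HTTPS. Relay names, keys, addresses and the request are all constructed.

```python
"""Model which facts each Tor hop can observe for HTTP vs HTTPS traffic."""
import hashlib
import json
from dataclasses import dataclass


def keyed_xor(key: bytes, data: bytes) -> bytes:
    """Toy symmetric stream cipher: XOR with SHA-256(key || block counter).
    Constructed for this model only; the same call encrypts and decrypts."""
    out = bytearray()
    block = b""
    for i, byte in enumerate(data):
        if i % 32 == 0:
            block = hashlib.sha256(key + (i // 32).to_bytes(4, "big")).digest()
        out.append(byte ^ block[i % 32])
    return bytes(out)


@dataclass
class Relay:
    name: str
    key: bytes  # session key this relay shares with the client

    def peel(self, cell: bytes):
        """Strip this relay's layer; return (next hop, inner bytes)."""
        layer = json.loads(keyed_xor(self.key, cell))
        return layer["next"], bytes.fromhex(layer["data"])


def build_onion(circuit, dest, body, https, tls_key=b""):
    """Wrap `body` so each relay learns only the next hop. With https=True
    the body is first encrypted end to end with `tls_key` (standing in for
    TLS to the destination); with https=False the exit forwards it as-is."""
    data = keyed_xor(tls_key, body) if https else body
    innermost = json.dumps({"next": dest, "data": data.hex()}).encode()
    cell = keyed_xor(circuit[-1].key, innermost)          # exit's layer
    for i in range(len(circuit) - 2, -1, -1):             # middle, then guard
        layer = json.dumps({"next": circuit[i + 1].name, "data": cell.hex()})
        cell = keyed_xor(circuit[i].key, layer.encode())
    return cell


def run_circuit(client_ip, circuit, cell):
    """Pass the onion through the circuit, recording each relay's view."""
    views, prev = {}, client_ip
    for relay in circuit:
        nxt, cell = relay.peel(cell)
        views[relay.name] = {"from": prev, "to": nxt, "forwards": cell}
        prev = relay.name
    return views


def what_each_hop_learns(views, client_ip, dest, body):
    """Which identifying facts each relay could read off what it handled."""
    facts = {}
    for name, view in views.items():
        learned = set()
        if view["from"] == client_ip:
            learned.add("client address")
        if view["to"] == dest:
            learned.add("destination")
        if body in view["forwards"]:          # plaintext passed through
            learned.add("request contents")
        facts[name] = learned
    return facts


# Constructed sample: a login over Tor to a bank, first HTTP, then HTTPS.
CLIENT_IP = "203.0.113.7"
DEST = "bank.example"
BODY = b"POST /login user=neal&password=constructed-sample"
TLS_KEY = b"constructed-tls-session-key"


def make_circuit():
    return [Relay("guard", b"k-guard"), Relay("middle", b"k-middle"), Relay("exit", b"k-exit")]


def simulate(https: bool):
    """Return (facts per relay, bytes the exit sends to the destination)."""
    circuit = make_circuit()
    views = run_circuit(CLIENT_IP, circuit, build_onion(circuit, DEST, BODY, https, TLS_KEY))
    return what_each_hop_learns(views, CLIENT_IP, DEST, BODY), views["exit"]["forwards"]


if __name__ == "__main__":
    for https in (False, True):
        facts, _ = simulate(https)
        print("HTTPS" if https else "HTTP", facts)
```

With HTTP the exit relay learns both the destination and the credentials; with HTTPS it still learns the destination, which is the author’s point about where Tor’s protection ends.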

You are… The Weakest Link!

At this point, Tor is only as secure as your connection to the server. If you use HTTP over Tor and you do anything that identifies yourself (fill out a form that requires your name, enter your email address, log in to a service, check Facebook, do an ego-search to see who is talking about you…) then you’ve just compromised any security that Tor was providing. Someone watching the network traffic will know it was you.

Using something like HTTPS-Everywhere can help a little. It will stop you from forgetting to use HTTPS for certain web sites. However, virtually nobody uses HTTPS with client-side certificates. And without client-side certificates, it is relatively easy for someone on the network between Tor and your bank to hijack your network connection. (For the attacker, you don’t sit and wait for “Neal” to log in… You hijack everyone and eventually you’ll also catch “Neal”.) Moreover, if someone is smart enough to configure a Tor exit node and monitor traffic, then they are certainly smart enough to hijack your HTTPS connection. (We’re not talking about an extreme level of difficulty here; any beginner-admin can learn to do this in a few hours.)

Run or Run Away

In their tweet, the EFF recommends that people run their own Tor relays. This will make the mixer network larger and makes tracking network traffic more difficult. However, what does it do for privacy and to your network traffic?

  • Tor consumes network bandwidth. I hope you have a high-speed network connection, because most residential users can either run a Tor relay or watch NetFlix, but you won’t have enough bandwidth for both.

  • Tor has entry, middle, and exit nodes. Someone on an entry node can see you enter the network, but not where you are going. An exit node can see where you go and what you are doing, but not where the request came from. Meanwhile, a middle node sees anonymous traffic coming in and anonymous traffic going out. (Until I learn of an exploit, the middle nodes are safe enough.) If you run an exit node, then you can observe all network traffic between the outside world and your exit node. And you have the ability to interfere with network traffic.

    As a Tor user, you don’t know who owns the exit nodes or what they are doing. “Assuming” it is safe does not make it safe.

  • As an exit node, you cannot control where people go or what they want to download. If they download child porn, then it will look to the omnipotent network gods as if you (the owner of the exit node) downloaded child porn. (Better leave the front door unlocked since it’s expensive to repair a kicked-in door after the police arrive.)

  • My contract with my Internet Service Provider (ISP) explicitly forbids me from sharing my network connection with other people outside my home. I cannot legally run a free WiFi access point for my neighbors or even run a public web service. That’s the same with most residential ISPs. The EFF’s suggestion for you to run a Tor node will likely be in violation of your ISP service agreement. (You’re running a network service and permitting the world to use your network connection.)

What my client meant to say…

Perhaps the EFF meant to tell people to use Tor and misspoke when they said to run a Tor relay… In that case, there are still two issues: speed and security. With regards to speed, Tor is really slow on its good days.

But then there is that pesky exit-node issue. Without Tor, I can connect to my bank from my home. I can be fairly confident that nobody is intercepting or hijacking the connections, and it is as safe as HTTPS (without client-certs) allows. But with Tor, I cannot trust the exit nodes. HTTPS will not notify me if the initial connection is hijacked and the exit node has a great opportunity for hijacking the connection.

Moreover, Tor nodes are run by volunteers all over the Internet. I have no idea who they are, what networks my login credentials are passing over, or who might be watching. As far as I know, there is no way to identify all of the networks that my packets touch. While I do use Tor for anonymous network access, I would never trust it in its current state for anything that requires identifiable information.

For more specific paranoia, consider this: If I connect directly from my home to my bank, I can use traceroute and identify that my packets never leave this country. Yes, corporations that run the networks may see my traffic, but I don’t have to worry about foreign governments. In contrast, if I use Tor and it randomly selects an exit node in Taiwan, then governments in Taiwan, China, Europe, and every other country can spy on my connection as the packets leave a distant Tor exit node and connect to my local bank. With Tor, there are a lot more options for people to watch my online activities and hijack the connection. Without Tor, I only have to worry about my local networks.

Focal Points

I typically trust the EFF’s judgment. Their legal advice and concerns about privacy, security, and technology are usually spot-on. And when the EFF speaks, people should listen.

However, as with anyone else, their suggestions are not always 100% reliable. Forcing people to use HTTPS on an HTTP-only service breaks access to the service. Releasing an HTTPS-Everywhere rule without testing it first seems like a really bad idea, and not patching it when told that the rule does not work seems willfully ignorant. And while I agree that we need a more secure version of the Internet, Tor is not the solution. Advising people to run a Tor node without identifying the impact and risks seems like a huge mistake to me.

Perhaps I am just over-reacting. But it seems to me that the EFF just gave out some very bad advice.

TorrentFreak: PublicHD Disappears, Twitter & Facebook Accounts Gone

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

While new file-sharing sites appear on a regular basis, it’s reasonably rare for fresh torrent sites to fill a niche in an effective and public fashion. PublicHD was a site that bucked that trend, in part by delivering focused content rather than simply making existing material searchable.

From a standing start, during the last quarter of 2012 PublicHD’s popularity skyrocketed. Concentrating on movie rips at the higher end of the quality spectrum, PublicHD grew steadily throughout 2013, a trend that continued – blips aside – into the first few months of this year.


Then yesterday, without warning, PublicHD simply disappeared, and as of today the site is still inaccessible via its main Swedish domain, its .EU alternative, or its official proxy. There has been no official announcement or explanation. Needless to say, there are currently plenty of worried users.

Of course, sites go offline for technical reasons all the time, and it may yet transpire that PublicHD has had some serious technical issues. The signs, however, are less than encouraging. The first logical places for users to check for status updates are PublicHD’s Twitter and Facebook accounts but just like the main site, they have completely disappeared.


Since PublicHD is, as its name suggests, a public site, its activities can be seen not only on its own domain but on other torrent sites too. For example, The Pirate Bay has a user account by the name of DibyaTPB, which is believed to be a PublicHD auto-uploading bot. After making hundreds of releases and rarely if ever having a break, yesterday DibyaTPB fell silent, indicating that the site is indeed completely offline.


Furthermore, BOZX, another Pirate Bay account associated with PublicHD, also went quiet on Saturday. And, after 19,199 uploads, the corresponding account for BOZX on KickassTorrents was silenced too. At some point, it’s not clear when, the account was also renamed.

The disappearance of PublicHD is even more puzzling given that earlier this month the site’s operators were planning new and bigger things.

“Soon we are going to have a makeover and a brand new PublicHD with tons of new features and stronger security system,” they said in an announcement.

It’s certainly feasible that the upgrades are underway now, but it makes little sense that such work would go hand in hand with PublicHD removing itself from social media and keeping its users entirely in the dark.

Rightsholders have issued a steady stream of complaints against PublicHD to Google since late 2012 but since the start of 2014 the number being processed has steadily increased, with April and May being the most active months in the site’s history.
