Posts tagged ‘Other’

TorrentFreak: Private Torrent Site Operators Face Criminal Trial

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

In 2009, in the wake of the first Pirate Bay trial and the guilty verdict handed to its operators, other admins with file-sharing sites in Sweden began to reconsider their positions.

Piling on the pressure, Antipiratbyrån (now Rights Alliance) wrote to several sites warning them to end their copyright-infringing activities or face the consequences.

While most simply ignored the threats, some decided it was time to close down. One pair, SweDVDR and SoftMP3, did so alongside the release of their source code. This led to the creation of two new sites which eventually merged into one to become ‘eXcelleNT’, or XNT as it was known in public.


For two years the site grew in size and reputation but in 2011 things came crashing down. Just as promised 24 months earlier, Antipiratbyrån / Rights Alliance investigated the site and filed a complaint with the police. In May the authorities pounced, arresting a man in Borlänge, Sweden, and another in the Stockholm area a day later. The site’s server was seized in Germany.

“We believe that the men have been administering and managing the site together,” said prosecutor Frederick Ingblad at the time.

In April 2014, almost three years after the raids, prosecutor Ingblad announced that the men had been prosecuted and would be heading to court. This week they appeared before the Falu District Court for a criminal copyright infringement trial.

“On this file-sharing site 1,050 different types of movies and TV shows were made available to the public illegally without rightholders’ approval,” Ingblad said this week.

The case, which received support from German authorities, centers around the unauthorized distribution of movies and TV shows between March and May 2011, including content owned by Warner Bros. and Disney.

The men, aged 23 and 24, stand accused of operating XNT in a case similar to the one involving The Pirate Bay in 2009. However, while the man from Borlänge admits to running the site, he feels no crime has been committed since he uploaded no content himself and only provided a sharing platform.

His lawyer, Sven-Erik Charles, goes even further. Charles believes that his client can not be convicted of infringement in Sweden since any crimes were committed overseas.

“The issue in this lawsuit is where the crime was committed, abroad or in Sweden. This particular site’s server was located in Germany,” he said.

With most private BitTorrent trackers there’s an issue with site funding that’s usually overcome by users making donations. In this case XNT also received voluntary payments from its users – $6,500 to be precise. However, according to, the prosecutor has already determined that money was not the motivation behind the site and the men didn’t get rich as a result.

“It’s about the desire to compete with other sites, you want to be the quickest to upload some movies and become the greatest, pure and simple,” Ingblad said.

As noted following the Supreme Court decision earlier this week, 1000 movies and TV shows is way above the newly-established threshold for file-sharers to avoid custodial sentences. The men have other concerns too, however. As expected the entertainment companies represented by Rights Alliance have also lodged a multi-million claim for damages.

The men’s fate on both counts will be determined in the coming weeks.

Source: TorrentFreak, for the latest info on copyright, file-sharing and anonymous VPN services.

Errata Security: Ask a nerd

This post was syndicated from: Errata Security and was written by: Robert Graham. Original post: at Errata Security

One should probably consult a lawyer on legal questions. Likewise, lawyers should probably consult nerds on technical questions. I point this out because of this crappy Lawfare post. It’s on the right side of the debate (FBI’s evidence pointing to North Korea is bad), but it’s still crap.

For example, it says: “One hears a lot in cybersecurity circles that the government has “solved” the attribution problem“. That’s not true, you hear the opposite among cybersecurity experts. I suspect he gets this wrong because he’s not talking about technical experts, but government circles. What government types in Washington D.C. say about cybersecurity is wholly divorced from reality — you really ought to consult technical people.

He then says: “it is at least possible that some other nation is spoofing a North Korean attack“. This is moronic, accepting most of the FBI’s premise that a nation state sponsored the attack, and that we are only looking for which nation state this might be. In reality, the Sony hack is well within the capabilities of teenagers. The evidence is solid that Sony had essentially no internal security — it required no special sophistication by the hacker. Anybody could’ve done this.

He then talks about the FBI “admitting that it knew about the tools and signatures that North Korea used in past attacks and exploitations and yet still was either unwilling or unable to stop the attack on Sony“. Just because The Phantom leaves behind his signature glove in his cat burglaries doesn’t mean police can stop him robbing the Pink Panther diamond. It’s perfectly reasonable to find similarities in computer viruses without that information being helpful in stopping future viruses. This is one of those things that seems only plausible to those completely ignorant of technology, which is why you ought to consult a techy first to see if you are off-base.

He then says “There are many, many steps the government will need to take to keep our networks more secure“. That’s a political line by fascists, like “government needs to keep the trains running on time”. Neither is a particular need; both are justifications for police states. A cyber police state is not the appropriate response to the Sony hack.

In summary, while this Lawfare post appears to be on my side (not enough North Korea evidence), it’s actually on the opposite side. It accepts all the basic premises by the government but only disagrees with them on one point. In actuality, much more is wrong with the government’s argument than the lack of evidence.

SANS Internet Storm Center, InfoCON: green: Which NTP Servers do You Need to Patch? (Sat, Dec 20th)

This post was syndicated from: SANS Internet Storm Center, InfoCON: green and was written by: SANS Internet Storm Center, InfoCON: green. Original post: at SANS Internet Storm Center, InfoCON: green

(Also see our earlier diary about this vulnerability)

While people generally know where their real NTP servers are, all too often they don’t know that they’ve got a raft of accidental NTP servers: boxes that have NTP enabled without the system maintainers knowing about it. Common examples are network devices like routers and switches (when these are NTP clients, they are often also NTP servers), PBXs and VoIP gateways, mail servers, certificate authorities and so on.

In these days of auto-updates, you would think that most NTP servers would be patched against the vulnerabilities found by the Google team and described in the story Johannes wrote up earlier this evening.

However, it only took until the second host checked to find a very out-of-date server. Unfortunately, it’s the main NTP server of a large Canadian ISP (oops). What I also found along the way was that many servers only report “4” as a version, and that comes from the -sV switch, not from ntp-info. So depending on your internal servers and how they are configured, it may be time for us to start using authenticated scans with tools like Nessus to get service versions for our NTP servers. Hopefully that

Nmap scan report for (x.x.x.x)
Host is up (0.0045s latency).
rDNS record for x.x.x.x:
123/udp open ntp NTP v4
| ntp-info:
| receive time stamp: 2014-12-20T02:47:52
| version: ntpd 4.1.1c-rc1@1.836 Thu Feb 13 12:17:19 EST 2003 (1)
| processor: i686
| system: Linux2.4.20-8smp
| leap: 0
| stratum: 3
| precision: -17
| rootdelay: 11.079
| rootdispersion: 33.570
| peer: 32471
| refid: x.x.x.x
| reftime: 0xd83f5fad.b46b9c30
| poll: 10
| clock: 0xd83f61d5.3a71ef30
| state: 4
| offset: -0.329
| frequency: 46.365
|_ jitter: 3.468
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 180.08 seconds

This server, on the other hand, doesn’t report the version in the ntp-info output. -sV reports version 4, but that

Nmap scan report for (y.y.y.y)
Host is up (0.010s latency).
123/udp open ntp NTP v4
|_ntp-info:
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 143.24 seconds

But really, after this year of vulnerabilities that we’ve seen in basic system services, it’s about time that folks took the SANS Top 20 to heart: the SANS Critical Controls that you really should be looking at if it’s your goal to secure your network. The top 5 in the list sum up your first line of defense against stuff like this: know what’s on your network, know what’s running on it, have a formal program of patches and updates, and scan regularly for new hosts, new services and new vulnerabilities. If it’s your thought that a single scan for this one vulnerability is the most important thing on your plate (or scanning for Heartbleed or Shellshock was earlier this year), then you have already lost – it

Quick Addendum/Update (Johannes):

CentOS and other Linux distros did release updates. However, the version string may not change. Check the build date. For example, on CentOS 6:
Before patch: ntpd 4.2.6p5@1.2349-o Sat Nov 23 18:21:48 UTC 2013 (1)
After patch:
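The two checks the diary describes, pulling the version variable out of a server’s ntp-info/READVAR reply and then judging it by version number and build date rather than by the bare “4” that -sV reports, as an added example; this is not code from the diary, from nmap or from ntp.org. Two thresholds are assumptions and not stated on the page: the upstream fixed release is taken to be ntp 4.2.8, and any build dated on or after 18 Dec 2014 with an older version string is treated as a possible distro backport to be confirmed against the vendor advisory. The mode 6 READVAR reply embedded in the script is constructed for the example, not captured from a live host.

```python
"""Classify ntpd version strings by version number and build date.

Accepts the 'version' variable as printed by nmap's ntp-info script,
`ntpq -c rv`, or a raw NTP mode 6 READVAR query (built and parsed below).
"""
import re
import socket
import struct
from datetime import datetime, timezone

# Assumed thresholds (not from the diary): the upstream fix release, and the
# earliest build date on which a distro backport with an unchanged version
# string could have been built. Adjust for the advisory you are checking.
MIN_FIXED_VERSION = (4, 2, 8)
BACKPORT_BUILD_DATE = datetime(2014, 12, 18, tzinfo=timezone.utc)

# e.g. "ntpd 4.2.6p5@1.2349-o Sat Nov 23 18:21:48 UTC 2013 (1)"
VERSION_RE = re.compile(
    r"ntpd\s+(?P<ver>\d+\.\d+\.\d+)(?P<suffix>[^@\s]*)(?:@\S+)?\s+"
    r"(?P<build>[A-Za-z]{3}\s+[A-Za-z]{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d\s+[A-Za-z]+\s+\d{4})"
)


def parse_version_line(line):
    """Return (version_tuple, suffix, build_datetime) or None if unparseable."""
    m = VERSION_RE.search(line or "")
    if not m:
        return None
    version = tuple(int(x) for x in m.group("ver").split("."))
    parts = m.group("build").split()
    # Drop the zone token (EST/UTC/...) and treat the stamp as UTC; a few
    # hours either way do not matter when the dates being compared are days apart.
    stamp = " ".join(parts[:4] + parts[5:])
    built = datetime.strptime(stamp, "%a %b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)
    return version, m.group("suffix"), built


def classify(version_line):
    """'patched', 'probably-backported', 'vulnerable' or 'unknown'."""
    parsed = parse_version_line(version_line)
    if parsed is None:
        return "unknown"  # no version string at all: needs an authenticated scan
    version, _suffix, built = parsed
    if version >= MIN_FIXED_VERSION:
        return "patched"
    if built >= BACKPORT_BUILD_DATE:
        return "probably-backported"  # old version string, new build: check the distro advisory
    return "vulnerable"


def build_readvar_request(seq=1):
    """NTP control message: LI=0, VN=2, mode=6 gives 0x16; opcode 2 = READVAR.
    Association id 0 asks for the system variables, which include 'version'."""
    return struct.pack("!BBHHHHH", 0x16, 0x02, seq, 0, 0, 0, 0)


def parse_readvar_response(data):
    """Parse one READVAR reply fragment into a dict of variable -> value."""
    if len(data) < 12:
        raise ValueError("short packet")
    b0, b1, _seq, _status, _assoc, _offset, count = struct.unpack("!BBHHHHH", data[:12])
    if b0 & 0x07 != 6 or not b1 & 0x80:  # mode 6 with the response bit set
        raise ValueError("not a mode 6 response")
    if b1 & 0x40:  # error bit
        raise ValueError("server reported an error")
    text = data[12:12 + count].decode("ascii", "replace")
    return {k: v.strip().strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|[^,]*)', text)}


def query_version(host, timeout=3.0):
    """Ask a live server; returns its version string, or None if it gives none."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_readvar_request(), (host, 123))
        data, _ = s.recvfrom(4096)
    return parse_readvar_response(data).get("version")


def sample_readvar_response():
    """Constructed (not captured) reply carrying the CentOS 6 pre-patch
    version string quoted in the diary's addendum."""
    payload = (b'version="ntpd 4.2.6p5@1.2349-o Sat Nov 23 18:21:48 UTC 2013 (1)",\r\n'
               b'processor="x86_64", system="Linux/2.6.32", leap=0, stratum=3')
    return struct.pack("!BBHHHHH", 0x16, 0x82, 1, 0x0615, 0, 0, len(payload)) + payload


if __name__ == "__main__":
    import sys
    for host in sys.argv[1:]:
        ver = query_version(host)
        print(host, ver, classify(ver))
```

Run it with one or more hostnames to get a verdict per server; a host that answers READVAR without a version variable (the diary’s second example) comes back as “unknown” and is exactly the case where you need credentials on the box rather than another unauthenticated scan. Servers that drop mode 6 queries entirely will time out, which is the desired configuration for an Internet-facing server and is worth recording as a separate result.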

(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.

Errata Security: Sony hack was the work of SPECTRE

This post was syndicated from: Errata Security and was written by: Robert Graham. Original post: at Errata Security

The problem with hacking is that people try to understand it through analogies with things they understand. They try to fit new information into old stories/tropes they are familiar with. This doesn’t work — hacking needs to be understood in its own terms.

But since you persist in doing it this way, let me use the trope of SPECTRE to explain the Sony hack. This is the evil criminal/terrorist organization in the James Bond films that is independent of all governments. Let’s imagine that it’s SPECTRE who is responsible for the Sony hack, and how that fits within the available evidence.

This trope adequately explains the FBI “evidence” pointing to North Korea. SPECTRE has done work for North Korea, selling them weapons, laundering their money, and conducting hacking for them. While North Korea is one of their many customers, they aren’t controlled by North Korea.

The FBI evidence also points to Iran, with the Sony malware similar to that used in the massive Saudi Aramco hack. That would make sense, since an evil organization like SPECTRE does business with all the evil countries. Conversely, the Iranian connection doesn’t make sense if the Sony hack were purely the work of the North Koreans.

SPECTRE’s organization is highly modular, with different groups doing different things. Indeed, different arms of SPECTRE might be working for both sides of a conflict at the same time without each knowing about it. One arm of SPECTRE develops malware. Another arm uses that to break into companies and steal credit card numbers. Another arm converts those credit card numbers to cash.

It’s quite possible that the Sony hack was the work of a single SPECTRE agent. We’ll call him #8. Certainly, #8 uses the resources of SPECTRE to carry out the attack, and other resources will be called in to profit from the attack, but it’s largely an independent operation. In other words, “Guardians of Peace” can refer to a single guy — a largely independent operator who is unaware of those parts of SPECTRE who have interacted with Iran and North Korea. Thus, once he got into Sony, other members of SPECTRE contacted their North Korean customers and said “hey, we have an opportunity, give us $1 million and we’ll shut down that film you hate”. Once they got the cash, they directed #8 to make the threat.

My story of SPECTRE better explains the evidence in the Sony case than the FBI’s story of a nation-state attack. In both cases, there are fingerprints leading to North Korea. In my story, North Korea is a customer. In the FBI’s story, North Korea is in charge. However, my story better explains how everything is in English, how there are also Iranian fingerprints, and how the threats over The Interview came more than a week after the attack. The FBI’s story is weak and full of holes, my story is rock solid.

I scan the Internet. I find compromised machines all over the place. Hackers have crappy opsec, so that often leads me to their private lairs (i.e. their servers and private IRC chat rooms). There are a lot of SPECTRE-like organizations throughout the world, in Eastern Europe, South America, the Islamic world, and Asia. At the bottom, we see idiot kids defacing websites. The talented move toward the top of the organization, which has nebulous funding likely from intelligence operations or Al Qaeda, though virtually none of their activities are related to intelligence/cyberwar/cyberterror (usually, stealing credit cards for porn sites).

My point is this. Our government has created a single story of “nation state hacking”. When that’s the only analogy that’s available, all the evidence seems to point in that direction. But hacking is more complex than that. In this post, I present a different analogy, one that better accounts for all the evidence, but one in which North Korea is no longer the perpetrator.

Errata Security: The FBI’s North Korea evidence is nonsense

This post was syndicated from: Errata Security and was written by: Robert Graham. Original post: at Errata Security

The FBI has posted a press release describing why they think it’s North Korea. While there may be more things we don’t know, on its face it’s complete nonsense. It sounds like they’ve decided on a conclusion and are trying to make the evidence fit. They don’t use straightforward language, but confusing weasel words, like saying “North Korea actors” instead of simply “North Korea”. They don’t give details.

The reason it’s nonsense is that the hacker underground shares code. They share everything: tools, techniques, exploits, owned systems, botnets, and infrastructure. Different groups even share members. It is implausible that North Korea would develop its own malware from scratch.

Here’s the thing with computer evidence: you don’t need to keep it secret. It wouldn’t harm Sony and wouldn’t harm the investigation. It would help anti-virus and security vendors develop signatures to stop it. It would crowd-source analysis, to see who it really points to. We don’t need to take the FBI’s word for it, we should be able to see the evidence ourselves. In other words, instead of saying “IP addresses associated with North Korea”, they can tell us what those IP addresses are, like “”.

But the FBI won’t do that. They aren’t in the business of protection but control. The idea that Americans should protect themselves and decide for themselves is anathema to the FBI.

TorrentFreak: Hollywood Tries to Crush Popcorn Time, Again

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

This year Popcorn Time became an instant hit by offering BitTorrent-powered streaming inside an easy-to-use Netflix-style interface.

The breakthrough app had Hollywood concerned but luckily for them the developers shut it down after a few weeks, saying that they wanted to move on with their lives.

It was never revealed whether Hollywood forces had threatened the developers, but an MPAA update that surfaced as part of the Sony leaks now reveals that this was indeed the case.

In the MPAA’s “first quarter update,” sent to the movie studio heads in March, the group stated that it had “scored a major victory in shutting down the key developers of Popcorn Time.”

The MPAA added that the investigative and enforcement actions required collaboration on three continents, which they hoped would prevent Popcorn Time from becoming a “major piracy threat.”

Unfortunately for Hollywood the threat didn’t go away. The open source project was quickly picked up by others and in recent months several popular forks gained steady user bases. One of the most-used forks has since turned into a bigger threat than the original application. As a result, Hollywood is trying its best to dismantle it.

Previously the fork had its domain name suspended and over the past few weeks found itself being kicked out by various hosting providers. Complaints from the Hollywood backed anti-piracy group BREIN were to blame.

The hosting troubles resulted in long periods of downtime, which isn’t good for morale among the developers.

“We had a tough two weeks with a few shut downs that came unexpectedly. We moved our service through three different hosting companies in these weeks,” the team tells TF.

“All caved after a few hours to a day or two, after ‘some’ copyright organization contacted them, saying suddenly that they don’t want to host our ‘illegal’ domain. We were shocked actually to see how quickly these organizations work.”

While the fork might have been down, it’s not out yet. The team is determined to keep its software available and will be releasing new updates to the app today.

“BREIN is on our backs? Well, we found a new hosting company which we hope will be more cooperative, and we’re releasing updates for both Windows and Mac today to show everyone that business is as usual.”

“No one said it was gonna be easy, but what doesn’t kill you, makes you stronger, and we’re not into dying… ;-),” the team concludes.

Whether other Popcorn Time forks have had similar problems recently is unknown, but the above makes it clear that Hollywood is still determined to crush these popular apps.

Source: TorrentFreak, for the latest info on copyright, file-sharing and anonymous VPN services.

Krebs on Security: FBI: North Korea to Blame for Sony Hack

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

The FBI today said it has determined that the North Korean government is responsible for the devastating recent hack attack against Sony Pictures Entertainment. Here’s a brief look at the FBI’s statement, what experts are learning about North Korea’s cyberattack capabilities, and what this incident means for other corporations going forward.

In a statement released early Friday afternoon, the FBI said that its investigation — along with information shared by Sony and other U.S. government departments and agencies — found that the North Korean government was responsible.

The FBI said it couldn’t disclose all of its sources and methods, but that the conclusion was based, in part, on the following:

-“Technical analysis of the data deletion malware used in this attack revealed links to other malware that the FBI knows North Korean actors previously developed. For example, there were similarities in specific lines of code, encryption algorithms, data deletion methods, and compromised networks.”

-“The FBI also observed significant overlap between the infrastructure used in this attack and other malicious cyber activity the U.S. government has previously linked directly to North Korea. For example, the FBI discovered that several Internet protocol (IP) addresses associated with known North Korean infrastructure communicated with IP addresses that were hardcoded into the data deletion malware used in this attack.”

-“Separately, the tools used in the SPE attack have similarities to a cyber attack in March of last year against South Korean banks and media outlets, which was carried out by North Korea.”

The agency added that it was “deeply concerned” about the destructive nature of this attack on a private sector entity and the ordinary citizens who work there, and that the FBI stands ready to assist any U.S. company that is the victim of a destructive cyber attack or breach of confidential information.

“Further, North Korea’s attack on SPE reaffirms that cyber threats pose one of the gravest national security dangers to the United States,” the FBI said. “Though the FBI has seen a wide variety and increasing number of cyber intrusions, the destructive nature of this attack, coupled with its coercive nature, sets it apart. North Korea’s actions were intended to inflict significant harm on a U.S. business and suppress the right of American citizens to express themselves. Such acts of intimidation fall outside the bounds of acceptable state behavior. The FBI takes seriously any attempt—whether through cyber-enabled means, threats of violence, or otherwise—to undermine the economic and social prosperity of our citizens.”

SPE was hit with a strain of malware designed to wipe all computer hard drives within the company’s network. The attackers then began releasing huge troves of sensitive SPE internal documents, and, more recently, started threatening physical violence against anyone who viewed the Sony movie “The Interview,” a comedy that involves a plot to assassinate North Korean leader Kim Jong Un. Not long after a number of top movie theater chains said they would not show the film, Sony announced that it would cancel the movie’s theatrical release.

Apparently emboldened by Sony’s capitulation, the attackers are now making even more demands. According to CNN, Sony executives on Thursday received an email, apparently from the attackers, saying they would no longer release additional stolen Sony Pictures data if the company announced that it would also cancel any plans to release the movie on DVD, Netflix or elsewhere. The attackers also reportedly demanded that any teasers and trailers about The Interview online be removed from the Internet.


Little is publicly known about North Korea’s cyber warfare and hacking capabilities, but experts say North Korean leaders view cyber warfare capabilities as an important asymmetric asset in the face of its perceived enemies — the United States and South Korea. An in-depth report (PDF) released earlier this year by HP Security Research notes that in November 2013, North Korea’s “dear leader” Kim Jong Un referred to cyber warfare capabilities as a “magic weapon” in conjunction with nuclear weapons and missiles.

“Although North Korea’s limited online presence makes a thorough analysis of their cyber warfare capabilities a difficult task, it must be noted that what is known of those capabilities closely mirrors their kinetic warfare tactics,” HP notes. “Cyber warfare is simply the modern chapter in North Korea’s long history of asymmetrical warfare. North Korea has used various unconventional tactics in the past, such as guerilla warfare, strategic use of terrain, and psychological operations. The regime also aspires to create viable nuclear weapons.”

Sources familiar with the investigation tell KrebsOnSecurity that the investigators believe there may have been as many as several dozen individuals involved in the attack, the bulk of whom hail from North Korea. Nearly a dozen of them are believed to reside in Japan.

Headquarters of the Chongryon in Japan.

According to HP, a group of ethnic North Koreans residing in Japan known as the Chongryon are critical to North Korea’s cyber and intelligence programs, and help generate hard currency for the regime. The report quotes Japanese intelligence officials stating that “the Chongryon are vital to North Korea’s military budget, raising funds via weapons trafficking, drug trafficking, and other black market activities.” HP today published much more detail about specific North Korean hacking groups that may have played a key role in the Sony incident given previous such attacks.

While the United States government seems convinced by technical analysis and intelligence sources that the North Koreans were behind the attack, skeptics could be forgiven for having doubts about this conclusion. It is interesting to note that the attackers initially made no mention of The Interview, and instead demanded payment from Sony to forestall the release of sensitive corporate data. It wasn’t until well after the news media pounced on the idea that the attack was in apparent retribution for The Interview that we saw the attackers begin to mention the Sony movie.

In any case, it’s unlikely that U.S. officials relish the conclusion that North Korea is the aggressor in this attack, because it forces the government to respond in some way and few of the options are particularly palatable. The top story on the front page of the The Wall Street Journal today is an examination of what the U.S. response to this incident might look like, and it seems that few of the options on the table are appealing to policymakers and intelligence agencies alike.

The WSJ story notes that North Korea’s only connections to the Internet run through China, but that pressuring China to sever or severely restrict those connections is unlikely to work.

Likewise, engaging in a counter-attack could prove fruitless, or even backfire, the Journal observed, “in part because the U.S. is able to spy on North Korea by maintaining a foothold on some of its computer systems. A retaliatory cyberstrike could wind up damaging Washington’s ability to spy on Pyongyang…Another former U.S. official said policy makers remain squeamish about deploying cyberweapons against foreign targets.”


If this incident isn’t a giant wake-up call for U.S. corporations to get serious about cybersecurity, I don’t know what is. I’ve done more than two dozen speaking engagements around the world this year, and one point I always try to drive home is that far too few organizations recognize how much they have riding on their technology and IT operations until it is too late. The message is that if the security breaks down, the technology stops working — and if that happens the business can quickly grind to a halt. But you would be hard-pressed to witness signs that most organizations have heard and internalized that message, based on their investments in cybersecurity relative to their overall reliance on it.

A critical step that many organizations fail to take is keeping a basic but comprehensive and ongoing inventory of all of the organization’s IT assets. Identifying where the most sensitive and mission-critical data resides (identifying the organization’s “crown jewels”) is another essential exercise, but too many organizations fail to take the critical step of encrypting this vital information.

Over the past several years, we’ve seen a remarkable shift toward more destructive attacks. Most organizations are accustomed to tackling malware infestations within their IT environments, but few are prepared to handle fast-moving threats designed to completely wipe data from storage drives across the network.

As I note in my book Spam Nation, miscreants who were once content to steal banking information and blast out unsolicited commercial email increasingly are using their skills to hold data for ransom using malware tools such as ransomware. I’m afraid that as these attackers become better at situational awareness — that is, gaining a better understanding of who their victims are and the value of the assets the intruders have under their control — these attacks and ransom demands will become more aggressive and costly in the months ahead.

Schneier on Security: Lessons from the Sony Hack

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

Earlier this month, a mysterious group that calls itself Guardians of Peace hacked into Sony Pictures Entertainment’s computer systems and began revealing many of the Hollywood studio’s best-kept secrets, from details about unreleased movies to embarrassing emails (notably some racist notes from Sony bigwigs about President Barack Obama’s presumed movie-watching preferences) to the personnel data of employees, including salaries and performance reviews. The Federal Bureau of Investigation now says it has evidence that North Korea was behind the attack, and Sony Pictures pulled its planned release of “The Interview,” a satire targeting that country’s dictator, after the hackers made some ridiculous threats about terrorist violence.

Your reaction to the massive hacking of such a prominent company will depend on whether you’re fluent in information-technology security. If you’re not, you’re probably wondering how in the world this could happen. If you are, you’re aware that this could happen to any company (though it is still amazing that Sony made it so easy).

To understand any given episode of hacking, you need to understand who your adversary is. I’ve spent decades dealing with Internet hackers (as I do now at my current firm), and I’ve learned to separate opportunistic attacks from targeted ones.

You can characterize attackers along two axes: skill and focus. Most attacks are low-skill and low-focus: people using common hacking tools against thousands of networks world-wide. These low-end attacks include sending spam out to millions of email addresses, hoping that someone will fall for it and click on a poisoned link. I think of them as the background radiation of the Internet.

High-skill, low-focus attacks are more serious. These include the more sophisticated attacks using newly discovered “zero-day” vulnerabilities in software, systems and networks. This is the sort of attack that affected Target, J.P. Morgan Chase and most of the other commercial networks that you’ve heard about in the past year or so.

But even scarier are the high-skill, high-focus attacks, the type that hit Sony. This includes sophisticated attacks seemingly run by national intelligence agencies, using such spying tools as Regin and Flame, which many in the IT world suspect were created by the U.S.; Turla, a piece of malware that many blame on the Russian government; and a huge snooping effort called GhostNet, which spied on the Dalai Lama and Asian governments, leading many of my colleagues to blame China. (We’re mostly guessing about the origins of these attacks; governments refuse to comment on such issues.) China has also been accused of trying to hack into the New York Times in 2010, and in May, Attorney General Eric Holder announced the indictment of five Chinese military officials for cyberattacks against U.S. corporations.

This category also includes private actors, including the hacker group known as Anonymous, which mounted a Sony-style attack against the Internet-security firm HBGary Federal, and the unknown hackers who stole racy celebrity photos from Apple’s iCloud and posted them. If you’ve heard the IT-security buzz phrase “advanced persistent threat,” this is it.

There is a key difference among these kinds of hacking. In the first two categories, the attacker is an opportunist. The hackers who penetrated Home Depot’s networks didn’t seem to care much about Home Depot; they just wanted a large database of credit-card numbers. Any large retailer would do.

But a skilled, determined attacker wants to attack a specific victim. The reasons may be political: to hurt a government or leader enmeshed in a geopolitical battle. Or ethical: to punish an industry that the hacker abhors, like big oil or big pharma. Or maybe the victim is just a company that hackers love to hate. (Sony falls into this category: It has been infuriating hackers since 2005, when the company put malicious software on its CDs in a failed attempt to prevent copying.)

Low-focus attacks are easier to defend against: If Home Depot’s systems had been better protected, the hackers would have just moved on to an easier target. With attackers who are highly skilled and highly focused, however, what matters is whether a targeted company’s security is superior to the attacker’s skills, not just to the security measures of other companies. Often, it isn’t. We’re much better at such relative security than we are at absolute security.

That is why security experts aren’t surprised by the Sony story. We know people who do penetration testing for a living: real, no-holds-barred attacks that mimic a full-on assault by a dogged, expert attacker. And we know that the expert always gets in. Against a sufficiently skilled, funded and motivated attacker, all networks are vulnerable. But good security makes many kinds of attack harder, costlier and riskier. Against attackers who aren’t sufficiently skilled, good security may protect you completely.

It is hard to put a dollar value on security that is strong enough to assure you that your embarrassing emails and personnel information won’t end up posted online somewhere, but Sony clearly failed here. Its security turned out to be subpar. They didn’t have to leave so much information exposed. And they didn’t have to be so slow detecting the breach, giving the attackers free rein to wander about and take so much stuff.

For those worried that what happened to Sony could happen to you, I have two pieces of advice. The first is for organizations: take this stuff seriously. Security is a combination of protection, detection and response. You need prevention to defend against low-focus attacks and to make targeted attacks harder. You need detection to spot the attackers who inevitably get through. And you need response to minimize the damage, restore security and manage the fallout.

The time to start is before the attack hits: Sony would have fared much better if its executives simply hadn’t made racist jokes about Mr. Obama or insulted its stars, or if their response systems had been agile enough to kick the hackers out before they grabbed everything.

My second piece of advice is for individuals. The worst invasion of privacy from the Sony hack didn’t happen to the executives or the stars; it happened to the blameless random employees who were just using their company’s email system. Because of that, they’ve had their most personal conversations (gossip, medical conditions, love lives) exposed. The press may not have divulged this information, but their friends and relatives peeked at it. Hundreds of personal tragedies must be unfolding right now.

This could be any of us. We have no choice but to entrust companies with our intimate conversations: on email, on Facebook, by text and so on. We have no choice but to entrust the retailers that we use with our financial details. And we have little choice but to use cloud services such as iCloud and Google Docs.

So be smart: Understand the risks. Know that your data are vulnerable. Opt out when you can. And agitate for government intervention to ensure that organizations protect your data as well as you would. Like many areas of our hyper-technical world, this isn’t something markets can fix.

This essay previously appeared on the Wall Street Journal CIO Journal.

Raspberry Pi: Pi HomeGuard: helping people stay independent longer

This post was syndicated from: Raspberry Pi and was written by: Helen Lynn. Original post: at Raspberry Pi

Several people have mentioned the idea of using the Pi to help relatives and carers support older people in their own homes by monitoring aspects of their daily routine as well as things like the indoor temperature, but until now, we hadn’t seen anyone write up a system they’d implemented. So we were very interested when we received an email from Jamie Grant, telling us how he had used a Raspberry Pi-based home monitoring system to help him support his late mother in maintaining her independence.

HomeCare Guardian screenshot from 2012

Jamie was an early Pi adopter, and one of his first projects was home power monitoring. After installing a system to plot electricity usage in his own home using CurrentCost hardware and a Raspberry Pi, he was struck by the “kettle spike”, a short, sharp rise in power draw that shows clearly that someone is up and making tea. His mother was very elderly, was living alone and had a worsening serious illness, and it occurred to him that the kettle spike would provide a useful indication that she was OK. He decided to install the system at her house, adding some wireless PiR (passive infrared) motion and door sensors. Jamie called this first version HomeCare Guardian; power and sensor data were displayed in a simple webpage. Here’s another screenshot, showing the system in 2013, after about a year of development:

HomeCare Guardian screenshot, 2013

From this single page, Jamie could see whether his mum was OK and going about her usual daily routine, and a sensor at the front door indicated when she took a taxi journey to visit her friends and when she returned. He says,

I found Homecare Guardian a great comfort and my sister and I used it daily to check on her condition. Near the end mum was more forgetful and sometimes left her front door open; we could see whenever this happened and I would call round and check she was alright.

Mum managed to stay totally independent and was only admitted to our local hospital for her last week where she got the best possible care.

Jamie has continued working on the wireless sensors and their power requirements: his latest PiR motion sensor is powered by just two AA batteries and has a battery life of over a year, and his new door sensor has an estimated battery life of over three years. With sensors for motion, door opening, indoor temperature and water (to provide flood alerts) ready to go, he hopes to add a humidity sensor soon. The same system, he observes, could also be used for checking an unoccupied property for flood or frost risk as well as other aspects of security. Very recently he has been working with an Android app developer, and they’re hoping to add an alerts app facility soon.
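The two checks the post describes, the “kettle spike” in the whole-house power trace and a front door left open, are easy to reproduce over a minute-by-minute reading log. The example below is added here and is not Jamie’s Pi HomeGuard code; the readings, door events, thresholds (a 1500 W jump that subsides within 10 minutes; a door open for more than 15 minutes) and function names are all constructed for illustration. It goes slightly beyond the post by showing why a duration test is needed: an immersion heater draws as much as a kettle but for far longer, and must not be mistaken for someone making tea.

```python
from datetime import datetime, timedelta
from statistics import median


def at(hhmm):
    """Timestamp helper for the constructed sample data (one fixed day)."""
    return datetime(2014, 12, 18, int(hhmm[:2]), int(hhmm[3:]))


# Constructed whole-house power readings in watts, one per minute, the kind of
# series a CurrentCost meter feeds a Pi. Not data from Pi HomeGuard.
POWER_LOG = (
    [(at("07:00"), 210), (at("07:01"), 205), (at("07:02"), 215),
     (at("07:03"), 2350), (at("07:04"), 2380), (at("07:05"), 240),   # morning kettle
     (at("07:06"), 230), (at("07:07"), 225),
     (at("07:08"), 900), (at("07:09"), 910),                          # 900 W heater: too small a jump
     (at("07:10"), 220), (at("07:11"), 215), (at("07:12"), 218)]
    + [(at("12:00") + timedelta(minutes=m), 2200) for m in range(41)]  # immersion heater: big but 40 min long
    + [(at("12:41"), 230), (at("12:42"), 228), (at("12:43"), 226),
       (at("15:45"), 2300), (at("15:46"), 2320), (at("15:47"), 235)]    # afternoon kettle
)

# Constructed front-door sensor events; the 16:00 "open" never gets a "closed".
DOOR_LOG = [(at("10:15"), "open"), (at("10:16"), "closed"),   # out to the taxi
            (at("13:30"), "open"), (at("13:31"), "closed"),   # back home
            (at("16:00"), "open")]                             # door left open


def detect_kettle_spikes(readings, jump_w=1500, max_minutes=10, baseline_n=3):
    """Return (start, end, peak_watts) for each kettle-like spike.

    A spike is a jump of at least jump_w above the median of the previous
    baseline_n readings that drops back within max_minutes. A big but long
    load (immersion heater, oven) fails the duration test and is skipped.
    """
    spikes = []
    i = baseline_n
    while i < len(readings):
        baseline = median([w for _, w in readings[i - baseline_n:i]])
        start_ts, watts = readings[i]
        if watts - baseline < jump_w:
            i += 1
            continue
        j, peak = i, watts
        while j + 1 < len(readings) and readings[j + 1][1] - baseline >= jump_w / 2:
            j += 1
            peak = max(peak, readings[j][1])
        if readings[j][0] - start_ts <= timedelta(minutes=max_minutes):
            spikes.append((start_ts, readings[j][0], peak))
        i = j + 1
    return spikes


def door_open_alerts(events, now, max_open_minutes=15):
    """Return (opened_at, closed_at) for door-open periods longer than
    max_open_minutes; a door still open at `now` is reported with closed_at=None."""
    alerts, opened_at = [], None
    for ts, state in events:
        if state == "open" and opened_at is None:
            opened_at = ts
        elif state == "closed" and opened_at is not None:
            if ts - opened_at > timedelta(minutes=max_open_minutes):
                alerts.append((opened_at, ts))
            opened_at = None
    if opened_at is not None and now - opened_at > timedelta(minutes=max_open_minutes):
        alerts.append((opened_at, None))
    return alerts


def wellbeing_status(power_log, door_log, now, quiet_hours=12):
    """Summary a relative would glance at: last sign of activity, whether the
    front door has been left open, and whether the house has been quiet too long."""
    power = [r for r in power_log if r[0] <= now]
    doors = [e for e in door_log if e[0] <= now]
    spikes = detect_kettle_spikes(power)
    activity = [s[0] for s in spikes] + [ts for ts, _ in doors]
    last = max(activity) if activity else None
    return {
        "kettle_spikes": spikes,
        "door_alerts": door_open_alerts(doors, now),
        "last_activity": last,
        "no_activity_alert": last is None or now - last > timedelta(hours=quiet_hours),
    }


if __name__ == "__main__":
    for k, v in wellbeing_status(POWER_LOG, DOOR_LOG, at("16:30")).items():
        print(f"{k}: {v}")
```

Run at 16:30 on the sample day, the status reports two kettle spikes (07:03 and 15:45), the immersion heater is ignored, the last sign of activity is the 16:00 door event, and the door-left-open alert fires because that event never received a matching “closed”.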

The system has been renamed as Pi HomeGuard, and you can see a working live site, all running off a Raspberry Pi, at Jamie is interested in taking this prototype further and making it more widely available, and would be glad to make contact with people who’d like to become involved; if this describes you, say so in the comments, and we’ll put you in touch.

Schneier on Security: SS7 Vulnerabilities

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

There are security vulnerabilities in the phone-call routing protocol called SS7.

The flaws discovered by the German researchers are actually functions built into SS7 for other purposes — such as keeping calls connected as users speed down highways, switching from cell tower to cell tower — that hackers can repurpose for surveillance because of the lax security on the network.

Those skilled at the myriad functions built into SS7 can locate callers anywhere in the world, listen to calls as they happen or record hundreds of encrypted calls and texts at a time for later decryption. There also is potential to defraud users and cellular carriers by using SS7 functions, the researchers say.

Some details:

The German researchers found two distinct ways to eavesdrop on calls using SS7 technology. In the first, commands sent over SS7 could be used to hijack a cell phone’s “forwarding” function — a service offered by many carriers. Hackers would redirect calls to themselves, for listening or recording, and then onward to the intended recipient of a call. Once that system was in place, the hackers could eavesdrop on all incoming and outgoing calls indefinitely, from anywhere in the world.

The second technique requires physical proximity but could be deployed on a much wider scale. Hackers would use radio antennas to collect all the calls and texts passing through the airwaves in an area. For calls or texts transmitted using strong encryption, such as is commonly used for advanced 3G connections, hackers could request through SS7 that each caller’s carrier release a temporary encryption key to unlock the communication after it has been recorded.

We’ll learn more when the researchers present their results.

TorrentFreak: Google & MPAA Publicly Slam Each Other Over Piracy

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

Even after running for weeks, the fallout from the Sony hacking fiasco is showing no signs of waning. In fact, in some areas it appears that matters are only getting worse.

Earlier this month a TF report revealed how the MPAA (with a SOPA defeat still ringing loudly in its ears) is still intent on bringing website blocking to the United States.

The notion that Hollywood was intent on reintroducing something so unpopular didn’t sit well with critics, but that was only the beginning. A subsequent article in The Verge revealed a campaign by the MPAA to attack “Goliath” – a codeword for Google – by “convincing state prosecutors to take up the fight” against the search giant.

The MPAA budgeted $500,000 for the project with costs potentially rising to $1.175 million. The Hollywood group subsequently called on SOPA-supporting Mississippi State Attorney General Jim Hood to attack Google, which he did.

The New York Times has a copy of the letter he sent to the search giant – worryingly, it was almost entirely drafted by the MPAA’s law firm Jenner and Block.

After a week of “no comment” from Google, the company has just broken its silence. In a statement from SVP and General Counsel Kent Walker, Google questions the MPAA’s judgment over its SOPA-like aims and apparent manipulation of an Attorney General.

“Almost three years ago, millions of Americans helped stop a piece of congressional legislation—supported by the MPAA—called the Stop Online Piracy Act (SOPA). If passed, SOPA would have led to censorship across the web. No wonder that 115,000 websites—including Google—participated in a protest, and over the course of a single day, Congress received more than 8 million phone calls and 4 million emails, as well as getting 10 million petition signatures,” Walker writes.

“We are deeply concerned about recent reports that the Motion Picture Association of America (MPAA) led a secret, coordinated campaign to revive the failed SOPA legislation through other means, and helped manufacture legal arguments in connection with an investigation by Mississippi State Attorney General Jim Hood.”

Then, in what can only be a huge embarrassment for the MPAA and the Attorney General, Walker turns to the letter AG Hood sent to him in 2013.

“The MPAA did the legal legwork for the Mississippi State Attorney General. The MPAA then pitched Mississippi State Attorney General Jim Hood, an admitted SOPA supporter, and Attorney General Hood sent Google a letter making numerous accusations about the company,” Walker explains.

“The letter was signed by General Hood but was actually drafted by an attorney at Jenner & Block — the MPAA’s law firm. As the New York Times has reported, the letter was only minimally edited by the state Attorney General before he signed it.”

The Google SVP ends with a shot at the MPAA and questions its self-professed position as an upholder of the right to free speech.

“While we of course have serious legal concerns about all of this, one disappointing part of this story is what this all means for the MPAA itself, an organization founded in part ‘to promote and defend the First Amendment and artists’ right to free expression.’ Why, then, is it trying to secretly censor the Internet?” Walker concludes.

Without delay, Google’s public comments were pounced upon by the MPAA who quickly published a statement of their own. It pulls no punches.

“Google’s effort to position itself as a defender of free speech is shameful. Freedom of speech should never be used as a shield for unlawful activities and the internet is not a license to steal,” the statement begins.

“Google’s blog post today is a transparent attempt to deflect focus from its own conduct and to shift attention from legitimate and important ongoing investigations by state attorneys general into the role of Google Search in enabling and facilitating illegal conduct – including illicit drug purchases, human trafficking and fraudulent documents as well as theft of intellectual property.”

And, in a clear indication that the MPAA feels it acted appropriately, the Hollywood group lets Google know that nothing will change.

“We will seek the assistance of any and all government agencies, whether federal, state or local, to protect the rights of all involved in creative activities,” the MPAA concludes.

The statements by both Google and the MPAA indicate that in this fight the gloves are now well and truly off. Will ‘David’ slay ‘Goliath’? Who will get hurt in the crossfire?

Source: TorrentFreak, for the latest info on copyright, file-sharing and anonymous VPN services.

Source Code in TV and Films: Yay ! A new hacker movie called Blackhat will be out in the…

This post was syndicated from: Source Code in TV and Films and was written by: Source Code in TV and Films. Original post: at Source Code in TV and Films

Yay! A new hacker movie called Blackhat will be out in the coming months! Its trailer ( already contains lines of code (obviously); here’s the first screen I got.


This is the code.
The section right here, it looks incomplete.
He’s still writing. But what for?
Caption is talking about the comment
//TODO Add check administrator privileges
The code itself looks like a bunch of random characters with the occasional function name like GetIPAdress; there’s even an “asdf” here and there. I bet they just smashed their keyboards in post-production, like any other movie.

SANS Internet Storm Center, InfoCON: green: Exploit Kit Evolution During 2014 – Nuclear Pack, (Thu, Dec 18th)

This post was syndicated from: SANS Internet Storm Center, InfoCON: green and was written by: SANS Internet Storm Center, InfoCON: green. Original post: at SANS Internet Storm Center, InfoCON: green

This is a guest diary submitted by Brad Duncan.

Nuclear exploit kit (also known as Nuclear Pack) has been around for years. Version 2.0 of Nuclear Pack was reported in 2012 [1] [2]. Blogs like have mentioned version 3.0 of Nuclear Pack in posts during 2013 [3] [4].

This month, Nuclear Pack changed its traffic patterns. The changes are significant enough that I wonder if Nuclear Pack is at version 4. Or is this merely an evolution of version 3, as we’ve seen throughout 2014? Let’s look at the traffic.

In January 2014, traffic from Nuclear Pack was similar to what I’d seen in 2013. [image]

2014 saw Fiesta exploit kit-style URLs from Nuclear Pack. Also, like other exploit kits, Nuclear sent Flash and Silverlight exploits. [image]

The above example has Silverlight, Flash, PDF and IE exploits. In each case, a payload was sent to the vulnerable VM. The traffic consists of two TCP streams. [image]

These patterns are not far off from the beginning of the year. I only saw additional exploits from Nuclear Pack that I hadn’t noticed before.

In December 2014, Nuclear Pack moved to a different URL structure. I first noticed this on a pcap from [7]. Initially, I’d mistaken the traffic for Angler exploit kit. [image]

Here” />

Since the change in URL patterns, Nuclear Pack has been XOR-ing the malware payload. The image below shows an example where one of the payloads is XOR-ed with the ASCII string: DvnQkxI

The change in traffic patterns is fairly significant for Nuclear Pack. I haven’t found any reason why the change occurred. Is this merely an evolution, or do these changes indicate a new version of Nuclear Pack?
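A repeating-key XOR like the one the diary describes is a thin wrapper, and an analyst who has carved the payload out of a pcap can usually strip it without knowing the key in advance: nearly every Windows executable carries the DOS-stub text “This program cannot be run in DOS mode”, so sliding that known plaintext across the blob reveals the key stream wherever the text really sits, and a genuine key stream repeats with the key’s period. The example below is added here and is not the diary author’s code or any exploit-kit code; the payload is a constructed MZ-header stand-in rather than a real sample, and the only value taken from the diary is the key string DvnQkxI.

```python
# Added example (not from the diary or from any exploit-kit code): recovering a
# repeating-key XOR key from a captured payload, then decoding it.
DIARY_KEY = b"DvnQkxI"          # key string the diary reports for one payload
DOS_STUB_TEXT = b"This program cannot be run in DOS mode"   # present in nearly every EXE

# Constructed stand-in for an EXE payload (MZ header, DOS stub, padding).
# Not a real sample.
SAMPLE_PE = (b"MZ\x90\x00" + bytes(range(0x4a))
             + b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21"
             + DOS_STUB_TEXT + b".\r\r\n$" + bytes(32))


def xor_repeating(data, key):
    """XOR data with the key repeated; the same call encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


ENCODED_PAYLOAD = xor_repeating(SAMPLE_PE, DIARY_KEY)   # what the pcap would carry


def recover_xor_key(blob, crib=DOS_STUB_TEXT, max_key_len=16):
    """Crib-drag the known DOS-stub text across the blob.

    Where the crib really sits, blob XOR crib yields the key stream, which
    repeats with the key's period. A candidate is accepted only if the key it
    implies also decodes the first two bytes to the MZ signature.
    """
    for offset in range(len(blob) - len(crib) + 1):
        stream = bytes(c ^ p for c, p in zip(blob[offset:], crib))
        for klen in range(1, max_key_len + 1):
            if all(stream[i] == stream[i % klen] for i in range(len(stream))):
                # stream[i] == key[(offset + i) % klen]; realign to blob offset 0
                key = bytes(stream[(k - offset) % klen] for k in range(klen))
                if xor_repeating(blob[:2], key) == b"MZ":
                    return key
    return None


def decode_payload(blob, max_key_len=16):
    """Return the decoded payload, or None if no consistent key is found."""
    key = recover_xor_key(blob, max_key_len=max_key_len)
    return None if key is None else xor_repeating(blob, key)


if __name__ == "__main__":
    print("recovered key:", recover_xor_key(ENCODED_PAYLOAD))
    print("decoded header:", decode_payload(ENCODED_PAYLOAD)[:2])
```

The MZ check matters: with a short crib and a short key, a wrong offset can occasionally produce a periodic-looking stream, and requiring the implied key to also decode the file header to the executable signature rejects those. If a kit switches to a non-executable payload or a non-repeating keystream, the function returns None rather than a misleading key.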


Brad Duncan is a Security Analyst at Rackspace, and he runs a blog on malware traffic analysis at

(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.

Krebs on Security: Complex Solutions to a Simple Problem

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

My inbox has been flooded of late with pitches for new technologies aimed at making credit cards safer and more secure. Many of these solutions are exceedingly complex and overwrought — if well-intentioned — responses to a problem that we already know how to solve. Here’s a look at a few of the more elaborate approaches.

A promotion for the Siren Swipe technology.

Some of these ideas may have benefited from additional research into where financial institutions actually experience most of their fraud losses. Hint: Lost-and-stolen fraud is minuscule compared to losses from other types of fraud, such as counterfeit cards and online fraud. Case in point: A new product called Safe Swipe. From their pitch:

“The basic premise of our solution, Safe Swipe…is a technology which ‘marries’ your smart mobile device, phone, tablet and or computer to your credit/debit card(s). We’ve developed a Geo-Locator software program which triangulates your location with the POS device and your mobile phone so that if your phone and credit card are not within a certain predetermined range of one another the purchase would be challenged. In addition, we incorporated an ON/OFF type switch where you can ‘Lock Down’ your credit/debit card from your mobile device making it useless should it ever be stolen.”

The truth is that you can “lock down” your credit card if it’s lost or stolen by calling your credit card company and reporting it as such. Along these lines, I received multiple pitches from the folks who dreamed up a product/service called “Siren Swipe.” Check it out:

“The SIREN SWIPE system immediately notifies local police (via the local 911 center) of a thief’s location (i.e. merchant address) once he swipes a card that has already been reported stolen,” the folks at this company said in an email pitch to KrebsOnSecurity. “SIREN SWIPE has the potential to drastically impact the credit card fraud landscape because although card credentials being stolen is a foregone conclusion, which cards thieves decide to actually use is not. For a thief browsing a site like Rescator, the knowledge that using certain banks’ cards could result in an immediate police response can make thieves avoid using these banks’ stolen cards over and over again. And in the best case scenario, a carder site admin could just decide not to sell subscribing banks’ cards in the interest of customer service.”

The sad truth is that, for the most part, cops generally have more important things to do than chase around the street urchins who end up using stolen credit and debit cards, and they’re not going to turn on the dome lights and siren over something like this. Also, the signals for fraud are all backwards here: The fraudsters know to use criminal card-checking services before buying and/or using stolen cards, so they don’t generally end up using a pile of cards that have already been cancelled.

A diagram explaining Quantum Secure Authentication.

My favorite overwrought solution to making credit cards more secure comes from researchers in the Netherlands, who recently put out a paper announcing a card security idea they’re calling Quantum-Secure Authentication. According to its creators, this approach relies on “the unique quantum properties of light to create a secure question-and-answer exchange that cannot be spoofed or copied.” From their literature:

“Traditional magnetic-stripe-only cards are relatively simple to use but simple to copy. Recently, banks have begun issuing so-called ‘smart cards’ that include a microprocessor chip to authenticate, identify & enhance security. But regardless of how complex the code or how many layers of security, the problem remains that an attacker who obtains the information stored inside the card can copy or emulate it. The new approach…avoids this risk entirely by using the peculiar quantum properties of photons that allow them to be in multiple locations at the same time to convey the authentication questions & answers. Though difficult to reconcile with our everyday experiences, this strange property of light can create a fraud-proof Q&A exchange, like those used to authorize credit card transactions.”

The main reason so many of these newfangled technologies are even being proposed is that the United States lags 20 years behind Europe and the rest of the world in adopting chip/smartcard technology in credit and debit cards. This is starting to change on both the card-issuing side (the banks) and the merchant side. Most of the biggest banks are already issuing chip cards, with smaller institutions following suit next year. In October 2015, merchants that haven’t yet installed card swipe terminals that accept chip cards will be liable for all of the fraud costs on any fraudulent transaction involving a chip card.

It’s unclear how much appetite there is for new technology to help banks fight card fraud, when so many financial institutions have yet to roll out chip cards. A payments fraud survey released this week by the Federal Reserve Bank of Minneapolis found that “high percentages of surveyed financial institutions report that fraud prevention costs exceed actual losses for many types of payments, especially wire, cash, and ACH payments. This trend is even more striking for non-financial respondents. In every payment category, a higher percentage of such firms responded that prevention costs exceed fraud losses.”

The Fed survey (PDF), which quizzed both banks and corporations, found that about half of the financial institutions that experienced payment fraud losses reported increases in those losses, while three quarters of the non-financial firms responded that loss rates had remained about the same over the prior year.

“In keeping with previous surveys, signature debit transactions are the payment type cited by the largest number of financial institutions as accounting for high levels of payments fraud losses (92% of financial service companies), while checks are cited by 75% of non-financial companies,” the Fed concluded. “While this finding could suggest that companies are overcompensating in prevention vis-à-vis likely losses, it is also possible that risk mitigation strategies and fraud prevention investments have indeed been effective.”

Schneier on Security: The Limits of Police Subterfuge

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

“The next time you call for assistance because the Internet service in your home is not working, the ‘technician’ who comes to your door may actually be an undercover government agent. He will have secretly disconnected the service, knowing that you will naturally call for help and — when he shows up at your door, impersonating a technician — let him in. He will walk through each room of your house, claiming to diagnose the problem. Actually, he will be videotaping everything (and everyone) inside. He will have no reason to suspect you have broken the law, much less probable cause to obtain a search warrant. But that makes no difference, because by letting him in, you will have ‘consented’ to an intrusive search of your home.”

This chilling scenario is the first paragraph of a motion to suppress evidence gathered by the police in exactly this manner, from a hotel room. Unbelievably, this isn’t a story from some totalitarian government on the other side of an ocean. This happened in the United States, and by the FBI. Eventually — I’m sure there will be appeals — higher U.S. courts will decide whether this sort of practice is legal. If it is, the country will slide even further into a society where the police have even more unchecked power than they already possess.

The facts are these. In June, two wealthy Macau residents stayed at Caesar’s Palace in Las Vegas. The hotel suspected that they were running an illegal gambling operation out of their room. They enlisted the police and the FBI, but could not provide enough evidence for them to get a warrant. So instead they repeatedly cut the guests’ Internet connection. When the guests complained to the hotel, FBI agents wearing hidden cameras and recorders pretended to be Internet repair technicians and convinced the guests to let them in. They filmed and recorded everything under the pretense of fixing the Internet, and then used the information collected from that to get an actual search warrant. To make matters even worse, they lied to the judge about how they got their evidence.

The FBI claims that their actions are no different from any conventional sting operation. For example, an undercover policeman can legitimately look around and report on what he sees when he is invited into a suspect’s home under the pretext of trying to buy drugs. But there are two very important differences: one of consent, and the other of trust. The former is easier to see in this specific instance, but the latter is much more important for society.

You can’t give consent to something you don’t know and understand. The FBI agents did not enter the hotel room under the pretext of making an illegal bet. They entered under a false pretext, and relied on that for consent of their true mission. That makes things different. The occupants of the hotel room didn’t realize who they were giving access to, and they didn’t know their intentions. The FBI knew this would be a problem. According to the New York Times, “a federal prosecutor had initially warned the agents not to use trickery because of the ‘consent issue.’ In fact, a previous ruse by agents had failed when a person in one of the rooms refused to let them in.” Claiming that a person granting an Internet technician access is consenting to a police search makes no sense, and is no different than one of those “click through” Internet license agreements that you didn’t read saying one thing while meaning another. It’s not consent in any meaningful sense of the term.

Far more important is the matter of trust. Trust is central to how a society functions. No one, not even the most hardened survivalists who live in backwoods log cabins, can do everything by themselves. Humans need help from each other, and most of us need a lot of help from each other. And that requires trust. Many Americans’ homes, for example, are filled with systems that require outside technical expertise when they break: phone, cable, Internet, power, heat, water. Citizens need to trust each other enough to give them access to their hotel rooms, their homes, their cars, their person. Americans simply can’t live any other way.

It cannot be that every time someone allows one of those technicians into our homes they are consenting to a police search. Again from the motion to suppress: “Our lives cannot be private — and our personal relationships intimate — if each physical connection that links our homes to the outside world doubles as a ready-made excuse for the government to conduct a secret, suspicionless, warrantless search.” The resultant breakdown in trust would be catastrophic. People would not be able to get the assistance they need. Legitimate servicemen would find it much harder to do their job. Everyone would suffer.

It all comes back to the warrant. Through warrants, Americans legitimately grant the police an incredible level of access into our personal lives. This is a reasonable choice because the police need this access in order to solve crimes. But to protect ordinary citizens, the law requires the police to go before a neutral third party and convince them that they have a legitimate reason to demand that access. That neutral third party, a judge, then issues the warrant when he or she is convinced. This check on the police’s power is for Americans’ security, and is an important part of the Constitution.

In recent years, the FBI has been pushing the boundaries of its warrantless investigative powers in disturbing and dangerous ways. It collects phone-call records of millions of innocent people. It uses hacking tools against unknown individuals without warrants. It impersonates legitimate news sites. If the lower court sanctions this particular FBI subterfuge, the matter needs to be taken up — and reversed — by the Supreme Court.

This essay previously appeared in The Atlantic.

TorrentFreak: Researchers Make BitTorrent Anonymous and Impossible to Shut Down

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

The Pirate Bay shutdown has once again shown how vulnerable the BitTorrent ‘landscape’ is to disruptions.

With a single raid the largest torrent site on the Internet was pulled offline, dragging down several other popular BitTorrent services with it.

A team of researchers at Delft University of Technology has found a way to address this problem. With Tribler they’ve developed a robust BitTorrent client that doesn’t rely on central servers. Instead, it’s designed to keep BitTorrent alive, even when all torrent search engines, indexes and trackers are pulled offline.

“Tribler makes BitTorrent anonymous and impossible to shut down,” Tribler’s lead researcher Dr. Pouwelse tells TF.

“Recent events show that governments do not hesitate to block Twitter, raid websites, confiscate servers and steal domain names. The Tribler team has been working for 10 years to prepare for the age of server-less solutions and aggressive suppressors.”

To top that, the most recent version of Tribler, released today, also offers anonymity to its users through a custom-built, Tor-like network. This allows users to share and publish files without broadcasting their IP addresses to the rest of the world.

“The public was beginning to lose the battle for Internet freedom, but today we are proud to be able to present an attack-resilient and censorship-resilient infrastructure for publishing,” Dr. Pouwelse says.

After thorough tests of the anonymity feature earlier this year, it’s now built into the latest release. Tribler implemented a Tor-like onion routing network which hides who is seeding or sharing files. Users can vary the number of “hops” the client uses to increase anonymity.

“Tribler creates a new dedicated network for anonymity that is in no way connected to the main Tor network. By using Tribler you become part of a Tor-like network and help others become anonymous,” Dr. Pouwelse says.

“That means you no longer have any exposure in any swarm, either downloading or seeding,” he adds.

Tribler anonymous downloading in action: select your privacy level for each torrent

The downside to the increase in privacy is higher bandwidth usage. After all, users themselves also become proxies and have to relay the transfers of others. In addition, the anonymity feature may also slow down transfer speeds depending on how much other users are willing to share.
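The hop-count setting and the bandwidth cost described above follow directly from how onion routing layers its encryption: the downloader wraps each message once per relay, innermost layer first, and every relay strips one layer, learning only the name of the next hop and an opaque blob to forward. The simulation below is an added illustration and is not Tribler’s implementation; the relay names and keys are constructed, the layer format (a fixed-width next-hop field in front of the inner layer) is an assumption, and the stream cipher is a deliberate SHA-256-counter toy used only so the example runs with the standard library. It records what each relay could observe, which shows why only the last hop sees the actual data and why every hop must carry the full message.

```python
import hashlib

# Constructed per-relay keys for the toy circuit; in a real network each key is
# negotiated with that relay when the circuit is built.
RELAY_KEYS = {"relay-A": b"secret-A", "relay-B": b"secret-B", "relay-C": b"secret-C"}
HOP_FIELD = 16        # fixed-width next-hop field at the front of every layer (assumed format)
EXIT = "exit"         # tells the last relay to hand the data to the swarm peer


def keystream_xor(key, data):
    """Toy stream cipher (SHA-256 in counter mode XORed over data) so the
    example runs without extra libraries. Unauthenticated and nonce-free:
    an illustration of layering, not a cipher to reuse."""
    stream, ctr = b"", 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return bytes(b ^ k for b, k in zip(data, stream))


def wrap_onion(path, payload):
    """Build the onion from the last hop inward: each layer carries the name
    of the next hop plus the still-encrypted inner layer, under that relay's key."""
    blob = payload
    for i in reversed(range(len(path))):
        next_hop = path[i + 1] if i + 1 < len(path) else EXIT
        header = next_hop.ljust(HOP_FIELD).encode()
        blob = keystream_xor(RELAY_KEYS[path[i]], header + blob)
    return blob


def relay_peel(relay, blob):
    """One relay's work: strip its own layer, read the next hop, forward the rest."""
    plain = keystream_xor(RELAY_KEYS[relay], blob)
    return plain[:HOP_FIELD].decode().strip(), plain[HOP_FIELD:]


def route(path, payload):
    """Run the circuit and record what each relay could observe."""
    blob = wrap_onion(path, payload)
    views = []
    for relay in path:
        next_hop, inner = relay_peel(relay, blob)
        views.append({"relay": relay, "next_hop": next_hop,
                      "bytes_relayed": len(blob), "sees_payload": payload in inner})
        blob = inner
    return blob, views


if __name__ == "__main__":
    delivered, views = route(["relay-A", "relay-B", "relay-C"], b"piece 17 of some torrent")
    for v in views:
        print(v)
    print("delivered:", delivered)
```

With three hops, relay-A learns only that the next hop is relay-B, relay-B only that it is relay-C, and relay-C sees the plaintext piece but not where the request came from; raising the hop count lengthens that chain at the price of one more relay carrying every byte, which is the bandwidth trade-off the article describes.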

“We are very curious to see how fast anonymous downloads will be. It all depends on how social people are, meaning, if they leave Tribler running and help others automatically to become anonymous. If a lot of Tribler users turn out to be sharing and caring, the speed will be sufficient for a nice downloading experience,” Pouwelse says.

Another key feature of Tribler is decentralization. Users can search for files from within the application, which finds torrents through other peers instead of a central server. And if a tracker goes offline, the torrent will continue to download with the help of other users too.

The same decentralization principle applies to spam control. Where most torrent sites have a team of moderators to delete viruses, malware and fake files, Tribler uses user-generated “channels” which can be “liked” by others. If more people like a channel, the associated torrents get a boost in search results.


Overall the main goal of the University project is to offer a counterweight to the increased suppression and privacy violations the Internet is facing. Supported by millions of euros in taxpayer money, the Tribler team is confident that it can make the Internet a bit safer for torrent users.

“The Internet is turning into a privacy nightmare. There are very few initiatives that use strong encryption and onion routing to offer real privacy. Even fewer teams have the resources, the energy, technical skills and scientific know-how to take on the Big and Powerful for a few years,” Pouwelse says.

After the Pirate Bay raid last week Tribler enjoyed a 30% increase in users and they hope that this will continue to grow during the weeks to come.

Those who want to give it a spin are welcome to download Tribler here. It’s completely Open Source and with a version for Windows, Mac and Linux. In addition, the Tribler team also invites researchers to join the project.

Source: TorrentFreak, for the latest info on copyright, file-sharing and anonymous VPN services.

Errata Security: What they miss about Uber/Lyft pay

This post was syndicated from: Errata Security and was written by: Robert Graham. Original post: at Errata Security

In this story, writer Timothy B. Lee (@binarybits) becomes a Lyft driver for a week. He focuses on the political questions, such as the controversially low pay. He makes the same mistakes that everyone else makes.

Lyft (and Uber) pay can be low for the same reason McDonalds is open at midnight. In absolute terms, McDonalds loses money staying open late. But, when you take into account all the sunk costs for operating during the day, they would lose even more money by not remaining open late. In other words, staying open late is marginally better.

The same is true of Lyft/Uber drivers. I take Uber/UberX on a regular basis and always interview the drivers. Without exception, it’s a side business.

This one time, my UberX driver was a college student. He spent his time between pickups studying. When calculating wait-time plus drive-time, he may have been earning minimum wage. However, when calculating just drive-time, he was earning a great wage for a student — better than other jobs open to students.

Without exception, all the Uber black-car drivers have their own business. They have fixed contracts with companies to drive employees/clients. Or, they have more personal relationships with rich executives, driving them to/from work on a daily basis. They just use Uber to fill in the gaps. They already invest in the care and maintenance of the black car, and would be sitting around waiting anyway, so anything they earn from Uber is gravy on the top.

I always ask drivers if they derive 100% of their income from Uber/UberX, and (with the exception of the student) they’ve all said “no”. The same is likely true for Lee. It’s unlikely he was just sitting in his car staring out into space while waiting for the next pickup. It’s more likely that he was writing his next Vox piece, or researching his next Bitcoin/Anonymous book.

Some drivers do earn 100% of their income from Lyft/UberX — right now. Drivers tell me of their friends who are only driving temporarily, while hunting for a new job. In other words, while they are working full time at UberX at the moment, it’s only a few months out of the year while between other jobs. They’ve already invested in buying a car and insurance — rather than these being difficult costs during a period of unemployment, they are benefits.

Leftists wanting to ban unregulated innovation focus on “wages”, but that’s nonsense. If wages were as bad as claimed, drivers wouldn’t be doing it. If drivers had a better alternative, they’d be doing it. Indeed, as I mentioned above, that’s what some were doing: driving while looking for better jobs. Thus, the argument that drivers don’t earn enough wages is false on its face.

Instead, what’s going on is that the “sharing” economy is really the “marginal” economy. You can’t report on it as if it’s a replacement for a full time job — you have to report on it as it fits within other jobs or lifestyle. Great marginal wages may suck when compared against full time wages, but that completely misses the point of this innovation.

TorrentFreak: The Pirate Bay’s Facebook Page Is Shut Down Too

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

More than a week has passed since The Pirate Bay’s servers were pulled offline, and now the same is happening to the site’s official Facebook page.

With more than 470,000 likes TPB’s Facebook page had quite a reach, although the last status update dates back to last year. Since then the page was mostly used by ‘fans’ to share TPB related news stories, and most recently links to Pirate Bay alternatives.

Those who try to access the page today are out of luck though, as Facebook informs them that “the page isn’t available” and that it “may have been removed.”

It’s unclear what the reason behind the removal is. It could have been initiated by The Pirate Bay crew itself but it’s also possible that Facebook was asked to shut it down for alleged links to copyright infringing material.


If The Pirate Bay crew deleted the page the motivation may have been to cover its tracks. Swedish authorities have confirmed that there’s a new criminal investigation ongoing into the site’s operators, which may have prompted some to cut their ties.

That said, TPB’s official Twitter profile, which hasn’t been updated since December last year, remains online.

The Pirate Bay crew have remained pretty much silent over the past few days. Earlier this week a message was relayed through “Mr 10100100000” who suggested that no decision has yet been made on a potential return.

“Will we reboot? We don’t know yet. But if and when we do, it’ll be with a bang,” Mr 10100100000 said.

Meanwhile, most of the site’s users are flocking to the Pirate Bay copies that are floating around, or one of the other popular torrent sites. This mass migration caused trouble at ExtraTorrent yesterday, who were briefly offline due to a “sudden increase in user traffic.”

At the same time, groups using the “Anonymous” moniker claimed to have hacked both the Swedish Government and the New Zealand police in a retaliatory move, while a better known “Anonymous” group distanced itself from The Pirate Bay.

“We do not support the return of The Pirate Bay itself. We used to be the activist arm behind this website and what it stood for, but we feel like The Pirate Bay doesn’t represent our message anymore,” the latter group said.

And so the storm continues.

Source: TorrentFreak, for the latest info on copyright, file-sharing and anonymous VPN services.

SANS Internet Storm Center, InfoCON: green: Is the polkit Grinch Going to Steal your Christmas?, (Wed, Dec 17th)

This post was syndicated from: SANS Internet Storm Center, InfoCON: green and was written by: SANS Internet Storm Center, InfoCON: green. Original post: at SANS Internet Storm Center, InfoCON: green

Alert Logic published a widely publicized blog outlining a common configuration problem with Polkit. To help with dissemination, Alert Logic named the vulnerability Grinch [1].

In some ways, this isn’t so much a vulnerability as a common overly permissive configuration of many Linux systems. It could easily be leveraged to escalate privileges beyond the intent of the polkit configuration.

Let’s first step back: In the beginning, there was sudo. Sudo served the Unix community well for many decades. I had to Google this myself, but it looks like sudo was initially developed in 1986 [2]. Sudo is relatively simple in its approach. A simple configuration file outlines who can run what command as what user. Of course, it isn’t always as simple, as some software (e.g. many editors) allows the user to spawn shells, but for the most part administrators have found ways to fix these problems over the years. Most importantly, properly configured sudo requires the user to enter a password.

Polkit works differently than sudo. With sudo, I configure which software a user is allowed to run as root (or another user). With polkit, I configure which privileges a user is allowed to take advantage of while running a particular piece of software.

The problem pointed out by Alert Logic is twofold. First of all, the default polkit configuration on many Unix systems (e.g. Ubuntu) does not require authentication. Secondly, the polkit configuration essentially just maps the wheel group, which is commonly used for sudo users, to the polkit Admin role. This gives users in the wheel group access to administrative functions, like installing packages, without having to enter a password.

The main risk is privilege escalation. With sudo, an attacker would have to enter the user’s password after compromising a lesser user account in the wheel group. With polkit, all it takes is to install a package using the polkit tool pkcon, which takes advantage of the loose polkit configuration to install packages.

What should you do? What is the risk?

First, have a relaxed Christmas and enjoy it with your family. Next, take a look around your network and narrow down who is a member of the wheel group. Only administrators should be members of the group (people who change system configurations and install software for a living). If you have some time between now and Jan 1st: read up on Polkit and educate yourself as to what it does.

After New Year: make sure you understand how polkit actions are logged, and start reviewing them. Polkit is still new, so many system administrators don’t know about it and may ignore the alerts.

Of course, Shellshock and this polkit issue make a great 1-2 punch to get root on a Unix system. But I doubt a system still vulnerable to Shellshock has no other privilege escalation vulnerability. So I don’t think this is such a huge issue. Fix Shellshock first if that is the case.
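To support the "who is in the wheel group, and does polkit treat that group as Admin" check suggested above, here is a small audit script. It is an added example, not code from the diary, from Alert Logic or from polkit; the /etc/group and polkit conf contents are constructed samples, and it assumes the Local Authority ".conf" format (AdminIdentities=...) rather than the newer JavaScript rules.d format.

```python
# Added example, not code from the ISC diary or from polkit: expand polkit's
# AdminIdentities mapping to the accounts it covers, so you can see who holds
# the Admin role (and, with the loose default the diary describes, could run
# pkcon without a password). File contents are passed in as strings so the
# constructed samples below run anywhere; on a real host pass the contents of
# /etc/group and of /etc/polkit-1/localauthority.conf.d/*.conf instead.
# Assumes the Local Authority ".conf" format; rules.d JavaScript is not parsed.

# Constructed sample of /etc/group.
SAMPLE_GROUP = """\
root:x:0:
wheel:x:10:alice,bob
sudo:x:27:carol
users:x:100:alice,bob,carol,dave
"""

# Constructed sample conf that maps the wheel group to the polkit Admin role.
SAMPLE_POLKIT_CONF = """\
[Configuration]
AdminIdentities=unix-user:root;unix-group:wheel
"""


def group_members(group_text, name):
    """Members listed in the fourth field of the named /etc/group entry."""
    for line in group_text.splitlines():
        fields = line.split(":")
        if len(fields) == 4 and fields[0] == name:
            return [m for m in fields[3].split(",") if m]
    return []


def polkit_admin_identities(conf_text):
    """Identities on the AdminIdentities line (the last one seen wins)."""
    identities = []
    for line in conf_text.splitlines():
        line = line.strip()
        if line.startswith("AdminIdentities="):
            value = line.split("=", 1)[1]
            identities = [i.strip() for i in value.split(";") if i.strip()]
    return identities


def polkit_admin_accounts(group_text, conf_text):
    """Expand unix-group: identities via /etc/group; unix-user: entries are
    kept as written (a numeric uid is not resolved to a name here)."""
    accounts = set()
    for ident in polkit_admin_identities(conf_text):
        kind, _, target = ident.partition(":")
        if kind == "unix-group":
            accounts.update(group_members(group_text, target))
        elif kind == "unix-user":
            accounts.add(target)
    return sorted(accounts)


def unexpected_admins(group_text, conf_text, known_admins):
    """Accounts holding the polkit Admin role that are not on your list of
    people who administer systems for a living: review these first."""
    return [a for a in polkit_admin_accounts(group_text, conf_text)
            if a not in known_admins]


if __name__ == "__main__":
    # Constructed list of the people expected to administer this host.
    known = {"root", "alice"}
    print("polkit Admin accounts:",
          polkit_admin_accounts(SAMPLE_GROUP, SAMPLE_POLKIT_CONF))
    print("review these:",
          unexpected_admins(SAMPLE_GROUP, SAMPLE_POLKIT_CONF, known))
```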

And as always, make sure to read the original Alert Logic document to get all the details.


Johannes B. Ullrich, Ph.D.

(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.

Backblaze Blog | The Life of a Cloud Backup Company: 2014 Year In Review

This post was syndicated from: Backblaze Blog | The Life of a Cloud Backup Company and was written by: Gleb Budman. Original post: at Backblaze Blog | The Life of a Cloud Backup Company


Seven years ago we started on a mission to make storing data astonishingly easy and low-cost so that no one loses their wedding photos, curated music, work files, or any of the other items from their computers. In 2014, I’m proud to say we made a good dent in that mission. Here are a few of the highlights from our 2014 year in review.

We launched an Android app to complement our existing iPhone app and increased restore sizes on hard drives to 4 TB and by 2x on flash drives to 128 GB so our customers could access more of their data faster. Email Notifications and Backup Summaries ensured they knew their data was safely backed up. Our refer-a-friend program gave our customers and their friends months of Backblaze for free. We also shipped upgrades to support iOS 8 and Apple OS X Mavericks, and hundreds of smaller updates to keep improving the service for our customers.

I am incredibly grateful to the community that has supported us over the years. Another 11 incredible people joined our team to help us scale, plus a few interns (one of whom just won a $100,000 national science award).

On Twitter, Facebook, and other digital places we talked with you virtually and then met many of you in person at Macworld, RootsTech, and many other events.

We wrote 75 blog posts such as those sharing a bunch of data on hard drive reliability, the impact of temperature on a hard drive, and which hard drive SMART stats matter. Since about 1,000,000 of you read these posts, we revamped our blog platform and will strive to continue sharing learning worthy of your time reading.

The simplicity of the product our customers see hides the wild scale of the systems and operations required to support it. We introduced a new 270 TB Storage Pod this year, scaled up to store over 100,000,000 GB of customer data, and opened a huge new 500 petabyte data center. Our support team answered their 100,000th ticket. Our customers recovered over 6 billion files that would have been irretrievably lost.

Famed consumer product reviewer Walt Mossberg recommends Backblaze and makes it his personal service. Gizmag calls Backblaze one of the easiest to use. And Deloitte ranks Backblaze the 128th fastest growing company in North America, with 917% revenue growth over five years.

So with 2015 imminently arriving, where do we go? Keep focusing on making storing data astonishingly easy and low-cost. One of the things I’m incredibly proud of our team for is being able to support a 1000% increase in per-customer data storage while keeping the $5 unlimited pricepoint unchanged. Thus, a lot of what we have planned will continue to be in the background – enhancing our massive cloud storage system to scale bigger, be more cost-efficient, and work ever better – so that our customers can continue to store more and more data, easier and easier.

A huge thank you to all of you: our customers, our community, our partners, and our employees for helping us make this happen.


Author information

Gleb Budman

Co-founder and CEO of Backblaze. Founded three prior companies. He has been a speaker at GigaOm Structure, Ignite: Lean Startup, FailCon, CloudCon; profiled by Inc. and Forbes; a mentor for Teens in Tech; and holds 5 patents on security.


The post 2014 Year In Review appeared first on Backblaze Blog | The Life of a Cloud Backup Company.

TorrentFreak: Icefilms Downtime Causes Concern, But Site Will Return

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

Without doubt the past seven days have shaken the file-sharing world to its core. Last Tuesday the Internet’s most famous file-sharing site, invincible according to many accounts, fell following a raid by Swedish police.

That kind of surprise can lead people to panic when other similar sites have downtime at the same time. For the past 24 hours concern has been growing over Icefilms, a movie and streaming portal with a strong online following.

Sometime yesterday morning, Icefilms disappeared offline. Visitors to the site reported various issues, from no page loading to redirections to another domain. Most, however, were confronted with the image shown below.


While much preferable to a law enforcement notice, the image itself has been causing concern among Icefilms users due to it being hosted on Amazon rather than the site’s own server.

But despite the worries a source familiar with the situation informs TF that there is nothing to be concerned about. Icefilms currently has hosting issues to overcome, hence placing the image on another server. The site itself should be back to its full glory within days.

Even when the Pirate Bay raid is disregarded, it’s easy to see why Icefilms users have been panicking. Firstly, the first few pages of Google are almost useless when it comes to getting information about the site. In fact, Icefilms itself is completely absent from Google search results.

However, if one turns to Bing then results are restored to their former glory. In fact, Bing even provides a convenient Icefilms search engine as the first result.


Only adding to the confusion is Icefilms’ inclusion in a recent blocking order. Last month the UK High Court ordered ISPs to block 32 domains following an application by the Motion Picture Association. In recent weeks the leading service providers responded by blocking access to

Source: TorrentFreak, for the latest info on copyright, file-sharing and anonymous VPN services.

TorrentFreak: Swedish ISP Refuses to Block The Pirate Bay

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

In many countries around the world The Pirate Bay has become a focal point for rightsholders seeking website blocking injunctions. Portrayed as the worst-of-the-worst, the site has been named in many ISP liability lawsuits.

But while the site disappeared last week, pending legal action concerning it has not. The most recent lawsuit was filed in November by Universal Music, Sony Music, Warner Music, Nordisk Film and the Swedish Film Industry against Swedish service provider Bredbandsbolaget.

In papers filed at the Stockholm District Court, the plaintiffs attempt to hold Bredbandsbolaget liable for the copyright-infringing actions of its pirating subscribers. The entertainment companies say that in order to put itself in the clear the ISP should block its customers from accessing The Pirate Bay and popular streaming portal Swefilmer.

Just over a month later and Bredbandsbolaget (Broadband Company) has now submitted its response to the Court. The ISP completely opposes the entertainment companies’ demand to block content and services.

“Bredbandsbolaget’s role is to provide its subscribers with access to the Internet, thereby contributing to the free flow of information and the ability for people to reach each other and communicate,” the company said in a statement.

Bredbandsbolaget says that its job is to deliver a broadband service to its customers, not control or block specified content or services. Noting that the company will not monitor the communications of its subscribers, the ISP says that it’s a fundamental principle of the “Open Internet” that carriers can not be held responsible for the traffic carried on their networks.

“Bredbandsbolaget does not block content or services based on individual organizations’ requests. There is no legal obligation for operators to block either The Pirate Bay or Swefilmer,” the company explains.

“There are other legal means to stop infringement of rights, but there is no provision in Swedish law that forces an Internet provider to block its subscribers’ access to services and content.”

While the motivation behind the lawsuit is to obtain a ruling that will ease blocking of additional sites in future, stopping Swedish users from accessing sharing services could prove more difficult than in other territories. The country has a long history of sharing files and services such as The Pirate Bay have become embedded in its Internet culture.

It’s also worth noting that at least for now The Pirate Bay doesn’t even exist so blocking it would be futile. Whether the entertainment companies will proceed with their case as planned if TPB stays down remains to be seen, but it’s certainly possible they might seek to include the many copycat sites that have appeared following the site’s demise.

Source: TorrentFreak, for the latest info on copyright, file-sharing and anonymous VPN services.

The Hacker Factor Blog: C is for Cookie

This post was syndicated from: The Hacker Factor Blog and was written by: The Hacker Factor Blog. Original post: at The Hacker Factor Blog

When people are banned for uploading prohibited content to FotoForensics, they have the option to contest the ban. They can fill out an online unban request form, or they can send an email request.

The problem with unban requests via email is that users forget to include information that I require in order to identify the ban. Right now, there’s about 4,000 active bans on the site. Without some basic information, I’ll be unable to match the ban to the user’s unban request.

For this reason, we released a web-based contact form last March. When people fill out the unban form, it automatically gathers information that is needed to identify the user’s ban. This includes the user’s network address, user-agent string, and other header information. (This is passive, not active; we do not need to run any client-side code to do this. The user is already providing this information with each web request.) With this web form, users just ask to be unbanned and the server automatically identifies the ban rule. This way, we have all the information we need.

What starts with the letter “C”?

A few months ago, I banned someone who decided to send me an unban request in an email. He did not use the online form because, as he put it, “Your site requires cookies.” At the time, I thought he was just a nut-job. Not because he was worried about web cookies, but because my FotoForensics site doesn’t use cookies.

When I first designed FotoForensics back in 2012, I used a default server installation. By default, Apache + PHP enables web cookies for tracking sessions. Since the public (HTTP) web site does not use sessions, I disabled cookies. I think they were enabled for the first few months, but they haven’t been used for over two years.

Keep in mind, I am only talking about the public FotoForensics web site. (The blog software at sets cookies, but it doesn’t use them unless you login… and I disabled the login interface since nobody besides me needs access.) Also, the private FotoForensics site (used by admins) uses HTTPS and does use cookies for tracking login sessions. But the public HTTP FotoForensics site does not use cookies. To confirm this, you can use httpfox for Firefox and the standalone wireshark sniffer. Both of these network analyzers show the entire HTTP headers sent between the web browser and FotoForensics web server. Neither should show any cookies being sent.

Cookie! Cookie! Cookie starts with “C”!

Web cookies are a cute way to save state between web requests. These short character sequences are sent from the web site to the browser and then returned by the browser during subsequent requests. The browser does not modify the cookie’s contents (without special JavaScript code); the browser only returns data that the server sent it.

The browser associates the cookie with a web site. The next time the browser contacts the site, it uploads the cookie. With any request, the server may change the cookie value.

The network flow typically looks like:

  1. Web browser connects to server and says “give me this web page”.
  2. Server provides the page and says “here’s a cookie!”
  3. Browser then requests the “CSS” style information and says “and here’s the cookie you gave me.”
  4. Server returns the CSS information. The server also knows, based on the unique cookie, that this data is going specifically to you and not to just “anybody”.
  5. Browser then requests each picture on the page. With each picture, it also says “and here’s the cookie!”
  6. Server sees each picture request and the unique tracking cookie and returns each picture.

Some cookies are used for uniquely tracking users. Other cookies contain configuration settings for that web site.

The one important aspect about cookies is that they do not span domains. If your browser receives a cookie from “”, then it will only send it to “”. Your browser won’t send the “” cookie to,, or any other web site. Cookies only go back to the domain that generated them.

What else starts with “C”?

Back to my cookie issue…

We are currently receiving about one unban request every 1-3 weeks. However, two of the last four unban requests have included cookies. This is really odd since the cookies did not come from my site.

I finally started tracking this problem. Specifically, I have been looking for web browsers that upload cookies that didn’t come from me. For example, on 2014-12-15, FotoForensics received 909 unique file uploads and 1,253 total uploads. The site was accessed by 4,738 users. (It was a relatively slow day.) Of all of those, a total of 33 requests included cookies. (Less than 1%.)

I started to look over the cookies to see if there was anything consistent.

  • Some cookies really look like Google Analytics. I see the utma, utmb, utmc, and utmz cookie values.

  • Some cookies are clearly marketing trackers. For example, one person’s cookie included a “mindsparktb” value. That’s — an online advertiser. That cookie even mentioned something called “TOOLBAR_CLEANER”. That’s known malware by Mindspark. Another person’s cookie said “SUPER-CRSRDR”. That’s associated with another ad-based computer virus.

    Basically, both of these people have web browsers that are infected with ad-based viruses. Every web site they visit will have words underlined with links to ads. (You should only see 6 hyperlinks in this entire blog entry — 3 near the beginning, 2 in this section, and 1 at the end. If you see more hyperlinked words, then you’re infected. Those extra ad links are not coming from me! They are coming from a virus that is installed on your computer.) The people who supplied Google Analytics cookie data could also be infected with malware.

  • There’s a browser plugin called “ImTranslator” that adds in cookies when it translates pages.
  • A few of the cookies really look suspicious… It almost looks like their ISP, or someone in the middle of the network transfer, may be inserting tracking cookies. I’ll need more data before I can determine if this is specific to certain ISPs in Saudi Arabia and the Czech Republic, or something else.

Cookies should never be sent to the wrong domain. It should never happen. It isn’t like it’s an accident — the software in all of these browsers explicitly forbids it. I ran these observations by a few of my friends (SM, JK, BT). They all reached the same conclusion: there’s no legitimate reason for this to be happening. We were able to come up with three possible scenarios:

  • Option #1: The web browsers are infected with one or more viruses and they are inserting cookies incorrectly.

  • Option #2: The browser is using a network connection (ISP or proxy network) that is tagging web traffic and filtering out the cookies prior to forwarding packets to my service.
  • Option #3: The user had previously accessed my site through a proxy that was adding tracking cookies. Later, the user came to my site without the proxy and ended up sending the cookies. Without the proxy to intercept, there was nothing to stop me from seeing the cookies that the tagging proxy had associated with my web site.

Good enough for me

With most of the cookies that I am seeing, it really looks like a user with an infected computer (option #1). This begs the next question: what do I do about it?

On one hand, I want to tell these users that they have a problem. I could easily configure my site to inform users when I detect unexpected cookies. I could even create a special web page for people who “just want to check”. Seriously: this is easy to make. I could warn them that they may have malware installed on their computers.

But then there’s the “no good deed” issue. I’m sure that some people won’t distinguish detection from cause. They will blame me for infecting their computers. Or worse: they will beg me to help them de-worm their systems. (I don’t work for individuals for a reason: individuals are crazy. If they don’t accuse you for creating the problem, then they’ll blame you for failing to read their minds.)

Or maybe there is something else going on that I’m not seeing.
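The check described above (detect cookies the site never issued and label the known ones) can be sketched in a few lines. This is an added example, not FotoForensics code: the log format, the client addresses and every cookie string below are constructed, and only the indicators the post itself names (utm* analytics names, mindsparktb / TOOLBAR_CLEANER, SUPER-CRSRDR) are matched.

```python
# Added example, not FotoForensics code: a server-side check that flags cookies
# a site never issued and labels them with the indicators the post names. The
# log format and all sample requests below are constructed for illustration.
import re
from collections import Counter

# Cookies the public site legitimately sets. The public HTTP site described
# above sets none, so this is empty; a site using sessions would list them.
SITE_COOKIES = frozenset()

# Labels for cookie names/values the post attributes to third parties.
# Assumption: Google Analytics names are matched by the "utm" prefix with or
# without leading underscores, since the post lists them as utma, utmb, ...
INDICATORS = [
    (re.compile(r"^_{0,2}utm[a-z]$"), "google-analytics"),
    (re.compile(r"mindsparktb|TOOLBAR_CLEANER", re.I), "mindspark-toolbar"),
    (re.compile(r"SUPER-CRSRDR", re.I), "ad-injector"),
]

# Constructed log lines: client, request line, status, then the raw Cookie
# request header as the last quoted field ("-" when the browser sent none),
# as an Apache LogFormat ending in "%{Cookie}i" would record it.
SAMPLE_LOG = """\
203.0.113.5 "GET /analysis.php HTTP/1.1" 200 "-"
203.0.113.7 "GET /analysis.php HTTP/1.1" 200 "__utma=1.2.3; __utmz=4.5.6"
198.51.100.9 "GET /upload.php HTTP/1.1" 200 "mindsparktb=abc; TOOLBAR_CLEANER=1"
198.51.100.12 "GET / HTTP/1.1" 200 "SUPER-CRSRDR=xyz"
203.0.113.22 "GET / HTTP/1.1" 200 "PHPSESSID=deadbeef"
192.0.2.4 "GET /faq.php HTTP/1.1" 200 "-"
"""
LOG_LINE = re.compile(r'^(\S+) "[^"]*" \d+ "([^"]*)"$')


def parse_cookie_header(header):
    """Split a raw Cookie header into (name, value) pairs. Deliberately no
    validation: the point is to see exactly what the browser sent."""
    pairs = []
    for part in header.split(";"):
        part = part.strip()
        if part:
            name, _, value = part.partition("=")
            pairs.append((name.strip(), value.strip()))
    return pairs


def classify_cookie(name, value):
    """Label a cookie by the indicators above, else 'unknown-origin'."""
    for pattern, label in INDICATORS:
        if pattern.search(name) or pattern.search(value):
            return label
    return "unknown-origin"


def unexpected_cookies(header):
    """[(name, label)] for every cookie in the header the site did not issue."""
    return [(n, classify_cookie(n, v))
            for n, v in parse_cookie_header(header) if n not in SITE_COOKIES]


def summarize(log_text):
    """Count requests carrying unexpected cookies and group findings by client,
    the tally the post reports (requests with cookies out of all requests)."""
    total = with_cookies = 0
    labels = Counter()
    findings = {}
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        total += 1
        client, cookie_header = m.groups()
        if cookie_header in ("", "-"):
            continue
        found = unexpected_cookies(cookie_header)
        if found:
            with_cookies += 1
            findings.setdefault(client, []).extend(found)
            labels.update(label for _, label in found)
    return {"total": total, "with_cookies": with_cookies,
            "labels": labels, "findings": findings}


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print(f"{report['with_cookies']} of {report['total']} requests carried cookies")
    for client, found in report["findings"].items():
        print(client, found)
```

A cookie labelled unknown-origin (such as a PHPSESSID arriving at a site that disabled sessions) is still unexpected; the labels only say which of the post's known third parties it resembles.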

TorrentFreak: Pirate Bay Shutdown Doesn’t Stop People From Sharing

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

There is no denying that The Pirate Bay played a central role in the torrent ecosystem.

As one of the few well-moderated sites it was the source for dozens, if not hundreds of other torrent sites. And with millions of visitors per day the site also had the largest user-base.

With an event like this, one could expect that BitTorrent usage would have been severely impacted, but it appears that people have found their way to one of the many alternatives.

TF reached out to the operator of Demonii, the tracker that was used for all Pirate Bay torrents, and it appears that the Pirate Bay raid isn’t affecting its traffic much.

“Not much is happening differently on our side due to the TPB downtime. I cannot see any anomalies or differences,” the Demonii operator told us.

“Since all the torrents are pretty much mirrored by KickassTorrents and Torrentz, it seems that the downtime hasn’t stopped people from downloading or uploading at all,” he adds.

The connections per minute to the Demonii tracker remain relatively stable, hovering around the 25 million mark, with a peak during the weekends. The graph below shows the pattern for the past week with the Pirate Bay raid (last Tuesday) included.

Demonii weekly stats

The monthly graph suggests that traffic over the past several days has been a fraction lower than the weeks before, but the impact is relatively low.

“In terms of connections we are looking at roughly 2,880,000 connections per minute at peak hours and about 2,160,000 connections per minute at the lowest,” Demonii’s operator says.

Demonii month stats

If The Pirate Bay remains down for a longer period of time problems may arise on a different level though. TPB has traditionally been one of the best moderated sites, which helped to prevent malware and other scams from spreading.

In theory others could take over this role, but if more sites topple the quality element may become an issue. For now, however, most people seem to be sharing as much as usual.

Source: TorrentFreak, for the latest info on copyright, file-sharing and anonymous VPN services.

Harmer: Overview of Qt3D 2.0 – Part 1

This post was syndicated from: and was written by: ris. Original post: at

Sean Harmer covers the revival of Qt3D, a 3D framework. “With OpenGL taking a much more prominent position in Qt 5’s graphical stack — OpenGL is the underpinning of Qt Quick 2’s rendering power — and with OpenGL becoming a much more common part of customer projects, KDAB decided that it would be good for us and for the Qt community at large if we took over maintainership and development of the Qt3D module. To this end, several KDAB engineers have been working hard to bring Qt3D back to life and moreover to make it competitive to other modern 3D frameworks.

This article is the first in a series that will cover the capabilities, APIs, and implementation of Qt3D in detail.”