Posts tagged ‘Other’

TorrentFreak: Disney Patents a Piracy Free Search Engine

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

Disney and other rightsholders are not happy with today’s search engines after repeatedly asking Google and Co. to promote legal content and remove pirate sites from search results.

While Google implemented several changes to satisfy these requests, Disney has also taken matters into its own hands.

A new patent awarded to Disney Enterprises this week describes a search engine through which pirated content is hard to find.

Titled “Online content ranking system based on authenticity metric values for web elements,” one of the patent’s main goals is to prevent pirated movies and other illicit content from ranking well in the search results.

According to Disney, the patent makes it possible to “enable the filtering of undesirable search results, such as results referencing piracy websites.”

Disney believes that current search engines are using the wrong approach as they rely on a website’s “popularity.” This allows site owners to game the system in order to rank higher.

“For example, a manipulated page for unauthorized sales of drugs, movies, etc. might be able to obtain a high popularity rating, but what the typical user will want to see is a more authentic page,” they explain.

While this is a rather simplified description of the complex algorithms most search engines use, Disney believes it can do a better job.

In their patent they describe a system that re-ranks search results based on an “authenticity index”. This works twofold, by promoting sites that are more “authoritative” and filtering out undesirable content.


“In particular, embodiments enable more authoritative search results … to be ranked higher and be more visible to a user. Embodiments furthermore enable the filtering of undesirable search results, such as results referencing piracy websites, child pornography websites, and/or the like,” Disney writes.

While Disney’s idea of a search engine may sound appealing to some, deciding what counts as “authoritative” is still rather subjective. Google, for example, uses PageRank which is in part based on the number of quality links to websites.

Disney, however, suggests giving “official” sites priority when certain terms relate to a property of a company. These “authority” weights can include trademarks, copyrighted material, and domain name information.

This doesn’t only affect pirated content, Disney explains, it also means that a Wikipedia entry or IMDb listing for “Snow White and the Seven Dwarfs” will rank lower than the official Disney page of the film.

“The Disney.go.com web page may be associated with an authenticity weight that is greater than the authenticity weight associated with the encyclopedia web page because Disney.go.com is the official domain for The Walt Disney Company. As such, with respect to the Snow White and the Seven Dwarfs™ film, the Disney.go.com web page may be considered more authoritative (and thus more authentic) than the encyclopedia web page,” Disney writes.

In other words, official sites should be the top result for “brand” related searches, even if people are looking for background info or more balanced (re)views. For pirate sites there’s no place at all in the top results, even though Disney’s definition of a pirate site may also be rather subjective.

It’s unclear whether Disney has any plans to implement the patent in the wild. The company currently has a search engine but this only includes links to its own properties.


Source: TorrentFreak, for the latest info on copyright, file-sharing and anonymous VPN services.

Krebs on Security: KrebsOnSecurity Honored for Fraud Reporting

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

The Association of Certified Fraud Examiners today announced they have selected Yours Truly as the recipient of this year’s “Guardian Award,” an honor given annually to a journalist “whose determination, perseverance, and commitment to the truth have contributed significantly to the fight against fraud.”

The Guardian Award bears the inscription “For Vigilance in Fraud Reporting.”

Previous honorees include former Washington Post investigative reporter and two-time Pulitzer Prize winner Susan Schmidt; Diana Henriques, a New York Times contributing writer and author of The Wizard of Lies (a book about Bernie Madoff); and Allan Dodds Frank, a regular contributor to Fortune.com and The Daily Beast.

I’d like to thank the ACFE for this prestigious award, and offer a special note of thanks to all of you dear readers who continue to support my work as an independent journalist.

The ACFE’s blog post about the award is here.

/dev/ttyS0 : Reversing D-Link’s WPS Pin Algorithm

This post was syndicated from: /dev/ttyS0 and was written by: Craig. Original post: at /dev/ttyS0

While perusing the latest firmware for D-Link’s DIR-810L 80211ac router, I found an interesting bit of code in sbin/ncc, a binary which provides back-end services used by many other processes on the device, including the HTTP and UPnP servers:

Call to sub_4D56F8 from getWPSPinCode


I first began examining this particular piece of code with the hopes of controlling part of the format string that is passed to __system. However, this data proved not to be user controllable, as the value placed in the format string is the default WPS pin for the router.

The default WPS pin itself is retrieved via a call to sub_4D56F8. Since the WPS pin is typically programmed into NVRAM at the factory, one might expect sub_4D56F8 to simply be performing some NVRAM queries, but that is not the case:

The beginning of sub_4D56F8


This code isn’t retrieving a WPS pin at all, but instead is grabbing the router’s WAN MAC address. The MAC address is then split into its OUI and NIC components, and a tedious set of multiplications, xors, and shifts ensues (full disassembly listing here):

Break out the MAC and start munging the NIC


TorrentFreak: Manhunt Underway For “Possibly Armed” Kinox, BitShare and FreakShare Operators

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

Just a few days ago news broke that police in Germany had carried out raids in several areas of the country.

They were looking for four suspects believed to be the key individuals behind a range of sites including Kino.to replacement Kinox.to, file-hosting sites FreakShare.com and BitShare.com, plus linking sites Boerse.sx and MyGully.com. Even streaming giant Movie4K was thrown into the mix.

While two people were arrested in Neuss and Dusseldorf, two brothers from a village near the northern city of Lübeck evaded police and are said to be on the run. It is those two men who are now grabbing the headlines.

Police have just taken the somewhat unusual step of announcing a public manhunt for the brothers, publishing mugshots and their full names alongside details of their alleged crimes. This is something only usually carried out in exceptional and serious cases.

Pictured right is Kastriot Selimi. Born in 1989, the 25-year-old was born in Kosovo and later became a German citizen.

According to police he is one of the founders of the “criminal organization” behind Kinox, FreakShare and BitShare. He also has connections to a range of other sites including stream4k.to, shared.sx, mygully.com and boerse.sx.

Kastriot Selimi’s alleged crimes include predatory blackmail, armed robbery, extortion, arson, copyright infringement and tax evasion. Police warn that he should be considered violent and could be armed.

Pictured right is Kreshnik Selimi. Born in 1992, the 21-year-old was born in Sweden and later became a German citizen. He is the younger brother of Kastriot.

Kreshnik is accused of founding and operating the same sites as his sibling and is covered by the same international arrest warrant. He is being classified as violent and police are warning the public that he too could be armed.

Kreshnik Selimi’s alleged crimes include predatory blackmail, armed robbery, extortion, arson, copyright infringement and tax evasion.

According to information received by German publication Spiegel, the arson and extortion charges relate to alleged crimes carried out by the brothers against one of their former or even current business partners.

A spokesperson for the prosecutor’s office earlier revealed that the brothers had “made great efforts” to get rid of their competitors in the piracy market. “Sometimes even a car burst into flames,” he said.

According to the Attorney General’s office the brothers have evaded 1.3 million euros in taxes, which suggests that overall revenues were in excess of 6.5 million euros. Even if that amount is overblown, it seems likely that the pair have considerable resources at their disposal.

The brothers’ whereabouts aside, the big mystery is why the sites named above are still in operation. All remain online, despite their alleged operators being subjected to an international manhunt.


Krebs on Security: Chip & PIN vs. Chip & Signature

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

The Obama administration recently issued an executive order requiring that federal agencies migrate to more secure chip-and-PIN based credit cards for all federal employees that are issued payment cards. The move marks a departure from the far more prevalent “chip-and-signature” standard, an approach that has been overwhelmingly adopted by a majority of U.S. banks that are currently issuing chip-based cards. This post seeks to explore some of the possible reasons for the disparity.

Chip-based cards are designed to be far more expensive and difficult for thieves to counterfeit than regular credit cards that most U.S. consumers have in their wallets. Non-chip cards store cardholder data on a magnetic stripe, which can be trivially copied and re-encoded onto virtually anything else with a magnetic stripe.

Magnetic-stripe based cards are the primary target for hackers who have been breaking into retailers like Target and Home Depot and installing malicious software on the cash registers: The data is quite valuable to crooks because it can be sold to thieves who encode the information onto new plastic and go shopping at big box stores for stuff they can easily resell for cash (think high-dollar gift cards and electronics).

The United States is the last of the G20 nations to move to more secure chip-based cards. Other countries that have made this shift have done so by government fiat mandating the use of chip-and-PIN. Requiring a PIN at each transaction addresses both the card counterfeiting problem, as well as the use of lost or stolen cards.

Here in the States, however, the movement to chip-based cards has evolved overwhelmingly toward the chip-and-signature approach. Naturally, if your chip-and-signature card is lost or stolen and used fraudulently, there is little likelihood that a $9-per-hour checkout clerk is going to bat an eyelash at a thief who signs your name when using your stolen card to buy stuff at retailers. Nor will a signature card stop thieves from using a counterfeit card at automated payment terminals (think gas pumps).

But just how broadly adopted is chip-and-signature versus chip-and-PIN in the United States? According to an unscientific poll that’s been running for the past two years at the travel forum Flyertalk, only a handful of major U.S. banks issue chip-and-PIN cards; most have pushed chip-and-signature. Check out Flyertalk’s comprehensive Google Docs spreadsheet here for a member-contributed rundown of which banks support chip-and-PIN versus chip-and-signature.

I’ve been getting lots of questions from readers who are curious or upset at the prevalence of chip-and-signature over chip-and-PIN cards here in the United States, and I realized I didn’t know much about the reasons behind the disparity vis-à-vis other nations that have already made the switch to chip cards. So I reached out to several experts to get their take on it.

Julie Conroy, a fraud analyst with The Aite Group, said that by and large Visa has been pushing chip-and-signature and that MasterCard has been promoting chip-and-PIN. Avivah Litan, an analyst at Gartner Inc., said MasterCard is neutral on the technology. For its part, Visa says it also is agnostic on the technology, saying in an emailed statement that the company believes “requiring stakeholders to use just one form of cardholder authentication may unnecessarily complicate the adoption of this important technology.”

BK: A lot of readers seem confused about why more banks wouldn’t adopt chip-and-PIN over chip-and-signature, given that the former protects against more forms of fraud.

Conroy: The PIN only addresses fraud when the card is lost or stolen, and in the U.S. market lost-and-stolen fraud is very small in comparison with counterfeit card fraud. Also, as we looked at other geographies — and our research has substantiated this — as you see these geographies go chip-and-PIN, the lost-and-stolen fraud dips a little bit but then the criminals adjust. So in the UK, the lost-and-stolen fraud is now back above where it was before the migration. The criminals there have adjusted. And that increased focus on capturing the PIN gives them more opportunity, because if they do figure out ways to compromise that PIN, then they can perpetrate ATM fraud and get more bang for their buck.

So, PIN at the end of the day is a static data element, and it only goes so far from a security perspective. And as you weigh that potential for attrition versus the potential to address the relatively small amount of fraud that is lost and stolen fraud, the business case for chip and signature is really a no-brainer.

Litan: Most card issuing banks and Visa don’t want PINs because the PINs can be stolen and used with the magnetic stripe data on the same cards (that also have a chip card) to withdraw cash from ATM machines. Banks eat the ATM fraud costs. This scenario has happened with the roll-out of chip cards with PIN – in Europe and in Canada.

BK: What are some of the things that have pushed more banks in the US toward chip-and-signature?

Conroy: As I talk to the networks and the issuers who have made their decision about where to go, there are a few things that are moving folks toward chip-and-signature. The first is that we are the most competitive market in the world, and so as you look at the business case for chip-and-signature versus chip-and-PIN, no issuer wants to have the card in the wallet that is the most difficult card to use.

BK: Are there recent examples that have spooked some of the banks away from embracing chip-and-PIN?

Conroy: There was a Canadian issuer that — when they did their migration to chip — really botched their chip-and-PIN roll out, and consumers were forgetting their PIN at the point-of-sale. That issuer saw a significant dip in transaction volume as a result. One of the missteps this issuer made was that they sent their PIN mailers out too soon before you could actually do PIN transactions at the point of sale, and consumers forgot. Also, at the time they sent out the cards, [the bank] didn’t have the capability at ATMs or IVRs (automated, phone-based customer service systems) for consumers to reset their PINs to something they could remember.

BK: But the United States has a much more complicated and competitive financial system, so wouldn’t you expect more issuers to be going with chip-and-PIN?

Conroy: With consumers having an average of about 3.3 cards in their wallet, and the US being a far more competitive card market, the issuers are very sensitive to that. As I was doing my chip-and-PIN research earlier this year, there was one issuer that said quite bluntly, “We don’t really think we can teach Americans to do two things at once. So we’re going to start with teaching them how to dip, and if we have another watershed event like the Target breach and consumers start clamoring for PIN, then we’ll adjust.” So the issuers I spoke with wanted to keep it simple: Go to market with plain vanilla, and once we get this working, we can evaluate adding some sprinkles and toppings later.

BK: What about the retailers? I would think more of them are in favor of chip-and-PIN over signature.

Litan: Retailers want PINs because they strengthen the security of the point-of-sale (POS) transaction and lessen the chances of fraud at the POS (which they would have to eat if they don’t have chip-accepting card readers but are presented with a chip card). Also retailers have traditionally been paying lower rates on PIN transactions as opposed to signature transactions, although those rates have more or less converged over time, I hear.

BK: Can you talk about the ability to use these signature cards outside the US? That’s been a sticking point in the past, no?

Conroy: The networks have actually done a good job over the last year to 18 months in pushing the [merchant banks] and terminal manufacturers to include “no cardholder verification method” as one of the options in the terminals. Which means that chip-and-signature cards are increasingly working. There was one issuer I spoke with that had issued chip-and-signature cards already for their traveling customers and they said that those moves by the networks and adjustments overseas meant that their chip-and-signature cards were working 98 percent of the time, even at the unattended kiosks, which were some of the things that were causing problems a lot of the time.

BK: Is there anything special about banks that have chosen to issue chip-and-PIN cards over chip-and-signature?

Conroy: Where we are seeing issuers go with chip-and-PIN, largely it is issuers where consumers have a very compelling reason to pull that particular card out of their wallet. So, we’re talking mostly about merchants who are issuing their own cards and have loyalty points for using that card at that store. That is where we don’t see folks worrying about the attrition risks so much, because they have another point of stickiness for that card.

BK: What did you think about the White House announcement that specifically called out chip-and-PIN as the chip standard the government is endorsing?

Conroy: The White House announcement I thought that was pure political window dressing. Especially when they claimed to be taking the lead on credit card security. Visa, for example, made their initial road map announcement back in 2011. And [the White House is] coming to the table three years later thinking that it’s going to influence the direction the market is taking when many banks have spent in some cases upwards of a year coding toward these specifications? That just seems ludicrous to me. The chip-card train has been out of the station for a long time. And it seemed like political posturing at its best, or worst, depending on how you look at it.

Litan: I think it is very significant. It’s basically the White House taking the side of the card acceptors and what they prefer. Whatever the government does will definitely help drive trends, so I think it’s a big statement.

BK: So, I guess we should all be grateful that banks and retailers in the United States are finally taking steps to move toward chip cards, but it seems to me that as long as these chip cards still also store cardholder data on a magnetic stripe as a backup, that the thieves can still steal and counterfeit this card data — even from chip cards.

Litan: Yes, that’s the key problem for the next few years. Once mag stripe goes away, chip-and-PIN will be a very strong solution. The estimates are now that by the end of 2015, 50 percent of the cards and terminals will be chip-enabled, but it’s going to be several years before we get closer to full compliance. So, we’re probably about 2018 before we can start making plans to get rid of the magnetic stripe on these cards.

Linux How-Tos and Linux Tutorials: MariaDB Practical How-to for Linux Admins

This post was syndicated from: Linux How-Tos and Linux Tutorials and was written by: Carla Schroder. Original post: at Linux How-Tos and Linux Tutorials

She who rules databases rules the world. Even if you don’t want to rule the world, knowing a good set of database commands will make your life easier.

Most likely you won’t be performing many manual operations on your MariaDB database, such as creating tables and adding data, because it will be manipulated by other programs that use database backends. The following commands are more real-world, and show how to recover a root password, see what is in your database, how to get help, and how to search for a particular text string.

Lost Root Password

When you install MariaDB on Linux you have the option to create a root password. Chances are you immediately forgot it. No worries, because as long as you have Linux root access you can get into MariaDB.

First stop your database if it’s running. On Red Hat Linux, CentOS, and Fedora use the systemctl command:

$ sudo systemctl stop mariadb.service

On Debian, Ubuntu, and Linux Mint you can still use the service command:

$ sudo service mysql stop
 * Stopping MariaDB database server mysqld  

Next, restart MariaDB with the mysqld_safe command, which is the safest way to start MariaDB. --skip-grant-tables starts the server with no user restrictions, so it’s wide open:

$ sudo mysqld_safe --skip-grant-tables --skip-networking &
[1] 11278
carla@studio:~/Documents/1articles/linuxcom$ 141029 19:37:57 mysqld_safe Logging to syslog.
141029 19:37:57 mysqld_safe Starting mysqld daemon with databases from /var/lib/mysql

The --skip-networking option prevents anyone from sneaking in over the network. Obviously, don’t use this if you’re logging in remotely. Now you can reset the root password by using the mysql command shell. Login to MariaDB, select the mysql database, reset the root password, and then immediately exit:

$ mysql -u root
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 1
Server version: 5.5.39-MariaDB-0ubuntu0.14.04.1 (Ubuntu)
Copyright (c) 2000, 2014, Oracle, Monty Program Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]> use mysql;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
MariaDB [mysql]> update user set password=PASSWORD("new-password") where User='root';
Query OK, 4 rows affected (0.00 sec)
Rows matched: 4  Changed: 4  Warnings: 0
MariaDB [mysql]> flush privileges;
Query OK, 0 rows affected (0.00 sec)
MariaDB [mysql]> exit
Bye

Now try logging in with your new password:

$ mysql -u root -p
Enter password: 
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 2
Server version: 5.5.39-MariaDB-0ubuntu0.14.04.1 (Ubuntu)

Use this one-liner to change the password of any user without logging in to the MariaDB shell:

$ mysqladmin -u carla -p'old-password' password 'new-password'

Debian’s Back Door

Debian stores the clear-text password for its system MariaDB user in /etc/mysql/debian.cnf:

# Automatically generated for Debian scripts. DO NOT TOUCH!
[client]
host     = localhost
user     = debian-sys-maint
password = LofpsiQCKOcGzoqJ

You can log in with this user and do whatever you want, including reset the root password. The permissions on this file should be read-write for root only.

Seeing What’s Inside

Be careful when you’re monkeying around with your database, because some things need to be there, such as certain system users. Log in, select the mysql database, and list your database users:

$ mysql -u root -p
password:
MariaDB [(none)]> use mysql;
Database changed
MariaDB [mysql]> SELECT user, host, password FROM user;
+------------------+------------+---------------+
| user             | host       | password      |
+------------------+------------+---------------+
| root             | localhost  | *F6FE8C583C17 |
| root             | 127.0.0.1  | *F6FE8C583C17 |
| root             | ::1        | *F6FE8C583C17 |
| debian-sys-maint | localhost  | *21B2FE94870C |
5 rows in set (0.00 sec)

If you did not set a root password then root’s password field will be empty. Unlike the debian-sys-maint password in the configuration file, these are all stored as hashes rather than in clear text. Why so many root users? Because MariaDB cares about where users make connections from, so root gets all the local ones by default.

You can see all of your databases:

MariaDB [mysql]> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| owncloud           |
| redbooks           |
| bluebooks          | 
| performance_schema |
+--------------------+
4 rows in set (0.00 sec)

information_schema, mysql, and performance_schema are all internal MariaDB databases. Do not delete or change them, or you will be very sorry. You can look inside them and see all of their table names:

MariaDB [mysql]> show tables;
+---------------------------+
| Tables_in_mysql           |
+---------------------------+
| columns_priv              |
| db                        |
| event                     |
| func                      |
| general_log               |

You can view the table structures, which show all the columns in the tables and all the variables that can be assigned to users:

MariaDB [mysql]> describe user;
+------------+------------+------+-----+---------+-------+
| Field      | Type       | Null | Key | Default | Extra |
+------------+------------+------+-----+---------+-------+
| Host       | char(60)   | NO   | PRI |         |       |
| User       | char(16)   | NO   | PRI |         |       |
| Password   | char(41)   | NO   |     |         |       |
| Select_priv| enum       | NO   |     | N       |       |
| Insert_priv| enum       | NO   |     | N       |       |
| Update_priv| enum       | NO   |     | N       |       |

Now you see how we knew which fields to select when we listed database users. What if you want to see the data in the table? This example shows all of it:

MariaDB [mysql]> select * from user;

This will look like crap because there are so many fields, and you’ll need a giant screen for the output to display correctly. So let’s narrow it down and see who has superuser privileges:

MariaDB [mysql]> SELECT user, super_priv FROM user;
+------------------+------------+
| user             | super_priv |
+------------------+------------+
| root             | Y          |
| root             | Y          |
| root             | Y          |
| root             | Y          |
| debian-sys-maint | Y          |
| carla            | Y          |
| layla            | N          |
| toshi            | N          |

Now you know how to see which fields are in a table, and how to filter your searches with them.
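As an added example that is not part of the original article, the following single query over the same mysql.user table (MariaDB 5.5 column names as listed by describe user above) flags the conditions this section walks through: an empty password field, a host other than the local ones, and SUPER, together with the FILE and GRANT privileges that live in the same table.

```sql
-- Added example (not from the original article): audit mysql.user for the
-- risky conditions discussed above. Column names follow the MariaDB 5.5
-- schema shown by 'describe user;'. Each boolean column is 1 when the
-- account matches that condition, so the result reads like a checklist.
USE mysql;

SELECT
    user,
    host,
    -- empty hash: the account logs in without any password at all
    (password = '')                                   AS empty_password,
    -- connections accepted from somewhere other than the local socket/loopback
    (host NOT IN ('localhost', '127.0.0.1', '::1'))   AS remote_host,
    -- privileges that amount to full control of the server or its host
    (super_priv = 'Y')                                AS has_super,
    (file_priv  = 'Y')                                AS has_file,
    (grant_priv = 'Y')                                AS can_grant
FROM user
WHERE password = ''
   OR host NOT IN ('localhost', '127.0.0.1', '::1')
   OR super_priv = 'Y'
   OR file_priv  = 'Y'
   OR grant_priv = 'Y'
ORDER BY empty_password DESC, remote_host DESC, user, host;
```

Run it as root after the password recovery steps above; an account that shows 1 under empty_password or remote_host is the first one to fix with the update/flush privileges sequence from the Lost Root Password section.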

Searching MariaDB For Arbitrary Text Strings

One way to search for an arbitrary bit of data is to dump your databases into a text file, and then search the text file. This example formats the dump file with line breaks, so it is human-readable and grep-able:

$ mysqldump -u user -p --extended-insert=false --all-databases  > dbdump.txt

Of course you may dump selected databases:

$ mysqldump -u user -p --extended-insert=false --databases db2 db3 > dbdump.txt

Then grep the dumpfile for your search string, like this search for pinecones:

$ grep -i pinecones  dbdump.txt 
INSERT INTO `forest` VALUES (4,'PINECONE');
INSERT INTO `forest` VALUES (11,'PINECONES');
INSERT INTO `mountain` VALUES (21,'PINECONE');

This tells you which tables your search term is in (forest and mountain in this example) and lists every occurrence of the search term.

MariaDB has detailed built-in help:

MariaDB [mysql]> help contents
You asked for help about help category: "Contents"
For more information, type 'help <item>', where <item> is one of the following
categories:
   Account Management
   Administration
   Compound Statements
   Data Definition
   Data Manipulation

MySQL isn’t going away, but MariaDB is quickly becoming the default database in Linux distros, and non-Oracle fans are replacing MySQL as fast as they can. Please visit MariaDB.com to read a lot more good documentation, and Moving from MySQL should be helpful to MySQL users who want to make the switch.


TorrentFreak: Pirate Site Operator Slapped With $10 Million in Damages

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

In August we reported how ABS-CBN was going after several website owners who link to pirated streams of its programming.

The Philippines-based company filed a lawsuit at a federal court in Oregon looking for millions of dollars in damages from two local residents, husband and wife.

The five sites they operated, including Pinoymoviefan.com and Watchfilipinotv.com, barely had any visitors. According to the main suspect, Jeff Ashby, he created them for his wife so she could enjoy entertainment from her home country.

‘I created these websites for my wife who is from the Philippines, so she and others who are far from the Philippines could enjoy materials from their culture that are otherwise unavailable to them,’ Jeff Ashby wrote to the court.

The sites in question didn’t store copies of the infringing media but merely provided links to other websites, and Ashby shut them down voluntarily as soon as he heard about the lawsuit.

Nevertheless, ABS-CBN branded Ashby a hardcore criminal. In one of their own news reports they managed to get the L.A. police to agree with them.

“[Piracy is] supporting their ability to buy drugs and guns and engage in violence. And then, the support of global terrorism, which is a threat to everybody,” LA County Assistant Sheriff Todd Rogers told an ABS-CBN news outlet.

Now, just a few weeks later the case is over. The Oregon District Court ‘ruled’ in favor of ABS-CBN and ordered Jeff Ashby to pay a mind-blowing $10 million in damages.

The company nevertheless praises the ‘unprecedented’ victory in its own news coverage and warns that they will continue to pursue action against pirate sites.

“Jeff Ashby is the first of many pirates that we are pursuing,” says Elisha Lawrence, ABS-CBN’s Associate Vice President of Global Anti-Piracy.

“We have begun a relentless campaign to enforce against all pirate websites due to the numerous reports that these sites contain dangerous malware which cause substantial harm including identity theft of financial information and phishing attacks.”

While the $10 million may do well for PR purposes, the media conglomerate fails to mention that this isn’t a regular verdict. Instead, it’s a consent judgment (pdf) between ABS-CBN and Ashby which the court signed off on.

In other words, the $10 million in damages reported in public is a figure both parties agreed on, without putting up a fight. Needless to say, it’s likely that a separate deal was made behind the scenes.

In fact, a month before the consent judgment the court had already been informed that both parties had settled the case.

Most telling, perhaps, is the response of Jeff Ashby after he was ‘hit’ by the $10 million judgment. Instead of characterizing the damages as unfair and overblown, he now warns others not to mess with ABS-CBN.

“I wish to warn anyone who may be copying and/or publishing content owned by ABS-CBN without their permission, to stop immediately. Continuing without authorization can and will lead to very serious consequences,” Ashby comments.

Source: TorrentFreak, for the latest info on copyright, file-sharing and anonymous VPN services.

SANS Internet Storm Center, InfoCON: green: CSAM Month of False Positives – False Positives from Management, (Thu, Oct 30th)

This post was syndicated from: SANS Internet Storm Center, InfoCON: green and was written by: SANS Internet Storm Center, InfoCON: green. Original post: at SANS Internet Storm Center, InfoCON: green

Often the start of a problem and its solution is receiving a call from a manager, project manager or other non-technical decision maker. You'll know going in that the problem is absolutely real, but the information you get going in might be a total red herring.

Some classic examples are:

“The network is slow. I ran a speed test; we should be seeing 10x the speed.”

This is almost always a math error. The speed was measured in bytes (upper case B) instead of bits (lower case b). Multiply by 8 and things should look better.

“The network is slow. Our new web server takes 30 seconds to load the landing page.”

As most of you know, in a modern gigabit network, even a busy one, there just isn't anything on the network that will add a 30 second delay. 30 seconds in particular would have me checking for DNS issues first, especially for a new host or service. However, in this case, the client was loading the entire Java application (including the business logic) before the login page. The app-dev answer to this would be to load the login page first, then load the app asynchronously in the background. The security answer is to question why you would ship the application logic to an untrusted workstation on a hostile network (the public internet) before the user has even authenticated.

“The network is slow. It must be a broadcast storm.”

It's exceedingly rare to see a broadcast storm. Plus, if the switches are configured correctly and a broadcast storm does occur, it should be contained to a single Ethernet port, and it should either be rate limited or the port should be shut down, depending on your configuration.

When a non-technical person says “broadcast storm”, it really could mean anything that affects performance. Almost always it will end up being something server side. DNS misconfigurations are a common one (10-30 second delays on the first request), but it could also be an oversubscribed virtual infrastructure, coding errors, out-of-memory conditions, anything really.

“The firewall is blocking our traffic.”

In some cases, especially if there is an egress filter, this can be the case. However, in many other cases it is something else entirely. We recently worked on an issue where an AS/400 (iSeries now, I guess) was not connecting to a server. It turned out that the certificate needed for the connection was wrong; the vendor had sent us a cert for a different site entirely. Wireshark did a great job in this case of saying “LOOK HERE, THE PROBLEM IS HERE” by showing a Bad Certificate alert, in bright red, in the main view.

“We need port 443 open, in both directions.”

This is NEVER the case, but it is commonly seen in vendor documentation. Either you need an outbound port (possibly an update to the egress filter) or an inbound port open; the stateful firewall takes care of the return traffic. There are very few genuine “both directions” requirements. IKE for IPsec VPNs is one special case, since it uses udp/500 as both source and destination port (and udp/4500 in both roles once NAT-T kicks in), so either peer may initiate. In most cases, when the requirement says “in both directions” or “bidirectional”, it's a bit of a treasure hunt to figure out what they mean (usually it's outbound).

The moral of the story? The first one is that if somebody tells you the problem is the network, 70% of the time it's not the network. More importantly, if you get a business problem from a business person, it's not something to minimize. You might not be able to count on all the information you get going in, but if they tell you something is slow or not usable, it's their system, and they are usually correct in at least identifying that the problem is real.

Please, use our comment form and fill us in on any recent false positives from a non-technical source that you've seen. Extra points if it was a real problem, but the initial info started you off in the wrong direction.

===============
Rob VandenBrink
Metafore

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Matthew Garrett: Hacker News metrics (first rough approach)

This post was syndicated from: Matthew Garrett and was written by: Matthew Garrett. Original post: at Matthew Garrett

I’m not a huge fan of Hacker News[1]. My impression continues to be that it ends up promoting stories that align with the Silicon Valley narrative of meritocracy, technology will fix everything, regulation is the cancer killing agile startups, and discouraging stories that suggest that the world of technology is, broadly speaking, awful and we should all be ashamed of ourselves.

But as a good data-driven person[2], wouldn’t it be nice to have numbers rather than just handwaving? In the absence of a good public dataset, I scraped Hacker Slide to get just over two months of data in the form of hourly snapshots of stories, their age, their score and their position. I then applied a trivial test:

  1. If the story is younger than any other story
  2. and the story has a higher score than that other story
  3. and the story has a worse ranking than that other story
  4. and at least one of these two stories is on the front page

then the story is considered to have been penalised.

(note: “penalised” can have several meanings. It may be due to explicit flagging, or it may be due to an automated system deciding that the story is controversial or appears to be supported by a voting ring. There may be other reasons. I haven’t attempted to separate them, because for my purposes it doesn’t matter. The algorithm is discussed here.)
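The four-condition test above, re-implemented as an added example (this is not code from the post; the scraped Hacker Slide data is not reproduced, and the snapshot layout and the 30-story front page size are assumptions). It runs the pairwise comparison within each hourly snapshot and then tallies penalised versus unpenalised stories per keyword, the way the table further down does:

```python
"""Added example, not code from the original post: the four-condition
penalty test re-implemented over a constructed set of hourly snapshots.
The dataset layout (story id, title, age, score, rank per hour) and the
front-page size of 30 are assumptions; the real Hacker Slide data is not
reproduced here."""
from dataclasses import dataclass

FRONT_PAGE_SIZE = 30  # assumption: ranks 1..30 count as the front page


@dataclass(frozen=True)
class Snapshot:
    story_id: int
    title: str
    age_hours: float
    score: int
    rank: int  # 1 is the top of the front page; larger is worse


def is_penalised(story, others):
    """The post's test: some other story in the same snapshot is older,
    has a lower score, yet sits above this one, and at least one of the
    two is on the front page."""
    for other in others:
        if other.story_id == story.story_id:
            continue
        if (story.age_hours < other.age_hours
                and story.score > other.score
                and story.rank > other.rank
                and min(story.rank, other.rank) <= FRONT_PAGE_SIZE):
            return True
    return False


def penalised_ids(snapshots):
    """snapshots: iterable of (hour, Snapshot). A story counts as penalised
    if it fails the test in any hourly snapshot it appears in."""
    by_hour = {}
    for hour, snap in snapshots:
        by_hour.setdefault(hour, []).append(snap)
    flagged = set()
    for stories in by_hour.values():
        for story in stories:
            if is_penalised(story, stories):
                flagged.add(story.story_id)
    return flagged


def keyword_table(snapshots, flagged, keywords):
    """Per keyword, (penalised, unpenalised) counts of distinct stories whose
    title contains it, case-insensitively, like the table in the post."""
    titles = {snap.story_id: snap.title.lower() for _, snap in snapshots}
    table = {}
    for kw in keywords:
        hits = [sid for sid, title in titles.items() if kw.lower() in title]
        pen = sum(1 for sid in hits if sid in flagged)
        table[kw] = (pen, len(hits) - pen)
    return table


# Constructed data: two hourly snapshots. Story 3 is younger and higher
# scoring than stories 1 and 2 but ranks below them, so it is penalised.
# Story 4 beats story 5 on age and score with a worse rank, but neither is
# on the front page, so the test does not fire.
SAMPLE = [
    (0, Snapshot(1, "Rust 1.0 released", 2.0, 50, 1)),
    (0, Snapshot(2, "New x86 startup", 5.0, 40, 2)),
    (0, Snapshot(3, "Harassment of women in tech", 1.0, 60, 5)),
    (1, Snapshot(1, "Rust 1.0 released", 3.0, 80, 1)),
    (1, Snapshot(3, "Harassment of women in tech", 2.0, 90, 2)),
    (1, Snapshot(4, "Startup raises $10M", 3.0, 10, 40)),
    (1, Snapshot(5, "ARM chip benchmarks", 10.0, 5, 35)),
]

if __name__ == "__main__":
    flagged = penalised_ids(SAMPLE)
    print("penalised:", sorted(flagged))
    for kw, (pen, unpen) in keyword_table(SAMPLE, flagged, ["women", "startup", "x86"]).items():
        print(f"{kw:10} {pen:>9} {unpen:>11}")
```

The front-page condition is what keeps the test from flagging every reordering deep in the list; without it, story 4 in the sample would be counted as penalised too.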

Now, ideally I’d classify my dataset based on manual analysis and classification of stories, but I’m lazy (see [2]) and so just tried some keyword analysis:

Keyword     Penalised   Unpenalised
Women              13             4
Harass              2             0
Female              5             1
Intel               2             3
x86                 3             4
ARM                 3             4
Airplane            1             2
Startup            46            26

A few things to note:

  1. Lots of stories are penalised. Of the front page stories in my dataset, I count 3240 stories that have some kind of penalty applied, against 2848 that don’t. The default seems to be that some kind of detection will kick in.
  2. Stories containing keywords that suggest they refer to issues around social justice appear more likely to be penalised than stories that refer to technical matters
  3. There are other topics that are also disproportionately likely to be penalised. That’s interesting, but not really relevant – I’m not necessarily arguing that social issues are penalised out of an active desire to make them go away, merely that the existing ranking system tends to result in it happening anyway.

This clearly isn’t an especially rigorous analysis, and in future I hope to do a better job. But for now the evidence appears consistent with my innate prejudice – the Hacker News ranking algorithm tends to penalise stories that address social issues. An interesting next step would be to attempt to infer whether the reasons for the penalties are similar between different categories of penalised stories[3], but I’m not sure how practical that is with the publicly available data.

(Raw data is here, penalised stories are here, unpenalised stories are here)

[1] Moving to San Francisco has resulted in it making more sense, but really that just makes me even more depressed.
[2] Ha ha like fuck my PhD’s in biology
[3] Perhaps stories about startups tend to get penalised because of voter ring detection from people trying to promote their startup, while stories about social issues tend to get penalised because of controversy detection?


SANS Internet Storm Center, InfoCON: green: Hacking with the Oldies!, (Thu, Oct 30th)

This post was syndicated from: SANS Internet Storm Center, InfoCON: green and was written by: SANS Internet Storm Center, InfoCON: green. Original post: at SANS Internet Storm Center, InfoCON: green

Recently we seem to have a theme of new bugs in old code: first, and very publicly, OpenSSL and bash. This past week we've had a bunch more, less public but still neat bugs.

  • A nifty bug in strings, CVE-2014-8485, with more details at http://lcamtuf.blogspot.ca/2014/10/psa-dont-run-strings-on-untrusted-files.html
  • A problem in wget's FTP handling: https://community.rapid7.com/community/metasploit/blog/2014/10/28/r7-2014-15-gnu-wget-ftp-symlink-arbitrary-filesystem-access
  • And now the ftp client (found first in BSD): http://cxsecurity.com/issue/WLB-2014100174

These all share some common ground: data that the tool legitimately has to process (a binary file, an FTP directory listing, a file name chosen by the server) can be crafted so that the tool does something the user never asked for, from writing outside the intended directory to running an arbitrary command. The other thing they have in common is that these utilities are part of our standard, trusted toolkit; we all use them every day.

Who knew? Coders who wrote stuff in C back in the day didn't always write code that knew how much was too much of a good thing, or that treated the data it was handed as hostile. Now that we're all looking at problems with bounds checking and input validation in old code, expect to see at least a couple more of these!
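The pattern the ftp and wget bugs share, as an added example in Python (this is not the BSD ftp or wget source, just a simplified illustration of the behaviour described): the server picks the local file name, and the client either treats it as a command or writes through whatever is already sitting at that path. The hardened version treats the name as hostile and creates the file exclusively and without following symlinks. All names and data are constructed for the example.

```python
"""Added example, not the BSD ftp or wget source: the pattern shared by the
ftp-client and wget bugs, where the server chooses the local file name.
save_vulnerable() mimics the ftp behaviour (a leading '|' turns the name
into a shell command) in simplified form; save_hardened() treats the name
as hostile and refuses to write through a pre-planted symlink, which is
what the wget listing bug relies on. All names below are constructed."""
import os
import shutil
import subprocess
import tempfile


def save_vulnerable(directory, name, data):
    """Do NOT use: trusts the server-supplied name, as the old clients did."""
    if name.startswith("|"):
        proc = subprocess.Popen(name[1:], shell=True, stdin=subprocess.PIPE)
        proc.communicate(data)  # the server just ran a command on our box
        return
    with open(os.path.join(directory, name), "wb") as f:  # follows symlinks
        f.write(data)


def safe_local_name(name):
    """Accept only a plain file name: no pipe prefix, no path separators,
    no '.'/'..', no control characters."""
    if not name or name in (".", "..") or name.startswith("|"):
        return False
    if "/" in name or "\\" in name:
        return False
    return all(32 <= ord(c) != 127 for c in name)


def save_hardened(directory, name, data):
    """Validate the name, then create the file exclusively and without
    following symlinks, so a link planted earlier cannot redirect the write."""
    if not safe_local_name(name):
        raise ValueError(f"refusing server-supplied name {name!r}")
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(os.path.join(directory, name), flags, 0o644)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return True


def demo():
    """Exercise save_hardened() in a scratch directory with constructed
    server-chosen names; returns what happened for each case."""
    d = tempfile.mkdtemp()
    try:
        saved = save_hardened(d, "README.txt", b"hello")
        rejected = []
        for name in ("|sh -c id", "../passwd", "etc/passwd", "", "..", "a\x00b"):
            try:
                save_hardened(d, name, b"x")
                rejected.append(False)
            except ValueError:
                rejected.append(True)
        victim = os.path.join(d, "victim")
        with open(victim, "wb") as f:
            f.write(b"original")
        os.symlink(victim, os.path.join(d, "link"))  # pre-planted, as wget's bug allows
        try:
            save_hardened(d, "link", b"overwritten")
            symlink_blocked = False
        except OSError:
            symlink_blocked = True
        with open(victim, "rb") as f:
            victim_intact = f.read() == b"original"
        return {"saved": saved, "all_rejected": all(rejected),
                "symlink_blocked": symlink_blocked, "victim_intact": victim_intact}
    finally:
        shutil.rmtree(d)


if __name__ == "__main__":
    print(demo())
```

The name check and the O_EXCL|O_NOFOLLOW open are independent defences: the first stops the command-injection and traversal cases, the second stops a write being redirected even when the name itself looks harmless.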

===============
Rob VandenBrink
Metafore


Matthew Garrett: On joining the FSF board

This post was syndicated from: Matthew Garrett and was written by: Matthew Garrett. Original post: at Matthew Garrett

I joined the board of directors of the Free Software Foundation a couple of weeks ago. I’ve been travelling a bunch since then, so haven’t really had time to write about it. But since I’m currently waiting for a test job to finish, why not?

It’s impossible to overstate how important free software is. A movement that began with a quest to work around a faulty printer is now our greatest defence against a world full of hostile actors. Without the ability to examine software, we can have no real faith that we haven’t been put at risk by backdoors introduced through incompetence or malice. Without the freedom to modify software, we have no chance of updating it to deal with the new challenges that we face on a daily basis. Without the freedom to pass that modified software on to others, we are unable to help people who don’t have the technical skills to protect themselves.

Free software isn’t sufficient for building a trustworthy computing environment, one that not merely protects the user but respects the user. But it is necessary for that, and that’s why I continue to evangelise on its behalf at every opportunity.

However.

Free software has a problem. It’s natural to write software to satisfy our own needs, but in doing so we write software that doesn’t provide as much benefit to people who have different needs. We need to listen to others, improve our knowledge of their requirements and ensure that they are in a position to benefit from the freedoms we espouse. And that means building diverse communities, communities that are inclusive regardless of people’s race, gender, sexuality or economic background. Free software that ends up designed primarily to meet the needs of well-off white men is a failure. We do not improve the world by ignoring the majority of people in it. To do that, we need to listen to others. And to do that, we need to ensure that our community is accessible to everybody.

That’s not the case right now. We are a community that is disproportionately male, disproportionately white, disproportionately rich. This is made strikingly obvious by looking at the composition of the FSF board, a body made up entirely of white men. In joining the board, I have perpetuated this. I do not bring new experiences. I do not bring an understanding of an entirely different set of problems. I do not serve as an inspiration to groups currently under-represented in our communities. I am, in short, a hypocrite.

So why did I do it? Why have I joined an organisation whose founder I publicly criticised for making sexist jokes in a conference presentation? I’m afraid that my answer may not seem convincing, but in the end it boils down to feeling that I can make more of a difference from within than from outside. I am now in a position to ensure that the board never forgets to consider diversity when making decisions. I am in a position to advocate for programs that build us stronger, more representative communities. I am in a position to take responsibility for our failings and try to do better in future.

People can justifiably conclude that I’m making excuses, and I can make no argument against that other than to be asked to be judged by my actions. I hope to be able to look back at my time with the FSF and believe that I helped make a positive difference. But maybe this is hubris. Maybe I am just perpetuating the status quo. If so, I absolutely deserve criticism for my choices. We’ll find out in a few years.


TorrentFreak: Google Glass Now Banned in US Movie Theaters Over Piracy Fears

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

Google Glass poses a significant threat to the movie industry, Hollywood believes. The advent of the wearable technology has sparked fears that it could be used for piracy.

This January the FBI dragged a man from a movie theater in Columbus, Ohio, after theater staff presumed his wearing of Google Glass was a sign that he was engaged in camcorder piracy.

At the time the MPAA shrugged off the incident as an unfortunate mistake, claiming that it had seen “no proof that it is currently a significant threat that could result in content theft.” This has now changed.

Starting today Google Glass is no longer welcome in movie theaters. The new ban applies to all US movie theaters and doesn’t include an exception for prescription glasses.

The MPAA and the National Association of Theatre Owners (NATO) stress that they welcome technological innovations and recognize the importance of wearables for consumers. However, the piracy enabling capabilities of these devices can’t be ignored.

“As part of our continued efforts to ensure movies are not recorded in theaters, however, we maintain a zero-tolerance policy toward using any recording device while movies are being shown,” MPAA and NATO state.

“As has been our long-standing policy, all phones must be silenced and other recording devices, including wearable devices, must be turned off and put away at show time. Individuals who fail or refuse to put the recording devices away may be asked to leave,” they add.

Cautioning potential pirates, the movie groups emphasize that theater employees will take immediate action when they spot someone with wearable recording devices. Even when in doubt, the local police will be swiftly notified.

“If theater managers have indications that illegal recording activity is taking place, they will alert law enforcement authorities when appropriate, who will determine what further action should be taken.”

The wearable ban is now part of the MPAA’s strict set of anti-piracy practices. These instruct movie theater owners to be on the lookout for suspicious individuals who may have bad intentions.

Aside from the wearables threat, the best practices note that all possible hidden camera locations in the theater should be considered, including cup holders. In addition, employees should be alert for possible concealed recording equipment, as often seen in the movies.

“Movie thieves are very ingenious when it comes to concealing cameras. It may be as simple as placing a coat or hat over the camera, or as innovative as a specially designed concealment device,” it warns.

To increase vigilance among movie theater employees, a $500 bounty is being placed on the heads of those who illegally camcord a movie.


Krebs on Security: How to Tell Data Leaks from Publicity Stunts

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

In an era when new consumer data breaches are disclosed daily, fake claims about data leaks are sadly becoming more common. These claims typically come from fame-seeking youngsters who enjoy trolling journalists and corporations, and otherwise wasting everyone’s time. Fortunately, a new analysis of recent bogus breach claims provides some simple tools that anyone can use to quickly identify fake data leak claims.

The following scenario plays out far too often. E-fame seekers post a fake database dump to a site like Pastebin and begin messaging journalists on Twitter and other social networks, claiming that the dump is “proof” that a particular company has been hacked. Inevitably, some media outlets will post stories questioning whether the company was indeed hacked, and the damage has been done.

Fortunately, there are some basic steps that companies, journalists and regular folk can take to quickly test whether a claimed data leak is at all valid, while reducing unwarranted damage to reputation caused by media frenzy and public concern. The fact-checking tips come in a paper from Allison Nixon, a researcher with Deloitte who — for nearly the past two years — has been my go-to person for vetting public data breach claims.

According to Nixon, the easiest way to check a leak claim is to run a simple online search for several of its components. As Nixon explains, seeking out unique-looking artifacts, such as odd passwords or email addresses, very often reveals that the supposed leak is in fact little more than a recycled leak from months or years prior. While this may seem like an obvious tip, it's appalling how often reporters fail to take even this basic step in fact-checking a breach claim.

A somewhat more advanced test seeks to measure how many of the “leaked” accounts are already registered at the supposedly breached organization. Most online services do not allow two different user accounts to have the same email address, so attempting to sign up for an account using an email address in the claimed leak data is an effective way to test leak claims. If several of the email addresses in the claimed leak list do not already have accounts associated with them at the allegedly breached Web site, the claim is almost certainly bogus.


To determine whether the alleged victim site requires email uniqueness for user accounts, the following test should work: create two different accounts at the service, each using a unique email address. Then attempt to change one account's email address to the other's. If the site disallows that change, no duplicate emails are allowed, and the analysis can proceed.

Importantly, Nixon notes that these techniques only demonstrate a leak is fake — not that a compromise has or hasn’t occurred. One of the sneakier ways that ne’er-do-wells produce convincing data leak claims is through the use of what’s called a “combolist.” With combolists, miscreants will try to build lists of legitimate credentials from a specific site using public lists of credentials from previous leaks at other sites.

This technique works because a fair percentage of users re-use passwords at multiple sites. Armed with various account-checking programs, e-fame seekers can quickly build a list of working credential pairs for any number of sites, and use that information to back up claims that the site has been hacked.

Account checking tools sold on the cybercriminal underground by one vendor.

But according to Nixon, there are some basic patterns that appear in lists of credentials that are essentially culled from combolists.

“Very often, you can tell a list of credentials is from a combolist because the list will be nothing more than username and password pairs, instead of password hashes and a whole bunch of other database information,” Nixon said.

A great example of this came earlier this month when multiple media outlets repeated a hacker’s claim that he’d stolen a database of almost seven million Dropbox login credentials. The author of that hoax claimed he would release on Pastebin more snippets of Dropbox account credentials as he received additional donations to his Bitcoin account. Dropbox later put up a blog post stating that the usernames and passwords posted in that “leak” were likely stolen from other services.
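Two of the checks above, the search for recycled artifacts and the combolist shape test, lend themselves to a first-pass script. The following is an added example, not code from the Krebs post or from Nixon's paper: it parses a pasted dump, measures how many identity:secret pairs already appear in a local index of earlier public leaks, and flags dumps that consist of nothing but plaintext pairs. Every input below is constructed; the thresholds and the hash patterns recognised are assumptions.

```python
"""Added example (not from the Krebs post or Nixon's paper): a first-pass
triage of a claimed credential dump, automating two of the checks the post
describes. All input below is constructed for the example."""
import re

# bcrypt, sha-crypt/md5-crypt, and raw md5/sha1/sha256 hex digests
HASH_RE = re.compile(
    r"^(?:\$2[aby]\$\d\d\$[./A-Za-z0-9]{53}"
    r"|\$(?:1|5|6)\$[^$]+\$[^$]+"
    r"|[0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64})$"
)
EMAIL_RE = re.compile(r"^[^@\s:]+@[^@\s:]+\.[A-Za-z]{2,}$")


def parse_dump(text):
    """Split a dump into rows of ':'-separated fields, skipping blanks and
    manifesto/comment lines (anything with no ':' at all)."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        rows.append(line.split(":"))
    return rows


def shape_stats(rows):
    """How many rows are a bare email:password pair, how many carry a
    recognisable password hash, and which column counts occur."""
    pairs = sum(1 for r in rows
                if len(r) == 2 and EMAIL_RE.match(r[0]) and not HASH_RE.match(r[1]))
    hashed = sum(1 for r in rows if any(HASH_RE.match(f) for f in r))
    return {"rows": len(rows), "pair_rows": pairs,
            "hashed_rows": hashed, "widths": {len(r) for r in rows}}


def looks_like_combolist(rows, threshold=0.9):
    """Nixon's rule of thumb: plaintext username:password pairs and nothing
    else (no hashes, no other database columns) points at a combolist."""
    if not rows:
        return False
    s = shape_stats(rows)
    return s["pair_rows"] / s["rows"] >= threshold and s["hashed_rows"] == 0


def recycled_fraction(rows, prior_pairs):
    """Share of identity:secret pairs already present in earlier public
    leaks: the manual 'search for unique artifacts' check, run against a
    local index of prior dumps instead of a search engine."""
    if not rows:
        return 0.0
    hits = sum(1 for r in rows if len(r) >= 2 and (r[0].lower(), r[1]) in prior_pairs)
    return hits / len(rows)


def vet_claim(text, prior_pairs, recycled_cutoff=0.5):
    """Combine both checks into a verdict. Neither check can prove a breach
    happened; they only show a claim is recycled or combolist-shaped."""
    rows = parse_dump(text)
    recycled = recycled_fraction(rows, prior_pairs)
    combolist = looks_like_combolist(rows)
    if recycled >= recycled_cutoff:
        verdict = "recycled: mostly pairs from earlier public leaks"
    elif combolist:
        verdict = "combolist-shaped: plaintext pairs only, not a database dump"
    else:
        verdict = "not ruled out by these checks; needs the uniqueness test and further vetting"
    return {"verdict": verdict, "recycled_fraction": recycled,
            "combolist": combolist, "rows": len(rows)}


# Constructed index of two earlier, already-public leaks: (email, password).
PRIOR_PAIRS = {
    ("alice@example.com", "hunter2"),
    ("bob@example.net", "letmein1"),
    ("carol@example.org", "Password1"),
    ("dave@example.com", "qwerty99"),
}

# Constructed "new" claim, as it might be pasted: a manifesto line, then pairs.
CLAIMED_LEAK = """\
#OpPaste - 5 million accounts pwned, donate BTC for the rest
alice@example.com:hunter2
bob@example.net:letmein1
carol@example.org:Password1
dave@example.com:qwerty99
erin@example.com:correct-horse
"""

# Constructed dump shaped like a table export: id, email, md5 hash, salt, created.
DB_STYLE_DUMP = """\
1001:alice@example.com:5f4dcc3b5aa765d61d8327deb882cf99:a1b2:2014-02-03
1002:frank@example.com:098f6bcd4621d373cade4e832627b4f6:c3d4:2014-02-04
"""

if __name__ == "__main__":
    for label, text in (("claimed leak", CLAIMED_LEAK), ("db-style dump", DB_STYLE_DUMP)):
        print(label, vet_claim(text, PRIOR_PAIRS))
```

The database-shaped sample deliberately passes both checks: as the post says, these techniques only ever demonstrate that a claim is fake, and a dump that is not recycled and not combolist-shaped still has to go through the email-uniqueness test and the rest of the vetting.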

Other ways of vetting a claimed leak involve more detailed and time-intensive research, such as researching the online history of the hacker who’s making the leak claims.

“If you look at the motivation, it’s mostly ego-driven,” Nixon said. “They want to be a famous hacker. If they have a handle attached to the claim — a name they’ve used before — that tells me that they want a reputation, but that also means I can check their history to see if they have posted fake leaks in the past. If I see a political manifesto at the top of a list of credentials, that tells me that the suspected leak is more about the message and the ego than any sort of breach disclosure.”

Nixon said while attackers can use the techniques contained in her paper to produce higher quality fake leaks, the awareness provided by the document will provide a greater overall benefit to the public than to the attackers alone.

“For the most part, there are a few fake breaches that get posted over and over again on Pastebin,” she said. “There is just a ton of background noise, and I would say only a tiny percentage of these breach claims are legitimate.”

A full copy of the Deloitte report is available here (PDF).

TorrentFreak: Joker is Cool But Not the New Popcorn Time

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

While BitTorrent’s underlying technology has remained mostly unchanged over the past decade, innovators have found new ways to make it more presentable. Torrent clients have developed greatly and private tracker systems such as What.cd’s Gazelle have shown that content can be enhanced with superior cataloging and indexing tools.

This is where Popcorn Time excelled when it debuted earlier this year. While it was the same old torrent content underneath, the presentation was streets ahead of anything seen before. With appetites whetted, enthused BitTorrent fans have been waiting for the next big thing ever since.

Recently news circulated of a new service which in several headlines yesterday was heralded as the new Popcorn Time. Joker.org is a web-based video service with super-clean presentation. Its premise is straightforward: paste in a magnet link or upload a torrent file from your computer, then sit back and enjoy the show.


Not only does Joker work, it does so with elegance. The interface is uncluttered and intuitive and the in-browser window can be expanded to full screen. Joker also provides options for automatically downloading subtitles or uploading your own, plus options for skipping around the video at will.

While these features are enough to please many visitors to the site, the big questions relate to what is going on under the hood.

Popcorn Time, if we’re forced to conduct a comparison, pulls its content from BitTorrent swarms in a way that any torrent client does. This means that the user’s IP address is visible both to the tracker and all related peers. So, has Joker successfully incorporated a torrent client into a web browser to enable live video streaming?

Last evening TF put that question to the people behind Joker who said they would answer “soon”. Hours later though and we’re still waiting so we’ll venture that the short answer is “no”.

Decentralized or centralized? That is the question.

The most obvious clues become evident when comparing the performance of popular and less popular torrents after they’ve been added to the Joker interface. The best seeded torrents not only tend to start immediately but also allow the user to quickly skip to later or earlier parts of the video. This suggests that the video content has been cached already and isn’t being pulled live and direct from peers in a torrent swarm.

Secondly, torrents with fewer seeds do not start instantly. We selected a relatively poorly seeded torrent of TPB AFK and had to wait for the Joker progress bar to wind its way to 100% before we could view the video. That took several minutes, but the video then played super-smoothly, another indication that content is probably being cached.


To be absolutely sure we’d already hooked up Wireshark to our test PC in advance of initiating the TPB AFK download. If we were pulling content from a swarm we might expect to see the IP addresses of our fellow peers sending us data. However, in their place were recurring IP addresses from blocks operated by the same UK ISP hosting the Joker website.
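The inference drawn from the capture above can be automated. The following is an added example, not part of the TorrentFreak article: given the per-source byte counts a capture would yield (here constructed, with documentation and private address ranges standing in for real peers and for the hosting ISP's blocks), it groups senders by /24 and reports how concentrated the inbound bytes are. A genuine swarm spreads bytes over many unrelated prefixes; a cache or relay in front of the swarm concentrates them in a few prefixes belonging to one operator. The thresholds are illustrative.

```python
"""Added example, not part of the TorrentFreak article: automating the
inference drawn from the Wireshark capture. The per-source byte counts and
the "hoster" prefixes below are constructed (documentation and private
address ranges stand in for real peers and for the ISP blocks the article
mentions)."""
import ipaddress
from collections import defaultdict


def bytes_by_prefix(conversations, prefix_len=24):
    """Sum inbound bytes per source prefix (default /24)."""
    totals = defaultdict(int)
    for src, nbytes in conversations:
        net = ipaddress.ip_network(f"{src}/{prefix_len}", strict=False)
        totals[str(net)] += nbytes
    return dict(totals)


def top_share(conversations, prefix_len=24, top=2):
    """Fraction of all bytes carried by the `top` busiest prefixes."""
    totals = bytes_by_prefix(conversations, prefix_len)
    total = sum(totals.values())
    if total == 0:
        return 0.0
    return sum(sorted(totals.values(), reverse=True)[:top]) / total


def hoster_share(conversations, hoster_nets):
    """Fraction of bytes that came from the service operator's own blocks."""
    nets = [ipaddress.ip_network(n) for n in hoster_nets]
    total = sum(n for _, n in conversations)
    if total == 0:
        return 0.0
    hosted = sum(n for src, n in conversations
                 if any(ipaddress.ip_address(src) in net for net in nets))
    return hosted / total


def classify(conversations, hoster_nets, threshold=0.9):
    """Three-way verdict; the thresholds are illustrative, not tuned."""
    concentrated = top_share(conversations) >= threshold
    if concentrated and hoster_share(conversations, hoster_nets) >= threshold:
        return "cached/relayed by the service"
    if top_share(conversations) < 0.5:
        return "direct from swarm peers"
    return "inconclusive"


# Constructed: the web service lives in these two (documentation) blocks.
HOSTER_NETS = ["203.0.113.0/24", "198.51.100.0/24"]

# Constructed capture summaries: (source address, bytes received from it).
CACHED_PLAYBACK = [
    ("203.0.113.10", 400_000_000),
    ("203.0.113.11", 350_000_000),
    ("198.51.100.5", 120_000_000),
    ("192.0.2.77", 1_200),            # a tracker response, nothing more
]
SWARM_DOWNLOAD = [(f"10.{i}.0.{i}", 20_000_000 + i * 1_000) for i in range(1, 9)]
SWARM_DOWNLOAD.append(("198.51.100.9", 1_500))   # the site's own API chatter

if __name__ == "__main__":
    for label, conv in (("cached", CACHED_PLAYBACK), ("swarm", SWARM_DOWNLOAD)):
        print(label, round(top_share(conv), 3), classify(conv, HOSTER_NETS))
```

In practice the conversation rows come from the capture's IPv4 conversation statistics, and the operator's prefixes from a whois or route lookup on the addresses that keep recurring.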

Conclusion

Joker is a nice website that does what it promises extremely well and to be fair to its creators they weren’t the ones making the Popcorn Time analogies. However, as a free service Joker faces a dilemma.

By caching video itself the site is bound by the usual bandwidth costs associated with functionally similar sites such as YouTube. While Joker provides greater flexibility (users can order it to fetch whichever content they like) it still has to pump video directly to users after grabbing it from torrent swarms. This costs money and at some point someone is going to have to pay.

In contrast, other than running the software download portal and operating the APIs, Popcorn Time has no direct video-related bandwidth costs since the user’s connection is being utilized for transfers. The downside is that users’ IP addresses are visible to the outside world, a problem Joker users do not have.

Finally and to address the excited headlines, comparing Joker to Popcorn Time is premature. The site carries no colorful and easy to access indexes of movies which definitely makes it a lot less attractive to newcomers. That being said, this lack of content curation enhances Joker’s legal footing.

Overall, demand is reportedly high. The developers told TF last evening that they were “overloaded” and were working hard to fix issues. Currently the service appears stable. Only time will tell how that situation develops.


TorrentFreak: Dotcom Tries To Reclaim Millions Seized in Hong Kong

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

For many months the New Zealand courts have been dealing with the thorny issue of Kim Dotcom. The entrepreneur’s case has traversed the legal system, with claim and counterclaim, decision followed by appeal.

The key topic of Dotcom’s possible extradition to the United States aside, much of the courtroom action has centered around the Megaupload founder’s assets. On the one hand Dotcom has been trying to reclaim his property, and on the other United States-based entertainment companies have been trying to lock it down in preparation for any future damages payout.

But as the fight simmers in New Zealand and largely stalls in the U.S., Dotcom’s legal representatives are fighting to reestablish control of his wealth in a third territory.

Over in Hong Kong, lawyers for Dotcom are attempting to take back HK$330 million (US$42.55m) in assets that were seized by local authorities when Megaupload was shut down in January 2012.

While Dotcom’s servers were being sealed off in the United States and his mansion raided in New Zealand, the Megaupload chief’s Hong Kong offices were being raided by 100 customs officers following allegations of copyright infringement and money laundering.

The seized assets are being held under a restraining order but Dotcom’s legal team are arguing that it should be set aside. In April 2014, Megaupload initiated legal action against the government and now its legal team is accusing the secretary for justice of failing to provide a “full and frank disclosure” of the facts when the application for seizure was made.

“We are applying for [the order] to be set aside because the court has misrepresented the true position,” Dotcom lawyer Gerard McCoy SC told SCMP yesterday.

In a feature that has become a hallmark of the pre-shutdown activity surrounding Megaupload, the Hong Kong restraining order was made ex parte, meaning that the defendants in the case were not allowed to put their side of the story. Dotcom's lawyers say that in such circumstances the prosecution is under an obligation to exercise additional caution.

“Did the secretary for justice put his cards on the table face up? This application is a clear example of the duty either being ignored or simply misunderstood,” McCoy said.

According to the lawyer the prosecution deliberately withheld crucial information from the court when applying for the restraining order, not least the fact that Megaupload could not be served with a criminal complaint in the United States as it did not have a US mailing address.

“None of this was ever brought to the attention of the judge. It was all put to one side and never raised,” McCoy said.

In an interview with TorrentFreak in December 2011 before the raid, Dotcom spoke warmly of Hong Kong. “I should write a book about doing business in Hong Kong, that’s how good it is,” he said. “People there leave you alone and they are happy for your success.”

But according to McCoy, one month later the fate of Dotcom, his co-defendants, and his Megaupload empire was sealed in a matter of minutes.

“In about six or seven minutes, the applicant has dealt with the position of nine defendants and managed to freeze a massive amount of money. There is not one word about Megaupload, not a jot, not a tittle,” he told the court.

If the case goes in Dotcom’s favor there could be big implications for the entrepreneur. Not only could he regain tens of millions of dollars in wealth, but he could also be in a position to file a multi-billion dollar civil claim for damages. Before its shutdown, Megaupload was valued at a cool two billion dollars.


The Hacker Factor Blog: We Know You’re A Dog

This post was syndicated from: The Hacker Factor Blog and was written by: The Hacker Factor Blog. Original post: at The Hacker Factor Blog

Usually when I read about “new” findings in computer security, they are things that I’ve known about for years. Car hacking, parasitic file attachments, and even changes in phishing and spamming. If you’re active in the computer security community, then most of the public announcements are probably not new to you. But Wired just reported on something that I had only learned about a few months ago.

I had previously mentioned that I was looking for alternate ways to ban users who violate the FotoForensics terms of service. Specifically, I’m looking at HTTP headers for clues to identify if the web client is using a proxy.

One of the things I discovered a few months ago was the “X-UIDH” header that some web clients send. As Wired and Web Policy mentioned, Verizon is adding this header to HTTP requests that go over their network and it can be used to track users.

Miswired

As is typical for Wired, they didn’t get all of the details correct.

  • Wired says that the strings are “about 50 letters, numbers, and characters”. I’ve only seen 56 and 60 character sequences. The data appears to be a base64-encoded binary set. If you base64 decode the sequence, then you’ll see that it begins with a text number, like “379612345”, and it is null-terminated. I don’t know what this is, but it is unique per account. It could be the user’s account number. After that comes a bunch of binary data that I have not yet decoded.
  • Wired says that the string follows the user. This is a half-truth. If you change network addresses, then only the first part of the base64 X-UIDH value stays the same. The rest changes. If services only store the X-UIDH string, then they will not be tracking you. But if they decode the string and use the decoded number, then services can track you regardless of your Verizon-assigned network address.
  • Wired makes it sound like Verizon adds the header to most Verizon clients. However, it isn’t added by every Verizon service. I’ve only seen this on some Verizon Wireless networks. Users with FiOS or other Verizon services do not get exposed by this added header. And even people who use Verizon Wireless may not have it added, depending on their location. If your dynamically assigned hostname says “myvzw.com”, then you might be tagged. But if it isn’t, then you’re not.
  • The X-UIDH header is only added when the web request uses HTTP. I have not seen it added to any HTTPS headers. However, most web services use HTTP. And even services like eBay and Paypal load some images with HTTP even when you use HTTPS to connect to the service. So this information will be leaked.

The Wired article focused on how this can be used by advertisers. However, it can also be used by banks as part of a two-part authentication: something you know (your username and password) and something you are (your Verizon account number).

Personally, I’ve been planning to use it for a much more explicit purpose. I’ve mentioned that I am legally required to report people who upload child porn to my server. And while I am usually pro-privacy, I don’t mind reporting these people because there is a nearly one-to-one relationship between people who have child porn and people who abuse children. So… wouldn’t it be wonderful if I could also provide their Verizon account number along with my required report? (Let’s make it extremely easy for the police to make an arrest.)

Unique, and yet…

One other thing that Wired and other outlets failed to mention is that Verizon isn’t the only service that does this kind of tracking. Verizon adds in an “X-UIDH” header. But they are not alone. Two other examples are Vodafone and AT&T. Vodafone inserts an X-VF-ACR header and AT&T Mobility LLC (network AS20057) adds in an “x-acr” header. These headers can be used for the same type of user-specific tracking and identification.

And it isn’t even service providers. If your web antivirus software performs real-time network scanning, then there’s a good chance that it is adding in unique headers that can be used to track you. I’ve even identified a few headers that are inserted by specific nation-states. If I see the presence of certain HTTP headers, then I immediately know the country of origin. (I’m not making this info public yet because I don’t want Syria to change the headers. Oops…)
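The two observations above (the X-UIDH value is base64 whose decoded form starts with a null-terminated number, and Vodafone and AT&T insert their own X-VF-ACR and x-acr headers) can be turned into a small audit script for traffic you control, for instance a server log or a proxy you run on your own devices. The following is an added example, not code from the Hacker Factor Blog: it parses a plaintext HTTP request head, reports any of the three carrier headers named in the post, and for X-UIDH extracts the leading null-terminated digit field that the post says stays constant across network addresses. The request, the 42-byte payload and the account-like number in it are constructed for the example; they are not real values.

```python
import base64
import binascii

# Carrier-inserted tracking headers named in the post, lowercased for matching.
TRACKING_HEADERS = {
    "x-uidh": "Verizon Wireless",
    "x-vf-acr": "Vodafone",
    "x-acr": "AT&T Mobility",
}

# Constructed X-UIDH-style value: a null-terminated decimal field followed by
# opaque bytes. 42 raw bytes base64-encode to 56 characters, one of the two
# lengths the post reports. The number is made up, not a real account id.
SAMPLE_UIDH = base64.b64encode(b"123456789\x00" + bytes(range(0x10, 0x30))).decode("ascii")

# Constructed plaintext HTTP request, as a server (or a proxy you run) would see it.
SAMPLE_REQUEST = (
    "GET /upload HTTP/1.1\r\n"
    "Host: example.com\r\n"
    "User-Agent: ExampleBrowser/1.0\r\n"
    f"X-UIDH: {SAMPLE_UIDH}\r\n"
    "\r\n"
)


def parse_request_headers(raw):
    """Split an HTTP/1.x request head into a {lowercased-name: value} dict."""
    headers = {}
    for line in raw.split("\r\n")[1:]:   # skip the request line
        if line == "":                   # blank line ends the header block
            break
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def stable_prefix(value):
    """Return the leading null-terminated digit string of an X-UIDH value
    (the part the post observed staying constant across network addresses),
    or None if the value does not have that shape."""
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None
    head, nul, _rest = raw.partition(b"\x00")
    if not nul or not head.isdigit():
        return None
    return head.decode("ascii")


def find_tracking_headers(raw_request):
    """List carrier tracking headers present in a plaintext request."""
    headers = parse_request_headers(raw_request)
    findings = []
    for name, carrier in TRACKING_HEADERS.items():
        if name not in headers:
            continue
        finding = {"header": name, "carrier": carrier, "value": headers[name]}
        if name == "x-uidh":
            finding["stable_prefix"] = stable_prefix(headers[name])
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for finding in find_tracking_headers(SAMPLE_REQUEST):
        print(finding)
```

Because the headers are injected by the carrier, the script only ever sees them on plaintext HTTP, which matches the post’s observation that HTTPS requests are not tagged; the same logic can be pointed at access logs that record request headers.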

Business as usual

For over a decade, it has been widely known in the security field that users can be tracked based on their HTTP headers. In fact, the EFF has an online test that determines how unique your HTTP header is. (The EFF also links to a paper on this topic.) According to them, my combination of operating system, time zone, web browser, and browser settings makes my system “unique among the 4,645,400 tested so far.” Adding in yet-another header doesn’t make me more unique.

When I drive my car, I am in public. People can see my car and they can see me. While I believe that the entire world isn’t watching me, I am still in public. My car’s make and model is certainly not unique, but the various scratches and dents are. When I drive to my favorite restaurant, they know it is me before I get out of the car. By the same means, my HTTP header is distinct. For some uses, it is even unique. When I visit my favorite web sites, they can identify me by my browser’s HTTP header.

Continuing with this analogy, my car has a license plate. Anyone around me can see it and it is unique. With the right software, someone can even identify “me” from my license plate. Repainting my car doesn’t change the license plate. These unique tracking IDs that are added by various ISPs are no different from a license plate. The entire world may not be able to see it, but anywhere you go, it goes with you and it is not private.

The entire argument that these IDs violate online privacy is flawed. You never had privacy to begin with. Moreover, these unique tags do not make you any more exposed or any more difficult to track. And just as you can take specific steps to reduce your traceability in public, you still have options to reduce your traceability online.

Errata Security: No evidence feds hacked Attkisson

This post was syndicated from: Errata Security and was written by: Robert Graham. Original post: at Errata Security

Former CBS journalist Sharyl Attkisson is coming out with a book claiming the government hacked her computer in order to suppress reporting on Benghazi. None of her “evidence” is credible. Instead, it’s bizarre technobabble. Maybe her book is better, but those with advance copies quoting excerpts make it sound like the worst “ninjas are after me” conspiracy theory.

Your electronics are not possessed by demons

Technology doesn’t work by magic. Each symptom has a specific cause.

Attkisson says “My television is misbehaving. It spontaneously jitters, mutes, and freeze-frames”. This is not a symptom of hackers. Instead, it’s a common consumer complaint caused by the fact that cables leading to homes (and inside the home) are often bad. My TV behaves like this on certain channels.

She says “I call home from my mobile phone and it rings on my end, but not at the house”, implying that her phone call is being redirected elsewhere. This is a common problem with VoIP technologies. Old analog phones echoed back the ring signal, so the other side had to actually ring for you to hear it. New VoIP technologies can’t do that. The ringing is therefore simulated and has nothing to do with whether it’s ringing on the other end. This is a common consumer complaint with VoIP systems, and is not a symptom of hacking.

She says that her alarm triggers at odd hours in the night. Alarms work over phone lines and will trigger when power is lost on the lines (such as when an intruder cuts them). She implies that the alarm system goes over the VoIP system on the FiOS box. The FiOS box losing power or rebooting in the middle of the night can cause this. This is a symptom of hardware troubles on the FiOS box, or Verizon maintenance updating the box, not hackers.

She says that her computer made odd “Reeeeee” noises at 3:14am. That’s common. For one thing, when computers crash, they’ll make this sound. I woke two nights ago to my computer doing this, because the WiMax driver crashed, causing the CPU to peg at 100%, causing the computer to overheat and for the fan to whir at max speed. Other causes could be the nightly Timemachine backup system. This is a common symptom of bugs in the system, but not a symptom of hackers.

It’s not that hackers can’t cause these problems, it’s that they usually don’t. Even if hackers have thoroughly infested your electronics, these symptoms are still more likely to be caused by normal failure than by the hackers themselves. Moreover, even if a hacker caused any one of these symptoms, it’s insane to think they caused them all.

Hacking is not sophisticated

There’s really no such thing as a “sophisticated hack”. That’s a fictional trope, used by people who don’t understand hacking. It’s like how people who don’t know crypto use phrases like “military grade encryption” — no such thing exists, the military’s encryption is usually worse than what you have on your laptop or iPhone.

Hacking is rarely sophisticated because the simplest techniques work. Once I get a virus onto your machine, even the least sophisticated one, I have full control. I can view/delete all your files, view the contents of your screen, control your mouse/keyboard, turn on your camera/microphone, and so on. Also, it’s trivially easy to evade anti-virus protection. There’s no need for me to do anything particularly sophisticated.

We experts are jaded and unimpressed. Sure, we have experience with what’s normal hacking, and might describe something as abnormal. But here’s the thing: every hack I’ve seen has had something abnormal about it. Something strange that I’ve never seen before doesn’t make a hack “sophisticated”.

Attkisson quotes an “expert” using the pseudonym “Jerry Patel” saying that the hack is “far beyond the abilities of even the best nongovernment hackers”. Government hackers are no better than nongovernment ones — they are usually a lot worse. Hackers can earn a lot more working outside government. Government hackers spend most of their time on paperwork, whereas nongovernment hackers spend most of their time hacking. Government hacker skills atrophy, while nongovernment hackers get better and better.

That’s not to say government hackers are crap. Some are willing to forgo the larger paycheck for a more stable job. Some are willing to put up with the nonsense in government in order to be able to tackle interesting (and secret) problems. There are indeed very good hackers in government. It’s just that it’s foolish to assume that they are inherently better than nongovernmental ones. Anybody who says so, like “Jerry Patel”, is not an expert.

Contradictory evidence

Attkisson quotes one expert as saying intrusions of this caliber are “far beyond the abilities of even the best nongovernment hackers”, while at the same time quoting another expert saying the “ISP address” is a smoking gun pointing to a government computer.

Both can’t be true. Hiding one’s IP address is the first step in any hack. You can’t simultaneously believe that these are the most expert hackers ever for deleting log files, but that they make the rookie mistake of using their own IP address rather than anonymizing it through Tor or a VPN. It’s almost always the other way around: everyone (except those like the Chinese who don’t care) hides their IP address first, and some forget to delete the log files.

Attkisson quotes experts saying non-expert things. Patel’s claims about logfiles and government hackers are false. Don Allison’s claims about IP addresses being a smoking gun are false. It may be that the people she’s quoting aren’t experts, or that her ignorance causes her to misquote them.

Technobabble

Attkisson quotes an expert as identifying an “ISP address” of a government computer. That’s not a term that has any meaning. He probably meant “IP address” and she’s misquoting him.

Attkisson says “Suddenly data in my computer file begins wiping at hyperspeed before my very eyes. Deleted line by line in a split second”. This doesn’t even make sense. She claims to have videotaped it, but if this is actually a thing, it sounds more like something kids do to scare people, not what real “sophisticated” hackers do.

So far, none of the quotes I’ve read from the book use any technical terminology that I, as an expert, feel comfortable with.

Lack of technical details

We don’t need her quoting (often unnamed) experts to support her conclusion. Instead, she could just report the technical details.

For example, instead of quoting what an expert says about the government IP address, she could simply report the IP address. If it’s “75.748.86.91”, then we can judge for ourselves whether it’s the address of a government computer. That’s important because nobody I know believes that this would be a smoking gun — maybe if we knew more technical details she could change our minds.

Maybe that’s in her book, along with pictures of the offending cable attached to the FiOS ONT, or the pictures of her screen deleting at “hyperspeed”. So far, though, none of those with advance copies have released these details.

Lastly, she’s muzzled the one computer security “expert” that she named in the story so he can’t reveal any technical details, or even defend himself against charges that he’s a quack.

Conclusion

Attkisson’s book isn’t out yet. The source material for this post is from those with advance copies quoting her [1][2]. But everything quoted so far is garbled technobabble from fiction rather than hard technical facts.


Disclosure: Some might believe this post is from political bias instead of technical expertise. The opposite is true. I’m a right-winger. I believe her accusations that CBS put a left-wing slant on the news. I believe the current administration is suppressing information about the Benghazi incident. I believe journalists with details about Benghazi have been both hacked and suppressed. It’s just that in her case, her technical details sound like a paranoid conspiracy theory.

Monty says: MariaDB foundation trademark agreement

This post was syndicated from: Monty says and was written by: Michael "Monty" Widenius. Original post: at Monty says

We have now published the trademark agreement between the MariaDB Corporation (formerly SkySQL) and the MariaDB Foundation. This agreement guarantees that MariaDB Foundation has the rights needed to protect the MariaDB server project!

With this protection, I mean to ensure that the MariaDB Foundation in turn ensures that anyone can be part of MariaDB development on equal terms (like with any other open source project).

I have received some emails and read some blog posts from people who are confusing trademarks with the rights and possibilities for community developers to be part of an open source project.

The MariaDB foundation was never created to protect the MariaDB trademark. It was created to ensure that what happened to MySQL would never happen to MariaDB: That people from the community could not be part of driving and developing MySQL on equal terms as other companies.

I have personally never seen a conflict with having one company own the trademark of an open source product, as long as anyone can participate in the development of the product! Having a strong driver for an open source project usually ensures that there are more full-time developers working on a project than would otherwise be possible. This makes the product better and makes it useful for more people. In most cases, people are participating in an open source project because they are using it, not because they directly make money on the project.

This is certainly the case with MySQL and MariaDB, but also with other projects. If the MySQL or the MariaDB trademark would have been fully owned by a foundation from a start, I think that neither project would have been as successful as they are! More about this later.

Some examples of open source projects that have the trademark used or owned by a commercial parent company are WordPress (wordpress.com and WordPress.org) and Mozilla.

Even when it comes to projects like Linux that are developed by many companies, the trademark is not owned by the Linux Foundation.

There has been some concern that MariaDB Corporation has more developers and Maria captains (people with write access to the MariaDB repositories) on the MariaDB project than anyone else. This means that the MariaDB Corporation has more say about the MariaDB roadmap than anyone else.

This is right and actually how things should be; the biggest contributors to a project are usually the ones that drive the project forward.

This doesn’t, however, mean that no one else can join the development of the MariaDB project and be part of driving the road map.

The MariaDB Foundation was created exactly to guarantee this.

It’s the MariaDB Foundation that governs the rules of how the project is developed, under what criteria one can become a Maria captain, the rights of the Maria captains, and how conflicts in the project are resolved.

Those rules are not yet fully defined, as we have had very few conflicts when it comes to accepting patches. The work on these rules has been initiated and I hope that we’ll have nice and equal rules in place soon. In all cases the rules will be what you would expect from an open source project. Any company that wants to ensure that MariaDB will continue to be a free project and wants to be part of defining the rules of the project can join the MariaDB Foundation and be part of this process!

Some of the things that I think went wrong with MySQL and would not have happened if we had created a foundation similar to the MariaDB Foundation for MySQL early on:

  • Claims that companies like Google and Ebay can’t get their patches into MySQL if they don’t pay (this was before MySQL was bought by Sun).
  • Closed source components in MySQL, developed by the company that owns the trademark to MySQL (almost happened to MySQL in Sun and has happened in MySQL Enterprise from Oracle).
  • Not giving community access to the roadmap.
  • Not giving community developers write access to the official repositories of MySQL.
  • Hiding code and critical test cases from the community.
  • No guarantee that a patch will ever be reviewed.

The MariaDB Foundation guarantees that the above things will never happen to MariaDB. In addition, the MariaDB Foundation employs people to perform reviews, provide documentation, and work actively to incorporate external contributions into the MariaDB project.

This doesn’t mean that anyone can push anything into MariaDB. Any changes need to follow project guidelines and need to be reviewed and approved by at least one Maria captain. Also no MariaDB captain can object to the inclusion of a given patch except on technical merits. If things can’t be resolved among the captains and/or the user community, the MariaDB Foundation has the final word.

I claimed earlier that MariaDB would never have been successful if the trademark had been fully owned by a foundation. The reason I can claim this is that we tried to do it this way and it failed! If we would have continued on this route MariaDB would probably be a dead project today!

To be able to understand this, you will need a little background in MariaDB history. The main points are:

  • Some parts of the MariaDB team and I left Sun in February 2009 to work on the Maria storage engine (now renamed to Aria).
  • Oracle started to acquire Sun in April 2009.
  • Monty Program Ab then hired the rest of the MariaDB engineers and started to focus on MariaDB.
  • I was part of founding SkySQL in July 2010, as a home for MySQL support, consultants, trainers, and sales people.
  • The MariaDB Foundation was announced in November 2012.
  • Monty Program Ab and SkySQL Ab joined forces in April 2013.
  • SkySQL Ab renamed itself to MariaDB Corporation in October 2014.

During the 4 years before the MariaDB foundation was formed, I had contacted most of the big companies that used MySQL to thank them for their success and to ask them to be part of MariaDB development. The answers were almost all the same:

“We are very interested in you succeeding, but we can’t help you with money or resources until we are using MariaDB ourselves. This is only going to happen when you have proved that MariaDB will take over MySQL.”

It didn’t help that most of the companies that used to pay for MySQL support had gotten scared of MySQL being sold to Oracle and had purchased 2-4 year support contracts to protect themselves against sudden price increases in MySQL support.

In May 2012, after 4 years and close to 4 million Euros of my own money spent to make MariaDB possible, I realized that something would have to change.

I contacted some of the big technology companies in Silicon Valley and asked if they would be interested in being part of creating a MariaDB Foundation, where they could play bigger roles. The idea was that all the MariaDB developers from Monty Program Ab, the MariaDB trademark and other resources would move to the foundation. For this to happen, I needed guarantees that the foundation would have resources to pay salaries to the MariaDB developers for at least the next 5 years.

In the end two companies showed interest in doing this, but after months of discussions they both said that “now was not yet the right time to do this”.

In the end I created the MariaDB Foundation with a smaller role, just to protect the MariaDB server, and got some great companies to support our work:

  • Booking.com
  • SkySQL (2 years!)
  • Parallels (2 years!)
  • Automattic
  • Zenimax

There were also some smaller donations from a variety of companies.

See the whole list at https://mariadb.org/en/supporters.

During this time, SkySQL had become the biggest supporter of MariaDB and also the biggest customer of Monty Program Ab. SkySQL provided front line support for MySQL and MariaDB and Monty Program Ab did the “level 3” support (bug fixes and enhancements for MariaDB).

In the end there were only two ways to go forward to secure the financing of the MariaDB project:

a) Get investors for Monty Program Ab
b) Sell Monty Program Ab.

Note that neither of the above options would have been possible if Monty Program Ab had not owned the MariaDB trademark!

Selling to SkySQL was in the end the right and logical thing to do:

  • They have good investors who are committed to SkySQL and MariaDB.
  • Most of the people in the two companies already know each other as most come from the old MySQL team.
  • The MariaDB trademark was much better known than SkySQL, and owning it would make it much easier for SkySQL to expand their business.
  • As SkySQL was the biggest supporter of the MariaDB project this felt like the right thing to do.

However, to ensure the future of the MariaDB project, SkySQL and Monty Program Ab both agreed that the MariaDB Foundation was critically needed and we had to put a formal trademark agreement in place. Until now there was just a verbal promise for the MariaDB trademarks to the foundation and we had to do this legally right.

For a lot of reasons too boring to bring up here, this took much longer than expected. You can find the trademark agreement publicly available here.

However, now this is finally done and I am happy to say that the future of MariaDB, as an open source project, is protected and there will never again be a reason for me to fork it!

So feel free to join the MariaDB project, either as a developer or community contributor or as a member of the MariaDB Foundation!

Errata Security: The deal with the FTDI driver scandal

This post was syndicated from: Errata Security and was written by: Robert Graham. Original post: at Errata Security

The FTDI driver scandal is in the news, so I thought I’d write up some background, and show what a big deal this is.

Devices are connected to your computer using a serial port. Such devices include keyboards, mice, flash drives, printers, your iPhone, and so on. The original serial port standard called RS232 was created in 1962. It got faster over the years (75-bps to 115-kbps), but ultimately, the technology became obsolete.

In 1998, the RS232 standard was replaced by the new USB standard. Not only is USB faster (a million times so), it’s more complex and smarter. The initials stand for “Universal Serial Bus”, and it truly is universal. Not only does your laptop have USB ports on the outside for connecting to things like flash drives, it interconnects much of the things on the inside of your computer, such as your keyboard, Bluetooth, SD card reader, and camera.

What FTDI sells is a chip that converts between the old RS232 and the new USB. It allows old devices to be connected to modern computers. Even new devices come with RS232 instead of USB simply because it’s simple and reliable.

The FTDI chip is a simple device that goes for about $2. While there are competitors (such as Silicon Labs), FTDI is by far the most popular vendor of RS232-to-USB converters. This $2 may sound cheap, but it is relatively expensive for small devices which cost less than $50. That $2 is often greater than the profit margin on the entire device. Therefore, device manufacturers have a strong incentive to find cheaper alternatives.

That’s where clones come in. While FTDI sells them for $2, the raw chips cost only pennies to manufacture. Clone chips are similarly cheap to manufacture, and can be sold for a fraction of FTDI’s price. On Alibaba, people are advertising “real” FTDI chips for between $0.10 and $1 apiece, with the FTDI logo on the outside and everything. They are, of course, counterfeits.

FTDI is understandably upset about this. They have to sell millions of chips to make back development and support costs, which they can’t do with clones undercutting them.

FTDI’s strategy was to release a driver update that intentionally disabled the clone chips. Hardware devices in a computer need software drivers to operate. Clone chips use the same drivers from FTDI. Therefore, FTDI put code in their software that attacked the clones, disabling them. The latest FTDI driver through Windows Update contains this exploit. If your computer automatically updates itself, it may have downloaded this new driver.

Every USB device comes with a vendor identifier (VID) and a product identifier (PID). It’s these two numbers that tell operating systems like Windows or Linux which driver to load. What FTDI did was reprogram these numbers to zero. This, in effect, ruined the devices. From that point on, they can no longer be recognized, either by FTDI’s driver or any other. In theory, somebody could write software that reprogrammed them back to the original settings, but for the moment, they are bricked (meaning, the hardware is no more useful than a brick).
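To make the VID/PID matching concrete from the defender’s side, here is an added example (not from Errata Security or FTDI) that does what an operating system’s driver binding does in miniature and then uses it to triage a USB inventory after a driver update: every device line is parsed, an exact (VID, PID) match binds a driver, and a device whose ID has been zeroed (the symptom described above) is flagged because it can never match any driver table. The driver table, the lsusb-style lines and the “abcd:1234” hub are constructed for the example; 0403:6001 is FTDI’s widely listed VID:PID for the FT232 family, which the post does not state and is assumed here from public USB ID listings.

```python
import re

# Minimal driver-binding table of the kind an OS consults: (VID, PID) -> driver.
# 0403:6001 is FTDI's widely listed VID:PID for the FT232 family (assumption:
# not stated on the page). The table is constructed for this example.
DRIVER_TABLE = {
    (0x0403, 0x6001): "ftdi_sio",
}

# One lsusb-style line: "Bus 001 Device 002: ID 0403:6001 <description>"
LSUSB_LINE = re.compile(
    r"^Bus (\d{3}) Device (\d{3}): ID ([0-9a-fA-F]{4}):([0-9a-fA-F]{4})(?:\s+(.*))?$"
)

# Constructed inventory: a healthy FT232, a device whose PID was zeroed, and an
# unrelated device with a made-up ID. None of these lines come from a real host.
SAMPLE_LSUSB = """\
Bus 001 Device 002: ID 0403:6001 Future Technology Devices International, Ltd FT232 Serial (UART) IC
Bus 001 Device 003: ID 0403:0000
Bus 002 Device 004: ID abcd:1234 Example Hub (constructed)
"""


def parse_lsusb(text):
    """Turn lsusb-style output into a list of device dicts with integer IDs."""
    devices = []
    for line in text.splitlines():
        m = LSUSB_LINE.match(line.strip())
        if not m:
            continue
        bus, dev, vid, pid, desc = m.groups()
        devices.append({
            "bus": int(bus), "device": int(dev),
            "vid": int(vid, 16), "pid": int(pid, 16),
            "desc": desc or "",
        })
    return devices


def classify(device):
    """Mimic driver selection: an exact (VID, PID) match binds a driver; a
    zeroed ID can never match and is flagged for follow-up."""
    key = (device["vid"], device["pid"])
    if key in DRIVER_TABLE:
        return "bound", DRIVER_TABLE[key]
    if device["vid"] == 0 or device["pid"] == 0:
        return "zeroed-id", None
    return "no-driver", None


def triage(text):
    """Return (bus, device, 'vvvv:pppp', status, driver) for every parsed line."""
    rows = []
    for d in parse_lsusb(text):
        status, driver = classify(d)
        rows.append((d["bus"], d["device"], f"{d['vid']:04x}:{d['pid']:04x}", status, driver))
    return rows


if __name__ == "__main__":
    for row in triage(SAMPLE_LSUSB):
        print(*row)
```

Run against the output of a real inventory tool, a non-empty “zeroed-id” list after a driver rollout is the signal to stop the rollout and pull the affected devices before they reach equipment that depends on them.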

This can have a devastating effect. One place that uses RS232 heavily is industrial control systems, the sort of thing that controls the power grid. This means installing the latest Windows update on one of these computers could mean blacking out an entire city.

FTDI’s actions are unprecedented. Never before has a company released a driver that deliberately damages hardware. Bad driver updates are common. Counterfeits aren’t perfect clones, therefore a new driver may fail to work properly, either intentionally or unintentionally. In such cases, users can simply go back to the older, working driver. But when FTDI changes the hardware, the old drivers won’t work either. Because the VID/PIDs have been reprogrammed, the operating system can no longer figure out which drivers to load for the device.

Many people have gotten upset over this, but it’s a complex debate.

One might think that the evil buyers of counterfeits are getting what they deserve. After all, satellite TV providers have been known to brick counterfeit access cards. But there is a difference. Buyers of satellite cards know they are breaking the rules, whereas buyers of devices containing counterfeit chips don’t. Most don’t know what chips are inside a device. Indeed, many times even the manufacturers don’t know the chips are counterfeit.

On the other hand, ignorance of the law is no excuse. Customers buying devices with clone chips harm FTDI whether they know it or not. They have the responsibility to buy from reputable vendors. It’s not FTDI’s fault that the eventual end customer chose poorly.

It rankles that FTDI would charge $2 for a chip that costs maybe $0.02 to manufacture, but it costs money to develop such chips. It likewise costs money to maintain software drivers for over 20 operating systems, ranging from Windows to Linux to VxWorks. It can easily cost $2 million for all this work, while selling only one million chips. If companies like FTDI cannot get a return on their investment in RND, then there will be a lot less RND — and that will hurt all of us.

One way to protect RND investment is draconian intellectual-property laws. Right now, such laws are a cure that’s worse than the disease. The alternative to bad laws is to encourage companies like FTDI to protect themselves. What FTDI did is bad, but at least nobody held a gun to anybody’s head.

Counterfeits have another problem: they are dangerous. From nuclear control systems to airplane navigation systems to medical equipment, electronics are used in places where failure costs human lives. These systems are validated using the real chips. Replacing them with counterfeits can lead to human lives lost. However, counterfeit chips have been widespread for decades with no documented loss of life, so this danger is so far purely theoretical.

Separate from the counterfeit issue is the software update issue. In the last decade we’ve learned that software is dynamic. It must be updated on a regular basis. You can’t deploy a device and expect it to run unmodified for years. That’s because hackers regularly find flaws in software, even simple drivers, so they must be patched to prevent hacker intrusions. Many industries, such as medical devices and industrial control systems, are struggling with this concept, putting lives at risk due to hackers because they are unwilling to put lives at (lesser) risk when changing software. They need more trust in the software update process. However, this action by FTDI has threatened that trust.

Conclusion

As a typical Libertarian, I simultaneously appreciate the value of protecting RND investments while hating the current draconian government regime of intellectual property protection. Therefore, I support FTDI’s actions. On the other hand, this isn’t full support — there are problems with their actions.


Update: As Jose Nazario points out, when Microsoft used Windows Update to disable pirated copies of WinXP, pirates stopped updating to fix security flaws. This resulted in hackers breaking into desktops all over the Internet, endangering the rest of us. Trust in updates is a big thing.

TorrentFreak: RIAA: The Pirate Bay Assaults Fundamental Human Rights

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

Following in the footsteps of Hollywood’s MPAA, the RIAA has now submitted its overview of “notorious markets” to the Office of the US Trade Representative (USTR).

These submissions help to guide the U.S. Government’s position toward foreign countries when it comes to copyright enforcement. The RIAA’s report (odt) includes more than 50 alleged pirate sites, but it is the introduction that draws most attention.

Neil Turkewitz, RIAA Executive Vice President, informs the Government that some of the rogue websites, and their supporters, falsely argue that they aid freedom of speech and counter censorship.

Specifically, the RIAA describes The Pirate Bay and other pirate sites as an assault on our humanity, suggesting that the right to protect one’s copyrights trumps freedom of expression.

“Some observers continue to suggest that the protection of expression is a form of censorship or restriction on fundamental freedoms, and some pirate sites cloak themselves in the language of freedom to justify themselves—sites like The Pirate Bay…” Turkewitz writes.

“We must end this assault on our humanity and the misappropriation of fundamental human rights. If the protection of expression is itself a restriction on freedom of expression, then we have entered a metaphysical Wonderland that stands logic on its head, and undermines core, shared global values about personhood,” he adds.

The RIAA says it’s hopeful that the piracy threat can be addressed if society and legitimate companies stop doing business with these sites. To do so, the public must stop conflating anti-piracy measures with censorship.

“We may not be able to eradicate piracy—there will always be an isolated number of individuals or enterprises who are prepared to steal whatever they can, but we can—and must—stop providing moral cover by conflating copyright enforcement with censorship, or by misapplying notions of Internet freedom or permissionless innovation so that they extend to an embrace of lawlessness.”

In recent months copyright holders have often hammered on payment processors and advertising networks to stop doing business with pirate sites. The RIAA reiterates this in their USTR submission, but also points a finger at the ISPs, at least indirectly.

According to the RIAA, BitTorrent indexing sites make deals with hosting providers to pay lower fees if they have more traffic. While this is standard business for most ISPs, the industry group frames it as an indirect source of revenue for the pirate sites.

“Indexing services can, and usually do, generate revenue from one or more of the following: advertising, user donations and suspected arrangements with ISPs whereby reduced fees are offered in return for increased traffic on the sites. The particular financial model, structure and approach vary from site to site,” Turkewitz notes.

Finally, the RIAA admits that some torrent sites process DMCA takedown notices, but believes that this is only an attempt to “appear” legitimate. In reality the infringing content is re-uploaded almost instantly, so the problem remains.

“As a result, copyright owners are forced into an endless ‘cat and mouse’ game, which requires considerable resources to be devoted to chasing infringing content, only for that same infringing content to continually reappear,” the report reads.

Without specifying what those measures should be, Turkewitz notes that torrent site owners have to do more if they really want to become legitimate services.

“It is imperative that BitTorrent site operators take reasonable measures to prevent the distribution of infringing torrents or links and to implement measures that would prevent the indexing of infringing torrents,” he writes.

In addition to torrent sites the submission also lists various cyberlockers, blogs and linking sites which allegedly deserve the label “notorious market.”

Below is the RIAA’s full list as it was reported to the USTR. These and the other submissions will form the basis of the U.S. Government’s Special 301 Out-of-Cycle Review of Notorious Markets, which is expected to come out later this year.

- vKontakte
- EX.UA
- The Pirate Bay
- KickAss.to
- Torrentz.eu
- Bitsnoop.com
- ExtraTorrent.cc
- Isohunt.to
- Zamunda
- Arena.bg
- Torrenthound.com
- Fenopy.se
- Monova.org
- Torrentreactor.net
- Sumotorrent.sx
- Seedpeer.me
- Torrentdownloads.me
- 4shared.com
- Uploaded.net
- Oboom.com
- Zippyshare.com
- Rapidgator.net
- Turbobit.net
- Ulozto.cz
- Sdílej.cz
- Hell Spy
- HellShare
- Warez-dk.org
- Freakshare.com
- Bitshare.com
- Letitbit.net
- 1fichier.com
- Filestube.to
- Music.so.com
- Verycd.com
- Gudanglagu.com
- Thedigitalpinoy.org
- Todaybit.com
- Chacha.vn
- Zing.vn
- Songs.to
- Boerse.to
- Mygully.com
- Wawa-mania.ec
- Bajui.com
- Goear.com
- Pordescargadirecta.com
- Exvagos.com
- Degraçaémaisgostoso.org
- Baixeturbo.org
- Hitsmp3.net
- Musicasparabaixar.org
- Sapodownloads.net
- Sonicomusica.com
- Jarochos.net
- Rnbexclusive.se
- Newalbumreleases.net

Source: TorrentFreak, for the latest info on copyright, file-sharing and anonymous VPN services.

Raspberry Pi: Real-time depth perception with the Compute Module

This post was syndicated from: Raspberry Pi and was written by: Liz Upton. Original post: at Raspberry Pi

Liz: We’ve got a number of good friends at Argon Design, a tech consultancy in Cambridge. (James Adams, our Director of Hardware, used to work there; as did my friend from the time of Noah, @eyebrowsofpower; the disgustingly clever Peter de Rivaz, who wrote Penguins Puzzle, is an Argon employee; and Steve Barlow, who heads Argon up, used to run AlphaMosaic, which became Broadcom’s Cambridge arm, and employed several of the people who work at Pi Towers back in the day.)

We gave the Argon team a Compute Module to play with this summer, and they set David Barker, one of their interns, to work with it. Here’s what he came up with: thanks David, and thanks Argon!

This summer I spent 11 weeks interning at a local tech company called Argon Design, working with the new Raspberry Pi Compute Module. “Local” in this case means Cambridge, UK, where I am currently studying for a mathematics degree. I found the experience extremely valuable and a lot of fun, and I have learnt a great deal about the hardware side of the Raspberry Pi. And here I would like to share a bit of what I did.

My assignment was to develop an example of real-time video processing on the Raspberry Pi. Argon know a lot about the Pi and its capabilities and are experts in real-time video processing, and we wanted to create something which would demonstrate both. The problem we settled on was depth perception using the two cameras on the Compute Module. The CTO, Steve Barlow, who has a good knowledge of stereo depth algorithms, gave me a Python implementation of a suitable one.

The algorithm we used is a variant of one which is widely used in video compression. The basic idea is to divide each frame into small blocks and to find the best match with blocks from other frames – this tells us how far the block has moved between the two images. The video version is designed to detect motion, so it tries to match against the previous few frames. Meanwhile, the depth perception version tries to match the left and right camera images against each other, allowing it to measure the parallax between the two images.

The other main difference from video compression is that we used a different measure of correlation between blocks. The one we used is designed to work well in the presence of sharp edges and when the exposure differs between the cameras. This means that it is considerably more accurate, at the cost of being more expensive to calculate.
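The block-matching search described in the two paragraphs above, as an added example in pure Python (not Argon’s or David Barker’s code, which the post does not reproduce). The post does not name the similarity measure Argon used; zero-mean normalised cross-correlation (ZNCC) is assumed here because it cancels a per-camera gain and offset, and plain sum-of-absolute-differences (SAD) is included for comparison. The block size, disparity range and the stereo pair itself (random texture with a known parallax and a deliberate exposure mismatch) are constructed for the example.

```python
# Added example (not Argon's or David Barker's code): block-matching stereo
# disparity in pure Python. ZNCC is assumed as the block similarity measure;
# the post does not say which measure Argon used.
import random

BLOCK = 8    # block size in pixels (assumption)
MAX_D = 8    # largest disparity searched, in pixels (assumption)


def make_stereo_pair(width=48, height=32, bg_shift=1, fg_shift=5,
                     gain=0.25, offset=150, seed=1):
    """Constructed test data: the right image is random texture; the left
    image is that texture displaced by a known parallax (larger inside a
    'foreground' rectangle) and re-exposed with an affine gain/offset, so
    the two 'cameras' do not share a brightness scale."""
    rng = random.Random(seed)
    right = [[rng.randint(0, 255) for _ in range(width)] for _ in range(height)]
    left = []
    for y in range(height):
        row = []
        for x in range(width):
            d = fg_shift if (8 <= y < 24 and 16 <= x < 32) else bg_shift
            row.append(min(255, int(gain * right[y][max(x - d, 0)] + offset)))
        left.append(row)
    return left, right


def sad_score(a, b):
    """Sum of absolute differences, negated so that higher is better.
    Not exposure-invariant: a brightness change penalises the true match."""
    return -sum(abs(p - q) for p, q in zip(a, b))


def zncc_score(a, b):
    """Zero-mean normalised cross-correlation in [-1, 1]. Subtracting each
    block's mean and dividing by its spread cancels any gain/offset."""
    n = len(a)
    ma, mb = sum(a) / n, sum(b) / n
    cov = sum((p - ma) * (q - mb) for p, q in zip(a, b))
    va = sum((p - ma) ** 2 for p in a)
    vb = sum((q - mb) ** 2 for q in b)
    if va == 0 or vb == 0:
        return 0.0          # textureless block: no evidence either way
    return cov / (va * vb) ** 0.5


def block(img, x, y):
    """Flatten the BLOCK x BLOCK window whose top-left corner is (x, y)."""
    return [img[y + j][x + i] for j in range(BLOCK) for i in range(BLOCK)]


def best_disparity(left, right, bx, by, score=zncc_score):
    """Slide the left block leftwards over the right image (same row, since
    the pair is assumed rectified) and keep the offset with the best score."""
    ref = block(left, bx, by)
    best_d, best_s = 0, None
    for d in range(MAX_D + 1):
        if bx - d < 0:
            break
        s = score(ref, block(right, bx - d, by))
        if best_s is None or s > best_s:
            best_d, best_s = d, s
    return best_d


def disparity_map(left, right, score=zncc_score):
    """One disparity per block; the first column of blocks is skipped so
    that every candidate offset up to MAX_D lies inside the right image."""
    h, w = len(left), len(left[0])
    return [[best_disparity(left, right, bx, by, score)
             for bx in range(BLOCK, w - BLOCK + 1, BLOCK)]
            for by in range(0, h - BLOCK + 1, BLOCK)]


if __name__ == "__main__":
    L, R = make_stereo_pair()
    for row in disparity_map(L, R):
        print(" ".join(f"{d:2d}" for d in row))
```

Running it prints a 4×5 grid of block disparities in which the central blocks report the foreground parallax of 5 pixels and the rest report 1. Swapping `zncc_score` for `sad_score` in the `disparity_map` call shows why the measure matters: SAD compares raw intensities, so the gain/offset applied to the left image lowers the score of the true match and can let a wrong offset win, whereas ZNCC is unaffected.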

When I arrived, my first task was to translate this algorithm from Python to C, to see what sort of speeds we could reasonably expect. While doing this, I made several algorithmic improvements. This turned out to be extremely successful – the final C version was over 1000 times as fast as the original Python version, on the same hardware! However, even with this much improvement, it was still taking around a second to process a moderate-sized image on the Pi’s ARM core. Clearly another approach was needed.

There are two other processors on the Pi: a dual-core video processing unit called the VPU and a 12-core GPU, both of which are part of the VideoCore block. They both run at a relatively slow 250MHz, but are designed in such a way that they are actually much faster than the ARM core for video and imaging tasks. The team at Argon has done a lot of VideoCore programming and is familiar with how to get the best out of these processors. So I set about rewriting the program, from C into VPU assembler. This sped up the processing on the Pi to around 90 milliseconds. Dropping the size of the image slightly, we eventually managed to get the whole process – get image from cameras, process on VPU, display on screen – to run at 12fps. Not bad for 11 weeks’ work!

I also coded up a demonstration app, which can do green-screen-free background removal, as well as producing false-colour depth maps. There are screenshots below; the results are not exactly perfect, but we are aware of several ways in which this could be improved. This was simply a matter of not having enough time – implementing the algorithm to the standard of a commercial product, rather than a proof-of-concept, would have taken quite a bit longer than the time I had for my internship.

To demonstrate our results, we ran the algorithm on a standard image pair produced by the University of Tsukuba. Below are the test images, the exact depth map, and our calculated one.

[Images: Tsukuba left and right test images, the ground-truth depth map, and the calculated depth map]

We also set up a simple scene in our office to test the results on some slightly more “real-world” data:

[Images: office test scene, false-colour depth map, and background-removal result]

However, programming wasn’t the only task I had. I also got to design and build a camera mount, which was quite a culture shock compared to the software work I’m used to.

Liz: I know that stereo vision is something a lot of compute module customers have been interested in exploring. David has made a more technical write-up of this case study available on Argon’s website for those of you who want to look at this problem in more…depth. (Sorry.)

 

TorrentFreak: Torrent Site Uses Google To Resurrect Taken Down Content

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

Founded in 2003, UK-based FileSoup was one of the original torrent sites but in 2009 two former administrators of the site were arrested following a FACT investigation.

Two years later, however, the case collapsed and the men were free to go. Now, more than three years on, the FileSoup domain has been resurrected.

It’s a search engine / proxy, but not as we know it

The new site has no connections to the original owner, but there are several unique aspects to the relaunch of FileSoup that make for an interesting project.

On a basic level FileSoup acts as a meta-search engine variant. It covers four major torrent sites – The Pirate Bay, KickassTorrents, Torrentz and ExtraTorrent – each selectable via a drop-down box. It also acts as a reverse proxy for these sites to unblock them in countries where they are inaccessible, the UK for example.

Improving on search results

But FileSoup is no ordinary proxy. Instead of simply mirroring the content it finds on sites such as KickassTorrents, it actually attempts to improve on the results by caching third party site indexes.

“Let’s say Kickass.to receives a [DMCA] notice and deletes the content. We are not simply proxying but also caching the site. This means we can provide the page content even if Kickass.to has deleted the URL due to a DMCA complaint,” FileSoup informs TorrentFreak.

So in theory (and given time to cache – the site is still getting off the ground), FileSoup should be able to provide access to content previously taken down from other sites it proxies. To see whether it’s anywhere near to that goal, we conducted a search for one of the most talked-about franchises of the year – Expendables.

The images below show the results from FileSoup and KickassTorrents for exactly the same search. FileSoup returned 139 results while KickAss returned 115. Also notable, aside from the inserted ads, is the prominence of highly-seeded Expendables 3 results in the top placed positions on FileSoup.

[Screenshots: FileSoup and KickassTorrents results for the same search]

Other searches produced varied results but since FileSoup is just getting off the ground it will need more time to cache significant amounts of taken-down content. But what happens when FileSoup itself receives takedown notices?

“When FileSoup receives a DMCA abuse notice we create a new URL address for the same content. After that this URL lives till the next DMCA abuse notice,” the team explain.

The Necromancer – using Google DMCA notices to bypass Google’s takedowns

The operators of FileSoup also addressed indirect search engine takedowns. Every week rightsholders force Google to remove torrent listings from its search results. For this problem FileSoup says it has a solution, and a controversial one it is too.

The team behind the site say they have developed a web crawler designed to pull the details of content subjected to DMCA notices from two sources – Google’s Transparency Report and the Chilling Effects clearinghouse. From there the links are brought back to life.

“We created a technology that crawls DMCA notices and resurrects the torrent webpage under a different URL so it can appear in search results again. It was rather complicated to sharpen it, but eventually it works pretty well. We will use it on FileSoup.com for all the websites we proxy,” FileSoup explain.

“It will lead to a situation when KickAss.FileSoup.com (for example) will have more pages indexed in Google than the original Kickass.to because we will revive pages banned by DMCA within Google search results. We call this technology the Necromancer.”

The idea of manipulating publicly available sources of copyright notices to reactivate access to infringing content is not new but this is the first time that a site has publicly admitted to putting theory into practice. Whether FileSoup will be able to pull this off remains to be seen, but if it does it could signal the biggest game of whac-a-mole yet.

TorrentFreak: MPAA Reports The Pirate Bay to The U.S. Government

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

Responding to a request from the Office of the US Trade Representative (USTR), the MPAA has sent in its annual list of rogue websites.

TorrentFreak obtained a copy of the MPAA’s latest submission. The Hollywood group targets a wide variety of websites which they claim are promoting the illegal distribution of movies and TV-shows, with declining incomes and lost jobs in the movie industry as a result.

These sites and services not only threaten the movie industry, but according to the MPAA they also put consumers at risk through identity theft and by spreading malware.

“It is important to note that websites that traffic in infringing movies, television shows, and other copyrighted content do not harm only the rights holder. Malicious software or malware, which puts Internet users at risk of identity theft, fraud, and other ills, is increasingly becoming a source of revenue for pirate sites,” MPAA writes.

Below is an overview of the “notorious markets” the MPAA reported to the Government. The sites are listed in separate categories and each has a suspected location, as defined by the movie industry group.

Torrent Sites

BitTorrent remains the most popular P2P software and the global icon of piracy, the MPAA notes. The Pirate Bay poses one of the largest threats here. Based on data from comScore, the MPAA says that TPB has about 40 million unique visitors per month, which appears to be a very low estimate.

“Thepiratebay.se (TPB) claims to be the largest BitTorrent website on the Internet with a global Alexa rank of 91, and a local rank of 72 in the U.S. Available in 35 languages, this website serves a wide audience with upwards of 43.5 million peers,” MPAA writes.

“TPB had 40,551,220 unique visitors in August 2014 according to comScore World Wide data. Traffic arrives on this website through multiple changing ccTLD domains and over 90 proxy websites that assist TPB to circumvent site blocking actions.”

For the first time the MPAA also lists YIFY/YTS in its overview of notorious markets. The MPAA describes YTS as one of the most popular release groups, and notes that its releases are used by the Popcorn Time streaming application.

“[Yts.re] facilitates the downloading of free copies of popular movies, and currently lists more than 5,000 high-quality movie torrents available to download for free,” MPAA writes.

“Additionally, the content on Yts.re supports desktop torrent streaming application ‘Popcorn Time’ which has an install base of 1.4 million devices and more than 100,000 active users in the United States alone.”

The full list of reported torrent sites is as follows:

- Kickass.to (Several locations)
- Thepiratebay.se (Sweden)
- Torrentz.eu (Germany/Luxembourg)
- Rutracker.org (Russia)
- Yts.re (Several locations)
- Extratorrent.cc (Ukraine)
- Xunlei.com (China)

The mention of Xunlei.com is interesting as the Chinese company signed an anti-piracy deal with the MPA earlier this year. However, according to the MPAA piracy is still rampant, and there is no evidence that Xunlei has fulfilled its obligations.

Direct Download and Streaming Cyberlockers

The second category of pirate sites reported by the MPAA is cyberlockers. The movie industry group points out that these sites generate millions of dollars in revenue, citing the recently released report from NetNames.

Interestingly, the MPAA doesn’t include 4shared and Mega, the two services that discredited the report in question. As in previous submissions VKontakte, Russia’s equivalent of Facebook, is also listed as a notorious market.

- VK.com (Russia)
- Uploaded.net (Netherlands)
- Rapidgator.net (Russia)
- Firedrive.com (New Zealand)
- Nowvideo.sx and the “Movshare Group” (Panama/Switzerland/Netherlands)
- Netload.in (Germany)

Linking Websites

The largest category in terms of reported sites represents linking websites. These sites don’t host the infringing material, but only link to it. The full list of linking sites is as follows.

- Free-tv-video-online.me (Canada)
- Movie4k.to (Romania)
- Primewire.ag (Estonia)
- Watchseries.lt (Switzerland)
- Putlocker.is (Switzerland)
- Solarmovie.is (Latvia)
- Megafilmeshd.net (Brazil)
- Filmesonlinegratis.net (Brazil)
- Watch32.com (Germany)
- Yyets.com (China)
- Cuevana.tv (Argentina)
- Viooz.ac (Estonia)
- Degraçaemaisgostoso.org (Brazil)
- Telona.org (Brazil)

The inclusion of Cuevana.tv is noteworthy as the website stopped offering direct links to infringing content earlier this year. Instead, it now directs people to its custom “Popcorn Time” equivalent, “Storm.”

Finally, the MPAA lists one Usenet provider, the German-based Usenext.com. This service was included because, unlike other providers, it allegedly markets itself heavily to P2P users.

Later this year the US Trade Representative will use the submissions of the MPAA and other parties to make up its final list of piracy havens. The U.S. Government will then alert the countries where these sites are operating from, hoping that local authorities take action.

TorrentFreak: Big Pirate Sites ‘Raided’, Admins on the Run

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

In June 2011, police across Europe coordinated to carry out the largest anti-piracy operation the continent had ever seen. Their target was Kino.to and its affiliates, a huge illegal movie streaming operation with links to Spain, France and the Netherlands.

Ultimately several people went to jail and Kino.to disappeared, but it didn’t take long for replacement site Kinox.to to take up the slack. It’s been clear for some time that anti-piracy groups have had their eyes on the popular site and now action appears to have been taken.

Last week investigators acting on behalf of the Attorney General carried out raids in several regions of Germany looking for four main suspects.

A raid on a house in a village near the northern city of Lübeck aimed to secure two brothers, aged 21 and 25. This pair, who reportedly live with their parents, are said to be the main operators of Kinox.to. According to Der Spiegel, the raid drew a blank.

In total, six homes and businesses were searched and arrest warrants were successfully executed in Neuss and Dusseldorf. Two individuals, said to be key players, were detained.

According to prosecutor’s office spokesman Wolfgang Klein, a Berlin-based payment service used by the suspects was also raided to ensure their “tax liability” – a reported 1.3 million euros – is met.

In addition to commercial copyright infringement and tax evasion, the defendants are accused of a range of other crimes including fraud, extortion and arson.

Klein said the defendants had “made great efforts” to get rid of their competitors in the piracy market, utilizing verbal tactics and those of a more direct nature.

“They used all means and also carried out threats,” he said. “Sometimes even a car burst into flames.”

And from here the plot only thickens.

According to a letter sent by anti-piracy outfit GVU to its members, the people behind Kinox.to are also behind a string of other sites including streaming giant Movie4K.to. The ring of services is said to extend to pirate linking sites Boerse.sx and MyGully.com, and GVU even connects file-hosting services FreakShare.com and BitShare.com to the operation.

The prosecutor’s office says “lots of data” and “assets” were secured following the raids but at this point the location of the missing brothers remains unknown. Some reports suggest that they may have even left Germany a while back. Adding to the confusion, Lars Sobiraj at Tarnkappe says his sources suggest that the brothers in control of Kinox are in fact much older than 21 and 25.

Nevertheless, whether it was published by the brothers or someone else, an update has appeared on Kinox.to mocking GVU and thanking them for the attention.

“GVU: You make yourself more ridiculous than you are. But THANK YOU again for the extreme (priceless) advertising !!” the post reads.

And that’s one of the key points. Along with all of the other mentioned sites, Kinox.to and Movie4K remain operational. In fact, as far as we can see, not a single site is down.

Perhaps inevitably this has led to speculation that some kind of honeypot could be in operation, but according to lawyer Christian Solmecke, that seems unlikely.

“From my perspective, the users of kinox.to have committed no offense, because the pure consumption of streaming services is not illegal [in Germany]. This is certainly the case whenever any copy of the stream is produced on your own computer,” Solmecke says.

“In addition, the GVU – which here apparently launched the criminal complaint – is also known normally to tackle the problem at its root. This means that the company is going in against the big fish, which has been shown again with the current raids too.”

Krebs on Security: ‘Replay’ Attacks Spoof Chip Card Charges

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

An odd new pattern of credit card fraud emanating from Brazil and targeting U.S. financial institutions could spell costly trouble for banks that are just beginning to issue customers more secure chip-based credit and debit cards.

Over the past week, at least three U.S. financial institutions reported receiving tens of thousands of dollars in fraudulent credit and debit card transactions coming from Brazil and hitting card accounts stolen in recent retail heists, principally cards compromised as part of the breach at Home Depot.

The most puzzling aspect of these unauthorized charges? They were all submitted through Visa and MasterCard‘s networks as chip-enabled transactions, even though the banks that issued the cards in question haven’t even yet begun sending customers chip-enabled cards.

The most frustrating aspect of these unauthorized charges? They’re far harder for the bank to dispute. Banks usually end up eating the cost of fraud from unauthorized transactions when scammers counterfeit and use stolen credit cards. Even so, a bank may be able to recover some of that loss through dispute mechanisms set up by Visa and MasterCard, as long as the bank can show that the fraud was the result of a breach at a specific merchant (in this case Home Depot).

However, banks are responsible for all of the fraud costs that occur from any fraudulent use of their customers’ chip-enabled credit/debit cards — even fraudulent charges disguised as these pseudo-chip transactions.

CLONED CHIP CARDS, OR CLONED TRANSACTIONS?

The bank I first heard from about this fraud — a small financial institution in New England — battled some $120,000 in fraudulent charges from Brazilian stores in less than two days beginning last week. The bank managed to block $80,000 of those fraudulent charges, but the bank’s processor, which approves incoming transactions when the bank’s core systems are offline, let through the other $40,000. All of the transactions were debit charges, and all came across MasterCard’s network looking to MasterCard like chip transactions without a PIN.

The fraud expert with the New England bank said the institution had decided against reissuing customer cards that were potentially compromised in the five-month breach at Home Depot, mainly because that would mean reissuing a sizable chunk of the bank’s overall card base and because the bank had until that point seen virtually no fraud on the accounts.

“We saw very low penetration rates on our Home Depot cards, so we didn’t do a mass reissue,” the expert said. “And then in one day we matched a month’s worth of fraud on those cards thanks to these charges from Brazil.”

A chip card. Image: First Data

The New England bank initially considered the possibility that the perpetrators had somehow figured out how to clone chip cards and had encoded the cards with their customers’ card data. In theory, however, it should not be possible to easily clone a chip card. Chip cards are synonymous with a standard called EMV (short for Europay, MasterCard and Visa), a global payment system that has already been adopted by every other G20 nation as a more secure alternative to cards that simply store account holder data on a card’s magnetic stripe. EMV cards contain a secure microchip that is designed to make the card very difficult and expensive to counterfeit.

In addition, there are several checks that banks can use to validate the authenticity of chip card transactions. The chip holds a secret key and uses it to compute a per-transaction “cryptogram”, a cryptographic code that lets the issuing bank tell whether the transaction data has been modified or was never produced by a genuine card at all. The chip also keeps an internal transaction counter that is incremented with each transaction and sent along with the cryptogram, so a duplicate counter value, or one that skips ahead, may indicate data copying or other fraud to the bank that issued the card.

And this is exactly what has bank fraud fighters scratching their heads: Why would the perpetrators go through all the trouble of taking plain old magnetic stripe card data stolen in the Home Depot breach (and ostensibly purchased in the cybercrime underground) and making it look like EMV transactions? Why wouldn’t the scammers do what fraudsters normally do with this data, which is simply to create counterfeit cards and use the phony cards to buy gift cards and other high-priced merchandise from big box retailers?

More importantly, how were these supposed EMV transactions on non-EMV cards being put through the Visa and MasterCard network as EMV transactions in the first place?

The New England bank said MasterCard initially insisted that the charges were made using physical chip-based cards, but the bank protested that it hadn’t yet issued its customers any chip cards. Furthermore, the bank’s processor hadn’t even yet been certified by MasterCard to handle chip card transactions, so why was MasterCard so sure that the phony transactions were chip-based?

EMV ‘REPLAY’ ATTACKS?

MasterCard did not respond to multiple requests to comment for this story. Visa also declined to comment on the record. But the New England bank told KrebsOnSecurity that in a conversation with MasterCard officials the credit card company said the most likely explanation was that fraudsters were pushing regular magnetic stripe transactions through the card network as EMV purchases using a technique known as a “replay” attack.

According to the bank, MasterCard officials explained that the thieves were probably in control of a payment terminal and had the ability to manipulate data fields for transactions put through that terminal. After capturing traffic from a real EMV-based chip card transaction, the thieves could insert stolen card data into the transaction stream, while modifying the merchant and acquirer bank account on the fly.

Avivah Litan, a fraud analyst with Gartner Inc., said banks in Canada saw the same EMV-spoofing attacks emanating from Brazil several months ago. One of the banks there suffered a fairly large loss, she said, because the bank wasn’t checking the cryptograms or counters on the EMV transactions.

“The [Canadian] bank in this case would take any old cryptogram and they weren’t checking that one-time code because they didn’t have it implemented correctly,” Litan said. “If they saw an EMV transaction and didn’t see the code, they would just authorize the transaction.”

Litan said the fraudsters likely knew that the Canadian bank wasn’t checking the cryptogram and that it wasn’t looking for the dynamic counter code.

“The bad guys knew that if they encoded these as EMV transactions, the banks would loosen other fraud detection controls,” Litan said. “It appears with these attacks that the crooks aren’t breaking the EMV protocol, but taking advantage of bad implementations of it. Doing EMV correctly is hard, and there are lots of ways to break not the cryptography but to mess with the implementation of EMV.”
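The issuer-side checks described earlier (a per-transaction cryptogram and a transaction counter), the replay MasterCard described (a captured chip transaction stream with stolen card data spliced in), and the implementation failure Litan describes (accepting any “chip” transaction without checking the code), as one added example. This is not code from the article, from any issuer, or from the EMV specifications: real cards compute the cryptogram with a 3DES or AES MAC over a defined data list and derive card keys from the PAN with issuer-specific schemes, whereas HMAC-SHA256 stands in for both here, and the PANs, key, amounts and message fields are constructed for the example.

```python
# Added example, not from the Krebs post or any issuer: a toy issuer host
# applying the two checks the article describes (cryptogram and ATC) to an
# online chip authorization, and what a replayed or spliced transaction
# looks like with and without them. EMV specifies 3DES/AES MACs over a
# defined data list and PAN-based key derivation; HMAC-SHA256 stands in.
import hashlib
import hmac
import struct

# Constructed issuer master key for the example (not a real key).
ISSUER_MASTER_KEY = hashlib.sha256(b"example issuer master key").digest()


def card_key(imk, pan):
    """Per-card key diversified from the issuer master key by PAN
    (assumed HMAC; EMV uses a 3DES-based derivation)."""
    return hmac.new(imk, pan.encode(), hashlib.sha256).digest()


def cryptogram(ck, atc, amount, currency, country, unpredictable):
    """MAC over the transaction data under a session key bound to the ATC.
    Changing the PAN (different key), the amount, or the ATC changes it."""
    sk = hmac.new(ck, struct.pack(">H", atc), hashlib.sha256).digest()
    data = struct.pack(">HQHH", atc, amount, currency, country) + unpredictable
    return hmac.new(sk, data, hashlib.sha256).digest()[:8]


class ChipCard:
    """Genuine card: steps its transaction counter and signs each request."""
    def __init__(self, pan, imk):
        self.pan, self.key, self.atc = pan, card_key(imk, pan), 0

    def request(self, amount, currency, country, unpredictable):
        self.atc += 1
        return {"pan": self.pan, "entry_mode": "chip", "atc": self.atc,
                "amount": amount, "currency": currency, "country": country,
                "unpredictable": unpredictable,
                "cryptogram": cryptogram(self.key, self.atc, amount,
                                         currency, country, unpredictable)}


class IssuerHost:
    def __init__(self, imk, chip_pans, verify_cryptogram=True):
        self.imk = imk
        self.chip_pans = set(chip_pans)      # accounts actually issued a chip card
        self.verify_cryptogram = verify_cryptogram
        self.last_atc = {}                   # pan -> highest ATC accepted

    def authorize(self, tx):
        if tx["entry_mode"] != "chip":
            return "REFER: apply magnetic-stripe fraud rules"
        if not self.verify_cryptogram:
            # The failure mode Litan describes: trust the 'chip' flag alone.
            return "APPROVE"
        pan = tx["pan"]
        if pan not in self.chip_pans:
            return "DECLINE: chip transaction on an account with no chip card"
        if tx.get("cryptogram") is None:
            return "DECLINE: no cryptogram"
        expected = cryptogram(card_key(self.imk, pan), tx["atc"], tx["amount"],
                              tx["currency"], tx["country"], tx["unpredictable"])
        if not hmac.compare_digest(expected, tx["cryptogram"]):
            return "DECLINE: cryptogram mismatch"
        if tx["atc"] <= self.last_atc.get(pan, 0):
            return "DECLINE: ATC replayed or out of sequence"
        self.last_atc[pan] = tx["atc"]
        return "APPROVE"


def run_scenario(verify_cryptogram=True):
    """Returns the issuer's decisions for: a genuine chip purchase, the
    same captured stream replayed, the stream with stolen stripe-only card
    data spliced in, and the stream re-pointed at another chip account."""
    chip_pan, other_chip_pan = "4111111111111111", "4111111111111129"  # constructed
    stolen_pan = "5500000000000004"   # constructed: stripe-only, e.g. from a breach dump
    issuer = IssuerHost(ISSUER_MASTER_KEY, {chip_pan, other_chip_pan},
                        verify_cryptogram)
    card = ChipCard(chip_pan, ISSUER_MASTER_KEY)
    genuine = card.request(amount=1250, currency=986, country=76,
                           unpredictable=b"\x12\x34\x56\x78")
    replayed = dict(genuine)                  # attacker-controlled terminal resends
    spliced = dict(genuine, pan=stolen_pan, amount=2500)
    repointed = dict(genuine, pan=other_chip_pan)
    return tuple(issuer.authorize(t) for t in (genuine, replayed, spliced, repointed))


if __name__ == "__main__":
    for name, result in (("strict", run_scenario(True)), ("lenient", run_scenario(False))):
        print(name, result)
```

With the checks on, only the genuine request is approved: the replay fails on the counter, the spliced stripe-only account fails because the issuer never gave it a chip card, and the re-pointed transaction fails because the cryptogram was computed under a different card’s key. With `verify_cryptogram=False`, the behaviour Litan attributes to the Canadian bank, all four are approved, which is the whole value of the attack to the fraudster. The order of the checks matters in practice: the ATC comparison must come after the cryptogram check, because an attacker who can pick the ATC field could otherwise advance a victim’s counter without ever proving possession of the key.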

The thieves also seem to be messing with the transaction codes and other aspects of the EMV transaction stream. Litan said it’s likely that the perpetrators of this attack had their own payment terminals and were somehow able to manipulate the transaction fields in each charge.

“I remember when I went to Brazil a couple of years ago, their biggest problem was merchants were taking point-of-sale systems home, and then running stolen cards through them,” she said. “I’m sure they could rewire them to do whatever they wanted. That was the biggest issue at the time.”

The New England bank shared with this author a list of the fraudulent transactions pushed through by the scammers in Brazil. The bank said MasterCard is currently in the process of checking with the Brazilian merchants to see whether they had physical transactions that matched transactions shown on paper.

In the meantime, it appears that the largest share of those phony transactions were put through using a payment system called Payleven, a mobile payment service popular in Europe and Brazil that is similar in operation to Square. Most of the transactions were for escalating amounts — nearly doubling with each transaction — indicating the fraudsters were putting through debit charges to see how much money they could drain from the compromised accounts.

Litan said attacks like this one illustrate the importance of banks setting up EMV correctly. She noted that while the New England bank was able to flag the apparent EMV transactions as fraudulent in part because it hadn’t yet begun issuing EMV cards, the outcome might be different for a bank that had issued at least some chip cards.

“There’s going to be a lot of confusion when banks roll out EMV, and one thing I’ve learned from clients is how hard it is to implement properly,” Litan said. “A lot of banks will loosen other fraud controls right away, even before they verify that they’ve got EMV implemented correctly. They won’t expect the point-of-sale codes to be manipulated by fraudsters. That’s the irony: We think EMV is going to solve all our card fraud problems, but doing it correctly is going to take a lot longer than we thought. It’s not that easy.”