Posts tagged ‘paypal’

Krebs on Security: Stress-Testing the Booter Services, Financially

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

The past few years have witnessed a rapid proliferation of cheap, Web-based services that troublemakers can hire to knock virtually any person or site offline for hours on end. Such services succeed partly because they’ve enabled users to pay for attacks with PayPal. But a collaborative effort by PayPal and security researchers has made it far more difficult for these services to transact with their would-be customers.

By offering a low-cost, shared distributed denial-of-service (DDoS) attack infrastructure, these so-called “booter” and “stresser” services have attracted thousands of malicious customers and are responsible for hundreds of thousands of attacks per year. Indeed, KrebsOnSecurity has repeatedly been targeted in fairly high-volume attacks from booter services — most notably a service run by the Lizard Squad band of miscreants who took responsibility for sidelining the Microsoft xBox and Sony Playstation on Christmas Day 2014.

For more than two months in the summer of 2014, researchers with George Mason University, UC Berkeley’s International Computer Science Institute, and the University of Maryland began following the money, posing as buyers of nearly two dozen booter services in a bid to discover the PayPal accounts that booter services were using to accept payments. In response to their investigations, PayPal began seizing booter service PayPal accounts and balances, effectively launching their own preemptive denial-of-service attacks against the payment infrastructure for these services.

PayPal will initially limit reported merchant accounts that are found to violate its terms of service (turns out, accepting payments for abusive services is a no-no). Once an account is limited, the merchant cannot withdraw or spend any of the funds in their account. This results in the loss of funds in these accounts at the time of freezing, and potentially additional losses due to opportunity costs the proprietors incur while establishing a new account. In addition, PayPal performed their own investigation to identify additional booter domains and limited accounts linked to these domains as well.

The efforts of the research team apparently brought some big-time disruption for nearly two-dozen of the top booter services. The researchers said that within a day or two following their interventions, they saw the percentage of active booters quickly dropping from 70 to 80 percent to around 50 percent, and continuing to decrease to a low of around 10 percent that were still active.

While some of the booter services went out of business shortly thereafter, more than a half-dozen shifted to accepting payments via Bitcoin (although the researchers found that this dramatically cut down on the services’ overall number of active customers). Once the target intervention began, they found the average lifespan of an account dropped to around 3.5 days, with many booters’ PayPal accounts only averaging around two days before they were no longer used again.

The researchers also corroborated the outages by monitoring hacker forums where the services were marketed, chronicling complaints from angry customers and booter service operators who were inconvenienced by the disruption (see screen shot gallery below).

A booter service proprietor advertising his wares on the forum Hackforums complains about Paypal repeatedly limiting his account.

Another booter seller on Hackforums whinges about PayPal limiting the account he uses to accept attack payments from customers.

"It's a shame PayPal had to shut us down several times causing us to take money out of our own pocket to purchase servers, hosting and more," says this now-defunct booter service to its former customers.

Deadlyboot went dead after the PayPal interventions. So sad.

Daily attacks from Infected Stresser dropped off precipitously following the researchers' work.

As I’ve noted in past stories on booter service proprietors I’ve tracked down here in the United States, many of these service owners and operators are kids operating within easy reach of U.S. law enforcement. Based on the aggregated geo-location information provided by PayPal, the researchers found that over 44% of the customer and merchant PayPal accounts associated with booters are potentially owned by someone in the United States.

ROOTED BOOTERS

The research team also pored over leaked and scraped data from three popular booter services — “Asylum Stresser,” another one called “VDO,” and the booter service referenced above called “Lizard Stresser.” All three of these booter services had been previously hacked by unknown individuals. By examining the leaked data from these services, the researchers found these three services alone had attracted over 6,000 subscribers and had launched over 600,000 attacks against over 100,000 distinct victims.

Data based on leaked databases from these three booter services.

Like other booter services, Asylum, Lizard Stresser and VDO rely on a subscription model, where customers or subscribers can launch an unlimited number of attacks that have a duration typically ranging from 30 seconds to 1-3 hours and are limited to 1-4 concurrent attacks depending on the tier of subscription purchased. The price for a subscription normally ranges from $10-$300 USD per month depending on the duration and number of concurrent attacks provided.

“We also find that the majority of booter customers prefer paying via PayPal and that Lizard Stresser, which only accepted Bitcoin, had a minuscule 2% signup to paid subscriber conversion rate compared to 15% for Asylum Stresser and 23% for VDO 1, which both accepted PayPal,” they wrote.

The research team found that some of the biggest attacks from these booter services take advantage of common Internet-based hardware and software — everything from consumer gaming consoles to routers and modems to Web site content management systems — that ships with networking features which can easily be abused for attacks and that are turned on by default.

Specific examples of these include DNS amplification attacks, network time protocol (NTP) attacks, Simple Service Discovery Protocol (SSDP) attacks, and XML-RPC attacks. These attack methods are particularly appealing for booter services because they hide the true source of attacks and/or can amplify a tiny amount of attack bandwidth into a much larger assault on the victim. Such attack methods also offer the booter service virtually unlimited, free attack bandwidth, because there are tens of millions of misconfigured devices online that can be abused in these attacks.

Finally, the researchers observed a stubborn fact about these booter services that I’ve noted in several stories: That the booter service front-end Web sites where customers go to pay for service and order attacks were all protected by CloudFlare, a content distribution network that specializes in helping networks stay online in the face of withering online attacks.

I have on several occasions noted that if CloudFlare adopted a policy of not enabling booter services, it could eliminate a huge conflict of interest for the company and — more importantly — help eradicate the booter industry. The company has responded that this would lead to a slippery slope of censorship, but that it will respond to all proper requests from law enforcement regarding booters. I won’t rehash this debate again here (anyone interested in CloudFlare’s take on this should see this story).

In any case, the researchers note that they contacted CloudFlare’s abuse email on June 21st, 2014 to notify the company of the abusive nature of these services.

“As of the time of writing this paper, we have not received any response to our complaints and they continue to use CloudFlare,” the paper notes. “This supports the notion that at least for our set of booters CloudFlare is a robust solution to protect their frontend servers. In addition, crimeflare.com has a list of over 100 booters that are using CloudFlare’s services to protect their frontend servers.”

A copy of the research paper is available here (PDF).

Krebs on Security: Chinese VPN Service as Attack Platform?

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

Hardly a week goes by without a news story about state-sponsored Chinese cyberspies breaking into Fortune 500 companies to steal intellectual property, personal data and other invaluable assets. Now, researchers say they’ve unearthed evidence that some of the same Chinese hackers also have been selling access to compromised computers within those companies to help perpetuate future breaches.

The so-called “Great Firewall of China” is an effort by the Chinese government to block citizens from accessing specific content and Web sites that the government has deemed objectionable. Consequently, many Chinese seek to evade such censorship by turning to virtual private network or “VPN” services that allow users to tunnel their Internet connections to locations beyond the control of the Great Firewall.

Security experts at RSA Research say they’ve identified an archipelago of Chinese-language virtual private network (VPN) services marketed to Chinese online gamers and those wishing to evade censorship, but which also appear to be used as an active platform for launching attacks on non-Chinese corporations while obscuring the origins of the attackers.

Dubbed by RSA as “Terracotta VPN” (a reference to the Chinese Terracotta Army), this satellite array of VPN services “may represent the first exposure of a PRC-based VPN operation that maliciously, efficiently and rapidly enlists vulnerable servers around the world,” the company said in a report released today.

The hacker group thought to be using Terracotta to launch and hide attacks is known by a number of code names, including the “Shell_Crew” and “Deep Panda.” Security experts have tied this Chinese espionage gang to some of the largest data breaches in U.S. history, including the recent attack on the U.S. Office of Personnel Management, as well as the breaches at U.S. healthcare insurers Anthem and Premera.

According to RSA, Terracotta VPN has more than 1,500 nodes around the world where users can pop up on the Internet. Many of those locations appear to be little more than servers at Internet service providers in the United States, Korea, Japan and elsewhere that offer cheap virtual private servers.

But RSA researchers said they discovered that many of Terracotta’s exit nodes were compromised Windows servers that were “harvested” without the victims’ knowledge or permission, including systems at a Fortune 500 hotel chain; a hi-tech manufacturer; a law firm; a doctor’s office; and a county government of a U.S. state.

The report steps through a forensics analysis that RSA conducted on one of the compromised VPN systems, tracking each step the intruders took to break into the server and ultimately enlist the system as part of the Terracotta VPN network.

“All of the compromised systems, confirmed through victim-communication by RSA Research, are Windows servers,” the company wrote. “RSA Research suspects that Terracotta is targeting vulnerable Windows servers because this platform includes VPN services that can be configured quickly (in a matter of seconds).”

RSA says suspected nation-state actors have leveraged at least 52 Terracotta VPN nodes to exploit sensitive targets among Western government and commercial organizations. The company said it received a specific report from a large defense contractor concerning 27 different Terracotta VPN node Internet addresses that were used to send phishing emails targeting users in their organization.

“Out of the thirteen different IP addresses used during this campaign against this one (APT) target, eleven (85%) were associated with Terracotta VPN nodes,” RSA wrote of one cyber espionage campaign it investigated. “Perhaps one of the benefits of using Terracotta for Advanced Threat Actors is that their espionage related network traffic can blend-in with ‘otherwise-legitimate’ VPN traffic.”

DIGGING DEEPER

RSA’s report includes a single screen shot of software used by one of the commercial VPN services marketed on Chinese sites and tied to the Terracotta network, but for me this was just a tease: I wanted a closer look at this network, yet RSA (or more likely, the company’s lawyers) carefully omitted any information in its report that would make it easy to locate the sites selling or offering the Terracotta VPN.

RSA said the Web sites advertising the VPN services are marketed on Chinese-language Web sites that are for the most part linked by common domain name registrant email addresses and are often hosted on the same infrastructure with the same basic Web content. Along those lines, the company did include one very useful tidbit in its report: A section designed to help companies detect servers that may be compromised warned that any Web servers seen phoning home to 8800free[dot]info should be considered hacked.
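One way to act on that detection tip, as an added example that is not from RSA's report or the original article: a small matcher that takes the indicator in the defanged form printed above and checks DNS query logs for it, including subdomains, without tripping on look-alike names. The log format (timestamp, client IP, query name) and all sample lines are constructed for illustration.

```python
import re

# Indicator exactly as printed in the article (defanged form).
DEFANGED_INDICATORS = ["8800free[dot]info"]


def refang(value):
    """Turn a defanged indicator such as name[dot]tld into a plain hostname."""
    value = value.strip().lower()
    value = re.sub(r"\[\s*(?:dot|\.)\s*\]|\(\s*dot\s*\)", ".", value)
    return value.rstrip(".")


def matches_indicator(hostname, indicators):
    """True if hostname equals an indicator or is a subdomain of one.

    Matching on label boundaries avoids false positives such as
    'not8800free.info' or '8800free.info.example.com'.
    """
    host = hostname.strip().lower().rstrip(".")
    return any(host == ind or host.endswith("." + ind) for ind in indicators)


# Constructed sample log, one query per line: "timestamp client_ip query_name".
SAMPLE_DNS_LOG = """\
2015-08-04T10:00:01Z 10.0.5.20 www.example.com
2015-08-04T10:00:07Z 10.0.5.21 8800free.info.
2015-08-04T10:01:12Z 10.0.5.21 Update.8800FREE.info
2015-08-04T10:02:30Z 10.0.5.22 not8800free.info
2015-08-04T10:03:44Z 10.0.5.23 8800free.info.example.com
malformed line
"""


def find_suspect_hosts(log_text, defanged=DEFANGED_INDICATORS):
    """Return {client_ip: sorted matching query names} for hosts to investigate."""
    indicators = [refang(d) for d in defanged]
    hits = {}
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue  # skip lines that do not fit the assumed format
        _, client, qname = fields
        if matches_indicator(qname, indicators):
            hits.setdefault(client, set()).add(qname.lower().rstrip("."))
    return {client: sorted(names) for client, names in hits.items()}


if __name__ == "__main__":
    for client, names in find_suspect_hosts(SAMPLE_DNS_LOG).items():
        print(client, "queried", ", ".join(names))
```
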

A lookup at Domaintools.com for the historic registration records on 8800free[dot]info shows it was originally registered in 2010 to someone using the email address “xnt50@163.com.” Among the nine other domains registered to xnt50@163.com is 517jiasu[dot]cn, an archived version of which is available here.

Domaintools shows that in 2013 the registration record for 8800free[dot]info was changed to include the email address “jzbb@foxmail.com.” Helpfully, that email was used to register at least 39 other sites, including quite a few that are or were at one time advertising similar-looking VPN services.

Pivoting off the historic registration records for many of those sites turns up a long list of VPN sites registered to other interesting email addresses, including “adsyb@163.com,” “asdfyb@hotmail.com” and “itjsq@qq.com” (click the email addresses for a list of domains registered to each).

Armed with lists of dozens of VPN sites, it wasn’t hard to find several sites offering different VPN clients for download. I installed each on a carefully isolated virtual machine (don’t try this at home, kids!). Here’s one of those sites:

A Google-translated version of one of the sites offering the VPN software and service that RSA has dubbed “Terracotta.”

All told, I managed to download, install and use at least three VPN clients from VPN service domains tied to the above-mentioned email addresses. The Chinese-language clients were remarkably similar in overall appearance and function, and listed exit nodes via tabs for several countries, including Canada, Japan, South Korea and the United States, among others. Here is one of the VPN clients I played with in researching this story:

This one was far more difficult to use, and crashed repeatedly when I first tried to take it for a test drive:

None of the VPN clients I tried would list the Internet addresses of the individual nodes. However, each node in the network can be discovered simply by running some type of network traffic monitoring tool in the background (I used Wireshark), and logging the address that is pinged when one clicks on a new connection.

RSA said it found more than 500 Terracotta servers that were U.S. based, but I must have gotten in on the fun after the company started notifying victim organizations because I found only a few dozen U.S.-based hosts in any of the VPN clients I checked. And most of the ones I did find that were based in the United States appeared to be virtual private servers at a handful of hosting companies.

The one exception I found was a VPN node tied to a dedicated Windows server for the Web site of a company in Michigan that manufactures custom-made chairs for offices, lounges and meeting rooms. That company did not return calls seeking comment.

In addition to the U.S.-based hosts, I managed to step through a huge number of systems based in South Korea. I didn’t have time to look through each record to see whether any of the Korean exit nodes were interesting, but here’s the list I came up with in case anyone is interested. I simply haven’t had time to look at and look up the rest of the clients in what RSA is calling the Terracotta network. Here’s a more simplified list of just the organizational names attached to each record.

Assuming RSA’s research is accurate (and I have no reason to doubt that it is) the idea of hackers selling access to hacked PCs for anonymity and stealth online is hardly a new one. In Sept. 2011, I wrote about how the Russian cybercriminals responsible for building the infamous TDSS botnet were selling access to computers sickened with the malware via a proxy service called AWMProxy, even allowing customers to pay for the access with PayPal, Visa and MasterCard.

It is, after all, incredibly common for malicious hackers to use systems they’ve hacked to help perpetrate future cybercrimes – particularly espionage attacks. A classified map of the United States obtained by NBC last week showing the victims of Chinese cyber espionage over the past five years lights up like so many exit nodes in a VPN network.

Source: NBC

TorrentFreak: Bitcoin Bounties Aim to Turn Pirates Into Snitches

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

While money may very well be the root of most evil, it’s still a commodity most people want to get their hands on. Trouble is, most financial systems rely on expensive middle-men who are always keen to retain a piece of the pie in return for their transactional skills.

For users of Bitcoin, however, things are somewhat different. The system relies on a peer-to-peer architecture which allows users to transact directly without needing an intermediary. And, of great value to privacy lovers, the system is somewhat less intrusive, unless users provide information about themselves as part of a purchase, for example.

These aspects have generated interest among those in the ‘pirate’ community, with some torrent sites now accepting donations via Bitcoin instead of through the troublesome PayPal. However, a service currently being promoted by a technology company will see Bitcoin used in the fight against piracy instead.

The solution comes from South Africa-based Custos Media Technologies who say that for a fee they can embed a “digital alarm” into movies and music that can alert content owners when their material is uploaded to torrent sites or other file-sharing platforms.

Developed by researchers at Stellenbosch University, the CustosTech system aims to discourage leaks and reward those who find them while exploiting the publicly accessible information associated with Bitcoin.

The concept is fairly straightforward. Content creators are given the opportunity to embed a unique identifying watermark into a movie, music track or other digital content before they sell or loan it to a customer or client. One suggested use that may catch the industry’s eye is when so-called ‘screeners’ are handed out to Academy members and critics.

However, instead of having a “For Your Consideration” watermark in the middle of the screen, protected movies in this scenario have a trick up their sleeve.

“Custos embeds watermarks into the analog and/or digital content of media items, which are imperceptible but difficult to remove. Each watermark contains a Bitcoin wallet, with a reward for anyone who anonymously claims it once the media has passed out of the control of the original recipient,” Custos explain.

“Media downloaders who want to search for such rewards (‘bounty hunters’) can do so anonymously, from anywhere in the world. The moment a bounty is claimed – and by the nature of cryptocurrencies, this can only happen once – the transaction reflects on the blockchain, and Custos notifies the media provider of the incident, and to which recipient the content was originally licensed.”

In other words, when content appears on a site somewhere, the first person to download it, view the code, and report it via a special Custos tool, wins the Bitcoin bounty. It’s essentially a people-powered leak reporting system that could lead to a number of possibilities for the content provider.

“[The person to whom the content was originally given] could then be subject to financial or legal penalties, or to reduced access to future content,” Custos explain.

“In this manner, authorised media users are strongly discouraged from actively sharing files or carelessly leaking them, while at the same time, they need not be inconvenienced by cumbersome security measures.”

The company is marketing CustosTech as a system that “turns the downloaders against the uploaders” and in some ways it’s difficult to argue with the assertion. Whether the system will prove popular enough with ‘snitches’ will remain to be seen – that will probably rely on the size of the ‘bounties’ up for grabs.

Krebs on Security: A Busy Week for Ne’er-Do-Well News

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

We often hear about the impact of cybercrime, but too seldom do we read about the successes that law enforcement officials have in apprehending those responsible and bringing them to justice. Last week was an especially busy time for cybercrime justice, with authorities across the globe bringing arrests, prosecutions and in some cases stiff sentences in connection with a broad range of cyber crimes, including ATM and bank account cashouts, malware distribution and “swatting” attacks.

Ercan Findikoglu, posing with piles of cash.

Prosecutors in New York had a big week. Appearing in the U.S. court system for the first time last week was Ercan “Segate” Findikoglu, a 33-year-old Turkish man who investigators say was the mastermind behind a series of Oceans 11-type ATM heists between 2011 and 2013 that netted thieves more than $55 million.

According to prosecutors, Findikoglu organized the so-called “ATM cashouts” by hacking into networks of several credit and debit card payment processors. With each processor, the intruders were able to simultaneously lift the daily withdrawal limits on numerous prepaid accounts and dramatically increase the account balances on those cards to allow ATM withdrawals far in excess of the legitimate card balances.

The cards were then cloned and sent to dozens of co-conspirators around the globe, who used the cards at ATMs to withdraw millions in cash in the span of just a few hours. Investigators say these attacks are known in the cybercrime underground as “unlimited operations” because the manipulation of withdrawal limits lets the crooks steal literally unlimited amounts of cash until the operation is shut down.

Two of the attacks attributed to Findikoglu and his alleged associates were first reported on this blog, including a February 2011 attack against Fidelity National Information Services (FIS), and a $5 million heist in late 2012 involving a card network in India. The most brazen and lucrative heist, a nearly $40 million cashout against the Bank of Muscat in Oman, was covered in a May 2013 New York Times piece, which concludes with a vignette about the violent murder of an alleged accomplice in the scheme.

Also in New York, a Manhattan federal judge sentenced the co-creator of the “Blackshades” Trojan to nearly five years in prison after pleading guilty to helping hundreds of people use and spread the malware. Twenty-five year old Swedish national Alexander Yucel was ordered to forfeit $200,000 and relinquish all of the computer equipment he used in commission of his crimes.

As detailed in this May 2014 piece, Blackshades Users Had It Coming, the malware was sophisticated but marketed mainly on English language cybercrime forums to young men who probably would have a hard time hacking their way out of a paper bag, let alone into someone’s computer. Initially sold via PayPal for just $40, Blackshades offered users a way to remotely spy on victims, and even included tools and tutorials to help users infect victim PCs. Many of Yucel’s customers also have been rounded up by law enforcement here in the U.S. and abroad.

Matthew Tollis

In a small victory for people fed up with so-called “swatting” — the act of calling in a fake hostage or bomb threat to emergency services with the intention of prompting a heavily-armed police response to a specific address — 22-year-old Connecticut resident Matthew Tollis pleaded guilty last week to multiple swatting incidents. (In an unrelated incident in 2013, this reporter was the victim of swatting, which resulted in our home being surrounded by a dozen or so police and Yours Truly being handcuffed in front of the whole neighborhood).

Tollis admitted belonging to a group that called itself “TeAM CrucifiX or Die,” a loose-knit cadre of young Microsoft XBox and swatting enthusiasts which later renamed itself the “ISIS Gang.” Interestingly, these past few weeks have seen the prosecution of another alleged ISIS Gang member — a 17-year-old Finnish miscreant who goes by the nicknames “Ryan” and “Zeekill.” Ryan, whose real name is Julius Kivimaki, was one of several individuals who claimed to be involved in the Lizard Squad attacks that brought down the XBox and Sony Playstation networks in December 2014.

Kivimaki is being prosecuted in Finland for multiple alleged offenses, including payment fraud, money laundering and telecommunications harassment. Under Finnish law, Kivimaki cannot be extradited, but prosecutors there are seeking at least two to three years of jail time for the young man, who will turn 18 in August.

Julius "Ryan" Kivimaki.

Finally, investigators with Europol announced the arrest of five individuals in Ukraine who are suspected of developing, exploiting and distributing the ZeuS and SpyEye malware — well known banking Trojans that have been used to steal hundreds of millions of dollars from consumers and small businesses.

According to Europol, each cybercriminal in the group had their specialty, but the group as a whole specialized in creating malware, infecting machines, harvesting bank credentials and laundering the money through so-called money mule networks.

“On the digital underground forums, they actively traded stolen credentials, compromised bank account information and malware, while selling their hacking ‘services’ and looking for new cooperation partners in other cybercriminal activities,” Europol said. “This was a very active criminal group that worked in countries across all continents, infecting tens of thousands of users’ computers with banking Trojans, and subsequently targeted many major banks

The Europol statement on the action is otherwise light on details, but says the group is suspected of using Zeus and SpyEye malware to steal at least EUR 2 million from banks and their customers.

yovko in a nutshell: For the Bulgarian Cyrillic

This post was syndicated from: yovko in a nutshell and was written by: Yovko Lambrev. Original post: at yovko in a nutshell

Last year, about a month after May 24, I came across this article in Kapital, and from it I learned about the “For Bulgarian Cyrillic” initiative. Two days ago an article in Kultura reminded me of it again. I strongly recommend both articles to anyone interested in the subject, as well as “A Short History of the Cyrillic Alphabet” by Ivan Iliev, because this is a topic far more genuinely connected to our national identity than the noisy waving of jingoistic claims about many seas and Botev and Levski (with my boundless respect for both of them!).

Recently I was explaining to a group of Argentinian and Colombian acquaintances that we Bulgarians do not use a Russian alphabet, and that historically speaking the Russian alphabet is a projection of the Bulgarian one. And that the alphabet is in fact called Cyrillic. They looked at me with great surprise, and I was left with the feeling that they did not quite believe me. I hope I at least got them to look at Wikipedia.

I have had this conversation with many foreigners. And I always provoke surprised looks. Because the origin of our alphabet is one of those topics that we Bulgarians have not won for ourselves in world cultural history, and we treat it far too shyly.

In fact, though, as someone who spends 2/3 of the day on the Internet or in front of some computer, I am historically right, but in practice I have to admit that I am slightly misleading people. Because de facto we Bulgarians have not only adopted the reformed Cyrillic over time, but, because the majority of computer Cyrillic fonts (typefaces) are Russian, we have very seriously neglected the Bulgarian letterforms, and most often we really do write with Russian Cyrillic on our computers, and from there on the Internet, in books, in print media and everywhere. If you do not understand what I am talking about, that only confirms the point. In that case go back to the links at the beginning of this text and read the manifesto of the “For Bulgarian Cyrillic” initiative.

If you want to do something more in practice, and today is a good occasion for it, you can install fonts on your computer with which to write (and so also popularize) the Bulgarian Cyrillic. Here are my two suggestions: one is a serif font and the other a sans-serif font.

The first is the exceptionally beautiful Barkentina by the Bulgarian artist Kiril Zlatkov, which on top of everything is free for personal use, and you can freely download a copy of it, for example from here. Even so, under the Download button you will also see a donate button (via PayPal); it would be wonderful to support its author with an amount of your choosing.

The second suggestion is not free of charge, still less is it free as in freedom, but it is one of the most affordable Bulgarian fonts on the market. It is called Helen, and the standard license for up to 5 computers for the Bulgarian (cyrillic) version costs 40 EUR, which makes a nice gift for the family computers on the occasion of today’s holiday.

Happy May 24!

Original link: “For the Bulgarian Cyrillic” – Some rights reserved

TorrentFreak: MPAA Complained So We Seized Your Funds, PayPal Says

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

For several years PayPal has been trying to limit how much business it does with sites involved with copyright infringement. Unsurprisingly torrent sites are high up on the payment processor’s “do not touch” list.

For that reason it is quite rare to see PayPal offered as a donation method on the majority of public sites as these are spotted quite quickly and often shut down. It’s unclear whether PayPal does its own ‘scouting’ but the company is known to act upon complaints from copyright holders as part of the developing global “Follow the Money” anti-piracy strategy.

This week Andrew Sampson, the software developer behind new torrent search engine ‘Strike’, discovered that when you have powerful enemies, bad things can happen.

With no advertising on the site, Sampson added his personal PayPal account in case anyone wanted to donate. Quickly coming to the conclusion that was probably a bad idea, Sampson removed the button and carried on as before. One month later PayPal contacted him with bad news.

“We are contacting you as we have received a report that your website https://getstrike.net is currently infringing upon the intellectual property of Motion Picture Association of America, Inc.,” PayPal began.

“Such infringement also violates PayPal’s Acceptable Use Policy. Therefore your account has been permanently limited.”

It isn’t clear why PayPal waited for a month after donations were removed from Strike to close Sampson’s six-year-old account but the coder believes that his public profile (he doesn’t hide his real identity) may have led to his issues.

“It seems someone at the MPAA realized I took donations using PayPal from some of my other LEGAL open source projects (like https://github.com/Codeusa/Borderless-Gaming) and was able to get the email of my account,” the dev told TF.

While Sampson had regularly been receiving donations from users of his other open source projects, he says he only received $200 from users of Strike, a small proportion of the $2,500 in his personal account when PayPal shut it down.

“That money was earned through legitimate freelance work and was going to be used specifically for my rent/car payment so it kind of sucks,” he says.

While it’s going to be a painful 180 day wait for Sampson to get his money back from PayPal, the lack of options for receiving donations on his other projects could prove the most damaging moving forward. Sampson does accept Bitcoin, but it’s nowhere near as user-friendly as PayPal.

Of course, this is all part of the MPAA’s strategy. By making sites like Strike difficult to run, they hope that developers like Sampson will reconsider their positions and move on. And in this case they might just achieve their aims.

“I’ve allowed someone else to manage the site for the time being. It will operate as it normally does but I need a bit to clear my head and don’t want anything to do with it as it’s become quite stressful,” Sampson says.

“I think the MPAA is playing low ball tactics against a developer who just wanted a better search engine. I don’t condone piracy, but I sure as hell understand why it happens.”

Source: TorrentFreak, for the latest info on copyright, file-sharing, torrent sites and anonymous VPN services.

TorrentFreak: Mega Consults Legal Team Over New Piracy Report

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

In September 2014, NetNames published a report titled Behind The Cyberlocker Door: A Report How Shadowy Cyberlockers Use Credit Card Companies to Make Millions.

While the report was informative in many respects, NetNames made the questionable decision to include cloud-hosting service Mega.co.nz. Granted, Mega’s Kim Dotcom connections might paint the site in an unfavorable light in some eyes, but the fact remains that Mega.co.nz covers all the bases when it comes to copyright law.

And let’s face it – the site has had no other choice. As the most scrutinized file-hosting startup in history, any breach (even of the overseas DMCA) would prove absolutely catastrophic. Nevertheless and largely thanks to the NetNames report, payment processors including Visa, Mastercard and PayPal recently pulled the plug on the company.

Then this week, just eight months after the NetNames report, came another turn of the screw. Titled The Revenue Sources for Websites Making Available Copyright Content Without Consent in the EU, a new MPA-commissioned report published by Incopro examined the money-making techniques of more than 600 ‘unauthorized’ sites in the file-sharing space.

The study’s overarching tone is that the sites surveyed are criminal enterprises run by shady individuals aiming to get rich on the backs of the entertainment industries. In respect of many sites on the list it is difficult to argue with the assertion. But, yet again, Mega.co.nz finds itself on the list alongside the likes of The Pirate Bay and other similarly copyright-hostile domains.

Just as we did following the NetNames report, TorrentFreak contacted the report’s authors and asked why Mega, a company with robust copyright protection mechanisms, had been included in the report. We received no response to what shouldn’t have been a particularly difficult question.

It’s worth pointing out, however, that Incopro do list the factors that get hosting sites on the list. They say the factors “are drawn from case law” and are “typically used by courts” to “determine the status” of a site. They’re listed in bold below:

Users are not charged for storage of files, instead revenue is accrued from subscription fees permitting download; per-download charges; and/or advertising

While the above could indeed describe an infringing site if bad intent was present, it also describes the business model of YouTube. It seems unlikely that a court would find a site illegal on this basis alone.

Anonymity for Users: The use of the service can be enjoyed in complete anonymity

Allowing users to be anonymous is no indication of criminality, unless a service intentionally encourages its users to commit a crime. For the record, Mega users are not anonymous – the service logs user IP addresses to counter abuse.

Anonymity for the Operators: Quite often the operators of the site will also be anonymous or based in jurisdictions where enforcement of the rule of law is quite difficult. Such sites tend to move less frequently, but will do so in response to perceived threats of legal action.

While anonymity for operators can be an indication that facing the law isn’t a key priority, it is blatantly clear that Mega.co.nz is going nowhere. The company and its directors are registered in New Zealand, are public faces, and are currently pursuing a stock market listing. The Pirate Bay this most certainly isn’t.

Inducement/Reward Scheme: Rewards for uploaders of large and popular files (with a particular emphasis on file size, i.e. additional rewards for popular files of over 200 megabytes, which are consistent with long-form copyright-protected audiovisual content).

It is well known that some of the most shadowy file-hosting services use these kinds of affiliate schemes to attract uploaders of pirated content, but their presence alone is not an indicator of criminality. Again, YouTube is happy to share revenues with uploaders of popular files. In any event, Mega offers no such scheme.

Ability to share files in the following formats (all consistent with long-form copyright-protected AV content): .rar, .zip, .avi, .wmv, .mpg, .mhv, .mp4, .divx, .xvid, .flv, .mov and .mpeg.

That the hosting of these filetypes can result in a site being labeled as infringing is beyond ridiculous and doesn’t even warrant a detailed rebuttal.

Free access for stored files is limited (in an attempt to encourage the purchase of premium membership) by methods such as increased wait times, bandwidth throttling, caps on the number of downloads freely accessed and online advertising.

Again, many of these techniques are indeed employed by some of the most notorious file-hosters but on their own they are not indications of criminality. However, the important thing here is that none apply to Mega.

Enabling Sharing of Links: Provision of ‘forum codes’ and ‘URL codes’ to facilitate the incorporation of links on third party indexing and linking sites.

Providing a URL to stored content indicates that a site is pirate? Watch out Dropbox!

The most important factors, the ones that really matter

Although not listed directly for hosting sites, Incopro does note that other factors can determine whether a site is likely infringing or not for the purposes of its report. This is where the meat of their claims against Mega and any other site should really hold up.

The clear (and often stated) purpose of the sites is copyright infringement and facilitation of copyright infringement.

The sites are highly structured and the content is referenced, categorized, curated and moderated.

The operators are believed to exercise control over the content on the website.

The sites provide guidance and deploy a variety of means of encouragement to users in accessing and making available content and advertise the availability of content on third party sites.

The sites either don’t operate a takedown policy at all or such policies are mere window-dressing or even a sham.

To even the most casual observer it must be clear Mega does not fit into any of these categories. Most importantly the company has a robust DMCA-style policy that has even seen it remove its own founder’s music following a bogus DMCA complaint.

Conclusion

When a site fails to meet any of the criteria for inclusion in a piracy report yet still finds itself included, one needs to ask why. Sadly (and like NetNames before them) the creators of this otherwise enlightening report refuse to answer that simple question.

So why then have two big reports, both of which are likely to shape policy in the coming months and years, branded a legitimate file-hosting site a piracy haven?

If it’s because Mega is breaking the law, the aggrieved parties should step up to the plate and say so. Better still, those funding the report (the MPA) should have their lawyers do something about it.

If, however, it’s because Kim Dotcom founded Mega and everything he touches must now be destroyed at all costs, people should have the nerve to admit it. As noted earlier, both reports have their merits, but when suspicions of hidden agendas become apparent, their value is only diminished.

Mega informs TorrentFreak it is analyzing the report with its lawyers.

TorrentFreak: MPA Report Advises Outreach Campaign Against ‘Pirate’ Ads

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

As part of their war against the unauthorized sharing of copyrighted material online, entertainment industry groups and their affiliates commission reports to highlight how so-called ‘pirate’ sites operate.

In 2014, for example, research company NetNames published a report detailing the revenue streams for so-called ‘cyberlockers’. It was later used by a U.S. senator to pressure Visa and Mastercard to stop doing business with such sites.

With continued lobbying efforts in mind, a new report commissioned by the Motion Picture Association (MPA) has again been examining how so-called ‘pirate’ sites generate their income.

The study, carried out by UK-based Incopro, analyzes the revenue sources for the 250 most popular sites offering access to unlicensed content in Germany, Spain, France, Italy and United Kingdom. Due to some overlap in each country’s “most-popular 250” list, 622 sites in three categories (hosting, linking only, P2P) were examined overall.

Advertising, cash – or both

The company looked at two key areas of revenue generation – monies received from companies who advertise on the sites (intentionally or otherwise) and monies received from users who either pay or donate via payment methods including Visa, MasterCard and Bitcoin.

In its analysis Incopro found that 550 of the 622 sites surveyed carried advertising and 142 offered at least one payment method. An overlap between the two groups meant that 122 sites carried advertising and also accepted payments. With just 52 sites out of 622 carrying no advertising and accepting no payments, a total of 570 sites (91.6%) had at least one source of revenue.

The sources of revenue for each of the three site categories were broken down revealing that ‘linking only’ and ‘P2P portal’ sites rely heavily on advertising. ‘Hosting’ sites tended to have both advertising and payments, with free users being shown advertising and premium users often paying to avoid them.

Key advertising intermediaries

Since advertising is viewed as the most important source of revenue for the majority of the sites in the report, Incopro has attempted to identify which advertising intermediaries are responsible. While several companies each served up to 55 sites in the report, three entities are highlighted as market leaders.

“Analysis found that AdCash, Propellerads/OnClickAds….and DirectREV were the top three intermediaries to serve adverts across all unique sites in this study,” Incopro reports.

Noting that the report concentrates on the intermediaries delivering adverts to the 622 sites, Incopro says that opportunities exist to disrupt the flow of ads.

“One possible approach to this would be to engage with the Content Delivery Networks (CDNs) which do not serve the adverts independently but cache the creative elements that are called by ad tags served by other intermediaries. Consideration should be given to approaching the leading CDNs and working with them to block adverts served to unauthorised sites,” the company writes.

Advertising categories

Incopro says that the adverts observed in the study were placed into standard categories such as entertainment (5%), tech (5.9%), retail (6.6%), business/finance (7.4%), games (10%), adult (10.4%) and gambling (18.1%).

However, due to the high number of deceptive ads appearing on ‘pirate’ sites the company had to create a new group (‘Trick button/Malware’) which accounted for 31.5% of the total, the biggest group by far.

“The Trick Button/Malware types of advert typically do not mention the advertiser in the initial ad, and thus they are a form of ‘bait-and-switch’,” the company says.

“Typically, the user is presented with a button that says ‘download’ and/or ‘play’. Believing that these will lead to the desired file, the user then clicks the button. Once clicked, the user is prompted to download an executable file containing a potentially unwanted program.

“These Trick Buttons are a common feature of unauthorized sites and are worth looking at in more detail given the potentially damaging financial and emotional effect on the user.”

Finding that two companies (RevenueHits and Matomy Market) were responsible for up to 89% of these kinds of ads to the sites they serve, Incopro advises that some kind of campaign could be effective in turning users away from the sites serving them.

“Given the likelihood that end users will encounter potentially harmful software from these types of adverts across all types of site, awareness and outreach campaigns around this issue could be reinforced to help to discourage use of unauthorized sites,” the company writes.

Top advertisers

Regular European visitors to file-sharing related sites will be well aware of the high number of ads served up from gambling companies. Unsurprisingly the Incopro report reaches the same conclusion, finding that four out of the top five most prolific advertisers (Trick button ads excluded) are gambling companies.

“These companies may not be aware that their adverts are appearing on these sites and should be considered for an approach in order to once again frustrate the ability of an unauthorised site to generate ad revenue,” the report reads.

“For this reason, Trick button/PUP adverts have been excluded from this section in order to concentrate on companies that are potentially approachable.”

Payment methods

As highlighted earlier, 142 out of the 622 sites studied accept payments from users. Of interest, however, is how many different payment methods are utilized by those sites – 83 in all. In total, four broad areas were identified, as detailed in the image below.

Image: incop-3

“Host sites were the primary location for payment methods and accounted for 91% of all payment methods detected. Payment to the host site was predominantly via a ‘premium’ subscription service whereas other site types were more likely to accept payment for donations,” the report notes.

Advising again on possible mitigation measures, the report suggests that pressure on payment companies of all kinds could limit the use of their systems on “infringing” sites.

“Visa and MasterCard, the most observed payment service providers in this study, have responded to notifications in the past. In the same way that the major global Brands would most likely not wish to be associated with infringing websites because it could affect their reputation, these companies may feel the same,” Incopro writes.

“In the same way that the payment card providers can be asked to take action, payment processors can also be asked to take similar action to prevent transactions on those merchant accounts where they are facilitating the revenue generation of unauthorized sites.”

Despite best efforts so far, the image below reveals that the usual big names are still servicing the top “infringing” sites.

Image: incop-4

Conclusions

Overall, Incopro concludes that advertising is far and away the biggest source of revenue for the sites in their study.

“Given this reliance on advertising, concerted effort should be made by brands, agencies, and where possible, the authorities, to work together to persuade the various intermediaries to undermine these revenue streams,” the company says.

“Regarding payment methods, analysis has shown that the payment methods observed broadly consist of four transaction types on the unauthorized websites studied. These are the payment service providers like Visa and MasterCard, payment processors such as Liqpay and Dalpay, virtual wallets such as Google Wallet, RoboKassa and PayPal and resellers such as VIPKeys. Engagement with the first three is recommended. Resellers should be examined as a separate issue,” the company concludes.

Just like the NetNames report before it, this MPA-commissioned report will be cited by entertainment industry companies during the months to come to put yet more pressure on advertisers and payment companies alike. Whether that will be enough to stifle the revenue arms race will remain to be seen.

The full report can be downloaded here (pdf)

TorrentFreak: Mega’s Bid For Stock Exchange Listing Falls Through

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

During the first quarter of 2014, cloud-storage service Mega.co.nz announced its intention to hit the New Zealand stock exchange.

After being launched by Megaupload founder Kim Dotcom just a year earlier, the news was well received. However, in keeping with the complex life of the entrepreneur, the mission would not be straightforward.

In a process that began last March, Mega said it would aim for a backdoor listing on the New Zealand stock exchange via a reverse takeover of an existing company, TRS Investments.

In tandem, TRS said it had reached agreement to buy Mega Ltd through a share issue to Mega shareholders. Documents filed with the stock exchange put Mega’s value at NZ$210 million (US$155.7m).

Once the acquisition had been completed TRS planned to change its name to Mega but after several delays in previous months it became evident this morning that the deal would not be going ahead.

“As previously advised to the market, the proposed acquisition of Mega was conditional upon shareholder approval being obtained on or before 29 May 2015. It has become evident that this condition will not be satisfied within this time frame,” TRS said in a notice to the market.

“TRS has been advised overnight by Mega that the shareholders of Mega will not agree to an extension of the conditional date. As a consequence it will be the case that on 29 May, the conditions to the acquisition will not be satisfied, the share sale deed entered into between TRS and the Mega shareholders will terminate, and the proposed acquisition of Mega will not proceed.”

Speaking with TorrentFreak, Mega CEO Graham Gaylard acknowledged the development as a disappointment but insisted that the company had not been disadvantaged as a result.

“It’s disappointing that we could not make it work, given the amount of time and effort that Mega put into the transaction, but it is not seen as a setback for Mega. The company continues on as a private company,” Gaylard said.

The Mega CEO also confirmed that the company wouldn’t give up on its stock market aspirations.

“An exchange listing is definitely still on the horizon, but plans for this have not been worked on,” he said.

In the meantime Mega continues to grow. Gaylard informs TF that the company now has 18 million registered users, with an additional one million users signing up every month. The majority are on the company’s extremely generous free tier, so the challenge moving forward will be to upgrade as many as possible to premium subscription status.

That has not been without difficulty, however. While feedback from Mega’s customers is generally positive, action taken against the site in the United States has proved somewhat of a hindrance.

According to Mega, Senator Patrick Leahy put payment processors under pressure to stop providing services to certain file-hosting companies listed in a Netnames report published last year.

Following Leahy’s intervention, Visa and MasterCard then pressured PayPal to cease providing payment processing services to Mega, ostensibly on the basis that since content on Mega is encrypted, no one can confirm whether it is legitimate or not.

Following a period in which Mega could accept no payments, it is now able to do so through resellers. It’s a less than ideal situation but considering the levels of service offered by the company, it will be one that it hopes customers will take in their stride.

Krebs on Security: PayIvy Sells Your Online Accounts Via PayPal

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

Normally, if one wishes to buy stolen account credentials for paid online services like Netflix, Hulu, XBox Live or Spotify, the buyer needs to visit a cybercrime forum or drop into a dark Web marketplace that only accepts Bitcoin as payment. Increasingly, however, these accounts are showing up for sale at Payivy[dot]com, an open Web marketplace that happily accepts PayPal in exchange for a variety of stolen accounts.

A PayIvy seller advertising Netflix accounts for a dollar apiece. Unlike most sites selling hacked accounts, this one takes PayPal.

Marketed and sold by a Hackforums user named “Sh1eld” as a supposed method of selling ebooks and collecting payments for affiliate marketers, PayIvy has instead become a major conduit for hawking stolen accounts and credentials for a range of top Web services.

There is no central index of items for sale via PayIvy per se, but this catalog of cached sales threads offers a fairly representative glimpse: License keys for Adobe and Microsoft software products, user account credentials in bulk for services like Hulu, Netflix, Spotify, DirecTV and HBO Go, as well as a raft of gaming accounts at Origin, Steam, PlayStation and XBox Live. Other indexes at archive.is and PayIvy’s page at Reddit reveal similar results.

It’s not clear how or why PayPal isn’t shutting down most of these merchants, but some of the sellers clearly are testing things to see how far they can push it: In just five minutes of searching online, I found several PayIvy sellers who were accepting PayPal payments via PayIvy for…wait for it…hijacked PayPal accounts! The fact that PayIvy takes PayPal as payment means that buyers can purchase hacked accounts with [stolen] credit cards — or, worse yet, stolen PayPal accounts.

Jack Christin, Jr., associate general counsel at PayPal, said while the site itself is not in violation of its Acceptable Use Policies (AUP), there have been cases where PayPal has identified accounts selling goods that violate its policy and in those cases, the company has exited those merchants from its system.

“PayPal proactively monitors sellers with PayPal accounts who use the PayIvy platform to ensure the products they are selling are in compliance with our AUP, and we take appropriate action when violations are discovered,” Christin said.

The proprietor of PayIvy (quite possibly this guy, according to many of his fellow Hackforums users) makes money off of the service by selling “premium” accounts, which apparently offer repeat sellers a way to better track and manage their sales. Appropriately enough, among his ebook offerings via PayIvy is a tutorial on how to avoid getting one’s account banned or limited by PayPal. PayIvy did not respond to requests for comment.

Sh1eld makes clear how he feels about his users selling hacked accounts to pay services via his site in this thread, where he posts about takedown requests from a company representing Netflix.

“We are not under any obligation to follow any site’s TOS [terms of service],” he wrote. “However, we will take actions regarding copyrighted content, malicious files, or child pornography.”

I wonder how this individual would feel about people selling stolen PayIvy premium accounts?

If you’re curious about the underground’s interest in and valuation of your online accounts, take a look at my primers on this subject, including The Value of a Hacked Email Account and the Value of a Hacked PC. Want pointers on how to avoid becoming the next victim? Check out my Tools for a Safer PC tutorial.

TorrentFreak: Guide: How File-Sharers Can Ruin Their Online Privacy

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

Every single day one can hear do-gooders banging on endlessly about staying private on the Internet. It’s all encryption this and Edward Snowden that. Ignore them. They’re lunatics involved in a joint Illuminati / Scientologist conspiracy.

No, what Internet users need is a more care-free approach to online surveillance, one that allows them to relax into a zen-like state of blissful ignorance, free from the “Five Eyes” rantings of Kim Dotcom.

And there are plenty of real people already following this advice. Real events reported here on TF (and investigated by us over the past few months) have shown us that while operating in the world of file-sharing (especially if that involves releasing content or running a tracker) it is absolutely vital to lay down an easily followed trail of information. Here are some golden rules for doing just that.

Naming convention

If at all possible, file-sharers should incorporate their real-life names into their online nickname. Dave Mark Robinson should become DaveR at a minimum, but for greater effect DaveMR should be used. As adding in a date of birth allows significant narrowing down of identities, DaveMR1982 would be a near perfect choice.

This secret codename can then be used on any torrent site, but for best effect it should be used across multiple trackers at once so the user is more easily identified. But let’s not think too narrowly here.

As an added bonus, Dave should also ensure that the same nickname is used on sites that have absolutely nothing to do with his file-sharing. EBay profiles and YouTube accounts are perfect candidates, with the latter carrying some personally identifying videos, if at all possible. That said, Dave would be selling himself short if he didn’t also use the same names on…..

Social media

If Dave doesn’t have an active Facebook account which is easily linked to his file-sharing accounts, he is really missing out. Twitter is particularly useful when choosing the naming convention highlighted above since nicknames can often be cross-referenced with real names on Facebook, especially given the effort made in the previous section.

In addition to all the regular personal and family information readily input by people like Dave, file-sharing Facebook users really need to make sure they put up clear pictures of themselves and then ‘like’ content most closely related to the stuff they’re uploading. ‘Liking’ file-sharing related tools such as uTorrent is always recommended.

File-sharing sites

When DaveMR1982 signs up to (or even starts to run) a torrent site it’s really important that he uses an easy to remember password, ideally one used on several other sites. This could be a pet’s name, for example, but only if that pet gets a prominent mention on Facebook. Remember: make it easy for people, it saves so much time!

Dave’s participation in site forums is a must too. Ideally he will speak a lot about where he lives and his close family, as with the right care these can be easily cross-referenced with the information he previously input into Facebook. Interests and hobbies are always great topics for public discussion as these can be matched against items for sale on eBay, complete with item locations for added ease.

Also, Dave should never use a VPN if he wants his privacy shattered, with the no-log type a particular no-go. In the event he decides to use a seedbox he should pay for it himself using his own PayPal account, but only if that’s linked to his home address and personal bank account. Remember, bonus points for using the same nickname as earlier when signing up at the seedbox company!

Make friends and then turn them into enemies

Great friendships can be built on file-sharing sites but in order to maximize the risks of a major privacy invasion, personal information must be given freely to these almost complete strangers whenever possible.

In an ideal world, trusting relationships should be fostered with online ‘friends’ and then allowed to deteriorate into chaos amid a petty squabble, something often referred to in the torrent scene as a “tracker drama”. With any luck these people will discard friendships in an instant and spill the beans on a whim.

Domain registration

Under no circumstances should Dave register his domains with a protected WHOIS as although they can be circumvented, they do offer some level of protection. Instead (and to comply with necessary regulations) Dave should include his real home address and telephone number so he is easily identified.

If for some crazy reason that isn’t possible and Dave is forced to WHOIS-protect his domain, having other non-filesharing sites on the same server as his file-sharing site is always good for laying down breadcrumbs for the anti-privacy police. If the domains of those other sites don’t have a protected WHOIS, so much the better. Remember, make sure the address matches the home location mentioned on Facebook and the items for sale on eBay!

Conclusion

As the above shows, with practice it’s easy to completely compromise one’s privacy, whether participating in the file-sharing space or elsewhere. In the above guide we’ve simply cited some genuine real-life techniques used by people reported in previous TF articles published during the last year, but if you have better ideas at ruining privacy online, please feel free to add them in the comments.

TorrentFreak: Mega Ponders Legal Action in Response to Damaging Paypal Ban

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

September last year the Digital Citizens Alliance and NetNames released a report that looked into the business models of “shadowy” file-storage sites.

Titled “Behind The Cyberlocker Door: A Report How Shadowy Cyberlockers Use Credit Card Companies to Make Millions,” the report offers insight into the money streams that end up at these alleged pirate sites.

The research claims that the sites in question are mostly used for copyright infringement. But while there are indeed many shadowy hosting services, many were surprised to see the Kim Dotcom-founded Mega.co.nz on there.

For entertainment industry groups the report offered an opportunity to put pressure on Visa and MasterCard. In doing so they received support from U.S. Senator Patrick Leahy, who was also the lead sponsor of the defunct controversial Protect IP Act (PIPA).

Senator Leahy wrote a letter to the credit card companies claiming that the sites mentioned in the report have “no legitimate purpose or activity,” hoping they would cut their connections to the mentioned sites.

Visa and MasterCard took these concerns to heart and pressed PayPal to cut off its services to Mega, which eventually happened late last month. Interestingly, PayPal cited Mega’s end-to-end-encryption as one of the key problems, as that would make it harder to see what files users store.

The PayPal ban has been a huge blow for Mega, both reputation-wise and financially. And the realization that the controversial NetNames report is one of the main facilitators of the problems is all the more frustrating.

TorrentFreak spoke with CEO Graham Gaylard, who previously characterized the report as “grossly untrue and highly defamatory,” to discuss whether Mega still intends to take steps against the UK-based NetNames for their accusations.

Initially, taking legal action against NetNames for defamation was difficult, as UK law requires the complaining party to show economic damage. However, after the PayPal ban this shouldn’t be hard to do.

Gaylard is traveling through Europe at the moment and he notes that possible repercussions against the damaging report are high on the agenda.

“Yes, I am here to see Mega’s London-based legal counsel to discuss the next steps in progressing the NetNames’ response,” Gaylard informs TF.

Mega’s CEO couldn’t release any details on a possible defamation lawsuit, but he stressed that his company will fiercely defend itself against smear campaigns.

“Mega has been operating, and continues to operate a completely legitimate and transparent business. Unfortunately now, with the blatant, obvious, political pressure and industry lobbying against Mega, Mega needs to defend itself and will now cease taking a passive stance,” Gaylard says.

According to the CEO, Mega is running a perfectly legal business. The allegation that it’s a piracy haven is completely fabricated. Like any other storage provider, there is copyrighted content on Mega’s servers, but that’s a tiny fraction of the total stored.

To illustrate this, Gaylard mentions that they only receive a few hundred takedown notices per month. In addition, he notes more than 99.7% of the 18 million files that are uploaded per day are smaller than 20MB in size, not enough to share a movie or TV-show.

These statistics are certainly not the hallmark of a service with “no legitimate purpose or activity,” as was claimed.

While the PayPal ban is a major setback, Mega is still doing well in terms of growth. They have 15 million registered customers across 200 countries, and hundreds of thousands of new users join every month.


TorrentFreak: France’s New Online Piracy Battle Prepares For Launch

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

Across Europe, countries are continuing their struggle with online piracy, but France was the first brave enough to introduce a system of warning file-sharers.

The so-called Hadopi law received widespread coverage, with praise and criticism arriving from many corners, but the big question of whether the process has been effective has never been definitively answered.

Whatever the program’s achievements, if any, the French are still looking to reduce online copyright infringement in an attempt to boost the creative sector. Now the government has announced the next wave in its continuing anti-piracy drive.

Fleur Pellerin, France’s Minister of Culture and Communication, has now presented a paper to the Council of Ministers outlining a plan of action against all sites involved in online piracy. The range will be broad, to include sites that not only stream or offer copyrighted material for download, but also those that “take advantage” of pirate content in other ways.

The first part of the program is a familiar one. In common with the United States and the United Kingdom (1,2), where similar programs have been in place for some time, France will seek to deprive piracy-related websites of their revenue streams, with a particular focus on those that utilize advertising.

On March 23 at the Ministry of Culture and Communication, advertisers and advertising agencies will come together with representatives from rightsholder bodies to sign an anti-piracy charter. The agreement will formalize a commitment to keep advertising off platforms deemed to benefit from online piracy.

The next phase also mirrors developments elsewhere, particularly in the United States under pressure from government. Being able to process payments is crucial for some online file-sharing sites, particularly those in the file-hosting sector that rely on subscriptions to stay afloat. Moves by Visa, MasterCard and PayPal are already underway elsewhere, and negotiations in France will now commence with a view to the signing of an agreement in June 2015.

Continuing on the financial front the French Government says it will mobilize to fight against those benefiting from illegal channels of revenue and will consider “all the tax consequences of these activities.”

Site blocking is another anti-piracy method utilized extensively elsewhere and it’s clear that the French wish to follow the same path. Blocks against a handful of sites already exist but the Minister of Culture says that enhanced judicial efficiency and a system to monitor the effectiveness of these and other measures will be introduced.

Effectively rightsholders will still have to go to court to get sites blocked, but unlike the UK where they are relatively free to keep adding sites to blocklists as and when they see fit, in France they will still have to go back to court for enhanced blocking, if a site moves domain or introduces proxies for example.

Also on the cards is a sharpening of coordination between departments responsible for dealing with online piracy. To this end the Ministry of the Interior will assume responsibility for the direction of the fight against cybercrime.

Finally, the government will look at the role that sites like YouTube play in the distribution of unauthorized content. Sites will be expected to streamline their processes in ways that make it easier for rightsholders to monitor and remove unauthorized material.

Whether these measures will prove to be a boost to the entertainment sector remains to be seen, but it’s now clear that a coordinated and revenue-attacking response to dealing with piracy is now developing on a global scale.


TorrentFreak: Cyberlocker Traffic Plummets, But Not Mega

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

In the file-sharing world sites tend to be split into two camps – those that facilitate access to content held elsewhere (torrent sites) and those that host the content themselves.

What to call the sites in this latter category largely depends on the context. The generic “file-hoster” monicker works well for all, but the more recent term “cyberlocker” has somehow become associated with sites that have some kind of “rogue” business model attached.

Last September, NetNames produced a report about ‘cyberlockers’ and annoyed the operators of Mega.co.nz by categorizing the site as some kind of illicit operation. This week, only adding to the controversy, Mega revealed that U.S. government pressure had led to PayPal withdrawing its services from the company.

This week, several months after the publication of the NetNames report, we decided to take a look at how the file-hosting sites listed have been doing on the traffic front. According to Alexa they are mostly on a significant downward trend, but as we shall see that’s not universally the case. In fact, Mega appears to be doing particularly well.

The big losers

All of the sites in this section lost significant overall traffic during 2014 and early 2015. 4shared, Zippyshare, Turbobit, BitShare, LetitBit, FreakShare, 1fichier and 2shared all had big downward trends and, as illustrated by the charts below, October time seems to mark the beginning of most of the bad news.

[Chart: Alexa traffic trend]

That date closely coincides with Google’s downranking of sites for which it receives the most infringement notices. The change hit many major torrent sites causing immediate drops in traffic, but for others the change only seems to have brought good news.

The big winners

Mega.co.nz, a site included in the NetNames report but not indexed by Google due to the site’s own restrictions, appears to have reaped rewards where others have failed. Following a slump in the summer of 2014, the period since October 2014 has been nothing but a success story for the Kim Dotcom-founded operation.

[Chart: Alexa traffic trend]

Another site bucking the downward trend is UptoBox, a site which NetNames claims has around six million monthly users and $1.7 million in annual revenues. Despite Google receiving close to 368,000 complaints about the site, UpToBox has been doing better than ever since October 2014 when most of the other sites started to suffer. Only a small slump in January 2015 spoiled the party.

[Chart: Alexa traffic trend]

The others

RapidGator is one of the most popular file-hosting sites around but had a bit of a disappointing 2014. After starting the year strongly as one of the 500 most popular sites in the world, the site embarked on a steady downward trend and like most it took a big hit at the start of October when Google’s down-ranking began.

Between then and the end of 2014 it regained traffic to position itself where it had been during the summer. But in January came a new slump which took the site back down to its lowest traffic levels to date.

Another site on a general downward trend is Uploaded.net, but again the site’s traffic demonstrates some interesting features. After taking a big hit in October the site recovered somewhat, only to peak and begin dropping off again.

[Chart: Alexa traffic trend]

Overall

It’s fair to say that the majority of the big sites in the NetNames report are on a downward trend but sites like Mega are clearly able to buck the trend. Whether that’s due to the company’s charismatic founder, its end-to-end encryption or simply by being a good provider with a great service is up for debate. Nevertheless, an ability to avoid Google downranking punishments is certainly a plus and one that the company will be keen to maintain.


TorrentFreak: Which VPN Services Take Your Anonymity Seriously? 2015 Edition

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

By now most Internet users are well aware of the fact that pretty much every step they take on the Internet is logged or monitored.

To prevent their IP-addresses from being visible to the rest of the Internet, millions of people have signed up to a VPN service. Using a VPN allows users to use the Internet anonymously and prevent snooping.

Unfortunately, not all VPN services are as anonymous as they claim, as several incidents have shown in the past.

By popular demand we now present the fourth iteration of our VPN services “logging” review. In addition to questions about logging practices, we also asked VPN providers about other privacy sensitive policies, so prospective users can make an informed decision.

1. Do you keep ANY logs which would allow you to match an IP-address and a time stamp to a user of your service? If so, exactly what information do you hold and for how long?

2. Under what jurisdiction(s) does your company operate?

3. What tools are used to monitor and mitigate abuse of your service?

4. Do you use any external email providers (e.g. Google Apps) or support tools (e.g. Live support, Zendesk) that hold information provided by users?

5. In the event you receive a DMCA takedown notice or European equivalent, how are these handled?

6. What steps are taken when a valid court order requires your company to identify an active user of your service? Has this ever happened?

7. Does your company have a warrant canary or a similar solution to alert customers to gag orders?

8. Is BitTorrent and other file-sharing traffic allowed on all servers? If not, why?

9. Which payment systems do you use and how are these linked to individual user accounts?

10. What is the most secure VPN connection and encryption algorithm you would recommend to your users? Do you provide tools such as “kill switches” if a connection drops and DNS leak protection?

11. Do you use your own DNS servers? (if not, which servers do you use?)

12. Do you have physical control over your VPN servers and network or are they outsourced and hosted by a third party (if so, which ones)? Where are your servers located?

Below is the list of responses we received from various VPN providers, in their own words. In some cases we asked for further clarification. VPN providers who keep logs for longer than 7 days were excluded, as were others who simply failed to respond.

Please note that several VPN companies listed here do log to some extent. We therefore divided the responses into a category of providers who keep no logs (page 1/2) and one for those who keep usage and/or session logs (page 3). The order of the VPNs within each category holds no value.

We are also working on a convenient overview page as well as dedicated review pages for all providers, with the option for users to rate theirs and add a custom review. These will be added in the near future.

VPNs That Keep No Logs

Private Internet Access

1. We do not log, period. This includes, but is not limited to, any traffic data, DNS data or meta (session) data. Privacy IS our policy.

2. We choose to operate in the US in order to provide no logging service, as there is no mandatory data retention law in the US. Additionally, our beloved clients are given access to some of the strongest consumer protection laws, and thus, are able to purchase with confidence.

3. We do not monitor our users, period. That said, we have a proprietary system in place to help mitigate abuse.

4. We utilize SendGrid as an external mailing system and encourage users to create an anonymous e-mail when signing up depending on their adversarial risk level. Our support system is in-house as we utilize Kayako.

5. We have a proprietary system in place that allows us to comply in full with DMCA takedown notices without disrupting our users’ privacy. Because we do not log our users’ activities in order to protect and respect their privacy, we are unable to identify particular users that may be infringing the lawful copyrights of others.

6. We do not log and therefore are unable to provide information about any users of our service. We have not, to date, been served with a valid court order that has required us to provide something we do not have.

7. We do not have a warrant canary in place at this time as the concept of a warrant canary is, in fact, flawed at this time, or in other words, is “security theater.”

8. We do not attempt to filter, monitor, censor or interfere in our users’ activity in any way, shape or form. BitTorrent is, by definition, allowed.

9. We utilize a variety of payment systems including, but not limited to, PayPal, Stripe, Amazon, Google, Bitcoin, Stellar, CashU, Ripple, Most Major Store Bought Gift card, PIA Gift cards (available in retail stores for “cash”), and more. We utilize a hashing system to keep track of payments and credit them properly while ensuring the strongest levels of privacy for our users.

10. The most secure VPN connection and encryption algorithm that we would recommend to our users would be our suite of AES-256, RSA 4096 and SHA1 or 256. However, AES-128 should still be considered quite safe. For users of Private Internet Access specifically, we offer addon tools to help ensure our beloved clients’ privacies including:

– Kill Switch : Ensures that traffic is only routed through the VPN such that if the VPN connection is unexpectedly terminated, the traffic would simply not be routed.
– IPv6 Leak Protection : Protects clients from websites which may include IPv6 embeds which could leak IPv6 IP information.
– DNS Leak Protection : This is built in and ensures that DNS requests are made through the VPN on a safe, private no-log DNS daemon.
– Shared IP System : We mix clients’ traffic with many clients’ traffic through the use of an anonymous shared-IP system ensuring that our users blend in with the crowd.

11. We are currently using our own DNS caching.

12. We utilize third party datacenters that are operated by trusted friends and, now, business partners who we have met and completed our due diligence on. Our servers are located in: USA, Canada, UK, Switzerland, Amsterdam, Sweden, Paris, Germany, Romania, Hong Kong, Israel, Australia and Japan. We have over 2,000 servers deployed at the time of writing with over 1,000 in manufacture/shipment at this time.

Private Internet Access website
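The kill switch and DNS leak protection that question 10 asks about can be checked from a client's routing table. The sketch below is an added example, not code from TorrentFreak or from any provider listed here; the routing table, resolver list, interface names (`tun0`, `wlan0`) and addresses are constructed, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample: `ip route` output on a Linux client with an OpenVPN
# tunnel up (tun0) and a Wi-Fi uplink (wlan0). All addresses are made up.
ROUTES_VPN_UP = """\
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev wlan0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.50
203.0.113.10 via 192.168.1.1 dev wlan0
"""

# Same table without the fallback default route on the physical interface:
# one route-based way to get kill-switch behaviour (an assumption for this
# example; real clients usually enforce it with firewall rules instead).
ROUTES_NO_FALLBACK = "\n".join(
    line for line in ROUTES_VPN_UP.splitlines() if not line.startswith("default")
)

# Constructed resolver list, as it might appear in /etc/resolv.conf.
RESOLVERS = ["10.8.0.1", "192.168.1.1"]


def parse_routes(text):
    """Return [(network, device)] parsed from `ip route`-style lines."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if "dev" not in fields or fields[-1] == "dev":
            continue  # blank line or no usable device field
        dest = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        network = ipaddress.ip_network(dest, strict=False)
        device = fields[fields.index("dev") + 1]
        routes.append((network, device))
    return routes


def egress_device(routes, address):
    """Longest-prefix match: which interface would carry traffic to address?"""
    ip = ipaddress.ip_address(address)
    matches = [(net.prefixlen, dev) for net, dev in routes if ip in net]
    return max(matches)[1] if matches else None


def dns_leaks(routes, resolvers, tunnel_dev):
    """Resolvers whose queries would leave on anything but the tunnel."""
    return [r for r in resolvers if egress_device(routes, r) != tunnel_dev]


def exposed_after_drop(routes, tunnel_dev, destinations):
    """Simulate an unexpected tunnel loss by removing the tunnel's routes.

    Returns {destination: device} for every destination that would still
    be routed, i.e. traffic that would continue outside the VPN.
    """
    remaining = [(net, dev) for net, dev in routes if dev != tunnel_dev]
    exposed = {}
    for dest in destinations:
        dev = egress_device(remaining, dest)
        if dev is not None:
            exposed[dest] = dev
    return exposed


if __name__ == "__main__":
    up = parse_routes(ROUTES_VPN_UP)
    print("DNS leaks:", dns_leaks(up, RESOLVERS, "tun0"))
    print("Exposed after drop:", exposed_after_drop(up, "tun0", ["198.51.100.7"]))
    guarded = parse_routes(ROUTES_NO_FALLBACK)
    print("With no fallback route:", exposed_after_drop(guarded, "tun0", ["198.51.100.7"]))
```

The LAN resolver is flagged because the local /24 route is more specific than the two /1 routes OpenVPN installs, which is the usual way a DNS leak arises on an otherwise tunnelled client.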

TorGuard

1. No logs are kept whatsoever. TorGuard does not store any traffic logs or user session data on our network because since day one we engineered every aspect of the operation from the ground up, permitting us full control over the smallest details. In addition to a strict no logging policy we run a shared IP configuration that provides an added layer of anonymity to all users. With hundreds of active sessions sharing a single IP address at any given time it becomes impossible to back trace usage.

2. At the time of this writing our headquarters currently operates from the United States. Due to the lack of data retention laws in the US, our legal team has determined this location to be in the best interest of privacy for the time being. Although TorGuard’s HQ is in the US, we take the commitment to user privacy seriously and will uphold this obligation at all costs, even if it means transferring services or relocating company assets.

3. Our network team uses a combination of open source monitoring apps and custom developed tools to mitigate any ongoing abuse of our services. This allows us to closely monitor server load and uptime so we can pinpoint and resolve potential problems quickly. If abuse reports are received from an upstream provider, we block them in real-time by employing various levels of firewall rules to large blocks of servers. Should these methods fail, our team is quick to recycle entire IP blocks and re-deploy new servers as a last resort.

4. For basic troubleshooting and customer service purposes we utilize Livechatinc for our chat support. TorGuard staff does make use of Google Apps for company email, however no identifying client information like passwords, or billing info is ever shared among either of these platforms. All clients retain full control over account changes in our secure member’s area without any information passing through an insecure channel.

5. Because we do not host any content it is not possible for us to remove anything from a server. In the event a DMCA notice is received it is immediately processed by our abuse team. Due to our shared network configuration we are unable to forward any requests to a single user. In order to satisfy legal requirements from bandwidth providers we may temporarily block infringing protocols, ports, or IPs.

6. If a court order is received, it is first handled by our legal team and examined for validity in our jurisdiction. Should it be deemed valid, our legal representation would be forced to further explain the nature of a shared IP configuration and the fact that we do not hold any identifying logs. No, we remain unable to identify any active user from an external IP address and time stamp.

7. No, at this time we do not have a warrant canary.

8. Yes, TorGuard was designed with the BitTorrent enthusiast in mind. P2P is allowed on all servers, although for best performance we suggest using locations that are optimized for torrents. Users can find these servers clearly labeled in our VPN software.

9. We currently accept over 200 different payment options through all forms of credit card, PayPal, Bitcoin, altcoins (e.g. dogecoin, litecoin + more), Paysafecard, Alipay, CashU, Gift Cards, and many other methods. No usage can be linked back to a billing account due to the fact that we maintain zero logs across our network.

10. For best security we advise clients to use OpenVPN connections only and for encryption use AES256 with 2048bit RSA. Additionally, TorGuard VPN offers “Stealth” protection against DPI (Deep Packet Inspection) interference from a nosey ISP so you can access the open web freely even from behind the Great Firewall of China. These options are available on select locations and offer excellent security due to the cryptography techniques used to obfuscate traffic. Our VPN software uses OpenVPN exclusively and features built in DNS leak protection, an App Killswitch, and a connection Killswitch. We have also just released a built in WebRTC leak block feature for Windows Vista/7/8 users.

11. Yes, we offer private, no log DNS servers which can be obtained by contacting our support desk. By default we also use Google DNS and OpenDNS for performance reasons on select servers.

12. TorGuard currently maintains 1000+ servers in over 44 countries around the world and we continue to expand the network every month. We retain full physical control over all hardware and only seek partnerships with data centers who can meet our strict security criteria. All servers are deployed and managed exclusively by our in house networking team via a single, secure key. We have servers in Australia, Belgium, Brazil, Canada, China, Costa Rica, Czech Republic, Denmark, Egypt, Finland, France, Germany, Greece, Hong Kong, Iceland, India, Indonesia, Ireland, Italy, Japan, Korea, Latvia, Luxembourg, Malaysia, Mexico, Netherlands, New Zealand, Norway, Panama, Poland, Portugal, Romania, Russia, Saudi Arabia, Singapore, South Africa, Spain, Sweden, Switzerland, Tunisia, Turkey, United Kingdom, USA, and Vietnam.

TorGuard website

IPVanish

1. IPVanish has a zero-log policy. We keep NO traffic logs on any customer, ever.

2. IPVanish is headquartered in the US and thus operates under US law.

3. IPVanish monitors CPU utilization, bandwidth and connection counts. When thresholds are passed, a server may be removed from rotation as to not affect other users.

4. IPVanish does not use any external support tools that hold user information. We do, however, operate an opt-in newsletter that is hosted at Constant Contact. Customers are in no way obligated to sign up for the newsletter.

5. IPVanish keeps no logs of any user’s activity and responds accordingly.

6. IPVanish, like every other company, follows the law in order to remain in business. Only US law applies.

7. No.

8. P2P is permitted. IPVanish does not block or throttle any ports, protocols, servers or any type of traffic whatsoever.

9. Bitcoin, PayPal and all major credit cards are accepted. Payments and service use are in no way linked. User authentication and billing info are also managed on completely different and independent platforms.

10. We recommend OpenVPN with 256 bit AES as the most secure VPN connection and encryption algorithm. IPVanish’s service and software also currently provide DNS leak prevention. We are developing a kill switch in upcoming releases of our software.

11. IPVanish does use its own DNS servers. Local DNS is handled by the server a user connects to.

12. IPVanish is one of the only tier-1 VPN networks, meaning we own and operate every aspect of our VPN platform, including physical control of our VPN servers. This gives IPVanish users security and speed advantages over other VPN services. IPVanish servers can be found in over 60 countries including the US, UK, Canada, Netherlands and Australia.

IPVanish website

IVPN

1. No, this is fundamental to the service we provide. It is also in our interests not to do so as it minimizes our own liability.

2. Gibraltar. In 2014 we decided to move the company from Malta to Gibraltar in light of the new 2015 EU VAT regulations which affect all VPN service providers based in the EU. The EU VAT regulations now require companies to collect two pieces of non-conflicting evidence about the location of a customer; this would be at a minimum the customer’s physical address and IP address.

3. We have built a number of bespoke systems over the last 5 years as we’ve encountered and addressed most types of abuse. At a high level we use Zabbix, an open-source monitoring tool that alerts us to incidents. As examples we have built an anti-spam rate-limiter based on iptables so we don’t have to block any email ports and forked a tool called PSAD which allows us to detect attacks originating from our own network in real time.

4. No. We made a strategic decision from the beginning that no company or customer data would ever be stored on 3rd party systems. Our customer support software, email, web analytics (Piwik), issue tracker, monitoring servers, code repos, configuration management servers etc. all run on our own dedicated servers that we set up, configure and manage.

5. Our legal department sends a reply stating that we do not store content on our servers and that our VPN servers act only as a conduit for data. In addition, we never store the IP addresses of customers connected to our network nor are we legally required to do so.

6. That would depend on the information with which we were provided. If asked to identify a customer based on a timestamp and/or IP address then we would reply factually that we do not store this information, so we are unable to provide it. If they provide us with an email address and asked for the customer’s identity then we reply that we do not store any personal data, we only store a customer’s email address. If the company were served with a valid court order that did not breach the Data Protection Act 2004 we could only confirm that an email address was or was not associated with an active account at the time in question. We have never been served with a valid court order.

7. Yes absolutely, we’ve published a canary since August 2014.

8. Yes, we don’t block BitTorrent or any other protocol on any of our servers. We do kindly request that our customers use non-USA based exit servers for P2P. Any company receiving a large number of DMCA notices is exposing themselves to legal action and our upstream providers have threatened to disconnect our servers in the past.

9. We accept Bitcoin, Cash and Paypal. When using cash there is no link to a user account within our system. When using Bitcoin, we store the Bitcoin transaction ID in our system. If you wish to remain anonymous to IVPN you should take the necessary precautions when purchasing Bitcoin (See part 7 of our advanced privacy guides). With Paypal we store the subscription ID in our system so we can associate incoming subscription payments. This information is deleted immediately when an account is terminated.

10. We provide RSA-4096 / AES-256 with OpenVPN, which we believe is more than secure enough for our customers’ needs. If you are the target of a state level adversary or other such well-funded body you should be far more concerned with increasing your general opsec than worrying about 2048 vs 4096 bit keys. The IVPN client offers an advanced VPN firewall that blocks every type of IP leak possible (DNS, network failures, WebRTC STUN, IPv6 etc.). It also has an ‘always on’ mode that will be activated on boot before any process on the computer starts. This will ensure that no packets are ever able to leak outside of the VPN tunnel.

11. Yes. Once connected to the VPN all DNS requests are sent to our pool of internal recursive DNS servers. We do not use forwarding DNS servers that forward the requests to a public DNS server such as OpenDNS or Google.

12. We use dedicated servers leased from 3rd party data centers in each country where we have a presence. We employ software controls such as full disk encryption and no logging to ensure that if a server is ever seized its data is worthless. We also operate a multi-hop network so customers can choose an entry and exit server in different jurisdictions to make the adversary’s job of correlating the traffic entering and exiting our network significantly more complicated. We have servers located in Switzerland, Germany, Iceland, Netherlands, Romania, France, Hong-Kong, USA, UK and Canada.

IVPN website

PrivateVPN

1. We don’t keep ANY logs that allow us or a 3rd party to match an IP address and a time stamp to a user of our service. The only thing we log are e-mails and user names but it’s not possible to bind an activity on the Internet to a user on PrivateVPN.

2. We operate in Swedish jurisdiction.

3. If there’s abuse, we advise that service to block our IP in the first instance, and second, we can block traffic to the abused service.

4. No. We use a service from Provide Support (ToS) for live support. They do not hold any information about the chat session. From Provide support: Chat conversation transcripts are not stored on Provide Support chat servers. They remain on the chat server for the duration of the chat session, then optionally sent by email according to the user account settings, and then destroyed.

5. This depends on the country in which we’re receiving a DMCA takedown. For example, we’ve received a DMCA takedown for UK and Finland and our response was to close P2P traffic in those countries.

6. If we get a court order to monitor a specific IP then we need to do it, and this applies to every VPN company out there.

7. We’re working on a solution where we publish a statement that we haven’t received legal process. Once we receive a legal process, this canary statement is removed.

8. Yes, we allow Torrent traffic.

9. PayPal, Payson, 2Checkout and Bitcoin. Every payment has an order number, which is linked to a user. Otherwise we wouldn’t know who has made a payment. To be clear, you can’t link a payment to an IP address you get from us.

10. OpenVPN TUN with AES-256. On top is a 2048-bit DH key. For our Windows VPN client, we have a feature called “Connection guard”, which will close a selected program(s) if the connection drops. We have no tools for DNS leak but we’re working on a protection that detects the DNS leak and fixes this by changing to a secure DNS server.

11. We use a DNS from Censurfridns.

12. We have physical control over our servers and network in Sweden. All other servers and networks are hosted by ReTN, Kaia Global Networks, Leaseweb, FDCServers, Blix, Zen systems, Wholesale Internet, Creanova, UK2, Fastweb, Server.lu, Selectel, Amanah and Netrouting. We have servers located in: Sweden, United States, Switzerland, Great Britain, France, Denmark, Luxembourg, Finland, Norway, Romania, Russia, Germany, Netherlands, Canada and Ukraine.

PrivateVPN website

PRQ

1. No

2. Swedish

3. Our own.

4. No

5. We do not care about DMCA.

6. We only require a working e-mail address to be a customer, no other information is kept.

7. No.

8. As long as the usage doesn’t violate the ToS, we do not care.

9. None of the payment methods are linked to a user.

10. OpenVPN, customers have to monitor their service/usage.

11. Yes.

12. Everything is inhouse in Sweden.

PRQ website

Mullvad

1. No. This would make both us and our users more vulnerable so we certainly don’t. To make it harder to watch the activities of an IP address from the outside we also have many users sharing addresses, both for IPv4 and IPv6.

2. Swedish.

3. We don’t monitor our users. In the rare cases of such egregious network abuse that we can’t help but notice (such as DoS attacks) we stop it using basic network tools.

4. We do use external providers and encourage people sending us email to use PGP encryption, which is the only effective way to keep email somewhat private. The decrypted content is only available to us.

5. There is no such Swedish law that is applicable to us.

6. We get requests from governments from time to time. They never get any information about our users. We make sure not to store sensitive information that can be tied to publicly available information, so that we have nothing to give out. We believe it is not possible in Swedish law to construct a court order that would compel us to actually give out information about our users. Not that we would anyway. We started this service for political reasons and would rather discontinue it than having it work against its purpose.

7. Under current Swedish law there is no way for them to force us to secretly act against our users so a warrant canary would serve no purpose. Also, we would not continue to operate under such conditions anyway.

8. Yes.

9. Bitcoin (we were the first service to accept it), cash (in the mail), bank transfers, and PayPal / credit cards. Payments are tied to accounts but accounts are just random numbers with no personal information attached that users can create at will. With the anonymous payments possible with cash and Bitcoin it can be anonymous all the way.

10. OpenVPN (using the Mullvad client program). Regarding crypto, ideally we would recommend Ed25519 for certificates, Curve25519 for key exchange (ECDHE), and ChaCha20-Poly1305 for data streams but that suite isn’t supported by OpenVPN. We therefore recommend and by default use RSA-2048, D-H (DHE) and AES-256-CBC-SHA. We have a “kill switch,” DNS leak protection and IPv6 leak protection (and IPv6 tunnelling).

11. Yes, we use our own DNS servers.

12. We have a range of servers. From on one end servers lovingly assembled and configured by us with ambitious physical security in data centers owned and operated by people we trust personally and whose ideology we like. On the other end rented hardware in big data centers. Which to use depends on the threat model and performance requirements. Currently we have servers hosted by GleSYS Internet Services, 31173 Services and Leaseweb in Sweden, the Netherlands, USA and Germany.

Mullvad website

BolehVPN

1. No.

2. Malaysia. This may change in the near future and we will post an announcement when this is confirmed.

3. We do monitor general traffic patterns to see if there is any unusual activity that would warrant a further investigation.

4. We use ZenDesk and Zopim but are moving to use OSTicket which is open source. This should happen in the next 1-2 months.

5. Generally we work with the providers to resolve the issue and we have never given up any of our customer information. Generally we terminate our relationship with the provider if this is not acceptable. Our US servers under DMCA jurisdiction or UK (European equivalent) have P2P locked down.

6. This has not happened yet but we do not keep any user logs so there is not much that can be provided especially if the payment is via an anonymous channel. One of our founders is a lawyer so such requests will be examined on their validity and we will resist such requests if done without proper cause or legal backing.

7. Yes.

8. Yes it is allowed except on those marked Surfing-Streaming only which are restricted either due to the provider’s policies or limited bandwidth.

9. We use MolPay, PayPal, Coinbase, Coinpayments and direct deposits. On our system it is only marked with the Invoice ID, the account it’s for, the method of payment and whether it’s paid or not. We however of course do not have control of what is stored with the payment providers.

10. Our Cloak configurations implement 256 bit AES and a SHA-512 HMAC combined with a scrambling obfuscation layer. We do have a lock down/kill switch feature and DNS leak protection.

11. Yes we do use our own DNS servers.

12. Our VPN servers are hosted by third parties however for competitive reasons, we rather not mention our providers (not that it would be hard to find out with some digging). However none of these servers hold anything sensitive as they are authenticated purely using PKI infrastructure and as long as our users regularly update their configurations they should be fine. We do however have physical control over the servers that handle our customer’s information.

BolehVPN website

NordVPN

1. Do we keep logs? What is that? Seriously, we have a strict no-logs policy over our customers. The only information we keep is customers’ e-mail addresses which are needed for our service registration (we keep the e-mail addresses until the customer closes the account).

2. NordVPN is based out of Panama.

3. No tools are used to monitor our customers in any case. We are only able to see the servers’ load, which helps us optimize our service and provide the best possible Internet speed to our users.

4. We use the third-party live support tool, but it is not linked to the customers’ accounts.

5. When we receive any type of legal notices, we cannot do anything more than to ignore them, simply because they have no legal bearing to us. Since we are based in Panama, all legal notices have to be dealt with according to Panamanian laws first. Luckily they are very friendly to Internet users.

6. If we receive a valid court order, firstly it would have to comply with the laws of Panama. In that case, the court settlement should happen in Panama first, however were this to happen, we would not be able to provide any information because we keep exactly nothing about our users.

7. We do not have a warrant canary or any other alert system, because as it was mentioned above, we operate under the laws of Panama and we guarantee that any information about our customers will not be distributed to any third party.

8. We do not restrict any BitTorrent or other file-sharing applications on most of our servers.

9. We accept payments via Bitcoin, Credit Card, PayPal, Banklink, Webmoney (Paysera). Bitcoin is the best payment option to maintain your anonymity as it has only the paid amount linked to the client. Users who purchase services via PayPal are linked with the usual information the seller can see about the buyer.

10. We have high anonymity solutions which we would like to recommend to everyone seeking real privacy. One of them is Double VPN. The traffic is routed through at least two hops before it reaches the Internet. The connection is encrypted within two layers of cipher AES-256-CBC encryption. Another security solution – Tor over VPN. Firstly, the traffic is encrypted within NordVPN layer and later sent to the Tor network and exits to the Internet through one of the Tor exit relays. Both of these security solutions give a great encryption and anonymity combination. The benefit of using these solutions is that the chances of being tracked are eliminated. In addition, you are able to access .onion websites when connected to Tor over VPN. Furthermore, our regular servers have a strong encryption which is 2048bit SSL for OpenVPN protocol, AES-256bit for L2TP.

In addition to that, we have advanced security solutions, such as the “kill switch” and DNS leak protection which provide the maximum possible security level for our customers.

11. NordVPN has its own DNS servers, also our customers can use any DNS server they like.

12. Our servers are outsourced and hosted by third parties. Currently our servers are in 26 countries: Australia, Austria, Brazil, Canada, Chile, France, Germany, Hong Kong, Iceland, Isle of Man, Israel, Italy, Liechtenstein, Lithuania, Netherlands, Panama, Poland, Romania, Russia, Singapore, South Africa, Spain, Sweden, Switzerland, United Kingdom and United States.

NordVPN website

TorrentPrivacy


1. We don’t keep any logs with IP addresses. The only information we save is an email. It’s impossible to connect specific activity to a user.

2. Our company is under Seychelles jurisdiction.

3. We do not monitor any user’s traffic or activity for any reason.

4. We use third-party solutions for user communications and emailing. Both are running on our servers.

5. We have small amount of abuses. Usually we receive them through email and all of them are bot generated. As we don’t keep any content we just answer that we don’t have anything or ignore them.

6. It has never happened for 8 years. We will ignore any requests from all jurisdiction except Seychelles. We have no information regarding our customers’ IP addresses and activity on the Internet.

7. No, we don’t bother our users.

8. Yes we support all kind of traffic on all servers.

9. We are using PayPal but payment as a fact proves nothing. Also we are going to expand our payment types for the crypto currencies in the nearest future.

10. We are recommending to use the most simple and secure way — OpenVPN with AES-256 encryption. To protect the torrent downloads we suggest to create a proxy SSH tunnel for your torrent client. In this case you are encrypting only your P2P connection when your browser or Skype uses your default connection. When using standard VPN in case of disconnection your data flows unencrypted. Implementing our SSH tunnel will save from such leaking cause traffic will be stopped.

11. Yes. We are using our own DNS servers.

12. We use third party datacenters for VPN and SSH data transmission in the USA, UK and Netherlands. The whole system is located on our own servers.

TorrentPrivacy website

Proxy.sh

1. We do not keep any log at all.

2. Republic of Seychelles. And of course, every jurisdiction where each of our servers are, for their specific cases.

3. IPtables, TCPdump and Wireshark, for which their use is always informed at least 24 hours in advance via our Network Alerts and/or Transparency Report.

4. All our emails, panels and support are in-house. We host our own WHMCS instance for billing and support. We host server details, project management and financial management on Redmine that we of course self-run. The only third-party connections we have are Google Analytics and Google Translate on our public website (not panel), for obvious convenience gains, but the data they fetch can easily be hidden or faked. We may also sometimes route email through Mandrill but never with user information. We also have our OpenVPN client’s code hosted at Github, but this is because we are preparing to open source it.

5. We block the affected port and explain to upstream provider and/or complainant that we cannot identify the user who did the infringement, and we can therefore not pass the notice on. We also publish a transparency report and send a copy to the Chilling Effects Clearinghouse. If there are too many infringements, we may block all ports and strengthen firewall rules to satisfy upstream provider, but this may lead us to simply drop the server on short-term due to it becoming unusable.

6. We first post the court order to public and inform our users through our blog, much-followed Twitter account, transparency report and/or network alert. If we are unable to do so, we use our warrant canary. Then, we would explain to the court that we have no technical capacity to identify the user and we are ready to give access to competent and legitimate forensic experts. To this date, no valid court order has been received and acknowledged by us.

7. Yes, proxy.sh/canary.

8. We do not discriminate activity across our network. We are unable to decrypt traffic to differentiate file-sharing traffic from other activities, and this would be against our ethics anyway. The use of BitTorrent and similar is solely limited to the fact you can whether open/use the ports you wish for it on a selected server.

9. We support hundreds of payment methods, from PayPal to Bitcoin through SMS to Ukash and Paysafecard. We use third-party payment providers who handle and carry themselves the payments and the associated user information needed for them (e.g. a name with a credit card). We never have access to those. When we need to identify a payment for a user, we always need to ask him or her for references (to then ask the payment provider if the payment exists) because we do not originally have them. Last but not least, we also have an option to kill accounts and turn them into completely anonymous tokens with no panel or membership link at all, for the most paranoid customers (in the positive sense of the term).

10. We currently provide Serpent in non-stable & limited beta and it is the strongest encryption algorithm we have. We also openly provide to our experienced users ECDH curve secp384r1 and curve25519 through a 4096-bit Diffie-Hellman key. We definitely recommend such a setup but it requires software compiling skills (you need OpenVPN’s master branch). This setup also allows you to enjoy OpenVPN’s XOR capacity for scrambling traffic. We also provide integration of TOR’s obfsproxy for similar ends. Finally, for more neophyte users, we provide 4096-bit RSA as default standard. It is the strongest encryption that latest stable OpenVPN provides. Cipher and hash are the strongest available and respectively 256-bit CBC/AES and SHA512. Our custom OpenVPN client of course provides a kill switch and DNS leak protection.

11. Yes, we provide our own OpenNIC DNS servers as well as DNSCrypt capacity.

12. We use a mix of collocation (physically-owned), dedicated and virtual private servers – also known as a private/public cloud combination. All our VPN servers are running from RAM and are disintegrated on shutdown or reboot. About two-third of them are in the public cloud (especially for most exotic locations). Our network spans across more than 40 countries.

Proxy.sh website

HideIPVPN

1. We have revised our policy. Currently we store no logs related to any IP address. There is no way for any third-party to match user IP to any specific activity in the internet.

2. We operate under US jurisdiction.

3. We would have to get into details of each individual point of our ToS. For basics like P2P and torrent traffic on servers that do not allow for such transmissions or connecting to more than three VPN servers at the same time by the same user account. But we do not monitor users’ traffic. Also, since our users use shared IP address of VPN server, there is no way any third party could connect any online activity to a user’s IP address.

4. We are using Google apps for incoming mail and our own mail server for outgoing mail.

5. Since no information is stored on any of our servers there is nothing that we can take down. We reply to the data center or copyright holder that we do not log our users’ traffic and we use shared IP-addresses, which makes it impossible to track who downloaded any data from the internet using our VPN.

6. We would reply that we do not have measures that would allow us to identify a specific user. It has not happened so far.

7. Currently not. We will consider if our customers would welcome such a feature. So far we have never been asked for such information.

8. This type of traffic is welcomed on our German (DE VPN) and Dutch (NL VPN) servers. It is not allowed on US, UK and Canada servers as stated in our ToS – reason for this is our agreements with data centers. We also have a specific VPN plan for torrents.

9. Currently HideIPVPN accepts the following methods: PayPal, Bitcoin, Credit & Debit cards, AliPay, Web Money, Yandex Money, Boleto Bancario, Qiwi.

10. We would say SoftEther VPN protocol looks very promising and secure. Users can currently use our VPN applications on Windows and OSX systems. Both versions have a “kill switch” feature in case connection drops. Also, our apps are able to re-establish VPN connection and once active restart closed applications.

Currently our software does not provide DNS leak protection. However a new version of VPN client is in the works and will be updated with such a feature. We can let you know once it is out. At this time we can say it will be very soon.

11. For VPN we use Google DNS servers, and for SmartDNS we use our own DNS servers.

12. We don’t have physical control of our VPN servers. Servers are outsourced in premium datacenters with high quality tier1 networks. Countries now include – US/UK/NL/DE/CA

HideIPVPN website

BTGuard

1. We do not keep any logs whatsoever.

2. United States

3. Custom programs that analyze traffic on the fly and do not store logs.

4. No, all data is stored on servers we control.

5. We do not have any open incoming ports, so it’s not possible for us to “takedown” any broadcasting content.

6. We would take every step within the law to fight such an order and it has never happened.

7. No.

8. Yes, all types of traffic are allowed with our services.

9. We accept PayPal and Bitcoin. All payments are linked to users’ accounts because they have to be for disputes and refunds.

10. We recommend OpenVPN and 128-bit blowfish. We offer instructions for some third party VPN monitoring software.

11. We use our own DNS servers.

12. We have physical control over all our servers. Our servers we offer services with are located in the Netherlands, Canada, and Singapore. Our mail servers are located in Luxembourg.

BTGuard website

SlickVPN

1. SlickVPN does not log any traffic nor session data of any kind.

2. We operate a complex business structure with multiple layers of Offshore Holding Companies, Subsidiary Holding Companies, and finally some Operating Companies to help protect our interests. We will not disclose the exact hierarchy of our corporate structures, but will say the main marketing entity for our business is based in the United States of America and an operational entity is based out of Nevis.

3. We do not monitor any customer’s activity in any way. We have chosen to disallow outgoing SMTP which helps mitigate SPAM issues.

4. No. We do utilize third party email systems to contact clients who opt in for our newsletters.

5. If a valid DMCA complaint is received while the offending connection is still active, we stop the session and notify the active user of that session, otherwise we are unable to act on any complaint as we have no way of tracking down the user. It is important to note that we ALMOST NEVER receive a VALID DMCA complaint while a user is still in an active session.

6. Our customer’s privacy is of top most importance to us. We are required to comply with all valid court orders. We would proceed with the court order with complete transparency, but we have no data to provide any court in any jurisdiction. We would not rule out relocating our businesses to a new jurisdiction if required.

7. Yes. We maintain a passive warrant canary, updated weekly, and are investigating a way to legally provide a passive warrant canary which will be customized on a “per user” basis, allowing each user to check their account status individually. It is important to note that the person(s) responsible for updating our warrant canary are located outside of any of the countries where our servers are located.

8. Yes, all traffic is allowed.

9. We accept PayPal, Credit Cards, Bitcoin, Cash, and Money Orders. We keep user authentication and billing information on independent platforms. One platform is operated out of the United States of America and the other platform is operated out of Nevis. We offer the ability for the customer to permanently delete their payment information from our servers at any point. All customer data is automatically removed from our records shortly after the customer ceases being a paying member.

10. We recommend using OpenVPN if at all possible (available for Windows, Apple, Linux, iOS, Android) and it uses the AES-256-CBC algorithm for encryption.

Our Windows and Mac client incorporates IP and DNS leak protection which prevents DNS leaks and provides better protection than ordinary ‘kill-switches’. Our IP leak protection proactively keeps your IP from leaking to the internet. This was one of the first features we discussed internally when we were developing our network, it is a necessity for any good VPN provider.

11. Yes.

12. We run a mix. We physically control some of our server locations where we have a heavier load. Other locations are hosted with third parties until we have enough traffic in that location to justify racking our own server setup. To ensure redundancy, we host with multiple providers in each location. We have server locations in over forty countries. In all cases, our network nodes load over our encrypted network stack and run from ramdisk. Anyone taking control of the server would have no usable data on the disk. We run an algorithm to randomly reboot each server on a regular basis so we can clear the ramdisk.

SlickVPN website

OctaneVPN

1. No. We cannot locate an individual user by IP address and timestamp. There are no logs written to disk on our gateways.

The gateway servers keep the currently authenticated customers in the server’s RAM so they can properly connect and route incoming traffic to those customers. Obviously, if a server is powered down or restarted, the contents of the RAM are lost. We keep gateway performance data such as CPU loading, I/O rates and maximum simultaneous connections so that we can manage and optimize our network.

2. We operate two independent companies with different ownership structures – a network operations company and a marketing company. The network operations company operates out of Nevis. The marketing company operates under US jurisdiction and manages the website, customer accounts and support. The US company has no access to network operations and the Nevis company has no customer account data.

3. We are not in the business of monitoring customer traffic in any way. Spam emails were our biggest issue and early on we decided to prevent outgoing SMTP. Otherwise, the only other abuse tools we use are related to counting the number of active connections authenticated on an account to control account sharing issues. We use a NAT firewall on incoming connections to our gateways to add an extra layer of security for our customers.

4. No. We do use a service to send generic emails.

5. Due to the structure of our network operations company, it is unusual that we would receive a notice. There should be no cause for the marketing company to receive a notice. If we receive a DMCA notice or its equivalent based on activity that occurred in the past, we respond that we do not host any content and have no logs.

If we receive a DMCA notice based on very recent activity and the customer’s current VPN session during which it was generated is still active on the gateway, we may put the account on hold temporarily and notify the customer. No customer data is used to respond to DMCA notices.

6. Our customers’ privacy is a top priority for us. We would proceed with a court order with complete transparency. A court order would likely be based on an issue traced to a gateway server IP address and would, therefore, be received by our network operations company which is Nevis based. The validity of court orders from other countries would be difficult to enforce. The network company has no customer data.

Our marketing company is US based and would respond to an order issued by a court of competent jurisdiction. The marketing company does not have access to any data related to network operations or user activity, so there is not much information that a court order could reveal. This has not happened.

7. We are discussing internally and reviewing existing law related to how gag orders are issued to determine the best way to offer this measure of customer confidence.

8. Yes. We operate with network neutrality except for outgoing SMTP.

9. Bitcoin and other cryptocurrencies such as Darkcoin, Credit/Debit Card, and PayPal. If complete payment anonymity is desired, we suggest using Bitcoin, DarkCoin, or a gift/disposable credit card. Methods such as PayPal or Credit/Debit card are connected to an account token so that future renewal payments can be properly processed and credited. We allow customers to edit their account information. With our US/Nevis operating structure, customer payment systems information is separate from network operations.

10. We recommend using the AES-256-CBC cipher with OpenVPN, which is used with our client. IPSec is available for native Apple device support and PPTP is offered for other legacy devices, but OpenVPN offers the best security and speed and is our recommended protocol.

We provide both DNS and IP leak protection in our Windows and Mac OctaneVPN client. Our OpenVPN based client’s IP leak protection works by removing all routes except the VPN route from the device when the client has an active VPN connection. This is a better option than a ‘kill switch’ because our client ensures the VPN is active before it allows any data to leave the device, whereas a ‘kill switch’ typically monitors the connection periodically, and, if it detects a drop in the VPN connection, reacts.

11. Yes and we physically control them. You can choose others if you prefer.

12. In our more active gateway locations, we colocate. In locations with lower utilization, we normally host with third parties until volume at that location justifies a physical investment there. The hosted locations may have different providers based on geography. We operate gateways in over 44 countries and 90 cities. Upon booting, all our gateways load over our encrypted network from a master node and operate from encrypted ramdisk. If an entity took physical control of a gateway server, the ramdisk is encrypted and would vanish upon powering down.

OctaneVPN website
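The distinction drawn in OctaneVPN's answer 10, between removing non-VPN routes and a kill switch that reacts after a drop, can be checked against a routing table. The following is an added example, not code from the article or from any provider: it parses constructed Linux `ip route show` output and reports which interface a packet would use if the tunnel routes disappeared. The interface names, addresses and function names are assumptions, and only IPv4 main-table routes are modelled.

```python
import ipaddress

# Constructed sample: OpenVPN "redirect-gateway def1" style table. The two /1
# routes override the default route, but the original default via the physical
# NIC (eth0) is still present underneath.
DEF1_TABLE = """\
default via 192.168.1.1 dev eth0 proto dhcp metric 100
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.23
203.0.113.10 via 192.168.1.1 dev eth0
"""

# Constructed sample: same host after the physical default route was removed.
# Only the tunnel routes, the local subnet and the host route to the VPN
# server (203.0.113.10, needed to carry the encrypted packets) remain.
ROUTE_REMOVAL_TABLE = """\
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.23
203.0.113.10 via 192.168.1.1 dev eth0
"""


def parse_routes(text):
    """Return a list of (network, device) tuples from `ip route show` text."""
    routes = []
    for line in text.splitlines():
        tokens = line.split()
        # Skip blank lines and entries without an egress device
        # (for example blackhole or unreachable routes).
        if not tokens or "dev" not in tokens:
            continue
        dest = "0.0.0.0/0" if tokens[0] == "default" else tokens[0]
        network = ipaddress.ip_network(dest, strict=False)
        device = tokens[tokens.index("dev") + 1]
        routes.append((network, device))
    return routes


def egress_device(routes, destination):
    """Longest-prefix match: the device a packet to `destination` leaves by.

    Returns None when no route matches, which means the packet is dropped.
    Route metrics are ignored; the longest prefix wins.
    """
    addr = ipaddress.ip_address(destination)
    matches = [(net, dev) for net, dev in routes
               if net.version == addr.version and addr in net]
    if not matches:
        return None
    return max(matches, key=lambda route: route[0].prefixlen)[1]


def egress_after_tunnel_drop(routes, tunnel_dev, destination):
    """Simulate the tunnel interface going down (its routes are withdrawn)
    and report where traffic to `destination` would go next."""
    remaining = [(net, dev) for net, dev in routes if dev != tunnel_dev]
    return egress_device(remaining, destination)


if __name__ == "__main__":
    probe = "198.51.100.7"  # constructed public destination (TEST-NET-2)
    for name, table in (("def1", DEF1_TABLE),
                        ("route removal", ROUTE_REMOVAL_TABLE)):
        routes = parse_routes(table)
        up = egress_device(routes, probe)
        down = egress_after_tunnel_drop(routes, "tun0", probe)
        verdict = "fails closed" if down is None else f"leaks via {down}"
        print(f"{name}: tunnel up -> {up}; tunnel dropped -> {verdict}")
```

With the first table a dropped tunnel falls back to the physical default route until something notices and reacts; with the second there is no fallback route, so traffic stops without any monitoring loop.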

Source: TorrentFreak, for the latest info on copyright, file-sharing, torrent sites and anonymous VPN services.

TorrentFreak: Under U.S. Pressure, PayPal Nukes Mega For Encrypting Files

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

During September 2014, the Digital Citizens Alliance and Netnames teamed up to publish a brand new report. Titled ‘Behind The Cyberlocker Door: A Report How Shadowy Cyberlockers Use Credit Card Companies to Make Millions,’ it offered insight into the finances of some of the world’s most popular cyberlocker sites.

The report had its issues, however. While many of the sites covered might at best be considered dubious, the inclusion of Mega.co.nz – the most scrutinized file-hosting startup in history – was a real head scratcher. Mega conforms with all relevant laws and responds quickly whenever content owners need something removed. By any standard the company lives up to the requirements of the DMCA.

“We consider the report grossly untrue and highly defamatory of Mega,” Mega CEO Graham Gaylard told TF at the time. But now, just five months on, Mega’s inclusion in the report has come back to bite the company in a big way.

Speaking via email with TorrentFreak this morning, Gaylard highlighted the company’s latest battle, one which has seen the company become unable to process payments from customers. It’s all connected with the NetNames report and has even seen the direct involvement of a U.S. politician.

According to Mega, following the publication of the report last September, SOPA and PIPA proponent Senator Patrick Leahy (Vermont, Chair Senate Judiciary Committee) put Visa and MasterCard under pressure to stop providing payment services to the ‘rogue’ companies listed in the NetNames report.

Following Leahy’s intervention, Visa and MasterCard then pressured PayPal to cease providing payment processing services to MEGA. As a result, Mega is no longer able to process payments.

“It is very disappointing to say the least. PayPal has been under huge pressure,” Gaylard told TF.

The company did not go without a fight, however.

“MEGA provided extensive statistics and other evidence showing that MEGA’s business is legitimate and legally compliant. After discussions that appeared to satisfy PayPal’s queries, MEGA authorised PayPal to share that material with Visa and MasterCard. Eventually PayPal made a non-negotiable decision to immediately terminate services to MEGA,” the company explains.

What makes the situation more unusual is that PayPal reportedly apologized to Mega for its withdrawal while acknowledging that the company’s business is indeed legitimate.

However, PayPal also advised that Mega’s unique selling point – its end-to-end encryption – was a key concern for the processor.

“MEGA has demonstrated that it is as compliant with its legal obligations as USA cloud storage services operated by Google, Microsoft, Apple, Dropbox, Box, Spideroak etc, but PayPal has advised that MEGA’s ‘unique encryption model’ presents an insurmountable difficulty,” Mega explains.

As of now, Mega is unable to process payments but is working on finding a replacement. In the meantime the company is waiving all storage limits and will not suspend any accounts for non-payment. All accounts have had their subscriptions extended by two months, free of charge.

Mega indicates that it will ride out the storm and will not bow to pressure nor compromise the privacy of its users.

“MEGA supplies cloud storage services to more than 15 million registered customers in more than 200 countries. MEGA will not compromise its end-to-end user controlled encryption model and is proud to not be part of the USA business network that discriminates against legitimate international businesses,” the company concludes.

Source: TorrentFreak, for the latest info on copyright, file-sharing, torrent sites and anonymous VPN services.