Posts tagged ‘Privacy’

TorrentFreak: Dotcom Loses Bid to Keep Assets Secret from Hollywood

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

20th Century Fox, Disney, Paramount, Universal, Columbia Pictures and Warner Bros are engaged in a huge battle with Kim Dotcom.

They believe that legal action currently underway against the Megaupload founder could lead to them receiving a sizable damages award should they win their case. But Dotcom’s lavish lifestyle gives them concerns. The more he spends, the less they could receive should the money begin to run out.

Those concerns were addressed by the High Court’s Judge Courtney, who previously ordered Dotcom to disclose the details of his worldwide assets to his Hollywood adversaries. Dotcom filed an appeal which will be heard in October, but that date is beyond the ordered disclosure date.

As a result, Dotcom took his case to the Court of Appeal in the hope of staying the disclosure order.

That bid has now failed.

Dotcom’s legal team argued that their client’s October appeal would be rendered pointless if he were required to hand over financial information in advance. They also insisted a stay would not negatively affect the studios, since millions in assets are currently restrained in New Zealand and elsewhere.

However, as explained by the Court of Appeal, any decision to stay a judgment is a balancing act between the rights of the successful party (Hollywood) to enforce its judgment and the consequences for both parties should the stay be granted or denied.

While the Court agreed that Dotcom’s appeal would be rendered pointless if disclosure to Hollywood was ordered, it rejected the argument that this would have an effect on Dotcom.

“[T]he mere fact that appeal rights are rendered nugatory is not necessarily determinative and in the circumstances of this case I consider that this consequence carries little weight. This is because Mr Dotcom himself does not assert that there will be any adverse effect on him if deprived of an effective appeal,” the decision reads.

The Court also rejected the argument put forward by Dotcom’s lawyer that the disclosure of financial matters would be a threat to privacy and amounted to an “unreasonable search”.

The Court did, however, acknowledge that Dotcom’s appeal would deal with genuine issues. That said, the concern over him disposing of assets outweighed them in this instance.

In respect of the effect of a stay on the studios, the Court looked at potential damages in the studios’ legal action against the Megaupload founder. Dotcom’s expert predicted damages “well below” US$10m, while the studios’ expert predicted in excess of US$100m.

The Court noted that Dotcom has now revealed that his personal assets restrained in both New Zealand and Hong Kong are together worth “not less” than NZ$ 33.93 million (US$ 28.39m). However, all of Dotcom’s assets are subject to a potential claim from his estranged wife, Mona, so the Court judged Dotcom’s share to be around NZ$17m.

As a result, the Court accepted that there was an arguable case that eventual damages would exceed the value of the assets currently restrained in New Zealand.

Dotcom is therefore ordered to hand the details of his financial assets, “wherever they are located”, to the lawyers acting for the studios. There are restrictions on access to that information, however.

“The respondents’ solicitors are not to disclose the contents of the affidavit to any person without the leave of the Court,” the decision reads.

As legal proceedings in New Zealand continue, eyes now turn to Hong Kong. In addition to Dotcom’s personal wealth subject to the restraining order detailed above, an additional NZ$25m owned by Megaupload and Vestor Limited is frozen in Hong Kong. Next week Dotcom’s legal team will attempt to have the restraining order lifted.

Source: TorrentFreak, for the latest info on copyright, file-sharing and anonymous VPN services.

TorrentFreak: BTindex Exposes IP-Addresses of BitTorrent Users

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

Unless BitTorrent users are taking steps to hide their identities through the use of a VPN, proxy, or seedbox, their downloading habits are available for almost anyone to snoop on.

By design the BitTorrent protocol shares the location of any user in the swarm. After all, without knowing where to send the data nothing can be shared to begin with.

Despite this fairly common knowledge, even some experienced BitTorrent users can be shocked to learn that someone has been monitoring their activities, let alone that their sharing activity is being made public for the rest of the world to see.

Like it or not, this is exactly what the newly launched torrent search engine BTindex is doing.

Unlike most popular torrent sites BTindex adds new content by crawling BitTorrent’s DHT network. This is already quite unique as most other sites get their content from user uploads or other sites. However, the most controversial part without doubt is that the IP-addresses of BitTorrent users are being shared as well.

People who download a file from The Pirate Bay or any other torrent site expose their IP-addresses via the DHT network. BTindex records this information alongside the torrent metadata. The number of peers is displayed in the search results, and for each file a selection of IP-addresses is made available to the public.

The image below shows a selection of peers who shared a pirated copy of the movie “Transcendence,” this week’s most downloaded film.

Some IP-addresses sharing “Transcendence.”

Perhaps even more worrying to some, the site also gives an overview of all recorded downloads per IP-address. While the database is not exhaustive there is plenty of dirt to be found on heavy BitTorrent users who have DHT enabled in their clients.

Below is an example of the files that were shared via the IP-address of a popular VPN provider.

Files shared by the IP-address of a popular VPN provider

Since all data is collected through the DHT network people can avoid being tracked by disabling this feature in their BitTorrent clients. Unfortunately, that only gives a false sense of security as there are plenty of other monitoring firms who track people by gathering IP-addresses directly from the trackers.

The idea to index and expose IP-addresses of public BitTorrent users is not entirely new. In 2011 YouHaveDownloaded did something similar. This site generated considerable interest but was shut down a few months after its launch.

If anything, these sites should act as a wake-up call to people who regularly share files via BitTorrent without countermeasures. Depending on the type of files being shared, a mention on BTindex is probably the least of their worries.


TorrentFreak: The Copyright Monopoly Should Be Dead And Buried Already

This post was syndicated from: TorrentFreak and was written by: Rick Falkvinge. Original post: at TorrentFreak

Every time somebody questions the copyright monopoly, and in particular, whether it’s reasonable to dismantle freedom of the press, freedom of assembly, freedom of speech, freedom of information, and the privacy of correspondence just to maintain a distribution monopoly for an entertainment industry, the same question pops up out of nowhere:

“How will the artists get paid?”.

The copyright industry has been absolutely phenomenal in misleading the public in this very simple matter, suggesting that artists’ income somehow depends on a distribution monopoly of publishers. If the facts were out, this debate would have been over 20 years ago and the distribution monopoly already abolished quite unceremoniously.

There are three facts that need to be established and hammered in whenever somebody asks this question.

First: Less than one percent of artists’ income comes from the copyright monopoly. Read that sentence again. The overwhelming majority of artists get their income today from student loans, day jobs, unemployment benefits, and so on and so forth. One of the most recent studies (“Copyright as Incentive”, in Swedish as “Upphovsrätten som incitament”, 2006) quotes a number of 0.9 per cent as the average income share of artists that can be directly attributed to the existence of the copyright monopoly. The report calls the direct share of artists’ income “negligible”, “insignificant”. However, close to one hundred per cent of publishers’ income – the income of unnecessary, parasitic middlemen – is directly attributable to the copyright monopoly today. Guess who’s adamant about defending it? Hint: not artists.

Second: 99.99% of artists never see a cent in copyright monopoly royalties. Apart from the copyright industry’s creative accounting and bookkeeping – arguably the only reason they ever had to call themselves the “creative industry” – which usually robs artists blind, only one in ten thousand artists ever see a cent in copyright-monopoly-related royalties. Yes, this is a real number: 99% of artists are never signed with a label, and of those who are, 99% of those never see royalties. It comes across as patently absurd to defend a monopolistic, parasitic system where only one in ten thousand artists make any money with the argument “how will the artists make money any other way?”.

Third: Artists’ income has more than doubled because of culture-sharing. Since the advent of hobby-scale unlicensed manufacturing – which is what culture-sharing is legally, since it breaks a manufacturing monopoly on copies – the average income for musicians has risen 114%, according to a Norwegian study. Numbers from Sweden and the UK show the same thing. This shift in income has a direct correlation to hobby-based unlicensed manufacturing, as the sales of copies is down the drain – which is the best news imaginable for artists, since households are spending as much money on culture as before (or more, according to some studies), but are buying in sales channels where artists get a much larger piece of the pie. Hobby-based unlicensed manufacturing has meant the greatest wealth transfer from parasitic middlemen to artists in the history of recorded music.

As a final note, it should be told that even if artists went bankrupt because of sustained civil liberties, that would still be the way to go. Any artist that goes from plinking their guitar in the kitchen to wanting to sell an offering is no longer an artist, but an entrepreneur; the same rules apply to them as to every other entrepreneur on the planet. Specifically, they do not get to dismantle civil liberties because such liberties are bad for business. But as we see, we don’t even need to take that into consideration, for the entire initial premise is false.

Kill copyright, already. Get rid of it. It hurts innovation, creativity, our next-generation industries, and our hard-won civil liberties. It’s not even economically defensible.

About The Author

Rick Falkvinge is a regular columnist on TorrentFreak, sharing his thoughts every other week. He is the founder of the Swedish and first Pirate Party, a whisky aficionado, and a low-altitude motorcycle pilot. His blog at falkvinge.net focuses on information policy.



Linux How-Tos and Linux Tutorials: How to Set up Server-to-Server Sharing in ownCloud 7 on Linux

This post was syndicated from: Linux How-Tos and Linux Tutorials and was written by: Carla Schroder. Original post: at Linux How-Tos and Linux Tutorials

Most of the buzz around The Cloud is devoted to commercial services such as Google’s online apps, Amazon’s cloud services, and tablets and smartphones that are shortchanged on storage because they want to suck you into commercial cloud services. While commercial cloud services can be convenient, they also have well-known downsides like service outages, and lack of privacy and security. If you live within reach of government snoop agencies (like anywhere on planet Earth), or are subject to laws such as the Sarbanes-Oxley Act (SOX) or Health Insurance Portability and Accountability Act (HIPAA), then you need to keep your data under your control. Which I think is the wisest policy in any case.

ownCloud is the friendliest and easiest private cloud implementation to set up and use. ownCloud 7 was released last week, and this is the most interesting release yet. It is more polished and robust, easier to administer, and the killer feature in this version is server-to-server sharing. This lets you easily connect your ownCloud file shares and build your own private cloud of clouds. And then, someday, rule the world. Or, just share files.

Installing ownCloud

ownCloud is nicely documented, which is nearly all I need to love it. Imagine a software product that actually wants you to be able to use it; an astonishing concept, to be sure. There are multiple installation methods documented in the ownCloud Administrators Manual, including a detailed how-to on installing it from scratch. The nice ownCloud peoples use the openSUSE Build Service to build binary packages for Ubuntu, CentOS, Debian, Fedora, openSUSE, Red Hat, and SUSE, which is what I use. This is how I installed it on my test Ubuntu 14.04 server.

First fetch and install the GPG signing key for the openSUSE repository for your Linux distribution. Note that each command must be one unbroken line, with no newlines:

$ wget http://download.opensuse.org/repositories/isv:ownCloud:community/xUbuntu_14.04/Release.key
$ sudo apt-key add - < Release.key

Now add the repository, update your package list, and install ownCloud:

$ sudo sh -c "echo 'deb http://download.opensuse.org/repositories/isv:/ownCloud:/community/xUbuntu_14.04/ /' >> /etc/apt/sources.list.d/owncloud.list"
$ sudo apt-get update
$ sudo apt-get install owncloud

Figure 1: Create the admin login on ownCloud

If you don’t already have a LAMP stack installed, the installer will pull it in for you. When installation is complete open a Web browser to http://localhost/owncloud, and you will see the nice blue ownCloud installation wizard. Your first task is to create an admin user, as in figure 1. Click the eyeball to expose your password, which you’ll probably want to do so you know what you typed.

Next, you have some database options. If you go with the default SQLite you don’t have to do anything except click the Finish Setup button. SQLite is fine for lightweight duties, but if you have busier and larger workloads then use MariaDB, MySQL, or PostgreSQL. The wizard displays a button with these databases whether they are installed or not, so make sure the one you want is already installed, and you have an administrator login. I chose MySQL/MariaDB (Ubuntu defaults to MariaDB). You can give your new database any name you want and the installer will create it (figure 2). You must also pass in your database administrator login.

Figure 2: Database setup

And that’s it. You’re done. ownCloud 7 is installed. Click the Finish Setup button and you’ll be greeted with a cheery “Welcome to ownCloud!” banner, with links to client apps for desktop computers, Android devices, and iDevices. ownCloud supports multiple clients: you can use a Web browser on any platform, or download client apps for more functionality such as synchronization and nicer file, contacts, and calendar management.

Setting up Server-to-Server Sharing

And now, the moment you’ve been waiting for: setting up server-to-server sharing. This works only with ownCloud servers that have this feature, which at the moment is ownCloud 7. You need two ownCloud 7 servers to test this.

Before you can share anything, you need to set your server’s hostname as a trusted ownCloud server domain. Look for this section in /var/www/owncloud/config/config.php:

'trusted_domains' => 
  array (
    0 => 'localhost', 
 ),

/var/www/owncloud/config/config.php is created by the installation wizard. See /var/www/owncloud/config/config.sample.php to see a complete list of options.

By default your ownCloud server only lets you access the server via domains that are listed as trusted domains in this file. Only localhost is listed by default. My server hostname is studio, so if I try to log into ownCloud via http://studio/owncloud I get an error message: “You are accessing the server from an untrusted domain.” This example allows connections via localhost, hostname, and IP address:

'trusted_domains' =>
  array (
    0 => 'localhost',
    1 => 'studio',
    2 => '192.168.1.50',
  ),

If you forget to create and use these trusted domains, you won’t be able to set up network file shares.

Next, go to your ownCloud administration page, which you can find by clicking the little arrow next to your username at the top right, and click Admin. Make sure that Remote Shares are enabled (figure 3).

Figure 3: Remote Shares setting on the Admin page

There is one more important step, and that is to enable mod_rewrite on Apache, and then restart it. This is what you do on Ubuntu:

$ sudo a2enmod rewrite
$ sudo service apache2 restart

If you don’t do this, your share will fail with a message like “Sabre\DAV\Exception\NotAuthenticated: No basic authentication headers were found” in your ownCloud server log.

Figure 4: Share link on the studio ownCloud server

Now you must log into either http://hostname/owncloud, or http://ip-address/owncloud. Create a new directory and stuff a few files into it. Then click on Share. Click the Share Link checkbox, and it creates a nice URL like http://studio/owncloud/public.php?service=files&t=6b6fa9a714a32ef0af8a83dde358deec (figure 4). Remember that bit about trusted domains? If you forget to connect to your ownCloud server with them, and instead use http://localhost/owncloud, the share URL will also be http://localhost/. Which is no good for sharing.
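As an added check (example code, not part of the article or of ownCloud itself), this Python script pulls the trusted_domains array out of a config.php, reports which of the hostnames you intend to connect through are missing, and classifies the host in a generated share link the way the text describes: a host not in trusted_domains is refused, and a localhost link is useless to another server. The config text is a constructed sample modelled on the snippets above.

```python
import re
from urllib.parse import urlsplit

# Constructed sample of the trusted_domains block the installation wizard
# writes into /var/www/owncloud/config/config.php (not a real file).
SAMPLE_CONFIG = """<?php
$CONFIG = array (
  'instanceid' => 'oc-example',
  'trusted_domains' =>
  array (
    0 => 'localhost',
    1 => 'studio',
  ),
  'datadirectory' => '/var/www/owncloud/data',
);
"""

# Hosts that never yield a share link another server can reach.
LOCAL_ONLY = {"localhost", "127.0.0.1", "::1"}


def parse_trusted_domains(config_text):
    """Return the hosts listed in the 'trusted_domains' array of a config.php."""
    block = re.search(r"'trusted_domains'\s*=>\s*array\s*\((.*?)\)\s*,",
                      config_text, re.S)
    if not block:
        return []
    return re.findall(r"\d+\s*=>\s*'([^']+)'", block.group(1))


def missing_domains(config_text, wanted):
    """Hostnames/IPs you plan to connect through that config.php does not trust."""
    trusted = set(parse_trusted_domains(config_text))
    return [h for h in wanted if h not in trusted]


def classify_share_url(share_url, trusted):
    """Mirror the two failure modes the article describes for a share link.

    'untrusted'  -> host is not in trusted_domains; ownCloud refuses the request
    'local_only' -> trusted, but a localhost link cannot be used by a remote server
    'ok'         -> usable as the target of Add to your ownCloud
    """
    host = urlsplit(share_url).hostname
    if host is None or host not in trusted:
        return "untrusted"
    if host in LOCAL_ONLY:
        return "local_only"
    return "ok"


if __name__ == "__main__":
    trusted = parse_trusted_domains(SAMPLE_CONFIG)
    print("trusted_domains:", trusted)
    print("missing:", missing_domains(SAMPLE_CONFIG,
                                      ["localhost", "studio", "192.168.1.50"]))
    for url in ("http://studio/owncloud/public.php?service=files&t=CONSTRUCTED",
                "http://localhost/owncloud/public.php?service=files&t=CONSTRUCTED",
                "http://192.168.1.50/owncloud/public.php?service=files&t=CONSTRUCTED"):
        print(url, "->", classify_share_url(url, trusted))
```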

You can optionally set a password on this share, an expiration date, allow uploads, and send an email notification. Configuring ownCloud to send emails requires a bit of configuration, so please consult the fine Administrator’s manual to learn how to do this.

Connecting to a New Share

The easy way to test connecting to a new share is to open a second browser tab on your first ownCloud server. Copy the share link into this tab, and it will open to your share. Then click the Add to your ownCloud button (figure 5), and enter the address of your second ownCloud server. In my test lab that is stinkpad/owncloud.

Figure 5: Add to your ownCloud

If you’re not already logged in you’ll get the login page. After logging in you’ll be asked if you want to add the remote share. Click Add Remote Share, and you’re done (figure 6).

Figure 6: Add Remote Share on ownCloud

Congratulations. You have linked two ownCloud servers, and now that the grotty setup work is done, creating more is just a few easy mouse clicks.

TorrentFreak: Bleep… BitTorrent Unveils Serverless & Encrypted Chat Client

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

bleepEncrypted Internet traffic surged worldwide after the Snowden revelations, with several developers releasing new tools to enable people to better protect their privacy.

Today BitTorrent Inc. contributes with the release of BitTorrent Bleep, a communication tool that allows people to exchange information without the need for any central servers. Combined with state of the art end-to-end encryption, the company sees Bleep as the ideal tool to evade government snooping.

Bleep’s main advantage over some other encrypted messaging applications is the absence of central servers. This means that no logs are stored; all metadata travels through other peers in the network.

“Many messaging apps are advertising privacy and security by offering end-to-end encryption for messages. But when it comes to handling metadata, they are still leaving their users exposed,” BitTorrent’s Farid Fadaie explains.

“We reimagined how modern messaging should work. Our platform enables us to offer features in Bleep that are unique and meaningfully different from what is currently available.”


The application’s development is still in the early stages and the current release only works on Windows 7 and 8. Support for other operating systems including popular mobile platforms will follow in the future.

Aspiring Bleep users can create an account via an email or mobile phone number, but an incognito mode without the need to provide any personal details is also supported.

The new messaging app is not the only ‘breach safe’ tool the company is currently working on. Last year BitTorrent launched its Sync application which provides a secure alternative to centralized cloud backup solutions such as Dropbox and Google Drive.

BitTorrent Inc. is inviting people to test the new Bleep application, but warns there are still some bugs.

Those who want to give BitTorrent Bleep a try can head over to BitTorrent’s experiments section to sign up for the pre-Alpha release.


The Hacker Factor Blog: A Victory for Fair Use

This post was syndicated from: The Hacker Factor Blog and was written by: The Hacker Factor Blog. Original post: at The Hacker Factor Blog

Last week I reported on a copyright infringement letter that I had received from Getty Images. The extremely hostile letter claimed that I was using a picture in violation of their copyright, ordered me to “cease and desist” using the picture, and demanded that I pay $475 in damages. Various outlets have referred to this letter as trolling and extortion.

Not being an attorney, I contacted my good friend, Mark D. Rasch. Mark is a well-known attorney in the computer security world. Mark headed the United States Department of Justice Computer Crime Unit for nine years and prosecuted cases ranging from computer crime and fraud to digital trespassing and viruses. If you’re old enough, then you remember the Hanover Hackers mentioned in The Cuckoo’s Egg, Robert Morris Jr. (first Internet worm), and Kevin Mitnick — Mark worked all of those prosecutions. He regularly speaks at conferences, appears in news interviews, and has taught cyberlaw to law enforcement and big universities. (If I were a big company looking for a chief privacy officer, I would hire him in a second.)

This letter from Getty had me concerned. But I can honestly say that, in the 12 years that I’ve known him, I have never seen Mark so animated about an issue. I have only ever seen him as a friendly guy who gives extremely informative advice. This time, I saw a side of Mark that I, as a friend, have never experienced. I would never want to be on the other side of the table from him. And even being on the same side was really intimidating. (Another friend told me that Mark has a reputation for being an aggressive bulldog. And this was my first time seeing his teeth.) His first advice to me was very straightforward. He said, “You have three options. One, do nothing. Two, send back a letter, and three, sue them.” Neither of us was fond of option #1. After a little discussion, I decided to do option #2 and prepare for #3.

First I sent the response letter. Then I took Mark’s advice and began to prepare for a lawsuit. Mark wanted me to take the initiative and file for a “Copyright Declaratory Judgment”. (Don’t wait for Getty.) In effect, I wanted the court to declare my use to be Fair Use.

Getty’s Reply

I honestly expected one of three outcomes from my response letter to Getty Images. Either (A) Getty would do nothing, in which case I would file for the Declaratory Judgment, or (B) Getty would respond with their escalation letter, demanding more money (in which case I would still file for the Declaratory Judgment), or (C) Getty would outright sue me, in which case I would respond however my attorney advised.

But that isn’t what happened. Remarkably, Getty backed down! Here’s the letter that they sent me (I’m only censoring email addresses):

From: License Compliance
To: Dr. Neal Krawetz
Subject: [371842247 Hacker Factor ]
Date: Tue, 22 Jul 2014 20:51:13 +0000

Dr. Krawetz:

We have reviewed your email and website and are taking no further action. Please disregard the offer letter that has been presented in this case. If you have any further questions or concerns, please do not hesitate to contact us.

Nancy Monson
Copyright Compliance Specialist
Getty Images Headquarters
605 Fifth Avenue South, Suite 400
Seattle WA 98104 USA
Phone 1 206 925 6125
Fax 1 206 925 5001
[redacted]@gettyimages.com

For more information about the Getty Images License Compliance Program, please visit http://company.gettyimages.com/license-compliance

Helpful information about image copyright rules and how to license stock photos is located at www.stockphotorights.com and Copyright 101.

Getty Images is leading the way in creating a more visual world. Our new embed feature makes it easy, legal, and free for anybody to share some of our images on websites, blogs, and social media platforms.
http://www.gettyimages.com/Creative/Frontdoor/embed

(c)2014 Getty Images, Inc.

PRIVILEGED AND CONFIDENTIAL
This message may contain privileged or confidential information and is intended only for the individual named. If you are not the named addressee or an employee or agent responsible for delivering this message to the intended recipient you should not disseminate, distribute or copy this e-mail or any attachments hereto. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail and any attachments from your system without copying or disclosing the contents. E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. The sender therefore does not accept liability for any errors or omissions in the contents of this message, which arise as a result of e-mail transmission. If verification is required please request a hard-copy version. Getty Images, 605 5th Avenue South, Suite 400. Seattle WA 98104 USA, www.gettyimages.com. PLEASE NOTE that all incoming e-mails will be automatically scanned by us and by an external service provider to eliminate unsolicited promotional e-mails (“spam”). This could result in deletion of a legitimate e-mail before it is read by its intended recipient at our firm. Please tell us if you have concerns about this automatic filtering.

Mark Rasch also pointed out that Getty explicitly copyrighted their email to me. However, the same Fair Use that permits me to use their pictures also permits me to post their entire email message. And that whole “PRIVILEGED AND CONFIDENTIAL” paragraph? That’s garbage and can be ignored because I never agreed to their terms.

Findings

In preparing to file the Copyright Declaratory Judgment, I performed my due diligence by checking web logs and related files for information pertaining to this case. And since Getty has recanted, I am making some of my findings public.

Automated Filing
First, notice how Getty’s second letter says “We have reviewed your email and website…” This clearly shows up in my web logs. Among other things, people at Getty are the only (non-bot) visitors to access my site via “nealkrawetz.org” — everyone else uses “hackerfactor.com”. In each case, the Getty users initially went directly to my “In The Flesh” blog entry (showing that they were not searching or just browsing my site.) Their automated violation bot also used nealkrawetz.org. The big catch is that nobody at Getty ever reviewed “In The Flesh” prior to mailing their extortion letter.

In fact, I can see exactly when their bot visited my web site. Here are all of my logs related to their bot:

2014-06-08 23:41:44 | 14.102.40.242 | Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0 | GET / | http://ops.picscout.com/QcApp/Classification/Index/371654690
2014-06-08 23:41:44 | 14.102.40.242 | Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0 | GET / | http://ops.picscout.com/QcApp/Classification/Index/371654690
2014-06-09 21:08:00 | 14.102.40.242 | Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0 | GET / | http://ops.picscout.com/QcApp/Classification/Index/371654690
2014-06-09 21:08:00 | 14.102.40.242 | Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0 | GET / | http://ops.picscout.com/QcApp/Classification/Index/371654690
2014-06-14 23:05:36 | 109.67.106.4 | Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0 | GET / | http://ops.picscout.com/QcApp/Classification/Index/371842247
2014-06-14 23:05:36 | 109.67.106.4 | Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0 | GET / | http://ops.picscout.com/QcApp/Classification/Index/371842247
2014-06-14 23:05:44 | 109.67.106.4 | Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0 | GET /blog/index.php?/archives/423-In-The-Flesh.html | http://ops.picscout.com/QcApp/PreReport/Index/371842247?normalFlow=True
2014-06-14 23:06:39 | 109.67.106.4 | Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0 | GET /blog/index.php?/categories/18-Phones | http://ops.picscout.com/QcApp/Infringer/Index/371842247
2014-06-16 05:35:47 | 95.35.10.33 | Mozilla/5.0 (Windows NT 6.1; rv:29.0) Gecko/20100101 Firefox/29.0 | GET / | http://ops.picscout.com/QcApp/Classification/Index/371842247
2014-06-16 05:35:47 | 95.35.10.33 | Mozilla/5.0 (Windows NT 6.1; rv:29.0) Gecko/20100101 Firefox/29.0 | GET / | http://ops.picscout.com/QcApp/Classification/Index/371842247

This listing shows:

  • The date/time (in PST)
  • The bot’s IP address (two in Israel and one in India; none from the United States)
  • The user-agent string sent by the bot
  • Where they went — they mostly went to “/” (my homepage), but there is exactly one that went to “/blog/index.php?/archives/423-In-The-Flesh.html”. That’s when they compiled their complaint.
  • The “Referer” string, showing what they clicked in order to get to my site. Notice how their accesses are associated with a couple of complaint numbers. “371842247” is the number associated with their extortion letter. However, “371654690” appears to be a second potential complaint.

Getty’s complaint has a very specific timestamp on the letter. It doesn’t just have a date. Instead, it says “7/10/2014 11:05:05am” — a very specific time. The clocks may be off by a few seconds, but that “11:05” matches my log file — it is off by exactly 12 hours. (The letter is timestamped 11:05am, and my logs recorded 11:05pm.) This shows that the entire filing process is automated.

When I use my bank’s online bill-pay system, it asks me when I want to have the letter delivered. Within the United States, it usually means mailing the letter four days earlier. I believe that Getty did the exact same thing. They scanned my web site and then mailed their letter so it would be delivered exactly one-month later, and dated the letter 4 days 12 hours before delivery.

Getty’s automated PicScout system is definitely a poorly-behaved web bot. At no time did Getty’s PicScout system retrieve my robots.txt file, showing that it fails to abide by Internet standards. I am also certain that this was a bot since a human’s web browser would have downloaded my blog’s CSS style sheet. (PicScout only downloaded the web page.)
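To make the reasoning above repeatable over a whole log, here is an added Python example (mine, not from the post) that parses lines in the format of the listing, groups requests per client address, pulls the complaint number out of PicScout-style referers, and flags clients that fetched neither robots.txt nor a stylesheet. The sample log is constructed: three lines copied from the listing above plus three invented lines for an ordinary browser from a TEST-NET address, with a made-up stylesheet path.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample in the post's log layout:
#   date time | client IP | User-Agent | METHOD path | Referer
# Lines 1-3 are copied from the listing in the post; lines 4-6 are invented
# to model an ordinary browser session (198.51.100.7 is a TEST-NET-2 address
# and /blog/style.css is a made-up path).
SAMPLE_LOG = """\
2014-06-14 23:05:36 | 109.67.106.4 | Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0 | GET / | http://ops.picscout.com/QcApp/Classification/Index/371842247
2014-06-14 23:05:44 | 109.67.106.4 | Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0 | GET /blog/index.php?/archives/423-In-The-Flesh.html | http://ops.picscout.com/QcApp/PreReport/Index/371842247?normalFlow=True
2014-06-16 05:35:47 | 95.35.10.33 | Mozilla/5.0 (Windows NT 6.1; rv:29.0) Gecko/20100101 Firefox/29.0 | GET / | http://ops.picscout.com/QcApp/Classification/Index/371842247
2014-06-15 10:12:01 | 198.51.100.7 | Mozilla/5.0 (X11; Linux x86_64; rv:30.0) Gecko/20100101 Firefox/30.0 | GET /robots.txt | -
2014-06-15 10:12:02 | 198.51.100.7 | Mozilla/5.0 (X11; Linux x86_64; rv:30.0) Gecko/20100101 Firefox/30.0 | GET /blog/index.php?/archives/423-In-The-Flesh.html | -
2014-06-15 10:12:03 | 198.51.100.7 | Mozilla/5.0 (X11; Linux x86_64; rv:30.0) Gecko/20100101 Firefox/30.0 | GET /blog/style.css | http://www.hackerfactor.com/blog/index.php?/archives/423-In-The-Flesh.html
"""

# The PicScout referers in the post carry the complaint number as the last
# path element (…/QcApp/<Stage>/Index/<number>).
COMPLAINT_RE = re.compile(r"/QcApp/\w+/Index/(\d+)")


def parse_line(line):
    """Split one pipe-delimited log line into a dict, or None if malformed."""
    parts = [p.strip() for p in line.split(" | ")]
    if len(parts) != 5:
        return None
    when, ip, ua, request, referer = parts
    method, _, path = request.partition(" ")
    return {"when": when, "ip": ip, "ua": ua, "method": method,
            "path": path, "referer": referer}


def new_profile():
    return {"hits": 0, "robots_txt": False, "stylesheet": False,
            "referer_hosts": set(), "complaint_ids": set()}


def profile_clients(log_text):
    """Aggregate per-IP behaviour: whether it ever fetched robots.txt or a
    .css file, which referer hosts sent it, and which complaint numbers
    appear in those referers."""
    profiles = defaultdict(new_profile)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        prof = profiles[rec["ip"]]
        prof["hits"] += 1
        if rec["path"] == "/robots.txt":
            prof["robots_txt"] = True
        if rec["path"].lower().endswith(".css"):
            prof["stylesheet"] = True
        if rec["referer"] != "-":
            host = urlsplit(rec["referer"]).hostname
            if host:
                prof["referer_hosts"].add(host)
            m = COMPLAINT_RE.search(rec["referer"])
            if m:
                prof["complaint_ids"].add(m.group(1))
    return dict(profiles)


def likely_bots(profiles):
    """The post's test: a polite crawler reads robots.txt and a real browser
    pulls the page's stylesheet. A client that does neither is a badly
    behaved bot (or a scripted fetch presenting a browser User-Agent)."""
    return sorted(ip for ip, p in profiles.items()
                  if not p["robots_txt"] and not p["stylesheet"])


if __name__ == "__main__":
    profiles = profile_clients(SAMPLE_LOG)
    for ip in likely_bots(profiles):
        p = profiles[ip]
        print(ip, "hits=%d" % p["hits"],
              "referers=%s" % sorted(p["referer_hosts"]),
              "complaints=%s" % sorted(p["complaint_ids"]))
```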

Failure to perform due diligence
I want to emphasize that there are no other accesses to that blog entry by any address associated with Getty within months before their complaint. As of this year (from January 2014 to July 23, 2014), people at Getty have only visited the “In The Flesh” web page 13 times: once by the PicScout bot, and 12 times after they received my reply letter. This shows that Getty never viewed the web page prior to sending their letter. In effect, their “infringement” letter is nothing more than trolling and an attempt to extort money. They sent the letter without ever looking at the context in which the picture is used.

My claim that Getty never manually reviewed my web site prior to mailing is also supported by their second letter, where they recanted their claim of copyright infringement. Having actually looked at my blog, they realized that it was Fair Use.

My web logs are not my only proof that no human at Getty viewed the blog page in the months prior to sending the complaint. Getty’s threatening letter mentions only one single picture that is clearly labeled with Getty’s ImageBank watermark. However, if any human had visited the web page, then they would have seen FOUR pictures that are clearly associated with Getty, and all four pictures were adjacent on the web page! The four pictures are:

The first picture clearly says “GettyImages” in the top left corner. The second picture (from their complaint) is watermarked with Getty’s ImageBank logo. The third and fourth pictures come from Getty’s iStockPhoto service. Each photo was properly used as part of the research results in that blog entry. (And right now, they are properly used in the research findings of this blog entry.)

After Getty received my reply letter, they began to visit the “In The Flesh” URL from 216.169.250.12 — Getty’s corporate outbound web proxy address. Based on the reasonable assumption that different browser user-agent strings indicate different people, I observed them repeatedly visiting my site in groups of 3-5 people. Most of them initially visited the “In The Flesh” page at nealkrawetz.org; a few users visited my “About Me” and “Services” web pages. I am very confident that these indicate their attorneys reviewing my reply letter and web site. This is the absolute minimum evaluation that Getty should have done before sending their extortion letter.
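The log checks described above (a crawler that fetches the page but never robots.txt or the style sheet, one proxy address presenting several browser user agents, and the 12-hour offset between the letter's timestamp and the log entry), as an added Python example that is not part of the original post. The Apache combined-format log lines, IP addresses, user agents and the nine-digit case-ID heuristic are all constructed assumptions.

```python
"""Bot-vs-browser heuristics over Apache combined-format access log lines.

Added example, not code from the original post. Every log line below is
constructed; addresses come from the RFC 5737 documentation ranges.
"""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List

# Apache "combined" format:
#   ip ident user [time] "METHOD path PROTO" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumption: the scanner's Referer carries a nine-digit case number, like the
# complaint numbers in the post. Adjust for the tracking format you actually see.
CASE_ID_RE = re.compile(r"\b\d{9}\b")

# Constructed sample: one impolite scanner, one polite crawler, and one corporate
# proxy address behind which two different browsers (people) read the page.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Jul/2014:23:05:05 -0600] "GET /blog/in-the-flesh.html HTTP/1.1" 200 18231 "http://scanner.example/case?ref=371842247" "ImageScanBot/1.0 (constructed)"
198.51.100.8 - - [11/Jul/2014:02:10:00 -0600] "GET /robots.txt HTTP/1.1" 200 58 "-" "PoliteBot/2.0 (constructed)"
198.51.100.8 - - [11/Jul/2014:02:10:01 -0600] "GET /blog/in-the-flesh.html HTTP/1.1" 200 18231 "-" "PoliteBot/2.0 (constructed)"
203.0.113.9 - - [23/Jul/2014:09:12:02 -0600] "GET /blog/in-the-flesh.html HTTP/1.1" 200 18231 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/30.0"
203.0.113.9 - - [23/Jul/2014:09:12:02 -0600] "GET /blog/style.css HTTP/1.1" 200 4413 "http://example.org/blog/in-the-flesh.html" "Mozilla/5.0 (Windows NT 6.1) Firefox/30.0"
203.0.113.9 - - [23/Jul/2014:09:15:40 -0600] "GET /blog/in-the-flesh.html HTTP/1.1" 200 18231 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9) Safari/537.36"
203.0.113.9 - - [23/Jul/2014:09:15:41 -0600] "GET /blog/style.css HTTP/1.1" 200 4413 "http://example.org/blog/in-the-flesh.html" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9) Safari/537.36"
203.0.113.9 - - [23/Jul/2014:09:16:10 -0600] "GET /about.html HTTP/1.1" 200 3320 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/30.0"
"""


def parse_log(text: str) -> List[dict]:
    """Parse combined-format lines into dicts; malformed lines are skipped."""
    return [m.groupdict() for m in map(LOG_RE.match, text.splitlines()) if m]


def profile_clients(entries: List[dict]) -> Dict[str, dict]:
    """Aggregate, per client IP, the counters the classification relies on."""
    profiles: Dict[str, dict] = defaultdict(lambda: {
        "html": 0, "css": 0, "robots": 0,
        "user_agents": set(), "paths": set(), "case_ids": set(),
    })
    for e in entries:
        p = profiles[e["ip"]]
        path = e["path"].split("?", 1)[0]          # drop the query string
        p["paths"].add(path)
        p["user_agents"].add(e["ua"])
        if path == "/robots.txt":
            p["robots"] += 1
        elif path.endswith(".css"):
            p["css"] += 1
        elif path.endswith((".html", ".php", "/")):
            p["html"] += 1
        p["case_ids"].update(CASE_ID_RE.findall(e["referer"]))
    return dict(profiles)


def classify(profile: dict) -> str:
    """Apply the post's reasoning: browsers pull the CSS, bots do not, and a
    well-behaved bot asks for robots.txt first. Several user agents behind one
    address that does fetch CSS are treated as several people on a proxy."""
    if profile["css"] > 0:
        n = len(profile["user_agents"])
        return "browser" if n == 1 else f"shared proxy (~{n} users)"
    if profile["html"] > 0 and profile["robots"] == 0:
        return "poorly-behaved bot"
    if profile["html"] > 0:
        return "well-behaved bot"
    return "unknown"


def letter_offset_hours(letter_stamp: str, log_stamp: str) -> float:
    """Hours from the log event to the letter's printed timestamp. Both are read
    as local wall-clock time; the log's timezone suffix is ignored."""
    letter = datetime.strptime(letter_stamp.upper(), "%m/%d/%Y %I:%M:%S%p")
    log = datetime.strptime(log_stamp.split(" ")[0], "%d/%b/%Y:%H:%M:%S")
    return (letter - log).total_seconds() / 3600


def report(text: str) -> Dict[str, str]:
    """Map each client IP in the log text to its classification."""
    return {ip: classify(p) for ip, p in profile_clients(parse_log(text)).items()}


if __name__ == "__main__":
    for ip, verdict in report(SAMPLE_LOG).items():
        print(f"{ip:15} {verdict}")
    # Letter stamped 11:05:05am, log entry at 23:05:05 the same day: -12.0 hours
    print(letter_offset_hours("7/10/2014 11:05:05am", "10/Jul/2014:23:05:05 -0600"))
```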

Legal Issues
Besides pointing out how my blog entry clearly falls under Fair Use, my attorney noted a number of items that I (as a non-lawyer) didn’t see. For example:

  • In Getty’s initial copyright complaint, they assert that they own the copyright. However, the burden of proof is on Getty Images. Getty provided no proof that they are the actual copyright holder, that they acquired the rights legally from the photographer, that they never transferred rights to anyone else, that they had a model release letter from the woman in the photo, that the picture was never made public domain, and that the copyright had not expired. In effect, they never showed that they actually have the copyright.

  • Getty’s complaint letter claims that they have searched their records and found no license for me to use that photo. However, they provided no proof that they ever searched their records. At minimum, during discovery I would demand a copy of all of their records so that I could confirm their findings and proof of their search. (Remember, the burden of proof is on Getty, not on me.) In addition, I have found public comments that explicitly identify people with valid licenses who reported receiving these hostile letters from Getty. This brings up the entire issue regarding how Getty maintains and searches their records.
  • Assuming some kind of violation (and I am not admitting any wrong here), there is a three-year statute of limitations regarding copyright infringement. My blog entry was posted on March 18, 2011. In contrast, their complaint letter was dated July 10, 2014 — that is more than three years after the pictures were posted on my site.

Known Research
Copyright law permits Fair Use for many purposes, including “research”. Even Getty’s own FAQ explicitly mentions “research” as an acceptable form of Fair Use. The question then becomes: am I a researcher and does my blog report on research? (Among other things, this goes toward my background section in the Copyright Declaratory Judgment filing.)

As it turns out, my web logs are extremely telling. I can see each time anyone at any network address associated with Getty Images visits my site. For most of my blog entries, I either get no Getty visitors or a few visitors. However, each time I post an in-depth research entry on digital photo forensics, I see large groups of people at Getty visiting the blog entry. I can even see when one Getty person comes through, and then a bunch of other Getty people visit my site — suggesting that one person told his coworkers about the blog entry. In effect, employees at Getty Images have been regular readers of my blog since at least 2011. (For discovery, I would request a forensic image of every computer in Getty’s company that has accessed my web site in order to determine if they used my site for research.)

Getty users also use my online analysis service, FotoForensics. This service is explicitly a research service. There are plenty of examples of Getty users accessing the FotoForensics site to view analysis images, read tutorials, and even upload pictures with test files that have names like “watermark.jpg” and “watermark-removed.jpg”. This explicitly shows that they are using my site as a research tool.

(For the ultra paranoid people: I have neither the time nor the desire to track down every user in my web logs. But if you send me a legal threat, I will grep through the data.)

However, the list does not stop there. For example, the Harvard Reference Guide lists me as the example for citing research from a blog. (PDF: see PDF page 44, document page 42.) Not only does Getty use my site as a research resource, Harvard’s style guide uses me as the example for a research blog (my bold for emphasis).

Blogs are NOT acceptable academic sources unless as objects of research

Paraphrasing, Author Prominent:
Krawetz (2011) uses a blog to discuss advanced forensic image analysis techniques.

Paraphrasing, Information Prominent:
Blogs may give credence to opinion, in some cases with supporting evidence; for example the claim that many images of fashion models have been digitally enhanced (Krawetz 2011).

Reference List Model:
Krawetz, N 2011, ‘The hacker factor blog’, web log, viewed 15 November 2011, http://www.hackerfactor.com/blog/

I should also point out that the AP and Reuters have both been very aware of my blog — including a VP at the AP — and neither has accused me of copyright infringement. They appear to recognize this as Fair Use. Moreover, with one of my blog entries on a Reuters photo (Without a Crutch), a Reuters editor referred to the blog entry as a “Great in-depth analysis” on Reuters’ web site (see Sep 30, 2011) and on her Twitter feed. This shows that Getty’s direct competition recognizes my blog as a research resource.

SLAPP
One of the things my attorney mentioned was California’s Anti-SLAPP law. Wikipedia explains SLAPP, or Strategic Lawsuit Against Public Participation, as “a lawsuit that is intended to censor, intimidate, and silence critics by burdening them with the cost of a legal defense until they abandon their criticism or opposition.” Wikipedia also says:

The plaintiff’s goals are accomplished if the defendant succumbs to fear, intimidation, mounting legal costs or simple exhaustion and abandons the criticism. A SLAPP may also intimidate others from participating in the debate. A SLAPP is often preceded by a legal threat. The difficulty is that plaintiffs do not present themselves to the Court admitting that their intent is to censor, intimidate or silence their critics.

In this case, Getty proceeded to send me a legal threat regarding alleged copyright infringement. Then they demanded $475 and threatened more actions if I failed to pay it. In contrast, it would cost me $400 to file for a Declaratory Judgment (more if I lived in other states), and costs could rise dramatically if Getty filed a lawsuit against me. In either scenario, it places a financial burden on me if I want to defend my First Amendment rights.

In the United States, California has special anti-SLAPP legislation. While not essential, it helps that Getty has offices in California and a network trace shows that some packets went from Getty to my blog through routers in California. As Wikipedia explains:

To win an anti-SLAPP motion, the defendant must first show that the lawsuit is based on claims related to constitutionally protected activities, typically First Amendment rights such as free speech, and typically seeks to show that the claim lacks any basis of genuine substance, legal underpinnings, evidence, or prospect of success. If this is demonstrated then the burden shifts to the plaintiff, to affirmatively present evidence demonstrating a reasonable probability of succeeding in their case by showing an actual wrong would exist as recognized by law, if the facts claimed were borne out.

This isn’t even half of his legal advice. I could barely take notes fast enough as he remarked about topics like Rule 11, tortious interference with a business relationship, Groucho Marx’s reply to Warner Brothers, and how Getty’s repeated access to my web site could be their way to inflate potential damage claims (since damages are based on the number of views).

A Little Due Diligence Goes A Long Way

Although this entire encounter with Getty Images took less than two weeks, I was preparing for a long battle. I even contacted the Electronic Freedom Foundation (EFF) to see if they could assist. The day after Getty recanted, I received a reply from the EFF: no less than four attorneys wanted to help me. (Thank you, EFF!)

I strongly believe that Getty Images is using a “cookie cutter” style of complaint and is not actually interested in any lawsuit; they just want to extort money from people who don’t know their rights or don’t have the fortitude for a long defense (SLAPP). Getty Images made no effort to evaluate the content beyond an automated search bot, made no attempt to review the bot’s results, provided no evidence that they are the copyright holder, provided no proof that they tried to verify licenses, and threatened legal action against me if I did not pay up.

I am glad that I stood up for my First Amendment rights.

Darknet - The Darkside: Clear Your Cookies? You Can’t Escape Canvas Fingerprinting

This post was syndicated from: Darknet - The Darkside and was written by: Darknet. Original post: at Darknet - The Darkside

So tracking is getting even trickier, it seems canvas fingerprinting would work in any browser that supports HTML5 and is pretty hard to stop as a user, as it’s a basic feature (a website instructing your browser to draw an image using canvas). And it turns out, every single browser will draw the image slightly [...]

Read the full post at darknet.org.uk

Schneier on Security: Fingerprinting Computers By Making Them Draw Images

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

Here’s a new way to identify individual computers over the Internet. The page instructs the browser to draw an image. Because each computer draws the image slightly differently, this can be used to uniquely identify each computer. This is a big deal, because there’s no way to block this right now.

Article. Hacker News thread.

EDITED TO ADD (7/22): This technique was first described in 2012. And it seems that NoScript blocks this. Privacy Badger probably blocks it, too.

EDITED TO ADD (7/23): EFF has a good post on who is using this tracking system — the White House is — and how to defend against it.

And a good story on BoingBoing.

TorrentFreak: BPI Rejects Use of Spotify-Owned “Stay Down” Pirate Tool

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

There are hundreds of millions of pirate files inhabiting the Internet and it’s fair to say that many of those are music tracks. As a result, the world’s leading record labels, who together claim 90%+ of the market, spend significant sums making those files more awkward to find.

For sites like The Pirate Bay, which point-blank refuses to remove any torrents whatsoever, the labels have little option than to head off to Google. There the search giant will remove Pirate Bay links from its indexes so that users won’t immediately find them.

However, rather than engaging in a link whack-a-mole, the best solution by far is to remove the content itself. Perhaps surprisingly, many of the world’s leading file-lockers (even ones labeled ‘rogue’ by the United States), allow copyright holders direct back-end access to their systems so they can remove content themselves. It doesn’t really get any fairer than that, and here’s the issue.

This week, while looking at Google’s Transparency Report, TF noticed that during the past month massive file-hosting site 4shared became the record labels’ public enemy number one. In just four weeks, Google received 953,065 requests for 4shared links to be taken down, the majority of them from record labels. In fact, according to Google the BPI has complained about 4shared a mind-boggling 6.75 million times overall.

So, is 4shared refusing to cooperate with the BPI, hence the group’s endless complaints to Google? That conclusion might make sense but apparently it’s not the case. In fact, it appears that 4shared operates a removal system that is particularly friendly to music companies, one that not only allows them to take content down, but also keep it down.

“Throughout the years 4shared developed several tools for copyright owners to protect their content and established a special team that reacts to copyright claims in a timely manner,” 4shared informs TorrentFreak.

“We don’t completely understand BPI’s reasons for sending claims to Google instead of using our tools. From our point of view the best and most effective way for copyright holders to find and remove links to the content they own is to use our music identification system.”

To find out more, TF spoke with the BPI. We asked them to comment on 4shared’s takedown tools and in the light of their existence why they choose to target Google instead. After a few friendly back-and-forth emails, the group declined to comment on the specific case.

“We prefer to comment on our overall approach on search rather than on individual sites, which is to focus on known sources of wide scale piracy and to use a number of tools to tackle this problem,” a BPI spokesman explained.

“Notice-sending represents just one part of the measures available to us, along with site blocking and working with the Police to reduce advertising on copyright infringing sites.”

We asked 4shared to reveal other copyright holders using their system, but the site declined on privacy grounds. However, it’s clear that the BPI isn’t a user and 4shared have their own ideas why that might be.

“It’s possible that BPI goes for quantity not quality,” TF was told.

“If they are trying to increase the number of links in reports or for PR reasons, they probably use a bot to harvest and send links to Google despite the fact that such an approach may also result in false claims.”

The “PR” angle is an interesting one. Ever since Google began publishing its Transparency Report rightsholders have used it to demonstrate how bad the piracy problem is. Boosting those numbers certainly helps the cause.

But is it possible, perhaps, that the BPI doesn’t trust the 4shared system? They didn’t answer our questions on that front either, but it seems unlikely since 4shared uses Echoprint, a solution purchased by Spotify earlier this year.

“Our music identification system which is based on Echoprint technology will not only find all matching content but will also restrict sharing of all potential future uploads of such content,” 4shared concludes.

Take-down-and-stay-down is the Holy Grail for anti-piracy companies. It’s a solution being pushed for in the United States in the face of what rightsholders say is a broken DMCA. On that basis there must be a good reason for the BPI not wanting to work with 4shared and it has to be said that the company’s “PR” theory proves more attractive than most.

The volume of notices in Google’s Transparency Report provides believable evidence of large-scale infringement, and it’s certainly possible that the BPI would prefer to have 4shared blocked in the UK than work with the site’s takedown tools.

We’ll find out the truth in the months to come.

Source: TorrentFreak, for the latest info on copyright, file-sharing and anonymous VPN services.

Krebs on Security: Even Script Kids Have a Right to Be Forgotten

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

Indexeus, a new search engine that indexes user account information acquired from more than 100 recent data breaches, has caught many in the hacker underground off-guard. That’s because the breached databases crawled by this search engine are mostly sites frequented by young ne’er-do-wells who are just getting their feet wet in the cybercrime business.

Indexeus[dot]org

Indexeus boasts that it has a searchable database of “over 200 million entries available to our customers.” The site allows anyone to query millions of records from some of the larger data breaches of late — including the recent break-ins at Adobe and Yahoo! – listing things like email addresses, usernames, passwords, Internet address, physical addresses, birthdays and other information that may be associated with those accounts.

Who are Indexeus’s target customers? Denizens of hackforums[dot]net, a huge forum that is overrun by novice teenage hackers (a.k.a “script kiddies”) from around the world who are selling and buying a broad variety of services designed to help attack, track or otherwise harass people online.

Few services are as full of irony and schadenfreude as Indexeus. You see, the majority of the 100+ databases crawled by this search engine are either from hacker forums that have been hacked, or from sites dedicated to offering so-called “booter” services — powerful servers that can be rented to launch denial-of-service attacks aimed at knocking Web sites and Web users offline.

The brains behind Indexeus — a gaggle of young men in their mid- to late teens or early 20s — envisioned the service as a way to frighten fellow hackers into paying to have their information removed or “blacklisted” from the search engine. Those who pay “donations” of approximately $1 per record (paid in Bitcoin) can not only get their records expunged, but that price also buys insurance against having their information indexed by the search engine in the event it shows up in future database leaks.

The team responsible for Indexeus explains the rationale for their project with the following dubious disclaimer:

“The purpose of Indexeus is not to provide private informations about someone, but to protect them by creating awareness. Therefore we are not responsible for any misuse or malicious use of our content and service. Indexeus is not a dump. A dump is by definition a file containing logins, passwords, personal details or emails. What Indexeus provides is a single-search, data-mining search engine.”

Such information would be very useful for those seeking to settle grudges by hijacking a rival hacker’s accounts. Unsurprisingly, a number of Hackforums users reported quickly finding many of their favorite usernames, passwords and other data on Indexeus. They began to protest against the service being marketed on Hackforums, charging that Indexeus was little more than a shakedown.

Indeed, the search engine was even indexing user accounts stolen from witza.net, the site operated by Hackforums administrator Jesse LaBrocca and used to process payments for Hackforums users who wish to upgrade the standing of their accounts on the forum.

WHO RUNS INDEXEUS?

The individual who hired programmers to help him build Indexeus uses the nickname “Dubitus” on Hackforums and other forums. For the bargain price of $25 and two hours of your time on a Saturday, Dubitus also sells online instructional training on “doxing” people — working backwards from someone’s various online personas to determine their real-life name, address and other personal data.

Dubitus claims to be a master at something he calls “Web detracing,” which is basically removing all of the links from your online personas that might allow someone to dox you. I have no idea if his training class is any good, but it wasn’t terribly difficult to find this young man in the real world.

Dubitus offering training for “doxing” and “Web detracing.”

Contacted via Facebook by KrebsOnSecurity, Jason Relinquo, 23, from Lisbon, Portugal, acknowledged organizing and running the search engine. He also claims his service was built merely as an educational tool.

“I want this to grow and be a reference, and at some point be a tool useful enough to be used by law enforcement,” Relinquo said. “I wouldn’t have won the NATO Cyberdefense Competition if I didn’t have a bigger picture in my mind. Just keep that in yours.”

Relinquo said that to address criticisms that his service was a shakedown, he recently modified the terms of service so that users don’t have to pay to have their information removed from the site. Even so, it remains unclear how users would prove that they are the rightful owner of specific records indexed by the service.

Jason Relinquo

“We’re going through some reforms (free blacklisting, plus subscription based searches), due to some legal complications that I don’t want to escalate,” Relinquo wrote in a chat session. “If [Indexeus users] want to keep the logs and pay for the blacklist, it’s an option. We also state that in case of a minor, the removal is immediate.”

Asked which sort of legal complications were bedeviling his project, Relinquo cited the so-called “right to be forgotten,” data protection and privacy laws in Europe that were strengthened by a May 2014 decision by the European Court of Justice in a ruling against Google. In that case, the EU’s highest court ruled that individuals have a right to request the removal of Internet search results, including their names, that are “inadequate, irrelevant or no longer relevant, or excessive.”

I find it difficult to believe that Indexeus’s creators would be swayed by such technicalities, given that the service was set up to sell passwords to members of a forum known to be frequented by people who will use them for malicious purposes. In any case, I doubt this is the last time we will hear of a service like this. Some 822 million records were exposed in more than 2,160 separate data breach incidents last year, and there is plenty of room for competition and further specialization in the hacked-data search engine market.

The Hacker Factor Blog: Dear Getty Images Legal Department

This post was syndicated from: The Hacker Factor Blog and was written by: The Hacker Factor Blog. Original post: at The Hacker Factor Blog

For the last few years, Getty Images has operated an aggressive anti-copyright infringement campaign. In 2011, they purchased PicScout to search the Internet for potential unlicensed uses of their pictures. Then they began sending out very scary-sounding takedown notices. These letters include a “cease and desist” paragraph as well as a bill for the unauthorized use.

I just received one of these letters. Here’s the 7-page (3.4 MB) letter: PDF. (The only thing I censored was the online access code for paying online.) They billed me $475 for a picture used on my blog. (If you log into their site, it’s $488 with tax.)

A number of news outlets as well as the blogosphere have begun reporting on these letters from Getty Images. For example:

  • International Business Times: “Getty Images Lawsuits: Enforcement Or Trolling? Fear Of Letters Dwindling, Stock-Photo Giant Hits Federal Courts”
  • The DG Group: “Image Copyright Infringement And Getty Images Scam Letter”
  • Extortion Letter Info: “Reporting on Getty Images & Stock Photo Settlement Demand Letters (Copyright Trolls, ‘Extortion’ Letters, ‘Shadown’ Letters)”
  • Women in Business: “Are You Being Set Up For Copyright Infringement? As Technology Becomes More Invasive Copyright Infringement Scams Flourish”
  • RyanHealy.com: “Getty Images Extortion Letter”
  • someguy72 @ Reddit: He states that he purchased the pictures legally from Getty and still received an infringement notice. His advice: if you purchase a picture from Getty, “save your records FOREVER… they will come after you, years later and you might not have PROOF of PURCHASE, and then you will be screwed.”

As far as I can tell, this is an extortion racket. (I’m surprised that there hasn’t been a class-action lawsuit against Getty Images yet.) The basic premise is that they send out a threatening letter with a price tag. Some people will fear the strongly-worded letter and simply pay the amount. If you ignore it, then they send more letters with greater dollar amounts. If you call them up, the forums say that you can usually negotiate a lower amount. However, sometimes you may not actually owe anything at all.

Many people have reported that, if you just ignore it, then it goes away. However, Getty Images has sued a few people who ignored the letters. If you ignore it, then you place yourself at risk.

But here’s the thing… There are some situations where you can use the image without a license. It is in the Copyright law under the heading “Fair Use” (US Copyright Law Title 17 Section 107; in some countries, it’s called “Fair Dealing”). This is an exception from copyright enforcement. Basically, if you’re using the picture as art on your web site or to promote a product, then you are violating their copyright. (You should negotiate a lower rate.) However, if you use it for criticism, comment, news reporting, teaching, scholarship, or research, then you are allowed to use the picture.

For example, I have many blog entries where I forensically evaluate pictures. I do this to show techniques, criticize content, identify deceptive practices, etc. If Fair Use did not exist, then I would be unable to criticize or expose deception from media outlets. In effect, they would be censoring my freedom of speech by preventing me from directly addressing the subject.

Reply To Getty

The picture in question is one that is on an older blog entry: In The Flesh. This blog entry criticizes the media outlets Time and Salon for promoting misleading and hostile software. (It’s hostile because the demo software installs malware.) The software, False Flesh, claims to make people in any picture appear nude. The pictures in my blog entry are used to demonstrate some of the deceptive practices. Specifically, the pictures of nude women on the software’s web site did not come from their software.

I looked at the picture mentioned in Getty’s complaint and how it was being used in the blog entry. I really thought it was permitted under Copyright Fair Use. However, I’m not an attorney. So… I checked with an attorney about the Getty complaint and my use of the picture. I was actually surprised that he didn’t start his answer with “that depends…” (If you’ve ever worked with an attorney, then you know any discussion about legality begins with them saying “that depends…”) Instead, he said outright “it’s clearly fair use.”

Personally, I’m offended that Getty Images made no attempt to look at the context in which the picture is used.

Rather than ignoring them, I sent them a letter:

Dr. Neal Krawetz
Hacker Factor
PO Box 270033
Fort Collins, CO
80527-0033

July 15, 2014

Legal Department
Getty Images
605 5th Ave S, Suite 400
Seattle, WA
98104

Dear Getty Images Legal Department,

I received your copyright infringement notification dated “7/10/2014 11:05:06 AM”, case number 371842247, on July 14, 2014. I have reviewed the image, the use of the picture on my web site, and discussed this situation with an attorney. It is my strong belief that I am clearly using the picture within the scope of Copyright Fair Use (Title 17 Section 107).

Specifically:

  • The blog entry, titled “In The Flesh”, criticizes the media outlets Time and Salon for promoting deceptive software. The software is called “False Flesh” and claims to turn any photo of a person into a nude. I point out that installing the False Flesh demo software will install malware.
  • The blog entry discloses research findings regarding the False Flesh software: there is no identified owner for the software and the sample pictures they use to demonstrate their software are not from their software. I specifically traced their sample images to pictures from sites such as Getty Images. I forensically evaluate the pictures and explicitly point out the misrepresentation created by these images on the False Flesh web site.
  • The picture is used on my web site to criticize the media reports by exposing fraud and misrepresentation associated with the product. It is also included as part of a demonstration for tracking and identifying potentially fraudulent products in general.
  • The blog entry reports on these findings to the public in order to educate people regarding the deceptive nature of False Flesh and the risks from using this software.
  • The image that you identified is not used in the blog entry to promote any products or services and is directly related to the comments, criticism, and research covered in the blog entry. The use is not commercial in nature. This goes toward the purpose and character, which is to identify fraud and misrepresentation in a product promoted by Time and Salon.
  • As described in the blog entry, I found sample images on the False Flesh web site and used TinEye and other forensic methods to identify the sources. This was used to prove that the False Flesh software did not generate any of their sample images.
  • I did not use the full-size version of this particular picture and it includes the Getty Images Image Bank watermark. The blog entry explicitly identifies that the source for the False Flesh picture was Getty Images and not False Flesh. I point out that False Flesh used the picture in a deceptive manner.
  • I believe that my use of this picture has no adverse effect on the potential market for the image.

I believe that this covers the Copyright Fair Use requirements for criticism, comment, teaching, research, and reporting.

Getty Images acknowledges Fair Use in their FAQ concerning license requirements:
http://company.gettyimages.com/license-compliance/faq/#are-there-limitations-on-a-copyright-owners-rights

Specifically, Getty Images calls out education and research. As a computer security and forensic researcher, I use this blog to describe tools and techniques, evaluate methodologies, and to identify deceptive practices. I believe that this specific blog entry, and my blog in general, clearly fit both of these areas.

As stated in this letter, the picture’s appearance on my blog is Fair Use and I have the right under copyright law to use the image without your consent. This letter serves as notice that any DMCA takedown or blocking notices to any third party would be in bad faith.

Sincerely,

/s/ Dr. Neal Krawetz

Chilling Effect

My blog in general reports on findings related to computer security and forensics. Many of these blog entries heavily focus on scams, fraud, and abuse from media outlets. Many of my blog entries (reports) have been repeated by news outlets, and some of my blog entries have had a direct effect on changing insecure and unethical practices. This includes a series of blog entries that exposed digital manipulation in World Press Photo’s annual contest (influencing changes in this year’s contest rules) and a paper on fundamental problems with credit card payment systems that led to changes in the Visa security standards.

While this could be a widespread extortion racket, it could also be Getty’s way of testing the waters before going after some blog entries where I openly and explicitly criticize them for releasing digitally altered photos.

My primary concern is the chilling effect this could have. If I pay the extortion, then it opens me for more claims from Getty; I have previously criticized them for providing digitally altered photos and performed analysis to prove it. It also opens the way for similar claims from the Associated Press, Reuters, and every other media outlet that I have openly criticized. All of my blog entries that explicitly expose digital misrepresentation, report on media manipulation, and even those that disclose methods for evaluating content will be at risk.

In effect, bowing to this one threatening letter would force me to close my blog since I would no longer be allowed to freely write — report, comment, disclose research, and educate others — on topics related to media manipulation and digital photo analysis. I consider Getty’s attempt to censor my blog’s content to be an unacceptable attack on my freedom of speech.

Darknet - The Darkside: Password Manager Security – LastPass, RoboForm Etc Are Not That Safe

This post was syndicated from: Darknet - The Darkside and was written by: Darknet. Original post: at Darknet - The Darkside

We’ve talked a lot about using a password manager to secure, generate and manage your passwords – way back since 2008 when we introduced you to the Password Hasher Firefox Extension. Since then we’ve also mentioned it multiple times in articles where plain text passwords were leaked during hacks, such as the Cupid Media hack…

Read the full post at darknet.org.uk

Darknet - The Darkside: dirs3arch – HTTP File & Directory Brute Forcing Tool

This post was syndicated from: Darknet - The Darkside and was written by: Darknet. Original post: at Darknet - The Darkside

dirs3arch is a simple command line tool designed to brute force directories and files in websites. It’s an HTTP File & Directory Brute Forcing Tool similar to DirBuster. Features: keep-alive connections; multithreaded; detects not-found web pages when 404 errors are masked (.htaccess, web.config, etc.); recursive brute forcing…

Read the full post at darknet.org.uk

The Hacker Factor Blog: Master of My Domain

This post was syndicated from: The Hacker Factor Blog and was written by: The Hacker Factor Blog. Original post: at The Hacker Factor Blog

I receive all sorts of email. Some real, and some junk. I used to have a lot of fun with the junk mailers. Nearly two decades ago, I would spend a few hours hunting them down. Then I would do really mean things to them. I had created a method of determining the spammer’s motivation based on how their spam content was formed. If you know their motivation, then you know what they value. Attacking the thing they value would cause them to stop spamming. (Seriously — I ended up stopping dozens of spammers.)

For example, “List Makers” would collect mailing lists and then sell them off to other spammers. Their email messages were designed to verify if the email address was valid. One List Maker used a web form for people to “opt out”. (Opting out with his system resulted in even more spam since you validated your mailing address.) I wrote a script to iterate through his web site and acquired his list — and I made sure he noticed it. I then informed a few universities and companies about their addresses that were in the list — allowing them to create better filters. With his list stolen, he had nothing to sell. He rewrote his script to block my IP address. No problem — I relayed through hundreds of proxies and stole his list again — and again I made sure that he knew it was stolen. That’s when he stopped sending spam.

And then there was Jason in Spokane, Washington. He wasn’t very anonymous and he had an open directory with his mailing lists. I had his name and city, but nothing else. That’s when some friends in the UIUC Library school offered to help. (Librarians are really terrifying when they start searching public records. Never piss off a librarian.) In 24 hours, we knew his full name, address, phone number, previous employer, reason he was fired (misusing computers at work), his parents’ contact information, his girlfriend’s info, and much more.

I began posting about this to a UUNet newsgroup. Meanwhile, in an email, I had politely asked Jason to stop spamming. His reply showed a strong control of cut-and-paste but a lack of spelling: he called me a “LOOSER” (not “LOSER”) and replicated the sentence a few dozen times. Then he subscribed my email address to hundreds of newsgroups. Back in 1997, that created a denial-of-service attack by flooding my email box. (I was online at the time and immediately unsubscribed.)

Eventually, I posted his personal information online. I had wanted people to physically protest and picket outside his home. But that isn’t what happened… Instead, something happened that I never expected: Hundreds of people around the world called Jason’s phone number to complain and request no more spam. First Jason stopped answering the phone. Then he changed his phone number. Within hours, someone else found Jason’s new number and posted it. Meanwhile, people found other information that I had not made public: they began calling his church, his parents, and his girlfriend. (“I’m not his girlfriend! I’m just a girl who is his friend, and I’m not even his friend anymore!”)

Jason stopped sending spam. And his friend who actually ran the spam operation also stopped. (He switched from spam to life enhancement and get rich quick products.)

(All of this was long before CAN-SPAM and related legislation was passed.)

Suffice it to say, I don’t use a standard spam filter. I have other ways to rapidly filter email.

New Domain!

An email that I received a few weeks ago really got my attention. It was spam, and it said that the domain “fotoforensic.com” was going to be available soon. The spammer wanted me to pay him for the domain name.

I quickly checked the DNS registration information and was startled to see that I was not the listed registrant!

Registry Domain ID: 1804179046_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.godaddy.com
Registrar URL: http://www.godaddy.com
Update Date: 2013-07-15 14:36:48
Creation Date: 2013-05-27 01:32:41
Registrar Registration Expiration Date: 2014-05-27 01:32:41
Registrar: GoDaddy.com, LLC
Registrar IANA ID: 146
Registrar Abuse Contact Email: abuse@godaddy.com
Registrar Abuse Contact Phone: +1.480-624-2505
Domain Status: clientTransferProhibited
Domain Status: clientUpdateProhibited
Domain Status: clientRenewProhibited
Domain Status: clientDeleteProhibited
Registry Registrant ID:
Registrant Name: Nish Patel
Registrant Organization:
Registrant Street: c/o GoDaddy Redemption Services
Registrant Street: 14455 N. Hayden Road, Suite 219
Registrant City: Scottsdale
Registrant State/Province: AZ
Registrant Postal Code: 85260
Registrant Country: United States
Registrant Phone: +1.4805058877
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email:
Registry Admin ID:

I was on the phone — and on hold with GoDaddy — when I realized what was happening. I own “fotoforensics.com” (plural) and this Nish Patel person had registered “fotoforensic.com” (singular). After a year of cybersquatting, he let the domain expire. We were in that period where the domain would cost Patel a huge late fee to reclaim before it went up for auction.

The guy at GoDaddy was extremely helpful. He pointed out that this was a very rare and lucky situation for me. Since the cybersquatter had used GoDaddy and I used GoDaddy, it meant that it would go to the GoDaddy auction site before going public. If it went public, some other cybersquatter would likely snatch it. But I could grab it before it left GoDaddy. And best of all, I was the only person registered for this domain at the GoDaddy auction.

A while ago, I had received a spam email from a cybersquatter. (Was that a year ago? Two years ago? I didn’t really pay attention.) He had wanted a few hundred dollars for “fotoforensic.com” — I had ignored him and forgotten about it. But then I received this spam email about the domain coming up for grabs. I ended up getting it for $4 — that’s $10 to register for the auction and $10 for the domain, minus $16 in credit that I already had at GoDaddy. A $4 domain is much better than paying hundreds to a cybersquatter.

One of Many

Still, I wanted to know more about this “Nish Patel” guy. As far as I can tell, he is a professional cybersquatter, located in China. Someone with his name has currently registered over 25,000 domain names!

A quick search also turned up lots of lawsuits for cybersquatting and trademark infringement. (Patel lost every one of them.) For example:

  • Lorillard Licensing Company, LLC v. Nish Patel
  • WIPO Arbitration case D2013-1127: Compagnie Générale des Etablissements Michelin v. Nish Patel/Above.com Domain Privacy
  • WIPO Arbitration case D2013-0655: Atos IT Services UK Limited v. Nish Patel/Above.com Domain Privacy
  • WIPO Arbitration case D2013-0114: LEGO Juris A/S v. Above.com Domain Privacy / Ready Asset, Nish Patel

While WIPO arbitration is not free, the $1500 to protest up to five domains is likely cheaper than anything the cybersquatter wants. (If it comes down to it, I’d rather pay the attorneys and WIPO than a cybersquatter.)

Online

The domain auction at GoDaddy closed a few days ago (I won). The domain was transferred to me today and it’s already pointing to FotoForensics.com. This way, if someone types the domain name a little wrong (forgetting the plural), they will still be redirected to the site.

I find it ironic that (1) the cybersquatter got nothing for his effort — and ended up spending more money than me, (2) a spammer notified me about the domain name — and earned nothing for his efforts, and (3) owning the domain actually does help me since I know a few people who have typed the domain name wrong — by forgetting the final ‘s’. This is a good start to the week.

TorrentFreak: Google Services Among 472 Sites Blocked For World Cup ‘Piracy’

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

With the World Cup now heading to its semi-final stages, FIFA and its distribution partners are pushing hard to stem the tide of unauthorized content.

While FIFA has even gone as far as taking action against Twitter avatars, news today shows that its affiliates are also prepared to disrupt the activities of hundreds of sites and countless millions of Internet users if that means protecting their copyrights.

The development follows legal action initiated by Multi Screen Media PVT Ltd, a Sony Entertainment Television subsidiary in India. Earlier this year the company obtained a license from FIFA to broadcast the 2014 World Cup to Bangladesh, Bhutan, India, Maldives, Nepal, Pakistan and Sri Lanka. Of course, content is now being made available elsewhere without permission, so the company has decided to do something about that.

In a statement to the High Court in Delhi, counsel for Multi Screen Media explained that “various websites are indulging in hosting, streaming, providing access to” infringing content causing substantial loss of revenue not just for the company, but also to the government due to lost tax on TV subscription fees.

The list of ‘infringing’ sites supplied to the High Court is huge – 479 sites in all – and contains well known sharing sites including The Pirate Bay, torrent storage site Torrage, 1337x, Demonoid, and dozens of file-hosting sites.

Quite amazingly, however, the list also contains entirely legitimate sites including Google Docs, Google Video, Google URL shortener Goo.gl, and Kim Dotcom’s Mega.co.nz. None escape the criticism of Sony or the High Court.

“Learned counsel for the plaintiff submits that many of the websites [in the list] are anonymous in nature and it is virtually impossible to locate the owners of such websites or contact details of such owners. It is further submitted that many of these Rogue Websites also hide behind domain privacy services offered by various domain name Registrars,” the judge wrote in his decision.

“[Websites] listed below, or any other website identified by the Plaintiff are restrained, from in any manner hosting, streaming, broadcasting, rebroadcasting, retransmitting, exhibiting, making available for viewing and downloading, providing access to and / or communicating to the public, displaying, uploading, modifying, publishing, updating and/or sharing (including to its subscribers and users), through the internet, in any manner whatsoever,” he continued.

With that Judge V. Kameswar Rao issued an order for the country’s ISPs to block the 479 sites in question – Google’s included – plus “such other websites that may subsequently be notified by the Plaintiff to be infringing of its exclusive rights.”

While the Judge granting a blocking order against Google is bad enough, one has to question how the company’s services ended up on the High Court application in the first place. That is the responsibility of local anti-piracy company Markscan, who compiled the list for Multi Screen Media. Markscan were featured in a TorrentFreak article last month when they sent dozens of erroneous takedown notices to Google, again on behalf of a Sony company.

“We want to assure you that we deploy technology, in addition to best efforts of our teams, to ensure that we do not impact legal content on yours, or any other website,” they told us at the time. Users of Google Docs, Goo.gl and Google Video may beg to differ.

While some local ISPs have already initiated blockades, Google told Indian news outlet Medianama that there had been “no interruption of our services mentioned in the order.”

The High Court order was issued June 23, alongside an instruction to distribute the summons to the defendant sites by July 22, 2014.

Update: MediaNama is reporting that it has obtained a copy of an updated court order that isn’t yet available on the Delhi High Court website. The update reveals blocking requests for 219 sites, down from the 472 in the original order. No Google websites are in the updated list but many torrent and other file-sharing sites remain.

Original List of 472 Sites to Be Blocked

Source: TorrentFreak, for the latest info on copyright, file-sharing and anonymous VPN services.

The Hacker Factor Blog: Web Exploits from Microsoft

This post was syndicated from: The Hacker Factor Blog and was written by: The Hacker Factor Blog. Original post: at The Hacker Factor Blog

Last week was very depressing. Right now, I’m just trying to get back into the swing of work and programming to help me past the shock. (There was a death in my family.) Until things get back to normal, here’s a topic that I’ve been meaning to write about…

Microsoft Web Errors

For the longest time, the web logs at FotoForensics have had a periodic error message. Since the error doesn’t hurt anything, I never paid it much attention. The error looks like:

[Tue Mar 04 03:17:12 2014] [error] [client 157.55.33.80] (36)File name too long: access to /)\xc3
\x83\xc6\x92\xc3\x86\xe2\x80\x99\xc3\x83\xe2\x80\xb9\xc3\x85\xe2\x80\x9c\xc3\x83\xc6\x92\xc3\xa2\xe2\x82
\xac\xc5\xa1\xc3\x83\xe2\x80\x9a\xc3\x82\xc2\xb5\xc3\x83\xc6\x92\xc3\x86\xe2\x80\x99\xc3\x83\xe2\x80\x9a
\xc3\x82\xc2\xaf\xc3\x83\xc6\x92\xc3\xa2\xe2\x82\xac\xc5\xa1\xc3\x83\xe2\x80\x9a\xc3\x82\xc2\xbf\xc3\x83
\xc6\x92\xc3\xa2\xe2\x82\xac\xc5\xa1\xc3\x83\xe2\x80\x9a\xc3\x82\xc2\xbd\xc3\x83\xc6\x92\xc3\x86\xe2\x80
\x99\xc3\x83\xe2\x80\xa0\xc3\xa2\xe2\x82\xac\xe2\x84\xa2\xc3\x83\xc6\x92\xc3\xa2\xe2\x82\xac\xc5\xa1\xc3
\x83\xe2\x80\x9a\xc3\x82\xc2\xaf\xc3\x83\xc6\x92\xc3\x86\xe2\x80\x99\xc3\x83\xc2\xa2\xc3\xa2\xe2\x80\x9a
\xc2\xac\xc3\x85\xc2\xa1\xc3\x83\xc6\x92\xc3\xa2\xe2\x82\xac\xc5\xa1\xc3\x83\xe2\x80\x9a\xc3\x82\xc2\xbf
\xc3\x83\xc6\x92\xc3\x86\xe2\x80\x99\xc3\x83\xc2\xa2\xc3\xa2\xe2\x80\x9a\xc2\xac\xc3\x85\xc2\xa1\xc3\x83
\xc6\x92\xc3\xa2\xe2\x82\xac\xc5\xa1\xc3\x83\xe2\x80\x9a\xc3\x82\xc2\xbd\xc3\x83\xc6\x92\xc3\x86\xe2\x80
\x99\xc3\x83\xe2\x80\xb9\xc3\x85\xe2\x80\x9c\xc3\x83\xc6\x92\xc3\xa2\xe2\x82\xac\xc5\xa1\xc3\x83\xe2\x80
\x9a\xc3\x82\xc2\xb1\xc3\x83\xc6\x92\xc3\x86\xe2\x80\x99\xc3\x83\xe2\x80\xb9\xc3\x85\xe2\x80\x9c\xc3\x83
\xc6\x92\xc3\xa2\xe2\x82\xac\xc5\xa1\xc3\x83\xe2\x80\x9a\xc3\x82\xc2\xa9: failed

The key elements are the “File name too long: access to” and a bunch of binary garbage. On my server, this type of error appears a few times daily. The IP address varies, but (almost) always traces to Microsoft in Redmond, Washington. The IP addresses appear to be associated with Microsoft web bots that scan and index the Internet.

Looking up the error message with Google shows many other people who have noticed this same thing. Some of the postings date back to 2005.

Most of the forums focus on the error message and end with no conclusion beyond “it’s harmless”. A few of the postings did mention that it mainly comes from Microsoft and seems to be associated with the Bing search bot.

Cause and Effect

Last month, I tracked down the cause of this error. I configured my test server just like the FotoForensics system and submitted the same URL to it. I managed to reproduce the same error message in the error.log file. I then began stripping out fields in my .htaccess file until the error went away.

The cause is pretty straightforward: enabling Apache’s mod_rewrite is all it takes to cause this error. It appears that mod_rewrite uses a fixed buffer length and this URL is too long for the buffer. The error message is harmless and the client receives an HTTP 403 error message. Between the URL being invalid and the overflow being caught, this seems to be a harmless error.

Except…

I have trouble believing that Microsoft would be doing this by accident. I mean, they have been doing this since at least 2005. According to Wikipedia, Bing was not introduced until 2009 (sounds right to me). In early 2005, Bing’s predecessor (MSN Search) introduced a picture search engine. I’m sure there were other changes to their search engine, but that’s about the time when this type of error began to appear.

If it was a bug, I would have expected it to stop or change when they rolled out Bing. Since it did not stop, it appears to be intentional.

Hidden Purpose

I don’t mind if errors show up in my web logs, but I don’t want users to see errors. Seeing a generic “File not found” does not help users who want to find the file. I actually like how 4chan returns a random web page that clearly tells the user that the content is no longer available. But at minimum, I want to return a blank web page.

While trying to return a blank page, I noticed how this bug really works…

Apache permits every directory to have a .htaccess file for controlling or restricting access. This gives users directory-level control. If I want to return a blank page in place of an HTTP 403 error message, I can simply add a control line to my .htaccess file:

ErrorDocument 403 " "

This line says to return a fixed string whenever there is a 403 error. And the fixed string is a single space. The result is a blank web page.

The problem is, this line didn’t work as long as I had “RewriteEngine on” in my .htaccess file (enabling mod_rewrite). Apache seems to process mod_rewrite before the ErrorDocument line, even if the ErrorDocument line comes first in the file.

The default Apache 403 error message is pretty basic. It returns a very simple error page:

Forbidden

You don’t have permission to access /)\xc3\x83\xc6\x92\xc3\x86\xe2\x80\x99\xc3\x83\xe2\x80\xb9\xc3\x85\xe2
\x80\x9c\xc3\x83\xc6\x92\xc3\xa2\xe2\x82\xac\xc5\xa1\xc3\x83\xe2\x80\x9a\xc3\x82\xc2\xb5\xc3\x83\xc6\x92
\xc3\x86\xe2\x80\x99\xc3\x83\xe2\x80\x9a\xc3\x82\xc2\xaf\xc3\x83\xc6\x92\xc3\xa2\xe2\x82\xac\xc5\xa1\xc3
\x83\xe2\x80\x9a\xc3\x82\xc2\xbf\xc3\x83\xc6\x92\xc3\xa2\xe2\x82\xac\xc5\xa1\xc3\x83\xe2\x80\x9a\xc3\x82
\xc2\xbd\xc3\x83\xc6\x92\xc3\x86\xe2\x80\x99\xc3\x83\xe2\x80\xa0\xc3\xa2\xe2\x82\xac\xe2\x84\xa2\xc3\x83
\xc6\x92\xc3\xa2\xe2\x82\xac\xc5\xa1\xc3\x83\xe2\x80\x9a\xc3\x82\xc2\xaf\xc3\x83\xc6\x92\xc3\x86\xe2\x80
\x99\xc3\x83\xc2\xa2\xc3\xa2\xe2\x80\x9a\xc2\xac\xc3\x85\xc2\xa1\xc3\x83\xc6\x92\xc3\xa2\xe2\x82\xac\xc5
\xa1\xc3\x83\xe2\x80\x9a\xc3\x82\xc2\xbf\xc3\x83\xc6\x92\xc3\x86\xe2\x80\x99\xc3\x83\xc2\xa2\xc3\xa2\xe2
\x80\x9a\xc2\xac\xc3\x85\xc2\xa1\xc3\x83\xc6\x92\xc3\xa2\xe2\x82\xac\xc5\xa1\xc3\x83\xe2\x80\x9a\xc3\x82
\xc2\xbd\xc3\x83\xc6\x92\xc3\x86\xe2\x80\x99\xc3\x83\xe2\x80\xb9\xc3\x85\xe2\x80\x9c\xc3\x83\xc6\x92\xc3
\xa2\xe2\x82\xac\xc5\xa1\xc3\x83\xe2\x80\x9a\xc3\x82\xc2\xb1\xc3\x83\xc6\x92\xc3\x86\xe2\x80\x99\xc3\x83
\xe2\x80\xb9\xc3\x85\xe2\x80\x9c\xc3\x83\xc6\x92\xc3\xa2\xe2\x82\xac\xc5\xa1\xc3\x83\xe2\x80\x9a\xc3\x82
\xc2\xa9
on this server.


Apache/2.2.22 (Ubuntu) Server at test-server Port 80

And there it is! The error identifies the server’s version information at the bottom of the error message. Moreover, a user-level .htaccess file cannot prevent this version information from being disclosed. Microsoft is intentionally exploiting this bug so that they can collect information about the server and version being used. This way, Microsoft can tell how many servers are running Apache (and what versions). This is a boon for competitive marketing and market share statistics.

At this point, I expect people to point out that my HTTP header already says the server and version in the HTTP “Server” field. However, the Server field reflects the front-end server, even if the request is actually processed by some back-end server. (Web servers can be chained together.) In contrast, the error message comes from any back-end server that processed the request. In my configuration, the front-end and back-end are the same. However, that isn’t the case for many banks, social networks, and large-scale web services. In effect, Microsoft is harvesting the version information found on the back-end servers.

Keep in mind, this information disclosure does not stop with one URL. Microsoft appends the long garbage characters to lots of different URLs on my site. If any URL silently redirects to a different server, then Microsoft will be able to see the version string change. This permits Microsoft to map out my back-end server architecture.

Mitigating Exposure

So how do you stop this information disclosure? The answer is relatively easy: place the ErrorDocument line in the only configuration file that is processed prior to the user-level .htaccess files. On my server, that’s “/etc/apache2/httpd.conf”. By default, the httpd.conf file is empty. On my server, it now contains one line:

ErrorDocument 403 " "

You’ll need to restart the server when you change the httpd.conf file. And make absolutely sure that the httpd.conf file does not contain “RewriteEngine on” — or else the ErrorDocument line will not be processed.

By making this change, the server will always return a blank page instead of the default 403 error message. The errors still appear in my error.log file, but the user’s browser only sees a 403 error code with a single-space web page. Moreover, Microsoft seems to have noticed that I made this change. They used to send garbage to my server a few times every day. Since making this configuration change, Microsoft reduced their garbage queries (8 in the last week, and only on Sundays and Wednesdays).
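
Two checks for the mitigation above, written here as an added example (not the post’s own code): one flags the Apache footer in a captured 403 body, the other audits an httpd.conf for the quoted ErrorDocument line and the absence of "RewriteEngine on". The sample bodies and config files are constructed.

```python
import re

# Footer Apache appends to its server-generated error pages while ServerSignature
# is on, e.g. "Apache/2.2.22 (Ubuntu) Server at test-server Port 80".
SIGNATURE_RE = re.compile(
    r"Apache/(?P<version>\d+(?:\.\d+)*)\s*(?:\([^)]*\))?\s*"
    r"Server at\s+(?P<host>\S+)\s+Port\s+(?P<port>\d+)",
    re.IGNORECASE,
)

# Constructed sample: the default 403 body from the post, garbage path shortened.
DEFAULT_403_BODY = (
    "Forbidden\n\n"
    "You don't have permission to access /)\\xc3\\x83\\xc6\\x92 on this server.\n\n\n"
    "Apache/2.2.22 (Ubuntu) Server at test-server Port 80\n"
)
# Constructed sample: what the server returns after the mitigation (a single space).
BLANK_403_BODY = " "


def find_server_signature(body):
    """Return {version, host, port} if the default error footer leaks, else None."""
    m = SIGNATURE_RE.search(body)
    if m is None:
        return None
    return {"version": m.group("version"), "host": m.group("host"), "port": int(m.group("port"))}


_ERRORDOC_403_RE = re.compile(r"^\s*ErrorDocument\s+403\s+(.+?)\s*$", re.IGNORECASE | re.MULTILINE)
_REWRITE_ON_RE = re.compile(r"^\s*RewriteEngine\s+on\b", re.IGNORECASE | re.MULTILINE)


def audit_httpd_conf(conf_text):
    """Check the post's mitigation in a server-level config file.

    Returns a list of findings; an empty list means the file carries a quoted
    ErrorDocument 403 message and does not switch mod_rewrite on.
    """
    findings = []
    m = _ERRORDOC_403_RE.search(conf_text)
    if m is None:
        findings.append("no ErrorDocument 403: the default error page (with version footer) is served")
    elif not m.group(1).startswith('"'):
        # Apache only treats the argument as literal text when it starts with a
        # straight double quote; anything else is read as a local or remote URL.
        findings.append("ErrorDocument 403 argument is not a quoted message: %r" % m.group(1))
    if _REWRITE_ON_RE.search(conf_text):
        findings.append("RewriteEngine on: per the post, the ErrorDocument line is then not applied")
    return findings


# Constructed configs: the one-line httpd.conf from the post, and two broken variants.
GOOD_CONF = 'ErrorDocument 403 " "\n'
CURLY_QUOTE_CONF = "ErrorDocument 403 \u201d \u201c\n"   # smart quotes from a copy-paste
REWRITE_CONF = 'RewriteEngine on\nErrorDocument 403 " "\n'

if __name__ == "__main__":
    print(find_server_signature(DEFAULT_403_BODY))   # version/host/port leak
    print(find_server_signature(BLANK_403_BODY))     # None
    for name, conf in (("good", GOOD_CONF), ("curly", CURLY_QUOTE_CONF), ("rewrite", REWRITE_CONF)):
        print(name, audit_httpd_conf(conf))
```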

TorrentFreak: Tough New Piracy Law Sees No Takers in More Than a Year

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

For many years regular file-sharers in Norway have been largely free to go about their business with little concern for the consequences. A 2011 decision disallowed the only entity licensed to collect information on P2P networks from doing so, meaning that tracking pirates without permission would breach privacy laws.

In 2011 under significant rightsholder pressure, the Ministry of Culture announced amendments to the country’s Copyright Act alongside promises to give the entertainment industries the tools to go after pirates. Two years later in July 2013 the new law went into effect and as promised it gave the pirate hunters a sporting chance.

Out went the days of restrictions on P2P user monitoring and in came a system whereby groups seeking to spy on pirates only needed to get permission from the country’s Data Inspectorate. The big MPAA affiliates obtained permission within the first few months and promised to target uploaders, but what followed next?

Since it’s been a full 12 months since the start of the new law and seven months since the MPA obtained clearance to monitor, Hardware.no filed some questions with the Ministry of Culture to find out the state of play. It also contacted the Post and Telecommunications Authority to find out if any personal details of file-sharers had been handed over to copyright holders.

“The short answer is no,” said Deputy Director Elisabeth Aarsæther.

“From our point of view it looks like the word ‘share’ means go ahead and ‘steal’ among users. I cannot say for certain that nothing will happen going forward, but we have not received any requests so far.”

Aarsæther said that the lack of requests might have something to do with the greater number of legal services now available online. However, there also appears to be a lack of interest from copyright holders who only need to register with the authorities in order to collect IP addresses.

“We took stock moments ago, and we have not received any new messages in a long time,” senior Data Inspectorate adviser Guro Skåltveit told Hardware. “There are currently twelve entities who have advised us and can now collect data.”

Eleven of that dozen registered back in the fall of 2013, and they include a successful application from the Norwegian Pirate Party. Thus far in 2014 there has only been one new application. None have sought personal details.

Finally the new law allows for the blocking of sites confirmed to breach copyright law, but again there has been little visible movement on that front. The industries’ main target, the infamous Pirate Bay, remains accessible in the country despite threats to have it blocked in court. However, this process was expected to take some time, particularly since local ISPs are refusing to do anything voluntarily.

After lobbying hard for new laws over many years one might have expected rightsholders to use every tool available to them as quickly as possible, but for some reason they’re gathering dust 12 months on. It may well be that chasing down individuals has become unpalatable, especially alongside efforts to woo consumers with better legal offerings.

Time will tell what the strategy is going forward, but for now Norwegian file-sharers can rest easy. Their next challenge probably won’t be a letter in the post, but the puzzle of how to unblock The Pirate Bay.

Source: TorrentFreak, for the latest info on copyright, file-sharing and anonymous VPN services.

LWN.net: Schneier: NSA Targets Privacy Conscious for Surveillance

This post was syndicated from: LWN.net and was written by: jake. Original post: at LWN.net

Bruce Schneier has a good summary of recently reported information about the US National Security Agency (NSA) targeting of users searching for or reading information about Tor and The Amnesic Incognito Live System (Tails), which certainly could include readers of this site. “Jake Appelbaum et al. are reporting on XKEYSCORE selection rules that target users — and people who just visit the websites of — Tor, Tails, and other sites. This isn’t just metadata; this is “full take” content that’s stored forever. [...] It’s hard to tell how extensive this is. It’s possible that anyone who clicked on this link — with the embedded torproject.org URL above — is currently being monitored by the NSA. It’s possible that this only will happen to people who receive the link in e-mail, which will mean every Crypto-Gram subscriber in a couple of weeks. And I don’t know what else the NSA harvests about people who it selects in this manner.

Whatever the case, this is very disturbing.” Also see reports in Linux Journal (which was specifically noted in the XKeyscore rules) and Boing Boing.

Schneier on Security: NSA Targets the Privacy-Conscious for Surveillance

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

Jake Appelbaum et al. are reporting on XKEYSCORE selection rules that target users — and people who just visit the websites of — Tor, Tails, and other sites. This isn’t just metadata; this is “full take” content that’s stored forever.

This code demonstrates the ease with which an XKeyscore rule can analyze the full content of intercepted connections. The fingerprint first checks every message using the “email_address” function to see if the message is to or from “bridges@torproject.org”. Next, if the address matched, it uses the “email_body” function to search the full content of the email for a particular piece of text – in this case, “https://bridges.torproject.org/”. If the “email_body” function finds what it is looking for, it passes the full email text to a C++ program which extracts the bridge addresses and stores them in a database.

[...]

It is interesting to note that this rule specifically avoids fingerprinting users believed to be located in Five Eyes countries, while other rules make no such distinction. For instance, the following fingerprint targets users visiting the Tails and Linux Journal websites, or performing certain web searches related to Tails, and makes no distinction about the country of the user.

[...]

There are also rules that target users of numerous other privacy-focused internet services, including HotSpotShield, FreeNet, Centurian, FreeProxies.org, MegaProxy, privacy.li and an anonymous email service called MixMinion as well as its predecessor MixMaster. The appid rule for MixMinion is extremely broad as it matches all traffic to or from the IP address 128.31.0.34, a server located on the MIT campus.

It’s hard to tell how extensive this is. It’s possible that anyone who clicked on this link — with the embedded torproject.org URL above — is currently being monitored by the NSA. It’s possible that this only will happen to people who receive the link in e-mail, which will mean every Crypto-Gram subscriber in a couple of weeks. And I don’t know what else the NSA harvests about people who it selects in this manner.

Whatever the case, this is very disturbing.

EDITED TO ADD (7/3): The BoingBoing story says that this was first published on Tagesschau. Can someone who can read German please figure out where this originated.

And, since Cory said it, I do not believe that this came from the Snowden documents. I also don’t believe the TAO catalog came from the Snowden documents. I think there’s a second leaker out there.

EDITED TO ADD (7/3): More news stories. Thread on Reddit. I don’t expect this to get much coverage in the US mainstream media.

EDITED TO ADD (7/3): Here is the code. In part:

// START_DEFINITION
/*
These variables define terms and websites relating to the TAILs (The Amnesic
Incognito Live System) software program, a comsec mechanism advocated by
extremists on extremist forums.
*/

$TAILS_terms=word('tails' or 'Amnesiac Incognito Live System') and word('linux'
or ' USB ' or ' CD ' or 'secure desktop' or ' IRC ' or 'truecrypt' or ' tor ');
$TAILS_websites=('tails.boum.org/') or ('linuxjournal.com/content/linux*');
// END_DEFINITION

// START_DEFINITION
/*
This fingerprint identifies users searching for the TAILs (The Amnesic
Incognito Live System) software program, viewing documents relating to TAILs,
or viewing websites that detail TAILs.
*/
fingerprint('ct_mo/TAILS')=
fingerprint('documents/comsec/tails_doc') or web_search($TAILS_terms) or
url($TAILS_websites) or html_title($TAILS_websites);
// END_DEFINITION

Hacker News and Slashdot threads. ArsTechnica and Wired articles.

EDITED TO ADD (7/4): EFF points out that it is illegal to target someone for surveillance solely based on their reading:

The idea that it is suspicious to install, or even simply want to learn more about, tools that might help to protect your privacy and security underlies these definitions — and it’s a problem. Everyone needs privacy and security, online and off. It isn’t suspicious to buy curtains for your home or lock your front door. So merely reading about curtains certainly shouldn’t qualify you for extra scrutiny.

Even the U.S. Foreign Intelligence Surveillance Court recognizes this, as the FISA prohibits targeting people or conducting investigations based solely on activities protected by the First Amendment. Regardless of whether the NSA is relying on FISA to authorize this activity or conducting the spying overseas, it is deeply problematic.

Schneier on Security: Goldman Sachs Demanding E-Mail Be Deleted

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

Goldman Sachs is going to court to demand that Google retroactively delete an e-mail it accidentally sent.

The breach occurred on June 23 and included “highly confidential brokerage account information,” Goldman said in a complaint filed last Friday in a New York state court in Manhattan.

[...]

Goldman said the contractor meant to email her report, which contained the client data, to a “gs.com” account, but instead sent it to a similarly named, unrelated “gmail.com” account.

The bank said it has been unable to retrieve the report or get a response from the Gmail account owner. It said a member of Google’s “incident response team” reported on June 26 that the email cannot be deleted without a court order.

“Emergency relief is necessary to avoid the risk of inflicting a needless and massive privacy violation upon Goldman Sachs’ clients, and to avoid the risk of unnecessary reputational damage to Goldman Sachs,” the bank said.

“By contrast, Google faces little more than the minor inconvenience of intercepting a single email – an email that was indisputably sent in error,” it added.

EDITED TO ADD (7/7): Google deleted the unread e-mail, without waiting for a court order.

The Hacker Factor Blog: Needing a Time Out

This post was syndicated from: The Hacker Factor Blog and was written by: The Hacker Factor Blog. Original post: at The Hacker Factor Blog

I’m not a big sports fan. I think American Football is too slow — 10 seconds of action followed by 12 minutes of watching big guys in spandex stand around doesn’t do it for me. Basketball has evolved into a game for tall people who can make baskets from anywhere on the court… so why do they even bother running around? Want to make basketball exciting? Add obstacles and make the baskets move around!

Non-American Football (aka soccer) is too exhausting — the people keep running and there are not many points. Also, I think the game is too violent (in the stands, not on the field). If I want to watch a low-point high-excitement game, I’ll watch ice hockey. Lots of action, lots of strategy, and the fights are among the players. Blood bounces on ice, slashing is illegal, and when players fall down, they ain’t faking it.

While I do not care much for sports, I find the technologies behind the scenes to be fascinating. The cameras, motion tracking technologies, synchronized clocks, high-speed networks, and real-time computation infrastructures are just amazing. The few stadiums that I have toured have had almost as much digital security as a Las Vegas casino. The network operation center (NOC) at most stadiums rivals the NOC at Defcon. (At Defcon, good luck getting to the NOC’s door. And I doubt you’ll get past the doorway.)

If you do manage to get into the NOC, then everything sensitive is hidden, every place you stand is pre-planned, and everything you touch is closely watched.

World Cup Soccer Football

Over the last 24 hours, there has been a story about the World Cup wifi password being captured in a photo.

The big screen on the right side shows login information for a wireless network. The wireless identifier (SSID) says “WORLDCUP” and the password is “b5a2112014”. The news articles all report this as being a huge security lapse since the photo reveals this sensitive information.

Here are a few sample news articles about the photo:

  • The Hacker News: FIFA World Cup Security Team Accidentally Reveals their Wi-Fi Password
  • Geek.com: World Cup 2014 Wi-Fi password accidentally shared with the world
  • International Business Times: World Cup Security Overlord Accidentally Reveals Internal Wi-Fi Password in Epic Fail
  • Popular Mechanics: Whoops! World Cup Security Shares Its Wi-Fi Password With the World
  • Gizmodo: World Cup Security Team Accidentally Shares Its Awful Wi-Fi Password

Most of the news articles do not identify when this photo was taken. At best, they cite Twitter postings from June 23-25. And most articles do not cite any direct sources.

Dated News

The oldest version of the picture that I know of is from June 22nd:
http://imgsapp2.correiobraziliense.com.br/app/noticia_127983242361/2014/06/22/433890/20140621233924335925i.jpg

The URL to the picture contains the timestamp “2014/06/22”. The photo also contains a timestamp in the filename: 2014-06-21 23:39:24 (20140621233924). However, we don’t know the timezone used for either timestamp. Assuming the timestamps reflect the photo’s time and the news article’s time, then it means the photo was taken before the news article was written. (Good — I’d be concerned if the article came before the photo.)

There is a third timestamp provided by the web server. The “Last-Modified” header embedded in the HTTP request denotes when the file was uploaded to the server: Last-Modified Mon, 23 Jun 2014 23:46:46 GMT. As far as I can tell, the photo was captured late on June 21st, post-processed (resized, recolored, and possibly cropped), associated with a story on June 22, and uploaded to the server on June 23rd. (Since I have yet to see a full-sized near-original version of this picture, I will simply assume that it has not been digitally altered.)
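
The three timestamps above can be pulled out and compared mechanically. This is an added example, not code from the post; the UTC offset passed in is an assumption, since the post notes that the timezone of the URL-derived timestamps is unknown, and only the Last-Modified value is known to be GMT.

```python
import re
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Values quoted in the post: the image URL and the server's Last-Modified header.
IMAGE_URL = ("http://imgsapp2.correiobraziliense.com.br/app/noticia_127983242361"
             "/2014/06/22/433890/20140621233924335925i.jpg")
LAST_MODIFIED = "Mon, 23 Jun 2014 23:46:46 GMT"

# Date directory in the path (/YYYY/MM/DD/) and the 14-digit YYYYMMDDhhmmss prefix of the filename.
PATH_DATE_RE = re.compile(r"/(\d{4})/(\d{2})/(\d{2})/")
FILENAME_TS_RE = re.compile(r"/(\d{4})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})\d*[A-Za-z]?\.\w+$")


def extract_timeline(url, last_modified):
    """Pull the three timestamps out of the URL and the header.

    The two URL-derived values are naive datetimes (their timezone is unknown);
    Last-Modified is defined as GMT, so it comes back timezone-aware.
    """
    m = PATH_DATE_RE.search(url)
    if m is None:
        raise ValueError("no /YYYY/MM/DD/ directory in URL")
    article_day = datetime(*(int(g) for g in m.groups()))
    m = FILENAME_TS_RE.search(url)
    if m is None:
        raise ValueError("no YYYYMMDDhhmmss prefix in filename")
    photo_time = datetime(*(int(g) for g in m.groups()))
    uploaded = parsedate_to_datetime(last_modified)
    return {"photo": photo_time, "article_day": article_day, "uploaded": uploaded}


def upload_delay_seconds(timeline, assumed_utc_offset_hours):
    """Seconds between the filename timestamp and the upload, given an assumed UTC
    offset for the naive filename timestamp (e.g. -3 for Brasília in June 2014)."""
    tz = timezone(timedelta(hours=assumed_utc_offset_hours))
    photo_utc = timeline["photo"].replace(tzinfo=tz)
    return int((timeline["uploaded"] - photo_utc).total_seconds())


def ordering_is_plausible(timeline, assumed_utc_offset_hours):
    """True if the photo was taken no later than the end of the article's day and
    the article's day began before the upload: the order the post expects."""
    tz = timezone(timedelta(hours=assumed_utc_offset_hours))
    photo = timeline["photo"].replace(tzinfo=tz)
    article = timeline["article_day"].replace(tzinfo=tz)
    return photo <= article + timedelta(days=1) and article <= timeline["uploaded"]


if __name__ == "__main__":
    tl = extract_timeline(IMAGE_URL, LAST_MODIFIED)
    for offset in (0, -3):   # UTC and Brasília time, both assumptions
        hours = upload_delay_seconds(tl, offset) / 3600
        print("offset %+d: plausible=%s, photo-to-upload delay %.2f h"
              % (offset, ordering_is_plausible(tl, offset), hours))
```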

I see a few possible reasons for delaying the photo by nearly 48 hours. For example, maybe someone thought the picture was not interesting. It took a few days for someone to decide it was newsworthy.

Another option is that they were planning to use the picture later. In particular, June 23rd was the same day that Croatia played Mexico and Croatia’s flag is on the front monitors. It makes sense that they would use the photo to discuss the game.

Then again, this picture has definitely been resized and post-processed. I have no idea where the hosting site found the picture. I may not be looking at the oldest online version — the delay may represent the time it took to propagate to this web site.

In any case, it took about 24 hours for someone to notice the wifi password and post it to Twitter. Then it took another 4-5 days to be picked up by the mass media.

Newsworthy

Now we know that the media is reporting on old news. The second question is: how bad is this information leak?

Keep in mind: We don’t know if that password was sensitive or intended to be accessible. I have been in many locations where the wifi password was prominently displayed for everyone in the area. My local coffee shop has a sign taped to the cash register: “The Wireless Password is: BUYSOMETHING”. The oil change place that I use has their wireless password on a sign behind the register (it’s the manager’s name). I have even seen sensitive network operation centers with the wifi password written on whiteboards.

If this World Cup password was sensitive, then I am certain that it was changed long before the major media outlets reported on the story.

If it is not sensitive, then perhaps they didn’t care if the password was public — maybe it was intended for site visitors. Maybe it is intended for everyone.

And how accessible is this wifi access point? If wireless access requires you to be in the shielded room of their NOC, then disclosing the password creates ZERO additional risk since it is not accessible by anyone outside the room. (And if the risk is standing inside the room, then they have bigger concerns than the wifi password.)

Room with a View

The photo allegedly shows the IT security team, and the configuration of the room is typical for a NOC or datacenter. There are the individual operator workstations and the NOC screens at the front of the room for sharing information. If there is any ongoing activity, the operators can readily share the information on the big screens. This allows them to work independently or as a team.

In fact, the only thing that I find odd is the lack of a telephone at each desk. Every NOC that I have seen has had at least one telephone within reach of each desk.

The photo of the room also shows a few other things:

  • There is no activity on the big screens. If the NOC is not in use, then the screens are usually powered off. If the NOC is in use, then the screens will contain information — anything from network dumps and traffic analysis to camera feeds or news coverage. In the photo, the screens show big banners that, to me, appear to have been placed there for the photographer.

    For a comparison, consider the view of the NOC when President Bush visited the NSA back in 2006:

    Bush and his entourage are standing in front of the main screens. The screens show various network monitoring tools. (And even this was certainly a photo-op and not mission critical information.)

  • There are only two people “working” in the World Cup’s NOC. They are sitting at the front desk and staring at blank monitors. If there is anything on the monitors, it is not visible in this photo. The vertical monitor looks like it has an open web browser with a blank web page.

    If this NOC were actually in use, I would expect to see more people and more activity on their monitors. And while people might lean over and work at the same station, they are more likely to work at their own desks. Again, to me this looks staged for a photo-op. It would not surprise me if there were other people in the room, standing outside the camera’s view.

If they took the time to cover the screens, hide content from the monitors, and pose NOC workers, then I have no doubt that everything shown in the photo has been cleared for release. This includes the wifi login information seen on the right-most front display.

OMG! THE SKY IS BLUE!

The folks at Hacker News wrote:

Wifi Network: WORLDCUP
Password: b5a2112014

The password appears to be “brazil2014” in leet speak. I think it’s completely unguessable and the most secure one for this highly considered World Cup event. Haaa!

Yes, Hacker News actually wrote “Haaa!”

If this wireless login information was intended to be private, then this would be embarrassing. However, if they wanted it to be private, then they probably would not have remembered to cover every screen and clear the room except for the sensitive login information on the screen. Moreover, I doubt that they would set the private SSID to be “WORLDCUP”. (Every NOC that I have seen uses random letters or cryptic sequences for non-public SSIDs.) I suspect that Hacker News — and every other news outlet — is getting overly excited about a public access point.

To me, this picture does not appear to leak sensitive information, provide any exploitable risk, or offer any source of embarrassment for the World Cup management. What is embarrassing is reading news articles that fail to cite their sources, fail to identify when the photo was taken, and fail to identify if this is a risk or just a lot of nothing. Honestly, I’m not finding this World Cup action to be very exciting at all.

TorrentFreak: Comcast Must Share Six-Strikes Warnings with Copyright Troll, Court Rules

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

Last year the RIAA and MPAA teamed up with five of the largest Internet providers in the U.S. to begin issuing warnings to alleged copyright infringers.

As part of this partnership the ISPs have to store all warnings their customers receive. Opponents feared that this data could be used against these individuals in court, which is specifically permitted under the agreement.

“The Content Owner Representatives [MPAA / RIAA] or any other member of the Participating Content Owners Group may use such reports or data as the basis for seeking a Subscriber’s identity through a subpoena or order or other lawful process,” the agreement reads.

However, as it turns out, the first legal consequences aren’t a result of action taken by Hollywood or the major record labels. They come from the adult video publisher Malibu Media, a so-called copyright troll that has filed over 750 lawsuits against alleged infringers this year alone.

In their case against Kelley Tashiro, a middle-aged female nurse from Indianapolis, the company had trouble proving that an infringement actually took place. But instead of backing down, they put their money on the six-strikes warnings databases.

Malibu asked the court to order Comcast to release all data being held as part of the Copyright Alert System. While Malibu is not part of the program, this data may show that the Internet connection was used to share pirated content on more occasions.

“DMCA notices and six strike notices are relevant because these notices may prove a pattern of infringement or notice that infringement is occurring or both,” Malibu noted in its motion.

A copy of the recorded copyright infringements wasn’t enough for Malibu, though: the company also asked for details of Tashiro’s bandwidth consumption, suggesting that this could indicate whether she is an infringer or not.

“Bandwidth usage is relevant because people who are heavy BitTorrent users use significantly more bandwidth than normal internet users,” the company’s sweeping generalization reads.

This week Indiana District Court Judge Mark Dinsmore granted Malibu’s motion, which means that Comcast will be ordered to share the requested evidence.

“Plaintiff’s Motion is GRANTED. Plaintiff may serve a third party subpoena on Comcast and Comcast should comply with Plaintiff’s Subpoena Duces Tecum for deposition as outlined in Plaintiff’s Motion,” the Judge writes.


Comcast has not yet responded to the order, but considering the sensitivity of the subject the Internet provider is expected to file an appeal.

Currently it’s not known whether Tashiro has ever received a copyright alert, but the RIAA, MPAA and other participants in the Copyright Alerts System will not be pleased with these latest developments.

The Center for Copyright Information, which oversees the program, has always emphasized that the program respects the privacy of Internet subscribers. Having it used against alleged downloaders by copyright holders that are not even part of the scheme is bad PR for them, to say the least.

Source: TorrentFreak, for the latest info on copyright, file-sharing and anonymous VPN services.

Errata Security: SCOTUS’s new Rummaging Doctrine

This post was syndicated from: Errata Security and was written by: Robert Graham. Original post: at Errata Security

Electronic privacy is currently ruled by the “Third Party Doctrine” from the cases Smith, Miller, and Katz. I think SCOTUS just largely replaced that with the “Rummaging Doctrine” in Riley v California.

The Third Party Doctrine was the principle that once you give up your data to a third party, that data is no longer covered by the Fourth Amendment. That’s because you no longer have a “reasonable expectation of privacy”. Thus, you have no reasonable expectation of privacy in your phone call records, so the police can grab them without a warrant.

Riley changes the direction of that arrow. It’s no longer about your privacy, it’s about the government’s power — the power that comes from unrestrained rummaging through a person’s effects. It’s no longer about whether I want something private, it’s about whether the police properly want something revealed. The properness is defined as the idea that police must already have good reason to suspect somebody of a crime, and must only be looking for evidence of that specific crime. They can’t go on fishing expeditions.

SCOTUS goes so far as to declare the revolution, that it’s right and proper to take up arms against governments who rummage through our effects. They cite the case of John Adams taking up arms against the ‘writs of assistance’, which were search warrants that never expired allowing British agents to search indiscriminately. The modern version of such writs is the Verizon court order renewed every three months for the last 8 years demanding all phone metadata. I think the court is signalling a complete exoneration of Edward Snowden leaking that writ to the public.

Right now, the government can go to Yahoo and request the last 15 years of my email stored on their servers, without a warrant, just in case I might’ve committed a crime. Right now, the government grabs all my phone and financial records, even though they don’t suspect me of a crime, and then applies computer algorithms putting that data together in order to see if evidence of crime falls out. To travel on planes, I first have to prove to the government that I’m innocent. That’s rummaging in full ‘writs of assistance’ style, and I’m pretty sure SCOTUS just said they are going to strike that stuff down.