Posts tagged ‘Privacy’

Krebs on Security: Hardware Giant LaCie Acknowledges Year-Long Credit Card Breach

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

Computer hard drive maker LaCie has acknowledged that a hacker break-in at its online store exposed credit card numbers and contact information on customers for the better part of the past year. The disclosure comes almost a month after the breach was first disclosed by KrebsOnSecurity.

On Mar. 17, 2014, this blog published evidence showing that the Web storefront for French hardware giant LaCie (now owned by Seagate) had been compromised by a group of hackers that broke into dozens of online stores using security vulnerabilities in Adobe’s ColdFusion software. In response, Seagate said it had engaged third-party security firms and that its investigation was ongoing, but that it had found no indication that any customer data was compromised.

The Web site as listed in the control panel of a botnet of hacked ecommerce sites.


In a statement sent to this reporter on Monday, however, Seagate allowed that its investigation had indeed uncovered a serious breach. Seagate spokesman Clive J. Over said the breach may have exposed credit card transactions and customer information for nearly a year beginning March 27, 2013. From his email:

“To follow up on my last e-mail to you, I can confirm that we did find indications that an unauthorized person used the malware you referenced to gain access to information from customer transactions made through LaCie’s website.”

“The information that may have been accessed by the unauthorized person includes name, address, email address, payment card number and card expiration date for transactions made between March 27, 2013 and March 10, 2014. We engaged a leading forensic investigation firm, who conducted a thorough investigation into this matter. As a precaution, we have temporarily disabled the e-commerce portion of the LaCie website while we transition to a provider that specializes in secure payment processing services. We will resume accepting online orders once we have completed the transition.”

“Security and data privacy are extremely important to LaCie, and we deeply regret that this happened. We are in the process of implementing additional security measures which will help to further secure our website. Additionally, we sent notifications to the individuals who may have been affected in order to inform them of what has transpired and that we are working closely and cooperatively with the credit card companies and federal authorities in their ongoing investigation.”

It is unclear how many customer records and credit cards may have been accessed during the time that the site was compromised; Over said in his email that the company did not have any additional information to share at this time.

As I noted in a related story last month, Adobe ColdFusion vulnerabilities have given rise to a number of high profile attacks in the past. The same attackers who hit LaCie also were responsible for a breach at jam and jelly maker Smuckers, as well as Alpharetta, Ga. based credit card processor SecurePay.

In February, a hacker in the U.K. was charged with accessing computers at the Federal Reserve Bank of New York in October 2012 and stealing names, phone numbers and email addresses using ColdFusion flaws. According to this Business Week story, Lauri Love was arrested in connection with a sealed case which claims that between October 2012 and August 2013, Love hacked into computers belonging to the U.S. Department of Health and Human Services, the U.S. Sentencing Commission, Regional Computer Forensics Laboratory and the U.S. Department of Energy.

According to multiple sources with knowledge of the attackers and their infrastructure, this is the very same gang responsible for an impressive spree of high-profile break-ins last year, including:

- An intrusion at Adobe in which the attackers stole credit card data, tens of millions of customer records, and source code for most of Adobe’s top selling software (ColdFusion, Adobe Reader/Acrobat/Photoshop);

- A break-in targeting data brokers LexisNexis, Dun & Bradstreet, and Kroll;

- A hack against the National White Collar Crime Center, a congressionally-funded non-profit organization that provides training, investigative support and research to agencies and entities involved in the prevention, investigation and prosecution of cybercrime.

Schneier on Security: GoGo Wireless Adds Surveillance Capabilities for Government

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

The important piece of this story is not that GoGo complies with the law, but that it goes above and beyond what is required by law. It has voluntarily decided to violate your privacy and turn your data over to the government.

The Hacker Factor Blog: Heartbreaker

This post was syndicated from: The Hacker Factor Blog and was written by: The Hacker Factor Blog. Original post: at The Hacker Factor Blog

Update 2014-04-12: CloudFlare had evaluated the Heartbleed SSL bug and reached a similar conclusion to my own. They issued a public challenge in order to determine if it was possible to steal the private certificate. Well, someone stole it and completed the challenge. While it is time consuming, it is not impossible. This makes Heartbleed a serious bug. If you were vulnerable, then you should change certificates and require users to change passwords.

The quick way to tell if you are vulnerable: On the server, run ‘openssl version’. If you see “0.9.8”, then you are not at risk. If you see “1.anything” then you are vulnerable. And with thousands of kiddiez scanning for vulnerable servers over the last few days, you should assume that you have been compromised. Upgrade to “1.0.1g” (that is the version with the patch), restart the web server (to get the old version out of memory), install new certificates (may require another restart), and then inform users to change their passwords.

As I said at the end of this blog entry, I don’t mind saying I was wrong. Well: I was wrong. I’m leaving the rest of this blog entry unedited so you can see my original evaluation.

Earlier this week, there was an advisory about an SSL vulnerability. SSL, the Secure Sockets Layer protocol, helps manage cryptography for online connections. When you use “HTTPS” in a URL, you are using HTTP (web traffic) over SSL.

I have previously written about some of the serious drawbacks regarding SSL. In particular, it is usually applied incorrectly and offers a sense of security that is unjustified. I refer to SSL as “better than nothing” security. It’s better than plain text, but it is not strong security.

Having said that, there is a difference between a “fundamental flaw” and an “implementation flaw”. A fundamental flaw is a vulnerability that exists because of the type of technology. It does not matter what SSL library you use because all of them will suffer from the same basic issues. For example, SSL without client-side certificates can always be hijacked by a man-in-the-middle attack. And virtually no web sites use client-side certificates.

In contrast, the recent “Heartbleed” vulnerability is an implementation flaw. This means that the problem is limited to the specific SSL software. If your server does not use OpenSSL 1.x — either because you are using an older version like OpenSSL 0.9.8 or because you are not using OpenSSL at all — then you are not vulnerable. (This is why Microsoft’s web services are not vulnerable. Microsoft does not use OpenSSL.)

However, most web services with SSL use OpenSSL. And they are likely running either version 1.0.1 (vulnerable) or 0.9.8 (not vulnerable).

From the media and other security experts, I keep hearing that this is a bad bug and you must change your password immediately! I don’t believe it. While there has been evidence that suggests an extremely serious bug, I have not yet been able to reproduce it in my own testing. Unless someone can actually demonstrate a password or server-side private certificate being stolen, I believe this may be FUD (fear, uncertainty, doubt).

Here’s why…

(Be sure to read the updates at the end of this blog entry.)

About the Bug

The bug is called “Heartbleed” because it causes an uninitialized memory leak from the heartbeat function. The heartbeat was added in December 2011. (Here’s the link to the source code changes at GitHub.)

The actual vulnerability happens in a couple of areas. Just look in the source for a memory allocation followed by a memcpy. For example, in the file ssl/d1_both.c, there are a few lines that say:

    buf = OPENSSL_malloc(1 + 2 + payload + padding);
    p = buf;
    /* Message Type */
    *p++ = TLS1_HB_REQUEST;
    /* Payload length (18 bytes here) */
    s2n(payload, p);
    /* Sequence number */
    s2n(s->tlsext_hb_seq, p);
    /* 16 random bytes */
    RAND_pseudo_bytes(p, 16);

This code says to allocate some memory. The actual size is 3 bytes + the size of the payload + some padding. It then copies in 18 bytes of payload data and fills out the padding with random data. This code assumes that the payload will be 18 bytes and there will be an additional 16 bytes of random data. The problem is that the payload may be larger (up to 64K), causing almost 64K of memory to be uninitialized.
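The patched release (1.0.1g) rejects a heartbeat whose advertised payload length does not fit inside the record the server actually received. The model below is an added example written for this page, not OpenSSL code; the message layout and the type values follow RFC 6520, and os.urandom stands in for OpenSSL's padding generator.

```python
import os
import struct
from typing import Optional

HB_REQUEST, HB_RESPONSE = 1, 2   # HeartbeatMessageType values from RFC 6520
MIN_PADDING = 16                 # RFC 6520: padding is at least 16 bytes


def encode_heartbeat(hbtype: int, payload: bytes,
                     claimed_length: Optional[int] = None) -> bytes:
    """Serialise a heartbeat message: type (1 byte), payload_length (2 bytes,
    big-endian), payload, 16 bytes of random padding. `claimed_length` lets a
    regression test advertise a payload length that does not match the bytes
    actually sent, which is the malformed shape the server-side check rejects."""
    length = len(payload) if claimed_length is None else claimed_length
    return struct.pack('>BH', hbtype, length) + payload + os.urandom(MIN_PADDING)


def process_heartbeat(record: bytes) -> Optional[bytes]:
    """Server side (model of the patched logic). Returns the response message,
    or None when the request is silently dropped. Both length checks are the
    ones the 1.0.1g patch added: the record must hold at least a header plus
    minimum padding, and the *claimed* payload length must fit inside the
    bytes that were really received."""
    if 1 + 2 + MIN_PADDING > len(record):
        return None
    hbtype, payload_len = struct.unpack_from('>BH', record, 0)
    if hbtype != HB_REQUEST:
        return None
    if 1 + 2 + payload_len + MIN_PADDING > len(record):
        return None   # without this check the copy below would run past the record
    payload = record[3:3 + payload_len]
    return encode_heartbeat(HB_RESPONSE, payload)


def response_matches(request_payload: bytes, response: Optional[bytes]) -> bool:
    """Client-side sanity check: the echoed payload must equal what was sent."""
    if response is None:
        return False
    hbtype, payload_len = struct.unpack_from('>BH', response, 0)
    return hbtype == HB_RESPONSE and response[3:3 + payload_len] == request_payload
```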

The concern is that the uninitialized memory may contain passwords, certificates, or other random data that may have been present in the computer’s memory. I think this concern is unfounded. In particular, OpenSSL is almost exclusively used on Linux, Mac OS X, and embedded systems. And these systems are not a concern when it comes to uninitialized memory leaks.

Test Time!

We can test what happens with uninitialized memory with a simple program:

    #include <stdlib.h>
    #include <stdio.h>

    int main()
    {
      unsigned char *Mem;
      int HasZero=1;
      int i;

      Mem = (unsigned char*)calloc(65536,1); /* allocate 64K and zero it out */
      /* Store values in the memory */
      for(i=0; i < 65536; i++)
        {
        Mem[i]= i&0xff; /* 0, 1, 2, ... 255, 0, 1, 2, ... */
        }
      /* Release the memory */
      free(Mem);
      /* Get new, uninitialized memory */
      Mem = (unsigned char*)malloc(65536);
      /* Does it contain my data? */
      for(i=0; i < 65536; i++)
        {
        if (Mem[i]!=0) { HasZero=0; }
        if ((Mem[i] != 0) && (Mem[i] != (i&0xff)))
          {
          printf("Different! at %i\n",i);
          break;
          }
        }
      if (i==65536) /* loop ran to completion: no difference found */
        {
        if (HasZero) printf("All Zero!\n");
        else printf("Same!\n");
        }
      free(Mem);
      return(0);
    }

This simple program allocates 64K of memory, initializes it, and then frees it. It then allocates an uninitialized memory block of 64K and checks to see if it contains the previous data. If the memory contains my own previous data, then it will print “Same!”, but if the memory is different then it will identify where the difference is located.

What actually happens depends on how your computer performs memory management. On Linux, this program always prints “Same!” because Linux reuses the same memory. If I allocate memory and then free it, then my next memory allocation will try to use the same already-freed memory. With OpenSSL, it has already allocated, used, and freed prior to hitting the vulnerable code. The worst thing that you will see is data that you have already seen. If there is a password, then it is because you already supplied it earlier. And if there is a certificate, then it is the certificate that you are already using.

On Mac OS X, this memory test program prints “All Zero!” because gcc on my Mac always initializes memory to zero. This means that my Mac will never leak passwords or certificates. By always zeroing memory, it removes any risk of an uninitialized memory leak from any program (not just OpenSSL).

With most big web sites, each thread is given its own memory allocation. So you should not see dirty memory between threads.

The embedded systems that I have played with all use the same “reuse” memory management seen with Linux. So I do not expect any risk there.

The only risks may come from some embedded devices that intermix memory streams. (I’m not aware of any off-hand, so let’s keep this theoretical.) In theory, two simultaneous SSL connections may call the same OpenSSL library instantiation on an embedded device. Let’s assume that the memory from one thread can be dirtied and reused by a different thread. Then we would have a big vulnerability. However, embedded devices are typically small — they have wimpy CPUs and limited memory. These devices are not going to handle thousands of simultaneous users and it isn’t going to store millions of passwords. Most likely, the person connecting is only going to see data from their own session.

There is a presentation from Jake Williams where his slides identify leaked information. However, I believe that the leaked information that he is seeing is his own session information. Yes, it should not be there. However, it does not compromise anyone except himself.

Two Years

The vulnerable OpenSSL code has been around for about two years. It was introduced in December 2011 and began to be distributed in March 2012. However, it was not widely adopted until after the first year. The question is not “did the vulnerability exist?” Rather, the question should be “has anyone known about it?”

As we have seen with the Target credit card compromise: if bad guys know about an exploit, then they will use it. If Heartbleed was being used to steal passwords for the last two years, then someone would have noticed it long before now. For example, someone would be asking why thousands of Gmail, Amazon, or other accounts have been compromised recently. Since there has been no massive compromise at any vulnerable sites, we can safely assume that nobody was using the exploit.

Detecting Vulnerable Sites

Since Heartbleed was announced, there have also been a few scripts that people can use to test whether sites are vulnerable to the uninitialized memory leak. However, I’ve found a different problem with those scripts…

I run a couple of sites that have OpenSSL with Apache web servers. The sites with default install scripts were correctly detected as either vulnerable or not vulnerable. However, my FotoForensics site was reporting “No SSL”, even though it definitely does run SSL. (WTF!)

I went line by line through my site’s configuration file until I found the cause. I have a line that says “SSLVerifyClient optional”. This is because my site optionally permits client-side certificates (for strong SSL security). The default configuration sets SSLVerifyClient to “None” (no client-certificate support). Setting this option to “optional” or “required” changes the SSL header just enough to cause the vulnerability scanners to fail to identify whether you are vulnerable.

This Apache configuration change does not stop the vulnerability. However, it does stop kiddiez with public scanner scripts from detecting the vulnerability. This is security-by-obscurity, but it will probably buy you a couple of days for patching your system. (And no, FotoForensics is not vulnerable. Thanks for asking.)

Wait… Panic!

I’ve seen lists of web sites that are vulnerable to Heartbleed. However, I have looked over the source code. I do not believe that the exploit poses a significant risk to arbitrary accounts. Changing passwords is always good advice. However, I do not believe that this is an exploit worthy of the current media hype.

If anyone has a proof-of-concept that shows actual theft of sensitive information (passwords or private certificates) from other users (not stealing from yourself), then please correct me! I don’t mind saying that I’m wrong when I’m wrong.

Update: I have managed to reproduce (one time) the private key leak. However, as far as I can tell, this exploit requires rebooting the server first! The server boots, loads the text certificate, decodes it to binary, and frees the text memory. The decoded cert is held in memory, so it is active memory (not free — no risk of exploit). However, the text certificate does get freed at the very beginning. This means an attacker has a very narrow window to request that uninitialized memory before it gets overwritten by some other malloc call. If your server has been up and running and in use and not “just rebooted”, then there is no risk of a certificate theft since the memory has been overwritten by other data. And even with a reboot, the attacker must be looking for it before someone else comes through with a regular SSL connection. So, yes, the private certificate can be leaked. However, there is such a narrow window for the exploit that it strikes me as a low risk.

Update 2014-04-11: CloudFlare has a wonderful technical write-up of the issue. They reach many of the same conclusions: (1) the exploit is platform-specific (both operating system and web server), so your risk will vary. And (2) the likelihood of losing the private certificate is extremely low (they say “may in fact be impossible”). However, they do point out that, with many common system architectures, it may be possible to retrieve user information from other connections. This means that I am understating the overall risk, but the media is still significantly overstating the risk. I am leaving the rest of my blog entry unmodified.

TorrentFreak: European ISPs Can Stop Logging User Data, Court Rules

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

In a landmark ruling, the European Court of Justice has declared Europe’s Data Retention directive to be a violation of Internet users’ privacy.

Under the Directive Internet providers and other telecom companies were required to log and store vast amounts of information, including who their subscribers communicate with, and what IP-addresses they use.

The local authorities could then use this information to fight serious crimes, but it has also been frequently used by third parties, in online piracy cases for example.

Today the Court ruled that the data collection requirements are disproportionate. In a case started by Digital Rights Ireland the Court effectively annulled the directive, and it’s now up to the individual member states to change local laws accordingly.

“The Court is of the opinion that, by adopting the Data Retention Directive, the EU legislature has exceeded the limits imposed by compliance with the principle of proportionality,” the Court states.

“By requiring the retention of those data and by allowing the competent national authorities to access those data, the directive interferes in a particularly serious manner with the fundamental rights to respect for private life and to the protection of personal data,” it adds.

The judgement has far-reaching implications for large telecom companies, but also for smaller businesses including many VPN providers. With the new ruling these companies are no longer required to log the extensive amounts of user data that the EU Directive demanded.

While many ISPs are waiting to see what local Governments decide, the Swedish provider Bahnhof immediately announced that it would wipe all subscriber data it stored.

“Bahnhof stops all data storage with immediate effect. In addition, we will delete the information that was already saved,” Bahnhof CEO Jon Karlung says.

There’s also resistance against the Court decision. The Dutch Minister of Justice Fred Teeven, for example, wants local ISPs to continue storing user data for law enforcement purposes.

The European Court of Justice judgement is a clear victory for privacy activists, but mostly for the public who will regain some of their online privacy. While the ruling specified that some data retention may be needed, broad and mandatory retention laws and NSA-style data dragnets are no longer the standard.


Schneier on Security: Mass Surveillance by Eavesdropping on Web Cookies

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

Interesting research:

Abstract: We investigate the ability of a passive network observer to leverage third-party HTTP tracking cookies for mass surveillance. If two web pages embed the same tracker which emits a unique pseudonymous identifier, then the adversary can link visits to those pages from the same user (browser instance) even if the user’s IP address varies. Using simulated browsing profiles, we cluster network traffic by transitively linking shared unique cookies and estimate that for typical users over 90% of web sites with embedded trackers are located in a single connected component. Furthermore, almost half of the most popular web pages will leak a logged-in user’s real-world identity to an eavesdropper in unencrypted traffic. Together, these provide a novel method to link an identified individual to a large fraction of her entire web history. We discuss the privacy consequences of this attack and suggest mitigation strategies.

Blog post.

Schneier on Security: Ephemeral Apps

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

Ephemeral messaging apps such as Snapchat, Wickr and Frankly, all of which advertise that your photo, message or update will only be accessible for a short period, are on the rise. Snapchat and Frankly, for example, claim they permanently delete messages, photos and videos after 10 seconds. After that, there’s no record.

This notion is especially popular with young people, and these apps are an antidote to sites such as Facebook where everything you post lasts forever unless you take it down—and taking it down is no guarantee that it isn’t still available.

These ephemeral apps are the first concerted push against the permanence of Internet conversation. We started losing ephemeral conversation when computers began to mediate our communications. Computers naturally produce conversation records, and that data was often saved and archived.

The powerful and famous — from Oliver North back in 1987 to Anthony Weiner in 2011 — have been brought down by e-mails, texts, tweets and posts they thought private. Lots of us have been embroiled in more personal embarrassments resulting from things we’ve said either being saved for too long or shared too widely.

People have reacted to this permanent nature of Internet communications in ad hoc ways. We’ve deleted our stuff where possible and asked others not to forward our writings without permission. “Wall scrubbing” is the term used to describe the deletion of Facebook posts.

Sociologist danah boyd has written about teens who systematically delete every post they make on Facebook soon after they make it. Apps such as Wickr just automate the process. And it turns out there’s a huge market in that.

Ephemeral conversation is easy to promise but hard to get right. In 2013, researchers discovered that Snapchat doesn’t delete images as advertised; it merely changes their names so they’re not easy to see. Whether this is a problem for users depends on how technically savvy their adversaries are, but it illustrates the difficulty of making instant deletion actually work.

The problem is that these new “ephemeral” conversations aren’t really ephemeral the way a face-to-face unrecorded conversation would be. They’re not ephemeral like a conversation during a walk in a deserted woods used to be before the invention of cell phones and GPS receivers.

At best, the data is recorded, used, saved and then deliberately deleted. At worst, the ephemeral nature is faked. While the apps make the posts, texts or messages unavailable to users quickly, they probably don’t erase them off their systems immediately. They certainly don’t erase them from their backup tapes, if they end up there.

The companies offering these apps might very well analyze their content and make that information available to advertisers. We don’t know how much metadata is saved. In SnapChat, users can see the metadata even though they can’t see the content and what it’s used for. And if the government demanded copies of those conversations — either through a secret NSA demand or a more normal legal process involving an employer or school — the companies would have no choice but to hand them over.

Even worse, if the FBI or NSA demanded that American companies secretly store those conversations and not tell their users, breaking their promise of deletion, the companies would have no choice but to comply.

That last bit isn’t just paranoia.

We know the U.S. government has done this to companies large and small. Lavabit was a small secure e-mail service, with an encryption system designed so that even the company had no access to users’ e-mail. Last year, the NSA presented it with a secret court order demanding that it turn over its master key, thereby compromising the security of every user. Lavabit shut down its service rather than comply, but that option isn’t feasible for larger companies. In 2011, Microsoft made some still-unknown changes to Skype to make NSA eavesdropping easier, but the security promises they advertised didn’t change.

This is one of the reasons President Barack Obama’s announcement that he will end one particular NSA collection program under one particular legal authority barely begins to solve the problem: the surveillance state is so robust that anything other than a major overhaul won’t make a difference.

Of course, the typical Snapchat user doesn’t care whether the U.S. government is monitoring his conversations. He’s more concerned about his high school friends and his parents. But if these platforms are insecure, it’s not just the NSA that one should worry about.

Dissidents in the Ukraine and elsewhere need security, and if they rely on ephemeral apps, they need to know that their own governments aren’t saving copies of their chats. And even U.S. high school students need to know that their photos won’t be surreptitiously saved and used against them years later.

The need for ephemeral conversation isn’t some weird privacy fetish or the exclusive purview of criminals with something to hide. It represents a basic need for human privacy, and something every one of us had as a matter of course before the invention of microphones and recording devices.

We need ephemeral apps, but we need credible assurances from the companies that they are actually secure and credible assurances from the government that they won’t be subverted.

This essay previously appeared on

The Hacker Factor Blog: Locating Pictures

This post was syndicated from: The Hacker Factor Blog and was written by: The Hacker Factor Blog. Original post: at The Hacker Factor Blog

There’s a question that I often receive regarding photos: Where was this picture taken? Basically, they have a photo and want to identify the location. This comes up in legal cases, media requests, and just odd photos found online. (With news outlets, they usually follow it up with “and when was it taken?”) Tracking a photo to a location is usually a very difficult problem. Unfortunately, there are no generic or automated solutions.

However, just because it is a hard problem does not mean it is impossible. (Sometimes it is impossible, but not always.) Usually it just takes time and a dedication to tracking down clues.

The easy way

When people think about identifying where a photo was taken, they immediately think about embedded GPS coordinates. And the truth is, if GPS information exists in the picture’s metadata, then that is a great place to begin.

Unfortunately, very very very few pictures contain GPS information. At FotoForensics, we’re getting close to a half-million unique picture uploads, and only about 1% of them contain GPS metadata. There are reasons that GPS information is so hard to find:

  • Unavailable. GPS data is almost exclusively associated with smartphones. Very few point-and-shoot cameras have built-in GPS.

  • Disabled. For devices with GPS chips, there is usually an option to disable geo-stamping photos. Some devices default to “off” and are never turned on, while others may default to “on” but have users intentionally turn it off. There’s also the GPS system itself; lots of people turn off GPS on their smartphones because it will drain your battery. If your phone’s GPS is disabled then your camera will not include GPS information in the picture.

    There are other ways for a device to geolocate without using GPS. Some smartphones can get a rough estimate using nearby wireless access point identifiers (SSIDs) or by finding nearby cell towers. But to the camera’s function that looks up GPS information, this is all the same. If your device cannot geolocate then there will not be a location recorded with the picture.

  • Stripped. Processing a picture with a graphics program, or uploading it to an online service like Facebook or Twitter, can (and usually will) alter or remove metadata. This includes removing GPS information. Even if the data was there at the beginning, it is not there anymore.

Of course, even if the GPS information is present, it does not mean it is accurate. I’m sure that people with smartphones have noticed the accuracy issue. When you first turn on the mapping program, it will draw a huge circle on the map. The circle may span a couple of miles. It does not mean that you are in the center of the circle; it’s indicating that you are “somewhere” in that circle — you could be near the center or somewhere along the edge. After a few minutes, the device has time to synchronize and better narrow down the region — denoted with a smaller circle. Eventually it may become a dot that identifies your location to within a few feet.

With GPS metadata, there are fields for location and accuracy. Unfortunately, most mobile devices only fill out the location data and not the accuracy information. This means that the extremely precise GPS location stored in the metadata may be off by a mile. Even if the GPS location pinpoints a house, you cannot be certain that the photo was taken in that house — it could have been captured a half-mile away.
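To see this for yourself, the following is an added example (not from the post) that pulls the GPS coordinate and the GPSHPositioningError accuracy field out of a JPEG’s EXIF APP1 segment using only the standard library. It runs against a constructed JPEG whose coordinate and accuracy value are made up, so you can watch a photo report a precise position with no accuracy estimate at all.

```python
import struct

TAG_GPS_IFD = 0x8825                       # IFD0 pointer to the GPS sub-IFD
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 0x0001, 0x0002, 0x0003, 0x0004
GPS_H_POS_ERROR = 0x001F                   # GPSHPositioningError (EXIF 2.3), metres
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1}  # BYTE, ASCII, SHORT, LONG, RATIONAL, UNDEFINED


def read_ifd(tiff, offset, e):
    """Decode the IFD at `offset` into {tag: value}; `e` is '<' or '>' byte order."""
    count, = struct.unpack_from(e + 'H', tiff, offset)
    entries = {}
    for i in range(count):
        pos = offset + 2 + 12 * i
        tag, typ, n = struct.unpack_from(e + 'HHI', tiff, pos)
        size = TYPE_SIZES[typ] * n
        vpos = pos + 8                      # value is stored inline if it fits in 4 bytes
        if size > 4:
            vpos, = struct.unpack_from(e + 'I', tiff, vpos)
        raw = tiff[vpos:vpos + size]
        if typ == 2:
            entries[tag] = raw.split(b'\0', 1)[0].decode('ascii')
        elif typ in (3, 4):
            entries[tag] = struct.unpack(e + ('H' if typ == 3 else 'I') * n, raw)
        elif typ == 5:
            nums = struct.unpack(e + 'I' * (2 * n), raw)
            entries[tag] = tuple(nums[j] / nums[j + 1] for j in range(0, 2 * n, 2))
        else:
            entries[tag] = raw
    return entries


def exif_from_jpeg(data):
    """Return the TIFF-structured payload of the first APP1 'Exif' segment, or None."""
    if data[:2] != b'\xff\xd8':
        raise ValueError('not a JPEG')
    pos = 2
    while pos + 4 <= len(data):
        marker, length = struct.unpack_from('>HH', data, pos)
        if marker == 0xFFE1 and data[pos + 4:pos + 10] == b'Exif\0\0':
            return data[pos + 10:pos + 2 + length]
        if marker in (0xFFDA, 0xFFD9):      # start of scan / end of image: no EXIF ahead
            return None
        pos += 2 + length
    return None


def gps_from_exif(tiff):
    """Return {'lat', 'lon', 'accuracy_m'} (accuracy_m is None when the device
    did not record it), or None when there is no GPS IFD or no coordinate pair."""
    e = '<' if tiff[:2] == b'II' else '>'
    ifd0_off, = struct.unpack_from(e + 'I', tiff, 4)
    ifd0 = read_ifd(tiff, ifd0_off, e)
    if TAG_GPS_IFD not in ifd0:
        return None
    gps = read_ifd(tiff, ifd0[TAG_GPS_IFD][0], e)
    if GPS_LAT not in gps or GPS_LON not in gps:
        return None

    def to_degrees(dms, ref):
        value = dms[0] + dms[1] / 60 + dms[2] / 3600
        return -value if ref in ('S', 'W') else value

    acc = gps.get(GPS_H_POS_ERROR)
    return {'lat': to_degrees(gps[GPS_LAT], gps.get(GPS_LAT_REF, 'N')),
            'lon': to_degrees(gps[GPS_LON], gps.get(GPS_LON_REF, 'E')),
            'accuracy_m': acc[0] if acc else None}


def build_sample_jpeg(with_accuracy):
    """Constructed test input: SOI, one APP1 Exif segment (IFD0 -> GPS IFD), EOI.
    The coordinate (48 deg 51' 30\" N, 2 deg 17' 40\" E) and the 65 m accuracy are made up."""
    e = '<'
    entries = [(GPS_LAT_REF, 2, 2, b'N\0\0\0'), (GPS_LAT, 5, 3, None),
               (GPS_LON_REF, 2, 2, b'E\0\0\0'), (GPS_LON, 5, 3, None)]
    if with_accuracy:
        entries.append((GPS_H_POS_ERROR, 5, 1, None))
    rationals = {GPS_LAT: (48, 1, 51, 1, 30, 1), GPS_LON: (2, 1, 17, 1, 40, 1),
                 GPS_H_POS_ERROR: (65, 1)}
    gps_off = 8 + 2 + 12 + 4                # TIFF header, then IFD0 with one entry
    data_off = gps_off + 2 + 12 * len(entries) + 4
    gps_ifd, blob = struct.pack(e + 'H', len(entries)), b''
    for tag, typ, n, inline in entries:
        if inline is not None:
            gps_ifd += struct.pack(e + 'HHI', tag, typ, n) + inline
        else:
            gps_ifd += struct.pack(e + 'HHII', tag, typ, n, data_off + len(blob))
            blob += struct.pack(e + 'I' * len(rationals[tag]), *rationals[tag])
    gps_ifd += struct.pack(e + 'I', 0)      # no next IFD
    ifd0 = (struct.pack(e + 'H', 1) + struct.pack(e + 'HHII', TAG_GPS_IFD, 4, 1, gps_off)
            + struct.pack(e + 'I', 0))
    app1 = b'Exif\0\0' + b'II*\0' + struct.pack(e + 'I', 8) + ifd0 + gps_ifd + blob
    return b'\xff\xd8\xff\xe1' + struct.pack('>H', len(app1) + 2) + app1 + b'\xff\xd9'
```

Run gps_from_exif(exif_from_jpeg(open(path, 'rb').read())) on a real file to see whether accuracy_m comes back as None, which is the common case the text describes.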

Another place to look is in metadata annotations. If the picture came from a media outlet, then there’s probably metadata that identifies “where” the photo was taken, even if it is just a city name. Unfortunately, most online news sites resave images prior to publishing, and that can strip out these annotations.

Looking Closer

GPS information and annotations in metadata are nice when they exist. Unfortunately, they may not exist. And even if they are present, they may still not be very accurate or reliable. That means geolocating a photo must rely on the photo’s content. There are different clues in the photo’s content that may help identify the location. Some of these may be very precise (geolocation) while others may help you narrow down a region (geo-fencing), country, or at least rule out some parts of the world.

The easiest photos are the ones with unique and notable landmarks: statues, distinct buildings, street signs… Even photos of mountain ranges or generic streets may be enough to find the location. If the camera was fairly close to the subject, then you can probably identify the photographer’s position to within a few feet. A long distance shot may narrow it down to an area.

For very notable objects, such as scenic views, distinct statues, or elements seen at tourist stops, you may be able to find the location by uploading the picture to TinEye or Google Image Search. If other people have photographed the same object from about the same position, then these image search engines may be able to identify other photos from the same spot.

In my opinion, TinEye is better at finding similar photos, but Google may annotate the search results with a text name or description. In either case, you will probably need to visit the resulting web pages in order to see if any page mentions where the photographer was located. (Knowing that the photo’s content shows “New York City” is not the same as geolocating a photographer who was standing at the foot of the Statue of Liberty.)

Different cities and countries have different building styles. If you can identify the style, then you may be able to identify where the photo was taken. There have been a few advances in this research area (for example, PDF). Unfortunately, as far as I know, there are no public image search engines that do this type of matching.

Usually, you just happen to find someone who recognizes the style and can help narrow down a location. (That’s one of the benefits of turning a photo over to a large social group like Reddit — there is likely someone who will recognize something.) However, even this can be somewhat inaccurate. For example, neighboring countries (e.g., Poland and Germany) can have similar architectural styles. In California, there’s a city called Solvang that looks like Denmark. Most American cities have a “Chinatown” that uses Chinese architecture, and China has rebuilt cities from countries like France and Italy.

If you cannot identify a city or a country, then you can probably still identify regions to exclude. For example, do you see any text in the photo? If the street signs are only in English, then you are probably not looking at any Asian, African, or Middle Eastern countries. (Non-English speaking countries either do not use English letters or include multiple languages on the signs.)

Currency can be another great clue. If I see Mexican pesos, then I’m thinking Mexico. Sure, it could be a Spanish-language classroom in the United States, but then other clues would tip you off that it’s a classroom. (Like maybe, desks?) It could also be someone from Mexico who lives in Canada and has decorated his home with trinkets from his homeland. But unless you have a reason to suspect another country, a best-guess is to use what you see. If everything looks like Mexico, then it’s probably Mexico.

Exclusion cannot tell you where a photo was taken. However, it can help identify where the photo was not taken. (Photo showing a tropical beach? It’s probably not the South Pole or Northern Europe.)

Picture Time!

To give you an example of geolocation, consider this photo that was recently trending at FotoForensics:

My question is: where was this photo taken? Or more specifically, where was the photographer standing and what direction was the photographer facing?

Sure, you could go to the forum where the picture was being discussed and the city is identified, but let’s assume that you do not have that information. (And anyway, the forum does not tell you the exact location where the photographer was standing or the direction the camera is facing.) In real life, you may have nothing more than a photo; assume that you just have this photo and nothing else. Also, let’s assume that you are like me and you do not know the area and do not recognize the street.

Here’s how I walked through it to identify the location (your approach may be different):

  1. Metadata. First, let’s go for the easy clues and start with the metadata. Maybe we will get lucky and find GPS coordinates or a textual description. Unfortunately, this picture has no informative metadata. (It’s been stripped, but it was still worth the time to look.)
  2. Search. Using TinEye and Google Image Search turned up no useful results.
  3. License Plates. Someday I hope to have a database of license plate formats (colors, layouts, etc.), but I do not have that today. However, I know that long, rectangular, and yellow (with or without the blue strip on the left) is European. So I can immediately rule out Africa, Asia, Australia, North America, and South America. (While the cars could have been shipped to another country, we go with what is most likely.)
  4. English. All of the text is in English. European and English-only? That’s an island like England, Ireland, or Scotland. It’s not the European mainland. (This is geo-fencing — narrowing down a location to a region or area.)
  5. Bank. Now I can start looking up text. I see an HSBC ATM machine. I know that HSBC is a bank and it’s found in the British Isles. (While HSBC is found in lots of other countries, it does not exclude my current geo-fenced area.)
  6. Store. I do not know what “Waitrose” is, but I can type the word into Google. It turns out, Waitrose is a grocery store in England. That narrows down my search to one of about 300 locations. (I know, 300 seems like a lot, but it’s smaller than “anywhere in the world.”)
  7. Web. The Waitrose corporate website allows you to select a branch. (There are 339 of them right now.) Each branch contains a small picture of the location. Non-programmers will need to go one-by-one and look at each picture. Fortunately, I’m a programmer. It took me a few minutes to write a small script to harvest all of their store pictures. I thought I would use these thumbnail images to rule out locations. (No red brick. No black awning. Not on a corner…) Instead, I got lucky:

    The green advertisement on the wall in the photo is blue in the thumbnail, and the HSBC ATM is missing, but it’s the same location. According to their corporate headquarters, this is Waitrose Wilmslow.

  8. Address. Unfortunately, the corporate web site does not provide a numerical street address or GPS location. All they say is: “Church Street, Wilmslow, Cheshire, SK9 1AY”. (Not being from England, this looks to me like a description and not a mailing address.) Fortunately, I can type this into Google Maps and find the street. Using Google Street View, I can find the address: 4 Church Street, Wilmslow, England, UK.

    The street view shows me the exact location. The photographer had to be standing in the street, facing North. (Not where the mouse has highlighted the road — the photographer was standing a little to the right.) Even if he was using a telephoto lens, he would still need to be somewhere down the street, facing North.

Now we have answered the questions. We know where the photographer was standing and the direction the camera was facing.

Digging Deeper

Armed with this information, there are a few other things I can now tell about this photo. For example, the Google Street View shows that there are cameras everywhere. You can even see one in the photo above the “Waitrose” sign. If this photo was showing a crime, then there are cameras that recorded the photographer.

Looking at the shadows, we can see that they fall to the North (toward the store) and not to the left or right. So this was likely taken in the middle of the day. And is that the photographer reflected in the car’s mirror?

The corporate web site’s thumbnail was timestamped November 2010 and it lacked the ATM. The Google Street View is timestamped (lower-left) September 2012 and it shows the ATM. So sometime between November 2010 and September 2012, the ATM was installed. This means that the photo was taken sometime after November 2010. If I contacted Waitrose, then I suspect we could narrow down the date based on the advertisements that are visible. While we probably would not find the exact date, I believe that we could narrow it down to a month or less. Together with the camera information (assuming at least one camera on the street still has the pictures available), we can even identify the exact moment — and possibly even watch the photographer come and go.

With Google Street View, we can even tell a little more about the building. For example, watching the building while moving down the street permits us to see the framed advertisement change. It is a scrolling billboard. The green advertisement in the photo, the blue advertisement in the corporate thumbnail, and the picture seen in the Google Street View could all be part of the same scrolling ad series.

Using Bing’s street view of the same address (requires Internet Explorer), there is one image that shows part of the green banner scrolling into place. So it is part of the rotation cycle. Unfortunately, Bing doesn’t display any date information related to the street view. However, in the photo’s upper-left corner there is a yellow and black sign. This same sign is seen in the Google Street View, but it is not present in the Bing street view. If we knew when that black-and-yellow sign appeared, then we could further narrow down the date range.

(If we cheat, then we can look at the forum. The posting was made on 21-November-2013, so the date range is November 2010 to 21-November-2013. The person claims to have taken the photo “a few weeks ago”, so that would be October or early November 2013.)

Needles and Haystacks

The good news is that many pictures can be geolocated to a specific location. However, there is no generic or automated solution. Right now, every photo is a unique challenge, and some may be very time-consuming.

(And for the people who really want to know: I think the license plates are real. It’s hard to tell from the photo due to multiple resaves, but the UK permits people to look up the vehicles based on the plate and manufacturer. Both license plates exist and they match the vehicles.)

Schneier on Security: An Open Letter to IBM’s Open Letter

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

Last week, IBM published an “open letter” about “government access to data,” where it tried to assure its customers that it’s not handing everything over to the NSA. Unfortunately, the letter (quoted in part below) leaves open more questions than it answers.

At the outset, we think it is important for IBM to clearly state some simple facts:

  • IBM has not provided client data to the National Security Agency (NSA) or any other government agency under the program known as PRISM.
  • IBM has not provided client data to the NSA or any other government agency under any surveillance program involving the bulk collection of content or metadata.
  • IBM has not provided client data stored outside the United States to the U.S. government under a national security order, such as a FISA order or a National Security Letter.
  • IBM does not put “backdoors” in its products for the NSA or any other government agency, nor does IBM provide software source code or encryption keys to the NSA or any other government agency for the purpose of accessing client data.
  • IBM has and will continue to comply with the local laws, including data privacy laws, in all countries in which it operates.

To which I ask:

  • We know you haven’t provided data to the NSA under PRISM. It didn’t use that name with you. Even the NSA General Counsel said: “PRISM was an internal government term that as the result of leaks became the public term.” What program did you provide data to the NSA under?
  • It seems rather obvious that you haven’t provided the NSA with any data under a bulk collection surveillance program. You’re not Google; you don’t have bulk data to that extent. So why the caveat? And again, under what program did you provide data to the NSA?
  • Okay, so you say that you haven’t provided any data stored outside the US to the NSA under a national security order. Since those national security orders prohibit you from disclosing their existence, would you say anything different if you did receive them? And even if we believe this statement, it implies two questions. Why did you specifically not talk about data stored inside the US? And why did you specifically not talk about providing data under another sort of order?
  • Of course you don’t provide your source code to the NSA for the purpose of accessing client data. The NSA isn’t going to tell you that’s why it wants your source code. So, for what purposes did you provide your source code to the government? To get a contract? For audit purposes? For what?
  • Yes, we know you need to comply with all local laws, including US laws. That’s why we don’t trust you — the current secret interpretations of US law require you to screw your customers. I’d really rather you simply said that, and worked to change those laws, than pretending that you can convince us otherwise.

EDITED TO ADD (3/25): One more thing. This article says that you are “spending more than a billion dollars to build data centers overseas to reassure foreign customers that their information is safe from prying eyes in the United States government.” Do you not know that National Security Letters require you to turn over requested data, regardless of where in the world it is stored? Or do you just hope that your customers don’t realize that?

The Hacker Factor Blog: Phone calls with Brangelina

This post was syndicated from: The Hacker Factor Blog and was written by: The Hacker Factor Blog. Original post: at The Hacker Factor Blog

Lots of web sites give advice for stopping telemarketers. Some advice is good, but some is bad or just naive. For example, WiseGeek offers advice like “registered on any government sponsored ‘do not call’ list”. Virtually all of the calls that I receive don’t bother checking the no-call lists, and enrolling has done nothing to lower the volume of these undesirable calls. A few years ago, the FTC realized that the no-call lists are a complete failure and offered $50,000 to anyone who could come up with a solution.

In contrast, Erica Elson wrote some great tips over at LifeHacker: “I’m a Telemarketer. Here’s How to Get Rid of Me”. Most of her tips are very useful:

  • “Don’t immediately hang up the phone.” Telemarketers will view this as a non-response and call you back later.
  • “Don’t give up mid-conversation and hang up without an explanation.” Again, this is a non-response so they will try to call you again later.
  • “Don’t let the telemarketer call you back at another time.” That’s just inviting them to call you.
  • “Don’t get irrationally angry at the telemarketer.” I agree with this. They are used to rejection and will mark you for a call-back just out of spite.
  • “Don’t engage with the telemarketer in any way.” She says that this gives them a false hope, leading to more calls. This is good advice for most people. But personally, I disagree with this tactic.

In my experience, there are two types of telemarketers: honest and dishonest. For the honest ones, allow them to talk for a few seconds. If they pause, say something like, “I’m listening” or “Please continue”. Then at the next pause, say “Remove me from your calling list”. Not “Could you please remove me” or “I’d like to be removed”, but the more forceful “Remove me”. This way, they don’t have an optional way to interpret the request.

There’s a reason for letting them speak a little bit and not starting off the call with “Remove me…” Although they may be from a legitimate company (honest), that doesn’t mean they are not slimy. Some telemarketers hear the removal request coming and hang up before you can finish the sentence. If they don’t hear you say the full sentence then it doesn’t count. By letting them talk for a moment, it catches them off guard and guarantees that you will get the full sentence out. (They never expected you to say that out of the blue.)

For the dishonest ones, no amount of asking to be removed will make a difference. They’re not legitimate anyway.

Collecting Calls

At my office, there are two types of unsolicited phone calls that I receive often. I previously mentioned one of them: the fake IT support call. The other common calls are from people who want money to help me find more clients. For both of these types of calls, I usually try to find out who they are before playing along. I want their company name, address, and phone number. Inevitably, they will lie to me.

In my previous IT Support call example (MP3), he gave me a fake company name, fake phone number, and told me that his address “won’t be relevant” before he hung up. That was on February 2.

About a month later (March 18), I received another one of these calls (MP3). This guy was a horrible script reader — he clearly has a written paragraph that he used. Still, I pressed him for more information. Keep in mind, he’s a quiet talker and kept mumbling at the end of each sentence.

Q: “What is your name?”
A: “My name is Brad. Brad Willis[mumbled].”

Q: “What is your company?”
A: “Cyber Support. I told you at the beginning[mumbled].”

Good thing I record calls. He did not previously state his company’s name. A quick search for that company name turns up official scam warnings issued by Microsoft. There’s also a warning from Malwarebytes (one of the comments explicitly mentions “Cyber Support”) and other people had similar words of warning. Make no mistake: this is a scam. Real people who get this call should hang up by now.

Q: “What is your company’s phone number?”
A: “Company’s phone number? Right now, we are connected. I do believe we are connected and talking over the phone. Right? And you don’t have to worry about anything…”

This is a refusal to answer. A legitimate company will always give you a phone number. Since he doesn’t want to provide it, I pushed him again for this information.

Q: “No problem. What is your company’s phone number? Just in case we get disconnected and I need to call you back, or if I have problems in the future?”
A: “201-259-2658”

Area code 201 is New Jersey. The area code and prefix (201-259) is a Verizon cellphone based in New Brunswick, New Jersey. A search for the phone number turns up other people who reported receiving unsolicited “fix your computer” calls from this same number. One of the reports even claimed to speak to “Brad” a few days before he called me.

As with this review, I asked for more information:

Q: “And where are you located?”
A: “You said you wanted the number and I gave it to you. Now you want where we are located? We are located in New York City. Anything else? Any other information you want? You want me personal number?”
Q: “Sure!”
A: “You want my personal number??”
Q: “Sure! You offered! Yeah!”
A: “Okay. Note down the number I am giving you. 206-239-4603.”

He didn’t give me his company’s address, but he did give me another phone number. Area code 206 is Washington State and 206-239 is a Qwest landline phone in Seattle. I doubt that this is really his phone number.

After giving me his phone numbers, he hung up on me. A real company would not have hung up. This call was definitely a scam. Personally, I’m kind of disappointed that he hung up. Since I was playing with him, I was ready to have him fix my computer. (I was working from my Raspberry Pi and it always runs slow.)

*Ring* *Ring* Hello?

Every now and then I get calls that want to offer me government jobs. I didn’t start to get calls like this until I signed up with Dun & Bradstreet and the CAGE system back in 2010. Those two services have only led to spam and unsolicited phone calls — even though I selected every one of the “do not give out my information” options. In 2012, I explicitly tried to get removed from their lists. I know that I got removed from CAGE back in 2012 and earlier this month I think I finally got removed from Dun & Bradstreet. Yet, these unsolicited and undesirable calls keep coming…

A few days ago I received an unsolicited telephone call that asked me if I wanted to work directly with the government through a five-year no-bid contract. My “scam” radar immediately went off because the automated message never told me who was calling me.

The recording only wanted me to press “1” to work with the government and “2” to be added to a list. There were no other options… so I pressed “0”, hoping to speak to an operator. Instead, it just replayed the message. So I chose “1”.

The phone was quickly answered by someone named Angela. However, she mumbled her company name. “Federal Express Consulting”? “Fredricksberg Consulting”? Something like that. Entering variations of the name into Google did not identify any likely companies.

Anyway, Angela had trouble finishing sentences. She wanted “to reach the owner of… Hello?” but she didn’t name my company. In fact, she never asked who I was and she never validated that she had reached the correct number or office. Was she speaking with a decision maker or someone who just answered a ringing phone? Did she even know my company’s name?

Telemarketers follow a script. Fortunately for me, I also follow a script. My script basically says:

  1. If he/she did not identify their company in the first few seconds, then ask why they did not identify themselves. The FCC has requirements and one of them is that the caller must identify their name and company.
  2. Find out who they are: name, phone, and address. Other information is a bonus.
  3. Find out what they know about me. Do they know my name? My address? My company’s name? Do they know what my company does? I must not confirm anything about myself (including my name) and I must not provide them with hints. This deters them from cold-reading me and allows me to find out how they learned about me.
  4. Ask them about the no-call list. If they know my name or my telephone’s area code (area codes map to states), then they know what state and country I am in. There is a national do-not-call list and the Colorado no-call list. I’m registered with both of them. Telemarketers are legally required to consult with those lists before contacting me. (And if they checked with those lists, then they should never contact me.)
  5. Tell them to remove me from their calling lists.

My actual script is more like a decision tree. If they are taking a survey, if they sound nice, if they hesitate, etc. I have plenty of options. (As an aside: Does anyone know of any good, public system for flowcharting these decisions and options? I think having the tree public would make for a great open-source project.)

With Angela’s call, she sounded like a bored script reader. So, I followed the decision tree for aggressively handling the call. I may speak sternly, but I never yell and I never get mad. With this tactic, my questions are more important than hers, so I want her to answer every one of my questions before we move on to the next question. As a social engineering exercise, my goal is to keep her off balance by keeping her off the script. This increases the likelihood of her getting frustrated and telling me exactly what I want to know.

Q: “Why did your automated recording not identify your company name?”
A: “Uh… that’s… I would wonder about… It is a recorded message. I have to tell you the truth, and we’re calling regarding a five year GSA contract with the Federal government. And I can identify myself, which is [unclear]Fredricksburg consulting…” (back to the script)

Q: “Do you know where I am located?”
A: “As of this point, because you are right now an inbound call. Sir, our reception department has probably 50-60% of your company information in our system because you might qualify for GSA.” (back to the script)

How can I be an inbound call if they called me? That’s how telemarketers work. An automated system establishes the call and then you are connected to the next available drone. Anyway, she did not answer my question.

Q: “What company do you think you have called?”
A: “Uh… okay… I see a name: Kravitz. And I don’t know if you are a consulting firm as well or if you have products or if you. Okay, I know a little more, sir. You do IT services.”

At this point, it is clear that she doesn’t know my company name, doesn’t know what I do, and grossly overestimated that “50-60%” that she knows about my company. When enrolling with D&B and CCR/SAM, you have to provide a business category. For D&B, I had entered the code for “Other IT”. For CCR, I selected “OSHA SIC code: 7379 Computer Related Services, Not Elsewhere Classified”. The information that Angela provided strongly suggests that she is working on partial information provided by D&B.

I explicitly informed her that I do not do “IT Services”. I view IT Services as something akin to system administration. I try not to provide sysadmin services to anyone except myself and my father (and that’s only because I think it’s rude to hang up on my father).

Of course, Angela used this as an excuse to get back to her script:

Well then, I can tell you how that works, sir. Businesses work with us. We are the number one in the nation for awarding GSA contracts and what we can give you is of no harm. We can give you information in how to obtain a GSA contract. Information, if you qualify for GSA, which, the requirements would be your business… you would need to be a minimum two years in business. Your products and services.

This kind of reminds me of the movie The Truman Show. At one point in the movie, Truman (played by Jim Carrey) blurts out “Who are you talking to???” Angela says that businesses work with her company. But she also says that she doesn’t know if I’m a business or what I offer… So why is she still talking to me?

Also, that “minimum two years in business” sounds familiar. The calls from Dun & Bradstreet kept saying (incorrectly) that I had been in business for four years.

I thought Angela had gone on long enough, so I decided to ask more questions and take her off-script. (I like how she stutters every time she goes off-script.)

Q: “Are you aware that the number you have called is on the no-call list?”
A: “That I wouldn’t know, sir. And, uh, we we we’ve been called, we’ve been told that businesses, that you are a business, sir. You can be looked up in the yellow pages or I don’t know if you have a number that has been restricted. I don’t know.”

Angela, you just lied to me. My company isn’t listed in the yellow pages. And earlier you stated that you didn’t know if I was a business. In fact, you still haven’t told me my business’s name.

Q: “What is your company’s address?”
A: “Interest! To…”

She must have misheard me. She tried to go back on script!

Q: “Address. Street address.”
A: “Address. And why would you need our address, sir?”
Q: “So I would know who I am talking to.”
A: “Of course… The address is GSA Application Services, Tampa Road in Oldsmar, Florida.”

Bingo — this is why we keep her off-balance and stay off-script. Google finds this company name very quickly. The address is 4035 Tampa Road, Oldsmar, FL 34677. (Some records say that their address number is 4033, 3925, or 3875, but they are all on Tampa Road.) The company has two web sites, but neither returns anything (a blank page and a server not found). Also, the name “GSA Application Services” is not the same name that Angela gave me earlier (“Federal Express Consulting” or something like that). There’s a comment on about this company:

Run away. The Sprecher organization, to which this shell company belongs, has a history of felony embezzlement and fraud. Research this company carefully before you give them a dime. Check the other names they use, too. GSA 1000, GSA Preview, GSA Greenville, GSA Tampa, Federal Verification, Countryside Publishing. Check the Florida Attorney General’s website for a status on the AG’s investigation into the Sprecher organization for deceptive practices.

They have similar reviews at the Ripoff Report, Complaints Board, and with the Florida Better Business Bureau.

According to the various write-ups, this company will ask me for a few thousand dollars (non-refundable) and then fail to deliver a GSA contract. Of the many names that this company has gone by, the funniest is the Lewisburg Group. According to one person (who claimed to work at the company for a short duration), this name is funny because the company owner spent several years in Federal Prison at the Lewisburg Penitentiary.

This is explicitly why it is important to know exactly who is calling you. They sound helpful. They sound like something I might be interested in. But when you push them for their contact information, they turn out to be a scam.

However… we’re only half-way through this call. And I’m not done yet.

Q: “What is your company’s phone number?”
A: “My phone number is 502-410-2779 and my name is Angela.”

That phone number is for Louisville, Kentucky. Searches for this phone number turn up lots of complaints about telemarketers pushing government contracts.

Q: “You can remove me…”
A: “I can’t. I can’t.”
Q: “Remove me from your calling list.”
A: “Sir, stay on the line until I get your number completely. I show it is 970-282. Because as I said, we are sending out recorded messages to all small businesses. You have an option to say ‘I’m interested in government contracting’ and…”

Notice the delay tactic. She says I have to stay on the line while she reads my phone number to me. Then she reads a little bit of the number and goes back to the sales script. However, she explicitly said “970”. That means she knows I am in Colorado. (Area code 970 is only found in Colorado and the prefix 282 places me in Fort Collins.)

A: “I’m about to get the last four digits. And please verify your phone number, sir. I have 970-282..”
Q: “Why do I need to verify it? I’m the person who answered the phone.”
A: “Because I have not dialed out. You are one of 20 thousand business that we are calling today. I mean, how can I verify who you are right now? Unless you speak to me and verify your company information.”

I’m glad I recorded this. She tries to make me think that I called her, but that definitely is not the case. The laws regarding telemarketers are very clear about this: if the person who answers the phone requests to be removed, then the telemarketer must remove them. This is not a debate point.

At this point, I just want to keep her off script:

Q: “If you are in the United States then you should have run that number past the no-call list. I am listed.”
A: “Sir, you know why we are calling? US Federal Government uh GSA uh…”
Q: “I am not Federal Government.”
A: “But sir, you kind of putting words in my mouth. We are not outsource and we do not want to be outsourced. We want to help US American economy. If you want to be part of it. But right now I put your number down. 970-[redacted]. And sir, it sometimes takes 48 hours sometimes before we have purged out all these numbers. I appreciate your patience and I wish you a wonderful day.”

I like how she says “US American economy” with her thick foreign accent. She tries to make me feel guilty about not participating in the economy because I want to be removed from her calling list. And who was talking about outsourcing? I can only assume that she accidentally jumped to a different part of her script.

At this point, I’ve kept her off-script. However, that won’t be enough to keep them from calling me again. Time to put the fear of Gawd in her:

Q: “This call has been recorded and will be posted online.”
A: [long pause] “Sir, really. I mean, that makes no sense. You have not. And I tell you something right now. You did something unlawful. Because you have not told me that you recorded me. You are not at liberty to record me.”
Q: “Oh sure I am! I’m in Colorado. Colorado is a one [click] call state. Hello?”

I meant to say a “one party state”, but it doesn’t matter because she hung up on me before she could hear that. As she was arguing with me, you could hear the panic in her voice. (And you can probably hear the smile on my face.) And at the very end, you can hear her under my voice saying “Thank you for your time!” *click*

Let me make this abundantly clear for every telemarketer that calls me: I will record you. As stated in 18 U.S.C. §2511(2)(d), Federal law permits recording as long as at least one party on the phone is aware that the call is being recorded. Only 12 states override the Federal law and require full-consent. The remaining 38 states — including Colorado (where I and my recording device are located) — only need one party to consent. I am in Colorado, I am on the phone, and I consent to recording these unsolicited cold-calls.

Her reaction to being recorded brings up one other issue. Her company cold-called me with a business offer. Had she known that the call was being recorded, would she have given me the same sales pitch? I caught her in a couple of lies. Would she have still lied to me if she knew she was being recorded? (This goes toward those reviews that mentioned ‘deceptive business practices’.) Then again, I’ve had plenty of telemarketers hang up immediately when I say that the call is being recorded. A legitimate offer would never be concerned about being recorded.

Here’s the entire recorded phone call: MP3. The only thing I redacted was my own phone number (you’ll hear it as a warble sound). However, I left my area code (970) since that identifies a phone in Colorado.

The Hacker Factor Blog: Take it to the Street

This post was syndicated from: The Hacker Factor Blog and was written by: The Hacker Factor Blog. Original post: at The Hacker Factor Blog

My office has over a half-dozen telephone numbers. Landlines, cellphones, skype, VoIP, Google Voice, and more. I give out different phone numbers to different people. Family only uses one number. Business contacts use one of two numbers, and telemarketers universally use a different set of numbers that do not overlap with my real business contacts. I find it ironic that all of these numbers will make phones in my office ring, yet very few people ever call me.

One of the phone numbers is through Google Voice. So far, telemarketers won’t bother me on that number. In contrast, my direct office numbers receive lots of telemarketers. When the phone rings, I look at my web browser that is logged into Google. If they are calling the Google Voice number, then I answer it as a business call. If it comes from the business line (not via Google voice), then I turn on the recorder and prepare for a telemarketer…

Revisiting Dun and Bradstreet

Over the last two weeks I had a number of interesting phone calls. One was from a person calling from Dun & Bradstreet. D&B provides corporate credit ratings. The caller was a very pushy marketeer who wanted me to provide them with more personal information so they can give my business a credit rating.

Almost a year ago, I wrote about a similar phone call. This time, I recorded the call. I am really amazed that it is virtually the same as my previous write-up. There were a number of things about this phone call that rubbed me the wrong way:

  1. Not required. The telemarketer tried to tell me that a low credit rating would hurt my chances of getting a corporate loan or acquiring investors. However, he also pointed out that I did not have enough information on file for them to generate a credit rating. I didn’t see how having “no information” would damage my corporate credit.

    The truth is, there are no laws or regulations that require me to have a D&B corporate profile. A company looking me up may consult D&B, but will also check other sources. Having no record or an incomplete record at D&B will not hurt my business prospects. For example, there are plenty of companies that keep wanting to issue me credit on a business account or invest in my offerings, even though I have no credit rating from D&B.

  2. Required information. If my business credit rating is based on information that I provide about my company, then how does that make D&B a reliable third-party? They are just repeating to their clients whatever I tell them to repeat. If I wanted to game the system, I would only tell D&B good things about myself. That would lead to a strong credit rating.
  3. Accuracy. The telemarketer repeatedly emphasized that D&B verifies information. Yet, the little bit of information that they had about my company was grossly inaccurate. Moreover, it would be trivial to verify without consulting me. This makes me wonder: how are they verifying the information? If they require me to provide the data and the verification, then they are not verifying “my company’s credit”. And if they cannot verify something as simple as the year my company was founded, then I don’t have much faith in their credibility service.
  4. Removal. In 2010, I created a D&B account because it was needed to register with another service. After only receiving spam and telemarketer calls, I requested that they delete my account. Between 2010 and 2012, the account had accurate information. Sometime after my deletion request, the account was changed (by D&B) to only have a minimum amount of information. The guy on the phone explicitly told me that D&B will create an account for my company if someone asks them about my company… So they create an account for me, populate it with false information, and then pressure me to verify and validate so they can issue me a business credit rating. Since the information was incorrect and the account was undesirable, I asked him to delete the account — and he refused.

To me, this sounded like a scam and I tweeted about it on March 3rd.

The follow-up call…

After my tweet, things got kind of interesting… On March 7th, I received another call from D&B. This time, the woman on the phone wanted to talk to me about my tweet. She explicitly referenced it.

The nice lady wanted to know more about my previous phone call. She was friendly, polite, and apologetic. She made it clear that the previous caller was from “Dun and Bradstreet Credibility Corp”, which is not the same as “Dun and Bradstreet”. (Something about an external service to help fill out data. I still don’t understand the exact distinction between the two since Dun & Bradstreet Credibility Corp only exists as a web page on Dun & Bradstreet’s web site.)

To make a long story short, she said that the caller handled the situation poorly and they would remove my account from their systems. A few days later, I received another call from D&B verifying my request to be removed. As far as I know, my account has officially been removed.

Amazingly, nobody on any of these calls ever asked to validate that I am me. I’m just some guy who answered the phone. And since they never validated the person they were talking to, I still don’t think highly of their “verification” capabilities.

Although I recorded each of these calls, I will not release them publicly… unless someone representing D&B calls me again and asks about my corporate credit information.

However, I also recorded another call that came in shortly after the D&B saga. This other call is the kind of unsolicited business offering that made me want nothing to do with D&B and the government’s CCR/SAM system. I can directly trace the unsolicited call to either D&B or CCR/SAM based on the information that the telemarketer provided to me. (You needed a D&B account to get a CCR account and a CCR CAGE code to apply for government contracts. I never received a government contract, but I did receive a ton of spam, which is why I wanted out.) That unsolicited phone call will be my next blog entry.

TorrentFreak: Which VPN Services Take Your Anonymity Seriously? 2014 Edition

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

By now most Internet users are well aware of the fact that pretty much every step they take on the Internet is logged or monitored.

To prevent their IP-addresses from being visible to the rest of the Internet, millions of people have signed up to a VPN service. Using a VPN allows users to use the Internet anonymously and prevent snooping.

Unfortunately, not all VPN services are as anonymous as they claim.

Following a high-profile case of an individual using an ‘anonymous’ VPN service that turned out to be not so private, TorrentFreak decided to ask a selection of VPN services some tough questions.

By popular demand we now present the third iteration of our VPN services “logging” review. In addition to questions about logging policies we also asked VPN providers about their stance towards file-sharing traffic, and what they believe the most secure VPN is.

1. Do you keep ANY logs which would allow you to match an IP-address and a time stamp to a user of your service? If so, exactly what information do you hold and for how long?

2. Under what jurisdictions does your company operate and under what exact circumstances will you share the information you hold with a 3rd party?

3. What tools are used to monitor and mitigate abuse of your service?

4. In the event you receive a DMCA takedown notice or European equivalent, how are these handled?

5. What steps are taken when a valid court order requires your company to identify an active user of your service?

6. Is BitTorrent and other file-sharing traffic allowed on all servers? If not, why?

7. Which payment systems do you use and how are these linked to individual user accounts?

8. What is the most secure VPN connection and encryption algorithm you would recommend to your users?

What follows is the list of responses from the VPN services, in their own words. Providers who didn’t answer our questions directly or failed by logging everything were excluded. Please note, however, that several VPN companies listed here do log to some extent. The order of the lists holds no value.

Private Internet Access

1. We absolutely do not log any traffic nor session data of any kind, period. We have worked hard to meticulously fork all daemons that we utilize in order to achieve this functionality. It is definitely not an easy task, and we are very proud of our development team for helping Private Internet Access to achieve this unique ability.

2. We operate out of the US which is one of the few, if only, countries without a mandatory data retention law. We explored several other jurisdictions with the help of our professional legal team, and the US is still ideal for privacy-based VPN services.

We severely scrutinize the validity of any and all legal information requests. That being said, since we do not hold any traffic nor session data, we are unable to provide any information to any third-party. Our commitment and mission to preserve privacy is second to none.

3. We do not monitor any traffic, period. We block IPs/ports as needed to mitigate abuse when we receive a valid abuse notification.

4. We do not host any content and are therefore unable to remove any of said content. Additionally, our mission is to preserve and restore privacy on the Internet and society. As such, since we do not log or monitor anything, we’re unable to identify any users of our service.

5. Once again, we do not log any traffic or session data. Additionally, unlike the EU and many other countries, our users are protected by legal definition. For this reason, we’re unable to identify any user of our service. Lastly, consumer protection laws exist in the US, unlike many other countries. We must abide by our advertised privacy policy.

6. We do not discriminate against any kind of traffic/protocol on any of our servers, period. We believe in a free, open, and uncensored internet.

7. Bitcoin, Ripple, PayPal, Google Play (Mobile), OKPay, CashU, Amazon and any major Gift Card. We support plenty of anonymous payment methods. For this reason, the highest risk users should definitely use Bitcoin, Ripple or a major gift card with an anonymous e-mail account when subscribing to our privacy service.

8. We’re the only provider to date that provides a plethora of encryption cipher options. We recommend, mostly, using AES-128, SHA1 and RSA2048.

Private Internet Access website


1. We do not keep any logs whatsoever.

2. The jurisdiction is Canada. Since we do not have log files, we have no information to share. We do not communicate with any third parties. The only event in which we would even communicate with a third-party is if we received a court order. We would then be forced to notify them we have no information. This has not happened yet.

3. If serious abuse is reported we enable tcpdump to confirm the abuse and locate the user. These dumps are immediately removed. If the user is abusing our service they will be terminated permanently but we have never shared user information with a 3rd party.

4. We do not have any open incoming ports, so it’s not possible for us to “takedown” any broadcasting content.

5. We take every step within the law to fight such an order.

6. Yes, all types of traffic are allowed with our services.

7. We accept PayPal and Bitcoin. All payments are linked to users accounts because they have to be for disputes and refunds.

8. 256-bit AES is the most secure. However 128-bit blowfish is plenty good. If you’re concerned about surveillance agencies such as the NSA, their capabilities are shrouded in secrecy and claiming to be able to protect you is offering you nothing but speculation. As far as what’s publicly available for deciphering encryption, both of the encryptions I mentioned are more than sufficient.

BTGuard website


1. TorGuard does not store any IP address or time stamps on any VPN and proxy servers, not even for a second. Further, we do not store any logs or time stamps on user authentication servers connected to the VPN. In this way it is not even possible to match an external time stamp to a user that was simultaneously logged in. Because the VPN servers utilize a shared IP configuration, there can be hundreds of users sharing the same IP at any given moment further obfuscating the ability to single out any specific user on the network.

2. TorGuard is a privately owned company with parent ownership based in Nevis and our headquarters currently located in the US. Our legal representation at the moment is comfortable with the current corporate structuring however we wouldn’t hesitate to move all operations internationally should the ground shift beneath our feet. We now offer VPN access in 23+ countries worldwide and maintain all customer billing servers well outside US borders.

We would only be forced to communicate with a third-party in the event that our legal team received a court ordered subpoena to do so. This has yet to happen, however if it did we would proceed with complete transparency and further explain the nature of TorGuard’s shared VPN configuration. We have no logs to investigate, and thus no information to share.

3. Our network team uses commercial monitoring software with custom scripts to keep an eye on individual server load and service status/uptime so we can identify problems as fast as possible. If abuse reports are received from an upstream provider, we block it by employing various levels of filtering and global firewall rules to large clusters of servers. Instead of back tracing abuse by logging, our team mitigates things in real-time. We have a responsibility to provide fast, abuse-free VPN services for our clients and have perfected these methods over time.

4. In the event of receiving a DMCA notice, the request is immediately processed by our abuse team. Because it is impossible for us to locate which user on the server is actually responsible for the violation, we temporarily block the infringing server and apply global rules depending on the nature of the content and the server responsible. The system we use for filtering certain content is similar to keyword blocking but with much more accuracy. This ensures the content in question to no longer pass through the server and satisfies requirements from our bandwidth providers.

5. Due to the nature of shared VPN services and how our network is configured, it is not technically possible to effectively identify or single out one active user from a single IP address. If our legal department received a valid subpoena, we would proceed with complete transparency from day one. Our team is prepared to defend our client’s right to privacy to the fullest extent of the law.

6. BitTorrent is only allowed on select server locations. TorGuard now offers a variety of protocols like http/socks proxies, OpenVPN, SSH Tunnels, SSTP VPN and Stealth VPN (DPI Bypass), with each connection method serving a very specific purpose for usage. Since BitTorrent is largely bandwidth intensive, we do not encourage torrent usage on all servers. Locations that are optimized for torrent traffic include endpoints in: Canada, Netherlands, Iceland, Sweden, Romania, Russia and select servers in Hong Kong. This is a wide range of locations that works efficiently regardless of the continent you are trying to torrent from.

7. We currently accept payments through all forms of credit or debit card, PayPal, OKPAY, and Bitcoin. During checkout we may ask the user to verify a billing phone and address but this is simply to prevent credit card fraud, spammers, and keep the network running fast and clean. After payment it is possible to change this to something generic that offers more privacy. No VPN or Proxy usage can be linked back to a billing account due to the fact we hold absolutely no levels of logging on any one of our servers, not even timestamps!

8. For best security we advise clients to choose OpenVPN connections only, and if higher encryption is called for use AES256 bit. This option is available on many locations and offers excellent security without degrading performance. For those that are looking to defeat Deep Packet Inspection firewalls (DPI) like what is encountered in countries such as China or Iran, TorGuard offers “Stealth” VPN connections in the Netherlands, UK and Canada. Stealth connections feature OpenVPN obfuscation technology that causes VPN traffic to appear as regular connections, allowing VPN access even behind the most strict corporate wifi networks or government regulated ISPs.

TorGuard website

1. We do not log any information on our VPN servers. The only scenario is if a technical issue arises, but we request permission from the user first, and we only do it for the duration of the job, and then it is removed.

2. We are in the process of moving jurisdictions away from Australia at present as we are unsure what our current government plans to do in regards to our privacy. We have not decided where yet.

3. Only SMTP port 25 is filtered to mitigate spam, but we are working on some tools to make it easier for users to send mail.

4. Any DMCA request is ignored, as we have no logs to do anything about them.

5. Same as above, as we do not log, so we are unable to provide any information. If the law attempts to make us do such things, we will move our business to a location where that cannot occur, and if that fails we will close up shop before we provide any information.

6. All protocols are allowed with our service, with the only exception of SMTP port 25 currently being filtered.

7. At present we only accept PayPal and CC (processed by PayPal), but we are looking into alternative types of payments. We go out of our way to make sure that PayPal transactions are not linked to the users, we generate a unique key per transaction to verify payment for the account is made, and then nuke that unique key. Bitcoin and Litecoin are also on the agenda.

8. At present we offer 128 bit for PPTP and 256 bit for OpenVPN. We plan to offer stronger encryption for the security conscious.

website


1. No. We run a zero knowledge network and are unable to tie a user to an IP address.

2. United States, they don’t have data retention laws, despite their draconian surveillance programs. The only information we share with anyone is billing information to our payment gateway. This can be anonymized by using a pre-paid anonymous card. If asked to share specific data about our users and their habits, we would be unable to do so, because we don’t have any logs of that data.

3. That is mostly confidential information. However, we can assure our users that we do not use logging to achieve this goal.

4. In the event of a DMCA notice, we send out the DMCA policy published on our website. We haven’t yet received a VALID DMCA notice.

5. We exhaust all legal options to protect our users. Failing that, we would provide all of our logs, which do not actually exist. If required to wiretap a user under a National Security Letter, we have a passively triggered Warrant Canary. We would also likely choose to shut down our service and put it up elsewhere.

6. Yes. Those ports are all open, and we have no data caps.

7. We currently only take credit cards. Our payment provider is far more restrictive than we ever imagined they would be. We’re still trying to change payment providers. Fortunately, by using a pre-paid credit card, you can still have totally anonymous service from us.

8. A strong handshake (either RSA-4096+ or a non-standard elliptic curve as the NIST curves are suspect). A strong cipher such as AES-256-CBC or AES-256-GCM encryption (NOT EDE MODE). At least SHA1 for data integrity checks. SHA2 and the newly adopted SHA3 (Skein) hash functions are also fine, but slower and provide no real extra assurances of data integrity, and provide no further security beyond SHA1. The OpenVPN HMAC firewall option to harden the protocol against Man-in-the-Middle and Man-on-the-Side attacks.

VikingVPN website


1. IVPN’s top priority is the privacy of its customers. We use non-persistent logs (stored in memory) which are deleted after 10 minutes. That tiny window gives us the ability to troubleshoot connection issues, whilst still making it practically impossible for any 3rd party to match an IP to a time-stamp.

2. IVPN is incorporated in Malta. We would ignore any request to share data unless it was served by a legal authority with jurisdiction in Malta in which case we would inform them that we don’t have the data to share. If we were served a subpoena which compelled us to log traffic we would find a way to inform our customers and relocate to a new jurisdiction.

3. We use a tool called PSAD to mitigate attacks originating from customers on our network. We also use rate-limiting in iptables to mitigate SPAM.

4. We ensure that our network providers understand the nature of our business and that we do not host any content. As a condition of the safe harbor provisions they are required to inform us of each infringement which includes the date, title of the content and the IP address of the gateway through which it was downloaded. We simply respond to each notice confirming that we do not host the content in question.

5. Assuming the court order is requesting an identity based on a timestamp and IP, our legal department would respond that we don’t have any record of the user’s identity nor are we legally compelled to do so.

6. We ‘allow’ BitTorrent on all servers except gateways based in the USA. Our USA network providers are required to inform us of each copyright infringement and are required to process our response putting undue strain on their support resources (hundreds per day). For this reason providers won’t host our servers in the USA unless we take measures to mitigate P2P activity.

7. We currently accept Bitcoin, Cash and PayPal. No information relating to a customer’s payment account is stored with the exception of automated PayPal subscriptions where we are required to store the subscription ID in order to assign it to an invoice (only for the duration of the subscription after which it is deleted). Of course PayPal will always maintain a record that you have sent funds to IVPN but that is all they have. If you need to be anonymous to IVPN and don’t wish to be identified as a customer then we recommend using Bitcoin or cash.

8. We recommend and offer OpenVPN using the strongest AES-256 cipher. For key exchange and authentication 2048-bit RSA keys are used (which RSA claims are sufficient until 2030).

IVPN website


1. We don’t keep ANY logs that allow us or a 3rd party to match an IP address and a time stamp to a user of our service. The only thing we log are e-mails and user names but it’s not possible to bind an activity on the Internet to a user.

2. We operate in Swedish jurisdiction. Since we do not log any IP addresses we have nothing to disclose. Circumstances don’t matter in this case, we have no information regarding our customers’ IP addresses and activity on the Internet. Therefore we have no information to share with any 3rd party.

3. If there’s abuse, we advise that service to block our IP in the first instance, and second, we can block traffic to the abused service.

4. This depends on the country in which we’re receiving a DMCA takedown. For example, we’ve received a DMCA takedown for UK and Finland and our response was to close P2P traffic in those countries.

5. If we get a court order to monitor a specific IP then we need to do it, and this applies to every VPN company out there.

6. Yes, we allow Torrent traffic.

7. PayPal, Payson and Plimus. Every payment has an order number, which is linked to a user. Otherwise we wouldn’t know who has made a payment. To be clear, you can’t link a payment to an IP address you get from us.

8. OpenVPN TUN with AES-256. On top is a 2048-bit DH key.

PrivatVPN website


1. No. We do not log anything and we only require a working e-mail address to be a customer.

2. Swedish. We do not share information with anyone.

3. Not disclosed.

4. Put it in the trash where it belongs!

5. None, since we do not have any customer information and no logs.

6. We host anything as long as it’s not SPAM related or child porn.

7. Visa/Mastercard, Bitcoin, PayPal. No correlation between payment data and customer data.

8. We provide OpenVPN services (along with dedicated servers and other hosting services).

PRQ website


1. Absolutely not! We built tigerVPN to purge all data once the transmission of an IP package was completed successfully. It’s impossible to trace back any customer. On top of that we decided to use shared IPs in order to further randomize and anonymize our customers. The combination of having absolutely no logs at all and multiple customers per IP wipes our customers’ digital footprint.

2. We are a limited liability company in Slovakia. Slovakia does not have any data retention programs and furthermore encourages ISPs to protect their customers’ privacy on the net. We are not required to share any information with 3rd parties hence it would be illegal thanks to the law of telecom secrecy.

3. Since we don’t keep logs, we can’t monitor abusive behavior, which is the price for building a customer secure environment!

4. We can’t comply since we can’t identify customers, therefore it’s pointless to follow any requests. We have a specific folder for these eMails ;-)

5. Same as above. We seriously can’t tell which customer did what, when, where, at any given time.

6. It’s allowed on all servers although we gently ask our customers to use either Romania or Netherlands. Some infrastructure service providers do not want file sharing so it happened to us that we were asked to move our servers due to file sharing. We found some reliable partners in Romania and Netherlands which tolerate p2p so we kindly ask our customers to use these server parks.

7. Customers can pay with Visa, Mastercard and Debit. On top of that we also use PayPal. We use hash keys and tokens to identify a payment but it’s not logged or linked to the customer. We had to do this anyway hence we are a PCI Level 1 compliant merchant. Therefore we are not allowed to store any card or payment data with the records of our customers. These keys are pointless for anyone else so there is no chance to build a connection.

8. We offer PPTP, L2TP and OpenVPN, while out of nature OpenVPN comes with the highest encryption and algorithm. L2TP and OpenVPN are 256bit SSL encrypted while PPTP comes with a solid 128bit. Although our customers are individual and have their own sense of why and what to use, we recommend L2TP as solid protocol. It’s less geeky and more secure than PPTP, but our customers can pick any of them in all the 47 network nodes around the globe.

tigerVPN website


1. No. This would make both us and our users more vulnerable so we certainly don’t. To make it harder to watch the activities of an IP address from the outside we also have many users share each address, both for IPv4 and our upcoming IPv6 support.

2. Swedish jurisdiction. Under no circumstances will we share information with a third-party. First of all we take pains to not actually possess information that could be of interest to third parties, to the extent possible. In the end there is no practical way for the Swedish government to get information about our users from us.

3. We don’t monitor our users. In the rare cases of such egregious network abuse that we can’t help but notice (such as DoS attacks) we stop it using basic network tools.

4. There is no such Swedish law that is applicable to us.

5. We make sure not to store sensitive information that can be tied to publicly available information, so that we have nothing to give out. We believe it is not possible in Swedish law to construct a court order that would compel us to actually give out information about our users. Not that we would anyway. We started this service for political reasons and would rather discontinue it than having it work against its purpose.

6. Yes.

7. Bitcoin (we were the first service to accept it), cash (in the mail), bank transfers, and PayPal / credit cards. Payments are tied to accounts but accounts are just random numbers with no personal information attached that users can create at will. With the anonymous payments possible with cash and Bitcoin it can be anonymous all the way.

8. We use OpenVPN. We also provide PPTP because some people want it but we strongly recommend against it. Encryption algorithms and key lengths are important but often get way too much attention at the expense of other important but harder to measure things such as leaks and computer security.

Mullvad website

Source: TorrentFreak, for the latest info on copyright, file-sharing and anonymous VPN services.

Darknet - The Darkside: NSA Large Scale TURBINE Malware Also Target Sysadmins

This post was syndicated from: Darknet - The Darkside and was written by: Darknet. Original post: at Darknet - The Darkside

So more revelations coming out about the NSA from the latest batch of documents leaked by Edward Snowden. This time they detail a huge malware infection system created for widespread infections, it seems fairly advanced with the ability to spit out different types of malware depending on the target. Other than the TURBINE malware engine,…

Read the full post at

The Hacker Factor Blog: Making a Mint

This post was syndicated from: The Hacker Factor Blog and was written by: The Hacker Factor Blog. Original post: at The Hacker Factor Blog

I may be a techie, but I’m also a slow adopter of new technologies. I used OS/2 long after the rest of the world moved on. I didn’t get my first DVD player until they stopped making VCR tapes, and I still don’t have anything blu-ray. If it works, I use it. But I’ve been bitten too many times by brand new technologies that are buggy or surpassed by their competitors. For example, I do not install the latest-greatest patches until other people have installed them and the patches are known to not cause catastrophic failures. (If I criticize a company or industry for being too slow to adapt, then they have to be very slow to adapt.)

For the last few months, I have had a wide variety of people ask me about Bitcoin. What is it, how does it work, what are the risks. These questions have been coming in steadily since the end of last year — before the recent Bitcoin problems. I guess it took a while, but Bitcoin has finally hit mainstream and regular people want to know about it.

Shortly before the whole “Mt.Gox vanished” issue, I had been interrogated by two groups of people in the banking industry. They have had an increase in customer inquiries regarding Bitcoin. Each group asked me the same initial question: “What do you think about Bitcoin?” Each time, I gave them the same two-word answer: Stay away. Then I would follow it up with a detailed explanation. (One of the banks was so grateful for the discussion with me that they sent me a very nice thank-you card.)

How it works

For people who don’t know about Bitcoin, consider this a very superficial and high-level description. Bitcoin is a digital currency. There are no physical coins or paper money.

Bitcoin isn’t tied to “the gold standard” or any national currency. The price is based strictly on demand. As a result, the value can fluctuate wildly. But in my opinion, this really isn’t any different than the stock market. Stocks may fluctuate wildly based on nothing more than speculation and demand. I don’t view this as a reason to avoid Bitcoin.

(For people who get confused with my capitalization, I’m using ‘Bitcoin’ to refer to the concept and ‘bitcoin’ to reference an amount of currency.)

People can exchange bitcoins like money or trading cards. People can exchange bitcoins for goods or services. When all is said and done, you need some way to exchange bitcoins for a state-run currency. This controls the actual value. If you want to buy in, I will happily take your dollars and give you what we agree to be an equivalent amount in bitcoins. If you want to cash out, I can take your bitcoins and give you money. Since the value is based on demand, the exchange rate is really whatever someone thinks they can get.

Pieces of Eight

The next question is usually “how do people get bitcoins?” There are really two ways: buy them or mine them. (People can also ask for donations. But I’m ignoring these handouts.)

The easy way to get bitcoins is to find someone who has bitcoins and pay them real money for some of this digital currency.

The alternative is mining. Bitcoin mining is an easy concept, but doing it is neither straightforward nor easy. Conceptually, there’s a mathematical problem that can be solved, but solving it takes time. After your computer solves the problem (which could take weeks or months), you receive some bitcoins for your effort. (The work is performed on a block of data. Each completed block currently pays something like 25 bitcoins.)

Because the work is extremely time-consuming, lots of people may work together on a single block. These groups of workers are called pools. By joining a pool, you are likely to get paid faster. However, since the 25 bitcoins need to be distributed between all of the pool members, you are likely to only receive a fraction of a bitcoin. (25 bitcoins at an exchange rate of $600 per bitcoin is $15,000. If there are 100,000 members in the pool and everyone does an equal amount of work, then you might get around 15 cents for your assistance.)
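To make the “mathematical problem” concrete, here is an added Python example (not code from this post or from any mining software) that mines a toy Bitcoin-style block header with the sha256d proof-of-work, verifies the result with a single hash, and converts a hash rate in khash/s into an expected search time. The header field values, the merkle root and the difficulty are constructed placeholders, not real chain data.

```python
import hashlib
import struct
import time

# Added illustration of the sha256d proof-of-work that mining software performs.
# Every header value used below is a constructed placeholder, not data from the real chain.


def sha256d(data: bytes) -> bytes:
    """SHA-256 applied twice: Bitcoin's block hash, the 'sha256d' named in the post."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def block_header(prev_hash: bytes, merkle_root: bytes, timestamp: int,
                 bits: int, nonce: int) -> bytes:
    """80-byte Bitcoin-style header; every integer field is little-endian."""
    return (struct.pack("<I", 1) + prev_hash + merkle_root +
            struct.pack("<III", timestamp, bits, nonce))


def meets_target(digest: bytes, difficulty_bits: int) -> bool:
    """Bitcoin reads the hash as a little-endian 256-bit integer and requires it to be
    below a target; for this toy the target is simply 2**(256 - difficulty_bits)."""
    return int.from_bytes(digest, "little") < (1 << (256 - difficulty_bits))


def mine(prev_hash, merkle_root, timestamp, bits, difficulty_bits, max_nonce=1 << 32):
    """The 'work': try nonces until the header hash meets the target.
    Returns (nonce, hashes_tried, hash_as_displayed) or None if max_nonce is exhausted."""
    for nonce in range(max_nonce):
        digest = sha256d(block_header(prev_hash, merkle_root, timestamp, bits, nonce))
        if meets_target(digest, difficulty_bits):
            # Block explorers print the hash byte-reversed, so the zero bits appear in front.
            return nonce, nonce + 1, digest[::-1].hex()
    return None


def verify(prev_hash, merkle_root, timestamp, bits, nonce, difficulty_bits) -> bool:
    """Checking a claimed solution costs one hash; finding it cost the whole search."""
    digest = sha256d(block_header(prev_hash, merkle_root, timestamp, bits, nonce))
    return meets_target(digest, difficulty_bits)


def expected_hashes(difficulty_bits: int) -> int:
    """Each hash succeeds with probability 2**-difficulty_bits, so this many on average."""
    return 1 << difficulty_bits


def seconds_to_expect(difficulty_bits: int, khash_per_sec: float) -> float:
    """Expected search time for a miner that reports its rate in khash/s, as the post's does."""
    return expected_hashes(difficulty_bits) / (khash_per_sec * 1000.0)


def khash_per_second(sample: int = 20000) -> float:
    """Measure this machine's sha256d header-hash rate in khash/s over `sample` hashes."""
    header = block_header(bytes(32), bytes(32), 0, 0, 0)
    start = time.perf_counter()
    for nonce in range(sample):
        sha256d(header[:-4] + struct.pack("<I", nonce))
    return sample / (time.perf_counter() - start) / 1000.0


if __name__ == "__main__":
    prev_hash = bytes(32)                       # constructed: no real previous block
    merkle_root = sha256d(b"constructed merkle root")
    timestamp, bits, difficulty = 1394000000, 0x1d00ffff, 16
    nonce, tried, shown = mine(prev_hash, merkle_root, timestamp, bits, difficulty)
    print(f"nonce {nonce} found after {tried} hashes -> {shown}")
    print("valid:", verify(prev_hash, merkle_root, timestamp, bits, nonce, difficulty))
    rate = khash_per_second()
    print(f"this machine: {rate:.0f} khash/s; expected {seconds_to_expect(difficulty, rate):.2f} s "
          f"at {difficulty} bits, versus {seconds_to_expect(difficulty, 32):.2f} s at 32 khash/s")
```

Raising `difficulty` by one bit doubles the expected number of hashes, which is why a pool’s combined rate matters so much more than any single member’s.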

The ability to generate bitcoins means that no centralized entity controls the market and there is a limited supply of bitcoins. The supply is limited to the speed of the miners and how fast the newly mined bitcoins are introduced into the open market. This also leads to some of the volatility. If a miner hoards their bitcoins, it could drive up the price. If they release a flood of bitcoins, it could lower the value.

Fortunately, you can always get a piece of something. Like the stock market and most currencies, you don’t need to work in whole values. I can own 1.213 shares of stock in a company. Fractions of a US dollar include quarters (25%), dimes (10%), nickels (5%), and pennies (1% of a whole dollar). Similarly, you can own a fraction of a bitcoin. Bitcoins can be segmented into really tiny fractions. Even if the price for a full bitcoin is $800, I can still buy a fraction of a bitcoin for $5.

Feeling Shafted

At first glance, mining for bitcoins sounds pretty easy. You download a program to do the mining, go to bed, and in the morning you will have money. Right?

Well, no.

I have a spare computer and decided to try to do some bitmining. Getting started is anything but easy.

  1. The first thing you need is a digital wallet to hold your bitcoins. lists a few options. However, none of these are easy to use. (Virtually no documentation and poor user interfaces.)

    After first configuring my wallet, I should have a zero balance. However, I could not check my balance until the wallet synchronized with the Bitcoin cloud. The software I am using started by saying that I had over 200 weeks worth of data to synchronize. It took nearly 24 hours to complete, but when it finished I could see my current balance: $0.00.

    As far as I can tell, Bitcoin requires synchronizing against every transaction since “day 1”. Right now, it takes about 24 hours to be ready to start using Bitcoin… and every day it will take a little longer for someone to start up from scratch because there are more transactions to synchronize. (This seems like really poor long-term planning.)

  2. After you get your wallet configured, you need to set up an account with one or more pools. They require your public bitcoin account identifier. My bitcoin wallet has that value, but it wasn’t trivial to find. The pools that I joined also require me to create a ‘worker’ account within my ‘pool’ account. I still don’t understand exactly what that is or how to use it, but I set it up.

  3. You’re going to need some bitcoin mining software. Again, there are lots of options, but none have documentation or clear instructions for configuring and running. I downloaded 4 different ones, and only managed to get one of them to work. The other 3 say “no device found” or similar errors. I guess they want some kind of hardware acceleration that I don’t have or don’t know how to enable.

    The mining software also wants the login information for my pool membership. (I couldn’t tell if they wanted the main account or the worker account. I tried the worker account and it is running, so I hope I configured it correctly.)

The good news is that I think I finally got it working. At least, my computer looks busy and says it is processing 32 khash/s (32,000 hashes per second — that’s probably considered slow; I switched from ‘scrypt’ to ‘sha256d’ and am getting 18,536 khash/s). The bad news is that I won’t know if it is actually working until I (hopefully) see a few slivers of bitcoin in my account.

This entire experience reminds me of my blog entry on Open Source Sucks. Lack of documentation, hard to use software, poor usability, and lots of forums with incomplete assistance. I’m a techie and I nearly gave up.

What’s the opposite of anonymous?

A lot of people refer to bitcoins as an anonymous currency. Then again, a lot of people in the bitcoin community say it is not anonymous. The fact is, they are both right.

With regular banking transactions, it is relatively easy to see who owns an account and even where the money comes from. Bank auditors can even follow the money trail. If you pay for something with a credit card, then an auditor can identify your bank account that paid off the credit card, how the credit card was used, and even what store you shopped at. Since sales receipts identify items purchased, the trail even shows the auditor what you bought. As long as you use current bank and credit services, it is really difficult to stay anonymous.

If you want anonymity, then you use cash. Cash removes the transaction history. The auditors may know that you withdrew $200 in cash from an ATM or that you deposited $500 in cash, but they don’t know how the money exchanged hands or what was purchased. Was your $500 deposit just you putting back your earlier withdrawals, or was it payment for something?

With Bitcoin, the transaction histories are public information. We can see that a bitcoin was transferred between accounts. We can even trace a sliver of bitcoin back through the transaction history and identify every account that ever touched it. However, you cannot easily tell who owns an account or what was traded in exchange for the bitcoin transfer. The account owner and the purpose of the exchange are unidentified.

To reiterate, banking permits you to track accounts, transfers, and purchases. Cash allows you to watch the endpoints (accounts) but not the exchanges. And Bitcoin permits watching the transfers but not the exchanges or the account owners. In this regard, Bitcoin is great in that it offers a third option for money management.
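As an added example (not from the post), the following Python walks a small constructed ledger backwards from one output and lists every pseudonymous address that ever touched the funds, which is what the public transaction history lets any observer do. The addresses and amounts are made up, and nothing in the ledger links an address to a person or to what was bought, which is the limit the post describes.

```python
from collections import namedtuple

# Constructed toy ledger for illustration. Every output records which address received
# how much; every transaction records which earlier outputs it spends. Addresses are
# opaque strings, and the ledger never records who controls them or why they paid.
TxOut = namedtuple("TxOut", "address amount")

LEDGER = {
    "coinbase1": {"inputs": [],                               # block reward, no inputs
                  "outputs": [TxOut("addr_miner", 25.0)]},
    "tx1": {"inputs": [("coinbase1", 0)],                     # miner sells 1 BTC to alice
            "outputs": [TxOut("addr_alice", 1.0), TxOut("addr_miner", 24.0)]},
    "tx2": {"inputs": [("tx1", 0)],                           # alice pays a shop, keeps change
            "outputs": [TxOut("addr_shop", 0.4), TxOut("addr_alice", 0.6)]},
    "tx3": {"inputs": [("tx2", 0), ("tx1", 1)],               # shop and miner both pay bob
            "outputs": [TxOut("addr_bob", 24.4)]},
}


def trace_ancestry(ledger, txid, vout):
    """Walk backwards from one output through every input that funded it.
    Returns the list of (txid, vout, address, amount) ancestors in discovery order."""
    seen, stack, path = set(), [(txid, vout)], []
    while stack:
        t, v = stack.pop()
        if (t, v) in seen:
            continue
        seen.add((t, v))
        out = ledger[t]["outputs"][v]
        path.append((t, v, out.address, out.amount))
        # Each input names the earlier (txid, vout) it spent; follow all of them.
        stack.extend(ledger[t]["inputs"])
    return path


def addresses_touched(ledger, txid, vout):
    """Every pseudonymous address in the coin's history: visible to anyone with the chain."""
    return sorted({addr for _, _, addr, _ in trace_ancestry(ledger, txid, vout)})


def balance(ledger, address):
    """Unspent amount currently held by an address: outputs to it minus the ones spent."""
    spent = {ref for tx in ledger.values() for ref in tx["inputs"]}
    return sum(out.amount for txid, tx in ledger.items()
               for i, out in enumerate(tx["outputs"])
               if out.address == address and (txid, i) not in spent)


if __name__ == "__main__":
    for step in trace_ancestry(LEDGER, "tx3", 0):
        print("%-10s output %d  %-11s %.1f" % step)
    print("addresses in history:", addresses_touched(LEDGER, "tx3", 0))
    print("alice now holds:", balance(LEDGER, "addr_alice"))
```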

Too good to be true

Excluding the hard-to-use software, Bitcoin looks like a great system. The value is no riskier than the stock market, no central government manages it, and it gives you a way to watch transactions without identifying what was traded or who it was traded between. So why don’t I like Bitcoin?

  • No FDIC. In the United States, bank accounts are insured by the US Treasury. If the bank gets robbed, I do not lose anything. Even with credit cards, I’m only liable for the first $50 in fraudulent charges. But with Bitcoin? There is no insurance. You assume all risk. If someone steals the password to your virtual wallet, then you will lose all of your money and you will have no recourse.

  • Lost Wallet. Your Bitcoin wallet is cryptographically protected by a password. If you forget your password, then you will lose everything in your wallet. (No reminder hints, no backdoors, no administrative resets.) Similarly, if your hard drive crashes and takes your only copy of your wallet, then you lose everything.

    This is very different from the banking and cash currency world. If I don’t remember my bank account number, the banker can look it up. If I lose my credit card, the credit card company will quickly issue me a replacement. And if my cash burns up in a house fire, I can show the ashes to the Department of Treasury and they will replace every bill. (First they verify that the ashes account for the claimed amount of currency.) But if I lose my bitcoin wallet? It’s gone.

  • Central Hubs Vanish. As I understand it, your bitcoin wallet doesn’t actually hold any currency. Instead, it holds a claim ticket. Specifically, it holds the cryptographic key pairs needed to spend the currency. The actual currency is held elsewhere — in the blockchain (which contains the transaction history). A copy of the blockchain is stored on every client, which is why the initial synchronization takes so long.

    Some people like to store their wallets in an outsourced hub. So… what happens if the place holding the currency vanishes? Well, you’re out of luck. In this regard, Bitcoin can be a lot like storing your money in somebody else’s mattress.

    The only good news here is that there is some redundancy. If a single hub vanishes, like when Mt.Gox vanished, the redundancy ensures that money does not evaporate. (It does nothing to stop theft, but does stop losing the main blockchain.)

  • No Transfer Delay. Bitcoin promotes this as a benefit. Let’s say you want to transfer money from the US to the UK. With cash, you would need to mail it (expensive and takes at least 24 hours). With bank transfers, you’re looking at a few days. But with Bitcoin? The transfer is measured in minutes. This is because there are no banking regulations and every transaction is authenticated and nonrepudiated (you authorized it and you cannot deny authorizing it).

    The bad news is, if you accidentally transfer the wrong amount ($1000 instead of $10.00 — forgot the period, oops) then the money is gone. Period. No delay.

    The problem gets worse if the seller decides to not ship the item. You have no recourse to get your money back. With a bank transfer or credit card transaction, you can report the fraud and they can recover the funds. With cash and a receipt, you have legal recourse. But since Bitcoin is not a recognized currency, you might be on your own.

    As I understand it, it is this lack of transfer delay and inability to recall funds that led to the closings of the Mt.Gox and Flexcoin central hubs. There have also been reported thefts at other hubs, like Poloniex. Details of the thefts are just beginning to trickle out. But at a high level, someone managed to get whatever they needed to authenticate bitcoin transfers. Then they initiated transfers. Since there is no delay and no recall, the money was immediately stolen. 750,000 bitcoins from Mt.Gox (about $446 million) and 896 bitcoins from Flexcoin (about $600,000). Right now, I haven’t seen anything that says these thefts are related.

    If the compromises happened at the hubs, then Bitcoin has a fundamental flaw. The cryptocurrency is supposed to require a cryptographic challenge that uses the credentials only found in your bitcoin wallet. However, there may be another explanation. Recently there has been malware that attempts to steal your bitcoin wallet. This could easily lead to large thefts if someone with a large number of bitcoins gets infected.

  • Evaporation. Even though there are people mining bitcoins right now, there are a finite number of bitcoins. There will come a day when bitcoin mining won’t be needed because every bitcoin will be found.

    The problem is, people lose bitcoins. If you forget your wallet’s password, the currency is lost. If you throw out an old hard drive and forgot that it contained $7.5 million in bitcoin, then the bitcoins are lost. With a government’s mint, they can account for shrinkage due to loss and print up more money as needed. But the total number of available bitcoins is only going to shrink. This will drive up the price of bitcoins and force people to use smaller and smaller fractions of bitcoins.

  • Laundering. The anonymity that Bitcoin provides is ideal for money launderers. You convert your dirty money to bitcoin (through an unsuspecting middle-man who happily exchanges bitcoins for cash), transfer the money around, and then cash out with untraceable currency. It’s really no surprise to me that the drug bazaar Silk Road was caught with $3.5 million in bitcoin.

    Of course, if bitcoin is only used for transfers related to illegal activity, then it makes bitcoin users suspect. So the illegal-activity bitcoin community needs regular people to use bitcoin for non-illegal purposes. This gives their illegal activity anonymity by hiding among the general population.

  • Competing Technologies. I know a guy who invested a lot of money into laserdisc and betamax, only to have both technologies never take off. By the same token, Bitcoin is not the only digital currency available. There are dozens of competing technologies here. The real question becomes: which will survive and which will vanish? Like the stock market, you don’t want to be heavily invested when it crashes from $800 per bitcoin to a penny stock. (It would be like investing real money in Second Life, only to have the game drop out of popularity.)

  • Experimental. I think this is the most important aspect that everyone seems to ignore. Bitcoin is an experimental technology. Why would anyone invest more than a few real dollars in bitcoin? Major investments in an experimental technology are nothing but an extremely high risk.

Show Me The Money!

Bitcoin does have interesting benefits, but I see it as too high risk for any kind of serious investment. People who want to invest are better off playing the real stock market. And people who want anonymity are better off with cash.

If this write-up didn’t completely scare you away from using Bitcoin — or if it did scare you and you want to get rid of your bitcoins — then feel free to send me a bitcoin donation.

Update 2014-03-08: I have rewritten part of the central hubs section, thanks to a few of the people who have left comments with corrections.

TorrentFreak: Privacy Disaster: Type IP Address, Get Internet User’s Phone Number

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

Websites can’t function without them and a user must be allocated one before he or she can begin using the Internet. Without doubt, IP addresses are one of the most important elements underpinning today’s online experience.

While website IP addresses are necessarily public information, IP addresses of individual users are by their very nature a lot more sensitive. Rather than identifying a web server designed to attract traffic, IP addresses operated by regular Internet users are often considered personal information.

Of course, it’s fairly common knowledge that the IP addresses of file-sharers become publicly visible when they enter BitTorrent swarms for example, but matching those IP addresses to real-life identities is a complex process wrapped up in privacy laws designed to protect the consumer. During the past week, however, it became evident that users of a Scandinavian ISP could be traced back to their real-life identities simply by using their IP address.

Discovered by Norwegian site Dinside, this privacy disaster stems from the software installed on routers supplied by local ISP NextGenTel. By simply entering the IP address of another NextGenTel user into a standard web browser, users were presented with a webpage containing router status information. The page also revealed the telephone number of the user behind the entered IP address.

Armed with a telephone number and a directory site such as, all it took was a few clicks to find out the name and address of the person behind not only the telephone number, but also the original IP address.

After being alerted to the issue NextGenTel took action to fix the security hole by updating the relevant software, but the episode is a shining example of how years of care over personal information can be undone in an instant.

One of Norway’s biggest privacy cases in recent times involved a BitTorrent user who allegedly leaked a hit local movie to The Pirate Bay. Law firm Simonsen had the IP address of the leaker but desperately needed to convert that into a real-life identity in order to pursue legal action. That case went all the way to the Supreme Court when the ISP behind that IP address refused to hand over its customer’s private details.

Needless to say, that lengthy process would have been endlessly easier if that customer had been a NextGenTel customer. Simonsen could’ve accessed the Internet via NextGenTel, entered the IP address into their web browser, and used the telephone number to reach their target there and then – or called round for a visit, whichever was easier.

In a comment to Dinside, NextGenTel CTO Jørn E. Hodne said his company were taking the matter seriously and were attempting to put things right by fixing software and reporting themselves to the country’s Data Inspectorate.

“We’ve started the [software] update and even reported the matter to the Inspectorate,” Hodne said. “The world we live in is very complex, but this is our responsibility.”

Source: TorrentFreak, for the latest info on copyright, file-sharing and VPN services.

TorrentFreak: ‘Domains by Proxy’ Hands Over Personal Details of “Pirate” Site Owner

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

Representing the major Hollywood studios, the Motion Picture Association (MPA) regularly patrols the Internet for sites that host or link to pirated movies.

In recent months the group has approached several site owners requesting them to take down their sites, or face legal action.

One way to identify the owners of said sites is through domain WHOIS information, which is publicly available. However, this becomes problematic when site owners use so-called domain privacy services, which hide their personal details from the public. At least, that’s what’s assumed.

As it turns out, not all of these services are as private as one might think. The operator of a linking site learned this the hard way when ‘Domains by Proxy’ shared his personal details with the MPA.

The domain privacy service, which is owned by GoDaddy founder Bob Parsons, handed over his personal details without a subpoena, or any form of due process.

“We have received a possible legal complaint regarding your domain name,” Domains By Proxy informed the site owner.

“Since we were provided with proof the complainant owns a potentially applicable copyright, we have disclosed your identity for the limited purpose of this complaint so that the complainant can communicate directly with you to seek resolution.”

The site owner, who prefers to remain anonymous, was shocked when he received the message. He says his website doesn’t host any copyrighted material and assumed that Domains by Proxy would at least notify him before sharing any personal details.

Soon after the email from Domains by Proxy arrived, the Motion Picture Association reached out to the domain owner, using the name and email address provided by the domain privacy service.

“This Notice requires you to immediately take effective measures to end and prevent further copyright infringement. All opportunities provided by the Website to download, stream or otherwise obtain access to the Entertainment Content should be disabled permanently,” the movie industry group wrote.

“If you fail to take the immediately required action to end and prevent further copyright infringements the MPA and the MPA Members expressly reserve the right to pursue all remedies available,” MPA added.

MPA email

Needless to say, the domain owner does not agree with Domains by Proxy’s action. He says that the MPA obtained his personal details without providing actual proof. In addition, he doesn’t understand why his personal details had to be handed over, as all emails directed to the email listed in the WHOIS are forwarded to him anyway.

“Domain by Proxy automatically adds, so any organization can contact the domain owners directly. There is no need to ask personal details from the WHOIS service without any proof of copyright infringements,” the domain owner tells TF.

“Other web services, such as LeaseWeb, don’t give details directly to MPA but force you to disable the service instead. Domains by Proxy should do the same I think,” he adds.

TF reached out to Domains by Proxy for a comment on the situation, but the company hasn’t responded yet. With the slogan “your identity is nobody’s business but ours” it’s odd to see that they hand over private details of customers so easily, but those who read the company’s privacy policy can see that this is common practice.

“We will disclose any information about you to government or law enforcement officials or private parties as we, in our sole discretion, believe necessary or appropriate to respond to claims and legal process, to protect our property and rights or the property and rights of a third-party,” the privacy policy reads.

As it turns out, Domains by Proxy is judge and jury here, while due process is completely absent. That’s not really an ideal policy for a company that trades on people’s privacy rights.

Source: TorrentFreak, for the latest info on copyright, file-sharing and VPN services.

Darknet - The Darkside: Target CIO Beth Jacob Resigns After Huge Breach

This post was syndicated from: Darknet - The Darkside and was written by: Darknet. Original post: at Darknet - The Darkside

So the latest news this week is that the Target CIO Beth Jacob has resigned, it seems to be somewhat linked to the massive heist of credit card details from Target that took place in December last year. To be fair it was a fairly complex, high-level attack and I’m pretty sure most companies would [...]


Darknet - The Darkside: EyeWitness – A Rapid Web Application Triage Tool

This post was syndicated from: Darknet - The Darkside and was written by: Darknet. Original post: at Darknet - The Darkside

EyeWitness is a rapid web application triage tool designed to take screenshots of websites, provide some server header info, and identify default credentials if possible. The author would love for EyeWitness to identify more default credentials of various web applications. So as you find devices which utilize default credentials, please e-mail…


Errata Security: RSAC Keynote: support your local sheriff

This post was syndicated from: Errata Security and was written by: Robert Graham. Original post: at Errata Security

RSA Security chairman Art Coviello opened his company’s conference with a discussion of “BSAFE backdoor” controversy [video]. Rather than defending his company’s mistakes in the affair, he seemed to justify them with a four-point plan calling for greater powers for law enforcement.

#1 “Renounce the use of cyber-weapons, and the use of the Internet for waging war”

This is sure to be a crowd-pleaser, touching upon the “0-day” debate in our community, but it’s wholly without substance.

We already use the Internet for waging war, whether it’s servicemen sending emails back home, or using Internet connectivity to control drones on the battlefield. Internet is communications, and communications is essential to warfare. We no longer have the ability to communicate without using the Internet. In modern warfare, all sides use the Internet for waging war.

Of course, that’s not precisely what he meant (I think). Instead, he probably refers to attacking each other through cyberspace. But it’s the same thing. If we are raining down terror from Internet-controlled drones, then that control mechanism, the Internet, becomes fair game. We can’t tell the victims of drone attacks that while shooting back at the drones is allowed by the rules of war, that hacking or viruses are somehow morally reprehensible and off limits. It’s the same with outer space: our use of GPS for precision-guided missiles and satellite communications means waging war in space, even though no military action has yet taken place in space. We are just lucky we haven’t attacked somebody yet with the ability to put ball-bearings in low-orbit taking out our GPS system — and the ability to launch anything into space for a decade.

In short, his idea “renouncing the use of the Internet for waging war” demonstrates a total lack of understanding of the issue.

He’s more on target with “cyber-weapons”. Our community has a legitimate debate over “military 0days”, and how the military’s purchase of 0days outbids bug bounties that serve to protect us by closing vulnerabilities.

However, the blanket statement about “cyber-weapons” ignores this complex issue, and treads bad ground. The argument seems tailor-made to appeal to the EFF crowd, but these people don’t renounce cyber-weapons as a principle. Instead, they defend their use, such as claiming Anonymous hackers were justified in using LOIC (a DDoS tool) against PayPal.

There is also the issue that virtually all “weapons” in cyberspace are dual-use: used by defenders as well as attackers. To outsiders, Nmap and Metasploit seem like evil tools with no legitimate purposes, but in fact they are most heavily used by defenders in protecting their networks against hackers. Again, the EFF hotly defends the use of such tools. That’s why the debate in our community centers on “0days”: it’s the one tool that doesn’t seem to be particularly useful to defenders.

Then there is the issue about whether code is speech (again, something the EFF defends). Virtually all “cyber-weapons” are open-source (except for the 0-days). Restricting them becomes an intolerable offense to basic rights.

In short, what Coviello is talking about is the same logic used by law enforcement in the 1990s, when encryption was classified as a munition and tightly controlled. The consequence was that it left good people open to attack. While this point looks initially like a sop to the anti-war crowd, it is in fact an attack on our liberties.

#2 “Cooperate internationally in the investigation, apprehension, and prosecution of cyber-criminals”

Our job in the cybersec community is to defend computers against hackers. That doesn’t automatically make us tools of the state for prosecuting cyber-criminals.

For one thing, the definition of “cyber-criminal” is overly broad. Unlocking your iPhone makes you a cybercriminal. Incrementing a number in a URL makes you a cybercriminal. Spoofing your MAC address makes you a cybercriminal. Posting to Facebook can make you a cybercriminal.

Worldwide, most countries are oppressive regimes. Certainly we aren’t going to aid law enforcement internationally and help those regimes. Even in the mostly “free” country of the United States, law enforcement has taken on the appearance of a police state. The U.S. jails over 1% of its population, which is 10 times more than any other free country. Half of all young black men are in the system, such as in jail or on parole. Even whites are more likely to be in jail in the United States than in Europe.

Yes, we in this community work on the side of law enforcement when it comes to real crimes like stealing money or murder. For a broad range of other things, we oppose law enforcement. Indeed, many of us live in constant fear that law enforcement will come up with a novel interpretation of the law in order to deem previously common whitehat activities cybercrime.

As in his first principle, Coviello reveals that he has gone back on the principles of RSA from the 1990s and is now taking the side of law enforcement against citizens. His comments seem to indicate that he’d find mandatory key escrow a good feature of encryption.

#3 “Ensure that economic activity on the Internet can proceed unfettered and that intellectual property rights are respected around the world”

Here Coviello is completely at odds with the rest of the cybersec community.

Yes, limited intellectual property protections for a limited time are the lifeblood of the modern economy, especially a “knowledge economy” like the United States. But our zeal to protect intellectual property has led to a cyber-police-state, where the DMCA is used to chill speech and patent trolls destroy innovation.

In justifying this principle, Coviello says “The rule of law must rule”. I’m not sure what he means by that. The phrase “rule of law” doesn’t mean the principle that law must crack down on wrongdoers. Instead, the phrase means that everyone is subject equally to the law, even the powerful. It means whichever laws we have, they should be applied equally.

And the lack of even treatment under the law is exactly why people are upset with the current intellectual property regime. One example is how Disney appears to have tailored copyright law to its own benefit at the expense of everyone else. Another example is how the DMCA is wholly unbalanced between the powerful and the powerless.

We see a theme developing here: Coviello (and by extension RSA) is clearly coming down on the side of law enforcement against individual rights.

#4 “Respect and ensure the privacy of all individuals”

Unlike Coviello’s first three points, this seems reasonable. Maybe he isn’t such a bad guy.

But, later in his remarks, it’s clear that he’s not really standing up for privacy. He says “Governments have a duty to create and enforce a balance … that embraces individual rights and collective security”. It’s quite clear from the nature of his arguments where he sees the correct balance — toward maximum security, and consequently, minimal individual rights.


My translation of Coviello’s comments is this: “If we had backdoored our crypto, would that have been such a bad thing?”. Betraying customer trust on behalf of the government is consistent with his entire speech: trusting the NSA, trusting NIST, and most of all, trusting the good intentions of the police state.

Masscan: I spend more attention on the first principle about “cyberweapon” than the remaining three. I get the impression it’s targeted at me, since I build cyberweapons (like my masscan tool). I get the impression he’s saying “don’t condemn us for our bad behavior, we aren’t as bad as those cyberweapon builders! Condemn them instead!!”

Everything you wanted to know about the security-focused Blackphone (ars technica)

This post was syndicated from: and was written by: ris. Original post: at

Ars technica provides some details on the security-focused Blackphone. “While Geeksphone is handling the hardware, Silent Circle is handling the software. The Blackphone runs a Google-less version of Android called “PrivatOS.” Besides removing the user-tracking Google parts, most of the Blackphone’s security and privacy advantages seem to come from the integration of Silent Circle apps. The suite of apps mentioned at the event were the existing Silent Phone and Silent Text apps, and a new product called “Silent Contacts.” Silent Phone and Silent Text encrypt your phone calls, text messages, and file transfers to other users of the apps.

TorrentFreak: Pirate Bay Teams Up With Lund University and Becomes “Research Bay”

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

The Pirate Bay renamed itself to The Research Bay today for a new collaboration with the Cybernorms research group at Lund University.

The notorious BitTorrent site has changed its iconic logo and is encouraging visitors to take part in the survey, which examines people’s file-sharing habits and their views on privacy and copyright-related issues.

The study is the third iteration of a longitudinal study which has already enjoyed participation from 170,000 Pirate Bay users.

To learn more, TF talked to Stefan Larsson, one of the researchers involved in the project. Larsson believes that it’s crucial to document values and norms of The Pirate Bay and its users, as it’s one of the defining Internet icons of our times.

“It is the biggest, most popular and most resilient hub for free file-sharing, and collects invaluable information on values, norms and conceptions of the file-sharing community,” Larsson says.

“Also, it is one of the most interesting phenomena of our times in itself, in the intersection of social, legal and technological change,” he adds.

The previous surveys have already resulted in some unique insights which have been published in several academic articles.

For example, the researchers found that the majority of Pirate Bay users planned to use VPNs or other measures to become more anonymous. Another observation is that only a small percentage of Pirate Bay users contribute to the site. Most people are relatively passive downloaders.

These and other statistics are also available to the public on the Survey Bay website which launched a few months ago.

Larsson tells TF that one of the key goals of the project is to look for trends and changes over time among Pirate Bay users. By repeating the survey the researchers can see how attitudes and behaviors of Pirate Bay users develop.

In addition, the latest survey also includes new questions to tap into newer trends, among other things.

“We have added some stuff, for example a method for measuring the strength of social norms, which we’ve done in smaller surveys before, as well as questions on when and how – if ever – authorities should collect and process information on internet behavior,” Larsson says.

The Research Bay project runs from 25 to 27 February, and the survey will be linked from The Pirate Bay homepage during these days. People who are interested in taking part can do so here.

Source: TorrentFreak, for the latest info on copyright, file-sharing and VPN services.

The Hacker Factor Blog: Linking Up

This post was syndicated from: The Hacker Factor Blog and was written by: The Hacker Factor Blog. Original post: at The Hacker Factor Blog

I have a fondness for standards. Even if there is a non-standard option that may be better or faster, I like to be able to do something once and know it will be supported everywhere. For example, I recently griped about Internet Explorer’s unexpected HTML issues. But really, the problem was how IE was defaulting to an old backwards compatibility mode and not with the HTML or JavaScript. One change to the HTML head tag (to disable IE’s emulation mode) and everything just worked. Because I used HTML and JavaScript that is either standard or widely adopted, I did not have to modify existing code to make the page function properly.

However, I still had to make one little change for Internet Explorer. It’s all of these “one little change” items that I don’t like. I should not need to modify my system with custom changes for every single web browser and online service. Every custom tweak becomes a maintenance nightmare.

I have been fighting with this same nightmare for the last few days. Since last August, every analysis page at FotoForensics has had a Twitter link at the bottom. Anyone can easily click to share the analysis page with Twitter. One click and your tweet is pre-populated with the URL for sharing.

Recently I hit the part on my to-do list where I want to add in links to other social networking sites beyond Twitter. Unfortunately, each one seems to be a special case.

Like: It’s not just for valley girls.

I’m sure you’ve seen these sharing buttons on lots of web sites. “Pin-It!” “Like!” “+1” Clicking on the icon typically opens a new window that is pre-populated with the page’s URL, title, and maybe a short description. If you’re not already logged into Pinterest, Facebook, or Google+, then you’ll be prompted to login. If you’re logged in, you have the option to edit the posting or just share it as-is.

The concept is nice — it simplifies usability, reduces the risk of a typo in the URL or text, and makes sharing more convenient. From the indirect marketing viewpoint, easier sharing means more word-of-mouth advertisement for the service.

There are three things you need in order to make this work. First, you need an icon for each service. Second, you need HTML code that people can click on. And third, you need some custom code on your server.

Such Cute Buttons!

Getting the buttons is the easy part. You can either draw your own or download pre-made icons. I took the easier route. I went to and found a pre-made set that I liked. The really nice thing about this online service is that you can sort by license (I only selected icons that are free for commercial use without attribution). You can either browse the collection or search for something specific.

In my case, I found a few icons that I liked and they were all in the same collection. I then used one as a template for creating additional icons. For example, the Google icon was almost what I wanted, but it needed a plus sign. So I edited the icon, shifted over the “g” and added a “+”. And while the set has nice icons for Digg, Facebook, and Twitter, it was missing an icon for Reddit. So I used the Twitter icon as a template, changed the coloring, and replaced the icon with the Reddit android. Total time? About 2 minutes.


The next step requires adding HTML to each page. Fortunately for FotoForensics and most blog software, this really just means adding it once to a template.

Almost every online service wants you to link to their JavaScript code, load their CSS styles, and link to them. For example, Twitter wants you to include code like:

<a href="" class="twitter-share-button" data-url="http://myurl">Tweet</a>
<script>!function(d,s,id){var js,fjs=d.getElementsByTagName(s)[0],p=/^http:/.test(d.location)?'http':'https';if(!d.getElementById(id)){js=d.createElement(s);js.id=id;js.src=p+'://';fjs.parentNode.insertBefore(js,fjs);}}(document, 'script', 'twitter-wjs');</script>

While this can be convenient, it also significantly slows down your web page’s load time: the page isn’t fully loaded until the components from every third-party service have loaded. There’s also a privacy issue. When the browser fetches Twitter’s script it sends a Referer header, so Twitter learns which page you are visiting on every page load, whether or not you ever click the button. If the page URL carries session tokens or other credentials in the query string, those leak to Twitter as well.

My preference is to forget all of the third-party links and just use a simple URL to submit the page. While I do use JavaScript a little, my code is significantly smaller than Twitter’s recommended JavaScript and it doesn’t need to wait for any third-party web requests. And best of all: Twitter cannot spy on your web browsing unless you click on the Twitter link. Here’s my icon that links to Twitter:

<img title='Twitter' onclick='window.open("http://…", "Twitter", "height=500,width=500,left=100,top=100,resizable=yes,scrollbars=yes,toolbar=yes,menubar=no,location=no,directories=no,status=yes")' src='smimg/twitter.png'>

This code displays an HTML image. I gave it a “title” that says “Twitter” when you hover the mouse over it. I also defined an onclick() event. Clicking on the icon will open a new window that is ready to share my URL to Twitter. (Be sure to URI-encode the URL; otherwise any “&” or “#” in your page’s address is interpreted as part of the share service’s own query string and truncates or alters the link.)

I have similar code for Reddit, Pinterest, Facebook, and Google+.

<img title='Reddit' onclick='window.open("http://…", "Reddit", "height=600,width=600,left=100,top=100,resizable=yes,scrollbars=yes,toolbar=yes,menubar=no,location=no,directories=no,status=yes")' src='smimg/reddit.png'>

<img title='Pinterest' onclick='window.open("http://…", "Pinterest", "height=600,width=600,left=100,top=100,resizable=yes,scrollbars=yes,toolbar=yes,menubar=no,location=no,directories=no,status=yes")' src='smimg/pinterest.png'>

<img title='Facebook' onclick='window.open("http://…", "Facebook", "height=600,width=600,left=100,top=100,resizable=yes,scrollbars=yes,toolbar=yes,menubar=no,location=no,directories=no,status=yes")' src='smimg/facebook.png'>

<img title='Google+' onclick='window.open("http://…", "Google+", "height=600,width=600,left=100,top=100,resizable=yes,scrollbars=yes,toolbar=yes,menubar=no,location=no,directories=no,status=yes")' src='smimg/google.png'>

Each of the service URLs takes slightly different parameters, but it isn’t very complex. For example, most services want “url=” to point to your page’s URL; only Facebook wants “u=”. Pinterest requires both “url=” for the web page and “media=” for a representative picture. Pinterest also permits an optional “description=” that includes text. Reddit has additional options for specifying the title, description, etc. (Since FotoForensics doesn’t have a title, description, or other information about the picture, I leave it for the user to fill out.)

Some people don’t like putting the onclick inside the img tags. It’s easy enough to wrap the img tag with an anchor tag, which also gives keyboard users and visitors with JavaScript disabled a real link to follow.
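The following is an added example, not code from the original post or from FotoForensics. It does what the icons above do, building the share link for each service from the parameter names the post describes (“url=” for most, “u=” for Facebook, “media=” required by Pinterest) and opening it only when the user clicks, so no third-party script is loaded and no Referer is sent to the service on ordinary page views. The share endpoints are the public ones the services documented around 2014; they are assumptions rather than values from the post, and at least one (Google+) no longer exists. It also adds two things a reviewer would ask for today: the page URL is URI-encoded and checked to be an absolute http(s) URL, and the popup is opened with “noopener”, which is assumed here to be honoured by the visitor’s browser.

```javascript
'use strict';

// Share endpoints (assumed, circa 2014; not taken from the post).
const SHARE_ENDPOINTS = {
  twitter:    { base: 'https://twitter.com/share',                  urlParam: 'url' },
  reddit:     { base: 'https://www.reddit.com/submit',              urlParam: 'url' },
  pinterest:  { base: 'https://pinterest.com/pin/create/button/',   urlParam: 'url', requires: ['media'] },
  facebook:   { base: 'https://www.facebook.com/sharer/sharer.php', urlParam: 'u' },   // Facebook wants "u=", not "url="
  googleplus: { base: 'https://plus.google.com/share',              urlParam: 'url' },
};

// Optional extras the post mentions (Pinterest "media"/"description", Reddit
// "title") plus Twitter's "text". Anything else is dropped, not passed through.
const OPTIONAL_PARAMS = {
  pinterest: ['media', 'description'],
  reddit: ['title'],
  twitter: ['text'],
};

function buildShareUrl(service, opts) {
  const spec = SHARE_ENDPOINTS[service];
  if (!spec) throw new Error(`unknown share service: ${service}`);
  // Only absolute http(s) page URLs are shareable; this also rejects
  // javascript: or data: values smuggled in from a tampered data attribute.
  if (typeof opts.url !== 'string' || !/^https?:\/\//i.test(opts.url)) {
    throw new Error('page url must be an absolute http(s) URL');
  }
  for (const name of spec.requires || []) {
    if (!opts[name]) throw new Error(`${service} requires "${name}="`);
  }
  // Every value is URI-encoded so a "&" or "#" in the page URL cannot
  // inject or truncate parameters on the share endpoint.
  const params = [`${spec.urlParam}=${encodeURIComponent(opts.url)}`];
  for (const name of OPTIONAL_PARAMS[service] || []) {
    if (opts[name] != null) params.push(`${name}=${encodeURIComponent(opts[name])}`);
  }
  return `${spec.base}?${params.join('&')}`;
}

// Window features matching the post's popup, plus "noopener": without it the
// share page receives window.opener and could navigate the page that opened
// it (reverse tabnabbing).
const POPUP_FEATURES = 'height=600,width=600,left=100,top=100,resizable=yes,' +
  'scrollbars=yes,toolbar=yes,menubar=no,location=no,directories=no,status=yes,noopener';

// Browser-side click handler; nothing is fetched from the service until the
// user actually clicks, so the service sees no Referer for ordinary visits.
function openShare(service, opts) {
  return window.open(buildShareUrl(service, opts), service, POPUP_FEATURES);
}

// Wire up every <img data-share="twitter" data-media="..."> on the page
// without inline onclick attributes, so a Content-Security-Policy that omits
// 'unsafe-inline' still works.
function installShareButtons(doc) {
  for (const img of doc.querySelectorAll('img[data-share]')) {
    img.addEventListener('click', () => openShare(img.dataset.share, {
      url: doc.location.href,
      media: img.dataset.media,
    }));
  }
}
```

Call installShareButtons(document) once the DOM is ready; buildShareUrl is separated out so the generated links can be unit-tested without a browser.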

Server Bound

So far, I have very simple code that will work on all modern browsers. The next part is the hard part. Some online services try to automatically fill in additional information. The problem is, none of them follow the same standards. This means that you need header code on every web page that is service-specific. This is a huge waste of bandwidth since 99% of the time the people visiting the web page are not from that service…

Starting with Twitter… Twitter offers the ability to register your site. If someone posts a link to your site, then your server can embed a picture or small article preview that appears with the tweet. I detailed how to set this up in my Twitter Cards blog entry. After registering, you need to have some additional meta fields in the header block.


<title>FotoForensics – Analysis</title>

<meta name="description" content="foto forensics, photo forensics, error level analysis" />

<meta http-equiv="Content-Type" content="text/html;charset=utf-8" />
<link rel="stylesheet" type="text/css" href="/style.css" />
<meta name="twitter:card" content="photo">
<meta name="twitter:url" content="http://…">
<meta name="twitter:image" content="http://…">
<meta name="twitter:image:src" content="http://…">
<meta name="og:url" content="http://…">
<meta name="og:image" content="http://…">

To mitigate bandwidth, I only include this if the request is coming from Twitter.

Facebook wants a different set of information:


<meta name="og:title" content="My Title" />
<meta name="og:description" content="My Description" />
<meta name="og:type" content="website" />
<meta name="og:site_name" content="My Site Name" />
<meta name="og:url" content="http://myurl" />
<meta name="og:image" content="http://myurl/image1" />
<meta name="og:image" content="http://myurl/image2" />
<meta name="og:image" content="http://myurl/image3" />

All of the og: fields are from the Open Graph Protocol. (It would be a nice standard if more sites supported it.) When the user clicks on the Facebook button, it calls a script at Facebook. This script fetches the URL (specified by the “u=” parameter) and harvests these og fields. Facebook uses these extra meta fields to pre-populate the posting.

There are just a few problems with Facebook… If you do not specify an image using “og:image”, then Facebook will try to grab the first image on the page. This is probably your site’s top banner and probably not what you want.

Also, if you specify multiple og:image tags, then the user can select the picture to post. It’s a nice feature, but Facebook does not list the pictures in any deterministic order. Specifically, if you have three “og:image” records, then Facebook will request all 3 pictures at the same time. The first picture to return will be listed first and the last picture to return will be listed last. In other words, the order is arbitrary.

I ended up fighting to make Google+ work. As far as I can tell, Google+ only obeys a few of the og tags. Google really wants a ‘canonical’ tag for the URL and an “image_src” for the representative image.


<link rel="canonical" href="http://myurl" />
<link rel="image_src" href="http://myurl/image" />

I actually had one other problem with Google. It turns out that Google queries the web page from the Google corporate proxy ( This proxy was banned at FotoForensics for uploading full-frontal nudity on 4-Feb-2014 at 16:08:40 GMT. (Yes, there are people at Google who are using the corporate network to view porn.) I’ll probably end up adding in a special rule to identify whether it is Google’s post-bot (don’t ban) or a Google employee (ban!).

And for people keeping score: first Google tried to upload every picture at imgur to FotoForensics, then it tried to submit words and text, and then it tried to guess URLs. Now their employees are uploading porn. What happened to “do no evil”? My site currently has more custom code to address abuses from Google than specific code for any other web service. Compared to Google, the automated vulnerability scan-and-attack bots from China and the Netherlands are downright friendly.

Unlike Google+, Facebook, or Twitter, Reddit does not appear to harvest anything from my web site. There is no need for any custom code on my server to support Reddit.

Weakest Link

I like the idea of linking to social media sites. Users can see content and easily share it with other people. The thing that I do not like is the requirement to have service-specific code on my site. Having a URL to easily share with a service is not a problem. However, the requirement for service-specific headers defeats the purpose of the web and further segments the Internet. We used to have web sites that only worked with specific browsers. Now we have web sites that cannot be easily shared across social networks.

ps. If you find any problems with the social network buttons at FotoForensics, please let me know!

SANS Internet Storm Center, InfoCON: green: Explicit Trusted Proxy in HTTP/2.0 or…not so much, (Mon, Feb 24th)

This post was syndicated from: SANS Internet Storm Center, InfoCON: green and was written by: SANS Internet Storm Center, InfoCON: green. Original post: at SANS Internet Storm Center, InfoCON: green

ISC Handler Rob sent the team a draft RFC currently under review by the IETF that seemingly fits quite nicely in the "What could possibly go wrong?" category.

Take a second and read Explicit Trusted Proxy in HTTP/2.0 then come back for further discussion.

Collect jaw from floor, and recognize that what's being proposed buggers the CA concept and browser implementation enough to allow ISPs to stand up "trusted proxies" to MITM and cache SSL content in the name of "increasing performance." Following are highlights of my favorite content from this oddly written draft, as well as some initial comments:

  • "This document addresses proxies that act as intermediary for HTTP2 traffic and therefore the security and privacy implications of having those proxies in the path need to be considered."

    • We agree. :-)
  • "Users should be made aware that, different than end-to-end HTTPS, the achievable security level is now also dependent on the security features/capabilities of the proxy as to what cipher suites it supports, which root CA certificates it trusts, how it checks certificate revocation status, etc.  Users should also be made aware that the proxy has visibility to the actual content they exchange with Web servers, including personal and sensitive information."

    • All I have is "wow".
  • There are opt-out options, sure, but no one's ever disguised or abused such options, right?

    • Opt out 1 (proxy certificate): "If the user does not give consent, or decides to opt out from the proxy for a specific connection, the user-agent will negotiate HTTP2 connection using "h2" value in the Application Layer Protocol Negotiation (ALPN) extension field.  The proxy will then notice that the TLS connection is to be used for a https resource or for a http resource for which the user wants to opt out from the proxy."
    • Opt out 2 (captive proxy): "Specifies how an user can opt out (i.e. refuse) the presence of a Proxy for all the subsequent requests toward "http" URI resources while it stays in that network."
  • Section 7's title is Privacy Considerations. None are listed.

    • Er? Here, I'll write the section for you. Opt in and you have no privacy.
  • The draft states that the Via general-header field MUST be used by the user-agent to indicate the presence of the secure proxy between the User-Agent and the server on requests, and between the origin server and the User-Agent on responses in order to signal the presence of a Proxy in between, or loosely translated into MITM. 

    • And if it's not used? Session disallowed? Appears not:

      • The draft has said MUST re: the Via header but then says…

        • "If any of the following checks fails the User-Agent should immediately exit this Proxy mode:
          1.  the server's certificate is issued by a trusted CA and the certificate is valid;
          2.  the Extended Key Usage extension is present in the certificate and indicates the owner of this certificate is a proxy;
          3.  the server possesses the private key corresponding to the certificate."
      • …but says nothing about what happens if the headers are wrong or Via is not used.
  • Love this one: "To further increase the security, the validation by the CA could also include technical details and processes relevant for the security.  The owner could for example be obliged to apply security patches in a timely fashion."

    • Right…because everyone patches in a timely fashion. And the Patch Police agency to enforce this control will be…?

Maybe I'm reading this wrong and don't know what I'm talking about (common), but we think this draft leaves much to be desired.

What do readers think? Imagine this as industry standard in the context of recent NSA allegations or other similar concerns. Feedback and comments invited and welcome.

(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.

TorrentFreak: Why Is The Copyright Monopoly Necessary, Anyway?

This post was syndicated from: TorrentFreak and was written by: Rick Falkvinge. Original post: at TorrentFreak

I sometimes try to hold the copyright monopoly to the same legislative quality standards as other laws.

It fails laughably at the “necessary, effective, and proportionate” test, where a law must be necessary (meet an identified legislative need), effective (solve that problem effectively), and proportionate (not cause worse damage in the process).

Most of the time, the copyright monopoly fails all three tests, and when legislators have this pointed out to them, they shift uncomfortably in their chairs and change the subject.

I don’t know any profession except legislation that gets away with such abysmal quality assurance.

Most of the time, the discussion focuses on the “effective” and “proportional” parts of copyright legislation, illustrating how it is absolutely toothless in the absence of draconian privacy invasions, which is exactly what the copyright industry is tenaciously pushing for – which brings us to the “proportional” part right in the next sentence.

For once, though, “necessary” is up for debate. Is the copyright monopoly even necessary to solve a real problem? If so, what specific problem is it trying to solve? This passage is notably absent from most copyright monopoly legislations: “The purpose of this law is X”. If you were arguing for the introduction of such a monopoly today, how would you justify it? Could you conceivably do so?

To that effect, a new book, Without Copyright, was published recently. It reminds us of a sobering fact – even though the copyright monopoly was created in 1554 in England by “Bloody” Mary I in order to persecute political dissenters, it didn’t have much of an international effect until the 1900s. The copyright monopolies only protected authors of books in their own countries; outside the author’s own country, it was generally a free-for-all, and nowhere more so than in the United States.

The international convention that turns copyright monopolies international is known as the Berne Convention, and it is overseen by the UN organization WIPO (the only UN organization to be funded by outside private interests). The United States ratified the Berne Convention only when it became geopolitically important to aggressively push its monopolies onto other countries, as described in The History of Copyright. More specifically, the United States ratified international copyright monopolies on March 1, 1989.

That’s very recent. To put it in perspective, that’s a newer event than Mario Bros, Die Hard, The Princess Bride, and The Legend of Zelda. It’s over fifteen years after the introduction of TCP/IP, the communications protocol of the modern Internet.

The U.S. had recognized some international monopolies to a very limited degree before that point. But before 1891, only citizens and residents of the United States could qualify for copyright monopolies at all. In today’s words of the United States: America was a rogue piracy state, plain and simple. That begs the obvious question – if there was no copyright monopoly, how did the writers make money, and since we have been told this always depends on the copyright monopoly, why were any books written at all in this time period?

But books were written before 1891. Tons of them. And there’s nothing to indicate more books were written after the United States accepted international monopolies, neither in the 1891 change nor in the 1989 change.

The answer, it turns out, was very simple. There wasn’t really any need for the copyright monopoly. There was a whole slew of tools available for publishers and authors to enforce business terms and make their agreed money, where – notably – not a single one of them involved lawyers. And this was considered modern times.

So that lets us return to the question:

How necessary is the copyright monopoly, anyway?

About The Author

Rick Falkvinge is a regular columnist on TorrentFreak, sharing his thoughts every other week. He is the founder of the Swedish and first Pirate Party, a whisky aficionado, and a low-altitude motorcycle pilot. His blog at focuses on information policy.

Book Falkvinge as speaker?

Source: TorrentFreak, for the latest info on copyright, file-sharing and VPN services.

TorrentFreak: Canadian Court Slaps Restrictions on Copyright Trolling

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

Do individuals using BitTorrent to download copyright material from the Internet via their ISP have a right to remain anonymous so that they remain out of reach to rightsholders? If so, what remedy will rightsholders have to prevent such infringement?

These questions and more have been under consideration in the Federal Court in Toronto as part of a case involving US-based movie studio and known copyright troll Voltage Pictures (“The Hurt Locker”) versus 2,000 currently anonymous Internet subscribers of local ISP TekSavvy.

Voltage say that via local anti-piracy company Canipre they tracked the Teksavvy customers downloading and sharing their movies online without permission and as a result want Teksavvy to hand over the alleged pirates’ names and addresses.

CIPPIC – protecting subscribers

The case has been dragging on for some time with third parties such as the Canadian Internet Policy and Public Interest Clinic (CIPPIC) getting involved in order to protect the subscribers’ rights. CIPPIC believes Voltage are nothing more than “copyright trolls” sending settlement letters to alleged pirates in order to extract hard cash from them.

Voltage’s previous actions in this area are well-known, with court documents showing that the movie company has filed 22 similar lawsuits in the United States, each with the same pattern. Various flaws exist in the company’s modus operandi, CIPPIC say, not least that an IP address in isolation does not identify an individual.

CIPPIC adds that Teksavvy shouldn’t hand anything over to Voltage, as this will “infringe the privacy rights of the subscribers and may affect the scope of protection offered to anonymous online activity.” CIPPIC fears that any ruling in this case could have a detrimental effect on whistle-blowers and others who leak documents in the public interest.

Voltage’s stance

For their part, Voltage believe that since they have a case under the Copyright Act, Teksavvy should be ordered to hand over the subscribers’ personal details.

Relying on a ruling in BMG Canada Inc. v Doe, 2005, Voltage says it has met all conditions therein (such as having a bona fide case, being reliant on the court/Teksavvy for information to proceed, and promising to reimburse Teksavvy for costs incurred), while adding that it “fully intends to pursue claims against the subscribers.”

The balancing act

So, should the court issue an order which compels Teksavvy to hand over the information to Voltage and, if so, what kind of protections could be baked into the order to minimize invasion of privacy for the Internet users involved?

“Privacy considerations should not be a shield for wrongdoing and must yield to an injured party’s request for information from non-parties. This should be the case irrespective of the type of right the claimant holds,” the Court writes in its ruling.

“Copyright is a valuable asset which should not be easily defeated by infringers. The difficulty in this case is that it is not clear that the protection of copyright is the sole motivating factor supporting Voltage’s claim in this Court. [Evidence] suggests but does not prove that Voltage may have ulterior motives in commencing this action and may be a copyright troll.”

Despite its concerns, the Court notes that Voltage has established a bona fide claim and as a copyright holder its rights outweigh the privacy rights of alleged infringers. However, it also notes that it would be taking steps to “ensure that privacy rights are invaded in the most minimal way possible.”

Privacy concerns and the trolling threat

For its part, Voltage previously argued that the alleged infringers had already made their IP addresses public when they joined BitTorrent swarms and therefore should not be able to remain anonymous in legal action.

The court accepted that stance to a degree but noted that the “specter raised of the copyright troll” and the “very real specter of flooding the Court with an enormous number of cases involving the subscribers, many of whom may have perfectly good defenses to the alleged infringement” had to be considered.

Interestingly, the Court pointed out that damage provisions are limited by the Copyright Act and may prove to be “minuscule” when compared to the cost, time and effort expended when pursuing any claim against an alleged infringer. Here, the Court seems to have an eye on whether this exercise can be a profitable one for Voltage, and whether it should or not.

Also of interest is the Court’s examination of other ‘trolling’ cases in the United States and UK, particularly those involving ACS:Law and adult movie company GoldenEye. Alongside privacy issues, the Court looked at how the involvement of a consumer group in the latter case had influenced the letters of claim eventually sent out by GoldenEye.

Conclusion: Voltage get the green light, but must proceed with caution

The Federal Court notes that evidence exists to show that Voltage is a troll-like operation but the evidence was not compelling enough to put the brakes on the exercise. Voltage has a right to the subscriber information held by Teksavvy following the issue of a relevant order, the Court said.

However, in line with recent cases in the UK, the Federal Court says it intends to maintain control over the process by appointing a Case Management Judge to monitor “the conduct of Voltage in its dealings with the alleged infringers.”

Furthermore, the settlement letters sent out by Voltage will have to be approved by the Court and CIPPIC, and must include a copy of the court order and a clear statement that no court has yet found any recipient liable for infringement or liable to pay damages. This addresses concerns from past cases in the UK where letters implied that a court had already found guilt.

Other restrictions involve Teksavvy, who must be fully reimbursed for their costs incurred when handing over information, which will be restricted to names and addresses only. This data may not be handed to any other entity, including to the public or media.

Significant restrictions to protect subscribers

Describing the above safeguards as “significant”, Canadian lawyer Michael Geist says that the restrictions could affect the financial viability of troll-type activity.

“Given the cap on liability and the increased legal costs the court involvement will create (not to mention paying legal fees for the ISP), it calls into question whether copyright trolling litigation is economically viable in Canada. The federal court was clearly anxious to discourage such tactics and its safeguards certainly make such actions less likely,” Geist concludes.

Source: TorrentFreak, for the latest info on copyright, file-sharing and VPN services.

Darknet - The Darkside: The Mask AKA Careto Espionage Malware

This post was syndicated from: Darknet - The Darkside and was written by: Darknet. Original post: at Darknet - The Darkside

So the latest buzz going around is caused by a hacking group that appears to be Spanish and is called The Mask or Careto. The reason there is a fair amount of buzz is their next level espionage malware that has been targeting government institutions, diplomatic offices and embassies, energy, oil and gas companies, research [...]

The post The Mask…

Read the full post at