Posts tagged ‘Privacy’

Darknet - The Darkside: Clear Your Cookies? You Can’t Escape Canvas Fingerprinting

This post was syndicated from: Darknet - The Darkside and was written by: Darknet. Original post: at Darknet - The Darkside

So tracking is getting even trickier, it seems canvas fingerprinting would work in any browser that supports HTML5 and is pretty hard to stop as a user, as it’s a basic feature (a website instructing your browser to draw an image using canvas). And it turns out, every single browser will draw the image slightly [...]

Read the full post at darknet.org.uk

Schneier on Security: Fingerprinting Computers By Making Them Draw Images

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

Here’s a new way to identify individual computers over the Internet. The page instructs the browser to draw an image. Because each computer draws the image slightly differently, this can be used to uniquely identify each computer. This is a big deal, because there’s no way to block this right now.

Article. Hacker News thread.

EDITED TO ADD (7/22): This technique was first described in 2012. And it seems that NoScript blocks this. Privacy Badger probably blocks it, too.

EDITED TO ADD (7/23): EFF has a good post on who is using this tracking system — the White House is — and how to defend against it.

And a good story on BoingBoing.
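The Darknet excerpt and the Schneier post above describe the same mechanism: a page draws into a canvas and reads the pixels back. As an added example that is not part of either post (nor code from NoScript or Privacy Badger), here is the detection side, a monitor that wraps the canvas readback methods and flags the hidden-canvas, text-drawn, lossless-export pattern that fingerprinting scripts rely on; it runs under Node with a constructed stub canvas, and the names installCanvasReadbackMonitor, StubCanvas and observe are assumptions.

```javascript
// Added example, not code from either post above nor from any extension they mention:
// a canvas-readback monitor of the kind privacy tools install to spot fingerprinting,
// plus a constructed stub canvas so the whole thing runs under Node without a browser.
// Every name here (installCanvasReadbackMonitor, StubCanvas, ...) is an assumption.
// Simplified heuristics: flag a readback when the canvas was never attached to the
// document, is at least 16x16, had text drawn on it, and is exported losslessly
// (PNG or raw pixels). Ordinary image editing rarely matches all four at once.
const MIN_DIM = 16;
function classifyReadback(canvas, method, args) {
  const lossy =
    method === "toDataURL" && typeof args[0] === "string" && /jpeg|webp/i.test(args[0]);
  const reasons = [];
  if (!canvas.isConnected) reasons.push("offscreen");
  if (canvas.__textDrawn) reasons.push("text-drawn");
  if (canvas.width >= MIN_DIM && canvas.height >= MIN_DIM) reasons.push("size>=16");
  if (!lossy) reasons.push("lossless");
  return { method, reasons, suspicious: reasons.length === 4 };
}

// Wraps the drawing and readback methods on the given prototypes. In a browser these
// would be HTMLCanvasElement.prototype and CanvasRenderingContext2D.prototype.
function installCanvasReadbackMonitor(canvasProto, ctxProto, onEvent) {
  const events = [];
  const originals = [];
  const patch = (proto, name, wrap) => {
    const orig = proto[name];
    originals.push([proto, name, orig]);
    proto[name] = wrap(orig);
  };
  // Remember that text was rendered: glyph rasterization is what varies between machines.
  for (const name of ["fillText", "strokeText"]) {
    patch(ctxProto, name, (orig) => function (...args) {
      this.canvas.__textDrawn = true;
      return orig.apply(this, args);
    });
  }
  // Element-level readbacks.
  for (const name of ["toDataURL", "toBlob"]) {
    patch(canvasProto, name, (orig) => function (...args) {
      const ev = classifyReadback(this, name, args);
      events.push(ev);
      onEvent(ev);
      return orig.apply(this, args);
    });
  }
  // Context-level readback.
  patch(ctxProto, "getImageData", (orig) => function (...args) {
    const ev = classifyReadback(this.canvas, "getImageData", args);
    events.push(ev);
    onEvent(ev);
    return orig.apply(this, args);
  });
  return { events, uninstall() { for (const [p, n, o] of originals) p[n] = o; } };
}

// Constructed stand-ins for the browser objects (Node has no canvas).
class StubContext2D {
  constructor(canvas) { this.canvas = canvas; }
  fillText() {}
  strokeText() {}
  fillRect() {}
  getImageData(x, y, w, h) { return { width: w, height: h, data: new Uint8ClampedArray(w * h * 4) }; }
}
class StubCanvas {
  constructor(width, height, connected) { this.width = width; this.height = height; this.isConnected = connected; }
  getContext() { return new StubContext2D(this); }
  toDataURL(type = "image/png") { return `data:${type};base64,`; }
  toBlob(cb) { cb(null); }
}
// Runs one scripted canvas usage under the monitor and returns the recorded events.
function observe(connected, width, height, script) {
  const monitor = installCanvasReadbackMonitor(StubCanvas.prototype, StubContext2D.prototype, () => {});
  try {
    const canvas = new StubCanvas(width, height, connected);
    script(canvas, canvas.getContext("2d"));
    return monitor.events;
  } finally {
    monitor.uninstall();
  }
}

// The pattern both posts describe: hidden canvas, text drawn, image read back as PNG.
function simulateFingerprintingReadback() {
  return observe(false, 220, 30, (canvas, ctx) => {
    ctx.fillText("constructed sample text", 2, 15);
    canvas.toDataURL("image/png");
  });
}

// Benign use: a visible canvas with shapes only, exported as a lossy JPEG thumbnail.
function simulateBenignReadback() {
  return observe(true, 640, 480, (canvas, ctx) => {
    ctx.fillRect(0, 0, 100, 100);
    canvas.toDataURL("image/jpeg", 0.8);
  });
}

console.log(simulateFingerprintingReadback(), simulateBenignReadback());
```

In a real extension the same wrappers go on the page's prototypes and the onEvent callback is where a prompt or block decision would live; the heuristics are deliberately simplified and will miss scripts that draw without text.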

TorrentFreak: BPI Rejects Use of Spotify-Owned “Stay Down” Pirate Tool

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

There are hundreds of millions of pirate files inhabiting the Internet and it’s fair to say that many of those are music tracks. As a result, the world’s leading record labels, who together claim 90%+ of the market, spend significant sums making those files more awkward to find.

For sites like The Pirate Bay, which point-blank refuses to remove any torrents whatsoever, the labels have little option but to head off to Google. There the search giant will remove Pirate Bay links from its indexes so that users won’t immediately find them.

However, rather than engaging a link whack-a-mole, the best solution by far is to remove the content itself. Perhaps surprisingly, many of the world’s leading file-lockers (even ones labeled ‘rogue’ by the United States), allow copyright holders direct back-end access to their systems so they can remove content themselves. It doesn’t really get any fairer than that, and here’s the issue.

This week, while looking at Google’s Transparency Report, TF noticed that during the past month massive file-hosting site 4shared became the record labels’ public enemy number one. In just four weeks, Google received 953,065 requests for 4shared links to be taken down, the majority of them from record labels. In fact, according to Google the BPI has complained about 4shared a mind-boggling 6.75 million times overall.

So, is 4shared refusing to cooperate with the BPI, hence the group’s endless complaints to Google? That conclusion might make sense but apparently it’s not the case. In fact, it appears that 4shared operates a removal system that is particularly friendly to music companies, one that not only allows them to take content down, but also keep it down.

“Throughout the years 4shared developed several tools for copyright owners to protect their content and established a special team that reacts to copyright claims in timely manner,” 4shared informs TorrentFreak.

“We don’t completely understand BPI’s reasons for sending claims to Google instead of using our tools. From our point of view the best and most effective way for copyright holders to find and remove links to the content they own is to use our music identification system.”

To find out more, TF spoke with the BPI. We asked them to comment on 4shared’s takedown tools and, given that those tools exist, why they chose to target Google instead. After a few friendly back-and-forth emails, the group declined to comment on the specific case.

“We prefer to comment on our overall approach on search rather than on individual sites, which is to focus on known sources of wide scale piracy and to use a number of tools to tackle this problem,” a BPI spokesman explained.

“Notice-sending represents just one part of the measures available to us, along with site blocking and working with the Police to reduce advertising on copyright infringing sites.”

We asked 4shared to reveal other copyright holders using their system, but the site declined on privacy grounds. However, it’s clear that the BPI isn’t a user and 4shared have their own ideas why that might be.

“It’s possible that BPI goes for quantity not quality,” TF was told.

“If they are trying to increase the number of links in reports or for PR reasons, they probably use a bot to harvest and send links to Google despite the fact that such an approach may also result in false claims.”

The “PR” angle is an interesting one. Ever since Google began publishing its Transparency Report rightsholders have used it to demonstrate how bad the piracy problem is. Boosting those numbers certainly helps the cause.

But is it possible, perhaps, that the BPI doesn’t trust the 4shared system? They didn’t answer our questions on that front either, but it seems unlikely since 4shared uses EchoPrint, a solution purchased by Spotify earlier this year.

“Our music identification system which is based on Echoprint technology will not only find all matching content but will also restrict sharing of all potential future uploads of such content,” 4shared concludes.

Take-down-and-stay-down is the Holy Grail for anti-piracy companies. It’s a solution being pushed for in the United States in the face of what rightsholders say is a broken DMCA. On that basis there must be a good reason for the BPI not wanting to work with 4shared and it has to be said that the company’s “PR” theory proves more attractive than most.

The volume of notices in Google’s Transparency Report provides believable evidence of large-scale infringement, and it’s certainly possible that the BPI would prefer to have 4shared blocked in the UK than work with the site’s takedown tools.

We’ll find out the truth in the months to come.

Source: TorrentFreak, for the latest info on copyright, file-sharing and anonymous VPN services.

Krebs on Security: Even Script Kids Have a Right to Be Forgotten

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

Indexeus, a new search engine that indexes user account information acquired from more than 100 recent data breaches, has caught many in the hacker underground off-guard. That’s because the breached databases crawled by this search engine are mostly sites frequented by young ne’er-do-wells who are just getting their feet wet in the cybercrime business.

Indexeus[dot]org

Indexeus boasts that it has a searchable database of “over 200 million entries available to our customers.” The site allows anyone to query millions of records from some of the larger data breaches of late — including the recent break-ins at Adobe and Yahoo! – listing things like email addresses, usernames, passwords, Internet address, physical addresses, birthdays and other information that may be associated with those accounts.

Who are Indexeus’s target customers? Denizens of hackforums[dot]net, a huge forum that is overrun by novice teenage hackers (a.k.a “script kiddies”) from around the world who are selling and buying a broad variety of services designed to help attack, track or otherwise harass people online.

Few services are as full of irony and schadenfreude as Indexeus. You see, the majority of the 100+ databases crawled by this search engine are either from hacker forums that have been hacked, or from sites dedicated to offering so-called “booter” services — powerful servers that can be rented to launch denial-of-service attacks aimed at knocking Web sites and Web users offline.

The brains behind Indexeus — a gaggle of young men in their mid- to late teens or early 20s — envisioned the service as a way to frighten fellow hackers into paying to have their information removed or “blacklisted” from the search engine. Those who pay “donations” of approximately $1 per record (paid in Bitcoin) can not only get their records expunged, but that price also buys insurance against having their information indexed by the search engine in the event it shows up in future database leaks.

The team responsible for Indexeus explains the rationale for their project with the following dubious disclaimer:

“The purpose of Indexeus is not to provide private informations about someone, but to protect them by creating awareness. Therefore we are not responsible for any misuse or malicious use of our content and service. Indexeus is not a dump. A dump is by definition a file containing logins, passwords, personal details or emails. What Indexeus provides is a single-search, data-mining search engine.”

Such information would be very useful for those seeking to settle grudges by hijacking a rival hacker’s accounts. Unsurprisingly, a number of Hackforums users reported quickly finding many of their favorite usernames, passwords and other data on Indexeus. They began to protest against the service being marketed on Hackforums, charging that Indexeus was little more than a shakedown.

Indeed, the search engine was even indexing user accounts stolen from witza.net, the site operated by Hackforums administrator Jesse LaBrocca and used to process payments for Hackforums users who wish to upgrade the standing of their accounts on the forum.

WHO RUNS INDEXEUS?

The individual who hired programmers to help him build Indexeus uses the nickname “Dubitus” on Hackforums and other forums. For the bargain price of $25 and two hours of your time on a Saturday, Dubitus also sells online instructional training on “doxing” people — working backwards from someone’s various online personas to determine their real-life name, address and other personal data.

Dubitus claims to be a master at something he calls “Web detracing,” which is basically removing all of the links from your online personas that might allow someone to dox you. I have no idea if his training class is any good, but it wasn’t terribly difficult to find this young man in the real world.

Dubitus offering training for “doxing” and “Web detracing.”

Contacted via Facebook by KrebsOnSecurity, Jason Relinquo, 23, from Lisbon, Portugal, acknowledged organizing and running the search engine. He also claims his service was built merely as an educational tool.

“I want this to grow and be a reference, and at some point be a tool useful enough to be used by law enforcement,” Relinquo said. “I wouldn’t have won the NATO Cyberdefense Competition if I didn’t have a bigger picture in my mind. Just keep that in yours.”

Relinquo said that to address criticisms that his service was a shakedown, he recently modified the terms of service so that users don’t have to pay to have their information removed from the site. Even so, it remains unclear how users would prove that they are the rightful owner of specific records indexed by the service.

Jason Relinquo

“We’re going through some reforms (free blacklisting, plus subscription based searches), due some legal complications that I don’t want to escalate,” Relinquo wrote in a chat session. “If [Indexeus users] want to keep the logs and pay for the blacklist, it’s an option. We also state that in case of a minor, the removal is immediate.”

Asked which sort of legal complications were bedeviling his project, Relinquo cited the so-called “right to be forgotten,” data protection and privacy laws in Europe that were strengthened by a May 2014 decision by the European Court of Justice in a ruling against Google. In that case, the EU’s highest court ruled that individuals have a right to request the removal of Internet search results, including their names, that are “inadequate, irrelevant or no longer relevant, or excessive.”

I find it difficult to believe that Indexeus’s creators would be swayed by such technicalities, given that the service was set up to sell passwords to members of a forum known to be frequented by people who will use them for malicious purposes. In any case, I doubt this is the last time we will hear of a service like this. Some 822 million records were exposed in more than 2,160 separate data breach incidents last year, and there is plenty of room for competition and further specialization in the hacked-data search engine market.

The Hacker Factor Blog: Dear Getty Images Legal Department

This post was syndicated from: The Hacker Factor Blog and was written by: The Hacker Factor Blog. Original post: at The Hacker Factor Blog

For the last few years, Getty Images has operated an aggressive anti-copyright infringement campaign. In 2011, they purchased PicScout to search the Internet for potential unlicensed uses of their pictures. Then they began sending out very scary-sounding takedown notices. These letters include a “cease and desist” paragraph as well as a bill for the unauthorized use.

I just received one of these letters. Here’s the 7-page (3.4 MB) letter: PDF. (The only thing I censored was the online access code for paying online.) They billed me $475 for a picture used on my blog. (If you log into their site, it’s $488 with tax.)

A number of news outlets as well as the blogosphere have begun reporting on these letters from Getty Images. For example:

  • International Business Times: “Getty Images Lawsuits: Enforcement Or Trolling? Fear Of Letters Dwindling, Stock-Photo Giant Hits Federal Courts”

  • The DG Group: “Image Copyright Infringement And Getty Images Scam Letter”
  • Extortion Letter Info: “Reporting on Getty Images & Stock Photo Settlement Demand Letters (Copyright Trolls, ‘Extortion’ Letters, ‘Shadown’ Letters)”
  • Women in Business: “Are You Being Set Up For Copyright Infringement? As Technology Becomes More Invasive Copyright Infringement Scams Flourish”
  • RyanHealy.com: “Getty Images Extortion Letter”
  • someguy72 @ Reddit: He states that he purchased the pictures legally from Getty and still received an infringement notice. His advice: if you purchase a picture from Getty, “save your records FOREVER… they will come after you, years later and you might not have PROOF of PURCHASE, and then you will be screwed.”

As far as I can tell, this is an extortion racket. (I’m surprised that there hasn’t been a class-action lawsuit against Getty Images yet.) The basic premise is that they send out a threatening letter with a price tag. Some people will fear the strongly-worded letter and simply pay the amount. If you ignore it, then they send more letters with greater dollar amounts. If you call them up, the forums say that you can usually negotiate a lower amount. However, sometimes you may not actually owe anything at all.

Many people have reported that, if you just ignore it, then it goes away. However, Getty Images has sued a few people who ignored the letters. If you ignore it, then you place yourself at risk.

But here’s the thing… There are some situations where you can use the image without a license. It is in the Copyright law under the heading “Fair Use” (US Copyright Law Title 17 Section 107; in some countries, it’s called “Fair Dealing”). This is an exception from copyright enforcement. Basically, if you’re using the picture as art on your web site or to promote a product, then you are violating their copyright. (You should negotiate a lower rate.) However, if you use it for criticism, comment, news reporting, teaching, scholarship, or research, then you are allowed to use the picture.

For example, I have many blog entries where I forensically evaluate pictures. I do this to show techniques, criticize content, identify deceptive practices, etc. If Fair Use did not exist, then I would be unable to criticize or expose deception from media outlets. In effect, they would be censoring my freedom of speech by preventing me from directly addressing the subject.

Reply To Getty

The picture in question is one that is on an older blog entry: In The Flesh. This blog entry criticizes the media outlets Time and Salon for promoting misleading and hostile software. (It’s hostile because the demo software installs malware.) The software, False Flesh, claims to make people in any picture appear nude. The pictures in my blog entry are used to demonstrate some of the deceptive practices. Specifically, the pictures of nude women on the software’s web site did not come from their software.

I looked at the picture mentioned in Getty’s complaint and how it was being used in the blog entry. I really thought it was permitted under Copyright Fair Use. However, I’m not an attorney. So… I checked with an attorney about the Getty complaint and my use of the picture. I was actually surprised that he didn’t start his answer with “that depends…” (If you’ve ever worked with an attorney, then you know any discussion about legality begins with them saying “that depends…”) Instead, he said outright “it’s clearly fair use.”

Personally, I’m offended that Getty Images made no attempt to look at the context in which the picture is used.

Rather than ignoring them, I sent them a letter:

Dr. Neal Krawetz
Hacker Factor
PO Box 270033
Fort Collins, CO
80527-0033

July 15, 2014

Legal Department
Getty Images
605 5th Ave S, Suite 400
Seattle, WA
98104

Dear Getty Images Legal Department,

I received your copyright infringement notification dated “7/10/2014 11:05:06 AM”, case number 371842247, on July 14, 2014. I have reviewed the image, the use of the picture on my web site, and discussed this situation with an attorney. It is my strong belief that I am clearly using the picture within the scope of Copyright Fair Use (Title 17 Section 107).

Specifically:

  • The blog entry, titled “In The Flesh”, criticizes the media outlets Time and Salon for promoting deceptive software. The software is called “False Flesh” and claims to turn any photo of a person into a nude. I point out that installing the False Flesh demo software will install malware.

  • The blog entry discloses research findings regarding the False Flesh software: there is no identified owner for the software and the sample pictures they use to demonstrate their software are not from their software. I specifically traced their sample images to pictures from sites such as Getty Images. I forensically evaluate the pictures and explicitly point out the misrepresentation created by these images on the False Flesh web site.
  • The picture is used on my web site to criticize the media reports by exposing fraud and misrepresentation associated with the product. It is also included as part of a demonstration for tracking and identifying potentially fraudulent products in general.
  • The blog entry reports on these findings to the public in order to educate people regarding the deceptive nature of False Flesh and the risks from using this software.
  • The image that you identified is not used in the blog entry to promote any products or services and is directly related to the comments, criticism, and research covered in the blog entry. The use is not commercial in nature. This goes toward the purpose and character, which is to identify fraud and misrepresentation in a product promoted by Time and Salon.
  • As described in the blog entry, I found sample images on the False Flesh web site and used TinEye and other forensic methods to identify the sources. This was used to prove that the False Flesh software did not generate any of their sample images.
  • I did not use the full-size version of this particular picture and it includes the Getty Images Image Bank watermark. The blog entry explicitly identifies that the source for the False Flesh picture was Getty Images and not False Flesh. I point out that False Flesh used the picture in a deceptive manner.
  • I believe that my use of this picture has no adverse effect on the potential market for the image.

I believe that this covers the Copyright Fair Use requirements for criticism, comment, teaching, research, and reporting.

Getty Images acknowledges Fair Use in their FAQ concerning license requirements:
http://company.gettyimages.com/license-compliance/faq/#are-there-limitations-on-a-copyright-owners-rights

Specifically, Getty Images calls out education and research. As a computer security and forensic researcher, I use this blog to describe tools and techniques, evaluate methodologies, and to identify deceptive practices. I believe that this specific blog entry, and my blog in general, clearly fit both of these areas.

As stated in this letter, the picture’s appearance on my blog is Fair Use and I have the right under copyright law to use the image without your consent. This letter serves as notice that any DMCA takedown or blocking notices to any third party would be in bad faith.

Sincerely,

/s/ Dr. Neal Krawetz

Chilling Effect

My blog in general reports on findings related to computer security and forensics. Many of these blog entries heavily focus on scams, fraud, and abuse from media outlets. Many of my blog entries (reports) have been repeated by news outlets, and some of my blog entries have had a direct effect on changing insecure and unethical practices. This includes a series of blog entries that exposed digital manipulation in World Press Photo’s annual contest (influencing changes in this year’s contest rules) and a paper on fundamental problems with credit card payment systems that led to changes in the Visa security standards.

While this could be a wide-spread extortion racket, it could also be Getty’s way of testing the waters before going after some blog entries where I openly and explicitly criticize them for releasing digitally altered photos.

My primary concern is the chilling effect this could have. If I pay the extortion, then it opens me for more claims from Getty; I have previously criticized them for providing digitally altered photos and performed analysis to prove it. It also opens the way for similar claims from the Associated Press, Reuters, and every other media outlet that I have openly criticized. All of my blog entries that explicitly expose digital misrepresentation, report on media manipulation, and even those that disclose methods for evaluating content will be at risk.

In effect, bowing to this one threatening letter would force me to close my blog since I would no longer be allowed to freely write — report, comment, disclose research, and educate others — on topics related to media manipulation and digital photo analysis. I consider Getty’s attempt to censor my blog’s content to be an unacceptable attack on my freedom of speech.

Darknet - The Darkside: Password Manager Security – LastPass, RoboForm Etc Are Not That Safe

This post was syndicated from: Darknet - The Darkside and was written by: Darknet. Original post: at Darknet - The Darkside

We’ve talked a lot about using a password manager to secure, generate and manage your passwords – way back since 2008 when we introduced you to the Password Hasher Firefox Extension. Since then we’ve also mentioned it multiple times in articles where plain text passwords were leaked during hacks, such as the Cupid Media hack…

Read the full post at darknet.org.uk

Darknet - The Darkside: dirs3arch – HTTP File & Directory Brute Forcing Tool

This post was syndicated from: Darknet - The Darkside and was written by: Darknet. Original post: at Darknet - The Darkside

dirs3arch is a simple command line tool designed to brute force directories and files in websites. It’s an HTTP File & Directory Brute Forcing Tool similar to DirBuster.

Features:

  • Keep-alive connections
  • Multithreaded
  • Detects not-found web pages when 404 errors are masked (.htaccess, web.config, etc.)
  • Recursive brute forcing…

Read the full post at darknet.org.uk

The Hacker Factor Blog: Master of My Domain

This post was syndicated from: The Hacker Factor Blog and was written by: The Hacker Factor Blog. Original post: at The Hacker Factor Blog

I receive all sorts of email. Some real, and some junk. I used to have a lot of fun with the junk mailers. Nearly two decades ago, I would spend a few hours hunting them down. Then I would do really mean things to them. I had created a method of determining the spammer’s motivation based on how their spam content was formed. If you know their motivation, then you know what they value. Attacking the thing they value would cause them to stop spamming. (Seriously — I ended up stopping dozens of spammers.)

For example, “List Makers” would collect mailing lists and then sell them off to other spammers. Their email messages were designed to verify if the email address was valid. One List Maker used a web form for people to “opt out”. (Opting out with his system resulted in even more spam since you validated your mailing address.) I wrote a script to iterate through his web site and acquired his list — and I made sure he noticed it. I then informed a few universities and companies about their addresses that were in the list — allowing them to create better filters. With his list stolen, he had nothing to sell. He rewrote his script to block my IP address. No problem — I relayed through hundreds of proxies and stole his list again — and again I made sure that he knew it was stolen. That’s when he stopped sending spam.

And then there was Jason in Spokane, Washington. He wasn’t very anonymous and he had an open directory with his mailing lists. I had his name and city, but nothing else. That’s when some friends in the UIUC Library school offered to help. (Librarians are really terrifying when they start searching public records. Never piss off a librarian.) In 24 hours, we knew his full name, address, phone number, previous employer, reason he was fired (misusing computers at work), his parents’ contact information, his girlfriend’s info, and much more.

I began posting about this to a UUNet newsgroup. Meanwhile, in an email, I had politely asked Jason to stop spamming. His reply showed a strong control of cut-and-paste but a lack of spelling: he called me a “LOOSER” (not “LOSER”) and replicated the sentence a few dozen times. Then he subscribed my email address to hundreds of newsgroups. Back in 1997, that created a denial-of-service attack by flooding my email box. (I was online at the time and immediately unsubscribed.)

Eventually, I posted his personal information online. I had wanted people to physically protest and picket outside his home. But that isn’t what happened… Instead, something happened that I never expected: Hundreds of people around the world called Jason’s phone number to complain and request no more spam. First Jason stopped answering the phone. Then he changed his phone number. Within hours, someone else found Jason’s new number and posted it. Meanwhile, people found other information that I had not made public: they began calling his church, his parents, and his girlfriend. (“I’m not his girlfriend! I’m just a girl who is his friend, and I’m not even his friend anymore!”)

Jason stopped sending spam. And his friend who actually ran the spam operation also stopped. (He switched from spam to life enhancement and get rich quick products.)

(All of this was long before CAN-SPAM and related legislation was passed.)

Suffice to say, I don’t use a standard spam filter. I have other ways to rapidly filter email.

New Domain!

An email that I received a few weeks ago really got my attention. It was spam, and it said that the domain “fotoforensic.com” was going to be available soon. The spammer wanted me to pay him for the domain name.

I quickly checked the DNS registration information and was startled to see that I was not the listed registrant!

Registry Domain ID: 1804179046_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.godaddy.com
Registrar URL: http://www.godaddy.com
Update Date: 2013-07-15 14:36:48
Creation Date: 2013-05-27 01:32:41
Registrar Registration Expiration Date: 2014-05-27 01:32:41
Registrar: GoDaddy.com, LLC
Registrar IANA ID: 146
Registrar Abuse Contact Email: abuse@godaddy.com
Registrar Abuse Contact Phone: +1.480-624-2505
Domain Status: clientTransferProhibited
Domain Status: clientUpdateProhibited
Domain Status: clientRenewProhibited
Domain Status: clientDeleteProhibited
Registry Registrant ID:
Registrant Name: Nish Patel
Registrant Organization:
Registrant Street: c/o GoDaddy Redemption Services
Registrant Street: 14455 N. Hayden Road, Suite 219
Registrant City: Scottsdale
Registrant State/Province: AZ
Registrant Postal Code: 85260
Registrant Country: United States
Registrant Phone: +1.4805058877
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email:
Registry Admin ID:

I was on the phone — and on hold with GoDaddy — when I realized what was happening. I own “fotoforensics.com” (plural) and this Nish Patel person had registered “fotoforensic.com” (singular). After a year of cybersquatting, he let the domain expire. We were in that period where the domain would cost Patel a huge late fee to reclaim before it goes up for auction.

The guy at GoDaddy was extremely helpful. He pointed out that this was a very rare and lucky situation for me. Since the cybersquatter had used GoDaddy and I used GoDaddy, it meant that it would go to the GoDaddy auction site before going public. If it went public, some other cybersquatter would likely snatch it. But I could grab it before it left GoDaddy. And best of all, I was the only person registered for this domain at the GoDaddy auction.

A while ago, I had received a spam email from a cybersquatter. (Was that a year ago? Two years ago? I didn’t really pay attention.) He had wanted a few hundred dollars for “fotoforensic.com” — I had ignored him and forgotten about it. But then I received this spam email about the domain coming up for grabs. I ended up getting it for $4 — that’s $10 to register for the auction and $10 for the domain, minus $16 in credit that I already had at GoDaddy. A $4 domain is much better than paying hundreds to a cybersquatter.

One of Many

Still, I wanted to know more about this “Nish Patel” guy. As far as I can tell, he is a professional cybersquatter, located in China. Someone with his name has currently registered over 25,000 domain names!

A quick search also turned up lots of lawsuits for cybersquatting and trademark infringement. (Patel lost every one of them.) For example:

  • Lorillard Licensing Company, LLC v. Nish Patel
  • WIPO Arbitration case D2013-1127: Compagnie Générale des Etablissements Michelin v. Nish Patel/Above.com Domain Privacy
  • WIPO Arbitration case D2013-0655: Atos IT Services UK Limited v. Nish Patel/Above.com Domain Privacy
  • WIPO Arbitration case D2013-0114: LEGO Juris A/S v. Above.com Domain Privacy / Ready Asset, Nish Patel

While WIPO arbitration is not free, the $1500 to protest up to five domains is likely cheaper than anything the cybersquatter wants. (If it comes down to it, I’d rather pay the attorneys and WIPO than a cybersquatter.)

Online

The domain auction at GoDaddy closed a few days ago (I won). The domain was transferred to me today and it’s already pointing to FotoForensics.com. This way, if someone types the domain name a little wrong (forgetting the plural), they will still be redirected to the site.

I find it ironic that (1) the cybersquatter got nothing for his effort — and ended up spending more money than me, (2) a spammer notified me about the domain name — and earned nothing for his efforts, and (3) owning the domain actually does help me since I know a few people who have typed the domain name wrong — by forgetting the final ‘s’. This is a good start to the week.

TorrentFreak: Google Services Among 472 Sites Blocked For World Cup ‘Piracy’

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

With the World Cup now heading to its semi-final stages, FIFA and its distribution partners are pushing hard to stem the tide of unauthorized content.

While FIFA has even gone as far as taking action against Twitter avatars, news today shows that its affiliates are also prepared to disrupt the activities of hundreds of sites and countless millions of Internet users if that means protecting their copyrights.

The development follows legal action initiated by Multi Screen Media PVT Ltd, a Sony Entertainment Television subsidiary in India. Earlier this year the company obtained a license from FIFA to broadcast the 2014 World Cup to Bangladesh, Bhutan, India, Maldives, Nepal, Pakistan and Sri Lanka. Of course, content is now being made available elsewhere without permission, so the company has decided to do something about that.

In a statement to the High Court in Delhi, counsel for Multi Screen Media explained that “various websites are indulging in hosting, streaming, providing access to” infringing content causing substantial loss of revenue not just for the company, but also to the government due to lost tax on TV subscription fees.

The list of ‘infringing’ sites supplied to the High Court is huge – 479 sites in all – and contains well known sharing sites including The Pirate Bay, torrent storage site Torrage, 1337x, Demonoid, and dozens of file-hosting sites.

Quite amazingly, however, the list also contains entirely legitimate sites including Google Docs, Google Video, Google URL shortener Goo.gl, and Kim Dotcom’s Mega.co.nz. None escape the criticism of Sony or the High Court.

“Learned counsel for the plaintiff submits that many of the websites [in the list] are anonymous in nature and it is virtually impossible to locate the owners of such websites or contact details of such owners. It is further submitted that many of these Rogue Websites also hide behind domain privacy services offered by various domain name Registrars,” the judge wrote in his decision.

“[Websites] listed below, or any other website identified by the Plaintiff are restrained, from in any manner hosting, streaming, broadcasting, rebroadcasting, retransmitting, exhibiting, making available for viewing and downloading, providing access to and / or communicating to the public, displaying, uploading, modifying, publishing, updating and/or sharing (including to its subscribers and users), through the internet, in any manner whatsoever,” he continued.

With that, Judge V. Kameswar Rao issued an order for the country’s ISPs to block the 479 sites in question – Google’s included – plus “such other websites that may subsequently be notified by the Plaintiff to be infringing of its exclusive rights.”

While the Judge granting a blocking order against Google is bad enough, one has to question how the company’s services ended up on the High Court application in the first place. That is the responsibility of local anti-piracy company Markscan, who compiled the list for Multi Screen Media. Markscan were featured in a TorrentFreak article last month when they sent dozens of erroneous takedown notices to Google, again on behalf of a Sony company.

“We want to assure you that we deploy technology, in addition to best efforts of our teams, to ensure that we do not impact legal content on yours, or any other website,” they told us at the time. Users of Google Docs, Goo.gl and Google Video may beg to differ.

While some local ISPs have already initiated blockades, Google told Indian news outlet Medianama that there had been “no interruption of our services mentioned in the order.”

The High Court order was issued June 23, alongside an instruction to distribute the summons to the defendant sites by July 22, 2014.

Update: MediaNama is reporting that it has obtained a copy of an updated court order that isn’t yet available on the Delhi High Court website. The update reveals blocking requests for 219 sites, down from the 472 in the original order. No Google websites are in the updated list but many torrent and other file-sharing sites remain.

Original List of 472 Sites to Be Blocked

Source: TorrentFreak, for the latest info on copyright, file-sharing and anonymous VPN services.

The Hacker Factor Blog: Web Exploits from Microsoft

This post was syndicated from: The Hacker Factor Blog and was written by: The Hacker Factor Blog. Original post: at The Hacker Factor Blog

Last week was very depressing. Right now, I’m just trying to get back into the swing of work and programming to help me past the shock. (There was a death in my family.) Until things get back to normal, here’s a topic that I’ve been meaning to write about…

Microsoft Web Errors

For the longest time, the web logs at FotoForensics have had a periodic error message. Since the error doesn’t hurt anything, I never paid it much attention. The error looks like:

[Tue Mar 04 03:17:12 2014] [error] [client 157.55.33.80] (36)File name too long: access to /)\xc3
\x83\xc6\x92\xc3\x86\xe2\x80\x99\xc3\x83\xe2\x80\xb9\xc3\x85\xe2\x80\x9c\xc3\x83\xc6\x92\xc3\xa2\xe2\x82
\xac\xc5\xa1\xc3\x83\xe2\x80\x9a\xc3\x82\xc2\xb5\xc3\x83\xc6\x92\xc3\x86\xe2\x80\x99\xc3\x83\xe2\x80\x9a
\xc3\x82\xc2\xaf\xc3\x83\xc6\x92\xc3\xa2\xe2\x82\xac\xc5\xa1\xc3\x83\xe2\x80\x9a\xc3\x82\xc2\xbf\xc3\x83
\xc6\x92\xc3\xa2\xe2\x82\xac\xc5\xa1\xc3\x83\xe2\x80\x9a\xc3\x82\xc2\xbd\xc3\x83\xc6\x92\xc3\x86\xe2\x80
\x99\xc3\x83\xe2\x80\xa0\xc3\xa2\xe2\x82\xac\xe2\x84\xa2\xc3\x83\xc6\x92\xc3\xa2\xe2\x82\xac\xc5\xa1\xc3
\x83\xe2\x80\x9a\xc3\x82\xc2\xaf\xc3\x83\xc6\x92\xc3\x86\xe2\x80\x99\xc3\x83\xc2\xa2\xc3\xa2\xe2\x80\x9a
\xc2\xac\xc3\x85\xc2\xa1\xc3\x83\xc6\x92\xc3\xa2\xe2\x82\xac\xc5\xa1\xc3\x83\xe2\x80\x9a\xc3\x82\xc2\xbf
\xc3\x83\xc6\x92\xc3\x86\xe2\x80\x99\xc3\x83\xc2\xa2\xc3\xa2\xe2\x80\x9a\xc2\xac\xc3\x85\xc2\xa1\xc3\x83
\xc6\x92\xc3\xa2\xe2\x82\xac\xc5\xa1\xc3\x83\xe2\x80\x9a\xc3\x82\xc2\xbd\xc3\x83\xc6\x92\xc3\x86\xe2\x80
\x99\xc3\x83\xe2\x80\xb9\xc3\x85\xe2\x80\x9c\xc3\x83\xc6\x92\xc3\xa2\xe2\x82\xac\xc5\xa1\xc3\x83\xe2\x80
\x9a\xc3\x82\xc2\xb1\xc3\x83\xc6\x92\xc3\x86\xe2\x80\x99\xc3\x83\xe2\x80\xb9\xc3\x85\xe2\x80\x9c\xc3\x83
\xc6\x92\xc3\xa2\xe2\x82\xac\xc5\xa1\xc3\x83\xe2\x80\x9a\xc3\x82\xc2\xa9: failed

The key elements are the “File name too long: access to” and a bunch of binary garbage. On my server, this type of error appears a few times daily. The IP address varies, but (almost) always traces to Microsoft in Redmond, Washington. The IP addresses appear to be associated with Microsoft web bots that scan and index the Internet.

Looking up the error message with Google shows many other people who have noticed this same thing. Some of the postings date back to 2005.

Most of the forums focus on the error message and end with no conclusion beyond “it’s harmless”. A few of the postings did mention that it mainly comes from Microsoft and seems to be associated with the Bing search bot.
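To spot these probes in your own logs rather than waiting to notice them, here is an added example (not code from the original post) that parses Apache 2.2 style error.log lines, keeps only the “File name too long” events described above, decodes Apache’s \xNN log escapes to measure the real request-path length, and summarises the events per client IP. The sample log lines are constructed: 157.55.33.80 is the address quoted in the post, while the other addresses, times and paths are made up.

```python
"""Spot Apache "File name too long" probes in an error.log.

Added example, not code from the original post.  Parses Apache 2.2 style
error.log lines, keeps the "(36)File name too long" events, decodes the
\\xNN escapes Apache uses for non-printable request bytes, and aggregates
the events per client IP.  The sample log is constructed for illustration.
"""
import re
from datetime import datetime

# Apache 2.2 error-log layout: [timestamp] [level] [client IP] message
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] \[client (?P<ip>[^\]]+)\] (?P<msg>.*)$"
)
# The message the post quotes; errno 36 is ENAMETOOLONG on Linux.  The path is
# everything between "access to " and the trailing "failed" (the post's copy
# shows a colon before "failed", so the colon is optional here).
TOO_LONG_RE = re.compile(
    r"^\(\d+\)File name too long: access to (?P<path>.*?):? failed$"
)
# Apache writes non-printable request bytes into the log as \xNN escapes.
ESCAPE_RE = re.compile(r"\\x([0-9a-fA-F]{2})")
TS_FORMAT = "%a %b %d %H:%M:%S %Y"

# Constructed sample log (raw string so the \xNN escapes stay literal).
# 157.55.33.80 is the IP quoted in the post; everything else is made up.
SAMPLE_LOG = r"""
[Tue Mar 04 03:17:12 2014] [error] [client 157.55.33.80] (36)File name too long: access to /)\xc3\x83\xc6\x92\xc3\x86\xe2\x80\x99: failed
[Tue Mar 04 03:18:40 2014] [error] [client 192.0.2.10] File does not exist: /var/www/favicon.ico
[Tue Mar 04 09:05:01 2014] [error] [client 157.55.33.80] (36)File name too long: access to /upload.php)\xc3\x83\xc6\x92\xc3\x86: failed
[Wed Mar 05 11:42:07 2014] [error] [client 157.55.33.81] (36)File name too long: access to /)\xc3\x83\xc6\x92: failed
[Wed Mar 05 11:42:08 2014] [notice] [client 198.51.100.7] Some other notice
""".strip("\n")


def unescape_apache_path(path: str) -> bytes:
    """Turn Apache's \\xNN log escapes back into the raw request bytes."""
    out = bytearray()
    pos = 0
    for m in ESCAPE_RE.finditer(path):
        out += path[pos:m.start()].encode("ascii", "replace")
        out.append(int(m.group(1), 16))
        pos = m.end()
    out += path[pos:].encode("ascii", "replace")
    return bytes(out)


def find_long_name_probes(log_text: str) -> list:
    """Return one record per 'File name too long' event, in log order."""
    probes = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["level"] != "error":
            continue
        t = TOO_LONG_RE.match(m["msg"])
        if not t:
            continue
        raw = unescape_apache_path(t["path"])
        probes.append({
            "time": datetime.strptime(m["ts"], TS_FORMAT),
            "ip": m["ip"],
            "path": t["path"],
            "path_bytes": len(raw),   # real length of what the client sent
        })
    return probes


def summarize_by_client(probes: list) -> dict:
    """Aggregate probes per client IP: count, first/last seen, longest path."""
    summary = {}
    for p in probes:
        s = summary.setdefault(p["ip"], {
            "count": 0, "first": p["time"], "last": p["time"], "max_path_bytes": 0,
        })
        s["count"] += 1
        s["first"] = min(s["first"], p["time"])
        s["last"] = max(s["last"], p["time"])
        s["max_path_bytes"] = max(s["max_path_bytes"], p["path_bytes"])
    return summary


if __name__ == "__main__":
    report = summarize_by_client(find_long_name_probes(SAMPLE_LOG))
    for ip, s in sorted(report.items(), key=lambda kv: -kv[1]["count"]):
        print(f"{ip:16} probes={s['count']} first={s['first']:%Y-%m-%d %H:%M} "
              f"last={s['last']:%Y-%m-%d %H:%M} longest_path={s['max_path_bytes']}B")
```

Feed it a real error.log instead of SAMPLE_LOG and the per-IP report shows which clients are sending the over-long paths and how often, which is the first thing to check before deciding whether they are harmless crawler noise.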

Cause and Effect

Last month, I tracked down the cause of this error. I configured my test server just like the FotoForensics system and submitted the same URL to it. I managed to reproduce the same error message in the error.log file. I then began stripping out fields in my .htaccess file until the error went away.

The cause is pretty straightforward: enabling Apache’s mod_rewrite is all it takes to cause this error. It appears that mod_rewrite uses a fixed buffer length and this URL is too long for the buffer. The error message is harmless and the client receives an HTTP 403 error message. Between the URL being invalid and the overflow being caught, this seems to be a harmless error.

Except…

I have trouble believing that Microsoft would be doing this by accident. I mean, they have been doing this since at least 2005. According to Wikipedia, Bing was not introduced until 2009 (sounds right to me). In early 2005, Bing’s predecessor (MSN Search) introduced a picture search engine. I’m sure there were other changes to their search engine, but that’s about the time when this type of error began to appear.

If it was a bug, I would have expected it to stop or change when they rolled out Bing. Since it did not stop, it appears to be intentional.

Hidden Purpose

I don’t mind if errors show up in my web logs, but I don’t want users to see errors. Seeing a generic “File not found” does not help users who want to find the file. I actually like how 4chan returns a random web page that clearly tells the user that the content is no longer available. But at minimum, I want to return a blank web page.

While trying to return a blank page, I noticed how this bug really works…

Apache permits every directory to have a .htaccess file for controlling or restricting access. This gives users directory-level control. If I want to return a blank page in place of an HTTP 403 error message, I can simply add a control line to my .htaccess file:

ErrorDocument 403 " "

This line says to return a fixed string whenever there is a 403 error. And the fixed string is a single space. The result is a blank web page.

The problem is, this line didn’t work as long as I had “RewriteEngine on” in my .htaccess file (enabling mod_rewrite). Apache seems to process mod_rewrite before the ErrorDocument line, even if the ErrorDocument line comes first in the file.

The default Apache 403 error message is pretty basic. It returns a very simple error page:

Forbidden

You don’t have permission to access /)\xc3\x83\xc6\x92\xc3\x86\xe2\x80\x99\xc3\x83\xe2\x80\xb9\xc3\x85\xe2
\x80\x9c\xc3\x83\xc6\x92\xc3\xa2\xe2\x82\xac\xc5\xa1\xc3\x83\xe2\x80\x9a\xc3\x82\xc2\xb5\xc3\x83\xc6\x92
\xc3\x86\xe2\x80\x99\xc3\x83\xe2\x80\x9a\xc3\x82\xc2\xaf\xc3\x83\xc6\x92\xc3\xa2\xe2\x82\xac\xc5\xa1\xc3
\x83\xe2\x80\x9a\xc3\x82\xc2\xbf\xc3\x83\xc6\x92\xc3\xa2\xe2\x82\xac\xc5\xa1\xc3\x83\xe2\x80\x9a\xc3\x82
\xc2\xbd\xc3\x83\xc6\x92\xc3\x86\xe2\x80\x99\xc3\x83\xe2\x80\xa0\xc3\xa2\xe2\x82\xac\xe2\x84\xa2\xc3\x83
\xc6\x92\xc3\xa2\xe2\x82\xac\xc5\xa1\xc3\x83\xe2\x80\x9a\xc3\x82\xc2\xaf\xc3\x83\xc6\x92\xc3\x86\xe2\x80
\x99\xc3\x83\xc2\xa2\xc3\xa2\xe2\x80\x9a\xc2\xac\xc3\x85\xc2\xa1\xc3\x83\xc6\x92\xc3\xa2\xe2\x82\xac\xc5
\xa1\xc3\x83\xe2\x80\x9a\xc3\x82\xc2\xbf\xc3\x83\xc6\x92\xc3\x86\xe2\x80\x99\xc3\x83\xc2\xa2\xc3\xa2\xe2
\x80\x9a\xc2\xac\xc3\x85\xc2\xa1\xc3\x83\xc6\x92\xc3\xa2\xe2\x82\xac\xc5\xa1\xc3\x83\xe2\x80\x9a\xc3\x82
\xc2\xbd\xc3\x83\xc6\x92\xc3\x86\xe2\x80\x99\xc3\x83\xe2\x80\xb9\xc3\x85\xe2\x80\x9c\xc3\x83\xc6\x92\xc3
\xa2\xe2\x82\xac\xc5\xa1\xc3\x83\xe2\x80\x9a\xc3\x82\xc2\xb1\xc3\x83\xc6\x92\xc3\x86\xe2\x80\x99\xc3\x83
\xe2\x80\xb9\xc3\x85\xe2\x80\x9c\xc3\x83\xc6\x92\xc3\xa2\xe2\x82\xac\xc5\xa1\xc3\x83\xe2\x80\x9a\xc3\x82
\xc2\xa9
on this server.


Apache/2.2.22 (Ubuntu) Server at test-server Port 80

And there it is! The error identifies the server’s version information at the bottom of the error message. Moreover, a user-level .htaccess file cannot prevent this version information from being disclosed. Microsoft is intentionally exploiting this bug so that they can collect information about the server and version being used. This way, Microsoft can tell how many servers are running Apache (and what versions). This is a boon for competitive marketing and market share statistics.

At this point, I expect people to point out that my HTTP header already says the server and version in the HTTP “Server” field. However, the Server field reflects the front-end server, even if the request is actually processed by some back-end server. (Web servers can be chained together.) In contrast, the error message comes from any back-end server that processed the request. In my configuration, the front-end and back-end are the same. However, that isn’t the case for many banks, social networks, and large-scale web services. In effect, Microsoft is harvesting the version information found on the back-end servers.

Keep in mind, this information disclosure does not stop with one URL. Microsoft appends the long garbage characters to lots of different URLs on my site. If any URL silently redirects to a different server, then Microsoft will be able to see the version string change. This permits Microsoft to map out my back-end server architecture.

Mitigating Exposure

So how do you stop this information disclosure? The answer is relatively easy: place the ErrorDocument line in the only configuration file that is processed prior to the user-level .htaccess files. On my server, that’s “/etc/apache2/httpd.conf”. By default, the httpd.conf file is empty. On my server, it now contains one line:

ErrorDocument 403 " "

You’ll need to restart the server when you change the httpd.conf file. And make absolutely sure that the httpd.conf file does not contain “RewriteEngine on” — or else the ErrorDocument line will not be processed.

With this change, the server will always return a blank page instead of the default 403 error message. The errors still appear in my error.log file, but the user’s browser only sees a 403 error code with a single space web page. Moreover, Microsoft seems to have noticed that I made this change. They used to send garbage to my server a few times every day. Since making this configuration change, Microsoft reduced their garbage queries (8 in the last week, and only on Sundays and Wednesdays).

TorrentFreak: Tough New Piracy Law Sees No Takers in More Than a Year

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

For many years regular file-sharers in Norway have been largely free to go about their business with little concern for the consequences. A 2011 decision disallowed the only entity licensed to collect information on P2P networks from doing so, meaning that tracking pirates without permission would breach privacy laws.

In 2011 under significant rightsholder pressure, the Ministry of Culture announced amendments to the country’s Copyright Act alongside promises to give the entertainment industries the tools to go after pirates. Two years later in July 2013 the new law went into effect and as promised it gave the pirate hunters a sporting chance.

Out went the days of restrictions on P2P user monitoring and in came a system whereby groups seeking to spy on pirates only needed to get permission from the country’s Data Inspectorate. The big MPAA affiliates obtained permission within the first few months and promised to target uploaders, but what followed next?

Since it’s been a full 12 months since the start of the new law and seven months since the MPA obtained clearance to monitor, Hardware.no filed some questions with the Ministry of Culture to find out the state of play. It also contacted the Post and Telecommunications Authority to find out if any personal details of file-sharers had been handed over to copyright holders.

“The short answer is no,” said Deputy Director Elisabeth Aarsæther.

“From our point of view it looks like the word ‘share’ means go ahead and ‘steal’ among users. I cannot say for certain that nothing will happen going forward, but we have not received any requests so far.”

Aarsæther said that the lack of requests might have something to do with the greater number of legal services now available online. However, there also appears to be a lack of interest from copyright holders who only need to register with the authorities in order to collect IP addresses.

“We took stock moments ago, and we have not received any new messages in a long time,” senior Data Inspectorate adviser Guro Skåltveit told Hardware. “There are currently twelve entities who have advised us and can now collect data.”

Eleven of that dozen registered back in the fall of 2013, and they include a successful application from the Norwegian Pirate Party. Thus far in 2014 there has only been one new application. None have sought personal details.

Finally the new law allows for the blocking of sites confirmed to breach copyright law, but again there has been little visible movement on that front. The industries’ main target, the infamous Pirate Bay, remains accessible in the country despite threats to have it blocked in court. However, this process was expected to take some time, particularly since local ISPs are refusing to do anything voluntarily.

After lobbying hard for new laws over many years one might have expected rightsholders to use every tool available to them as quickly as possible, but for some reason they’re gathering dust 12 months on. It may well be that chasing down individuals has become unpalatable, especially alongside efforts to woo consumers with better legal offerings.

Time will tell what the strategy is going forward, but for now Norwegian file-sharers can rest easy. Their next challenge probably won’t be a letter in the post, but the puzzle of how to unblock The Pirate Bay.


LWN.net: Schneier: NSA Targets Privacy Conscious for Surveillance

This post was syndicated from: LWN.net and was written by: jake. Original post: at LWN.net

Bruce Schneier has a good summary of recently reported information about the US National Security Agency (NSA) targeting of users searching for or reading information about Tor and The Amnesic Incognito Live System (Tails), which certainly could include readers of this site. “Jake Appelbaum et al. are reporting on XKEYSCORE selection rules that target users — and people who just visit the websites of — Tor, Tails, and other sites. This isn’t just metadata; this is “full take” content that’s stored forever. [...] It’s hard to tell how extensive this is. It’s possible that anyone who clicked on this link — with the embedded torproject.org URL above — is currently being monitored by the NSA. It’s possible that this only will happen to people who receive the link in e-mail, which will mean every Crypto-Gram subscriber in a couple of weeks. And I don’t know what else the NSA harvests about people who it selects in this manner.

Whatever the case, this is very disturbing.” Also see reports in Linux Journal (which was specifically noted in the XKeyscore rules) and Boing Boing.

Schneier on Security: NSA Targets the Privacy-Conscious for Surveillance

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

Jake Appelbaum et al. are reporting on XKEYSCORE selection rules that target users — and people who just visit the websites of — Tor, Tails, and other sites. This isn’t just metadata; this is “full take” content that’s stored forever.

This code demonstrates the ease with which an XKeyscore rule can analyze the full content of intercepted connections. The fingerprint first checks every message using the “email_address” function to see if the message is to or from “bridges@torproject.org”. Next, if the address matched, it uses the “email_body” function to search the full content of the email for a particular piece of text – in this case, “https://bridges.torproject.org/”. If the “email_body” function finds what it is looking for, it passes the full email text to a C++ program which extracts the bridge addresses and stores them in a database.

[...]

It is interesting to note that this rule specifically avoids fingerprinting users believed to be located in Five Eyes countries, while other rules make no such distinction. For instance, the following fingerprint targets users visiting the Tails and Linux Journal websites, or performing certain web searches related to Tails, and makes no distinction about the country of the user.

[...]

There are also rules that target users of numerous other privacy-focused internet services, including HotSpotShield, FreeNet, Centurian, FreeProxies.org, MegaProxy, privacy.li and an anonymous email service called MixMinion as well as its predecessor MixMaster. The appid rule for MixMinion is extremely broad as it matches all traffic to or from the IP address 128.31.0.34, a server located on the MIT campus.

It’s hard to tell how extensive this is. It’s possible that anyone who clicked on this link — with the embedded torproject.org URL above — is currently being monitored by the NSA. It’s possible that this only will happen to people who receive the link in e-mail, which will mean every Crypto-Gram subscriber in a couple of weeks. And I don’t know what else the NSA harvests about people who it selects in this manner.

Whatever the case, this is very disturbing.

EDITED TO ADD (7/3): The BoingBoing story says that this was first published on Tagesschau. Can someone who can read German please figure out where this originated.

And, since Cory said it, I do not believe that this came from the Snowden documents. I also don’t believe the TAO catalog came from the Snowden documents. I think there’s a second leaker out there.

EDITED TO ADD (7/3): More news stories. Thread on Reddit. I don’t expect this to get much coverage in the US mainstream media.

EDITED TO ADD (7/3): Here is the code. In part:

// START_DEFINITION
/*
These variables define terms and websites relating to the TAILs (The Amnesic
Incognito Live System) software program, a comsec mechanism advocated by
extremists on extremist forums.
*/

$TAILS_terms=word('tails' or 'Amnesiac Incognito Live System') and word('linux'
or ' USB ' or ' CD ' or 'secure desktop' or ' IRC ' or 'truecrypt' or ' tor ');
$TAILS_websites=('tails.boum.org/') or ('linuxjournal.com/content/linux*');
// END_DEFINITION

// START_DEFINITION
/*
This fingerprint identifies users searching for the TAILs (The Amnesic
Incognito Live System) software program, viewing documents relating to TAILs,
or viewing websites that detail TAILs.
*/
fingerprint('ct_mo/TAILS')=
fingerprint('documents/comsec/tails_doc') or web_search($TAILS_terms) or
url($TAILS_websites) or html_title($TAILS_websites);
// END_DEFINITION
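To see how broad these definitions are, here is the TAILS fingerprint and the bridges@torproject.org e-mail rule described above re-expressed as plain Python. This is an added analysis example, not XKeyscore code: the leak does not document the semantics of word(), url() or html_title(), so case-insensitive substring matching over space-padded text and a trailing '*' wildcard are assumed, and the Event and Mail records are constructed stand-ins for intercepted traffic.

```python
"""The published XKeyscore TAILS fingerprint and the bridges mail rule, as Python.

Added analysis example, not XKeyscore code. Assumed semantics (not documented
in the leak): word()/url()/html_title() do case-insensitive substring matching
over space-padded text, so ' USB ' needs word boundaries but 'tails' does not,
and a trailing '*' in a website pattern is a wildcard.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# $TAILS_terms = word(A) and word(B), copied from the published rule
TAILS_TERMS_A = ("tails", "amnesiac incognito live system")
TAILS_TERMS_B = ("linux", " usb ", " cd ", "secure desktop", " irc ", "truecrypt", " tor ")
# $TAILS_websites
TAILS_WEBSITES = ("tails.boum.org/", "linuxjournal.com/content/linux*")


def word(text: str, terms) -> bool:
    """Assumed word(): any term is a substring of the lower-cased, space-padded text."""
    haystack = f" {text.lower()} "
    return any(term.lower() in haystack for term in terms)


def site_match(value: str, patterns) -> bool:
    """Assumed url()/html_title(): pattern is a substring; trailing '*' is a wildcard."""
    value = value.lower()
    return any(p.rstrip("*").lower() in value for p in patterns)


def tails_terms(text: str) -> bool:
    """$TAILS_terms: one TAILS term AND one context term must both be present."""
    return word(text, TAILS_TERMS_A) and word(text, TAILS_TERMS_B)


@dataclass
class Event:
    """Constructed stand-in for one intercepted web session."""
    search: str = ""
    url: str = ""
    title: str = ""
    tagged_documents: List[str] = field(default_factory=list)


def fingerprint_tails(ev: Event) -> List[str]:
    """Return the clauses of fingerprint('ct_mo/TAILS') that fire for this event."""
    hits = []
    if "documents/comsec/tails_doc" in ev.tagged_documents:
        hits.append("documents/comsec/tails_doc")
    if ev.search and tails_terms(ev.search):
        hits.append("web_search")
    if ev.url and site_match(ev.url, TAILS_WEBSITES):
        hits.append("url")
    if ev.title and site_match(ev.title, TAILS_WEBSITES):
        hits.append("html_title")
    return hits


@dataclass
class Mail:
    """Constructed stand-in for one intercepted e-mail."""
    sender: str
    recipients: List[str]
    body: str


BRIDGE_ADDR = "bridges@torproject.org"
BRIDGE_MARKER = "https://bridges.torproject.org/"


def bridge_request_rule(msg: Mail) -> Optional[str]:
    """The bridges rule as the text describes it: address match first, then body search.

    Returns the body the rule would hand on to the extractor, or None if it does not fire.
    The extractor itself is not reproduced here; its input format is not on the page."""
    addrs = [msg.sender.lower()] + [r.lower() for r in msg.recipients]
    if BRIDGE_ADDR not in addrs:
        return None
    if BRIDGE_MARKER not in msg.body:
        return None
    return msg.body


if __name__ == "__main__":
    samples = [
        Event(search="how do I install tails on a USB stick"),
        Event(search="puppy tails are cute"),
        Event(url="http://www.linuxjournal.com/content/linux-security-tips"),
    ]
    for ev in samples:
        print(ev, "->", fingerprint_tails(ev) or "no match")
```

Under the assumed substring semantics, "details about linux distros" also fires $TAILS_terms, which is one way the overbreadth the text complains about shows up.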

Hacker News and Slashdot threads. ArsTechnica and Wired articles.

EDITED TO ADD (7/4): EFF points out that it is illegal to target someone for surveillance solely based on their reading:

The idea that it is suspicious to install, or even simply want to learn more about, tools that might help to protect your privacy and security underlies these definitions — and it’s a problem. Everyone needs privacy and security, online and off. It isn’t suspicious to buy curtains for your home or lock your front door. So merely reading about curtains certainly shouldn’t qualify you for extra scrutiny.

Even the U.S. Foreign Intelligence Surveillance Court recognizes this, as the FISA prohibits targeting people or conducting investigations based solely on activities protected by the First Amendment. Regardless of whether the NSA is relying on FISA to authorize this activity or conducting the spying overseas, it is deeply problematic.

Schneier on Security: Goldman Sachs Demanding E-Mail Be Deleted

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

Goldman Sachs is going to court to demand that Google retroactively delete an e-mail it accidentally sent.

The breach occurred on June 23 and included “highly confidential brokerage account information,” Goldman said in a complaint filed last Friday in a New York state court in Manhattan.

[...]

Goldman said the contractor meant to email her report, which contained the client data, to a “gs.com” account, but instead sent it to a similarly named, unrelated “gmail.com” account.

The bank said it has been unable to retrieve the report or get a response from the Gmail account owner. It said a member of Google’s “incident response team” reported on June 26 that the email cannot be deleted without a court order.

“Emergency relief is necessary to avoid the risk of inflicting a needless and massive privacy violation upon Goldman Sachs’ clients, and to avoid the risk of unnecessary reputational damage to Goldman Sachs,” the bank said.

“By contrast, Google faces little more than the minor inconvenience of intercepting a single email – an email that was indisputably sent in error,” it added.

EDITED TO ADD (7/7): Google deleted the unread e-mail, without waiting for a court order.

The Hacker Factor Blog: Needing a Time Out

This post was syndicated from: The Hacker Factor Blog and was written by: The Hacker Factor Blog. Original post: at The Hacker Factor Blog

I’m not a big sports fan. I think American Football is too slow — 10 seconds of action followed by 12 minutes of watching big guys in spandex stand around doesn’t do it for me. Basketball has evolved to a game for tall people who can make baskets from anywhere in the court… so why do they even bother running around? Want to make basketball exciting? Add obstacles and make the baskets move around!

Non-American Football (aka soccer) is too exhausting — the people keep running and there are not many points. Also, I think the game is too violent (in the stands, not on the field). If I want to watch a low-point high-excitement game, I’ll watch ice hockey. Lots of action, lots of strategy, and the fights are among the players. Blood bounces on ice, slashing is illegal, and when players fall down, they ain’t faking it.

While I do not care much for sports, I find the technologies behind the scenes to be fascinating. The cameras, motion tracking technologies, synchronized clocks, high-speed networks, and real-time computation infrastructures are just amazing. The few stadiums that I have toured have had almost as much digital security as a Las Vegas casino. The network operation center (NOC) at most stadiums rivals the NOC at Defcon. (At Defcon, good luck getting to the NOC’s door. And I doubt you’ll get past the doorway.)

If you do manage to get into the NOC, then everything sensitive is hidden, every place you stand is pre-planned, and everything you touch is closely watched.

World Cup Soccer Football

Over the last 24 hours, there has been a story about the World Cup wifi password being captured in a photo.

The big screen on the right side shows login information for a wireless network. The wireless identifier (SSID) says “WORLDCUP” and the password is “b5a2112014”. The news articles all report this as being a huge security lapse since the photo reveals this sensitive information.

Here’s a few sample news articles about the photo:

  • The Hacker News: FIFA World Cup Security Team Accidentally Reveals their Wi-Fi Password
  • Geek.com: World Cup 2014 Wi-Fi password accidentally shared with the world
  • International Business Times: World Cup Security Overlord Accidentally Reveals Internal Wi-Fi Password in Epic Fail
  • Popular Mechanics: Whoops! World Cup Security Shares Its Wi-Fi Password With the World
  • Gizmodo: World Cup Security Team Accidentally Shares Its Awful Wi-Fi Password

Most of the news articles do not identify when this photo was taken. At best, they cite Twitter postings from June 23-25. And most articles do not cite any direct sources.

Dated News

The oldest version of the picture that I know of is from June 22nd:
http://imgsapp2.correiobraziliense.com.br/app/noticia_127983242361/2014/06/22/433890/20140621233924335925i.jpg

The URL to the picture contains the timestamp “2014/06/22”. The photo also contains a timestamp in the filename: 2014-06-21 23:39:24 (20140621233924). However, we don’t know the timezone used for either timestamp. Assuming the timestamps reflect the photo’s time and the news article’s time, then it means the photo was taken before the news article was written. (Good — I’d be concerned if the article came before the photo.)

There is a third timestamp provided by the web server. The “Last-Modified” header embedded in the HTTP request denotes when the file was uploaded to the server: Last-Modified Mon, 23 Jun 2014 23:46:46 GMT. As far as I can tell, the photo was captured late on June 21st, post-processed (resized, recolored, and possibly cropped), associated with a story on June 22, and uploaded to the server on June 23rd. (Since I have yet to see a full-sized near-original version of this picture, I will simply assume that it has not been digitally altered.)
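The three timestamps compared above can be pulled out and ordered mechanically. The following is an added example, not the post’s own code: it parses the date in the URL path, the YYYYMMDDhhmmss prefix of the filename, and a constructed Last-Modified header carrying the value the post reports, and it attaches an explicitly assumed time zone to the two unzoned stamps before comparing them.

```python
"""Extract and order the timestamps a hosted photo carries in its URL path,
its filename and its HTTP Last-Modified header.

Added example, not the post's own code. The URL is the one quoted in the post;
the response header is constructed with the value the post reports. The URL
and filename stamps have no time zone, so they are parsed as naive datetimes
and only compared after an assumed zone is attached.
"""
import re
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlparse

PHOTO_URL = ("http://imgsapp2.correiobraziliense.com.br/app/noticia_127983242361/"
             "2014/06/22/433890/20140621233924335925i.jpg")
# Constructed header, carrying the Last-Modified value reported in the post.
RESPONSE_HEADERS = {"Last-Modified": "Mon, 23 Jun 2014 23:46:46 GMT"}

PATH_DATE = re.compile(r"/(\d{4})/(\d{2})/(\d{2})/")
FILENAME_STAMP = re.compile(r"(\d{4})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})")


def path_date(url: str) -> Optional[datetime]:
    """Date embedded in the URL path (here, the story's publication date), naive."""
    m = PATH_DATE.search(urlparse(url).path)
    return datetime(*map(int, m.groups())) if m else None


def filename_stamp(url: str) -> Optional[datetime]:
    """YYYYMMDDhhmmss prefix of the filename (here, the likely capture time), naive."""
    name = urlparse(url).path.rsplit("/", 1)[-1]
    m = FILENAME_STAMP.match(name)
    return datetime(*map(int, m.groups())) if m else None


def last_modified(headers: Dict[str, str]) -> Optional[datetime]:
    """Last-Modified header (RFC 1123 date) as a timezone-aware datetime."""
    value = headers.get("Last-Modified")
    return parsedate_to_datetime(value) if value else None


def timeline(url: str, headers: Dict[str, str],
             assumed_tz: timezone = timezone(timedelta(hours=-3))
             ) -> Tuple[List[Tuple[str, datetime]], timedelta]:
    """Order the three stamps and return (ordered events, capture-to-upload span).

    assumed_tz is attached to the two unzoned stamps; the default (UTC-3, Brazil's
    zone at the time) is an assumption, since the post notes the zone is unknown."""
    events = {
        "filename (capture?)": filename_stamp(url).replace(tzinfo=assumed_tz),
        "url path (article)": path_date(url).replace(tzinfo=assumed_tz),
        "Last-Modified (upload)": last_modified(headers),
    }
    ordered = sorted(events.items(), key=lambda kv: kv[1])
    span = ordered[-1][1] - ordered[0][1]
    return ordered, span


if __name__ == "__main__":
    ordered, span = timeline(PHOTO_URL, RESPONSE_HEADERS)
    for label, when in ordered:
        print(f"{label:24s} {when.isoformat()}")
    print(f"capture to upload: {span}")
```

Whichever zone is assumed for the unzoned stamps, the capture-to-upload gap comes out between 45 and 48 hours, which is the "nearly 48 hours" the post works from.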

I see a few possible reasons for delaying the photo by nearly 48 hours. For example, maybe someone thought the picture was not interesting. It took a few days for someone to decide it was newsworthy.

Another option is that they were planning to use the picture later. In particular, June 23rd was the same day that Croatia played Mexico and Croatia’s flag is on the front monitors. It makes sense that they would use the photo to discuss the game.

Then again, this picture has definitely been resized and post-processed. I have no idea where the hosting site found the picture. I may not be looking at the oldest online version — the delay may represent the time it took to propagate to this web site.

In any case, it took about 24 hours for someone to notice the wifi password and post it to Twitter. Then it took another 4-5 days to be picked up by the mass media.

Newsworthy

Now we know that the media is reporting on old news. The second question is: how bad is this information leak?

Keep in mind: We don’t know if that password was sensitive or intended to be accessible. I have been in many locations where the wifi password was prominently displayed for everyone in the area. My local coffee shop has a sign taped to the cash register: “The Wireless Password is: BUYSOMETHING”. The oil change place that I use has their wireless password on a sign behind the register (it’s the manager’s name). I have even seen sensitive network operation centers with the wifi password written on whiteboards.

If this World Cup password was sensitive, then I am certain that it was changed long before the major media outlets reported on the story.

If it is not sensitive, then perhaps they didn’t care if the password was public — maybe it was intended for site visitors. Maybe it is intended for everyone.

And how accessible is this wifi access point? If wireless access requires you to be in the shielded room of their NOC, then disclosing the password creates ZERO additional risk since it is not accessible by anyone outside the room. (And if the risk is standing inside the room, then they have bigger concerns than the wifi password.)

Room with a View

The photo allegedly shows the IT security team and the configuration of the room is typical for a NOC or datacenter. There’s the individual operator workstations and the NOC screens at the front of the room for sharing information. If there is any ongoing activity, the operators can readily share the information on the big screens. This allows them to work independently or as a team.

In fact, the only thing that I find odd is the lack of a telephone at each desk. Every NOC that I have seen has had at least one telephone within reach of each desk.

The photo of the room also shows a few other things:

  • There is no activity on the big screens. If the NOC is not in use, then the screens are usually powered off. If the NOC is in use, then the screens will contain information — anything from network dumps and traffic analysis to camera feeds or news coverage. In the photo, the screens show big banners that, to me, appear to have been placed there for the photographer.

    For a comparison, consider the view of the NOC when President Bush visited the NSA back in 2006:

    Bush and his entourage are standing in front of the main screens. The screens show various network monitoring tools. (And even this was certainly a photo-op and not mission critical information.)

  • There are only two people “working” in the World Cup’s NOC. They are sitting at the front desk and staring at blank monitors. If there is anything on the monitors, it is not visible from this photo. The vertical monitor looks like it has an open web browser with a blank web page.

    If this NOC were actually in use, I would expect to see more people and more activity on their monitors. And while people might lean over and work at the same station, they are more likely to work at their own desks. Again, to me this looks staged for a photo-op. It would not surprise me if there were other people in the room, standing outside the camera’s view.

If they took the time to cover the screens, hide content from the monitors, and pose NOC workers, then I have no doubt that everything shown in the photo has been cleared for release. This includes the wifi login information seen on the right-most front display.

OMG! THE SKY IS BLUE!

The folks at Hacker News wrote:

Wifi Network: WORLDCUP
Password: b5a2112014

The password appears to be “brazil2014” in leet speak. I think it’s completely unguessable and the most secure one for this highly considered World Cup event. Haaa!

Yes, Hacker News actually wrote “Haaa!”

If this wireless login information was intended to be private, then this would be embarrassing. However, if they wanted it to be private, then they probably would not have remembered to cover every screen and clear the room except for the sensitive login information on the screen. Moreover, I doubt that they would set the private SSID to be “WORLDCUP”. (Every NOC that I have seen uses random letters or cryptic sequences for non-public SSIDs.) I suspect that Hacker News — and every other news outlet — is getting overly excited about a public access point.

To me, this picture does not appear to leak sensitive information, provide any exploitable risk, or offer any source of embarrassment for the World Cup management. What is embarrassing is reading news articles that fail to cite their sources, fail to identify when the photo was taken, and fail to identify if this is a risk or just a lot of nothing. Honestly, I’m not finding this World Cup action to be very exciting at all.

TorrentFreak: Comcast Must Share Six-Strikes Warnings with Copyright Troll, Court Rules

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

Last year the RIAA and MPAA teamed up with five of the largest Internet providers in the U.S. to begin issuing warnings to alleged copyright infringers.

As part of this partnership the ISPs have to store all warnings their customers receive. Opponents feared that this data could be used against these individuals in court, which is specifically permitted under the agreement.

“The Content Owner Representatives [MPAA / RIAA] or any other member of the Participating Content Owners Group may use such reports or data as the basis for seeking a Subscriber’s identity through a subpoena or order or other lawful process,” the agreement reads.

However, as it turns out, the first legal consequences aren’t a result of action taken by Hollywood or the major record labels. They come from the adult video publisher Malibu Media, a so-called copyright troll that has filed over 750 lawsuits against alleged infringers this year alone.

In their case against Kelley Tashiro, a middle-aged female nurse from Indianapolis, the company had trouble proving that an infringement actually took place. But instead of backing down, they put their money on the six-strikes warnings databases.

Malibu asked the court to order Comcast to release all data being held as part of the Copyright Alert System. While Malibu is not part of the program, this data may show that the Internet connection was used to share pirated content on more occasions.

“DMCA notices and six strike notices are relevant because these notices may prove a pattern of infringement or notice that infringement is occurring or both,” Malibu noted in its motion.

A copy of the recorded copyright infringements wasn’t enough for Malibu though, the company also asked for details of Tashiro’s bandwidth consumption, suggesting that this could indicate whether she is an infringer or not.

“Bandwidth usage is relevant because people who are heavy BitTorrent users use significantly more bandwidth than normal internet users,” the company’s sweeping generalization reads.

This week Indiana District Court Judge Mark Dinsmore granted Malibu’s motion, which means that Comcast will be ordered to share the requested evidence.

“Plaintiff’s Motion is GRANTED. Plaintiff may serve a third party subpoena on Comcast and Comcast should comply with Plaintiff’s Subpoena Duces Tecum for deposition as outlined in Plaintiff’s Motion,” the Judge writes.

Comcast has not yet responded to the order, but considering the sensitivity of the subject the Internet provider is expected to file an appeal.

Currently it’s not known whether Tashiro has ever received a copyright alert, but the RIAA, MPAA and other participants in the Copyright Alerts System will not be pleased with these latest developments.

The Center for Copyright Information, which oversees the program, has always emphasized that the program respects the privacy of Internet subscribers. Having it used against alleged downloaders by copyright holders that are not even part of the scheme is bad PR for them, to say the least.

Source: TorrentFreak, for the latest info on copyright, file-sharing and anonymous VPN services.

Errata Security: SCOTUS’s new Rummaging Doctrine

This post was syndicated from: Errata Security and was written by: Robert Graham. Original post: at Errata Security

Electronic privacy is currently ruled by the “Third Party Doctrine” from the cases Smith, Miller, and Katz. I think SCOTUS just largely replaced that with the “Rummaging Doctrine” in Riley v California.

The Third Party Doctrine was the principle that once you give up your data to a third party, that data is no longer covered by the Fourth Amendment. That’s because you no longer have a “reasonable expectation of privacy”. Thus, you have no reasonable expectation of privacy in your phone call records, so the police can grab them without a warrant.

Riley changes the direction of that arrow. It’s no longer about your privacy, it’s about the government’s power — the power that comes from unrestrained rummaging through a person’s effects. It’s no longer about whether I want something private, it’s about whether the police properly want something revealed. The properness is defined as the idea that police must already have good reason to suspect somebody of a crime, and must only be looking for evidence of that specific crime. They can’t go on fishing expeditions.

SCOTUS goes so far as to declare the revolution, that it’s right and proper to take up arms against governments who rummage through our effects. They cite the case of John Adams taking up arms against the ‘writs of assistance’, which were search warrants that never expired allowing British agents to search indiscriminately. The modern version of such writs is the Verizon court order renewed every three months for the last 8 years demanding all phone metadata. I think the court is signalling a complete exoneration of Edward Snowden leaking that writ to the public.

Right now, the government can go to Yahoo and request the last 15 years of my email stored on their servers, without a warrant, just in case I might’ve committed a crime. Right now, the government grabs all my phone and financial records, even though they don’t suspect me of a crime, and then applies computer algorithms putting that data together in order to see if evidence of crime falls out. To travel on planes, I first have to prove to the government that I’m innocent. That’s rummaging in full ‘writs of assistance’ style, and I’m pretty sure SCOTUS just said they are going to strike that stuff down.

Errata Security: Riley v California: support cloud privacy too?

This post was syndicated from: Errata Security and was written by: Robert Graham. Original post: at Errata Security

Today, in Riley v California, SCOTUS struck down warrantless cellphone searches during arrest. However, I think more importantly, they are setting things for a future battle over cloud privacy. They could have decided the case on narrow grounds (such as in Alito’s concurring opinion), but they chose instead broad grounds.

Today, the police can grab your old emails stored in the cloud. This is based on two existing decisions.

In Smith v Maryland, SCOTUS said government can grab your phone records (who you dialed) without a warrant. The idea is the “third party doctrine”, that you gave up your “reasonable expectation of privacy” when you gave the information to a third party.

In US v Miller, SCOTUS said the same thing about bank records. Old emails, stored on a server (rather than in transit between two parties) are considered the same sort of “record”. Other information in the cloud, such as your photos backed up on Apple, Google, or Amazon cloud, likewise are mere “business records”. Storing things in the cloud forfeits Fourth Amendment rights.

Today’s decision, Riley v California, gives a lot of ammunition to overturn these decisions with regard to cloud information. The court says the following on page 21:

Cell phone users often may not know whether particular information is stored on the device or in the cloud, and it generally makes little difference.

It’s meant one way, to show how a search incident of an arrest doesn’t automatically extend to servers in, say, Germany. But this is worded in a way that (one could argue) now goes the other way: the expectation of privacy for the device in their pocket extends to the data in the cloud.

On page 23 is an even better nugget for us privacy weenies:

The sources of potential pertinent information are virtually unlimited, so applying the Gant standard to cell phones would in effect give “police officers unbridled discretion to rummage at will among a person’s private effects.”

That is the entirety of the “cloud privacy” argument. Smith v Maryland was predicated on the idea that a pen register had limited utility to law enforcement. In today’s “cloud”, the opposite is true. All a person’s effects are in the cloud, including not only data mentioned here (such as whether they were texting while driving), but personal correspondence, photos with EXIF location data, that novel they’ve been writing, their search history, and so on. The power of the government to rummage through a person’s effects is unrivaled in history — and is why searches of cloud information should not be allowed without a warrant.

On page 24, the court talks about Smith v Maryland, and how the call log on the phone differs from a pen register list of phone numbers dialed:

call logs typically contain more than just phone numbers; they include any identifying information that an individual might add, such as the label “my house” in Wurie’s case

This circumscribes Smith v Maryland to just phone numbers — signaling it might not apply to more extensive information, like names associated with numbers.

On page 3, the court compares a modern cellphone to historical objects that might be on a person:

Cell phones differ in both a quantitative and qualitative sense from other objects that might be carried on an arrestee’s person. Notably, modern cell phones have an immense storage capacity. Before cell phones, a search of a person was limited by physical realities and generally constituted only a narrow intrusion on privacy.

That, and the continuing discussion, applies equally to cloud data compared to pen-register and bank records. Historically, they were limited and only constituted a narrow intrusion on privacy. Today, arbitrary police access of the cloud would represent a wide intrusion on privacy.

Further on page 3, SCOTUS says:

A decade ago officers might have occasionally stumbled across a highly personal item such as a diary, but today many of the more than 90% of American adults who own cell phones keep on their person a digital record of nearly every aspect of their lives.

…and by extension, the same argument applies to the cloud. American adults have a reasonable expectation of privacy over a digital record that covers 90% of their lives.

On page 25 is this wonderful statement:

We cannot deny that our decision today will have an impact on the ability of law enforcement to combat crime. … Privacy comes at a cost. 

Part of the justification for the “third-party doctrine” is that technology allows criminals to move things around to whichever has the most protection. If warrants are required to search cellphones, then criminals will move information onto this safe haven. Therefore, the argument goes, we shouldn’t give them safe havens. I think SCOTUS is arguing against this — signaling that they don’t mind making the police’s job harder.

Many commentators have pointed out this statement:

That is like saying a ride on horseback is materially indistinguishable from a flight to the moon.

What SCOTUS is signaling here is that technology obsoletes previous decisions. In other words, modern cellphone records that the NSA has been monitoring may actually be substantially different than the pen register taps in Smith v Maryland.

And finally, damnit, SCOTUS said this:

Our cases have recognized that the Fourth Amendment was the founding generation’s response to the reviled “general warrants” and “writs of assistance” of the colonial era, which allowed British officers to rummage through homes in an unrestrained search for evidence of criminal activity. Opposition to such searches was in fact one of the driving forces behind the Revolution itself. In 1761, the patriot James Otis delivered a speech in Boston denouncing the use of writs of assistance. A young John Adams was there, and he would later write that “every man of a crowded audience appeared to me to go away, as I did, ready to take arms against writs of assistance.”

I’m not a lawyer, but a revolutionary. I don’t care about precedent. I believe a Right to Cloud Privacy exists even if I believe that a logical adherence to precedent means that SCOTUS can’t find such a right. That government can rummage through 90% of our personal effects in an unrestrained search for evidence of criminal activity is intolerable. I’m heartened by the fact that SCOTUS seems, actually, ready to agree with me.

Darknet - The Darkside: Hackers Recreate NSA Snooping Kit Using Off-the-shelf Parts

This post was syndicated from: Darknet - The Darkside and was written by: Darknet. Original post: at Darknet - The Darkside

So some curious hardware hackers grabbed the leaked catalogue that detailed the hardware involved in the NSA Snooping Kit, and have recreated some of the ‘high-tech’ top secret tools with off-the-shelf parts and items that can be bought from Kickstarter. I mean some of it seems pretty simplistic though, a monitor mirror and a hardware…

Read the full post at darknet.org.uk

TorrentFreak: Respect for File-Sharers’ Privacy Keeps Swiss on US Watch List

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

Over the past 12 years the Congressional International Anti-Piracy Caucus has worked to highlight enforcement practices in need of improvement and to place countries perceived to be falling short of United States standards under the spotlight.

Yesterday the caucus became the International Creativity and Theft-Prevention Caucus, a change of name shunning the term ‘piracy’ in favor of an artist-focused theme that furthers the notion that infringement is the same as stealing.

The Watch List

As usual there are international winners and losers in the caucus report. On the up are Italy and the Philippines, with the former taking especially drastic steps to combat online file-sharing, including the blocking of ‘pirate’ sites by an administrative body, no court process required.

“In light of the reforms undertaken and a greater commitment to enforcing the law, both nations were removed from the Special 301 Report for the first time in its 25 year history. The caucus applauds Italy and the Philippines for undertaking reforms that recognize the importance of fostering creativity,” the report reads.

But in terms of improvements, the praise stopped there. In the file-sharing space, Switzerland came under attack over a momentous court decision four years ago.

The Swiss file-sharing privacy safe haven

The controversy surrounds the so-called ‘Logistep Decision’. The Logistep anti-piracy outfit became infamous in the latter half of the last decade for its work providing tracking services for copyright trolls in Europe and the UK.

In 2010 following several years of legal wrangling and controversy, the Swiss Federal Supreme Court ordered the anti-piracy outfit to stop harvesting the IP addresses of file-sharers. Underlining the notion that IP addresses are private data, the court’s decision effectively outlawed the tracking of file-sharers in Switzerland with the aim of later filing a lawsuit.

In its report the caucus says that Switzerland’s timeline (18 months minimum) for bringing the country “back up to international standards for protection of copyright” is unacceptable so the country will remain on the Watch List. That position is unlikely to change anytime soon considering the long Swiss tradition of respecting privacy.

Russia

Unsurprisingly the main site mentioned in respect of Russia is local Facebook variant vKontakte. The site has come under sustained attacks from both the RIAA and MPAA and the caucus is happy to keep up the pressure in 2014, despite Russia’s efforts to really tighten up local copyright law.

“The Caucus urges the Russian Government to take prompt action against websites that actively facilitate the theft of copyrighted materials, in particular vKontakte which was again named as a Notorious Market while remaining one of the most highly trafficked websites in Russia. Given the scale of online piracy emanating from Russia, it is crucial that Russia take serious and large scale action to enforce the law against rogue actors and end their status as a haven for digital piracy,” the report reads.

China and India

As expected, China is yet again subjected to criticism, despite clear signs that the country is changing its attitudes towards IP enforcement.

“Though the climate for intellectual property has improved, driven in part by a growing domestic creative sector within China, the scale of piracy remains massive, inflicting substantial harm to American and Chinese creators,” the caucus says.

And despite playing host to a large local creative industry, the caucus says that India is not doing enough to protect IP either, with high rates of camcorder movie piracy and a lack of effective notice-and-takedown procedures both aggravating factors.

Follow-the-money

Given the current collaborations between governments and the private sector with their “follow-the-money” approach to dealing with infringement, it’s no surprise that the caucus has focused a section of its report on this initiative.

Current momentum sees strong international efforts to eliminate the appearance of major brands’ advertising on ‘rogue’ sites and the caucus reports further progress on that front. The Association of National Advertisers (ANA), American Association of Advertising Agencies (4As), and Interactive Advertising Bureau (IAB) have all reported taking “concrete steps” towards evaluating “digital ad assurance” technologies to keep revenue away from pirate sites.

In a response, RIAA Executive Vice President Neil Turkewitz praised the caucus for its efforts.

“Their work on advertising has already led to various improvements, and we hope that soon the lure of generating money from advertising will no longer be viable for sites serving as distribution hubs for infringing content,” Turkewitz said.

Echoing the words of Italian Ambassador Claudio Bisogniero, who had been invited to the report’s unveiling in recognition of his country’s anti-piracy achievements, the MPAA reiterated that the protection of copyright on the Internet is essential to the development of business.

“At the MPAA, we couldn’t agree more, and deeply appreciate the steps being taken by the caucus to help protect the creative industries and the millions of workers they employ – both here in the United States and abroad,” the MPAA conclude.

Source: TorrentFreak, for the latest info on copyright, file-sharing and anonymous VPN services.

Errata Security: PR will be first up against the wall when the revolution comes

This post was syndicated from: Errata Security and was written by: Robert Graham. Original post: at Errata Security

Forbes.com interviews leaders on “10 Ways to Fix Cybersecurity”. It’s useless — in fact (as I’ll demonstrate below) worse than useless.

The problem is that these leaders aren’t experts, they are fluff; their technical competence extends only as far as knowing who to call in IT to turn on their computer (at least, as far as the executives go). You wouldn’t ask them how to fix cybersecurity any more than you’d ask basketball fans, or even owners, how to fix the team. Instead, you ask the experts, like coaches. Steve Ballmer was the CEO of Microsoft for the last decade, but you wouldn’t ask him how to fix cybersecurity any more than you’d ask him to coach the LA Clippers.

The corporate executives in this list do as media training taught them: bridge whatever question is asked to the answer you want to give.

Microsoft’s big emphasis right now is on the “cloud”. For $99 a year, you get a license of Microsoft Office (Word, Excel, PowerPoint, Access) for 5 members of your family, plus access to the cloud version of Office, plus 5 terabytes of cloud storage (that’s right, I said terabytes). Things like their Surface tablet are designed specifically as an extension to the cloud rather than a stand-alone device.

Thus, when asking Scott Charney, Microsoft’s VP, how to fix cybersecurity, his answer starts with “In the world of cloud services and big data, …”. At this point in the discussion, he hasn’t even finished listening to the question before he starts in with this answer. It’s the same answer he gives to everything, including “would you like fries with that” or “how’s my hair look?”.

Likewise, the senior VP of Cisco starts his answer “Each connection in the Internet of Things…”. I’ll give you one guess what Cisco is pimping right now. If you guessed “Internet of Things” (IoT), then you’d be right.

I don’t even know what The Chertoff Group really does, other than sell access to the government. But the CEO’s answer starts with “Corporate America rarely grows 100% organically anymore. M&A is almost always involved.” What? They sell cybersecurity for mergers and acquisitions? That sounds odd. Well, that’s indeed what they do, front and center on their webpage.

Google has its fingers in lots of pies, of course. One of their big things is competing against Microsoft with cloud-based office applications. An enormous number of organizations tired of managing Exchange have moved to GMail as their cloud-based email solution. Thus, the answer to the question from Google is “we should have users work with a single interface, like a browser, through which they can do multiple things”. In other words, stop using Microsoft Office installed on your Surface tablet; just use Google’s cloud-only solution instead, using Chrome.

The Forbes post asked this question of non-corporate people as well, such as the Chair of the Federal Trade Commission. Her answer was, of course, focused on laws/regulation: “Online security for children’s information is of particular concern. The Children’s Online Privacy Protection Act gives parents the right to control the collection of personal information from their kids.” She is, of course, defending COPA, a draconian law that was mostly struck down by the Supreme Court for infringing on civil rights, because children.

One of the sillier answers was from Daniel Suarez, the author of cyberpunk thrillers. His answer is “What we need is an Apollo-like national project to build a new, secure network for critical infrastructure that would use a separate protocol, proprietary hardware, dedicated fiber-optic lines and powerful encryption to eliminate all but the most elite interlopers.” Of course, it’s in the nature of scifi authors to think big, but the point I want to make is his use of the phrase “powerful encryption”. There is no such thing. There are only two types of encryption, that which works and that which doesn’t. When encryption doesn’t work, your neighbor’s pre-teen can break it, such as when she breaks into your WEP WiFi home router. When encryption works, not even the NSA can break it with their billions of dollars invested in supercomputers, which means Edward Snowden is safe sending email with PGP encryption. Phrases like “military grade encryption” or “powerful encryption” are just tropes you see in fiction; they don’t exist in the real world. I point this out to communicate the degree of fluff in Suarez’s answer.

The final example is that of Christopher Soghoian of the ACLU. You’d expect him to stand up for civil rights but he doesn’t. He’s less a defender of civil rights and more a garden variety left-winger, so his solution to cybersecurity is to regulate evil corporations and defend the poor consumer with a “powerful privacy and data-security regulator that can set data security rules for companies and enforce them”. We are headed rapidly toward a cyber-police-state, with the right-wing exploiting fear of cyberterrorists to pass laws, and the left-wing exploiting trumped up fears of evil corporations to likewise pass even more laws restricting freedom.

The point I’m trying to show is that none of these were honest answers to Kashmir’s question. All were answers designed to exploit the question in order to further their agendas.

And that’s the problem with cybersecurity. The solution is to stop asking these sorts of people, and start listening to technical people.

One example is this post from Meredith Patterson, a techie, where she answers essentially the same question. Her answer is “Follow the OWASP best practices and focus on your responsibility to your customers”. That’s a vastly better answer than any of the above 10 answers.

But nobody is going to listen, because for one thing it’s technical, and for another thing, Meredith isn’t a VP or Chairwoman or a sci-fi author or a member of the ACLU. Instead, she’s just a run of the mill techie who knows stuff.

If the journalists want to do anything other than help public figures further their agendas, then instead of quoting those fluffs, they should be talking to techies like Meredith.

(…with apologies to Kashmir Hill, she does great stuff .. it’s just this particular post was appalling).

Update: Chris Soghoian has solid technical chops. I can personally attest to some of them; he’s also worked in computer science, so probably has even more than I’ve seen. I don’t mean to imply that, like the executives I trash, he’s lacking in skill. I only mean to imply he’s left-wing, and that his answer serves his political agenda.

Also, Brian Krebs, while a journalist, has direct first hand experience worth listening to in the realm of cybersecurity.

LWN.net: [$] Android without the mothership

This post was syndicated from: LWN.net and was written by: corbet. Original post: at LWN.net

The success of Android has brought Linux to many millions of new users and that, in turn, has increased the development community for Linux itself. But those who value free software and privacy can be forgiven for seeing Android as a step backward in some ways; Android systems include significant amounts of proprietary software, and they report vast amounts of information back to the Google mothership. But Android is, at its heart, an open-source system, meaning that it should be possible to cast it into a more freedom- and privacy-respecting form. Your editor has spent some time working on that goal; the good news is that it is indeed possible to create a (mostly) free system on the Android platform.

Darknet - The Darkside: SHODAN – Expose Online Devices (Wind Turbines, Power Plants & More!)

This post was syndicated from: Darknet - The Darkside and was written by: Darknet. Original post: at Darknet - The Darkside

SHODAN is a search engine that lets you find specific computers (routers, servers, etc.) using a variety of filters. Some have also described it as a public port scan directory or a search engine of banners. Web search engines, such as Google and Bing, are great for finding websites. But what if you’re interested in [...]

The post SHODAN…

Read the full post at darknet.org.uk