Posts tagged ‘Privacy’

TorrentFreak: TV Companies Will Sue VPN Providers “In Days”

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

As Internet users demand more freedom online alongside an ability to consume media in a manner of their choosing, tools allowing them to do so are gaining in popularity.

Notable has been the rise of VPN services, which not only provide an increased level of privacy but also allow users to appear in any country they choose. This opens up a whole new world of content availability – such as better service from Netflix – often at better prices than those offered on home turf.

While popular with consumers, this behavior is frowned upon by distribution companies that spend huge sums of money on content licensing deals specific to their regions of coverage. Losing customers to overseas providers isn’t part of their plan and now some are doing something about it.

Earlier this month media companies SKY, TVNZ, Lightbox and MediaWorks told several Kiwi ISPs that if they don’t stop providing VPN services to their subscribers, legal trouble would be on the horizon.

Within days one of their targets, Unlimited Internet, pulled its VPN service after receiving a letter from a lawfirm claiming breaches of the Copyright Act. However, CallPlus and Bypass Network Services have no intention of caving in to the media giants’ demands.

“To receive without warning a grossly threatening legal letter like that from four of the largest companies in New Zealand is not something we are used to,” wrote Bypass CEO Patrick Jordan-Smith in a letter to the media companies.

“It smacks of bullying to be honest, especially since your letter doesn’t actually say why you think we are breaching copyright.”

Pulling no punches and describing his adversaries as a “gang”, Jordan-Smith likens the threats to those employed by copyright trolls in the United States.

“Your letter gets pretty close to the speculative invoicing type letters that lawyers for copyright owners sometimes send in the US ‘pay up or shutdown or else we are going to sue you’! Not fair,” he writes.

“We have been providing the Global Mode facility for 2 years. In all that time, none of your Big Media Gang have ever written to us. We assumed they were OK with Global Mode and we continued to spend money innovating the facility and providing innovative NZ ISPs with a service that their customers were telling them they wanted – a service that lets people pay for content rather than pirate it.”

The response from Bypass hasn’t been well received by the media companies who now say they will carry through with their threats to sue over breaches of copyright.

“Our position has not changed and unless they remove the unlawful service we will begin court action in the next few days,” says TVNZ chief executive, Kevin Kenrick.

“Each of our businesses invests significant sums of money into the rights to screen content sourced legitimately from the creators and owners of that copyrighted material. This is being undermined by the companies who profit from promoting illegitimate ways to access that content.”

Claiming that the action is aimed at defending the value of content rights in the digital world, Kenrick says that the legal action is not consumer focused.

“This is not about taking action against individual consumers or restricting choice, indeed each of our businesses are investing heavily in more choice so New Zealanders can have legitimate access to the latest TV shows and movies,” the CEO concludes.

While the commercial position of the TVNZ chief is understandable, his claim that this legal action isn’t aimed at reducing choice simply doesn’t stack up. Kiwis using Netflix locally get access to around 220 TV series and 900 movies, while those using a VPN to tunnel into the United States enjoy around 940 TV series and 6,170 movies, something which Bypass Networks believes is completely legal.

“[We provide our service] on our understanding that geo-unblocking to allow people to digitally import content purchased overseas is perfectly legal. If you say it is not, then we are going to need a lot more detail from you to understand why,” Jordan-Smith informs his adversaries.

“Simply sending us a threatening letter, as frightening as that may be, does not get us there and is not a fair reason for us to shut down our whole business.”

Source: TorrentFreak, for the latest info on copyright, file-sharing, torrent sites and anonymous VPN services.

Schneier on Security: Two Thoughtful Essays on the Future of Privacy

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

Paul Krugman argues that we’ll give up our privacy because we want to emulate the rich, who are surrounded by servants who know everything about them:

Consider the Varian rule, which says that you can forecast the future by looking at what the rich have today — that is, that what affluent people will want in the future is, in general, something like what only the truly rich can afford right now. Well, one thing that’s very clear if you spend any time around the rich — and one of the very few things that I, who by and large never worry about money, sometimes envy — is that rich people don’t wait in line. They have minions who ensure that there’s a car waiting at the curb, that the maitre-d escorts them straight to their table, that there’s a staff member to hand them their keys and their bags are already in the room.

And it’s fairly obvious how smart wristbands could replicate some of that for the merely affluent. Your reservation app provides the restaurant with the data it needs to recognize your wristband, and maybe causes your table to flash up on your watch, so you don’t mill around at the entrance, you just walk in and sit down (which already happens in Disney World.) You walk straight into the concert or movie you’ve bought tickets for, no need even to have your phone scanned. And I’m sure there’s much more — all kinds of context-specific services that you won’t even have to ask for, because systems that track you know what you’re up to and what you’re about to need.

Daniel C. Dennett and Deb Roy look at our loss of privacy in evolutionary terms, and see all sorts of adaptations coming:

The tremendous change in our world triggered by this media inundation can be summed up in a word: transparency. We can now see further, faster, and more cheaply and easily than ever before — and we can be seen. And you and I can see that everyone can see what we see, in a recursive hall of mirrors of mutual knowledge that both enables and hobbles. The age-old game of hide-and-seek that has shaped all life on the planet has suddenly shifted its playing field, its equipment and its rules. The players who cannot adjust will not last long.

The impact on our organizations and institutions will be profound. Governments, armies, churches, universities, banks and companies all evolved to thrive in a relatively murky epistemological environment, in which most knowledge was local, secrets were easily kept, and individuals were, if not blind, myopic. When these organizations suddenly find themselves exposed to daylight, they quickly discover that they can no longer rely on old methods; they must respond to the new transparency or go extinct. Just as a living cell needs an effective membrane to protect its internal machinery from the vicissitudes of the outside world, so human organizations need a protective interface between their internal affairs and the public world, and the old interfaces are losing their effectiveness.

TorrentFreak: Hollywood Seeks Net Neutrality Exceptions to Block Pirates

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

The Brazilian Civil Rights Framework for the Internet (Marco Civil da Internet) is legislation that governs the use of the Internet in Brazil. Under development since 2009, among other key issues the Marco Civil is aimed at protecting online privacy rights and net neutrality principles.

The law, which passed last April, was fast-tracked in the wake of revelations from Edward Snowden indicating that the U.S. had been spying on President Dilma Rousseff’s emails and phone calls, those of Brazil’s biggest oil company, and the communications of millions of citizens.

After being in place for a year, Brazil is now rolling out the Marco Civil’s secondary legislation, with the Ministry of Justice announcing a public consultation process allowing stakeholders to contribute to the development of the law.

One of the organizations getting involved is the Motion Picture Association, the international big brother to the United States’ MPAA. According to the MPA, which counts all the big movie studios among its members, the Marco Civil’s net neutrality provisions present an obstacle to rightsholders seeking to protect their content online.

In a submission to Justice Minister José Eduardo Cardozo, the Motion Picture Association expresses concern that the legislation’s current wording is too tight and that exceptions need to be introduced in order to deal with online piracy.

“[Our] position is that the regulation should contain cases of exception to the general rule of net neutrality, enabling the judiciary to determine that traffic to a given illegal repository can be blocked,” the MPA writes.

“The aforementioned suggestion is based on the premise that an adequate service must be in harmony with the possibility of allowing the judiciary to block access to content that, based on judicial scrutiny, is illegal for any reason, from a case of child pornography and trafficking of illegal substances, to the case of systematic disregard for the consumer and violation of intellectual property rights.”

The MPA notes that due to the borderless nature of the Internet anyone can access content from any location. This presents challenges on a national level when undesirable content is made available from other parts of the world, the group says.

“For content hosted within a national territory a judge may issue a removal order, or in the case of breaches in the copyright field, the rightsholder can send a takedown notice to the ISP, requesting that the content is rendered unavailable,” the MPA states.

“However, when the content is hosted in a foreign nation, the Brazilian court order may [not have jurisdiction] or produce the expected results for months, perhaps years, after the court order has been issued.”

According to the MPA there is only one way to remedy this kind of impotence but the way the law is currently worded, the solution remains elusive.

“In these cases the Brazilian courts only have only one option: to order service providers to implement technical measures to block Internet traffic when it has been established that services are illegal,” the MPA notes.

“Without a clear provision for these techniques, in the midst of regulations, the current wording of the Marco Civil deprives courts of this possibility, leaving them unable to address such threats.”

The net neutrality debate is a sensitive one and one that has the potential to seriously affect Hollywood’s interests. With that in mind the MPA and MPAA will be keen to ensure that any new legislation, whether overseas or on home turf, won’t hinder the pursuit and monitoring of online pirates.

Source: TorrentFreak, for the latest info on copyright, file-sharing, torrent sites and anonymous VPN services.

Linux How-Tos and Linux Tutorials: Tweaking Ubuntu Unity to Better Suit Your Needs

This post was syndicated from: Linux How-Tos and Linux Tutorials and was written by: Jack Wallen. Original post: at Linux How-Tos and Linux Tutorials

[Image: Unity scopes choice]

Ubuntu Unity. Never before has there been a user interface to bring about such polar opinions. Users either love it or hate it—there’s very little middle ground. One of the reasons so many lay claim to their dislike of Unity is the lack of configuration options.

If you compare Unity to the likes of Xfce, you will certainly find that Unity does, in fact, lack a certain amount of available options. However, that does not mean the shell is locked down such that it cannot be configured. In fact, you’ll be surprised at just how much you can do with Unity. That is my goal here, to introduce you to some Unity tweaks you can easily manage in order to make the default Ubuntu desktop work perfectly for you.

Privacy

One issue that Ubuntu gets hit hard on is privacy. There are certain elements of Unity that make the interface incredibly efficient. One element is Scopes. With Scopes you can, from within the Dash, search anywhere—both locally and online—for anything. Problem is, some users see this as an invasion of their privacy. Thankfully, the developers of Unity foresaw this and ensured that users can easily configure Scopes to best suit their privacy needs.

First, let’s see how you can fine-tune Scopes to include (or exclude) locations from the web. Say, for example, you aren’t overly concerned about the privacy of your search results, but don’t want to include all sources or categories in your results. Let me show you how.

  1. Open the Unity Dash (either by clicking the Ubuntu logo on the Launcher or by pressing the Super key on your keyboard).

  2. When the Dash opens, click on Filter results.

  3. From the listing, enable and disable the sources and/or categories to fit your needs. (Figure 1)

When you set a filter, it should stick—so the next time you go to search using the Dash, the same categories and sources should remain.

For those that take their privacy seriously, you can completely disable online search results. To do this, follow these steps:

  1. Open the Dash.

  2. Type settings and, when it appears in the results, click to open the Settings tool.

  3. Click on Security & Privacy.

  4. Click on the When searching in the Dash ON/OFF slider (Figure 2) until it is set to OFF.

[Figure 2: the Security & Privacy search slider]

NOTE: Once you’ve disabled online search results, you will still see all local search results (which will include all locally attached drives).
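The slider above flips a single GSettings key, so the same check can be scripted when you manage more than one desktop. The following is an added example, not part of the Linux.com article: it parses the output of `gsettings list-recursively com.canonical.Unity.Lenses` and reports whether online Dash results are still on. The schema `com.canonical.Unity.Lenses` and the key `remote-content-search` (`'all'` or `'none'`) are the ones used by Unity 7 on Ubuntu of this era; the sample dumps are constructed, and the helper names are this example's own.

```python
"""Audit the Unity Dash online-search setting from a gsettings dump.

Added example, not code from the article.  The Security & Privacy slider
in Unity writes com.canonical.Unity.Lenses remote-content-search, 'all'
(online results on) or 'none' (off).  Parsing a dump rather than calling
gsettings directly keeps the logic testable off a Unity desktop.
"""
import shutil
import subprocess

SCHEMA = "com.canonical.Unity.Lenses"
REMOTE_KEY = "remote-content-search"


def parse_gsettings_dump(text):
    """Turn '<schema> <key> <value>' lines into {(schema, key): raw value}.
    The value keeps its GVariant text form (quotes, brackets) untouched."""
    settings = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 2)
        if len(parts) != 3:
            continue  # blank line or something that is not schema key value
        schema, key, value = parts
        settings[(schema, key)] = value
    return settings


def gvariant_string(value):
    """Strip the quotes gsettings prints around a string value ('all' -> all)."""
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
        return value[1:-1]
    return value


def audit_dash_privacy(dump_text):
    """Classify a dump: 'ok' (online search off), 'online-search-enabled',
    or 'unknown' when the key is absent (not a Unity desktop, wrong schema)."""
    raw = parse_gsettings_dump(dump_text).get((SCHEMA, REMOTE_KEY))
    if raw is None:
        return {"status": "unknown", "detail": f"{SCHEMA} {REMOTE_KEY} not in dump"}
    value = gvariant_string(raw)
    if value == "none":
        return {"status": "ok", "value": value}
    # The command that produces the same result as setting the slider to OFF.
    return {"status": "online-search-enabled", "value": value,
            "fix": ["gsettings", "set", SCHEMA, REMOTE_KEY, "none"]}


def read_live_dump():
    """On a real desktop, fetch the dump; None where gsettings is not installed."""
    if shutil.which("gsettings") is None:
        return None
    result = subprocess.run(["gsettings", "list-recursively", SCHEMA],
                            capture_output=True, text=True, check=False)
    return result.stdout


# Constructed sample dumps (not captured from a real machine).
SAMPLE_DUMP_ON = """\
com.canonical.Unity.Lenses disabled-scopes ['more_suggestions-amazon.scope']
com.canonical.Unity.Lenses remote-content-search 'all'
"""
SAMPLE_DUMP_OFF = "com.canonical.Unity.Lenses remote-content-search 'none'\n"

if __name__ == "__main__":
    live = read_live_dump()
    print(audit_dash_privacy(live if live is not None else SAMPLE_DUMP_ON))
```

Run it on a Unity desktop and it audits the live setting; anywhere else it falls back to the constructed dump, so the parsing path can be exercised without Unity installed.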

Unity Tweak Tool

The Unity Tweak Tool is a must-have for those who want to tweak Ubuntu Unity. With it you can tweak options that aren’t available in the standard Settings tool, not only for Unity but also for the Window Manager, Appearance, and System. Configuration categories within the Unity Tweak Tool include:

  • Launcher

  • Search

  • Panel

  • Switcher

  • Web Apps.

Within each category you will find plenty of options to tweak.

To install the Unity Tweak Tool, simply open up the Ubuntu Software Center, search for “tweak”, and click to install. Once installed, you will find this tool as easy to use as the standard Settings tool.

One particular feature you might want to pay close attention to is the Web Apps category. Unity Web Apps brings desktop integration for particular websites and services (such as Amazon, Google Drive, or Facebook). By default Web Apps is enabled and Amazon and (the now defunct) Ubuntu One are installed. If you open the Ubuntu Software Center and do a search for “webapps”, you’ll find a number of additional apps to be integrated into Unity. The only caveat to adding Web Apps is that many of them simply offer little more than a shortcut to the website and no other features. To this end, many users opt to disable this Unity feature. The easiest way to do so is through Unity Tweak Tool. From within the Web Apps tab, switch the Integration prompts to OFF (Figure 3) and Unity will no longer prompt you to integrate sites.

[Figure 3: disabling Unity Web Apps integration prompts]

You should also uncheck any authorized domains already associated with Web Apps. This doesn’t actually remove Webapps integration, but you will not be prompted to include services and sites that happen to be available.

Workspace switcher

Oddly enough, workspaces, a feature that has been a part of the Linux landscape for over a decade, default to off in the latest iterations of Ubuntu. For many users, workspaces were one of the most efficient means of managing a busy Linux desktop.

Fortunately, workspaces can be enabled without having to install any third-party software. However, the setting is a bit hidden. Here’s how to enable workspaces:

  1. Open the Dash and type “settings” (no quotes)

  2. From the Settings window, click Appearance

  3. Click on the Behavior tab

  4. Click to enable workspaces (Figure 4).

[Figure 4: enabling workspaces]

To switch between workspaces, either click on the Workspace icon in the Launcher or tap and hold Ctrl+Alt and then tap either the right or left arrow key. You can also tap the Super+s key and then tap the arrow key to move to the workspace you want to use and hit the Enter key to give that workspace focus.

NOTE: You can also configure workspaces within the Unity Tweak Tool (where you can also configure the number of both vertical and horizontal workspaces).

Hotcorners

One oft-forgotten feature of Unity is hotcorners. What this feature does is set each corner of your desktop to a certain behavior. The available behaviors are:

  • Toggle desktop

  • Show workspace

  • Toggle windows spread

  • Spread all windows.

There are actually eight hotcorners that can be configured through the Unity Tweak Tool. From the Tweak Tool main window, click Hotcorners and then make sure the feature is set to ON (Figure 5).

[Figure 5: Unity hotcorners]

For each available hotcorner, click the drop-down and select the behavior you want to associate with that location.

There is one caveat to using this feature. If you have multiple monitors, setting the corners and edges can get tricky because hotcorners treats both monitors as one—so the right corners and edge of the left monitor and the left corners and edge of the right monitor will not function as hotcorners. Personally, I set the bottom hotcorner with the Spread all Windows and it works on both monitors.

Window controls

Finally, if you’re one of those that cannot stand the Close, Minimize, and Maximize buttons on the upper left corner of the windows, you can change that with the help of the Unity Tweak Tool. From the Overview, click on Window Controls and then select between the Left or Right layout (Figure 7).

[Figure 7: Unity window controls]

You do not have to be constrained within the default look and feel of Unity. With the addition of a single tool and a bit of poking around, you can find plenty of tweaks to help make Unity best fit your needs and work more efficiently.

Have you found a tweak for Unity that would help make users’ experiences even more productive? If so, feel free to share in the comments.

TorrentFreak: Anti-Piracy Threats Trigger Massive Surge in VPN Usage

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

This week news broke that the makers of Dallas Buyers Club have the court’s approval to go after 4,726 alleged movie pirates in Australia, opening the door to many more copyright lawsuits.

Around the same time the country’s largest Internet providers submitted their online anti-piracy code, announcing that 200,000 piracy warnings will be sent out each year.

Facing increased monitoring and potential legal action many file-sharers have taken counter measures, hiding their IP-addresses so their sharing activities can no longer be linked to their ISP account.

In early March, the initial announcement of the warning letters had already increased interest in VPNs and other anonymizing services, but this week’s surge broke new records.

Data from Google trends reveals that interest in anonymizing services has soared, with searches for “VPN” quadrupling in recent weeks. This effect, shown in the graph below, is limited to Australia and likely a direct result of the recent anti-piracy threats.

[Graph: Google Trends interest in “VPN” searches, Australia]

The effects are clearly noticeable at VPN providers as well, in both traffic and sales. TorGuard, a VPN and BitTorrent proxy provider, has seen the number of Australian visitors spike this week, for example.

“Over the past week TorGuard has seen a massive jump in Australian subscribers. Traffic from this region is currently up over 150% and recent trends indicate that the upsurge is here to stay,” TorGuard’s Ben Van der Pelt tells us.

“VPN router sales to Australia have also increased significantly with AU orders now representing 50% of all weekly shipments.”

[Graph: TorGuard traffic from Australia]

The recent events are expected to drive tens of thousands of new users to anonymizing services. However, it appears that even before the surge they were already commonly used Down Under.

A survey among 1,008 Australians early March showed that 16% of the respondents already used VPNs or Tor to increase privacy. The Essential survey shows that anonymizing tools are most prevalent among people aged 18-34.

While copyright holders don’t like the increased interest in these evasion tools, it may not all be bad news.

In fact, to a certain degree it shows that pirates are spooked by the new initiatives. Where some decide to go underground, others may choose to pirate less. And for the “trolls” there are still plenty of unsecured file-sharers out there.

Source: TorrentFreak, for the latest info on copyright, file-sharing, torrent sites and anonymous VPN services.

Errata Security: Stop making the NSA the bogeyman of privacy

This post was syndicated from: Errata Security and was written by: Robert Graham. Original post: at Errata Security

Snowden is my hero, but here’s the thing: the NSA is the least of our worries. Firstly, their attention is foreign, not domestic. Secondly, they are relatively uncorrupt. Our attention should be focused on the corrupt domestic law-enforcement agencies, like the ATF, DEA, and FBI.

I mention this because a lot of people seem concerned that the “cyber threat sharing” bills in congress (CISA/CISPA) will divulge private information to the NSA. This is nonsense. The issue is private information exposed to the FBI and other domestic agencies. It’s the FBI, ATF, or DEA that will come break down your door and arrest you, not the NSA.
We see that recently where the DEA (Drug Enforcement Administration) has been caught slurping up international phone records going back to the 1990s. This appears as bad as the NSA phone records program that started the Snowden disclosures.
I know the FBI is corrupt because I’ve experienced it personally, when they threatened me in order to suppress a conference talk. We know they are corrupt in the way they hide cellphone interception devices (“stingray”) from public disclosure. We know they are corrupt because their headquarters is named after J. Edgar Hoover, the notoriously corrupt head of the FBI during much of the last century.
For all that the FBI is horrid, the DEA and the ATF are worse. These are truly scary police-state style agencies which we allow to operate only because their focus is so narrow. Every gun store owner I know has stories of obviously dodgy characters trying to buy guns who they are certain are actually ATF agents doing “sting” operations. One of the many disturbing elements of the “fast and furious” ATF scandal is how they strong-armed gun store owners into complying.
In any case, even if you hate the NSA the most, the NSA’s frightening ability to monitor everything outside the United States means they probably don’t need the domestic “cyber threat information”.
My point is this: stop making the NSA the bogeyman of privacy. Domestic agencies, namely the FBI, are a far greater danger.

TorrentFreak: ISP Pulls VPN Service After Geo-Unblocking Legal Threats

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

While VPN services have always been associated with privacy, in recent years they have bloomed into tools providing much more than a simple way to stay cloaked online.

For a relatively small fee, users of the most popular VPN services can tunnel out of their country of origin and reappear in any one of dozens of countries around the world. This opens up a whole new world of media consumption opportunities.

Citizens of the United States, for example, can access BBC iPlayer just like any other Brit might, while those in the UK looking to sample the widest possible Netflix offering can easily tunnel right back into the U.S.

This cross-border content consumption is not popular with entertainment companies and distributors. It not only undermines their ability to set prices on a per-region basis, but also drives a truck through hard-negotiated licensing agreements.

Tired of dealing with ISPs including Slingshot who offer a dedicated ‘global mode’ VPN service for customers, last week media companies in New Zealand ran out of patience.

“We pay considerable amounts of money for content rights, particularly exclusive content rights. These rights are being knowingly and illegally impinged, which is a significant issue that may ultimately need to be resolved in court in order to provide future clarity for all parties involved,” Lightbox, MediaWorks, SKY, and TVNZ said in a joint statement.

“This is not about taking action against consumers; this is a business-to-business issue and is about creating a fair playing field.”

Before being granted limited local access to Netflix just last month, Kiwis were required to level their own playing fields by paying for a VPN service and an account at an overseas supplier in order to legally obtain a decent range of premium content. However, the media companies now want to bring an end to that free choice via legal action. Today they claimed their first scalp.

This morning Unlimited Internet became the first ISP to respond to media company pressure by pulling its geo-unblocking service known as “TV VPN” after receiving a warning letter from a lawfirm.

The letter, which has been sent out to several local ISPs, informs Unlimited Internet that its VPN service infringes the Copyright Act of 1994.

Unlimited Internet director Ben Simpson says that while his company doesn’t necessarily agree with that assertion, it has taken down the service nonetheless.

“Geo-unblocking services are a direct result of consumer demand for access to content that is not made available to the New Zealand market,” Simpson says.

“To be on the safe side, we have taken legal advice on this matter and I have made a firm call that we will sit on the sideline until a legal precedent has been set.”

Currently there are no signs that other ISPs intend to cave in to the media companies’ demands but even if all Kiwi companies cease their VPN activities, the problem will persist. International VPN providers, such as those listed here, will be more than happy to provide services to New Zealanders enabling them to tunnel into any country they choose.

The other possibility is that consumers will shun paying for content and turn back to file-sharing networks instead. If they do those VPNs will still come in handy but for entirely different reasons, ones that will see entertainment companies missing out on the spoils altogether.

Source: TorrentFreak, for the latest info on copyright, file-sharing, torrent sites and anonymous VPN services.

Linux How-Tos and Linux Tutorials: Getting Started with Command Line Encryption Tools on Linux

This post was syndicated from: Linux How-Tos and Linux Tutorials and was written by: Falko Timme. Original post: at Linux How-Tos and Linux Tutorials

Encryption is the process of encoding messages or information in such a way that only authorized parties can read them. With almost no privacy left in this digital age, encrypting our data is one of the most necessary tools we have. Most applications, such as Gmail, encrypt our data, but the data on your own system is still unprotected, and there are hackers or unauthorised users waiting to access it. One way to minimize the risk of data theft is to encrypt the data stored on our local system as well. This tutorial demonstrates several methods of encrypting data on Linux systems using command-line tools.

Read more at HowtoForge

TorrentFreak: iiNet loses Dallas Buyers Club Piracy Case

This post was syndicated from: TorrentFreak and was written by: Ben Jones. Original post: at TorrentFreak

Back in 2012, the Australian High Court ruled that ISP iiNet was not responsible for the copyright infringements of its customers. Stymied by that ruling, many Australian file-sharers breathed a sigh of relief, as Antipodean users are usually amongst the last to get content, forgotten in the long-tail of media distribution.

Conversely, it also meant that they were one of the last English-speaking (and English common-law) countries to see the appearance of so-called ‘Speculative Invoicing’, more commonly known as copyright trolling. However, “Down Under” couldn’t escape forever, and eventually the trolls washed up on the shore, in the shape of mega-troll “Dallas Buyers Club” (DBC).

The model should be familiar to most of our readers. A company (or its representative) joins a BitTorrent swarm, and “observes” a number of peers on the torrent. It then applies for a court order for the ISP to hand over the identities behind all those IP addresses so they can be pressured for cash settlement.

The big question was whether the Australian courts would allow for the discovery of subscriber details but in a decision released just minutes ago the courts said ‘yes’. Letters to be sent out to the 4,726 consumers involved will first have to be approved by the court, a move designed to reduce DBC’s ability to overstate the case and the potential penalties involved.

Following a similar ruling in Canada last February, this is the second time these kinds of restrictions have been placed on Dallas Buyers Club/Voltage Pictures. UK ‘trolls’ are also subjected to the same oversight in their initial letters to consumers but subsequent correspondence flies completely under the radar with no court involvement.

In today’s case the judge also ruled that the privacy of the 4,726 accounts should be protected but placed no cap on damages. The precise restrictions and justifications will become clear when the verdict is published later today.

The case comes amid growing regulations, with the Australian Government pushing for a voluntary 3-strikes system as well as site-blocking legislation. These two things, combined with today’s ruling, means that VPN use is expected to skyrocket in Australia.

Source: TorrentFreak, for the latest info on copyright, file-sharing, torrent sites and anonymous VPN services.

LWN.net: Tor Summer of Privacy

This post was syndicated from: LWN.net and was written by: n8willis. Original post: at LWN.net

The Tor Project and the Electronic Freedom Foundation (EFF) have announced a mentoring program entitled the “Tor Summer of Privacy” (TorSoP). Akin to the Google Summer of Code, TorSoP will provide financial support and mentorship for a group of students to work on privacy-related free software. Three student positions are available this year; applications will be accepted through April 10. More details (including project ideas) are provided on the TorSoP page.

Errata Security: The .onion address

This post was syndicated from: Errata Security and was written by: Robert Graham. Original post: at Errata Security

A draft RFC for Tor’s .onion address is finally being written. This is a proper thing. Like the old days of the Internet, people just did things, then documented them later. Tor’s .onion addresses have been in use for quite a while (I just set up another one yesterday). It’s time that we documented this for the rest of the community, to forestall problems like somebody registering .onion as a DNS TLD.

One quibble I have with the document is section 2.1, which says:

1. Users: human users are expected to recognize .onion names as having different security properties, and also being only available through software that is aware of onion addresses.

This certainly documents current usage, where Tor is a special system run separately from the rest of the Internet. However, it appears to rule out a hypothetical future where Tor is more integrated.
For example, imagine a world where Chrome simply integrates the Tor libraries, so that whenever anybody clicks on a .onion link the browser automatically activates Tor, establishes a circuit, and grabs the indicated page, all without the user having to be aware of Tor. This could do much to increase the usability of the software.
Unfortunately, this has security risks. A .onion web page with a non-onion <IMG> tag would totally unmask the user, because in this scenario the image fetch would presumably not go over Tor. One could imagine, therefore, that it would operate like Chrome’s “Incognito” mode does today: no cookies or other information should cross the boundary, and any link followed from the .onion page should be forced to also go over Tor. Like Chrome’s little spy-guy icon on the window, it would be good to have something onion-shaped identifying the window.
Therefore, I suggest some text like the following:
1b. Some systems may desire to integrate .onion addresses transparently. An example would be web browsers allowing such addresses to be used like any other hyperlinks. Such systems MUST nonetheless maintain the anonymity guarantee of Tor, with visual indicators, and blocking the sharing of identifying data between the two modes.


The Tor Project opposes transparent integration into browsers. They’ve probably put a lot of thought into this, and are the experts, so I’d defer to them. With that said, we should bend over backwards to make security, privacy, and anonymity an invisible part of all normal products.
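The unmasking risk above (a .onion page pulling a clearnet <IMG>) is easy to check for mechanically. The following is an added example, not code from the original post or from the Tor Project: given the HTML of a page served from a .onion origin, it lists every load-time subresource whose host is not itself a .onion name, which is exactly the set of fetches that would leave the Tor boundary in the transparent-integration scenario. The tag/attribute table, the onion host names and the sample page are constructed for the example.

```python
# Added example, not code from the original post or from Tor: given the HTML of
# a page served from a .onion origin, list the subresources a browser would
# fetch that are NOT .onion hosts. In the "transparent integration" scenario in
# the post, each of these would be fetched outside Tor and unmask the user.
# Standard library only; the sample page and host names below are constructed.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attributes that cause a fetch at load time (assumed list; extend as needed).
FETCHING_ATTRS = {
    "img": ("src", "srcset"), "script": ("src",), "link": ("href",),
    "iframe": ("src",), "source": ("src", "srcset"), "video": ("src", "poster"),
    "audio": ("src",), "object": ("data",), "embed": ("src",),
}
# Schemes that never hit the network.
NON_NETWORK_SCHEMES = {"data", "about", "blob", "javascript"}


def is_onion_host(host):
    """True for any name under .onion (case-insensitive, trailing dot ignored)."""
    return host.lower().rstrip(".").endswith(".onion")


class _SubresourceCollector(HTMLParser):
    """Collects (tag, absolute URL) for every load-time subresource reference."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.refs = []

    def handle_starttag(self, tag, attrs):
        wanted = FETCHING_ATTRS.get(tag)
        if not wanted:
            return
        for name, value in attrs:
            if name not in wanted or not value:
                continue
            # srcset is "url descriptor, url descriptor, ..."; keep the URLs only.
            candidates = ([c.split()[0] for c in value.split(",") if c.strip()]
                          if name == "srcset" else [value.strip()])
            for u in candidates:
                self.refs.append((tag, urljoin(self.base_url, u)))


def find_clearnet_leaks(base_url, html):
    """Return [(tag, url)] for subresources whose host is not a .onion name."""
    if not is_onion_host(urlsplit(base_url).hostname or ""):
        raise ValueError("base_url must be an onion origin")
    collector = _SubresourceCollector(base_url)
    collector.feed(html)
    leaks = []
    for tag, url in collector.refs:
        parts = urlsplit(url)
        if parts.scheme in NON_NETWORK_SCHEMES:
            continue
        if not is_onion_host(parts.hostname or ""):
            leaks.append((tag, url))
    return leaks


# Constructed sample: a hypothetical onion site embedding clearnet resources.
SAMPLE_BASE = "http://exampleonionsite1234.onion/index.html"
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="http://otheronionsite5678.onion/site.css">
<script src="//cdn.example/lib.js"></script>
</head><body>
<img src="/logo.png">
<img src="https://tracker.example/pixel.gif">
<img src="data:image/gif;base64,R0lGODlhAQABAAAAACw=">
<img srcset="/hero.png 1x, https://cdn.example/hero@2x.png 2x">
</body></html>
"""

if __name__ == "__main__":
    for tag, url in find_clearnet_leaks(SAMPLE_BASE, SAMPLE_HTML):
        print(f"LEAK <{tag}> {url}")
```

Relative and protocol-relative references resolve against the onion base and stay inside the boundary; anything that resolves to a non-onion host is reported. Note that the check is deliberately conservative: a <link> that never fetches (rel="canonical", say) is still flagged, and navigation targets in <a href> are out of scope here even though the post argues they should also be forced over Tor.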

Darknet - The Darkside: Google Revoking Trust In CNNIC Issued Certificates

This post was syndicated from: Darknet - The Darkside and was written by: Darknet. Original post: at Darknet - The Darkside

So another digital certificate fiasco, once again involving China from CNNIC (no surprise there) – this time via Egypt. Google is going to remove all CNNIC and EV CAs from their products, probably with the next version of Chrome that gets pushed out. As of yet, no action has been taken by Firefox – or […]

The post Google Revoking…

Read the full post at darknet.org.uk

Errata Security: War on Hackers: a Clear and Present Danger

This post was syndicated from: Errata Security and was written by: Robert Graham. Original post: at Errata Security

A typical hacker, according to @Viss

President Obama has upped his war on hackers by declaring a “state of emergency“. This triggers several laws that grant him expanded powers, such as seizing the assets of those suspected of hacking, or taking control of the Internet.

On one hand, this seems reasonable. Hackers from China and Russia are indeed a threat, causing billions in economic damage every year, by stealing money and intellectual property. This declaration specifically targets these issues. Presumably, in the next few weeks, we’ll see announcements from the Treasury Department seizing assets from Chinese companies known to have stolen intellectual property via hacking.

But on the other hand, it’s problematic. Declarations of emergency tend to be permanent. We already operate under 30 declarations of emergency dating back to the Korean War. Once government grabs new powers, it tends not to give them back. Also, this really isn’t an “emergency”; the hacking it addresses goes back a decade. It’s obvious corruption of the “emergency” provisions in the law for the President to bypass Congress and rule by decree.

Moreover, while tailored specifically to the threats of foreign hackers, it ultimately affects everyone everywhere. It allows the government to bypass due process and seize the assets of anybody suspected of hacking. The federal government already widely abuses “asset forfeiture” laws, seizing a billion dollars annually. This executive order expands such activities (although “freezing” isn’t quite the same as “forfeiture”).

Of particular concern are “security researchers”. The only way to secure systems is to attack them. Securing systems means pointing out flaws, which inevitably embarrasses the powerful, who then lobby government for assistance in dealing with these pesky “hackers”.

The White House knows this is a potential problem, and clarifies that it doesn’t intend to use this Executive Order to go after security researchers. But this is bogus. Whether somebody is a “good guy” or a “bad guy” is merely a matter of perspective. For example, I regularly scan the entire Internet. The security research community broadly agrees this is a good thing, but the powerful disagree. I have to exclude the DoD from my scans, because they make non-specific threats toward me in order to get me to stop. This Executive Order makes those threats real — giving the government the ability to declare my scans “malicious” and to seize all my assets. It’s the Treasury Department who makes these decisions — from their eyes, “security research” is indistinguishable from witchcraft, so all us researchers are malicious.

This last week, we saw a DDoS attack by China against a key Internet infrastructure company known as “GitHub”. The evidence clearly points to the Chinese government as the culprit — yet the President has remained silent on the issue. In contrast, the President readily spoke out against North Korea based on flimsy evidence. These new powers granted by the Executive Order do nothing to stop such an attack. With proposed laws, such as CISA surveillance expansion law, or the extensions to the CFAA, we see that the government is eager to obtain new powers, but reluctant to actually use the powers it already has to defend against hackers.

The reason the government is hesitant is that China is a thorny problem. North Korea is an insignificant country, so we bully them whenever it’s convenient. In contrast, China’s economy rivals our own. Moreover, trade intertwines our economies. Logical next steps to address hacking involve economic sanctions that will hurt both countries. What the government will do to address Chinese hacking then becomes a political question. No matter how many powers we give government, no matter how much we sacrifice privacy rights, stopping foreign hackers becomes a political question of foreign policy.

The conclusion is this: from the point of view of government, this Executive Order (and the follow-on actions by the Treasury Department) is a reasonable response to recent hacking. But the reality is that it’s a power grab by government, granting them new powers to bypass our rights, that they are unlikely to ever give up. It’s unlikely to solve the problem of foreign hacking, but will do much to expand the cyber police state.

Schneier on Security: The Eighth Movie-Plot Threat Contest

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

It’s April 1, and time for another Movie-Plot Threat Contest. This year, the theme is Crypto Wars II. Strong encryption is evil, because it prevents the police from solving crimes. (No, really — that’s the argument.) FBI Director James Comey is going to be hard to beat with his heartfelt litany of movie-plot threats:

“We’re drifting toward a place where a whole lot of people are going to be looking at us with tears in their eyes,” Comey argued, “and say ‘What do you mean you can’t? My daughter is missing. You have her phone. What do you mean you can’t tell me who she was texting with before she disappeared?”

[…]

“I’ve heard tech executives say privacy should be the paramount virtue,” Comey said. “When I hear that, I close my eyes and say, ‘Try to imagine what that world looks like where pedophiles can’t be seen, kidnappers can’t be seen, drug dealers can’t be seen.’”

(More Comey here.)

Come on, Comey. You might be able to scare noobs like Rep. John Carter with that talk, but you’re going to have to do better if you want to win this contest. We heard this same sort of stuff out of then-FBI director Louis Freeh in 1996 and 1997.

This is the contest: I want a movie-plot threat that shows the evils of encryption. (For those who don’t know, a movie-plot threat is a scary-threat story that would make a great movie, but is much too specific to build security policies around. Contest history here.) We’ve long heard about the evils of the Four Horsemen of the Internet Apocalypse — terrorists, drug dealers, kidnappers, and child pornographers. (Or maybe they’re terrorists, pedophiles, drug dealers, and money launderers; I can never remember.) Try to be more original than that. And nothing too science fictional; today’s technology or presumed technology only.

Entries are limited to 500 words — I check — and should be posted in the comments. At the end of the month, I’ll choose five or so semifinalists, and we can all vote and pick the winner.

The prize will be signed copies of the 20th Anniversary Edition of the 2nd Edition of Applied Cryptography, and the 15th Anniversary Edition of Secrets and Lies, both being published by Wiley this year in an attempt to ride the Data and Goliath bandwagon.

Good luck.

The Hacker Factor Blog: Chinese Sayings

This post was syndicated from: The Hacker Factor Blog and was written by: The Hacker Factor Blog. Original post: at The Hacker Factor Blog

I recently blogged about Google ending support for Google Code. I had pointed out that the recommended solution was to move from Google Code to GitHub and that we should hope GitHub doesn’t go away anytime soon. I swear that was just a snide comment and not displaying any insider knowledge of what happened next…

About a week later, GitHub announced that they were under a very large scale denial-of-service attack. According to GitHub’s blog:

The attack began around 2AM UTC on Thursday, March 26, and involves a wide combination of attack vectors. These include every vector we’ve seen in previous attacks as well as some sophisticated new techniques that use the web browsers of unsuspecting, uninvolved people to flood github.com with high levels of traffic. Based on reports we’ve received, we believe the intent of this attack is to convince us to remove a specific class of content.

The folks at TechCrunch elaborated on the targeted attack:

Specifically, security experts report that the attackers were redirecting search traffic from overseas users of the Chinese search engine Baidu, and were targeting two pages in particular. One page was run by Greatfire.org, a site that reports on the government censorship in China, and the other linked to a copy of the New York Times’ Chinese language website.

To put things into perspective, the denial of service attack last year against my own site lasted 24 hours and prevented the public from accessing the server. This attack against GitHub appears to have recently ended — after 118 hours! And the attack only caused short outages. (I am very impressed by GitHub’s ability to withstand a massive network attack like this.)

Chinese Proverb: A cornered dog will jump over the wall.

In a press conference yesterday, Chinese officials were asked about the network attack. (Note: This quote comes from a web page posted in English on a Chinese government web site.)

Q: First, officials from Puntland, Somalia said that more and more ships from Iran, the ROK and China are involved in illegal fishing off the Somali waters. UN officials said that the rise of illegal fishing may lead to rampant piracy. Has China asked its fishermen to stop illegal fishing? Second, a report says that a US website was under hacker attack, and the source of the attack was from China. How do you respond?

A: On your first question, the Chinese government is opposed to illegal fishing, and we have been asking Chinese citizens to fish in accordance with the law. We also hope countries concerned can take tangible steps to safeguard the security and rights and interests of the Chinese fishermen.

On your second question, it is quite odd that every time a website in the US or any other country is under attack, there will be speculation that Chinese hackers are behind it. I’d like to remind you that China is one of the major victims of cyber attacks. We have been underlining that China hopes to work with the international community to speed up the making of international rules and jointly keep the cyber space peaceful, secure, open and cooperative. It is hoped that all parties can work in concert to address hacker attacks in a positive and constructive manner.

As ZDNet noted, China’s Foreign Ministry spokesperson Hua Chunying did not deny the attack. Moreover, Hua tried to spin it as if China was the victim.

Chinese Proverb: An offender sues the victim first.

I watch the logs on my web server very closely. I regularly see network attacks against the server. Most attacks are from automated bots looking for known vulnerabilities. However, occasionally there are manual attacks or novel 0-day attacks. (None have been successful, but I still keep an eye on the server.)

Geolocating a network address back to a source is relatively straightforward. You start with the network address of the client and you reference some public data that maps addresses to locations. Identifying the country is relatively easy. Identifying the city or something more specific may be less accurate. Typically, if a network address traces to “Denver, Colorado”, what it really means is “in or near Denver, Colorado” — it may be Aurora, Littleton, Boulder, or even Colorado Springs, but it’s probably not Pueblo, Ted’s Place, or anywhere outside Colorado.

Of course, hostile attackers could use proxies. But those kinds of attacks typically do not use network addresses from the same subnets.

At FotoForensics, a solid 60% of all network attacks come from addresses that geolocate to China. The next largest sources (20% and 10% respectively) are the United States and Russia. With the USA, attacks typically come from everywhere — there is no particular subnet or hosting location. These attacks likely represent infected computers and botnets. In contrast, Russia is usually isolated to specific network addresses. But China? I see entire subnets attacking my site. When one address gets banned, another address in the same subnet continues where the last one left off.

Recently I noticed that the attacks from China follow one of two patterns.

Attack Pattern #1: “Scan bot”
A bot first attacks my secure-shell (ssh) server. It tries a couple of brute-force login attempts as “root” and then gets banned. Immediately after the ban (within 2 seconds), there is a web bot from a different network address in China that accesses “/” or “/favicon.ico”. I know this is a bot because a real user’s client would download my logo image, style sheet, and other dependency files.

I’m not sure what the Chinese web bot is looking for, but I suspect that it is something in the HTTP header. If they see it, then they will likely attack. And since I’m not seeing the web attack, I must not be returning whatever it is they are looking for.

Attack Pattern #2: “The Follow-up”
My site gets visitors from all over the world. But in any given hour, I may only receive a small sample of countries using my online service. I may go hours without a legitimate user accessing FotoForensics from China. But when they do, there seems to be a consistent pattern.

First, the user accesses my site. This is harmless and they use the site as intended. Then, between 5 and 15 minutes later, a bot from a different subnet in China will attempt to attack my ssh server.

For example…
A user at 111.186.106.xx (Kunming, CN) used my site at 29/Mar/2015:08:51:44 -0600.
This was followed by an attack against my ssh server from 221.229.166.28 (Shancheng, CN).

On 29/Mar/2015:06:34:45, a user at 180.76.6.xx (Beijing, CN) visited my site. This was followed by ssh attacks from 58.218.204.241 (Shancheng, CN).

The attacks in my logs look like:

root ssh:notty 221.229.166.254 Tue Mar 31 06:38 – 06:38 (00:00)
root ssh:notty 221.229.166.254 Tue Mar 31 06:38 – 06:38 (00:00)
root ssh:notty 221.229.166.254 Tue Mar 31 06:38 – 06:38 (00:00)
root ssh:notty 221.229.166.254 Tue Mar 31 06:38 – 06:38 (00:00)
root ssh:notty 221.229.166.254 Tue Mar 31 06:38 – 06:38 (00:00)
root ssh:notty 221.229.166.254 Tue Mar 31 06:38 – 06:38 (00:00)
root ssh:notty 221.229.166.254 Tue Mar 31 06:38 – 06:38 (00:00)
root ssh:notty 221.229.166.30 Tue Mar 31 06:02 – 06:02 (00:00)
root ssh:notty 221.229.166.30 Tue Mar 31 06:02 – 06:02 (00:00)
root ssh:notty 221.229.166.30 Tue Mar 31 06:02 – 06:02 (00:00)

I checked these attack addresses against various DNS blacklists that track network attacks. Every single one of these addresses is a known attacker. For example, CBL.AbuseAt.org lists 221.229.166.28, 221.229.166.30 and 221.229.166.254 as known hostile addresses that perform network attacks. The site Blocklist.de also lists them as known attackers. And websworld.org shows similar ssh attacks coming from these addresses as well as a ton of other Chinese network addresses. (Currently Websworld lists 62 addresses that have attacked their ssh servers — 58 of them are from China.)

It has reached the point where I have blacklisted entire subnets from China that have only been used to attack my server. For example, I have banned 221.229.166.0/24 since many of the addresses in that range have attacked my server and none have been used for anything legitimate.
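The two checks in the preceding paragraphs, the DNSBL lookup and the "ban the whole /24" decision, are mechanical enough to script. What follows is an added example, not the author's code: dnsbl_query_name builds the reversed-octet name a DNSBL lookup queries, check_dnsbl interprets the answer using the usual DNSBL convention (a listed address resolves to something in 127.0.0.0/8, an unlisted one does not resolve), and subnet_bans selects the /24s that have produced several distinct attackers and no legitimate visitor. The resolver is a constructed stub so the code runs offline, the 127.0.0.2 answers in it are assumed, the attacker and visitor lists are constructed, and the threshold of three attackers is an assumption.

```python
# Added example, not the author's code: DNSBL query-name construction and answer
# interpretation, plus the "ban a /24 that only ever attacks" decision.
# The resolver below is a constructed stub so this runs offline; for a real
# lookup pass a function such as lambda n: socket.gethostbyname_ex(n)[2].
import ipaddress
from collections import defaultdict

# DNSBL convention: a listed address resolves to an A record inside 127.0.0.0/8.
LISTED_RANGE = ipaddress.ip_network("127.0.0.0/8")


def dnsbl_query_name(ip, zone):
    """'221.229.166.28' + 'cbl.abuseat.org' -> '28.166.229.221.cbl.abuseat.org'."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def check_dnsbl(ip, zone, resolve):
    """True if the zone lists ip. `resolve(name)` returns a list of A records or
    raises OSError (socket.gaierror is an OSError) when the name does not exist."""
    try:
        answers = resolve(dnsbl_query_name(ip, zone))
    except OSError:
        return False
    return any(ipaddress.ip_address(a) in LISTED_RANGE for a in answers)


def subnet_bans(attackers, legitimate, prefixlen=24, min_attackers=3):
    """Subnets (as strings) with >= min_attackers distinct attacking addresses and
    no legitimate visitor at all. min_attackers=3 is an assumed threshold."""
    def net(ip):
        return ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
    seen = defaultdict(set)
    for ip in attackers:
        seen[net(ip)].add(ip)
    legit_addrs = [ipaddress.ip_address(ip) for ip in legitimate]
    clean = {n for n in seen if not any(a in n for a in legit_addrs)}
    return sorted(str(n) for n in clean if len(seen[n]) >= min_attackers)


# Constructed inputs, mirroring the addresses discussed in the post.
ATTACKERS = ["221.229.166.28", "221.229.166.30", "221.229.166.254", "221.229.166.28",
             "58.218.204.241", "180.76.6.200", "180.76.6.201", "180.76.6.202"]
LEGITIMATE = ["111.186.106.12", "180.76.6.44"]

# Stub resolver standing in for DNS; the 127.0.0.2 answers are assumed.
STUB_ANSWERS = {"28.166.229.221.cbl.abuseat.org": ["127.0.0.2"],
                "30.166.229.221.cbl.abuseat.org": ["127.0.0.2"]}


def stub_resolve(name):
    if name not in STUB_ANSWERS:
        raise OSError("NXDOMAIN")
    return STUB_ANSWERS[name]


if __name__ == "__main__":
    print("ban:", subnet_bans(ATTACKERS, LEGITIMATE))
    for ip in ("221.229.166.28", "203.0.113.7"):
        print(ip, "listed" if check_dnsbl(ip, "cbl.abuseat.org", stub_resolve) else "not listed")
```

With the constructed inputs, 221.229.166.0/24 is the only subnet that qualifies: 58.218.204.0/24 has a single attacker, and 180.76.6.0/24 has three attackers but also a legitimate visitor, which is the case the post's rule is meant to spare. Treat any DNSBL answer outside 127.0.0.0/8 as "not listed" rather than as a listing; some zones use such answers to signal errors or over-query.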

I find this second attack pattern to be very disturbing and very consistent. First a user in China accesses my site, and then an attack comes in 5-15 minutes later. It is disturbing because it appears that the Chinese government actively tracks every web site their citizens access, and then they queue up the site for a follow-up attack.

If this were just a botnet, then it would not be predictable. However, it is very predictable. If nobody from China visits my site in an hour, then there are none of these ssh attacks from China. As soon as someone from China visits my site, I can expect and receive an attack within 15 minutes.
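Both patterns described above are correlations between two log sources with a time window, which makes them easy to turn into detection logic. The following is an added example, not the author's code: it parses a web access log in Apache "combined" format and sshd's "Failed password" lines, then reports pattern #2 (a visit from a country followed 5 to 15 minutes later by ssh failures from the same country but a different /24) and pattern #1 (within 2 seconds of an address being banned, a bare request for / or /favicon.ico from a different address in the same country). The log lines, the prefix-to-country table standing in for a GeoIP database, the log year and zone for the syslog lines, and the "banned after 3 failures" rule are all constructed assumptions.

```python
# Added example, not the author's code: run the two patterns from the post as
# detection logic over log lines. Web side: Apache "combined" format. ssh side:
# sshd syslog lines, which carry no year and no zone, so both are assumed here.
# All log lines and the prefix-to-country table are constructed stand-ins.
import ipaddress
import re
from datetime import datetime, timedelta, timezone

# Assumed: a tiny prefix table standing in for a real GeoIP database.
GEO = [(ipaddress.ip_network(p), c) for p, c in {
    "111.186.0.0/16": "CN", "180.76.0.0/16": "CN", "221.229.0.0/16": "CN",
    "58.218.0.0/16": "CN", "203.0.113.0/24": "US"}.items()]
LOG_YEAR, LOG_TZ = 2015, timezone(timedelta(hours=-6))  # assumed for syslog lines
BAN_AFTER = 3  # assumed fail2ban-style rule: the 3rd failure triggers the ban

WEB_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*"')
SSH_RE = re.compile(r'^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: '
                    r'Failed password for (?:invalid user )?(\S+) from (\S+) port')

def country(ip):
    addr = ipaddress.ip_address(ip)
    return next((c for net, c in GEO if addr in net), "??")

def subnet24(ip):
    return str(ipaddress.ip_network(ip + "/24", strict=False))

def parse_web(lines):
    """Apache combined -> [{'t', 'ip', 'path'}], sorted by time."""
    out = []
    for m in filter(None, map(WEB_RE.match, lines)):
        t = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
        out.append({"t": t, "ip": m.group(1), "path": m.group(4)})
    return sorted(out, key=lambda e: e["t"])

def parse_ssh(lines):
    """sshd 'Failed password' lines -> [{'t', 'ip', 'user'}], sorted by time."""
    out = []
    for m in filter(None, map(SSH_RE.match, lines)):
        t = datetime.strptime(f"{LOG_YEAR} {m.group(1)}", "%Y %b %d %H:%M:%S")
        out.append({"t": t.replace(tzinfo=LOG_TZ), "ip": m.group(3), "user": m.group(2)})
    return sorted(out, key=lambda e: e["t"])

def followups(web, ssh, min_gap=timedelta(minutes=5), max_gap=timedelta(minutes=15)):
    """Pattern #2: a visit from country C, then ssh failures from C but another /24,
    5 to 15 minutes later. One hit per (visitor, attacker) pair, earliest gap kept."""
    hits = {}
    for w in web:
        for s in ssh:
            gap = s["t"] - w["t"]
            if (min_gap <= gap <= max_gap and country(s["ip"]) == country(w["ip"])
                    and subnet24(s["ip"]) != subnet24(w["ip"])):
                hits.setdefault((w["ip"], s["ip"]), int(gap.total_seconds()))
    return [(visitor, attacker, gap) for (visitor, attacker), gap in hits.items()]

def ban_times(ssh):
    """When each attacker would be banned: the time of its BAN_AFTER-th failure."""
    seen, bans = {}, {}
    for s in ssh:
        seen[s["ip"]] = seen.get(s["ip"], 0) + 1
        if seen[s["ip"]] == BAN_AFTER:
            bans[s["ip"]] = s["t"]
    return bans

def scan_bots(web, ssh, window=timedelta(seconds=2)):
    """Pattern #1: within 2 s of a ban, a GET for / or /favicon.ico from a
    different address in the same country as the banned one."""
    hits = []
    for banned_ip, t in ban_times(ssh).items():
        for w in web:
            if (timedelta(0) <= w["t"] - t <= window and w["ip"] != banned_ip
                    and w["path"] in ("/", "/favicon.ico")
                    and country(w["ip"]) == country(banned_ip)):
                hits.append((banned_ip, w["ip"], w["path"]))
    return hits

# Constructed sample lines (addresses chosen to mirror the ones in the post).
WEB_LOG = [
    '111.186.106.12 - - [29/Mar/2015:08:51:44 -0600] "GET /analysis.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '111.186.106.12 - - [29/Mar/2015:08:51:45 -0600] "GET /style.css HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [29/Mar/2015:09:00:01 -0600] "GET / HTTP/1.1" 200 3000 "-" "curl/7.38.0"',
    '221.229.166.30 - - [29/Mar/2015:09:10:05 -0600] "GET /favicon.ico HTTP/1.1" 404 209 "-" "-"',
]
SSH_LOG = [
    "Mar 29 09:01:30 srv sshd[2210]: Failed password for root from 221.229.166.28 port 40211 ssh2",
    "Mar 29 09:01:32 srv sshd[2210]: Failed password for root from 221.229.166.28 port 40213 ssh2",
    "Mar 29 09:10:02 srv sshd[2290]: Failed password for root from 58.218.204.241 port 50001 ssh2",
    "Mar 29 09:10:03 srv sshd[2290]: Failed password for root from 58.218.204.241 port 50002 ssh2",
    "Mar 29 09:10:04 srv sshd[2290]: Failed password for root from 58.218.204.241 port 50003 ssh2",
]

if __name__ == "__main__":
    web, ssh = parse_web(WEB_LOG), parse_ssh(SSH_LOG)
    print("follow-ups:", followups(web, ssh))  # (visitor, attacker, seconds)
    print("scan bots: ", scan_bots(web, ssh))  # (banned ip, probing ip, path)
```

On the sample, the 08:51:44 visit from 111.186.106.12 is paired with the 09:01:30 failures from 221.229.166.28 (586 seconds later, different /24, same country), and the third failure from 58.218.204.241 at 09:10:04 is followed one second later by a bare /favicon.ico request from 221.229.166.30. The pairing loops are quadratic, fine for a day of a small site's logs; for anything larger, walk both lists in time order with a sliding window instead. Both timestamps are made timezone-aware before subtraction, which is the usual source of off-by-hours errors when one log carries an offset and the other does not.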

The second question becomes: is this the Chinese government or someone else? To answer that, we just need to look at the users who visit my site. In order to queue up these attacks, “someone” must be able to watch all traffic out of China. As far as I can tell, only the Chinese government is configured to watch all packets that leave their country. An individual user can monitor their local subnet, but not the entire country. A compromised router can monitor a region, but not the entire country. So either all of China has been compromised and is being used to attack everyone, or the Chinese government is actively monitoring all traffic and queuing up sites to attack. (The third option is that this is a very long-term and consistent coincidence. But a 100% predictability rate over weeks does not seem coincidental to me.)

Chinese Proverb: A thief cries “Stop thief!”

The Chinese government is well-known for performing cyber attacks. Some of the attacks are espionage, while others attempt to identify dissidents. I can only assume that these latest attacks are China’s new method to automate compromises, identify critics, and silence online voices.

The Chinese official said, “it is quite odd that every time a website in the US or any other country is under attack, there will be speculation that Chinese hackers are behind it”. Whether it is a long-term denial of service that tries to silence voices or wide-spread network attacks, there is no question whether these attacks trace to China or whether the Chinese government permits these attacks. In my case, these attacks are not speculation; they form a consistent, repeatable, and predictable pattern. I also have no doubt that if the Github security staff say the attacks trace to China, then it came from China. Since the Chinese government attempts to filter all content in and out of their country, it is reasonable to believe that they could mitigate or stop these attacks if they wanted it stopped.

The only thing odd is the Chinese official saying that she finds it “odd” that these attacks keep being blamed on China. Perhaps the Foreign Ministry spokesperson should adopt a British idiom: “if the cap fits, wear it.”


A: On your first question, the Chinese government is opposed to illegal fishing, and we have been asking Chinese citizens to fish in accordance with the law. We also hope countries concerned can take tangible steps to safeguard the security and rights and interests of the Chinese fishermen.

On your second question, it is quite odd that every time a website in the US or any other country is under attack, there will be speculation that Chinese hackers are behind it. I’d like to remind you that China is one of the major victims of cyber attacks. We have been underlining that China hopes to work with the international community to speed up the making of international rules and jointly keep the cyber space peaceful, secure, open and cooperative. It is hoped that all parties can work in concert to address hacker attacks in a positive and constructive manner.

As ZDNet noted, China’s Foreign Ministry spokesperson Hua Chunying did not deny the attack. Moreover, Hua tried to spin it as if China was the victim.

Chinese Proverb: An offender sues the victim first.

I watch the logs on my web server very closely. I regularly see network attacks against the server. Most attacks are from automated bots looking for known vulnerabilities. However, occasionally there are manual attacks or novel 0-day attacks. (None have been successful, but I still keep an eye on the server.)

Geolocating a network address back to a source is relatively straightforward. You start with the network address of the client and you reference some public data that maps addresses to locations. Identifying the country is relatively easy. Identifying the city or something more specific may be less accurate. Typically, if a network address traces to “Denver, Colorado”, what it really means is “in or near Denver, Colorado” — it may be Aurora, Littleton, Boulder, or even Colorado Springs, but it’s probably not Pueblo, Ted’s Place, or anywhere outside Colorado.

Of course, hostile attackers could use proxies. But those kinds of attacks typically do not use network addresses from the same subnets.

At FotoForensics, a solid 60% of all network attacks come from addresses that geolocate to China. The next largest countries (20% and 10% respectively) are the United States and Russia. With the USA, attacks typically come from everywhere — there is no particular subnet or hosting location. These attacks likely represent infected computers and botnets. In contrast, Russia is usually isolated to specific network addresses. But China? I see entire subnets attacking my site. When one address gets banned, another address in the same subnet continues where the last one left off.

Recently I noticed that the attacks from China follow one of two patterns.

Attack Pattern #1: “Scan bot”
A bot first attacks my secure-shell (ssh) server. It tries a couple of brute-force login attempts as “root” and then gets banned. Immediately after the ban (within 2 seconds), there is a web bot from a different network address in China that accesses “/” or “/favicon.ico”. I know this is a bot because a real user’s client would download my logo image, style sheet, and other dependency files.

I’m not sure what the Chinese web bot is looking for, but I suspect that it is something in the HTTP header. If they see it, then they will likely attack. And since I’m not seeing the web attack, I must not be returning whatever it is they are looking for.

Attack Pattern #2: “The Follow-up”
My site gets visitors from all over the world. But in any given hour, I may only receive a small sample of countries using my online service. I may go hours without a legitimate user accessing FotoForensics from China. But when they do, there seems to be a consistent pattern.

First, the user accesses my site. This is harmless and they use the site as intended. Then, between 5 and 15 minutes later, a bot from a different subnet in China will attempt to attack my ssh server.

For example…
A user at 111.186.106.xx (Kunming, CN) used my site at 29/Mar/2015:08:51:44 -0600.
This was followed by an attack against my ssh server from 221.229.166.28 (Shancheng, CN).

On 29/Mar/2015:06:34:45, a user at 180.76.6.xx (Beijing, CN) visited my site. This was followed by ssh attacks from 58.218.204.241 (Shancheng, CN).

The attacks in my logs look like:

root ssh:notty 221.229.166.254 Tue Mar 31 06:38 – 06:38 (00:00)
root ssh:notty 221.229.166.254 Tue Mar 31 06:38 – 06:38 (00:00)
root ssh:notty 221.229.166.254 Tue Mar 31 06:38 – 06:38 (00:00)
root ssh:notty 221.229.166.254 Tue Mar 31 06:38 – 06:38 (00:00)
root ssh:notty 221.229.166.254 Tue Mar 31 06:38 – 06:38 (00:00)
root ssh:notty 221.229.166.254 Tue Mar 31 06:38 – 06:38 (00:00)
root ssh:notty 221.229.166.254 Tue Mar 31 06:38 – 06:38 (00:00)
root ssh:notty 221.229.166.30 Tue Mar 31 06:02 – 06:02 (00:00)
root ssh:notty 221.229.166.30 Tue Mar 31 06:02 – 06:02 (00:00)
root ssh:notty 221.229.166.30 Tue Mar 31 06:02 – 06:02 (00:00)

I checked these attack addresses against various DNS blacklists that track network attacks. Every single one of these addresses is a known attacker. For example, CBL.AbuseAt.org lists 221.229.166.28, 221.229.166.30 and 221.229.166.254 as known hostile addresses that perform network attacks. The site Blocklist.de also lists them as known attackers. And websworld.org shows similar ssh attacks coming from these addresses as well as a ton of other Chinese network addresses. (Currently Websworld lists 62 addresses that have attacked their ssh servers — 58 of them are from China.)

It has reached the point where I have blacklisted entire subnets from China that have only been used to attack my server. For example, I have banned 211.229.166.0/24 since many of the addresses in that range have attacked my server and none has been used legitimately.

I find this second attack pattern to be very disturbing and very consistent. First a user in China accesses my site, and then an attack comes in 5-15 minutes later. It is disturbing because it appears that the Chinese government actively tracks every web site their citizens access, and then they queue up the site for a follow-up attack.

If this were just a botnet, then it would not be predictable. However, it is very predictable. If nobody from China visits my site in an hour, then there are none of these ssh attacks from China. As soon as someone from China visits my site, I can expect and receive an attack within 15 minutes.
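
The follow-up pattern described above is easy to check mechanically once the web access log and the ssh failure records are side by side. The script below is an added example, not code from the original post: it parses a few constructed access-log lines and constructed btmp-style failed-login records (the same layout as the `last` output shown above), geolocates addresses with a small constructed prefix table standing in for a GeoIP database, and reports every visit that is followed within 5 to 15 minutes by ssh failures from a different /24 in the same country. The prefix table, the timestamps, the -0600 zone and the sample addresses are all assumptions for the demonstration.

```python
"""Correlate web visits with follow-up ssh brute-force attempts.

Added example, not code from the original post. Every log line and the
GEO prefix table below are constructed samples; a real deployment would
consult a GeoIP database instead of GEO.
"""
from __future__ import annotations

import ipaddress
import re
from datetime import datetime, timedelta, timezone

# Constructed stand-in for a GeoIP lookup (prefix -> ISO country code).
GEO = {
    "111.186.106.0/24": "CN",
    "180.76.6.0/24": "CN",
    "221.229.166.0/24": "CN",
    "58.218.204.0/24": "CN",
    "198.51.100.0/24": "US",   # TEST-NET-2, used here as a US placeholder
}

# The post's server logs in -0600; btmp output carries no zone, so attach it.
LOCAL_TZ = timezone(timedelta(hours=-6))

# Constructed combined-format web access log lines.
ACCESS_LOG = """\
111.186.106.17 - - [29/Mar/2015:08:51:44 -0600] "GET /analysis.php HTTP/1.1" 200 5120
198.51.100.34 - - [29/Mar/2015:08:53:10 -0600] "GET / HTTP/1.1" 200 2048
180.76.6.9 - - [29/Mar/2015:06:34:45 -0600] "GET / HTTP/1.1" 200 2048
"""

# Constructed failed-login records in the ``last -f /var/log/btmp`` layout
# shown in the post: user, tty, source address, start and end time.
BTMP = """\
root ssh:notty 221.229.166.28 Sun Mar 29 09:02 - 09:02 (00:00)
root ssh:notty 221.229.166.28 Sun Mar 29 09:02 - 09:02 (00:00)
root ssh:notty 58.218.204.241 Sun Mar 29 06:41 - 06:41 (00:00)
root ssh:notty 198.51.100.77 Sun Mar 29 08:55 - 08:55 (00:00)
"""

ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)"')
BTMP_RE = re.compile(r"^(\S+)\s+ssh:notty\s+(\S+)\s+(\w{3} \w{3} +\d{1,2} \d{2}:\d{2})")


def country_of(ip: str) -> str | None:
    """Return the country code for ip, or None if it is not in GEO."""
    addr = ipaddress.ip_address(ip)
    for prefix, cc in GEO.items():
        if addr in ipaddress.ip_network(prefix):
            return cc
    return None


def slash24(ip: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(f"{ip}/24", strict=False)


def parse_access(text: str) -> list[tuple[datetime, str, str]]:
    """(timestamp, client ip, request line) for each access-log line."""
    visits = []
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if m:
            ip, ts, req = m.groups()
            visits.append((datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), ip, req))
    return visits


def parse_btmp(text: str, year: int = 2015) -> list[tuple[datetime, str, str]]:
    """(timestamp, source ip, user) for each btmp line; btmp omits the year."""
    attempts = []
    for line in text.splitlines():
        m = BTMP_RE.match(line)
        if m:
            user, ip, ts = m.groups()
            when = datetime.strptime(f"{ts} {year}", "%a %b %d %H:%M %Y")
            attempts.append((when.replace(tzinfo=LOCAL_TZ), ip, user))
    return attempts


def correlate(visits, attempts, min_gap=timedelta(minutes=5), max_gap=timedelta(minutes=15)):
    """(country, visitor ip, attacker ip, minutes) for each visit followed within
    [min_gap, max_gap] by ssh failures from another /24 in the same country.
    Same-/24 follow-ups are ignored: they are more likely the same operator."""
    hits = set()
    for v_when, v_ip, _ in visits:
        cc = country_of(v_ip)
        if cc is None:
            continue
        for a_when, a_ip, _ in attempts:
            if country_of(a_ip) != cc or slash24(v_ip) == slash24(a_ip):
                continue
            gap = a_when - v_when
            if min_gap <= gap <= max_gap:
                hits.add((cc, v_ip, a_ip, int(gap.total_seconds() // 60)))
    return sorted(hits)


def attacker_subnets(hits) -> list[str]:
    """The /24s behind the follow-up attempts: candidates for a subnet-wide
    block once you have confirmed no legitimate traffic comes from them."""
    return sorted({str(slash24(a_ip)) for _, _, a_ip, _ in hits})


if __name__ == "__main__":
    found = correlate(parse_access(ACCESS_LOG), parse_btmp(BTMP))
    for cc, v_ip, a_ip, mins in found:
        print(f"[{cc}] visit from {v_ip} followed {mins} min later by ssh failures from {a_ip}")
    print("subnets to review:", attacker_subnets(found))
```

Run over the constructed data, the script reports the two Chinese visits each followed by an ssh attack from a different /24 and ignores the US pair, which falls inside one /24 and outside the window. The country check on both ends and the different-/24 requirement are what separate the pattern in the post from ordinary background scanning; widening the window or dropping either condition will produce many coincidental matches on a busy server.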

The second question becomes: is this the Chinese government or someone else? To answer that, we just need to look at the users who visit my site. In order to queue up these attacks, “someone” must be able to watch all traffic out of China. As far as I can tell, only the Chinese government is configured to watch all packets that leave their country. An individual user can monitor their local subnet, but not the entire country. A compromised router can monitor a region, but not the entire country. So either all of China has been compromised and is being used to attack everyone, or the Chinese government is actively monitoring all traffic and queuing up sites to attack. (The third option is that this is a very long-term and consistent coincidence. But a 100% predictability rate over weeks does not seem coincidental to me.)

Chinese Proverb: A thief cries “Stop thief!”

The Chinese government is well-known for performing cyber attacks. Some of the attacks are espionage, while others attempt to identify dissidents. I can only assume that these latest attacks are China’s new method to automate compromises, identify critics, and silence online voices.

The Chinese official said, “it is quite odd that every time a website in the US or any other country is under attack, there will be speculation that Chinese hackers are behind it”. Whether it is a long-term denial of service that tries to silence voices or wide-spread network attacks, there is no question that these attacks trace to China or that the Chinese government permits them. In my case, these attacks are not speculation; they form a consistent, repeatable, and predictable pattern. I also have no doubt that if the Github security staff say the attacks trace to China, then they came from China. Since the Chinese government attempts to filter all content in and out of their country, it is reasonable to believe that they could mitigate or stop these attacks if they wanted them stopped.

The only thing odd is the Chinese official saying that she finds it “odd” that these attacks keep being blamed on China. Perhaps the Foreign Ministry spokesperson should adopt a British idiom: “if the cap fits, wear it.”

Schneier on Security: Survey of Americans’ Privacy Habits Post-Snowden

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

Pew Research has a new survey on Americans’ privacy habits in a post-Snowden world.

The 87% of those who had heard at least something about the programs were asked follow-up questions about their own behaviors and privacy strategies:

34% of those who are aware of the surveillance programs (30% of all adults) have taken at least one step to hide or shield their information from the government. For instance, 17% changed their privacy settings on social media; 15% use social media less often; 15% have avoided certain apps and 13% have uninstalled apps; 14% say they speak more in person instead of communicating online or on the phone; and 13% have avoided using certain terms in online communications.

[…]

25% of those who are aware of the surveillance programs (22% of all adults) say they have changed the patterns of their own use of various technological platforms “a great deal” or “somewhat” since the Snowden revelations. For instance, 18% say they have changed the way they use email “a great deal” or “somewhat”; 17% have changed the way they use search engines; 15% say they have changed the way they use social media sites such as Twitter and Facebook; and 15% have changed the way they use their cell phones.

Also interesting are the people who have not changed their behavior because they’re afraid that it would lead to more surveillance. From pages 22-23 of the report:

Still, others said they avoid taking more advanced privacy measures because they believe that taking such measures could make them appear suspicious:

“There’s no point in inviting scrutiny if it’s not necessary.”

“I didn’t significantly change anything. It’s more like trying to avoid anything questionable, so as not to be scrutinized unnecessarily.”

“[I] don’t want them misunderstanding something and investigating me.”

There’s also data about how Americans feel about government surveillance:

This survey asked the 87% of respondents who had heard about the surveillance programs: “As you have watched the developments in news stories about government monitoring programs over recent months, would you say that you have become more confident or less confident that the programs are serving the public interest?” Some 61% of them say they have become less confident the surveillance efforts are serving the public interest after they have watched news and other developments in recent months and 37% say they have become more confident the programs serve the public interest. Republicans and those leaning Republican are more likely than Democrats and those leaning Democratic to say they are losing confidence (70% vs. 55%).

Moreover, there is a striking divide among citizens over whether the courts are doing a good job balancing the needs of law enforcement and intelligence agencies with citizens’ right to privacy: 48% say courts and judges are balancing those interests, while 49% say they are not.

At the same time, the public generally believes it is acceptable for the government to monitor many others, including foreign citizens, foreign leaders, and American leaders:

  • 82% say it is acceptable to monitor communications of suspected terrorists
  • 60% believe it is acceptable to monitor the communications of American leaders.
  • 60% think it is okay to monitor the communications of foreign leaders
  • 54% say it is acceptable to monitor communications from foreign citizens

Yet, 57% say it is unacceptable for the government to monitor the communications of U.S. citizens. At the same time, majorities support monitoring of those particular individuals who use words like “explosives” and “automatic weapons” in their search engine queries (65% say that) and those who visit anti-American websites (67% say that).

[…]

Overall, 52% describe themselves as “very concerned” or “somewhat concerned” about government surveillance of Americans’ data and electronic communications, compared with 46% who describe themselves as “not very concerned” or “not at all concerned” about the surveillance.

It’s worth reading these results in detail. Overall, these numbers are consistent with a worldwide survey from December. The press is spinning this as “Most Americans’ behavior unchanged after Snowden revelations, study finds,” but I see something very different. I see a sizable percentage of Americans not only concerned about government surveillance, but actively doing something about it. “Third of Americans shield data from government.” Edward Snowden’s goal was to start a national dialog about government surveillance, and these surveys show that he has succeeded in doing exactly that.

More news.

TorrentFreak: UK IP Chief Wants ISPs to Police Piracy Proactively

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

Mike Weatherley, a Conservative MP and Intellectual Property Adviser to UK Prime Minister David Cameron, has pushed various copyright related topics onto the political agenda since early last year.

Previously Weatherley suggested that search engines should blacklist pirate sites, kids should be educated on copyright ethics, and that persistent file-sharers should be thrown in jail.

In his latest proposal the UK MP targets information society service providers (ISSPs) including ISPs, who he believes could do more to fight piracy. The just-released 18-page report stresses that these companies have a moral obligation to tackle copyright infringement and can’t stand idly by.

The report (pdf) draws on input from various pro-copyright groups including the MPAA, BPI, and the Music Publishers Association. It offers various recommendations for the UK Government and the EU Commission to strengthen their anti-piracy policies.

One of the key points is to motivate Internet services and providers to filter content proactively. According to the report it’s feasible to “filter out infringing content” and to detect online piracy before it spreads.

The UK Government should review these systems and see what it can do to facilitate cooperation between copyright holders and Internet service providers.

“There should be an urgent review, by the UK Government, of the various applications and processes that could deliver a robust automated checking process regarding illegal activity being transmitted,” Weatherley advises.

In a related effort, Weatherley notes that Internet services should not just remove the content they’re asked to, but also police their systems to ensure that similar files are removed, permanently.

“ISSPs to be more proactive in taking down multiple copies of infringing works, not just the specific case they are notified of,” he recommends.

“This would mean ISSPs actively taking down multiple copies of the same work which are hosted on its services, not just the individual copy which is subject to the complaint. The MPA believe this principle could be extended further still to ensure that all copies of the infringing work are not just taken down…,” Weatherley explains.

This type of filtering is already used by YouTube, which takes down content based on fingerprint matches. However, the report suggests that regular broadband providers could also filter infringing content.

Concluding, Weatherley admits that it’s all too easy to simply demand that ISPs take the role of policemen, but at the same time he stresses that they have a “moral responsibility” to do more.

The UK MP presents an analogy of a landlord whose property is used for illegal activities. The landlord cannot be held liable for these activities, but he may have to take action if a third-party reports it.

“If the landlord is told that the garage is being used for illegal activity, and that this information is from a totally reliable source, then does the landlord have a moral obligation to report it?”

“I would argue that it is the duty of every citizen or company to do what they can to stop illegal activity and therefore the answer is, yes, the landlord should report the activity,” Weatherley notes.

Weatherley also believes that protecting the rights of copyright holders has priority over a “no monitoring” principle that would ensure users’ privacy. That is, if the monitoring is done right.

“There is also the question as to whether society will want to have their private activities monitored (even if automatically and entirely confidentially) and whether the trade off to a safer, fairer internet is a price worth paying to clamp down on internet illegal activity. My ‘vote’ would be “yes” if via an independent body …”

Overall, the recommendations will be welcomed by the industry groups who provided input. The report is not expected to translate directly into legislation, but they will be carefully weighed by the UK Government and the EU Commission when taking future decisions.

Source: TorrentFreak, for the latest info on copyright, file-sharing, torrent sites and anonymous VPN services.

Krebs on Security: Sign Up at irs.gov Before Crooks Do It For You

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

If you’re an American and haven’t yet created an account at irs.gov, you may want to take care of that before tax fraudsters create an account in your name and steal your personal and tax data in the process.

Recently, KrebsOnSecurity heard from Michael Kasper, a 35-year-old reader who tried to obtain a copy of his most recent tax transcript with the Internal Revenue Service (IRS). Kasper said he sought the transcript after trying to file his taxes through the desktop version of TurboTax, and being informed by TurboTax that the IRS had rejected the request because his return had already been filed.

Kasper said he phoned the IRS’s identity theft hotline (800-908-4490) and was told a direct deposit was being made that very same day for his tax refund — a request made with his Social Security number and address but to be deposited into a bank account that he didn’t recognize.

“Since I was alerting them that this transaction was fraudulent, their privacy rules prevented them from telling me any more information, such as the routing number and account number of that deposit,” Kasper said. “They basically admitted this was to protect the privacy of the criminal, not because they were going to investigate right away. In fact, they were very clear that the matter would not be investigated further until a fraud affidavit and accompanying documentation were processed by mail.”

In the following weeks, Kasper contacted the IRS, who told him they had no new information on his case. When he tried to get a transcript of the fraudulent return using the “Get Transcript” function on IRS.gov, he learned that someone had already registered through the IRS’s site using his Social Security number and an unknown email address.

“When I called the IRS to fix this, and spent another hour on hold, they explained they could not tell me what the email address was due to privacy regulations,” Kasper recalled. “They also said they could not change the email address, all they could do was ban access to eServices for my account, which they did. It was something at least.”

FORM 4506

Undeterred, Kasper researched further and discovered that he could still obtain a copy of the fraudulent return by filling out the IRS Form 4506 (PDF) and paying a $50 processing fee. Several days later, the IRS mailed Kasper a photocopy of the fraudulent return filed in his name — complete with the bank name and account number that received the $8,936 phony refund filed in his name.

“That’s right, $50 just for the right to see my own return,” Kasper said. “And once again the right hand does not know what the left hand is doing, because it cost me just $50 to get them to ignore their own privacy rules. The most interesting thing about this strange rule is that the IRS also refuses to look at the account data itself until it is fully investigated. Banks are required by law to report suspicious refund deposits, but the IRS does not even bother to contact banks to let them know a refund deposit was reported fraudulent, at least in the case of individual taxpayers who call, confirm their identity and report it, just like I did.”

Kasper said the transcript indicates the fraudsters filed his refund request using the IRS web site’s own free e-file website for those with incomes over $60,000. It also showed the routing number for First National Bank of Pennsylvania and the checking account number of the individual who got the deposit plus the date that they filed: January 31, 2015.

The transcript suggests that the fraudsters who claimed his refund had done so by copying all of the data from his previous year’s W2, and by increasing the previous year’s amounts slightly. Kasper said he can’t prove it, but he believes the scammers obtained that W2 data directly from the IRS itself, after creating an account at the IRS portal in his name (but using a different email address) and requesting his transcript.

“The person who submitted it somehow accessed my tax return from the previous year 2013 in order to list my employer and salary from that year, 2013, then use it on the 2014 return, instead,” Kasper said. “In addition, they also submitted a corrected W-2 that increased the withholding amount by exactly $6,000 to increase their total refund due to $8,936.”

MONEY MULING

On Wednesday, March 18, 2015, Kasper contacted First National Bank of Pennsylvania whose routing number was listed in the phony tax refund request, and reached their head of account security. That person confirmed a direct deposit by the IRS for $8,936.00 was made on February 9, 2015 into an individual checking account specifying Kasper’s full name and SSN in the metadata with the deposit.

“She told me that she could also see transactions were made at one or more branches in the city of Williamsport, PA to disburse or withdraw those funds and that several purchases were made by debit card in the city of Williamsport as well, so that at this point a substantial portion of the funds were gone,” Kasper said. “She further told me that no one from the IRS had contacted her bank to raise any questions about this account, despite my fraud report filed February 9, 2015.”

The head of account security at the bank stated that she would be glad to cooperate with the Williamsport Police if they provided the required legal request to allow her to release the name, address, and account details. The bank officer offered Kasper her office phone number and cell phone to share with the cops. The First National employee also mentioned that the suspect lived in the city of Williamsport, PA, and that this individual seemed to still be using the account.

Kasper said the local police in his New York hometown hadn’t bothered to respond to his request for assistance, but that the lieutenant at the Williamsport police department who heard his story took pity on him and asked him to write an email about the incident to his captain, which Kasper said he sent later that morning.

Just two hours later, he received a call from an investigator who had been assigned to the case. The detective then interviewed the individual who held the account the same day and told Kasper that the bank’s fraud department was investigating and had asked the person to return the cash.

“My tax refund fraud case had gone from stuck in the mud to an open case, almost overnight,” Kasper said. “Or at least it seemed to be that simple. It turned out to be much more complex.”

For starters, the woman who owned the bank account that received his phony refund — a student at a local Pennsylvania university — said she got the transfer after responding to a Craigslist ad for a moneymaking opportunity.

Kasper said the detective learned that money was deposited into her account, and that she sent the money out to locations in Nigeria via Western Union wire transfer, keeping some as a profit, and apparently never suspecting that she might be doing something illegal.

“She has so far provided a significant amount of information, and I’m inclined to believe her story,” Kasper said. “Who would be crazy enough to deposit a fraudulent tax refund in their own checking account, as opposed to an untraceable debit card they could get at a convenience store. At the same time, wouldn’t somebody who could pull this off also have an explanation like this ready?”

The woman in question, whose name is being withheld from this story, declined multiple requests to speak with KrebsOnSecurity, threatening to file harassment claims if I didn’t stop trying to contact her. Nevertheless, she appears to have been an unwitting — if not unwilling — money mule in a scam that seeks to recruit the unwary for moneymaking schemes.

ANALYSIS

The IRS’s process for verifying people requesting transcripts is vulnerable to exploitation by fraudsters because it relies on static identifiers and so-called “knowledge-based authentication” (KBA) — i.e., challenge questions that can be easily defeated with information widely available for sale in the cybercrime underground and/or with a small amount of searching online.

To obtain a copy of your most recent tax transcript, the IRS requires the following information: The applicant’s name, date of birth, Social Security number and filing status. After that data is successfully supplied, the IRS uses a service from credit bureau Equifax that asks four KBA questions. Anyone who succeeds in supplying the correct answers can see the applicant’s full tax transcript, including prior W2s, current W2s and more or less everything one would need to fraudulently file for a tax refund.

The KBA questions — which involve multiple choice, “out of wallet” questions such as previous address, loan amounts and dates — can be successfully enumerated with random guessing. But in practice it is far easier, said Nicholas Weaver, a researcher at the International Computer Science Institute (ICSI) and at the University of California, Berkeley.

“I did it twice, and the first time it was related to my current address, one old address question, and one ‘which credit card did you get’ question,” Weaver said. “The second time it was two questions related to my current address, and two related to a car loan I paid off in 2007.”

The second time round, Weaver said a few minutes on Zillow.com gave him all the answers he needed for the KBA questions. Spokeo solved the “old address” questions for him with 100% accuracy.

“Zillow with my address answered all four of them, if you just assume ‘moved when I bought the house’,” he said. “In fact, I NEEDED to use Zillow the second time around, because damned if I remember when my house was built. So with Zillow and Spokeo data, it isn’t even 1 in 256, it’s 1 in 4 the first time around and 1 in 16 the second, and you don’t need to guess blind either with a bit more Google searching.”
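
Weaver’s arithmetic generalizes to any KBA gate built from a fixed number of multiple-choice questions. The model below is an added example, not code from the article or from the IRS or Equifax: it takes the question count, the choices per question and the number of questions an attacker can already answer from public records, returns the exact chance that a single session passes, and shows what an attempt limit does to the remaining odds. The defaults of four questions and four choices follow the article; the three-attempt lockout is an assumption, not a documented IRS parameter.

```python
"""Guessing odds against a multiple-choice knowledge-based authentication gate.

Added example, not from the original article. Question count, choices per
question and the attempt limit are assumptions for illustration.
"""
from fractions import Fraction


def kba_pass_probability(questions: int = 4, choices: int = 4, known: int = 0) -> Fraction:
    """Exact probability that one session passes by guessing, given that
    `known` of the questions are already answered from public data
    (the Zillow and Spokeo lookups in the article)."""
    if not 0 <= known <= questions:
        raise ValueError("known must be between 0 and questions")
    if choices < 2:
        raise ValueError("a multiple-choice question needs at least two options")
    return Fraction(1, choices) ** (questions - known)


def pass_within_attempts(single: Fraction, attempts: int) -> Fraction:
    """Probability that at least one of `attempts` independent sessions passes.
    Assumes each session draws fresh questions, so tries are independent;
    if the gate repeats questions, an attacker does strictly better."""
    if attempts < 1:
        raise ValueError("attempts must be positive")
    return 1 - (1 - single) ** attempts


def odds_table(questions: int = 4, choices: int = 4, attempts: int = 3):
    """(known, one-session odds, odds within the attempt limit) for every
    possible number of publicly answerable questions."""
    rows = []
    for known in range(questions + 1):
        single = kba_pass_probability(questions, choices, known)
        rows.append((known, single, pass_within_attempts(single, attempts)))
    return rows


if __name__ == "__main__":
    print("known  one session   within 3 attempts")
    for known, single, within in odds_table():
        print(f"{known:>5}  {str(single):>11}   {str(within):>17}")
```

The table reproduces the article’s figures: 1 in 256 with nothing known, 1 in 16 with two questions answered from public records, 1 in 4 with three. The lockout row is the useful defender-side caveat: an attempt limit only helps while the per-session odds are small, and once public data has collapsed a four-question gate to one unknown question, three attempts pass more often than not.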

If any readers here doubt how easy it is to buy personal data on just about anyone, check out the story I wrote in December 2014, wherein I was able to find the name, address, Social Security number, previous address and phone number on all current members of the U.S. Senate Commerce Committee. This information is no longer secret (nor are the answers to KBA-based questions), and we are all made vulnerable to identity theft as long as institutions continue to rely on static information as authenticators. See my recent story on Apple Pay for another reminder of this fact.

Unfortunately, the IRS is not the only government agency whose reliance on static identifiers actually makes them complicit in facilitating identity theft against Americans. The same process described to obtain a tax transcript at irs.gov works to obtain a free credit report from annualcreditreport.com, a Web site mandated by Congress. In addition, Americans who have not already created an account at the Social Security Administration under their Social Security number are vulnerable to crooks hijacking SSA benefits now or in the future. For more on how crooks are siphoning Social Security benefits via government sites, check out this story.

Kasper said he’s grateful for the police report he was able to obtain from the Pennsylvania authorities because it allows him to get a freeze on his credit file without paying the customary $5 fee in New York to place and thaw a freeze.

Credit freezes prevent would-be creditors from approving new lines of credit in your name — and indeed from even being able to view or “pull” your credit file — but a freeze will not necessarily block fraudsters from filing phony tax returns in your name.

Unless, of course, the scammers in question are counting on obtaining your tax transcripts through the IRS’s own Web site. According to the IRS, people with a credit freeze on their file must lift the freeze (with Experian, at least) before the agency is able to continue with the KBA questions as part of its verification process.

The Hacker Factor Blog: Oh FCC

This post was syndicated from: The Hacker Factor Blog and was written by: The Hacker Factor Blog. Original post: at The Hacker Factor Blog

Two months ago, the FCC began to hint about their position on net neutrality. At the time, I blogged about the impact of any net neutrality ruling. While consumers say they want net neutrality, the solution being demanded would end up being bad for consumers. It’s a case of “be careful what you wish for, because you just might get it.”

One month ago, the FCC released a short 5-page summary of their findings. (Only the first two of the five pages are interesting.) I followed it up with a second blog entry that detailed how the proposed solution (no blocking, no throttling, and no paid prioritization) will end up making the Internet unusable.

Two weeks ago, the FCC released their 400-page detailed ruling on net neutrality. I had been slowly reading the FCC’s ruling. Although the FCC claims that this is pro-consumer, I am not convinced. The more I read it over, the more I believe that it is very anti-consumer. I even think that the entire report is written to undermine any enforcement options.

Backhanded Support

The first thing I noticed in their report is in their basis for their findings. In the FCC’s 400-page report, they list previous court cases in an attempt to show established authority. For example, the FCC wrote in paragraph 7:

Just over a year ago, the D.C. Circuit in Verizon v. FCC struck down the Commission’s 2010 conduct rules against blocking and unreasonable discrimination. But the Verizon court upheld the Commission’s finding that Internet openness drives a “virtuous cycle” in which innovations at the edges of the network enhance consumer demand, leading to expanded investments in broadband infrastructure that, in turn, spark new innovations at the edge.

This shows justification for enforcing net neutrality.

And on page 22, paragraph 71:

Despite upholding the Commission’s authority and the basic rationale supporting the Open Internet Order, the court struck down the no-blocking and antidiscrimination rules as at odds with section 3(51) of the Communications Act, holding that it prohibits the Commission from exercising its section 706 authority to impose common carrier regulation on a service not classified as a “telecommunications service,” and section 332(c)(2), which prohibits common carrier treatment of “private mobile services.”

This shows justification for reclassifying ISPs as a telecommunication utility.

The thing that got me is how these citations emphasize how the courts ruled against the FCC: “the court struck down”. Perhaps it’s because I’m not an attorney, but I didn’t see any justification examples in this report where the courts ruled in favor of the FCC. In effect, if someone wants to legally challenge this FCC ruling, then this document explicitly lists the arguments that should be used to overrule the FCC. This isn’t supporting net neutrality; it is a how-to manual for defeating this ruling.

Undermining Support

The FCC’s ruling has three basic rules: no blocking, no throttling, and no paid prioritization. But in each case, the FCC undermines the requirement. For example:

  • Page 7 footnote 17: No blocking and no throttling only applies to certain services and certain applications, and the FCC does not list the services or applications.

  • Page 7: The FCC emphasizes that this only applies to “legal” network traffic. But since ISPs are not courts, they are not in a position to determine whether something is “legal”. This means that ISPs have two options. ISPs can assume everything is legal, leading to my previous arguments that this ruling will lead to more botnets, more network attacks, and more spam. The alternative is that ISPs can make a judgment call, which gives them the option to ignore this ruling if the ISP can justify it as a common practice.
  • Pages 11 and 100: The FCC says no blocking, no throttling, and no prioritization for primary business purposes. However, the FCC leaves the door open for secondary business purposes.
  • Page 11: The FCC first says no blocking and no throttling but then permits “reasonable network management”. In effect, ISPs can continue to impede and censor network traffic as long as it is considered reasonable. Moreover, the FCC provides no basis for determining if it is reasonable.
  • Page 11, paragraph 35: The whole “no blocking/throttling/prioritization” requirements do not apply to services that do not go over the Internet. But the Internet is a fuzzy gray line… Where does “the Internet” begin? If Comcast has a peering agreement with Verizon, then the peering agreement reduces traffic passed over the cloud. Since it doesn’t go “over the Internet”, is it exempt? The big ISPs have hundreds of peering agreements, so lots of traffic can become exempt.

    Similarly, traffic between the consumer and the ISP is not “over the Internet”, so the ISP could block/throttle/prioritize over the last mile connection.

In effect, the FCC first says what broadband providers cannot do, and then leaves a huge enforcement gap that permits them to continue doing it.

Best Left Unsaid

There are four main issues regarding net neutrality. However, this FCC ruling only addresses three of them. There’s an entire issue that the FCC failed to address! The key issues are:

  1. Blocking. The FCC says “no blocking”.
  2. Throttling. The FCC says “no throttling”.
  3. Paid prioritization. The FCC says “no paid prioritization”.
  4. Interception. The FCC says nothing about this.

You know when you type the wrong domain name into the browser’s address bar? Sometimes it says “server not found”. But with some ISPs, you see a page that says “this domain is for sale!” and shows you a list of ads. The ISP is not “blocking” any sites since the sites do not exist. Instead, they are hijacking the “not found” error and redirecting users to their own pages. Sadly, this type of error hijacking is very common. Comcast does it. Verizon does it. Sprint, T-Mobile, and many other ISPs all intercept DNS traffic.

This type of DNS hijacking/interception is not addressed by the FCC’s ruling, so it is still permitted.
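The NXDOMAIN rewriting described above is easy to test for yourself. The following Python probe is an added example (it is not code from the Hacker Factor post): it builds an A query for a label that cannot exist, parses the raw DNS reply, and reports whether the resolver answered honestly with RCODE 3 (NXDOMAIN) or with NOERROR plus an A record, which is the signature of a resolver redirecting lookup failures to its own ad or search server. The probe name, transaction ID and the 198.51.100.7 address in the sample replies are constructed values; `probe_resolver` is an optional live check over UDP that is not run when the file is loaded.

```python
"""Detect ISP-style NXDOMAIN rewriting from raw DNS responses (added example)."""
import secrets
import socket
import struct

A_RECORD, IN_CLASS = 1, 1
RCODE_NOERROR, RCODE_NXDOMAIN = 0, 3

def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels, terminated by a 0 byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def build_query(name, txid):
    """Standard recursive A query: header (RD=1, QDCOUNT=1) followed by one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", A_RECORD, IN_CLASS)

def random_probe_name(tld="com"):
    """A 16-letter label that cannot legitimately exist, under a real TLD."""
    label = "".join(secrets.choice("abcdefghijklmnopqrstuvwxyz") for _ in range(16))
    return f"{label}.{tld}"

def read_name(msg, offset):
    """Decode a possibly compressed name; return (name, offset just after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:            # compression pointer (RFC 1035 4.1.4)
            if end is None:
                end = offset + 2             # the name ends after the first pointer
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end if end is not None else offset

def parse_response(msg):
    """Return id, rcode, questions and answers; A rdata is rendered as a dotted quad."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    offset, questions, answers = 12, [], []
    for _ in range(qd):
        name, offset = read_name(msg, offset)
        qtype, _qclass = struct.unpack("!HH", msg[offset:offset + 4])
        offset += 4
        questions.append((name, qtype))
    for _ in range(an):
        name, offset = read_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == A_RECORD and rdlen == 4:
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, ttl, rdata))
    return {"id": txid, "rcode": flags & 0x000F, "questions": questions, "answers": answers}

def classify_probe(response, expected_txid):
    """'honest-nxdomain', 'hijacked' (NOERROR + A record for a bogus name), or 'other'."""
    r = parse_response(response)
    if r["id"] != expected_txid:
        return "mismatched-id"               # not a reply to our query; ignore it
    if r["rcode"] == RCODE_NXDOMAIN:
        return "honest-nxdomain"
    if r["rcode"] == RCODE_NOERROR and any(t == A_RECORD for _, t, _, _ in r["answers"]):
        return "hijacked"
    return "other"

def build_response(query, rcode, a_records=()):
    """Constructed resolver reply for offline testing: echoes the question and adds
    A records whose owner name is a compression pointer (0xC00C) to offset 12."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, len(a_records), 0, 0)
    rrs = b"".join(b"\xC0\x0C" + struct.pack("!HHIH", A_RECORD, IN_CLASS, 60, 4)
                   + bytes(int(x) for x in ip.split(".")) for ip in a_records)
    return header + query[12:] + rrs

def probe_resolver(resolver_ip, tld="com", timeout=3.0):
    """Live check (not run at import): one bogus query over UDP/53, then classify."""
    txid = secrets.randbelow(0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(random_probe_name(tld), txid), (resolver_ip, 53))
        return classify_probe(s.recvfrom(4096)[0], txid)

# Constructed samples: the same bogus query answered honestly and by a rewriting resolver.
PROBE_NAME, PROBE_ID = "zq7xk3vw9pm2fj4t.com", 0x1234
PROBE_QUERY = build_query(PROBE_NAME, PROBE_ID)
HONEST_REPLY = build_response(PROBE_QUERY, RCODE_NXDOMAIN)
HIJACKED_REPLY = build_response(PROBE_QUERY, RCODE_NOERROR, ["198.51.100.7"])  # RFC 5737 address

if __name__ == "__main__":
    print("honest resolver   :", classify_probe(HONEST_REPLY, PROBE_ID))
    print("rewriting resolver:", classify_probe(HIJACKED_REPLY, PROBE_ID))
```

Two caveats when running `probe_resolver` against a real resolver: pick a TLD that does not itself wildcard nonexistent names, and repeat with several random labels, because a single NOERROR answer can also come from a search-domain suffix being appended by the local stub resolver. Comparing the verdict with a resolver you trust on the same probe names separates ISP rewriting from those local effects.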

Do we still celebrate if nothing changes?

The new FCC requirements for broadband providers were made public on 12-Mar-2015. However, the rules do not take effect until 60 days after they are published in the Federal Register. (And they have not been published in the Federal Register yet, so the 60-day clock hasn’t even started.) Already a few lawsuits have been filed. The claims by US Telecom (representing AT&T and Verizon) and Alamo Broadband Inc. (representing themselves) are focused on the reclassification as a utility and not the blocking, throttling, and prioritization issues.

I find it ironic that Jon Banks, US Telecom’s senior vice president, is quoted by the LA Times as saying, “As our industry has said many times, we do not block or throttle traffic and FCC rules prohibiting blocking or throttling will not be the focus of our appeal”. It is as if Banks does not remember the whole Comcast/Verizon/AT&T throttling Netflix issue that drove this FCC decision. (Is Jon Banks senile, ignorant, or intentionally misrepresenting recent history?)

In any case, the challenges are currently focused on the reclassification as a utility. This is because this part of the FCC ruling has serious implications with regards to how ISPs operate. Nobody is challenging the blocking, throttling, or prioritization issues yet — I assume that is because the FCC regulations are so weak as to be meaningless.

In effect, I think that the FCC released something that, on the surface, seems to pacify consumers. However, outside of the reclassification as a utility, it actually has virtually no impact. The new rules place restrictions on blocking, throttling, and prioritization, but then undermine any enforcement options. Moreover, the 400-page report details how ISPs should argue in court in order to have the new regulations struck down.

Schneier on Security: Reforming the FISA Court

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

The Brennan Center has a long report on what’s wrong with the FISA Court and how to fix it.

At the time of its creation, many lawmakers saw constitutional problems in a court that operated in total secrecy and outside the normal “adversarial” process…. But the majority of Congress was reassured by similarities between FISA Court proceedings and the hearings that take place when the government seeks a search warrant in a criminal investigation. Moreover, the rules governing who could be targeted for “foreign intelligence” purposes were narrow enough to mitigate concerns that the FISA Court process might be used to suppress political dissent in the U.S. — or to avoid the stricter standards that apply in domestic criminal cases.

In the years since then, however, changes in technology and the law have altered the constitutional calculus. Technological advances have revolutionized communications. People are communicating at a scale unimaginable just a few years ago. International phone calls, once difficult and expensive, are now as simple as flipping a light switch, and the Internet provides countless additional means of international communication. Globalization makes such exchanges as necessary as they are easy. As a result of these changes, the amount of information about Americans that the NSA intercepts, even when targeting foreigners overseas, has exploded.

Instead of increasing safeguards for Americans’ privacy as technology advances, the law has evolved in the opposite direction since 9/11…. While surveillance involving Americans previously required individualized court orders, it now happens through massive collection programs…involving no case-by-case judicial review. The pool of permissible targets is no longer limited to foreign powers — such as foreign governments or terrorist groups — and their agents. Furthermore, the government may invoke the FISA Court process even if its primary purpose is to gather evidence for a domestic criminal prosecution rather than to thwart foreign threats.

…[T]hese developments…have had a profound effect on the role exercised by the FISA Court. They have caused the court to veer off course, departing from its traditional role of ensuring that the government has sufficient cause to intercept communications or obtain records in particular cases and instead authorizing broad surveillance programs. It is questionable whether the court’s new role comports with Article III of the Constitution, which mandates that courts must adjudicate concrete disputes rather than issuing advisory opinions on abstract questions. The constitutional infirmity is compounded by the fact that the court generally hears only from the government, while the people whose communications are intercepted have no meaningful opportunity to challenge the surveillance, even after the fact.

Moreover, under current law, the FISA Court does not provide the check on executive action that the Fourth Amendment demands. Interception of communications generally requires the government to obtain a warrant based on probable cause of criminal activity. Although some courts have held that a traditional warrant is not needed to collect foreign intelligence, they have imposed strict limits on the scope of such surveillance and have emphasized the importance of close judicial scrutiny in policing these limits. The FISA Court’s minimal involvement in overseeing programmatic surveillance does not meet these constitutional standards.

[…]

Fundamental changes are needed to fix these flaws. Congress should end programmatic surveillance and require the government to obtain judicial approval whenever it seeks to obtain communications or information involving Americans. It should shore up the Article III soundness of the FISA Court by ensuring that the interests of those affected by surveillance are represented in court proceedings, increasing transparency, and facilitating the ability of affected individuals to challenge surveillance programs in regular federal courts. Finally, Congress should address additional Fourth Amendment concerns by narrowing the permissible scope of “foreign intelligence surveillance” and ensuring that it cannot be used as an end-run around the constitutional standards for criminal investigations.

Just Security post — where I copied the above excerpt. Lawfare post.

TorrentFreak: Guide: How File-Sharers Can Ruin Their Online Privacy

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

Every single day one can hear do-gooders banging on endlessly about staying private on the Internet. It’s all encryption this and Edward Snowden that. Ignore them. They’re lunatics involved in a joint Illuminati / Scientologist conspiracy.

No, what Internet users need is a more care-free approach to online surveillance, one that allows them to relax into a zen-like state of blissful ignorance, free from the “Five Eyes” rantings of Kim Dotcom.

And there are plenty of real people already following this advice. Real events reported here on TF (and investigated by us over the past few months) have shown us that while operating in the world of file-sharing (especially if that involves releasing content or running a tracker) it is absolutely vital to lay down an easily followed trail of information. Here are some golden rules for doing just that.

Naming convention

If at all possible, file-sharers should incorporate their real-life names into their online nickname. Dave Mark Robinson should become DaveR at a minimum, but for greater effect DaveMR should be used. As adding in a date of birth allows significant narrowing down of identities, DaveMR1982 would be a near perfect choice.

This secret codename can then be used on any torrent site, but for best effect it should be used across multiple trackers at once so the user is more easily identified. But let’s not think too narrowly here.

As an added bonus, Dave should also ensure that the same nickname is used on sites that have absolutely nothing to do with his file-sharing. eBay profiles and YouTube accounts are perfect candidates, with the latter carrying some personally identifying videos, if at all possible. That said, Dave would be selling himself short if he didn’t also use the same names on…

Social media

If Dave doesn’t have an active Facebook account which is easily linked to his file-sharing accounts, he is really missing out. Twitter is particularly useful when choosing the naming convention highlighted above since nicknames can often be cross-referenced with real names on Facebook, especially given the effort made in the previous section.

In addition to all the regular personal and family information readily input by people like Dave, file-sharing Facebook users really need to make sure they put up clear pictures of themselves and then ‘like’ content most closely related to the stuff they’re uploading. ‘Liking’ file-sharing related tools such as uTorrent is always recommended.

File-sharing sites

When DaveMR1982 signs up to (or even starts to run) a torrent site it’s really important that he uses an easy to remember password, ideally one used on several other sites. This could be a pet’s name, for example, but only if that pet gets a prominent mention on Facebook. Remember: make it easy for people, it saves so much time!

Dave’s participation in site forums is a must too. Ideally he will speak a lot about where he lives and his close family, as with the right care these can be easily cross-referenced with the information he previously input into Facebook. Interests and hobbies are always great topics for public discussion as these can be matched against items for sale on eBay, complete with item locations for added ease.

Also, Dave should never use a VPN if he wants his privacy shattered, with the no-log type a particular no-go. In the event he decides to use a seedbox he should pay for it himself using his own PayPal account, but only if that’s linked to his home address and personal bank account. Remember, bonus points for using the same nickname as earlier when signing up at the seedbox company!

Make friends and then turn them into enemies

Great friendships can be built on file-sharing sites but in order to maximize the risks of a major privacy invasion, personal information must be given freely to these almost complete strangers whenever possible.

In an ideal world, trusting relationships should be fostered with online ‘friends’ and then allowed to deteriorate into chaos amid a petty squabble, something often referred to in the torrent scene as a “tracker drama”. With any luck these people will discard friendships in an instant and spill the beans on a whim.

Domain registration

Under no circumstances should Dave register his domains with a protected WHOIS, as although these privacy services can be circumvented, they do offer some level of protection. Instead (and to comply with the registrar’s accuracy requirements) Dave should include his real home address and telephone number so he is easily identified.

If for some crazy reason that isn’t possible and Dave is forced to WHOIS-protect his domain, having other non-filesharing sites on the same server as his file-sharing site is always good for laying down breadcrumbs for the anti-privacy police. If the domains of those other sites don’t have a protected WHOIS, so much the better. Remember, make sure the address matches the home location mentioned on Facebook and the items for sale on eBay!
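The co-hosting pivot described above, as an added example that is not part of the original TorrentFreak post: start from a WHOIS-protected domain, find the other domains resolving to the same address, and pull the registrant details from any of them that are not protected. All domains, addresses, names and e-mail addresses below are constructed for illustration; a real investigation would replace the two dictionaries with live DNS and WHOIS lookups (or passive DNS data). The handle match at the end is the corroboration the article keeps returning to, because on commodity shared hosting a single IP carries many unrelated sites and co-hosting alone proves little.

```python
from collections import defaultdict

# Constructed DNS A records (hypothetical domains and documentation-range IPs).
DNS_A = {
    "tracker.example": "198.51.100.7",
    "daves-guitars.example": "198.51.100.7",
    "cousins-wedding.example": "198.51.100.7",
    "unrelated.example": "203.0.113.9",
}

# Constructed WHOIS records. "protected" means a privacy service has replaced
# the registrant's own contact details with the proxy's; none of these are real.
WHOIS = {
    "tracker.example": {
        "registrant": "REDACTED FOR PRIVACY",
        "email": "contact@whois-proxy.example",
        "protected": True,
    },
    "daves-guitars.example": {
        "registrant": "D. Roberts",
        "email": "davemr1982@mail.example",
        "protected": False,
    },
    "cousins-wedding.example": {
        "registrant": "REDACTED FOR PRIVACY",
        "email": "contact@whois-proxy.example",
        "protected": True,
    },
    "unrelated.example": {
        "registrant": "Acme Hosting Ltd",
        "email": "noc@unrelated.example",
        "protected": False,
    },
}


def domains_by_ip(dns):
    """Invert the A-record map: IP address -> set of domains resolving to it."""
    index = defaultdict(set)
    for domain, ip in dns.items():
        index[ip].add(domain)
    return index


def cohosted_leads(target, dns, whois):
    """Return (domain, registrant, email) for every domain that shares the
    target's IP address and whose WHOIS record is not privacy-protected."""
    ip = dns[target]
    neighbours = domains_by_ip(dns)[ip] - {target}
    leads = []
    for domain in sorted(neighbours):
        record = whois.get(domain)
        if record and not record["protected"]:
            leads.append((domain, record["registrant"], record["email"]))
    return leads


def leads_matching_handle(leads, handle):
    """Keep only leads whose registrant e-mail reuses the given nickname.
    This is the cross-site handle reuse the article describes; it turns a
    weak co-hosting hint into a concrete link to one person."""
    needle = handle.lower()
    return [lead for lead in leads if needle in lead[2].split("@", 1)[0].lower()]


if __name__ == "__main__":
    leads = cohosted_leads("tracker.example", DNS_A, WHOIS)
    print("co-hosted, unprotected WHOIS:", leads)
    print("reusing the tracker nickname:", leads_matching_handle(leads, "DaveMR1982"))
```

The protected wedding site on the same address contributes nothing, which is the point of the article's advice: WHOIS privacy on every co-hosted domain, or a host shared with nobody Dave knows, leaves the pivot with no unprotected record to read.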

Conclusion

As the above shows, with practice it’s easy to completely compromise one’s privacy, whether participating in the file-sharing space or elsewhere. In the above guide we’ve simply cited some genuine real-life techniques used by people reported in previous TF articles published during the last year, but if you have better ideas for ruining privacy online, please feel free to add them in the comments.

Source: TorrentFreak, for the latest info on copyright, file-sharing, torrent sites and anonymous VPN services.