Posts tagged ‘Privacy’

Schneier on Security: Survey of Americans’ Privacy Habits Post-Snowden

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

Pew Research has a new survey on Americans’ privacy habits in a post-Snowden world.

The 87% of those who had heard at least something about the programs were asked follow-up questions about their own behaviors and privacy strategies:

34% of those who are aware of the surveillance programs (30% of all adults) have taken at least one step to hide or shield their information from the government. For instance, 17% changed their privacy settings on social media; 15% use social media less often; 15% have avoided certain apps and 13% have uninstalled apps; 14% say they speak more in person instead of communicating online or on the phone; and 13% have avoided using certain terms in online communications.

[…]

25% of those who are aware of the surveillance programs (22% of all adults) say they have changed the patterns of their own use of various technological platforms “a great deal” or “somewhat” since the Snowden revelations. For instance, 18% say they have changed the way they use email “a great deal” or “somewhat”; 17% have changed the way they use search engines; 15% say they have changed the way they use social media sites such as Twitter and Facebook; and 15% have changed the way they use their cell phones.

Also interesting are the people who have not changed their behavior because they’re afraid that it would lead to more surveillance. From pages 22-23 of the report:

Still, others said they avoid taking more advanced privacy measures because they believe that taking such measures could make them appear suspicious:

“There’s no point in inviting scrutiny if it’s not necessary.”

“I didn’t significantly change anything. It’s more like trying to avoid anything questionable, so as not to be scrutinized unnecessarily.

“[I] don’t want them misunderstanding something and investigating me.”

There’s also data about how Americans feel about government surveillance:

This survey asked the 87% of respondents who had heard about the surveillance programs: “As you have watched the developments in news stories about government monitoring programs over recent months, would you say that you have become more confident or less confident that the programs are serving the public interest?” Some 61% of them say they have become less confident the surveillance efforts are serving the public interest after they have watched news and other developments in recent months and 37% say they have become more confident the programs serve the public interest. Republicans and those leaning Republican are more likely than Democrats and those leaning Democratic to say they are losing confidence (70% vs. 55%).

Moreover, there is a striking divide among citizens over whether the courts are doing a good job balancing the needs of law enforcement and intelligence agencies with citizens’ right to privacy: 48% say courts and judges are balancing those interests, while 49% say they are not.

At the same time, the public generally believes it is acceptable for the government to monitor many others, including foreign citizens, foreign leaders, and American leaders:

  • 82% say it is acceptable to monitor communications of suspected terrorists
  • 60% believe it is acceptable to monitor the communications of American leaders.
  • 60% think it is okay to monitor the communications of foreign leaders
  • 54% say it is acceptable to monitor communications from foreign citizens

Yet, 57% say it is unacceptable for the government to monitor the communications of U.S. citizens. At the same time, majorities support monitoring of those particular individuals who use words like “explosives” and “automatic weapons” in their search engine queries (65% say that) and those who visit anti-American websites (67% say that).

[…]

Overall, 52% describe themselves as “very concerned” or “somewhat concerned” about government surveillance of Americans’ data and electronic communications, compared with 46% who describe themselves as “not very concerned” or “not at all concerned” about the surveillance.

It’s worth reading these results in detail. Overall, these numbers are consistent with a worldwide survey from December. The press is spinning this as “Most Americans’ behavior unchanged after Snowden revelations, study finds,” but I see something very different. I see a sizable percentage of Americans not only concerned about government surveillance, but actively doing something about it. “Third of Americans shield data from government.” Edward Snowden’s goal was to start a national dialog about government surveillance, and these surveys show that he has succeeded in doing exactly that.

More news.

TorrentFreak: UK IP Chief Wants ISPs to Police Piracy Proactively

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

uk-flagMike Weatherley, a Conservative MP and Intellectual Property Adviser to UK Prime Minister David Cameron, has pushed various copyright related topics onto the political agenda since early last year.

Previously Weatherley suggested that search engines should blacklist pirate sites, kids should be educated on copyright ethics, and that persistent file-sharers should be thrown in jail.

In his latest proposal the UK MP targets information society service providers (ISSPs) including ISPs, who he believes could do more to fight piracy. The just-released 18-page report stresses that these companies have a moral obligation to tackle copyright infringement and can’t stand idly by.

The report (pdf) draws on input from various pro-copyright groups including the MPAA, BPI, and the Music Publishers Association. It offers various recommendations for the UK Government and the EU Commission to strengthen their anti-piracy policies.

One of the key points is to motivate Internet services and providers to filter content proactively. According to the report it’s feasible to “filter out infringing content” and to detect online piracy before it spreads.

The UK Government should review these systems and see what it can do to facilitate cooperation between copyright holders and Internet service providers.

“There should be an urgent review, by the UK Government, of the various applications and processes that could deliver a robust automated checking process regarding illegal activity being transmitted,” Weatherley advises.

In a related effort, Weatherley notes that Internet services should not just remove the content they’re asked to, but also police their systems to ensure that similar files are removed, permanently.

“ISSPs to be more proactive in taking down multiple copies of infringing works, not just the specific case they are notified of,” he recommends.

“This would mean ISSPs actively taking down multiple copies of the same work which are hosted on its services, not just the individual copy which is subject to the complaint. The MPA believe this principle could be extended further still to ensure that all copies of the infringing work are not just taken down…,” Weatherley explains.

This type of filtering is already used by YouTube, which takes down content based on fingerprint matches. However, the report suggests that regular broadband providers could also filter infringing content.

Concluding, Weatherley admits that it’s all too easy to simply demand that ISPs take the role of policemen, but at the same time he stresses that they have a “moral responsibility” to do more.

The UK MP presents an analogy of a landlord whose property is used for illegal activities. The landlord cannot be held liable for these activities, but he may have to take action if a third-party reports it.

“If the landlord is told that the garage is being used for illegal activity, and that this information is from a totally reliable source, then does the landlord have a moral obligation to report it?”

“I would argue that it is the duty of every citizen or company to do what they can to stop illegal activity and therefore the answer is, yes, the landlord should report the activity,” Weatherley notes.

Weatherley also believes that protecting the rights of copyright holders has priority over a “no monitoring” principle that would ensure users’ privacy. That is, if the monitoring is done right.

“There is also the question as to whether society will want to have their private activities monitored (even if automatically and entirely confidentially) and whether the trade off to a safer, fairer internet is a price worth paying to clamp down on internet illegal activity. My ‘vote’ would be “yes” if via an independent body …”

Overall, the recommendations will be welcomed by the industry groups who provided input. The report is not expected to translate directly into legislation, but they will be carefully weighed by the UK Government and the EU Commission when taking future decisions.

Source: TorrentFreak, for the latest info on copyright, file-sharing, torrent sites and anonymous VPN services.

Krebs on Security: Sign Up at irs.gov Before Crooks Do It For You

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

If you’re an American and haven’t yet created an account at irs.gov, you may want to take care of that before tax fraudsters create an account in your name and steal your personal and tax data in the process.

Screenshot 2015-03-29 14.22.55Recently, KrebsOnSecurity heard from Michael Kasper, a 35-year-old reader who tried to obtain a copy of his most recent tax transcript with the Internal Revenue Service (IRS). Kasper said he sought the transcript after trying to file his taxes through the desktop version of TurboTax, and being informed by TurboTax that the IRS had rejected the request because his return had already been filed.

Kasper said he phoned the IRS’s identity theft hotline (800-908-4490) and was told a direct deposit was being made that very same day for his tax refund — a request made with his Social Security number and address but to be deposited into a bank account that he didn’t recognize.

“Since I was alerting them that this transaction was fraudulent, their privacy rules prevented them from telling me any more information, such as the routing number and account number of that deposit,” Kasper said. “They basically admitted this was to protect the privacy of the criminal, not because they were going to investigate right away. In fact, they were very clear that the matter would not be investigated further until a fraud affidavit and accompanying documentation were processed by mail.”

In the following weeks, Kasper contacted the IRS, who told him they had no new information on his case. When he tried to get a transcript of the fraudulent return using the “Get Transcript” function on IRS.gov, he learned that someone had already registered through the IRS’s site using his Social Security number and an unknown email address.

“When I called the IRS to fix this, and spent another hour on hold, they explained they could not tell me what the email address was due to privacy regulations,” Kasper recalled. “They also said they could not change the email address, all they could do was ban access to eServices for my account, which they did. It was something at least.”

FORM 4506

Undeterred, Kasper researched further and discovered that he could still obtain a copy of the fraudulent return by filling out the IRS Form 4506 (PDF) and paying a $50 processing fee. Several days later, the IRS mailed Kasper a photocopy of the fraudulent return filed in his name — complete with the bank name and account number that received the $8,936 phony refund filed in his name.

“That’s right, $50 just for the right to see my own return,” Kasper said. “And once again the right hand does not know what the left hand is doing, because it cost me just $50 to get them to ignore their own privacy rules. The most interesting thing about this strange rule is that the IRS also refuses to look at the account data itself until it is fully investigated. Banks are required by law to report suspicious refund deposits, but the IRS does not even bother to contact banks to let them know a refund deposit was reported fraudulent, at least in the case of individual taxpayers who call, confirm their identity and report it, just like I did.”

Kasper said the transcript indicates the fraudsters filed his refund request using the IRS web site’s own free e-file website for those with incomes over $60,000. It also showed the routing number for First National Bank of Pennsylvania and the checking account number of the individual who got the deposit plus the date that they filed: January 31, 2015.

The transcript suggests that the fraudsters who claimed his refund had done so by copying all of the data from his previous year’s W2, and by increasing the previous year’s amounts slightly. Kasper said he can’t prove it, but he believes the scammers obtained that W2 data directly from the IRS itself, after creating an account at the IRS portal in his name (but using a different email address) and requesting his transcript.

“The person who submitted it somehow accessed my tax return from the previous year 2013 in order to list my employer and salary from that year, 2013, then use it on the 2014 return, instead,” Kasper said. “In addition, they also submitted a corrected W-2 that increased the withholding amount by exactly $6,000 to increase their total refund due to $8,936.”

MONEY MULING

On Wednesday, March 18, 2015, Kasper contacted First National Bank of Pennsylvania whose routing number was listed in the phony tax refund request, and reached their head of account security. That person confirmed a direct deposit by the IRS for $8,936.00 was made on February 9, 2015 into an individual checking account specifying Kasper’s full name and SSN in the metadata with the deposit.

“She told me that she could also see transactions were made at one or more branches in the city of Williamsport, PA to disburse or withdraw those funds and that several purchases were made by debit card in the city of Williamsport as well, so that at this point a substantial portion of the funds were gone,” Kasper said. “She further told me that no one from the IRS had contacted her bank to raise any questions about this account, despite my fraud report filed February 9, 2015.”

The head of account security at the bank stated that she would be glad to cooperate with the Williamsport Police if they provided the required legal request to allow her to release the name, address, and account details. The bank officer offered Kasper her office phone number and cell phone to share with the cops. The First National employee also mentioned that the suspect lived in the city of Williamsport, PA, and that this individual seemed to still be using the account.

Kasper said the local police in his New York hometown hadn’t bothered to respond to his request for assistance, but that the lieutenant at the Williamsport police department who heard his story took pity on him and asked him to write an email about the incident to his captain, which Kasper said he sent later that morning.

Just two hours later, he received a call from an investigator who had been assigned to the case. The detective then interviewed the individual who held the account the same day and told Kasper that the bank’s fraud department was investigating and had asked the person to return the cash.

“My tax refund fraud case had gone from stuck in the mud to an open case, almost overnight,” Kasper sad. “Or at least it seemed to be that simple. It turned out to be much more complex.”

For starters, the woman who owned the bank account that received his phony refund — a student at a local Pennsylvania university — said she got the transfer after responding to a Craigslist ad for a moneymaking opportunity.

Kasper said the detective learned that money was deposited into her account, and that she sent the money out to locations in Nigeria via Western Union wire transfer, keeping some as a profit, and apparently never suspecting that she might be doing something illegal.

“She has so far provided a significant amount of information, and I’m inclined to believe her story,” Kasper said. “Who would be crazy enough to deposit a fraudulent tax refund in their own checking account, as opposed to an untraceable debit card they could get at a convenience store. At the same time, wouldn’t somebody who could pull this off also have an explanation like this ready?”

The woman in question, whose name is being withheld from this story, declined multiple requests to speak with KrebsOnSecurity, threatening to file harassment claims if I didn’t stop trying to contact her. Nevertheless, she appears to have been an unwitting — if not unwilling — money mule in a scam that seeks to recruit the unwary for moneymaking schemes.

ANALYSIS

The IRS’s process for verifying people requesting transcripts is vulnerable to exploitation by fraudsters because it relies on static identifiers and so-called “knowledge-based authentication” (KBA)  — i.e., challenge questions that can be easily defeated with information widely available for sale in the cybercrime underground and/or with a small amount of searching online.

To obtain a copy of your most recent tax transcript, the IRS requires the following information: The applicant’s name, date of birth, Social Security number and filing status. After that data is successfully supplied, the IRS uses a service from credit bureau Equifax that asks four KBA questions. Anyone who succeeds in supplying the correct answers can see the applicant’s full tax transcript, including prior W2s, current W2s and more or less everything one would need to fraudulently file for a tax refund.

The KBA questions — which involve multiple choice, “out of wallet” questions such as previous address, loan amounts and dates — can be successfully enumerated with random guessing. But in practice it is far easier, said Nicholas Weaver, a researcher at the International Computer Science Institute (ICSI) and at the University of California, Berkeley.

“I did it twice, and the first time it was related to my current address, one old address question, and one ‘which credit card did you get’ question,” Weaver said. “The second time it was two questions related to my current address, and two related to a car loan I paid off in 2007.”

The second time round, Weaver said a few minutes on Zillow.com gave him all the answers he needed for the KBA questions. Spokeo solved the “old address” questions for him with 100% accuracy.

“Zillow with my address answered all four of them, if you just assume ‘moved when I bought the house’,” he said. “In fact, I NEEDED to use Zillow the second time around, because damned if I remember when my house was built.  So with Zillow and Spokeo data, it isn’t even 1 in 256, it’s 1 in 4 the first time around and 1 in 16 the second, and you don’t need to guess blind either with a bit more Google searching.”

If any readers here doubt how easy it is to buy personal data on just about anyone, check out the story I wrote in December 2014, wherein I was able to find the name, address, Social Security number, previous address and phone number on all current members of the U.S. Senate Commerce Committee. This information is no longer secret (nor are the answers to KBA-based questions), and we are all made vulnerable to identity theft as long as institutions continue to rely on static information as authenticators. See my recent story on Apple Pay for another reminder of this fact.

Unfortunately, the IRS is not the only government agency whose reliance on static identifiers actually makes them complicit in facilitating identity theft against Americans. The same process described to obtain a tax transcript at irs.gov works to obtain a free credit report from annualcreditreport.com, a Web site mandated by Congress. In addition, Americans who have not already created an account at the Social Security Administration under their Social Security number are vulnerable to crooks hijacking SSA benefits now or in the future. For more on how crooks are siphoning Social Security benefits via government sites, check out this story.

Kasper said he’s grateful for the police report he was able to obtain from the the Pennsylvania authorities because it allows him to get a freeze on his credit file without paying the customary $5 fee in New York to place and thaw a freeze.

Credit freezes prevent would-be creditors from approving new lines of credit in your name — and indeed from even being able to view or “pull” your credit file — but a freeze will not necessarily block fraudsters from filing phony tax returns in your name.

Unless, of course, the scammers in question are counting on obtaining your tax transcripts through the IRS’s own Web site. According to the IRS, people with a credit freeze on their file must lift the freeze (with Experian, at least) before the agency is able to continue with the KBA questions as part of its verification process.

Schneier on Security: Reforming the FISA Court

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

The Brennan Center has a long report on what’s wrong with the FISA Court and how to fix it.

At the time of its creation, many lawmakers saw constitutional problems in a court that operated in total secrecy and outside the normal “adversarial” process…. But the majority of Congress was reassured by similarities between FISA Court proceedings and the hearings that take place when the government seeks a search warrant in a criminal investigation. Moreover, the rules governing who could be targeted for “foreign intelligence” purposes were narrow enough to mitigate concerns that the FISA Court process might be used to suppress political dissent in the U.S. — or to avoid the stricter standards that apply in domestic criminal cases.

In the years since then, however, changes in technology and the law have altered the constitutional calculus. Technological advances have revolutionized communications. People are communicating at a scale unimaginable just a few years ago. International phone calls, once difficult and expensive, are now as simple as flipping a light switch, and the Internet provides countless additional means of international communication. Globalization makes such exchanges as necessary as they are easy. As a result of these changes, the amount of information about Americans that the NSA intercepts, even when targeting foreigners overseas, has exploded.

Instead of increasing safeguards for Americans’ privacy as technology advances, the law has evolved in the opposite direction since 9/11…. While surveillance involving Americans previously required individualized court orders, it now happens through massive collection programs…involving no case-by-case judicial review. The pool of permissible targets is no longer limited to foreign powers — such as foreign governments or terrorist groups — and their agents. Furthermore, the government may invoke the FISA Court process even if its primary purpose is to gather evidence for a domestic criminal prosecution rather than to thwart foreign threats.

…[T]hese developments…have had a profound effect on the role exercised by the FISA Court. They have caused the court to veer off course, departing from its traditional role of ensuring that the government has sufficient cause to intercept communications or obtain records in particular cases and instead authorizing broad surveillance programs. It is questionable whether the court’s new role comports with Article III of the Constitution, which mandates that courts must adjudicate concrete disputes rather than issuing advisory opinions on abstract questions. The constitutional infirmity is compounded by the fact that the court generally hears only from the government, while the people whose communications are intercepted have no meaningful opportunity to challenge the surveillance, even after the fact.

Moreover, under current law, the FISA Court does not provide the check on executive action that the Fourth Amendment demands. Interception of communications generally requires the government to obtain a warrant based on probable cause of criminal activity. Although some courts have held that a traditional warrant is not needed to collect foreign intelligence, they have imposed strict limits on the scope of such surveillance and have emphasized the importance of close judicial scrutiny in policing these limits. The FISA Court’s minimal involvement in overseeing programmatic surveillance does not meet these constitutional standards.

[…]

Fundamental changes are needed to fix these flaws. Congress should end programmatic surveillance and require the government to obtain judicial approval whenever it seeks to obtain communications or information involving Americans. It should shore up the Article III soundness of the FISA Court by ensuring that the interests of those affected by surveillance are represented in court proceedings, increasing transparency, and facilitating the ability of affected individuals to challenge surveillance programs in regular federal courts. Finally, Congress should address additional Fourth Amendment concerns by narrowing the permissible scope of “foreign intelligence surveillance” and ensuring that it cannot be used as an end-run around the constitutional standards for criminal investigations.

Just Security post — where I copied the above excerpt. Lawfare post.

TorrentFreak: Guide: How File-Sharers Can Ruin Their Online Privacy

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

unmaskedEvery single day one can hear do-gooders banging on endlessly about staying private on the Internet. It’s all encryption this and Edward Snowden that. Ignore them. They’re lunatics involved in a joint Illuminati / Scientologist conspiracy.

No, what Internet users need is a more care-free approach to online surveillance, one that allows them to relax into a zen-like state of blissful ignorance, free from the “Five Eyes” rantings of Kim Dotcom.

And there are plenty of real people already following this advice. Real events reported here on TF (and investigated by us over the past few months) have shown us that while operating in the world of file-sharing (especially if that involves releasing content or running a tracker) it is absolutely vital to lay down an easily followed trail of information. Here are some golden rules for doing just that.

Naming convention

If at all possible, file-sharers should incorporate their real-life names into their online nickname. Dave Mark Robinson should become DaveR at a minimum, but for greater effect DaveMR should be used. As adding in a date of birth allows significant narrowing down of identities, DaveMR1982 would be a near perfect choice.

This secret codename can then be used on any torrent site, but for best effect it should be used across multiple trackers at once so the user is more easily identified. But let’s not think too narrowly here.

As an added bonus, Dave should also ensure that the same nickname is used on sites that have absolutely nothing to do with his file-sharing. EBay profiles and YouTube accounts are perfect candidates, with the latter carrying some personally identifying videos, if at all possible. That said, Dave would be selling himself short if he didn’t also use the same names on…..

Social media

If Dave doesn’t have an active Facebook account which is easily linked to his file-sharing accounts, he is really missing out. Twitter is particularly useful when choosing the naming convention highlighted above since nicknames can often be cross-referenced with real names on Facebook, especially given the effort made in the previous section.

In addition to all the regular personal and family information readily input by people like Dave, file-sharing Facebook users really need to make sure they put up clear pictures of themselves and then ‘like’ content most closely related to the stuff they’re uploading. ‘Liking’ file-sharing related tools such as uTorrent is always recommended.

File-sharing sites

When DaveMR1982 signs up to (or even starts to run) a torrent site it’s really important that he uses an easy to remember password, ideally one used on several other sites. This could be a pet’s name, for example, but only if that pet gets a prominent mention on Facebook. Remember: make it easy for people, it saves so much time!

Dave’s participation in site forums is a must too. Ideally he will speak a lot about where he lives and his close family, as with the right care these can be easily cross-referenced with the information he previously input into Facebook. Interests and hobbies are always great topics for public discussion as these can be matched against items for sale on eBay, complete with item locations for added ease.

Also, Dave should never use a VPN if he wants his privacy shattered, with the no-log type a particular no-go. In the event he decides to use a seedbox he should pay for it himself using his own PayPal account, but only if that’s linked to his home address and personal bank account. Remember, bonus points for using the same nickname as earlier when signing up at the seedbox company!

Make friends and then turn them into enemies

Great friendships can be built on file-sharing sites but in order to maximize the risks of a major privacy invasion, personal information must be given freely to these almost complete strangers whenever possible.

In an ideal world, trusting relationships should be fostered with online ‘friends’ and then allowed to deteriorate into chaos amid a petty squabble, something often referred to in the torrent scene as a “tracker drama”. With any luck these people will discard friendships in an instant and spill the beans on a whim.

Domain registration

Under no circumstances should Dave register his domains with a protected WHOIS as although they can be circumvented, they do offer some level of protection. Instead (and to comply with necessary regulations) Dave should include his real home address and telephone number so he is easily identified.

If for some crazy reason that isn’t possible and Dave is forced to WHOIS-protect his domain, having other non-filesharing sites on the same server as his file-sharing site is always good for laying down breadcrumbs for the anti-privacy police. If the domains of those other sites don’t have a protected WHOIS, so much the better. Remember, make sure the address matches the home location mentioned on Facebook and the items for sale on eBay!

Conclusion

As the above shows, with practice it’s easy to completely compromise one’s privacy, whether participating in the file-sharing space or elsewhere. In the above guide we’ve simply cited some genuine real-life techniques used by people reported in previous TF articles published during the last year, but if you have better ideas at ruining privacy online, please feel free to add them in the comments.

Source: TorrentFreak, for the latest info on copyright, file-sharing, torrent sites and anonymous VPN services.

TorrentFreak: Vuze Speeds Up Torrent Downloads Through “Swarm Merging”

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

Vuze_bw_logoVuze is one of the most recognized BitTorrent brands. The client is used by millions of people each day and has a steadily growing user-base.

In recent years Vuze’s BitTorrent client has evolved into an all-in-one download solution, with built-in search, DVD-burning capabilities and device integration

While it’s certainly not the most lightweight client around, Vuze has some interesting options for more demanding BitTorrent users. With the latest 5.6 release the new “swarm merging” feature stands out.

The new feature allows users to find duplicate files shared elsewhere via BitTorrent, and combines the seeds and peers from multiple sources.

“Vuze automatically detects when two or more of your incomplete downloads share one or more files of identical size and will attempt to merge the torrent swarms to download the file faster or, possibly, complete an existing file with bad availability,” Vuze explains.

For example, if you download a copy of LibreOffice, Vuze can search for torrents that have the same files and combine these swarms. This is particularly useful when a torrent has no seeds or very few active ones.

Below is a screenshot of one download being pulled from two swarms. In this case it’s downloading 1.2MB per second from the original torrent and an additional 1.0MB per second from the merged swarm.

A merged swarm
SwarmMergeEx4

The merging feature makes use of Vuze’s swarm discovery tool and finds files through the Distributed Hash Table (DHT). It’s relatively primitive and based on file-sizes, but can be a life-safer nonetheless.

Another new feature that’s worth mentioning is improved support for the anonymous I2P network. While not mentioned in the official 5.6 release announcement, users who download a torrent with an I2P tracker are now prompted to install the corresponding plugin.

I2P plug
i2pvuze

This I2P plug will likely increase the number of users on the network, increasing the download speeds as well. Vuze believes that it makes sense to support I2P as many of its users are interested in communicating anonymously.

“I2P is used by many people who care about their privacy: activists, journalists, as well as the average person. The Vuze user can fall into all of these categories,” a Vuze spokesperson informs TF.

The latest stable release of Vuze for Mac, Linux and Windows is available at the official website. More details on the swarm merging feature can be found in the Vuze wiki.

Source: TorrentFreak, for the latest info on copyright, file-sharing, torrent sites and anonymous VPN services.

Schneier on Security: More <i>Data and Goliath</i> News

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

Right now, the book is #6 on the New York Times best-seller list in hardcover nonfiction, and #13 in combined print and e-book nonfiction. This is the March 22 list, and covers sales from the first week of March. The March 29 list — covering sales from the second week of March — is not yet on the Internet. On that list, I’m #11 on the hardcover nonfiction list, and not at all on the combined print and e-book nonfiction list.

Marc Rotenberg of EPIC tells me that Vance Packard’s The Naked Society made it to #7 on the list during the week of July 12, 1964, and — by that measure — Data and Goliath is the most popular privacy book of all time. I’m not sure I can claim that honor yet, but it’s a nice thought. And two weeks on the New York Times best-seller list is super fantastic.

For those curious to know what sorts of raw numbers translate into those rankings, this is what I know. Nielsen Bookscan tracks retail sales across the US, and captures about 80% of the book market. It reports that my book sold 4,706 copies during the first week of March, and 2,339 copies in the second week. Taking that 80% figure, that means I sold 6,000 copies the first week and 3,000 the second.

My publisher tells me that Amazon sold 650 hardcovers and 600 e-books during the first week, and 400 hardcovers and 500 e-books during the second week. The hardcover sales ranking was 865, 949, 611, 686, 657, 602, 595 during the first week, and 398, 511, 693, 867, 341, 357, 343 during the second. The book’s rankings during those first few days don’t match sales, because Amazon records a sale for the rankings when a person orders a book, but only counts the sale when it actually ships it. So all of my preorders sold on that first day, even though they were calculated in the rankings during the days and weeks before publication date.

There are few new book reviews. There’s one from the Dealbook blog at the New York Times that treats the book very seriously, but doesn’t agree with my conclusions. (A rebuttal to that review is here.) A review from the Wall Street Journal was even less kind. This review from InfoWorld is much more positive.

All of this, and more, is on the book’s website.

There are several book-related videos online. The first is the talk I gave at the Harvard Bookstore on March 4th. The second and third are interviews of me on Democracy Now. I also did a more general Q&A with Gizmodo.

Note to readers. The book is 80,000 words long, which is a normal length for a book like this. But the book’s size is much larger, because it contains a lot of references. They’re not numbered, but if they were, there would be over 1,000 numbers. I counted all the links, and there are 1,622 individual citations. That’s a lot of text. This means that if you’re reading the book on paper, the narrative ends on page 238, even though the book continues to page 364. If you’re reading it on the Kindle, you’ll finish the book when the Kindle says you’re only 44% of the way through. The difference between pages and percentages is because the references are set in smaller type than the body. I warn you of this now, so you know what to expect. It always annoys me that the Kindle calculates percent done from the end of the file, not the end of the book.

And if you’ve read the book, please post a review on the book’s Amazon page or on Goodreads. Reviews are important on those sites, and I need more of them.

TorrentFreak: Pirate Party Becomes Iceland’s Most Popular Political Party

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

pirate-iceOn January 1, 2006, Rick Falkvinge founded the Swedish and first Pirate Party. The party has survived more than nine turbulent years while provoking heated discussion on copyright reform, privacy and freedom of speech.

The party is currently enjoying its second term in the European Parliament and in January 2014 Julia Reda MEP released her draft report for the overhaul of EU copyright. As pointed out by Falkvinge himself, that fact is worthy of a double take.

“A Pirate Party representative is writing the European Union’s official evaluation of the copyright monopoly, and listing a set of necessary changes,” he wrote in a TF column.

And today brings yet more news which prompts a second look at a surprising headline. According to a poll carried out in Iceland over the past week, the Pirate Party is now the country’s most popular political party. For a party founded locally less than two and a half years ago, that’s an astounding achievement.

Run between the 13th and 18th of March by MMR, a company experienced in measuring support for local political parties, the survey places the Pirates ahead of even the most established of political movements.

According to Visir, total public support for the Pirate Party is currently riding at 23.9%, that’s up from the 12.8% reported in the last MMR survey.

The Pirates have snatched the lead from the Independence Party, who led during the last poll with 25.5% but have now dropped to 23.4%. While that is a slim lead of just 0.5%, it is a lead nonetheless, and the gap between the Pirates and other parties is even more pronounced.

The Social Democratic Alliance polled at 15.5% and the Progressive Party now sits at just 11.0%, marginally ahead of the Green Party with 10.8% of the support.

Today’s results are an improvement over those reported in a separate survey published last week which put the Pirates in a marginal second place. That prompted cautious excitement from Pirate MP Helgi Hrafn Gunnarsson.

“I’m happy to see such a reception, but you also need to keep this in mind. Firstly, it’s not self-evident that this will be the result of the elections and not self-evident that this will go on. It’s important not to become arrogant because of this,” he said.

Speaking with TorrentFreak, Pirate Party founder Rick Falkvinge says the results of the poll are inspiring.

“This is an extraordinary accomplishment. Where we had the proof-of-concept in Sweden in 2009, and additional sparks of success in Germany in the following years, I didn’t really anticipate a Pirate Party measuring as its country’s very largest within a decade of founding the first one in 2006,” Falkvinge says

“The suddenly-within-reach prospect of actually taking up a prime ministry in the near term shows what you can accomplish when you’re calling out stale policies and governmental backroom shadiness for what they are. It also shows how the net generation just won’t stand for the holier-than-thou attitude that’s still being displayed by an old self-appointed elite toward the young future.

“Still, to get to this point requires extraordinary hard work, commitment, and dedication. Far more than just congratulations are in order. The Icelandic Pirate Party is an inspiration for the net generation of the entire world,” Falkvinge concludes.

Source: TorrentFreak, for the latest info on copyright, file-sharing, torrent sites and anonymous VPN services.

Errata Security: What ever it is, CISA isn’t cybersecurity

This post was syndicated from: Errata Security and was written by: Robert Graham. Original post: at Errata Security

In the next couple months, Congress will likely pass CISA, the Cybersecurity Information Sharing Act. This is a bad police-state thing. It will do little to prevent attacks, but do a lot to increase mass surveillance.

They did not consult us security experts when drafting this bill. If they had, we would have told them the idea doesn’t really work. Companies like IBM and Dell SecureWorks already have massive “cybersecurity information sharing” systems where they hoover up large quantities of threat information from their customers. This rarely allows them to prevent attacks as the CISA bill promises.

In other words, we’ve tried the CISA experiment, and we know it doesn’t really work.

While CISA won’t prevent attacks, it will cause mass surveillance. Most of the information produced by countermeasures is in fact false-positives, triggering on innocent anomalies rather than malicious hackers. Your normal day-to-day activities on the Internet occasionally trigger these false-positives. When this information gets forwarded to law enforcement, it puts everyone in legal jeopardy. It may trigger an investigation, or it may just become evidence about you, for example, showing which porn sites you surf. It’s mass surveillance through random sampling.

That such mass surveillance is the goal is demonstrated by several clauses in the bill, such as how the information can be used in cases of sexual exploitation of minors. If CISA were about prevention, then it would be useless in such cases. But CISA isn’t about prevention, it’s about gathering information after the fact while prosecuting a crime.

Even if CISA could work, it would still be dampened by the fact that government is both incompetent and corrupt. The FBI and DHS do not have adequate technical expertise. We can see that from the incomplete and incorrect warnings they produce. That they are corrupt is demonstrated by whether something is a “cyber threat indicator” changes according to what is politically correct. Who receives the best information depends upon who is best politically connected. CISA even calls for loyalty oaths to the United States before the government will even consider sharing threat information. Conversely, the FBI today regularly threatens people to suppress them from sharing cyber threat information that would embarrass the politically connected.

I know all this because I’m one of the foremost experts in this field. I created BlackICE Guard, the first intrusion-prevention system (IPS). The IPS is one of the biggest producers of information the government wants to get their hands on. The IPS is also one of the biggest consumers of threat intelligence that government proposes sharing in the other direction. I have sat in the monitoring center gathering data from thousands of customers, and know from personal experience that it’s of limited value in preventing attacks. When I was favored by the FBI, I received special threat information others did not. When I was not in favor with the FBI, I received threats trying to stop me from embarrassing the politically connected.

In summary, CISA does not work. Private industry already has exactly the information sharing the bill proposes, and it doesn’t prevent cyber attacks as CISA claims. On the other side, because of the false-positive problem, CISA does far more to invade privacy than even privacy advocates realize, doing a form of mass surveillance. Even if it could work and privacy could be protected, CISA creates a corrupt system for the politically connected. This is a typical bad police state bill, and not one that anybody should take seriously as something that would stop hackers.

TorrentFreak: U.S. Net Neutrality Has a Massive Copyright Loophole

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

copyright-brandedIn 2007 we uncovered that Comcast was systematically slowing down BitTorrent traffic to ease the load on its network.

The Comcast case was the first to ignite a broad discussion about Net Neutrality. It became the setup for the FCC’s Open Internet Order which was released three years later.

This Open Internet Order was the foundation of the Net Neutrality rules the FCC adopted two weeks ago. The big change compared to the earlier attempt is that ISPs can now be regulated as carriers under Title II.

Interestingly, the exact language of the new rules remained secret until three days ago. The broader concepts, including a ban on paid prioritization and blocking were known, but the fine print was kept secret until everything was signed off on.

Perhaps unsurprisingly, the full text has quite a few caveats.

When we read the new rules it’s clear that the “copyright loophole” many activists protested against in the past is still there. In short, ISPs can still throttle or block certain types of traffic as long as it’s related to copyright infringement.

In its most recent order the FCC has listed the following rule:

“Nothing in this part prohibits reasonable efforts by a provider of broadband Internet access service to address copyright infringement or other unlawful activity.”

The FCC argues that copyright infringement hurts the economy, so ISPs are free to take appropriate measures against this type of traffic. This includes the voluntary censoring of pirate sites, something the MPAA and RIAA are currently lobbying for.

“For example, the no-blocking rule should not be invoked to protect copyright infringement, which has adverse consequences for the economy, nor should it protect child pornography. We reiterate that our rules do not alter the copyright laws and are not intended to prohibit or discourage voluntary practices undertaken to address or mitigate the occurrence of copyright infringement,” the FCC explains.

Interestingly, this issue has been pretty much absent from the discussion in recent months. This is curious as many activist groups, including the Electronic Frontier Foundation (EFF), protested heavily against the copyright loophole in the past, issuing warnings over massive collateral damage.

“Carving a copyright loophole in net neutrality would leave your lawful activities at the mercy of overbroad copyright filtering schemes, and we already have plenty of experience with copyright enforcers targeting legitimate users by mistake, carelessness, or design,” the EFF wrote at the time.

So why was there little outrage about the copyright loophole this time around? TF contacted EFF staff attorney Kit Walsh who admits that the issue didn’t get much attention, but that it’s certainly problematic.

“The language about ‘lawful’ content and applications creates a serious loophole that seems to leave it up to ISPs to make judgments about what content is lawful or infringes a copyright, subject to challenges after the fact about whether their conduct was ‘reasonable’,” Walsh says.

“It’s one thing to say that ISPs can block subject to a valid court order, quite another to let ISPs make decisions about the lawfulness of content for themselves,” he adds.

According to Walsh the issue is particularly concerning because many ISPs also have their own media properties. This means that their incentive to block copyright infringement may be greater than the incentive to protect fair use material.

For example, although the Net Neutrality rules prescribe no blocking and throttling, ISPs could still block access to The Pirate Bay and other alleged pirate sites as an anti-piracy measure. Throttling BitTorrent traffic in general is also an option, as long as it’s framed as reasonable network management.

A related concern is that ISPs can use privacy invasive technologies such as Deep Packet Inspection to monitor users’ traffic for possible copyright violations. The FCC didn’t include any protections against these practices. Instead, it simply noted that people can use SSL, VPNs and TOR to circumvent it.

“The FCC’s response to concerns about deep packet inspection is that users can just use SSL, VPNs and TOR,” Walsh says.

“Of course SSL, VPNs, and TOR are great tools for Internet users to preserve their privacy, but this approach of leaving users to fend for themselves isn’t a great start for the FCC on protecting the privacy of broadband subscribers,” he adds.

The above makes it clear that Net Neutrality has its limits. The problem remains, however, that it’s still unclear how far ISPs can go under the “copyright” and “network management” loopholes.

Previously, the EFF seriously doubted if it was a good idea at all to give FCC control over the Internet. However, as things stand now they are happy with the new rules, even though they aren’t perfect.

Title II regulation with forbearance was the main goal, and that was achieved. In addition, the EFF is also content with the bright line rules against blocking, throttling, and paid prioritization of “lawful” traffic.

“We won a large portion of what we argued for, thanks to a broad coalition of advocates and the voices of four million Americans, but we did not get everything we wanted. We’re clearly better off overall with the order than without, but we’re not going to hesitate to criticize the areas where the FCC gets it wrong,” Walsh says.

Fingers crossed….

Source: TorrentFreak, for the latest info on copyright, file-sharing, torrent sites and anonymous VPN services.

TorrentFreak: Sky Will Hand Over Customer Data in Movie Piracy Case

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

skyAny regular reader of these pages will be familiar with the term “copyright troll”. These companies have made a business model out of monitoring file-sharing networks for alleged copyright infringements, tracking down alleged offenders and then demanding hard cash to make supposed lawsuits go away.

The practice is widespread in the United States but also takes place in several countries around Europe. Wherever the location, the methods employed are largely the same. ‘Trolls’ approach courts with ‘evidence’ of infringement and demand that ISPs hand over the details of their subscribers so that the copyright holder can demand money from them.

During September 2014, TorrentFreak became aware of a UK court case that had just appeared before the Chancery Division. The title – TCYK LLP v British Sky Broadcasting Ltd – raised eyebrows. From experience we know that TCYK stands for The Company You Keep and is the title of the film of the same name directed and starring Robert Redford, appearing alongside Susan Sarandon and Shia LeBeouf.

While the movie itself is reportedly unremarkable, the response to it being unlawfully made available on file-sharing networks has been significant. In the United States TCYK LLC has filed dozens of copyright infringement lawsuits against Internet subscribers in many states including Illinois, Colorado, Ohio, Florida and Minnesota, to name a few. Those interested in their U.S-based activities can read about them extensively on ‘troll’ watching sites DTD and Fight Copyright Trolls.

The big news today, however, is that TCYK LLC is about to start demanding cash from customers of the UK’s second largest ISP, Sky Broadband. TorrentFreak approached Sky back in September for information on the case but after several emails back and forth the trail went cold. We can now reveal what has transpired.

Sometime during 2014 TCKY monitored BitTorrent swarms for individuals sharing their movies without permission. The company went to court to obtain what is known as a Norwich Pharmacal Order which would oblige Sky to hand over the identities of their subscribers to TCKY. TorrentFreak has now learned that an order has been granted.

In a letter now being sent out to Sky subscribers, the company warns of what is to come.

“We need to let you know about a court order made against Sky earlier this year that requires us to provide your name and address to another company,” the letters begin.

“A company called TCYK LLC, which owns the rights to several copyrighted films, has claimed that a number of Sky Broadband customers engaged in unlawful file-sharing of some of its films. In support of this claim, TCYK LLC says it has gathered evidence of individual broadband accounts (identified online by unique numbers called IP addresses) from which it claims the file sharing took place.”

Sky notes that it cannot vouch for the accuracy of the evidence but notes that the existence of the court order means that it must compromise its subscribers’ privacy. In several other countries ISPs have fought to keep their subscribers’ details secure so we asked Sky what efforts, if any, they took to do the same. At the time of publication we had received no response.

To its credit, however, Sky is warning its customers of what is likely to come next.

“It’s likely that TCYK LLC will contact you directly and may ask you to pay them compensation,” Sky notes.

sky

We’ll clarify something here. When TCYK get in touch their ONLY reason for doing so will be to obtain compensation. Many people will pay up out of fear since TCYK will imply (if not directly state) that a court case could follow if a settlement is not reached.

It is almost certain that these threats are mere bluster and again, to Sky’s credit, the company outlines potential weaknesses in TCYK’s case.

“We advise you to read the letter from TCYK LLC carefully. It may be that you are not aware of the things that are being claimed: for example, if other people have access to your Internet connection, or simply because you do not recall downloading or sharing the film.”

The facts are simple. If letter recipients did not download or share the film or did not authorize someone else to do so (i.e by specifically telling someone else that they can use their connection to download and share pirate content) then the subscriber is not responsible for the infringement and does not have to pay a penny.

If someone else did share TCYK’s film on the Internet connection in question then it is up to TCYK to identify that person by name. The bill payer is under no obligation to try to help TCYK to do so if they have no idea who that person is.

Sky conclude by suggesting that letter recipients either contact the Citizens Advice Bureau or a solicitor. TorrentFreak spoke with Michael Coyle from Lawdit Solicitors who has dealt with these kinds of cases previously.

“I am surprised that the [Court] Order was granted for the release of the names as the High Court has been particularly damning about speculative invoicing ‘claims’ – see in particular the words of HHJ Birss QC in Media CAT v Adams and HHJ Arnold (here),” Coyle told TF.

“Added to the fact that the Claimant is a notorious troll in the US adds to the mystery and we can only wait and see what the letters are demanding. [Letter recipients] should not panic and above should not pay until as such time as they’ve taken legal advice,” Coyle concludes.

In any event, recipients should read the following article detailing the Speculative Invoicing Handbook Second Edition, a publication which explains how UK copyright trolls operate and how they should be dealt with.

At the time of publication Sky Broadband had not responded to our request for comment.

Source: TorrentFreak, for the latest info on copyright, file-sharing, torrent sites and anonymous VPN services.

Schneier on Security: <i>Data and Goliath</i>’s Big Idea

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

Data and Goliath is a book about surveillance, both government and corporate. It’s an exploration in three parts: what’s happening, why it matters, and what to do about it. This is a big and important issue, and one that I’ve been working on for decades now. We’ve been on a headlong path of more and more surveillance, fueled by fear­–of terrorism mostly­–on the government side, and convenience on the corporate side. My goal was to step back and say “wait a minute; does any of this make sense?” I’m proud of the book, and hope it will contribute to the debate.

But there’s a big idea here too, and that’s the balance between group interest and self-interest. Data about us is individually private, and at the same time valuable to all us collectively. How do we decide between the two? If President Obama tells us that we have to sacrifice the privacy of our data to keep our society safe from terrorism, how do we decide if that’s a good trade-off? If Google and Facebook offer us free services in exchange for allowing them to build intimate dossiers on us, how do know whether to take the deal?

There are a lot of these sorts of deals on offer. Wayz gives us real-time traffic information, but does it by collecting the location data of everyone using the service. The medical community wants our detailed health data to perform all sorts of health studies and to get early warning of pandemics. The government wants to know all about you to better deliver social services. Google wants to know everything about you for marketing purposes, but will “pay” you with free search, free e-mail, and the like.

Here’s another one I describe in the book: “Social media researcher Reynol Junco analyzes the study habits of his students. Many textbooks are online, and the textbook websites collect an enormous amount of data about how­–and how often­–students interact with the course material. Junco augments that information with surveillance of his students’ other computer activities. This is incredibly invasive research, but its duration is limited and he is gaining new understanding about how both good and bad students study­–and has developed interventions aimed at improving how students learn. Did the group benefit of this study outweigh the individual privacy interest of the subjects who took part in it?”

Again and again, it’s the same trade-off: individual value versus group value.

I believe this is the fundamental issue of the information age, and solving it means careful thinking about the specific issues and a moral analysis of how they affect our core values.

You can see that in some of the debate today. I know hardened privacy advocates who think it should be a crime for people to withhold their medical data from the pool of information. I know people who are fine with pretty much any corporate surveillance but want to prohibit all government surveillance, and others who advocate the exact opposite.

When possible, we need to figure out how to get the best of both: how to design systems that make use of our data collectively to benefit society as a whole, while at the same time protecting people individually.

The world isn’t waiting; decisions about surveillance are being made for us­–often in secret. If we don’t figure this out for ourselves, others will decide what they want to do with us and our data. And we don’t want that. I say: “We don’t want the FBI and NSA to secretly decide what levels of government surveillance are the default on our cell phones; we want Congress to decide matters like these in an open and public debate. We don’t want the governments of China and Russia to decide what censorship capabilities are built into the Internet; we want an international standards body to make those decisions. We don’t want Facebook to decide the extent of privacy we enjoy amongst our friends; we want to decide for ourselves.”

In my last chapter, I write: “Data is the pollution problem of the information age, and protecting privacy is the environmental challenge. Almost all computers produce personal information. It stays around, festering. How we deal with it­–how we contain it and how we dispose of it­–is central to the health of our information economy. Just as we look back today at the early decades of the industrial age and wonder how our ancestors could have ignored pollution in their rush to build an industrial world, our grandchildren will look back at us during these early decades of the information age and judge us on how we addressed the challenge of data collection and misuse.”

That’s it; that’s our big challenge. Some of our data is best shared with others. Some of it can be ‘processed’­–anonymized, maybe­–before reuse. Some of it needs to be disposed of properly, either immediately or after a time. And some of it should be saved forever. Knowing what data goes where is a balancing act between group and self-interest, a trade-off that will continually change as technology changes, and one that we will be debating for decades to come.

This essay previously appeared on John Scalzi’s blog Whatever.

The diaspora* blog: diaspora* development monthly review, February 2015

This post was syndicated from: The diaspora* blog and was written by: Diaspora* Foundation. Original post: at The diaspora* blog

These are the changes made to diaspora*'s codebase during February. They will take effect with the release of diaspora* v0.5.0.0.

Say a big thank you to everyone who has helped improve diaspora* this month!

This list has been created by volunteers from the diaspora* community. We'd love help in creating a development review each month; if you would like to help us, get in touch via the related thread on Loomio.


Akash Agrawall @aka001

  • Added a dynamic change of the user's minimum age from the pod's config for the settings page #5639
  • Added the ability for podmins to lock / unlock accounts #5643
  • Improved the help section #5706

arlo gn @arlogn

  • Improved the styling of the photo stream on the profile page #5521

Augier @AugierLe42e

  • Removed the header from the sign-in page for the mobile view #5623
  • Added the ability to link to a specific help page #5667
  • Added a help section for chat #5665

Dennis Schubert @denschub

  • Removed the file extensions for SCSS imports commit

Dumitru Ursu @dimaursu

  • Added checks for the database collation and added a line to the example config for podmins #5624

Faldrian @Faldrian

  • Fixed the position of moderation buttons (remove/block/report) on reshares #5601
  • Added keyboard shortcuts for reshare (r), expand post (m), follow first link in a post (o) #5602
  • Improved the avatar error handling which displays a default avatar if the original one isn't found on the server #5638
  • Add the ability to add contacts in mobile version #5594

Flaburgan @Flaburgan

  • Removed the sign-up button from the header when registrations are disabled #5612
  • Unified the design of sign-up, sign-in and forgot password pages #5391
  • Unified the post control icon tooltip by using the tooltip plugin for the post report icon #5713

James Kiesel @gdpelican

  • Added the creation dates of posts to the JSON export #5597

Aurélie Giniouxe @giniouxe

  • Fixed the text of the change button on the privacy settings page #5671

goob @goobertron

  • Standardized capitalization throughout the UI #5588

Jonne Haß @jhass

  • Updated the locale files commit
  • Updated Spring commit
  • Added a missing translation commit
  • Added editorconfig to the codebase so all developers are able to agree on the same config for their editors (trailing whitespaces, etc.) #5666
  • Added a feature which removes Unicode format characters from posts, fixing unwanted behavior of the markdown renderer #5680
  • Updated Rails to version 4.2 #5501
  • Updated a lot of rubygems #5709
  • Removed the .css extension from SCSS files #5710

Marc Burt @MarcBurt

  • Added a spec to make sure that closed accounts don't change the total user figure in pod statistics #5351

Sam Radhakrishnan @sam09

  • Added length validation to profile location, fixing an error thrown by the server when a user tried to enter a location longer than 255 chars #5614
  • Made the website show the correct error message when the profile data validation fails #5619

SansPseudoFix @SansPseudoFix

  • Fixed overflow of formatted code in comments for the mobile website #5675

Steffen van Bergerem @svbergerem

  • Fixed the aspect dropdown on the people search page, which wasn't working when users were added after fetching them from another server #5632
  • Removed 'photo export' link from the settings page, which wasn't working #5634
  • Removed some unused files and fixed the syntax in some jasmine tests #5635
  • Added the JSHint javascript linter which looks for errors in our javascript codebase #5637
  • Fixed the timeagos for the notifications page and the notification dropdown. Added a 'no notifications yet' message when the user has no notifications #5417
  • Fixed a typo in a helper function #5647
  • Updated the jasmine testing framework #5649
  • Added hovercards for mentions #5652
  • Fixed the badge count and automatic scrolling for unread conversations #5646
  • Updated the sanitizer for markdown-it, which removes unknown html tags from posts before displaying them #5661
  • Fixed a pending spec for the tag stream #5663
  • Removed the unused function last_post from PeopleController #5664
  • Improved the integration test for hovercards #5650
  • Added a invitation link to the contacts page #5655
  • Added the ajax spinner and improved the comment box for Bootstrap streams #5672
  • Add the year as a separator to notifications page and fixed a bug with notifications which were displayed in the wrong order #5676 and #5677
  • Updated jasmine-ajax #5679
  • Added transistions for opacity changes of post control icons #5682
  • Fixed notifications for new conversation which where broken on the develop branch 5686
  • Fixed a bug on the notifications page: the conversation button was only displayed when you had less than 20 contacts. Now it depends on the number of contacts in the specific aspect #5691
  • Fixed the style of the 'show more posts' button for the mobile website #5683
  • Updated markdown-it-diaspora-mention and markdown-it-sanitizer which fixed a bug: mentions no longer add a trailing whitespace #5711

Piotr Klosinski @WebDevFromScratch

  • Update the stream when resharing a post #5699

Zach Rabinovich @zachrab

  • Disabled sending emails for deleted accounts. Previously, the server tried to send an email to an arbitrary address 5640

Lukas @Zauberstuhl @Zauberstuhl

  • Added the ability to link to remote user profiles #5659
  • Updated JSXC, the javascript xmpp client #5648

Schneier on Security: The TSA’s FAST Personality Screening Program Violates the Fourth Amendment

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

New law journal article: “A Slow March Towards Thought Crime: How the Department of Homeland Security’s FAST Program Violates the Fourth Amendment,” by Christopher A. Rogers. From the abstract:

FAST is currently designed for deployment at airports, where heightened security threats justify warrantless searches under the administrative search exception to the Fourth Amendment. FAST scans, however, exceed the scope of the administrative search exception. Under this exception, the courts would employ a balancing test, weighing the governmental need for the search versus the invasion of personal privacy of the search, to determine whether FAST scans violate the Fourth Amendment. Although the government has an acute interest in protecting the nation’s air transportation system against terrorism, FAST is not narrowly tailored to that interest because it cannot detect the presence or absence of weapons but instead detects merely a person’s frame of mind. Further, the system is capable of detecting an enormous amount of the scannee’s highly sensitive personal medical information, ranging from detection of arrhythmias and cardiovascular disease, to asthma and respiratory failures, physiological abnormalities, psychiatric conditions, or even a woman’s stage in her ovulation cycle. This personal information warrants heightened protection under the Fourth Amendment. Rather than target all persons who fly on commercial airplanes, the Department of Homeland Security should limit the use of FAST to where it has credible intelligence that a terrorist act may occur and should place those people scanned on prior notice that they will be scanned using FAST.

TorrentFreak: Viacom Sues Nickelodeon Streaming Pirates

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

spongepirateNickelodeon is perhaps one of the world’s most recognizable brands when it comes to children’s entertainment. Its shows reach all corners of the globe and with characters such as SpongeBob Squarepants its a firm fan favorite with the younger generation.

A website that has clearly spotted the potential of exploiting of Nicklodeon’s content is Nick Reboot. Founded in 2012, NickReboot.com offers 24/7 live streaming of classic Nickelodeon TV shows from the 1990s and 2000s. Once on the site viewers are immediately confronted with a random Nick show playing alongside a chatbox.

“We air shows (both cartoons and live action) from the 90s and early 2000s that were shown on the United States Nickelodeon TV channel during that time (we also show some 80s content as well). This includes syndicated programming, original programming, station IDs, bumpers, and commercials,” the site explains.

“Shows are aired live and in random order, meaning that you are seeing what everyone else is seeing – just like live TV. There is no schedule set for when shows will be played.”

nick2

Free service aside, however, the site also offers a subscription service to those who don’t like the random order in which shows are played.

“Nick Reboot On Demand lets you watch what you want, when you want. Choose from our extensive library of shows, movies, and specials and re-live your childhood on your own schedule,” the site explains.

The site’s offers, both free and paid, have not gone unnoticed by Viacom. The media giant has just filed a lawsuit at United States District Court in California claiming not only copyright and trademark infringement but also cyber-squatting and unfair competition.

“Viacom, which owns the copyrights and trademarks in Viacom content,
including content airing on the Nickelodeon networks, never authorized Defendants’ use of Viacom’s copyrighted content or any Nickelodeon trademarks on the [Nickreboot.com] website. Viacom therefore brings this action to prevent the
continued willful infringement of its copyrights and trademarks,” the complaint reads.

“[Nickreboot.com] offers paid on-demand viewing to subscribers at the following price options: (a) $3.99 per month; (b) $9.99 for three months; (c) $19.99 for six months; and (d) $35.99 for one year. The [Nickreboot.com] website also accepts donations and offers extended site features for members who donate.”

nick1

Viacom says that the NickReboot website is operated out of San Diego and is causing damage to a business which currently reaches “more than 550 million households across approximately 140 territories” with products such as Yu-Gi-Oh!, Digimon, Power Rangers, Invader Zim and SpongeBob SquarePants.

In its complaint Viacom concedes it does not know the names of the John Does 1-5 targeted in its lawsuit but believes that the discovery process will reveal their true identities. First, the website’s registration details are currently obscured by the Whoisguard privacy service. Second, several payment processors and service providers also deal with the site.

Viacom want to compel these companies to give up the information they have on file so that action can be taken on several fronts.

Copyright and trademarks

“Viacom is informed and believes and on that basis alleges that Defendants are fully aware of Viacom’s exclusive rights, and have infringed Viacom’s rights willfully, maliciously and with wanton disregard,” the complaint notes, adding the company will seek the maximum statutory damages, actual damages and attorneys’ fees.

Next, Viacom wants to be compensated for abuse of its trademarks since Nick Reboot demonstrates “an intentional, willful, and malicious intent” to trade on the goodwill associated with Viacom’s IP.

“Defendants’ use of confusingly similar imitations of Viacom’s Nickelodeon Marks is likely to cause confusion, deception, and mistake by creating the false and misleading impression that Defendants’ pirated Viacom Works are produced, distributed, endorsed, sponsored, approved, or licensed by Viacom, or are associated or connected with Viacom,” the complaint reads.

“Defendants have caused and are likely to continue causing substantial injury to the public and to Viacom, and Viacom is entitled to injunctive relief and to recover Defendants’ profits, actual damages,enhanced profits and damages, costs, and reasonable attorneys’ fees.”

Cybersquatting

Viacom’s legal team states that the selection of the NickReboot.com domain name constitutes a deliberate effort to trade on the goodwill of Nickelodeon and cause confusion among the brand’s customers.

“Defendants registered the [Nickreboot.com] domain name, which fully incorporates the NICK word mark and is confusingly similar to the Nickelodeon Marks, with a bad faith intent to profit from the Nickelodeon Marks and the consequent confusion of Internet users without any reasonable grounds to believe that Defendants’ use and registration of the [Nickreboot.com] domain name was fair,” the company adds.

“In addition to costs and injunctive relief, Viacom is entitled to an order directing Defendants to forfeit the [Nickreboot.com] domain name and to transfer it to Viacom, and awarding Viacom statutory damages under 15U.S.C. § 1117(d).”

The media giant rounds off its complaint with a wave of claims based in unfair competition law. Viacom requests a permanent injunction to stop the defendants operating the website in question and using Viacom trademarks without permission.

All associated service providers, advertising agencies and financial institutions connected to the website should be added to the injunction, the media company says, and the domain name Nickreboot.com should be handed over immediately.

According to a page on the Nick Reboot site, the service “operates strictly under certain provisions listed in the doctrine of ‘fair use’ as codified in section 107 of the copyright law, and monitors the status of related industry legislation such as Bill S.978 (pending) for compliance,” but whether this means much to Viacom remains to be seen.

“Viacom respectfully demands a trial by jury on all claims and issues so triable,” the company concludes.

At the time of publication, NickReboot had not responded to our request for comment.

Source: TorrentFreak, for the latest info on copyright, file-sharing, torrent sites and anonymous VPN services.

TorrentFreak: Which VPN Services Take Your Anonymity Seriously? 2015 Edition

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

spyBy now most Internet users are well aware of the fact that pretty much every step they take on the Internet is logged or monitored.

To prevent their IP-addresses from being visible to the rest of the Internet, millions of people have signed up to a VPN service. Using a VPN allows users to use the Internet anonymously and prevent snooping.

Unfortunately, not all VPN services are as anonymous as they claim, as several incidents have shown in the past.

By popular demand we now present the fourth iteration of our VPN services “logging” review. In addition to questions about logging practices, we also asked VPN providers about other privacy sensitive policies, so prospective users can make an informed decision.

1. Do you keep ANY logs which would allow you to match an IP-address and a time stamp to a user of your service? If so, exactly what information do you hold and for how long?

2. Under what jurisdiction(s) does your company operate?

3. What tools are used to monitor and mitigate abuse of your service?

4. Do you use any external email providers (e.g. Google Apps) or support tools ( e.g Live support, Zendesk) that hold information provided by users?

5. In the event you receive a DMCA takedown notice or European equivalent, how are these handled?

6. What steps are taken when a valid court order requires your company to identify an active user of your service? Has this ever happened?

7. Does your company have a warrant canary or a similar solution to alert customers to gag orders?

8. Is BitTorrent and other file-sharing traffic allowed on all servers? If not, why?

9. Which payment systems do you use and how are these linked to individual user accounts?

10. What is the most secure VPN connection and encryption algorithm you would recommend to your users? Do you provide tools such as “kill switches” if a connection drops and DNS leak protection?

11. Do you use your own DNS servers? (if not, which servers do you use?)

12. Do you have physical control over your VPN servers and network or are they outsourced and hosted by a third party (if so, which ones)? Where are your servers located?

Below is the list of responses we received from various VPN providers, in their own words. In some cases we asked for further clarification. VPN providers who keep logs for longer than 7 days were excluded, and others who simply failed to respond.

Please note that several VPN companies listed here do log to some extent. We therefore divided the responses into a category of providers who keep no logs (page 1/2) and one for who keep usage and/or session logs (page 3). The order of the VPNs within each category holds no value.

We are also working on a convenient overview page as well as dedicated review pages for all providers, with the option for users to rate theirs and add a custom review. These will be added in the near future.

VPNs That keep No Logs

Private Internet Access

piavpn1. We do not log, period. This includes, but is not limited to, any traffic data, DNS data or meta (session) data. Privacy IS our policy.

2. We choose to operate in the US in order to provide no logging service, as there is no mandatory data retention law in the US. Additionally, our beloved clients are given access to some of the strongest consumer protection laws, and thus, are able to purchase with confidence.

3. We do not monitor our users, period. That said, we have a proprietary system in place to help mitigate abuse.

4. We utilize SendGrid as an external mailing system and encourage users to create an anonymous e-mail when signing up depending on their adversarial risk level. Our support system is in-house as we utilize Kayako.

5. We have a proprietary system in place that allows us to comply in full with DMCA takedown notices without disrupting our users’ privacy. Because we do not log our users’ activities in order to protect and respect their privacy, we are unable to identify particular users that may be infringing the lawful copyrights of others.

6. We do not log and therefore are unable to provide information about any users of our service. We have not, to date, been served with a valid court order that has required us to provide something we do not have.

7. We do not have a warrant canary in place at this time as the concept of a warrant canary is, in fact, flawed at this time, or in other words, is “security theater.”

8. We do not attempt to filter, monitor, censor or interfere in our users’ activity in any way, shape or form. BitTorrent is, by definition, allowed.

9. We utilize a variety of payment systems including, but not limited to, PayPal, Stripe, Amazon, Google, Bitcoin, Stellar, CashU, Ripple, Most Major Store Bought Gift card, PIA Gift cards (available in retail stores for “cash”), and more. We utilize a hashing system to keep track of payments and credit them properly while ensuring the strongest levels of privacy for our users.

10. The most secure VPN connection and encryption algorithm that we would recommend to our users would be our suite of AES-256, RSA 4096 and SHA1 or 256. However, AES-128 should still be considered quite safe. For users of Private Internet Access specifically, we offer addon tools to help ensure our beloved clients’ privacies including:

– Kill Switch : Ensures that traffic is only routed through the VPN such that if the VPN connection is unexpectedly terminated, the traffic would simply not be routed.
– IPv6 Leak Protection : Protects clients from websites which may include IPv6 embeds which could leak IPv6 IP information.
– DNS Leak Protection : This is built in and ensures that DNS requests are made through the VPN on a safe, private no-log DNS daemon.
– Shared IP System : We mix clients’ traffic with many clients’ traffic through the use of an anonymous shared-IP system ensuring that our users blend in with the crowd.

11. We are currently using our own DNS caching.

12. We utilize third party datacenters that are operated by trusted friends and, now, business partners who we have met and completed our due diligence on. Our servers are located in: USA, Canada, UK, Switzerland, Amsterdam, Sweden, Paris, Germany, Romania, Hong Kong, Israel, Australia and Japan. We have over 2,000 servers deployed at the time of writing with over 1,000 in manufacture/shipment at this time.

Private Internet Access website

TorGuard

1. No logs are kept whatsoever. TorGuard does not store any traffic logs or user session data on our network because since day one we engineered every aspect of the operation from the ground up, permitting us full control over the smallest details. In addition to a strict no logging policy we run a shared IP configuration that provides an added layer of anonymity to all users. With hundreds of active sessions sharing a single IP address at any given time it becomes impossible to back trace usage.

2. At the time of this writing our headquarters currently operates from the United States. Due to the lack of data retention laws in the US, our legal team has determined this location to be in the best interest of privacy for the time being. Although TorGuard’s HQ is in the US, we take the commitment to user privacy seriously and will uphold this obligation at all costs, even if it means transferring services or relocating company assets.

3. Our network team uses a combination of open source monitoring apps and custom developed tools to mitigate any ongoing abuse of our services. This allows us to closely monitor server load and uptime so we can pinpoint and resolve potential problems quickly. If abuse reports are received from an upstream provider, we block them in real-time by employing various levels of firewall rules to large blocks of servers. Should these methods fail, our team is quick to recycle entire IP blocks and re-deploy new servers as a last resort.

4. For basic troubleshooting and customer service purposes we utilize Livechatinc for our chat support. TorGuard staff does make use of Google Apps for company email, however no identifying client information like passwords, or billing info is ever shared among either of these platforms. All clients retain full control over account changes in our secure member’s area without any information passing through an insecure channel.

5. Because we do not host any content it is not possible for us to remove anything from a server. In the event a DMCA notice is received it is immediately processed by our abuse team. Due to our shared network configuration we are unable to forward any requests to a single user. In order to satisfy legal requirements from bandwidth providers we may temporarily block infringing protocols, ports, or IPs.

6. If a court order is received, it is first handled by our legal team and examined for validity in our jurisdiction. Should it be deemed valid, our legal representation would be forced to further explain the nature of a shared IP configuration and the fact that we do not hold any identifying logs. No, we remain unable to identify any active user from an external IP address and time stamp.

7. No, at this time we do not have a warrant canary.

8. Yes, TorGuard was designed with the BitTorrent enthusiast in mind. P2P is allowed on all servers, although for best performance we suggest using locations that are optimized for torrents. Users can find these servers clearly labeled in our VPN software.

9. We currently accept over 200 different payment options through all forms of credit card, PayPal, Bitcoin, altcoins (e.g. dogecoin, litecoin + more), Paysafecard, Alipay, CashU, Gift Cards, and many other methods. No usage can be linked back to a billing account due to the fact that we maintain zero logs across our network.

10. For best security we advise clients to use OpenVPN connections only and for encryption use AES256 with 2048bit RSA. Additionally, TorGuard VPN offers “Stealth” protection against DPI (Deep Packet Inspection) interference from a nosey ISP so you can access the open web freely even from behind the Great Firewall of China. These options are available on select locations and offer excellent security due to the cryptography techniques used to obfuscate traffic. Our VPN software uses OpenVPN exclusively and features built in DNS leak protection, an App Killswitch, and a connection Killswitch. We have also just released a built in WebRTC leak block feature for Windows Vista/7/8 users.

11. Yes, we offer private, no log DNS servers which can be obtained by contacting our support desk. By default we also use Google DNS and OpenDNS for performance reasons on select servers.

12. TorGuard currently maintains 1000+ servers in over 44 countries around the world and we continue to expand the network every month. We retain full physical control over all hardware and only seek partnerships with data centers who can meet our strict security criteria. All servers are deployed and managed exclusively by our in house networking team via a single, secure key. We have servers in Australia, Belgium, Brazil, Canada, China, Costa Rica, Czech Republic, Denmark, Egypt, Finland, France, Germany, Greece, Hong Kong, Iceland, India, Indonesia, Ireland, Italy, Japan, Korea, Latvia, Luxembourg, Malaysia, Mexico, Netherlands, New Zealand, Norway, Panama, Poland, Portugal, Romania, Russia, Saudi Arabia, Singapore, South Africa, Spain, Sweden, Switzerland, Tunisia, Turkey, United Kingdom, USA, and Vietnam.

TorGuard website

IPVanish

ipvanish1. IPVanish has a zero-log policy. We keep NO traffic logs on any customer, ever.

2. IPVanish is headquartered in the US and thus operates under US law.

3. IPVanish monitors CPU utilization, bandwidth and connection counts. When thresholds are passed, a server may be removed from rotation as to not affect other users.

4. IPVanish does not use any external support tools that hold user information. We do, however, operate an opt-in newsletter that is hosted at Constant Contact. Customers are in no way obligated to sign up for the newsletter.

5. IPVanish keeps no logs of any user’s activity and responds accordingly.

6. IPVanish, like every other company, follows the law in order to remain in business. Only US law applies.

7. No.

8. P2P is permitted. IPVanish does not block or throttle any ports, protocols, servers or any type of traffic whatsoever.

9. Bitcoin, PayPal and all major credit cards are accepted. Payments and service use are in no way linked. User authentication and billing info are also managed on completely different and independent platforms.

10. We recommend OpenVPN with 256 bit AES as the most secure VPN connection and encryption algorithm. IPVanish’s service and software also currently provide DNS leak prevention. We are developing a kill switch in upcoming releases of our software.

11. IPVanish does use its own DNS servers. Local DNS is handled by the server a user connects to.

12. IPVanish is one of the only tier-1 VPN networks, meaning we own and operate every aspect of our VPN platform, including physical control of our VPN servers. This gives IPVanish users security and speed advantages over other VPN services. IPVanish servers can be found in over 60 countries including the US, UK, Canada, Netherlands and Australia.

IPVanish website

IVPN

ivpn1. No, this is fundamental to the service we provide. It is also in our interests not to do so as it minimizes our own liability.

2. Gibraltar. In 2014 we decided to move the company from Malta to Gibraltar in light of the new 2015 EU VAT regulations which affect all VPN service providers based in the EU. The EU VAT regulations now require companies to collect two pieces of non-conflicting evidence about the location of a customer; this would be at a minimum the customer’s physical address and IP address.

3. We have built a number of bespoke systems over the last 5 years as we’ve encountered and addressed most types of abuse. At a high level we use Zabbix, an open-source monitoring tool that alerts us to incidents. As examples we have built an anti-spam rate-limiter based on iptables so we don’t have to block any email ports and forked a tool called PSAD which allows us to detect attacks originating from our own network in real time.

4. No. We made a strategic decision from the beginning that no company or customer data would ever be stored on 3rd party systems. Our customer support software, email, web analytics (Piwik), issue tracker, monitoring servers, code repo’s, configuration management servers etc. all run on our own dedicated servers that we setup, configure and manage.

5. Our legal department sends a reply stating that we do not store content on our servers and that our VPN servers act only as a conduit for data. In addition, we never store the IP addresses of customers connected to our network nor are we legally required to do so.

6. That would depend on the information with which we were provided. If asked to identify a customer based on a timestamp and/or IP address then we would reply factually that we do not store this information, so we are unable to provide it. If they provide us with an email address and asked for the customer’s identity then we reply that we do not store any personal data, we only store a customer’s email address. If the company were served with a valid court order that did not breach the Data Protection Act 2004 we could only confirm that an email address was or was not associated with an active account at the time in question. We have never been served with a valid court order.

7. Yes absolutely, we’ve published a canary since August 2014.

8. Yes, we don’t block BitTorrent or any other protocol on any of our servers. We do kindly request that our customers use non-USA based exit servers for P2P. Any company receiving a large number of DMCA notices is exposing themselves to legal action and our upstream providers have threatened to disconnect our servers in the past.

9. We accept Bitcoin, Cash and Paypal. When using cash there is no link to a user account within our system. When using Bitcoin, we store the Bitcoin transaction ID in our system. If you wish to remain anonymous to IVPN you should take the necessary precautions when purchasing Bitcoin (See part 7 of our advanced privacy guides). With Paypal we store the subscription ID in our system so we can associate incoming subscription payments. This information is deleted immediately when an account is terminated.

10. We provide RSA-4096 / AES-256 with OpenVPN, which we believe is more than secure enough for our customers’ needs. If you are the target of a state level adversary or other such well-funded body you should be far more concerned with increasing your general opsec than worrying about 2048 vs 4096 bit keys. The IVPN client offers an advanced VPN firewall that blocks every type of IP leak possible (DNS, network failures, WebRTC STUN, IPv6 etc.). It also has an ‘always on’ mode that will be activated on boot before any process on the computer starts. This will ensure than no packets are ever able to leak outside of the VPN tunnel.

11. Yes. Once connected to the VPN all DNS requests are sent to our pool of internal recursive DNS servers. We do not use forwarding DNS servers that forward the requests to a public DNS server such as OpenDNS or Google.

12. We use dedicated servers leased from 3rd party data centers in each country where we have a presence. We employ software controls such as full disk encryption and no logging to ensure that if a server is ever seized it’s data is worthless. We also operate a multi-hop network so customers can choose an entry and exit server in different jurisdictions to make the adversaries job of correlating the traffic entering and exiting our network significantly more complicated. We have servers located in Switzerland, Germany, Iceland, Netherlands, Romania, France, Hong-Kong, USA, UK and Canada.

IVPN website

PrivateVPN

privatevpn1.We don’t keep ANY logs that allow us or a 3rd party to match an IP address and a time stamp to a user of our service. The only thing we log are e-mails and user names but it’s not possible to bind an activity on the Internet to a user on PrivateVPN.

2. We operate in Swedish jurisdiction.

3. If there’s abuse, we advise that service to block our IP in the first instance, and second, we can block traffic to the abused service.

4. No. We use a service from Provide Support (ToS) for live support. They do not hold any information about the chat session. From Provide support: Chat conversation transcripts are not stored on Provide Support chat servers. They remain on the chat server for the duration of the chat session, then optionally sent by email according to the user account settings, and then destroyed.

5. This depends on the country in which we’re receiving a DMCA takedown. For example, we’ve received a DMCA takedown for UK and Finland and our response was to close P2P traffic in those countries.

6. If we get a court order to monitor a specific IP then we need to do it, and this applies to every VPN company out there.

7. We’re working on a solution where we publish a statement that we haven’t received legal process. One we receive a legal process, this canary statement is removed.

8. Yes, we allow Torrent traffic.

9. PayPal, Payson, 2Chrckout and Bitcoin. Every payment has an order number, which is linked to a user. Otherwise we wouldn’t know who has made a payment. To be clear, you can’t link a payment to an IP address you get from us.

10. OpenVPN TUN with AES-256. On top is a 2048-bit DH key. For our Windows VPN client, we have a feature called “Connection guard”, which will close a selected program(s) if the connection drop. We have no tools for DNS leak but we’re working on a protection that detects the DNS leak and fixes this by changing to a secure DNS server.

11. We use a DNS from Censurfridns.

12. We have physical control over our servers and network in Sweden. All other servers and networks are hosted by ReTN, Kaia Global Networks, Leaseweb, FDCServers, Blix, Zen systems, Wholesale Internet, Creanova, UK2, Fastweb, Server.lu, Selectel, Amanah and Netrouting. We have servers located in: Sweden, United States, Switzerland, Great Britain, France, Denmark, Luxembourg, Finland, Norway, Romania, Russia, Germany, Netherlands, Canada and Ukraine.

PrivateVPN website

PRQ

1. No

2. Swedish

3. Our own.

4. No

5. We do not care about DMCA.

6. We only require a working e-mail address to be a customer, no other information is kept.

7. No.

8. As long as the usage doesn’t violate the ToS, we do not care.

9. None of the payment methods are linked to a user.

10. OpenVPN, customers have to monitor their service/usage.

11. Yes.

12. Everything is inhouse in Sweden.

PRQ website

Mullvad

mullvad1. No. This would make both us and our users more vulnerable so we certainly don’t. To make it harder to watch the activities of an IP address from the outside we also have many users sharing addresses, both for IPv4 and IPv6.

2. Swedish.

3. We don’t monitor our users. In the rare cases of such egregious network abuse that we can’t help but notice (such as DoS attacks) we stop it using basic network tools.

4. We do use external providers and encourage people sending us email to use PGP encryption, which is the only effective way to keep email somewhat private. The decrypted content is only available to us.

5. There is no such Swedish law that is applicable to us.

6. We get requests from governments from time to time. They never get any information about our users. We make sure not to store sensitive information that can be tied to publicly available information, so that we have nothing to give out. We believe it is not possible in Swedish law to construct a court order that would compel us to actually give out information about our users. Not that we would anyway. We started this service for political reasons and would rather discontinue it than having it work against its purpose.

7. Under current Swedish law there is no way for them to force us to secretly act against our users so a warrant canary would serve no purpose. Also, we would not continue to operate under such conditions anyway.

8. Yes.

9. Bitcoin (we were the first service to accept it), cash (in the mail), bank transfers, and PayPal / credit cards. Payments are tied to accounts but accounts are just random numbers with no personal information attached that users can create at will. With the anonymous payments possible with cash and Bitcoin it can be anonymous all the way.

10. OpenVPN (using the Mullvad client program). Regarding crypto, ideally we would recommend Ed25519 for certificates, Curve25519 for key exchange (ECDHE), and ChaCha20-Poly1305 for data streams but that suite isn’t supported by OpenVPN. We therefore recommend and by default use RSA-2048, D-H (DHE) and AES-256-CBC-SHA. We have a “kill switch,” DNS leak protection and IPv6 leak protection (and IPv6 tunnelling).

11. Yes, we use our own DNS servers.

12. We have a range of servers. From on one end servers lovingly assembled and configured by us with ambitious physical security in data centers owned and operated by people we trust personally and whose ideology we like. On the other end rented hardware in big data centers. Which to use depends on the threat model and performance requirements. Currently we have servers hosted by GleSYS Internet Services, 31173 Services and Leaseweb in Sweden, the Netherlands, USA and Germany.

Mullvad website

BolehVPN

bolehvpn1. No.

2. Malaysia. This may change in the near future and we will post an announcement when this is confirmed.

3. We do monitor general traffic patterns to see if there is any unusual activity that would warrant a further investigation.

4. We use ZenDesk and Zopim but are moving to use OSTicket which is open source. This should happen in the next 1-2 months.

5. Generally we work with the providers to resolve the issue and we have never given up any of our customer information. Generally we terminate our relationship with the provider if this is not acceptable. Our US servers under DMCA jurisdiction or UK (European equivalent) have P2P locked down.

6. This has not happened yet but we do not keep any user logs so there is not much that can be provided especially if the payment is via an anonymous channel. One of our founders is a lawyer so such requests will be examined on their validity and we will resist such requests if done without proper cause or legal backing.

7. Yes.

8. Yes it is allowed except on those marked Surfing-Streaming only which are restricted either due to the provider’s policies or limited bandwidth.

9. We use MolPay, PayPal, Coinbase, Coinpayments and direct deposits. On our system it is only marked with the Invoice ID, the account it’s for, the method of payment and whether it’s paid or not. We however of course do not have control of what is stored with the payment providers.

10. Our Cloak configurations implement 256 bit AES and a SHA-512 HMAC combined with a scrambling obfuscation layer. We do have a lock down/kill switch feature and DNS leak protection.

11. Yes we do use our own DNS servers.

12. Our VPN servers are hosted by third parties however for competitive reasons, we rather not mention our providers (not that it would be hard to find out with some digging). However none of these servers hold anything sensitive as they are authenticated purely using PKI infrastructure and as long as our users regularly update their configurations they should be fine. We do however have physical control over the servers that handle our customer’s information.

BolehVPN website

NordVPN

nordvpn1. Do we keep logs? What is that? Seriously, we have a strict no-logs policy over our customers. The only information we keep is customers’ e-mail addresses which are needed for our service registration (we keep the e-mail addresses until the customer closes the account).

2. NordVPN is based out of Panama.

3. No tools are used to monitor our customers in any case. We are only able to see the servers’ load, which helps us optimize our service and provide the best possible Internet speed to our users.

4. We use the third-party live support tool, but it is not linked to the customers’ accounts.

5. When we receive any type of legal notices, we cannot do anything more than to ignore them, simply because they have no legal bearing to us. Since we are based in Panama, all legal notices have to be dealt with according to Panamanian laws first. Luckily they are very friendly to Internet users.

6.If we receive a valid court order, firstly it would have to comply with the laws of Panama. In that case, the court settlement should happen in Panama first, however were this to happen, we would not be able to provide any information because we keep exactly nothing about our users.

7. We do not have a warrant canary or any other alert system, because as it was mentioned above, we operate under the laws of Panama and we guarantee that any information about our customers will not be distributed to any third party.

8. We do not restrict any BitTorrent or other file-sharing applications on most of our servers.

9. We accept payments via Bitcoin, Credit Card, PayPal, Banklink, Webmoney (Paysera). Bitcoin is the best payment option to maintain your anonymity as it has only the paid amount linked to the client. Users who purchase services via PayPal are linked with the usual information the seller can see about the buyer.

10. We have high anonymity solutions which we would like to recommend to everyone seeking real privacy. One of them is Double VPN. The traffic is routed through at least two hoops before it reaches the Internet. The connection is encrypted within two layers of cipher AES-256-CBC encryption. Another security solution – Tor over VPN. Firstly, the traffic is encrypted within NordVPN layer and later sent to the Tor network and exits to the Internet through one of the Tor exit relays. Both of these security solutions give a great encryption and anonymity combination. The benefit of using these solutions is that the chances of being tracked are eliminated. In addition, you are able to access .onion websites when connected to Tor over VPN. Furthermore, our regular servers have a strong encryption which is 2048bit SSL for OpenVPN protocol, AES-256bit for L2TP.

In addition to that, we have advanced security solutions, such as the “kill switch” and DNS leak protection which provide the maximum possible security level for our customers.

11. NordVPN has its own DNS servers, also our customers can use any DNS server they like.

12. Our servers are outsourced and hosted by a third parties. Currently our servers are in 26 countries: Australia, Austria, Brazil, Canada, Chile, France, Germany, Hong Kong, Iceland, Isle of Man, Israel, Italy, Liechtenstein, Lithuania, Netherlands, Panama, Poland, Romania, Russia, Singapore, South Africa, Spain, Sweden, Switzerland, United Kingdom and United States.

NordVPN website

TorrentPrivacy


1. We don’t keep any logs with IP addresses. The only information we save is an email. It’s impossible to connect specific activity to a user.

2. Our company is under Seychelles jurisdiction.

3. We do not monitor any user’s traffic or activity for any reason.

4. We use third-party solutions for user communications and emailing. Both are running on our servers.

5. We have small amount of abuses. Usually we receive them through email and all of them are bot generated. As we don’t keep any content we just answer that we don’t have anything or ignore them.

6. It has never happened for 8 years. We will ignore any requests from all jurisdiction except Seychelles. We have no information regarding our customers’ IP addresses and activity on the Internet.

7. No, we don’t bother our users.

8. Yes we support all kind of traffic on all servers.

9. We are using PayPal but payment as a fact proves nothing. Also we are going to expand our payment types for the crypto currencies in the nearest future.

10. We are recommending to use the most simple and secure way — OpenVPN with AES-256 encryption. To protect the torrent downloads we suggest to create a proxy SSH tunnel for your torrent client. In this case you are encrypting only your P2P connection when your browser or Skype uses your default connection. When using standard VPN in case of disconnection your data flows unencrypted. Implementing our SSH tunnel will save from such leaking cause traffic will be stopped.

11. Yes. We are using our own DNS servers.

12. We use third party datacenters for VPN and SSH data transmission in the USA, UK and Netherlands. The whole system is located on our own servers.

TorrentPrivacy website

Proxy.sh

proxy1. We do not keep any log at all.

2. Republic of Seychelles. And of course, every jurisdiction where each of our servers are, for their specific cases.

3. IPtables, TCPdump and Wireshark, for which their use is always informed at least 24 hours in advance via our Network Alerts and/or Transparency Report.

4. All our emails, panels and support are in-house. We host our own WHMCS instance for billing and support. We host server details, project management and financial management on Redmine that we of course self-run. The only third-party connections we have are Google Analytics and Google Translate on our public website (not panel), for obvious convenience gains, but the data they fetch can easily be hidden or faked. We may also sometimes route email through Mandrill but never with user information. We also have our OpenVPN client’s code hosted at Github, but this is because we are preparing to open source it.

5. We block the affected port and explain to upstream provider and/or complainant that we cannot identify the user who did the infringement, and we can therefore not pass the notice on. We also publish a transparency report and send a copy to the Chilling Effects Clearinghouse. If there are too many infringements, we may block all ports and strengthen firewall rules to satisfy upstream provider, but this may lead us to simply drop the server on short-term due to it becoming unusable.

6. We first post the court order to public and inform our users through our blog, much-followed Twitter account, transparency report and/or network alert. If we are unable to do so, we use our warrant canary. Then, we would explain to the court that we have no technical capacity to identify the user and we are ready to give access to competent and legitimate forensic experts. To this date, no valid court order has been received and acknowledged by us.

7. Yes, proxy.sh/canary.

8. We do not discriminate activity across our network. We are unable to decrypt traffic to differentiate file-sharing traffic from other activities, and this would be against our ethics anyway. The use of BitTorrent and similar is solely limited to the fact you can whether open/use the ports you wish for it on a selected server.

9. We support hundreds of payment methods, from PayPal to Bitcoin through SMS to Ukash and Paysafecard. We use third-party payment providers who handle and carry themselves the payments and the associated user information needed for them (e.g. a name with a credit card). We never have access to those. When we need to identify a payment for a user, we always need to ask him or her for references (to then ask the payment provider if the payment exists) because we do not originally have them. Last but not least, we also have an option to kill accounts and turn them into completely anonymous tokens with no panel or membership link at all, for the most paranoid customers (in the positive sense of the term).

10. We currently provide Serpent in non-stable & limited beta and it is the strongest encryption algorithm we have. We also openly provide to our experienced users ECDH curve secp384r1 and curve22519 through a 4096-bit Diffie-Hellman key. We definitely recommend such a setup but it requires software compiling skills (you need OpenVPN’s master branch). This setup also allows you to enjoy OpenVPN’s XOR capacity for scrambling traffic. We also provide integration of TOR’s obfsproxy for similar ends. Finally, for more neophyte users, we provide 4096-bit RSA as default standard. It is the strongest encryption that latest stable OpenVPN provides. Cipher and hash are the strongest available and respectively 256-bit CBC/ARS and SHA512. Our custom OpenVPN client of course provides a kill switch and DNS leak protection.

11. Yes, we provide our own OpenNIC DNS servers as well as DNSCrypt capacity.

12. We use a mix of collocation (physically-owned), dedicated and virtual private servers – also known as a private/public cloud combination. All our VPN servers are running from RAM and are disintegrated on shutdown or reboot. About two-third of them are in the public cloud (especially for most exotic locations). Our network spans across more than 40 countries.

Proxy.sh website

HideIPVPN

hideipvpn1. We have revised our policy. Currently we store no logs related to any IP address. There is no way for any third-party to match user IP to any specific activity in the internet.

2. We operate under US jurisdiction.

3. We would have to get into details of each individual point of our ToS. For basics like P2P and torrent traffic on servers that do not allow for such transmissions or connecting to more than three VPN servers at the same time by the same user account. But we do not monitor users’ traffic. Also, since our users use shared IP address of VPN server, there is no way any third party could connect any online activity to a user’s IP address.

4. We are using Google apps for incoming mail and our own mail server for outgoing mail.

5. Since no information is stored on any of our servers there is nothing that we can take down. We reply to the data center or copyright holder that we do not log our users’ traffic and we use shared IP-addresses, which make impossible to track who downloaded any data from the internet using our VPN.

6. We would reply that we do not have measures that would us allow to identify a specific user. It has not happened so far.

7. Currently not. We will consider if our customers would welcome such a feature. So far we have never been asked for such information.

8. This type of traffic is welcomed on our German (DE VPN) and Dutch (NL VPN) servers. It is not allowed on US, UK and Canada servers as stated in our ToS – reason for this is our agreements with data centers. We also have a specific VPN plan for torrents.

9. Currently HideIPVPN accepts the following methods: PayPal, Bitcoin, Credit & Debit cards, AliPay, Web Money, Yandex Money, Boleto Bancario, Qiwi.

10. We would say SoftEther VPN protocol looks very promising and secure. Users can currently use our VPN applications on Windows and OSX systems. Both versions have a “kill switch” feature in case connection drops. Also, our apps are able to re-establish VPN connection and once active restart closed applications.

Currently our software does not provide DNS leak protection. However a new version of VPN client is in the works and will be updated with such a feature. We can let you know once it is out. At this time we can say it will be very soon.

11. For VPN we use Google DNS servers, and for SmartDNS we use our own DNS servers.

12. We don’t have physical control of our VPN servers. Servers are outsourced in premium datacenters with high quality tier1 networks. Countries now include – US/UK/NL/DE/CA

HideIPVPN website

BTGuard

btguard1. We do not keep any logs whatsoever.

2. United States

3. Custom programs that analyze traffic on the fly and do not store logs.

4. No, all data is stored on servers we control.

5. We do not have any open incoming ports, so it’s not possible for us to “takedown” any broadcasting content.

6. We would take every step within the law to fight such an order and it has never happened.

7. No.

8. Yes, all types of traffic our allowed with our services.

9. We accept PayPal and Bitcoin. All payments are linked to users’ accounts because they have to be for disputes and refunds.

10. We recommend OpenVPN and 128-bit blowfish. We offer instructions for some third party VPN monitoring software.

11. We use our own DNS servers.

12. We have physical control over all our servers. Our servers we offer services with are located in the Netherlands, Canada, and Singapore. Our mail servers are located in Luxembourg.

BTGuard website

SlickVPN

slickvpn1. SlickVPN does not log any traffic nor session data of any kind.

2. We operate a complex business structure with multiple layers of Offshore Holding Companies, Subsidiary Holding Companies, and finally some Operating Companies to help protect our interests. We will not disclose the exact hierarchy of our corporate structures, but will say the main marketing entity for our business is based in the United States of America and an operational entity is based out of Nevis.

3. We do not monitor any customer’s activity in any way. We have chosen to disallow outgoing SMTP which helps mitigate SPAM issues.

4. No. We do utilize third party email systems to contact clients who opt in for our newsletters.

5. If a valid DMCA complaint is received while the offending connection is still active, we stop the session and notify the active user of that session, otherwise we are unable to act on any complaint as we have no way of tracking down the user. It is important to note that we ALMOST NEVER receive a VALID DMCA complaint while a user is still in an active session.

6. Our customer’s privacy is of top most importance to us. We are required to comply with all valid court orders. We would proceed with the court order with complete transparency, but we have no data to provide any court in any jurisdiction. We would not rule out relocating our businesses to a new jurisdiction if required.

7. Yes. We maintain a passive warrant canary, updated weekly, and are investigating a way to legally provide a passive warrant canary which will be customized on a “per user” basis, allowing each user to check their account status individually. It is important to note that the person(s) responsible for updating our warrant canary are located outside of any of the countries where our servers are located.

8. Yes, all traffic is allowed.

9. We accept PayPal, Credit Cards, Bitcoin, Cash, and Money Orders. We keep user authentication and billing information on independent platforms. One platform is operated out of the United States of America and the other platform is operated out of Nevis. We offer the ability for the customer to permanently delete their payment information from our servers at any point. All customer data is automatically removed from our records shortly after the customer ceases being a paying member.

10. We recommend using OpenVPN if at all possible (available for Windows, Apple, Linux, iOS, Android) and it uses the AES-256-CBC algorithm for encryption.

Our Windows and Mac client incorporates IP and DNS leak protection which prevents DNS leaks and provides better protection than ordinary ‘kill-switches’. Our IP leak protection proactively keeps your IP from leaking to the internet. This was one of the first features we discussed internally when we were developing our network, it is a necessity for any good VPN provider.

11. Yes.

12. We run a mix. We physically control some of our server locations where we have a heavier load. Other locations are hosted with third parties until we have enough traffic in that location to justify racking our own server setup. To ensure redundancy, we host with multiple providers in each location. We have server locations in over forty countries. In all cases, our network nodes load over our encrypted network stack and run from ramdisk. Anyone taking control of the server would have no usable data on the disk. We run an algorithm to randomly reboot each server on a regular basis so we can clear the ramdisk.

SlickVPN website

OctaneVPN

octane1. No. We cannot locate an individual user by IP address and timestamp. There are no logs written to disk on our gateways.

The gateway servers keep the currently authenticated customers in the server’s RAM so they can properly connect and route incoming traffic to those customers. Obviously, if a server is powered down or restarted, the contents of the RAM are lost. We keep gateway performance data such as CPU loading, I/O rates and maximum simultaneous connections so that we can manage and optimize our network.

2. We operate two independent companies with different ownership structures – a network operations company and a marketing company. The network operations company operates out of Nevis. The marketing company operates under US jurisdiction and manages the website, customer accounts and support. The US company has no access to network operations and the Nevis company has no customer account data.

3. We are not in the business of monitoring customer traffic in any way. Spam emails were our biggest issue and early on we decided to prevent outgoing SMTP. Otherwise, the only other abuse tools we use are related to counting the number of active connections authenticated on an account to control account sharing issues. We use a NAT firewall on incoming connections to our gateways to add an extra layer of security for our customers.

4. No. We do use a service to send generic emails.

5. Due to the structure of our network operations company, it is unusual that we would receive a notice. There should be no cause for the marketing company to receive a notice. If we receive a DMCA notice or its equivalent based on activity that occurred in the past, we respond that we do not host any content and have no logs.

If we receive a DMCA notice based on very recent activity and the customer’s current VPN session during which it was generated is still active on the gateway, we may put the account on hold temporarily and notify the customer. No customer data is used to respond to DMCA notices.

6. Our customers’ privacy is a top priority for us. We would proceed with a court order with complete transparency. A court order would likely be based on an issue traced to a gateway server IP address and would, therefore, be received by our our network operations company which is Nevis based. The validity of court orders from other countries would be difficult to enforce. The network company has no customer data.

Our marketing company is US based and would respond to an order issued by a court of competent jurisdiction. The marketing company does not have access to any data related to network operations or user activity, so there is not much information that a court order could reveal. This has not happened.

7. We are discussing internally and reviewing existing law related to how gag orders are issued to determine the best way to offer this measure of customer confidence.

8. Yes. We operate with network neutrality except for outgoing SMTP.

9. Bitcoin and other cryptocurriences such as Darkcoin, Credit/Debit Card, and PayPal. If complete payment anonymity is desired, we suggest using Bitcoin, DarkCoin, or a gift/disposable credit card. Methods such as PayPal or Credit/Debit card are connected to an account token so that future renewal payments can be properly processed and credited. We allow customers to edit their account information. With our US/Nevis operating structure, customer payment systems information is separate from network operations.

10. We recommend using the AES-256-CBC cipher with OpenVPN, which is used with our client. IPSec is available for native Apple device support and PPTP is offered for other legacy devices, but OpenVPN offers the best security and speed and is our recommended protocol

We provide both DNS and IP leak protection in our Windows and Mac OctaneVPN client. Our OpenVPN based client’s IP leak protection works by removing all routes except the VPN route from the device when the client has an active VPN connection. This a better option than a ‘kill switch’ because our client ensures the VPN is active before it allows any data to leave the device, whereas a ‘kill switch’ typically monitors the connection periodically, and, if it detects a drop in the VPN connection, reacts.

11. Yes and we physically control them. You can choose others if you prefer.

12. In our more active gateway locations, we colocate. In locations with lower utilization, we normally host with third parties until volume at that location justifies a physical investment there. The hosted locations may have different providers based on geography. We operate gateways in over 44 countries and 90 cities. Upon booting, all our gateways load over our encrypted network from a master node and operate from encrypted ramdisk. If an entity took physical control of a gateway server, the ramdisk is encrypted and would vanish upon powering down.

OctaneVPN website

Source: TorrentFreak, for the latest info on copyright, file-sharing, torrent sites and anonymous VPN services.

TorrentFreak: Under U.S. Pressure, PayPal Nukes Mega For Encrypting Files

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

During September 2014, the Digital Citizens Alliance and Netnames teamed up to publish a brand new report. Titled ‘Behind The Cyberlocker Door: A Report How Shadowy Cyberlockers Use Credit Card Companies to Make Millions,’ it offered insight into the finances of some of the world’s most popular cyberlocker sites.

The report had its issues, however. While many of the sites covered might at best be considered dubious, the inclusion of Mega.co.nz – the most scrutinized file-hosting startup in history – was a real head scratcher. Mega conforms with all relevant laws and responds quickly whenever content owners need something removed. By any standard the company lives up to the requirements of the DMCA.

“We consider the report grossly untrue and highly defamatory of Mega,” Mega CEO Graham Gaylard told TF at the time. But now, just five months on, Mega’s inclusion in the report has come back to bite the company in a big way.

Speaking via email with TorrentFreak this morning, Gaylard highlighted the company’s latest battle, one which has seen the company become unable to process payments from customers. It’s all connected with the NetNames report and has even seen the direct involvement of a U.S. politician.

leahyAccording to Mega, following the publication of the report last September, SOPA and PIPA proponent Senator Patrick Leahy (Vermont, Chair Senate Judiciary Committee) put Visa and MasterCard under pressure to stop providing payment services to the ‘rogue’ companies listed in the NetNames report.

Following Leahy’s intervention, Visa and MasterCard then pressured PayPal to cease providing payment processing services to MEGA. As a result, Mega is no longer able to process payments.

“It is very disappointing to say the least. PayPal has been under huge pressure,” Gaylard told TF.

The company did not go without a fight, however.

“MEGA provided extensive statistics and other evidence showing that MEGA’s business is legitimate and legally compliant. After discussions that appeared to satisfy PayPal’s queries, MEGA authorised PayPal to share that material with Visa and MasterCard. Eventually PayPal made a non-negotiable decision to immediately terminate services to MEGA,” the company explains.

paypalWhat makes the situation more unusual is that PayPal reportedly apologized to Mega for its withdrawal while acknowledging that company’s business is indeed legitimate.

However, PayPal also advised that Mega’s unique selling point – it’s end-to-end-encryption – was a key concern for the processor.

“MEGA has demonstrated that it is as compliant with its legal obligations as USA cloud storage services operated by Google, Microsoft, Apple, Dropbox, Box, Spideroak etc, but PayPal has advised that MEGA’s ‘unique encryption model’ presents an insurmountable difficulty,” Mega explains.

As of now, Mega is unable to process payments but is working on finding a replacement. In the meantime the company is waiving all storage limits and will not suspend any accounts for non-payment. All accounts have had their subscriptions extended by two months, free of charge.

Mega indicates that it will ride out the storm and will not bow to pressure nor compromise the privacy of its users.

“MEGA supplies cloud storage services to more than 15 million registered customers in more than 200 countries. MEGA will not compromise its end-to-end user controlled encryption model and is proud to not be part of the USA business network that discriminates against legitimate international businesses,” the company concludes.

Source: TorrentFreak, for the latest info on copyright, file-sharing, torrent sites and anonymous VPN services.

Schneier on Security: Everyone Wants You To Have Security, But Not from Them

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

In December, Google’s Executive Chairman Eric Schmidt was interviewed at the CATO Institute Surveillance Conference. One of the things he said, after talking about some of the security measures his company has put in place post-Snowden, was: “If you have important information, the safest place to keep it is in Google. And I can assure you that the safest place to not keep it is anywhere else.”

The surprised me, because Google collects all of your information to show you more targeted advertising. Surveillance is the business model of the Internet, and Google is one of the most successful companies at that. To claim that Google protects your privacy better than anyone else is to profoundly misunderstand why Google stores your data for free in the first place.

I was reminded of this last week when I appeared on Glenn Beck’s show along with cryptography pioneer Whitfield Diffie. Diffie said:

You can’t have privacy without security, and I think we have glaring failures in computer security in problems that we’ve been working on for 40 years. You really should not live in fear of opening an attachment to a message. It ought to be confined; your computer ought to be able to handle it. And the fact that we have persisted for decades without solving these problems is partly because they’re very difficult, but partly because there are lots of people who want you to be secure against everyone but them. And that includes all of the major computer manufacturers who, roughly speaking, want to manage your computer for you. The trouble is, I’m not sure of any practical alternative.

That neatly explains Google. Eric Schmidt does want your data to be secure. He wants Google to be the safest place for your data ­ as long as you don’t mind the fact that Google has access to your data. Facebook wants the same thing: to protect your data from everyone except Facebook. Hardware companies are no different. Last week, we learned that Lenovo computers shipped with a piece of adware called Superfish that broke users’ security to spy on them for advertising purposes.

Governments are no different. The FBI wants people to have strong encryption, but it wants backdoor access so it can get at your data. UK Prime Minister David Cameron wants you to have good security, just as long as it’s not so strong as to keep the UK government out. And, of course, the NSA spends a lot of money ensuring that there’s no security it can’t break.

Corporations want access to your data for profit; governments want it security purposes, be they benevolent or malevolent. But Diffie makes an even stronger point: we give lots of companies access to our data because it makes our lives easier.

I wrote about this in my latest book, Data and Goliath:

Convenience is the other reason we willingly give highly personal data to corporate interests, and put up with becoming objects of their surveillance. As I keep saying, surveillance-based services are useful and valuable. We like it when we can access our address book, calendar, photographs, documents, and everything else on any device we happen to be near. We like services like Siri and Google Now, which work best when they know tons about you. Social networking apps make it easier to hang out with our friends. Cell phone apps like Google Maps, Yelp, Weather, and Uber work better and faster when they know our location. Letting apps like Pocket or Instapaper know what we’re reading feels like a small price to pay for getting everything we want to read in one convenient place. We even like it when ads are targeted to exactly what we’re interested in. The benefits of surveillance in these and other applications are real, and significant.

Like Diffie, I’m not sure there is any practical alternative. The reason the Internet is a worldwide mass-market phenomenon is that all the technological details are hidden from view. Someone else is taking care of it. We want strong security, but we also want companies to have access to our computers, smart devices, and data. We want someone else to manage our computers and smart phones, organize our e-mail and photos, and help us move data between our various devices.

Those “someones” will necessarily be able to violate our privacy, either by deliberately peeking at our data or by having such lax security that they’re vulnerable to national intelligence agencies, cybercriminals, or both. Last week, we learned that the NSA broke into the Dutch company Gemalto and stole the encryption keys for billions ­ yes, billions ­ of cell phones worldwide. That was possible because we consumers don’t want to do the work of securely generating those keys and setting up our own security when we get our phones; we want it done automatically by the phone manufacturers. We want our data to be secure, but we want someone to be able to recover it all when we forget our password.

We’ll never solve these security problems as long as we’re our own worst enemy. That’s why I believe that any long-term security solution will not only be technological, but political as well. We need laws that will protect our privacy from those who obey the laws, and to punish those who break the laws. We need laws that require those entrusted with our data to protect our data. Yes, we need better security technologies, but we also need laws mandating the use of those technologies.

This essay previously appeared on Forbes.com.

SANS Internet Storm Center, InfoCON: green: 11 Ways To Track Your Moves When Using a Web Browser, (Tue, Feb 24th)

This post was syndicated from: SANS Internet Storm Center, InfoCON: green and was written by: SANS Internet Storm Center, InfoCON: green. Original post: at SANS Internet Storm Center, InfoCON: green

There are a number of different use cases to track users as they use a particular web site. Some of them are more sinister then others. For most web applications, some form of session tracking is required to maintain the users state. This is typically easily done using well configured cookies (and not the scope of this article). Session are meant to be ephemeral and will not persist for long.

On the other hand, some tracking methodsdo attempt to track the user over a long time, and in particular attempt to make it difficult to evade the tracking. This is sometimes done for advertisement purposes, but can also be done to stop certain attacks like brute forcing or to identify attackers that return to a site. In its worst case, from a private perspective, the tracking is done to follow a user across various web sites.

Over the years, browsers and plugins have provided a number of ways to restrict this tracking. Here are some of the more common techniques how tracking is done and how the user can prevent (some of) it:

1 – Cookies

Cookies are meant to maintain state between different requests. A browser will send a cookie with each request once it is set for a particular site. From a privacy point of view, the expiration time and the domain of the cookie are the most important settings. Most browsers will reject cookies set on behalf of a different site, unless the user permits these cookies to be set. A proper session cookie should not use an expiration date as it should expire as soon as the browser is closed. Most browser do offer means to review, control and delete cookies. In the past, a Cookie2 header was proposed for session cookies, but this header has been deprecated and browser stop supporting it.

https://www.ietf.org/rfc/rfc2965.txt

http://tools.ietf.org/html/rfc6265

2 – Flash Cookies (Local Shared Objects)

Flash has its own persistence mechanism. These flash cookies are files that can be left on the client. They can not be set on behalf of other sites (Cross-Origin), but one SWF scriptcan expose the content of a LSO to other scripts which can be used to implement cross-origin storage. The best way to prevent flash cookies from tracking you is to disable flash. Managing flash cookies is tricky and typically does require special plugins.

https://helpx.adobe.com/flash-player/kb/disable-local-shared-objects-flash.html

3 – IP Address

The IP address is probably the most basic tracking mechanism of all IP based communication, but not always reliable as users IP addresses may change at any time, and multiple users often share the same IP address. You can use various VPN products or systems like Tor to prevent your IP address from being used to track you, but this usually comes with a performance hit. Some modern JavaScript extension (RTC in particular) can be used to retrieve a users internal IP address, which can be used to resolve ambiguities introduced by NAT. But RTC is not yet implemented in all browsers. IPv6 may provide additional methods to use the IP address to identify users as you are less likely going to run into issues with NAT.

http://ipleak.net

4 – User Agent

The User-Agent string sent by a browser is hardly ever unique by default, but spyware sometimes modifies the User-Agent to add unique values to it. Many browsers allow adjusting the User-Agent and more recently, browsers started to reduce the information in the User-Agent or even made it somewhat dynamic to match the expected content. Non-Spyware plugins sometimes modify the User-Agent to indicate support for specific features.

5 – Browser Fingerprinting

A web browser is hardly ever one monolithic piece of software. Instead, web browsers interact with various plugins and extensions the user may have installed. Past work has shown that the combination of plugin versions and configuration options selected by the user tends to be amazingly unique and this technique has been used to derive unique identifiers. There is not much you can do to prevent this, other then minimize the number of plugins you install (but that may be an indicator in itself)

https://panopticlick.eff.org

6 – Local Storage

HTML 5 offers two new ways to store data on the client: Local Storage and Session Storage. Local Storage is most useful for persistent storage on the client, and with that user tracking. Access to local storage is limited to the site that sent the data. Some browsers implement debug features that allow the user to review the data stored. Session Storage is limited to a particular window and is removed as soon as the window is closed.

https://html.spec.whatwg.org/multipage/webstorage.html

7 – Cached Content

Browsers cache content based on the expiration headers provided by the server. A web application can include unique content in a page, and then use JavaScript to check if the content is cached or not in order to identify a user. This technique can be implemented using images, fonts or pretty much any content. It is difficult to defend against unless you routinely (e.g. on closing the browser) delete all content. Some browsers allow you to not cache any content at all. But this can cause significant performance issues. Recently Google has been seen using fonts to track users, but the technique is not new. Cached JavaScript can easily be used to set unique tracking IDs.

http://robertheaton.com/2014/01/20/cookieless-user-tracking-for-douchebags/

http://fontfeed.com/archives/google-webfonts-the-spy-inside/

8 – Canvas Fingerprinting

This is a more recent technique and in essence a special form of browser fingerprinting. HTML 5 introduced a Canvas API that allows JavaScript to draw image in your browser. In addition, it is possible to read the image that was created. As it turns out, font configurations and other paramters are unique enough to result in slightly different images when using identical JavaScript code to draw the image. These differences can be used to derive a browser identifier. Not much you can do to prevent this from happening. I am not aware of a browser that allows you to disable the canvas feature, and pretty much all reasonably up to date browsers support it in some form.

https://securehomes.esat.kuleuven.be/~gacar/persistent/index.html

9 – Carrier Injected Headers

Verizon recently added injecting specific headers into HTTP requests to identify users. As this is done in flight, it only works for HTTP and not HTTPS. Each user is assigned a specific ID and the ID is injected into all HTTP requests as X-UIDH header. Verizon offers a for pay service that a web site can use to retrieve demographic information about the user. But just by itself, the header can be used to track users as it stays linked to the user for an extended time.

http://webpolicy.org/2014/10/24/how-verizons-advertising-header-works/

10 – Redirects

This is a bit a varitation on the cached content tracking. If a user is redirected using a 301 (Permanent Redirect) code, then the browser will remember the redirect and pull up the target page right away, not visiting the original page first. So for example, if you click on a link to isc.sans.edu, I could redirect you to isc.sans.edu/index.html?id=sometrackingid. Next time you go to isc.sans.edu, your browser will automatically go direct to the second URL. This technique is less reliable then some of the other techniques as browsers differ in how they cache redirects.

https://www.elie.net/blog/security/tracking-users-that-block-cookies-with-a-http-redirect

11- Cookie Respawning / Syncing

Some of the methods above have pretty simple counter measures. In order to make it harder for users to evade tracking, sites often combine different methods and respawn cookies. This technique is sometimes refered to as Evercookie. If the user deletes for example the HTTP cookie, but not the Flash Cookie, the Flash Cookie is used to re-create the HTTP cookie on the users next visit.

https://www.cylab.cmu.edu/files/pdfs/tech_reports/CMUCyLab11001.pdf

Any methods I missed (I am sure there have to be a couple…)


Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Schneier on Security: AT&T Charging Customers to Not Spy on Them

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

AT&T is charging a premium for gigabit Internet service without surveillance:

The tracking and ad targeting associated with the gigabit service cannot be avoided using browser privacy settings: as AT&T explained, the program “works independently of your browser’s privacy settings regarding cookies, do-not-track and private browsing.” In other words, AT&T is performing deep packet inspection, a controversial practice through which internet service providers, by virtue of their privileged position, monitor all the internet traffic of their subscribers and collect data on the content of those communications.

What if customers do not want to be spied on by their internet service providers? AT&T allows gigabit service subscribers to opt out — for a $29 fee per month.

I have mixed feelings about this. On one hand, AT&T is forgoing revenue by not spying on its customers, and it’s reasonable to charge them for that lost revenue. On the other hand, this sort of thing means that privacy becomes a luxury good. In general, I prefer to conceptualize privacy as a right to be respected and not a commodity to be bought and sold.

TorrentFreak: The World’s Most Idiotic Copyright Complaint

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

picarddmcaAt least once a month TorrentFreak reports on the often crazy world of DMCA takedown notices. Google is kind enough to publish thousands of them in its Transparency Report and we’re only too happy to spend hours trawling through them.

Every now and again a real gem comes to light, often featuring mistakes that show why making these notices public is not only a great idea but also in the public interest. The ones we found this week not only underline that assertion in bold, but are actually the worst examples of incompetence we’ve ever seen.

German-based Total Wipes Music Group have made these pages before after trying to censor entirely legal content published by Walmart, Ikea, Fair Trade USA and Dunkin Donuts. This week, however, their earlier efforts were eclipsed on a massive scale.

wipedFirst, in an effort to ‘protect’ their album “Truth or Dare” on Maze Records, the company tried to censor a TorrentFreak article from 2012 on how to download anonymously. The notice, found here, targets dozens of privacy-focused articles simply because they have the word “hide” in them.

But it gets worse – much worse. ‘Protecting’ an album called “Cigarettes” on Mona Records, Total Wipes sent Google a notice containing not a single infringing link. Unbelievably one of the URLs targeted an article on how to use PGP on the Mac. It was published by none other than the EFF.

EFF-wipes

So that was the big punchline, right? Pfft, nowhere near.

Going after alleged pirates of the album “In To The Wild – Vol.7″ on Aborigeno Music, Total Wipes offer their pièce de résistance, the veritable jewel in their crown. The notice, which covers 95 URLs, targets no music whatsoever. Instead it tries to ruin the Internet by targeting the download pages of some of the most famous online companies around.

Some of the URLs in the most abusive notice ever

wipe-notice1

In no particular order, here is a larger selection of some of the download pages the notice attacks.

ICQ, RedHat, SQLite, Vuze, LinuxMint, WineHQ, Foxit, Calibre, Kodi/XBMC, Skype, Java, OpenOffice, Gimp, Ubuntu, Python, TeamViewer, MySQL, VLC, Joomla, Z-Zip, RaspberryPI, Unity3D, Apache, MalwareBytes, Pidgin, LibreOffice, VMWare, uTorrent, WinSCP, WhatsApp, Evernote, AMD, AVG, Origin, TorProject, PHPMyAdmin, Nginx, FFmpeg, phpbb, Plex, GNU, WireShark, Dropbox and Opera.

If you can bear to read it the full notice can be found here. Worryingly Total Wipes Music are currently filing notices almost every day. Google rejects many of them but it’s only a matter of time before some sneak through.

We’ve said it before but it needs to be said again. Some people can’t be trusted to send takedown notices and must lose their right to do so when they demonstrate this level of abuse. The sooner Google kicks these people out the better.

Source: TorrentFreak, for the latest info on copyright, file-sharing, torrent sites and anonymous VPN services.

Schneier on Security: Co3 Systems Changes Its Name to Resilient Systems

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

Today my company, Co3 Systems, is changing its name to Resilient Systems. The new name better reflects who we are and what we do. Plus, the old name was kind of dumb.

I have long liked the term “resilience.” If you look around, you’ll see it a lot. It’s used in human psychology, in organizational theory, in disaster recovery, in ecological systems, in materials science, and in systems engineering. Here’s a definition from 1991, in a book by Aaron Wildavsky called Searching for Safety: “Resilience is the capacity to cope with unanticipated dangers after they have become manifest, learning to bounce back.”

The concept of resilience has been used in IT systems for a long time.

I have been talking about resilience in IT security — and security in general — for at least 15 years. I gave a talk at an ICANN meeting in 2001 titled “Resilient Security and the Internet.” At the 2001 Black Hat, I said: “Strong countermeasures combine protection, detection, and response. The way to build resilient security is with vigilant, adaptive, relentless defense by experts (people, not products). There are no magic preventive countermeasures against crime in the real world, yet we are all reasonably safe, nevertheless. We need to bring that same thinking to the Internet.”

In Beyond Fear (2003), I spend pages on resilience: “Good security systems are resilient. They can withstand failures; a single failure doesn’t cause a cascade of other failures. They can withstand attacks, including attackers who cheat. They can withstand new advances in technology. They can fail and recover from failure.” We can defend against some attacks, but we have to detect and respond to the rest of them. That process is how we achieve resilience. It was true fifteen years ago and, if anything, it is even more true today.

So that’s the new name, Resilient Systems. We provide an Incident Response Platform, empowering organizations to thrive in the face of cyberattacks and business crises. Our collaborative platform arms incident response teams with workflows, intelligence, and deep-data analytics to react faster, coordinate better, and respond smarter.

And that’s the deal. Our Incident Response Platform produces and manages instant incident response plans. Together with our Security and Privacy modules, it provides IR teams with best-practice action plans and flexible workflows. It’s also agile, allowing teams to modify their response to suit organizational needs, and continues to adapt in real time as incidents evolve.

Resilience is a lot bigger than IT. It’s a lot bigger than technology. In my latest book, Data and Goliath, I write: “I am advocating for several flavors of resilience for both our systems of surveillance and our systems that control surveillance: resilience to hardware and software failure, resilience to technological innovation, resilience to political change, and resilience to coercion. An architecture of security provides resilience to changing political whims that might legitimize political surveillance. Multiple overlapping authorities provide resilience to coercive pressures. Properly written laws provide resilience to changing technological capabilities. Liberty provides resilience to authoritarianism. Of course, full resilience against any of these things, let alone all of them, is impossible. But we must do as well as we can, even to the point of assuming imperfections in our resilience.”

I wrote those words before we even considered a name change.

Same company, new name (and new website). Check us out.

Schneier on Security: New Book: <i>Data and Goliath</i>

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

After a year of talking about it, my new book is finally published.

This is the copy from the inside front flap:

You are under surveillance right now.

Your cell phone provider tracks your location and knows who’s with you. Your online and in-store purchasing patterns are recorded, and reveal if you’re unemployed, sick, or pregnant. Your e-mails and texts expose your intimate and casual friends. Google knows what you’re thinking because it saves your private searches. Facebook can determine your sexual orientation without you ever mentioning it.

The powers that surveil us do more than simply store this information. Corporations use surveillance to manipulate not only the news articles and advertisements we each see, but also the prices we’re offered. Governments use surveillance to discriminate, censor, chill free speech, and put people in danger worldwide. And both sides share this information with each other or, even worse, lose it to cybercriminals in huge data breaches.

Much of this is voluntary: we cooperate with corporate surveillance because it promises us convenience, and we submit to government surveillance because it promises us protection. The result is a mass surveillance society of our own making. But have we given up more than we’ve gained? In Data and Goliath, security expert Bruce Schneier offers another path, one that values both security and privacy. He shows us exactly what we can do to reform our government surveillance programs and shake up surveillance-based business models, while also providing tips for you to protect your privacy every day. You’ll never look at your phone, your computer, your credit cards, or even your car in the same way again.

And there’s a great quote on the cover:

“The public conversation about surveillance in the digital age would be a good deal more intelligent if we all read Bruce Schneier first.” –Malcolm Gladwell, author of David and Goliath

This is the table of contents:

Part 1: The World We’re Creating

Chapter 1: Data as a By-Product of Computing
Chapter 2: Data as Surveillance
Chapter 3: Analyzing our Data
Chapter 4: The Business of Surveillance
Chapter 5: Government Surveillance and Control
Chapter 6: Consolidation of Institutional Surveillance

Part 2: What’s at Stake

Chapter 7: Political Liberty and Justice
Chapter 8: Commercial Fairness and Equality
Chapter 9: Business Competitiveness
Chapter 10: Privacy
Chapter 11: Security

Part 3: What to Do About It

Chapter 12: Principles
Chapter 13: Solutions for Government
Chapter 14: Solutions for Corporations
Chapter 15: Solutions for the Rest of Us
Chapter 16: Social Norms and the Big Data Trade-off

I’ve gotten some great responses from people who read the bound galley, and hope for some good reviews in mainstream publications. So far, there’s one review.

You can buy the book at Amazon, Amazon UK, Barnes & Noble, Powell’s, Book Depository, or IndieBound — which routes your purchase through a local independent bookseller. E-books are available on Amazon, B&N, Apple’s iBooks store, and Google Play.

And if you can, please write a review for Amazon, Goodreads, or anywhere else.

Schneier on Security: Samsung Television Spies on Viewers

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

Earlier this week, we learned that Samsung televisions are eavesdropping on their owners. If you have one of their Internet-connected smart TVs, you can turn on a voice command feature that saves you the trouble of finding the remote, pushing buttons and scrolling through menus. But making that feature work requires the television to listen to everything you say. And what you say isn’t just processed by the television; it may be forwarded over the Internet for remote processing. It’s literally Orwellian.

This discovery surprised people, but it shouldn’t have. The things around us are increasingly computerized, and increasingly connected to the Internet. And most of them are listening.

Our smartphones and computers, of course, listen to us when we’re making audio and video calls. But the microphones are always there, and there are ways a hacker, government, or clever company can turn those microphones on without our knowledge. Sometimes we turn them on ourselves. If we have an iPhone, the voice-processing system Siri listens to us, but only when we push the iPhone’s button. Like Samsung, iPhones with the “Hey Siri” feature enabled listen all the time. So do Android devices with the “OK Google” feature enabled, and so does an Amazon voice-activated system called Echo. Facebook has the ability to turn your smartphone’s microphone on when you’re using the app.

Even if you don’t speak, our computers are paying attention. Gmail “listens” to everything you write, and shows you advertising based on it. It might feel as if you’re never alone. Facebook does the same with everything you write on that platform, and even listens to the things you type but don’t post. Skype doesn’t listen — we think — but as Der Spiegel notes, data from the service “has been accessible to the NSA’s snoops” since 2011.

So the NSA certainly listens. It listens directly, and it listens to all these companies listening to you. So do other countries like Russia and China, which we really don’t want listening so closely to their citizens.

It’s not just the devices that listen; most of this data is transmitted over the Internet. Samsung sends it to what was referred to as a “third party” in its policy statement. It later revealed that third party to be a company you’ve never heard of — Nuance — that turns the voice into text for it. Samsung promises that the data is erased immediately. Most of the other companies that are listening promise no such thing and, in fact, save your data for a long time. Governments, of course, save it, too.

This data is a treasure trove for criminals, as we are learning again and again as tens and hundreds of millions of customer records are repeatedly stolen. Last week, it was reported that hackers had accessed the personal records of some 80 million Anthem Health customers and others. Last year, it was Home Depot, JP Morgan, Sony and many others. Do we think Nuance’s security is better than any of these companies? I sure don’t.

At some level, we’re consenting to all this listening. A single sentence in Samsung’s 1,500-word privacy policy, the one most of us don’t read, stated: “Please be aware that if your spoken words include personal or other sensitive information, that information will be among the data captured and transmitted to a third party through your use of Voice Recognition.” Other services could easily come with a similar warning: Be aware that your e-mail provider knows what you’re saying to your colleagues and friends and be aware that your cell phone knows where you sleep and whom you’re sleeping with — assuming that you both have smartphones, that is.

The Internet of Things is full of listeners. Newer cars contain computers that record speed, steering wheel position, pedal pressure, even tire pressure — and insurance companies want to listen. And, of course, your cell phone records your precise location at all times you have it on — and possibly even when you turn it off. If you have a smart thermostat, it records your house’s temperature, humidity, ambient light and any nearby movement. Any fitness tracker you’re wearing records your movements and some vital signs; so do many computerized medical devices. Add security cameras and recorders, drones and other surveillance airplanes, and we’re being watched, tracked, measured and listened to almost all the time.

It’s the age of ubiquitous surveillance, fueled by both Internet companies and governments. And because it’s largely happening in the background, we’re not really aware of it.

This has to change. We need to regulate the listening: both what is being collected and how it’s being used. But that won’t happen until we know the full extent of surveillance: who’s listening and what they’re doing with it. Samsung buried its listening details in its privacy policy — they have since amended it to be clearer — and we’re only having this discussion because a Daily Beast reporter stumbled upon it. We need more explicit conversation about the value of being able to speak freely in our living rooms without our televisions listening, or having e-mail conversations without Google or the government listening. Privacy is a prerequisite for free expression, and losing that would be an enormous blow to our society.

This essay previously appeared on CNN.com.

ETA (2/16): A German translation by Damian Weber.

Beyond Bandwidth: Securing Every Organization’s Most Valuable Asset: Data (Or, If You Don’t Know Where Your Data Is, Cybercriminals Will Find It For You)

This post was syndicated from: Beyond Bandwidth and was written by: Chris Richter. Original post: at Beyond Bandwidth

It’s hard to put a value on information, and yet it can be argued that data, especially now, can be the most valuable asset companies own. Unfortunately, it’s extremely difficult for organizations to assign a value to their intangible information assets, i.e. data. Without having established a value on its data assets, an organization will…

The post Securing Every Organization’s Most Valuable Asset: Data (Or, If You Don’t Know Where Your Data Is, Cybercriminals Will Find It For You) appeared first on Beyond Bandwidth.