Posts tagged ‘Privacy’

TorrentFreak: Mega Demands Apology Over “Defamatory” Cyberlocker Report

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

Yesterday the Digital Citizens Alliance released a new report that looks into the business models of “shadowy” file-storage sites.

Titled “Behind The Cyberlocker Door: A Report How Shadowy Cyberlockers Use Credit Card Companies to Make Millions,” the report attempts to detail the activities of some of the world’s most-visited hosting sites.

While it’s certainly an interesting read, the NetNames study provides a few surprises, not least the decision to include New Zealand-based cloud storage site Mega.co.nz. There can be no doubt that there are domains of dubious standing detailed in the report, but the inclusion of Mega stands out as especially odd.

Mega was without doubt the most-scrutinized file-hosting startup in history and as a result has had to comply fully with every detail of the law. And, unlike some of the other sites listed in the report, Mega isn’t hiding away behind shell companies and other obfuscation methods. It also complies fully with all takedown requests, to the point that it even took down its founder’s music, albeit following an erroneous request.

With these thoughts in mind, TorrentFreak alerted Mega to the report and asked how the company had received its inclusion, and the terminology used to describe it.

Grossly untrue and highly defamatory

“We consider the report grossly untrue and highly defamatory of Mega,” says Mega CEO Graham Gaylard.

“Mega is a privacy company that provides end-to-end encrypted cloud storage controlled by the customer. Mega totally refutes that it is a cyberlocker business as that term is defined and discussed in the report prepared by NetNames for the Digital Citizens Alliance.”

Gaylard also strongly rejects the implication in the report that, as a “cyberlocker”, Mega is engaged in the activities often associated with such sites.

“Mega is not a haven for piracy, does not distribute malware, and definitely does not engage in illegal activities,” Gaylard says. “Mega is running a legitimate business alongside other cloud storage providers in a highly competitive market.”

The Mega CEO told us that one of the perplexing things about the report is that none of the criteria set out by the report for “shadowy” sites is satisfied by Mega, yet the decision was still taken to include it.

Infringing content and best practices

One of the key issues is, of course, the existence of infringing content. All user-uploaded sites suffer from that problem, from YouTube to Facebook to Mega and thousands of sites in between. But, as Gaylard points out, it’s the way those sites handle the issue that counts.

“We are vigorous in complying with best practice legal take-down policies and do so very quickly. The reality though is that we receive a very low number of take-down requests because our aim is to have people use our services for privacy and security, not for sharing infringing content,” he explains.

“Mega acts very quickly to process any take-down requests in accordance with its Terms of Service and consistent with the requirements of the USA Digital Millennium Copyright Act (DMCA) process, the European Union Directive 2000/31/EC and New Zealand’s Copyright Act process. Mega operates with a very low rate of take-down requests; less than 0.1% of all files Mega stores.”

Affiliate schemes that encourage piracy

One of the other “rogue site” characteristics as outlined in the report is the existence of affiliate schemes designed to incentivize the uploading and sharing of infringing content. In respect of Mega, Gaylard rejects that assertion entirely.

“Mega’s affiliate program does not reward uploaders. There is no revenue sharing or credit for downloads or Pro purchases made by downloaders. The affiliate code cannot be embedded in a download link. It is designed to reward genuine referrers and the developers of apps who make our cloud storage platform more attractive,” he notes.

The PayPal factor

As detailed in many earlier reports (1,2,3), over the past few years PayPal has worked hard to seriously cut down on the business it conducts with companies in the file-sharing space.

Companies, Mega included, now have to obtain pre-approval from the payment processor in order to use its services. The suggestion in the report is that large “shadowy” sites aren’t able to use PayPal due to its strict acceptance criteria. Mega, however, has a good relationship with PayPal.

“Mega has been accepted by PayPal because we were able to show that we are a legitimate cloud storage site. Mega has a productive and respected relationship with PayPal, demonstrating the validity of Mega’s business,” Gaylard says.

Public apology and retraction – or else

Gaylard says that these are just some of the points that Mega finds unacceptable in the report. The CEO adds that at no point was the company contacted by NetNames or Digital Citizens Alliance for its input.

“It is unacceptable and disappointing that supposedly reputable organizations such as Digital Citizens and NetNames should see fit to attack Mega when it provides the user end to end encryption, security and privacy. They should be promoting efforts to make the Internet a safer and more trusted place. Protecting people’s privacy. That is Mega’s mission,” Gaylard says.

“We are requesting that Digital Citizens Alliance withdraw Mega from that report entirely and issue a public apology. If they do not then we will take further action,” he concludes.

TorrentFreak asked NetNames to comment on Mega’s displeasure and asked the company if it stands by its assertion that Mega is a “shadowy” cyberlocker. We received a response (although not directly to our questions) from David Price, NetNames’ head of piracy analysis.

“The NetNames report into cyberlocker operation is based on information taken from the websites of the thirty cyberlockers used for the research and our own investigation of this area, based on more than a decade of experience producing respected analysis exploring digital piracy and online distribution,” Price said.

That doesn’t sound like a retraction or an apology, so this developing dispute may have a way to go.

Source: TorrentFreak, for the latest info on copyright, file-sharing and anonymous VPN services.

LWN.net: Simply Secure announces itself

This post was syndicated from: LWN.net and was written by: jake. Original post: at LWN.net

A new organization to “make security easy and fun” has announced itself in a blog post entitled “Why Hello, World!”. Simply Secure is targeting the usability of security solutions: “If privacy and security aren’t easy and intuitive, they don’t work. Usability is key.”
The organization was started by Google and Dropbox; it also has the Open Technology Fund as one of its partners.
“To build trust and ensure quality outcomes, one core component of our work will be public audits of interfaces and code. This will help validate the security and usability claims of the efforts we support.

More generally, we aim to take a page from the open-source community and make as much of our work transparent and widely-accessible as possible. This means that as we get into the nitty-gritty of learning how to build collaborations around usably secure software, we will share our developing methodologies and expertise publicly. Over time, this will build a body of community resources that will allow all projects in this space to become more usable and more secure.”

TorrentFreak: Copyright Holders Want Netflix to Ban VPN Users

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

With the launch of legal streaming services such as Netflix, movie and TV fans have less reason to turn to pirate sites.

At the same time, however, these legal options invite people from other countries where the legal services are more limited. This is also the case in Australia where up to 200,000 people are estimated to use the U.S. version of Netflix.

Although Netflix has geographical restrictions in place, these are easy to bypass with a relatively cheap VPN subscription. To keep these foreigners out, entertainment industry companies are now lobbying for a global ban on VPN users.

Simon Bush, CEO of AHEDA, an industry group that represents Twentieth Century Fox, Warner Bros., Universal, Sony Pictures and other major players said that some members are actively lobbying for such a ban.

Bush didn’t name any of the companies involved, but he confirmed to Cnet that “discussions” to block Australian access to the US version of Netflix “are happening now”.

If implemented, this would mean that all VPN users worldwide will no longer be able to access Netflix. That includes the millions of Americans who are paying for a legitimate account. They can still access Netflix, but would not be allowed to do so securely via a VPN.

According to Bush, the discussions to keep VPN users out are not tied to Netflix’s arrival in Australia. The distributors and other rightsholders argue that they are already being deprived of licensing fees, because some Aussies ignore local services such as Quickflix.

“I know the discussions are being had…by the distributors in the United States with Netflix about Australians using VPNs to access content that they’re not licensed to access in Australia,” Bush said.

“They’re requesting for it to be blocked now, not just when it comes to Australia,” he adds.

While blocking VPNs would solve the problem for distributors, it creates a new one for VPN users in the United States.

The same happened with Hulu a few months ago, when Hulu started to block visitors who access the site through a VPN service. This blockade also applies to hundreds of thousands of U.S. citizens.

Hulu’s blocklist was implemented a few months ago and currently covers the IP-ranges of all major VPN services. People who try to access the site through one of these IPs are not allowed to view any content on the site, and receive the following notice instead:

“Based on your IP-address, we noticed that you are trying to access Hulu through an anonymous proxy tool. Hulu is not currently available outside the U.S. If you’re in the U.S. you’ll need to disable your anonymizer to access videos on Hulu.”

It seems that VPNs are increasingly attracting the attention of copyright holders. Just a week ago BBC Worldwide argued that ISPs should monitor VPN users for excessive bandwidth use, assuming they would then be pirates.

Considering the above we can expect the calls for VPN bans to increase in the near future.

Krebs on Security: LinkedIn Feature Exposes Email Addresses

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

One of the risks of using social media networks is having information you intend to share with only a handful of friends be made available to everyone. Sometimes that over-sharing happens because friends betray your trust, but more worrisome are the cases in which a social media platform itself exposes your data in the name of marketing.

LinkedIn has built much of its considerable worth on the age-old maxim that “it’s all about who you know”: As a LinkedIn user, you can directly connect with those you attest to knowing professionally or personally, but you can also ask to be introduced to someone you’d like to meet by sending a request through someone who bridges your separate social networks. Celebrities, executives or any other LinkedIn users who wish to avoid unsolicited contact requests may do so by selecting an option that forces the requesting party to supply the personal email address of the intended recipient.

LinkedIn’s entire social fabric begins to unravel if any user can directly connect to any other user, regardless of whether or how their social or professional circles overlap. Unfortunately for LinkedIn (and its users who wish to have their email addresses kept private), this is the exact risk introduced by the company’s built-in efforts to expand the social network’s user base.

According to researchers at the Seattle, Wash.-based firm Rhino Security Labs, at the crux of the issue is LinkedIn’s penchant for making sure you’re as connected as you possibly can be. When you sign up for a new account, for example, the service asks if you’d like to check your contacts lists at other online services (such as Gmail, Yahoo, Hotmail, etc.). The service does this so that you can connect with any email contacts that are already on LinkedIn, and so that LinkedIn can send invitations to your contacts who aren’t already users.

LinkedIn assumes that if an email address is in your contacts list, you must already know this person. But what if your entire reason for signing up with LinkedIn is to discover the private email addresses of famous people? All you’d need to do is populate your email account’s contacts list with hundreds of permutations of famous people’s names — including combinations of last names, first names and initials — in front of @gmail.com, @yahoo.com, @hotmail.com, etc. With any luck and some imagination, you may well be on your way to an A-list LinkedIn friends list (or a fantastic set of addresses for spear-phishing, stalking, etc.).

LinkedIn lets you know which of your contacts aren’t members.

When you import your list of contacts from a third-party service or from a stand-alone file, LinkedIn will show you any profiles that match addresses in your contacts list. More significantly, LinkedIn helpfully tells you which email addresses in your contacts lists are not LinkedIn users.

It’s that last step that’s key to finding the email address of the targeted user to whom LinkedIn has just sent a connection request on your behalf. The service doesn’t explicitly tell you that person’s email address, but by comparing your email account’s contact list to the list of addresses that LinkedIn says don’t belong to any users, you can quickly figure out which address(es) on the contacts list correspond to the user(s) you’re trying to find.

Rhino Security founders Benjamin Caudill and Bryan Seely have a recent history of revealing how trust relationships between and among online services can be abused to expose or divert potentially sensitive information. Last month, the two researchers detailed how they were able to de-anonymize posts to Secret, an app-driven online service that allows people to share messages anonymously within their circle of friends, friends of friends, and publicly. In February, Seely more famously demonstrated how to use Google Maps to intercept FBI and Secret Service phone calls.

This time around, the researchers picked on Dallas Mavericks owner Mark Cuban to prove their point with LinkedIn. Using their low-tech hack, the duo was able to locate the Webmail address Cuban had used to sign up for LinkedIn. Seely said they found success in locating the email addresses of other celebrities using the same method about nine times out of ten.

“We created several hundred possible addresses for Cuban in a few seconds, using a Microsoft Excel macro,” Seely said. “It’s just a brute-force guessing game, but 90 percent of people are going to use an email address that includes components of their real name.”

The Rhino guys really wanted Cuban’s help in spreading the word about what they’d found, but instead of messaging Cuban directly, Seely pursued a more subtle approach: He knew Cuban’s latest start-up was Cyber Dust, a chat messenger app designed to keep your messages private. So, Seely fired off a tweet complaining that “Facebook Messenger crosses all privacy lines,” and that as a result he was switching to Cyber Dust.

When Mark Cuban retweeted Seely’s endorsement of Cyber Dust, Seely reached out to Cyber Dust CEO Ryan Ozonian, letting him know that he’d discovered Cuban’s email address on LinkedIn. In short order, Cuban was asking Rhino to test the security of Cyber Dust.

“Fortunately no major faults were found and those he found are already fixed in the coming update,” Cuban said in an email exchange with KrebsOnSecurity. “I like working with them. They look to help rather than exploit. We have learned from them and I think their experience will be valuable to other app publishers and networks as well.”

Whether LinkedIn will address the issues highlighted by Rhino Security remains to be seen. In an initial interview earlier this month, the social networking giant sounded unlikely to change anything in response.

Corey Scott, director of information security at LinkedIn, said very few of the company’s members opt in to the requirement that all new potential contacts supply the invitee’s email address before sending an invitation to connect. He added that email address-to-user mapping is a fairly common design pattern, that it is not particularly unique to LinkedIn, and that nothing the company does will prevent people from blasting emails to lists of addresses that might belong to a targeted user, hoping that one of them will hit home.

“Email address permutators, of which there are many of them on the ‘Net, have existed much longer than LinkedIn, and you can blast an email to all of them, knowing that most likely one of those will hit your target,” Scott said. “This is kind of one of those challenges that all social media companies face in trying to prevent the abuse of [site] functionality. We have rate limiting, scoring and abuse detection mechanisms to prevent frequent abusers of this service, and to make sure that people can’t validate spam lists.”

In an email sent to this reporter last week, however, LinkedIn said it was planning at least two changes to the way its service handles user email addresses.

“We are in the process of implementing two short-term changes and one longer term change to give our members more control over this feature,” LinkedIn spokeswoman Nicole Leverich wrote in an emailed statement. “In the next few weeks, we are introducing new logic models designed to prevent hackers from abusing this feature. In addition, we are making it possible for members to ask us to opt out of being discoverable through this feature. In the longer term, we are looking into creating an opt-out box that members can choose to select to not be discoverable using this feature.”

Darknet - The Darkside: Google DID NOT Leak 5 Million E-mail Account Passwords

This post was syndicated from: Darknet - The Darkside and was written by: Darknet. Original post: at Darknet - The Darkside

So a big panic hit the Internet a couple of days ago when it was alleged that Google had leaked 5 Million e-mail account passwords – and these had been posted on a Russian Bitcoin forum. I was a little sceptical, as Google tends to be pretty secure on that front and they had made [...]

The post Google DID NOT Leak 5 Million E-mail Account…

Read the full post at darknet.org.uk

Schneier on Security: The Concerted Effort to Remove Data Collection Restrictions

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

Since the beginning, data privacy regulation focused on collection, storage, and use. You can see it in the OECD Privacy Framework from 1980 (see also this proposed update).

Recently, there has been a concerted effort to focus all potential regulation on data use, completely ignoring data collection. Microsoft’s Craig Mundie argues this. So does the PCAST report. And the World Economic Forum. This is a lobbying effort by US business. My guess is that the companies are much more worried about collection restrictions than use restrictions. They believe that they can slowly change use restrictions once they have the data, but that it’s harder to change collection restrictions and get the data in the first place.

We need to regulate collection as well as use. In a new essay, Chris Hoofnagle explains why.

Krebs on Security: Dread Pirate Sunk By Leaky CAPTCHA

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

Ever since October 2013, when the FBI took down the online black market and drug bazaar known as the Silk Road, privacy activists and security experts have traded conspiracy theories about how the U.S. government managed to discover the geographic location of the Silk Road Web servers. Those systems were supposed to be obscured behind the anonymity service Tor, but as court documents released Friday explain, that wasn’t entirely true: Turns out, the login page for the Silk Road employed an anti-abuse CAPTCHA service that pulled content from the open Internet, thus leaking the site’s true location.

Tor helps users disguise their identity by bouncing their traffic between different Tor servers, and by encrypting that traffic at every hop along the way. The Silk Road, like many sites that host illicit activity, relied on a feature of Tor known as “hidden services.” This feature allows anyone to offer a Web server without revealing the true Internet address to the site’s users.

That is, if you do it correctly, which involves making sure you aren’t mixing content from the regular open Internet into the fabric of a site protected by Tor. But according to federal investigators, Ross W. Ulbricht — a.k.a. the “Dread Pirate Roberts” and the 30-year-old arrested last year and charged with running the Silk Road — made this exact mistake.

As explained in the Tor how-to, in order for the Internet address of a computer to be fully hidden on Tor, the applications running on the computer must be properly configured for that purpose. Otherwise, the computer’s true Internet address may “leak” through the traffic sent from the computer.


And this is how the feds say they located the Silk Road servers:

“The IP address leak we discovered came from the Silk Road user login interface. Upon examining the individual packets of data being sent back from the website, we noticed that the headers of some of the packets reflected a certain IP address not associated with any known Tor node as the source of the packets. This IP address (the “Subject IP Address”) was the only non-Tor source IP address reflected in the traffic we examined.”

“The Subject IP Address caught our attention because, if a hidden service is properly configured to work on Tor, the source IP address of traffic sent from the hidden service should appear as the IP address of a Tor node, as opposed to the true IP address of the hidden service, which Tor is designed to conceal. When I typed the Subject IP Address into an ordinary (non-Tor) web browser, a part of the Silk Road login screen (the CAPTCHA prompt) appeared. Based on my training and experience, this indicated that the Subject IP Address was the IP address of the SR Server, and that it was ‘leaking’ from the SR Server because the computer code underlying the login interface was not properly configured at the time to work on Tor.”
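A check for the configuration mistake described above, added here as an example that is not from the original post, the Tor how-to or the court filing: it scans the HTML a hidden service serves and flags every resource a visitor's browser would fetch from, or submit to, a host outside Tor. The sample login page and the hostnames in it are constructed placeholders.

```python
"""Flag clearnet references in a page served by a Tor hidden service.

Added example (not code from the original post). A CAPTCHA image, script,
stylesheet or form target that points at a non-.onion host makes browsers
contact that host directly, and a host that answers with part of the hidden
site's login page has just revealed the real server.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Attributes whose value the browser fetches or submits.
URL_ATTRS = {"src", "href", "action", "data", "poster", "formaction"}
# Hosts that never leave the machine, so they cannot leak its address.
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}
# url(...) tokens inside inline style attributes.
CSS_URL = re.compile(r"url\(\s*['\"]?([^'\")]+)['\"]?\s*\)", re.IGNORECASE)


def is_clearnet(url):
    """True if the URL names a host that is neither a .onion address nor local.

    Relative paths, fragments and non-network schemes (data:, mailto:,
    javascript:) have no hostname and are never flagged. Protocol-relative
    URLs (//cdn.example/x) do carry a hostname and are checked like any other.
    """
    host = (urlparse(url.strip()).hostname or "").lower()
    if not host:
        return False
    return not (host.endswith(".onion") or host in LOCAL_HOSTS)


class ClearnetRefFinder(HTMLParser):
    """Collect (tag, attribute, url) triples that point off Tor."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value is None:
                continue
            name = name.lower()
            if name in URL_ATTRS:
                candidates = [value]
            elif name == "srcset":
                # "url 1x, url 2x": keep only the URL part of each candidate.
                candidates = [c.split()[0] for c in value.split(",") if c.strip()]
            elif name == "style":
                candidates = CSS_URL.findall(value)
            else:
                continue
            for url in candidates:
                if is_clearnet(url):
                    self.findings.append((tag, name, url))


def find_clearnet_refs(html):
    """Return every clearnet reference in the document, in source order."""
    finder = ClearnetRefFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample: a hidden-service login page whose CAPTCHA image and a
# helper script are loaded from placeholder clearnet hosts (the mistake the
# post describes), alongside references that are safe and must not be flagged.
SAMPLE_LOGIN_PAGE = """
<html><head>
<link rel="stylesheet" href="/static/login.css">
<script src="//cdn.example.net/captcha.js"></script>
</head><body>
<form action="/login" method="post">
  <img src="http://203.0.113.7/captcha.png" alt="captcha">
  <img srcset="/img/logo.png 1x, https://cdn.example.net/logo@2x.png 2x" alt="logo">
  <div style="background: url('/img/bg.png')"></div>
  <a href="http://placeholderhiddensvc.onion/help">help</a>
  <a href="mailto:admin@placeholderhiddensvc.onion">contact</a>
  <input type="submit" value="Log in">
</form>
</body></html>
"""

if __name__ == "__main__":
    for tag, attr, url in find_clearnet_refs(SAMPLE_LOGIN_PAGE):
        print(f"LEAK RISK: <{tag} {attr}> -> {url}")
```

This only catches references visible in the served HTML; outbound connections the server makes on its own (CAPTCHA validation callbacks, DNS lookups, update checks) leak the address just as well, so the host should additionally be firewalled to reach the Internet only through Tor.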

For many Tor fans and advocates, The Dread Pirate Roberts’ goof will no doubt be labeled a noob mistake — and perhaps it was. But as I’ve said time and again, staying anonymous online is hard work, even for those of us who are relatively experienced at it. It’s so difficult, in fact, that even hardened cybercrooks eventually slip up in important and often fateful ways (that is, if someone or something was around at the time to keep a record of it).

A copy of the government’s declaration on how it located the Silk Road servers is here (PDF). A hat tip to Nicholas Weaver for the heads up about this filing.

A snapshot of offerings on the Silk Road.

lcamtuf's blog: Some notes on web tracking and related mechanisms

This post was syndicated from: lcamtuf's blog and was written by: Michal Zalewski. Original post: at lcamtuf's blog

Artur Janc and I put together a nice, in-depth overview of all the known fingerprinting and tracking vectors that appear to be present in modern browsers. This is an interesting, polarizing, and poorly-studied area; my main hope is that the doc will bring some structure to the discussions of privacy consequences of existing and proposed web APIs – and help vendors and standards bodies think about potential solutions in a more holistic way.

That’s it – carry on!

Darknet - The Darkside: Massive Celeb Leak Brings iCloud Security Into Question

This post was syndicated from: Darknet - The Darkside and was written by: Darknet. Original post: at Darknet - The Darkside

So this leak has caused quite a furore, normally I don’t pay attention to this stuff – but hey it’s JLaw and it’s a LOT of celebs at the same time – which indicates some kind of underlying problem. The massive list of over 100 celebs was posted originally on 4chan (of course) by an [...]

The post Massive Celeb Leak…

Read the full post at darknet.org.uk

TorrentFreak: Dotcom Loses Bid to Keep Assets Secret from Hollywood

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

20th Century Fox, Disney, Paramount, Universal, Columbia Pictures and Warner Bros are engaged in a huge battle with Kim Dotcom.

They believe that legal action currently underway against the Megaupload founder could lead to them receiving a sizable damages award should they win their case. But Dotcom’s lavish lifestyle gives them concerns. The more he spends, the less they could receive should the money begin to run out.

Those concerns were addressed by the High Court’s Judge Courtney, who previously ordered Dotcom to disclose the details of his worldwide assets to his Hollywood adversaries. Dotcom filed an appeal which will be heard in October, but that date is beyond the ordered disclosure date.

As a result, Dotcom took his case to the Court of Appeal in the hope of staying the disclosure order.

That bid has now failed.

Dotcom’s legal team argued that their client’s October appeal would be rendered pointless if he was required to hand over financial information in advance. They also insisted a stay would not negatively affect the studios since millions in assets are currently restrained in New Zealand and elsewhere.

However, as explained by the Court of Appeal, any decision to stay a judgment is a balancing act between the rights of the successful party (Hollywood) to enforce its judgment and the consequences for both parties should the stay be granted or denied.

While the Court agreed that Dotcom’s appeal would be rendered pointless if disclosure to Hollywood was ordered, it rejected the argument that this would have an adverse effect on Dotcom.

“[T]he mere fact that appeal rights are rendered nugatory is not necessarily determinative and in the circumstances of this case I consider that this consequence carries little weight. This is because Mr Dotcom himself does not assert that there will be any adverse effect on him if deprived of an effective appeal,” the decision reads.

The Court also rejected the argument put forward by Dotcom’s lawyer that the disclosure of financial matters would be a threat to privacy and amounted to an “unreasonable search”.

The Court did, however, acknowledge that Dotcom’s appeal would deal with genuine issues. That said, the concern over him disposing of assets outweighed them in this instance.

In respect of the effect of a stay on the studios, the Court looked at potential damages in the studios’ legal action against the Megaupload founder. Dotcom’s expert predicted damages “well below” US$10m, while the studios’ expert predicted in excess of US$100m.

The Court noted that Dotcom has now revealed that his personal assets restrained in both New Zealand and Hong Kong are together worth “not less” than NZ$ 33.93 million (US$ 28.39m). However, all of Dotcom’s assets are subject to a potential claim from his estranged wife, Mona, so the Court judged Dotcom’s share to be around NZ$17m.

As a result the Court accepted that there was an arguable case that eventual damages would be more than the value of assets currently restrained in New Zealand.

As a result, Dotcom is ordered to hand the details of his financial assets, “wherever they are located”, to the lawyers acting for the studios. There are restrictions on access to that information, however.

“The respondents’ solicitors are not to disclose the contents of the affidavit to any person without the leave of the Court,” the decision reads.

As legal proceedings in New Zealand continue, eyes now turn to Hong Kong. In addition to Dotcom’s personal wealth subject to the restraining order as detailed above, an additional NZ$25m owned by Megaupload and Vestor Limited is frozen in Hong Kong. Next week Dotcom’s legal team will attempt to have the restraining order lifted.

TorrentFreak: BTindex Exposes IP-Addresses of BitTorrent Users

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

Unless BitTorrent users are taking steps to hide their identities through the use of a VPN, proxy, or seedbox, their downloading habits are available for almost anyone to snoop on.

By design the BitTorrent protocol shares the location of any user in the swarm. After all, without knowing where to send the data nothing can be shared to begin with.

Despite this fairly common knowledge, even some experienced BitTorrent users can be shocked to learn that someone has been monitoring their activities, let alone that their sharing activity is being made public for the rest of the world to see.

Like it or not, this is exactly what the newly launched torrent search engine BTindex is doing.

Unlike most popular torrent sites BTindex adds new content by crawling BitTorrent’s DHT network. This is already quite unique as most other sites get their content from user uploads or other sites. However, the most controversial part without doubt is that the IP-addresses of BitTorrent users are being shared as well.

People who download a file from The Pirate Bay or any other torrent site expose their IP-addresses via the DHT network. BTindex records this information alongside the torrent metadata. The number of peers is displayed in the search results and for each file a selection of IP-addresses is made available to the public.

The image below shows a selection of peers who shared a pirated copy of the movie “Transcendence,” this week’s most downloaded film.

Some IP-addresses sharing “Transcendence.”

Perhaps even more worrying to some, the site also gives an overview of all recorded downloads per IP-address. While the database is not exhaustive there is plenty of dirt to be found on heavy BitTorrent users who have DHT enabled in their clients.

Below is an example of the files that were shared via the IP-address of a popular VPN provider.

Files shared by the IP-address of a popular VPN provider

Since all data is collected through the DHT network people can avoid being tracked by disabling this feature in their BitTorrent clients. Unfortunately, that only gives a false sense of security as there are plenty of other monitoring firms who track people by gathering IP-addresses directly from the trackers.

The idea to index and expose IP-addresses of public BitTorrent users is not entirely new. In 2011 YouHaveDownloaded did something similar. This site generated considerable interest but was shut down a few months after its launch.

If anything, these sites should act as a wake-up call to people who regularly share files via BitTorrent without countermeasures. Depending on the type of files being shared, a mention on BTindex is probably the least of their worries.

Source: TorrentFreak, for the latest info on copyright, file-sharing and anonymous VPN services.

TorrentFreak: The Copyright Monopoly Should Be Dead And Buried Already

This post was syndicated from: TorrentFreak and was written by: Rick Falkvinge. Original post: at TorrentFreak

Every time somebody questions the copyright monopoly, and in particular, whether it’s reasonable to dismantle freedom of the press, freedom of assembly, freedom of speech, freedom of information, and the privacy of correspondence just to maintain a distribution monopoly for an entertainment industry, the same question pops up out of nowhere:

“How will the artists get paid?”.

The copyright industry has been absolutely phenomenal in misleading the public in this very simple matter, suggesting that artists’ income somehow depends on a distribution monopoly of publishers. If the facts were out, this debate would have been over 20 years ago and the distribution monopoly already abolished quite unceremoniously.

There are three facts that need to be established and hammered in whenever somebody asks this question.

First: Less than one percent of artists’ income comes from the copyright monopoly. Read that sentence again. The overwhelming majority of artists get their income today from student loans, day jobs, unemployment benefits, and so on and so forth. One of the most recent studies (“Copyright as Incentive”, in Swedish as “Upphovsrätten som incitament”, 2006) quotes a number of 0.9 per cent as the average income share of artists that can be directly attributed to the existence of the copyright monopoly. The report calls the direct share of artists’ income “negligible”, “insignificant”. However, close to one hundred per cent of publishers’ income – the income of unnecessary, parasitic middlemen – is directly attributable to the copyright monopoly today. Guess who’s adamant about defending it? Hint: not artists.

Second: 99.99% of artists never see a cent in copyright monopoly royalties. Apart from the copyright industry’s creative accounting and bookkeeping – arguably the only reason they ever had to call themselves the “creative industry” – which usually robs artists blind, only one in ten thousand artists ever see a cent in copyright-monopoly-related royalties. Yes, this is a real number: 99% of artists are never signed with a label, and of those who are, 99% of those never see royalties. It comes across as patently absurd to defend a monopolistic, parasitic system where only one in ten thousand artists make any money with the argument “how will the artists make money any other way?”.

Third: Artists’ income has more than doubled because of culture-sharing. Since the advent of hobby-scale unlicensed manufacturing – which is what culture-sharing is legally, since it breaks a manufacturing monopoly on copies – the average income for musicians has risen 114%, according to a Norwegian study. Numbers from Sweden and the UK show the same thing. This shift in income has a direct correlation to hobby-based unlicensed manufacturing, as sales of copies are down the drain – which is the best news imaginable for artists, since households are spending as much money on culture as before (or more, according to some studies), but are buying in sales channels where artists get a much larger piece of the pie. Hobby-based unlicensed manufacturing has meant the greatest wealth transfer from parasitic middlemen to artists in the history of recorded music.

As a final note, it should be told that even if artists went bankrupt because of sustained civil liberties, that would still be the way to go. Any artist that goes from plinking their guitar in the kitchen to wanting to sell an offering is no longer an artist, but an entrepreneur; the same rules apply to them as to every other entrepreneur on the planet. Specifically, they do not get to dismantle civil liberties because such liberties are bad for business. But as we see, we don’t even need to take that into consideration, for the entire initial premise is false.

Kill copyright, already. Get rid of it. It hurts innovation, creativity, our next-generation industries, and our hard-won civil liberties. It’s not even economically defensible.

About The Author

Rick Falkvinge is a regular columnist on TorrentFreak, sharing his thoughts every other week. He is the founder of the Swedish and first Pirate Party, a whisky aficionado, and a low-altitude motorcycle pilot. His blog at falkvinge.net focuses on information policy.



Linux How-Tos and Linux Tutorials: How to Set up Server-to-Server Sharing in ownCloud 7 on Linux

This post was syndicated from: Linux How-Tos and Linux Tutorials and was written by: Carla Schroder. Original post: at Linux How-Tos and Linux Tutorials

Most of the buzz around The Cloud is devoted to commercial services such as Google’s online apps, Amazon’s cloud services, and tablets and smartphones that are shortchanged on storage because they want to suck you into commercial cloud services. While commercial cloud services can be convenient, they also have well-known downsides like service outages, and lack of privacy and security. If you live within reach of government snoop agencies (like anywhere on planet Earth), or are subject to laws such as the Sarbanes-Oxley Act (SOX) or Health Insurance Portability and Accountability Act (HIPAA), then you need to keep your data under your control. Which I think is the wisest policy in any case.

ownCloud is the friendliest and easiest private cloud implementation to set up and use. ownCloud 7 was released last week, and this is the most interesting release yet. It is more polished and robust, easier to administer, and the killer feature in this version is server-to-server sharing. This lets you easily connect your ownCloud file shares and build your own private cloud of clouds. And then, someday, rule the world. Or, just share files.

Installing ownCloud

ownCloud is nicely documented, which is nearly all I need to love it. Imagine a software product that actually wants you to be able to use it; an astonishing concept, to be sure. There are multiple installation methods documented in the ownCloud Administrators Manual, including a detailed how-to on installing it from scratch. The nice ownCloud peoples use the openSUSE Build Service to build binary packages for Ubuntu, CentOS, Debian, Fedora, openSUSE, Red Hat, and SUSE, which is what I use. This is how I installed it on my test Ubuntu 14.04 server.

First fetch and install the GPG signing key for the openSUSE repository for your Linux distribution. Note that each command must be one unbroken line, with no newlines:

$ wget http://download.opensuse.org/repositories/isv:ownCloud:community/xUbuntu_14.04/Release.key
$ sudo apt-key add - < Release.key

Now add the repository, update your package list, and install ownCloud:

$ sudo sh -c "echo 'deb http://download.opensuse.org/repositories/isv:/ownCloud:/community/xUbuntu_14.04/ /' >> /etc/apt/sources.list.d/owncloud.list"
$ sudo apt-get update
$ sudo apt-get install owncloud

fig-1 createlogin on ownCloud

If you don’t already have a LAMP stack installed, the installer will pull it in for you. When installation is complete open a Web browser to http://localhost/owncloud, and you will see the nice blue ownCloud installation wizard. Your first task is to create an admin user, as in figure 1. Click the eyeball to expose your password, which you’ll probably want to do so you know what you typed.

Next, you have some database options. If you go with the default SQLite you don’t have to do anything except click the Finish Setup button. SQLite is fine for lightweight duties, but if you have busier and larger workloads then use MariaDB, MySQL, or PostgreSQL. The wizard displays a button with these databases whether they are installed or not, so make sure the one you want is already installed, and you have an administrator login. I chose MySQL/MariaDB (Ubuntu defaults to MariaDB). You can give your new database any name you want and the installer will create it (figure 2). You must also pass in your database administrator login.

fig-2-db-setup

And that’s it. You’re done. ownCloud 7 is installed. Click the Finish Setup button and you’ll be greeted with a cheery “Welcome to ownCloud!” banner, with links to client apps for desktop computers, Android devices, and iDevices. ownCloud supports multiple clients: you can use a Web browser on any platform, or download client apps for more functionality such as synchronization and nicer file, contacts, and calendar management.

Setting up Server-to-Server Sharing

And now, the moment you’ve been waiting for: setting up server-to-server sharing. This works only with ownCloud servers that have this feature, which at the moment is ownCloud 7. You need two ownCloud 7 servers to test this.

Before you can share anything, you need to set your server’s hostname as a trusted ownCloud server domain. Look for this section in /var/www/owncloud/config/config.php:

'trusted_domains' => 
  array (
    0 => 'localhost', 
 ),

/var/www/owncloud/config/config.php is created by the installation wizard. See /var/www/owncloud/config/config.sample.php for a complete list of options.

By default your ownCloud server only lets you access the server via domains that are listed as trusted domains in this file. Only localhost is listed by default. My server hostname is studio, so if I try to log into ownCloud via http://studio/owncloud I get an error message: “You are accessing the server from an untrusted domain.” This example allows connections via localhost, hostname, and IP address:

'trusted_domains' => 
  array (
    0 => 'localhost', 1 => 'studio', 2 => '192.168.1.50',
 ),

If you forget to create and use these trusted domains, you won’t be able to set up network file shares.

Next, go to your ownCloud administration page, which you can find by clicking the little arrow next to your username at the top right, and click Admin. Make sure that Remote Shares are enabled (figure 3).

fig-3 remote-shares

There is one more important step, and that is to enable mod_rewrite on Apache, and then restart it. This is what you do on Ubuntu:

$ sudo a2enmod rewrite
$ sudo service apache2 restart

If you don’t do this, your share will fail with a message like “Sabre\DAV\Exception\NotAuthenticated: No basic authentication headers were found” in your ownCloud server log.

fig-4 ownCloud studio share

Now you must log into either http://hostname/owncloud, or http://ip-address/owncloud. Create a new directory and stuff a few files into it. Then click on Share. Click the Share Link checkbox, and it creates a nice URL like http://studio/owncloud/public.php?service=files&t=6b6fa9a714a32ef0af8a83dde358deec (figure 4). Remember that bit about trusted domains? If you forget to connect to your ownCloud server with them, and instead use http://localhost/owncloud, the share URL will also be http://localhost/. Which is no good for sharing.

You can optionally set a password on this share, an expiration date, allow uploads, and send an email notification. Sending email from ownCloud requires a bit of configuration, so please consult the fine Administrator’s manual to learn how to do this.
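The three things that silently break server-to-server sharing (a host missing from trusted_domains, a share link that carries localhost, mod_rewrite not loaded) can be checked before you click anything. The script below is an added example, not code from the article or from the ownCloud project: the function names, the script name and the sample config.php fragment are its own, and only the paths and commands the article uses are reused.

```shell
#!/bin/sh
# Added example (not from the article or ownCloud): preflight checks for
# ownCloud 7 server-to-server sharing. Function names and the sample
# config are this example's own; paths follow the article.

# trusted_domain_listed CONFIG HOST
# Succeeds (exit 0) when HOST appears as a quoted entry inside the
# 'trusted_domains' array of CONFIG, fails otherwise.
trusted_domain_listed() {
    config="$1"
    host="$2"
    # Keep only the lines from the 'trusted_domains' key to the array's
    # closing "),", then look for the quoted host as a fixed string so
    # that dots in an IP address are not treated as regex wildcards.
    sed -n "/'trusted_domains'/,/),/p" "$config" | grep -F -q "'$host'"
}

# share_url_host URL
# Prints the host part of a share link. The link inherits whatever host
# you were logged in through, so "localhost" here means it is useless
# to anyone on another machine.
share_url_host() {
    printf '%s\n' "$1" | sed -e 's#^[a-zA-Z]*://##' -e 's#[/:].*$##'
}

# rewrite_enabled
# Succeeds when Apache reports mod_rewrite loaded (remote shares need it).
rewrite_enabled() {
    apache2ctl -M 2>/dev/null | grep -q 'rewrite_module'
}

# make_sample_config
# Writes a constructed config.php fragment shaped like the article's to a
# temp file and prints its path, so the checks can be exercised offline.
make_sample_config() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
<?php
$CONFIG = array (
  'trusted_domains' =>
  array (
    0 => 'localhost', 1 => 'studio', 2 => '192.168.1.50',
  ),
  'datadirectory' => '/var/www/owncloud/data',
);
EOF
    printf '%s\n' "$f"
}

# preflight CONFIG SHARE_URL
# Runs every check for the host the share link carries; returns non-zero
# if any of them fails.
preflight() {
    config="$1"
    host=$(share_url_host "$2")
    status=0
    if [ "$host" = "localhost" ]; then
        echo "FAIL: share link uses localhost; log in via hostname or IP instead"
        status=1
    fi
    if trusted_domain_listed "$config" "$host"; then
        echo "ok:   '$host' is listed in trusted_domains of $config"
    else
        echo "FAIL: '$host' is not listed in trusted_domains of $config"
        status=1
    fi
    if rewrite_enabled; then
        echo "ok:   mod_rewrite is loaded"
    else
        echo "FAIL: mod_rewrite not loaded (sudo a2enmod rewrite && sudo service apache2 restart)"
        status=1
    fi
    return $status
}

# Usage: sh owncloud-preflight.sh /var/www/owncloud/config/config.php 'http://studio/owncloud/public.php?service=files&t=...'
if [ "$#" -ge 2 ]; then
    preflight "$1" "$2"
fi
```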

Connecting to a New Share

The easy way to test connecting to a new share is to open a second browser tab on your first ownCloud server. Copy the share link into this tab, and it will open to your share. Then click the Add to your ownCloud button (figure 5), and enter the address of your second ownCloud server. In my test lab that is stinkpad/owncloud.

fig-5 add to owncloud

If you’re not already logged in you’ll get the login page. After logging in you’ll be asked if you want to add the remote share. Click Add Remote Share, and you’re done (figure 6).

fig-6 add remote share on ownCloud

Congratulations. You have linked two ownCloud servers, and now that the grotty setup work is done, creating more is just a few easy mouse clicks.

TorrentFreak: Bleep… BitTorrent Unveils Serverless & Encrypted Chat Client

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

Encrypted Internet traffic surged worldwide after the Snowden revelations, with several developers releasing new tools to enable people to better protect their privacy.

Today BitTorrent Inc. contributes with the release of BitTorrent Bleep, a communication tool that allows people to exchange information without the need for any central servers. Combined with state of the art end-to-end encryption, the company sees Bleep as the ideal tool to evade government snooping.

Bleep’s main advantage over some other encrypted messaging applications is the absence of central servers. This means that no logs are stored centrally; all metadata travels through other peers in the network.

“Many messaging apps are advertising privacy and security by offering end-to-end encryption for messages. But when it comes to handling metadata, they are still leaving their users exposed,” BitTorrent’s Farid Fadaie explains.

“We reimagined how modern messaging should work. Our platform enables us to offer features in Bleep that are unique and meaningfully different from what is currently available.”


The application’s development is still in the early stages and the current release only works on Windows 7 and 8. Support for other operating systems including popular mobile platforms will follow in the future.

Aspiring Bleep users can create an account via an email or mobile phone number, but an incognito mode without the need to provide any personal details is also supported.

The new messaging app is not the only ‘breach safe’ tool the company is currently working on. Last year BitTorrent launched its Sync application which provides a secure alternative to centralized cloud backup solutions such as Dropbox and Google Drive.

BitTorrent Inc. is inviting people to test the new Bleep application, but warns there are still some bugs.

Those who want to give BitTorrent Bleep a try can head over to BitTorrent’s experiments section to sign up for the pre-Alpha release.


The Hacker Factor Blog: A Victory for Fair Use

This post was syndicated from: The Hacker Factor Blog and was written by: The Hacker Factor Blog. Original post: at The Hacker Factor Blog

Last week I reported on a copyright infringement letter that I had received from Getty Images. The extremely hostile letter claimed that I was using a picture in violation of their copyright, ordered me to “cease and desist” using the picture, and demanded that I pay $475 in damages. Various outlets have referred to this letter as trolling and extortion.

Not being an attorney, I contacted my good friend, Mark D. Rasch. Mark is a well-known attorney in the computer security world. Mark headed the United States Department of Justice Computer Crime Unit for nine years and prosecuted cases ranging from computer crime and fraud to digital trespassing and viruses. If you’re old enough, then you remember the Hanover Hackers mentioned in The Cuckoo’s Egg, Robert Morris Jr. (first Internet worm), and Kevin Mitnick — Mark worked all of those prosecutions. He regularly speaks at conferences, appears in news interviews, and has taught cyberlaw to law enforcement and big universities. (If I were a big company looking for a chief privacy officer, I would hire him in a second.)

This letter from Getty had me concerned. But I can honestly say that, in the 12 years that I’ve known him, I have never seen Mark so animated about an issue. I have only ever seen him as a friendly guy who gives extremely informative advice. This time, I saw a side of Mark that I, as a friend, have never experienced. I would never want to be on the other side of the table from him. And even being on the same side was really intimidating. (Another friend told me that Mark has a reputation for being an aggressive bulldog. And this was my first time seeing his teeth.) His first advice to me was very straightforward. He said, “You have three options. One, do nothing. Two, send back a letter, and three, sue them.” Neither of us was fond of option #1. After a little discussion, I decided to do option #2 and prepare for #3.

First I sent the response letter. Then I took Mark’s advice and began to prepare for a lawsuit. Mark wanted me to take the initiative and file for a “Copyright Declaratory Judgment”. (Don’t wait for Getty.) In effect, I wanted the court to declare my use to be Fair Use.

Getty’s Reply

I honestly expected one of three outcomes from my response letter to Getty Images. Either (A) Getty would do nothing, in which case I would file for the Declaratory Judgment, or (B) Getty would respond with their escalation letter, demanding more money (in which case I would still file for the Declaratory Judgment), or (C) Getty would outright sue me, in which case I would respond however my attorney advised.

But that isn’t what happened. Remarkably, Getty backed down! Here’s the letter that they sent me (I’m only censoring email addresses):

From: License Compliance
To: Dr. Neal Krawetz
Subject: [371842247 Hacker Factor ]
Date: Tue, 22 Jul 2014 20:51:13 +0000

Dr. Krawetz:

We have reviewed your email and website and are taking no further action. Please disregard the offer letter that has been presented in this case. If you have any further questions or concerns, please do not hesitate to contact us.

Nancy Monson
Copyright Compliance Specialist
Getty Images Headquarters
605 Fifth Avenue South, Suite 400
Seattle WA 98104 USA
Phone 1 206 925 6125
Fax 1 206 925 5001
[redacted]@gettyimages.com

For more information about the Getty Images License Compliance Program, please visit http://company.gettyimages.com/license-compliance

Helpful information about image copyright rules and how to license stock photos is located at www.stockphotorights.com and Copyright 101.

Getty Images is leading the way in creating a more visual world. Our new embed feature makes it easy, legal, and free for anybody to share some of our images on websites, blogs, and social media platforms.
http://www.gettyimages.com/Creative/Frontdoor/embed

(c)2014 Getty Images, Inc.

PRIVILEGED AND CONFIDENTIAL
This message may contain privileged or confidential information and is intended only for the individual named. If you are not the named addressee or an employee or agent responsible for delivering this message to the intended recipient you should not disseminate, distribute or copy this e-mail or any attachments hereto. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail and any attachments from your system without copying or disclosing the contents. E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. The sender therefore does not accept liability for any errors or omissions in the contents of this message, which arise as a result of e-mail transmission. If verification is required please request a hard-copy version. Getty Images, 605 5th Avenue South, Suite 400. Seattle WA 98104 USA, www.gettyimages.com. PLEASE NOTE that all incoming e-mails will be automatically scanned by us and by an external service provider to eliminate unsolicited promotional e-mails (“spam”). This could result in deletion of a legitimate e-mail before it is read by its intended recipient at our firm. Please tell us if you have concerns about this automatic filtering.

Mark Rasch also pointed out that Getty explicitly copyrighted their email to me. However, the same Fair Use that permits me to use their pictures also permits me to post their entire email message. And that whole “PRIVILEGED AND CONFIDENTIAL” paragraph? That’s garbage and can be ignored because I never agreed to their terms.

Findings

In preparing to file the Copyright Declaratory Judgment, I performed my due diligence by checking web logs and related files for information pertaining to this case. And since Getty has recanted, I am making some of my findings public.

Automated Filing
First, notice how Getty’s second letter says “We have reviewed your email and website…” This clearly shows up in my web logs. Among other things, people at Getty are the only (non-bot) visitors to access my site via “nealkrawetz.org” — everyone else uses “hackerfactor.com”. In each case, the Getty users initially went directly to my “In The Flesh” blog entry (showing that they were not searching or just browsing my site.) Their automated violation bot also used nealkrawetz.org. The big catch is that nobody at Getty ever reviewed “In The Flesh” prior to mailing their extortion letter.

In fact, I can see exactly when their bot visited my web site. Here are all of my logs related to their bot:

2014-06-08 23:41:44 | 14.102.40.242 | Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0 | GET / | http://ops.picscout.com/QcApp/Classification/Index/371654690
2014-06-08 23:41:44 | 14.102.40.242 | Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0 | GET / | http://ops.picscout.com/QcApp/Classification/Index/371654690
2014-06-09 21:08:00 | 14.102.40.242 | Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0 | GET / | http://ops.picscout.com/QcApp/Classification/Index/371654690
2014-06-09 21:08:00 | 14.102.40.242 | Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0 | GET / | http://ops.picscout.com/QcApp/Classification/Index/371654690
2014-06-14 23:05:36 | 109.67.106.4 | Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0 | GET / | http://ops.picscout.com/QcApp/Classification/Index/371842247
2014-06-14 23:05:36 | 109.67.106.4 | Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0 | GET / | http://ops.picscout.com/QcApp/Classification/Index/371842247
2014-06-14 23:05:44 | 109.67.106.4 | Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0 | GET /blog/index.php?/archives/423-In-The-Flesh.html | http://ops.picscout.com/QcApp/PreReport/Index/371842247?normalFlow=True
2014-06-14 23:06:39 | 109.67.106.4 | Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0 | GET /blog/index.php?/categories/18-Phones | http://ops.picscout.com/QcApp/Infringer/Index/371842247
2014-06-16 05:35:47 | 95.35.10.33 | Mozilla/5.0 (Windows NT 6.1; rv:29.0) Gecko/20100101 Firefox/29.0 | GET / | http://ops.picscout.com/QcApp/Classification/Index/371842247
2014-06-16 05:35:47 | 95.35.10.33 | Mozilla/5.0 (Windows NT 6.1; rv:29.0) Gecko/20100101 Firefox/29.0 | GET / | http://ops.picscout.com/QcApp/Classification/Index/371842247

This listing shows:

  • The date/time (in PST)
  • The bot’s IP address (two in Israel and one in India; none from the United States)
  • The user-agent string sent by the bot
  • Where they went — most of them went to “/” (my homepage), but there is exactly one that went to “/blog/index.php?/archives/423-In-The-Flesh.html”. That’s when they compiled their complaint.
  • The “Referer” string, showing what they clicked in order to get to my site. Notice how their accesses are associated with a couple of complaint numbers. “371842247” is the number associated with their extortion letter. However, “371654690” appears to be a second potential complaint.

Getty’s complaint has a very specific timestamp on the letter. It doesn’t just have a date. Instead, it says “7/10/2014 11:05:05am” — a very specific time. The clocks may be off by a few seconds, but that “11:05” matches my log file — it is off by exactly 12 hours. (The letter is timestamped 11:05am, and my logs recorded 11:05pm.) This shows that the entire filing process is automated.

When I use my bank’s online bill-pay system, it asks me when I want to have the letter delivered. Within the United States, it usually means mailing the letter four days earlier. I believe that Getty did the exact same thing. They scanned my web site and then mailed their letter so it would be delivered exactly one month later, and dated the letter 4 days 12 hours before delivery.

Getty’s automated PicScout system is definitely a poorly-behaved web bot. At no time did Getty’s PicScout system retrieve my robots.txt file, showing that it fails to abide by Internet standards. I am also certain that this was a bot since a human’s web browser would have downloaded my blog’s CSS style sheet. (PicScout only downloaded the web page.)
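The signals used above (every hit arriving with a vendor referer that carries a case number, no robots.txt request, no stylesheet request) can be turned into a small triage pass over the log. The following is an added example and not code from the Hacker Factor blog: it parses lines in the post’s "date | ip | user-agent | request | referer" layout, reuses five of the post’s own lines as input, and adds two constructed lines for 203.0.113.7 (with an assumed stylesheet path /blog/style.css) to show what an interactive visitor looks like by contrast.

```python
"""Added example, not code from the Hacker Factor post: label clients in a
web log as automated or interactive using the signals the post relies on
(scanner referer carrying a case number, no robots.txt, no stylesheet).
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: first five lines copied from the post's listing, the two
# 203.0.113.7 lines (and the /blog/style.css path) are made up for contrast.
SAMPLE_LOG = """\
2014-06-08 23:41:44 | 14.102.40.242 | Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0 | GET / | http://ops.picscout.com/QcApp/Classification/Index/371654690
2014-06-14 23:05:36 | 109.67.106.4 | Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0 | GET / | http://ops.picscout.com/QcApp/Classification/Index/371842247
2014-06-14 23:05:44 | 109.67.106.4 | Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0 | GET /blog/index.php?/archives/423-In-The-Flesh.html | http://ops.picscout.com/QcApp/PreReport/Index/371842247?normalFlow=True
2014-06-14 23:06:39 | 109.67.106.4 | Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0 | GET /blog/index.php?/categories/18-Phones | http://ops.picscout.com/QcApp/Infringer/Index/371842247
2014-06-16 05:35:47 | 95.35.10.33 | Mozilla/5.0 (Windows NT 6.1; rv:29.0) Gecko/20100101 Firefox/29.0 | GET / | http://ops.picscout.com/QcApp/Classification/Index/371842247
2014-07-20 10:15:02 | 203.0.113.7 | Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0 | GET /blog/index.php?/archives/423-In-The-Flesh.html | -
2014-07-20 10:15:03 | 203.0.113.7 | Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0 | GET /blog/style.css | http://www.hackerfactor.com/blog/index.php?/archives/423-In-The-Flesh.html
"""

# One request per line: "date time | ip | user-agent | METHOD path | referer"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \| (?P<ip>[\d.]+) \| (?P<ua>.+?) \| "
    r"(?P<method>[A-Z]+) (?P<path>\S+) \| (?P<referer>\S+)$"
)
# The scanner's referer ends in its case number, e.g. .../Index/371842247
CASE_RE = re.compile(r"/Index/(\d+)")


def parse_line(line):
    """Return one request as a dict, or None for a line in another format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
    case = CASE_RE.search(rec["referer"])
    rec["case_id"] = case.group(1) if case else None
    return rec


def _new_client():
    return {"requests": 0, "case_requests": 0, "paths": set(), "cases": set(),
            "fetched_robots": False, "fetched_css": False,
            "first": None, "last": None, "verdict": None}


def summarize(log_text):
    """Group requests by client IP and label each client.

    "automated": every request carried a scanner case number in its referer
    and the client never fetched robots.txt or any stylesheet.
    "interactive": anything else. These are heuristics, not proof.
    """
    clients = defaultdict(_new_client)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        c = clients[rec["ip"]]
        c["requests"] += 1
        c["paths"].add(rec["path"])
        if rec["case_id"]:
            c["case_requests"] += 1
            c["cases"].add(rec["case_id"])
        if rec["path"].endswith("/robots.txt"):
            c["fetched_robots"] = True
        if rec["path"].endswith(".css"):
            c["fetched_css"] = True
        c["first"] = rec["ts"] if c["first"] is None else min(c["first"], rec["ts"])
        c["last"] = rec["ts"] if c["last"] is None else max(c["last"], rec["ts"])
    for c in clients.values():
        scanner_only = c["case_requests"] == c["requests"]
        no_robots_or_css = not (c["fetched_robots"] or c["fetched_css"])
        c["verdict"] = "automated" if scanner_only and no_robots_or_css else "interactive"
    return dict(clients)


def case_ids(report):
    """All scanner case numbers seen, across every client."""
    return set().union(*(c["cases"] for c in report.values()))


if __name__ == "__main__":
    for ip, c in summarize(SAMPLE_LOG).items():
        print(f"{ip:15} {c['verdict']:11} requests={c['requests']} "
              f"cases={sorted(c['cases'])} span={c['first']}..{c['last']}")
```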

Failure to perform due diligence
I want to emphasize that there are no other accesses to that blog entry by any address associated with Getty within months before their complaint. As of this year (from January 2014 to July 23, 2014), people at Getty have only visited the “In The Flesh” web page 13 times: once by the PicScout bot, and 12 times after they received my reply letter. This shows that Getty never viewed the web page prior to sending their letter. In effect, their “infringement” letter is nothing more than trolling and an attempt to extort money. They sent the letter without ever looking at the context in which the picture is used.

My claim that Getty never manually reviewed my web site prior to mailing is also supported by their second letter, where they recanted their claim of copyright infringement. Having actually looked at my blog, they realized that it was Fair Use.

My web logs are not my only proof that no human at Getty viewed the blog page in the months prior to sending the complaint. Getty’s threatening letter mentions only one single picture that is clearly labeled with Getty’s ImageBank watermark. However, if any human had visited the web page, then they would have seen FOUR pictures that are clearly associated with Getty, and all four pictures were adjacent on the web page! The four pictures are:

The first picture clearly says “GettyImages” in the top left corner. The second picture (from their complaint) is watermarked with Getty’s ImageBank logo. The third and fourth pictures come from Getty’s iStockPhoto service. Each photo was properly used as part of the research results in that blog entry. (And right now, they are properly used in the research findings of this blog entry.)

After Getty received my reply letter, they began to visit the “In The Flesh” URL from 216.169.250.12 — Getty’s corporate outbound web proxy address. Based on the reasonable assumption that different browser user-agent strings indicate different people, I observed them repeatedly visiting my site in groups of 3-5 people. Most of them initially visited the “In The Flesh” page at nealkrawetz.org; a few users visited my “About Me” and “Services” web pages. I am very confident that these indicate their attorneys reviewing my reply letter and web site. This is the absolute minimum evaluation that Getty should have done before sending their extortion letter.

Legal Issues
Besides pointing out how my blog entry clearly falls under Fair Use, my attorney noted a number of items that I (as a non-lawyer person) didn’t see. For example:

  • In Getty’s initial copyright complaint, they assert that they own the copyright. However, the burden of proof is on Getty Images. Getty provided no proof that they are the actual copyright holder, that they acquired the rights legally from the photographer, that they never transferred rights to anyone else, that they had a model release letter from the woman in the photo, that the picture was never made public domain, and that the copyright had not expired. In effect, they never showed that they actually have the copyright.

  • Getty’s complaint letter claims that they have searched their records and found no license for me to use that photo. However, they provided no proof that they ever searched their records. At minimum, during discovery I would demand a copy of all of their records so that I could confirm their findings and proof of their search. (Remember, the burden of proof is on Getty, not on me.) In addition, I have found public comments that explicitly identify people with valid licenses who reported receiving these hostile letters from Getty. This brings up the entire issue regarding how Getty maintains and searches their records.
  • Assuming some kind of violation (and I am not admitting any wrong here), there is a three-year statute of limitations regarding copyright infringement. My blog entry was posted on March 18, 2011. In contrast, their complaint letter was dated July 10, 2014 — that is more than three years after the pictures were posted on my site.

Known Research
Copyright law permits Fair Use for many purposes, including “research”. Even Getty’s own FAQ explicitly mentions “research” as an acceptable form of Fair Use. The question then becomes: am I a researcher and does my blog report on research? (Among other things, this goes toward my background section in the Copyright Declaratory Judgment filing.)

As it turns out, my web logs are extremely telling. I can see each time anyone at any network address associated with Getty Images visits my site. For most of my blog entries, I either get no Getty visitors or a few visitors. However, each time I post an in-depth research entry on digital photo forensics, I see large groups of people at Getty visiting the blog entry. I can even see when one Getty person comes through, and then a bunch of other Getty people visit my site — suggesting that one person told his coworkers about the blog entry. In effect, employees at Getty Images have been regular readers of my blog since at least 2011. (For discovery, I would request a forensic image of every computer in Getty’s company that has accessed my web site in order to determine if they used my site for research.)

Getty users also use my online analysis service, FotoForensics. This service is explicitly a research service. There are plenty of examples of Getty users accessing the FotoForensics site to view analysis images, read tutorials, and even upload pictures with test files that have names like “watermark.jpg” and “watermark-removed.jpg”. This explicitly shows that they are using my site as a research tool.

(For the ultra paranoid people: I have neither the time nor the desire to track down every user in my web logs. But if you send me a legal threat, I will grep through the data.)

However, the list does not stop there. For example, the Harvard Reference Guide lists me as the example for citing research from a blog. (PDF: see PDF page 44, document page 42.) Not only does Getty use my site as a research resource, Harvard’s style guide uses me as the example for a research blog (my bold for emphasis).

Blogs are NOT acceptable academic sources unless as objects of research

Paraphrasing, Author Prominent:
Krawetz (2011) uses a blog to discuss advanced forensic image analysis techniques.

Paraphrasing, Information Prominent:
Blogs may give credence to opinion, in some cases with supporting evidence; for example the claim that many images of fashion models have been digitally enhanced (Krawetz 2011).

Reference List Model:
Krawetz, N 2011, ‘The hacker factor blog’, web log, viewed 15 November 2011, http://www.hackerfactor.com/blog/

I should also point out that the AP and Reuters have both been very aware of my blog — including a VP at the AP — and neither has accused me of copyright infringement. They appear to recognize this as Fair Use. Moreover, with one of my blog entries on a Reuters photo (Without a Crutch), a Reuters editor referred to the blog entry as a “Great in-depth analysis” on Reuters’ web site (see Sep 30, 2011) and on her twitter feed. This shows that Getty’s direct competition recognizes my blog as a research resource.

SLAPP
One of the things my attorney mentioned was California’s Anti-SLAPP law. Wikipedia explains SLAPP, or Strategic Lawsuit Against Public Participation, as “a lawsuit that is intended to censor, intimidate, and silence critics by burdening them with the cost of a legal defense until they abandon their criticism or opposition.” Wikipedia also says:

The plaintiff’s goals are accomplished if the defendant succumbs to fear, intimidation, mounting legal costs or simple exhaustion and abandons the criticism. A SLAPP may also intimidate others from participating in the debate. A SLAPP is often preceded by a legal threat. The difficulty is that plaintiffs do not present themselves to the Court admitting that their intent is to censor, intimidate or silence their critics.

In this case, Getty proceeded to send me a legal threat regarding alleged copyright infringement. Then they demanded $475 and threatened more actions if I failed to pay it. In contrast, it would cost me $400 to file for a Declaratory Judgment (more if I lived in other states), and costs could rise dramatically if Getty filed a lawsuit against me. In either scenario, it places a financial burden on me if I want to defend my First Amendment rights.

In the United States, California has special anti-SLAPP legislation. While not essential, it helps that Getty has offices in California and a network trace shows that some packets went from Getty to my blog through routers in California. As Wikipedia explains:

To win an anti-SLAPP motion, the defendant must first show that the lawsuit is based on claims related to constitutionally protected activities, typically First Amendment rights such as free speech, and typically seeks to show that the claim lacks any basis of genuine substance, legal underpinnings, evidence, or prospect of success. If this is demonstrated then the burden shifts to the plaintiff, to affirmatively present evidence demonstrating a reasonable probability of succeeding in their case by showing an actual wrong would exist as recognized by law, if the facts claimed were borne out.

This isn’t even half of his legal advice. I could barely take notes fast enough as he remarked about topics like Rule 11, tortious interference with a business relationship, Groucho Marx’s reply to Warner Brothers, and how Getty’s repeated access to my web site could be their way to inflate potential damage claims (since damages are based on the number of views).

A Little Due Diligence Goes A Long Way

Although this entire encounter with Getty Images took less than two weeks, I was preparing for a long battle. I even contacted the Electronic Frontier Foundation (EFF) to see if they could assist. The day after Getty recanted, I received a reply from the EFF: no less than four attorneys wanted to help me. (Thank you, EFF!)

I strongly believe that Getty Images is using a “cookie cutter” style of complaint and is not actually interested in any lawsuit; they just want to extort money from people who don’t know their rights or don’t have the fortitude for a long defense (SLAPP). Getty Images made no effort to evaluate the content beyond an automated search bot, made no attempt to review the bot’s results, provided no evidence that they are the copyright holder, provided no proof that they tried to verify licenses, and threatened legal action against me if I did not pay up.

I am glad that I stood up for my First Amendment rights.

Darknet - The Darkside: Clear Your Cookies? You Can’t Escape Canvas Fingerprinting

This post was syndicated from: Darknet - The Darkside and was written by: Darknet. Original post: at Darknet - The Darkside

So tracking is getting even trickier, it seems canvas fingerprinting would work in any browser that supports HTML5 and is pretty hard to stop as a user, as it’s a basic feature (a website instructing your browser to draw an image using canvas). And it turns out, every single browser will draw the image slightly [...]

Read the full post at darknet.org.uk

Schneier on Security: Fingerprinting Computers By Making Them Draw Images

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

Here’s a new way to identify individual computers over the Internet. The page instructs the browser to draw an image. Because each computer draws the image slightly differently, this can be used to uniquely identify each computer. This is a big deal, because there’s no way to block this right now.

Article. Hacker News thread.

EDITED TO ADD (7/22): This technique was first described in 2012. And it seems that NoScript blocks this. Privacy Badger probably blocks it, too.

EDITED TO ADD (7/23): EFF has a good post on who is using this tracking system — the White House is — and how to defend against it.

And a good story on BoingBoing.
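The defence the updates point to works at the read-back step: drawing the image is harmless, the identifier only exists once a script reads the pixels back. As an added example that is not from the post, from NoScript or from Privacy Badger, here is a guard that logs every canvas read-back and, for canvases never attached to the page, neutralises it; the detached-canvas heuristic, the helper names and the constructed stand-in window (so it also runs under Node) are my own assumptions.

```javascript
// Added example: intercept the canvas read-back calls (toDataURL, toBlob,
// getImageData) that a fingerprinting script must make to turn the drawn
// image into an identifier. In a page: installCanvasGuard(window, {block: true}).
function installCanvasGuard(win, { block = false, onReadback = null } = {}) {
  const events = [];

  // Heuristic (assumption): a canvas that is read back while not attached to
  // the document is the typical fingerprinting pattern; visible canvases that
  // real applications draw on are left untouched even in block mode.
  function describe(canvas, method) {
    const detached = !canvas.isConnected;
    return { method, width: canvas.width, height: canvas.height,
             detached, suspicious: detached, at: Date.now() };
  }

  // Replace proto[name] with a wrapper; `neutral` supplies the blocked result.
  function wrap(proto, name, toCanvas, neutral) {
    const original = proto[name];
    if (typeof original !== 'function') return;
    proto[name] = function (...args) {
      const ev = describe(toCanvas(this), name);
      events.push(ev);
      if (onReadback) onReadback(ev);
      if (block && ev.suspicious) return neutral(this, args, original);
      return original.apply(this, args);
    };
  }

  const canvasProto = win.HTMLCanvasElement.prototype;
  const ctxProto = win.CanvasRenderingContext2D.prototype;

  // toDataURL(): hand back an empty data URL instead of the rendered PNG.
  wrap(canvasProto, 'toDataURL', c => c, () => 'data:,');
  // toBlob(cb): give the callback null, as a tainted canvas would.
  wrap(canvasProto, 'toBlob', c => c, (c, args) => {
    if (typeof args[0] === 'function') args[0](null);
  });
  // getImageData(): zero the pixel buffer so nothing about the renderer's
  // font rasterisation or anti-aliasing leaks out.
  wrap(ctxProto, 'getImageData', ctx => ctx.canvas, (ctx, args, original) => {
    const img = original.apply(ctx, args);
    if (img && img.data) img.data.fill(0);
    return img;
  });

  return { events };
}

// Constructed stand-in for a browser window (not a real DOM) so the guard
// can be exercised outside a browser; the "pixels" are placeholder values.
function makeStandInWindow() {
  class CanvasRenderingContext2D {
    fillText() {}
    getImageData() { return { data: new Uint8ClampedArray([9, 9, 9, 255]) }; }
  }
  class HTMLCanvasElement {
    constructor({ width, height, connected }) {
      this.width = width; this.height = height; this.isConnected = connected;
    }
    getContext() {
      const ctx = Object.create(CanvasRenderingContext2D.prototype);
      ctx.canvas = this;
      return ctx;
    }
    toDataURL() { return 'data:image/png;base64,REALPIXELS'; }  // placeholder PNG
    toBlob(cb) { cb({ size: 42 }); }
  }
  return {
    HTMLCanvasElement,
    CanvasRenderingContext2D,
    createCanvas: opts => new HTMLCanvasElement(opts),
  };
}
```

A content script would call `installCanvasGuard(window, { onReadback: ev => console.warn(ev) })` to audit first, then switch on `block` once the logged events confirm which sites read back hidden canvases.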

TorrentFreak: BPI Rejects Use of Spotify-Owned “Stay Down” Pirate Tool

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

There are hundreds of millions of pirate files inhabiting the Internet and it’s fair to say that many of those are music tracks. As a result, the world’s leading record labels, who together claim 90%+ of the market, spend significant sums making those files more awkward to find.

For sites like The Pirate Bay, which point-blank refuses to remove any torrents whatsoever, the labels have little option than to head off to Google. There the search giant will remove Pirate Bay links from its indexes so that users won’t immediately find them.

However, rather than engaging a link whack-a-mole, the best solution by far is to remove the content itself. Perhaps surprisingly, many of the world’s leading file-lockers (even ones labeled ‘rogue’ by the United States), allow copyright holders direct back-end access to their systems so they can remove content themselves. It doesn’t really get any fairer than that, and here’s the issue.

This week, while looking at Google’s Transparency Report, TF noticed that during the past month massive file-hosting site 4shared became the record labels’ public enemy number one. In just four weeks, Google received 953,065 requests for 4shared links to be taken down, the majority of them from record labels. In fact, according to Google the BPI has complained about 4shared a mind-boggling 6.75 million times overall.

So, is 4shared refusing to cooperate with the BPI, hence the group’s endless complaints to Google? That conclusion might make sense but apparently it’s not the case. In fact, it appears that 4shared operates a removal system that is particularly friendly to music companies, one that not only allows them to take content down, but also keep it down.

“Throughout the years 4shared developed several tools for copyright owners to protect their content and established a special team that reacts to copyright claims in a timely manner,” 4shared informs TorrentFreak.

“We don’t completely understand BPI’s reasons for sending claims to Google instead of using our tools. From our point of view the best and most effective way for copyright holders to find and remove links to the content they own is to use our music identification system.”

To find out more, TF spoke with the BPI. We asked them to comment on 4shared’s takedown tools and in the light of their existence why they choose to target Google instead. After a few friendly back-and-forth emails, the group declined to comment on the specific case.

“We prefer to comment on our overall approach on search rather than on individual sites, which is to focus on known sources of wide scale piracy and to use a number of tools to tackle this problem,” a BPI spokesman explained.

“Notice-sending represents just one part of the measures available to us, along with site blocking and working with the Police to reduce advertising on copyright infringing sites.”

We asked 4shared to reveal other copyright holders using their system, but the site declined on privacy grounds. However, it’s clear that the BPI isn’t a user and 4shared have their own ideas why that might be.

“It’s possible that BPI goes for quantity not quality,” TF was told.

“If they are trying to increase the number of links in reports or for PR reasons, they probably use a bot to harvest and send links to Google despite the fact that such an approach may also result in false claims.”

The “PR” angle is an interesting one. Ever since Google began publishing its Transparency Report rightsholders have used it to demonstrate how bad the piracy problem is. Boosting those numbers certainly helps the cause.

But is it possible, perhaps, that the BPI doesn’t trust the 4shared system? They didn’t answer our questions on that front either, but it seems unlikely since 4shared uses EchoPrint, a solution purchased by Spotify earlier this year.

“Our music identification system which is based on Echoprint technology will not only find all matching content but will also restrict sharing of all potential future uploads of such content,” 4shared concludes.

Take-down-and-stay-down is the Holy Grail for anti-piracy companies. It’s a solution being pushed for in the United States in the face of what rightsholders say is a broken DMCA. On that basis there must be a good reason for the BPI not wanting to work with 4shared and it has to be said that the company’s “PR” theory proves more attractive than most.

The volume of notices in Google’s Transparency Report provides believable evidence of large-scale infringement, and it’s certainly possible that the BPI would prefer to have 4shared blocked in the UK than work with the site’s takedown tools.

We’ll find out the truth in the months to come.

Source: TorrentFreak, for the latest info on copyright, file-sharing and anonymous VPN services.

Krebs on Security: Even Script Kids Have a Right to Be Forgotten

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

Indexeus, a new search engine that indexes user account information acquired from more than 100 recent data breaches, has caught many in the hacker underground off-guard. That’s because the breached databases crawled by this search engine are mostly sites frequented by young ne’er-do-wells who are just getting their feet wet in the cybercrime business.

Indexeus[dot]org

Indexeus boasts that it has a searchable database of “over 200 million entries available to our customers.” The site allows anyone to query millions of records from some of the larger data breaches of late — including the recent break-ins at Adobe and Yahoo! – listing things like email addresses, usernames, passwords, Internet address, physical addresses, birthdays and other information that may be associated with those accounts.

Who are Indexeus’s target customers? Denizens of hackforums[dot]net, a huge forum that is overrun by novice teenage hackers (a.k.a. “script kiddies”) from around the world who are selling and buying a broad variety of services designed to help attack, track or otherwise harass people online.

Few services are as full of irony and schadenfreude as Indexeus. You see, the majority of the 100+ databases crawled by this search engine are either from hacker forums that have been hacked, or from sites dedicated to offering so-called “booter” services — powerful servers that can be rented to launch denial-of-service attacks aimed at knocking Web sites and Web users offline.

The brains behind Indexeus — a gaggle of young men in their mid- to late teens or early 20s — envisioned the service as a way to frighten fellow hackers into paying to have their information removed or “blacklisted” from the search engine. Those who pay “donations” of approximately $1 per record (paid in Bitcoin) can not only get their records expunged, but that price also buys insurance against having their information indexed by the search engine in the event it shows up in future database leaks.

The team responsible for Indexeus explains the rationale for their project with the following dubious disclaimer:

“The purpose of Indexeus is not to provide private informations about someone, but to protect them by creating awareness. Therefore we are not responsible for any misuse or malicious use of our content and service. Indexeus is not a dump. A dump is by definition a file containing logins, passwords, personal details or emails. What Indexeus provides is a single-search, data-mining search engine.”

Such information would be very useful for those seeking to settle grudges by hijacking a rival hacker’s accounts. Unsurprisingly, a number of Hackforums users reported quickly finding many of their favorite usernames, passwords and other data on Indexeus. They began to protest against the service being marketed on Hackforums, charging that Indexeus was little more than a shakedown.

Indeed, the search engine was even indexing user accounts stolen from witza.net, the site operated by Hackforums administrator Jesse LaBrocca and used to process payments for Hackforums users who wish to upgrade the standing of their accounts on the forum.

WHO RUNS INDEXEUS?

The individual who hired programmers to help him build Indexeus uses the nickname “Dubitus” on Hackforums and other forums. For the bargain price of $25 and two hours of your time on a Saturday, Dubitus also sells online instructional training on “doxing” people — working backwards from someone’s various online personas to determine their real-life name, address and other personal data.

Dubitus claims to be a master at something he calls “Web detracing,” which is basically removing all of the links from your online personas that might allow someone to dox you. I have no idea if his training class is any good, but it wasn’t terribly difficult to find this young man in the real world.

Dubitus offering training for “doxing” and “Web detracing.”

Contacted via Facebook by KrebsOnSecurity, Jason Relinquo, 23, from Lisbon, Portugal, acknowledged organizing and running the search engine. He also claims his service was built merely as an educational tool.

“I want this to grow and be a reference, and at some point be a tool useful enough to be used by law enforcement,” Relinquo said. “I wouldn’t have won the NATO Cyberdefense Competition if I didn’t have a bigger picture in my mind. Just keep that in yours.”

Relinquo said that to address criticisms that his service was a shakedown, he recently modified the terms of service so that users don’t have to pay to have their information removed from the site. Even so, it remains unclear how users would prove that they are the rightful owner of specific records indexed by the service.

Jason Relinquo

“We’re going through some reforms (free blacklisting, plus subscription based searches), due to some legal complications that I don’t want to escalate,” Relinquo wrote in a chat session. “If [Indexeus users] want to keep the logs and pay for the blacklist, it’s an option. We also state that in case of a minor, the removal is immediate.”

Asked which sort of legal complications were bedeviling his project, Relinquo cited the so-called “right to be forgotten,” data protection and privacy laws in Europe that were strengthened by a May 2014 decision by the European Court of Justice in a ruling against Google. In that case, the EU’s highest court ruled that individuals have a right to request the removal of Internet search results, including their names, that are “inadequate, irrelevant or no longer relevant, or excessive.”

I find it difficult to believe that Indexeus’s creators would be swayed by such technicalities, given that the service was set up to sell passwords to members of a forum known to be frequented by people who will use them for malicious purposes. In any case, I doubt this is the last time we will hear of a service like this. Some 822 million records were exposed in more than 2,160 separate data breach incidents last year, and there is plenty of room for competition and further specialization in the hacked-data search engine market.

The Hacker Factor Blog: Dear Getty Images Legal Department

This post was syndicated from: The Hacker Factor Blog and was written by: The Hacker Factor Blog. Original post: at The Hacker Factor Blog

For the last few years, Getty Images has operated an aggressive anti-copyright infringement campaign. In 2011, they purchased PicScout to search the Internet for potential unlicensed uses of their pictures. Then they began sending out very scary-sounding takedown notices. These letters include a “cease and desist” paragraph as well as a bill for the unauthorized use.

I just received one of these letters. Here’s the 7-page (3.4 MB) letter: PDF. (The only thing I censored was the online access code for paying online.) They billed me $475 for a picture used on my blog. (If you log into their site, it’s $488 with tax.)

A number of news outlets as well as the blogosphere have begun reporting on these letters from Getty Images. For example:

  • International Business Times: “Getty Images Lawsuits: Enforcement Or Trolling? Fear Of Letters Dwindling, Stock-Photo Giant Hits Federal Courts”

  • The DG Group: “Image Copyright Infringement And Getty Images Scam Letter”
  • Extortion Letter Info: “Reporting on Getty Images & Stock Photo Settlement Demand Letters (Copyright Trolls, ‘Extortion’ Letters, ‘Shadown’ Letters)”
  • Women in Business: “Are You Being Set Up For Copyright Infringement? As Technology Becomes More Invasive Copyright Infringement Scams Flourish”
  • RyanHealy.com: “Getty Images Extortion Letter”
  • someguy72 @ Reddit: He states that he purchased the pictures legally from Getty and still received an infringement notice. His advice: if you purchase a picture from Getty, then “save your records FOREVER… they will come after you, years later and you might not have PROOF of PURCHASE, and then you will be screwed.”

As far as I can tell, this is an extortion racket. (I’m surprised that there hasn’t been a class-action lawsuit against Getty Images yet.) The basic premise is that they send out a threatening letter with a price tag. Some people will fear the strongly-worded letter and simply pay the amount. If you ignore it, then they send more letters with greater dollar amounts. If you call them up, the forums say that you can usually negotiate a lower amount. However, sometimes you may not actually owe anything at all.

Many people have reported that, if you just ignore it, then it goes away. However, Getty Images has sued a few people who ignored the letters. If you ignore it, then you place yourself at risk.

But here’s the thing… There are some situations where you can use the image without a license. It is in the Copyright law under the heading “Fair Use” (US Copyright Law Title 17 Section 107; in some countries, it’s called “Fair Dealing”). This is an exception from copyright enforcement. Basically, if you’re using the picture as art on your web site or to promote a product, then you are violating their copyright. (You should negotiate a lower rate.) However, if you use it for criticism, comment, news reporting, teaching, scholarship, or research, then you are allowed to use the picture.

For example, I have many blog entries where I forensically evaluate pictures. I do this to show techniques, criticize content, identify deceptive practices, etc. If Fair Use did not exist, then I would be unable to criticize or expose deception from media outlets. In effect, they would be censoring my freedom of speech by preventing me from directly addressing the subject.

Reply To Getty

The picture in question is one that is on an older blog entry: In The Flesh. This blog entry criticizes the media outlets Time and Salon for promoting misleading and hostile software. (It’s hostile because the demo software installs malware.) The software, False Flesh, claims to make people in any picture appear nude. The pictures in my blog entry are used to demonstrate some of the deceptive practices. Specifically, the pictures of nude women on the software’s web site did not come from their software.

I looked at the picture mentioned in Getty’s complaint and how it was being used in the blog entry. I really thought it was permitted under Copyright Fair Use. However, I’m not an attorney. So… I checked with an attorney about the Getty complaint and my use of the picture. I was actually surprised that he didn’t start his answer with “that depends…” (If you’ve ever worked with an attorney, then you know any discussion about legality begins with them saying “that depends…”) Instead, he said outright “it’s clearly fair use.”

Personally, I’m offended that Getty Images made no attempt to look at the context in which the picture is used.

Rather than ignoring them, I sent them a letter:

Dr. Neal Krawetz
Hacker Factor
PO Box 270033
Fort Collins, CO
80527-0033

July 15, 2014

Legal Department
Getty Images
605 5th Ave S, Suite 400
Seattle, WA
98104

Dear Getty Images Legal Department,

I received your copyright infringement notification dated “7/10/2014 11:05:06 AM”, case number 371842247, on July 14, 2014. I have reviewed the image, the use of the picture on my web site, and discussed this situation with an attorney. It is my strong belief that I am clearly using the picture within the scope of Copyright Fair Use (Title 17 Section 107).

Specifically:

  • The blog entry, titled “In The Flesh”, criticizes the media outlets Time and Salon for promoting deceptive software. The software is called “False Flesh” and claims to turn any photo of a person into a nude. I point out that installing the False Flesh demo software will install malware.

  • The blog entry discloses research findings regarding the False Flesh software: there is no identified owner for the software and the sample pictures they use to demonstrate their software are not from their software. I specifically traced their sample images to pictures from sites such as Getty Images. I forensically evaluate the pictures and explicitly point out the misrepresentation created by these images on the False Flesh web site.
  • The picture is used on my web site to criticize the media reports by exposing fraud and misrepresentation associated with the product. It is also included as part of a demonstration for tracking and identifying potentially fraudulent products in general.
  • The blog entry reports on these findings to the public in order to educate people regarding the deceptive nature of False Flesh and the risks from using this software.
  • The image that you identified is not used in the blog entry to promote any products or services and is directly related to the comments, criticism, and research covered in the blog entry. The use is not commercial in nature. This goes toward the purpose and character, which is to identify fraud and misrepresentation in a product promoted by Time and Salon.
  • As described in the blog entry, I found sample images on the False Flesh web site and used TinEye and other forensic methods to identify the sources. This was used to prove that the False Flesh software did not generate any of their sample images.
  • I did not use the full-size version of this particular picture and it includes the Getty Images Image Bank watermark. The blog entry explicitly identifies that the source for the False Flesh picture was Getty Images and not False Flesh. I point out that False Flesh used the picture in a deceptive manner.
  • I believe that my use of this picture has no adverse effect on the potential market for the image.

I believe that this covers the Copyright Fair Use requirements for criticism, comment, teaching, research, and reporting.

Getty Images acknowledges Fair Use in their FAQ concerning license requirements:
http://company.gettyimages.com/license-compliance/faq/#are-there-limitations-on-a-copyright-owners-rights

Specifically, Getty Images calls out education and research. As a computer security and forensic researcher, I use this blog to describe tools and techniques, evaluate methodologies, and to identify deceptive practices. I believe that this specific blog entry, and my blog in general, clearly fit both of these areas.

As stated in this letter, the picture’s appearance on my blog is Fair Use and I have the right under copyright law to use the image without your consent. This letter serves as notice that any DMCA takedown or blocking notices to any third party would be in bad faith.

Sincerely,

/s/ Dr. Neal Krawetz

Chilling Effect

My blog in general reports on findings related to computer security and forensics. Many of these blog entries heavily focus on scams, fraud, and abuse from media outlets. Many of my blog entries (reports) have been repeated by news outlets, and some of my blog entries have had a direct effect on changing insecure and unethical practices. This includes a series of blog entries that exposed digital manipulation in World Press Photo’s annual contest (influencing changes in this year’s contest rules) and a paper on fundamental problems with credit card payment systems that led to changes in the Visa security standards.

While this could be a wide-spread extortion racket, it could also be Getty’s way of testing the waters before going after some blog entries where I openly and explicitly criticize them for releasing digitally altered photos.

My primary concern is the chilling effect this could have. If I pay the extortion, then it opens me for more claims from Getty; I have previously criticized them for providing digitally altered photos and performed analysis to prove it. It also opens the way for similar claims from the Associated Press, Reuters, and every other media outlet that I have openly criticized. All of my blog entries that explicitly expose digital misrepresentation, report on media manipulation, and even those that disclose methods for evaluating content will be at risk.

In effect, bowing to this one threatening letter would force me to close my blog since I would no longer be allowed to freely write — report, comment, disclose research, and educate others — on topics related to media manipulation and digital photo analysis. I consider Getty’s attempt to censor my blog’s content to be an unacceptable attack on my freedom of speech.

Darknet - The Darkside: Password Manager Security – LastPass, RoboForm Etc Are Not That Safe

This post was syndicated from: Darknet - The Darkside and was written by: Darknet. Original post: at Darknet - The Darkside

We’ve talked a lot about using a password manager to secure, generate and manage your passwords – way back since 2008 when we introduced you to the Password Hasher Firefox Extension. Since then we’ve also mentioned it multiple times in articles where plain text passwords were leaked during hacks, such as the Cupid Media hack…

Read the full post at darknet.org.uk

Darknet - The Darkside: dirs3arch – HTTP File & Directory Brute Forcing Tool

This post was syndicated from: Darknet - The Darkside and was written by: Darknet. Original post: at Darknet - The Darkside

dirs3arch is a simple command line tool designed to brute force directories and files in websites. It’s a HTTP File & Directory Brute Forcing Tool similar to DirBuster. Features: keep-alive connections; multithreaded; detects not-found web pages when 404 not found errors are masked (.htaccess, web.config, etc.); recursive brute forcing…

Read the full post at darknet.org.uk

The Hacker Factor Blog: Master of My Domain

This post was syndicated from: The Hacker Factor Blog and was written by: The Hacker Factor Blog. Original post: at The Hacker Factor Blog

I receive all sorts of email. Some real, and some junk. I used to have a lot of fun with the junk mailers. Nearly two decades ago, I would spend a few hours hunting them down. Then I would do really mean things to them. I had created a method of determining the spammer’s motivation based on how their spam content was formed. If you know their motivation, then you know what they value. Attacking the thing they value would cause them to stop spamming. (Seriously — I ended up stopping dozens of spammers.)

For example, “List Makers” would collect mailing lists and then sell them off to other spammers. Their email messages were designed to verify if the email address was valid. One List Maker used a web form for people to “opt out”. (Opting out with his system resulted in even more spam since you validated your mailing address.) I wrote a script to iterate through his web site and acquired his list — and I made sure he noticed it. I then informed a few universities and companies about their addresses that were in the list — allowing them to create better filters. With his list stolen, he had nothing to sell. He rewrote his script to block my IP address. No problem — I relayed through hundreds of proxies and stole his list again — and again I made sure that he knew it was stolen. That’s when he stopped sending spam.

And then there was Jason in Spokane, Washington. He wasn’t very anonymous and he had an open directory with his mailing lists. I had his name and city, but nothing else. That’s when some friends in the UIUC Library school offered to help. (Librarians are really terrifying when they start searching public records. Never piss off a librarian.) In 24 hours, we knew his full name, address, phone number, previous employer, reason he was fired (misusing computers at work), his parents’ contact information, his girlfriend’s info, and much more.

I began posting about this to a UUNet newsgroup. Meanwhile, in an email, I had politely asked Jason to stop spamming. His reply showed a strong control of cut-and-paste but a lack of spelling: he called me a “LOOSER” (not “LOSER”) and replicated the sentence a few dozen times. Then he subscribed my email address to hundreds of newsgroups. Back in 1997, that created a denial-of-service attack by flooding my email box. (I was online at the time and immediately unsubscribed.)

Eventually, I posted his personal information online. I had wanted people to physically protest and picket outside his home. But that isn’t what happened… Instead, something happened that I never expected: Hundreds of people around the world called Jason’s phone number to complain and request no more spam. First Jason stopped answering the phone. Then he changed his phone number. Within hours, someone else found Jason’s new number and posted it. Meanwhile, people found other information that I had not made public: they began calling his church, his parents, and his girlfriend. (“I’m not his girlfriend! I’m just a girl who is his friend, and I’m not even his friend anymore!”)

Jason stopped sending spam. And his friend who actually ran the spam operation also stopped. (He switched from spam to life enhancement and get rich quick products.)

(All of this was long before CAN-SPAM and related legislation was passed.)

Suffice it to say, I don’t use a standard spam filter. I have other ways to rapidly filter email.

New Domain!

An email that I received a few weeks ago really got my attention. It was spam, and it said that the domain “fotoforensic.com” was going to be available soon. The spammer wanted me to pay him for the domain name.

I quickly checked the DNS registration information and was startled to see that I was not the listed registrant!

Registry Domain ID: 1804179046_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.godaddy.com
Registrar URL: http://www.godaddy.com
Update Date: 2013-07-15 14:36:48
Creation Date: 2013-05-27 01:32:41
Registrar Registration Expiration Date: 2014-05-27 01:32:41
Registrar: GoDaddy.com, LLC
Registrar IANA ID: 146
Registrar Abuse Contact Email: abuse@godaddy.com
Registrar Abuse Contact Phone: +1.480-624-2505
Domain Status: clientTransferProhibited
Domain Status: clientUpdateProhibited
Domain Status: clientRenewProhibited
Domain Status: clientDeleteProhibited
Registry Registrant ID:
Registrant Name: Nish Patel
Registrant Organization:
Registrant Street: c/o GoDaddy Redemption Services
Registrant Street: 14455 N. Hayden Road, Suite 219
Registrant City: Scottsdale
Registrant State/Province: AZ
Registrant Postal Code: 85260
Registrant Country: United States
Registrant Phone: +1.4805058877
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email:
Registry Admin ID:

I was on the phone — and on hold with GoDaddy — when I realized what was happening. I own “fotoforensics.com” (plural) and this Nish Patel person had registered “fotoforensic.com” (singular). After a year of cybersquatting, he let the domain expire. We were in that period where the domain would cost Patel a huge late fee to reclaim before it went up for auction.

The guy at GoDaddy was extremely helpful. He pointed out that this was a very rare and lucky situation for me. Since the cybersquatter had used GoDaddy and I used GoDaddy, it meant that it would go to the GoDaddy auction site before going public. If it went public, some other cybersquatter would likely snatch it. But I could grab it before it left GoDaddy. And best of all, I was the only person registered for this domain at the GoDaddy auction.

A while ago, I had received a spam email from a cybersquatter. (Was that a year ago? Two years ago? I didn’t really pay attention.) He had wanted a few hundred dollars for “fotoforensic.com” — I had ignored him and forgotten about it. But then I received this spam email about the domain coming up for grabs. I ended up getting it for $4 — that’s $10 to register for the auction and $10 for the domain, minus $16 in credit that I already had at GoDaddy. A $4 domain is much better than paying hundreds to a cybersquatter.

One of Many

Still, I wanted to know more about this “Nish Patel” guy. As far as I can tell, he is a professional cybersquatter, located in China. Someone with his name has currently registered over 25,000 domain names!

A quick search also turned up lots of lawsuits for cybersquatting and trademark infringement. (Patel lost every one of them.) For example:

  • Lorillard Licensing Company, LLC v. Nish Patel
  • WIPO Arbitration case D2013-1127: Compagnie Générale des Etablissements Michelin v. Nish Patel/Above.com Domain Privacy
  • WIPO Arbitration case D2013-0655: Atos IT Services UK Limited v. Nish Patel/Above.com Domain Privacy
  • WIPO Arbitration case D2013-0114: LEGO Juris A/S v. Above.com Domain Privacy / Ready Asset, Nish Patel

While WIPO arbitration is not free, the $1500 to protest up to five domains is likely cheaper than anything the cybersquatter wants. (If it comes down to it, I’d rather pay the attorneys and WIPO than a cybersquatter.)

Online

The domain auction at GoDaddy closed a few days ago (I won). The domain was transferred to me today and it’s already pointing to FotoForensics.com. This way, if someone types the domain name a little wrong (forgetting the plural), they will still be redirected to the site.

I find it ironic that (1) the cybersquatter got nothing for his effort — and ended up spending more money than me, (2) a spammer notified me about the domain name — and earned nothing for his efforts, and (3) owning the domain actually does help me since I know a few people who have typed the domain name wrong — by forgetting the final ‘s’. This is a good start to the week.

TorrentFreak: Google Services Among 472 Sites Blocked For World Cup ‘Piracy’

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

With the World Cup now heading to its semi-final stages, FIFA and its distribution partners are pushing hard to stem the tide of unauthorized content.

While FIFA has even gone as far as taking action against Twitter avatars, news today shows that its affiliates are also prepared to disrupt the activities of hundreds of sites and countless millions of Internet users if that means protecting their copyrights.

The development follows legal action initiated by Multi Screen Media PVT Ltd, a Sony Entertainment Television subsidiary in India. Earlier this year the company obtained a license from FIFA to broadcast the 2014 World Cup to Bangladesh, Bhutan, India, Maldives, Nepal, Pakistan and Sri Lanka. Of course, content is now being made available elsewhere without permission, so the company has decided to do something about that.

In a statement to the High Court in Delhi, counsel for Multi Screen Media explained that “various websites are indulging in hosting, streaming, providing access to” infringing content causing substantial loss of revenue not just for the company, but also to the government due to lost tax on TV subscription fees.

The list of ‘infringing’ sites supplied to the High Court is huge – 479 sites in all – and contains well known sharing sites including The Pirate Bay, torrent storage site Torrage, 1337x, Demonoid, and dozens of file-hosting sites.

Quite amazingly, however, the list also contains entirely legitimate sites including Google Docs, Google Video, Google URL shortener Goo.gl, and Kim Dotcom’s Mega.co.nz. None escape the criticism of Sony or the High Court.

“Learned counsel for the plaintiff submits that many of the websites [in the list] are anonymous in nature and it is virtually impossible to locate the owners of such websites or contact details of such owners. It is further submitted that many of these Rogue Websites also hide behind domain privacy services offered by various domain name Registrars,” the judge wrote in his decision.

“[Websites] listed below, or any other website identified by the Plaintiff are restrained, from in any manner hosting, streaming, broadcasting, rebroadcasting, retransmitting, exhibiting, making available for viewing and downloading, providing access to and / or communicating to the public, displaying, uploading, modifying, publishing, updating and/or sharing (including to its subscribers and users), through the internet, in any manner whatsoever,” he continued.

With that Judge V. Kameswar Rao issued an order for the country’s ISPs to block the 479 sites in question – Google’s included – plus “such other websites that may subsequently be notified by the Plaintiff to be infringing of its exclusive rights.”

While the Judge granting a blocking order against Google is bad enough, one has to question how the company’s services ended up on the High Court application in the first place. That is the responsibility of local anti-piracy company Markscan, who compiled the list for Multi Screen Media. Markscan were featured in a TorrentFreak article last month when they sent dozens of erroneous takedown notices to Google, again on behalf of a Sony company.

“We want to assure you that we deploy technology, in addition to best efforts of our teams, to ensure that we do not impact legal content on yours, or any other website,” they told us at the time. Users of Google Docs, Goo.gl and Google Video may beg to differ.

While some local ISPs have already initiated blockades, Google told Indian news outlet Medianama that there had been “no interruption of our services mentioned in the order.”

The High Court order was issued June 23, alongside an instruction to distribute the summons to the defendant sites by July 22, 2014.

Update: MediaNama is reporting that it has obtained a copy of an updated court order that isn’t yet available on the Delhi High Court website. The update reveals blocking requests for 219 sites, down from the 472 in the original order. No Google websites are in the updated list but many torrent and other file-sharing sites remain.

Original List of 472 Sites to Be Blocked

1. cdn.playwire.com

2. embedupload.com

3. 1fichier.com

4. crocko.com

5. multiupload.nl

6. uppit.com

7. solidfiles.com

8. bayfiles.net

9. tusfiles.net

10. bitshare.com

11. muchshare.net

12. mega.co.nz

13. share-online.biz

14. sendspace.com

15. real4download.com

16. telugump3.biz

17. wapkafiles.com

18. telugumasthi.wapka.me

19. telugustar.net

20. myteluguwap.net

21. s1.myteluguwap.net

22. s2.myteluguwap.net

23. filestube.to

24. ul.to

25. mightyupload.com

26. uploaded.net

27. freakshare.com

28. putlocker.com

29. uploadable.ch

30. safelinking.net

31. ultramegabit.com

32. terafile.co

33. fileom.com

34. d01.megashares.com

35. dizzcloud.com

36. lumfile.com

37. fileparadox.in

38. nitrobits.com

39. filemonkey.in

40. fastshare.cz

41. keep2share.cc

42. k2s.cc

43. sharerepo.com

44. depositfiles.com

45. rapidshare.com

46. filerio.com

47. goo.gl

48. fcore.eu

49. anonfiles.com

50. adf.ly

51. megafiles.se

52. exashare.com

53. primeshare.tv

54. uploadc.com

55. epicshare.net

56. dwn.so

57. uploadhero.com

58. dfiles.eu

59. thefile.me

60. nosupload.com

61. uploadsat.com

62. shareflare.net

63. letitbit.net

64. filesfrog.net

65. unlimitzone.com

66. uploadrocket.net

67. secureupload.eu

68. hulkfile.eu

69. tusfiles.co.nz

70. filehoot.com

71. jumbofiles.com

72. usefile.com

73. clicktoview.org

74. 180upload.nl

75. hitfile.net

76. easybytez.com

77. crisshare.com

78. vip-file.com

79. ufile.eu

80. jheberg.net

81. dl.free.fr

82. 2shared.com

83. sharebeast.com

84. cramit.in

85. ryushare.com

86. teluguworld.asia

87. twap.in

88. vshare.eu

89. 108.59.3.225:182

90. megafilesfactory.com

91. 199.91.152.94

92. 205.196.121.39

93. 199.91.152.86

94. 199.91.154.157

95. 205.196.123.194

96. 205.196.123.8

97. 205.196.123.182

98. mhnwap.wapka.me

99. mhnwap.wapka.mobi

100. realitytelevisionportal.eu

101. dorabuzz.in

102. foncity.in

103. toonvideos.in

104. bestcartoon.wapka.mobi

105. wap.dorabuzz.in

106. playpanda.net

107. play44.net

108. shared.sx

109. mega-vids.com

110. promptfile.com

111. 4upfiles.com

112. filemoney.com

113. lemuploads.com

114. anysend.com

115. luckyshare.net

116. filedap.com

117. junocloud.me

118. filevice.com

119. v-vids.com

120. quickyshare.net

121. tumi.tv

122. mp4star.com

123. sockshare.ws

124. uploadcrazy.net

125. uploadboy.com

126. putlocker.ws

127. filenuke.net

128. docs.google.com

129. dotsemper.com

130. upload.com

131. cloudyvideos.com

132. v.youku.com

133. movzap.com

134. googlevideo.com

135. vertor.eu

136. dramautubes.com

137. nosvideo.com

138. vreer.com

139. vidxden.com

140. divxstage.eu

141. rapidvideo.tv

142. vidspot.net

143. freshvideo.net

144. vidbux.com

145. vidplay.net

146. vidup.me

147. video.tt

148. modovideo.com

149. youwatch.org

150. magnovideo.com

151. videobam.com

152. sharexvid.com

153. videoslasher.com

154. nowvideo.ch

155. donevideo.com

156. videozed.net

157. vidhog.com

158. vidzi.tv

159. streamin.to

160. thevideo.me

161. vidzbeez.com

162. divxpress.com

163. nubestream.com

164. divxstream.net

165. videobb.com

166. divxden.com

167. mixturecloud.com

168. divxstage.net

169. videowood.tv

170. hostingbulk.com

171. playit.pk

172. movpod.net

173. daclips.com

174. slickvid.com

175. videofun.me

176. video44.net

177. yucache.net

178. moevideos.net

179. videomega.tv

180. vidpaid.com

181. sharevid.org

182. zuzvideo.com

183. video.vidcrazy.net

184. videovalley.net

185. videoboxone.com

186. vidcrazy.net

187. vodu.ch

188. watchfreeinhd.com

189. veehd.com

190. movdivx.com

191. blip.tv

192. animeuploads.com

193. videohub.ws

194. hdwide.co

195. stormvid.co

196. neovid.me

197. hawkhd.me

198. streamland.cc

199. vidshark.ws

200. vidspace.cc

201. vids.bz

202. play.flashx.tv

203. videoweed.es

204. torrenthound.com

205. nowvideo.sx

206. limetorrents.com

207. novamov.com

208. torrentfunk.com

209. torrents.net

210. wapkafile.com

211. thepiratebay.org

212. torlock.com

213. movshare.net

214. unblockedpiratebay-proxy.com

215. thetorrent.org

216. torrentz.sx

217. thepiratebay.se.unblock.to

218. nowdownload.ch

219. sockshare.com

220. bittorrent.pm

221. uptobox.com

222. torrage.com

223. vidbux.com

224. muchshare.net

225. sumotorrent.sx

226. torrentdownload.ws

227. vidup.me

228. btmon.com

229. ryushare.com

230. uploadable.ch

231. thepiratebay.se

232. 1337x.to

233. video.tt

234. bthunter.org

235. tusfiles.net

236. 1337x.org

237. swankshare.com

238. 1337xproxy.in

239. torrentz.dj

240. torrentcrazy.ee

241. filesbomb.in

242. torrentz.is

243. torrentz.am

244. kickassunblock.net

245. torrent.tm

246. uploadboy.com

247. oc.o2.vc

248. ineedtorrent.net

249. torrenthoundproxy.com

250. torcache.kickassunblock.net

251. kickasstor.net

252. streamupload.org

253. arabloads.net

254. torrentsnet.come.in

255. torrentz.to

256. filesfrog.net

257. 3gparena.in

258. dl.free.fr

259. divxstage.eu

260. play.flashx.tv

261. download-abc.com

262. filmsmaza.com

263. glotorrents.com

264. coolmoviez.com

265. 62.210.201.55:81

266. fuckyourcrew.org

267. mimti1.moviesmobile.net

268. sandy1.moviesmobile.net

269. sandy3.moviesmobile.net

270. sandy4.moviesmobile.net

271. thepiratebay.mk

272. dev.torrentz.pro

273. uploaded.net

274. torrentmoviemafia.com

275. 1337x.pw

276. share1.moviesmobile.net

277. share2.moviesmobile.net

278. share3.moviesmobile.net

279. share4.moviesmobile.net

280. bayproxy.me

281. sarthaktv.in

282. p2p4ever.com

283. tny.cz

284. torrent-loco.com.ar

285. piraattilahti.org

286. punjabwap.com

287. torrent.ee

288. torrentz.asia

289. fromplay.org

290. proxybay.pw

291. vertor.com

292. katshore.org

293. nl.malaysiabay.org

294. demonoid.ph

295. kickasstorrents.come.in

296. putlocker.cz

297. proxybay.eu

298. vertor.eu

299. 3gparina.in

300. 89.248.162.148

301. fromplay.com

302. etorrent.co.kr

303. fun4buddy.com

304. livetvindian.com

305. ontohinbd.com

306. pc.rdxhd.com

307. seedpeer.me

308. ukcast.tv

309. ezcast.tv

310. xuscacamusca.se

311. crichd.in

312. 122.155.203.9

313. http://www.0dian8.com/

314. http://www.114nba.com/

315. http://360bo.com/

316. http://51live.com/

317. http://www.52waha.com/

318. http://bf.5xzb.com/

319. http://allsport-live.net/

320. http://www.antibookers.ru/

321. http://www.assistirtvonlineaovivo.tv/

322. http://atdhe.eu/

323. http://atdhe.so/

324. http://atdhe.xxx/

325. http://www.atdhe24.net/

326. http://www.azhibo.com/

327. http://barcelonastream.com/

328. http://www.coolsport.tv/schedule-coolsport-tv.html

329. http://www.tvole.com/

330. http://www.drakulastream.eu/

331. http://esportesaovivo.com/

332. http://www.feed2all.eu/type/football.html

333. http://gofirstrowuk.eu/

334. http://www.footballstreaming.info/

335. http://www.frombar.com/

336. http://www.futebolaovivo.net/inicio.php

337. http://www.online.futebolaovivogratis.org/

338. http://gooool.org/

339. http://www.rajangan.me/

340. http://www.hahasport.com/

341. http://hdzhibo.com/

342. http://neolive.net/

343. http://www.kanqiu.tv/

344. http://livesport4u.com/

345. http://livetv.sx/

346. http://meczelive.tv/

347. http://www.megatvonline.co/

348. http://tvonline.megavertvonline.net/live/

349. http://myp2p.pw/

350. http://nogomya.ch/

351. http://www.p2p-hd.com/

352. http://qmzhibo.com/

353. http://rntplayer.com/

354. http://www.rojadirecta.me/

355. http://www.seezb.net/

356. http://www.sport.net/

357. http://sport5online.com/

358. http://sportlemon.ge/

359. http://sportlemontv.eu/

360. http://sportlive.lt/

361. http://www.sportlv.info/

362. http://www.sportp2p.com/

363. http://www.stopstream.tv/

364. http://thefirstrow.biz/

365. http://www.feed4u.net/

366. http://www.time4tv.com/

367. http://torrent-tv.ru/

368. http://tvaovivogratis.net/

369. http://tvonlinexat.com/

370. http://www.usagoals.tv/

371. http://vipbox.net/

372. http://www.vipboxuk.co/

373. http://www.wasu.cn/

374. http://www.wiziwig.tv/

375. http://wszhibo.com/

376. http://www.look-tvs.com/

377. http://www.yaomtv.com.cn/

378. http://www.zhiboche.com/

379. http://zqnow.com/

380. http://www.24livestreamtv.com/brazil-2014-fifa-world-cup-football-live-streaming-online-tv/

381. http://acefootball.eu/

382. http://al3ablive.info/

383. http://atdhe.ru/

384. http://atdhe.ge/

385. http://atdhe.sx/

386. http://atdhe.ws/

387. http://bongdatructuyen.info/

388. http://www.bongdatructuyen.vn/

389. http://bongdatv.net/

390. http://bongdaup.com/

391. http://www.majika.biz/

392. http://btvsports.com/

393. http://canalesdetv.com/

394. http://capodeportes.net/

395. http://www.catedralhd.tk/

396. http://www.cv55.eu/

397. http://desistreams.tv/

398. http://desportogratis.com/

399. http://dinozap.com/

400. http://drhtv.com.pl/

401. http://epctv.com/

402. http://zonasports.to/

403. http://fancylive.com/

404. http://feed2all.eu/

405. http://www.firstrows.eu/

406. http://firstrows.biz/

407. http://firstrowsports.ge/

408. http://footballhd.ru/

409. http://footdirect24.com/

410. http://freefootball.ws/

411. http://freehdspor.com/

412. http://freelivefussball.de/

413. http://freelivesport.eu/

414. http://fsicrew.info/

415. http://fussball-live-streams.com/

416. http://futbolarg.tv/

417. http://www.futbol-envivo.com/

418. http://futbolsinlimites.pw/

419. http://futebolaovivogratis.org/

420. http://goatd.net/

421. http://hdembed.com/

422. http://funkeysports.com/

423. http://hdsports.me/

424. http://www.hdstreams.tv/index.php

425. http://iraqgoals.in/

426. http://jokerplanete.com/

427. http://lesoleildelanuit.wf/

428. http://life-sport.org/

429. http://livesportv.com/

430. http://max-deportv.com/

431. http://megaviptv.net/

432. http://milloxtv.me/

433. http://myp2p.cm/

434. http://myp2p.ec/

435. http://newsoccertv.com/

436. http://nowwatchtvlive.com/

437. http://onlinemoviesportsandtv.com/

438. http://online–soccer.eu/

439. http://portugaldesportivo.com/

440. http://premier-league-live.net/

441. http://qxzhibo.com/

442. http://realtvsport.com/

443. http://real-tv-sport.com/

444. http://www.redzer.tv/

445. http://s247.tv/

446. http://sambasoccer.pw/

447. http://skysport.tv/

448. http://soccerembed.com/

449. http://soccertoall.net/

450. http://softsportstv.eu/

451. http://www.sportsbeech.tv/

452. http://sports-x.net/

453. http://sportz-hd.eu/

454. http://stadium-live.com/

455. http://stream-foot.tv/

456. http://streamhd.eu/

457. http://streamking.org/

458. http://todaytv.me/

459. http://www.tvonlinepc.eu/

460. http://totbet.net/

461. http://tructiepbongda.com/

462. http://tvembed.com/

463. http://tvembed.eu/

464. http://tv-link.in/

465. http://tv-porinternet.com/

466. http://tvsport24.info/

467. http://u-peak.me/

468. http://vipbox.co/

469. http://vipracing.co.in/

470. http://vtv4u.eu/

471. http://whoopwhoop.tv/

472. http://wiziwigfootball.com/

Source: TorrentFreak, for the latest info on copyright, file-sharing and anonymous VPN services.

The Hacker Factor Blog: Web Exploits from Microsoft

This post was syndicated from: The Hacker Factor Blog and was written by: The Hacker Factor Blog. Original post: at The Hacker Factor Blog

Last week was very depressing. Right now, I’m just trying to get back into the swing of work and programming to help me past the shock. (There was a death in my family.) Until things get back to normal, here’s a topic that I’ve been meaning to write about…

Microsoft Web Errors

For the longest time, the web logs at FotoForensics have had a periodic error message. Since the error doesn’t hurt anything, I never paid it much attention. The error looks like:

[Tue Mar 04 03:17:12 2014] [error] [client 157.55.33.80] (36)File name too long: access to /)\xc3
\x83\xc6\x92\xc3\x86\xe2\x80\x99\xc3\x83\xe2\x80\xb9\xc3\x85\xe2\x80\x9c\xc3\x83\xc6\x92\xc3\xa2\xe2\x82
\xac\xc5\xa1\xc3\x83\xe2\x80\x9a\xc3\x82\xc2\xb5\xc3\x83\xc6\x92\xc3\x86\xe2\x80\x99\xc3\x83\xe2\x80\x9a
\xc3\x82\xc2\xaf\xc3\x83\xc6\x92\xc3\xa2\xe2\x82\xac\xc5\xa1\xc3\x83\xe2\x80\x9a\xc3\x82\xc2\xbf\xc3\x83
\xc6\x92\xc3\xa2\xe2\x82\xac\xc5\xa1\xc3\x83\xe2\x80\x9a\xc3\x82\xc2\xbd\xc3\x83\xc6\x92\xc3\x86\xe2\x80
\x99\xc3\x83\xe2\x80\xa0\xc3\xa2\xe2\x82\xac\xe2\x84\xa2\xc3\x83\xc6\x92\xc3\xa2\xe2\x82\xac\xc5\xa1\xc3
\x83\xe2\x80\x9a\xc3\x82\xc2\xaf\xc3\x83\xc6\x92\xc3\x86\xe2\x80\x99\xc3\x83\xc2\xa2\xc3\xa2\xe2\x80\x9a
\xc2\xac\xc3\x85\xc2\xa1\xc3\x83\xc6\x92\xc3\xa2\xe2\x82\xac\xc5\xa1\xc3\x83\xe2\x80\x9a\xc3\x82\xc2\xbf
\xc3\x83\xc6\x92\xc3\x86\xe2\x80\x99\xc3\x83\xc2\xa2\xc3\xa2\xe2\x80\x9a\xc2\xac\xc3\x85\xc2\xa1\xc3\x83
\xc6\x92\xc3\xa2\xe2\x82\xac\xc5\xa1\xc3\x83\xe2\x80\x9a\xc3\x82\xc2\xbd\xc3\x83\xc6\x92\xc3\x86\xe2\x80
\x99\xc3\x83\xe2\x80\xb9\xc3\x85\xe2\x80\x9c\xc3\x83\xc6\x92\xc3\xa2\xe2\x82\xac\xc5\xa1\xc3\x83\xe2\x80
\x9a\xc3\x82\xc2\xb1\xc3\x83\xc6\x92\xc3\x86\xe2\x80\x99\xc3\x83\xe2\x80\xb9\xc3\x85\xe2\x80\x9c\xc3\x83
\xc6\x92\xc3\xa2\xe2\x82\xac\xc5\xa1\xc3\x83\xe2\x80\x9a\xc3\x82\xc2\xa9: failed

The key elements are the “File name too long: access to” and a bunch of binary garbage. On my server, this type of error appears a few times daily. The IP address varies, but (almost) always traces to Microsoft in Redmond, Washington. The IP addresses appear to be associated with Microsoft web bots that scan and index the Internet.

Looking up the error message with Google shows many other people who have noticed this same thing. Some of the postings date back to 2005.

Most of the forums focus on the error message and end with no conclusion beyond “it’s harmless”. A few of the postings did mention that it mainly comes from Microsoft and seems to be associated with the Bing search bot.
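Rather than noticing these entries by eye, the periodic pattern described above can be pulled out of error.log directly. The following is an added example (my own, not the post’s): two small shell functions that filter an Apache 2.2-style error.log for the “File name too long” message and summarise hits per client IP and per day. The log lines in the script are constructed for the example; only the line format (and the 157.55.33.80 address quoted in the post) comes from the page.

```shell
#!/bin/sh
# Added example (not from the original post): summarise "File name too long"
# entries in an Apache 2.2-style error.log by client IP and by day, so the
# periodic pattern the post describes can be spotted from the log alone.
# The log lines below are constructed; only the format (and the 157.55.33.80
# address quoted in the post) comes from the page.

SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat >"$SAMPLE_LOG" <<'EOF'
[Tue Mar 04 03:17:12 2014] [error] [client 157.55.33.80] (36)File name too long: access to /)\xc3\x83\xc6\x92\xc3\x86: failed
[Tue Mar 04 03:17:13 2014] [error] [client 10.0.0.7] File does not exist: /var/www/favicon.ico
[Tue Mar 04 11:02:40 2014] [error] [client 157.55.33.80] (36)File name too long: access to /foo/)\xc3\x83\xc6\x92: failed
[Wed Mar 05 02:51:09 2014] [error] [client 157.55.32.9] (36)File name too long: access to /bar/)\xc3\x83: failed
EOF

# Print "count client-ip" for every client that triggered the error,
# most frequent first.  Usage: long_name_errors_by_client /var/log/apache2/error.log
long_name_errors_by_client() {
    grep -F 'File name too long' "$1" \
      | sed -n 's/.*\[client \([^]]*\)\].*/\1/p' \
      | sort | uniq -c | sort -rn \
      | awk '{print $1, $2}'
}

# Print "count Weekday Mon DD YYYY" so weekday patterns (the post mentions
# Sundays and Wednesdays) stand out.  Same usage as above.
long_name_errors_by_day() {
    grep -F 'File name too long' "$1" \
      | sed -n 's/^\[\([A-Za-z]* [A-Za-z]* [0-9]*\) [0-9:]* \([0-9]*\)\].*/\1 \2/p' \
      | sort | uniq -c | sort -rn \
      | awk '{$1=$1; print}'
}

long_name_errors_by_client "$SAMPLE_LOG"
long_name_errors_by_day "$SAMPLE_LOG"
```

The sed patterns target the Apache 2.2 line layout shown in the post; Apache 2.4 writes fractional seconds in the timestamp, a module tag and a client port (`[client 1.2.3.4:54321]`), so the expressions need adjusting for a 2.4 log.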

Cause and Effect

Last month, I tracked down the cause of this error. I configured my test server just like the FotoForensics system and submitted the same URL to it. I managed to reproduce the same error message in the error.log file. I then began stripping out fields in my .htaccess file until the error went away.

The cause is pretty straightforward: enabling Apache’s mod_rewrite is all it takes to cause this error. It appears that mod_rewrite uses a fixed buffer length and this URL is too long for the buffer. The error message is harmless and the client receives an HTTP 403 error message. Between the URL being invalid and the overflow being caught, this seems to be a harmless error.

Except…

I have trouble believing that Microsoft would be doing this by accident. I mean, they have been doing this since at least 2005. According to Wikipedia, Bing was not introduced until 2009 (sounds right to me). In early 2005, Bing’s predecessor (MSN Search) introduced a picture search engine. I’m sure there were other changes to their search engine, but that’s about the time when this type of error began to appear.

If it was a bug, I would have expected it to stop or change when they rolled out Bing. Since it did not stop, it appears to be intentional.

Hidden Purpose

I don’t mind if errors show up in my web logs, but I don’t want users to see errors. Seeing a generic “File not found” does not help users who want to find the file. I actually like how 4chan returns a random web page that clearly tells the user that the content is no longer available. But at minimum, I want to return a blank web page.

While trying to return a blank page, I noticed how this bug really works…

Apache permits every directory to have a .htaccess file for controlling or restricting access. This gives users directory-level control. If I want to return a blank page in place of an HTTP 403 error message, I can simply add a control line to my .htaccess file:

ErrorDocument 403 " "

This line says to return a fixed string whenever there is a 403 error. And the fixed string is a single space. The result is a blank web page.

The problem is, this line didn’t work as long as I had “RewriteEngine on” in my .htaccess file (enabling mod_rewrite). Apache seems to process mod_rewrite before the ErrorDocument line, even if the ErrorDocument line comes first in the file.

The default Apache 403 error message is pretty basic. It returns a very simple error page:

Forbidden

You don’t have permission to access /)\xc3\x83\xc6\x92\xc3\x86\xe2\x80\x99\xc3\x83\xe2\x80\xb9\xc3\x85\xe2
\x80\x9c\xc3\x83\xc6\x92\xc3\xa2\xe2\x82\xac\xc5\xa1\xc3\x83\xe2\x80\x9a\xc3\x82\xc2\xb5\xc3\x83\xc6\x92
\xc3\x86\xe2\x80\x99\xc3\x83\xe2\x80\x9a\xc3\x82\xc2\xaf\xc3\x83\xc6\x92\xc3\xa2\xe2\x82\xac\xc5\xa1\xc3
\x83\xe2\x80\x9a\xc3\x82\xc2\xbf\xc3\x83\xc6\x92\xc3\xa2\xe2\x82\xac\xc5\xa1\xc3\x83\xe2\x80\x9a\xc3\x82
\xc2\xbd\xc3\x83\xc6\x92\xc3\x86\xe2\x80\x99\xc3\x83\xe2\x80\xa0\xc3\xa2\xe2\x82\xac\xe2\x84\xa2\xc3\x83
\xc6\x92\xc3\xa2\xe2\x82\xac\xc5\xa1\xc3\x83\xe2\x80\x9a\xc3\x82\xc2\xaf\xc3\x83\xc6\x92\xc3\x86\xe2\x80
\x99\xc3\x83\xc2\xa2\xc3\xa2\xe2\x80\x9a\xc2\xac\xc3\x85\xc2\xa1\xc3\x83\xc6\x92\xc3\xa2\xe2\x82\xac\xc5
\xa1\xc3\x83\xe2\x80\x9a\xc3\x82\xc2\xbf\xc3\x83\xc6\x92\xc3\x86\xe2\x80\x99\xc3\x83\xc2\xa2\xc3\xa2\xe2
\x80\x9a\xc2\xac\xc3\x85\xc2\xa1\xc3\x83\xc6\x92\xc3\xa2\xe2\x82\xac\xc5\xa1\xc3\x83\xe2\x80\x9a\xc3\x82
\xc2\xbd\xc3\x83\xc6\x92\xc3\x86\xe2\x80\x99\xc3\x83\xe2\x80\xb9\xc3\x85\xe2\x80\x9c\xc3\x83\xc6\x92\xc3
\xa2\xe2\x82\xac\xc5\xa1\xc3\x83\xe2\x80\x9a\xc3\x82\xc2\xb1\xc3\x83\xc6\x92\xc3\x86\xe2\x80\x99\xc3\x83
\xe2\x80\xb9\xc3\x85\xe2\x80\x9c\xc3\x83\xc6\x92\xc3\xa2\xe2\x82\xac\xc5\xa1\xc3\x83\xe2\x80\x9a\xc3\x82
\xc2\xa9
on this server.


Apache/2.2.22 (Ubuntu) Server at test-server Port 80

And there it is! The error identifies the server’s version information at the bottom of the error message. Moreover, a user-level .htaccess file cannot prevent this version information from being disclosed. Microsoft is intentionally exploiting this bug so that they can collect information about the server and version being used. This way, Microsoft can tell how many servers are running Apache (and what versions). This is a boon for competitive marketing and market share statistics.

At this point, I expect people to point out that my HTTP header already says the server and version in the HTTP “Server” field. However, the Server field reflects the front-end server, even if the request is actually processed by some back-end server. (Web servers can be chained together.) In contrast, the error message comes from any back-end server that processed the request. In my configuration, the front-end and back-end are the same. However, that isn’t the case for many banks, social networks, and large-scale web services. In effect, Microsoft is harvesting the version information found on the back-end servers.

Keep in mind, this information disclosure does not stop with one URL. Microsoft appends the long garbage characters to lots of different URLs on my site. If any URL silently redirects to a different server, then Microsoft will be able to see the version string change. This permits Microsoft to map out my back-end server architecture.

Mitigating Exposure

So how do you stop this information disclosure? The answer is relatively easy: place the ErrorDocument line in the only configuration file that is processed prior to the user-level .htaccess files. On my server, that’s “/etc/apache2/httpd.conf”. By default, the httpd.conf file is empty. On my server, it now contains one line:

ErrorDocument 403 " "

You’ll need to restart the server when you change the httpd.conf file. And make absolutely sure that the httpd.conf file does not contain “RewriteEngine on” — or else the ErrorDocument line will not be processed.

By making this change, the server will always return a blank page instead of the default 403 error message. The errors still appear in my error.log file, but the user’s browser only sees a 403 error code with a single space web page. Moreover, Microsoft seems to have noticed that I made this change. They used to send garbage to my server a few times every day. Since making this configuration change, Microsoft reduced their garbage queries (8 in the last week, and only on Sundays and Wednesdays).
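To put the fix above into a form that can be reviewed and checked, here is an added example (mine, not the author’s configuration). It emits a server-level fragment containing the post’s ErrorDocument line plus two standard Apache directives the post does not mention, ServerSignature Off (removes the “Apache/2.2.22 (Ubuntu) Server at …” footer from built-in error pages) and ServerTokens Prod (reduces the Server header to “Apache”), and it checks a global config file for the two conditions the post states: an ErrorDocument 403 line present and no “RewriteEngine on” in that file. The path /etc/apache2/httpd.conf is the post’s Ubuntu layout and is an assumption for other distributions.

```shell
#!/bin/sh
# Added example (not from the original post): a server-level hardening
# fragment for the disclosure described above, plus a check that the global
# config meets the two conditions the post states (an ErrorDocument 403 line
# present, and no "RewriteEngine on" in the same file).
# ServerSignature and ServerTokens are standard Apache directives added here
# on top of the post's single ErrorDocument line; /etc/apache2/httpd.conf is
# the post's Ubuntu path and an assumption elsewhere.

# Emit the hardened fragment on stdout so it can be reviewed, or redirected
# into the global config:  hardened_global_fragment >> /etc/apache2/httpd.conf
hardened_global_fragment() {
    cat <<'EOF'
# Blank body for 403s, processed before any per-directory .htaccess
ErrorDocument 403 " "
# Drop the "Apache/2.2.22 (Ubuntu) Server at ..." footer from built-in error pages
ServerSignature Off
# Report only "Apache" in the Server response header, without version or OS
ServerTokens Prod
EOF
}

# Return 0 if FILE contains an ErrorDocument 403 line and no "RewriteEngine on"
# (case-insensitive, comment lines ignored); print the reason and return 1 otherwise.
check_global_conf() {
    file=$1
    if ! grep -v '^[[:space:]]*#' "$file" \
         | grep -qi '^[[:space:]]*ErrorDocument[[:space:]]\{1,\}403[[:space:]]'; then
        echo "missing: ErrorDocument 403 in $file"
        return 1
    fi
    if grep -v '^[[:space:]]*#' "$file" \
         | grep -qi '^[[:space:]]*RewriteEngine[[:space:]]\{1,\}on'; then
        echo "unsafe: RewriteEngine on in $file would bypass ErrorDocument"
        return 1
    fi
    echo "ok: $file"
    return 0
}

# Stand-alone demonstration on a temporary file (never touches the live config).
demo_conf=$(mktemp)
hardened_global_fragment >"$demo_conf"
check_global_conf "$demo_conf"
rm -f "$demo_conf"
```

Because the post’s point is that the footer comes from whichever back-end server actually handled the request, ServerSignature Off belongs in the global config of every back-end, not only the front-end whose Server header the client already sees. Restart Apache after editing httpd.conf, as the post notes.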