Posts tagged ‘Privacy’

Schneier on Security: New Pew Research Report on Americans’ Attitudes on Privacy, Security, and Surveillance

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

This is interesting:

The surveys find that Americans feel privacy is important in their daily lives in a number of essential ways. Yet, they have a pervasive sense that they are under surveillance when in public and very few feel they have a great deal of control over the data that is collected about them and how it is used. Adding to earlier Pew Research reports that have documented low levels of trust in sectors that Americans associate with data collection and monitoring, the new findings show Americans also have exceedingly low levels of confidence in the privacy and security of the records that are maintained by a variety of institutions in the digital age.

While some Americans have taken modest steps to stem the tide of data collection, few have adopted advanced privacy-enhancing measures. However, majorities of Americans expect that a wide array of organizations should have limits on the length of time that they can retain records of their activities and communications. At the same time, Americans continue to express the belief that there should be greater limits on government surveillance programs. Additionally, they say it is important to preserve the ability to be anonymous for certain online activities.

Lots of detail in the reports.

TorrentFreak: Pirate Domain Seizures Are Easy in the United States

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

One of the biggest piracy-related stories of the year broke this week after Swedish authorities succeeded in their quest to take over two key Pirate Bay domains.

The court order, handed down Tuesday, will see and fall under the control of the Swedish government, provided no appeal is filed in the coming weeks. It’s been a long and drawn out process but given the site’s history, one with an almost inevitable outcome.

Over in the United States and spurred on by ‘rogue’ sites such as TPB, much attention has been focused on depriving ‘pirate’ sites of their essential infrastructure, domains included. Just last week the MPAA and RIAA appeared before the House Judiciary Committee’s Internet subcommittee complaining that ICANN isn’t doing enough to deal with infringing domains.

Of course, having ICANN quickly suspend domains would be convenient, but entertainment industry groups aren’t completely helpless. In fact, yet another complaint filed in the United States by TV company ABS-CBN shows how easy it is to take control of allegedly infringing domains.

The architect of several recent copyright infringement complaints, in its latest action ABS-CBN requested assistance from the United States District Court for the Southern District of Florida.

The TV company complained that eleven sites (listed below) have been infringing its rights by offering content without permission. To protect its business moving forward ABS-CBN requested an immediate restraining order and after an ex parte hearing, District Court Judge William P. Dimitrouleas was happy to oblige.

In an order (pdf) handed down May 15 (one day after the complaint was filed) Judge Dimitrouleas acknowledges that the sites unlawfully “advertised, promoted, offered for distribution, distributed or performed” copyrighted works while infringing on ABS-CBN trademarks. He further accepted that the sites were likely to continue their infringement and cause “irreparable injury” to the TV company in the absence of protection by the Court.

Granting a temporary order (which will become preliminary and then permanent in the absence of any defense by the sites in question) the Judge restrained the site operators from further infringing on ABS-CBN copyrights and trademarks. However, it is the domain element that provokes the most interest.

In addition to ordering the sites’ operators not to transfer any domains until the Court advises, Judge Dimitrouleas ordered the registrars of the domains to transfer their certificates to ABS-CBN’s counsel. Registrars must then lock the domains and inform their registrants what has taken place.

Furthermore, the Whois privacy protection services active on the domains and used to conceal registrant identities are ordered to hand over the site operators’ personal details to ABS-CBN so that the TV company is able to send a copy of the restraining order. If no active email address is present in Whois records, ABS-CBN is allowed to contact the defendants via their websites.

Once this stage is complete the domain registrars are ordered to transfer the domains to a new registrar of ABS-CBN’s choosing. However, if the registrars fail to act within 24 hours, the TLD registries (.COM etc) must take overriding action within five days.

The Court also ordered ABS-CBN’s registrar to redirect any visitors to the domains to a specific URL ( which is supposed to contain a copy of the order. At the time of writing, however, that URL is non-functional.

Also of interest is how the Court locks down attempts to get the sites running again. In addition to expanding the restraining order to any new domains the site operators may choose to move to, the Court grants ABS-CBN access to Google Webmaster Tools so that the company may “cancel any redirection of the domains that have been entered there by Defendants which redirect traffic to the counterfeit operations to a new domain name or website.”

The domains affected are:,,,,,,,,, and

Despite the order having been issued last Thursday, at the time of writing all but one of the domains remains operational. Furthermore, and in an interesting twist, and have already skipped to fresh domains operated by none other than the Swedish administered .SE registry.

Source: TorrentFreak, for the latest info on copyright, file-sharing, torrent sites and anonymous VPN services.

Krebs on Security: mSpy Denies Breach, Even as Customers Confirm It

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

Last week, KrebsOnSecurity broke the news that sensitive data apparently stolen from hundreds of thousands of customers of mobile spyware maker mSpy had been posted online. mSpy has since been quoted twice by other publications denying a breach of its systems. Meanwhile, this blog has since contacted multiple people whose data was published to the deep Web, all of whom confirmed they were active or former mSpy customers.

mSpy told BBC News it had been the victim of a “predatory attack” by blackmailers, but said it had not given in to demands for money. mSpy also told the BBC that claims the hackers had breached its systems and stolen data were false.

“There is no data of 400,000 of our customers on the web,” a spokeswoman for the company told the BBC. “We believe to have become a victim of a predatory attack, aimed to take advantage of our estimated commercial achievements.”

Let’s parse that statement a bit further. No, the stolen records aren’t on the Web; rather, they’ve been posted to various sites on the Deep Web, which is only accessible using Tor. Also, I don’t doubt that mSpy was the target of extortion attempts; the fact that the company did not pay the extortionist is likely what resulted in its customers’ data being posted online.

How am I confident of this, considering mSpy has still not responded to my requests for comment? I spent the better part of the day today pulling customer records from the hundreds of gigabytes of data leaked from mSpy. I spoke with multiple customers whose payment and personal data — and that of their kids, employees and significant others — were included in the huge cache. All confirmed they are or were recently paying customers of mSpy.

Joe Natoli, director of a home care provider in Arizona, confirmed what was clear from looking at the leaked data — that he had paid mSpy hundreds of dollars a month for a subscription to monitor all of the mobile devices distributed to employees by his company. Natoli said all employees agree to the monitoring when they are hired, but that he only used mSpy for approximately four months.

“The value proposition for the cost didn’t work out,” Natoli said.

Katherine Till’s information also was in the leaked data. Till confirmed that she and her husband had paid mSpy to monitor the mobile device of their 14-year-old daughter, and were still paying customers as of my call to her.

Till added that she was unaware of a breach, and was disturbed that mSpy might try to cover it up.

“This is disturbing, because who knows what someone could do with all that data from her phone,” Till said, noting that she and her husband had both discussed the monitoring software with their daughter. “As parents, it’s hard to keep up and teach kids all the time what they can and can’t do. I’m sure there are lots more people like us that are in this situation now.”

Another user whose financial and personal data was in the cache asked not to be identified, but sheepishly confirmed that he had paid mSpy to secretly monitor the mobile device of a “friend.”

News of the mSpy breach prompted renewed calls from Sen. Al Franken for outlawing products like mSpy, which the Minnesota Democrat refers to as “stalking apps.” In a letter (PDF) sent this week to the U.S. Justice Department and Federal Trade Commission, Franken urged the agencies to investigate mSpy, whose products he called “deeply troubling” and “nothing short of terrifying” when “in the hands of a stalker or abusive intimate partner.”

Last year, Franken reintroduced The Location Privacy Protection Act of 2014, legislation that would outlaw the development, operation, and sale of such products.

U.S. regulators and law enforcers have taken a dim view of companies that offer mobile spyware services like mSpy. In September 2014, U.S. authorities arrested 31-year-old Hammad Akbar, the CEO of a Lahore-based company that makes a spyware app called StealthGenie. The FBI noted that while the company advertised StealthGenie’s use for “monitoring employees and loved ones such as children,” the primary target audience was people who thought their partners were cheating. Akbar was charged with selling and advertising wiretapping equipment.

“Advertising and selling spyware technology is a criminal offense, and such conduct will be aggressively pursued by this office and our law enforcement partners,” U.S. Attorney Dana Boente said in a press release tied to Akbar’s indictment.

Akbar pleaded guilty to the charges in November 2014, and according to the Justice Department he is “the first-ever person to admit criminal activity in advertising and selling spyware that invades an unwitting victim’s confidential communications.”

Errata Security: Revolutionaries vs. Lawyers

This post was syndicated from: Errata Security and was written by: Robert Graham. Original post: at Errata Security

I am not a lawyer; I am a revolutionary. I mention this in response to Volokh posts [1, 2] on whether the First Amendment protects filming police. It doesn’t — it’s an obvious stretch, and relies upon concepts like a protected “journalist” class who enjoys rights denied to the common person. Instead, the Ninth Amendment, combined with the Declaration of Independence, is what makes filming police a right.

The Ninth Amendment simply says the people have more rights than those enumerated by the Bill of Rights. There are two ways of reading this. Some lawyers take the narrow view, that this doesn’t confer any additional rights, but is just a hint on how to read the Constitution. Some take a more expansive view, that there are a vast number of human rights out there, waiting to be discovered. For example, some wanted to use the Ninth Amendment to insist “abortion” was a human right in Roe v. Wade. Generally, lawyers take the narrow view, because the expansive view becomes ultimately unworkable when everything is a potential “right”.

I’m not a lawyer, but a revolutionary. For me, rights come not from the Constitution, Bill of Rights, or Supreme Court decisions. They come from the Declaration of Independence, the “natural rights” assertion, but also things like the following phrase used to justify the colony’s revolution:

…when a long train of abuses and usurpations, pursuing invariably the same Object evinces a design to reduce them [the people] under absolute Despotism, it is their right, it is their duty, to throw off such Government…

The state inevitably strives to protect its privilege and power at the expense of the people. The Bill of Rights exists to check this — so that we don’t need to resort to revolution every few decades. The First Amendment protects free speech not because this is a good thing, but because it’s the sort of the thing the state wants to suppress to protect itself.

In this context, therefore, abortion isn’t a “right”. Abortion neither helps nor harms the despot’s power. Whether or not it’s a good thing, whether it should be legal, or even whether the constitution should mention abortion, isn’t the issue. The only issue here is how it relates to government power.

Thus, we know that “recording police” is a right under the Declaration of Independence. The police want to suppress it, because it challenges their despotism. We’ve seen this in the last year, as films of police malfeasance have led to numerous protests around the country. If filming the police were illegal in the United States, this would be a usurpation that would justify revolt.

Everyone knows this, so they struggle to fit it within the constitution. In the article above, a judge uses fancy rhetoric to try to shoehorn it into the First Amendment. I suggest they stop resisting the Ninth and use that instead. They don’t have to accept an infinite number of “rights” in order to use those clearly described in the Declaration of Independence. The courts should simply say filming police helps us resist despots, and is therefore protected by the Ninth Amendment channeling the Declaration of Independence.

The same sort of argument happens with the Fourth Amendment right to privacy. The current legal climate talks about a reasonable expectation of privacy. This is wrong. The correct reasoning should start with a reasonable expectation of abuse by a despot.

Under current reasoning about privacy, government can collect all phone records, credit card bills, and airline receipts — without a warrant. That’s because since this information is shared with a third party, the company you are doing business with, you don’t have a “reasonable expectation of privacy”.

Under my argument about the Ninth, this should change. We all know that a despot is likely to abuse these records to maintain their power. Therefore, in order to protect against a despot, the people have the right that this information should be accessible only with a warrant, and that all accesses by the government should be transparent to the public (none of this secret “parallel construction” nonsense).

We all know there is a problem here needing resolution. Cyberspace has put our “personal effects” in the cloud, where third parties have access to them, that we still want to be “private”. We struggle with how that third party (like Facebook) might invade that privacy. We struggle with how the government might invade that privacy. It’s a substantial enough change that I don’t think precedent guides us, not Katz, not Smith v Maryland. I think the only guidance comes from the founding documents. The current state of affairs means that cyberspace has made personal effects obsolete — I don’t think this is correct.

Lastly, this brings me to crypto backdoors. The government is angry because even if Apple were to help them, they still cannot decrypt your iPhone. The government wants Apple to put in a backdoor, giving the police a “Golden Key” that will decrypt any phone. The government reasonably argues that backdoors would only be used with a search warrant, and thus, government has the authority to enforce backdoors. The average citizen deserves the protection of the law against criminals who would use crypto to hide their evil deeds from the police. When an evil person has kidnapped, raped, and murdered your daughter, all data from their encrypted phone should be available to the police in order to convict them.

But here’s the thing. In the modern, interconnected world, we can only organize a revolution against our despotic government if we can send backdoor-free messages among ourselves. This is unlikely to be much of a concern in the United States, of course, but it’s a concern throughout the rest of the world, like Russia and China. The Arab Spring was a powerful demonstration of how modern technology mobilized the populace to force regime change. Despots with crypto backdoors would be able to prevent such things.

I use Russia/China here, but I shouldn’t have to. Many argue that since America is free, and the government under the control of the people, that we operate under different rules than those other despotic countries. The Snowden revelations prove this wrong. Snowden revealed a secret, illegal, mass surveillance program that had been operating for six years under the auspices of all three branches (executive, legislative, judicial) and both Parties (Republican and Democrat). Thus, it is false that our government can be trusted with despotic powers. Instead, our government can only be trusted because we deny it despotic powers.

QED: the people have the right to backdoor-free crypto.

I write this because I often hang out with lawyers. They have a masterful command of all the legal decisions and precedent, such as the Katz decision on privacy. It’s not that I disrespect their vast knowledge on the subject, or deny their reasoning is solid. It’s that I just don’t care. I’m a revolutionary. Cyberspace, 9/11, and the war on drugs have led to an alarming number of intolerable despotic usurpations. If you lawyer people believe nothing in the Constitution or Bill of Rights can prevent this, then it’s our right, even our duty, to throw off the current system and institute one that can.

Schneier on Security: Admiral Rogers Speaking at the Joint Service Academy Cyber Security Summit

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

Admiral Mike Rogers gave the keynote address at the Joint Service Academy Cyber Security Summit today at West Point. He started by explaining the four tenets of security that he thinks about.

First: partnerships. This includes government, civilian, everyone. Capabilities, knowledge, and insight of various groups, and aligning them to generate better outcomes for everyone. Ability to generate and share insight and knowledge, and to do that in a timely manner.

Second, innovation. It’s about much more than just technology. It’s about ways to organize, values, training, and so on. We need to think about innovation very broadly.

Third, technology. This is a technologically based problem, and we need to apply technology to defense as well.

Fourth, human capital. If we don’t get people working right, all of this is doomed to fail. We need to build security workforces inside and outside of military. We need to keep them current in a world of changing technology.

So, what is the Department of Defense doing? They’re investing in cyber, both because it’s a critical part of future fighting of wars and because of the mission to defend the nation.

Rogers then explained the five strategic goals listed in the recent DoD cyber strategy:

  1. Build and maintain ready forces and capabilities to conduct cyberspace operations;
  2. Defend the DoD information network, secure DoD data, and mitigate risks to DoD missions;
  3. Be prepared to defend the U.S. homeland and U.S. vital interests from disruptive or destructive cyberattacks of significant consequence;
  4. Build and maintain viable cyber options and plan to use those options to control conflict escalation and to shape the conflict environment at all stages;
  5. Build and maintain robust international alliances and partnerships to deter shared threats and increase international security and stability.

Expect to see more detailed policy around these goals in the coming months.

What is the role of the US CyberCommand and the NSA in all of this? The CyberCommand has three missions related to the five strategic goals. They defend DoD networks. They create the cyber workforce. And, if directed, they defend national critical infrastructure.

At one point, Rogers said that he constantly reminds his people: “If it was designed by man, it can be defeated by man.” I hope he also tells this to the FBI when they talk about needing third-party access to encrypted communications.

All of this has to be underpinned by a cultural ethos that recognizes the importance of professionalism and compliance. Every person with a keyboard is both a potential asset and a threat. There needs to be well-defined processes and procedures within DoD, and a culture of following them.

What’s the threat dynamic, and what’s the nature of the world? The threat is going to increase; it’s going to get worse, not better; cyber is a great equalizer. Cyber doesn’t recognize physical geography. Four “prisms” to look at threat: criminals, nation states, hacktivists, groups wanting to do harm to the nation. This fourth group is increasing. Groups like ISIL are going to use the Internet to cause harm. Also embarrassment: releasing documents, shutting down services, and so on.

We spend a lot of time thinking about how to stop attackers from getting in; we need to think more about how to get them out once they’ve gotten in — and how to continue to operate even though they are in. (That was especially nice to hear, because that’s what I’m doing at my company.) Sony was a “wake-up call”: a nation-state using cyber for coercion. It was theft of intellectual property, denial of service, and destruction. And it was important for the US to acknowledge the attack, attribute it, and retaliate.

Last point: “Total force approach to the problem.” It’s not just about people in uniform. It’s about active duty military, reserve military, corporations, government contractors — everyone. We need to work on this together. “I am not interested in endless discussion…. I am interested in outcomes.” “Cyber is the ultimate team sport.” There’s no single entity, or single technology, or single anything, that will solve all of this. He wants to partner with the corporate world, and to do it in a way that benefits both.

First question was about the domains and missions of the respective services. Rogers talked about the inherent expertise that each service brings to the problem, and how to use cyber to extend that expertise — and the mission. The goal is to create a single integrated cyber force, but not a single service. Cyber occurs in a broader context, and that context is applicable to all the military services. We need to build on their individual expertises and contexts, and to apply it in an integrated way. Similar to how we do special forces.

Second question was about values, intention, and what’s at risk. Rogers replied that any structure for the NSA has to integrate with the nation’s values. He talked about the value of privacy. He also talked about “the security of the nation.” Both are imperatives, and we need to achieve both at the same time. The problem is that the nation is polarized; the threat is getting worse at the same time trust is decreasing. We need to figure out how to improve trust.

Third question was about DoD protecting commercial cyberspace. Rogers replied that the DHS is the lead organization in this regard, and DoD provides capability through that civilian authority. Any DoD partnership with the private sector will go through DHS.

Fourth question: How will DoD reach out to corporations, both established and start-ups? Many ways. By providing people to the private sector. Funding companies, through mechanisms like the CIA’s In-Q-Tel. And some sort of innovation capability. Those are the three main vectors, but more important is that the DoD mindset has to change. DoD has traditionally been very insular; in this case, more partnerships are required.

Final question was about the NSA sharing security information in some sort of semi-classified way. Rogers said that there are a lot of internal conversations about doing this. It’s important.

In all, nothing really new or controversial.

These comments were recorded — I can’t find them online now — and are on the record. Much of the rest of the summit was held under Chatham House Rules. I participated in a panel on “Crypto Wars 2015” with Matt Blaze and a couple of government employees.

TorrentFreak: MPAA & RIAA Demand DNS Action Against ‘Pirate’ Domains

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

One of the key aims of the now infamous SOPA legislation that failed to pass several years ago was the takedown of domains being used for infringing purposes. The general consensus outside of the major copyright groups was that this kind of provision should be rejected.

However, within the movie and music industries the spirit of SOPA is still alive, it’s just a question of how its aims can be achieved without giving alternative mechanisms the same name. Yesterday, during a hearing before the House Judiciary Committee’s Internet subcommittee, domains were firmly on the agenda.

One group in attendance was the Coalition for Online Accountability. COA’s aim is to improve online transparency and to encourage “effective enforcement against online infringement of copyrights and trademarks.”

No surprise then that its members consist of the Motion Picture Association of America (MPAA), the Recording Industry Association of America (RIAA), Entertainment Software Association (ESA) and the Software and Information Industry Association (SIIA).

COA counsel Steve Metalitz’s testimony called for domain name registrars to deal with complaints effectively.

“In recent months, there have been increasing calls from many quarters for domain name registrars to recognize that, like other intermediaries in the e-commerce environment, they must play their part to help address the plague of online copyright theft that continues to blight the digital marketplace,” Metalitz said.

“Under the 2013 revision of the Registrar Accreditation Agreement (RAA), domain name registrars took on important new obligations to respond to complaints that domain names they sponsor are being used for copyright or trademark infringement, or other illegal activities.”

However, according to Metalitz, registrars are not responding. The COA counsel said that the RAA requires registrars to “investigate and respond appropriately” to abuse reports and make “commercially reasonable efforts” to ensure that registrants don’t use their domain names “directly or indirectly” to infringe third party rights. But there has been little action.

“Well-documented reports of abuse that are submitted to registrars by right-holders, clearly demonstrating pervasive infringement, are summarily rejected, in contravention of the 2013 RAA, which requires that they be investigated,” he said.

As an example, Metalitz highlighted a Romanian-hosted ‘pirate’ music site using the domain

“By August of last year, RIAA had notified the site of over 220,000 infringements of its members’ works (and had sent similar notices regarding 26,000 infringements to the site’s hosting providers). At that time, RIAA complained to the domain name registrar (a signatory of the 2013 RAA), which took no action, ostensibly because it does not host the site,” he explained. A complaint to ICANN was also dismissed, twice.

It’s clear from Metalitz’s testimony that the MPAA, RIAA and ESA are seeking an environment in which domains will be suspended or blocked if they can be shown to be engaged in infringement. But the groups’ demands don’t end there.

WHOIS databases carry the details of individuals or companies that have registered domains and registrars are required to ensure that this information is both accurate and up to date. However, since WHOIS searches often reveal information that registrants would rather keep private, so-called proxy registrations (such as Whoisguard) have become increasingly popular.

While acknowledging there is a legitimate need for such registrations (albeit in “limited circumstances”), the entertainment industry groups are not happy that pirate site operators are playing the system to ensure they cannot be traced.

As a result they are aiming for a situation where registrars only deal with proxy services that meet certain standards on issues including accuracy of customer data, relaying of complaints to proxy registrants, plus “ground rules for when the contact points of a proxy registrant will be revealed to a complainant in order to help address a copyright or trademark infringement.”

In other words, anonymity should only be available up to a point.

In a letter to the Committee, the EFF warned against the COA’s proposals.

“As advocates for free speech, privacy, and liberty on the global Internet, we ask the Committee to resist calls to impose new copyright and trademark enforcement responsibilities on ICANN. In particular, the Committee should reject proposals to have ICANN require the suspension of Internet domain names based on accusations of copyright or trademark infringement by a website,” the EFF said.

“This is effectively the same proposal that formed the centerpiece of the Stop Online Piracy Act of 2011 (SOPA), which this Committee set aside after millions of Americans voiced their opposition. Using the global Domain Name System to enforce copyright law remains as problematic in 2015 as it was in 2011.”

Darknet - The Darkside: BitTorrent Bleep – Encrypted, Decentralized Voice & Text App

This post was syndicated from: Darknet - The Darkside and was written by: Darknet. Original post: at Darknet - The Darkside

So after running an open alpha for a while, BitTorrent Bleep is now finally public and official. The whole secure/transient messaging app/platform area is an interesting space: companies have come and gone, some have been compromised and some are still around (Snapchat, Poke, Wickr, Armortext etc). Bleep requires no personal info, just a nickname…

Read the full post at

TorrentFreak: Copyright Holders Want Cox to Expose “Most Egregious” Pirates

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

In the United States most large Internet providers forward DMCA notices to subscribers who are accused of downloading copyrighted material.

Cox Communications is one of the ISPs that does this. In addition, the ISP also implemented a strict set of rules of its own accord to ensure that its customers understand the severity of the allegations.

According to some copyright holders, however, Cox’s efforts are falling short. Last year BMG Rights Management and Round Hill Music sued the ISP because it fails to terminate the accounts of repeat infringers.

The companies, which control the publishing rights to songs by Katy Perry, The Beatles and David Bowie among others, claimed that Cox has given up its DMCA safe harbor protections due to this inaction.

The case revolves around the “repeat infringer” clause of the DMCA, which prescribes that Internet providers must terminate the accounts of persistent pirates. Both parties are currently conducting discovery.

In order to make their case the copyright holders have sent a long list of demands to Cox, but court records show the ISP is reserved in the information it’s willing to hand over.

The company refused, for example, to reveal the identities of roughly 150,000 subscribers who allegedly downloaded infringing works from BMG and Round Hill Music. According to the ISP, the Cable Privacy Act prevents the company from disclosing this information.

The music groups, however, aren’t taking no for an answer and are now asking the court to compel Cox to hand over their personal details. According to them, this information is crucial to prove the direct infringement claims.

The copyright holders are willing to accept a more limited number of accounts to begin with. In a motion to compel, they ask for the personal details of 500 account holders whose accounts were repeatedly used to share pirated material.

“In an effort to narrow the dispute, Copyright Holders only request the identity of and contact information associated with 500 of what appear to be the most egregious infringers,” they write.

“Specifically, Copyright Holders seek the identity of subscribers associated with 250 IP addresses that have infringed the copyrights at issue since the complaint was filed in this case, and the identity of subscribers associated with 250 IP addresses that have infringed in the six months prior to the Complaint being filed,” the companies add.

While the current request is limited to 500 IP addresses, the music groups reserve the right to request more at a later stage and ask the court to grant permission to do so.

“Copyright Holders also request that the Court issue an open Order requiring Cox to produce the contact information for additional direct infringers of the copyrights at issue in this case, if the need arises,” they write.

There is a hearing scheduled for later this week when the copyright holders will further detail their request, if needed. Cox has yet to respond but it’s unlikely that the company will hand over the requested information without putting up a fight.

Source: TorrentFreak, for the latest info on copyright, file-sharing, torrent sites and anonymous VPN services.

TorrentFreak: Rightscorp Fails in Bid to Unmask Pirates Using DMCA

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

Working on behalf of various copyright owners including Warner Bros. and BMG, last year anti-piracy company Rightscorp began sending subpoenas to dozens of smaller ISPs in the United States. The aim, as usual, was to unmask alleged file-sharers so that they could be pursued for cash settlement.

While many ISPs complied with the requests, the practice was controversial. Such subpoenas aren’t considered applicable in file-sharing cases and largely avoid scrutiny since they can be signed by a court clerk and are not reviewed by a judge.

In 2014, telecoms company Birch Communications kicked back by refusing to hand over customer details of subsidiary ISP, CBeyond. The company filed a motion to quash Rightscorp’s subpoena arguing that the anti-piracy outfit had embarked on a fishing exercise with no legal basis.

“CBeyond contends that the section does not apply to service providers that act only as a conduit for data transferred between other parties and that do not store data. The court agrees,” Magistrate Judge Janet King said.

Faced with this setback Rightscorp filed objections to the ruling and sought to have it overturned. The company has now failed in that effort. Last week the U.S. District Court for the Northern District of Georgia adopted the earlier ruling and quashed Rightscorp’s subpoena.

“We safeguard our customer information and take privacy issues seriously,” Birch President and Chief Executive Officer Vincent Oddo said in a statement.

“The U.S. District Court did the right thing by backing our view, and we’re very pleased to see that this case will serve to help protect our customers’ private information.”

Birch Senior Vice President and General Counsel Christopher Bunce says the company’s first response is to always protect subscriber privacy.

“Our first order of business when anyone requests access to a customer’s private information is to refuse, absent a valid subpoena or court order, which we then scrutinize as we did with Rightscorp’s illegal subpoena in this matter,” Bunce says.

According to Gardiner Davis who acted as lead litigation counsel for Birch, Rightscorp’s interpretation of the Digital Millennium Copyright Act was far too liberal.

“They had not even filed a copyright infringement lawsuit,” Davis said. “So this attempt was essentially a fishing expedition and I think this ruling was correctly and wisely decided. The court interpreted the statute as Congress intended.”

The defeat represents another blow to an embattled Rightscorp. The company’s latest financial report reveals a company hemorrhaging cash, despite substantial year-on-year growth.

Source: TorrentFreak, for the latest info on copyright, file-sharing, torrent sites and anonymous VPN services.

The Hacker Factor Blog: Goodbye Google

This post was syndicated from: The Hacker Factor Blog and was written by: The Hacker Factor Blog. Original post: at The Hacker Factor Blog

Over the last few blog entries, I have been overly critical of Google. It isn’t that I have suddenly taken a personal hatred of the company. Rather, choices that the company has made over the last few years have finally culminated into enough pain for me to complain about it.

The good ol’ days

The Internet is not static. Dominant and popular services today will transition over time to something less desirable.

I remember back in the early 1990s having debates about whether Lycos, Alta Vista, or Infoseek was the best online search engine. (Alta Vista… definitely Alta Vista.)

Then came Ask Jeeves. It was the first real natural language search engine. The interface sucked, the results were lacking, but the concept was novel.

Google didn’t start up until the late 1990s. The simplified user interface, fast responses, and solid results quickly made it a dominant force in the search engine market.

During that same time, Microsoft was synonymous with “evil empire”. Their software was slow, Microsoft-oriented (including lawsuits related to Microsoft disabling competing software), and didn’t work very well. The company couldn’t even decide on a good search engine service. They went from LookSmart to Live Search to MSN Search to Bing… Right now, they seem to have settled on Bing.

But old biases die hard — a lot of people don’t use Bing because they still think of Microsoft as an evil empire. (In my opinion, they are still an empire, but not as blatantly evil. I recently started using Bing as an alternative to Google.)

Back to today…

Over the years, my own needs have changed from simple search queries to business-oriented searches. I run a few web sites, develop technologies, and link to online services for augmenting results.

I used to be heavily dependent on Google’s services. Sometimes it was because Google was the only option. Other times it was because they were the easiest option. Or maybe it was because I was doing everything else at Google, so I thought it would be easier to use them as a one-stop shop.

Unfortunately, the number of things that I dislike about Google has grown into a very large list. Here’s my top 7 dislikes related to Google:

1. Google’s Homepage

Google used to have a very simple homepage. A search box and a search button. You typed a query and hit search. The results came back fast and were accurate.

Today, they have made the homepage more complicated. The “Google Doodle” went from a rare occurrence to every few days. It used to be a picture, but today it is animated. As many people have pointed out, the animated doodles make Google’s homepage difficult to use. The page becomes very slow and sometimes non-responsive.

The thing that has set me off today is their doodle for “Bartolomeo Cristofori, inventor of the piano, was born 360 years ago today!” I have nothing against Cristofori or pianos. Rather, it’s the animated doodle. My office has four computers within arms reach of me. On every single one of them, the doodle consumes so many resources that the browser has become virtually unusable. If I cannot use the search engine for quickly searching the web, then their service is not worth the bandwidth.

Today I changed my browsers from opening up Google to opening up a blank page. In the near future, I will probably set the default to Bing.

Keep in mind, Bing certainly isn’t perfect. Between the scrolling pictures and popups and changing backgrounds, they have a distracting web page. But at least it loads fast and I can easily type in a search query.

2. Search Entry and Hints

When I go to a search engine, I’m usually doing it for business. Time is money. I don’t want to wait for the page to load and I rarely pay attention to the real-time hints as I type.

With Google, their real-time hints (the drop-down list of possible search queries) gets really annoying. First, it dramatically slows down the rate that I can type in my query. Second, it usually isn’t helpful for me. And third, sometimes it stays down — blocking search results.

Bing does the same drop-down hints. But unlike Google, Bing is fast and their window doesn’t stay down covering results. And keep in mind, I’m using these search engines with the exact same browser on the exact same computer.

Yahoo Search has a slower drop-down. But, it doesn’t slow down my typing and it vanishes when I leave the search box.

3. Search Results

Google, Bing, and Yahoo Search all have similar search results. I really cannot say that the quality of results from one is better than another — they all fill different niches. Google finds more popular results, Bing returns more variety, and Yahoo may not have indexed as much of the Internet, but they also don’t return tons of cruft. I find Yahoo good for popular relevancy.

However, recently Google started prioritizing results based on how web pages look. Results from pages that are not, in Google’s opinion, designed for mobile devices will be throttled or censored from searches on mobile devices. When I do searches, I care more about relevancy than aesthetics. Since Google now places a higher importance on aesthetics than relevancy, I can no longer trust that Google’s search engine will return the results that I desire.

(I also find it ironic that Google places such a high emphasis on mobile usability. Yet, their homepage today makes their site virtually unusable on my desktop computers.)

4. Ads vs Content

I don’t like ads. I view sites that host third-party ads as sites that don’t know how to use their own real estate. (“I don’t know what to do over there, so let’s rent it out to a third-party! They know how to use it!”) Revenue from third-party ads is for companies that don’t know how to monetize their own products.

With Bing and Yahoo, ads are listed in the right-hand column of my desktop’s search results. They may also have ads at the top or bottom of the search results, but it is easy to distinguish ads from search results.

With Google? There are ads in the right column and ads at the top and ads within the search results. They make it hard to distinguish ads from content. And with some queries, there are more ads than results.

I used to subscribe to Wired Magazine. But between the change in content (from articles with a technical link to clearly biased with multiple inaccuracies), an increase in blatant advertorials, and page after page of ads that look like articles, I decided that it wasn’t worth the cost of the subscription. By the same means, I don’t think Google’s search results are worth the effort needed to distinguish results from ads.

5. Maps

I frequently use online maps for work. Sometimes it is to find directions, but usually it is associated with geolocation and tracking bad guys online.

Until the end of last year, I was heavily dependent on Google Maps. My change in preference happened when Google completely switched from their old mapping system to the new one. I find their new mapping interface to be extremely slow and cluttered with icons and banners. The first thing I do after any map search is close half of the popups and overlays — that’s a usability issue for Google. My laptop is a netbook — about half of the window is covered up by junk. And of course, there’s the drop-down search bar that never seems to go back up.

In contrast, Bing and MapQuest (yes, MapQuest is still around) have very fast interfaces and they don’t clutter the map with other windows.

I do like the URL parameters for calling Google Maps. Both MapQuest and Google Maps just need a query parameter (q=). In contrast, Bing has a much more complicated interface. (You can’t just say “cp=coordinates”… you need “cp=lat~lon&rtp=pos.lat_lon”. Why the change in delimiter? Who knows… Microsoft has never been known for having simple interfaces.) And don’t get me started with Yahoo Maps; I couldn’t figure out their URL parameters.

Earlier today, I changed my geolocation and profiling code from using Google Maps to supporting Google, Bing, and MapQuest — configurable, with Bing being the default map service. In my next code push to clients, they will see that the links to map services have changed from Google to Bing.

6. Harvesting Content

In order for a search engine to get content, they must scan the Internet for web sites. A few years ago, I noticed that Google was submitting crap to every text entry form on my web site. I think they wanted to index every possible search result. I ended up making a code change that explicitly prevented form submissions from Google.

When I started FotoForensics, someone at Google decided to upload every picture from Imgur to my site. This is an abuse of my site as well as a violation of Imgur’s terms of service. I ended up putting in another special rule, just for Google. Initially, I prevented Googlebot from performing uploads. Today, it prevents anyone at Google from uploading pictures to FotoForensics. (Well, most of Google is blocked.)

In contrast, Bing, Yahoo, and most other search engines make no attempt to upload content or abuse my entry forms.

7. Other Services

I use other online services, but not as much as search or maps. I’m not on Facebook, LinkedIn is virtually unusable, and Google Groups is really nothing more than Deja News, but with fewer configuration options. (And the options they do have are buried in a half-dozen places.) I find the Google+ interface to be far from intuitive and definitely unfriendly. Google Hangouts is hard to use, but Google Docs can be good for collaborative efforts… if we can figure out how to share docs. (I can share with them, but they cannot share with me due to some higher level privacy settings or something…)

I use Google’s Picasa service for storing pictures. However, I still use the old Picasa interface. The newer interface doesn’t work with many of the browsers that I use. I also find the newer interface to be as confusing as Google Hangouts.

For email, I almost never use Google. When I need it, I usually use their POP3 or IMAP network service to transfer email to my local mail client. Between Google’s “folders that are not folders” and “delete that isn’t delete”, I try not to use their web mail interface.

I used to use Google’s email alerts. When Google would come across something that matched my query, they would send me an email notice. But the emails became less and less frequent. It isn’t that nothing was happening. Rather, they just were not notifying me, or were notifying me days later. Eventually, I unsubscribed since they were not sending me alerts in a reasonable amount of time.

I don’t use Google’s Analytics. In fact, I have NoScript configured to block that service. While I find the Analytics data informative, I also notice how it dramatically slows down web page loading. In my opinion, the speed impact is not worth the benefit from the data metrics.

Google Code was a great system. Developers like me could readily search and access and interact with lots of source code. Unfortunately, Google Code is going away.

And then there is Google’s high-speed Internet. It isn’t available where I live. And “Google Wireless” at my local Starbucks actually uses Comcast…

I still use Google Voice and Google Translate, but those really seem to be the last vestiges of the old Google mentality.

Leaving Google

I know a few people who work at Google. They are all friendly and very smart. My problem isn’t with any specific employees. Instead, I find their corporate offerings to be lacking. Google has evolved from a company with a variety of easy to use services to a company with more services but much less usability. And if I cannot easily use the service, then I’d rather switch to another service that I can easily use.

There’s still time for Google to turn things around. They could reintroduce usability. They could focus on responsiveness and relevancy. They could test on multiple platforms before releasing code. They could stop trying to integrate disparate services into an ad hoc interface; they should stop forcing square pegs into round holes. But until that happens, I’m switching primary services.

I’ve already switched away from Google Maps. I’m moving away from Google Search. And I’m thinking about moving off of Google’s Picasa. I barely use Google Groups. I try to avoid Google Docs, Google Hangouts, and Google’s Gmail interface. Google used to be the giant that everyone envied. Today, I’m thinking that Microsoft and Yahoo offer viable alternatives.

The diaspora* blog: diaspora* version released!

This post was syndicated from: The diaspora* blog and was written by: Diaspora* Foundation. Original post: at The diaspora* blog

After a long wait we are really happy to announce that a new major version of diaspora*, v0.5.0.0, has been released today! This is the biggest release the community has ever done, and includes many of the large features and improvements you have been waiting for.

IMPORTANT for podmins: Before upgrading, please make sure to read and understand in full the specific 0.4.x to 0.5 upgrade guide. You will run into problems during the upgrade if you do not follow the instructions carefully!

Here is a list of the main improvements, with links to the relevant pull requests:

User experience

  • Redesign the contacts page, drop the “facebox” viewer and enable search for contacts directly on the page #5153 & #5473
  • Redesign the profile page, including automatic update after an action without reloading the page #4657 & #5180
  • New display for photos on the profile page #5521
  • Improved notification dropdown #5129 & #5237
  • Improved parser for Markdown formatting code #5526
  • Added/moved hide, block user, report and delete icons in the single-post view #5547
  • Show hovercards on mentions #5652
  • Allow users to enable/disable notifications for a post #5511 & #5722
  • Display poll results on reshares of the post #5782


  • Exclude the content of non-public posts from notification emails #5494
  • Allow users to export their profile, posts and comments in JSON format #5499
  • Allow users to export their uploaded photos #5685
  • Strip EXIF data from newly uploaded images (user configurable) #5510
  • Allow podmins to set up a proxy to avoid external requests on images embedded with Markdown, by OpenGraph or from other pods #5386


  • New profile page design with hashtags #5084
  • Add “#Followed tags” to the mobile menu #5468
  • Enable users to add/remove contacts from an aspect #5594

Under the hood

  • Federation improvements #5209
  • Major version updates to Ruby (2.1), Rails (4.2) and Sidekiq (3.3)


  • Make reported posts/comments accessible from the Report tab #5337
  • Add maintenance feature to automatically expire inactive accounts #5288
  • Give admins the ability to lock/unlock accounts #5643

In total this release closes 156 issues or feature tickets. A total of 20 contributors contributed code to this release in a total of 785 commits.

This release has been in release candidate status since the 30th of March and has been tested on pods during that time. As such, we are confident this release will not have major issues left. However, this release does contain many manual steps for podmins when upgrading. Please follow the steps carefully and to the letter! If in doubt, please visit our IRC channel #diaspora on Freenode and ask before continuing. Not following the instructions closely could result in unnecessary downtime for your pod.

MySQL/MariaDB pods: please note this release contains long running database migrations for these databases. Large pods should expect at least 30-60 minutes downtime due to migrations.

Please provide feedback about the release via the normal channels. We are aiming to move to releasing minor upgrades faster in the future, so bug fixes and small features can be pushed out without pods having to wait for a major release.

Schneier on Security: Digital Privacy Public Service Announcement

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

I thought this was very well done.

Errata Security: Some notes on why crypto backdoors are unreasonable

This post was syndicated from: Errata Security and was written by: Robert Graham. Original post: at Errata Security

Today, a congressional committee held hearings about ‘crypto backdoors’ that would allow the FBI to decrypt text messages, phone calls, and data on phones. The thing to note about this topic is that it’s not anywhere close to reasonable public policy. The technical and international problems are unsolvable with anything close to the proposed policy. Even if the policy were reasonable, it’s unreasonable that law enforcement should be lobbying for it.

Crypto is end-to-end

The debate hinges on a huge fallacy, that it’s about regulating industry, forcing companies like Apple to include backdoors. This makes it seem like it’s a small law. The truth is that crypto is end-to-end. Apple sells a generic computer we hold in our hand. As a user, I can install any software I want on it — including software that completely defeats any backdoor that Apple would install. Examples of such software would be Signal and Silent Circle.

It seems reasonable that you could extend the law so that it covers any software provider. But that doesn’t work, because software is often open-source, meaning that anybody can build their own app from it. Starting from scratch, it would take me about six months to write my own app that would talk to other people using the ZRTP encryption standard.

Well, presumably if you couldn’t regulate the software on the phone, you could regulate a service in the Internet. That doesn’t work, either. Such services could be located in another country, because there are no real national borders in cyberspace. In any event, such services aren’t “phone” services, but instead just “contact” services. They let people find each other, but they don’t control the phone call. It’s possible to bypass such services anyway, by either using a peer-to-peer contact system, or overloading something completely different, like DNS.

Like crypto, the entire Internet is based on the concept of end-to-end, where there is nothing special inside the network that provides a service you can regulate.

The point is this. Forcing Apple to insert a “Golden Key” into the iPhone looks reasonable, but the truth is the problem explodes to something far outside of any sort of reasonableness. It would mean outlawing certain kinds of code — which is probably not possible in our legal system.

China and Russia want it, too

The problem with forcing Apple to give a “Golden Key” to the US government is that all governments will want such a key, too. This includes repressive regimes like China and Russia.
This risks balkanizing encrypted phone calls. The Internet knows no national borders. I regularly make calls around the world using encrypted voice apps like Signal. When each country passes backdoor laws, they’ll all do it differently, and they’ll all break. In some cases, it’ll be impossible to call another country with compatible software.
This will make travel difficult. Last time I was in Japan, I used Signal to call back to the United States, using the local wifi, purely to avoid roaming charges (not even caring that it was encrypted). This sort of thing would now be illegal, because while I might have the FBI’s Golden Keys installed on the phone, I wouldn’t have Japan’s. They would notice, and come arrest me.
Even if you could get all this worked out, standardizing things, making this automatic, you’ve now got a hundred countries with their finger in the pie. There’s no way to make this work.

China and Russia want it, too (part two)

The FBI’s testimony stressed that they would only use the Golden Key with a lawful warrant with full Fourth Amendment protections. So would the law enforcement agencies of China and Russia — only their lawful warrants include suppression of political dissent.
Here’s the deal: in the modern world where electronics are the only means of communication, crypto backdoors can make dissent nearly impossible. We saw that in the Soviet Union, where even things like copy machines were tightly controlled by the state.
Like it or not, the United States sets the agenda on freedom around the world. Our policy must be in support of strong crypto around the world, so that citizens can hide data from repressive governments. There is no way to have a backdoor for United States communications while opposing backdoors elsewhere.

Our country really isn’t trustworthy

The elephant in the room during today’s testimony is that our government really isn’t as trustworthy as we’d like. It’s more than just the Snowden revelations of mass surveillance of phone records.
Law enforcement used “Stingray”-like devices over 100,000 times last year to intercept mobile phones. Yet, this was challenged in court zero times. Most of the time they hide from defendants that Stingrays were even used, and in the few cases where defendants challenged them, they simply dropped the case rather than expose their use.
As the congressional probing demonstrated, the FBI is gathering everyone’s cell location records all the time. While they don’t know your exact location, they do know within a few blocks. Again, this is all secret, and not accountable to the public.
The United States jails 10 times more of its people (as a percentage) than other free countries, more even than China or Russia. With 5% of the world’s population we have 30% of the world’s prisoners behind bars. A big piece of Hillary Clinton’s 2016 platform is getting these people out of jail. It’s also important to the Koch brothers (the other side of the political spectrum) — they recently removed criminal background from application forms for their companies.
We have a long way to go to reform law enforcement in this country. It’s not reasonable at this time to give them vast new powers that totalitarian regimes drool over.

It’s improper for them to ask

Today’s testimony by the FBI and the DoJ discussed the tradeoffs between privacy and protection. Victims of crimes, those who get raped and murdered, deserve to have their killers brought to justice. That criminals get caught dissuades crime. Crypto makes prosecuting criminals harder.
That’s all true, and that’s certainly the argument victim rights groups should make when lobbying government. But here’s the thing: it’s not the FBI’s job to care. We, the people, make the decision about these tradeoffs. It’s solely we, the people, who are the constituents lobbying congress. The FBI’s job is to do what we tell them. They aren’t an interested party. Sure, it’s their job to stop crime, but it’s also their job to uphold rights. They don’t have an opinion, by definition, which one takes precedence over the other — congress makes that decision.
Yet, in this case, they do have an opinion. The only reason the subcommittee held hearings today is in response to the FBI lobbying for backdoors. Even if this issue were reasonable, it’s not reasonable that the FBI should lobby for it.


I’m a big fan of the idea that reasonable people can disagree, that there are two sides to every debate. This applies to even rancorous debates like abortion and global warming. On many issues, I defend the reasonableness of the opposing side: while I disagree with their policy, I agree that it’s not unreasonable. I point this out to stress the fact that I’m not calling this policy unreasonable simply because I disagree with it.
It’s not merely a matter of forcing Apple to provide the FBI a Golden Key, because users would still encrypt anyway, and Russia would want their own Golden Key. Solving those problems means a public policy that looks nothing like the original one proposed. While it’s reasonable for the people to bring up the subject, it’s wholly unreasonable for the FBI. They serve us, they should stop acting like we serve them.

Schneier on Security: Remote Proctoring and Surveillance

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

Interesting article. There are a lot of surveillance and privacy issues at play here.

SANS Internet Storm Center, InfoCON: green: Actor using Fiesta exploit kit, (Tue, Apr 28th)

This post was syndicated from: SANS Internet Storm Center, InfoCON: green and was written by: SANS Internet Storm Center, InfoCON: green. Original post: at SANS Internet Storm Center, InfoCON: green

An Enduring Adversary

This diary entry documents a criminal group using the Fiesta exploit kit (EK) to infect Windows computers. I previously wrote a guest diary about this group on 2014-12-26 [1] and provided some updated information on my personal blog. I first noticed this group in 2013, and it’s likely been active well before then.

The group is currently using a gate that generates traffic from compromised websites to a Fiesta EK domain. I’m calling this group the BizCN gate actor because all its gate domains are registered through a Chinese registrar, and they all reside on a single IP address. The registrant data is privacy-protected through Wuxi Yilian LLC.

Earlier this month, the BizCN gate actor changed the IP address of its gate [3]. We’re currently seeing the gate lead to Fiesta EK. Below is a flow chart for the traffic (image not included in this copy).

Traffic From an Infected Host

The following image shows traffic from the gate that occurred on 2015-04-26 (image not included in this copy).

Within the past week or so, Fiesta EK has modified its URL structure. Now you’ll find dashes and underscores in the URLs (something that wasn’t …).

A pcap of this traffic is available at:

The malware payload on the infected host copied itself to a directory under the user’s AppData\Local folder.

A copy of the malware payload is available at:

Below is an image from Sguil on Security Onion for EmergingThreats and ETPRO snort events caused by the infection (image not included in this copy).

Indicators of Compromise (IOCs)

Passive DNS for the gate IP address shows at least 100 domains registered through the same registrar hosted on this IP address. Each domain is paired with a compromised website. Below is a list of the gate domains and their associated compromised websites I’ve found so far this month:

How can you determine if your clients saw traffic associated with this actor? Organizations with web proxy logs can search for the gate IP address to see the HTTP requests. Those HTTP headers should include a referer line with the compromised website. Many of these compromised websites use vBulletin.
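The proxy-log hunt described above, as an added example that is not part of the ISC diary: it pulls every request to the gate (404 responses included, since the diary notes the gate usually answers 404) and groups them by the referring site to recover which compromised websites sent clients there. The gate IP, the log format, the gate domain and all log lines are constructed placeholders, not the diary's real indicators.

```python
"""Hunt web-proxy logs for requests to the BizCN gate and recover the
compromised referring sites from the Referer header.
Added example, not from the ISC diary; every value below is constructed."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Placeholder: the diary's real gate IP address is not reproduced here.
GATE_IP = "192.0.2.10"

# Constructed proxy log format (one request per line):
#   <timestamp> <client_ip> <method> <url> <status> "<referer>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) '
    r'(?P<status>\d{3}) "(?P<referer>[^"]*)"$'
)

# Constructed sample log; ".invalid" hosts are placeholders.
SAMPLE_LOG = """\
2015-04-26T10:01:02Z 10.0.0.5 GET http://gate-example.invalid/ 404 "http://forum-example.invalid/showthread.php?t=42"
2015-04-26T10:01:03Z 10.0.0.5 GET http://www.bing.com/ 200 "-"
2015-04-26T10:02:10Z 10.0.0.7 GET http://gate-example.invalid/gate.php 200 "http://blog-example.invalid/index.php"
2015-04-26T10:02:11Z 10.0.0.7 GET http://cdn-example.invalid/x.js 200 "http://blog-example.invalid/index.php"
2015-04-26T10:03:00Z 10.0.0.9 GET http://gate-example.invalid/ 404 "-"
this line is not a log entry
"""

# Constructed passive-DNS view for the day: gate domain -> IP it resolved to.
RESOLVED = {"gate-example.invalid": GATE_IP}


def parse_line(line):
    """Return the request fields as a dict, or None for non-matching lines."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_gate_request(entry, gate_ip=GATE_IP, resolved=RESOLVED):
    """True if the request host is the gate IP or a domain that resolved to it."""
    host = urlsplit(entry["url"]).hostname or ""
    return host == gate_ip or resolved.get(host) == gate_ip


def find_gate_requests(log_text, gate_ip=GATE_IP, resolved=RESOLVED):
    """Return every request to the gate. A 404 is still a hit: the diary
    notes the gate usually returns 404, but the client still visited it."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and is_gate_request(entry, gate_ip, resolved):
            hits.append(entry)
    return hits


def compromised_sites(hits):
    """Map each referring (compromised) website to the clients it sent to the
    gate. Requests without a Referer are grouped under '(no referer)'."""
    sites = defaultdict(set)
    for h in hits:
        ref_host = urlsplit(h["referer"]).hostname if h["referer"] != "-" else None
        sites[ref_host or "(no referer)"].add(h["client"])
    return {site: sorted(clients) for site, clients in sites.items()}


if __name__ == "__main__":
    hits = find_gate_requests(SAMPLE_LOG)
    for h in hits:
        print(h["ts"], h["client"], h["status"], h["url"], "<-", h["referer"])
    for site, clients in compromised_sites(hits).items():
        print(f"{site}: {len(clients)} client(s): {', '.join(clients)}")
```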

Final Notes

Researchers may have a hard time generating infection traffic from compromised websites associated with this actor. Most often, HTTP GET requests to the gate domain return a 404 Not Found. In some cases, the gate domain might not appear in traffic at all. Other times, the HTTP GET request for the Fiesta EK landing page doesn't return anything. It's tough to get a full infection chain when you're trying to do it on purpose.

The BizCN gate actor occasionally changes the IP address for these gate domains. Since their information is now public through this diary entry, the actor will likely change the gate's IP address and domains again.

Unless there's a drastic change in their pattern of operations, this BizCN gate actor will be found relatively soon after any upcoming changes.

Brad Duncan, Security Researcher at Rackspace
Blog: – Twitter: @malware_traffic



(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.

The Hacker Factor Blog: Great Googly Moogly!

This post was syndicated from: The Hacker Factor Blog and was written by: The Hacker Factor Blog. Original post: at The Hacker Factor Blog

Google recently made another change to their pagerank algorithm. This time, they are ranking results based on the type of device querying it. What this means: a Google search from a desktop computer will return different results compared to the same search from a mobile device. If a web page is better formatted for a mobile device, then it will have a higher search result rank for searches made from mobile devices.

I understand Google’s desire to have web pages that look good on both desktop and mobile devices. However, shouldn’t the content, authoritativeness, and search topic be more important than whether the page looks pretty on a mobile device?

As a test, I searched Google for “is this picture fake”. The search results on my desktop computer were different than the results from my Android phone. In particular, the 2nd desktop result was completely gone on the mobile device, the FotoForensics FAQ was pushed down on the mobile device, TinEye was moved up on the mobile device, and other analysis services were completely removed from the mobile results.

In my non-algorithmic personal opinion, I think the desktop results returned more authoritative results and better matched the search query than the mobile device results.

Google’s Preference

Google announced that they were doing this change on February 26. They gave developers less than two months notice of this change.

While two months may be plenty of time for small developers to change their site layout, I suspect that most small developers never heard about this change. For larger organizations, two months is barely enough time to have a meeting about having a meeting about scheduling a meeting to discuss a site redesign for mobile devices.

In other words: Google barely gave anyone notice, and did not give most sites time to act. This is synonymous with those security researchers who report vulnerabilities to vendors and then set arbitrarily short deadlines before going public. Short deadlines are not about doing the right thing; it’s about pushing an agenda.

Tools for the trade

On the plus side, Google provided a nice web tool for evaluating web sites. This allows site designers to see how their web pages look on a mobile device. (At least, how it will look according to Google.)

Google also provides a mobile guide that describes what Google thinks a good web page layout looks like. For example, you should use large fonts and only one column in the layout. Google also gives suggestions like using dynamic layout web pages (detect the screen and rearrange accordingly) and using separate servers (www.domain and m.domain): one for desktop users and one for mobile devices.

Google’s documentation emphasizes that this is really for smartphone users. They state that by “mobile devices”, they are only talking about smartphones and not tablets, feature phones, and other devices. (I always thought that a mobile device was anything you could use while being mobile…)

Little Time, Little Effort

One of my big irks about Google is that Google’s employees seem to forget that not every company is as big as Google or has as many resources as Google. Not everyone is Google. By giving developers very little time to make changes that better match Google’s preferred design, it just emphasizes how out of touch Google’s developers are with the rest of the world. The requirements decreed in their development guidelines also show an unrealistic view of the world. For example:

  • Google recommends using dynamic web pages for more flexibility. It also means much more testing and requires a larger testing environment. Testing is usually where someone notices that the site lacks usability.

    Google+ has a flexible interface — the number of columns varies based on the width of the browser window. But Google+ also has a horrible multi-column layout that cannot be disabled. And LinkedIn moved most of their billions of options into popups — now you cannot click on anything without it being covered by a popup window first.

    For my own sites, I do try to test with different browsers. Even if I think my site looks great on every mobile device I tested, that does not mean that it will look great on every mobile device. (I cannot test on everything.)

    Providing the same content to every device minimizes the development and testing efforts. It also simplifies the usability options.

  • Google suggests the option of maintaining two URLs or two separate site layouts — one for desktops and one for mobile devices. They overlook that this means twice the development effort, which translates into twice the development costs.
  • Maintaining two URLs also means double the amount of bot traffic indexing the site, double the load on the server, and double the network bandwidth. Right now, about 75% of the traffic to my site comes from bots indexing and mirroring (and attacking) my site. If I maintained two URLs to the same content with different formatting, I would be dividing the visitor load between the two sites (half go mobile and half go desktop), while doubling the bot traffic.
  • Google’s recommendations normalize the site layout. Everyone should use large text. Everyone should use one column for mobile displays, etc.

    Normalizing web site layouts goes against the purpose of HTML and basic web site design. Your web site should look the way that you want it to look. If you want small text, then you can use small text. If you want a wide layout, then you can use a wide layout. Every web site can look different. Just be aware that Google’s pagerank system now penalizes you for looking different and for expressing creativity.

  • Google’s online test for mobile devices does not take into account whether the device is held vertically or horizontally. My Android phone rotates the screen and makes the text larger when I hold it horizontally. According to Google, all mobile pages should be designed for a vertical screen.

Ironically, there has been a lot of effort by mobile web browser developers (not the web site, but the actual browser developers) to mitigate display issues in the browser. One tap zooms into the text and reflows it to fit the screen, another tap zooms out and reflows it again. And rotating the screen makes the browser display wider instead of taller. Google’s demand to normalize the layout really just means that Google has zero confidence in the mobile browser developers and a limited view on how users use mobile devices.

Moving targets

There’s one significant technical issue that is barely addressed by Google’s Mobile Developer Guide: how does a web site detect a mobile device?

According to Google, your code should look at the user-agent field for “Android” and “Mobile”. That may work well with newer Android smartphones, but it won’t help older devices or smartphones that don’t use those keywords. Also, there are plenty of non-smartphone devices that use these words. For example, Apple’s iPad tablet has a user-agent string that says “Mobile” in it.

In fact, there is no single HTTP header that says “Hi! I’m a mobile device! Give me mobile content!” There’s a standard header for specifying supported document formats. There’s a standard header for specifying preferred language. But there is no standard for identifying a mobile device.

There is a great write-up called “How to Detect Mobile Devices“. It lists a bunch of different methods and the trade-offs between each.

For example, you can try to use JavaScript to render the page. This is good for most smartphones, but many feature-phones lack JavaScript support. The question also becomes: what should you detect? Screen size may be a good option, but otherwise there is no standard. This approach can also be problematic for indexing bots since it requires rendering JavaScript to see the layout. (Running JavaScript in a bot becomes a halting problem since the bot cannot predict when the code will finish rendering the page.)

Alternately, you can try to use custom style sheets. There’s a style sheet extension “@media” for specifying a different layout for mobile devices. Unfortunately, many mobile devices don’t support this extension. (Oh the irony!)

Usually people try to detect the mobile device on the server side. Every web browser sends a user-agent string that describes the browser and basic capabilities. For example:

User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:25.3) Gecko/20150308 Firefox/31.9 PaleMoon/25.3.0

User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 8_1_2 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12B440 Safari/600.1.4

User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; en-us; SAMSUNG SM-T530NU Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/1.5 Chrome/28.0.1500.94 Safari/537.36

User-Agent: Opera/9.80 (Android; Opera Mini/7.6.40234/36.1701; U; en) Presto/2.12.423 Version/12.16

The first sample user-agent string identifies the Pale Moon web browser (PaleMoon 25.3.0) on a 64-bit Windows 7 system (Windows NT 6.1; Win64). It says that it is compatible with Firefox 31 (Firefox/31.9) and supports the Gecko toolkit extension (Gecko/20150308). This is likely a desktop system.

The second sample identifies Mobile Safari 8.0 on an iPhone running iOS 8.1.2. This is a mobile device — because I know iPhones are mobile devices, and not because it says “Mobile”.

The third sample identifies the Android browser 1.5 on a Samsung SM-T530NU device running Android 4.4 (KitKat) and configured for English from the United States. It doesn’t say what it is, but I can look it up and determine that the SM-T530NU is a tablet.

The fourth and final example identifies Opera Mini, which is Opera for mobile devices. Other than looking up the browser type, nothing in the user-agent string tells me it is a mobile device.

The typical solution is to have the web site check the user-agent string for known parts. If it sees “Mobile” or “iPhone” then we can assume it is some kind of mobile device — but not necessarily a smartphone. The web site Detect Mobile Browsers offers code snippets for detecting mobile devices. Google’s documentation says to look for ‘Android’ and ‘Mobile’. Here’s the PHP code that Detect Mobile Browsers suggest using:

$useragent = $_SERVER['HTTP_USER_AGENT'];
if (preg_match('/(android|bb\d+|meego).+mobile|avantgo|bada\/|blackberry|blazer|compal|elaine|fennec|hiptop|iemobile|ip(hone|od)|iris|kindle|lge |maemo|midp|mmp|mobile.+firefox|netfront|opera m(ob|in)i|palm( os)?|phone|p(ixi|re)\/|plucker|pocket|psp|series(4|6)0|symbian|treo|up\.(browser|link)|vodafone|wap|windows ce|xda|xiino/i', $useragent) || preg_match('/1207|6310|6590|3gso|4thp|50[1-6]i|770s|802s|a wa|abac|ac(er|oo|s-)|ai(ko|rn)|al(av|ca|co)|amoi|an(ex|ny|yw)|aptu|ar(ch|go)|as(te|us)|attw|au(di|-m|r |s )|avan|be(ck|ll|nq)|bi(lb|rd)|bl(ac|az)|br(e|v)w|bumb|bw-(n|u)|c55\/|capi|ccwa|cdm-|cell|chtm|cldc|cmd-|co(mp|nd)|craw|da(it|ll|ng)|dbte|dc-s|devi|dica|dmob|do(c|p)o|ds(12|-d)|el(49|ai)|em(l2|ul)|er(ic|k0)|esl8|ez([4-7]0|os|wa|ze)|fetc|fly(-|_)|g1 u|g560|gene|gf-5|g-mo|go(\.w|od)|gr(ad|un)|haie|hcit|hd-(m|p|t)|hei-|hi(pt|ta)|hp( i|ip)|hs-c|ht(c(-| |_|a|g|p|s|t)|tp)|hu(aw|tc)|i-(20|go|ma)|i230|iac( |-|\/)|ibro|idea|ig01|ikom|im1k|inno|ipaq|iris|ja(t|v)a|jbro|jemu|jigs|kddi|keji|kgt( |\/)|klon|kpt |kwc-|kyo(c|k)|le(no|xi)|lg( g|\/(k|l|u)|50|54|-[a-w])|libw|lynx|m1-w|m3ga|m50\/|ma(te|ui|xo)|mc(01|21|ca)|m-cr|me(rc|ri)|mi(o8|oa|ts)|mmef|mo(01|02|bi|de|do|t(-| |o|v)|zz)|mt(50|p1|v )|mwbp|mywa|n10[0-2]|n20[2-3]|n30(0|2)|n50(0|2|5)|n7(0(0|1)|10)|ne((c|m)-|on|tf|wf|wg|wt)|nok(6|i)|nzph|o2im|op(ti|wv)|oran|owg1|p800|pan(a|d|t)|pdxg|pg(13|-([1-8]|c))|phil|pire|pl(ay|uc)|pn-2|po(ck|rt|se)|prox|psio|pt-g|qa-a|qc(07|12|21|32|60|-[2-7]|i-)|qtek|r380|r600|raks|rim9|ro(ve|zo)|s55\/|sa(ge|ma|mm|ms|ny|va)|sc(01|h-|oo|p-)|sdk\/|se(c(-|0|1)|47|mc|nd|ri)|sgh-|shar|sie(-|m)|sk-0|sl(45|id)|sm(al|ar|b3|it|t5)|so(ft|ny)|sp(01|h-|v-|v )|sy(01|mb)|t2(18|50)|t6(00|10|18)|ta(gt|lk)|tcl-|tdg-|tel(i|m)|tim-|t-mo|to(pl|sh)|ts(70|m-|m3|m5)|tx-9|up(\.b|g1|si)|utst|v400|v750|veri|vi(rg|te)|vk(40|5[0-3]|-v)|vm40|voda|vulc|vx(52|53|60|61|70|80|81|83|85|98)|w3c(-| )|webc|whit|wi(g |nc|nw)|wmlb|wonu|x700|yas-|your|zeto|zte-/i', substr($useragent, 0, 4))) { /* then… */ }

This is more than just detecting ‘Android’ and ‘Mobile’. If the user-agent string says Android or Meego or Mobile or Avantgo or Blackberry or Blazer or KDDI or Opera (with mini or mobi or mobile)… then it is probably a mobile device.

Of course, there are two big problems with this code. First, it has so many conditions that it is likely to have multiple false-positives (e.g., detecting a tablet or even a desktop as a mobile phone). In fact, we can see this problem since the regular expression contains “kindle” — the Amazon Kindle is a tablet and not a smartphone. (And the Kindle user-agent string also includes the word ‘Android’ and may include the word ‘Mobile’.)

Second, this long chunk of code is a regular expression — a language describing a pattern to match. All regular expressions are slow to evaluate and more complicated expressions take more time. Unless you have unlimited resources (like Google) or have low web volume, then you probably do not want to run this code on every web page request.
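To make the two problems concrete, here is an added example (mine, not the post's or Detect Mobile Browsers' code) that runs three classifiers over the four user-agent strings quoted above plus two constructed tablet strings: the documented “Android” plus “Mobile” rule, a bare “Mobile” keyword check, and the first of the two Detect Mobile Browsers alternations (the second, applied to the first four characters, is left out). The iPad and Kindle strings are constructed for this example and are not copied from real devices. It also shows the cheap mitigation for the per-request regex cost: compile once and cache verdicts by exact user-agent string, since a browser sends the same string on every request.

```python
import re
from functools import lru_cache

# User-agent strings to classify. The first four are the ones quoted in the
# post; the iPad and Kindle strings are constructed for this example to stand
# in for the tablet cases the post describes (not copied from real devices).
SAMPLES = {
    "palemoon_desktop": ("Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:25.3) "
                         "Gecko/20150308 Firefox/31.9 PaleMoon/25.3.0"),
    "iphone": ("Mozilla/5.0 (iPhone; CPU iPhone OS 8_1_2 like Mac OS X) "
               "AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 "
               "Mobile/12B440 Safari/600.1.4"),
    "samsung_tablet": ("Mozilla/5.0 (Linux; Android 4.4.2; en-us; SAMSUNG SM-T530NU "
                       "Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) "
                       "Version/1.5 Chrome/28.0.1500.94 Safari/537.36"),
    "opera_mini": ("Opera/9.80 (Android; Opera Mini/7.6.40234/36.1701; U; en) "
                   "Presto/2.12.423 Version/12.16"),
    "ipad_constructed": ("Mozilla/5.0 (iPad; CPU OS 8_1_2 like Mac OS X) "
                         "AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 "
                         "Mobile/12B440 Safari/600.1.4"),
    "kindle_constructed": ("Mozilla/5.0 (Linux; U; Android 4.0.3; en-us; Kindle Fire "
                           "Build/IML74K) AppleWebKit/535.19 (KHTML, like Gecko) "
                           "Silk/3.4 Mobile Safari/535.19"),
}


def google_rule(ua):
    """The documented advice: a smartphone carries both 'Android' and 'Mobile'."""
    return "Android" in ua and "Mobile" in ua


def mobile_keyword(ua):
    """The looser check: anything that says 'Mobile' is treated as mobile."""
    return "Mobile" in ua


# The first Detect Mobile Browsers alternation, as quoted in the post, with the
# PHP delimiter escapes removed. Compiled once at import time rather than on
# every request.
DMB_FIRST = re.compile(
    r"(android|bb\d+|meego).+mobile|avantgo|bada/|blackberry|blazer|compal|"
    r"elaine|fennec|hiptop|iemobile|ip(hone|od)|iris|kindle|lge |maemo|midp|mmp|"
    r"mobile.+firefox|netfront|opera m(ob|in)i|palm( os)?|phone|p(ixi|re)/|"
    r"plucker|pocket|psp|series(4|6)0|symbian|treo|up\.(browser|link)|vodafone|"
    r"wap|windows ce|xda|xiino",
    re.IGNORECASE,
)


def dmb_regex(ua):
    """True when the first Detect Mobile Browsers pattern matches anywhere."""
    return DMB_FIRST.search(ua) is not None


@lru_cache(maxsize=4096)
def classify(ua):
    """Run all three rules once per distinct user-agent string.

    Browsers repeat the same string on every request, so after the first
    request a verdict is a dictionary lookup instead of a regex scan.
    """
    return {
        "google_rule": google_rule(ua),
        "mobile_keyword": mobile_keyword(ua),
        "dmb_regex": dmb_regex(ua),
    }


def classify_all():
    """Verdicts for every sample, keyed by the sample name."""
    return {name: classify(ua) for name, ua in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in classify_all().items():
        print(f"{name:20s} {verdict}")
```

On these inputs the three rules disagree exactly where the post says they would: the “Android” plus “Mobile” rule rejects the iPhone and Opera Mini but accepts the constructed Kindle; the bare “Mobile” check accepts the constructed iPad; and the regex catches the iPhone and Opera Mini, correctly skips the Samsung tablet and the iPad, but still flags the Kindle through both the “android…mobile” and “kindle” branches.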

If Google really wants to have every web site provide mobile-specific content, then perhaps they should push through a standard HTTP header for declaring a mobile device, tablet, and other types of devices. Right now, Google is forcing web sites to redesign for devices that they may not be able to detect.

(Of course, none of this handles the case where an anonymizer changes the user-agent setting, or where users change the user-agent value in their browser.)

Low Ranking Advice

Some of Google’s mobile site suggestions are good, but not limited to mobile devices. Enabling server compression and designing pages for fast loading benefit both desktop and mobile browsers.

I actually think that there may be a hidden motivation behind Google’s desire to force web site redesigns… The recommended layout — with large primary text, viewport window, and single column layout — is probably easier for Google to parse and index. In other words, Google wants every site to look the same so it will be easier for Google to index the content.

And then there is the entire anti-competitive edge. Google’s suggestion for detecting mobile devices (look for ‘Android’) excludes non-android devices like Apple’s iPhone. Looking for ‘Mobile’ misclassifies Apple’s iPad, potentially leading to a lesser user experience on Apple products. And Google wants you to make site changes so that your web pages work better with Googlebot. This effectively turns all web sites into Google-specific web sites.

Promoting aesthetics over content seems to go against the purpose of a search engine; users search for content and not styling. Normalizing content layout contradicts the purpose of having configurable layouts. Giving developers less than two months to make major changes seems out of touch with reality. And requiring design choices that favor the dominant company’s strict views seems very anti-competitive to me.

Many web sites depend on search engines like Google for income — either directly through ads or indirectly through visibility. This recent change at Google will dramatically impact many web sites — sites with solid content but, according to Google, less desirable layouts. Moreover, it forces companies to comply with Google’s requirements or lose future revenue.

Google has a long history of questionable behavior. This includes multiple lawsuits against Google for anti-competitive behavior and privacy violations. However, each of these cases is debatable. In contrast, I think that this requirement for site layout compliance is the first time that the “do no evil” company has explicitly gone evil in a non-debatable way.

Schneier on Security: Federal Trade Commissioner Julie Brill on Obscurity

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

I think this is good:

Obscurity means that personal information isn’t readily available to just anyone. It doesn’t mean that information is wiped out or even locked up; rather, it means that some combination of factors makes certain types of information relatively hard to find.

Obscurity has always been an important component of privacy. It is a helpful concept because it encapsulates how a broad range of social, economic, and technological changes affects norms and consumer expectations.

TorrentFreak: Pirate Bay’s Peter Sunde Kills NSA-Proof Messenger App

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

During the summer of 2013 the Internet was abuzz with the revelations of Edward Snowden. The PRISM scandal exploded and suddenly everyone had confirmation that everything they do online can be stored and monitored on a staggering scale.

As a direct result of this massive privacy breach, people around the world became motivated to fight back against what has developed into one of the biggest technology scandals of recent times.

One of those groups consisted of former Pirate Bay spokesman Peter Sunde, who together with friends and Flattr allies Linus Olsson and Leif Högberg began working on Hemlis, a messaging app for both iOS and Android. The aim of the game was for Hemlis (‘secret’ in Swedish) to provide absolute secrecy, with only the sender and recipient able to read messages – not middle men like prying governments.

“People act differently if they think someone is listening in to their conversation. That’s what Stasi taught us for instance. It’s one of many reasons why privacy is so vital,” Sunde told TF at the time.

But with hundreds of news articles behind them and the two-year anniversary of the project’s birth just around the corner, the Hemlis team have now delivered the ultimate in bad news.

“Lately we have been awfully quiet. The reasons are many, sad and non important right now. They have though made this project drag along and that made us understand a thing we feared for quite a while but neglected to accept. New messengers fail miserably,” the team said in a statement.

“Each new attempt has made us understand that our goal of creating a mass market messenger just based on the fact that it is private, secure and beautiful, is not nearly enough. As the only reason we are doing this is to give you viable huge scale alternative to the existing systems there is really only one thing to do at this stage. Accept our current roadmap and goals as defunct.”

While there were many reasons for the project to succeed, the challenges faced by the Hemlis team proved insurmountable.

At least initially, financing wasn’t a problem, with around $150,000 raised via a short crowd-funding campaign. Then disaster struck when around $30,000 disappeared after a bitcoin wallet was stolen from Hemlis’ bitcoin supplier. Keeping up with the budgets of the competition also took its toll.

“We decided to hire some people to help us out with the things we are not experts in. The process was slow and hit with lots of realizations that certain things would not work. The ideas were too complex and sometimes just too expensive,” Peter Sunde explains.

“We had a lot of money, but far away [from] the same amount (we’re talking millions or billions) that our competitors had access to… They’ve had more progress and financial support so they could speed up their process to the level that they’re now really good. Better than our messaging app could become right now. Ok, they’re missing on features but they have the ability and cash to resolve those issues. And our goal was always to ensure that the everyday users would be protected.”

But financial and technical issues aside, personal issues also played a big part in the project’s demise.

“In the middle of it all one of our team members got a kid and had to focus on that of course. I personally had other issues as I got kidnapped by the Swedish government and locked up for my work with another project – The Pirate Bay. In the middle of the kidnapping, my father died,” Sunde explains.

“I had no way of working on anything, and I’ve had a hard time with how I personally need to handle things. This project – as well as the other projects I’m involved in – were hit massively by my absence. And they still are, since I have not been able to get 100% on my feet yet. I’m getting there but just as with other things, it takes a lot of time.”

A few weeks ago Sunde said the team took a step back to assess its position. While decent apps for both iOS and Android exist semi-completed, Hemlis is far from a market-ready product. More time and money would need to be pumped in for it to succeed.

“We decided that we could go two ways. We could ask for more money (a lot), either from the community or some investors. Or we could close down. Since we already got money from the community with way too little to show back from the expectations that felt wrong,” Sunde explains.

“And we don’t think that it would be a good idea to ask investors for money since we’d lose control over the project. So in the end, closing it down felt like the least bad thing to do.”

While many supporters of the project are supportive of the brave decision to close Hemlis down, others have been more critical. Some, having pumped money into the project and received nothing, are downright angry. Nevertheless, one of the big takeaways is that in some shape or form, will be handed back to its backers.

“We’ll release the usable parts of the code as free software with the most free license we can. It belongs to the community (and the community paid for it),” Sunde says, adding that there may be other ways to achieve similar aims.

“I’m personally trying to influence people and politicians to make sure we don’t need systems like We should be protected by the governments instead of trying to protect ourselves from them. It’s a multi-angle attack needed, technology, political work and transparency,” Sunde concludes.

Source: TorrentFreak, for the latest info on copyright, file-sharing, torrent sites and anonymous VPN services.

Schneier on Security: An Incredibly Insecure Voting Machine

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security


The weak passwords — which are hard-coded and can’t be changed — were only one item on a long list of critical defects uncovered by the review. The Wi-Fi network the machines use is encrypted with wired equivalent privacy, an algorithm so weak that it takes as little as 10 minutes for attackers to break a network’s encryption key. The shortcomings of WEP have been so well-known that it was banished in 2004 by the IEEE, the world’s largest association of technical professionals. What’s more, the WINVote runs a version of Windows XP Embedded that hasn’t received a security patch since 2004, making it vulnerable to scores of known exploits that completely hijack the underlying machine. Making matters worse, the machine uses no firewall and exposes several important Internet ports.

It’s the AVS WinVote touchscreen Direct Recording Electronic (DRE). The Virginia Information Technology Agency (VITA) investigated the machine, and found that you could hack this machine from across the street with a smart phone:

So how would someone use these vulnerabilities to change an election?

  1. Take your laptop to a polling place, and sit outside in the parking lot.
  2. Use a free sniffer to capture the traffic, and use that to figure out the WEP password (which VITA did for us).
  3. Connect to the voting machine over WiFi.
  4. If asked for a password, the administrator password is “admin” (VITA provided that).
  5. Download the Microsoft Access database using Windows Explorer.
  6. Use a free tool to extract the hardwired key (“shoup”), which VITA also did for us.
  7. Use Microsoft Access to add, delete, or change any of the votes in the database.
  8. Upload the modified copy of the Microsoft Access database back to the voting machine.
  9. Wait for the election results to be published.

Note that none of the above steps, with the possible exception of figuring out the WEP password, require any technical expertise. In fact, they’re pretty much things that the average office worker does on a daily basis.


Дни: 21st Century

This post was syndicated from: Дни and was written by: Антония. Original post: at Дни

Unknown number:

– Hello, is this Антония? You have a parcel from abroad, come and collect it!
– Where, at the post office or a courier office?
– Oh, at the post office, here, next to the clinic. OK, bye.

And the most ironic thing about the whole situation is how pleased I actually am that they called.

Lately, when I order online, I put my mobile phone number as a line in the address: Sofia, street, block, apartment, number +35988… Forget privacy. Because otherwise the post office usually doesn't bother to let me know that I have a parcel. Half the time the package "disappears", the other half it gets returned to the sender. And DHL get as far as the building entrance and, if you're not waiting for them on the steps, they simply leave. And afterwards they explain to you that the address was wrong. Sloppy work.

The Hacker Factor Blog: There’s No Fool Like an April Fool

This post was syndicated from: The Hacker Factor Blog and was written by: The Hacker Factor Blog. Original post: at The Hacker Factor Blog

I stopped celebrating “April Fools Day” many years ago. There’s always someone pulling an unfunny joke, someone trying to hide the fact that they fell for it, and someone who doesn’t get the joke — taking it way too seriously. And most of the gags I’ve seen really haven’t been funny. Moreover, people seem to be doing gags all the time; April Fools day just isn’t special anymore.

In the last two weeks, I have seen three computer security articles where people have just behaved like idiots. In one case, it’s the vendors. In another case, it’s the security researcher. And in the third case, it was law enforcement. With these news reports, I find it hard to believe that it isn’t April 1st.

Car Hacking

There are some things that people in the security community have known for years but have not been made public yet. The reason is usually that experts are working (or trying to work) with vendors to fix the problems. The bigger the problem, the longer it may take to fix. Whispers among small groups of people with the knowledge may go on for years before some problems are resolved. In many cases, the fixes are performed quietly since a public announcement will only benefit the bad guys during a slow roll-out. These are usually the cases where informing the public will educate criminals, without any viable solution for the public.

However, sometimes the vendors become non-responsive. That’s when vulnerabilities with no solution are often made public.

Earlier this month, news outlets reported on an upcoming security presentation about car hacking. Keep in mind, talks on car hacking have been going on for a decade. In this latest exploit, the attacker only needs a $20 amplifier that can fit in your hand to unlock your keyless-entry car. (Funny… the same exploit was discussed two years ago, when it only cost $5.)

Attacks against this keyless entry system have ranged from cracking the weak cryptography (2006) to record and playback attacks (2010).

So here’s the exploit (as detailed by various news outlets)… New keyless-entry cars just require the key near the car in order to unlock. What’s really happening is that the car is constantly sending out a cryptographic challenge over a wireless frequency to the key. The car uses a low power radio signal, so the key has to be very close to hear the challenge. If the key is near enough (usually within a few inches) then it hears the challenge, issues a response, and the car unlocks.

In this latest attack (which is actually from 2013), an amplifier just replays the car’s query louder. Rather than needing the key within a few inches, it can be a few hundred feet away and it will still respond. The amplifier hears the whispered response from the distant key and repeats it so the car can hear it. In the radio community, this is a basic radio repeater — it is technology that has been around for about a century. There’s no need for decryption and no interfering with the signal; the signal is just made louder so it has a larger range.

There comes a point when vendors fail to fix a problem and it must be made public. This usually happens when bad guys are actively using the exploit. Making these details public won’t help bad guys since they already know about it. But public disclosure will inform the public and force legal repercussions onto the vendors.

In this case, the bad guys clearly know about this. Back in 2013, police announced that they were stumped by some car thefts. They included a video where the criminals walk up to the car, hold a small device in their hand, and the car unlocks. This happened outside a residence, where we can assume the key was probably less than a hundred feet from the car. (If the car doesn’t unlock, then the key is probably too far away to hear the amplified signal.)

When I first heard of the car break-ins (in 2013) I started asking around. The exploit had been known to some people in the security community for over a year. They had been trying to get the vendors to address the problem. It is no surprise to me that someone would make the details public years later, since vendors are still rolling out the same keyless entry system in even more vehicles.

Airplane Hacking

While I may be critical of them, I have a lot of respect for the Electronic Frontier Foundation. They stand up for computer security researchers, challenge governments and corporations that violate our digital freedoms, and advise us on ways to stay safe online. However, sometimes I question the battles that the EFF is willing to fight…

Last week, security researcher Chris Roberts was detained by the FBI. He had been planning on speaking at the upcoming RSA conference on airplane insecurity (how to hack airplanes while sitting in coach). Last week, the FBI visited Roberts. They confiscated his equipment but eventually released him. However, that wasn’t the end of it…

On his way to the conference, United Airlines refused to let him board the plane. Roberts was lucky to get on a different airline in order to make it to the conference. According to the EFF:

Our client, Chris Roberts, a founder of the security intelligence firm One World Labs, found himself detained by the FBI earlier this week after tweeting about airplane network security during a United Airlines flight. When Roberts landed in Syracuse, he was questioned by the FBI, which ultimately seized a number of his electronic devices. EFF attorneys now represent Roberts, and we’re working to get his devices back promptly. But unfortunately last week’s tweet and FBI action isn’t the end of the story.

Roberts was back at the airport on Saturday evening, headed to San Francisco to attend two high-profile security conferences, the RSA Conference, where he is scheduled to present on Thursday, and BSides SF. After Roberts retrieved his boarding pass, made his way through the TSA checkpoint and reached the gate, United corporate security personnel stopped him from boarding the plane. Roberts was told to expect a letter explaining the reasons for not being allowed to travel on United. Thankfully, Roberts was able to book a last-minute flight on another airline and has now landed safely in San Francisco.

Reading the report from the EFF, one would think that the FBI and United Airlines were trying to stop the presentation, hinder his freedom of speech, and enforce security by obscurity. However, the EFF left out one major detail: Roberts had tweeted a threat to the airlines.

In this tweet, Roberts explicitly listed attacks he could do on the airplane.

Keep in mind, talking about how to make bombs in an airport, how to shoot up a school, or how to take down an airplane before getting on a plane is still plotting to kill people. Even if said as a joke (not funny) or if he had no real intent.

I’m not an attorney, but it should be obvious that Freedom of Speech does not give you the freedom to cause panic or harm. As ruled in Schenck v. United States (249 U.S. 47, 1919), the First Amendment does not allow you to cause panic by shouting fire in a crowded theater. Tweeting about ways to take down an airplane that you are about to board seems no different to me.

Chris Roberts even knew that these actions were likely illegal, as he tweeted in follow-ups:

Frankly, I’m surprised that the FBI let him go. And I don’t blame United Airlines for exercising their right to refuse service to someone who threatened the safety of their airline.

Do I think the airlines have a security problem that needs to be addressed? Definitely. Do I think that the airplane manufacturers and network providers (e.g., Boeing and Cisco) are intentionally ignoring the problem? Yes. Do I think Chris Roberts should give his presentation? Absolutely. But I also think Roberts was a dumb-ass for tweeting his “joke”.

In the case of Roberts, I doubt that anyone would have interfered with him if he did not tweet his joke. I’m looking forward to hearing how the EFF plans to defend this type of threatening speech that was clearly intended to cause panic.

Felony for an 8th Grader

Less than two weeks ago, the Tampa Bay Times reported on an eighth-grader at Paul R. Smith Middle School in Holiday, Florida. The kid had used the teacher’s computer and pulled a prank; he “changed the background image on a teacher’s computer to one showing two men kissing.” The kid was charged with “offense against a computer system and unauthorized access, a felony.”

(Note: Even though news articles repeatedly mention his name, I’m not naming the kid here because he is a minor.)

The article even quotes Sheriff Chris Nocco: “Even though some might say this is just a teenage prank, who knows what this teenager might have done.” To this, I feel that I need to personally respond to the sheriff…

Dear Sheriff Nocco:

Changing a background picture is not the same as stealing cars or threatening to take down airplanes. It’s a prank and nobody got hurt — except the kid, who is probably scarred for life. If you do not see the difference between changing a background picture and the threats dreamed up by your wild imagination, then you need to take some technology courses. And if you cannot see the difference between a prank and a threat, then you need to choose a new occupation.

The article mentions a lot of details about this case. I hope that the kid’s attorney is focusing on these items:

  • The article says that the kid “logged onto the school’s network on March 31 using an administrative-level password without permission.” If he had the password, then he had permission. He did not hack the system; he used it as it was designed.
  • The article says that this happened on March 31 and that the teacher was out that day. This means that the teacher would see it the next day, on April 1st (April Fools Day). This goes along with it being a harmless prank.
  • “One of the computers [the kid] accessed also had encrypted 2014 FCAT questions stored on it, though the sheriff and Pasco County School District officials said [the kid] did not view or tamper with those files.” If the kid did not attempt to access, view, or tamper with those files, then this clearly goes toward the kid’s intent as a prank and not anything malicious.
  • The kid was interviewed at his home and mentioned that ‘students would often log into the administrative account to screen-share with their friends’. (I’m quoting the Tampa Bay Times and not the kid’s actual words.) This shows that using the administrative account was common practice and acceptable behavior. If it wasn’t acceptable, then the administrators would have stopped this behavior before the kid changed the background.
  • The Tampa Bay Times noted that the kid discovered the password by watching the teacher type it in. The purpose of a classroom is for a teacher to show students new concepts. If the teacher showed any student how to log in, then the child clearly learned well in this classroom environment.
  • The most startling part is where the Tampa Bay Times wrote, “It was a well-known trick … because the password was easy to remember: a teacher’s last name.” *sigh* At least the password wasn’t “abcde” — like some voting machines in Virginia. If someone intentionally chooses a weak password, then it implies that someone thinks that the system does not need to be secured. Simple patterns (“abcde”, “12345”, etc.), common words (“password”), and personal names have topped the lists of bad password choices for decades.

If the kid gets a felony for this, then the teacher should get life. I’m not an attorney and I can easily see that the teachers (both the regular teacher and the substitute) should be charged with Contributing to the Delinquency of a Minor, Attractive Nuisance, and Child Neglect. In particular, the child was left alone with the teacher’s computer after being shown how to log in to it. I’m sure an attorney could come up with even more charges.

The EFF pointed out some of these issues in their own report. The EFF describes the Florida law as using “overbroad and insensible language” and being applied arbitrarily. They also point out that the “school had terrible operational security where weak passwords, teachers entering passwords in front of students, and students regularly using teacher credentials, was prevalent.”

The news article ends with a warning from Sheriff Nocco: “If information comes back to us and we get evidence (that other kids have done it), they’re going to face the same consequences.”

In my opinion, Sheriff Nocco is an idiot. You don’t charge an inquisitive child with a felony for a harmless prank. The child should get off with nothing more than a reprimand. And if he is this creative and this tech savvy, then he should be placed in an environment that nurtures and directs his talents toward a beneficial outcome. (Why not have the kids suggest how to strengthen the school’s computer security, since clearly the teachers do not know?) In contrast, the teacher and the school should face heavy repercussions for failing to provide a safe environment for these children, failing to secure their computer systems, and failing to provide adequate guidance. And Sheriff Nocco should take an early retirement before he gets charged with something more serious, like restricting the child’s creative outlet (a First Amendment violation).

Not Joking

It is long after April 1st, but we still have people acting like idiots. Car vendors should have acted upon these exploits when they learned of the risks. Security researchers should not make jokes about technologies that put life in danger. And law officers should not treat pranks as felonies. On the Internet, every day seems like April Fools Day.

TorrentFreak: TV Companies Will Sue VPN Providers “In Days”

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

As Internet users demand more freedom online alongside an ability to consume media in a manner of their choosing, tools allowing them to do so are gaining in popularity.

Notable has been the rise of VPN services, which not only provide an increased level of privacy but also allow users to appear in any country they choose. This opens up a whole new world of content availability – such as better service from Netflix – often at better prices than those offered on home turf.

While popular with consumers, this behavior is frowned upon by distribution companies that spend huge sums of money on content licensing deals specific to their regions of coverage. Losing customers to overseas providers isn’t part of their plan and now some are doing something about it.

Earlier this month media companies SKY, TVNZ, Lightbox and MediaWorks told several Kiwi ISPs that if they don’t stop providing VPN services to their subscribers, legal trouble would be on the horizon.

Within days one of their targets, Unlimited Internet, pulled its VPN service after receiving a letter from a law firm claiming breaches of the Copyright Act. However, CallPlus and Bypass Network Services have no intention of caving in to the media giants’ demands.

“To receive without warning a grossly threatening legal letter like that from four of the largest companies in New Zealand is not something we are used to,” wrote Bypass CEO Patrick Jordan-Smith in a letter to the media companies.

“It smacks of bullying to be honest, especially since your letter doesn’t actually say why you think we are breaching copyright.”

Pulling no punches and describing his adversaries as a “gang”, Jordan-Smith likens the threats to those employed by copyright trolls in the United States.

“Your letter gets pretty close to the speculative invoicing type letters that lawyers for copyright owners sometimes send in the US ‘pay up or shutdown or else we are going to sue you’! Not fair,” he writes.

“We have been providing the Global Mode facility for 2 years. In all that time, none of your Big Media Gang have ever written to us. We assumed they were OK with Global Mode and we continued to spend money innovating the facility and providing innovative NZ ISPs with a service that their customers were telling them they wanted – a service that lets people pay for content rather than pirate it.”

The response from Bypass hasn’t been well received by the media companies who now say they will carry through with their threats to sue over breaches of copyright.

“Our position has not changed and unless they remove the unlawful service we will begin court action in the next few days,” says TVNZ chief executive, Kevin Kenrick.

“Each of our businesses invests significant sums of money into the rights to screen content sourced legitimately from the creators and owners of that copyrighted material. This is being undermined by the companies who profit from promoting illegitimate ways to access that content.”

Claiming that the action is aimed at defending the value of content rights in the digital world, Kenrick says that the legal action is not consumer focused.

“This is not about taking action against individual consumers or restricting choice, indeed each of our businesses are investing heavily in more choice so New Zealanders can have legitimate access to the latest TV shows and movies,” the CEO concludes.

While the commercial position of the TVNZ chief is understandable, his claim that this legal action isn’t aimed at reducing choice simply doesn’t stack up. Kiwis using Netflix locally get access to around 220 TV series and 900 movies, while those using a VPN to tunnel into the United States enjoy around 940 TV series and 6,170 movies, something which Bypass Networks believes is completely legal.

“[We provide our service] on our understanding that geo-unblocking to allow people to digitally import content purchased overseas is perfectly legal. If you say it is not, then we are going to need a lot more detail from you to understand why,” Jordan-Smith informs his adversaries.

“Simply sending us a threatening letter, as frightening as that may be, does not get us there and is not a fair reason for us to shut down our whole business.”

Source: TorrentFreak, for the latest info on copyright, file-sharing, torrent sites and anonymous VPN services.

Schneier on Security: Two Thoughtful Essays on the Future of Privacy

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

Paul Krugman argues that we’ll give up our privacy because we want to emulate the rich, who are surrounded by servants who know everything about them:

Consider the Varian rule, which says that you can forecast the future by looking at what the rich have today — that is, that what affluent people will want in the future is, in general, something like what only the truly rich can afford right now. Well, one thing that’s very clear if you spend any time around the rich — and one of the very few things that I, who by and large never worry about money, sometimes envy — is that rich people don’t wait in line. They have minions who ensure that there’s a car waiting at the curb, that the maitre-d escorts them straight to their table, that there’s a staff member to hand them their keys and their bags are already in the room.

And it’s fairly obvious how smart wristbands could replicate some of that for the merely affluent. Your reservation app provides the restaurant with the data it needs to recognize your wristband, and maybe causes your table to flash up on your watch, so you don’t mill around at the entrance, you just walk in and sit down (which already happens in Disney World.) You walk straight into the concert or movie you’ve bought tickets for, no need even to have your phone scanned. And I’m sure there’s much more — all kinds of context-specific services that you won’t even have to ask for, because systems that track you know what you’re up to and what you’re about to need.

Daniel C. Dennett and Deb Roy look at our loss of privacy in evolutionary terms, and see all sorts of adaptations coming:

The tremendous change in our world triggered by this media inundation can be summed up in a word: transparency. We can now see further, faster, and more cheaply and easily than ever before — and we can be seen. And you and I can see that everyone can see what we see, in a recursive hall of mirrors of mutual knowledge that both enables and hobbles. The age-old game of hide-and-seek that has shaped all life on the planet has suddenly shifted its playing field, its equipment and its rules. The players who cannot adjust will not last long.

The impact on our organizations and institutions will be profound. Governments, armies, churches, universities, banks and companies all evolved to thrive in a relatively murky epistemological environment, in which most knowledge was local, secrets were easily kept, and individuals were, if not blind, myopic. When these organizations suddenly find themselves exposed to daylight, they quickly discover that they can no longer rely on old methods; they must respond to the new transparency or go extinct. Just as a living cell needs an effective membrane to protect its internal machinery from the vicissitudes of the outside world, so human organizations need a protective interface between their internal affairs and the public world, and the old interfaces are losing their effectiveness.

TorrentFreak: Hollywood Seeks Net Neutrality Exceptions to Block Pirates

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

The Brazilian Civil Rights Framework for the Internet (Marco Civil da Internet) is legislation that governs the use of the Internet in Brazil. Under development since 2009, among other key issues the Marco Civil is aimed at protecting online privacy rights and net neutrality principles.

The law, which passed last April, was fast-tracked in the wake of revelations from Edward Snowden indicating that the U.S. had been spying on President Dilma Rousseff’s emails and phone calls, those of Brazil’s biggest oil company, and the communications of millions of citizens.

After being in place for a year, Brazil is now rolling out the Marco Civil’s secondary legislation, with the Ministry of Justice announcing a public consultation process allowing stakeholders to contribute to the development of the law.

One of the organizations getting involved is the Motion Picture Association, the international big brother to the United States’ MPAA. According to the MPA, which counts all the big movie studios among its members, the Marco Civil’s net neutrality provisions present an obstacle to rightsholders seeking to protect their content online.

In a submission to Justice Minister José Eduardo Cardozo, the Motion Picture Association expresses concern that the legislation’s current wording is too tight and that exceptions need to be introduced in order to deal with online piracy.

“[Our] position is that the regulation should contain cases of exception to the general rule of net neutrality, enabling the judiciary to determine that traffic to a given illegal repository can be blocked,” the MPA writes.

“The aforementioned suggestion is based on the premise that an adequate service must be in harmony with the possibility of allowing the judiciary to block access to content that, based on judicial scrutiny, is illegal for any reason, from a case of child pornography and trafficking of illegal substances, to the case of systematic disregard for the consumer and violation of intellectual property rights.”

The MPA notes that due to the borderless nature of the Internet anyone can access content from any location. This presents challenges on a national level when undesirable content is made available from other parts of the world, the group says.

“For content hosted within a national territory a judge may issue a removal order, or in the case of breaches in the copyright field, the rightsholder can send a takedown notice to the ISP, requesting that the content is rendered unavailable,” the MPA states.

“However, when the content is hosted in a foreign nation, the Brazilian court order may [not have jurisdiction] or produce the expected results for months, perhaps years, after the court order has been issued.”

According to the MPA there is only one way to remedy this kind of impotence but the way the law is currently worded, the solution remains elusive.

“In these cases the Brazilian courts have only one option: to order service providers to implement technical measures to block Internet traffic when it has been established that services are illegal,” the MPA notes.

“Without a clear provision for these techniques, in the midst of regulations, the current wording of the Marco Civil deprives courts of this possibility, leaving them unable to address such threats.”

The net neutrality debate is a sensitive one and one that has the potential to seriously affect Hollywood’s interests. With that in mind the MPA and MPAA will be keen to ensure that any new legislation, whether overseas or on home turf, won’t hinder the pursuit and monitoring of online pirates.

Source: TorrentFreak, for the latest info on copyright, file-sharing, torrent sites and anonymous VPN services.

Linux How-Tos and Linux Tutorials: Tweaking Ubuntu Unity to Better Suit Your Needs

This post was syndicated from: Linux How-Tos and Linux Tutorials and was written by: Jack Wallen. Original post: at Linux How-Tos and Linux Tutorials


Ubuntu Unity. Never before has there been a user interface to bring about such polar opinions. Users either love it or hate it—there’s very little middle ground. One of the reasons so many lay claim to their dislike of Unity is the lack of configuration options.

If you compare Unity to the likes of Xfce, you will certainly find that Unity does, in fact, lack a certain amount of available options. However, that does not mean the shell is locked down such that it cannot be configured. In fact, you’ll be surprised at just how much you can do with Unity. That is my goal here, to introduce you to some Unity tweaks you can easily manage in order to make the default Ubuntu desktop work perfectly for you.


One issue that Ubuntu gets hit hard on is privacy. There are certain elements of Unity that make the interface incredibly efficient. One element is Scopes. With Scopes you can, from within the Dash, search anywhere—both locally and online—for anything. Problem is, some users see this as an invasion of their privacy. Thankfully, the developers of Unity foresaw this and ensured that users can easily configure Scopes to best suit their privacy needs.

First, let’s see how you can fine-tune Scopes to include (or exclude) locations from the web. Say, for example, you aren’t overly concerned about the privacy of your search results, but don’t want to include all sources or categories in your results. Let me show you how.

  1. Open the Unity Dash (either by clicking the Ubuntu logo on the Launcher or by pressing the Super key on your keyboard).

  2. When the Dash opens, click on Filter results.

  3. From the listing, enable and disable the sources and/or categories to fit your needs. (Figure 1)

When you set a filter, it should stick—so the next time you go to search using the Dash, the same categories and sources should remain.

For those that take their privacy seriously, you can completely disable online search results. To do this, follow these steps:

  1. Open the Dash.

  2. Type settings and, when it appears in the results, click to open the Settings tool.

  3. Click on Security & Privacy.

  4. Click on the When searching in the Dash ON/OFF slider (Figure 2) until it is set to OFF.


NOTE: Once you’ve disabled online search results, you will still see all local search results (which will include all locally attached drives).
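The slider above toggles a GSettings key, so the same privacy setting can be audited and enforced from a terminal or a provisioning script. The following is an added example, not code from the original article; it assumes Unity 7’s `com.canonical.Unity.Lenses` schema with its `remote-content-search` key (values `'all'` or `'none'`), which is what the Settings tool flips.

```shell
#!/bin/sh
# Added example (not from the original article): audit and enforce the
# "When searching in the Dash" setting without the GUI.
# Assumes Unity 7's schema com.canonical.Unity.Lenses and key
# remote-content-search, whose value is 'all' (online results on)
# or 'none' (online results off).

SCHEMA="com.canonical.Unity.Lenses"
KEY="remote-content-search"

# classify_remote_search RAW
# RAW is the text `gsettings get $SCHEMA $KEY` prints, e.g. "'none'".
# Prints private|online|unknown; returns 0 only when online search is off.
classify_remote_search() {
    # gsettings wraps string values in single quotes; strip them
    v=$(printf '%s' "$1" | tr -d "'")
    case "$v" in
        none) echo private; return 0 ;;
        all)  echo online;  return 1 ;;
        *)    echo unknown; return 2 ;;
    esac
}

# audit_dash_privacy: read the live setting and classify it.
# Returns 0 when online results are off, 1 when on, 2 if unreadable
# (gsettings missing, schema not installed, or unexpected value).
audit_dash_privacy() {
    if ! command -v gsettings >/dev/null 2>&1; then
        echo "gsettings not found (not a Unity desktop?)" >&2
        return 2
    fi
    raw=$(gsettings get "$SCHEMA" "$KEY" 2>/dev/null) || return 2
    classify_remote_search "$raw"
}

# disable_dash_online_search: same effect as setting the slider to OFF.
disable_dash_online_search() {
    gsettings set "$SCHEMA" "$KEY" "'none'"
}

# Command-line use: "audit" reports, "fix" disables and re-checks.
# With no argument the script only defines the functions (for sourcing).
case "${1:-}" in
    audit) audit_dash_privacy ;;
    fix)   disable_dash_online_search && audit_dash_privacy ;;
    "")    ;;
    *)     echo "usage: $0 audit|fix" >&2; exit 64 ;;
esac
```

Run it as `sh unity-dash-privacy.sh audit` on each machine (exit status 1 means online results are still on), or `fix` to switch them off; local results are unaffected either way.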

Unity Tweak Tool

The Unity Tweak Tool is a must have for those who want to tweak Ubuntu Unity. With it you can not only tweak options (that aren’t available in the standard Settings tool) for Unity, but for the Window Manager, Appearance, and System. Configuration categories within the Unity Tweak Tool include:

  • Launcher

  • Search

  • Panel

  • Switcher

  • Web Apps.

Within each category you will find plenty of options to tweak.

To install the Unity Tweak Tool, simply open up the Ubuntu Software Center, search for “tweak”, and click to install. Once installed, you will find this tool as easy to use as the standard Settings tool.

One particular feature you might want to pay close attention to is the Web Apps category. Unity Web Apps brings desktop integration for particular websites and services (such as Amazon, Google Drive, or Facebook). By default Web Apps is enabled and Amazon and (the now defunct) Ubuntu One are installed. If you open the Ubuntu Software Center and do a search for “webapps”, you’ll find a number of additional apps to be integrated into Unity. The only caveat to adding Web Apps is that many of them simply offer little more than a shortcut to the website and no other features. To this end, many users opt to disable this Unity feature. The easiest way to do so is through Unity Tweak Tool. From within the Web Apps tab, switch the Integration prompts to OFF (Figure 3) and Unity will no longer prompt you to integrate sites.


You should also uncheck any authorized domains already associated with Web Apps. This doesn’t actually remove Webapps integration, but you will not be prompted to include services and sites that happen to be available.

Workspace switcher

Oddly enough, workspaces, a feature that has been a part of the Linux landscape for over a decade, default to off on the latest iterations of Linux. For many users, workspaces were one of the most efficient means of managing a busy Linux desktop.

Fortunately, workspaces can be enabled without having to install any third-party software. However, the setting is a bit hidden. Here’s how to enable workspaces:

  1. Open the Dash and type “settings” (no quotes)

  2. From the Settings window, click Appearance

  3. Click on the Behavior tab

  4. Click to enable workspaces (Figure 4).


To switch between workspaces, either click on the Workspace icon in the Launcher or tap and hold Ctrl+Alt and then tap either the right or left arrow key. You can also tap the Super+s key and then tap the arrow key to move to the workspace you want to use and hit the Enter key to give that workspace focus.

NOTE: You can also configure workspaces within the Unity Tweak Tool (where you can also configure the number of both vertical and horizontal workspaces).


One oft-forgotten feature of Unity is hotcorners. What this feature does is set each corner of your desktop to a certain behavior. The available behaviors are:

  • Toggle desktop

  • Show workspace

  • Toggle windows spread

  • Spread all windows.

There are actually eight hotcorners that can be configured through the Unity Tweak Tool. From the Tweak Tool main window, click Hotcorners and then make sure the feature is set to ON (Figure 5).


For each available hotcorner, click the drop-down and select the behavior you want to associate with that location.

There is one caveat to using this feature. If you have multiple monitors, setting the corners and edges can get tricky because hotcorners treats both monitors as one—so the right corners and edge of the left monitor and the left corners and edge of the right monitor will not function as hotcorners. Personally, I set the bottom hotcorner with the Spread all Windows and it works on both monitors.

Window controls

Finally, if you’re one of those that cannot stand the Close, Minimize, and Maximize buttons on the upper left corner of the windows, you can change that with the help of the Unity Tweak Tool. From the Overview, click on Window Controls and then select between the Left or Right layout (Figure 7).


You do not have to be constrained within the default look and feel of Unity. With the addition of a single tool and a bit of poking around, you can find plenty of tweaks to help make Unity best fit your needs and work more efficiently.

Have you found a tweak for Unity that would help make users’ experiences even more productive? If so, feel free to share in the comments.