Posts tagged ‘Privacy’

SANS Internet Storm Center, InfoCON: green: BizCN gate actor changes from Fiesta to Nuclear exploit kit, (Mon, Jul 6th)

This post was syndicated from: SANS Internet Storm Center, InfoCON: green and was written by: SANS Internet Storm Center, InfoCON: green. Original post: at SANS Internet Storm Center, InfoCON: green

Introduction

An actor using gates registered through BizCN recently switched from Fiesta to Nuclear exploit kit (EK). This happened around last month, and we first noticed the change on 2015-06-15.

I started writing about this actor in 2014 [1, 2] and recently posted an ISC diary about it on 2015-04-28 [3]. I've been calling this group the BizCN gate actor because the domains used for the gate have all been registered through the Chinese registrar BizCN.

We collected traffic and malware samples related to this actor from Friday 2015-07-03 through Sunday 2015-07-05. This traffic has the following characteristics:

  • Compromised servers are usually (but not limited to) forum-style websites.
  • Gate domains have all been registered through the Chinese registrar BizCN using privacy protection.
  • The domains for Nuclear EK change every few hours and were registered through freenom.com.
  • Nuclear EK for this actor is on 107.191.63.163, which is an IP registered to Vultr, a hosting provider specializing in SSD cloud servers [4].
  • The payload occasionally changes and includes malware identified as Yakes [5], Boaxxe [6], and Kovter.

NOTE: For now, Kovter is relatively easy to spot, since it's the only malware I've noticed that updates the infected host's Flash player [7].

Chain of events

During a full infection chain, the traffic follows a specific chain of events. The compromised website has malicious javascript injected into the page that points to a URL hosted on a BizCN-registered gate domain. The gate domain redirects traffic to Nuclear EK on 107.191.63.163. If a Windows host running the web browser is vulnerable, Nuclear EK will infect it. Simply put, the chain of events is:

  • Compromised website
  • BizCN-registered gate domain
  • Nuclear EK

Let's take a closer look at how this happens.

Compromised website

Compromised websites are the first step in an infection chain.

In most cases, the malicious javascript will be injected on any page from the site, assuming you get to it from a search engine or other referrer.

BizCN-registered gate domain

The gate directs traffic from the compromised website to the EK. The HTTP GET request to the gate domain returns javascript. In my last diary discussing this actor [3], you could easily figure out the URL for the EK landing page.

We've found at least four IP addresses hosting the BizCN-registered gate domain. They are:

  • 136.243.25.241
  • 136.243.25.242
  • 136.243.224.10
  • 136.243.227.9

If you have proxy logs or other records of your HTTP traffic, search for these IP addresses. If you find the referrers, you might discover other websites compromised by this actor.
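The hunt the diary suggests, written out as an added example (not code from the diary or the ISC): scan proxy log lines for the four gate IPs and the Nuclear EK IP listed above, pull the referrers on the gate requests to surface candidate compromised sites, and reconstruct per-client chains (compromised site, gate, EK). The log format, client addresses and all hostnames are constructed for the example; only the IP indicators come from the diary.

```python
"""Hunt HTTP proxy logs for the BizCN gate and Nuclear EK IPs from the diary,
then use the referrers to surface candidate compromised websites."""
from collections import defaultdict
from urllib.parse import urlparse

# Indicators from the diary: IPs hosting the BizCN-registered gate domains,
# and the IP hosting Nuclear EK during 2015-07-03 through 2015-07-05.
GATE_IPS = {"136.243.25.241", "136.243.25.242", "136.243.224.10", "136.243.227.9"}
NUCLEAR_EK_IPS = {"107.191.63.163"}

# Constructed sample log (not real traffic); hostnames are placeholders.
# Field order: timestamp client_ip dest_ip method url status referer
SAMPLE_LOG = """\
2015-07-03T10:00:01 10.0.0.5 203.0.113.20 GET http://forum.example.net/viewtopic.php?t=42 200 http://search.example.test/
2015-07-03T10:00:02 10.0.0.5 136.243.25.241 GET http://gate.example.test/js/stat.js 200 http://forum.example.net/viewtopic.php?t=42
2015-07-03T10:00:03 10.0.0.5 107.191.63.163 GET http://ek.example.tk/landing.php 200 http://gate.example.test/js/stat.js
2015-07-03T10:01:00 10.0.0.7 136.243.227.9 GET http://gate2.example.test/counter.js 404 http://blog.example.org/index.php
2015-07-03T10:02:00 10.0.0.9 203.0.113.20 GET http://www.example.com/ 200 -
"""


def parse_line(line):
    """Split one constructed-format log line into a record; None if malformed."""
    parts = line.split()
    if len(parts) != 7:
        return None
    ts, client, dst, method, url, status, ref = parts
    return {"ts": ts, "client": client, "dst": dst, "method": method,
            "url": url, "status": int(status),
            "referer": None if ref == "-" else ref}


def stage_for(dst_ip):
    """Map a destination IP to the stage of the chain it represents."""
    if dst_ip in GATE_IPS:
        return "gate"
    if dst_ip in NUCLEAR_EK_IPS:
        return "nuclear_ek"
    return None


def indicator_hits(log_text):
    """All records whose destination IP is a gate or EK indicator."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        stage = stage_for(rec["dst"])
        if stage:
            rec["stage"] = stage
            hits.append(rec)
    return hits


def candidate_compromised_sites(log_text):
    """Referrer hostnames on gate requests: the page that injected the redirect.
    A 404 from the gate still names the referring site, so it is kept."""
    sites = set()
    for rec in indicator_hits(log_text):
        if rec["stage"] == "gate" and rec["referer"]:
            host = urlparse(rec["referer"]).hostname
            if host:
                sites.add(host)
    return sites


def chains_by_client(log_text):
    """Per client, the ordered (stage, status) pairs observed."""
    chains = defaultdict(list)
    for rec in indicator_hits(log_text):
        chains[rec["client"]].append((rec["stage"], rec["status"]))
    return dict(chains)


def clients_reaching_ek(log_text):
    """Clients that got a 200 from the EK IP: the ones to triage first."""
    return sorted(client for client, stages in chains_by_client(log_text).items()
                  if any(s == "nuclear_ek" and code == 200 for s, code in stages))


if __name__ == "__main__":
    print("candidate compromised sites:", candidate_compromised_sites(SAMPLE_LOG))
    print("chains:", chains_by_client(SAMPLE_LOG))
    print("clients reaching EK:", clients_reaching_ek(SAMPLE_LOG))
```

The second client in the sample only reaches the gate and gets a 404, which is the partial chain the diary's final words describe; its referrer still names a site worth checking.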

Nuclear EK

Examples of infection traffic generated from 2015-07-03 through 2015-07-05 all show 107.191.63.163 as the IP address hosting Nuclear EK. This IP address is registered to Vultr, a hosting provider specializing in SSD cloud servers [4].

Finally, Nuclear EK sends the malware payload. It

Malware sent by this actor

During the three-day period, we infected ten hosts, saw two different Flash exploits, and retrieved five different malware payloads. Most of these payloads were Kovter (ad fraud malware).

Below are links to reports from hybrid-analysis.com for the individual pieces of malware:

Final words

It's usually difficult to generate a full chain of infection traffic from compromised websites associated with this BizCN gate actor. We often see HTTP GET requests to the gate domain return a 404 Not Found. In some cases, the gate domain might not appear in traffic at all.

We believe the BizCN gate actor will continue to make changes as a way to evade detection. Fortunately, the ISC and other organizations try our best to track these actors, and we'll let you know if we discover any significant changes.

Examples of the traffic and malware can be found at:

As always, the zip file is password-protected with the standard password. If you don't know it, email admin@malware-traffic-analysis.net and ask.


Brad Duncan
Security Researcher at Rackspace and ISC Handler
Blog: www.malware-traffic-analysis.net – Twitter: @malware_traffic

References:

[1] http://malware-traffic-analysis.net/2014/01/01/index.html
[2] https://isc.sans.edu/diary/Gate+to+Fiesta+exploit+kit+on+9424221669/19117
[3] https://isc.sans.edu/diary/Actor+using+Fiesta+exploit+kit/19631
[4] https://www.vultr.com/about/
[5] https://www.virustotal.com/en/file/b215e4cf122e3b829ce199c3e914263a6d635f968b4dc7b932482d7901691326/analysis/
[6] https://www.virustotal.com/en/file/a0156a1641b42836e64d03d1a0d34cd93d3b041589b0422f8519cb68a4efb995/analysis/
[7] http://malware.dontneedcoffee.com/2015/07/kovter-adfraud-is-updating-flash-for-you.html

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

TorrentFreak: Pirate Bay Was Worth Doing Prison Time For, Co-Founder Says

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

Fredrik Neij, one of The Pirate Bay’s co-founders, was released early last month after serving a 10-month prison sentence for his involvement with the site.

A few days ago Fredrik arrived back home in Laos, where he’s enjoying his family and an unlimited stock of beer to get his liver back on track.

TF had the chance to catch up with the Swede to see how prison life treated him and the answers we received may surprise some. While it’s never fun to be locked up, Fredrik says it was worth doing time for The Pirate Bay.

“Things were not too bad in prison,” Fredrik tells TF. “It was well worth doing prison time for The Pirate Bay, when you consider how much the site means to people,” Fredrik says.

The prisons in Sweden are nothing like those seen in Hollywood blockbusters. He had plenty of space and privacy and no bars on the door.

“Like most people I only knew about prisons from American movies. Now that I have some firsthand experience I am happy to say it’s quite different. Unlike the barred cages for two persons in the movies, here I have my own private room that’s 10 square meters, with a real door and no bars on the window.”

Fredrik compares his cell to a cabin on a cruise ship, but one with a shitty view. Instead of seeing beautiful coastlines and picturesque bays, he was looking at a prison wall with barbed wire on top, and agricultural fields in the distance.

The cell itself had a private toilet and shower as well as some space for personal items. There were two bulletin boards as well, one with photos of his kids and family and another one for all the fan mail he received.

Although the prison management denied him access to his classic 8-bit Nintendo console, there was plenty of entertainment around. The room came equipped with a Samsung smart TV and Fredrik was also allowed to have newer game consoles.

As a Sci-Fi addict, Fredrik was also happy that “some people” managed to smuggle digital content inside.

“I watched a lot of TV-series and movies on smuggled in USB sticks and MicroSD cards, which is a nice way to kill some time, watching Archer, Futurama, Firefly and other Sci-Fi,” Fredrik says.

On the music front Pirate Bay’s co-founder was thrown back two decades, spinning CDs in an ancient Discman. Music he actually had to pay for.

“Listening to music on a Discman gave me flashbacks to how life was before MP3s, with short battery-life and having to change CD to listen to different artists. Also it was probably the first legal music I bought this millennium.”

The lockup hours were between 7am and 7pm and inmates were allowed to put out their own lights, so games could be played all night. During weekdays Fredrik had to work for three hours as well, putting pieces of wood into a laser etching machine.

The best times of the week were without a doubt the visiting hours, especially when they overlapped with work. Talking to friends and family was a welcome distraction, either in person or on the phone, which Fredrik could have in his room a few times per week.

There were also a lot of people writing in. Not just with words of support, but also to keep him updated on news in the real world, including TF articles.

“To keep up to date with the outside world, friends and family sent me newspapers, magazines and printouts of online media such as TorrentFreak! I also spent a lot of time reading all news-clippings, books and tech- science- and computer magazines I received from fans.”

Fredrik was locked up in the medium security prison in Skänninge where he was the only convict doing time for a “virtual” crime.

“Most other guys were in for drug-related offenses, robberies, manslaughter, aggravated assault. No-one had ever heard of someone being placed at that prison for such a low severity, nonviolent, white-collar crime as ‘assisted copyright infringement,’ but I guess the MAFIAA get what they pay for,” he says.

Surprisingly enough, Fredrik could cope relatively well without 24/7 access to a keyboard and the Internet.

“I didn’t miss computers and the Internet as much as I would have expected. I mostly just missed having instant access to information like I am used to. Inside I used TEXT-TV and newscasts instead of web-sites.

“You only notice how dependent we are on the Internet when are forced off it and have to do things like it was the early 90s again,” Fredrik adds.

Looking ahead Fredrik is hoping to catch up life where he left off.

“It’s great to be back home with the kids. Family aside I was mostly looking forward to catching up on Doctor Who and Archer. And to put an end to my liver’s well deserved vacation with a large beer!”

Source: TorrentFreak, for the latest info on copyright, file-sharing, torrent sites and the best VPN services.

lcamtuf's blog: Poland vs the United States: crime and punishment

This post was syndicated from: lcamtuf's blog and was written by: Michal Zalewski. Original post: at lcamtuf's blog


[ This is the tenth entry in a short series of articles about Poland and the US. To start from the beginning, click here. ]

Throughout much of its history, the United States has been a violent nation. From the famed lawlessness of the western frontier, to the brawling biker gangs, to the iconic Italian Mafia and the fearsome Mexican drug cartels, the thirst for blood has left a mark on the American psyche – and profoundly influenced many of the country’s most cherished works of literary and cinematic art.

But sooner or later, a line gets drawn. And so, when a tidal wave of violent crime swept the nation in the late 80s, the legislators and the executive branch felt obliged to act. Many wanted to send a message to the criminal underworld by going after it with relentless and uncompromising zeal – kicking off the multi-decade War on Drugs and rolling out policies such as the three strikes law in California or stop-and-frisk in New York City. Others saw the root of all evil in the pervasive gun culture of the United States – successfully outlawing the possession or carry of certain classes of firearms and establishing a nation-wide system of background checks.

And then, in the midst of these policy changes, something very interesting started to unfold: the crime rate plunged like a rock, dropping almost 50% over the course of twenty years. But why? Well, the funny thing is, nobody could really tell. The proponents of tough policing and the War on Drugs tooted their own horns; but less vindictive municipalities that adopted programs of community engagement and proactive policing heralded broadly comparable results. Gun control advocates claimed that getting assault rifles and handguns off the streets made a difference; gun rights activists found little or no crime gap between the gun-friendly and the gun-hostile states. Economists pointed out that people were living better, happier, and longer lives. Epidemiologists called out the elimination of lead – an insidious developmental neurotoxin – from paints and gasoline. Some scholars have gone as far as claiming that easy access to contraception and abortion caused fewer children to be born into multi-generational poverty and to choose the life of crime.

Europe certainly provided an interesting contrast; the old continent, having emerged from two unspeakably devastating and self-inflicted wars, celebrated its newly-found pacifist streak. Its modern-day penal systems reflected the philosophy of reconciliation – abolishing the death penalty and placing greater faith in community relationships, alternative sentencing, and the rehabilitation of criminals. A person who served a sentence was seen as having paid the dues: in Poland and many other European countries, his or her prospective employers would be barred from inquiring about the criminal record, and the right to privacy would keep the indictments and court records from public view.

It’s hard to say if the European model worked better when it comes to combating villainy; in the UK, crime trends followed the US trajectory; in Sweden, they did the opposite. But the utilitarian aspect of the correctional system aside, the US approach certainly carries a heavy humanitarian toll: the country maintains a truly astronomical prison population, disproportionately comprised of ethnic minorities and the poor; recidivism rates are high and overcrowding borders on the inhumane. The continued incarceration of people sentenced for non-violent cannabis-related crimes flies in the face of changing social norms.

Untangling this mess is going to take time; most Americans seriously worry about crime and see it as a growing epidemic, even if their beliefs are not substantiated by government-published stats. Perhaps because of this, they favor tough policing; reports of potential prosecutorial oversight – such as the recent case of a tragic homicide in San Francisco – tend to provoke broader outrage than any comparable claims of overreach. Similarly, police brutality or prison rape are widely acknowledged and even joked about – but seen as something that only ever happens to the bad folks.


[ For the next article in the series, click here. ]

TorrentFreak: Court Drops Innocent Cox Subscribers From Piracy Lawsuit

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

Last year BMG Rights Management and Round Hill Music sued Cox Communications, arguing that the ISP fails to terminate the accounts of repeat infringers.

As part of the discovery process the music outfits requested details on the accounts which they caught downloading their content.

In total there are 150,000 alleged pirates, but the court limited the initial disclosure to the top 250 infringing IP-addresses in the six months before the lawsuit was filed.

A few weeks ago Cox started informing its customers that their information would be handed over to the music companies. In a response, dozens of subscribers asked the court not to expose their identities.

Some argued that they should be dismissed because they did not share the mentioned files. Another group explained to the court that they were wrongfully included, because they weren’t Cox subscribers at the time of the alleged offense.

The latter issue is due to Cox’s broad reading of an earlier court order. Instead of handing over details of subscribers who used the IP-addresses at the time of the infringements, the ISP also included the current IP-address holders.

Objection from a Cox subscriber

This week U.S. Magistrate Judge John Anderson ruled on the objections (pdf), concluding that the subscribers who did not use the IP-address at the time should be dropped.

“Several of the persons submitting objections have provided information to the court that is sufficient to establish that they were not assigned the IP addresses that are the subject of the court’s ruling at the time of the alleged infringing activity.

“The court sustains the objections raised by those individuals,” the order adds.

The other group of subscribers who merely claimed that they did not share any of the copyright infringing files, were less successful. Their requests were denied and Cox will share their personal details with the music companies.

“The mere denial of any infringing activity is an insufficient reason to justify quashing the subpoena to Cox. In addition, any concerns these individuals may have relating to privacy are addressed adequately by the provisions of the Protective Order entered in this action,” the order reads.

The last part is important because many subscribers fear that the music companies will come after their money. However, the court assures them that their personal information can only be used as evidence in this lawsuit, not to demand settlements.

“The subscriber information produced in this action is to be used solely for the purposes of litigating the claims raised in this action between BMG/Round Hill and Cox and will not be used by BMG/Round Hill to solicit payments directly from Cox subscribers.”

For the music companies this shouldn’t be a problem. They previously said that they don’t intend to pursue any individual subscribers in the lawsuit. How they do plan to use the personal details of the subscribers will become clear as the case proceeds.


TorrentFreak: VPN Providers Respond To Allegations of Data Leakage

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

As Internet users seek to bypass censorship, boost privacy and achieve a level of anonymity, VPN services have stepped in with commercial solutions to assist with these aims. The uptake among consumers has been impressive.

Reviews of VPN services are commonplace and usually base their ratings on price and speed. At TorrentFreak we examine many services annually, but with a focus on privacy issues instead.

Now a team of researchers from universities in London and Rome have published a paper titled “A Glance through the VPN Looking Glass: IPv6 Leakage and DNS Hijacking in Commercial VPN clients” (pdf) after investigating 14 popular services on the market today.

“Our findings confirm the criticality of the current situation: many of these providers leak all, or a critical part of the user traffic in mildly adversarial environments. The reasons for these failings are diverse, not least the poorly defined, poorly explored nature of VPN usage, requirements and threat models,” the researchers write.

While noting that all providers are able to successfully send data through an encrypted tunnel, the paper claims that problems arise during the second stage of the VPN client’s operation: traffic redirection.

“The problem stems from the fact that routing tables are a resource that is concurrently managed by the operating system, which is unaware of the security requirements of the VPN client,” the researchers write.

This means that changes to the routing table (whether they are malicious or accidental) could result in traffic circumventing the VPN tunnel and leaking to other interfaces.

IPv6 VPN Traffic Leakage

“The vulnerability is driven by the fact that, whereas all VPN clients manipulate the IPv4 routing table, they tend to ignore the IPv6 routing table. No rules are added to redirect IPv6 traffic into the tunnel. This can result in all IPv6 traffic bypassing the VPN’s virtual interface,” the researchers explain.
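A way to check a host for the routing-table gap the researchers describe, as an added example that is not part of the article or the paper: parse `ip -4 route` / `ip -6 route` style output (Linux format assumed), find the route a probe address would actually take by longest-prefix match, and report whether it exits via the tunnel interface. The tables below are constructed: the IPv4 one has the two half-space routes (0.0.0.0/1 and 128.0.0.0/1) that OpenVPN's def1-style redirect installs, the leaky IPv6 one has only the LAN's default route, and the "fixed" IPv6 table adds two assumed half-space routes via the tunnel by analogy. The tunnel interface name tun0 and the probe addresses are assumptions.

```python
"""Check whether IPv4 and IPv6 default traffic would leave via the VPN tunnel
interface, the failure mode where a client reroutes IPv4 but ignores IPv6.
Input is `ip -4 route` / `ip -6 route` style text (Linux format assumed)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# One route per line, e.g. "default via 192.168.1.1 dev eth0 proto dhcp metric 100".
ROUTE_RE = re.compile(
    r"^(?P<dst>\S+)(?:\s+via\s+(?P<via>\S+))?\s+dev\s+(?P<dev>\S+)"
    r"(?:.*?\bmetric\s+(?P<metric>\d+))?"
)

# Constructed IPv4 table: def1-style halves via tun0 override the LAN default.
IPV4_TABLE = """\
0.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev eth0 proto dhcp metric 100
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
128.0.0.0/1 via 10.8.0.1 dev tun0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50 metric 100
"""

# Constructed IPv6 table as the paper describes: the client added nothing,
# so the router-advertised default on eth0 carries all IPv6 traffic.
IPV6_LEAKY = """\
2001:db8:1::/64 dev eth0 proto ra metric 100
fe80::/64 dev eth0 proto kernel metric 256
default via fe80::1 dev eth0 proto ra metric 100
"""

# Assumed remediation for the example: two half-space routes via the tunnel,
# analogous to the IPv4 0.0.0.0/1 and 128.0.0.0/1 pair.
IPV6_FIXED = IPV6_LEAKY + """\
::/1 via fd00:1::1 dev tun0 metric 50
8000::/1 via fd00:1::1 dev tun0 metric 50
"""


@dataclass
class Route:
    network: Network
    dev: str
    via: Optional[str]
    metric: int


def parse_routes(text: str, family: int) -> List[Route]:
    """Parse routes of one address family; unreachable/blackhole lines are skipped."""
    default = "0.0.0.0/0" if family == 4 else "::/0"
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue
        dst = default if m.group("dst") == "default" else m.group("dst")
        net = ipaddress.ip_network(dst, strict=False)
        if net.version != family:
            continue
        routes.append(Route(net, m.group("dev"), m.group("via"),
                            int(m.group("metric") or 0)))
    return routes


def route_for(routes: List[Route], addr: str) -> Optional[Route]:
    """Longest-prefix match; lower metric breaks ties. None means no route."""
    ip = ipaddress.ip_address(addr)
    candidates = [r for r in routes if ip in r.network]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.network.prefixlen, -r.metric))


def classify(routes: List[Route], probe: str, tunnel_dev: str) -> str:
    """'tunnel' if the probe exits via the VPN interface, 'leak' if via any
    other interface, 'unreachable' if there is no route (dropped, not leaked)."""
    r = route_for(routes, probe)
    if r is None:
        return "unreachable"
    return "tunnel" if r.dev == tunnel_dev else "leak"


def check_tables(ipv4_text: str, ipv6_text: str, tunnel_dev: str,
                 probe4: str = "203.0.113.10",
                 probe6: str = "2001:db8:ffff::10") -> Dict[str, str]:
    """Verdict per family for an off-link probe address (documentation ranges)."""
    return {
        "ipv4": classify(parse_routes(ipv4_text, 4), probe4, tunnel_dev),
        "ipv6": classify(parse_routes(ipv6_text, 6), probe6, tunnel_dev),
    }


if __name__ == "__main__":
    print("leaky host:", check_tables(IPV4_TABLE, IPV6_LEAKY, "tun0"))
    print("fixed host:", check_tables(IPV4_TABLE, IPV6_FIXED, "tun0"))
```

On a real host the tables would come from running `ip -4 route` and `ip -6 route` while connected; the probes are off-link addresses on purpose, since on-link prefixes such as the LAN /64 are expected to stay local and are not what the paper calls a leak.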


As illustrated by the chart above, the paper claims that all desktop clients (except for those provided by Private Internet Access, Mullvad and VyprVPN) leaked “the entirety” of IPv6 traffic, while all providers except Astrill were vulnerable to IPv6 DNS hijacking attacks.

The paper was covered yesterday by The Register with the scary-sounding title “VPNs are so insecure you might as well wear a KICK ME sign” but without any input from the providers in question. We decided to contact a few of them for their take on the paper.

PureVPN told TF that they “take the security of our customers very seriously and thus, a dedicated team has been assigned to look into the matter.” Other providers had already received advanced notice of the paper.

“At least for AirVPN the paper is outdated,” AirVPN told TorrentFreak.

“We think that the researchers, who kindly sent the paper to us many months in advance and were warned about that, had no time to fix [the paper] before publication. There is nothing to worry about for AirVPN.”

“Current topology allows us to have the same IP address for VPN DNS server and VPN gateway, solving the vulnerability at its roots, months before the publication of the paper.”

TorGuard also knew of the whitepaper and have been working to address the issues it raises. The company adds that while The Register’s “the sky is falling” coverage of yesterday is “deceptive”, the study does illustrate the need for providers to stay vigilant. Specifically, TorGuard says that it has launched a new IPv6 leak prevention feature on Windows, Mac and Linux.

“Today we have released a new feature that will address this issue by giving users the option of capturing ALL IPv6 traffic and forcing it through the OpenVPN tunnel. During our testing this method proved highly effective in blocking potential IPv6 leaks, even in circumstances when these services were active or in use on the client’s machine,” the company reports.

On the DNS hijacking issue, TorGuard provides the following detail.

“It is important to note that the potential for this exploit only exists (in theory) if you are connected to a compromised WiFi network in which the attacker has gained full control of the router. If that is the case, DNS hijacking is only the beginning of one’s worries,” TorGuard notes.

“During our own testing of TorGuard’s OpenVPN app, we were unable to reproduce this when using private DNS servers because any DNS queries can only be accessed from within the tunnel itself.”

Noting that they released IPv6 Leak Protection in October 2013, leading VPN provider Private Internet Access told TorrentFreak that they feel the paper is lacking.

“While the article purported to be an unbiased and intricate look into the security offered by consumer VPN services, it was greatly flawed since the inputs or observations made by the researchers were inaccurate,” PIA said.

“While a scientific theory or scientific test can be proven by a logical formula or algorithm, if the observed or collected data is incorrect, the conclusion will be in error as well.”

PIA criticizes the report on a number of fronts, including incorrect claims about its DNS resolver.

“Contrary to the report, we have our own private DNS daemon running on the Choopa network. Additionally, the DNS server that is reported, while it is a real DNS resolver, is not the actual DNS that your system will use when connected to the VPN,” the company explains.

“Your DNS requests are handled by a local DNS resolver running on the VPN gateway you are connected to. This can be easily verified through a site like ipleak.net. Additionally… we do not allow our DNS servers to report IPv6 (AAAA records) results. We’re very serious about security and privacy.”

Finally, in a comprehensive response (now published here) in which it notes that its Windows client is safe, PIA commends the researchers for documenting the DNS hijacking method but criticizes how it was presented to the VPN community.

“The DNS Hijacking that the author describes [..] is something that has recently been brought to light by these researchers and we commend them on their discovery. Proper reporting routines would have been great, however. Shamefully, this is improper security disclosure,” PIA adds.

While non-IPv6 users have nothing to fear, all users looking for a simple fix can disable IPv6 by following instructions for Windows, Linux and Mac.


Schneier on Security: Office of Personnel Management Data Hack

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

I don’t have much to say about the recent hack of the US Office of Personnel Management, which has been attributed to China (and seems to be getting worse all the time). We know that government networks aren’t any more secure than corporate networks, and might even be less secure.

I agree with Ben Wittes here (although not the imaginary double standard he talks about in the rest of the essay):

For the record, I have no problem with the Chinese going after this kind of data. Espionage is a rough business and the Chinese owe as little to the privacy rights of our citizens as our intelligence services do to the employees of the Chinese government. It’s our government’s job to protect this material, knowing it could be used to compromise, threaten, or injure its people — not the job of the People’s Liberation Army to forbear collection of material that may have real utility.

Former NSA Director Michael Hayden says much the same thing:

If Hayden had had the ability to get the equivalent Chinese records when running CIA or NSA, he says, “I would not have thought twice. I would not have asked permission. I’d have launched the star fleet. And we’d have brought those suckers home at the speed of light.” The episode, he says, “is not shame on China. This is shame on us for not protecting that kind of information.” The episode is “a tremendously big deal, and my deepest emotion is embarrassment.”

My question is this: Has anyone thought about the possibility of the attackers manipulating data in the database? What are the potential attacks that could stem from adding, deleting, and changing data? I don’t think they can add a person with a security clearance, but I’d like someone who knows more than I do to understand those risks.

TorrentFreak: Piracy Concerns May Soon Kill Domain Name Privacy

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

In recent months copyright holders have been increasingly pushing for changes in the domain name industry.

Groups such as the MPAA and RIAA, for example, want registrars to suspend domain names of clearly infringing websites.

While this is unlikely to happen on a broad scale in the near future, a new ICANN proposal may put an end to private domain name registrations for some websites.

A new proposal (pdf) will no longer allow ‘commercial’ sites, which could include all domain names that run advertisements, to hide their personal details through so-called WHOIS protection services.

This change is backed by copyright holder groups including the MPAA, who previously argued that it will help them to hold the operators of illegal sites responsible.

“Without accurate WHOIS data, there can be no accountability, and without accountability it can be difficult to investigate and remedy issues when individuals or organizations use the Internet in illegal or inappropriate ways,” MPAA’s Alex Deacon said recently.

“Ensuring this data is accurate is important not only to the MPAA and our members, but also to everyone who uses the Internet every day.”

On the other side of the spectrum, the proposal has ignited protests from privacy advocates and key players in the domain name industry.

Digital rights group EFF points out that copyright holders can already expose the operators of alleged infringers quite easily by obtaining a DMCA subpoena. This is something the RIAA has done already on a few occasions.

EFF further warns that the new rules will expose the personal details of many people who have done nothing wrong, but may have good reasons not to have their address listed publicly.

“The limited value of this change is manifestly outweighed by the risks to website owners who will suffer a higher risk of harassment, intimidation and identity theft,” EFF’s Mitch Stoltz writes.

Namecheap, one of the largest domain registrars, also jumped in and sent a mass-mailing to all their customers urging them to tell ICANN not to adopt the new proposal.

“No WHOIS privacy provider wants their service to be used to conceal illegal activity, and the vast majority of domain owners are not criminals. Using a WHOIS privacy service is no more suspicious than having an unlisted phone number,” Namecheap CEO Richard Kirkendall notes.

“These new proposed rules would wreak havoc on our right to privacy online. ICANN is moving quickly, so we should too – contact them today and tell them to respect our privacy,” he adds.

ICANN is currently accepting comments from the public and Namecheap is encouraging its customers to use the Respect Our Privacy campaign site to protest the proposed changes.

Of course, Namecheap has more to worry about than the privacy of its users alone. The company itself operates the Whoisguard service and earns a lot of revenue through these private registrations.

Thus far most of the responses received by ICANN have come in through the special campaign site, arguing against the proposal. The commenting period closes in two weeks followed by an official report. After that, the ICANN board will still have to vote on whether or not the changes will be implemented.


Schneier on Security: What is the DoD’s Position on Backdoors in Security Systems?

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

In May, Admiral James A. Winnefeld, Jr., vice-chairman of the Joint Chiefs of Staff, gave an address at the Joint Service Academies Cyber Security Summit at West Point. After he spoke for twenty minutes on the importance of Internet security and a good national defense, I was able to ask him a question (32:42 mark) about security versus surveillance:

Bruce Schneier: I’d like to hear you talk about this need to get beyond signatures and the more robust cyber defense and ask the industry to provide these technologies to make the infrastructure more secure. My question is, the only definition of “us” that makes sense is the world, is everybody. Any technologies that we’ve developed and built will be used by everyone — nation-state and non-nation-state. So anything we do to increase our resilience, infrastructure, and security will naturally make Admiral Rogers’s both intelligence and attack jobs much harder. Are you okay with that?

Admiral James A. Winnefeld: Yes. I think Mike’s okay with that, also. That’s a really, really good question. We call that IGL. Anyone know what IGL stands for? Intel gain-loss. And there’s this constant tension between the operational community and the intelligence community when a military action could cause the loss of a critical intelligence node. We live this every day. In fact, in ancient times, when we were collecting actual signals in the air, we would be on the operational side, “I want to take down that emitter so it’ll make it safer for my airplanes to penetrate the airspace,” and they’re saying, “No, you’ve got to keep that emitter up, because I’m getting all kinds of intelligence from it.” So this is a familiar problem. But I think we all win if our networks are more secure. And I think I would rather live on the side of secure networks and a harder problem for Mike on the intelligence side than very vulnerable networks and an easy problem for Mike. And part of that — it’s not only the right thing to do, but part of that goes to the fact that we are more vulnerable than any other country in the world, on our dependence on cyber. I’m also very confident that Mike has some very clever people working for him. He might actually still be able to get some work done. But it’s an excellent question. It really is.

It’s a good answer, and one firmly on the side of not introducing security vulnerabilities, backdoors, key-escrow systems, or anything that weakens Internet systems. It speaks to what I have seen as a split in the Second Crypto War, between the NSA and the FBI, on building secure systems versus building systems with surveillance capabilities.

I have written about this before:

But here’s the problem: technological capabilities cannot distinguish based on morality, nationality, or legality; if the US government is able to use a backdoor in a communications system to spy on its enemies, the Chinese government can use the same backdoor to spy on its dissidents.

Even worse, modern computer technology is inherently democratizing. Today’s NSA secrets become tomorrow’s PhD theses and the next day’s hacker tools. As long as we’re all using the same computers, phones, social networking platforms, and computer networks, a vulnerability that allows us to spy also allows us to be spied upon.

We can’t choose a world where the US gets to spy but China doesn’t, or even a world where governments get to spy and criminals don’t. We need to choose, as a matter of policy, communications systems that are secure for all users, or ones that are vulnerable to all attackers. It’s security or surveillance.

NSA Director Admiral Mike Rogers was in the audience (he spoke earlier), and I saw him nodding at Winnefeld’s answer. Two weeks later, at CyCon in Tallinn, Rogers gave the opening keynote, and he seemed to be saying the opposite.

“Can we create some mechanism where within this legal framework there’s a means to access information that directly relates to the security of our respective nations, even as at the same time we are mindful we have got to protect the rights of our individual citizens?”

[…]

Rogers said a framework to allow law enforcement agencies to gain access to communications is in place within the phone system in the United States and other areas, so “why can’t we create a similar kind of framework within the internet and the digital age?”

He added: “I certainly have great respect for those that would argue that the most important thing is to ensure the privacy of our citizens and we shouldn’t allow any means for the government to access information. I would argue that’s not in the nation’s best long term interest, that we’ve got to create some structure that should enable us to do that, mindful that it has to be done in a legal way and mindful that it shouldn’t be something arbitrary.”

Does Winnefeld know that Rogers is contradicting him? Can someone ask JCS about this?

lcamtuf's blog: Poland vs the United States: civil liberties

This post was syndicated from: lcamtuf's blog and was written by: Michal Zalewski. Original post: at lcamtuf's blog


[ This is the sixth entry in a short series of articles about Poland and the US. To start from the beginning, click here. ]

I opened my comparison of Poland and the US with the topic of firearm ownership. I decided to take this route in part because of how alien the US gun culture may appear to outsiders – and because of how polarizing and interesting the subject is. But in today’s entry, I wanted to take a step back and have a look at the other, more traditional civil liberties that will be more familiar to folks on the other side of the pond.

Before we dive in, it is probably important to note that the national ethos of the United States is very expressly built on the tradition of individualism and free enterprise. Of course, many words can be written about the disconnection between this romanticized vision and complex realities of entrepreneurship or social mobility in the face of multi-generational poverty and failing inner-city schools (it may be a fitting subject for another post). But the perception still counts: in much of Europe, the government is seen less as a guarantor of civil liberties, and more as a provider of basic needs. The inverse is more true in the US; the armed forces and small businesses enjoy the two top spots in institutional trustworthiness surveys; federal legislators come dead last. This sentiment shapes many of the ongoing political debates – not just around individual freedoms, but also as related to public healthcare or the regulation of commerce. The virtues of self-sufficiency and laissez-faire capitalism seem far more self-evident to the citizens of the US than they are in the EU.

With that in mind, it’s worthwhile to start the comparison with the freedom of speech. A cherished tradition in the western world, this liberty is nevertheless subordinate to a number of collectivist social engineering goals across the whole old continent; for example, strong prohibitions exist on the promotion of Nazi ideology or symbolism, or on the mere practice of denying the Holocaust. The freedom of speech is also trumped by the right to privacy, including the hotly-debated right to be forgotten on the Internet. Other, more exotic restrictions implemented in several places in Europe include the prohibition against insulting any acting heads of state; in Poland, people have been prosecuted for hurling childish insults at the Pope or at the outgoing Polish president. Of course, the enforcement is patently selective: in today’s political climate, no one will be charged for calling Mr. Putin a thug.

The US takes a more absolutist view of the First Amendment, with many hate groups enjoying far-reaching impunity enshrined in the judicial standards put forward not by politicians, but by the unusually powerful US Supreme Court. The notion of “speech” is also interpreted very broadly, extending to many forms of artistic, religious, and political expression; in particular, the European niqab and burka bans would be patently illegal in the United States and aren’t even the subject of serious debate. The concept of homeschooling, banned or heavily regulated in some parts of Europe, is seen by some through the same constitutional prism. Last but not least, there is the controversial Citizens United decision, holding that some forms of financial support provided to political causes can be equated with constitutionally protected speech; again, the ruling came not from the easily influenced politicians, but from the Supreme Court.

As an aside, despite the use of freedom-of-speech restrictions as a tool for rooting out anti-Semitism and hate speech in Europe, the contemporary US may be providing a less fertile ground for racism and xenophobia than at least some parts of the EU. The country still struggles with its dark past and the murky reality of racial discrimination – but despite the stereotypes, the incidence of at least some types of casual racism in today’s America seems lower than in much of Europe. The pattern is also evident in political discourse; many of the openly xenophobic opinions or legislative proposals put forward by European populist politicians would face broad condemnation in the US. Some authors argue that the old continent is facing a profound new wave of Islamophobia and hatred toward Jews; in countries such as Greece and Hungary, more than 60% of the population seems to be holding such views. In Poland, more than 40% say that Jews hold too much influence in business – a surreal claim, given that there are just several thousand Jews living in the country of 38 million. My own memories from growing up in that country are that of schoolkids almost universally using “you Jew!” as a mortal insult. The defacement of Jewish graves and monuments, or anti-Semitic graffiti, posters, and sports chants are far more common than they should be. It’s difficult to understand if restrictions on free speech suppress the sentiments or make them worse, but at the very least, the success of the policies is not clear-cut.

Other civil liberties uniquely revered in the United States, and perhaps less so in Europe, put limits on the ability of the government to intrude into private lives through unwarranted searches and seizures. Of course, the stereotypical view of the US is that of a dystopian surveillance state, epitomized by the recent focus on warrantless surveillance or secret FISA courts. But having worked for a telecommunications company in Poland, my own sentiment is that law enforcement and intelligence agencies in Europe tend to operate with far more impunity and far less legal oversight; the intelligence community in particular is often engaged in politically motivated domestic investigations that should raise an eyebrow or two; all across Europe, “pre-crime” policing ideas are taking hold. In most of these countries, citizens are not afforded powerful tools such as FOIA requests, do not benefit from a tradition of protected investigative journalism and whistleblowing, and can’t work with influential organizations such as the American Civil Liberties Union; there is also no history of scandals nearly as dramatic and transformative as Watergate. In the States, I feel that all this helped to create an imperfect but precious balance between the needs of the government and the rights of the people – and instill higher ethical standards in the law enforcement and intelligence community. The individualist spirit helps, too: quite a few states and municipalities go as far as banning traffic enforcement cameras because of how they rob suspects of the ability to face the accuser in court.

When it comes to some other civil traditions that are sacrosanct in Europe, the United States needs to face justified criticism. The harsh and overcrowded penal system treats some offenders unfairly; it is a product of populist sentiments influenced by the crime waves of the twentieth century and fueled by the dysfunctional War on Drugs. While Polish prisons may not be much better, some of the ideas implemented elsewhere in Europe seem to make a clear difference. They are difficult to adopt in the States chiefly because they do not fit the folksy “tough on crime” image that many American politicians take pride in.

In the same vein, police brutality, disproportionately faced by the poor and minorities, is another black mark for individual rights. The death penalty, albeit infrequent and reserved for the most heinous crimes, stands on increasingly shaky moral grounds – even if it faces steady public support. The indefinite detention and torture of terrorism suspects, with the knowledge and complicity of many other European states, deserves nothing but scorn. Civil forfeiture is a bizarre concept that seems to violate the spirit of the Fourth Amendment by applying unreasonably relaxed standards for certain types of seizures – although in all likelihood, its days are coming to an end.

As usual, the picture is complex and it’s hard to declare the superiority of any single approach to individual liberties. Europe and the United States have much in common, but also differ in very interesting ways.


[ To proceed to the next article in the series, click here. ]

Schneier on Security: Hayden Mocks NSA Reforms

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

Former NSA Director Michael Hayden recently mocked the NSA reforms in the newly passed USA Freedom Act:

If somebody would come up to me and say, “Look, Hayden, here’s the thing: This Snowden thing is going to be a nightmare for you guys for about two years. And when we get all done with it, what you’re going to be required to do is that little 215 program about American telephony metadata — and by the way, you can still have access to it, but you got to go to the court and get access to it from the companies, rather than keep it to yourself.” I go: “And this is it after two years? Cool!”

The thing is, he’s right. And Peter Swire is also right when he calls the law “the biggest pro-privacy change to U.S. intelligence law since the original enactment of the Foreign Intelligence Surveillance Act in 1978.” I supported the bill not because it was the answer, but because it was a step in the right direction. And Hayden’s comments demonstrate how much more work we have to do.

TorrentFreak: Surprise! VPN Provider Expects Victory in Site-Block Arms Race

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

After years of pressure but mere months of deliberations, yesterday the Australian government imposed a new copyright law on its citizens.

As soon as it receives the formality of royal assent, the Copyright Amendment (Online Infringement) Bill 2015 will enter into force and soon after it’s expected that rightsholders will make their first moves to have a site blocked.

After the passing of the law yesterday a lot of furious people took to the web, many decrying the censorship and filtering efforts of the Australian government. But despite the outcry there are others who are not only relaxed about the upcoming efforts but also stand to profit handsomely from them.

They are of course VPN providers, services set up to cut through web-blockades and similar efforts like a hot knife through butter. They’re already extremely popular in Australia due to their geo-unblocking abilities and will now do even more business as a result of the country’s new law.

However, there are still those that remain concerned over the future of VPNs and their status as site-blocking kryptonite. Might the government eventually run out of patience and do a U-turn on assurances they won’t tackle the technology by blocking? Would it matter, practically, if they did?

Robert Knapp, chief executive at CyberGhost, one of the more popular VPN providers, doesn’t think so. He is calm, taking developments completely in his stride, and foresees no threat to his business.

“We see in general the same that you see in nature if somebody tries to block a river floating – the water finds his way,” Knapp says.

Despite attempts by the Australian Greens to have VPNs exempted from the new law, it is unlikely that services that play by the rules (i.e. do not promote their products for infringing purposes) will be blocked. However, if the authorities want to test the waters, companies like CyberGhost will be up for the challenge.

“They should also then realize with whom they play in the same league,” Knapp says.

“Maybe they do it [blocking], maybe they don’t do it, it’s kind of a technical race. So it’s our daily business. They might do it, we will find a way to keep our servers running.”

While most people understand that blocking a determined service provider could descend into an endless arms-race, rightsholders are also keenly aware of the political fallout from attacking legitimate technologies.

“We didn’t intend this law to be used specifically against VPN because there are many legitimate uses of VPN and the intention of the law is not to stop people using the internet for legitimate purposes,” a Foxtel spokesperson told Mumbrella this morning.

And herein lies the problem. By driving traffic underground, into the encrypted tunnels of VPNs, rightsholders now have even less of an idea of who is pirating what and from where. VPNs are a legitimate but “dual use” technology, one that can be used for privacy or indeed piracy purposes. It’s a giant loophole that will be difficult to close. Nevertheless, companies like Foxtel say they will keep an eye on developments.

“We would obviously be concerned if it meant there was a hole in the law,” the spokesman said. “We will be monitoring how things go and see if there is a serious issue in the future.”

So what next for Australia’s blocking regime?

If history from the UK repeats itself (and there’s every reason to believe that it will), rightsholders will first take on a site that is guaranteed to tick every ‘pirate’ box. That forerunner is almost certain to be The Pirate Bay, a site that is not only located overseas as the legislation requires, but one that also has no respect for copyright. The fact that it has been blocked in plenty of other regions already will be the icing on the cake.

Once the case against The Pirate Bay is complete then other “structurally similar” sites will be tackled with relative ease and since none of their operators will be appearing in court to defend themselves, expect the process to be streamlined in favor of copyright holders.

Source: TorrentFreak, for the latest info on copyright, file-sharing, torrent sites and the best VPN services.

Schneier on Security: Why We Encrypt

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

Encryption protects our data. It protects our data when it’s sitting on our computers and in data centers, and it protects it when it’s being transmitted around the Internet. It protects our conversations, whether video, voice, or text. It protects our privacy. It protects our anonymity. And sometimes, it protects our lives.

This protection is important for everyone. It’s easy to see how encryption protects journalists, human rights defenders, and political activists in authoritarian countries. But encryption protects the rest of us as well. It protects our data from criminals. It protects it from competitors, neighbors, and family members. It protects it from malicious attackers, and it protects it from accidents.

Encryption works best if it’s ubiquitous and automatic. The two forms of encryption you use most often — https URLs in your browser, and the handset-to-tower link for your cell phone calls — work so well because you don’t even know they’re there.

Encryption should be enabled for everything by default, not a feature you turn on only if you’re doing something you consider worth protecting.

This is important. If we only use encryption when we’re working with important data, then encryption signals that data’s importance. If only dissidents use encryption in a country, that country’s authorities have an easy way of identifying them. But if everyone uses it all of the time, encryption ceases to be a signal. No one can distinguish simple chatting from deeply private conversation. The government can’t tell the dissidents from the rest of the population. Every time you use encryption, you’re protecting someone who needs to use it to stay alive.

It’s important to remember that encryption doesn’t magically convey security. There are many ways to get encryption wrong, and we regularly see them in the headlines. Encryption doesn’t protect your computer or phone from being hacked, and it can’t protect metadata, such as e-mail addresses that need to be unencrypted so your mail can be delivered.

But encryption is the most important privacy-preserving technology we have, and one that is uniquely suited to protect against bulk surveillance: the kind done by governments looking to control their populations and criminals looking for vulnerable victims. By forcing both to target their attacks against individuals, we protect society.

Today, we are seeing government pushback against encryption. Many countries, from states like China and Russia to more democratic governments like the United States and the United Kingdom, are either talking about or implementing policies that limit strong encryption. This is dangerous, because it’s technically impossible, and the attempt will cause incredible damage to the security of the Internet.

There are two morals to all of this. One, we should push companies to offer encryption to everyone, by default. And two, we should resist demands from governments to weaken encryption. Any weakening, even in the name of legitimate law enforcement, puts us all at risk. Even though criminals benefit from strong encryption, we’re all much more secure when we all have strong encryption.

This originally appeared in Securing Safe Spaces Online.

EDITED TO ADD: Last month, I blogged about a UN report on the value of encryption technologies to human freedom worldwide. This essay is the foreword to a companion document:

To support the findings contained in the Special Rapporteur’s report, Privacy International, the Harvard Law School’s International Human Rights Law Clinic and ARTICLE 19 have published an accompanying booklet, Securing Safe Spaces Online: Encryption, online anonymity and human rights, which explores the impact of measures to restrict online encryption and anonymity in four particular countries: the United Kingdom, Morocco, Pakistan and South Korea.

Schneier on Security: History of the First Crypto War

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

As we’re all gearing up to fight the Second Crypto War over governments’ demands to be able to back-door any cryptographic system, it pays for us to remember the history of the First Crypto War. The Open Technology Institute has written the story of those years in the mid-1990s.

The act that truly launched the Crypto Wars was the White House’s introduction of the “Clipper Chip” in 1993. The Clipper Chip was a state-of-the-art microchip developed by government engineers which could be inserted into consumer hardware telephones, providing the public with strong cryptographic tools without sacrificing the ability of law enforcement and intelligence agencies to access unencrypted versions of those communications. The technology relied on a system of “key escrow,” in which a copy of each chip’s unique encryption key would be stored by the government. Although White House officials mobilized both political and technical allies in support of the proposal, it faced immediate backlash from technical experts, privacy advocates, and industry leaders, who were concerned about the security and economic impact of the technology in addition to obvious civil liberties concerns. As the battle wore on throughout 1993 and into 1994, leaders from across the political spectrum joined the fray, supported by a broad coalition that opposed the Clipper Chip. When computer scientist Matt Blaze discovered a flaw in the system in May 1994, it proved to be the final death blow: the Clipper Chip was dead.

Nonetheless, the idea that the government could find a palatable way to access the keys to encrypted communications lived on throughout the 1990s. Many policymakers held onto hopes that it was possible to securely implement what they called “software key escrow” to preserve access to phone calls, emails, and other communications and storage applications. Under key escrow schemes, a government-certified third party would keep a “key” to every device. But the government’s shift in tactics ultimately proved unsuccessful; the privacy, security, and economic concerns continued to outweigh any potential benefits. By 1997, there was an overwhelming amount of evidence against moving ahead with any key escrow schemes.

The Second Crypto War is going to be harder and nastier, and I am less optimistic that strong cryptography will win in the short term.

Krebs on Security: “Free” Proxies Aren’t Necessarily Free

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

Netflix, Hulu and a host of other content streaming services block non-U.S. users from viewing their content. As a result, many people residing in or traveling outside of the United States seek to circumvent such restrictions by using services that advertise “free” and “open” Web proxies capable of routing browser traffic through U.S.-based computers and networks. Perhaps unsurprisingly, new research suggests that most of these “free” offerings are anything but, and actively seek to weaken browser security and privacy.

The data comes from Austrian researcher and teacher Christian Haschek, who published a simple script to check 443 open Web proxies (no, that number was not accidental). His script tries to see if a given proxy allows encrypted browser traffic (https://), and whether the proxy tries to modify site content or inject any content into the user’s browser session, such as ads or malicious scripts.

Haschek found that 79 percent of the proxies he tested forced users to load pages in unencrypted (http://) mode, meaning the owners of those proxies could see all of the traffic in plain text.

“It could be because they want you to use http so they can analyze your traffic and steal your logins,” Haschek said. “If I’m a good guy setting up a server so that people can use it to be secure and anonymous, I’m going to allow people to use https. But what is my motive if I tell users http only?”

Haschek’s research also revealed that slightly more than 16 percent of the proxy servers were actively modifying static HTML pages to inject ads.

Virtual private networks (VPNs) allow users to tunnel their encrypted traffic to different countries, but increasingly online content providers are blocking popular VPN services as well. Tor offers users the ability to encrypt and tunnel traffic for free, but in my experience the service isn’t reliably fast enough to stream video.

Haschek suggests that users who wish to take advantage of open proxies pick ones that allow https traffic. He’s created and posted online a free tool that allows anyone to test whether a given proxy permits encrypted Web traffic, as well as whether the proxy truly hides the user’s real Internet address. This blog post explains more about his research methodology and script.
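As an added example (not Haschek’s script, and not code from the Krebs post), here is how a practitioner might implement the three checks the post describes: whether a proxy lets https traffic through, whether it alters the pages it relays, and whether it forwards the client’s real address to the destination. The sample HTML pages and header sets are constructed; the ad host, the https probe target and the list of leak headers are assumptions. probe_https needs network access, while the other functions run offline on the constructed data.

```python
# Added example, not Haschek's script or anything from the Krebs post:
# three checks to run on an open proxy before trusting it.  The sample
# data below is constructed; the ad host, probe target and leak-header
# list are assumptions.
import re
import urllib.error
import urllib.request
from typing import Dict, List

# Constructed sample: the page as served directly by the origin.
REFERENCE_HTML = (
    "<html><head><title>t</title></head>"
    "<body><p>hello</p></body></html>"
)
# Constructed sample: the same page as returned through an ad-injecting proxy.
TAMPERED_HTML = (
    "<html><head><title>t</title>"
    "<script src='http://ads.example/a.js'></script></head>"
    "<body><p>hello</p><iframe src='http://ads.example/f'></iframe></body></html>"
)

# Elements that carry active or embedded content; extra ones are the usual
# footprint of ad or malware injection.
_ACTIVE_TAG = re.compile(r"<(script|iframe|object|embed)\b", re.IGNORECASE)

# Request headers through which a proxy commonly reveals itself or its client
# (assumed list; extend it for the proxies you actually meet).
LEAK_HEADERS = ("x-forwarded-for", "forwarded", "via", "x-real-ip", "client-ip")


def injected_elements(reference_html: str, observed_html: str) -> List[str]:
    """Tag names of active-content elements in the proxied page that the
    directly fetched reference copy does not contain.  Multiset difference,
    so scripts the origin legitimately serves are not reported."""
    remaining = [t.lower() for t in _ACTIVE_TAG.findall(reference_html)]
    extra = []
    for tag in (t.lower() for t in _ACTIVE_TAG.findall(observed_html)):
        if tag in remaining:
            remaining.remove(tag)
        else:
            extra.append(tag)
    return extra


def anonymity_level(headers_seen_by_server: Dict[str, str], real_ip: str) -> str:
    """What the destination learns about the client.  'transparent': the
    client's real address is forwarded; 'anonymous': proxy headers are
    present but the address is hidden; 'elite': nothing marks the request
    as proxied.  The headers come from an echo endpoint the tester controls."""
    lowered = {k.lower(): v for k, v in headers_seen_by_server.items()}
    if any(real_ip in lowered.get(h, "") for h in LEAK_HEADERS):
        return "transparent"
    if any(h in lowered for h in LEAK_HEADERS):
        return "anonymous"
    return "elite"


def probe_https(proxy_url: str, target: str = "https://example.com/",
                timeout: float = 10.0) -> bool:
    """Live check (network required): does the proxy pass an HTTPS request
    through and leave us on an https:// URL?  A proxy that refuses CONNECT,
    errors out, or redirects to http:// fails; its operator could then read
    the traffic in the clear."""
    opener = urllib.request.build_opener(
        urllib.request.ProxyHandler({"http": proxy_url, "https": proxy_url})
    )
    try:
        with opener.open(target, timeout=timeout) as resp:
            return resp.status == 200 and resp.geturl().startswith("https://")
    except (urllib.error.URLError, OSError, ValueError):
        return False


def verdict(https_ok: bool, injected: List[str], level: str) -> str:
    """Combine the three checks into one decision, worst finding first."""
    if not https_ok:
        return "reject: downgrades to plaintext"
    if injected:
        return "reject: modifies pages (" + ", ".join(injected) + ")"
    if level == "transparent":
        return "reject: leaks real address"
    return "usable"


if __name__ == "__main__":
    # Offline demonstration on the constructed samples.
    inj = injected_elements(REFERENCE_HTML, TAMPERED_HTML)
    lvl = anonymity_level({"X-Forwarded-For": "203.0.113.7", "Via": "1.1 proxy"},
                          "203.0.113.7")
    print(verdict(True, inj, lvl))  # reject: modifies pages (script, iframe)
```

The content check compares against a copy fetched without the proxy, because a proxy that only rewrites pages for some clients or some sites will look clean if you just scan the proxied page for “suspicious” tags. The anonymity check needs an endpoint you control that echoes request headers back; a public “what is my IP” page only shows the address, not the forwarded headers.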

Users who wish to take advantage of open proxies also should consider doing so using a Live CD or virtual machine setup that makes it easy to reset the system to a clean installation after each use. I rely on the free VirtualBox platform to run multiple virtual machines, a handful of which I use to do much of my regular browsing, tweeting, emailing and other things that can sometimes lead to malicious links, scripts, etc.

I’ll most likely revisit setting up your own VirtualBox installation in a future post, but this tutorial offers a fairly easy-to-follow primer on how to run a Live CD installation of a Linux distribution of your choosing on top of VirtualBox.

Darknet - The Darkside: Parrot Security OS – Debian Based Security Oriented Operating System

This post was syndicated from: Darknet - The Darkside and was written by: Darknet. Original post: at Darknet - The Darkside

Parrot Security OS is a security oriented operating system designed for Penetration Testing, Computer Forensic, Reverse engineering, Hacking, Privacy/Anonymity and Cryptography. Instead of installing the OS then painstakingly assembling your collection of security tools (and package dependencies), using something like Parrot Security OS takes care…

Read the full post at darknet.org.uk

Darknet - The Darkside: Apple’s Password Storing Keychain Cracked on iOS & OS X

This post was syndicated from: Darknet - The Darkside and was written by: Darknet. Original post: at Darknet - The Darkside

And another password shocker, a few days after ‘cloud’ password service LastPass was pretty seriously hacked (yah if you’re using it, change your master password) critical 0-day flaws in Apple’s password storing keychain have been exposed. Which is kinda funny, as after the LastPass hack I saw some people espousing the…

Read the full post at darknet.org.uk

TorrentFreak: Netflix VPN Problem? Leave Consumers Alone, Aussie Minister Says

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

After struggling with the issue of online piracy for many years, last week the Australian parliamentary committee investigating the government’s ‘pirate’ site-blocking Bill gave the legislation the green light.

After Coalition and Labor senators endorsed the Bill with four modifications, it is now guaranteed to become law.

Last evening the Bill passed the Australian House of Representatives but while doing so provoked interesting comment from Communications Minister Malcolm Turnbull on the issue of VPN use.

Noting that there is no “silver bullet” to deal with Internet piracy, Turnbull said that the Bill contains a number of safeguards and amendments designed to protect “public and private interests”, including the use of VPNs that are promoted or used for legitimate purposes.

“VPNs have a wide range of legitimate purposes, not least of which is the preservation of privacy — something which every citizen is entitled to secure for themselves — and [VPN providers] have no oversight, control or influence over their customers’ activities,” Turnbull said.

The Communications Minister went on to give the example of an Australian consumer using a VPN to ‘trick’ a U.S.-based site into thinking they were located inside the United States.

“This Australian could then — and this is widely done — purchase the content in the normal way with a credit card. The owner of the Australian rights to the content so acquired might well be quite unhappy about that, but they could take a remedy against the American site or the underlying owner of the rights. This bill does not apply to a site like this. It is not intended to apply to VPNs,” Turnbull confirmed.

There are key reasons why the Copyright Amendment (Online Infringement) Bill 2015 does not apply to VPN use, but for clarity’s sake, Turnbull spelled them out.

“Where someone is using a VPN to access, for example, Netflix from the United States to get content in respect of which Netflix does not have an Australian licence, this bill would not deal with that, because you could not say that Netflix in the United States has as its primary purpose the infringement, or facilitation of the infringement, of copyright,” the Minister said.

Indeed, for this scenario to be covered by the legislation then Netflix and/or the VPN provider would need to show a general disregard for copyright and meet several of at least eight criteria laid out in the Bill, including demonstrating “flagrant” infringement.

Turnbull went on to make it clear that if local entertainment companies have a problem with Australians utilizing VPNs to obtain a better content offering, then they should direct their grievances overseas and leave the man in the street alone.

“If Australian rights owners have got issues about American sites selling content to Australians in respect of which they do not have Australian rights, they should take it up with them. The big boys can sort it out between themselves and leave the consumers out of it,” Turnbull said.

Finally, the timely delivery of quality content at a fair price has always been a problem in Australia and one of the key local drivers behind both piracy and the VPN ‘problem’. Thankfully the issue was underlined by the Communications Minister who noted that blocking alone would not solve the country’s problems.

“The bill is not intended to operate in a vacuum. The availability of content that is timely and affordable is a key factor in the solution to online copyright infringement,” Turnbull said.

“When infringing sources of content are disrupted, this disruption will be most effective if Australian consumers have legitimate sources to turn to that provide content at competitive prices and at the same time that it is available overseas.”

Whether that situation comes to pass is up to the entertainment industries but if grand efforts aren’t made, Aussies will use their VPNs not only to access Netflix, but also evade every site blocking measure this legislation hopes to impose.


Lauren Weinstein's Blog: When Google Thinks They’re Your Mommy

This post was syndicated from: Lauren Weinstein's Blog and was written by: Lauren. Original post: at Lauren Weinstein's Blog

Major tech companies are in an interesting position these days. They provide and (one way or another) control most of our communications pipelines, and (quite reasonably) usually wish to encourage maximally effective security and privacy regimes. Certainly Google falls into this category, with world-class privacy and security teams that have been my privilege to work with in the past. But…

TorrentFreak: Mega Publishes First Transparency Report

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

For the past several years the publication of a so-called ‘Transparency Report’ has become common on large technology focused sites. Reddit, Twitter and even Amazon produce such documents.

Perhaps the best known report is produced by Google. This giant database is updated on a daily basis and includes details of hundreds of millions of requests by third parties to have content removed from the search giant’s databases. Today, cloud-storage site Mega gets in on the act with the publication of its first transparency report since the company launched in 2012.

The report, which details activities up until March 2015, focuses on content removal requests and third-party requests for information related to Mega’s users.

The company is New Zealand-based and governed by the laws of that country, but Mega notes that it also aims to comply with regulatory requirements in other key areas in which it does business, notably the United States.

Copyright takedowns

“When Mega receives such notices it promptly removes or disables access to the offending file or files, depending on the type of request, consistent with the Terms of Service agreed to by every registered user,” Mega notes.

Interestingly, Mega offers three options when accepting takedown requests:

1. Disable one link per file – the file will remain in the user’s account
2. Disable multiple URLs per file – the file will remain in the user’s account
3. Remove all underlying files of the supplied URL(s) – there is no user permitted to store this under any circumstance worldwide.

These options allow for externally linked content to be taken down while respecting fair use, for example.

“Many copyrighted materials provide the user with a licence to make a backup copy. Recently enacted UK law confirms this right. Uploading it to a cloud storage service is not infringing,” Mega explains.

Overall, the numbers of files being taken down are small when compared to the total number of files stored on the service.

“The number of files which have been subject to such take down notices continues to be very small, indicative of a user base which appreciates the speed and flexibility of Mega’s system for fully legal business and personal use.”

Mega’s claim of a “very small” number of files being taken down is supported by the company’s data. Currently the company’s users upload an impressive 15 to 20 million files per day, or roughly 175 to 230 files every second.

During 2013 Q1, Mega took down 30,078 files, representing just 0.019% of the total number of files present on Mega’s servers. By the first quarter of 2015, files taken down numbered 107,146 but due to a further boost in total files stored, that represented just 0.002% of the company’s storage.

Also noteworthy is the total number of requests Mega received for the removal of content. Starting in 2013 Q1, the company received 51,857 requests but 21,779 (42%) were either duplicate or invalid. By 2015 Q1 things had improved somewhat with ‘just’ 21% of requests rejected. However, 2014 Q4 was a particularly bad quarter, with more than a quarter of a million notices (63% of all notices sent) rejected as invalid or duplicate.


Despite the large numbers of complaints received (valid or otherwise), Mega says that it deals with them all in a timely manner.

“The DMCA requires links to be taken down expeditiously. Most cloud providers target takedown within 24 hours. Mega targets takedown within a maximum of 4 hours, with takedowns frequently being actioned much quicker than the 4 hour target,” the report reads.

This timing is impressive. In a 2014 announcement, Google reported an average takedown time of six hours when the company took down 222 million results from Google Search in 2013.

Repeat infringers

With entertainment companies continuously breathing down the company’s neck, the way Mega deals with so-called ‘repeat infringers’ is an important public barometer of the company’s attitude towards protecting copyright.

“Mega maintains market leading processes for dealing with users who upload and share copyright infringing material or breach any other legal requirements,” the company notes.

“Mega suspends the account of any user with 5 takedown actions. In some cases the account can be reinstated where it is proved to be the subject of invalid takedown notices but most suspended accounts are terminated. Up to 31 March 2015, Mega had suspended 29,213 users.”


Requests for personal information

Mega bills itself as ‘The Privacy Company’ so users are likely to expect that their personal information will be as safe, if not safer, in the hands of Mega than similarly placed service providers. Mega says it values user privacy but in some cases the company will hand over information to relevant authorities when required.

“Privacy is not an absolute right and is subject to limitations. We take all requests for the disclosure of user information seriously. In considering any request for user data, user information or action involving a Mega user, Mega starts from the position that user data and information is private,” the company writes.

“Mega will generally only provide user details when required to do so by New Zealand law or a New Zealand court or law enforcement authority with appropriate jurisdiction but Mega may consider requests made by non-New Zealand law enforcement authorities and civil claimants.”

However, considering how many people use Mega’s services, the number of requests for personal information is extremely low.

In 2013 the company received just a single request but handed over no data. In 2014 a total of six requests were received (all from overseas) and just two resulted in information being disclosed. Across the seven requests received in 2013 and 2014, four were made by government or the police, two by corporate entities and one by a private individual.

“Mega respects the need to openly disclose the level of non-compliant activity of the few users who breach its Terms of Service, even though many competitors don’t disclose such information,” Mega CEO Graham Gaylard informs TorrentFreak.

“Mega works very hard to ensure that the legitimate rights of content owners are respected.”

The full report can be found here.

Source: TorrentFreak, for the latest info on copyright, file-sharing, torrent sites and anonymous VPN services.

TorrentFreak: Kim Dotcom’s MegaNet Preps Jan 2016 Crowdfunding Campaign

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

For many years Kim Dotcom was associated with a crazy lifestyle but these days he prefers to be seen more as a family man.

Regularly posting pictures of his children on Twitter and playing down his wild past, Dotcom seems unlikely to entertain a recent request from Pirate Bay founder Peter Sunde to join him on the Gumball Rally.

But while yachts and fast cars might be a thing of the past, Dotcom has certainly not lost the fire in his belly when it comes to his current predicament. As he fights off a ravenous U.S. government determined to bring him to justice by any means possible, spying included, the Megaupload founder has positioned himself as a champion of Internet privacy.

On January 19, 2013, Dotcom marked the anniversary of the raid on his empire by launching the privacy-focused cloud-storage service Mega.co.nz. Next year on the same date, the tenacious German says he will deliver again.

Thus far, details are thin on the ground, but what we do know is that Dotcom is planning a new anti-censorship network he calls MegaNet.

“How would you like a new Internet that can’t be controlled, censored or destroyed by Governments or Corporations?” Dotcom teased in February.

MegaNet’s precise mechanism is yet to be revealed, but Dotcom has already stated that the network will be non-IP address based and that blockchain technology will play an important role.

What we also know is that users’ mobile phones will play a crucial role, although at launch other devices will participate in the network.

“All your mobile phones become an encrypted network,” Dotcom notes. “You’d be surprised how much idle storage & bandwidth capacity mobile phones have. MegaNet will turn that idle capacity into a new network.”

At this stage it appears that Dotcom envisions a totally decentralized system, an essential quality if he is to deliver on his claims of absolute privacy.

With the earlier promise that participants in MegaNet “become the MegaNet”, Dotcom’s announcement this morning that the project will seek monetary contributions from the masses seems entirely fitting.

“MegaNet details will be revealed and equity will be available via crowd funding on 20 Jan 2016, the fourth anniversary of the raid [on Dotcom and Megaupload],” Dotcom confirmed.

And for now, that is all. Dotcom has become something of an expert at dripping small details to the masses as and when he sees fit while allowing the media to fill in the blanks. It’s an effective strategy which provides millions in free advertising for close to zero marketing outlay.

The big question now is how much equity MegaNet will need to get off the ground and how many of Dotcom’s supporters will believe that privacy is a commodity worth supporting with their wallets. People were happy to support Peter Sunde’s Heml.is on the same premise, but as recently revealed the amount of cash required to compete can be considerable.

However, Dotcom probably won’t attempt this entirely on his own. Given his history there’s a significant chance that the entrepreneur will pull in heavyweights such as Julian Assange and Glenn Greenwald to support the campaign. That will definitely help to boost the coffers.

Update: Kim Dotcom has sent TorrentFreak additional details on how MegaNet will operate.

“MegaNet has a unique file crystallization and recreation protocol utilizing the blockchain. You can load entire websites with this new technology and it makes them immune to almost all hacker attacks and ddos,” Dotcom informs TF.

“In the beginning MegaNet will still utilize the current Internet as a dumb pipe but in 10 years it will run exclusively on smartphones with hopefully over 500 million users carrying the network.

“A network by the people for the people. Not controlled by any government or corporations. MegaNet will be a powerful tool to guard our privacy and freedoms and it will also be my legacy,” Dotcom concludes.

On the finance front, MegaNet will partner with Bnktothefuture.com and Max Keiser to raise capital.

Source: TorrentFreak, for the latest info on copyright, file-sharing, torrent sites and anonymous VPN services.

TorrentFreak: BitTorrent’s DHT Turns 10 Years Old

This post was syndicated from: TorrentFreak and was written by: Ben Jones. Original post: at TorrentFreak

The Birth of DHT, May 2005

When BitTorrent started in 2002, decentralization was one of its main innovations. The central structure of services like Napster ultimately led to their downfall, and while decentralized systems such as eDonkey/eMule and Gnutella existed, they were often cumbersome and filled with fakes and spam.

BitTorrent was also somewhat individualized. Clients only dealt with clients on the swarms they were interested in, and all conducted business through a tracker.

This led to problems though, when trackers went down, as the trackers were the only way for peers to get information about others in the swarm. There was no fallback, except trying to add more trackers and hope everyone else adds the same. However, with the launch of Distributed Hash Tables (DHT) these problems were all but over.

That two similar but incompatible DHT systems were launched within weeks of each other is quite surprising, given the history behind both. To this day, in fact, the systems are still incompatible, although there are plug-ins that allow the use of both to act as a bridge between the two swarms (one Vuze, one Mainline).

When you factor in that both were released just months after eXeem had tried and failed to do a similar thing (earning significant criticism while doing so) the success and longevity of both look even more impressive. But how did they come about?

The Vuze DHT debuted first, with version 2.3.0 of the Azureus client on May 2, 2005. In its announcements back then, they were keen to stress the difference from eXeem, stating it was a decentralized layer on top of BitTorrent, rather than a decentralised BitTorrent system itself. Within 24 hours there were more than 200,000 peers, and there are currently around 1.1 million peers on the network.

According to Paul Gardner, the main developer of the Azureus DHT system, tracker redundancy wasn’t the main reason behind its development. Instead, decentralized search was the driver.

“That was one of my pet aims when I joined the Azureus development team,” Gardner told TF earlier this month. “But the others in the team weren’t sure if search was a priority, so I found a way of working on some decentralization that perhaps one day could evolve into/be adapted for search. Of course decentralized tracking was a good aim in itself.”

Paul Gardner, Azureus/Vuze Developer

“I started from scratch,” Gardner recalls, “there weren’t any libraries out there I could use, so had to figure out which kind of DHT to use (Kademlia) etc. [It took] a few months I guess.”

Three weeks later, BitTorrent Inc. released its own DHT with version 4.1 of the mainline client. This was then adopted by the then popular client BitComet in early June, and by other clients soon after.

While the timing may suggest otherwise, BitTorrent’s DHT wasn’t a response to Vuze’s release at all, as the person responsible – Drue Loewenstern – had been working on it since 2002.

“I started working on the DHT in the summer of 2002 after making the first Mac BitTorrent clients, a year before Azureus was established on Sourceforge. Finishing it off and integration into BitTorrent started in 05 when BT became a company. I was in testing and about to release it when Azureus launched theirs,” Loewenstern says.

The inspiration for the BitTorrent mainline DHT came from an unlikely and famous source: Aaron Swartz.

“Distributed hash tables were an inspiring area of research. I was really into P2P, having just worked on MojoNation and BitTorrent, and wanted to do all sorts of cool decentralized things like trust metrics. Aaron Swartz, 15 at the time, circulated a one page implementation of the Chord algorithm and I was struck by its simplicity,” Loewenstern notes.

“I started looking into DHTs specifically and Kademlia was the first DHT paper that really clicked with me and seemed like it might work in the real world. So I decided to start implementing it without really knowing what I was going to do with it.”

Contrary to Vuze, redundancy was one of the main motivations driving the development of the mainline DHT.

“In the case of BitTorrent, the goal of the DHT has always been to make BT more robust, to improve performance by finding more peers, and to simplify publishing by making a tracker optional,” Loewenstern says.

DHT ‘Haters’

Of course, not everyone was thrilled to see the introduction of DHT. Private trackers were opposed to DHT as it enabled people to use the site’s torrents without being under the strict control of the tracker admins.

The solution to this was a form of access control called the private flag, which disabled DHT, along with Peer Exchange (PEX) and restricted peer access to trackers – locking things into the way of 2005.

The flag lives inside the torrent’s info dictionary, the data that is hashed to produce the info-hash, so setting or clearing it changes the hash: a torrent with the flag enabled is a completely separate swarm from the same content with the flag disabled, and peers on one cannot see the other. It also gave these sites a new way to market themselves, by condensing the term “private flagged torrent trackers” to “private trackers,” implying some form of privacy.
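The mechanism described above, as an added example that is not code from the article, from Vuze or from the mainline client: a hand-written bencode encoder (BitTorrent’s serialization format, with dictionary keys in sorted byte order), the info-hash computed as the SHA-1 of the bencoded info dictionary, and the private flag set per BEP 27 as the key “private” with value 1 inside that dictionary. The sample info dictionary, its piece hashes and the tracker URLs are constructed for the demonstration; the point it shows is that flipping the flag produces a different swarm identifier, while changing data outside the info dictionary (such as the announce URL) does not.

```python
import hashlib


def bencode(obj) -> bytes:
    """Encode ints, byte/str strings, lists and dicts in bencode form.

    Hand-written for this example; follows the BitTorrent spec: integers as
    i<n>e, strings as <len>:<bytes>, lists as l...e and dictionaries as d...e
    with keys emitted in raw byte order.
    """
    if isinstance(obj, bool):
        raise TypeError("bencode has no boolean type; use 0/1")
    if isinstance(obj, int):
        return b"i%de" % obj
    if isinstance(obj, str):
        obj = obj.encode("utf-8")
    if isinstance(obj, (bytes, bytearray)):
        return b"%d:%s" % (len(obj), bytes(obj))
    if isinstance(obj, (list, tuple)):
        return b"l" + b"".join(bencode(x) for x in obj) + b"e"
    if isinstance(obj, dict):
        items = []
        for k, v in obj.items():
            items.append((k.encode("utf-8") if isinstance(k, str) else bytes(k), v))
        items.sort(key=lambda kv: kv[0])
        return b"d" + b"".join(bencode(k) + bencode(v) for k, v in items) + b"e"
    raise TypeError("cannot bencode %s" % type(obj).__name__)


def info_hash(info: dict) -> str:
    """The swarm identifier: SHA-1 over the bencoded 'info' dictionary, as hex."""
    return hashlib.sha1(bencode(info)).hexdigest()


def swarm_id(torrent: dict) -> str:
    """Info-hash of a whole .torrent structure; only the 'info' part counts."""
    return info_hash(torrent["info"])


def with_private_flag(info: dict, private: bool = True) -> dict:
    """Copy of the info dict with the BEP 27 private flag set (private=1) or removed."""
    new = dict(info)
    if private:
        new["private"] = 1
    else:
        new.pop("private", None)
    return new


def is_private(info: dict) -> bool:
    """True when a client should disable DHT and PEX for this torrent."""
    return info.get("private") == 1


# Constructed sample: a single 512 KiB file in two 256 KiB pieces. The piece
# hashes are placeholders derived from fixed strings, not real file content.
SAMPLE_INFO = {
    "name": "example.iso",
    "length": 524288,
    "piece length": 262144,
    "pieces": hashlib.sha1(b"piece-0").digest() + hashlib.sha1(b"piece-1").digest(),
}


def demo() -> dict:
    """Compare the public and private-flagged versions of the same content."""
    public = {"announce": "http://tracker-a.example/announce", "info": SAMPLE_INFO}
    private = {"announce": "http://tracker-b.example/announce",
               "info": with_private_flag(SAMPLE_INFO)}
    # Same content, different tracker, no flag: hash unchanged (announce sits outside 'info').
    retracked = {"announce": "http://tracker-b.example/announce", "info": SAMPLE_INFO}
    return {
        "public": swarm_id(public),
        "private": swarm_id(private),
        "retracked_matches_public": swarm_id(retracked) == swarm_id(public),
        "private_matches_public": swarm_id(private) == swarm_id(public),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-26s %s" % (key, value))
```

Running it prints two different 40-hex-character hashes, True for the re-tracked torrent and False for the private one: a client that honours the flag sees two unrelated swarms, which is exactly why a private torrent re-uploaded to a public index, as Loewenstern complains about below, cannot borrow peers from DHT or PEX.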

This move though, was not by choice.

“There’s always been tensions between clients and private trackers,” Vuze’s Gardner says. “In particular they like to ban Vuze because it is ‘open source and people have hacked it to report incorrect stats’ or other such ‘reasons’. I’ve never been a fan of [the private flag] as a solution.”

Loewenstern agrees:

“It came to be because some index site operators enforce upload/download ratios in an effort to keep seeders around for torrents that nobody wants to be left holding the bag for by seeding. They thought DHT (and PEX) might let users bypass the ratio system so they made a lot of noise about banning clients that implemented DHT,” he says.

“Azureus didn’t want to get banned so they came up with the private flag and added it to their client. It wasn’t my decision to add it to BitTorrent. Without PEX, torrents take longer to ramp up so it annoys me when people upload private torrents to public index sites.”

NEXT, The BitComet Incident

Source: TorrentFreak, for the latest info on copyright, file-sharing, torrent sites and anonymous VPN services.

Schneier on Security: 2015 EPIC Champions of Freedom Dinner

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

Monday night, EPIC — that’s the Electronic Privacy Information Center — had its annual Champions of Freedom Dinner. I tell you this for two reasons. One, I received a Lifetime Achievement Award. (I was incredibly honored to receive this, and I thank EPIC profusely.) And two, Apple’s CEO Tim Cook received a Champion of Freedom Award. His acceptance speech, delivered remotely, was amazing.

The Hacker Factor Blog: Security By Insurance

This post was syndicated from: The Hacker Factor Blog and was written by: The Hacker Factor Blog. Original post: at The Hacker Factor Blog

There are lots of different security concepts. Insulation (also called modularity or compartmentalization) limits the potential scope of a bug or compromise. Least privilege grants access on a “need to know” basis. Validating inputs is a safety check to make sure that external data does not lead to bugs or exploits… There are dozens of these concepts.

Then there’s the kitchen-sink mentality: defense in depth. Why rely on one security concept when you can deploy a stack of them? This helps prevent a compromise at one level from compromising everything. Instead of jumping one hurdle, an attacker needs to jump a dozen hurdles. It doesn’t make it impossible to compromise a system, but it does make it more difficult.

You’re in good hands (Allstate)

A lot of people still depend on Security by Obscurity (SbO). This is where you don’t tell anyone about the security processes that have been deployed. By keeping it secret, attackers need to guess at the safeguards. SbO works as long as nobody knows the secret. However, this doesn’t stop someone from stumbling across a vulnerability. And attackers can always observe results and piece together the actual security processes.

For example, a few weeks ago I had a user who was trying to automate uploads to FotoForensics — I prohibit automated uploads (the public site is for humans to use, not bots). Each time he got blocked, he would spend time trying to figure out the cause and then worked around the ban. I have about two dozen security precautions that look for abuses and this guy systematically worked through more than half of them before giving up. (He spent days during this process, and was banned about 50 times.)

In this case, security by obscurity worked with defense in depth to mitigate his abuse. If he had known the security steps that I had implemented, he would have been able to bypass them faster. With insight, he could even get an idea about how far he had progressed and could decide whether to continue. With SbO, he never knew how far he got and he spent days trying before giving up. (And by observing this, I figured out how he was detecting the security procedures, how to better obscure my defenses, and how to add in even more levels of security. Someone like him will not get as far next time.)

Security by obscurity does help mitigate an attacker’s ability to compromise a system. However, SbO should never be your only security option.

Like a good neighbor (State Farm)

Unfortunately, there are also a lot of bad security processes out there, like security by apathy, where people or companies just don’t care about long term security. This could be as simple as intentionally using a bad password for some online web service, or having buggy bloatware apps that you cannot delete running on your cellphone. Even Verizon’s super-cookies are a type of security by apathy, since Verizon doesn’t care whether external services can track its customers.

There is another bad concept that lots of companies seem to depend on: Security by Insurance. This is where companies do the absolute minimum to secure data. If the data is compromised, then they can have their insurance companies cover the damages.

A good example of security-by-insurance is the Payment Card Industry’s Data Security Standard. The PCI DSS is nothing more than the absolute minimum, and it is not enough to protect consumer information. Companies like Best Buy, CardSystems Solutions, TJX, and Target strive for nothing more than PCI compliance since that is enough to get their insurance companies to cover any breaches.

Cash if you die. Cash if you don’t. (Lloyd’s Life Insurance)

For years, I have been under the belief that the direct solution is not always the best solution. For example, the entire debate on net neutrality addresses a symptom and not a cause. If we don’t have net neutrality, then it is bad for consumers. And if we do have net neutrality, then it is also bad for consumers.

In my opinion, laws and regulations about net neutrality will not solve the problem. Instead, you have to come at the problem sideways. To resolve net neutrality, we need more competition among Internet service providers. If I don’t like how Comcast throttles Netflix, then, if there was more competition, I could switch to someone who doesn’t throttle Netflix. If I could leave for a different ISP when Comcast began throttling, then Comcast would quickly stop throttling. Similarly, if we had more carrier options, then the blocking, throttling, arbitrary prioritization, and interception issues associated with net neutrality would become moot.

By the same means, I do not think that security at these large companies will be taken seriously until after the insurance companies stop paying out for poor security practices. I even mentioned this in my letter to United Airlines. Failure to take adequate security precautions could lead to issues with their airplane insurance policies. If airlines could not be insured due to a lack of computer security, then you can be certain that the computer security would improve.

Ironically, the insurance companies just pushed back…

Gets you back where you belong (Farmers)

Columbia Casualty Insurance recently denied a claim related to a health care provider’s information leak. The insurer cited poor security practices by Cottage Health. As noted by Law360 (my bold for emphasis):

According to Columbia, prior to the issuance of the subject policy, it asked Cottage to complete, as part of its application, a risk control self-assessment. In doing so, Cottage represented that it followed minimum required practices relating to its data security, including checking for security patches to its systems at least weekly, replacing factory default settings to ensure that its information security systems are securely configured, reassessing its exposure to information security and privacy threats at least yearly, outsourcing its information security management to a qualified firm specializing in security (or having staff responsible for and trained in information security), having a way to detect unauthorized access or attempts to access its sensitive information and tracking all changes to its network to ensure it remains secure.

In light of the compromise and subsequent class-action settlement for $4.13 million, it appears that Cottage did not uphold the minimum requirements as claimed to the insurance company.

Making matters worse, Cottage does not seem to have the money to cover this settlement and was depending on the insurance company to bail them out. As Law360 wrote, “Columbia also asserts that [Cottage Health] does not maintain sufficient liquid assets to contribute toward the proposed settlement fund and does not maintain liability insurance that applies with respect to the privacy claims asserted in the class action.” In other words, they agreed to the settlement under the assumption that they could have the insurance cover it. The denial by the insurance company is still pending in the courts.

This single action of denying a claim due to insufficient security procedures is a game changer. Even though this is a relatively minor insurance provider and a small health care provider, it is going to have huge implications. This single rejection means that companies will no longer be able to perform the bare minimal steps needed for compliance with PCI, Sarbanes-Oxley, HIPAA, and other regulations. In the future, if companies want to have insurance coverage, then they need to do more than minimal.

This is how security changes in an industry. Better security is not another firewall, a longer password, or another audit checklist. Better security is the incentive to do more than the minimum.

TorrentFreak: UN: Encryption and Anonymity Must Be Protected

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

For the past several years and particularly in the wake of the Edward Snowden revelations, interest in encrypted and anonymous communications has spread to a much wider audience.

More than ever before the ability to send and receive information both privately and anonymously is viewed as crucial in the digital age, enabling all corners of society – especially those most persecuted – to exercise their right to freedom of opinion and expression.

On the other hand, there are those who abuse those freedoms and the rights of others. And then, rightly or wrongly, there are those who communicate privately in order to undermine their governments. This leads some nations to restrict or even ban encryption, while others seek to introduce laws which allow law enforcement to tap into citizens’ communications.

A new report from David Kaye, a UN special rapporteur on freedom of expression, seeks to shine light on these complex issues by asking two questions:

– Do the rights to privacy and freedom of opinion and expression protect secure online communication, specifically by encryption or anonymity?
– Assuming an affirmative answer, to what extent may Governments, in accordance with human rights law, impose restrictions on encryption and anonymity?

Acknowledging that some states impose draconian measures to restrict citizens’ abilities to send and impart knowledge without fear, Kaye says that journalists and activists often need specialist tools to make their voices heard.

“A VPN connection, or use of Tor or a proxy server, combined with encryption, may be the only way in which an individual is able to access or share information in such environments,” Kaye says.

Noting that individuals should be able to send and receive information beyond their borders, the rapporteur states that some member states act to deny those freedoms by restricting communications using aggressive filtering.

“Encryption enables an individual to avoid such filtering, allowing information to flow across borders. Moreover, individuals do not control — and are usually unaware of — how or if their communications cross borders. Encryption and anonymity may protect information of all individuals as it transits through servers located in third countries that filter content,” Kaye writes.

Of course, in the online environment encryption and anonymity are often spoken of in the same breath, and just as encryption can often beat the censors, in some cases staying anonymous is vital to continued freedom of expression.

“Anonymity has been recognized for the important role it plays in safeguarding and advancing privacy, free expression, political accountability, public participation and debate,” Kaye writes.

“Some States exert significant pressure against anonymity, offline and online. Yet because anonymity facilitates opinion and expression in significant ways online, States should protect it and generally not restrict the technologies that provide it.”

Kaye notes that several states have attempted to combat anonymity tools such as Tor, VPNs and proxies, with Russia even offering significant cash bounties for techniques which would enable it to unmask Tor users. However, because of their human rights value, use of such tools should actually be encouraged.

“Because such tools may be the only mechanisms for individuals to exercise freedom of opinion and expression securely, access to them should be protected and promoted,” Kaye advises.

“States should revise or establish, as appropriate, national laws and regulations to promote and protect the rights to privacy and freedom of opinion and expression.”

In respect of encryption and anonymity, Kaye says that member states should adopt policies of “non-restriction or comprehensive protection”, and only introduce restrictions on a proportional, court-order supported, case-by-case basis.

Adding that states and companies alike should actively promote strong encryption and anonymity, Kaye says that measures that weaken individuals’ online security, such as backdoors, weak encryption standards and key escrow, should be avoided.

Finally, Kaye advises member states to not only encourage the use of encryption, but also make it the norm.

“The Special Rapporteur, recognizing that the value of encryption and anonymity tools depends on their widespread adoption, encourages States, civil society organizations and corporations to engage in a campaign to bring encryption by design and default to users around the world and, where necessary, to ensure that users at risk be provided the tools to exercise their right to freedom of opinion and expression securely,” the report concludes.

Source: TorrentFreak, for the latest info on copyright, file-sharing, torrent sites and anonymous VPN services.

Darknet - The Darkside: IRS Was Not Hacked – Taxpayer Data Stolen For 100,000 People

This post was syndicated from: Darknet - The Darkside and was written by: Darknet. Original post: at Darknet - The Darkside

So the IRS was not hacked – as many media outlets are claiming. Was taxpayer data stolen from IRS systems? Yes, did it involve any kind of hack (by any definition) – no. There was no intrusion, there was some clever phishing, data slurping and brute forcing – of people who already had their data […]

The post IRS Was Not Hacked…

Read the full post at darknet.org.uk