Posts tagged ‘Privacy’

Errata Security: Needs more Hitler

This post was syndicated from: Errata Security and was written by: Robert Graham. Original post: at Errata Security

Godwin’s Law doesn’t apply to every mention of Hitler, as the Wikipedia page explains:

Godwin’s law applies especially to inappropriate, inordinate, or hyperbolic comparisons with Nazis. The law would not apply to mainstays of Nazi Germany such as genocide, eugenics, racial superiority, or to a discussion of other totalitarian regimes, if that was the explicit topic of conversation, because a Nazi comparison in those circumstances may be appropriate.

Last week, I wrote a piece about how President Obama’s proposed cyber laws were creating a Cyber Police State. The explicit topic of my conversation is totalitarian regimes.

This week, during the State of the Union address, I compared the text of Mein Kampf to the text of President Obama’s speech. Specifically, Mein Kampf said this:

The state must declare the child to be the most precious treasure of the people. As long as the government is perceived as working for the benefit of the children, the people will happily endure almost any curtailment of liberty and almost any deprivation.

Obama’s speech in support of his cyber legislation says this:

No foreign nation, no hacker, should be able to shut down our networks, steal our trade secrets, or invade the privacy of American families, especially our kids. We are making sure our government integrates intelligence to combat cyber threats, just as we have done to combat terrorism. And tonight, I urge this Congress to finally pass the legislation we need to better meet the evolving threat of cyber-attacks, combat identity theft, and protect our children’s information.

There is no reason to mention children here. None of the big news stories about hacker attacks have mentioned children. None of the credit cards scandals, or the Sony attack, involved children. Hackers don’t care about children, have never targeted children in the past, and are unlikely to target children in the future. Children are wholly irrelevant to the discussion.

The only reason children are mentioned in this section is for the exact reason described by Hitler. And this ties directly back to my original thesis that these cyber laws will create a cyber police state.

I didn’t immediately reach for Hitler to describe this problem. I started searching for quotes from the Simpsons, whose character Helen Lovejoy satirizes this situation by screaming at inappropriate times “Why won’t anybody think of the children“. But, while googling, I landed on the Mein Kampf quote first. Since it so perfectly describes this situation, I chose it instead of the Simpsons example.

Famous lefty Michael Moore compared the response to 9/11 with that of the Reichstag fire that catapulted the Nazi party into power. After the fire, Hitler was able to suspend civil liberties in order to fight the communists. This is appropriate, and not an application of Godwin’s law. Many claimed this was hyperbole, because the Patriot Act didn’t go as far as the Germans in suspending civil liberties, or handing power to President Bush. But that’s not the point — the point is that in both cases we were talking about the same sort of situation.

What keeps our country free is the lesson of totalitarian countries like Nazi Germany, Stalinist Russia, and Maoist China. We need to regularly be reminded of those lessons. When the situations are similar, albeit not as extreme, somebody needs to stand up and make that comparison. That’s how we prevent these situations from becoming as extreme.

In other words, we need more lessons from Hitler. When comparisons are appropriate, when we are talking about totalitarianism, we shouldn’t let accusations of “Godwin’s Law” drown them out.

LWN.net: Cory Doctorow Rejoins EFF to Eradicate DRM Everywhere

This post was syndicated from: LWN.net and was written by: ris. Original post: at LWN.net

The Electronic Frontier Foundation has announced
that Cory Doctorow has rejoined the organization “to battle the pervasive use of dangerous digital rights management (DRM) technologies that threaten users’ security and privacy, distort markets, confiscate public rights, and undermine innovation.”

Darknet - The Darkside: Gitrob – Scan Github For Sensitive Files

This post was syndicated from: Darknet - The Darkside and was written by: Darknet. Original post: at Darknet - The Darkside

Developers generally like to share their code, and many of them do so by open sourcing it on GitHub, a social code hosting and collaboration service. Many companies also use GitHub as a convenient place to host both private and public code repositories by creating GitHub organizations where employees can be joined. Sometimes employees might…

Read the full post at darknet.org.uk

TorrentFreak: MPAA Links Online Piracy to Obama’s Cybersecurity Plan

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

The unprecedented Sony hack has put cybersecurity on top of the political agenda in the United States.

Just last week Representative Ruppersberger re-introduced the controversial CISPA bill and yesterday President Obama announced his new cybersecurity plans.

New measures are needed to “investigate, disrupt and prosecute” cybercrime, as recent events have shown that criminals can and will exploit current weaknesses, according to the White House.

“In this interconnected, digital world, there are going to be opportunities for hackers to engage in cyber assaults both in the private sector and the public sector,” President Obama notes.

Together with Congress the Obama administration hopes to draft a new bill that will address these concerns. Among other things, the new plan aims to improve information sharing between private Internet companies and the Government.

Privacy advocates argue that this kind of data sharing endangers the rights of citizens, who may see more private data falling into the hands of the Government. President Obama, on the other hand, sees it as a necessity to stop attacks such as the Sony breach.

“Because if we don’t put in place the kind of architecture that can prevent these attacks from taking place, this is not just going to be affecting movies, this is going to be affecting our entire economy in ways that are extraordinarily significant,” the President cautions.

With the Sony hack Hollywood played a central role in putting cybersecurity back on the agenda. And although President Obama makes no mention of online piracy, the MPAA is quick to add it to the discussion.

In a statement responding to the new cybersecurity plans, MPAA CEO Chris Dodd notes that because of these criminals certain companies have their “digital products exposed and available online for anyone to loot.”

“That’s why law enforcement must be given the resources they need to police these criminal activities,” Dodd says.

The MPAA appears to blend the Sony hack with online piracy. It calls upon Congress to keep the interests of Hollywood in mind, and urges private actors including search engines and ISPs to help in curbing the piracy threat.

“… responsible participants in the Internet ecosystem – content creators, search, payment processors, ad networks, ISPs – need to work more closely together to forge initiatives to stop the unlawful spread of illegally-obtained content,” Dodd says.

Hollywood’s effort to frame online piracy as a broader cybersecurity threat is not entirely new.

Last year an entertainment industry backed report claimed that 90 percent of the top pirate sites link to malware or other unwanted software. In addition, two-thirds were said to link to credit card scams.

This report was later cited in a Senate Subcommittee hearing where the MPAA urged lawmakers to take steps so young Americans can be protected from the “numerous hazards on pirate sites.”

Whether a new cybersecurity bill will indeed include anti-piracy measures has yet to be seen. But for the MPAA it may be one of the few positive outcomes of the Sony hack, which exposed some of its best kept secrets in recent weeks.

Source: TorrentFreak, for the latest info on copyright, file-sharing, torrent sites and anonymous VPN services.

Krebs on Security: Toward Better Privacy, Data Breach Laws

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

President Obama on Monday outlined a proposal that would require companies to inform their customers of a data breach within 30 days of discovering their information has been hacked. But depending on what is put in and left out of any implementing legislation, the effort could well lead to more voluminous but less useful disclosure. Here are a few thoughts about how a federal breach law could produce fewer yet more meaningful notices that may actually help prevent future breaches.

The plan is intended to unify nearly four dozen disparate state data breach disclosure laws into a single, federal standard. But as experts quoted in this story from The New York Times rightly note, much rides on whether or not any federal breach disclosure law is a baseline law that allows states to pass stronger standards.

For example, right now seven states already have so-called “shot-clock” disclosure laws, some more stringent; Connecticut requires insurance firms to notify no more than five days after discovering a breach; California has similar requirements for health providers. Also, at least 14 states and the District of Columbia have laws that permit affected consumers to sue a company for damages in the wake of a breach. What’s more, many states define “personal information” differently and hence have different triggers for what requires a company to disclose. For an excellent breakdown on the various data breach disclosure laws, see this analysis by BakerHostetler (PDF).

Leaving aside the weighty question of federal preemption, I’d like to see a discussion here and elsewhere about a requirement which mandates that companies disclose how they got breached. Naturally, we wouldn’t expect companies to disclose the specific technologies they’re using in a public breach document. Additionally, forensics firms called in to investigate aren’t always able to precisely pinpoint the cause or source of the breach.

But this information could be publicly shared in a timely way when it’s available, and appropriately anonymized. It’s unfortunate that while we’ve heard time and again about credit card breaches at retail establishments, we know very little about how those organizations were breached in the first place. A requirement to share the “how” of the hack when it’s known, in an anonymized form and broken out by industry, would be helpful.

I also want to address the issue of encryption. Many security experts insist that there ought to be a carve-out that would allow companies to avoid disclosure requirements in a breach that exposes properly encrypted sensitive data (i.e., the intruders did not also manage to steal the private key needed to decrypt the data). While a broader adoption of encryption could help lessen the impact of breaches, this exception is in some form already included in nearly all four dozen state data breach disclosure laws, and it doesn’t seem to have lessened the frequency of breach alerts.

I suspect there are several reasons for this. The most obvious is that few organizations that suffer a breach are encrypting their sensitive data, or that they’re doing so sloppily (exposing the encryption key, e.g.). Also, most states have provisions in their breach disclosure laws that require a “risk of harm” analysis that forces the victim organization to determine whether the breach is reasonably likely to result in harm (such as identity theft) to the affected consumer.

This is important because many of these breaches are the result of thieves breaking into a Web site database and stealing passwords, and in far too many cases the stolen passwords are not encrypted but instead “hashed” using a relatively weak and easy-to-crack approach such as MD5 or SHA-1. For a good basic breakdown on the difference between encrypting data and hashing it, check out this post. Also, for a primer on far more secure alternatives to cryptographic hashes, see my 2012 interview with Thomas Ptacek, How Companies Can Beef Up Password Security.
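The difference between a fast unsalted hash and a slow, salted key-derivation function is easiest to see in code. The following is an added example, not code from Krebs or from the interview he links: the weak form (unsalted MD5) next to a hardened form using the standard library’s PBKDF2-HMAC-SHA256 (the interview’s recommendation of bcrypt or scrypt has the same shape; PBKDF2 is used here only because it ships with Python). The user table is constructed for the demo; the iteration count and the `pbkdf2_sha256$…` storage format are choices of this example.

```python
import hashlib
import hmac
import os
import time


def weak_hash(password: str) -> str:
    """The 'before': unsalted, single-pass MD5.

    Every user with the same password gets the same digest, so one precomputed
    table breaks all of them at once, and MD5 itself runs at billions of
    guesses per second on commodity hardware.
    """
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def strong_hash(password: str, salt=None, iterations: int = 200_000) -> str:
    """The 'after': per-user random salt plus an iterated KDF (PBKDF2-HMAC-SHA256).

    The salt defeats precomputed tables; the iteration count makes each guess
    cost roughly 200,000 SHA-256 operations instead of one. The returned string
    is self-describing so the parameters can be raised later without a migration.
    Storage format 'pbkdf2_sha256$iters$salt$digest' is an assumption of this example.
    """
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_strong(password: str, stored: str) -> bool:
    """Recompute with the stored salt/iterations and compare in constant time."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unknown hash format")
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(dk.hex(), dk_hex)


def duplicate_digests(table: dict) -> dict:
    """Given {user: digest} from an unsalted table, group users sharing a digest.

    This is what a leaked MD5 table hands over for free: identical passwords
    are visible before a single guess is made. A salted table has no such groups.
    """
    groups = {}
    for user, digest in table.items():
        groups.setdefault(digest, []).append(user)
    return {d: users for d, users in groups.items() if len(users) > 1}


def seconds_per_guess(hasher, samples: int = 5) -> float:
    """Rough wall-clock cost of one hash; the ratio weak:strong is the cracker's slowdown."""
    start = time.perf_counter()
    for i in range(samples):
        hasher(f"guess{i}")
    return (time.perf_counter() - start) / samples


if __name__ == "__main__":
    # Constructed sample users: two of them picked the same password.
    users = {"alice": "password", "bob": "password", "carol": "hunter2"}

    weak_table = {u: weak_hash(p) for u, p in users.items()}
    strong_table = {u: strong_hash(p) for u, p in users.items()}

    print("shared MD5 digests:", duplicate_digests(weak_table))      # alice and bob exposed
    print("shared PBKDF2 digests:", duplicate_digests(strong_table))  # {} thanks to salts
    print("alice login ok:", verify_strong("password", strong_table["alice"]))
    print("weak  s/guess: %.2e" % seconds_per_guess(weak_hash))
    print("strong s/guess: %.2e" % seconds_per_guess(strong_hash))
```

The point the table makes is the one Krebs raises: a breach of “hashed” passwords stored with unsalted MD5 or SHA-1 is, for practical purposes, a breach of the passwords, while the salted and iterated form turns the same leak into an expensive per-account guessing problem.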

As long as we’re dealing with laws to help companies shore up their security, I would very much like to see some kind of legislative approach that includes ways to incentivize more companies to deploy two-factor and two step authentication — not just for their customers, but just as crucially (if not more so) for their employees.

PRIVACY PROMISES

President Obama also said he would propose the Student Data Privacy Act, which, according to The Times, would prohibit technology firms from profiting from information collected in schools as teachers adopt tablets, online services and Internet-connected software. The story also noted that the president was touting voluntary agreements by companies to safeguard energy data and to provide easy access to consumer credit scores. While Americans can by law get a free copy of their credit report from each of the three major credit bureaus once per year — at annualcreditreport.com — most consumers still have to pay to see their credit scores.

These changes would be welcome, but they fall far short of the sorts of revisions we need to the privacy laws in this country, some of which were written in the 1980s and predate even the advent of Web browsing technology. As I’ve discussed at length on this blog, Congress sorely needs to update the Electronic Communications Privacy Act (ECPA), the 1986 statute that was originally designed to protect Americans from Big Brother and from government overreach. Unfortunately, the law is now so outdated that it actually provides legal cover for the very sort of overreach it was designed to prevent. For more on the effort to change the status quo, see digitaldueprocess.org.

Also, I’d like to see a broader discussion of privacy proposals that cover what companies can and must/must not do with all the biometric data they’re collecting from consumers. Companies are tripping over themselves to collect oodles of potentially very sensitive such data from consumers, and yet we still have no basic principles that say what companies can do with that information, how much they can collect, how they can collect it or share it, or how they will protect that information.

There are a handful of exceptions at the state level (read more here). But overall, we’re really lacking any sort of basic protections for that information, and consumers are giving it away every day without fully realizing there are basically zero federal standards for what can or should be done with this information.

Coming back to the subject of encryption: Considering how few companies actually make customer data encryption the default approach, it’s discouraging to see elements of this administration criticizing companies for it. There is likely a big showdown coming between the major mobile players and federal investigators over encryption. Apple and Google’s recent decision to introduce default, irrevocable data encryption on all devices powered by their latest operating systems has prompted calls from the U.S. law enforcement community for legislation that would require mobile providers to allow law enforcement officials to bypass that security in criminal investigations.

In October, FBI Director James Comey called on the mobile giants to dump their new encryption policies. Last week, I spoke at a conference in New York where the panel prior to my talk was an address from New York’s top prosecutor, who said he was working with unnamed lawmakers to craft new legal requirements. Last week, Sen. Ron Wyden (D-Ore.) reintroduced a bill that would bar the government from requiring tech companies to build so-called “backdoor” access to their data for law enforcement.

This tension is being felt across the pond as well: British Prime Minister David Cameron also has pledged new anti-terror laws that give U.K. security services the ability to read encrypted communications on mobile devices.

TorrentFreak: Record Labels Try to Force ISP to Disconnect Pirates

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

Half a decade ago the Irish Recorded Music Association (IRMA) ended its legal action against local ISP Eircom when the ISP agreed to implement a new anti-piracy policy against its own subscribers.

The agreement saw IRMA-affiliated labels including Sony, Universal and Warner tracking Eircom subscribers online. Eircom then forwarded warning notices to customers found to be sharing content without permission and agreed to disconnect those who were caught three times.

In a follow-up move IRMA tried to force another ISP, UPC, to implement the same measures. UPC fought back and a 2010 High Court ruling went in the ISP’s favor.

However, a 2012 change in the law emboldened IRMA to have a second bite and now the music group’s case is being heard by the Commercial Court. As before, IRMA wants an injunction issued against UPC forcing it to implement a “three strikes” or similar regime against its customers.

According to the Irish Times, Michael McDowell SC representing the labels said that UPC could come up with its own graduated response, whether it be “two strikes” or “five strikes”.

For its part, UPC appears to be more concerned about the cost of operating such a system rather than the actual introduction of one. UPC has provided estimates for doing so but the labels view the amounts involved as excessive.

Surprisingly, Cian Ferriter SC, for UPC, said the ISP has “no difficulty in handing over information” (on pirates) for the labels to pursue but the company has issues with setting up an “entire system” to deal with the problem.

The stance of UPC seems markedly different from its position during February 2014. At the time the company said that subjecting customers to a graduated response scheme would raise a “serious question of freedom of expression and public policy” and would “demand fair and impartial procedures in the appropriate balancing of rights.”

In the event, however, Mr McDowell said that UPC’s offer was not only new but one that raises concern over privacy and data protection issues.

IRMA chairman Willie Kavanagh previously said that the Eircom three-strikes scheme had been “remarkably effective,” since only 0.2% of warned users have proceeded to the disconnection stage. Perhaps even more remarkable is that even after four years of the program, Eircom hadn’t disconnected a single customer.

“We are continuing to implement the graduated response process,” a spokesman said last March. “We haven’t, as yet, disconnected anyone.”

IRMA is contractually bound by its agreement with Eircom to pursue UPC and/or other ISPs to implement a graduated response scheme, so expect this one to run either until the bitter end – or until UPC caves in. For now the case is scheduled to run for eight days.

Source: TorrentFreak, for the latest info on copyright, file-sharing, torrent sites and anonymous VPN services.

TorrentFreak: Aussie ISPs Rushing Ahead With Anti-Piracy Proposals

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

For years Australian citizens have complained of being treated as second class citizens by content companies who have failed to make content freely available at a fair price. As a result millions of Aussies have turned to file-sharing networks for their media fix.

This has given the country somewhat of a reputation on the world stage, which in turn has put intense pressure on the Australian government to do something to reduce unlawful usage.

After years of negotiations between ISPs and entertainment companies went nowhere, last year the government stepped in. ISPs were warned that if they don’t take voluntary measures to deter and educate pirating subscribers, the government would force a mechanism upon them by law.

With a desire to avoid that option at all costs, the service providers went away with orders to come up with a solution. Just last month Attorney-General George Brandis and Communications Minister Malcolm Turnbull set an April 8 deadline, a tight squeeze considering the years of failed negotiations.

Nevertheless, iiNet, Australia’s second largest ISP, feels that the deadline will be met.

“We will have code; whether or not it gets the rubber stamp remains to be seen,” says iiNet chief regulatory officer Steve Dalby. “Dedicated people are putting in a lot of work drafting documents and putting frameworks together.”

With just 120 days to come up with a solution the government’s deadline is a big ask and Dalby says there are plenty of complications.

“There are issues around privacy, there are issues around appeals. There are issues around costs. There is a lot of work that needs to be done,” he says.

Of course, these are exactly the same issues that caused talks to collapse on a number of occasions in the past. However, in recent months it’s become clear that the government is prepared to accept less stringent measures than the entertainment industries originally wanted. Slowing and disconnecting subscribers is now off the table, for example.

Although there has been no official announcement, it seems likely that the ISPs will offer a notice-and-notice system similar to the one being planned for the UK.

Subscribers will be informed by email that their connections are being used to share content unlawfully and will be politely but firmly asked to stop. An educational program, which advises users where to obtain content legally, is likely to augment the scheme.

Who will pay for all this remains to be seen. ISPs have previously refused to contribute but with the government threatening to impose a code if a suitable one is not presented, compromise could be on the table.

Source: TorrentFreak, for the latest info on copyright, file-sharing, torrent sites and anonymous VPN services.

Клошкодил: An Open Letter to Mr. David Cameron

This post was syndicated from: Клошкодил and was written by: Vasil Kolev. Original post: at Клошкодил

(this is a guest post from Boyan Krosnov, the original is here)

An open letter to Mr. David Cameron,

Sir,

This letter is in reaction to your statement: “But the question remains: are we going to allow a means of communications which it simply isn’t possible to read. My answer to that question is: ‘No we must not’.” (Source: link)

Mr. Cameron, firstly this letter has nothing to do with recent events in Paris. It is solely addressing the issue of private communications.

End-to-end computer-assisted encryption with ephemeral keys has existed on this world since at least 1977. Even 130 years ago, in 1885, the one-time pad was already invented. If you don’t understand what these are, then please ask your technical advisers. Essentially, someone with a book (for one-time pad), a pen and a sheet of paper can encrypt and decrypt secret messages from/to a party located on the other end of the world. They can communicate these messages in public using a variety of low tech means. For example, they could post innocent-looking messages in a classifieds section of a newspaper. Anyone, without the necessary procedures and a copy of the pad, would not be able to know the content of their communication, and if the scheme is implemented correctly, would not be able to detect that a conversation is taking place. This is not a new development. Even the modern idea of a Sneakernet has existed at least as long as the Internet has existed.
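The pen-and-paper scheme the letter describes is the one-time pad: each letter of the message is shifted by a letter of a random pad that is as long as the message and used exactly once. The following is an added example, not part of Boyan Krosnov’s letter, implementing the classical letters-only variant and, because the letter stresses that the scheme must be “implemented correctly”, also showing the best-known way to get it wrong: reusing a pad cancels the pad out and leaks the relationship between the two messages. The sample pad and messages are constructed for the demo.

```python
import secrets
import string

ALPHABET = string.ascii_uppercase  # pen-and-paper pads work on A..Z only


def make_pad(length: int) -> str:
    """A truly random pad; the 1885 equivalent was dice or a printed pad book."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def _letters_only(text: str) -> str:
    """Uppercase and drop anything that is not a letter, as a paper cipher clerk would."""
    return "".join(ch for ch in text.upper() if ch in ALPHABET)


def _shift(a: str, b: str, sign: int) -> str:
    """Add (sign=+1) or subtract (sign=-1) letter b from letter a, mod 26."""
    return ALPHABET[(ALPHABET.index(a) + sign * ALPHABET.index(b)) % 26]


def otp_encrypt(plaintext: str, pad: str) -> str:
    """ciphertext[i] = (plaintext[i] + pad[i]) mod 26.

    Refuses a pad shorter than the message: stretching or cycling a pad is
    exactly the mistake that turns a one-time pad into a breakable cipher.
    """
    msg = _letters_only(plaintext)
    if len(pad) < len(msg):
        raise ValueError("pad shorter than message; never stretch or reuse a pad")
    return "".join(_shift(m, k, +1) for m, k in zip(msg, pad))


def otp_decrypt(ciphertext: str, pad: str) -> str:
    """plaintext[i] = (ciphertext[i] - pad[i]) mod 26."""
    if len(pad) < len(ciphertext):
        raise ValueError("pad shorter than ciphertext")
    return "".join(_shift(c, k, -1) for c, k in zip(ciphertext, pad))


def letter_difference(x: str, y: str) -> str:
    """(x[i] - y[i]) mod 26 for two equal-length letter strings."""
    return "".join(_shift(a, b, -1) for a, b in zip(x, y))


def pad_reuse_leak(c1: str, c2: str) -> str:
    """What an eavesdropper learns from two ciphertexts made with the SAME pad.

    (p1 + k) - (p2 + k) = p1 - p2 mod 26: the pad cancels, so the attacker gets
    the letter-wise difference of the plaintexts without ever seeing the pad.
    This is the failure mode the 'one-time' in the name warns about.
    """
    return letter_difference(c1, c2)


if __name__ == "__main__":
    # Constructed demo values (the textbook pair HELLO / XMCKL).
    pad = "XMCKL"
    c = otp_encrypt("Hello", pad)
    print(c, otp_decrypt(c, pad))  # EQNVZ HELLO

    # Misuse: a second message under the same pad.
    c2 = otp_encrypt("World", pad)
    print(pad_reuse_leak(c, c2) == letter_difference("HELLO", "WORLD"))  # True

    # Correct use: a fresh pad per message, generated locally and never sent.
    fresh = make_pad(40)
    print(otp_decrypt(otp_encrypt("meet at the usual place", fresh), fresh))
```

Nothing here needs a computer: a pad, a pen and a mod-26 table reproduce `otp_encrypt` by hand, which is the letter’s point about the idea being older than any regulation of it. The `pad_reuse_leak` function is included to show why correct implementation matters as much as the idea.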

Short of inventing a time machine, your goal is unachievable. :)

On a more serious note though, what you are promoting in your speech is scary and deeply immoral.

Since end-to-end encryption exists, I know of only three ways you could try to achieve your goal of total on-demand, and probably retro-active snoop-ability of communications. These are ineffective and in some cases even impossible to implement, but anyway here they are:

  • Option 1. to have a backdoor in every end-point device manufactured in the UK or brought in through the UK border. This approach does not prevent a sufficiently dedicated person from building a secure end-point from scratch, like with the one-time pad and newspaper approach I mentioned. Backdooring online services is a sub-case of this.

    and/or

  • Option 2. to introduce a key escrow requirement for all encrypted communication beginning and ending and maybe even crossing the UK, and also detect and block all encrypted communication, not conforming to the key escrow rules. The latter might be impossible to implement, but that’s a whole other matter.

    and/or

  • Option 3. Ban encrypted communication altogether. Which would tear down the whole of what you call “the digital economy”, and revert the UK back to a technological state resembling the 80s, while the rest of the world moves on.

The reality of the matter is that all three, apart from being totally ineffective in dealing with the threat of isolated terrorist acts, open the door for massive abuse, not just by the government, but also by related and unrelated third parties. Other people have explained this a lot better than I ever could. For example, in Cory Doctorow’s talk here. To quote just one line: “… but we both understand, that if our government decided that weaponizing water-borne parasites was more important than addressing them and curing them, then we would need a new government.”

Let me be clear on one point: We don’t trust nation states with our private thoughts and conversations. We need private communications not just for the paranoid, perverts and criminals, but for businesses, law enforcement, journalists and for regular every-day private conversations between friends and family members.

Your scheme would ruin private communication for all of us. The bad guys are already using secure and undetectable communication media.

Privacy is the opposite of total surveillance. You can’t have both. So unfortunately, for the goals you outlined, we need to have a working and secure private communication for everyone in the world to use, regardless of their sex, skin color, sexual orientation, age, religious views (or lack thereof), wealth, social status or intent. Your scheme for a total surveillance state must be stopped.

With good meaning and respect,
Boyan Krosnov
Sofia, 2015-01-13

(c) 2015, Boyan Krosnov, public domain

The Hacker Factor Blog: FC Net Neutrality

This post was syndicated from: The Hacker Factor Blog and was written by: The Hacker Factor Blog. Original post: at The Hacker Factor Blog

One of my guilty little pleasures from living in Fort Collins, Colorado comes from how people abbreviate the city’s name: “FC”. Of course, I think I’m the only person in the city who pronounces it: F*ck. Our local bike co-op is FCBikeCoop. The local symphony is FCsymphony.org, and the city government’s web site is FCgov. Even the local Mennonite Fellowship calls themselves “FCMF”. (I’m probably going to hell for that one.)

I try to get out of the house every now and then. One of the local social groups that I attend are the Fort Collins Internet Professionals (FCIP — go ahead and pronounce it). Every now and then, they put out a request for presentation topics. One request was for someone to cover “Net Neutrality” — it is a big topic that few people really understand. I guess I was stupid because I said that I enjoyed this topic and I can easily argue either side of the debate. *Poof* They asked me to give a presentation on the topic. So, in about a week (Jan 20th), I’ll be presenting on Net Neutrality at FCIP.

(If you’re planning on attending the talk, then stop reading now! This blog entry contains spoilers!)

Choosing Sides

The entire net neutrality debate is polarizing. There are people who are strongly against, and people who are strongly for. Even corporations have come out with their official opinions. Microsoft is for, IBM is against. Netflix is for, Verizon is against. “Father of the Internet” Vint Cerf is for, “Father of the Internet” Bob Kahn is against. Really, both sides seem equally weighted in terms of big name support.

The strong opinions seem limited to people who understand most of the issues. Most regular people have heard the term but have no idea what the debate is about — or how the outcome impacts them. And if someone with a biased opinion describes the situation to the uninformed, then the newly converted becomes polarized with the same bias.

Personally, I was initially for net neutrality (a few years ago). But then I had some lively discussions with people opposed to Net Neutrality and I began to get the bigger picture. I think the most eye-opening discussion was with my friend, Marc Sachs, the Executive Director for National Security and Cyber Policy at Verizon. About three years ago, he took me though a “what if” hypothetical: what if net neutrality passes? Honestly, it isn’t the panacea that the “for” camp describes.

My current opinion: I am neither for nor against net neutrality. Both sides suck for end consumers and both sides suck for small online services. Maybe I should start a Meetup group and call it FC Net Neutrality.

For Arguments

When people talk about the for arguments, they mention things like anti-competition and data collection and information hijacking and forced peering agreement. And honestly, there are dozens (if not hundreds) of explicit examples.

  • 2013-2014: Comcast, AT&T, and Verizon all throttled Netflix traffic until Netflix agreed to pay the carriers.
  • 2011-2013: AT&T, Sprint, and Verizon blocked Google Wallet because it competed against their own payment system. (Isis the payment system, not ISIS the terrorist group, was later renamed to Softcard.)
  • 2010: Windstream DSL hijacked user-search queries. Later, in 2011, the Electronic Frontier Foundation (EFF) found that several small ISPs were doing something similar.
  • 2007-2009: AT&T forced Apple to block Skype and other competing VoIP services from iPhones.
  • 2005-2007: Comcast blocked peer-to-peer BitTorrent and Gnutella. The FCC ruled this as illegal in 2008.

This list is nowhere near complete. Basically, if the carrier is the only option for the user to connect to the Internet, then the carrier controls what the user can access. And if access is geared toward a competing online service or a competing advertiser, then the carrier has the technical ability to alter the data. They can force users to only see sponsored ads or only access services that the carrier prefers.

Against Arguments

There is a small set of anti-net neutrality arguments. In my opinion, I think these arguments are fairly weak. They mainly cover complaints about limited bandwidth or cost to maintain the network. Netflix, for example, was found to account for around 50% of all network traffic. (That’s HUGE!) If Netflix is going to generate that much traffic, then isn’t it reasonable to have Netflix pay for some of the network maintenance?

By the same means, trucks pay a different road tax than cars. This is because trucks are harder on the roads. More trucks means more road maintenance. It’s not uncommon to see roadsigns that say “no trucks” or “trucks use outer lanes only.” Part of it is maintenance costs to keep the roads in good condition, and part is to prevent big trucks from clogging traffic.

Anti-For and Anti-Against Arguments

Unlike the for and against arguments, there are some very strong anti arguments. This isn’t like anti-net neutrality; it is more about the long-term ramifications from any net neutrality outcome.

For example, Comcast is charging Netflix to be carried on the Comcast network. One would think that the price Netflix pays would lead to faster broadband speeds or lower end-user prices… but neither has happened. The network does not seem any faster (well, faster for watching Netflix, but not for anything else) and prices went up again.

But the whole Comcast/Netflix thing is under “life without net neutrality”.

With complete net neutrality, the Internet will become more like Detroit: a run-down shell of its former self, with little intrinsic value, large swaths of lawlessness, and walled gardens that enforce arbitrary rules.

Think of it this way: under net neutrality, the carriers cannot interfere with network traffic…

Net Neutrality = Lower Network Quality
There is a family of mechanisms for prioritizing and load balancing network traffic, collectively called Quality of Service (QoS); RFC 2212, for example, specifies guaranteed QoS for real-time flows. Without QoS, email has just as much priority as streaming video and VoIP. This means a large amount of email can disrupt your streaming session. With QoS, the real-time protocols (video and VoIP) can be given precedence. Email will still be delivered, but not necessarily immediately.

Without net neutrality, the application, carrier, backbone, or service can prioritize (throttle) traffic. With net neutrality, only the user or service can prioritize — and nobody else. This will result in more network traffic congestion and worse network performance.

Net Neutrality = More Bots
Just about every ISP out there filters some network ports. Things like NetBIOS and SMB (UDP ports 137 and 138, TCP ports 139 and 445) are historically known for being exploited by malware.

Without net neutrality, ISPs can identify the ports that known-vulnerable services listen on and block them. This reduces the number of infected computers on the network. With net neutrality, the ISP must permit every packet.

About this time, someone says “Not true! The ISP can always take preventative steps to maintain the network!” Actually, no they can’t. The ISP can throttle speed or traffic in general, but not for any specific port or service. Otherwise, AT&T can decide that BitTorrent is a security risk and block access — like Comcast did back in 2005. And if a service consumes 50% of all network traffic, then doesn’t it pose a risk to the network? Comcast should throttle Netflix (oh wait, they did).

Net Neutrality = More Attacks
At any given moment, there are dozens of active network attacks. If an ISP detects a denial-of-service, they have options to mitigate the attack. But what if we had net neutrality? In that case, every packet must be permitted.

And then someone says, “Not true! The ISP can always respond to an attack!” Actually, no they can’t. Remember: net neutrality is about the service and not the end user. If it were about the user, then Comcast would have asked all Comcast customers to pay a Netflix fee. Instead, Comcast asked Netflix for the payment.

If it’s about desirability, then it just depends on who you ask. If you ask Netflix, they will say it is desirable because you subscribed and paid. If you ask Skype, they will say it is desirable because you signed up. And if you asked that 12-year-old twerp on WoW who decided to DDoS you, he will say it is desirable because you were asking for it.

Under complete net neutrality, a service provider can cut you off after you reach some bandwidth limit. But they cannot take steps to mitigate the network attack.

Net Neutrality = On Your Own
The other thing to remember is that you, as the end consumer, cannot agree to have the ISP provide any protections. Any such agreement is just a bypass around net neutrality. If you ask Verizon to protect you from hostile network activities, then Verizon might decide to protect you from DDoS attacks. And protect you from malware by blocking certain ports. And protect you from bad products by blocking inferior ads and services. (And they get to define “inferior”.) And don’t forget that large stream of data coming to your computer — is that a network attack, or Netflix? Just to be sure, let’s throttle it.

What the FCC?

The Federal Communications Commission (FCC) plans to make a ruling on net neutrality next month. While nobody knows the specifics yet, there have been some strong hints from FCC Chairman Tom Wheeler. He is quoted as saying “We’re going to propose rules that say that no blocking (is allowed), no throttling, no paid prioritization”.

I keep thinking about who will win and lose based on the outcome. If the new rules are not strong enough, then the carriers will be big winners: they will still be able to manipulate the network to provide preferential treatment for their own services and advertisers. The big losers will be the online services, like Netflix and Amazon’s streaming video services. And the end consumers will lose because they will still be manipulated and not have unmolested network access.

On the other hand, if the new rules are strong, then who comes out ahead? Well, the carriers will be big winners because they no longer have to police network traffic. Any network problems can be blamed on the FCC. The big losers will be the big streaming services, like Netflix and Amazon’s streaming video, because they cannot have high-priority QoS data. And the end consumers will lose because network quality will be degraded and they will no longer have protections like network attack throttling and hostile port blocking.

That’s right: no matter what the outcome is, the carriers will benefit, online services like Netflix and Amazon will be negatively impacted, and the end consumer loses big. In this debate for net neutrality, be careful of what you wish for. Because you just might get it.

The Hacker Factor Blog: Say It With Flowers

This post was syndicated from: The Hacker Factor Blog and was written by: The Hacker Factor Blog. Original post: at The Hacker Factor Blog

Emoticons have really come a long way. I remember seeing my first “colon parenthesis” back in 1988. I was chatting online with a friend when she wrote “:-)”. I asked her what that meant and she said it’s a happy face on its side. How cool!

Fast forward to today, and we have software that automatically converts :) into pictures! :-) This works great, unless you’re a programmer who’s discussing something with parentheses and colons…

Emoticons have even become standardized. They are supported in many different font sets. For example, code point 9786 (U+263A) is a happy face. While there are font sets (Unicode blocks) for dozens of languages, there are also blocks for common mathematical symbols, architectural symbols, and engineering diagrams. Beyond the technically practical are the various random icons. There are blocks for dingbats, arrows, and even emoticons. Dozens of various emoticons are built into your standard web font set. ☹ ☺ ☻ (If you see three faces, then you are using a modern browser and your font supports these character codes. Otherwise, you need to upgrade because Windows XP isn’t supported anymore.)

Using Fonts 😃

The thing to remember about rendered fonts is that a font character is just a glyph — a series of digital brush strokes. When you type the letter “A” on the keyboard, a single keycode is generated. On my computer, ‘A’ generates keycode 38. This gets mapped into a letter: keycode 38 becomes character 0x41, which is ASCII ‘A’. Then the display looks up character 0x41 in the current font and identifies the glyph and strokes needed to render the shape “A”. Then the shape of the letter “A” appears on the screen.

With emoticons, it’s the same thing… except that the keycode step is skipped. The web page says to use character code 9786. The application loads up the font and identifies the glyph and strokes needed to render the letter. But in this case, the letter looks like a circle, two dots, and an arc. Then the results are displayed on the screen.

As a web developer, you may need to include special characters on web pages. Without these special character codes, every arrow → ↑ would need to be its own image (<img…>). Rather than generating tons of image tags, I can just include one character entity like &rarr; and be done with it. And since these symbols are standardized, I can be certain that every modern web browser will display the correct shape.

Without needing to use img tags, my web page takes less network bandwidth to transfer and renders faster. A small arrow image may be a hundred bytes plus a separate HTTP request, but a single &rarr; is 6 bytes — far less bandwidth to use the font. And since the font already exists on the computer, the width and height of the character are already known and readily available for formatting the web page.

As a web developer, I think this is great! At FotoForensics, I needed icons to represent rotating a picture. Rather than using static images, I just use character codes 8634 and 8635: ↺ ↻

There’s also the benefit of scaling. If someone increases or decreases the font size of a web page, then the text scales but the pictures do not. With symbols rendered as part of the font, they will happily scale with the page.

The only real limitation is with the exact shape. I know that ↺ is a counter-clockwise rotation and ☺ is a happy face. But I don’t know what it looks like on your computer. With fonts, every character can look different. Just as there is a shape difference between text written in a sans-serif font and in Times Roman, the arrow and happy face in a sans-serif font may look different than the arrow and happy face in Times Roman. With the arrow, it may start at the top or side, the circle may be closed or partially open. The happy face may have a big mouth or a little mouth… The size may vary, the thickness may differ, but they are still the same basic shapes.

Finding Fonts 😎

Almost yearly, the Unicode Consortium releases more standardized character codes. Some releases include a few hundred characters; other years include thousands. However, it takes time for those new shapes to be included into fonts and distributed as an industry standard. HTML5 requires support for Unicode version 1.1.0 (June 1993). While your browser may support a more recent Unicode version, web developers can only be certain that version 1.1.0 will exist. (Version 7.0.0 came out last year and version 4.0 from 2003 has wide support.)

With thousands of characters to choose from, the real question becomes: how do you find a specific shape? There are a couple of different web services that I use for quickly looking up characters.

  • Unicode-Table. This site allows you to browse by Unicode block and search by name. Any particular character can be rendered under a variety of common fonts, so you can see what it looks like — and check if it is supported by a specific font. There are really just two limitations with this site: (1) it doesn’t render well under older Firefox browsers, and (2) it defaults to a font called “Universalia”, which supports almost everything. But if you’re a web developer, then you probably want to default to a more widely-available, standard font.

  • Fileformat.info. This site also lets you browse Unicode pages and search by character name. While the search engine isn’t as good as Unicode-Table, the browse functionality is much stronger. I also like how it gives much more detail about each character code. It lists standard ways to encode the character, what version of the Unicode standard introduced the character, and even lists of fonts that include the character.
  • ShapeCatcher. This is one of the coolest unicode tools on the Internet. ShapeCatcher allows you to search by shape. You draw the shape and it lists characters that look visually similar. I drew a heart and it found four different unicode characters that all look like hearts.

While there is probably a font out there that has the shape you want, finding a font that is supported by default on most web browsers and includes your weird-shaped letter can be very difficult. While web page designers can include a custom font for the web page, this too has its trade-offs. For example, if I just need one Unicode 6.0 glyph, then I can probably use a font like Symbola. This font supports everything. Except… the font is over two megabytes! If I just want to render one character, then I don’t want to transfer a two meg file!

Almost Logical 😈

Beyond letters, most of the standard Unicode glyphs make some kind of sense. There are a wide variety of arrows and mathematical symbols. There are building blocks for text art. There are characters for playing cards, dominoes, and mahjong tiles for common computer games. There are even weather symbols, phases of the moon, and clock faces that can be used to represent time. There’s a commonality here: these are all widely understood, seen, and known symbols.

Unfortunately, there are also glyphs that fail at their basic function. The purpose of these shapes and pictures is to convey meaning without words. Rather than saying, “I’m happy!”, I can just write ☺. If I want to say that you need scissors or to show a “cut” function, I can just use ✂. Yet, some official Unicode glyphs contain text on them. If I need the letters “BANK” to be written on the icon, then the icon fails to convey the meaning “bank”. If these icons did not contain the text on them, could you still figure out what they mean? (I couldn’t.)

For example, if the glyph for U+1F4E7 didn’t have the “E” on it, would it still be email, or would it be just an envelope? Without the “H”, would you know that U+1F3E8 is a hotel? Or maybe a hospital? Or hospice? Or Hilton? At least the DVD looks like a disc, even though — without the text — it could be confused with everything from a CD-ROM to a Blu-ray or an old laserdisc. (Thanks, Unicode Consortium, for clarifying that it is specifically a DVD and not some other kind of digital media.)

More importantly, why are the letters on these glyphs only in English? It is as if other languages do not exist. A good glyph should convey the meaning without any words.

Also, there are some really odd characters in the standard unicode blocks. For example, do we really need a specific glyph to indicate an increase in Japanese stock?

And while I can understand needing symbols for bank, hospital, and hotel, do we really need one for “Love Hotel”? I’m not making this up! It’s character U+1F3E9!

Here is the actual description of this “Love Hotel” character:

“A love hotel is a type of short-stay hotel found around the world operated primarily for the purpose of allowing couples privacy for sexual activities. The name originates from “Hotel Love” in Osaka which was built in 1968 and had a rotating sign.”

This Love Hotel has been a standard character since Unicode 6.0 (2010). Perhaps this explains why there are detailed icons for clocks and various currencies. But shouldn’t there be glyphs for “ugly hooker” and “undercover officer” and “nudge nudge wink wink know what I mean”?

Language Codes

There is a long held belief that languages have more words for important concepts. For example, Eskimos have more words for “snow” and women have more words for color.

By the same token, these icons represent a language. There is only one glyph for “bank”, but there are five standard glyphs that look like scissors. There are over 20 heart-shaped glyphs, and a dozen different flowers — you could literally “say it with flowers”. And yet, there is no glyph named “coffee” (the closest is U+2615 HOT BEVERAGE, usually drawn as a steaming cup) and only one glyph for “cookie”… and the cookie looks like an asteroid.

TorrentFreak: VPN Services Consider Leaving Canada to Protect Customer Privacy

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

A few days ago it became a legal requirement for Canadian ISPs to forward copyright infringement notices to their subscribers.

As a result of the new copyright law amendments, which also apply to VPN services, providers now have to keep logs of their subscribers’ IP-addresses or face high penalties.

Specifically, the law requires a broad range of Internet services to “retain records that will allow the identity of the person to whom the electronic location belongs to be determined, and do so for six months….”

Failing to log traffic and forward these notices may result in “statutory damages in an amount that the court considers just, but not less than $5,000 and not more than 10,000…”

The new rules also apply to BTGuard, a well-known Canadian VPN and proxy service that claims to keep no logs. Concerned that the new data retention requirements would force a change in this policy, several customers asked the provider for clarification.

Responding to these requests BTGuard assured its customers that its logging policy remains unchanged. However, BTGuard may discontinue its Canadian servers in the near future.

“Rest assured that we are committed to our customers’ privacy. As stated in our privacy policy, we do not log our customers’ usage or IPs and never will,” one customer was told by BTGuard.

“It’s possible that this legislation will require us to discontinue our servers in Canada, but we will find a solution and our services will continue where it’s legal to be anonymous without causing you any inconvenience,” the company added.

In a separate request we asked BTGuard for a comment on how the new law will affect its business. In a short comment we were informed that they are still exploring their options and that no final decision has been made yet.

“We still guarantee privacy. Our servers in Canada might be closed, but we are still exploring our options,” BTGuard’s Jared told TF.

Other providers are prepared to take similar measures. While the text of the law suggests that VPN providers are covered (something that’s also confirmed by one of Canada’s top copyright scholars), many are still uncertain about the exact impact it will have.

TunnelBear informed us that they are still investigating if they are indeed covered by the new legislation. If they are, the company will take its business elsewhere.

“Despite our investigation and legal consultations, it remains unclear whether or not VPN companies are included in the bill. We have brought on legal counsel to continue to investigate,” TunnelBear says.

“If it is determined that TunnelBear is required to comply with C11 if we retain operations in Canada, we will swiftly move our operations to a more privacy friendly region. At no point, under any circumstances will TunnelBear log the activity of our users,” TunnelBear adds.

For TunnelBear the issue is less urgent than for others though, as the company doesn’t allow torrent traffic on its servers.

While the changes may reduce piracy somewhat, they also negatively affect people’s privacy. And with the new data retention requirements Canada has certainly become an unattractive location for VPNs and other privacy services.

TF is interested in hearing how other Canadian providers intend to respond to the new law. We sent out more inquiries and will add to this article when responses are received.

Source: TorrentFreak, for the latest info on copyright, file-sharing, torrent sites and anonymous VPN services.

TorrentFreak: PirateSnoop Browser Unblocks Torrent Sites

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

Blocking of file-sharing related sites is becoming widespread in Europe, particularly so in the UK. In fact, it’s now almost impossible to access a top torrent site from any of the country’s leading ISPs, with the notable exception of OldPirateBay since the site is so new.

Users in the United States can’t rest easy either. As reported here in December, the MPAA is working hard to introduce site-blocking by utilizing creative interpretations of existing law. It seems unlikely that Hollywood will stop until it gets its way.

It’s becoming clear that Internet users everywhere will need to prepare if they want unfettered access to the Internet. While that can be achieved using premium services such as VPNs, there will always be those looking for a free solution. Today we have news of one such product.

In appearance PirateSnoop looks a lot like the popular Chrome browser. In fact the only immediate giveaway that things are a little different is the existence of a small pirate-themed button on the right hand side of its toolbar.


Underneath, however, PirateSnoop is based on the freeware web browser SRWare Iron which aims to eliminate some of the privacy-compromising features present in Google Chrome. PirateSnoop is then augmented with special extensions to enable its site unblocking features.

PirateSnoop (PS) was created by the team at public torrent site RARBG. While certainly less referenced by the mainstream media than The Pirate Bay for example, RARBG is now the 7th most popular torrent site in the world and a force to be reckoned with. It was also blocked by major UK ISPs recently.

Anti-censorship agenda

“Nazi Germany had less censorship than we have today on the Internet,” the PS team informs TorrentFreak.

“However you are not paying for the Internet itself to your ISPs, but for the carrying of the Internet connectivity. ISPs are legally enforced by their countries to block content and what we are worried about is that little to none of the ISPs decided to fight any blocking court order.”

PirateSnoop vs PirateBrowser

The web-blocking features of PirateSnoop are similar to those of The Pirate Bay’s PirateBrowser, but there are some important differences. PirateBrowser routes its traffic over the Tor network, although users are not rendered anonymous. PirateSnoop sees this as problematic as torrent sites are increasingly blocking Tor exit-node IPs.

“The TOR network is abused by a lot of people – uploading fakes for example. It’s also used by DMCA agencies to scan sites. TOR is no longer an option to access sites. It’s blocked on almost every site I know,” a dev explains.

Instead, PirateSnoop uses its own custom proxy network which utilizes full HTTPS instead of the HTTP used by basic proxies. Just like a regular browser to website connection, PS allows websites to see their users’ IP addresses (unless they’re using a VPN) in order to cut down on abuse.

Overall, PirateSnoop should be a faster browsing solution than PirateBrowser, its creators say.

Limitations and future upgrades

Currently several major blocked sites are supported by PirateSnoop but there are a couple of omissions. However, the team is prepared to expand the browser’s reach based on user demand.

“Any site that is requested to be added will be added immediately with no questions asked,” the team note.

The PirateSnoop team say they are committed to upgrades of their software to include proxy updates (added automatically upon browser restart) and full browser updates following any Iron browser core updates.

PirateSnoop can be downloaded here (using BitTorrent, of course).

Source: TorrentFreak, for the latest info on copyright, file-sharing, torrent sites and anonymous VPN services.

TorrentFreak: Netflix Cracks Down on VPN and Proxy “Pirates”

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

Due to complicated licensing agreements Netflix is only available in a few dozen countries, each of which has a different content library.

Some people bypass these content and access restrictions by using VPNs or other circumvention tools that change their geographical location. This makes it easy for people all around the world to pay for access to the U.S. version of Netflix, for example.

The movie studios are not happy with these deviant subscribers as it hurts their licensing agreements. Previously entertainment industry sources in Australia complained bitterly that tens of thousands of Netflix “VPN-pirates” were hurting their business.

Over the past weeks Netflix has started to take action against people who use certain circumvention tools. The Android application started forcing Google DNS, which makes it harder to use DNS-based location unblockers, and several VPN IP ranges were targeted as well. (DNS unblockers work by having the user’s configured resolver answer lookups for Netflix hostnames with a proxy’s address; an app that hardcodes Google’s resolver simply ignores that configuration.)

Thus far the actions are limited in scope, so not all VPN users may experience problems just yet. However, TorGuard is one of the VPN providers which noticed a surge in access problems by its users, starting mid-December.

“This is a brand new development. Just two weeks ago we received the first report from a handful of clients that Netflix blocked access due to VPN or proxy usage. This is the very first time I’ve ever heard Netflix displaying this type of error message to a VPN user,” TorGuard’s Ben Van der Pelt tells us.

In TorGuard’s case the users were able to quickly gain access again by logging into another U.S. location. It further appears that some of the blocking efforts were temporary, probably as a test for a full-scale rollout at a later date.

“I have a sneaking suspicion that Netflix may be testing these new IP blocking methods temporarily in certain markets. At this time the blocks do not seem aggressive and may only be targeted at IP ranges that exceed too many simultaneous logins.”

Netflix is reportedly testing a variety of blocking methods, ranging from querying the user’s time zone through the web browser or the mobile device’s GPS and comparing it to the time zone of their IP address, to forcing Google’s DNS service in the Android app.

TorGuard told us that if Netflix continues with a strict ban policy, they will provide an easy solution to bypass the blocks. Other services, such as Unblock-us are also suggesting workarounds to their customers.

Netflix’s efforts to block geoblocking circumvention tools don’t come as a surprise. TF has seen a draft of the content protection agreement Sony Pictures prepared for Netflix earlier this year. This agreement specifically requires Netflix to verify that registered users are indeed residing in the proper locations.

Among other things Netflix must “use such geolocation bypass detection technology to detect known web proxies, DNS based proxies, anonymizing services and VPNs which have been created for the primary intent of bypassing geo-restrictions.”


Blocking VPN and proxy “pirates” has become a priority for the movie studios as streaming services have failed to introduce proper countermeasures. In early 2014 Sony Pictures looked into the accessibility of various services through popular circumvention tools, including TorGuard, and found that most are not blocked.

In a follow-up during the summer of 2014 Sony Pictures conducted research to identify the IP-ranges of various VPNs and proxies. These results were shared with Netflix and other streaming services so they could take action and expand their blocklists where needed.


Based on the above it’s safe to conclude that Netflix will continue to roll out more aggressive blocking tools during the months to come. As with all blocks, this may also affect some people who use VPNs for privacy and security reasons. Whether Netflix will factor this in has yet to be seen.

TF contacted Netflix for a comment on the findings and its future plans, but a few days have passed and we have yet to receive a response.

Netflix is not the only streaming service that’s targeting VPN and proxy users. A few months ago Hulu implemented similar restrictions. This made the site unusable for location “pirates,” but also U.S. based paying customers who used a VPN for privacy reasons.

Source: TorrentFreak, for the latest info on copyright, file-sharing and anonymous VPN services.

The Hacker Factor Blog: Oh Baby!

This post was syndicated from: The Hacker Factor Blog and was written by: The Hacker Factor Blog. Original post: at The Hacker Factor Blog

For me, 2014 was a serious suck year. Two family deaths and associated family drama, some of my good friends got laid off due to significant cutbacks, and some of my favorite projects came to an end. November just seemed to lose steam and December continued the downward slope. By the time New Year’s Eve arrived, the entire Internet seemed to come to a stop. No news stories, Digg came to a crawl, people stopped tweeting, and even FotoForensics saw the lowest visitor rate since the site started nearly three years ago.

This slow growth seems to be creating a “don’t care” attitude. We seem to have more censorship and less anger, less reliable news and more people accepting it, and a growing general lack of interest. Another airplane crashed in Asia? It barely received three minutes of news coverage around here. In previous years, they would hype up all of the previous crashes as they rode the fear wagon. But by the end of 2014? Barely a footnote. You can even see this in the length of news reports by Reuters. Their initial coverage of the recent AirAsia Flight QZ8501 crash is only a few paragraphs. In contrast, their initial report on MH17 goes on for pages.

2014 ended with a lackadaisical respect for traditions. Around here, fewer stores participated in the three months of Christmas music, and the after-holiday discount aisles (like buying Halloween candy after Halloween) only lasted days instead of weeks. Even some hospitals have stopped celebrating the New Year’s Baby — even though the new year is typically represented by an old Father Time passing his duties to a Baby New Year.

2015 seems to be starting slowly. But hopefully it will pick up and become more interesting.

Old Acquaintance will be forgot

The New Year has already started with a strong wave of censorship. Sony has escalated from sending “don’t publish anything” threats to sending DMCA takedown notices. WikiLeaks says that their employee’s email has been seized, and China is seriously restricting access to Gmail.

The latest censorship news came out today. News outlets are reporting on widespread government censorship in India. The Indian government has decided to blacklist at least 60 web sites associated with file sharing, picture sharing, and video sharing. The claim is that these sites carry anti-India and pro-ISIS related content.

The list of censored sites includes SourceForge and GitHub (open source code), Pastebin and justpaste.it (data sharing), Imgur (pictures), Vimeo (video), and Archive.org (the Internet Archive). Honestly, if they are going to block sites that host significantly less than 1% offensive content, then they should add Twitter, Facebook, and Google+ to their lists. In fact, they should just block anything that starts with “http://”.

This isn’t the first time India has tried to cut off a limb instead of applying a bandage. As The Economic Times mentioned, “In June 2014, the Delhi High Court ordered a block of 472 file sharing websites including Google Docs and Pirate Bay following a complaint filed by Sony Entertainment.”

The Hacker News was quick to point out the irony of this situation, writing, “the contents of the list is particularly embarrassing for Prime Minister Narendra Modi as well, who recently unveiled a ‘Make In India’ campaign earlier this year in an attempt to encourage international businesses to invest in India, which also includes information technology sector. And blocking websites like GitHub is the most definitely not in sync with that vision.”

It looks like India is starting the New Year by throwing the baby out with the bathwater. Or as they say in Hindi: Sonay ko kachray ke saath phenk dena! (Thanks to Gibran Ashraf for the translation!)

Baby Tossing

Yesterday, one of my fourteen loyal readers (Janne) showed me a news photo that came out earlier this year. I had not seen it before now, but apparently it created quite a stir when it first came out. The AFP/Getty photo claims to show a father playing with his child at the beach in Gaza City. Here’s the picture:

Janne pointed out that the error level analysis (ELA) result for this picture really makes it look like the baby was added to the picture.

ELA visually represents the JPEG compression level. In an unaltered original photo, all edges should have similar intensities, all near-uniform colored areas (sky, shirt) should be consistent, and all textures (all water, all rocks) should be similar. Each time a picture is saved, the quality degrades and the ELA result should get darker. (If it is saved too many times, then nothing will stand out but small patches of chromatic noise.) If anything under ELA stands out as being significantly different, then the differences identify a probable alteration.

In this case, the flying baby is bright white, while the rest of the picture is dark. Dark indicates multiple resaves, while white identifies “newer pixels” that have not been saved as many times. The baby appears edited.
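To make the ELA principle concrete, here is an added, self-contained illustration (not code from the post or from FotoForensics). Real ELA re-saves the picture as a JPEG at a known quality and maps the per-pixel difference; JPEG encoding is not available in Python's standard library, so `lossy_save` below is an assumed stand-in codec (8x8 block mean, quantised to multiples of `STEP`) that shares the one property ELA depends on: pixels that have already been through the codec barely change when saved again, while freshly pasted pixels change a lot. The 32x32 sample image, the resave count and the pasted patch are all constructed.

```python
"""Toy error level analysis (ELA) on a constructed greyscale image."""
from typing import List, Tuple

BLOCK = 8   # block size of the stand-in codec (assumed; mirrors JPEG's 8x8 blocks)
STEP = 16   # quantisation step (assumed; plays the role of JPEG quality)

Image = List[List[int]]  # rows of 0..255 greyscale values


def lossy_save(img: Image) -> Image:
    """One 'save' through the stand-in codec: every 8x8 block collapses to its
    mean, rounded to a multiple of STEP. Saving the result again reproduces it
    exactly, which is why areas that were resaved many times go dark in ELA."""
    h, w = len(img), len(img[0])
    out = [[0] * w for _ in range(h)]
    for by in range(0, h, BLOCK):
        for bx in range(0, w, BLOCK):
            ys = range(by, min(by + BLOCK, h))
            xs = range(bx, min(bx + BLOCK, w))
            mean = sum(img[y][x] for y in ys for x in xs) / (len(ys) * len(xs))
            q = min(255, int(round(mean / STEP)) * STEP)
            for y in ys:
                for x in xs:
                    out[y][x] = q
    return out


def error_level(img: Image, gain: int = 1) -> Image:
    """ELA map: |original - resaved| per pixel, optionally amplified for viewing."""
    resaved = lossy_save(img)
    return [[min(255, abs(a - b) * gain) for a, b in zip(r1, r2)]
            for r1, r2 in zip(img, resaved)]


def region_means(ela: Image, patch: Tuple[int, int, int, int]) -> Tuple[float, float]:
    """Mean ELA value inside the rectangle (y0, y1, x0, x1) and outside it."""
    y0, y1, x0, x1 = patch
    inside, outside = [], []
    for y, row in enumerate(ela):
        for x, v in enumerate(row):
            (inside if y0 <= y < y1 and x0 <= x < x1 else outside).append(v)
    return sum(inside) / len(inside), sum(outside) / len(outside)


PATCH = (10, 18, 10, 18)  # where the constructed sample pastes fresh pixels


def make_sample(paste: bool = True, resaves: int = 3) -> Image:
    """Constructed 32x32 'photo': a soft gradient (think sky) saved `resaves`
    times, then, if `paste`, a bright patch of never-compressed pixels dropped
    on top, deliberately not aligned to the 8x8 grid (the 'added baby')."""
    img = [[40 + y * 5 + (x % 3) for x in range(32)] for y in range(32)]
    for _ in range(resaves):
        img = lossy_save(img)
    if paste:
        y0, y1, x0, x1 = PATCH
        for y in range(y0, y1):
            for x in range(x0, x1):
                img[y][x] = 200 + ((x * 7 + y * 3) % 13)  # fresh, slightly noisy pixels
    return img


def ela_contrast(paste: bool = True) -> Tuple[float, float]:
    """(mean ELA inside the patch area, mean ELA outside it) for the sample."""
    return region_means(error_level(make_sample(paste)), PATCH)


if __name__ == "__main__":
    print("unaltered:", ela_contrast(paste=False))  # both 0.0: nothing stands out
    print("spliced:  ", ela_contrast(paste=True))   # patch far brighter than background
```

On the unaltered sample every block is already a fixed point of the codec, so the whole ELA map is black. With the patch pasted in, the patch itself lights up, and so do the background pixels in the blocks that straddle the splice edge, because the codec now has to re-quantise those blocks around the new content. That halo in the stand-in is the same kind of artifact the post points to in the clouds around the child.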

At this point, we don’t know if someone selectively sharpened the child or digitally added in the kid. Fortunately, there are additional tools that can be used for evaluating the image. For example, I’ve previously mentioned using color distance as a metric to evaluate blending. A natural photo should have blended edges, while splices do not. Splices typically show up as a single-pixel black line (or a black dashed line). With this picture, the baby definitely has the black line around large sections of his body.

And then there’s the camera lighting (luminance gradient, or LG). This identifies the sensor noise from the camera and differences in lighting direction.

In this case, LG shows that the baby has very sharp edges, while nothing else in the photo is that sharp. This could be due to someone selectively sharpening the picture. Regarding the baby, LG is consistent with the ELA and color distance results.

However, LG is also very good at picking up slight distortions from alterations. For example, LG highlights the clouds that are at about the baby’s height. The clouds stretch the entire width of the picture, but are distorted around the child. The clouds even appear broken in the color distance picture: there is a smooth halo around the kid. If the child was digitally placed there, then the artist screwed up the surrounding clouds.

More importantly, there are some subtle distortions in the water, at the horizon, and to the photo-left of the child’s hip. The water distortions are almost shaped like the kid’s legs, and the round shape next to the kid looks like a head. Because they are very subtle, I have drawn in black lines to show these distortion edges:

If we overlay the image, aligning the child’s feet with the distortion, then we can see that the original child was likely no higher than the father’s hands. And this lower height is consistent with another photo taken by the same photographer. In this other photo, the father is only throwing the child a little bit into the air. (Let’s forget the fact that the buildings on the horizon are gone…)

In this case, the flying-baby photo is attributed to AFP Photo / Mahmud Hams. He was a 2008 Pulitzer finalist who captured an equally controversial photo of a missile falling. (Was the missile digitally added? The Jawa Report makes very strong arguments for staged and altered.)

Hasta La Vista, Baby

Personally, I’m glad to see the end of 2014, and it won’t take much for 2015 to be a better year. Gandhi once said, “Be the change that you wish to see in the world.” (At least, that quote is commonly attributed to Gandhi, even though he may not have said it. It’s hard to validate this with all of the censorship in India. In any case…) I’ve decided to take this philosophy to heart this year. I do not want 2015 to be a repeat of 2014, and I’ve already set things in motion. Expect some big announcements in the near future.

TorrentFreak: Dotcom: Encrypted MegaChat is “Coming Soon”

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

Following the revelations of systems administrator Edward Snowden, millions of eyes were opened to our online vulnerability. Total privacy, something presumed by many to be as simple as securing a password, was shown to be an easily shattered illusion.

As the need for heightened security filtered down to the masses, companies stepped into the frame offering products and services to help people maintain their privacy online. VPN companies are still riding this wave of popularity and are now going to even greater lengths to assure customers of their commitment to security.

Another company exploiting the security niche is Mega, the cloud-storage service founded by Kim Dotcom. While the flamboyant German reportedly has little to do with the company on a day to day basis, his family still owns shares in the operation. And for a company with a zero dollar marketing spend, Dotcom remains a valuable promotional asset.

In one of his regular updates, this morning the Megaupload founder announced that Mega is preparing to launch a new product into the communications market.

“Mega will soon release a fully encrypted and browser based video call & chat service including high-speed file transfers. Bye bye Skype,” Dotcom teased.

Although no official announcement has been made, it’s believed that the product will be called “MegaChat”, a naming convention that would certainly fit with previous Dotcom projects.

The service will offer end-to-end encryption and, reading between the lines of Dotcom’s statements, won’t be based in the backyard of his arch-rivals.

“No US based online service provider can be trusted with your data. Skype has no choice. They must provide the US Government with backdoors,” Dotcom says.

While clearly ambitious, Mega is already somewhat behind with plans for expansion outside of its core business of encrypted file-storage. It was previously reported that Mega’s chat/video product would be released to the public in the second quarter of 2014. Its encrypted email service is also yet to see the light.

That being said, an early 2015 release for “MegaChat” would be a welcome development for the company. After first announcing plans to go public in March 2014, Mega now has eyes on an early 2015 NZX listing.

The listing is planned via a reverse takeover of NZ-based TRS Investments but that too has not run entirely smoothly. A shareholders’ vote at the company has been pushed back several times and is not expected to arrive sooner than the end of January.

For investors, potential is there. Mega currently has in excess of 15 million users and while the majority take advantage of the company’s free product, upgrades become more likely as users warm to the service. The advent of additional services will also boost its appeal but the hope is they will also improve the company’s bottom line.

Earlier this month Mega chief executive Graham Gaylard told Stuff that the company is not yet making money and is instead focusing on growth. However, there is profit to be made in this sector and it seems likely that the company will secure and develop its position during 2015.

Source: TorrentFreak, for the latest info on copyright, file-sharing and anonymous VPN services.

Клошкодил: 2014-12-26 31c3 day 0

This post was syndicated from: Клошкодил and was written by: Vasil Kolev. Original post: at Клошкодил

Day zero of 31C3.

I got up at a normal hour, around 9-10, made it to the airport without trouble, flew (on both flights) with screaming children and wondered why people reproduce at all, after which a cheerful amount of snow dumped on Munich within 30 minutes and my flight was delayed by an hour and a half (anyone who wants to can look at the pictures).

(No snow in Hamburg yet)

I dumped my things at the hotel and made it to the CCH, from where I’m writing this. They have opened up even more space than last year; we have one small table that we hope will fit all of us (our assembly is called Eastern-European Hackerspaces and we are shoved into the “international” section, a bit like a zoo for strange species (which means nothing here, since “strange” is the simplest description of almost everything)).

We ran into all kinds of people (Macedonians, Serbs, people who have passed through initlab and who knows who else), and it’s a madhouse for all of them. I’ve made myself a rough schedule according to which I need to be in several places at once; we’ll see how I manage.

Tomorrow it starts at 11:00; we’ll see how many people the big hall will hold and how long the wireless will survive…

(my preliminary schedule:

27.12
11:00 saal1 opening/keynote
12:45 saalG aluminum casting
14:00 saal1 scada | saalG reproducible builds | saal6 textile
16:00 saal1 emv
17:10 saal1 SS7
18:30 saal1 mobile self-defense
20:30 saalG code pointer integrity
21:45 saal1 ecchacks | saalG cloud consp | saal6 banking
23:00 saal2 rocket kitten
24:00 saal1 citizenfour
00:00 Hall13 ripe atlas workshop

28.12
11:00 hall13 ripe morning tea
11:30 saalG gpg
12:45 saal1 PNR | saal2 telecoms/nsa
13:00 hallC tor operators meetup
14:00 saal1 estonia voting
16:00 saal6 automobiles
16:45 saalG crypto needle
17:15 DIYISP anycast vpn
17:30 saal1 information control
18:15 saal2 privacy and markets
19:00 saal6 blow stuff with your brain
20:30 saal1 reconstructing narratives | saalG bug hunting
21:45 saal1 fernvale | saal2 field station
23:00 saal2 sources

29.12
11:00 hall13 ripe morning tea
11:30 saal1 RMS | saalG scanner
12:45 saal2 quantum computer
14:00 saal6 file formats
16:00 Saal2 emet | saalG caesar and norx
17:15 saal2 nuclear weapons
18:30 saal2 maker movement
19:30-21:30 hallB whisky workshop
20:30 saal6 agri-tech
21:15 saal2 cs in DPRK
22:00 saal1 perl exploit
22:45 saal2 megacode
22:30 saal1 infocalypse

30.12
11:00 hall13 ripe morning tea
11:30 saal6 internet voting in norway
12:45 saal1 why computers are bad and what to do
14:00 saal1 state of the onion | saal6 lets encrypt
16:00 saal2 crypto dust | saalG infrastructure review
17:15 saal2 tor hidden svc
18:30 saal1 closing event
)

[Медийно право] [Нели Огнянова]: Facebook and personal privacy

This post was syndicated from: [Медийно право] [Нели Огнянова] and was written by: nellyo. Original post: at [Медийно право] [Нели Огнянова]

The case Campbell v. Facebook Inc is being heard in Oakland, California, and concerns Facebook’s practice of placing advertising based on the content of users’ messages. The plaintiffs object to the creation of profiles and the placement of advertising that takes into account the content of private messages, including the mention of a company name or likes.

Facebook’s representatives claim that this is a lawful practice, permitted under an exception in the Electronic Communications Privacy Act for activities in the ordinary course of business, for protection against viruses and spam. According to the court, there is no evidence as to whether that is actually the case.

From the court’s ruling at this stage it is clear that there is disagreement over whether Facebook users should have a reasonable expectation of confidentiality for their messages. Other court decisions specify that an expectation of confidentiality exists when the parties want the communication to be limited to themselves and, taking all accompanying circumstances into account, cannot expect the messages to be intercepted, recorded or shared further with a wider circle of recipients.

The case continues.


Schneier on Security: Lessons from the Sony Hack

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

Earlier this month, a mysterious group that calls itself Guardians of Peace hacked into Sony Pictures Entertainment’s computer systems and began revealing many of the Hollywood studio’s best-kept secrets, from details about unreleased movies to embarrassing emails (notably some racist notes from Sony bigwigs about President Barack Obama’s presumed movie-watching preferences) to the personnel data of employees, including salaries and performance reviews. The Federal Bureau of Investigation now says it has evidence that North Korea was behind the attack, and Sony Pictures pulled its planned release of “The Interview,” a satire targeting that country’s dictator, after the hackers made some ridiculous threats about terrorist violence.

Your reaction to the massive hacking of such a prominent company will depend on whether you’re fluent in information-technology security. If you’re not, you’re probably wondering how in the world this could happen. If you are, you’re aware that this could happen to any company (though it is still amazing that Sony made it so easy).

To understand any given episode of hacking, you need to understand who your adversary is. I’ve spent decades dealing with Internet hackers (as I do now at my current firm), and I’ve learned to separate opportunistic attacks from targeted ones.

You can characterize attackers along two axes: skill and focus. Most attacks are low-skill and low-focus: people using common hacking tools against thousands of networks world-wide. These low-end attacks include sending spam out to millions of email addresses, hoping that someone will fall for it and click on a poisoned link. I think of them as the background radiation of the Internet.

High-skill, low-focus attacks are more serious. These include the more sophisticated attacks using newly discovered “zero-day” vulnerabilities in software, systems and networks. This is the sort of attack that affected Target, J.P. Morgan Chase and most of the other commercial networks that you’ve heard about in the past year or so.

But even scarier are the high-skill, high-focus attacks, the type that hit Sony. This includes sophisticated attacks seemingly run by national intelligence agencies, using such spying tools as Regin and Flame, which many in the IT world suspect were created by the U.S.; Turla, a piece of malware that many blame on the Russian government; and a huge snooping effort called GhostNet, which spied on the Dalai Lama and Asian governments, leading many of my colleagues to blame China. (We’re mostly guessing about the origins of these attacks; governments refuse to comment on such issues.) China has also been accused of trying to hack into the New York Times in 2010, and in May, Attorney General Eric Holder announced the indictment of five Chinese military officials for cyberattacks against U.S. corporations.

This category also includes private actors, including the hacker group known as Anonymous, which mounted a Sony-style attack against the Internet-security firm HBGary Federal, and the unknown hackers who stole racy celebrity photos from Apple’s iCloud and posted them. If you’ve heard the IT-security buzz phrase “advanced persistent threat,” this is it.

There is a key difference among these kinds of hacking. In the first two categories, the attacker is an opportunist. The hackers who penetrated Home Depot’s networks didn’t seem to care much about Home Depot; they just wanted a large database of credit-card numbers. Any large retailer would do.

But a skilled, determined attacker wants to attack a specific victim. The reasons may be political: to hurt a government or leader enmeshed in a geopolitical battle. Or ethical: to punish an industry that the hacker abhors, like big oil or big pharma. Or maybe the victim is just a company that hackers love to hate. (Sony falls into this category: It has been infuriating hackers since 2005, when the company put malicious software on its CDs in a failed attempt to prevent copying.)

Low-focus attacks are easier to defend against: If Home Depot’s systems had been better protected, the hackers would have just moved on to an easier target. With attackers who are highly skilled and highly focused, however, what matters is whether a targeted company’s security is superior to the attacker’s skills, not just to the security measures of other companies. Often, it isn’t. We’re much better at such relative security than we are at absolute security.

That is why security experts aren’t surprised by the Sony story. We know people who do penetration testing for a living (real, no-holds-barred attacks that mimic a full-on assault by a dogged, expert attacker), and we know that the expert always gets in. Against a sufficiently skilled, funded and motivated attacker, all networks are vulnerable. But good security makes many kinds of attack harder, costlier and riskier. Against attackers who aren’t sufficiently skilled, good security may protect you completely.

It is hard to put a dollar value on security that is strong enough to assure you that your embarrassing emails and personnel information won’t end up posted online somewhere, but Sony clearly failed here. Its security turned out to be subpar. They didn’t have to leave so much information exposed. And they didn’t have to be so slow detecting the breach, giving the attackers free rein to wander about and take so much stuff.

For those worried that what happened to Sony could happen to you, I have two pieces of advice. The first is for organizations: take this stuff seriously. Security is a combination of protection, detection and response. You need prevention to defend against low-focus attacks and to make targeted attacks harder. You need detection to spot the attackers who inevitably get through. And you need response to minimize the damage, restore security and manage the fallout.

The time to start is before the attack hits: Sony would have fared much better if its executives simply hadn’t made racist jokes about Mr. Obama or insulted its stars, or if their response systems had been agile enough to kick the hackers out before they grabbed everything.

My second piece of advice is for individuals. The worst invasion of privacy from the Sony hack didn’t happen to the executives or the stars; it happened to the blameless random employees who were just using their company’s email system. Because of that, they’ve had their most personal conversations (gossip, medical conditions, love lives) exposed. The press may not have divulged this information, but their friends and relatives peeked at it. Hundreds of personal tragedies must be unfolding right now.

This could be any of us. We have no choice but to entrust companies with our intimate conversations: on email, on Facebook, by text and so on. We have no choice but to entrust the retailers that we use with our financial details. And we have little choice but to use cloud services such as iCloud and Google Docs.

So be smart: Understand the risks. Know that your data are vulnerable. Opt out when you can. And agitate for government intervention to ensure that organizations protect your data as well as you would. Like many areas of our hyper-technical world, this isn’t something markets can fix.

This essay previously appeared on the Wall Street Journal CIO Journal.

TorrentFreak: Researchers Make BitTorrent Anonymous and Impossible to Shut Down

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

The Pirate Bay shutdown has once again shown how vulnerable the BitTorrent ‘landscape’ is to disruptions.

With a single raid the largest torrent site on the Internet was pulled offline, dragging down several other popular BitTorrent services with it.

A team of researchers at Delft University of Technology has found a way to address this problem. With Tribler they’ve developed a robust BitTorrent client that doesn’t rely on central servers. Instead, it’s designed to keep BitTorrent alive, even when all torrent search engines, indexes and trackers are pulled offline.

“Tribler makes BitTorrent anonymous and impossible to shut down,” Tribler’s lead researcher Dr. Pouwelse tells TF.

“Recent events show that governments do not hesitate to block Twitter, raid websites, confiscate servers and steal domain names. The Tribler team has been working for 10 years to prepare for the age of server-less solutions and aggressive suppressors.”

To top that, the most recent version of Tribler, released today, also offers anonymity to its users through a custom-built, Tor-like network. This allows users to share and publish files without broadcasting their IP-addresses to the rest of the world.

“The public was beginning to lose the battle for Internet freedom, but today we are proud to be able to present an attack-resilient and censorship-resilient infrastructure for publishing,” Dr. Pouwelse says.

After thorough tests of the anonymity feature earlier this year, it’s now built into the latest release. Tribler implemented a Tor-like onion routing network which hides who is seeding or sharing files. Users can vary the number of “hops” the client uses to increase anonymity.

“Tribler creates a new dedicated network for anonymity that is in no way connected to the main Tor network. By using Tribler you become part of a Tor-like network and help others become anonymous,” Dr. Pouwelse says.

“That means you no longer have any exposure in any swarm, either downloading or seeding,” he adds.
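The hop mechanism the article describes, as an added illustration (this is not Tribler’s code): the downloader chooses a number of relays and wraps its request once per relay, so each relay strips one layer and learns only who handed it the blob and who to pass it to, and only the exit relay sees the request itself. The relay names, keys and request are constructed, and the cipher is a toy SHA-256 keystream XOR chosen so the example runs on the standard library; it is an assumption, not a real cipher and not what Tribler uses.

```python
"""Layered ("onion") wrapping over a chosen number of relay hops."""
from __future__ import annotations

import hashlib
import json
import os
from typing import Dict, List, Optional, Tuple

Hop = Tuple[str, bytes]  # (relay name, key shared between downloader and that relay)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream: SHA-256 over key, nonce and a counter (stand-in for a real cipher)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Random 8-byte nonce followed by plaintext XOR keystream."""
    nonce = os.urandom(8)
    stream = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(a ^ b for a, b in zip(plaintext, stream))


def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, body = blob[:8], blob[8:]
    stream = _keystream(key, nonce, len(body))
    return bytes(a ^ b for a, b in zip(body, stream))


def build_onion(hops: List[Hop], request: bytes) -> bytes:
    """Wrap `request` once per hop, innermost layer for the exit relay. Each layer,
    once unsealed, is JSON {"next": <relay name or null>, "inner": <hex of next layer>}."""
    blob, next_name = request, None
    for name, key in reversed(hops):
        layer = json.dumps({"next": next_name, "inner": blob.hex()}).encode()
        blob = seal(key, layer)
        next_name = name
    return blob


def relay_peel(key: bytes, blob: bytes) -> Tuple[Optional[str], bytes]:
    """What one relay does: strip its own layer, learn the next hop, pass the rest on."""
    layer = json.loads(unseal(key, blob))
    return layer["next"], bytes.fromhex(layer["inner"])


def run_circuit(origin: str, hops: List[Hop], request: bytes) -> Tuple[List[Dict], bytes]:
    """Simulate the circuit; return each relay's view and what the exit received."""
    blob, prev, views = build_onion(hops, request), origin, []
    for name, key in hops:
        next_name, blob = relay_peel(key, blob)
        views.append({
            "relay": name,
            "from": prev,
            "to": next_name or "exit",
            "sees_request": next_name is None,  # only the innermost layer exposes it
        })
        prev = name
    return views, blob


def relays_linking(origin: str, views: List[Dict]) -> List[str]:
    """Relays that know the origin *and* see the request, i.e. can link the two alone."""
    return [v["relay"] for v in views if v["from"] == origin and v["sees_request"]]


# Constructed sample circuit and request (not real peers or infohashes).
HOPS: List[Hop] = [("relay-A", b"key-A"), ("relay-B", b"key-B"), ("relay-C", b"key-C")]
REQUEST = b"GET piece 17 of <infohash placeholder>"

if __name__ == "__main__":
    views, delivered = run_circuit("downloader", HOPS, REQUEST)
    for v in views:
        print(v)
    print("exit got request back intact:", delivered == REQUEST)
    print("relays able to link origin to request:", relays_linking("downloader", views))
```

With three hops no single relay both knows the downloader and sees the request; with one hop the sole relay does, which is the trade-off behind letting users pick the hop count per torrent.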

[Image: Tribler anonymous downloading in action, select your privacy level for each torrent]

The downside to the increase in privacy is higher bandwidth usage. After all, users themselves also become proxies and have to relay the transfers of others. In addition, the anonymity feature may also slow down transfer speeds depending on how much other users are willing to share.

“We are very curious to see how fast anonymous downloads will be. It all depends on how social people are, meaning, if they leave Tribler running and help others automatically to become anonymous. If a lot of Tribler users turn out to be sharing and caring, the speed will be sufficient for a nice downloading experience,” Pouwelse says.

Another key feature of Tribler is decentralization. Users can search for files from within the application, which finds torrents through other peers instead of a central server. And if a tracker goes offline, the torrent will continue to download with the help of other users too.

The same decentralization principle applies to spam control. Where most torrent sites have a team of moderators to delete viruses, malware and fake files, Tribler uses user-generated “channels” which can be “liked” by others. If more people like a channel, the associated torrents get a boost in search results.


Overall the main goal of the University project is to offer a counterweight to the increased suppression and privacy violations the Internet is facing. Supported by millions of euros in taxpayer money, the Tribler team is confident that it can make the Internet a bit safer for torrent users.

“The Internet is turning into a privacy nightmare. There are very few initiatives that use strong encryption and onion routing to offer real privacy. Even fewer teams have the resources, the energy, technical skills and scientific know-how to take on the Big and Powerful for a few years,” Pouwelse says.

After the Pirate Bay raid last week Tribler enjoyed a 30% increase in users and they hope that this will continue to grow during the weeks to come.

Those who want to give it a spin are welcome to download Tribler here. It’s completely open source, with versions for Windows, Mac and Linux. In addition, the Tribler team also invites researchers to join the project.

Source: TorrentFreak, for the latest info on copyright, file-sharing and anonymous VPN services.

The Hacker Factor Blog: C is for Cookie

This post was syndicated from: The Hacker Factor Blog and was written by: The Hacker Factor Blog. Original post: at The Hacker Factor Blog

When people are banned for uploading prohibited content to FotoForensics, they have the option to contest the ban. They can fill out an online unban request form, or they can send an email request.

The problem with unban requests via email is that users forget to include information that I require in order to identify the ban. Right now, there are about 4,000 active bans on the site. Without some basic information, I’ll be unable to match the ban to the user’s unban request.

For this reason, we released a web-based contact form last March. When people fill out the unban form, it automatically gathers information that is needed to identify the user’s ban. This includes the user’s network address, user-agent string, and other header information. (This is passive, not active; we do not need to run any client-side code to do this. The user is already providing this information with each web request.) With this web form, users just ask to be unbanned and the server automatically identifies the ban rule. This way, we have all the information we need.

What starts with the letter “C”?

A few months ago, I banned someone who decided to send me an unban request in an email. He did not use the online form because, as he put it, “Your site requires cookies.” At the time, I thought he was just a nut-job. Not because he was worried about web cookies, but because my FotoForensics site doesn’t use cookies.

When I first designed FotoForensics back in 2012, I used a default server installation. By default, Apache + PHP enables web cookies for tracking sessions. Since the public (HTTP) web site does not use sessions, I disabled cookies. I think they were enabled for the first few months, but they haven’t been used for over two years.

Keep in mind, I am only talking about the public FotoForensics web site. (The blog software at hackerfactor.com sets cookies, but it doesn’t use them unless you login… and I disabled the login interface since nobody besides me needs access.) Also, the private FotoForensics site (used by admins) uses HTTPS and does use cookies for tracking login sessions. But the public HTTP FotoForensics site does not use cookies. To confirm this, you can use httpfox for Firefox and the standalone wireshark sniffer. Both of these network analyzers show the entire HTTP headers sent between the web browser and FotoForensics web server. Neither should show any cookies being sent.

Cookie! Cookie! Cookie starts with “C”!

Web cookies are a cute way to save state between web requests. These short character sequences are sent from the web site to the browser and then returned by the browser during subsequent requests. The browser does not modify the cookie’s contents (without special JavaScript code); the browser only returns data that the server sent it.

The browser associates the cookie with a web site. The next time the browser contacts the site, it uploads the cookie. With any request, the server may change the cookie value.

The network flow typically looks like:

  1. Web browser connects to server and says “give me this web page”.
  2. Server provides the page and says “here’s a cookie!”
  3. Browser then requests the “CSS” style information and says “and here’s the cookie you gave me.”
  4. Server returns the CSS information. The server also knows, based on the unique cookie, that this data is going specifically to you and not to just “anybody”.
  5. Browser then requests each picture on the page. With each picture, it also says “and here’s the cookie!”
  6. Server sees each picture request and the unique tracking cookie and returns each picture.

Some cookies are used for uniquely tracking users. Other cookies contain configuration settings for that web site.

The one important aspect about cookies is that they do not span domains. If your browser receives a cookie from “google.com”, then it will only send it to “google.com”. Your browser won’t send the “google.com” cookie to reddit.com, fotoforensics.com, or any other web site. Cookies only go back to the domain that generated them.

What else starts with “C”?

Back to my cookie issue…

We are currently receiving about one unban request every 1-3 weeks. However, two of the last four unban requests have included cookies. This is really odd since the cookies did not come from my site.

I finally started tracking this problem. Specifically, I have been looking for web browsers that upload cookies that didn’t come from me. For example, on 2014-12-15, FotoForensics received 909 unique file uploads and 1,253 total uploads. The site was accessed by 4,738 users. (It was a relatively slow day.) Of all of those, a total of 33 requests included cookies. (Less than 1%.)

I started to look over the cookies to see if there was anything consistent.

  • Some cookies really look like Google Analytics. I see the utma, utmb, utmc, and utmz cookie values.

  • Some cookies are clearly marketing trackers. For example, one person’s cookie included a “mindsparktb” value. That’s Mindspark.com — an online advertiser. That cookie even mentioned something called “TOOLBAR_CLEANER”. That’s known malware by Mindspark. Another person’s cookie said “SUPER-CRSRDR”. That’s associated with another ad-based computer virus.

    Basically, both of these people have web browsers that are infected with ad-based viruses. Every web site they visit will have words underlined with links to ads. (You should only see 6 hyperlinks in this entire blog entry — 3 near the beginning, 2 in this section, and 1 at the end. If you see more hyperlinked words, then you’re infected. Those extra ad links are not coming from me! They are coming from a virus that is installed on your computer.) The people who supplied Google Analytics cookie data could also be infected with malware.

  • There’s a browser plugin called “ImTranslator” that adds in cookies when it translates pages.
  • A few of the cookies really look suspicious… It almost looks like their ISP, or someone in the middle of the network transfer, may be inserting tracking cookies. I’ll need more data before I can determine if this is specific to certain ISPs in Saudi Arabia and the Czech Republic, or something else.

Cookies should never be sent to the wrong domain. It should never happen. It isn’t like it’s an accident — the software in all of these browsers explicitly forbids it. I ran these observations by a few of my friends (SM, JK, BT). They all reached the same conclusion: there’s no legitimate reason for this to be happening. We were able to come up with three possible scenarios:

  • Option #1: The web browsers are infected with one or more viruses and they are inserting cookies incorrectly.

  • Option #2: The browser is using a network connection (ISP or proxy network) that is tagging web traffic and filtering out the cookies prior to forwarding packets to my service.
  • Option #3: The user had previously accessed my site through a proxy that was adding tracking cookies. Later, the user came to my site without the proxy and ended up sending the cookies. Without the proxy to intercept, there was nothing to stop me from seeing the cookies that the tagging proxy had associated with my web site.
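A server-side check of the kind described in this section, as an added illustration (not FotoForensics’ code): for a site that issues no cookies at all, any Cookie header is unexpected, so the check parses it, tags each cookie by the marker strings the post mentions (the `__utm` prefix, “mindsparktb”, “TOOLBAR_CLEANER”, “SUPER-CRSRDR”, “ImTranslator”) and tallies a day’s traffic. It assumes request headers arrive as a plain dict (as a WSGI or CGI layer would hand them over), reads them passively and sends nothing to the client; the family labels, the `fotoforensics.example` host and the sample requests are constructed.

```python
"""Flag and classify cookies arriving at a site that never sets any."""
from __future__ import annotations

from collections import Counter
from typing import Dict, List

ISSUED_COOKIES: frozenset = frozenset()  # the public site issues no cookies at all

# (substring to look for in "name=value", family label). Labels are our own.
MARKERS = [
    ("__utm", "google-analytics"),          # __utma / __utmb / __utmc / __utmz
    ("mindsparktb", "mindspark-toolbar"),
    ("TOOLBAR_CLEANER", "mindspark-toolbar"),
    ("SUPER-CRSRDR", "ad-injector"),
    ("ImTranslator", "imtranslator-plugin"),
]


def parse_cookie_header(raw: str) -> Dict[str, str]:
    """Split a request Cookie header ('a=1; b=2') into a name -> value map.
    Deliberately lenient: injected tracker cookies rarely follow RFC 6265 exactly."""
    cookies: Dict[str, str] = {}
    for part in raw.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        cookies[name.strip()] = value.strip()
    return cookies


def classify(name: str, value: str) -> str:
    """Match name=value against the marker list, case-insensitively."""
    needle = f"{name}={value}".lower()
    for marker, family in MARKERS:
        if marker.lower() in needle:
            return family
    return "unknown-origin"


def audit_request(headers: Dict[str, str]) -> Dict[str, str]:
    """Return {cookie name: family} for every cookie this site did not issue."""
    return {
        name: classify(name, value)
        for name, value in parse_cookie_header(headers.get("Cookie", "")).items()
        if name not in ISSUED_COOKIES
    }


def summarise(requests: List[Dict[str, str]]) -> Dict:
    """Day-level tally: how many requests carried foreign cookies, and which families."""
    flagged = 0
    families: Counter = Counter()
    for headers in requests:
        found = audit_request(headers)
        if found:
            flagged += 1
            families.update(found.values())
    return {
        "requests": len(requests),
        "flagged_requests": flagged,
        "cookies_by_family": dict(families),
    }


# Constructed sample traffic (not real visitor data).
SAMPLE_REQUESTS = [
    {"Host": "fotoforensics.example", "User-Agent": "Mozilla/5.0"},
    {"Host": "fotoforensics.example", "Cookie": "__utma=1.2.3; __utmz=4.5.6"},
    {"Host": "fotoforensics.example", "Cookie": "mindsparktb=TOOLBAR_CLEANER; s=1"},
    {"Host": "fotoforensics.example", "Cookie": "SUPER-CRSRDR=abc"},
    {"Host": "fotoforensics.example"},
    {"Host": "fotoforensics.example", "Cookie": "ImTranslator_lang=en"},
]

if __name__ == "__main__":
    for headers in SAMPLE_REQUESTS:
        print(audit_request(headers))
    print(summarise(SAMPLE_REQUESTS))
```

Because the check only reads headers the browser already sends, it is as passive as the unban form itself; the tally is what you would log per day to see whether the affected clients cluster by user-agent or network, which is the data the post says it still needs before blaming a specific ISP.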

Good enough for me

With most of the cookies that I am seeing, it really looks like a user with an infected computer (option #1). This raises the next question: what do I do about it?

On one hand, I want to tell these users that they have a problem. I could easily configure my site to inform users when I detect unexpected cookies. I could even create a special web page for people who “just want to check”. Seriously: this is easy to make. I could warn them that they may have malware installed on their computers.

But then there’s the “no good deed” issue. I’m sure that some people won’t distinguish detection from cause. They will blame me for infecting their computers. Or worse: they will beg me to help them de-worm their systems. (I don’t work for individuals for a reason: individuals are crazy. If they don’t accuse you of creating the problem, then they’ll blame you for failing to read their minds.)

Or maybe there is something else going on that I’m not seeing.

Schneier on Security: Over 700 Million People Taking Steps to Avoid NSA Surveillance

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

There’s a new international survey on Internet security and trust, of “23,376 Internet users in 24 countries,” including “Australia, Brazil, Canada, China, Egypt, France, Germany, Great Britain, Hong Kong, India, Indonesia, Italy, Japan, Kenya, Mexico, Nigeria, Pakistan, Poland, South Africa, South Korea, Sweden, Tunisia, Turkey and the United States.” Amongst the findings, 60% of Internet users have heard of Edward Snowden, and 39% of those “have taken steps to protect their online privacy and security as a result of his revelations.”

The press is mostly spinning this as evidence that Snowden has not had an effect: “merely 39%,” “only 39%,” and so on. (Note that these articles are completely misunderstanding the data. It’s not 39% of people who are taking steps to protect their privacy post-Snowden, it’s 39% of the 60% of Internet users — which is not everybody — who have heard of him. So it’s much less than 39%.)

Even so, I disagree with the “Edward Snowden Revelations Not Having Much Impact on Internet Users” headline. He’s having an enormous impact. I ran the actual numbers country by country, combining data on Internet penetration with data from this survey. Multiplying everything out, I calculate that 706 million people have changed their behavior on the Internet because of what the NSA and GCHQ are doing. (For example, 17% of Indonesians use the Internet, 64% of them have heard of Snowden and 62% of them have taken steps to protect their privacy, which equals 17 million people out of its total 250-million population.)

Note that the countries in this survey only cover 4.7 billion out of a total 7 billion world population. Taking the conservative estimates that 20% of the remaining population uses the Internet, 40% of them have heard of Snowden, and 25% of those have done something about it, that’s an additional 46 million people around the world.

It’s probably true that most of those people took steps that didn’t make any appreciable difference against an NSA level of surveillance, and probably not even against the even more pervasive corporate variety of surveillance. It’s probably even true that some of those people didn’t take steps at all, and just wish they did or wish they knew what to do. But it is absolutely extraordinary that 750 million people are disturbed enough about their online privacy that they will represent to a survey taker that they did something about it.

Name another news story that has caused over ten percent of the world’s population to change their behavior in the past year? Cory Doctorow is right: we have reached “peak indifference to surveillance.” From now on, this issue is going to matter more and more, and policymakers around the world need to start paying attention.

Related: a recent Pew Research Internet Project survey on Americans’ perceptions of privacy, commented on by Ben Wittes.

TorrentFreak: “How To Learn Absolutely Nothing In Fifteen Years,” By The Copyright Industry

This post was syndicated from: TorrentFreak and was written by: Rick Falkvinge. Original post: at TorrentFreak

In 1999, Napster was a one-time opportunity for the copyright industry to come out on top of the Internet. Napster was the center of attention for people sharing music. (Hard drives weren’t big enough to share movies yet.)

Everybody knew that the copyright industry at the time had two options – they could embrace and extend Napster, in which case they would be the center of culture going forward, or they could try to crush Napster, in which case they would lose the Internet forever as there would not be another centralized point like it.

The copyright industry, having a strong and persistent tradition of trying to obliterate every new technology for the past century, moved to crush Napster. It vanished. DirectConnect, LimeWire, and Kazaa – slightly more decentralized sharing mechanisms – popped up almost immediately, and BitTorrent a year or so later.

This was about as predictable as the behavior of a grandfather clock: the cat wasn’t just out of the bag, but had boarded a random train and travelled halfway cross-country already. People had smelled the scent of sharing, and there was no going back. However, people wouldn’t repeat the mistakes of Napster and have a single point of failure. For the next couple of years, sharing decentralized rapidly to become more impervious and resilient to the onslaught of an obsoleted distribution industry.

It is not a coincidence that The Pirate Bay rose about 2003. That time period was the apex of the post-Napster generation of sharing technologies. With the advent of the first generation of torrent sites, sharing slowly started to re-centralize to focus on these sharing sites. For a few years, DirectConnect hubs were popular, before people transitioned completely to the faster and more decentralized BitTorrent technology.

This week, The Pirate Bay was taken offline in a police raid in Sweden. It may only have been the front-end load balancer that got captured, but it was still a critical box for the overall setup, even if all the other servers are running in random, hidden locations.

Sure, The Pirate Bay was old and venerable, and quite far from up to date with today’s expectations on a website. That tells you so much more, when you consider it was consistently in the top 50 websites globally: if such a… badly maintained site can get to such a ranking, how abysmal mustn’t the copyright industry be?

The copyright industry is so abysmal it hasn’t learned anything in the past 15 years.

In the mere week following the downing of The Pirate Bay, there has been a flurry of innovation. People are doing exactly what they did fifteen years ago, after Napster: everybody is saying “never again”, and going to town inventing more resilience, more decentralization, and more sharing efficiency. The community who are manufacturing our own copies of knowledge and culture had gotten complacent with the rather badly-maintained website and more or less stopped innovating – The Pirate Bay had been good enough for several years, even when its age was showing.

I’ve seen signals from every continent in the past week that the past decade of decentralization technologies is getting pooled into new sharing initiatives. A lot of them seem really hot. Some are just hitting the ball out of the park if they get realized: everything from TOR to blockchain technology to distributed computing – components that weren’t there when BitTorrent first surfaced ten years ago. If realized, they should surface over the next few years, like BitTorrent surfaced three to four years after Napster with a bunch of other technologies in between. As a side bonus, these new initiatives will also protect privacy and free speech, which are both incompatible with enforcement of the copyright monopoly.

So in a way, this was welcome. We need that innovation. We need to not grow complacent. We all need to stay ahead of the crumbling monopolies – a dying tiger is dangerous, even when it’s obviously insane. But The Pirate Bay’s legacy will never die, just like Napster’s legacy won’t.

In the meantime, the copyright industry is a case study in how to really insist on not learning a damn thing from your own monumental mistakes in fifteen full years.

About The Author

Rick Falkvinge is a regular columnist on TorrentFreak, sharing his thoughts every other week. He is the founder of the Swedish and first Pirate Party, a whisky aficionado, and a low-altitude motorcycle pilot. His blog at falkvinge.net focuses on information policy.


Darknet - The Darkside: Oryon C Portable – Open Source Intelligence (OSINT) Framework

This post was syndicated from: Darknet - The Darkside and was written by: Darknet. Original post: at Darknet - The Darkside

Oryon C Portable is a web browser designed to assist researchers in conducting Open Source Intelligence investigations. Oryon comes with dozens of pre-installed tools and a select set of links catalogued by category – including those that can be found in the OI Shared Resources. Based on SRWare Iron version 31.0.1700.0 (Chromium) More than 70…

Read the full post at darknet.org.uk

The Hacker Factor Blog: You Can Bank On It

This post was syndicated from: The Hacker Factor Blog and was written by: The Hacker Factor Blog. Original post: at The Hacker Factor Blog

Last week, security journalist Brian Krebs reported on a U.S. Treasury Department finding. The Treasury found that TOR nodes account for a large percent of online banking fraud.

I found this report to be startling. I wasn’t surprised that TOR was being used for fraud. Rather, I was stunned that, after all these years, the banking industry was not filtering out logins from TOR nodes!

Don’t look at me!

Let’s back up a moment… The purpose of TOR (the onion router) is to mix up the network pathway so that users can be anonymous online. The purpose of logging into anything — a bank, Google, Facebook, or any other online service — is to identify yourself. These are diametrically opposed concepts. You cannot be anonymous and identify yourself at the same time!

There may be some online services where you don’t care about the account and you want to be anonymous. A good example would be a free Yahoo Mail account that some anti-government Chinese citizen wants to access. They are anonymous but also identified for logging into the account. However, online banking is different.

With online banking, it is not a “free account”. The account manages tangible assets (money) and is directly associated with a person (or company). Customers want the bank to know it is them doing legitimate business and not someone else doing fraud.

The only time a user might want to be anonymous when accessing a bank is if the account is for doing something illegal (like money laundering). This way, the bank won’t be able to trace the account to an individual. But then again, no FDIC Insured bank wants that kind of customer. (Let’s leave the fraud to non-insured PayPal accounts.)

Seriously: I cannot think of any legitimate reason to do anonymous online banking. I see no legitimate reason to access your bank account using TOR.

Safe Web Access

The other thing to remember is that TOR is not a safe online system. Sure, nobody can trace the network connection from the web client to the web server, but that doesn’t mean it is safe. Specifically, you (the TOR user) do not know who owns each TOR exit node and you have no idea what they are doing to your data.

Last October, some researchers discovered that a few TOR exit nodes were maliciously modifying files. You may think you are downloading a program, but the TOR node was inserting malware instead.

Hostile TOR nodes have also been used to track users and even record logins and passwords.

In effect, if you use TOR then you should assume that (1) nobody knows it is you, and (2) someone is watching and recording what you do. Logging into your bank, or anywhere else, is really a bad idea for TOR users. Knowing this, it strikes me that banks are being intentionally ignorant to permit logins from TOR nodes. This majority of banking fraud should have been stopped years ago.

Filtering by Network

I have previously written about various ways to detect proxies. There are two fast and easy ways to detect proxy users: network and application filtering.

The first way focuses on the network address. The folks at the Tor Project actually have an FAQ entry for online services that want to block TOR. They even provide the list of known TOR nodes! At this point, the web server can look at every login request and check if the client’s network address is the same as a known TOR node. If it is, then they can block the request. (And if the login was valid, the bank can even block all login access to the account since the account has been compromised.)

Keep in mind: TOR is not the only proxy network out there. There are dozens of free lists of open proxies. (And even more fee-based lists.) There are also a couple of DNS-blacklist systems that identify known proxy addresses. And then there are network-based geo-location databases — most have some subnets identified as known proxy networks. Banks could even use the geo-location information to identify likely fraud. For example, if I last logged in from Colorado and then, minutes or hours later, appear to come from Europe, then my account has likely been compromised.

If banks really wanted to be proactive, then they would also identify Starbucks, McDonalds, Holiday Inn, and other major free-Internet providers and add them to the “no login” list. Users should never check their bank accounts from a free Internet service.
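The network-address checks described in this section, as an added example that is not part of the post and not any bank’s code. It assumes a constructed Tor exit list and a constructed geo/proxy catalogue built from RFC 5737 documentation addresses (with a “public-hotspot” category standing in for the free-Internet providers mentioned above), plus an assumed 900 km/h threshold for the Colorado-to-Europe style impossible-travel test. A real deployment would refresh the exit list from the Tor Project and draw its ranges from geo-IP feeds, open-proxy lists and DNS blacklists.

```python
"""Added example (not the post's or any bank's code): gate a login attempt on
the client's network address. Every address and range below is constructed
sample data from the RFC 5737 documentation blocks."""
import ipaddress
import math
from typing import Optional, Tuple

# Stand-in for the Tor Project's published exit-node list (constructed).
KNOWN_TOR_EXITS = {"198.51.100.7", "198.51.100.19", "203.0.113.44"}

# Constructed catalogue: (network, label, category, latitude, longitude).
# A real deployment would build this from geo-IP feeds, open-proxy lists and
# DNS blacklists; "public-hotspot" stands in for the free-Internet providers
# the post says should be on the "no login" list.
NETWORKS = [
    (ipaddress.ip_network("203.0.113.0/24"), "listed open-proxy range", "open-proxy", 50.1, 8.7),
    (ipaddress.ip_network("192.0.2.0/25"), "Denver, Colorado", "residential", 39.7, -104.9),
    (ipaddress.ip_network("192.0.2.128/25"), "coffee-shop Wi-Fi, Denver", "public-hotspot", 39.7, -104.9),
    (ipaddress.ip_network("198.51.100.0/24"), "Berlin, Germany", "residential", 52.5, 13.4),
]

BLOCKED_CATEGORIES = {"open-proxy", "public-hotspot"}
MAX_PLAUSIBLE_KMH = 900.0  # assumed threshold, roughly airliner speed


def lookup(ip: str) -> Optional[Tuple[str, str, float, float]]:
    """Return (label, category, lat, lon) for the range covering ip, or None."""
    addr = ipaddress.ip_address(ip)
    for net, label, category, lat, lon in NETWORKS:
        if addr in net:
            return label, category, lat, lon
    return None


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in kilometres between two points."""
    earth_radius_km = 6371.0
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = (math.sin(dphi / 2) ** 2
         + math.cos(math.radians(lat1)) * math.cos(math.radians(lat2)) * math.sin(dlam / 2) ** 2)
    return 2 * earth_radius_km * math.asin(math.sqrt(a))


def assess_login(ip: str, now_ts: float,
                 last_ip: Optional[str], last_ts: Optional[float]) -> Tuple[str, str]:
    """Classify a login as 'block', 'suspect' or 'allow', with a reason.

    now_ts / last_ts are Unix timestamps in seconds; last_ip / last_ts describe
    the account's previous successful login, or None if there is none."""
    if ip in KNOWN_TOR_EXITS:
        return "block", "client address is a known Tor exit node"
    entry = lookup(ip)
    if entry is None:
        return "allow", "address not in any catalogued range"
    label, category, lat, lon = entry
    if category in BLOCKED_CATEGORIES:
        return "block", "client address is in a %s range (%s)" % (category, label)
    # Impossible-travel check against the previous login's location.
    if last_ip is not None and last_ts is not None:
        prev = lookup(last_ip)
        if prev is not None and prev[1] not in BLOCKED_CATEGORIES:
            hours = (now_ts - last_ts) / 3600.0
            km = haversine_km(prev[2], prev[3], lat, lon)
            if hours > 0 and km / hours > MAX_PLAUSIBLE_KMH:
                return "suspect", "%.0f km from %s to %s in %.1f h" % (km, prev[0], label, hours)
    return "allow", "client address in %s" % label


if __name__ == "__main__":
    now = 1700000000.0
    print(assess_login("198.51.100.7", now, None, None))
    print(assess_login("192.0.2.200", now, None, None))
    print(assess_login("198.51.100.200", now, "192.0.2.10", now - 2 * 3600))
```

The Tor-exit test runs before the catalogue lookup so that an exit node sitting inside an otherwise ordinary range is still refused; the impossible-travel check only compares against a previous login from a non-blocked range, since a proxy’s location says nothing about where the customer actually was.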

Filtering by Application

While network filtering will identify known addresses that denote proxy systems, there are always other proxies that are not found on any list.

Beyond looking at network addresses, services can detect proxies by looking at the web traffic’s HTTP header. Many proxy systems add in their own HTTP headers that denote a network relay. If any of these proxy headers exist, then the server should reject the login.

The biggest problem with HTTP headers is that there is no consistent method to identify a web proxy. Some relays add in an HTTP “VIA” header. Others may use “FORWARDED”, “FORWARDED-FOR”, “HTTP_CLIENT_IP”, “X-PROXY-ID” or similar header fields. My own FotoForensics system currently looks for over a dozen different HTTP headers that denote some kind of proxy network connection. While some of these proxy networks may be acceptable for online banking (e.g., “X-BlueCoat-Via” or “Client-IP”), others should probably be blacklisted.
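The header check described above, as an added example that is not FotoForensics’ code: it classifies a request by which proxy-denoting header names are present (compared case-insensitively, since HTTP header names are) and extracts the address chain a relay claims to have forwarded for, from either X-Forwarded-For or the RFC 7239 Forwarded header. The two header sets are assumptions built from the names the post mentions plus a few common ones, and the sample requests are constructed.

```python
"""Added example (not FotoForensics' code): flag login requests whose HTTP
headers reveal a relay, and pull out the address chain a relay claims to
have forwarded for. The header lists are constructed for illustration."""
import re
from typing import Dict, List, Tuple

# Header names that denote a relay and should cause a login to be rejected.
# Lowercase because HTTP header names are case-insensitive.
REJECT_HEADERS = {
    "via", "forwarded", "forwarded-for", "x-forwarded-for",
    "http_client_ip", "x-proxy-id", "proxy-connection",
}
# Headers the post treats as acceptable corporate proxies: log and review
# rather than reject.
REVIEW_HEADERS = {"x-bluecoat-via", "client-ip"}

# RFC 7239 "Forwarded: for=..." pairs; values may be quoted (IPv6 literals are).
_FORWARDED_FOR = re.compile(r'for=(?:"([^"]*)"|([^;,\s]+))', re.IGNORECASE)


def classify_request(headers: Dict[str, str]) -> Tuple[str, List[str]]:
    """Return ('reject' | 'review' | 'accept', [matching header names])."""
    present = {name.lower() for name in headers}
    rejecting = sorted(present & REJECT_HEADERS)
    if rejecting:
        return "reject", rejecting
    reviewing = sorted(present & REVIEW_HEADERS)
    if reviewing:
        return "review", reviewing
    return "accept", []


def relay_chain(headers: Dict[str, str]) -> List[str]:
    """Addresses a relay claims to have forwarded for, in header order.

    These values are supplied by the proxy and are unverified: useful for
    logging and correlation, never as proof of the client's real address."""
    lowered = {name.lower(): value for name, value in headers.items()}
    hops: List[str] = []
    if "x-forwarded-for" in lowered:
        hops += [h.strip() for h in lowered["x-forwarded-for"].split(",") if h.strip()]
    if "forwarded" in lowered:
        hops += [quoted or bare for quoted, bare in _FORWARDED_FOR.findall(lowered["forwarded"])]
    return hops


# Constructed sample requests (addresses from the RFC 5737 / RFC 3849 documentation ranges).
SAMPLE_REQUESTS = {
    "direct": {"Host": "bank.example", "User-Agent": "Mozilla/5.0"},
    "anonymizing-relay": {"Host": "bank.example", "Via": "1.1 relay.example",
                          "X-Forwarded-For": "192.0.2.9, 198.51.100.17"},
    "corporate-proxy": {"Host": "bank.example", "X-BlueCoat-Via": "abc123"},
    "rfc7239": {"Host": "bank.example",
                "Forwarded": 'for=198.51.100.17;proto=https, for="[2001:db8::1]:4711"'},
}

if __name__ == "__main__":
    for name, req in SAMPLE_REQUESTS.items():
        print(name, classify_request(req), relay_chain(req))
```

Because a relay writes these headers itself, anything in the forwarded chain is only a claim; the decision to reject rests on the header being present at all, and the extracted addresses go into the login log for later correlation with the network-address checks.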

Being proactive is not a crime

There are many viable uses for proxy networks. However, there are also times when using a proxy is a really bad idea. Banks should be utilizing all of these proxy detection methods. They should be ensuring that the network address is not part of a known proxy system. And they should be proactively trying to identify and reduce fraud.

Of course, some people may tell you that online banking through TOR is safe if you use HTTPS. However, that really isn’t true. Anyone who has seen the Defcon Wall of Sheep knows that HTTPS is easy to compromise if you control the network. Remember: SSL is a security placebo and not an actual security solution.

Before I began focusing on forensic tool development, I did a lot of forensic analysis for corporations. I always thought it was ironic when the corporate lawyers would give me very specific directions, like: “We want to know exactly what happened on this computer. Who did what and when. And whatever happens, we do not want you to look at that computer over there!” With corporate attorneys, if they know about something then they must act on it. But if they don’t explicitly know, then they don’t have to do anything about it. By not looking at the problem, they could always claim ignorance.

This entire “TOR used for bank fraud” situation has a similar feel. It is as if the banks want to claim ignorance rather than addressing the problem. But in this case, the entire industry has known for years that TOR is commonly used for online criminal activity. And we have long known that easy banking access facilitates fraud. In this case, not blocking TOR users really looks to me like intentional criminal negligence.

Schneier on Security: Comments on the Sony Hack

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

I don’t have a lot to say about the Sony hack, which seems to still be ongoing. I want to highlight a few points, though.

  1. At this point, the attacks seem to be a few hackers and not the North Korean government. (My guess is that it’s not an insider, either.) That we live in the world where we aren’t sure if any given cyberattack is the work of a foreign government or a couple of guys should be scary to us all.

  2. Sony is a company that hackers have loved to hate for years now. (Remember their rootkit from 2005?) We’ve learned previously that putting yourself in this position can be disastrous. (Remember HBGary.) We’re learning that again.
  3. I don’t see how Sony launching a DDoS attack against the attackers is going to help at all.
  4. The most sensitive information that’s being leaked as a result of this attack isn’t the unreleased movies, the executive emails, or the celebrity gossip. It’s the minutia from random employees:

    The most painful stuff in the Sony cache is a doctor shopping for Ritalin. It’s an email about trying to get pregnant. It’s shit-talking coworkers behind their backs, and people’s credit card log-ins. It’s literally thousands of Social Security numbers laid bare. It’s even the harmless, mundane, trivial stuff that makes up any day’s email load that suddenly feels ugly and raw out in the open, a digital Babadook brought to life by a scorched earth cyberattack.

    These people didn’t have anything to hide. They aren’t public figures. Their details aren’t going to be news anywhere in the world. But their privacy has been violated, and there are literally thousands of personal tragedies unfolding right now as these people deal with their friends and relatives who have searched and read this stuff.

    These are people who did nothing wrong. They didn’t click on phishing links, or use dumb passwords (or even if they did, they didn’t cause this). They just showed up. They sent the same banal workplace emails you send every day, some personal, some not, some thoughtful, some dumb. Even if they didn’t have the expectation of full privacy, at most they may have assumed that an IT creeper might flip through their inbox, or that it was being crunched in an NSA server somewhere. For better or worse, we’ve become inured to small, anonymous violations. What happened to Sony Pictures employees, though, is public. And it is total.

    Gizmodo got this 100% correct. And this is why privacy is so important for everyone.

I’m sure there’ll be more information as this continues to unfold.