Posts tagged ‘Privacy’

TorrentFreak: Kim Dotcom & Mega Trade Barbs Over Hostile Takeover Claims

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

For the past several years, Kim Dotcom has been the most vocal supporter of Mega.co.nz, the cloud storage site he helped launch in 2013. Two and a half years later, something has gone very sour.

In a Q&A session with Slashdot this week, Dotcom told surprised readers that Mega was to be avoided.

“I’m not involved in Mega anymore. Neither in a managing nor in a shareholder capacity. The company has suffered from a hostile takeover by a Chinese investor who is wanted in China for fraud. He used a number of straw-men and businesses to accumulate more and more Mega shares,” Dotcom explained.

“Recently his shares have been seized by the [New Zealand] government. Which means the NZ government is in control.”

Intrigued, TorrentFreak spoke with Kim Dotcom to find out more about his allegations.

“Mega has experienced a hostile takeover and is no longer in the control of people who care about Internet Freedom. The New Zealand Government and Hollywood have seized a significant share of the company,” Dotcom told TorrentFreak.

“The combined shares seized by the NZ government and Hollywood were significant enough to stop our listing on the New Zealand stock exchange. On the one side Hollywood seized Mega shares of a family trust that was created for the benefit of my children and on the other side Hollywood was lobbying US Senators and credit card companies to stop payment processing for Mega.”

Dotcom says that the efforts of the NZ government and Hollywood meant that Mega couldn’t raise the capital required from the stock market to carry out its business plan. Furthermore, attacks on its abilities to process payments have now “dried up” the company’s cash flow.

“As a result Mega has been forced into bankruptcy territory and recently had to raise new capital at an insanely low valuation of NZD 10 million,” Dotcom says.

“This company was worth over 200 million before the NZ government and Hollywood launched their combined effort to destroy Mega. I have always said that this is a political case and the systematic sabotage of Mega is further proof of that.”

All of this leads Dotcom to the conclusion that Mega is no longer a safe site to use.

“As a result of this and a number of other confidential issues I don’t trust Mega anymore. I don’t think your data is safe on Mega anymore. But my non-compete clause is running out at the end of the year and I will create a Mega competitor that is completely open source and non-profit, similar to the Wikipedia model,” Dotcom says.

“I want to give everyone free, unlimited and encrypted cloud storage with the help of donations from the community to keep things going.”

Mega bites back

With shots fired, TorrentFreak spoke with Mega CEO Graham Gaylard and CCO Stephen Hall. Needless to say, they see things quite differently.

“Mega is a New Zealand company privately owned by 17 local and international investors, whose identities are publicly disclosed on the New Zealand Government’s Companies Office website,” Mega told TF.

“Like all start-up companies, Mega has had several rounds of equity investment. More than 75% of shareholders have supported recent equity issues, so there has not been any ‘hostile takeover’, contrary to Mr Dotcom’s assertion. Those shareholders who have decided not to subscribe to recent issues have been diluted accordingly. That has been their choice.”

Turning to the 6% shareholding held by the Dotcom family trust (which is controlled by Mr Dotcom’s estranged wife and is currently subject to a High Court freezing order following a 2014 application by five Hollywood film studios), Mega says there is no cause for alarm.

“That is a matter for the Dotcom family trust and does not concern Mega. The authorities responsible for maintaining the order have not opposed or interfered in any of Mega’s operations,” the company explains.

“Two other shareholdings totaling 7% are subject to a separate restraint ordered by the New Zealand High Court in August 2014. That is also a matter for that investor and does not concern Mega. Mega is not a party to either of the above court proceedings.”

Turning to Kim Dotcom’s claims that Mega is no longer in the hands of people who care about privacy, Mega told TF that isn’t the case.

“Mega continues to be managed by its executive team, supported by a Board of Directors and shareholders, who all care deeply about Internet freedom and privacy and are passionate about supporting Mega’s user-controlled encryption for cloud storage and communication services,” the company says.

Turning to Dotcom himself, the cloud storage site gave its clearest statement yet on its relationship with the German. Mega says that while Dotcom was a co-founder of their operation he was not involved in the design and implementation of Mega technology, resigned as a director in 2013 and has had no managerial role since. Additionally, Mega says that Dotcom has not received any payments or remuneration from the company.

“Mega disagrees with a number of Mr Dotcom’s public comments,” Mega adds.

Turning to the security of Mega itself, the company says that the full source for its client-side software SDK is available on Github and the source for its MEGAsync and mobile applications will be published in due course.

“Mega’s encryption code has been examined by various international experts including the Spanish National Cybersecurity Institute without any flaws being found,” the company says.

In closing, Mega issued a statement which indicates a collapse in relations with their co-founder.

“Mega views Mr Dotcom’s defamatory comments as self-serving and designed simply to [promote] his supposed new business venture,” Mega says.

“They are inconsistent with his previous desire to ensure that the shareholding in Mega remains a valuable asset for his children and reflect just how completely Mr Dotcom and Mega have now moved apart if he can make such an unwarranted and irresponsible, defamatory attack,” the company concludes.

Source: TorrentFreak, for the latest info on copyright, file-sharing, torrent sites and the best VPN services.

Lauren Weinstein's Blog: Windows 10: A Potential Privacy Mess, and Worse

This post was syndicated from: Lauren Weinstein's Blog and was written by: Lauren. Original post: at Lauren Weinstein's Blog

I had originally been considering accepting Microsoft’s offer of a free upgrade from Windows 7 to Windows 10. After all, reports have suggested that it’s a much more usable system than Windows 8/8.1 — but of course in keeping with the “every other MS release of Windows is a dog” history, that’s a pretty low bar. However, it appears that…

Darknet - The Darkside: Drones, Tor & Remailers – The Story Of A High-Tech Kidnapping

This post was syndicated from: Darknet - The Darkside and was written by: Darknet. Original post: at Darknet - The Darkside

This whole thing sounds like something straight out of CSI: Cyber with references to Drones, Tor, remailers, anonymous image sharing and the scrubbing of meta data. Pretty interesting reading, although it rather smells like a lot of exaggeration. A super high-tech kidnapping – gone wrong in the end. Whoever wrote the e-mails sent to the…

Read the full post at darknet.org.uk

TorrentFreak: Google Publishes Chrome Fix For Serious VPN Security Hole

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

As large numbers of Internet users wise up to seemingly endless online privacy issues, security products are increasingly being viewed as essential for even basic tasks such as web browsing.

In addition to regular anti-virus, firewall and ad-busting products, users wishing to go the extra mile often invest in a decent VPN service which allows them to hide their real IP addresses from the world. Well, that’s the theory at least.

In January this year, details of a serious vulnerability revealed that in certain situations third parties were able to discover the real IP addresses of Chrome and Firefox users even though they were connected to a VPN.

This wasn’t the fault of any VPN provider though. The problem was caused by features present in WebRTC, an open-source project supported by Google, Mozilla and Opera.

By placing a few lines of code on a website and using a STUN server it became possible to reveal not only users’ true IP addresses, but also their local network address too.

While users were immediately alerted to broad blocking techniques that could mitigate the problem, it’s taken many months for the first wave of ‘smart’ solutions to arrive.

Following on the heels of a Chrome fix published by Rentamob earlier this month which protects against VPN leaks while leaving WebRTC enabled, Google has now thrown its hat into the ring.

Titled ‘WebRTC Network Limiter’, the tiny Chrome extension (just 7.31KB) disables the WebRTC multiple-routes option in Chrome’s privacy settings while configuring WebRTC not to use certain IP addresses.

In addition to hiding local IP addresses that are normally inaccessible to the public Internet (such as 192.168.1.1), the extension also stops other public IP addresses being revealed.

“Any public IP addresses associated with network interfaces that are not used for web traffic (e.g. an ISP-provided address, when browsing through a VPN) [are hidden],” Google says.

“Once the extension is installed, WebRTC will only use public IP addresses associated with the interface used for web traffic, typically the same addresses that are already provided to sites in browser HTTP requests.”

While both the Google and Rentamob solutions provide more elegant responses to the problem than previously available, both admit to having issues.

“Some WebRTC functions, like VOIP, may be affected by the multiple routes disabled setting. This is unavoidable,” Rentamob explains.

Google details similar problems, including issues directly linked to funneling traffic through a VPN.

“This extension may affect the performance of applications that use WebRTC for audio/video or real-time data communication. Because it limits the potential network paths, WebRTC may pick a path that results in significantly longer delay or lower quality (e.g. through a VPN). We are attempting to determine how common this is,” the company concludes.

After applying the blocks and fixes detailed above, Chrome users can check for IP address leaks by using sites including IPLeak and BrowserLeaks.
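To make the leak described above concrete, here is an added example (not code from the article, from Google's extension or from Rentamob's fix) that classifies the ICE candidates a page collects through WebRTC the way a leak-test site does: local addresses the page should never see, and any public address other than the one the site already gets from the HTTP request (the VPN exit). All candidate strings and addresses are constructed sample data.

```javascript
// Added example: classify WebRTC ICE candidates into local, expected-public and
// leaked-public addresses. Candidate strings and addresses are constructed.

// Minimal parse of an ICE candidate attribute (RFC 5245 syntax):
// candidate:<foundation> <component> <transport> <priority> <address> <port> typ <type> ...
function parseCandidate(line) {
  const m = /^(?:a=)?candidate:(\S+) (\d+) (\S+) (\d+) (\S+) (\d+) typ (\S+)/.exec(line.trim());
  if (!m) return null;
  return { address: m[5], port: Number(m[6]), type: m[7] };
}

// Addresses that only make sense on the local network: RFC 1918, IPv4 link-local,
// IPv6 unique-local (fc00::/7) and link-local (fe80::/10). mDNS ".local" names
// are already an obfuscation, so they count as local too.
function isLocalAddress(addr) {
  if (addr.endsWith('.local')) return true;
  if (addr.includes(':')) {
    const a = addr.toLowerCase();
    return a.startsWith('fe80:') || a.startsWith('fc') || a.startsWith('fd');
  }
  const p = addr.split('.').map(Number);
  if (p.length !== 4 || p.some(n => !Number.isInteger(n) || n < 0 || n > 255)) return false;
  return p[0] === 10
    || (p[0] === 172 && p[1] >= 16 && p[1] <= 31)
    || (p[0] === 192 && p[1] === 168)
    || (p[0] === 169 && p[1] === 254);
}

// expectedEgress: the public address the site already sees in the HTTP request,
// i.e. the VPN exit when browsing through a VPN. Any other public address among
// the candidates is a route the VPN was supposed to conceal (e.g. the ISP-assigned one).
function assessLeak(candidateLines, expectedEgress) {
  const local = new Set();
  const pub = new Set();
  for (const line of candidateLines) {
    const c = parseCandidate(line);
    if (!c) continue;                 // skip anything that is not a candidate line
    if (c.type === 'relay') continue; // a TURN relay address belongs to the relay, not the user
    (isLocalAddress(c.address) ? local : pub).add(c.address);
  }
  const leakedPublic = [...pub].filter(a => a !== expectedEgress);
  return {
    localAddresses: [...local],
    publicAddresses: [...pub],
    leakedPublic,
    leaksLocal: local.size > 0,          // the milder leak: LAN addresses exposed
    leaksPublic: leakedPublic.length > 0, // the VPN bypass: a second public address exposed
  };
}

// Constructed sample: a host on 192.168.1.0/24 with a VPN tunnel interface (10.8.0.6).
// STUN reflects both the ISP-assigned address (203.0.113.45) and the VPN exit (198.51.100.9).
const SAMPLE_WITH_MULTIPLE_ROUTES = [
  'candidate:842163049 1 udp 2122260223 192.168.1.23 54321 typ host generation 0',
  'candidate:842163050 1 udp 2122194687 10.8.0.6 54322 typ host generation 0',
  'candidate:1853887674 1 udp 1686052607 203.0.113.45 54321 typ srflx raddr 192.168.1.23 rport 54321 generation 0',
  'candidate:1853887675 1 udp 1685987071 198.51.100.9 54322 typ srflx raddr 10.8.0.6 rport 54322 generation 0',
];

// Constructed sample of the outcome the limiter aims for: only the address of the
// interface used for web traffic (the VPN exit) is reflected, nothing else.
const SAMPLE_LIMITED = [
  'candidate:1853887675 1 udp 1685987071 198.51.100.9 54322 typ srflx raddr 0.0.0.0 rport 0 generation 0',
];

const VPN_EXIT = '198.51.100.9'; // constructed: what the site sees in HTTP requests

console.log(assessLeak(SAMPLE_WITH_MULTIPLE_ROUTES, VPN_EXIT));
console.log(assessLeak(SAMPLE_LIMITED, VPN_EXIT));
```

In a browser the candidate strings come from the `icecandidate` events of an `RTCPeerConnection` configured with a STUN server; feeding them to `assessLeak` with the address shown by the site's HTTP request gives the same verdict a leak-test page reports.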

Krebs on Security: Windows 10 Shares Your Wi-Fi With Contacts

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

Starting today, Microsoft is offering most Windows 7 and Windows 8 users a free upgrade to the software giant’s latest operating system — Windows 10. But there’s a very important security caveat that users should know about before transitioning to the new OS: Unless you opt out, Windows 10 will by default share your Wi-Fi network password with any contacts you may have listed in Outlook and Skype — and, with an opt-in, your Facebook friends!

This brilliant new feature, which Microsoft has dubbed Wi-Fi Sense, doesn’t share your WiFi network password per se — it shares an encrypted version of that password. But it does allow anyone in your Skype or Outlook or Hotmail contacts lists to waltz onto your Wi-Fi network — should they ever wander within range of it or visit your home (or hop onto it secretly from hundreds of yards away with a good ‘ole cantenna!).

I first read about this disaster waiting to happen over at The Register, which noted that Microsoft’s Wi-Fi Sense FAQ seeks to reassure would-be Windows 10 users that the Wi-Fi password will be sent encrypted and stored encrypted — on a Microsoft server. According to PCGamer, if you use Windows 10’s “Express” settings during installation, Wi-Fi Sense is enabled by default.

“For networks you choose to share access to, the password is sent over an encrypted connection and stored in an encrypted file on a Microsoft server, and then sent over a secure connection to your contacts’ phone if they use Wi-Fi Sense and they’re in range of the Wi-Fi network you shared,” the FAQ reads.

The company says your contacts will only be able to share your network access, and that Wi-Fi Sense will block those users from accessing any other shared resources on your network, including computers, file shares or other devices. But these words of assurance probably ring hollow for anyone who’s been paying attention to security trends over the past few years: Given the myriad ways in which social networks and associated applications share and intertwine personal connections and contacts, it’s doubtful that most people are aware of who exactly all of their social network followers really are from one day to the next.

El Reg says it well here:

That sounds wise – but we’re not convinced how it will be practically enforced: if a computer is connected to a protected Wi-Fi network, it must know the key. And if the computer knows the key, a determined user or hacker will be able to find it within the system and use it to log into the network with full access.

In theory, someone who wanted access to your company network could befriend an employee or two, and drive into the office car park to be in range, and then gain access to the wireless network. Some basic protections, specifically ones that safeguard against people sharing their passwords, should prevent this.

I should point out that Wi-Fi networks which use the centralized 802.1x Wi-Fi authentication — and these are generally tech-savvy large organizations — won’t have their Wi-Fi credentials shared by this new feature.

Microsoft’s solution for those concerned requires users to change the name (a.k.a. “SSID”) of their Wi-Fi network to include the text “_optout” somewhere in the network name (for example, “oldnetworknamehere_optout”).

It’s interesting to contrast Microsoft’s approach here with that of Apple, who offer an opt-in service called iCloud Keychain; this service allows users who decide to use the service to sync WiFi access information, email passwords, and other stored credentials amongst their own personal constellation of Apple computers and iDevices via Apple’s iCloud service, but which does not share this information with other users. Apple’s iCloud Keychain service encrypts the credentials prior to sharing them, as does Microsoft’s Wi-Fi Sense service; the difference is that it’s opt-in and that it only shares the credentials with your own devices.

Wi-Fi Sense has of course been a part of the latest Windows Phone for some time, yet it’s been less of a concern previously because Windows Phone has nowhere near the market share of mobile devices powered by Google’s Android or Apple’s iOS. But embedding this feature in an upgrade version of Windows makes it a serious concern for much of the planet.

Why? For starters, despite years of advice to the contrary, many people tend to re-use the same password for everything. Also, lots of people write down their passwords. And, as The Reg notes, if you personally share your Wi-Fi password with a friend — by telling it to them or perhaps accidentally leaving it on a sticky note on your fridge — and your friend enters the password into his phone, the friends of your friend now have access to the network.

Source: How-To Geek

An article in Ars Technica suggests the concern over this new feature is much ado about nothing. That story states: “First, a bit of anti-scaremongering. Despite what you may have read elsewhere, you should not be mortally afraid of Wi-Fi Sense. By default, it will not share Wi-Fi passwords with anyone else. For every network you join, you’ll be asked if you want to share it with your friends/social networks.”

To my way of reading that, if I’m running Windows 10 in the default configuration and a contact of mine connects to my Wi-Fi network and says yes to sharing, Windows shares access to that network: The contact gets access automatically, because I’m running Windows 10 and we’re social media contacts. True, that contact doesn’t get to see my Wi-Fi password, but he can nonetheless connect to my network.

While you’re at it, consider keeping Google off your Wi-Fi network as well. It’s unclear whether the Wi-Fi Sense opt-out kludge will also let users opt out of having their wireless network name indexed by Google, which requires the inclusion of the phrase “_nomap” in the Wi-Fi network name. The Register seems to think Windows 10 upgraders can avoid each by including both “_nomap” and “_optout” in the Wi-Fi network name, but this article at How-To Geek says users will need to choose the lesser of two evils.

Either way, Wi-Fi Sense combined with integrated Google mapping tells people where you live (and/or where your business is), meaning that they now know where to congregate to jump onto your Wi-Fi network without your permission.

My suggestions:

  1. Prior to upgrading to Windows 10, change your Wi-Fi network name/SSID to something that includes the terms “_nomap_optout”.
  2. After the upgrade is complete, change the privacy settings in Windows to disable Wi-Fi Sense sharing.
  3. If you haven’t already done so, consider additional steps to harden the security of your Wi-Fi network.

Further reading:

What Is Wi-Fi Sense and Why Does it Want Your Facebook Account? 

UH OH: Windows 10 Will Share Your Wi-Fi Key With Your Friends’ Friends

Why Windows 10 Shares Your Wi-Fi Password and How to Stop it

Wi-Fi Sense in Windows 10: Yes, It Shares Your Passkeys, No You Shouldn’t Be Scared

TorrentFreak: RIAA Wants Domain Registrar to Expose ‘Pirate Site’ Owner

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

Despite an increased availability of legal options, millions of people still stream MP3s from unofficial sources. These sites are a thorn in the side of the RIAA.

Going after these pirate sites is a problem, according to the music group, as the operators are often unknown and hidden behind Whois privacy services. This is one of the reasons why the RIAA is supporting an ICANN proposal to limit domain name privacy.

But even under current laws and regulations it’s often possible to find out who runs a website, through a DMCA subpoena for example. And a recent case shows that the process isn’t too hard.

A few days ago the RIAA obtained a DMCA subpoena from the U.S. District Court of Columbia ordering domain name registrar Dynadot to expose the personal details of a customer. These subpoenas are signed off by a clerk and don’t require any oversight from a judge.

With the subpoena in hand the RIAA asked Dynadot to identify the owner of the music streaming site Soundpiff.net, claiming that the site infringes the work of artists such as Eminem, Drake and Selena Gomez. Among other details, the registrar is ordered to share the IP-address and email address of the site’s operator.

“We believe your service is hosting the below-referenced domain name on its network. The website associated with this domain name offers files containing sound recordings which are owned by one or more of our member companies and have not been authorized for this kind of use,” the RIAA writes.

In addition, the RIAA also urges Dynadot to review whether the site violates its terms of service as a repeat infringer, which means that it should be pulled offline.

“We also ask that you consider the widespread and repeated infringing nature of the site operator(s)’ conduct, and whether the site(s)’ activities violate your terms of service and/or your company’s repeat infringer policy.”

Soundpiff.net is a relatively small site that allows users to discover, stream and download music tracks. The audio files themselves appear to be sourced from the music hosting service Audioinbox, and are not hosted on the site’s servers.

“On our website you can find links that lead to media files. These files are stored somewhere else on the internet and are not a part of this website. SoundPiff.net does not carry any responsibility for them,” the website’s operator notes.

It is unclear what the RIAA is planning to do if they obtain the personal information of the site owners. In addition to suggesting that Dynadot should disconnect the site as a repeat infringer, the music group will probably issue a warning to the site’s operator.

For now, however, Soundpiff is still up and running.

This is not the first time that the RIAA has gone after similar sites in this way. Over the past several years the group has targeted several other download and streaming sites via their registrars or Whois privacy services. Some of these have closed, but others still remain online today.

RIAA’s subpoena to Dynadot

TorrentFreak: Public Revolts Against Plan to Kill Domain Name Privacy

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

A new ICANN proposal currently under review suggests various changes to how WHOIS protection services should operate.

The changes are welcomed by copyright holders, as they will make it easier to identify the operators of pirate sites, who can then be held responsible.

However, several domain registrars, digital rights groups and the public at large are less enthusiastic. They fear that the changes will also prevent many legitimate website owners from using private domain registrations.

To allow the various parties to weigh in ICANN launched a public consultation, and the overwhelming number of responses over the past several weeks show that domain name privacy is a topic that many people have taken to heart.

At the time of writing ICANN has received well over 11,000 comments, most of which encourage the organization to keep private domain registrations available.

A few dozen comments have been filed by special interest groups, but most were submitted by ordinary Internet users who fear that they will have to put their name, address and other personal details out in public.

Countering the “piracy” argument, several people note that the changes would do very little to stop people from running illegal websites, as WHOIS data can easily be faked.

“The truth is, if the website is an illegal website, then the information in the Whois is not going to be legit anyway. So you are not helping anything when it comes to tracking down crime. You are only helping crime by providing the criminals with more information. On people that are being legal,” one commenter notes.

Others warn that the proposals will leave the door open for all sorts of harassment, or even aid oppressive regimes and terrorist groups including ISIS.

“Please do not make it easier for these oppressive regimes and terrorists to identify and target the brave men and women who risk their lives by writing and blogging about what goes on in those dangerous parts of the world,” a commenter writes.

In large part however, the massive protests are fueled by the “Respect Our Privacy” campaign site which was launched by the EFF, Namecheap and Fight for the Future. This site allows people to submit a pre-written letter in just a few clicks, which results in thousands of duplicate comments.

The MPAA previously criticized the form letters noting that they are triggered by “hype and misinformation sponsored by certain registrars and advocacy groups,” while accusing the campaign site of spreading “completely false” information.

It will be interesting to see how the public consultation will influence ICANN’s proposal and the future operation of domain name privacy services.

The commenting period closes this coming Tuesday and will be followed by an official report. After that, the ICANN board will still have to vote on whether or not the changes will be implemented.

Schneier on Security: Using Secure Chat

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

Micah Lee has a good tutorial on installing and using secure chat.

To recap: We have installed Orbot and connected to the Tor network on Android, and we have installed ChatSecure and created an anonymous secret identity Jabber account. We have added a contact to this account, started an encrypted session, and verified that their OTR fingerprint is correct. And now we can start chatting with them with an extraordinarily high degree of privacy.

FBI Director James Comey, UK Prime Minister David Cameron, and totalitarian governments around the world all don’t want you to be able to do this.

Darknet - The Darkside: Telegram DDoS Attack – Messaging App Suffers 200GBps Pounding

This post was syndicated from: Darknet - The Darkside and was written by: Darknet. Original post: at Darknet - The Darkside

For those not familiar, before we get to the Telegram DDoS attack: Telegram is an instant messaging system focusing on privacy and multi-platform availability. It was launched by the founders of VK, the largest social network in Russia, and is run as an independent non-profit company in Germany. The client code is open-source and audited […]

The…

Read the full post at darknet.org.uk

Krebs on Security: Hacking Team Used Spammer Tricks to Resurrect Spy Network

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

Last week, hacktivists posted online 400 GB worth of internal emails, documents and other data stolen from Hacking Team, an Italian security firm that has earned the ire of privacy and civil liberties groups for selling spy software to governments worldwide. New analysis of the leaked Hacking Team emails suggests that in 2013 the company used techniques perfected by spammers to hijack Internet address space from a spammer-friendly Internet service provider in a bid to regain control over a spy network it apparently had set up for the Italian National Military Police.

Hacking Team is in the business of selling exploits that allow clients to secretly deploy spyware on targeted systems. In just the past week since the Hacking Team data was leaked, for example, Adobe has fixed two previously undocumented zero-day vulnerabilities in its Flash Player software that Hacking Team had sold to clients as spyware delivery mechanisms.

The spyware deployed by Hacking Team’s exploits is essentially a remote-access Trojan horse program designed to hoover up stored data, recorded communications, keystrokes, etc. from infected devices, giving the malware’s operator full control over victim machines.

Systems infested with Hacking Team’s malware are configured to periodically check for new instructions or updates at a server controlled by Hacking Team and/or its clients. This type of setup is very similar to the way spammers and cybercriminals design “botnets,” huge collections of hacked PCs that are harvested for valuable data and used for a variety of nefarious purposes.

No surprise, then, that Hacking Team placed its control servers in this case at an ISP that was heavily favored by spammers. Leaked Hacking Team emails show that in 2013, the company set up a malware control server for the Special Operations Group of the Italian National Military Police (INMP), an entity focused on investigating organized crime and terrorism. One or both of these organizations chose to position that control at Santrex, a notorious Web hosting provider that at the time served as a virtual haven for spammers and malicious software downloads.

But that decision backfired. As I documented in October 2013, Santrex unexpectedly shut down all of its servers, following a series of internal network issues and extensive downtime. Santrex made that decision after several months of incessant attacks, hacks and equipment failures at its facilities caused massive and costly problems for the ISP and its customers. The company’s connectivity problems essentially made it impossible for either Hacking Team or the INMP to maintain control over the machines infected with the spyware.

According to research published Sunday by OpenDNS Security Labs, around that same time the INMP and Hacking Team cooked up a plan to regain control over the Internet addresses abandoned by Santrex. The plan centered around a traffic redirection technique known as “BGP hijacking,” which involves one ISP fraudulently “announcing” to the rest of the world’s ISPs that it is in fact the rightful custodian of a dormant range of Internet addresses that it doesn’t actually have the right to control.

IP address hijacking is hardly a new phenomenon. Spammers sometimes hijack Internet address ranges that go unused for periods of time (see this story from 2014 and this piece I wrote in 2008 for The Washington Post for examples of spammers hijacking Internet space). Dormant or “unannounced” address ranges are ripe for abuse partly because of the way the global routing system works: Miscreants can “announce” to the rest of the Internet that their hosting facilities are the authorized location for given Internet addresses. If nothing or nobody objects to the change, the Internet address ranges fall into the hands of the hijacker.

Apparently nobody detected the BGP hijack at the time, and that action eventually allowed Hacking Team and its Italian government customer to reconnect with the Trojaned systems that once called home to their control server at Santrex. OpenDNS said it was able to review historic BGP records and verify the hijack, which at the time allowed Hacking Team and the INMP to migrate their malware control server to another network.
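The review of historic BGP records that OpenDNS describes boils down to watching each prefix's origin AS over time. The following is an added example (not code from the article or from OpenDNS) of that check run over constructed route records: it flags any prefix whose origin AS changes, and singles out the pattern described above, a range that sat unannounced for weeks and then reappeared under a different origin. Prefixes are documentation space, AS numbers are from the documentation range (RFC 5398), and days are counted from an arbitrary epoch.

```javascript
// Added example: origin-AS change detection over constructed BGP route records.
// This covers origin changes only; it does not look for more-specific prefix
// announcements, which a fuller monitor would also track.

const DORMANT_DAYS = 30; // unannounced at least this long before a new origin appears

// records: [{ day, prefix, originAs, action: 'announce' | 'withdraw' }]
function detectOriginChanges(records, dormantDays = DORMANT_DAYS) {
  const state = new Map(); // prefix -> { originAs, announced, withdrawnDay }
  const alerts = [];
  for (const r of [...records].sort((a, b) => a.day - b.day)) {
    const s = state.get(r.prefix);
    if (r.action === 'withdraw') {
      if (s) { s.announced = false; s.withdrawnDay = r.day; }
      continue;
    }
    if (!s) { // first time we see this prefix: record its origin, nothing to compare against
      state.set(r.prefix, { originAs: r.originAs, announced: true, withdrawnDay: null });
      continue;
    }
    if (r.originAs !== s.originAs) {
      // How long the prefix had been off the table when the new origin showed up.
      const dormantFor = s.announced ? 0 : r.day - s.withdrawnDay;
      alerts.push({
        prefix: r.prefix,
        day: r.day,
        previousOrigin: s.originAs,
        newOrigin: r.originAs,
        dormantFor,
        pattern: dormantFor >= dormantDays ? 'dormant-prefix-reannounced' : 'origin-change',
      });
    }
    s.originAs = r.originAs;
    s.announced = true;
    s.withdrawnDay = null;
  }
  return alerts;
}

// Constructed history. AS64500 plays the hosting provider that goes dark; AS64510
// is the network that later announces the abandoned range.
const SAMPLE_ROUTES = [
  { day: 0,  prefix: '198.51.100.0/24', originAs: 64500, action: 'announce' }, // provider's space
  { day: 10, prefix: '198.51.100.0/24', originAs: 64500, action: 'withdraw' }, // provider shuts down
  { day: 12, prefix: '203.0.113.0/24',  originAs: 64501, action: 'announce' },
  { day: 20, prefix: '192.0.2.0/24',    originAs: 64503, action: 'announce' },
  { day: 21, prefix: '192.0.2.0/24',    originAs: 64503, action: 'withdraw' }, // brief outage
  { day: 22, prefix: '192.0.2.0/24',    originAs: 64503, action: 'announce' }, // same origin returns: benign
  { day: 55, prefix: '198.51.100.0/24', originAs: 64510, action: 'announce' }, // dormant range, new origin
  { day: 60, prefix: '203.0.113.0/24',  originAs: 64502, action: 'announce' }, // live prefix, origin flips
];

for (const a of detectOriginChanges(SAMPLE_ROUTES)) {
  console.log(`${a.prefix} day ${a.day}: AS${a.previousOrigin} -> AS${a.newOrigin} (${a.pattern}, dormant ${a.dormantFor}d)`);
}
```

Against real data the same function runs over a stream of announcements from a route collector rather than the constructed list above.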

This case is interesting because it sheds new light on the potential dual use of cybercrime-friendly hosting providers. For example, law enforcement agencies have been known to allow malicious ISPs like Santrex to operate with impunity because the alternative — shutting the provider down or otherwise interfering with its operations — can interfere with the ability of investigators to gather sufficient evidence of wrongdoing by bad actors operating at those ISPs. Indeed, the notoriously bad and spammer-friendly ISPs McColo and Atrivo were perfect examples of this prior to their being ostracized and summarily shut down by the Internet community in 2008.

But this example shows that some Western law enforcement agencies may also seek to conceal their investigations by relying on the same techniques and hosting providers that are patronized by the very criminals they are investigating.

TorrentFreak: Bitcoin Bounties Aim to Turn Pirates Into Snitches

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

While money may very well be the root of most evil, it’s still a commodity most people want to get their hands on. Trouble is, most financial systems rely on expensive middle-men who are always keen to retain a piece of the pie in return for their transactional skills.

For users of Bitcoin, however, things are somewhat different. The system relies on a peer-to-peer architecture which allows users to transact directly without needing an intermediary. And, of great value to privacy lovers, the system is somewhat less intrusive, unless users provide information about themselves as part of a purchase, for example.

These aspects have generated interest among those in the ‘pirate’ community, with some torrent sites now accepting donations via Bitcoin instead of through the troublesome PayPal. However, a service currently being promoted by a technology company will see Bitcoin used in the fight against piracy instead.

The solution comes from South Africa-based Custos Media Technologies who say that for a fee they can embed a “digital alarm” into movies and music that can alert content owners when their material is uploaded to torrent sites or other file-sharing platforms.

Developed by researchers at Stellenbosch University, the CustosTech system aims to discourage leaks and reward those who find them while exploiting the publicly accessible information associated with Bitcoin.

The concept is fairly straightforward. Content creators are given the opportunity to embed a unique identifying watermark into a movie, music track or other digital content before they sell or loan it to a customer or client. One suggested use that may catch the industry’s eye is when so-called ‘screeners’ are handed out to Academy members and critics.

However, instead of having a “For Your Consideration” watermark in the middle of the screen, protected movies in this scenario have a trick up their sleeve.

“Custos embeds watermarks into the analog and/or digital content of media items, which are imperceptible but difficult to remove. Each watermark contains a Bitcoin wallet, with a reward for anyone who anonymously claims it once the media has passed out of the control of the original recipient,” Custos explain.

“Media downloaders who want to search for such rewards (‘bounty hunters’) can do so anonymously, from anywhere in the world. The moment a bounty is claimed – and by the nature of cryptocurrencies, this can only happen once – the transaction reflects on the blockchain, and Custos notifies the media provider of the incident, and to which recipient the content was originally licensed.”

In other words, when content appears on a site somewhere, the first person to download it, view the code, and report it via a special Custos tool, wins the Bitcoin bounty. It’s essentially a people-powered leak reporting system that could lead to a number of possibilities for the content provider.
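The mechanism described above, as an added simulation that is not Custos’s code: each recipient’s copy carries a hidden secret that controls a wallet, anyone who finds it can sweep that wallet exactly once, and the publicly visible spend tells the provider whose copy leaked. The LSB embedding (standing in for a robust media watermark), the in-memory Ledger (standing in for the blockchain) and the recipient names are constructed.

```python
"""Toy simulation of watermark-based leak attribution with a once-only bounty,
modelled on the Custos description quoted above.  Added example, not Custos's
code: the LSB watermark stands in for a robust media watermark, the Ledger
stands in for the Bitcoin blockchain, and the recipient names are constructed."""
import hashlib
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SECRET_LEN = 16  # bytes hidden per copy; stands in for a wallet's private key


def embed_lsb(cover: bytes, payload: bytes) -> bytes:
    """Write payload bit by bit into the least-significant bit of each cover
    byte, changing every touched byte by at most 1 (imperceptible in media)."""
    bits = [(b >> (7 - i)) & 1 for b in payload for i in range(8)]
    if len(bits) > len(cover):
        raise ValueError("cover too small for payload")
    out = bytearray(cover)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | bit
    return bytes(out)


def extract_lsb(stego: bytes, nbytes: int) -> bytes:
    """Read nbytes back out of the LSBs written by embed_lsb."""
    bits = [b & 1 for b in stego[: nbytes * 8]]
    return bytes(
        int("".join(map(str, bits[i : i + 8])), 2) for i in range(0, len(bits), 8)
    )


def wallet_id(secret: bytes) -> bytes:
    """Public identifier derived from the secret; stands in for a Bitcoin address."""
    return hashlib.sha256(secret).digest()[:8]


class Ledger:
    """Append-only record of swept wallets: each wallet can be claimed once,
    mirroring the 'this can only happen once' property of the real chain."""

    def __init__(self) -> None:
        self.spent: List[bytes] = []

    def claim(self, secret: bytes) -> Optional[bytes]:
        wid = wallet_id(secret)
        if wid in self.spent:
            return None          # already swept by an earlier bounty hunter
        self.spent.append(wid)   # the spend is now publicly visible
        return wid


@dataclass
class Provider:
    """Content owner: issues one uniquely watermarked copy per recipient and
    keeps the wallet -> recipient mapping private."""

    licensees: Dict[bytes, str] = field(default_factory=dict)

    def issue(self, master: bytes, recipient: str) -> bytes:
        secret = secrets.token_bytes(SECRET_LEN)
        self.licensees[wallet_id(secret)] = recipient
        return embed_lsb(master, secret)

    def attribute(self, ledger: Ledger) -> List[str]:
        """Watch the public ledger; any swept wallet we issued names a leaker."""
        return sorted(self.licensees[w] for w in ledger.spent if w in self.licensees)


def run_demo() -> tuple:
    master = bytes(range(256)) * 2       # constructed stand-in for a media file
    provider, ledger = Provider(), Ledger()
    copies = {name: provider.issue(master, name) for name in ("alice", "bob", "carol")}
    leaked = copies["bob"]               # bob's copy turns up on a sharing site
    first = ledger.claim(extract_lsb(leaked, SECRET_LEN))   # first finder is paid
    second = ledger.claim(extract_lsb(leaked, SECRET_LEN))  # later finder: empty
    return provider.attribute(ledger), first is not None, second is None


if __name__ == "__main__":
    leakers, paid, refused = run_demo()
    print(f"leaked by: {leakers}; first claim paid: {paid}; second refused: {refused}")
```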

“[The person to whom the content was originally given] could then be subject to financial or legal penalties, or to reduced access to future content,” Custos explain.

“In this manner, authorised media users are strongly discouraged from actively sharing files or carelessly leaking them, while at the same time, they need not be inconvenienced by cumbersome security measures.”

The company is marketing CustosTech as a system that “turns the downloaders against the uploaders” and in some ways it’s difficult to argue with the assertion. Whether the system will prove popular enough with ‘snitches’ will remain to be seen – that will probably rely on the size of the ‘bounties’ up for grabs.

Source: TorrentFreak, for the latest info on copyright, file-sharing, torrent sites and the best VPN services.

Schneier on Security: Organizational Doxing

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

Recently, WikiLeaks began publishing over half a million previously secret cables and other documents from the Foreign Ministry of Saudi Arabia. It’s a huge trove, and already reporters are writing stories about the highly secretive government.

What Saudi Arabia is experiencing isn’t common but part of a growing trend.

Just last week, unknown hackers broke into the network of the cyber-weapons arms manufacturer Hacking Team and published 400 gigabytes of internal data, describing, among other things, its sale of Internet surveillance software to totalitarian regimes around the world.

Last year, hundreds of gigabytes of Sony’s sensitive data was published on the Internet, including executive salaries, corporate emails and contract negotiations. The attacker in this case was the government of North Korea, which was punishing Sony for producing a movie that made fun of its leader. In 2010, the U.S. cyberweapons arms manufacturer HBGary Federal was a victim, and its attackers were members of a loose hacker collective called LulzSec.

Edward Snowden stole a still-unknown number of documents from the National Security Agency in 2013 and gave them to reporters to publish. Chelsea Manning stole three-quarters of a million documents from the U.S. State Department and gave them to WikiLeaks to publish. The person who stole the Saudi Arabian documents might also be a whistleblower and insider but is more likely a hacker who wanted to punish the kingdom.

Organizations are increasingly getting hacked, and not by criminals wanting to steal credit card numbers or account information in order to commit fraud, but by people intent on stealing as much data as they can and publishing it. Law professor and privacy expert Peter Swire refers to “the declining half-life of secrets.” Secrets are simply harder to keep in the information age. This is bad news for all of us who value our privacy, but there’s a hidden benefit when it comes to organizations.

The decline of secrecy means the rise of transparency. Organizational transparency is vital to any open and free society.

Open government laws and freedom of information laws let citizens know what the government is doing, and enable them to carry out their democratic duty to oversee its activities. Corporate disclosure laws perform similar functions in the private sphere. Of course, both corporations and governments have some need for secrecy, but the more they can be open, the more we can knowledgeably decide whether to trust them.

This makes the debate more complicated than simple personal privacy. Publishing someone’s private writings and communications is bad, because in a free and diverse society people should have private space to think and act in ways that would embarrass them if public.

But organizations are not people and, while there are legitimate trade secrets, their information should otherwise be transparent. Holding government and corporate private behavior to public scrutiny is good.

Most organizational secrets are only valuable for a short term: negotiations, new product designs, earnings numbers before they’re released, patents before filing, and so on.

Forever secrets, like the formula for Coca-Cola, are few and far between. The one exception is embarrassments. If an organization had to assume that anything it did would become public in a few years, people within that organization would behave differently.

The NSA would have had to weigh its collection programs against the possibility of public scrutiny. Sony would have had to think about how it would look to the world if it paid its female executives significantly less than its male executives. HBGary would have thought twice before launching an intimidation campaign against a journalist it didn’t like, and Hacking Team wouldn’t have lied to the UN about selling surveillance software to Sudan. Even the government of Saudi Arabia would have behaved differently. Such embarrassment might be the first significant downside of hiring a psychopath as CEO.

I don’t want to imply that this forced transparency is a good thing, though. The threat of disclosure chills all speech, not just illegal, embarrassing, or objectionable speech. There will be less honest and candid discourse. People in organizations need the freedom to write and say things that they wouldn’t want to be made public.

State Department officials need to be able to describe foreign leaders, even if their descriptions are unflattering. Movie executives need to be able to say unkind things about their movie stars. If they can’t, their organizations will suffer.

With few exceptions, our secrets are stored on computers and networks vulnerable to hacking. It’s much easier to break into networks than it is to secure them, and large organizational networks are very complicated and full of security holes. Bottom line: If someone sufficiently skilled, funded and motivated wants to steal an organization’s secrets, they will succeed. This includes hacktivists (HBGary Federal, Hacking Team), foreign governments (Sony), and trusted insiders (State Department and NSA).

It’s not likely that your organization’s secrets will be posted on the Internet for everyone to see, but it’s always a possibility.

Dumping an organization’s secret information is going to become increasingly common as individuals realize its effectiveness for whistleblowing and revenge. While some hackers will use journalists to separate the news stories from mere personal information, not all will.

Both governments and corporations need to assume that their secrets are more likely to be exposed, and exposed sooner, than ever. They should do all they can to protect their data and networks, but have to realize that their best defense might be to refrain from doing things that don’t look good on the front pages of the world’s newspapers.

This essay previously appeared on CNN.com. I didn’t use the term “organizational doxing,” though, because it would be too unfamiliar to that audience.

TorrentFreak: MPAA Wants to Kill Domain Name Privacy, For Some

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

A new ICANN proposal currently under review suggests various changes to how WHOIS protection services should operate.

The plans have raised concerns among registrars and consumer organizations who warn that it may put an end to private domain name registrations for some websites.

Copyright holders, on the other hand, have welcomed the proposed changes as they would help them to track down operators of pirate sites. Yesterday the MPAA submitted its comments to ICANN reiterating this stance.

In particular, the MPAA wants privacy protection services to hand over the registration information if a website owner is unresponsive to abuse complaints. These services should be required to hand over the details without a court order or subpoena.

“In situations where clear and verifiable cases of abuse are found and direct communication with the customer of a privacy protection service is not possible, an effective and predictable framework to obtain contact details of the customer is required,” the MPAA’s Alex Deacon writes.

The Hollywood group stresses that it isn’t calling for an outright ban on WHOIS privacy protection for all commercial websites. However, the group does support ongoing discussions on the issue.

Many opponents of the proposed changes warn that privacy limitations may make it easier for criminals to harass website owners. The MPAA turns the tables instead, arguing that consumers have the right to know who runs a commercial website.

“MPAA believes it is equally important to consider the privacy interests and rights of Internet users who interact with web sites, many using privacy protection services, on a daily basis. Users’ right to know the identity of commercial entities with whom they are transacting is a foundational principle in consumer protection law,” Deacon notes.

In a separate blog post on the issue the MPAA complains that its stance on the domain name privacy issue has been mischaracterized.

“Unfortunately, in recent weeks there have been a growing number of assertions that have sought to mischaracterize the MPAA’s position on privacy and proxy services,” Deacon writes.

In a blog post the MPAA notes that it doesn’t object to legitimate use of privacy protection services at all, even for commercial services. In addition, it stresses that privacy protection services should not reveal any private information without solid evidence.

However, they add that the new rules must “strike a balance” to ensure that individuals who use domain names for “illegal and abusive activity” can be easily exposed.

Schneier on Security: The Risks of Mandating Backdoors in Encryption Products

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

Tuesday, a group of cryptographers and security experts released a major paper outlining the risks of government-mandated back-doors in encryption products: Keys Under Doormats: Mandating insecurity by requiring government access to all data and communications, by Hal Abelson, Ross Anderson, Steve Bellovin, Josh Benaloh, Matt Blaze, Whitfield Diffie, John Gilmore, Matthew Green, Susan Landau, Peter Neumann, Ron Rivest, Jeff Schiller, Bruce Schneier, Michael Specter, and Danny Weitzner.

Abstract: Twenty years ago, law enforcement organizations lobbied to require data and communication services to engineer their products to guarantee law enforcement access to all data. After lengthy debate and vigorous predictions of enforcement channels going dark, these attempts to regulate the emerging Internet were abandoned. In the intervening years, innovation on the Internet flourished, and law enforcement agencies found new and more effective means of accessing vastly larger quantities of data. Today we are again hearing calls for regulation to mandate the provision of exceptional access mechanisms. In this report, a group of computer scientists and security experts, many of whom participated in a 1997 study of these same topics, has convened to explore the likely effects of imposing extraordinary access mandates. We have found that the damage that could be caused by law enforcement exceptional access requirements would be even greater today than it would have been 20 years ago. In the wake of the growing economic and social cost of the fundamental insecurity of today’s Internet environment, any proposals that alter the security dynamics online should be approached with caution. Exceptional access would force Internet system developers to reverse forward secrecy design practices that seek to minimize the impact on user privacy when systems are breached. The complexity of today’s Internet environment, with millions of apps and globally connected services, means that new law enforcement requirements are likely to introduce unanticipated, hard to detect security flaws. Beyond these and other technical vulnerabilities, the prospect of globally deployed exceptional access systems raises difficult problems about how such an environment would be governed and how to ensure that such systems would respect human rights and the rule of law.

It’s already had a big impact on the debate. It was mentioned several times during yesterday’s Senate hearing on the issue (see here).

Three blog posts by authors. Four different news articles, and this analysis of how the New York Times article changed. Also, a New York Times editorial.

EDITED TO ADD (7/9): Peter Swire’s Senate testimony is worth reading.

SANS Internet Storm Center, InfoCON: green: BizCN gate actor changes from Fiesta to Nuclear exploit kit, (Mon, Jul 6th)

This post was syndicated from: SANS Internet Storm Center, InfoCON: green and was written by: SANS Internet Storm Center, InfoCON: green. Original post: at SANS Internet Storm Center, InfoCON: green

Introduction

An actor using gates registered through BizCN recently switched from Fiesta to Nuclear exploit kit (EK). This happened around last month, and we first noticed the change on 2015-06-15.

I started writing about this actor in 2014 [1, 2] and recently posted an ISC diary about it on 2015-04-28 [3]. I’ve been calling this group the BizCN gate actor because domains used for the gate have all been registered through the Chinese registrar BizCN.

We collected traffic and malware samples related to this actor from Friday 2015-07-03 through Sunday 2015-07-05. This traffic has the following characteristics:

  • Compromised servers are usually (but not limited to) forum-style websites.
  • Gate domains have all been registered through the Chinese registrar BizCN using privacy protection.
  • The domains for Nuclear EK change every few hours and were registered through freenom.com.
  • Nuclear EK for this actor is on 107.191.63.163, which is an IP registered to Vultr, a hosting provider specializing in SSD cloud servers [4].
  • The payload occasionally changes and includes malware identified as Yakes [5], Boaxxe [6], and Kovter.

NOTE: For now, Kovter is relatively easy to spot, since it’s the only malware I’ve noticed that updates the infected host’s Flash player [7].

Chain of events

During a full infection chain, the traffic follows a specific chain of events. The compromised website has malicious javascript injected into the page that points to a URL hosted on a BizCN-registered gate domain. The gate domain redirects traffic to Nuclear EK on 107.191.63.163. If a Windows host running the web browser is vulnerable, Nuclear EK will infect it. Simply put, the chain of events is:

  • Compromised website
  • BizCN-registered gate domain
  • Nuclear EK

Let’s take a closer look at how this happens.

Compromised website

Compromised websites are the first step in an infection chain.

In most cases, the malicious javascript will be injected on any page from the site, assuming you get to it from a search engine or other referrer.

BizCN-registered gate domain

The gate directs traffic from the compromised website to the EK. The HTTP GET request to the gate domain returns javascript. In my last diary discussing this actor [3], you could easily figure out the URL for the EK landing page.

We’ve found at least four IP addresses hosting the BizCN-registered gate domain. They are:

  • 136.243.25.241
  • 136.243.25.242
  • 136.243.224.10
  • 136.243.227.9

If you have proxy logs or other records of your HTTP traffic, search for these IP addresses. If you find the referrers, you might discover other websites compromised by this actor.
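The search suggested above, as an added example rather than ISC code: scan proxy log lines for destinations matching the gate IPs or the Nuclear EK host, then recover the referring sites (candidate compromised websites) and the internal clients that reached the EK. The log format and the sample lines (hosts under .example, RFC 5737 addresses for everything that is not the actor’s) are constructed; only the actor’s IP addresses come from the diary.

```python
"""Search proxy logs for the gate and Nuclear EK hosts named in the diary
above and recover the referring (compromised) sites.  Added example, not the
ISC's code: the log format and the sample lines (hosts under .example, RFC 5737
client/destination addresses) are constructed; only the actor's IPs are from
the diary."""
import re
from collections import defaultdict
from typing import Dict, List
from urllib.parse import urlsplit

GATE_IPS = {"136.243.25.241", "136.243.25.242", "136.243.224.10", "136.243.227.9"}
EK_IP = "107.191.63.163"

# Constructed format: time client dst_ip method url status "referer"
LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\S+) (\d{3}) "([^"]*)"$')

SAMPLE_LOG = """\
2015-07-03T10:01:02Z 10.0.0.7 198.51.100.10 GET http://forum-a.example/thread/42 200 "http://search.example/?q=forum"
2015-07-03T10:01:03Z 10.0.0.7 136.243.25.241 GET http://gate-domain.example/js/g.js 200 "http://forum-a.example/thread/42"
2015-07-03T10:01:04Z 10.0.0.7 107.191.63.163 GET http://ek-domain.example/landing?id=1 200 "http://gate-domain.example/js/g.js"
2015-07-03T11:15:00Z 10.0.0.9 198.51.100.20 GET http://news.example/ 200 "-"
2015-07-03T12:30:11Z 10.0.0.12 107.191.63.163 GET http://ek-domain2.example/payload 200 "http://ek-domain2.example/landing"
2015-07-03T13:00:00Z 10.0.0.3 136.243.224.10 GET http://gate-domain.example/x.php 404 "http://forum-b.example/index.php?topic=9"
"""


def scan(log_text: str) -> List[Dict[str, str]]:
    """Return every request whose destination IP is a gate host or the EK host.
    Status is recorded but not filtered on: the diary notes gate requests often
    return 404, and those are still evidence of a compromised referrer."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that don't fit the constructed format
        ts, client, dst, method, url, status, referer = m.groups()
        if dst in GATE_IPS:
            kind = "gate"
        elif dst == EK_IP:
            kind = "nuclear-ek"
        else:
            continue
        hits.append({"time": ts, "client": client, "dst": dst, "kind": kind,
                     "url": url, "status": status, "referer": referer})
    return hits


def compromised_sites(hits: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Map referrer hosts of gate requests (candidate compromised websites) to
    the internal clients that were redirected through the gate."""
    sites = defaultdict(set)
    for h in hits:
        if h["kind"] != "gate" or h["referer"] in ("", "-"):
            continue
        host = urlsplit(h["referer"]).hostname
        if host:
            sites[host].add(h["client"])
    return {host: sorted(clients) for host, clients in sorted(sites.items())}


def exposed_clients(hits: List[Dict[str, str]]) -> List[str]:
    """Clients that reached the EK host itself: candidates for infection triage."""
    return sorted({h["client"] for h in hits if h["kind"] == "nuclear-ek"})


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for h in found:
        print(f'{h["time"]} {h["client"]} -> {h["dst"]} [{h["kind"]}] '
              f'{h["status"]} ref={h["referer"]}')
    print("candidate compromised sites:", compromised_sites(found))
    print("clients to triage:", exposed_clients(found))
```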

Nuclear EK

Examples of infection traffic generated from 2015-07-03 through 2015-07-05 all show 107.191.63.163 as the IP address hosting Nuclear EK. This IP address is registered to Vultr, a hosting provider specializing in SSD cloud servers [4].

Finally, Nuclear EK sends the malware payload.

Malware sent by this actor

During the three-day period, we infected ten hosts, saw two different Flash exploits, and retrieved five different malware payloads. Most of these payloads were Kovter (ad fraud malware).

Below are links to reports from hybrid-analysis.com for the individual pieces of malware:

Final words

It’s usually difficult to generate a full chain of infection traffic from compromised websites associated with this BizCN gate actor. We often see HTTP GET requests to the gate domain return a 404 Not Found. In some cases, the gate domain might not appear in traffic at all.

We believe the BizCN gate actor will continue to make changes as a way to evade detection. Fortunately, the ISC and other organizations try our best to track these actors, and we’ll let you know if we discover any significant changes.

Examples of the traffic and malware can be found at:

As always, the zip file is password-protected with the standard password. If you don’t know it, email admin@malware-traffic-analysis.net and ask.


Brad Duncan
Security Researcher at Rackspace and ISC Handler
Blog: www.malware-traffic-analysis.net – Twitter: @malware_traffic

References:

[1] http://malware-traffic-analysis.net/2014/01/01/index.html
[2] https://isc.sans.edu/diary/Gate+to+Fiesta+exploit+kit+on+9424221669/19117
[3] https://isc.sans.edu/diary/Actor+using+Fiesta+exploit+kit/19631
[4] https://www.vultr.com/about/
[5] https://www.virustotal.com/en/file/b215e4cf122e3b829ce199c3e914263a6d635f968b4dc7b932482d7901691326/analysis/
[6] https://www.virustotal.com/en/file/a0156a1641b42836e64d03d1a0d34cd93d3b041589b0422f8519cb68a4efb995/analysis/
[7] http://malware.dontneedcoffee.com/2015/07/kovter-adfraud-is-updating-flash-for-you.html

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

TorrentFreak: Pirate Bay Was Worth Doing Prison Time For, Co-Founder Says

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

Fredrik Neij, one of The Pirate Bay’s co-founders, was released early last month after serving a 10-month prison sentence for his involvement with the site.

A few days ago Fredrik arrived back home in Laos, where he’s enjoying his family and an unlimited stock of beer to get his liver back on track.

TF had the chance to catch up with the Swede to see how prison life treated him and the answers we received may surprise some. While it’s never fun to be locked up, Fredrik says it was worth doing time for The Pirate Bay.

“Things were not too bad in prison,” Fredrik tells TF. “It was well worth doing prison time for The Pirate Bay, when you consider how much the site means to people,” Fredrik says.

The prisons in Sweden are nothing like those seen in Hollywood blockbusters. He had plenty of space and privacy and no bars on the door.

“Like most people I only knew about prisons from American movies. Now that I have some firsthand experience I am happy to say it’s quite different. Unlike the barred cages for two persons in the movies, here I have my own private room that’s 10 square meters, with a real door and no bars on the window.”

Fredrik compares his cell to a cabin on a cruise ship, but one with a shitty view. Instead of seeing beautiful coastlines and picturesque bays, he was looking at a prison wall with barbed wire on top, and agricultural fields in the distance.

The cell itself had a private toilet and shower as well as some space for personal items. There were two bulletin boards as well, one with photos of his kids and family and another one for all the fan mail he received.

Although the prison management denied him access to his classic 8-bit Nintendo console, there was plenty of entertainment around. The room came equipped with a Samsung smart TV and Fredrik was also allowed to have newer game consoles.

As a Sci-Fi addict, Fredrik was also happy that “some people” managed to smuggle digital content inside.

“I watched a lot of TV-series and movies on smuggled in USB sticks and MicroSD cards, which is a nice way to kill some time, watching Archer, Futurama, Firefly and other Sci-Fi,” Fredrik says.

On the music front Pirate Bay’s co-founder was thrown back two decades, spinning CDs in an ancient Discman. Music he actually had to pay for.

“Listening to music on a Discman gave me flashbacks to how life was before MP3s, with short battery-life and having to change CD to listen to different artists. Also it was probably the first legal music I bought this millennium.”

The lockup hours were between 7am and 7pm and inmates were allowed to put out their own lights, so games could be played all night. During weekdays Fredrik had to work for three hours as well, putting pieces of wood into a laser etching machine.

The best times of the week were without a doubt the visiting hours, especially when they overlapped with work. Talking to friends and family was a welcome distraction, either in person or on the phone, which Fredrik could have in his room a few times per week.

There were also a lot of people writing in. Not just with words of support, but also to keep him updated on news in the real world, including TF articles.

“To keep up to date with the outside world, friends and family sent me newspapers, magazines and printouts of online media such as TorrentFreak! I also spent a lot of time reading all news-clippings, books and tech- science- and computer magazines I received from fans.”

Fredrik was locked up in the medium security prison in Skänninge where he was the only convict doing time for a “virtual” crime.

“Most other guys were in for drug-related offenses, robberies, manslaughter, aggravated assault. No-one had ever heard of someone being placed at that prison for such a low severity, nonviolent, white-collar crime as ‘assisted copyright infringement,’ but I guess the MAFIAA get what they pay for,” he says.

Surprisingly enough, Fredrik could cope relatively well without 24/7 access to a keyboard and the Internet.

“I didn’t miss computers and the Internet as much as I would have expected. I mostly just missed having instant access to information like I am used to. Inside I used TEXT-TV and newscasts instead of web-sites.

“You only notice how dependent we are on the Internet when we are forced off it and have to do things like it was the early 90s again,” Fredrik adds.

Looking ahead, Fredrik is hoping to pick up life where he left off.

“It’s great to be back home with the kids. Family aside I was mostly looking forward to catching up on Doctor Who and Archer. And to put an end to my liver’s well deserved vacation with a large beer!”

lcamtuf's blog: Poland vs the United States: crime and punishment

This post was syndicated from: lcamtuf's blog and was written by: Michal Zalewski. Original post: at lcamtuf's blog

This is the tenth article in a short series about Poland, Europe, and the United States. To explore the entire series, start here.

Throughout much of its history, the United States has been a violent nation. From the famed lawlessness of the western frontier, to the brawling biker gangs, to the iconic Italian Mafia and the fearsome Mexican drug cartels, the thirst for blood has left a mark on the American psyche – and profoundly influenced many of the country’s most cherished works of literary and cinematic art.

But sooner or later, a line gets drawn. And so, when a tidal wave of violent crime swept the nation in the late 80s, the legislators and the executive branch felt obliged to act. Many wanted to send a message to the criminal underworld by going after it with relentless and uncompromising zeal – kicking off the multi-decade War on Drugs and rolling out policies such as the three strikes law in California or stop-and-frisk in New York City. Others saw the root of all evil in the pervasive gun culture of the United States – successfully outlawing the possession or carry of certain classes of firearms and establishing a nation-wide system of background checks.

And then, in the midst of these policy changes, something very interesting started to unfold: the crime rate plunged like a rock, dropping almost 50% over the course of twenty years. But why? Well, the funny thing is, nobody could really tell. The proponents of tough policing and the War on Drugs tooted their own horns; but less vindictive municipalities that adopted programs of community engagement and proactive policing heralded broadly comparable results. Gun control advocates claimed that getting assault rifles and handguns off the streets made a difference; gun rights activists found little or no crime gap between the gun-friendly and the gun-hostile states. Economists pointed out that people were living better, happier, and longer lives. Epidemiologists called out the elimination of lead – an insidious developmental neurotoxin – from paints and gasoline. Some scholars have gone as far as claiming that easy access to contraception and abortion caused fewer children to be born into multi-generational poverty and to choose the life of crime.

Europe certainly provided an interesting contrast; the old continent, having emerged from two unspeakably devastating and self-inflicted wars, celebrated its newly-found pacifist streak. Its modern-day penal systems reflected the philosophy of reconciliation – abolishing the death penalty and placing greater faith in community relationships, alternative sentencing, and the rehabilitation of criminals. A person who served a sentence was seen as having paid the dues: in Poland and many other European countries, his or her prospective employers would be barred from inquiring about the criminal record, and the right to privacy would keep the indictments and court records from public view.

It’s hard to say if the European model worked better when it comes to combating villainy; in the UK, crime trends followed the US trajectory; in Sweden, they did the opposite. But the utilitarian aspect of the correctional system aside, the US approach certainly carries a heavy humanitarian toll: the country maintains a truly astronomical prison population, disproportionately comprised of ethnic minorities and the poor; recidivism rates are high and overcrowding borders on the inhumane. The continued incarceration of people sentenced for non-violent cannabis-related crimes flies in the face of changing social norms.

Untangling this mess is going to take time; most Americans seriously worry about crime and see it as a growing epidemic, even if their beliefs are not substantiated by government-published stats. Perhaps because of this, they favor tough policing; reports of potential prosecutorial oversight – such as the recent case of a tragic homicide in San Francisco – tend to provoke broader outrage than any comparable claims of overreach. Similarly, police brutality or prison rape are widely acknowledged and even joked about – but seen as something that only ever happens to the bad folks.

For the next article in the series, click here.

TorrentFreak: Court Drops Innocent Cox Subscribers From Piracy Lawsuit

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

Last year BMG Rights Management and Round Hill Music sued Cox Communications, arguing that the ISP fails to terminate the accounts of repeat infringers.

As part of the discovery process the music outfits requested details on the accounts which they caught downloading their content.

In total there are 150,000 alleged pirates, but the court limited the initial disclosure to the top 250 infringing IP-addresses in the six months before the lawsuit was filed.

A few weeks ago Cox started informing its customers that their information would be handed over to the music companies. In a response, dozens of subscribers asked the court not to expose their identities.

Some argued that they should be dismissed because they did not share the mentioned files. Another group explained to the court that they were wrongfully included, because they weren’t Cox subscribers at the time of the alleged offense.

The latter issue is due to Cox’s broad reading of an earlier court order. Instead of handing over details of subscribers who used the IP-addresses at the time of the infringements, the ISP also included the current IP-address holders.

Objection from a Cox subscriber

This week U.S. Magistrate Judge John Anderson ruled on the objections (pdf), concluding that the subscribers who did not use the IP-address at the time should be dropped.

“Several of the persons submitting objections have provided information to the court that is sufficient to establish that they were not assigned the IP addresses that are the subject of the court’s ruling at the time of the alleged infringing activity.

“The court sustains the objections raised by those individuals,” the order adds.

The other group of subscribers, who merely claimed that they did not share any of the copyright-infringing files, were less successful. Their requests were denied and Cox will share their personal details with the music companies.

“The mere denial of any infringing activity is an insufficient reason to justify quashing the subpoena to Cox. In addition, any concerns these individuals may have relating to privacy are addressed adequately by the provisions of the Protective Order entered in this action,” the order reads.

The last part is important because many subscribers fear that the music companies will come after their money. However, the court assures them that their personal information can only be used as evidence in this lawsuit, not to demand settlements.

“The subscriber information produced in this action is to be used solely for the purposes of litigating the claims raised in this action between BMG/Round Hill and Cox and will not be used by BMG/Round Hill to solicit payments directly from Cox subscribers.”

For the music companies this shouldn’t be a problem. They previously said that they don’t intend to pursue any individual subscribers in the lawsuit. How they plan to use the personal details of the subscribers will become clear as the case proceeds.

Source: TorrentFreak, for the latest info on copyright, file-sharing, torrent sites and the best VPN services.

TorrentFreak: VPN Providers Respond To Allegations of Data Leakage

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

As Internet users seek to bypass censorship, boost privacy and achieve a level of anonymity, VPN services have stepped in with commercial solutions to assist with these aims. The uptake among consumers has been impressive.

Reviews of VPN services are commonplace and usually base their ratings on price and speed. At TorrentFreak we examine many services annually, but with a focus on privacy issues instead.

Now a team of researchers from universities in London and Rome has published a paper titled A Glance through the VPN Looking Glass: IPv6 Leakage and DNS Hijacking in Commercial VPN clients (pdf), after investigating 14 popular services on the market today.

“Our findings confirm the criticality of the current situation: many of these providers leak all, or a critical part of the user traffic in mildly adversarial environments. The reasons for these failings are diverse, not least the poorly defined, poorly explored nature of VPN usage, requirements and threat models,” the researchers write.

While noting that all providers are able to successfully send data through an encrypted tunnel, the paper claims that problems arise during the second stage of the VPN client’s operation: traffic redirection.

“The problem stems from the fact that routing tables are a resource that is concurrently managed by the operating system, which is unaware of the security requirements of the VPN client,” the researchers write.

This means that changes to the routing table (whether they are malicious or accidental) could result in traffic circumventing the VPN tunnel and leaking to other interfaces.

IPv6 VPN Traffic Leakage

“The vulnerability is driven by the fact that, whereas all VPN clients manipulate the IPv4 routing table, they tend to ignore the IPv6 routing table. No rules are added to redirect IPv6 traffic into the tunnel. This can result in all IPv6 traffic bypassing the VPN’s virtual interface,” the researchers explain.

[Chart from the paper: IPv6 traffic leakage and DNS hijacking results by VPN provider]

As illustrated by the chart above, the paper claims that all desktop clients (except for those provided by Private Internet Access, Mullvad and VyprVPN) leaked “the entirety” of IPv6 traffic, while all providers except Astrill were vulnerable to IPv6 DNS hijacking attacks.
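The routing-table problem described above is something a user can check for directly: if the most specific IPv6 route for a public address points at a physical interface rather than the tunnel, IPv6 traffic bypasses the VPN. The following is an added example written for this article, not code from the paper or from any of the providers quoted here. It parses the Linux `ip -6 route` output format, performs a longest-prefix match the way the kernel does, and reports which interface would carry traffic to a probe address. The tunnel interface name `tun0`, the probe address `2001:db8::1` and both sample routing tables are constructed assumptions; on a real machine, run it with `--live` and your own interface name.

```python
"""Audit whether IPv6 traffic would bypass a VPN tunnel.

Parses `ip -6 route` output (Linux) and finds the route the kernel would
pick for a probe address: longest prefix wins, lower metric breaks ties.
If that route's interface is not the VPN's virtual interface, IPv6 leaks.
"""
import ipaddress
import subprocess
import sys
from dataclasses import dataclass
from typing import List, Optional

# Route types that drop packets instead of forwarding them on an interface.
DROP_TYPES = {"unreachable", "blackhole", "prohibit", "throw"}


@dataclass
class Route6:
    prefix: ipaddress.IPv6Network
    dev: Optional[str]   # None for unreachable/blackhole-style routes
    metric: int


def parse_ip6_routes(text: str) -> List[Route6]:
    """Parse lines in `ip -6 route` format; unknown trailing tokens are ignored."""
    routes: List[Route6] = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        kind = None
        if tokens[0] in DROP_TYPES:
            kind, tokens = tokens[0], tokens[1:]
        dst = "::/0" if tokens[0] == "default" else tokens[0]
        prefix = ipaddress.ip_network(dst, strict=False)
        if prefix.version != 6:
            continue
        dev = tokens[tokens.index("dev") + 1] if "dev" in tokens else None
        metric = int(tokens[tokens.index("metric") + 1]) if "metric" in tokens else 0
        routes.append(Route6(prefix, None if kind else dev, metric))
    return routes


def best_route(routes: List[Route6], dst: str) -> Optional[Route6]:
    """Longest-prefix match; among equal prefix lengths the lowest metric wins."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in routes if addr in r.prefix]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.prefix.prefixlen, -r.metric))


def ipv6_leaks(route_text: str, vpn_iface: str, probe: str = "2001:db8::1") -> dict:
    """Report the egress interface for `probe` and whether it bypasses `vpn_iface`."""
    route = best_route(parse_ip6_routes(route_text), probe)
    if route is None or route.dev is None:
        # No usable route: packets are dropped, not leaked.
        return {"iface": None, "leaks": False}
    return {"iface": route.dev, "leaks": route.dev != vpn_iface}


# Constructed sample tables (assumptions, not captured from any real provider).
# A client that only rewrote the IPv4 table leaves the IPv6 default on eth0.
LEAKING = """\
2001:db8:aaaa::/64 dev eth0 proto kernel metric 256 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
fe80::/64 dev tun0 proto kernel metric 256 pref medium
default via fe80::1 dev eth0 proto ra metric 1024 expires 1799sec pref medium
"""

# A client that also routes global unicast (2000::/3) into the tunnel.
PROTECTED = """\
2001:db8:aaaa::/64 dev eth0 proto kernel metric 256 pref medium
fd00:1::/64 dev tun0 proto kernel metric 256 pref medium
2000::/3 dev tun0 metric 1024 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
default via fe80::1 dev eth0 proto ra metric 1024 expires 1799sec pref medium
"""


def main(argv: List[str]) -> None:
    vpn_iface = argv[2] if len(argv) > 2 else "tun0"   # assumed tunnel interface name
    if len(argv) > 1 and argv[1] == "--live":
        text = subprocess.run(["ip", "-6", "route"], capture_output=True,
                              text=True, check=True).stdout
        print(f"live table: {ipv6_leaks(text, vpn_iface)}")
    else:
        print(f"leaking sample:   {ipv6_leaks(LEAKING, vpn_iface)}")
        print(f"protected sample: {ipv6_leaks(PROTECTED, vpn_iface)}")


if __name__ == "__main__":
    main(sys.argv)
```

Note that the protected sample still carries a default route on eth0; it is safe only because the more specific 2000::/3 entry wins the lookup. That is why a plain "is there a default route on the tunnel?" check is not enough, and why the example resolves a concrete probe address instead.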

The paper was covered yesterday by The Register with the scary-sounding title “VPNs are so insecure you might as well wear a KICK ME sign” but without any input from the providers in question. We decided to contact a few of them for their take on the paper.

PureVPN told TF that they “take the security of our customers very seriously and thus, a dedicated team has been assigned to look into the matter.” Other providers had already received advance notice of the paper.

“At least for AirVPN the paper is outdated,” AirVPN told TorrentFreak.

“We think that the researchers, who kindly sent the paper to us many months in advance and were warned about that, had no time to fix [the paper] before publication. There is nothing to worry about for AirVPN.”

“Current topology allows us to have the same IP address for VPN DNS server and VPN gateway, solving the vulnerability at its roots, months before the publication of the paper.”

TorGuard also knew of the whitepaper and has been working to address the issues it raises. The company adds that while The Register’s “the sky is falling” coverage of yesterday is “deceptive”, the study does illustrate the need for providers to stay vigilant. Specifically, TorGuard says that it has launched a new IPv6 leak prevention feature on Windows, Mac and Linux.

“Today we have released a new feature that will address this issue by giving users the option of capturing ALL IPv6 traffic and forcing it through the OpenVPN tunnel. During our testing this method proved highly effective in blocking potential IPv6 leaks, even in circumstances when these services were active or in use on the client’s machine,” the company reports.

On the DNS hijacking issue, TorGuard provides the following detail.

“It is important to note that the potential for this exploit only exists (in theory) if you are connected to a compromised WiFi network in which the attacker has gained full control of the router. If that is the case, DNS hijacking is only the beginning of one’s worries,” TorGuard notes.

“During our own testing of TorGuard’s OpenVPN app, we were unable to reproduce this when using private DNS servers because any DNS queries can only be accessed from within the tunnel itself.”

Noting that they released IPv6 Leak Protection in October 2013, leading VPN provider Private Internet Access told TorrentFreak that they feel the paper is lacking.

“While the article purported to be an unbiased and intricate look into the security offered by consumer VPN services, it was greatly flawed since the inputs or observations made by the researchers were inaccurate,” PIA said.

“While a scientific theory or scientific test can be proven by a logical formula or algorithm, if the observed or collected data is incorrect, the conclusion will be in error as well.”

PIA criticizes the report on a number of fronts, including incorrect claims about its DNS resolver.

“Contrary to the report, we have our own private DNS daemon running on the Choopa network. Additionally, the DNS server that is reported, while it is a real DNS resolver, is not the actual DNS that your system will use when connected to the VPN,” the company explains.

“Your DNS requests are handled by a local DNS resolver running on the VPN gateway you are connected to. This can be easily verified through a site like ipleak.net. Additionally… we do not allow our DNS servers to report IPv6 (AAAA records) results. We’re very serious about security and privacy.”

Finally, in a comprehensive response (now published here) in which it notes that its Windows client is safe, PIA commends the researchers for documenting the DNS hijacking method but criticizes how it was presented to the VPN community.

“The DNS Hijacking that the author describes [..] is something that has recently been brought to light by these researchers and we commend them on their discovery. Proper reporting routines would have been great, however. Shamefully, this is improper security disclosure,” PIA adds.

While non-IPv6 users have nothing to fear, all users looking for a simple fix can disable IPv6 by following instructions for Windows, Linux and Mac.

Schneier on Security: Office of Personnel Management Data Hack

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

I don’t have much to say about the recent hack of the US Office of Personnel Management, which has been attributed to China (and seems to be getting worse all the time). We know that government networks aren’t any more secure than corporate networks, and might even be less secure.

I agree with Ben Wittes here (although not the imaginary double standard he talks about in the rest of the essay):

For the record, I have no problem with the Chinese going after this kind of data. Espionage is a rough business and the Chinese owe as little to the privacy rights of our citizens as our intelligence services do to the employees of the Chinese government. It’s our government’s job to protect this material, knowing it could be used to compromise, threaten, or injure its people — not the job of the People’s Liberation Army to forebear collection of material that may have real utility.

Former NSA Director Michael Hayden says much the same thing:

If Hayden had had the ability to get the equivalent Chinese records when running CIA or NSA, he says, “I would not have thought twice. I would not have asked permission. I’d have launched the star fleet. And we’d have brought those suckers home at the speed of light.” The episode, he says, “is not shame on China. This is shame on us for not protecting that kind of information.” The episode is “a tremendously big deal, and my deepest emotion is embarrassment.”

My question is this: Has anyone thought about the possibility of the attackers manipulating data in the database? What are the potential attacks that could stem from adding, deleting, and changing data? I don’t think they can add a person with a security clearance, but I’d like someone who knows more than I do to understand the risks.

TorrentFreak: Piracy Concerns May Soon Kill Domain Name Privacy

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

In recent months copyright holders have been increasingly pushing for changes in the domain name industry.

Groups such as the MPAA and RIAA, for example, want registrars to suspend domain names of clearly infringing websites.

While this is unlikely to happen on a broad scale in the near future, a new ICANN proposal may put an end to private domain name registrations for some websites.

A new proposal (pdf) will no longer allow ‘commercial’ sites, which could include all domain names that run advertisements, to hide their personal details through so-called WHOIS protection services.

This change is backed by copyright holder groups including the MPAA, who previously argued that it will help them to hold the operators of illegal sites responsible.

“Without accurate WHOIS data, there can be no accountability, and without accountability it can be difficult to investigate and remedy issues when individuals or organizations use the Internet in illegal or inappropriate ways,” MPAA’s Alex Deacon said recently.

“Ensuring this data is accurate is important not only to the MPAA and our members, but also to everyone who uses the Internet every day.”

On the other side of the spectrum, the proposal has ignited protests from privacy advocates and key players in the domain name industry.

Digital rights group EFF points out that copyright holders can already expose the operators of allegedly infringing sites quite easily by obtaining a DMCA subpoena. This is something the RIAA has done already on a few occasions.

EFF further warns that the new rules will expose the personal details of many people who have done nothing wrong, but may have good reasons not to have their address listed publicly.

“The limited value of this change is manifestly outweighed by the risks to website owners who will suffer a higher risk of harassment, intimidation and identity theft,” EFF’s Mitch Stoltz writes.

Namecheap, one of the largest domain registrars, also jumped in and sent a mass-mailing to all their customers urging them to tell ICANN not to adopt the new proposal.

“No WHOIS privacy provider wants their service to be used to conceal illegal activity, and the vast majority of domain owners are not criminals. Using a WHOIS privacy service is no more suspicious than having an unlisted phone number,” Namecheap CEO Richard Kirkendall notes.

“These new proposed rules would wreak havoc on our right to privacy online. ICANN is moving quickly, so we should too – contact them today and tell them to respect our privacy,” he adds.

ICANN is currently accepting comments from the public and Namecheap is encouraging its customers to use the Respect Our Privacy campaign site to protest the proposed changes.

Of course, Namecheap has more to worry about than the privacy of its users alone. The company itself operates the Whoisguard service and earns a lot of revenue through these private registrations.

Thus far most of the responses received by ICANN have come in through the special campaign site, arguing against the proposal. The commenting period closes in two weeks followed by an official report. After that, the ICANN board will still have to vote on whether or not the changes will be implemented.

Schneier on Security: What is the DoD’s Position on Backdoors in Security Systems?

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

In May, Admiral James A. Winnefeld, Jr., vice-chairman of the Joint Chiefs of Staff, gave an address at the Joint Service Academies Cyber Security Summit at West Point. After he spoke for twenty minutes on the importance of Internet security and a good national defense, I was able to ask him a question (32:42 mark) about security versus surveillance:

Bruce Schneier: I’d like to hear you talk about this need to get beyond signatures and the more robust cyber defense and ask the industry to provide these technologies to make the infrastructure more secure. My question is, the only definition of “us” that makes sense is the world, is everybody. Any technologies that we’ve developed and built will be used by everyone — nation-state and non-nation-state. So anything we do to increase our resilience, infrastructure, and security will naturally make Admiral Rogers’s both intelligence and attack jobs much harder. Are you okay with that?

Admiral James A. Winnefeld: Yes. I think Mike’s okay with that, also. That’s a really, really good question. We call that IGL. Anyone know what IGL stands for? Intel gain-loss. And there’s this constant tension between the operational community and the intelligence community when a military action could cause the loss of a critical intelligence node. We live this every day. In fact, in ancient times, when we were collecting actual signals in the air, we would be on the operational side, “I want to take down that emitter so it’ll make it safer for my airplanes to penetrate the airspace,” and they’re saying, “No, you’ve got to keep that emitter up, because I’m getting all kinds of intelligence from it.” So this is a familiar problem. But I think we all win if our networks are more secure. And I think I would rather live on the side of secure networks and a harder problem for Mike on the intelligence side than very vulnerable networks and an easy problem for Mike. And part of that — it’s not only the right thing to do, but part of that goes to the fact that we are more vulnerable than any other country in the world, on our dependence on cyber. I’m also very confident that Mike has some very clever people working for him. He might actually still be able to get some work done. But it’s an excellent question. It really is.

It’s a good answer, and one firmly on the side of not introducing security vulnerabilities, backdoors, key-escrow systems, or anything that weakens Internet systems. It speaks to what I have seen as a split in the Second Crypto War, between the NSA and the FBI on building secure systems versus building systems with surveillance capabilities.

I have written about this before:

But here’s the problem: technological capabilities cannot distinguish based on morality, nationality, or legality; if the US government is able to use a backdoor in a communications system to spy on its enemies, the Chinese government can use the same backdoor to spy on its dissidents.

Even worse, modern computer technology is inherently democratizing. Today’s NSA secrets become tomorrow’s PhD theses and the next day’s hacker tools. As long as we’re all using the same computers, phones, social networking platforms, and computer networks, a vulnerability that allows us to spy also allows us to be spied upon.

We can’t choose a world where the US gets to spy but China doesn’t, or even a world where governments get to spy and criminals don’t. We need to choose, as a matter of policy, communications systems that are secure for all users, or ones that are vulnerable to all attackers. It’s security or surveillance.

NSA Director Admiral Mike Rogers was in the audience (he spoke earlier), and I saw him nodding at Winnefeld’s answer. Two weeks later, at CyCon in Tallinn, Rogers gave the opening keynote, and he seemed to be saying the opposite.

“Can we create some mechanism where within this legal framework there’s a means to access information that directly relates to the security of our respective nations, even as at the same time we are mindful we have got to protect the rights of our individual citizens?”

[…]

Rogers said a framework to allow law enforcement agencies to gain access to communications is in place within the phone system in the United States and other areas, so “why can’t we create a similar kind of framework within the internet and the digital age?”

He added: “I certainly have great respect for those that would argue that the most important thing is to ensure the privacy of our citizens and we shouldn’t allow any means for the government to access information. I would argue that’s not in the nation’s best long term interest, that we’ve got to create some structure that should enable us to do that mindful that it has to be done in a legal way and mindful that it shouldn’t be something arbitrary.”

Does Winnefeld know that Rogers is contradicting him? Can someone ask JCS about this?

lcamtuf's blog: Poland vs the United States: civil liberties

This post was syndicated from: lcamtuf's blog and was written by: Michal Zalewski. Original post: at lcamtuf's blog

This is the sixth article in a short series about Poland, Europe, and the United States. To explore the entire series, start here.

I opened my comparison of Poland and the US with the topic of firearm ownership. I decided to take this route in part because of how alien the US gun culture may appear to outsiders – and because of how polarizing and interesting the subject is. But in today’s entry, I wanted to take a step back and have a look at the other, more traditional civil liberties that will be more familiar to folks on the other side of the pond.

Before we dive in, it is probably important to note that the national ethos of the United States is very expressly built on the tradition of individualism and free enterprise. Of course, many words can be written about the disconnect between this romanticized vision and complex realities of entrepreneurship or social mobility in the face of multi-generational poverty or failing inner-city schools (it may be a fitting subject for another post). But the perception still counts: in much of Europe, the government is seen less as a guarantor of civil liberties, and more as a provider of basic needs. The inverse is more true in the US; the armed forces and small businesses enjoy the two top spots in institutional trustworthiness surveys; federal legislators come dead last. This sentiment shapes many of the ongoing political debates – not just around individual freedoms, but also as related to public healthcare or the regulation of commerce. The virtues of self-sufficiency and laissez-faire capitalism seem far more self-evident to the citizens of the US than they are in the EU.

With that in mind, it’s worthwhile to start the comparison with the freedom of speech. A cherished tradition in the western world, this liberty is nevertheless subordinate to a number of collectivist social engineering goals across the whole old continent; for example, strong prohibitions exist on the promotion of Nazi ideology or symbolism, or on the mere practice of denying the Holocaust. The freedom of speech is also broadly trumped by the right to privacy, including the hotly-debated right to be forgotten on the Internet. Other, more exotic restrictions implemented in several places in Europe include the prohibition against disrespecting the religious beliefs of others or insulting any acting head of state; in Poland, people have been prosecuted for hurling childish insults at the Pope or at the outgoing Polish president. Of course, the enforcement is patently selective: in today’s political climate, no one will be charged for calling Mr. Putin a thug.

The US takes a more absolutist view of the First Amendment, with many hate groups enjoying far-reaching impunity enshrined in the judicial standards put forward not by politicians, but by the unusually powerful US Supreme Court. The notion of “speech” is also interpreted very broadly, extending to many forms of artistic, religious, and political expression; in particular, the European niqab and burka bans would be patently illegal in the United States and aren’t even the subject of serious debate. The concept of homeschooling, banned or heavily regulated in some parts of Europe, is seen by some through the same constitutional prism: it is your right to teach your children about Young Earth creationism, and the right trumps any concerns over the purported social costs. Last but not least, there is the controversial Citizens United decision, holding that some forms of financial support provided to political causes can be equated with constitutionally protected speech; again, the ruling came not from the easily influenced politicians, but from the Supreme Court.

As an aside, despite the use of freedom-of-speech restrictions as a tool for rooting out anti-Semitism and hate speech in Europe, the contemporary US may be providing a less fertile ground for racism and xenophobia than at least some parts of the EU. The country still struggles with its dark past and the murky reality of racial discrimination – but despite the stereotypes, the incidence of at least some types of casual racism in today’s America seems lower than in much of Europe. The pattern is also evident in political discourse; many of the openly xenophobic opinions or legislative proposals put forward by European populist politicians would face broad condemnation in the US. Some authors argue that the old continent is facing a profound new wave of Islamophobia and hatred toward Jews; in countries such as Greece and Hungary, more than 60% of the population seems to be holding such views. In Poland, more than 40% say that Jews hold too much influence in business – a surreal claim, given that there are just several thousand Jews living in the country of 38 million. My own memories from growing up in that country are that of schoolkids almost universally using “you Jew!” as a mortal insult. The defacement of Jewish graves and monuments, or anti-Semitic graffiti, posters, and sports chants are far more common than they should be. It’s difficult to understand if restrictions on free speech suppress the sentiments or make them worse, but at the very least, the success of the policies is not clear-cut.

Other civil liberties revered in the United States, and perhaps less so in Europe, put limits on the ability of the government to intrude into private lives through unwarranted searches and seizures. Of course, the stereotypical view of the US is that of a dystopian surveillance state, epitomized by the recent focus on warrantless surveillance or secret FISA courts. But having worked for a telecommunications company in Poland, my own sentiment is that law enforcement and intelligence agencies in Europe tend to operate with far more impunity and far less legal oversight; the intelligence community in particular is often engaged in politically motivated domestic investigations that should raise an eyebrow or two; all across Europe, “pre-crime” policing ideas are taking hold. In most of these countries, citizens are not afforded powerful tools such as FOIA requests, do not benefit from a tradition of protected investigative journalism and whistleblowing, and can’t work with influential organizations such as the American Civil Liberties Union; there is also no history of scandals nearly as dramatic and transformative as Watergate. In the States, I feel that all this helped to create an imperfect but precious balance between the needs of the government and the rights of the people – and instill higher ethical standards in the law enforcement and intelligence community. The individualist spirit helps, too: quite a few states and municipalities go as far as banning traffic enforcement cameras because of how they rob suspects of the ability to face the accuser in court.

When it comes to some other civil traditions that are sacrosanct in Europe, the United States needs to face justified criticism. The harsh and overcrowded penal system treats some offenders unfairly; it is a product of populist sentiments influenced by the crime waves of the twentieth century and fueled by the dysfunctional War on Drugs. While Polish prisons may not be much better, some of the ideas implemented elsewhere in Europe seem to make a clear difference. They are difficult to adopt in the States chiefly because they do not fit the folksy “tough on crime” image that many American politicians take pride in.

In the same vein, police brutality, disproportionately faced by the poor and the minorities, is another black mark for individual rights. The death penalty, albeit infrequent and reserved for most heinous crimes, stands on increasingly shaky moral grounds – even if it faces steady public support. The indefinite detention and torture of terrorism suspects, with the knowledge and complicity of many other European states, deserves nothing but scorn. Civil forfeiture is a bizarre concept that seems to violate the spirit of the Fourth Amendment by applying unreasonably relaxed standards for certain types of seizures – although in all likelihood, its days are coming to an end.

As usual, the picture is complex and it’s hard to declare the superiority of any single approach to individual liberties. Europe and the United States have much in common, but also differ in very interesting ways.

For the next article in the series, click here.

Schneier on Security: Hayden Mocks NSA Reforms

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

Former NSA Director Michael Hayden recently mocked the NSA reforms in the recently passed USA Freedom Act:

If somebody would come up to me and say, “Look, Hayden, here’s the thing: This Snowden thing is going to be a nightmare for you guys for about two years. And when we get all done with it, what you’re going to be required to do is that little 215 program about American telephony metadata — and by the way, you can still have access to it, but you got to go to the court and get access to it from the companies, rather than keep it to yourself.” I go: “And this is it after two years? Cool!”

The thing is, he’s right. And Peter Swire is also right when he calls the law “the biggest pro-privacy change to U.S. intelligence law since the original enactment of the Foreign Intelligence Surveillance Act in 1978.” I supported the bill not because it was the answer, but because it was a step in the right direction. And Hayden’s comments demonstrate how much more work we have to do.