Posts tagged ‘Privacy’

Schneier on Security: The Advertising Value of Intrusive Tracking

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

Here’s an interesting research paper that tries to calculate the differential value of privacy-invasive advertising practices.

The researchers used data from a mobile ad network and were able to see how different personalized advertising practices affected customer purchasing behavior. The details are interesting, but basically, most personal information had little value. Overall, the ability to target advertising produces a 29% greater return on an advertising budget, mostly by knowing the right time to show someone a particular ad.

The paper was presented at WEIS 2015.

TorrentFreak: Torrent Trackers Ban Windows 10 Over Privacy Concerns

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

Since the release of Windows 10 last month many media reports have focused on various privacy intrusions.

The WiFi password sharing feature, for example, or the extensive sharing of personal data and information back to Microsoft’s servers. The list goes on and on.

While we’re the last ones to defend these policies, it is worth pointing out that many other large tech companies have similar privacy violating policies. Reading rants about Windows 10 privacy on Facebook is particularly ironic.

This week things took a turn for the worse. Slowly but steadily reports started pouring in that Windows 10 has a built-in piracy kill switch. If we were to believe some of the reports, Microsoft would nuke all torrents downloaded from The Pirate Bay.

The truth is nowhere near as dystopian though. The controversy originates from a single line in Microsoft’s Service Agreement which allows the company to download software updates and configuration changes that may prevent people from “playing counterfeit games.”

This change isn’t limited to Windows 10 but covers many services. Also, there is no indication that this will ever be used to target third-party games, which is highly unlikely.

Still, the recent privacy concerns have some torrent tracker staffers worried. During the week TF received reports informing us that several private trackers have banned Windows 10, or are considering doing so.

The staffers at iTS explain that Windows 10 is off-limits now because of the extensive amount of data it shares. This includes connections to MarkMonitor, the brand protection company which is also involved in the U.S. Copyright Alert System.

“Unfortunately Microsoft decided to revoke any kind of data protection and submit whatever they can gather to not only themselves but also others. One of those is one of the largest anti-piracy company called MarkMonitor,” iTS staff note.

“Amongst other things Windows 10 sends the contents of your local disks directly to one of their servers. Obviously this goes way too far and is a serious threat to sites like ours which is why we had to take measures,” they add.

While this may sound scary, Microsoft has been working with MarkMonitor for years already. Among other things, the company helps to keep scammers at bay.

There is no evidence that any piracy related info is being shared. Still, the connection is raising red flags with other tracker operators as well. More trackers reportedly ban Windows 10, and others including BB and FSC are considering following suit.

“We have also found [Windows 10] will be gathering information on users’ P2P use to be shared with anti piracy group,” BB staff writes to its users.

“What’s particularly nasty is that apparently it sends the results of local(!!) searches to a well known anti piracy company directly so as soon as you have one known p2p or scene release on your local disk … BAM!”

The same sentiment is shared at FSC where staff also informed users about the threat.

“As we all know, Microsoft recently released Windows 10. You as a member should know, that we as a site are thinking about banning the OS from FSC. That would mean you cannot use the site with the OS installed,” FSC staff writes.

While a paranoid mindset is definitely not a bad thing for people in the business of managing a torrent community, banning an operating system over privacy concerns is a bit much for most. Especially since many of the same issues also affect earlier versions of Windows.

Luckily, the most invasive privacy concerns can be dealt with by configuring Windows properly. Or any other operating system, application or social network for that matter.

Instead of banning something outright, it may be a good idea to inform the public on specific dangers and educate them how they can be alleviated.

Source: TorrentFreak, for the latest info on copyright, file-sharing, torrent sites and ANONYMOUS VPN services.

TorrentFreak: Spotify: Piracy May Surge Without a Freemium Option

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

With the option to stream millions of tracks supported by an occasional ad, or free of ads for a small subscription fee, Spotify has proven to be a serious competitor to music piracy.

Since its first release in 2009 the service has conquered the hearts and minds of many music fans. Currently available in more than 60 countries, it is catering to tens of millions of users.

In recent months, however, various prominent music industry insiders have called for an end to Spotify’s freemium option. With this move they hope that the company will increase its revenues and pay more compensation to artists and labels.

This is not a good idea, according to Sachin Doshi, Spotify’s Vice President of content and distribution. Killing the freemium model may result in more subscriptions, but it may also boost piracy.

“We’ve done such a great job at Spotify of making piracy irrelevant, but that doesn’t mean it’s gone. It just means there’s no need for it right now,” Doshi told MBW.

“You could create that need again if you follow the wrong path,” he adds.

In recent years Spotify has caused a decline in music piracy rates in a few countries, something the company always envisioned it would. Having a free tier is an essential part of this chain.

According to Spotify’s exec the music industry realizes the risk of canceling the freemium option, which suggests that there are no concrete plans to change its model in the near future.

“…I think the industry does actually agree with a lot of this: instead of making free worse, the right answer is making premium better,” Doshi says.

Spotify’s comments on a piracy revival are in line with what we warned about earlier. However, it is not the only threat. The recent push for more “exclusive” releases is another point of frustration for many music fans.

Various music services make deals to be the first to release new albums, such as Dr. Dre’s iTunes exclusive, making the piracy option relevant again for users of other paid services. This might not be a good strategy in the long run.

On that note, Spotify also has to be careful with privacy issues. A change to the company’s terms and conditions now allows it to access photos, phone numbers and sensory data from mobile users, which has quite a few users upset.

Now we don’t want these users, including Minecraft creator Markus Persson, to reconvert to pirates again, do we?


TorrentFreak: Rightscorp’s DMCA Subpoena Effort Crashes and Burns

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

In an effort to unmask file-sharers’ identities on behalf of clients including Warner Bros. and BMG, last year anti-piracy company Rightscorp began sending DMCA subpoenas to dozens of smaller ISPs in the United States.

The practice proved controversial. Although several ISPs complied with the anti-piracy company’s demands, DMCA subpoenas aren’t considered applicable in file-sharing cases, not least since they can be signed by a court clerk and are not reviewed by a judge.

In 2014, Rightscorp targeted ISP CBeyond with such a subpoena, but parent company Birch Communications refused to compromise the security of its customers. The company filed a motion to quash the subpoena, arguing that Rightscorp was on a privacy-invading fishing expedition.

In May, Birch Communications celebrated victory.

“CBeyond contends that the section does not apply to service providers that act only as a conduit for data transferred between other parties and that do not store data. The court agrees,” wrote Magistrate Judge Janet King in her ruling.

But for Rightscorp the matter wasn’t over. The company took the case to appeal in the hope of a better result, but that effort has now ended in another defeat for the struggling anti-piracy outfit.

In a statement sent to TorrentFreak, Tim Phelps, Director of Marketing Communications at Birch, reveals what happened.

“The DMCA did not provide any basis to require an Internet Service Provider in Birch’s position to open its files to private litigants,” Phelps explains.

“Rightscorp dropped its appeal of the May 2015 decision and the Court issued an entry of dismissal in the case.”

Christopher Bunce, Birch Senior Vice President and General Counsel, says that the company examines all applications for personal information and deals with them strictly in accordance with the law.

“Birch scrutinizes every demand from both private parties and the government, complying only with properly served subpoenas, warrants and court orders, refusing to comply with demands such as those served by Rightscorp, and always maintaining an eye toward protecting our customers’ interests,” Bunce says.

The tough stance taken by Birch in defense of customer privacy is not only to be commended but should also be noted by other ISPs. The Rightscorp case shows that companies are prepared to seek confidential data by inappropriate means and should be confronted whenever possible.

The outcome of this case represents yet another blow to Rightscorp, who recently revealed they are still hemorrhaging cash following yet another disappointing set of results.


Schneier on Security: More on Mail Cover

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

I’ve previously written about mail cover — the practice of recording the data on mail envelopes. Sai has been covering the issue in more detail, and recently received an unredacted copy of a 2014 audit report. The New York Times has an article on it:

In addition to raising privacy concerns, the audit questioned the Postal Service’s efficiency and accuracy in handling mail cover requests. Many requests were processed late, the audit said, which delayed surveillance, and computer errors caused the same tracking number to be assigned to different requests.

[…]

The inspector general also found that the Postal Inspection Service did not have “sufficient controls” in place to ensure that its employees followed the agency’s policies in handling the national security mail covers.

According to the audit, about 10 percent of requests did not include the dates for the period covered by surveillance. Without the dates in the files, auditors were unable to determine if the Postal Service had followed procedures for allowing law enforcement agencies to monitor mail for a specific period of time.

Additionally, 15 percent of the inspectors who handled the mail covers did not have the proper nondisclosure agreements on file for handling classified materials, records that must be maintained for 50 years. The agreements would prohibit the postal workers from discussing classified information.

And the inspector general found that in about 32 percent of cases, postal inspectors did not include, as required, the date on which they visited facilities where mail covers were being processed. In another 32 percent of cases, law enforcement agencies did not return documents to the Postal Inspection Service’s Office of Counsel, which handles the national security mail covers, within the prescribed 60 days after a case was closed.

SANS Internet Storm Center, InfoCON: green: .COM.COM Used For Malicious Typo Squatting, (Mon, Aug 10th)

This post was syndicated from: SANS Internet Storm Center, InfoCON: green and was written by: SANS Internet Storm Center, InfoCON: green. Original post: at SANS Internet Storm Center, InfoCON: green

Today, our reader Jeff noted how domains ending in .com.com are being redirected to what looks like malicious content. Back in 2013, a blog by Whitehat Security pointed out that the famous com.com domain name was sold by CNET to known typo squatter dsparking.com [1]. Apparently, dsparking.com paid $1.5 million for this particular domain. Currently, the whois information uses privacy protection, and DNS for the domain is hosted by Amazon’s cloud.

All .com.com hostnames appear to resolve to 54.201.82.69, also hosted by Amazon (amazon.com.com is also directed to the same IP, but right now results in more of a parked page, not the fake anti-malware as other domains).

The content you receive varies. For example, on my first hit from my Mac to facebook.com.com , I received the following page:

And of course the fake scan it runs claims that I have a virus :)

As a solution, I was offered the well known scam-app Mackeeper.

Probably best to block DNS lookups for any .com.com domains. The IP address is likely going to change soon, but I don’t think there is any valid content at any .com.com host name.

The Whitehat article does speak to the danger of e-mail going to these systems. An MX record is configured, but the mail server didn’t accept any connections from me (maybe it is overloaded?).

Amazon EC2 abuse was notified.

[1] https://blog.whitehatsec.com/why-com-com-should-scare-you/

Johannes B. Ullrich, Ph.D.

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

LWN.net: Privacy Badger 1.0

This post was syndicated from: LWN.net and was written by: corbet. Original post: at LWN.net

The Electronic Frontier Foundation has announced the 1.0 release of the Privacy Badger browser extension. “As you browse the Web, Privacy Badger looks at any third party domains that are loaded on a given site and determines whether or not they appear to be tracking you (e.g. by setting cookies that could be used for tracking, or fingerprinting your browser). If the same third party domain appears to be tracking you on three or more different websites, Privacy Badger will conclude that the third party domain is a tracker and block future connections to it.” The extension is distributed under GPLv3; see this page for more information.
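The three-sites heuristic quoted above, worked through as an added example (not Privacy Badger's own code): each third-party base domain that shows a tracking signal (a cookie or fingerprinting) is remembered together with the first-party site it was seen on, and it is blocked once it has been seen on three distinct sites. The base-domain reduction and the sample browsing log are constructed simplifications for this example; a real implementation uses the Public Suffix List.

```python
from collections import defaultdict
from urllib.parse import urlparse

# "three or more different websites" from the announcement quoted above
BLOCK_THRESHOLD = 3


def base_domain(host: str) -> str:
    """Reduce a hostname to its last two labels.

    Assumption for this example: a real extension consults the Public
    Suffix List so that e.g. example.co.uk is handled correctly.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_third_party(page_url: str, request_url: str) -> bool:
    """A request is third-party when its base domain differs from the page's."""
    page_host = urlparse(page_url).hostname or ""
    req_host = urlparse(request_url).hostname or ""
    return base_domain(page_host) != base_domain(req_host)


class TrackerHeuristic:
    def __init__(self, threshold: int = BLOCK_THRESHOLD):
        self.threshold = threshold
        # tracker base domain -> set of first-party base domains it tracked on
        self.seen_on = defaultdict(set)
        self.blocked = set()

    def observe(self, page_url: str, request_url: str, tracking_signal: bool) -> bool:
        """Record one third-party request and return whether its domain is now blocked.

        tracking_signal is True when the response set a cookie or the
        script attempted browser fingerprinting (detection of that signal
        is outside this example).
        """
        if not tracking_signal or not is_third_party(page_url, request_url):
            return False
        tracker = base_domain(urlparse(request_url).hostname or "")
        site = base_domain(urlparse(page_url).hostname or "")
        self.seen_on[tracker].add(site)
        if len(self.seen_on[tracker]) >= self.threshold:
            self.blocked.add(tracker)
        return tracker in self.blocked

    def should_block(self, page_url: str, request_url: str) -> bool:
        """Decision for a future request: block only third-party requests to a known tracker."""
        if not is_third_party(page_url, request_url):
            return False
        return base_domain(urlparse(request_url).hostname or "") in self.blocked


# Constructed browsing log: (page URL, request URL, tracking signal observed)
SAMPLE_LOG = [
    ("https://news.example/article", "https://cdn.ads-track.net/pixel.gif", True),
    ("https://shop.example/cart", "https://ads-track.net/pixel.gif", True),
    ("https://news.example/other", "https://cdn.harmless.org/lib.js", False),
    ("https://news.example/a", "https://img.news.example/x.png", True),  # first-party
    ("https://blog.example/post", "https://static.ads-track.net/s.js", True),  # 3rd site
    ("https://news.example/b", "https://metrics.other.com/c.js", True),
]


def run_sample(log=SAMPLE_LOG) -> TrackerHeuristic:
    """Replay the constructed log and return the resulting heuristic state."""
    h = TrackerHeuristic()
    for page, req, signal in log:
        h.observe(page, req, signal)
    return h


if __name__ == "__main__":
    state = run_sample()
    for tracker, sites in sorted(state.seen_on.items()):
        status = "BLOCKED" if tracker in state.blocked else "watching"
        print(f"{tracker}: seen on {len(sites)} site(s) -> {status}")
```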

Schneier on Security: Nicholas Weaver on iPhone Security

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

Excellent essay:

Yes, an iPhone configured with a proper password has enough protection that, turned off, I’d be willing to hand mine over to the DGSE, NSA, or Chinese. But many (perhaps most) users don’t configure their phones right. Beyond just waiting for the suspect to unlock his phone, most people either use a weak 4-digit passcode (that can be brute-forced) or use the fingerprint reader (which the officer has a day to force the subject to use).

Furthermore, most iPhones have a lurking security landmine enabled by default: iCloud backup. A simple warrant to Apple can obtain this backup, which includes all photographs (so there is the selfie) and all undeleted iMessages! About the only information of value not included in this backup are the known WiFi networks and the suspect’s email, but a suspect’s email is a different warrant away anyway.

Finally, there is iMessage, whose “end-to-end” nature, despite FBI complaints, contains some significant weaknesses and deserves scare-quotes. To start with, iMessage’s encryption does not obscure any metadata, and as the saying goes, “the Metadata is the Message”. So with a warrant to Apple, the FBI can obtain all the information about every message sent and received except the message contents, including time, IP addresses, recipients, and the presence and size of attachments. Apple can’t hide this metadata, because Apple needs to use this metadata to deliver messages.

He explains how Apple could enable surveillance on iMessage and FaceTime:

So to tap Alice, it is straightforward to modify the keyserver to present an additional FBI key for Alice to everyone but Alice. Now the FBI (but not Apple) can decrypt all iMessages sent to Alice in the future. A similar modification, adding an FBI key to every request Alice makes for any keys other than her own, enables tapping all messages sent by Alice. There are similar architectural vulnerabilities which enable tapping of “end-to-end secure” FaceTime calls.

There’s a persistent rumor going around that Apple is in the secret FISA Court, fighting a government order to make its platform more surveillance-friendly — and they’re losing. This might explain Apple CEO Tim Cook’s somewhat sudden vehemence about privacy. I have not found any confirmation of the rumor.

Darknet - The Darkside: Windows 10 Privacy – Just Installed? Read This

This post was syndicated from: Darknet - The Darkside and was written by: Darknet. Original post: at Darknet - The Darkside

So no big surprise here, but there are some issues with the default settings in regards to Windows 10 privacy: if you run through the express install without customizing settings, the defaults are a little suspect. A lot of Windows 7 and Windows 8 users have already opted in to the automatic (and free) upgrade to the […]

The post Windows 10…

Read the full post at darknet.org.uk

LWN.net: Coalition Announces New ‘Do Not Track’ Standard for Web Browsing

This post was syndicated from: LWN.net and was written by: ris. Original post: at LWN.net

The Electronic Frontier Foundation (EFF), privacy company Disconnect and a coalition of Internet companies have announced a stronger “Do Not Track” (DNT) setting for Web browsing: “a new policy standard that, coupled with privacy software, will better protect users from sites that try to secretly follow and record their Internet activity, and incentivize advertisers and data collection companies to respect a user’s choice not to be tracked online.”

Schneier on Security: Shooting Down Drones

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

A Kentucky man shot down a drone that was hovering in his backyard:

“It was just right there,” he told Ars. “It was hovering, I would never have shot it if it was flying. When he came down with a video camera right over my back deck, that’s not going to work. I know they’re neat little vehicles, but one of those uses shouldn’t be flying into people’s yards and videotaping.”

Minutes later, a car full of four men that he didn’t recognize rolled up, “looking for a fight.”

“Are you the son of a bitch that shot my drone?” one said, according to Merideth.

His terse reply to the men, while wearing a 10mm Glock holstered on his hip: “If you cross that sidewalk onto my property, there’s going to be another shooting.”

He was arrested, but what’s the law?

In the view of drone lawyer Brendan Schulman and robotics law professor Ryan Calo, home owners can’t just start shooting when they see a drone over their house. The reason is that the law frowns on self-help when a person can just call the police instead. This means that Merideth may not have been defending his house, but instead engaging in criminal acts and property damage for which he could have to pay.

But a different and bolder argument, put forward by law professor Michael Froomkin, could provide Merideth some cover. In a paper, Froomkin argues that it’s reasonable to assume robotic intrusions are not harmless, and that people may have a right to “employ violent self-help.”

Froomkin’s paper is well worth reading:

Abstract: Robots can pose — or can appear to pose — a threat to life, property, and privacy. May a landowner legally shoot down a trespassing drone? Can she hold a trespassing autonomous car as security against damage done or further torts? Is the fear that a drone may be operated by a paparazzo or a peeping Tom sufficient grounds to disable or interfere with it? How hard may you shove if the office robot rolls over your foot? This paper addresses all those issues and one more: what rules and standards we could put into place to make the resolution of those questions easier and fairer to all concerned.

The default common-law legal rules governing each of these perceived threats are somewhat different, although reasonableness always plays an important role in defining legal rights and options. In certain cases — drone overflights, autonomous cars — national, state, and even local regulation may trump the common law. Because it is in most cases obvious that humans can use force to protect themselves against actual physical attack, the paper concentrates on the more interesting cases of (1) robot (and especially drone) trespass and (2) responses to perceived threats other than physical attack by robots, notably the risk that the robot (or drone) may be spying – perceptions which may not always be justified, but which sometimes may nonetheless be considered reasonable in law.

We argue that the scope of permissible self-help in defending one’s privacy should be quite broad. There is exigency in that resort to legally administered remedies would be impracticable; and worse, the harm caused by a drone that escapes with intrusive recordings can be substantial and hard to remedy after the fact. Further, it is common for new technology to be seen as risky and dangerous, and until proven otherwise drones are no exception. At least initially, violent self-help will seem, and often may be, reasonable even when the privacy threat is not great — or even extant. We therefore suggest measures to reduce uncertainties about robots, ranging from forbidding weaponized robots to requiring lights, and other markings that would announce a robot’s capabilities, and RFID chips and serial numbers that would uniquely identify the robot’s owner.

The paper concludes with a brief examination of what if anything our survey of a person’s right to defend against robots might tell us about the current state of robot rights against people.

Note that there are drones that shoot back.

Here are two books that talk about these topics. And an article from 2012.

Schneier on Security: Help with Mailing List Hosting

This post was syndicated from: Schneier on Security and was written by: moderator. Original post: at Schneier on Security

I could use some help with finding a host for my monthly newsletter, Crypto-Gram. My old setup just wasn’t reliable enough. I had a move planned, but that fell through when the new host’s bounce processing system turned out to be buggy and they admitted the problem might never be fixed.

Clearly I need something a lot more serious. My criteria include subscriber privacy, reasonable cost, and a proven track record of reliability with large mailing lists. (I would use MailChimp, but it has mandatory click tracking for new accounts.)

One complication is that SpamCop, a popular anti-spam service, tells me I have at least one of their “spamtrap” addresses on the list. Spamtraps are addresses that — in theory — have never been used, so they shouldn’t be on any legitimate list. I don’t know how they got on my list, since I make people confirm their subscriptions by replying to an e-mail or clicking on an e-mailed link. But I used to make rare exceptions for people who just asked to join, so maybe a bad address or two got on that way. Spamtraps don’t work if you tell people what they are, so I can’t just find and remove them. And this has caused no end of problems for subscribers who use SpamCop’s blacklist.

At a minimum, I need to be sure that a new host won’t kick me out for a couple of spamtraps. And if the solution to this problem involves making all 100,000 people on the list reconfirm their subscriptions, then that has to be as simple and user-friendly a process as possible.

If you can recommend a host that would work, I’m interested. Even better would be talking to an expert with lots of experience running large mailing lists who can guide me. If you know a person like that, or if you are one, please leave a comment or e-mail me at the address on my Contact page.

Lauren Weinstein's Blog: Windows 10’s New Feature Steals Your Internet Bandwidth

This post was syndicated from: Lauren Weinstein's Blog and was written by: Lauren. Original post: at Lauren Weinstein's Blog

A couple of days ago I discussed a number of privacy and other concerns with Microsoft’s new Windows 10, made available as a free upgrade for many existing MS users: Windows 10: A Potential Privacy Mess, and Worse: http://lauren.vortex.com/archive/001115.html The situation has only been getting worse since then. For example, it’s been noted that the Win10 setup sequence is rigged…

Schneier on Security: Schneier Speaking Schedule

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

I’m speaking at an Infoedge event at Bali Hai Golf Club in Las Vegas, at 5 PM on August 5, 2015.

I’m speaking at DefCon 23 on Friday, August 7, 2015.

I’m speaking — remotely via Skype — at LinuxCon in Seattle on August 18, 2015.

I’m speaking at CloudSec in Singapore on August 25, 2015.

I’m speaking at MindTheSec in São Paulo, Brazil on August 27, 2015.

I’m speaking on the future of privacy at a public seminar sponsored by the Institute for Future Studies, in Stockholm, Sweden on September 21, 2015.

I’m speaking at Next Generation Threats 2015 in Stockholm, Sweden on September 22, 2015.

I’m speaking at Next Generation Threats 2015 in Gothenburg, Sweden on September 23, 2015.

I’m speaking at Free and Safe in Cyberspace in Brussels on September 24, 2015.

I’ll be on a panel at Privacy. Security. Risk. 2015 in Las Vegas on September 30, 2015.

I’m speaking at the Privacy + Security Forum, October 21-23, 2015 at The Marvin Center in Washington, DC.

I’m speaking at the Boston Book Festival on October 24, 2015.

I’m speaking at the 4th Annual Cloud Security Congress EMEA in Berlin on November 17, 2015.

TorrentFreak: Kim Dotcom & Mega Trade Barbs Over Hostile Takeover Claims

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

For the past several years, Kim Dotcom has been the most vocal supporter of Mega.co.nz, the cloud storage site he helped launch in 2013. Two and a half years later, something has gone very sour.

In a Q&A session with Slashdot this week, Dotcom told surprised readers that Mega was to be avoided.

“I’m not involved in Mega anymore. Neither in a managing nor in a shareholder capacity. The company has suffered from a hostile takeover by a Chinese investor who is wanted in China for fraud. He used a number of straw-men and businesses to accumulate more and more Mega shares,” Dotcom explained.

“Recently his shares have been seized by the [New Zealand] government. Which means the NZ government is in control.”

Intrigued, TorrentFreak spoke with Kim Dotcom to find out more about his allegations.

“Mega has experienced a hostile takeover and is no longer in the control of people who care about Internet Freedom. The New Zealand Government and Hollywood have seized a significant share of the company,” Dotcom told TorrentFreak.

“The combined shares seized by the NZ government and Hollywood were significant enough to stop our listing on the New Zealand stock exchange. On the one side Hollywood seized Mega shares of a family trust that was created for the benefit of my children and on the other side Hollywood was lobbying US Senators and credit card companies to stop payment processing for Mega.”

Dotcom says that the efforts of the NZ government and Hollywood meant that Mega couldn’t raise the capital required from the stock market to carry out its business plan. Furthermore, attacks on its abilities to process payments have now “dried up” the company’s cash flow.

“As a result Mega has been forced into bankruptcy territory and recently had to raise new capital at an insanely low valuation of NZD 10 million,” Dotcom says.

“This company was worth over 200 million before the NZ government and Hollywood launched their combined effort to destroy Mega. I have always said that this is a political case and the systematic sabotage of Mega is further proof of that.”

All of this leads Dotcom to the conclusion that Mega is no longer a safe site to use.

“As a result of this and a number of other confidential issues I don’t trust Mega anymore. I don’t think your data is safe on Mega anymore. But my non-compete clause is running out at the end of the year and I will create a Mega competitor that is completely open source and non-profit, similar to the Wikipedia model,” Dotcom says.

“I want to give everyone free, unlimited and encrypted cloud storage with the help of donations from the community to keep things going.”

Mega bites back

With shots fired, TorrentFreak spoke with Mega CEO Graham Gaylard and CCO Stephen Hall. Needless to say, they see things quite differently.

“Mega is a New Zealand company privately owned by 17 local and international investors, whose identities are publicly disclosed on the New Zealand Government’s Companies Office website,” Mega told TF.

“Like all start-up companies, Mega has had several rounds of equity investment. More than 75% of shareholders have supported recent equity issues, so there has not been any ‘hostile takeover’, contrary to Mr Dotcom’s assertion. Those shareholders who have decided not to subscribe to recent issues have been diluted accordingly. That has been their choice.”

Turning to the 6% shareholding held by the Dotcom family trust (which is controlled by Mr Dotcom’s estranged wife and is currently subject to a High Court freezing order following a 2014 application by five Hollywood film studios), Mega says there is no cause for alarm.

“That is a matter for the Dotcom family trust and does not concern Mega. The authorities responsible for maintaining the order have not opposed or interfered in any of Mega’s operations,” the company explains.

“Two other shareholdings totaling 7% are subject to a separate restraint ordered by the New Zealand High Court in August 2014. That is also a matter for that investor and does not concern Mega. Mega is not a party to either of the above court proceedings.”

Turning to Kim Dotcom’s claims that Mega is no longer in the hands of people who care about privacy, Mega told TF that isn’t the case.

“Mega continues to be managed by its executive team, supported by a Board of Directors and shareholders, who all care deeply about Internet freedom and privacy and are passionate about supporting Mega’s user-controlled encryption for cloud storage and communication services,” the company says.

Turning to Dotcom himself, the cloud storage site gave its clearest statement yet on its relationship with the German. Mega says that while Dotcom was a co-founder of their operation, he was not involved in the design and implementation of Mega technology, resigned as a director in 2013 and has had no managerial role since. Additionally, Mega says that Dotcom has not received any payments or remuneration from the company.

“Mega disagrees with a number of Mr Dotcom’s public comments,” Mega adds.

Turning to the security of Mega itself, the company says that the full source for its client-side software SDK is available on Github and the source for its MEGAsync and mobile applications will be published in due course.

“Mega’s encryption code has been examined by various international experts including the Spanish National Cybersecurity Institute without any flaws being found,” the company says.

In closing, Mega issued a statement which indicates a collapse in relations with their co-founder.

“Mega views Mr Dotcom’s defamatory comments as self-serving and designed simply to [promote] his supposed new business venture,” Mega says.

“They are inconsistent with his previous desire to ensure that the shareholding in Mega remains a valuable asset for his children and reflect just how completely Mr Dotcom and Mega have now moved apart if he can make such an unwarranted and irresponsible, defamatory attack,” the company concludes.

Source: TorrentFreak, for the latest info on copyright, file-sharing, torrent sites and the best VPN services.

Lauren Weinstein's Blog: Windows 10: A Potential Privacy Mess, and Worse

This post was syndicated from: Lauren Weinstein's Blog and was written by: Lauren. Original post: at Lauren Weinstein's Blog

I had originally been considering accepting Microsoft’s offer of a free upgrade from Windows 7 to Windows 10. After all, reports have suggested that it’s a much more usable system than Windows 8/8.1 — but of course in keeping with the “every other MS release of Windows is a dog” history, that’s a pretty low bar. However, it appears that…

Darknet - The Darkside: Drones, Tor & Remailers – The Story Of A High-Tech Kidnapping

This post was syndicated from: Darknet - The Darkside and was written by: Darknet. Original post: at Darknet - The Darkside

This whole thing sounds like something straight out of CSI: Cyber with references to Drones, Tor, remailers, anonymous image sharing and the scrubbing of meta data. Pretty interesting reading, although it rather smells like a lot of exaggeration. A super high-tech kidnapping – gone wrong in the end. Whoever wrote the e-mails sent to the…

Read the full post at darknet.org.uk

TorrentFreak: Google Publishes Chrome Fix For Serious VPN Security Hole

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

As large numbers of Internet users wise up to seemingly endless online privacy issues, security products are increasingly being viewed as essential for even basic tasks such as web browsing.

In addition to regular anti-virus, firewall and ad-busting products, users wishing to go the extra mile often invest in a decent VPN service which allows them to hide their real IP addresses from the world. Well, that’s the theory at least.

In January this year, details emerged of a serious vulnerability that in certain situations allowed third parties to discover the real IP addresses of Chrome and Firefox users even though they were connected to a VPN.

This wasn’t the fault of any VPN provider though. The problem was caused by features present in WebRTC, an open-source project supported by Google, Mozilla and Opera.

By placing a few lines of code on a website and using a STUN server it became possible to reveal not only users’ true IP addresses, but also their local network address too.

While users were immediately alerted to broad blocking techniques that could mitigate the problem, it’s taken many months for the first wave of ‘smart’ solutions to arrive.

Following on the heels of a Chrome fix published by Rentamob earlier this month which protects against VPN leaks while leaving WebRTC enabled, Google has now thrown its hat into the ring.

Titled ‘WebRTC Network Limiter’, the tiny Chrome extension (just 7.31KB) disables the WebRTC multiple-routes option in Chrome’s privacy settings while configuring WebRTC not to use certain IP addresses.

In addition to hiding local IP addresses that are normally inaccessible to the public Internet (such as 192.168.1.1), the extension also stops other public IP addresses being revealed.

“Any public IP addresses associated with network interfaces that are not used for web traffic (e.g. an ISP-provided address, when browsing through a VPN) [are hidden],” Google says.

“Once the extension is installed, WebRTC will only use public IP addresses associated with the interface used for web traffic, typically the same addresses that are already provided to sites in browser HTTP requests.”

While both the Google and Rentamob solutions provide more elegant responses to the problem than previously available, both admit to having issues.

“Some WebRTC functions, like VOIP, may be affected by the multiple routes disabled setting. This is unavoidable,” Rentamob explains.

Google details similar problems, including issues directly linked to funneling traffic through a VPN.

“This extension may affect the performance of applications that use WebRTC for audio/video or real-time data communication. Because it limits the potential network paths, WebRTC may pick a path that results in significantly longer delay or lower quality (e.g. through a VPN). We are attempting to determine how common this is,” the company concludes.

After applying the blocks and fixes detailed above, Chrome users can check for IP address leaks by using sites including IPLeak and BrowserLeaks.
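As an added illustration (not part of the TorrentFreak article, and not code from Google or Rentamob), the Python below runs the kind of check the leak-test sites perform, but offline: it parses the ICE candidate lines a browser hands a page, separates local (RFC 1918 and link-local) addresses from public ones, and flags any public address that differs from the one the site already sees in ordinary HTTP requests (with a VPN, the VPN exit). The candidate lines and addresses are constructed for the example: 198.51.100.9 stands in for the VPN exit and 203.0.113.45 for an ISP-assigned address that should stay hidden. A browser with the multiple-routes option disabled, as the extension configures it, should yield an empty report.

```python
import ipaddress
import re

# Address ranges that identify a local (LAN or VPN-tunnel) interface rather
# than a public endpoint: RFC 1918, link-local and their IPv6 equivalents.
LOCAL_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16",
    "fc00::/7", "fe80::/10",
)]

# Fields of an ICE candidate line (RFC 5245 candidate-attribute):
# foundation, component, transport, priority, address, port and "typ <type>".
CANDIDATE_RE = re.compile(
    r"candidate:(?P<foundation>\S+) (?P<component>\d+) (?P<transport>\S+) "
    r"(?P<priority>\d+) (?P<address>\S+) (?P<port>\d+) typ (?P<type>\S+)"
)

# Constructed sample: candidate lines as a browser passes them to a page in
# RTCPeerConnection.onicecandidate. The values are made up for illustration:
# the user is behind a VPN whose exit address is 198.51.100.9, but candidates
# 1-2 come from the ISP-facing interface (LAN 192.168.1.23, ISP 203.0.113.45).
SAMPLE_LEAKY = [
    "candidate:1 1 udp 2122260223 192.168.1.23 51012 typ host generation 0",
    "candidate:2 1 udp 1686052607 203.0.113.45 51012 typ srflx raddr 192.168.1.23 rport 51012 generation 0",
    "candidate:3 1 udp 2122194687 10.8.0.6 51013 typ host generation 0",
    "candidate:4 1 udp 1685987071 198.51.100.9 51013 typ srflx raddr 10.8.0.6 rport 51013 generation 0",
]

# Constructed sample of a browser limited to the default route: only the
# server-reflexive address of the interface that carries web traffic appears.
SAMPLE_LIMITED = [
    "candidate:1 1 udp 1685987071 198.51.100.9 51013 typ srflx raddr 0.0.0.0 rport 0 generation 0",
]


def parse_candidate(line):
    """Return (address, candidate type), or None when the line carries no literal IP."""
    match = CANDIDATE_RE.search(line)
    if not match:
        return None
    try:
        address = ipaddress.ip_address(match.group("address"))
    except ValueError:
        # Newer browsers may emit an mDNS name (something.local) in place of a
        # LAN address; that hides the address, so it is not counted as a leak.
        return None
    return address, match.group("type")


def find_leaks(candidates, expected_public_ip):
    """Classify gathered candidates against the public address the site already sees.

    Returns the local addresses exposed by candidates and the public addresses
    that differ from expected_public_ip (e.g. an ISP-assigned address showing
    through while a VPN is in use).
    """
    expected = ipaddress.ip_address(expected_public_ip)
    local, unexpected_public = set(), set()
    for line in candidates:
        parsed = parse_candidate(line)
        if parsed is None:
            continue
        address, _candidate_type = parsed
        if any(address in net for net in LOCAL_RANGES):
            local.add(str(address))
        elif address != expected:
            unexpected_public.add(str(address))
    return {"local": sorted(local), "unexpected_public": sorted(unexpected_public)}


if __name__ == "__main__":
    print("before:", find_leaks(SAMPLE_LEAKY, "198.51.100.9"))
    print("after: ", find_leaks(SAMPLE_LIMITED, "198.51.100.9"))
```

The local-range test is written out explicitly rather than using `ipaddress.is_private`, because Python also counts the RFC 5737 documentation ranges used in the sample as private. Feeding the script the candidates from your own browser, together with the address a “what is my IP” page reports, gives the same answer as the leak-test sites, without sending the candidates to a third party.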

Source: TorrentFreak, for the latest info on copyright, file-sharing, torrent sites and the best VPN services.

Krebs on Security: Windows 10 Shares Your Wi-Fi With Contacts

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

Starting today, Microsoft is offering most Windows 7 and Windows 8 users a free upgrade to the software giant’s latest operating system — Windows 10. But there’s a very important security caveat that users should know about before transitioning to the new OS: Unless you opt out, Windows 10 will by default share your Wi-Fi network password with any contacts you may have listed in Outlook and Skype — and, with an opt-in, your Facebook friends!

This brilliant new feature, which Microsoft has dubbed Wi-Fi Sense, doesn’t share your WiFi network password per se — it shares an encrypted version of that password. But it does allow anyone in your Skype or Outlook or Hotmail contacts lists to waltz onto your Wi-Fi network — should they ever wander within range of it or visit your home (or hop onto it secretly from hundreds of yards away with a good ‘ole cantenna!).

I first read about this disaster waiting to happen over at The Register, which noted that Microsoft’s Wi-Fi Sense FAQ seeks to reassure would-be Windows 10 users that the Wi-Fi password will be sent encrypted and stored encrypted — on a Microsoft server. According to PCGamer, if you use Windows 10’s “Express” settings during installation, Wi-Fi Sense is enabled by default.

“For networks you choose to share access to, the password is sent over an encrypted connection and stored in an encrypted file on a Microsoft server, and then sent over a secure connection to your contacts’ phone if they use Wi-Fi Sense and they’re in range of the Wi-Fi network you shared,” the FAQ reads.

The company says your contacts will only be able to share your network access, and that Wi-Fi Sense will block those users from accessing any other shared resources on your network, including computers, file shares or other devices. But these words of assurance probably ring hollow for anyone who’s been paying attention to security trends over the past few years: Given the myriad ways in which social networks and associated applications share and intertwine personal connections and contacts, it’s doubtful that most people are aware of who exactly all of their social network followers really are from one day to the next.

El Reg says it well here:

That sounds wise – but we’re not convinced how it will be practically enforced: if a computer is connected to a protected Wi-Fi network, it must know the key. And if the computer knows the key, a determined user or hacker will be able to find it within the system and use it to log into the network with full access.

In theory, someone who wanted access to your company network could befriend an employee or two, and drive into the office car park to be in range, and then gain access to the wireless network. Some basic protections, specifically ones that safeguard against people sharing their passwords, should prevent this.

I should point out that Wi-Fi networks which use the centralized 802.1x Wi-Fi authentication — and these are generally tech-savvy large organizations — won’t have their Wi-Fi credentials shared by this new feature.

Microsoft’s solution for those concerned requires users to change the name (a.k.a. “SSID”) of their Wi-Fi network to include the text “_optout” somewhere in the network name (for example, “oldnetworknamehere_optout”).

It’s interesting to contrast Microsoft’s approach here with that of Apple, which offers an opt-in service called iCloud Keychain. That service allows users who decide to use it to sync WiFi access information, email passwords, and other stored credentials among their own personal constellation of Apple computers and iDevices via Apple’s iCloud service, but it does not share this information with other users. Apple’s iCloud Keychain service encrypts the credentials prior to sharing them, as does Microsoft’s Wi-Fi Sense service; the difference is that it’s opt-in and that it only shares the credentials with your own devices.

Wi-Fi Sense has of course been a part of the latest Windows Phone for some time, yet it’s been less of a concern previously because Windows Phone has nowhere near the market share of mobile devices powered by Google’s Android or Apple’s iOS. But embedding this feature in an upgrade version of Windows makes it a serious concern for much of the planet.

Why? For starters, despite years of advice to the contrary, many people tend to re-use the same password for everything. Also, lots of people write down their passwords. And, as The Reg notes, if you personally share your Wi-Fi password with a friend — by telling it to them or perhaps accidentally leaving it on a sticky note on your fridge — and your friend enters the password into his phone, the friends of your friend now have access to the network.

Source: How-To Geek

An article in Ars Technica suggests the concern over this new feature is much ado about nothing. That story states: “First, a bit of anti-scaremongering. Despite what you may have read elsewhere, you should not be mortally afraid of Wi-Fi Sense. By default, it will not share Wi-Fi passwords with anyone else. For every network you join, you’ll be asked if you want to share it with your friends/social networks.”

To my way of reading that, if I’m running Windows 10 in the default configuration and a contact of mine connects to my Wi-Fi network and says yes to sharing, Windows shares access to that network: The contact gets access automatically, because I’m running Windows 10 and we’re social media contacts. True, that contact doesn’t get to see my Wi-Fi password, but he can nonetheless connect to my network.

While you’re at it, consider keeping Google off your Wi-Fi network as well. It’s unclear whether the Wi-Fi Sense opt-out kludge will also let users opt out of having their wireless network name indexed by Google, which requires the inclusion of the phrase “_nomap” in the Wi-Fi network name. The Register seems to think Windows 10 upgraders can avoid each by including both “_nomap” and “_optout” in the Wi-Fi network name, but this article at How-To Geek says users will need to choose the lesser of two evils.

Either way, Wi-Fi Sense combined with integrated Google mapping tells people where you live (and/or where your business is), meaning that they now know where to congregate to jump onto your Wi-Fi network without your permission.

My suggestions:

  1. Prior to upgrade to Windows 10, change your Wi-Fi network name/SSID to something that includes the terms “_nomap_optout”.
  2. After the upgrade is complete, change the privacy settings in Windows to disable Wi-Fi Sense sharing.
  3. If you haven’t already done so, consider additional steps to harden the security of your Wi-Fi network.
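An added helper for step 1, not from the post or from Microsoft: the 802.11 SSID field holds at most 32 octets, so appending the 13-character “_nomap_optout” suffix can push a long or non-ASCII network name over the limit, and a truncated name would silently lose one of the markers. The Python below reports which opt-out markers an SSID already carries and builds a compliant opt-out name by trimming the base name on character boundaries. The network names are constructed for the example.

```python
SSID_MAX_BYTES = 32  # IEEE 802.11 limits an SSID to 32 octets
# Suffix the post recommends: "_nomap" keeps the network out of Google's
# location index, "_optout" keeps Wi-Fi Sense from sharing it.
OPT_OUT_SUFFIX = "_nomap_optout"


def opt_out_status(ssid):
    """Report which opt-out markers an SSID carries and whether it is a legal length."""
    return {
        "wifi_sense_optout": "_optout" in ssid,
        "google_nomap": "_nomap" in ssid,
        "fits": len(ssid.encode("utf-8")) <= SSID_MAX_BYTES,
    }


def opt_out_ssid(base_name, suffix=OPT_OUT_SUFFIX):
    """Append the opt-out suffix, shortening base_name so the result stays within 32 bytes.

    A name that already carries both markers and fits is returned unchanged.
    Truncation happens on character boundaries, so a multi-byte character is
    never cut in half and the suffix is always kept whole.
    """
    status = opt_out_status(base_name)
    if status["wifi_sense_optout"] and status["google_nomap"] and status["fits"]:
        return base_name
    budget = SSID_MAX_BYTES - len(suffix.encode("utf-8"))
    if budget < 1:
        raise ValueError("suffix leaves no room for a network name")
    kept, used = [], 0
    for ch in base_name:
        size = len(ch.encode("utf-8"))
        if used + size > budget:
            break
        kept.append(ch)
        used += size
    return "".join(kept) + suffix


if __name__ == "__main__":
    for name in ("oldnetworknamehere", "MyVeryLongHomeNetworkName2015", "Café"):
        new = opt_out_ssid(name)
        print(f"{name!r} -> {new!r} ({len(new.encode('utf-8'))} bytes)")
```

Run it against the name you plan to use before changing the router; if the base name gets trimmed, decide which characters to drop yourself rather than accepting the automatic cut.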

Further reading:

What Is Wi-Fi Sense and Why Does it Want Your Facebook Account? 

UH OH: Windows 10 Will Share Your Wi-Fi Key With Your Friends’ Friends

Why Windows 10 Shares Your Wi-Fi Password and How to Stop it

Wi-Fi Sense in Windows 10: Yes, It Shares Your Passkeys, No You Shouldn’t Be Scared

TorrentFreak: RIAA Wants Domain Registrar to Expose ‘Pirate Site’ Owner

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

Despite an increased availability of legal options, millions of people still stream MP3s from unofficial sources. These sites are a thorn in the side of the RIAA.

Going after these pirate sites is a problem, according to the music group, as the operators are often unknown and hidden behind Whois privacy services. This is one of the reasons why the RIAA is supporting an ICANN proposal to limit domain name privacy.

But even under current laws and regulations it’s often possible to find out who runs a website, through a DMCA subpoena for example. And a recent case shows that the process isn’t too hard.

A few days ago the RIAA obtained a DMCA subpoena from the U.S. District Court of Columbia ordering domain name registrar Dynadot to expose the personal details of a customer. These subpoenas are signed off by a clerk and don’t require any oversight from a judge.

With the subpoena in hand the RIAA asked Dynadot to identify the owner of the music streaming site Soundpiff.net, claiming that the site infringes the work of artists such as Eminem, Drake and Selena Gomez. Among other details, the registrar is ordered to share the IP-address and email address of the site’s operator.

“We believe your service is hosting the below-referenced domain name on its network. The website associated with this domain name offers files containing sound recordings which are owned by one or more of our member companies and have not been authorized for this kind of use,” the RIAA writes.

Soundpiff.net

In addition, the RIAA also urges Dynadot to review whether the site violates its terms of service as a repeat infringer, which means that it should be pulled offline.

“We also ask that you consider the widespread and repeated infringing nature of the site operator(s)’ conduct, and whether the site(s)‘ activities violate your terms of service and/or your company’s repeat infringer policy.”

Soundpiff.net is a relatively small site that allows users to discover, stream and download music tracks. The audio files themselves appear to be sourced from the music hosting service Audioinbox, and are not hosted on the site’s servers.

“On our website you can find links that lead to media files. These files are stored somewhere else on the internet and are not a part of this website. SoundPiff.net does not carry any responsibility for them,” the website’s operator notes.

It is unclear what the RIAA is planning to do if they obtain the personal information of the site owners. In addition to suggesting that Dynadot should disconnect the site as a repeat infringer, the music group will probably issue a warning to the site’s operator.

For now, however, Soundpiff is still up and running.

This is not the first time that the RIAA has gone after similar sites in this way. Over the past several years the group has targeted several other download and streaming sites via their registrars or Whois privacy services. Some of these have closed, but others still remain online today.

RIAA’s subpoena to Dynadot

Source: TorrentFreak, for the latest info on copyright, file-sharing, torrent sites and the best VPN services.

TorrentFreak: Public Revolts Against Plan to Kill Domain Name Privacy

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

A new ICANN proposal currently under review suggests various changes to how WHOIS protection services should operate.

The changes are welcomed by copyright holders, as they will make it easier to identify the operators of pirate sites, who can then be held responsible.

However, several domain registrars, digital rights groups and the public at large are less enthusiastic. They fear that the changes will also prevent many legitimate website owners from using private domain registrations.

To allow the various parties to weigh in, ICANN launched a public consultation, and the overwhelming number of responses over the past several weeks show that domain name privacy is a topic that many people have taken to heart.

At the time of writing ICANN has received well over 11,000 comments, most of which encourage the organization to keep private domain registrations available.

A few dozen comments have been filed by special interest groups, but most were submitted by ordinary Internet users who fear that they will have to put their name, address and other personal details out in public.

Countering the “piracy” argument, several people note that the changes would do very little to stop people from running illegal websites, as WHOIS data can easily be faked.

“The truth is, if the website is an illegal website, then the information in the Whois is not going to be legit anyway. So you are not helping anything when it comes to tracking down crime. You are only helping crime by providing the criminals with more information. On people that are being legal,” one commenter notes.

Others warn that the proposals will leave the door open for all sorts of harassment, or even aid oppressive regimes and terrorist groups including ISIS.

“Please do not make it easier for these oppressive regimes and terrorists to identify and target the brave men and women who risk their lives by writing and blogging about what goes on in those dangerous parts of the world,” a commenter writes.

In large part however, the massive protests are fueled by the “Respect Our Privacy” campaign site which was launched by the EFF, Namecheap and Fight for the Future. This site allows people to submit a pre-written letter in just a few clicks, which results in thousands of duplicate comments.

The MPAA previously criticized the form letters noting that they are triggered by “hype and misinformation sponsored by certain registrars and advocacy groups,” while accusing the campaign site of spreading “completely false” information.

It will be interesting to see how the public consultation will influence ICANN’s proposal and the future operation of domain name privacy services.

The commenting period closes this coming Tuesday and will be followed by an official report. After that, the ICANN board will still have to vote on whether or not the changes will be implemented.

Source: TorrentFreak, for the latest info on copyright, file-sharing, torrent sites and the best VPN services.

Schneier on Security: Using Secure Chat

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

Micah Lee has a good tutorial on installing and using secure chat.

To recap: We have installed Orbot and connected to the Tor network on Android, and we have installed ChatSecure and created an anonymous secret identity Jabber account. We have added a contact to this account, started an encrypted session, and verified that their OTR fingerprint is correct. And now we can start chatting with them with an extraordinarily high degree of privacy.

FBI Director James Comey, UK Prime Minister David Cameron, and totalitarian governments around the world all don’t want you to be able to do this.

Darknet - The Darkside: Telegram DDoS Attack – Messaging App Suffers 200GBps Pounding

This post was syndicated from: Darknet - The Darkside and was written by: Darknet. Original post: at Darknet - The Darkside

For those not familiar, before we get to the Telegram DDoS attack: Telegram is an instant messaging system focusing on privacy and multi-platform availability. It was launched by the founders of VK, the largest social network in Russia, and is run as an independent non-profit company in Germany. The client code is open-source and audited […]

The…

Read the full post at darknet.org.uk

Krebs on Security: Hacking Team Used Spammer Tricks to Resurrect Spy Network

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

Last week, hacktivists posted online 400 GB worth of internal emails, documents and other data stolen from Hacking Team, an Italian security firm that has earned the ire of privacy and civil liberties groups for selling spy software to governments worldwide. New analysis of the leaked Hacking Team emails suggests that in 2013 the company used techniques perfected by spammers to hijack Internet address space from a spammer-friendly Internet service provider in a bid to regain control over a spy network it apparently had set up for the Italian National Military Police.

Hacking Team is in the business of selling exploits that allow clients to secretly deploy spyware on targeted systems. In just the past week since the Hacking Team data was leaked, for example, Adobe has fixed two previously undocumented zero-day vulnerabilities in its Flash Player software that Hacking Team had sold to clients as spyware delivery mechanisms.

The spyware deployed by Hacking Team’s exploits consists essentially of remote-access Trojan horse programs designed to hoover up stored data, recorded communications, keystrokes, etc. from infected devices, giving the malware’s operator full control over victim machines.

Systems infested with Hacking Team’s malware are configured to periodically check for new instructions or updates at a server controlled by Hacking Team and/or its clients. This type of setup is very similar to the way spammers and cybercriminals design “botnets,” huge collections of hacked PCs that are harvested for valuable data and used for a variety of nefarious purposes.

No surprise, then, that Hacking Team placed its control servers in this case at an ISP that was heavily favored by spammers. Leaked Hacking Team emails show that in 2013, the company set up a malware control server for the Special Operations Group of the Italian National Military Police (INMP), an entity focused on investigating organized crime and terrorism. One or both of these organizations chose to position that control at Santrex, a notorious Web hosting provider that at the time served as a virtual haven for spammers and malicious software downloads.

But that decision backfired. As I documented in October 2013, Santrex unexpectedly shut down all of its servers, following a series of internal network issues and extensive downtime. Santrex made that decision after several months of incessant attacks, hacks and equipment failures at its facilities caused massive and costly problems for the ISP and its customers. The company’s connectivity problems essentially made it impossible for either Hacking Team or the INMP to maintain control over the machines infected with the spyware.

According to research published Sunday by OpenDNS Security Labs, around that same time the INMP and Hacking Team cooked up a plan to regain control over the Internet addresses abandoned by Santrex. The plan centered around a traffic redirection technique known as “BGP hijacking,” which involves one ISP fraudulently “announcing” to the rest of the world’s ISPs that it is in fact the rightful custodian of a dormant range of Internet addresses that it doesn’t actually have the right to control.

IP address hijacking is hardly a new phenomenon. Spammers sometimes hijack Internet address ranges that go unused for periods of time (see this story from 2014 and this piece I wrote in 2008 for The Washington Post for examples of spammers hijacking Internet space). Dormant or “unannounced” address ranges are ripe for abuse partly because of the way the global routing system works: Miscreants can “announce” to the rest of the Internet that their hosting facilities are the authorized location for given Internet addresses. If nothing or nobody objects to the change, the Internet address ranges fall into the hands of the hijacker.

Apparently nobody detected the BGP hijack at the time, and that action eventually allowed Hacking Team and its Italian government customer to reconnect with the Trojaned systems that once called home to their control server at Santrex. OpenDNS said it was able to review historic BGP records and verify the hijack, which at the time allowed Hacking Team and the INMP to migrate their malware control server to another network.
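The historic-route review OpenDNS describes can be approximated from public route-collector archives. The Python below is an added example, not OpenDNS’s or Hacking Team’s code, of the two checks a defender would run over such records: an announcement whose origin AS is not the prefix’s registered holder (from registry data such as RIR records or RPKI ROAs), and a prefix that reappears from a new origin after a period of silence, which is the pattern the post describes. The observations, prefixes (RFC 5737 documentation ranges) and AS numbers (RFC 5398 documentation range) are constructed; the `quiet_days` threshold is an assumed tuning value.

```python
from collections import defaultdict
from datetime import date

# Constructed registry of the legitimate origin AS for each prefix (in
# practice this comes from RIR whois records or RPKI ROAs). None of these
# prefixes or AS numbers belongs to a real network.
REGISTERED_ORIGIN = {
    "192.0.2.0/24": 64496,
    "198.51.100.0/24": 64497,
}

# Constructed observations in the shape a route collector archives them:
# (date, prefix, AS path as seen from the collector); the origin AS is the
# last element of the path. 192.0.2.0/24 goes quiet after early August and
# reappears in late October with a different origin; 198.51.100.0/24 has the
# same gap but comes back from its registered origin.
OBSERVATIONS = [
    ("2013-08-01", "192.0.2.0/24", [64500, 64496]),
    ("2013-08-02", "192.0.2.0/24", [64500, 64496]),
    ("2013-10-20", "192.0.2.0/24", [64502, 64511]),
    ("2013-08-01", "198.51.100.0/24", [64500, 64497]),
    ("2013-08-02", "198.51.100.0/24", [64500, 64497]),
    ("2013-10-20", "198.51.100.0/24", [64500, 64497]),
]


def detect_suspicious_origins(observations, registry, quiet_days=30):
    """Flag announcements whose origin AS is not the registered holder, or that
    revive a prefix from a new origin after at least quiet_days of silence.

    Returns one finding per suspicious observation, ordered by prefix and date.
    """
    by_prefix = defaultdict(list)
    for day, prefix, as_path in observations:
        by_prefix[prefix].append((date.fromisoformat(day), as_path[-1]))

    findings = []
    for prefix in sorted(by_prefix):
        last_seen, last_origin = None, None
        for day, origin in sorted(by_prefix[prefix]):
            flags = []
            expected = registry.get(prefix)
            if expected is not None and origin != expected:
                flags.append("origin-not-registered-holder")
            gap = (day - last_seen).days if last_seen is not None else 0
            if last_seen is not None and gap >= quiet_days and origin != last_origin:
                flags.append("origin-changed-after-silence")
            if flags:
                findings.append({
                    "prefix": prefix, "date": day.isoformat(), "origin": origin,
                    "expected": expected, "gap_days": gap, "flags": flags,
                })
            last_seen, last_origin = day, origin
    return findings


if __name__ == "__main__":
    for finding in detect_suspicious_origins(OBSERVATIONS, REGISTERED_ORIGIN):
        print(finding)
```

The second check matters because registry data is often stale or absent: a prefix that was silent for months and suddenly comes back from an unrelated AS deserves a look even when no registry entry contradicts it, which is why the function still reports that case with an empty registry.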

This case is interesting because it sheds new light on the potential dual use of cybercrime-friendly hosting providers. For example, law enforcement agencies have been known to allow malicious ISPs like Santrex to operate with impunity because the alternative — shutting the provider down or otherwise interfering with its operations — can interfere with the ability of investigators to gather sufficient evidence of wrongdoing by bad actors operating at those ISPs. Indeed, the notoriously bad and spammer-friendly ISPs McColo and Atrivo were perfect examples of this prior to their being ostracized and summarily shut down by the Internet community in 2008.

But this example shows that some Western law enforcement agencies may also seek to conceal their investigations by relying on the same techniques and hosting providers that are patronized by the very criminals they are investigating.

TorrentFreak: Bitcoin Bounties Aim to Turn Pirates Into Snitches

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

While money may very well be the root of most evil, it’s still a commodity most people want to get their hands on. Trouble is, most financial systems rely on expensive middle-men who are always keen to retain a piece of the pie in return for their transactional skills.

For users of Bitcoin, however, things are somewhat different. The system relies on a peer-to-peer architecture which allows users to transact directly without needing an intermediary. And, of great value to privacy lovers, the system is somewhat less intrusive, unless users provide information about themselves as part of a purchase, for example.

These aspects have generated interest among those in the ‘pirate’ community, with some torrent sites now accepting donations via Bitcoin instead of through the troublesome PayPal. However, a service currently being promoted by a technology company will see Bitcoin used in the fight against piracy instead.

The solution comes from South Africa-based Custos Media Technologies who say that for a fee they can embed a “digital alarm” into movies and music that can alert content owners when their material is uploaded to torrent sites or other file-sharing platforms.

Developed by researchers at Stellenbosch University, the CustosTech system aims to discourage leaks and reward those who find them while exploiting the publicly accessible information associated with Bitcoin.

The concept is fairly straightforward. Content creators are given the opportunity to embed a unique identifying watermark into a movie, music track or other digital content before they sell or loan it to a customer or client. One suggested use that may catch the industry’s eye is when so-called ‘screeners’ are handed out to Academy members and critics.

However, instead of having a “For Your Consideration” watermark in the middle of the screen, protected movies in this scenario have a trick up their sleeve.

“Custos embeds watermarks into the analog and/or digital content of media items, which are imperceptible but difficult to remove. Each watermark contains a Bitcoin wallet, with a reward for anyone who anonymously claims it once the media has passed out of the control of the original recipient,” Custos explain.

“Media downloaders who want to search for such rewards (‘bounty hunters’) can do so anonymously, from anywhere in the world. The moment a bounty is claimed – and by the nature of cryptocurrencies, this can only happen once – the transaction reflects on the blockchain, and Custos notifies the media provider of the incident, and to which recipient the content was originally licensed.”

In other words, when content appears on a site somewhere, the first person to download it, view the code, and report it via a special Custos tool, wins the Bitcoin bounty. It’s essentially a people-powered leak reporting system that could lead to a number of possibilities for the content provider.

“[The person to whom the content was originally given] could then be subject to financial or legal penalties, or to reduced access to future content,” Custos explain.

“In this manner, authorised media users are strongly discouraged from actively sharing files or carelessly leaking them, while at the same time, they need not be inconvenienced by cumbersome security measures.”

The company is marketing CustosTech as a system that “turns the downloaders against the uploaders” and in some ways it’s difficult to argue with the assertion. Whether the system will prove popular enough with ‘snitches’ will remain to be seen – that will probably rely on the size of the ‘bounties’ up for grabs.

Source: TorrentFreak, for the latest info on copyright, file-sharing, torrent sites and the best VPN services.