Posts tagged ‘research’

Raspberry Pi: Sonic Pi Competition

This post was syndicated from: Raspberry Pi and was written by: Carrie Anne Philbin. Original post: at Raspberry Pi

Coding music on a Raspberry Pi with Sonic Pi has quickly become a great way to learn programming concepts and to pump out some thumping beats. Last year I worked with Dr Sam Aaron, live coder and academic at the University of Cambridge, to teach KS3 pupils text-based programming on Raspberry Pis as part of their ICT & Computing lessons. Since then Sonic Pi has proved incredibly popular in classrooms worldwide. The scheme of work we used is available for free in the ‘Teach’ section of our resources for any educator wanting to teach computer programming in a fun way.

sonicpi2

Since our classroom collaboration, Sam has been busy working on Sonic Pi version 2.0 and together we have been wowing attendees of Picademy with the potential of Sonic Pi for the classroom. We have also been working on Sonic Pi: Live & Coding, a digital research project to turn a Raspberry Pi into a musical instrument with Sonic Pi, working with schools, artists, academics and the Cambridge Junction, which will culminate in a Sonic Pi: Live & Coding Summit this November. In fact, this week at the Cambridge Junction, 60 children have been participating in the project, having coding music battles, and jamming with musicians.

Sonic Pi

Push Sam’s buttons and watch his eyes pop at Sonic Pi Live and Coding!

To coincide with the summit, we will be launching a Sonic Pi: Live & Coding competition in September to find the best original sonic pi composition created by a child or young person in three age categories. We will have a significant number of Raspberry Pis to give away at random for those who take part, and the semi-finalists of the competition will be invited to perform their original work live at the summit in November in front of an audience and panel of judges to potentially be crowned the first ever Sonic Pi Competition winner!

So what are you waiting for? Download Sonic Pi version 2 for your Raspberry Pi by following these instructions, and then take a look at the Sonic Pi 2 article by Sam in the MagPi magazine, and our new Sonic Pi Version 2 Getting Started resource. Take this opportunity to practice and get a head start on the competition!

Get your pratice in for the Sonic Pi version 2 competition with our new resource.

Get your practice in for the Sonic Pi version 2 competition with our new resource.

TorrentFreak: Google Protects Chilling Effects From Takedown Notices

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

google-bayEach week many millions of DMCA-style copyright notices are sent to sites and services around the planet. Initially the process flew almost entirely under the radar, with senders and recipients dealing with complaints privately.

In 2001, that began to change with the advent of Chilling Effects, an archive created by activists who had become concerned that increasing volumes of cease-and-desist letters were having a “chilling effect” on speech.

In the decade-and-a-third that followed the archive grew to unprecedented levels, with giants such as Google and Twitter routinely sending received notices to the site for public retrieval.

However, while Chilling Effects strives to maintain free speech, several times a month rightsholders from around the world (probably unintentionally) try to silence the archive in specific ways by asking Google to de-index pages from the site.

As can be seen from the tables below, Home Box Office has tried to de-index Chilling Effects pages 240 times, with Microsoft and NBC Universal making 99 and 65 attempts respectively.

Chilling1

The ‘problem’ for these copyright holders is two-fold. Firstly, Chilling Effects does indeed list millions of URLs that potentially link to infringing content. That does not sit well with copyright holders.

“Because the site does not redact information about the infringing URLs identified in the notices, it has effectively become the largest repository of URLs hosting infringing content on the internet,” the Copyright Alliance’s Sandra Aistars complained earlier this year.

However, what Aistars omits to mention is that Chilling Effects has a huge team of lawyers under the hood who know only too well that their archive receives protection under the law. Chilling Effects isn’t a pirate index, it’s an educational, informational, research resource.

Thanks to Google, which routinely throws out all attempts at removing Chilling Effects URLs from its indexes, we are able to see copyright holder attempts at de-indexing.

Earlier this month, for example, Wild Side Video and their anti-piracy partners LeakID sent this notice to Google aiming to protect their title “Young Detective Dee.” As shown below, the notice contained several Chilling Effects URLs.

chill2

Each URL links to other DMCA notices on Chilling Effects, each sent by rival anti-piracy outfit Remove Your Media on behalf of Well Go USA Entertainment. They also target “Young Detective Dee”. This is an interesting situation that offers the potential for an endless loop, with the anti-piracy companies reporting each others’ “infringing” links on Chilling Effects in fresh notices, each time failing to get them removed.

chilling3

The seeds of the “endless loop” phenomenon were also experienced by HBO for a while, with the anti-piracy company sending notices (such as this one) targeting dozens of Chilling Effects pages listing notices previously sent by the company.

While publishing notices is entirely legal, the potential for these loops really angers some notice senders.

On April 10 this year a Peter Walley sent a notice to Google complaining that his book was being made available on a “pirate site” without permission. Google removed the link in its indexes but, as is standard practice, linked to the notice on Chilling Effects. This enraged Walley.

chilling4

None of these rantings had any effect, except to place yet another notice on Chilling Effects highlighting where the infringing material could be found.

It’s a lesson others should learn from too.

Source: TorrentFreak, for the latest info on copyright, file-sharing and anonymous VPN services.

SANS Internet Storm Center, InfoCON: green: “Internet scanning project” scans, (Sat, Jul 26th)

This post was syndicated from: SANS Internet Storm Center, InfoCON: green and was written by: SANS Internet Storm Center, InfoCON: green. Original post: at SANS Internet Storm Center, InfoCON: green

A reader, Greg, wrote in with a query on another internet scanning project. He checked out the IP address and it lead to a web site, www[.]internetscanningproject.org, which states:

“Hello! You’ve reached the Internet Scanning Project.

We’re computer security researchers performing periodic Internet-wide health assessments.

If you reached this site because of activity you observed on your network:

We apologize for any concern caused by our network activity. We are not specifically targeting your network.

We have not attempted to unlawfully access or abuse your network in any way. We are exclusively accessing publicly available servers, we respect all authentication barriers, and (as you can see) we have made no attempt to hide our activity.

This effort is part of a research project in which we are engaged in with view to possibly contributing to public Internet health datasets. We believe research of this sort is both legal and beneficial to the security of the Internet as a whole.

However, if you wish to be excluded from our scanning efforts after reading the clarifying information below, please email us with IP addresses or CIDR blocks to be added to our blacklist.”

It does not provide any information or assurances that this is a legitimate research project and I wouldn’t be want to sending information to unknown people via an unattributable web site. The normal low level open source searching doesn’t reveal anything of use or attribution either. It does, however, bring up a fair number hits of people asking what are these scans and the best way to block them.

It appears this scanning has been running for a couple of weeks and has being using multiple IP addresses (see https://isc.sans.edu/topips.txt for some examples). A curious point, for a “legitimate” scan, is that they have started changed the User Agent frequently and in some cases to some very odd nonsensical strings. The core scans are against TCP ports 21, 22 and 443 and the 443 scans may trigger alerts for probing on the Heartbleed bug.

Chris Mohan — Internet Storm Center Handler on Duty

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Raspberry Pi: Pi in the Sky: hardware for high-altitude balloonists from Dave Akerman

This post was syndicated from: Raspberry Pi and was written by: Liz Upton. Original post: at Raspberry Pi

Liz: Regular readers will be very familiar with the name Dave Akerman. Dave has been sending Raspberry Pis to the stratosphere under weather balloons since we launched the Pi in 2012, and his work in helping schools develop their own in-house space programs has been fantastic to watch. He and his friend Anthony Stirk have just produced a telemetry add-on board for the Raspberry Pi to help schools (and everybody else) reproduce the sort of spectacular results you’ve seen from him before. Here he is to introduce it: over to you, Dave!

High Altitude Ballooning is an increasingly popular hobby (I nearly said that interest has been “ballooning”, but fortunately I stopped myself just in time …), bringing what is termed “near space” within the reach of pretty much anyone who is willing to put in the effort and spend a moderate amount of money.

moon and sky from stratosphere

 

Although it’s possible to successfully fly and retrieve a balloon with a simple GSM/GPS tracker, the chances are that this will end in failure and tears. GSM coverage in the UK is nowhere near 100%, especially in rural areas which is where we want (and aim) the flights to land. The next step up, in reliability and price, is a “Spot” tracker which works solely via satellites, but those don’t work if they land upside down. Also, neither of these solutions will tell you how high the flight got, or record any science data (e.g. temperature, pressure), or indeed tell you anything about the flight until they land. If you’re lucky. A lost flight is a sad thing indeed.

pic from stratosphere

 

For some countries (e.g. USA, but not the UK), if you are a licensed amateur radio operator you can fly an APRS tracker, in which case the flight will be tracked for you via the ground-based APRS network run by other radio hams. Sadly UK laws prohibit radio hams transmitting from an airborne vehicle, so APRS is out for us.

For these reasons, pretty much everyone involved in the hobby in the UK, and many other countries, uses radio trackers operating in an ISM (Industrial, Scientific and Medical) band where airborne usage is allowed. These work throughout the flight, transmitting GPS co-ordinates plus temperature and anything else that you can add a sensor for. Many radio trackers can also send down live images, meaning that you can see what your flight is seeing without having to wait for it to land. Here’s a diagram showing how telemetry from the flight ends up as a balloon icon on a Google map:

tracking system

 

What’s not shown here is that, provided you tell them, the other balloonists will help track for you. So not only will you be receiving telemetry and images directly via your own radio receiver, but others will do to. All received data is collated on a server so if you do lose contact with the flight briefly then it doesn’t matter. However, this does not mean you can leave the tracking up to others! You’ll need to receive at the launch site (you have to make sure it’s working!) and also in the chase car once it lands. The expense of doing this is small – a TV dongle for £12 or so will do it, with a £15 aerial and a laptop, ideally with a 3G dongle or tethered to a phone.

Traditionally, balloonists build their own radio trackers, and for anyone with the skills or the time and ability to learn programming and some digital electronics, this is definitely the most rewarding route to take. Imagine receiving pictures of the Earth from 30km up, using a piece of kit that you designed and built and programmed! So if you are up to this challenge (and I suspect that most people reading are) then I recommend that you do just that. It takes a while, but during the development you’ll have plenty of time to research other aspects of the hobby (how to predict the flight path, and obtain permission, and fill the balloon, etc.). And when you’re done, you can hold in your hand something that is all your own work and has, to all intents and purposes, been to space.

weather balloon bursting

 

For some though, it’s just not practical to develop a new tracker. Or you might be a programming whizz, but not know which end of a soldering iron to pick up. It was with these people in mind that we (myself and Anthony Stirk – another high altitude balloonist) developed our “Pi In The Sky” telemetry board. Our principle aim is to enable schools to launch balloon flights with radio trackers, without having to develop the hardware and software first. It is also our hope that older children and students will write their own software or at least modify the provided (open source) software, perhaps connecting and writing code for extra sensors (the board has an i2c connection for add-ons).

The board and software are based on what I’ve been flying since my first “Pi In The Sky” flight over 2 years ago, so the technology has been very well proven (approximately 18 flights and no losses other than deliberate ones!). So far the board itself has clocked up 5 successful flights, with the released open-source software on 3 of those. Here’s the board mounted to a model B (though we very strongly recommend use of a model A, which consumes less power and weighs less):

Pi in the Sky board

It comes in a kit complete with a GPS antenna, SMA pigtail (from which you can easily make your own radio aerial), stand-offs for a rigid mounting to the Pi board, and battery connectors. Software is on https://github.com/piinthesky, with installation instructions at http://www.pi-in-the-sky.com/index.php?id=support, or there is a pre-built SD card image for the tragically lazy. We do recommend manual installation as you’ll learn a lot.

By now you’re probably itching to buy a board and go fly it next weekend. Please don’t. Well, buy the board by all means, but from the moment you decide that this is the project for you, you should task yourself with finding out all you can about how to make your flight a safe success. For a start, this means learning about applying for flight permission (which, if you want to launch from your garden at the end of an airport runway, isn’t going to be given). Permission is provided together with a NOTAM (NOtice To AirMen) which tells said pilots what/where/when your launch will be, so they can take a different path. You also need to learn about predicting the flight path so that it lands well away from towns or cities or motorways or airports. I hope I don’t need to explain how important all of this is.

IMG_0690-e1404813775746-768x1024

 

There’s lots more to learn about too, for example:

  • How to track the flight
  • How to fill a balloon
  • Where to buy the balloon
  • What size balloon? What size parachute? How to tie it all together?

None of this is complicated (it’s not, ahem “rocket science”), but there is a lot to know. Don’t be surprised if the time between “I’ll do it!” and “Wow, I did it!” is measured in months. Several of them. In fact, worry if it’s less than that – this research takes time. We will be producing some teaching materials, but meantime please see the following links:

As for the board, it provides a number of features borne out of a large number of successful flights:

  • Efficient built-in power regulator providing run time of over 20 hours from 4 AA cells (using a model A Pi)
  • Highly sensitive UBlox GPS receiver approved for altitudes up to 50km
  • Temperature compensated, license-free (Europe) frequency agile, 434MHz radio transmitter
  • Temperature sensor
  • Battery voltage monitoring
  • Sockets for external i2c devices, analog input, external temperature sensor
  • Allows use of Raspberry Pi camera
  • Mounting holes and spacers for a solid connection to the Pi

The open-source software provides these features:

  • Radio telemetry with GPS and sensor data using UKHAS standard
  • Radio image download using SSDV standard
  • Multi-threaded to maximize use of the radio bandwidth
  • Variable image size according to altitude
  • Stores full-definition images as well as smaller transmitted images
  • Automatically chooses better images for download
  • Configurable via text file in the Windows-visible partition of the SD card
  • Supplied as github repository with instructions, or SD card image

Finally, anyone interested in high altitude ballooning, using our board or not, should come to the UKHAS Conference on 16th August 2014 at the University of Greenwich. Anthony and I will be presenting our board during the morning sessions, and will run a workshop on the board in the afternoon. For tickets click here.

The Hacker Factor Blog: A Victory for Fair Use

This post was syndicated from: The Hacker Factor Blog and was written by: The Hacker Factor Blog. Original post: at The Hacker Factor Blog

Last week I reported on a copyright infringement letter that I had received from Getty Images. The extremely hostile letter claimed that I was using a picture in violation of their copyright, ordered me to “cease and desist” using the picture, and demanded that I pay $475 in damages. Various outlets have referred to this letter as trolling and extortion.

Not being an attorney, I contacted my good friend, Mark D. Rasch. Mark is a well-known attorney in the computer security world. Mark headed the United States Department of Justice Computer Crime Unit for nine years and prosecuted cases ranging from computer crime and fraud to digital trespassing and viruses. If you’re old enough, then you remember the Hanover Hackers mentioned in The Cuckoo’s Egg, Robert Morris Jr. (first Internet worm), and Kevin Mitnick — Mark worked all of those prosecutions. He regularly speaks at conferences, appears in news interviews, and has taught cyberlaw to law enforcement and big universities. (If I were a big company looking for a chief privacy officer, I would hire him in a second.)

This letter from Getty had me concerned. But I can honestly say that, in the 12 years that I’ve known him, I have never seen Mark so animated about an issue. I have only ever seen him as a friendly guy who gives extremely informative advice. This time, I saw a side of Mark that I, as a friend, have never experienced. I would never want to be on the other side of the table from him. And even being on the same side was really intimidating. (Another friend told me that Mark has a reputation for being an aggressive bulldog. And this was my first time seeing his teeth.) His first advice to me was very straightforward. He said, “You have three options. One, do nothing. Two, send back a letter, and three, sue them.” Neither of us were fond of option #1. After a little discussion, I decided to do option #2 and prepare for #3.

First I sent the response letter. Then I took Mark’s advice and began to prepare for a lawsuit. Mark wanted me to take the initiative and file for a “Copyright Declaratory Judgment“. (Don’t wait for Getty.) In effect, I wanted the court to declare my use to be Fair Use.

Getty’s Reply

I honestly expected one of three outcomes from my response letter to Getty Images. Either (A) Getty would do nothing, in which case I would file for the Declaratory Judgment, or (B) Getty would respond with their escalation letter, demanding more money (in which case I would still file for the Declaratory Judgment), or (C) Getty would outright sue me, in which case I would respond however my attorney advised.

But that isn’t what happened. Remarkably, Getty backed down! Here’s the letter that they sent me (I’m only censoring email addresses):

From: License Compliance
To: Dr. Neal Krawetz
Subject: [371842247 Hacker Factor ]
Date: Tue, 22 Jul 2014 20:51:13 +0000

Dr. Krawetz:

We have reviewed your email and website and are taking no further action. Please disregard the offer letter that has been presented in this case. If you have any further questions or concerns, please do not hesitate to contact us.

Nancy Monson
Copyright Compliance Specialist
Getty Images Headquarters
605 Fifth Avenue South, Suite 400
Seattle WA 98104 USA
Phone 1 206 925 6125
Fax 1 206 925 5001
[redacted]@gettyimages.com

For more information about the Getty Images License Compliance Program, please visit http://company.gettyimages.com/license-compliance

Helpful information about image copyright rules and how to license stock photos is located at www.stockphotorights.com and Copyright 101.

Getty Images is leading the way in creating a more visual world. Our new embed feature makes it easy, legal, and free for anybody to share some of our images on websites, blogs, and social media platforms.
http://www.gettyimages.com/Creative/Frontdoor/embed

(c)2014 Getty Images, Inc.

PRIVILEGED AND CONFIDENTIAL
This message may contain privileged or confidential information and is intended only for the individual named. If you are not the named addressee or an employee or agent responsible for delivering this message to the intended recipient you should not disseminate, distribute or copy this e-mail or any attachments hereto. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail and any attachments from your system without copying or disclosing the contents. E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. The sender therefore does not accept liability for any errors or omissions in the contents of this message, which arise as a result of e-mail transmission. If verification is required please request a hard-copy version. Getty Images, 605 5th Avenue South, Suite 400. Seattle WA 98104 USA, www.gettyimages.com. PLEASE NOTE that all incoming e-mails will be automatically scanned by us and by an external service provider to eliminate unsolicited promotional e-mails (“spam”). This could result in deletion of a legitimate e-mail before it is read by its intended recipient at our firm. Please tell us if you have concerns about this automatic filtering.

Mark Rasch also pointed out that Getty explicitly copyrighted their email to me. However, the same Fair Use that permits me to use their pictures also permits me to post their entire email message. And that whole “PRIVILEGED AND CONFIDENTIAL” paragraph? That’s garbage and can be ignored because I never agreed to their terms.

Findings

In preparing to file the Copyright Declaratory Judgment, I performed my due diligence by checking web logs and related files for information pertaining to this case. And since Getty has recanted, I am making some of my findings public.

Automated Filing
First, notice how Getty’s second letter says “We have reviewed your email and website…” This clearly shows up in my web logs. Among other things, people at Getty are the only (non-bot) visitors to access my site via “nealkrawetz.org” — everyone else uses “hackerfactor.com”. In each case, the Getty users initially went directly to my “In The Flesh” blog entry (showing that they were not searching or just browsing my site.) Their automated violation bot also used nealkrawetz.org. The big catch is that nobody at Getty ever reviewed “In The Flesh” prior to mailing their extortion letter.

In fact, I can see exactly when their bot visited my web site. Here are all of my logs related to their bot:

2014-06-08 23:41:44 | 14.102.40.242 | Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0 | GET / | http://ops.picscout.com/QcApp/Classification/Index/371654690
2014-06-08 23:41:44 | 14.102.40.242 | Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0 | GET / | http://ops.picscout.com/QcApp/Classification/Index/371654690
2014-06-09 21:08:00 | 14.102.40.242 | Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0 | GET / | http://ops.picscout.com/QcApp/Classification/Index/371654690
2014-06-09 21:08:00 | 14.102.40.242 | Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0 | GET / | http://ops.picscout.com/QcApp/Classification/Index/371654690
2014-06-14 23:05:36 | 109.67.106.4 | Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0 | GET / | http://ops.picscout.com/QcApp/Classification/Index/371842247
2014-06-14 23:05:36 | 109.67.106.4 | Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0 | GET / | http://ops.picscout.com/QcApp/Classification/Index/371842247
2014-06-14 23:05:44 | 109.67.106.4 | Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0 | GET /blog/index.php?/archives/423-In-The-Flesh.html | http://ops.picscout.com/QcApp/PreReport/Index/371842247?normalFlow=True
2014-06-14 23:06:39 | 109.67.106.4 | Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0 | GET /blog/index.php?/categories/18-Phones | http://ops.picscout.com/QcApp/Infringer/Index/371842247
2014-06-16 05:35:47 | 95.35.10.33 | Mozilla/5.0 (Windows NT 6.1; rv:29.0) Gecko/20100101 Firefox/29.0 | GET / | http://ops.picscout.com/QcApp/Classification/Index/371842247
2014-06-16 05:35:47 | 95.35.10.33 | Mozilla/5.0 (Windows NT 6.1; rv:29.0) Gecko/20100101 Firefox/29.0 | GET / | http://ops.picscout.com/QcApp/Classification/Index/371842247

This listing shows:

  • The date/time (in PST)
  • The bot’s IP address (two in Israel and one in India; none from the United States)
  • The user-agent string sent by the bot
  • Where they went — they most went to “/” (my homepage), but there is exactly one that went to “/blog/index.php?/archives/423-In-The-Flesh.html”. That’s when they compiled their complaint.
  • The “Referer” string, showing what they clicked in order to get to my site. Notice how their accesses are associated with a couple of complaint numbers. “371842247″ is the number associated with their extortion letter. However, “371654690″ appears to be a second potential complaint.

Getty’s complaint has a very specific timestamp on the letter. It’s doesn’t just have a date. Instead, it says “7/10/2014 11:05:05am” — a very specific time. The clocks may be off by a few seconds, but that “11:05″ matches my log file — it is off by exactly 12 hours. (The letter is timestamped 11:05am, and my logs recorded 11:05pm.) This shows that the entire filing process is automated.

When I use my bank’s online bill-pay system, it asks me when I want to have the letter delivered. Within the United States, it usually means mailing the letter four days earlier. I believe that Getty did the exact same thing. They scanned my web site and then mailed their letter so it would be delivered exactly one-month later, and dated the letter 4 days 12 hours before delivery.

Getty’s automated PicScout system is definitely a poorly-behaved web bot. At no time did Getty’s PicScout system retrieve my robots.txt file, showing that it fails to abide by Internet standards. I am also certain that this was a bot since a human’s web browser would have downloaded my blog’s CSS style sheet. (PicScout only downloaded the web page.)

Failure to perform due diligence
I want to emphasize that there are no other accesses to that blog entry by any address associated with Getty within months before their complaint. As of this year (from January 2014 to July 23, 2014), people at Getty have only visited the “In The Flesh” web page 13 times: once by the PicScout bot, and 12 times after they received my reply letter. This shows that Getty never viewed the web page prior to sending their letter. In effect, their “infringement” letter is nothing more than trolling and an attempt to extort money. They sent the letter without ever looking at the context in which the picture is used.

My claim that Getty never manually reviewed my web site prior to mailing is also supported by their second letter, where they recanted their claim of copyright infringement. Having actually looked at my blog, they realized that it was Fair Use.

My web logs are not my only proof that no human at Getty viewed the blog page in the months prior to sending the complaint. Getty’s threatening letter mentions only one single picture that is clearly labeled with Getty’s ImageBank watermark. However, if any human had visited the web page, then they would have seen FOUR pictures that are clearly associated with Getty, and all four pictures were adjacent on the web page! The four pictures are:

The first picture clearly says “GettyImages” in the top left corner. The second picture (from their complaint) is watermarked with Getty’s ImageBank logo. The third and fourth pictures come from Getty’s iStockPhoto service. Each photo was properly used as part of the research results in that blog entry. (And right now, they are properly used in the research findings of this blog entry.)

After Getty received my reply letter, they began to visit the “In The Flesh” URL from 216.169.250.12 — Getty’s corporate outbound web proxy address. Based on the reasonable assumption that different browser user-agent strings indicate different people, I observed them repeatedly visiting my site in groups of 3-5 people. Most of them initially visited the “In The Flesh” page at nealkrawetz.org; a few users visited my “About Me” and “Services” web pages. I am very confident that these indicate their attorneys reviewing my reply letter and web site. This is the absolute minimum evaluation that Getty should have done before sending their extortion letter.

Legal Issues
Besides pointing out how my blog entry clearly falls under Fair Use, my attorney noted a number of items that I (as a non-lawyer person) didn’t see. For example:

  • In Getty’s initial copyright complaint, they assert that they own the copyright. However, the burden of proof is on Getty Images. Getty provided no proof that they are the actual copyright holder, that they acquired the rights legally from the photographer, that they never transferred rights to anyone else, that they had a model release letter from the woman in the photo, that the picture was never made public domain, and that the copyright had not expired. In effect, they never showed that they actually have the copyright.

  • Getty’s complaint letter claims that they have searched their records and found no license for me to use that photo. However, they provided no proof that they ever searched their records. At minimum, during discovery I would demand a copy of all of their records so that I could confirm their findings and proof of their search. (Remember, the burden of proof is on Getty, not on me.) In addition, I have found public comments that explicitly identify people with valid licenses who reported receiving these hostile letters from Getty. This brings up the entire issue regarding how Getty maintains and searches their records.
  • Assuming some kind of violation (and I am not admitting any wrong here), there is a three-year statute of limitations regarding copyright infringement. My blog entry was posted on March 18, 2011. In contrast, their complaint letter was dated July 10, 2014 — that is more than three years after the pictures were posted on my site.

Known Research
Copyright law permits Fair Use for many purposes, including “research”. Even Getty’s own FAQ explicitly mentions “research” as an acceptable form of Fair Use. The question then becomes: am I a researcher and does my blog report on research? (Among other things, this goes toward my background section in the Copyright Declaratory Judgment filing.)

As it turns out, my web logs are extremely telling. I can see each time anyone at any network address associated with Getty Images visits my site. For most of my blog entries, I either get no Getty visitors or a few visitors. However, each time I post an in-depth research entry on digital photo forensics, I see large groups of people at Getty visiting the blog entry. I can even see when one Getty person comes through, and then a bunch of other Getty people visit my site — suggesting that one person told his coworkers about the blog entry. In effect, employees at Getty Images have been regular readers of my blog since at least 2011. (For discovery, I would request a forensic image of every computer in Getty’s company that has accessed my web site in order to determine if they used my site for research.)

Getty users also use my online analysis service, FotoForensics. This service is explicitly a research service. There are plenty of examples of Getty users accessing the FotoForensics site to view analysis images, read tutorials, and even upload pictures with test files that have names like “watermark.jpg” and “watermark-removed.jpg”. This explicitly shows that they are using my site as a research tool.

(For the ultra paranoid people: I have neither the time nor the desire to track down every user in my web logs. But if you send me a legal threat, I will grep through the data.)

However, the list does not stop there. For example, the Harvard Reference Guide lists me as the example for citing research from a blog. (PDF: see PDF page 44, document page 42.) Not only does Getty use my site as a research resource, Harvard’s style guide uses me as the example for a research blog (my bold for emphasis).

Blogs are NOT acceptable academic sources unless as objects of research

Paraphrasing, Author Prominent:
Krawetz (2011) uses a blog to discuss advanced forensic image analysis techniques.

Paraphrasing, Information Prominent:
Blogs may give credence to opinion, in some cases with supporting evidence; for example the claim that many images of fashion models have been digitally enhanced (Krawetz 2011).

Reference List Model:
Krawetz, N 2011, ‘The hacker factor blog’, web log, viewed 15 November 2011, http://www.hackerfactor.com/blog/

I should also point out that the AP and Reuters have both been very aware of my blog — including a VP at the AP — and neither has accused me of copyright infringement. They appear to recognize this as Fair Use. Moreover, with one of blog entries on a Reuters photo (Without a Crutch), a Reuters editor referred to the blog entry as a “Great in-depth analysis” on Reuter’s web site (see Sep 30, 2011) and on her twitter feed. This shows that Getty’s direct competition recognize my blog as a research resource.

SLAPP
One of the things my attorney mentioned was California’s Anti-SLAPP law. Wikipedia explains SLAPP, or Strategic Lawsuit Against Public Participation, as “a lawsuit that is intended to censor, intimidate, and silence critics by burdening them with the cost of a legal defense until they abandon their criticism or opposition.” Wikipedia also says:

The plaintiff’s goals are accomplished if the defendant succumbs to fear, intimidation, mounting legal costs or simple exhaustion and abandons the criticism. A SLAPP may also intimidate others from participating in the debate. A SLAPP is often preceded by a legal threat. The difficulty is that plaintiffs do not present themselves to the Court admitting that their intent is to censor, intimidate or silence their critics.

In this case, Getty preceded to send me a legal threat regarding alleged copyright infringement. Then they demanded $475 and threatened more actions if I failed to pay it. In contrast, it would cost me $400 to file for a Declaratory Judgment (more if I lived in other states), and costs could rise dramatically if Getty filed a lawsuit against me. In either scenario, it places a financial burden on me if I want to defend my First Amendment rights.

In the United States, California has special anti-SLAPP legislation. While not essential, it helps that Getty has offices in California and a network trace shows that some packets went from Getty to my blog through routers in California. As Wikipedia explains:

To win an anti-SLAPP motion, the defendant must first show that the lawsuit is based on claims related to constitutionally protected activities, typically First Amendment rights such as free speech, and typically seeks to show that the claim lacks any basis of genuine substance, legal underpinnings, evidence, or prospect of success. If this is demonstrated then the burden shifts to the plaintiff, to affirmatively present evidence demonstrating a reasonable probability of succeeding in their case by showing an actual wrong would exist as recognized by law, if the facts claimed were borne out.

This isn’t even half of his legal advice. I could barely take notes fast enough as he remarked about topics like Rule 11, tortious interference with a business relationship, Groucho Marx’s reply to Warner Brothers, and how Getty’s repeated access to my web site could be their way to inflate potential damage claims (since damages are based on the number of views).

A Little Due Diligence Goes A Long Way

Although this entire encounter with Getty Images took less than two weeks, I was preparing for a long battle. I even contacted the Electronic Freedom Foundation (EFF) to see if they could assist. The day after Getty recanted, I received a reply from the EFF: no less than four attorneys wanted to help me. (Thank you, EFF!)

I strongly believe that Getty Images is using a “cookie cutter” style of complaint and is not actually interested in any lawsuit; they just want to extort money from people who don’t know their rights or don’t have the fortitude for a long defense (SLAPP). Getty Images made no effort to evaluate the content beyond an automated search bot, made no attempt to review the bot’s results, provided no evidence that they are the copyright holder, provided no proof that they tried to verify licenses, and threatened legal action against me if I did not pay up.

I am glad that I stood up for my First Amendment rights.

LWN.net: Faults in Linux 2.6

This post was syndicated from: LWN.net and was written by: jake. Original post: at LWN.net

Six researchers (including Julia Lawall of the Coccinelle project) have just released a paper [PDF] (abstract) that looks at the faults in the 2.6 kernel. “In August 2011, Linux entered its third decade. Ten years before, Chou et al. published a study of faults found by applying a static analyzer to Linux versions 1.0 through 2.4.1. A major result of their work was that the drivers directory contained up to 7 times more of certain kinds of faults than other directories. This result inspired numerous efforts on improving the reliability of driver code. Today, Linux is used in a wider range of environments, provides a wider range of services, and has adopted a new development and release model. What has been the impact of these changes on code quality? To answer this question, we have transported Chou et al.’s experiments to all versions of Linux 2.6; released between 2003 and 2011. We find that Linux has more than doubled in size during this period, but the number of faults per line of code has been decreasing. Moreover, the fault rate of drivers is now below that of other directories, such as arch. These results can guide further development and research efforts for the decade to come. To allow updating these results as Linux evolves, we define our experimental protocol and make our checkers available.
(Thanks to Asger Alstrup Palm.)

LWN.net: [$] Genealogy research with Gramps

This post was syndicated from: LWN.net and was written by: n8willis. Original post: at LWN.net

alt="[Visualization in Gramps]" width=200 height=112/>

Genealogy is a fairly popular pursuit, and those wishing to use open-source
software in their hobby have their choice cut-out for them—Gramps is the only complete, actively-developed free-software solution. The project was started in 2001 and
initially known as GRAMPS; the first
stable release
was in 2004. The
latest, version 4.1.0 (“Name go in
book”) was
released on June 18.

Schneier on Security: Security Against Traffic Analysis of Cloud Data Access

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

Here’s some interesting research on foiling traffic analysis of cloud storage systems.

Press release.

The Hacker Factor Blog: Dear Getty Images Legal Department

This post was syndicated from: The Hacker Factor Blog and was written by: The Hacker Factor Blog. Original post: at The Hacker Factor Blog

For the last few years, Getty Images has operated an aggressive anti-copyright infringement campaign. In 2011, they purchased PicScout to search the Internet for potential unlicensed uses of their pictures. Then they began sending out very scary-sounding takedown notices. These letters include a “cease and desist” paragraph as well as a bill for the unauthorized use.

I just received one of these letter. Here’s the 7-page (3.4 MB) letter: PDF. (The only thing I censored was the online access code for paying online.) They billed me $475 for a picture used on my blog. (If you log into their site, it’s $488 with tax.)

A number of news outlets as well as the blogosphere have begun reporting on these letters from Getty Images. For example:

  • International Business Times: “Getty Images Lawsuits: Enforcement Or Trolling? Fear Of Letters Dwindling, Stock-Photo Giant Hits Federal Courts”

  • The DG Group: “Image Copyright Infringement And Getty Images Scam Letter”
  • Extortion Letter Info: “Reporting on Getty Images & Stock Photo Settlement Demand Letters (Copyright Trolls, ‘Extortion’ Letters, ‘Shadown’ Letters)”
  • Women in Business: “Are You Being Set Up For Copyright Infringement? As Technology Becomes More Invasive Copyright Infringement Scams Flourish”
  • RyanHealy.com: “Getty Images Extortion Letter”
  • someguy72 @ Reddit: He states that he purchased the pictures legally from Getty and still received an infringement notice. His advice: if you purchase a picture from Getty, the “save your records FOREVER… they will come after you, years later and you might not have PROOF of PURCHASE, and then you will be screwed.”

As far as I can tell, this is an extortion racket. (I’m surprised that there hasn’t been a class-action lawsuit against Getty Images yet.) The basic premise is that they send out a threatening letter with a price tag. Some people will fear the strongly-worded letter and simply pay the amount. If you ignore it, then they send more letters with greater dollar amounts. If you call them up, the forums say that you can usually negotiate a lower amount. However, sometimes you may not actually owe anything at all.

Many people have reported that, if you just ignore it, then it goes away. However, Getty Images has sued a few people who ignored the letters. If you ignore it, then you place yourself at risk.

But here’s the thing… There are some situations where you can use the image without a license. It is in the Copyright law under the heading “Fair Use” (US Copyright Law Title 17 Section 107; in some countries, it’s called “Fair Dealing”). This is an exception from copyright enforcement. Basically, if you’re using the picture as art on your web site or to promote a product, then you are violating their copyright. (You should negotiate a lower rate.) However, if you use it for criticism, comment, news reporting, teaching, scholarship, or research, then you are allowed to use the picture.

For example, I have many blog entries where I forensically evaluate pictures. I do this to show techniques, criticize content, identify deceptive practices, etc. If Fair Use did not exist, then I would be unable to criticize or expose deception from media outlets. In effect, they would be censoring my freedom of speech by preventing me from directly addressing the subject.

Reply To Getty

The picture in question is one that is on an older blog entry: In The Flesh. This blog entry criticizes the media outlets Time and Salon for promoting misleading and hostile software. (It’s hostile because the demo software installs malware.) The software, False Flesh, claims to make people in any picture appear nude. The pictures in my blog entry are used to demonstrate some of the deceptive practices. Specifically, the pictures of nude women on the software’s web site did not come from their software.

I looked at the picture mentioned in Getty’s complaint and how it was being used in the blog entry. I really thought it was permitted under Copyright Fair Use. However, I’m not an attorney. So… I checked with an attorney about the Getty complaint and my use of the picture. I was actually surprised that he didn’t start his answer with “that depends…” (If you’ve every worked with an attorney, then you know any discussion about legality begins with them saying “that depends…”) Instead, he said outright “it’s clearly fair use.”

Personally, I’m offended that Getty Images made no attempt to look at the context in which the picture is used.

Rather than ignoring them, I sent them a letter:

Dr. Neal Krawetz
Hacker Factor
PO Box 270033
Fort Collins, CO
80527-0033

July 15, 2014

Legal Department
Getty Images
605 5th Ave S, Suite 400
Seattle, WA
98104

Dear Getty Images Legal Department,

I received your copyright infringement notification dated “7/10/2014 11:05:06 AM”, case number 371842247, on July 14, 2014. I have reviewed the image, the use of the picture on my web site, and discussed this situation with an attorney. It is my strong belief that I am clearly using the picture within the scope of Copyright Fair Use (Title 17 Section 107).

Specifically:

  • The blog entry, titled “In The Flesh”, criticizes the media outlets Time and Salon for promoting deceptive software. The software is called “False Flesh” and claims to turn any photo of a person into a nude. I point out that installing the False Flesh demo software will install malware.

  • The blog entry discloses research findings regarding the False Flesh software: there is no identified owner for the software and the sample pictures they use to demonstrate their software are not from their software. I specifically traced their sample images to pictures from sites such as Getty Images. I forensically evaluate the pictures and explicitly point out the misrepresentation created by these images on the False Flesh web site.
  • The picture is used on my web site to criticize the media reports by exposing fraud and misrepresentation associated with the product. It is also included as part of a demonstration for tracking and identifying potentially fraudulent products in general.
  • The blog entry reports on these findings to the public in order to educate people regarding the deceptive nature of False Flesh and the risks from using this software.
  • The image that you identified is not used is the blog entry to promote any products or services and is directly related to the comments, criticism, and research covered in the blog entry. The use is not commercial in nature. This goes toward the purpose and character, which is to identify fraud and misrepresentation in a product promoted by Time and Salon.
  • As described in the blog entry, I found sample images on the False Flesh web site and used TinEye and other forensic methods to identify the sources. This was used to prove that the False Flesh software did not generate any of their sample images.
  • I did not use the full-size version of this particular picture and it includes the Getty Images Image Bank watermark. The blog entry explicitly identifies that the source for the False Flesh picture was Getty Images and not False Flesh. I point out that False Flesh used the picture in a deceptive manner.
  • I believe that my use of this picture has no adverse effect on the potential market for the image.

I believe that this covers the Copyright Fair Use requirements for criticism, comment, teaching, research, and reporting.

Getty Images acknowledges Fair Use in their FAQ concerning license requirements:
http://company.gettyimages.com/license-compliance/faq/#are-there-limitations-on-a-copyright-owners-rights

Specifically, Getty Images calls out education and research. As a computer security and forensic researcher, I use this blog to describe tools and techniques, evaluate methodologies, and to identify deceptive practices. I believe that this specific blog entry, and my blog in general, clearly fit both of these areas.

As stated in this letter, the picture’s appearance on my blog is Fair Use and I have the right under copyright law to use the image without your consent. This letter serves as notice that any DMCA takedown or blocking notices to any third party would be in bad faith.

Sincerely,

/s/ Dr. Neal Krawetz

Chilling Effect

My blog in general reports on findings related to computer security and forensics. Many of these blog entries heavily focus on scams, fraud, and abuse from media outlets. Many of my blog entries (reports) have been repeated by news outlets, and some of my blog entries have had a direct effect on changing insecure and unethical practices. This includes a series of blog entries that exposed digital manipulation in World Press Photo’s annual contest (influencing changes in this year’s contest rules) and a paper on fundamental problems with credit card payment systems that lead to changes in the Visa security standards.

While this could be a wide-spread extortion racket, it could also be Getty’s way of testing the waters before going after some blog entries where I openly and explicitly criticize them for releasing digitally altered photos.

My primary concern is the chilling effect this could have. If I pay the extortion, then it opens me for more claims from Getty; I have previously criticized them for providing digitally altered photos and performed analysis to prove it. It also opens the way for similar claims from the Associated Press, Reuters, and every other media outlet that I have openly criticized. All of my blog entries that explicitly expose digital misrepresentation, report on media manipulation, and even those that disclose methods for evaluating content will be at risk.

In effect, bowing to this one threatening letter would force me to close my blog since I would no longer be allowed to freely write — report, comment, disclose research, and educate others — on topics related to media manipulation and digital photo analysis. I consider Getty’s attempt to censor my blog’s content to be an unacceptable attack on my freedom of speech.

LWN.net: Google’s “Project Zero”

This post was syndicated from: LWN.net and was written by: corbet. Original post: at LWN.net

Google’s newly announced
Project Zero is focused on making the net as a whole safer from attackers.
We’re not placing any particular bounds on this project and will
work to improve the security of any software depended upon by large numbers
of people, paying careful attention to the techniques, targets and
motivations of attackers. We’ll use standard approaches such as locating
and reporting large numbers of vulnerabilities. In addition, we’ll be
conducting new research into mitigations, exploitation, program
analysis—and anything else that our researchers decide is a worthwhile
investment.
” Their policy of only reporting bugs to the vendor
looks like it could result in the burying of inconvenient vulnerabilities,
but presumably they have thought about that.

TorrentFreak: File-Sharing Doesn’t Hurt Box Office Revenue, Research Finds

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

piracy-progressResearch into online piracy comes in all shapes and sizes, often with equally mixed results. Often the main question is whether piracy is hurting sales.

A new study conducted by economist Koleman Strumpf is one of the most comprehensive on the subject so far.

Drawing on data from a popular BitTorrent tracker and revenue projections from the Hollywood Stock Exchange he researches how the release of a pirated movie affects expected box office income.

The research covers 150 of the most popular films that were released over a period of seven years, and the findings reveal that the release of pirated films on file-sharing sites doesn’t directly hurt box office revenue.

“There is no evidence in my empirical results of file-sharing having a significant impact on theatrical revenue,” Strumpf tells TorrentFreak in a comment.

“My best guess estimate is that file sharing reduced the first month box office by $200 million over 2003-2009, which is only three tenths of a percent of what movies actually earned. I am unable to reject the hypothesis that there is no impact at all of file-sharing on revenues.”

So while there is a small negative effect, this is limited to three tenth of a percent and not statistically significant.

Interestingly, the data also reveals that movie leaks shortly before the premiere have a small positive impact on expected revenues. This suggests that file-sharing may serve as a form of promotion.

“One consistent result is that file-sharing arrivals shortly before the theatrical opening have a modest positive effect on box office revenue. One explanation is that such releases create greater awareness of the film. This is also the period of heaviest advertising,” Strumpf notes.

One of the advantages of this study compared to previous research is that it measures the direct effect of a movie leak on projected box office revenues. Previous studies mostly compared early versus late leaks, which is less accurate and may be influenced by other factors.

“For example, suppose studios added extra security to big budget movies which then have a delayed arrival to file-sharing networks. Then even if file-sharing has no impact at all, one would find that delayed arrival on file-sharing leads to higher revenues,” Strumpf tells us.

Another upside of the research lies in the statistical precision. The data includes thousands of daily observations and relatively precise estimates, something lacking in most previous studies.

The downside, on the other hand, is that the expected box office impact is estimated from the Hollywood Stock Exchange. While this has shown to be a good predictor for actual revenues, it’s not a direct measurement.

In any case, the paper suggests that file-sharing might not be the biggest threat the movie industry is facing.

Even if the negative effects were twice as big as the data suggests, it would still be less than the $500 million Hollywood spent on the MPAA’s anti-piracy efforts during the same period.

Source: TorrentFreak, for the latest info on copyright, file-sharing and anonymous VPN services.

Schneier on Security: GCHQ Catalog of Exploit Tools

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

The latest Snowden story is a catalog of exploit tools from JTRIG (Joint Threat Research Intelligence Group), a unit of the British GCHQ, for both surveillance and propaganda. It’s a list of code names and short descriptions, such as these:

GLASSBACK: Technique of getting a targets IP address by pretending to be a spammer and ringing them. Target does not need to answer.

MINIATURE HERO: Active skype capability. Provision of real time call records (SkypeOut and SkypetoSkype) and bidirectional instant messaging. Also contact lists.

MOUTH: Tool for collection for downloading a user’s files from Archive.org.

PHOTON TORPEDO: A technique to actively grab the IP address of MSN messenger user.

SILVER SPECTOR: Allows batch Nmap scanning over Tor.

SPRING BISHOP: Find private photographs of targets on Facebook.

ANGRY PIRATE: is a tool that will permanently disable a target’s account on their computer.

BUMPERCAR+: is an automated system developed by JTRIG CITD to support JTRIG BUMPERCAR operations. BUMPERCAR operations are used to disrupt and deny Internet-based terror videos or other materials. The techniques employs the services provided by upload providers to report offensive materials.

BOMB BAY: is the capacity to increase website hits/rankings.

BURLESQUE: is the capacity to send spoofed SMS messages.

CLEAN SWEEP: Masquerade Facebook Wall Posts for individuals or entire countries.

CONCRETE DONKEY: is the capacity to scatter an audio message to a large number of telephones, or repeatedely bomb a target number with the same message.

GATEWAY: Ability to artificially increase traffic to a website.

GESTATOR: amplification of a given message, normally video, on popular multimedia websites (Youtube).

SCRAPHEAP CHALLENGE: Perfect spoofing of emails from Blackberry targets.

SUNBLOCK: Ability to deny functionality to send/receive email or view material online.

SWAMP DONKEY: is a tool that will silently locate all predefined types of file and encrypt them on a targets machine

UNDERPASS: Change outcome of online polls (previously known as NUBILO).

WARPATH: Mass delivery of SMS messages to support an Information Operations campaign.

HAVLOCK: Real-time website cloning techniques allowing on-the-fly alterations.

HUSK: Secure one-on-one web based dead-drop messaging platform.

There’s lots more. Go read the rest. This is a big deal, as big as the TAO catalog from December.

I would like to post the entire list. If someone has a clever way of extracting the text, or wants to retype it all, please send it to me.

EDITED TO ADD (7/16): HTML of the entire catalog is here.

Krebs on Security: Brazilian ‘Boleto’ Bandits Bilk Billions

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

With the eyes of the world trained on Brazil for the 2014 FIFA World Cup, it seems a fitting time to spotlight a growing form of computer fraud that’s giving Brazilian banks and consumers a run for their money. Today’s post looks at new research into a mostly small-time cybercrime practice that in the aggregate appears to have netted thieves the equivalent of billions of dollars over the past two years.

A boleto.

A boleto.

At issue is the “boleto” (officially “Boleto Bancario”), a popular payment method in Brazil that is used by consumers and for most business-to-business payments. Brazilians can use boletos to complete online purchases via their bank’s Web site, but unlike credit card payments — which can be disputed and reversed — payments made via boletos are not subject to chargebacks and can only be reverted by bank transfer.

Brazil has an extremely active and talented cybercrime underground, and increasingly Brazilian organized  crime gangs are setting their sights on boleto users who bank online. This is typically done through malware that lies in wait until the user of the hacked PC visits their bank’s site and fills out the account information for the recipient of a boleto transaction. In this scenario, the unwitting victim submits the transfer for payment and the malware modifies the request by substituting a recipient account that the attackers control.

Many of the hijacked boleto transactions are low-dollar amounts, but in the aggregate these purloined payments can generate an impressive income stream for even a small malware gang. On Tuesday, for example, a source forwarded me a link to a Web-based control panel for a boleto-thieving botnet (see screenshot below); in this operation, we can see that the thieves had hijacked some 383 boleto transactions between February 2014 and the end of June, but had stolen the equivalent of nearly USD $250,000 during that time.

The records kept by a boleto-stealing botnet. Next to the date and time is the account of the intended recipient of the transfer; the "linea alterada" column shows the accounts used by the thieves to accept diverted payments. "Valor" refers to the amount, expressed in Brazilian Real.

The records kept by a boleto-stealing botnet. Next to the date and time is the account of the intended recipient of the transfer; the “linha alterada” column shows the accounts used by the thieves to accept diverted payments. “Valor” refers to the amount, expressed in Brazilian Real.

But a recent discovery by researchers at RSA, the security division of EMC, exposes far more lucrative and ambitious boleto banditry. RSA says the fraud ring it is tracking — known as the “Bolware” operation — affects more than 30 different banks in Brazil, and may be responsible for up to $3.75 billion USD in losses. RSA arrived at this estimate based on the discovery of a similar botnet control panel that tracked nearly a half-million fraudulent transactions.

Most Brazilian banks require online banking customers to install a security plug-in that hooks into the user’s browser. The plug-ins are designed to help block malware attacks. But according to RSA, the Bolware gang’s malware successfully disables those security plug-ins, leaving customers with a false sense of security when banking online.

The malware also harvests usernames and passwords from victim PCs, credentials that are thought to be leveraged in spreading the malware via spam to the victim’s contacts. RSA said this fraud gang appears to have infected more than 192,000 PCs, and stolen at least 83,000 sets of user credentials.

Administration screen of the Bolware gang shows the original Boleto numbers "Bola Original" and their destination bank "Bola".  Image: RSA

Administration screen of the Bolware gang shows the original Boleto numbers “Bola Original” and their destination bank “Bola”. Image: RSA

RSA notes that the miscreants responsible for the Bolware operation appear to have used just over 8,000 separate accounts to receive the stolen funds. That’s roughly 7,997 more accounts than were used by the boleto bandits responsible for the diverted transactions in the boleto botnet control panel I discovered.

Researchers at RSA suggest that Brazilians who wish to transact in boletos online should consider using a mobile device to manage their boleto transactions, noting that boleto-thieving malware currently is not capable of altering the data stored in the barcode of each hijacked boleto order — at least for the time being.

“As the malware does not alter the barcode (for now), the safest approach is to use mobile banking applications available on smart phones (for now, immune to this malware) to read the barcode and to make payments,” the company said in its report (PDF) on this crime wave.

Schneier on Security: How Traffic Shaping Can Help the NSA Evade Legal Oversight

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

New research paper on how the NSA can evade legal prohibitions against collecting Internet data and metadata on Americans by forcing domestic traffic to leave and return to the US. The general technique is called “traffic shaping,” and has legitimate uses in network management.

From a news article:

The Obama administration previously said there had been Congressional and Judicial oversight of these surveillance laws — notably Section 215 of the Patriot Act, which authorized the collection of Americans’ phone records; and Section 702 of the Foreign Intelligence Surveillance Act (FISA), which authorized the controversial PRISM program to access non-U.S. residents’ emails, social networking, and cloud-stored data.

But the researchers behind this new study say that the lesser-known Executive Order (EO) 12333, which remains solely the domain of the Executive Branch — along with United States Signals Intelligence Directive (USSID) 18, designed to regulate the collection of American’s data from surveillance conducted on foreign soil — can be used as a legal basis for vast and near-unrestricted domestic surveillance on Americans.

The legal provisions offered under EO 12333, which the researchers say “explicitly allows for intentional targeting of U.S. persons” for surveillance purposes when FISA protections do not apply, was the basis of the authority that reportedly allowed the NSA to tap into the fiber cables that connected Google and Yahoo’s overseas to U.S. data centers.

An estimated 180 million user records, regardless of citizenship, were collected from Google and Yahoo data centers each month, according to the leaked documents. The program, known as Operation MUSCULAR, was authorized because the collection was carried out overseas and not on U.S. soil, the researchers say.

The paper also said surveillance can also be carried out across the wider Internet by routing network traffic overseas so it no longer falls within the protection of the Fourth Amendment.

We saw a clumsy example of this in 2013, when a bunch of Internet traffic was mysteriously routed through Iceland. That one was the result of hacking the Border Gateway Protocol (BGP). I assure you that the NSA’s techniques are more effective and less obvious.

Krebs on Security: 2014: The Year Extortion Went Mainstream

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

The year 2014 may well go down in the history books as the year that extortion attacks went mainstream. Fueled largely by the emergence of the anonymous online currency Bitcoin, these shakedowns are blurring the lines between online and offline fraud, and giving novice computer users a crash course in modern-day cybercrime.

An extortion letter sent to 900 Degrees Neapolitan Pizzeria in New Hampshire.

An extortion letter sent to 900 Degrees Neapolitan Pizzeria in New Hampshire.

At least four businesses recently reported receiving “Notice of Extortion” letters in the U.S. mail. The letters say the recipient has been targeted for extortion, and threaten a range of negative publicity, vandalism and harassment unless the target agrees to pay a “tribute price” of one bitcoin (currently ~USD $561) by a specified date. According to the letter, that tribute price increases to 3 bitcoins (~$1,683) if the demand isn’t paid on time.

The ransom letters, which appear to be custom written for restaurant owners, threaten businesses with negative online reviews, complaints to the Better Business Bureau, harassing telephone calls, telephone denial-of-service attacks, bomb threats, fraudulent delivery orders, vandalism, and even reports of mercury contamination.

The missive encourages recipients to sign up with Coinbase – a popular bitcoin exchange – and to send the funds to a unique bitcoin wallet specified in the letter and embedded in the QR code that is also printed on the letter.

Interestingly, all three letters I could find that were posted online so far targeted pizza stores. At least two of them were mailed from Orlando, Florida.

The letters all say the amounts are due either on Aug. 1 or Aug. 15. Perhaps one reason the deadlines are so far off is that the attackers understand that not everyone has bitcoins, or even knows about the virtual currency.

“What the heck is a BitCoin?” wrote the proprietors of New Hampshire-based 900 Degrees Neapolitan Pizzeria, which posted a copy of the letter (above) on their Facebook page.

Sandra Alhilo, general manager of Pizza Pirates in Pomona, Calif., received the extortion demand on June 16.

“At first, I was laughing because I thought it had to be a joke,” Alhilo said in a phone interview. “It was funny until I went and posted it on our Facebook page, and then people put it on Reddit and the Internet got me all paranoid.”

Nicholas Weaver, a researcher at the International Computer Science Institute (ICSI) and at the University California, Berkeley, said these extortion attempts cost virtually nothing and promise a handsome payoff for the perpetrators.

“From the fraudster’s perspective, the cost of these attacks is a stamp and an envelope,” Weaver said. “This type of attack could be fairly effective. Some businesses — particularly restaurant establishments — are very concerned about negative publicity and reviews. Bad Yelp reviews, tip-offs to the health inspector..that stuff works and isn’t hard to do.”

While some restaurants may be an easy mark for this sort of crime, Weaver said the extortionists in this case are tangling with a tough adversary — The U.S. Postal Service — which takes extortion crimes perpetrated through the U.S. mail very seriously.

“There is a lot of operational security that these guys might have failed at, because this is interstate commerce, mail fraud, and postal inspector territory, where the gloves come off,” Weaver said. “I’m willing to bet there are several tools available to law enforcement here that these extortionists didn’t consider.”

It’s not entirely clear if or why extortionists seem to be picking on pizza establishments, but it’s probably worth noting that the grand-daddy of all pizza joints – Domino’s Pizza in France — recently found itself the target of a pricey extortion attack earlier this month after hackers threatened to release the stolen details on more than 650,000 customers if the company failed to pay a ransom of approximately $40,000).

Meanwhile, Pizza Pirates’s Alhilo says the company has been working with the local U.S. Postal Inspector’s office, which was very interested in the letter. Alhilo said her establishment won’t be paying the extortionists.

“We have no intention of paying it,” she said. “Honestly, if it hadn’t been a slow day that Monday I might have just throw the letter out because it looked like junk mail. It’s annoying that someone would try to make a few bucks like this on the backs of small businesses.”

A GREAT CRIME FOR CRIMINALS

Fueled largely by the relative anonymity of cryptocurrencies like Bitcoin, extortion attacks are increasingly being incorporated into all manner of cyberattacks today. Today’s thieves are no longer content merely to hijack your computer and bandwidth and steal all of your personal and financial data; increasingly, these crooks are likely to hold all of your important documents for ransom as well.

“In the early days, they’d steal your credit card data and then threaten to disclose it only after they’d already sold it on the underground,” said Alan Paller, director of research at the SANS Institute, a Bethesda, Md. based security training firm. “But today, extortion is the fastest way for the bad guys to make money, because it’s the shortest path from cybercrime to cash. It’s really a great crime for the criminals.

Last month, the U.S. government joined private security companies and international law enforcement partners to dismantle a criminal infrastructure responsible for spreading Cryptlocker, a ransomware scourge that the FBI estimates stole more than $27 million from victims compromised by the file-encrypting malware.

Even as the ink was still drying on the press releases about the Cryptolocker takedown, a new variant of Cryptolocker — Cryptowall — was taking hold. These attacks encrypt the victim PC’s hard drive unless and until the victim pays an arbitrary amount specified by the perpetrators — usually a few hundred dollars worth of bitcoins. Many victims without adequate backups in place (or those whose backups also were encrypted) pay up.  Others, like the police department in the New Hampshire hamlet of Durham, are standing their ground.

The downside to standing your ground is that — unless you have backups of your data — the encrypted information is gone forever. When these attacks hit businesses, the results can be devastating. Code-hosting and project management services provider CodeSpaces.com was forced to shut down this month after a hacker gained access to its Amazon EC2 account and deleted most data, including backups. According to Computerworld, the devastating security breach happened over a span of 12 hours and initially started with a distributed denial-of-service attack followed by an attempt to extort money from the company.

A HIDDEN CRIME

Extortion attacks against companies operating in the technology and online space are nothing new, of course. Just last week, news came to light that mobile phone giant Nokia in 2007 paid millions to extortionists who threatened to reveal an encryption key to Nokia’s Symbian mobile phone source code.

Trouble is, the very nature of these scams makes it difficult to gauge their frequency or success.

“The problem with extortion is that the money is paid in order to keep the attack secret, and so if the attack is successful, there is no knowledge of the attack even having taken place,” SANS’s Paller said.

Traditionally, the hardest part about extortion has been getting paid and getting away with the loot. In the case of the crooks who extorted Nokia, the company paid the money, reportedly leaving the cash in a bag at an amusement park car lot. Police were tracking the drop-off location, but ultimately lost track of the blackmailers.

Anonymous virtual currencies like Bitcoin not only make it easier for extortionists to get paid, but they also make it easier and more lucrative for more American blackmailers to get in on the action. Prior to Bitcoin’s rise in popularity, the principal way that attackers extracted their ransom was by instructing victims to pay by wire transfer or reloadable prepaid debit cards — principally Greendot cards sold at retailers, convenience stores and pharmacies.

But unlike Bitcoin payments, these methods of cashing out are easily traceable if cashed out in within the United States, the ICSI’s Weaver said.

“Bitcoin is their best available tool if in they’re located in the United States,” Weaver said of extortionists. “Western Union can be traced at U.S. cashout locations, as can Greendot payments. Which means you either need an overseas partner [who takes half of the profit for his trouble] or Bitcoin.”

Schneier on Security: More on Hacking Team’s Government Spying Software

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

Hacking Team is an Italian malware company that sells exploit tools to governments. Both Kaspersky Lab and Citizen Lab have published detailed reports on its capabilities against Android, iOS, Windows Mobile, and BlackBerry smart phones.

They allow, for example, for covert collection of emails, text messages, call history and address books, and they can be used to log keystrokes and obtain search history data. They can take screenshots, record audio from the phones to monitor calls or ambient conversations, hijack the phone’s camera to snap pictures or piggyback on the phone’s GPS system to monitor the user’s location. The Android version can also enable the phone’s Wi-Fi function to siphon data from the phone wirelessly instead of using the cell network to transmit it. The latter would incur data charges and raise the phone owner’s suspicion.

[...]

Once on a system, the iPhone module uses advance techniques to avoid draining the phone’s battery, turning on the phone’s microphone, for example, only under certain conditions.

“They can just turn on the mic and record everything going on around the victim, but the battery life is limited, and the victim can notice something is wrong with the iPhone, so they use special triggers,” says Costin Raiu, head of Kaspersky’s Global Research and Analysis team.

One of those triggers might be when the victim’s phone connects to a specific WiFi network, such as a work network, signaling the owner is in an important environment. “I can’t remember having seen such advanced techniques in other mobile malware,” he says.

Hacking Team’s mobile tools also have a “crisis” module that kicks in when they sense the presence of certain detection activities occurring on a device, such as packet sniffing, and then pause the spyware’s activity to avoid detection. There is also a “wipe” function to erase the tool from infected systems.

Hacking Team claims to sell its tools only to ethical governments, but Citizen Lab has found evidence of their use in Saudi Arabia. It can’t be certain the Saudi government is a customer, but there’s good circumstantial evidence. In general, circumstantial evidence is all we have. Citizen Lab has found Hacking Team servers in many countries, but it’s a perfectly reasonable strategy for Country A to locate its servers in Country B.

And remember, this is just one example of government spyware. Assume that the NSA — as well as the governments of China, Russia, and a handful of other countries — have their own systems that are at least as powerful.

TorrentFreak: Dotcom’s Internet Party Wants to Abolish “Geo Blocking” Restrictions

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

internetpartyLast January, exactly two years after the Megaupload raid, Kim Dotcom entered New Zealand’s political arena with the launch of his Internet Party.

The party is currently preparing for the general election in September. While Dotcom will not be on the voting ballot himself, he remains one of the main influencers of the party’s policy.

As the name suggests, many of the party’s core issues revolve around the Internet, copyright included. Today the Internet Party released a draft of its copyright policy with several suggestions for an overhaul of current legislation.

One of the key issues the Internet Party wants to change is the liability New Zealanders face for using VPN services and other circumvention tools to access legal content. At the moment, it is illegal for them to stream content from U.S-based Hulu and Netflix via proxies or VPNs.

TorrentFreak spoke with Kim Dotcom who notes that consumers shouldn’t be punished for the inability of Hollywood to release its content globally. Dotcom hopes that these changes will eventually put a stop to the unnecessary release delays.

“The primary goal of this policy is to force copyright holders to release their content globally, without geographical restrictions. If a TV-show is not available in New Zealand for three months after the U.S. release, there should be no enforcement during this period,” Dotcom tells us.

“Content owners should be held responsible, not the public. The ‘geo blocking’ proposal forces Hollywood to change its business model and release its content worldwide without delays,” he adds.

Dotcom hopes that the Internet Party proposal will serve as model for future copyright law that will eventually be adopted around the world.

Hulu’s Geo Blocking
hului-block

Internet Party leader Laila Harré notes that the current situation is unmanageable. The Internet has made it possible to release content worldwide without any delays, but content owners refuse to give consumers what they want.

“A Kiwi who wants to watch the latest season of first run TV shows like Games of Thrones, for example, shouldn’t be forced to jump through hoops to access what should be legally and easily available online. It’s a ridiculous situation in this day and age,” Harré notes.

Thus far most progress has subsequently been drawn in the opposite direction. In an attempt to crack down on people who bypass geo restrictions, Hulu recently started to ban all visitors who use a VPN connection.

Instead of fighting circumvention, the Internet Party believes that copyright holders should address the root of the problem themselves. Making sure that the latest TV-shows can be watched legally is a must, and although some progress has been made over the years, the legal options are still lacking.

“Some excellent work has been done by some copyright owners and content providers to make good legal options available to New Zealanders. But there’s still a long way to go, especially for some types of content such as globally popular first run television shows broadcast overseas but not available in New Zealand for weeks or months, if at all,” Harré says.

Aside from geo blocking issues, the Internet Party also wants to abolish the Internet disconnection sanction available under New Zealand’s “three-strikes” law, and strengthen the “safe harbor” provisions for Internet services to prevent abuse by copyright holders.

The full draft of the Internet Party’s copyright and open research policy is available here.

Source: TorrentFreak, for the latest info on copyright, file-sharing and anonymous VPN services.

SANS Internet Storm Center, InfoCON: green: OfficeMalScanner helps identify the source of a compromise, (Sun, Jun 22nd)

This post was syndicated from: SANS Internet Storm Center, InfoCON: green and was written by: SANS Internet Storm Center, InfoCON: green. Original post: at SANS Internet Storm Center, InfoCON: green

While working a recent forensics case I had the opportunity to spread the proverbial wings a bit and utilize a few tools I had not prior.
In the midst of building my forensic timeline I set out to determine the initial attack vector, operating on the assumption that it was either web-based content via a malicious ad or a site compromised with a web exploit kit, or was a malicious link or document attachment via email. One interesting variable stood out while reviewing the victim’s PST file. Her company was in the midst of hiring, seeking candidates for a few positions, and was receiving numerous emails with resume attachments, both PDF and DOC/DOCX. I had already discovered the primary malware compromise of the victim’s system so I simply needed to see if there was a malicious email that had arrived prior based on time stamps. One particular email with a Word doc attached stood right out as it arrived at 12:23am on the same day of the malware compromise later at noon. Antimalware detection immediately identified the attachment as TrojanDownloader:W97M/Ledod.A. This alleged resume attachment was also for a John Cena, which cracked me up as I am indeed familiar with the WWE professional wrestler of the same name. Unfortunately, technical details for W97M/Ledod.A were weak at best and all I had to go from initially was “this trojan can download and run other malware or potentially unwanted software onto your PC.” Yeah, thanks for that. What is a poor forensicator to do? Frank Boldewin’s (Reconsructer.org) OfficeMalScanner to the rescue! This tool works like a charm when you want a quick method to scan for shellcode and encrypted PE files as well as pulling macro details from a nasty Office documents. As always, when you choose to interact with mayhem, it’s best to do so in an isolated environment; I run OfficeMalScanner on Windows 7 virtual machine. If you just run OfficeMalScanner with out defining any parameters, it kindly dumps options for you as seen in Figure 1.

OfficeMalScanner options

Figure 1

For this particular sample, when I ran OfficeMalScanner.exe "John Cena Resume.doc" scan the result “No malicious traces found in this file!” was returned. As the tool advised me to do, I ran OfficeMalScanner.exe "John Cena Resume.doc" info as well and struck pay dirt as seen in Figure 2.

OfficeMalScanner finds macros code

Figure 2

When I opened ThisDocument from C:\tools\OfficeMalScanner\JOHN CENA RESUME.DOC-Macros I was treated to the URL and executable payload I was hoping for as seen in Figure 3.

OfficeMalScanner results

Figure 3

A little virustotal.com and urlquery.net research on dodevelopments.com told me everything I needed to know, pure Lithuanian evil in the form of IP address 5.199.165.239.  
A bit of trekking through all the malicious exe’s known to be associated with that IP address and voila, I had my source.

See Jared Greenhill‘s writeup on these same concepts at EMC’s RSA Security Analytics Blog and our own Lenny Zeltser‘s Analyzing Malicious Documents Cheat Sheet where I first learned about OfficeMalScanner. Prior related diaries also include Decoding Common XOR Obfuscation in Malicious Code and Analyzing Malicious RTF Files Using OfficeMalScanner’s RTFScan (Lenny is El Jefe).

I hope to see some of you at SANSFIRE 2014. I’ll be there for the Monday evening State of the Internet Panel Discussion at 7:15 and will present C3CM Defeating the Command, Control, and Communications of Digital Assailants on Tuesday evening at 8:15.

Russ McRee | @holisticinfosec

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

TorrentFreak: Digital Content Online Should Be Free, Children Say

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

download-keyboardThe results of a new survey commissioned by YouGov SixthSense on the file-sharing and content consumption habits of citizens in the UK have just been published.

Among broader issues, the study, which draws on a sample of 1,907 adults over 16 years old and 614 children aged between 8 and 15, looked at reasons why people use file-sharing sites, plus attitudes towards piracy and paying for content.

Online content should be free

The headline finding presented YouGov suggests that half of the up-and-coming generation believes that the Internet should be a content free-for-all. A total of 49% of the 8 to 15-year-olds questioned said that they believe that people should be able to download the content they want from the Internet for nothing.

Drilling down specifically into attitudes towards file-sharing sites, 6% of children said that using them is easy, with 7% agreeing that it had become the normal thing to do.

Interestingly, YouGov found that when questioning the 16-year-old and above group, the attitudes towards free content were the same, with an identical 49% stating that online content should be free to download.

Motivations to share files

The survey found that the major driver for use of file-sharing sites is cost. While adults tend to have the most disposable income, 51% said that they use file-sharing sites to save money.

Among the children, whose resources are often more limited, 44% said their motivation was financial, with a quarter of 16-24 year olds reporting that file-sharing is the only way they can afford to access content online.

Unsurprisingly, the issue of accessibility came in at a close second place for both groups. The speed and convenience of file-sharing was cited as a key motivator for use by 41% of adults and 38% of the children.

Attitudes towards piracy and sanctions

The mainstream entertainment companies invariably insist that downloading movies and music without permission is tantamount to stealing. However, when it comes to the UK’s children the survey suggests that Big Entertainment has a mountain to climb to have that notion widely adopted. While 16% of children accept that it’s wrong to obtain content for free without the creator’s permission, just 7% believe that file-sharing is a form of stealing.

When it comes to punishing someone, somewhere, for the piracy problem, it comes as little surprise that most of the adults feel that the blame should be placed elsewhere. Rather than being punished for illegal downloading themselves, 60% of the 16-24 year-olds said that the companies and websites providing the content should be punished instead.

The future

Despite the favorable cost and convenience of using unauthorized sources, YouGov notes that opportunities exist for content providers to address those issues. Legal alternatives, such as the free ad-supported model offered by Spotify, are being utilized more, and there are signs that people are happy to pay for exclusive content. Among the children, for example, 13% said they would spend their money if that meant supporting an up-and-coming artist.

“Children in this generation have grown up with digital material and are used to having access to what they want, when they want it and for some of the time not paying for it,” says YouGov Research Director James McCoy.

“Whilst they appreciate the issues surrounding piracy and illegal downloads, if they can get away with it, then they will. Why change the habit of a lifetime?”

McCoy says that the challenge for industry moving forward is to find ways to engage and educate this group “in a relevant and non-condescending way.” That can probably be done, it just might take a little while yet.

The Future of Digital Consumption 2014 can be purchased from YouGov.

Source: TorrentFreak, for the latest info on copyright, file-sharing and anonymous VPN services.

TorrentFreak: MPAA Offers $20,000 Grants For “Unbiased” Piracy Research

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

mpaa-logoLate last year a study from European researchers revealed that the Megaupload shutdown had a negative effect on the box office revenues of smaller films.

The researchers suggested that the decrease in sales may be the result of a drop in word-of-mouth promotion from pirates, which affects smaller movies more since they have less advertising budget.

The MPAA wasn’t happy with the media coverage the study generated and went on the defensive citing two Carnegie Mellon University studies to show that piracy harms sales.

Interestingly, it failed to disclose that those findings came from research that was supported by a $100,000 grant from the MPAA.

While we trust that the research is solid, the above shows that academic research plays an important role in the MPAA’s lobbying efforts. For this reason, the Hollywood group has recently started a grants program, hoping to enlist more academics to conduct copyright-related research.

The MPAA is now accepting research proposals on a series of predefined topics. They include the impact of copyright law on innovation and the effectiveness of DMCA takedown notices. The best applications will be awarded a $20,000 grant.

“We want to enlist the help of academics from around the world to provide new insight on a range of issues facing the content industry in the digital age,” says MPAA CEO and former U.S. Senator Chris Dodd.

According to the MPAA boss, academic researchers can contribute to understanding the changes the industry faces by providing unbiased insights.

“We need more and better research regarding the evolving role of copyright in society. The academic community can provide unbiased observations, data analysis, historical context and important revelations about how these changes are impacting the film industry and other IP-reliant sectors,” Dodd notes.

The MPAA clearly sees academic research as an important tool in their efforts to ensure that copyright protections remain in place, or are strengthened if needed.

This outreach to academics may in part be fueled by what their ‘opponents’ are doing. Google, for example, is heavily supporting academic research on copyright-related projects in part to further their own interests.

Both sides clearly steer researchers by giving them precise directions on the grounds they want covered. It’s now up to the academics to make sure that they don’t become pawns in a much bigger fight, and that their research is conducted and results presented in an objective manner.

Source: TorrentFreak, for the latest info on copyright, file-sharing and anonymous VPN services.

Schneier on Security: Paying People to Infect their Computers

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

Research paper: “It’s All About The Benjamins: An empirical study on incentivizing users to ignore security advice, by Nicolas Christin, Serge Egelman, Timothy Vidas, and Jens Grossklags.

Abstract: We examine the cost for an attacker to pay users to execute arbitrary code — potentially malware. We asked users at home to download and run an executable we wrote without being told what it did and without any way of knowing it was harmless. Each week, we increased the payment amount. Our goal was to examine whether users would ignore common security advice — not to run untrusted executables­ — if there was a direct incentive, and how much this incentive would need to be. We observed that for payments as low as $0.01, 22% of the people who viewed the task ultimately ran our executable. Once increased to $1.00, this proportion increased to 43%. We show that as the price increased, more and more users who understood the risks ultimately ran the code. We conclude that users are generally unopposed to running programs of unknown provenance, so long as their incentives exceed their inconvenience.

The experiment was run on Mechanical Turk, which means we don’t know who these people were or even if they were sitting at computers they owned (as opposed to, say, computers at an Internet cafe somewhere). But if you want to build a fair-trade botnet, this is a reasonable way to go about it.

Two articles.

Bradley M. Kuhn's Blog ( bkuhn ): Resolving Weirdness In Thinkpad T60 Hotkeys

This post was syndicated from: Bradley M. Kuhn's Blog ( bkuhn ) and was written by: Bradley M. Kuhn. Original post: at Bradley M. Kuhn's Blog ( bkuhn )

In keeping with my tendency to write a blog post about any technical issue
I find that takes me more than five minutes to figure out when searching
the Internet, I include below a resolution to a problem that took me,
embarrassingly, nearly two and half hours across two different tries to
figure out.

The problem appeared when I took Debian 7 (wheezy) laptop hard drive out
of an Lenovo Thinkpad T61 that I was using that failed and into Lenovo
Thinkpad T60. (I’ve been trying to switch fully to the T60 for everything
because it is supported by Coreboot.)

src="http://ebb.org/images/thinkpad-t60-keyboard-show-volume-keys.png"
alt="image of a Lenovo T60 Thinkpad keyboard with volume buttons circled in purple."/>

When I switched, everything was working fine, except the volume buttons on
the Thinkpad T60 (those three buttons in the top left hand corner of the
keyboard, shown circled in purple in the image on the right) no longer did
what I expected. I expected they would ultimately control PulseAudio volume,
which does the equivalent of pactl set-sink-mute 0 0 and
appropriate pactl set-sink-volume 0 commands for my sound card.
I noticed this because when PulseAudio is running, and you type those
commands on the command line, all functions properly with the
volume, and, when running under X, I see the popup windows coming
from my desktop environment showing the volume changes. So, I knew nothing
was wrong with the sound configuration when I switched the hard drive to a
new machine, since the command line tools worked and did the right things.
Somehow, the buttons weren’t sending the same commands in whatever manner
they were used to.

I assumed at first that the buttons simply generated X events. It turns
out they do, but the story there is a bit more complex. When I
ran xev I saw those buttons did not, in fact, generate any X
events. So, that makes it clear that nothing from X windows
“up” (i.e, to the desktop software) had anything to do with the
situation.

So, I first proceed to research whether these volume keys were supposed to
generate X events. I discovered that there were indeed XF86VolumeUp,
XF86VolumeDown and XF86VolumeMute key events (I’d seen those before, in
fact, doing similar research years ago). However, the advice online was
highly conflicting whether or not the best way to solve this is to have
them generate X events. Most of the discussions I found assumed the keys
were already generating X events and had advice about how to bind those
keys to scripts or to your desktop setup of
choice id="return-crunchbang-arch-advice-forums">0.

I found various old documentation about the thinkpad_acpi
daemon, which I quickly found quickly was out of date since long ago that
had been incorporated into Linux’s ACPI directly and didn’t require
additional daemons. This led me to just begin poking around about how the
ACPI subsystem for ACPI keys worked.

I quickly found the xev equivalent for
acpi: acpi_listen. This was the breakthrough I needed to
solve this problem. I ran acpi_listen and discovered that
while other Thinkpad key sequences, such as Fn-Home (to
increase brightness), generated output like:

video/brightnessup BRTUP 00000086 00000000 K
video/brightnessup BRTUP 00000086 00000000

but the volume up, down, and mute keys generated no output. Therefore, it’s
pretty clear at this point that the problem is something related to
configuration of ACPI in some way. I had a feeling this would be hard to
find a solution for.

That’s when I started poking around in /proc, and found
that /proc/acpi/ibm/volume was changing each time I
hit a these keys. So, Linux clearly was receiving notice that these keys
were pressed. So, why wasn’t the acpi subsystem notifying anything else,
including whatever interface acpi_listen talks to?

Well, this was a hard one to find an answer to. I have to admit that I
found the answer through pure serendipity. I had already
loaded this
old bug report for an GNU/Linux distribution waning in popularity
and
found that someone resolved the ticket with the command:

cp /sys/devices/platform/thinkpad_acpi/hotkey_all_mask /sys/devices/platform/thinkpad_acpi/hotkey_mask


This command:

# cat /sys/devices/platform/thinkpad_acpi/hotkey_all_mask /sys/devices/platform/thinkpad_acpi/hotkey_mask 
0x00ffffff
0x008dffff


quickly showed that that the masks didn’t match. So I did:

# cat /sys/devices/platform/thinkpad_acpi/hotkey_all_mask > /sys/devices/platform/thinkpad_acpi/hotkey_mask 


and that single change caused the buttons to work again as expected,
including causing the popup notifications of volume changes and the like.

Additional searching
show this
hotkey issue is documented in Linux, in its Thinkpad ACPI
documentation
, which states:

The hot key bit mask allows some control over which hot keys generate events.
If a key is “masked” (bit set to 0 in the mask), the firmware will handle it.
If it is “unmasked”, it signals the firmware that thinkpad-acpi would prefer
to handle it, if the firmware would be so kind to allow it (and it often
doesn’t!).

I note that on my system, running the command the document recommends to
reset to defaults yields me back to the wrong state:

# cat /proc/acpi/ibm/hotkey 
status:         enabled
mask:           0x00ffffff
commands:       enable, disable, reset, <mask>
# echo reset > /proc/acpi/ibm/hotkey 
# cat /proc/acpi/ibm/hotkey 
status:         enabled
mask:           0x008dffff
commands:       enable, disable, reset, <mask>
# echo 0xffffffff > /proc/acpi/ibm/hotkey

So, I added that last command above to restore it to enabled Linux’s control
of all the ACPI hot keys, which I suspect is what I want. I’ll update the
post if doing that causes other problems that I hadn’t seen before. I’ll
also update the post to note whether this setting is saved over reboots, as
I haven’t rebooted the machine since I did this. :)


href="http://ebb.org/bkuhn/blog/2014/06/08/volume-hotkeys-thinkpad-t60.html#return-crunchbang-arch-advice-forums">0Interestingly, as has
happened to me often recently, much of the most useful information that I
find about any complex topic regarding how things work in modern GNU/Linux
distributions is found on the Arch or Crunchbang online fora and wikis. It’s
quite interesting to me that these two distributions appear to be the primary
place where the types of information that every distribution once needed to
provide are kept. Their wikis are becoming the canonical references of how a
distribution is constructed, since much of the information found therein
applies to all distributions, but distributions like Fedora and Debian
attempt to make it less complex for the users to change the
configuration.

TorrentFreak: Piracy Takedown Notices Increase E-Book Sales, Research Finds

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

book-pirateIn an attempt to limit the availability of pirated content, copyright holders send millions of takedown requests to online services every week.

The effectiveness of these anti-piracy measures is often in doubt, since the pirated files usually reappear quickly elsewhere. But, according to new research they do have some effect.

Imke Reimers, an economics researcher affiliated with NBER and Northeastern University, examined the effectiveness of these takedown notices on book sales. The results, published in the working paper “The Effect of Piracy Protection in Book Publishing,” show that e-books sales increase as a result of the takedown efforts.

In her research Reimers compares sales of book titles before and after takedown notices are issued, to see the effect on book sales across different titles, genres and formats. The study is the first of its kind and reaches the conclusion that piracy protection increases e-book sales.

“This paper is the first to empirically analyze the interaction of online piracy and the legal market for books. It finds that piracy protection significantly increases regular unit sales of e-books, while the effect on physical formats is not as clear,” Reimers writes.

“E-books, the closest substitute for online piracy benefit from piracy protection by selling 15.4% more units, while there is no significant effect on other formats,” she adds.

A 15 percent increase in e-book sales is quite significant, and translates to millions of dollars in revenue across the industry. For other book formats, including hardcovers, paperback and audiobooks, no sales increase was observed.

The research controlled for a wide variety of third-party variables that could have influenced the results. Based on the current data Reimers is confident that the sales increase can indeed be attributed the takedown notices. However, she also spots differences in the impact on established and starting writers.

More specifically, piracy doesn’t appear to pose a threat to the e-book sales of starting authors and could even serve as a promotional tool.

“The effect varies by the title’s level of popularity. For well-known books and those by popular authors, online piracy mainly poses a threat to regular book sales, while authors who are just starting out could benefit from the additional platform. My results support this idea, at least for e-books,” Reimers writes.

TorrentFreak reached out to Reimers who notes that it might be a good idea for some authors to share some of their work online.

“I find no evidence that piracy protection is ‘bad’ for any books, but it seems that more obscure titles could benefit from the advertising effect of pirated versions. Some emerging authors offer their titles or excerpts of their titles for free on their websites – exactly to advertise their works. My results suggest that this might be a smart move,” she tells us.

The research is based on data from Digimarc, one of the leading piracy protection firms for the book industry. Needless to say, the company is happy to hear that their efforts indeed appear to have an effect.

“This new research strongly validates our position that Digimarc Guardian’s anti-piracy strategies provide a substantial return-on-investment for customers, in the form of increased legitimate sales and revenue,” Chris Shepard, Director of Product Management at Digimarc, informs us.

Digimarc assured TorrentFreak that they had no hand in the academic research other than providing the piracy takedown data.

The sales data used for the research comes from the leading independent e-book publisher RosettaBooks. Needless to say, they are also happy with the results.

“Rightsholders feel exposed or taken advantage of by piracy. We believe that Digimarc’s services improve our overall sales and the effect of dampened piracy greatly exceeds the cost of the service,” Greg Freed, eBook Production and Distribution Director at RosettaBooks tells TorrentFreak.

While the research indicates that takedown notices can have a positive effect on e-book sales, future research will have to show whether or not this can be generalized to other industries, including the movie and music business.

In any case, with the above in mind it’s expected that the volume of takedown notices will only increase in the near future, a trend that has been going on for several years now.

Source: TorrentFreak, for the latest info on copyright, file-sharing and anonymous VPN services.

The Hacker Factor Blog: EFF’ing Up

This post was syndicated from: The Hacker Factor Blog and was written by: The Hacker Factor Blog. Original post: at The Hacker Factor Blog

The Electronic Freedom Foundation (EFF) is a very important organization to those of us who care about technology, security, and privacy. I primarily know about their legal efforts — protecting free speech, fair use, and civil rights. If you’re a security researcher, then you know that any moment some big corporation may choose to sue you for reporting an exploit rather than addressing their vulnerabilities. Apple has sued security researchers. Microsoft used to threaten to sue (and left open the potential to do it again). Epic Games, Cisco, and many other big companies have tried to sue people who report vulnerabilities. When this happens, we inevitably run to the EFF for assistance and guidance.

The EFF usually has a very visible position at most big security conferences and they are well-known in the security community. While I rarely donate to any organizations, I have donated to the EFF because they are needed and they do very good work.

Well… they usually do good work…

Oh, so close!

Beyond their legal actions, exposes, and topical news reports, they also provide a cute web plug-in, developed in collaboration with the Tor Project, called “HTTPS-Everywhere“. The idea is that it forces your web browser to use HTTPS rather than HTTP.

I have previously mentioned many of the limitations with HTTPS: it doesn’t reliably validate connections, it permits the human to bypass detected security risks, it is vulnerable to man-in-the-middle connection hijacking, and that little lock symbol really doesn’t mean you are secure.

As security goes, HTTPS is “better than nothing” security. Treat it like that little lock on your front door — it stops someone from easily opening the door. But it doesn’t stop someone from picking the lock, kicking in the door, listening to you through the door, or climbing in the open window next to the door.

Before Google forced everyone to use HTTPS, they offered both HTTP and HTTPS for accessing google.com. Using this plug-in, it would send you to HTTPS rather than HTTP. The same goes for eBay, PayPal, and many other sites. Lots of sites offer both HTTP and HTTPS, but few sites force you to use HTTPS when HTTP is available. In effect, this plug-in forces you to use security-by-placebo rather than no security at all.

My current irk with HTTPS-Everywhere is that the developers do not seem to be testing their code before releasing it. I recently learned that they have a rule file named Hacker-Factor.xml. This rule forces users who access my FotoForensics site to use HTTPS instead of HTTP. This is a big problem.

While FotoForensics does run both HTTP and HTTPS servers, these two interfaces do not provide the same services. “HTTP” is for the public. As clearly specified in the FAQ, the public service is public. It is not private, it offers no privacy, it is explicitly a research site, and it does not offer logins to the public.

In contrast, my HTTPS server demands a login. You won’t get to the upload page or any of the other features without login credentials. (Logins to that server are strictly limited to administrators and research partners.) With my server, you need HTTPS to access the login interface.

Forcing the Point

There is no rule that says the HTTP and HTTPS servers must provide the same content. In fact, many sites today are like mine: HTTP is for the public, and HTTPS are for users who need to login. Today, I cannot login to my bank’s web site without using HTTPS. With HTTP, I see their site, but I must switch to HTTPS to see the login. I cannot login to Google or Twitter or Facebook without HTTPS. Even most news sites use HTTP for public content but you must use HTTPS if you want to login. It is not uncommon to see very different content when using HTTPS instead of HTTP.

By forcing users to the HTTPS service at FotoForensics, HTTPS-Everywhere prevents people from using FotoForensics. Moreover, I know that I’m not the only web service out there that uses HTTP for public information and HTTPS for private access.

(I should point out that Buzzfeed.com forces users to HTTP. HTTPS at cnn.com doesn’t work. Reddit.com still uses HTTP, even for logins. And pay.reddit.com displays very different content depending on whether you use HTTP or HTTPS.)

As far as I can tell, someone associated with HTTPS-Everywhere did do a little testing with their Hacker-Factor.xml rules. They noted in their configuration file that I use a self-signed certificate. A self-signed certificate is typically considered “bad”. Except that I also use client-side certificates, which is much stronger security than third-party authentication without client-side certificates. (Also, I don’t see any point in paying a third-party certificate provider for a certificate that isn’t secure.) In effect, I have two-part authentication: something you have (the client-side certificate) and something you know (login credentials). While the EFF noticed my self-signed cert, they did not notice that they couldn’t use the HTTPS site!

I noticed this today when a user complained, so I filled out a trouble ticket, letting them know that the configuration for my site was incorrect. (The “reported by: cypherpunks” is their generic account for people who do not want to register a login with their trouble-ticket service.) They closed it out shortly after, with no change and the comment, “it won’t prohibit the vast majority of people from visiting the site.” I guess they missed the part that prohibiting ANYONE from accessing my site is a flaw in their rule-set!

Bad Advice

The other thing that got me looking at the EFF was a tweet they made today:

One year after the first Snowden disclosure, we need a web that resists NSA spying. Fight back. Run a Tor relay. https://eff.org/tor

Wow… does the EFF really not understand what Tor does?

The folks at the Tor Project have a wonderful description of their process. Tor mixes up the path between your computer and the remote system you are accessing. Let’s assume that there is someone who can watch all network traffic. What will they be able to tell about your online activities:

  • They will see that your computer is connecting to a Tor server. But they won’t know what you are doing. The data between you and the Tor server is encrypted.

  • The Tor network is like a giant mixer. One node passes to another node passes to another node… And since everyone is getting mixed up, someone watching the network traffic will see you and lots of other people (and other Tor nodes) all connect to the same Tor nodes, but they won’t know which continuing traffic belongs to you. Your trail vanishes into anonymity.
  • Eventually your traffic will reach an “exit node”. This is where it leaves the Tor network and connects to your desired server. The observer sees lots of exit nodes and lots of exit traffic — they don’t know which one belongs to you.

In this regard, Tor offers great security: an observer can see you enter, but doesn’t know what you sent or where you went. They can see lots of people exiting the Tor network, but they cannot identify which exit request is yours. It’s like being pursued by bloodhounds, getting into a car, and driving into rush-hour traffic — the dogs will lose your scent.

(For you deep-security folks, I’m ignoring potential connection leaks via applications that do not use Tor for DNS, or other things you run that do not pass through the Tor tunnel.)

Insecure-Tor

If your path is secure, then that means you are secure, right? Well, no.

Eventually your network traffic must exit the Tor network. At that point, it’s just as secure as connecting directly. If you connect to your bank or your Reddit account, then someone watching the traffic will see your login credentials used at that service. The omnipotent observer will see you connect to Tor “going somewhere” and your credentials being used to check your email at Yahoo. At this point, they don’t need a high IQ to know it is you. (It’s like catching a bank robber who fled the scene after being identified. The cops won’t go chasing you. They’ll just send someone over to watch your house — you’re bound to go home sometime…)

Last January, there was a report about some evil Tor exit nodes. Remember: the exit nodes can watch you leave the system and they can explicitly see where you are going. According to the report, some Swedish researchers managed to find “at least 22 corrupt exit nodes that were tampering with encrypted traffic leaving the supposedly private Tor network.”

Tor nodes are run by volunteers, and there is no vetting involved. If you want to run a Tor node, you can. If you want to be an exit node, that’s allowed. And if you want to watch all traffic that leaves your exit node, there’s nothing stopping you. In the case with the Swedish researchers, they found some nodes that were intentionally altering the data that you wanted to receive.

I’d say that this is earth-shattering news, except that it isn’t. This type of exploit has been reported in 2012, and 2011 (with sample code), and pretty much every year since Tor started.

Back in 2007, one Swedish guy ran a Tor exit node and was capturing login credentials. Among other things, he saw login credentials to embassies all over the world.

You are… The Weakest Link!

At this point, Tor is only as secure as your connection to the server. If you use HTTP over Tor and you do anything that identifies yourself (fill out a form that requires your name, enter your email address, login to a service, check Facebook, do an ego-search to see who is talking about you…) then you’ve just compromised any security that Tor was providing. Someone watching the network traffic will know it was you.

Using something like HTTPS-Everywhere can help a little. It will stop you from forgetting to use HTTPS for certain web sites. However, virtually nobody uses HTTPS with client-side certificates. And without client-side certificates, it is relatively easy for someone on the network between Tor and your bank to hijack your network connection. (For the attacker, you don’t sit and wait for “Neal” to login… You hijack everyone and eventually you’ll also catch “Neal”.) Moreover, if someone is smart enough to configure a Tor exit node and monitor traffic, then they are certainly smart enough to hijack your HTTPS connection. (We’re not talking about an extreme level of difficulty here; any beginner-admin can learn to do this in a few hours.)

Run or Run Away

In their tweet, the EFF recommends that people run their own Tor relays. This will make the mixer network larger and makes tracking network traffic more difficult. However, what does it do for privacy and to your network traffic?

  • Tor consumes network bandwidth. I hope you have a high-speed network connection, because most residential users can either run a Tor relay or watch NetFlix, but you won’t have enough bandwidth for both.

  • Tor has entry, middle, and exit nodes. Someone on an entry node can see you enter the network, but not where you are going. An exit node can see where you go and what you are doing, but not where the request came from. Meanwhile, a middle node sees anonymous traffic coming in and anonymous traffic going out. (Until I learn of an exploit, the middle nodes are safe enough.) If you run an exit node, then you can observe all network traffic between the outside world and your exit node. And you have the ability to interfere with network traffic.

    As a Tor user, you don’t know who owns the exit nodes or what they are doing. “Assuming” it is safe does not make it safe.

  • As an exit node, you cannot control where people go or what they want to download. If they download child porn, then it will look to the omnipotent network gods as if you (the owner of the exit node) downloaded child porn. (Better leave the front door unlocked since it’s expensive to repair a kicked-in door after the police arrive.)
  • My contract with my Internet Service Provider (ISP) explicitly forbids me from sharing my network connection with other people outside my home. I cannot legally run a free WiFi access point for my neighbors or even run a public web service. That’s the same with most residential ISPs. The EFF’s suggestion for you to run a Tor node will likely be in violation of your ISP service agreement. (You’re running a network service and permitting the world to use your network connection.)

What my client meant to say…

Perhaps the EFF meant to tell people to use Tor and misspoke when they say to run a Tor relay… In that case, there are still two issues: speed and security. With regards to speed, Tor is really slow on its good days.

But then there is that pesky exit-node issue. Without Tor, I can connect to my bank from my home. I can be fairly confident that nobody is intercepting or hijacking the connections, and it is as safe as HTTPS (without client-certs) allows. But with Tor, I cannot trust the exit nodes. HTTPS will not notify me if the initial connection is hijacked and the exit node has a great opportunity for hijacking the connection.

Moreover, Tor nodes are run by volunteers all over the Internet. I have no idea who they are, what networks my login credentials are passing over, or who might be watching. As far as I know, there is no way to identify all of the networks that my packets touch. While I do use Tor for anonymous network access, I would never trust it in its current state for anything that requires identifiable information.

For more specific paranoia, consider this: If I connect directly from my home to my bank, I can use traceroute and identify that my packets never leave this country. Yes, corporations that run the networks may see my traffic, but I don’t have to worry about foreign governments. In contrast, if I use Tor and it randomly selects an exit node in Taiwan, then governments in Taiwan, China, Europe, and every other country can spy on my connection as the packets leave a distant Tor exit node and connect to my local bank. With Tor, there are a lot more options for people to watch my online activities and hijack the connection. Without Tor, I only have to worry about my local networks.

Focal Points

I typically trust the EFF’s judgment. Their legal advice and concerns about privacy, security, and technology are usually spot-on. And when the EFF speaks, people should listen.

However, as with anyone else, their suggestions are not always 100% reliable. Forcing people to use HTTPS on an HTTP-only service breaks access to the service. Releasing a HTTPS-Everywhere rule without testing it first seems like a really bad idea, and not patching it when told that the rule does not work seems willfully-ignorant. And while I agree that we need a more secure version of the Internet, Tor is not the solution. Advising people to run a Tor node without identifying the impact and risks seems like a huge mistake to me.

Perhaps I am just over-reacting. But it seems to me that the EFF just gave out some very bad advice.

TorrentFreak: Young Swedes Who Never File-Share Up By 40%

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

piracydownSweden has long been a central figure in the file-sharing phenomenon, not least due to its associations with the The Pirate Bay. As a result, for more than ten years sharing files has been a popular pastime with many young Swedes, much to the disappointment of the world’s largest entertainment companies.

The Cybernorms research group at Lund University in Sweden has been in the news several times during the past few years as a result of its work with The Pirate Bay. On more than one occasion the infamous torrent site as renamed itself to The Research Bay in order for researchers to collect information on the values, norms and conceptions of the file-sharing community.

Cybernorms have now revealed more of their findings which suggest that after years of escalation, online sharing by those in the 15-24 year-old bracket could be in decline.

Survey responses from around 4,000 individuals suggest that the number of active file-sharers has dropped in the past two years. Those who share files daily or almost daily has decreased from 32.8 percent in 2012 to 29 percent in 2014.

“It is a small but significant decrease,” Måns Svensson, head of Cybernorms at Lund University told SVT.

Perhaps the most interesting aspect of the decrease is the mechanism through which it was encouraged. Historically, entertainment industry scare tactics have been employed to try to reduce unauthorized sharing, but the researchers believe something much more positive is responsible.

“What is interesting is that this is the first time we have been able to see that file-sharing has gone down but without that being associated with a conviction, such as the Pirate Bay ruling,” Svensson says.

“If you listen to what young people themselves are saying, it is new and better legal services that have caused the decrease in file-sharing, rather than respect for the law. There has been a trend where alternative legal solutions such as Spotify and Netflix are changing consumption patterns among young people.”

Also of interest is the apparent effect on up-and-coming youngsters who might otherwise have begun file-sharing themselves. The researchers found that between 2009 and 2013 the percentage of young people who never share files illegally increased from 21.6 percent to 30.2 percent, a boost of well over a third.

Interestingly, in that same four-year period, the percentage of young people who said they believe that people should not share files because it is illegal dropped from 24 percent to 16.9 percent. So, even while young people are sharing files less often, their acceptance of the standards presented by the law appears to be dropping too.

In this case it does indeed appear that the carrot is mightier than the stick.

Image credit

Source: TorrentFreak, for the latest info on copyright, file-sharing and anonymous VPN services.