TorrentFreak's Journal
 

Tuesday, October 20th, 2015

    Time Event
    11:45a
    Police Seized a Torrent Proxy & 33K Users Kept Accessing it

    In July 2013 a new anti-censorship service arrived on the scene. Targeted at users who found VPNs too expensive and Tor too slow, Immunicity provided free access to a wide range of blocked websites.

    A year later and with support from Hollywood, City of London Police arrested Immunicity’s then 20-year-old operator. He’s still on police bail facing an uncertain future.

    For many months the Immunicity website remained online but with a very much changed appearance. Gone was the advice on how to unblock sites such as The Pirate Bay, replaced by a City of London Police banner explaining that the site was under criminal investigation.

    Police previously admitted that they’d been logging traffic to that site (and many other seized sites for that matter) but recent developments indicate that they could’ve had access to more than straightforward visits to the Immunicity website. Here’s how.

    Central to the Immunicity system was providing its users with access to a Proxy Auto-Config (PAC) file. Browsers are easily configured to use PAC files and in just a couple of minutes Immunicity users were able to download a custom PAC and begin opening blocked sites via the Immunicity.org domain.

    However, police took effective control of that domain when they arrested its owner last year and while former users might have been disappointed that the service no longer worked as advertised, thousands left their browsers configured to continue using it. How do we know that? Well, the UK Police Intellectual Property Crime Unit no longer has control of the domain.

    At the end of August activists from Brass Horn Communications, a non-profit entity which operates Tor exits and other anti-censorship systems such as Packetflagon, managed to obtain the Immunicity domain. Until three days ago it displayed a modified version of the famous police seizure notice.


    Speaking with TorrentFreak the operator of Brass Horn Communications says that since taking over the Immunicity domain it has become apparent that tens of thousands of former Immunicity users failed to remove the service’s PAC file from their browsers. This means that even after the police took control of Immunicity.org they continued to direct their traffic to the seized domain.

    “More than a year [after the police raid] there were over 33k unique addresses still surrendering control of their operating systems / browsers (plus Steam, OS updates, OCSP / CRL requests etc) over to the Immunicity Proxy Auto-Config file,” he reveals.

    “The Police (or another malicious actor had they acquired the domain) could have done a lot of damage.”

    We asked Brass Horn’s spokesperson about the best and worst case scenarios for the users whose browsers continued to access the Immunicity PAC file. The best case is that nothing happened, the worst is more complicated.

    “We know that the Police were monitoring the access logs of the seized domains so in theory they could simply have monitored everyone who requested the PAC file and recorded that,” he explains.

    “But they could have also published a PAC file that sent *all* traffic through a proxy under their control and gathered metadata. They would have been able to alter HTTP content in flight and monitor which IPs were going to which websites, even if they were over SSL. Granted they couldn’t see which URL was being visited but that’s beside the point.”

    Brass Horn’s operator says people should be aware that while routing their traffic through third parties has the ability to decrease censorship efforts, there are always security considerations to keep in mind.

    “People need to be aware of the risks of PAC proxies, VPNs etc (e.g. all their traffic is at the whim of the VPN / Proxy operator). With that said, Brass Horn Communications won’t surrender any domains and will be publishing DNSSEC records, TLSA DNS records and long lived HSTS headers to hopefully break any seizures from having an effect.”

    For now, however, Immunicity is in safe hands. Nevertheless, its new operator is advising former users to immediately delve into their browser settings to disable access to the old PAC file.

    Full instructions on how to create and install a new PAC file are provided at Immunicity.org, which is now a fully operational PacketFlagon site-unblocking shard.
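
What a browser still pointed at a PAC URL hands to whoever controls that URL can be checked directly. The following is an added example, not code from the article, Immunicity or Brass Horn Communications: it evaluates a PAC script in Node.js and lists the hosts it would proxy that the user never asked to unblock. Both PAC scripts, the `proxy.example` and `blocked.example` names, and the probe URLs are constructed for illustration.

```javascript
const vm = require('vm');

// Small subset of the helper functions browsers expose to PAC scripts.
const helpers = {
  dnsDomainIs: (host, domain) => host.endsWith(domain),
  isPlainHostName: (host) => !host.includes('.'),
  shExpMatch: (str, glob) => new RegExp('^' + glob
    .replace(/[.+^${}()|[\]\\]/g, '\\$&')
    .replace(/\*/g, '.*').replace(/\?/g, '.') + '$').test(str),
};

// Evaluate the PAC text and record its routing decision for each URL.
// Node's vm module is not a security boundary: audit untrusted PAC files
// only on a throwaway machine.
function auditPac(pacSource, urls) {
  const ctx = vm.createContext({ ...helpers });
  vm.runInContext(pacSource, ctx, { timeout: 1000 });
  return urls.map((url) => {
    const host = new URL(url).hostname;
    const decision = String(ctx.FindProxyForURL(url, host));
    return { host, decision, proxied: !/^\s*DIRECT\s*$/i.test(decision) };
  });
}

// Hosts sent to a proxy although they are not among the sites the user
// expected the PAC file to unblock.
function unexpectedlyProxied(pacSource, urls, expectedHosts) {
  return auditPac(pacSource, urls)
    .filter((r) => r.proxied &&
      !expectedHosts.some((h) => r.host === h || r.host.endsWith('.' + h)))
    .map((r) => r.host);
}

// Constructed PAC scripts: one proxies a single blocked site, the other
// (what a new domain owner could publish) proxies everything.
const selectivePac = `function FindProxyForURL(url, host) {
  if (dnsDomainIs(host, "blocked.example")) return "PROXY proxy.example:8080";
  return "DIRECT";
}`;
const catchAllPac = `function FindProxyForURL(url, host) {
  return "PROXY proxy.example:8080";
}`;

// Constructed probe URLs: the blocked site plus traffic the article mentions
// (OCSP, OS updates) and an unrelated HTTPS site.
const probes = ['http://www.blocked.example/', 'http://ocsp.ca.example/',
  'http://updates.os.example/', 'https://bank.example/login'];

console.log(unexpectedlyProxied(selectivePac, probes, ['blocked.example']));
console.log(unexpectedlyProxied(catchAllPac, probes, ['blocked.example']));
```

An empty list for a PAC file fetched today says nothing about tomorrow: the browser re-fetches the script from the same URL, so the result holds only as long as the domain stays with an operator the user trusts.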

    Source: TorrentFreak, for the latest info on copyright, file-sharing, torrent sites and ANONYMOUS VPN services.

    3:03p
    BrowserPopcorn Shut Down By the MPAA, Dev Says

    Last Friday, TorrentFreak was contacted by Milan Kragujević, a web developer with a brand new service up his sleeve. As the name implies, BrowserPopcorn.xyz looked very similar to the Popcorn Time application that has gained so much publicity in recent times.

    In initial tests the site certainly worked very well too and for people looking for an easy, browser-based Popcorn Time-style experience, BrowserPopcorn offered everything.

    We didn’t write about the project (more about why in a moment) but others did, enough to attract plenty of eyes over the weekend. According to its operator, that attention also extended to none other than the MPAA who he claims took down the service today.


    The greeting displayed on BrowserPopcorn.xyz


    If true (Kragujević didn’t immediately respond to a request for comment), the news hardly comes as a surprise. While Popcorn Time itself is a thorn in the side of Hollywood, making the same kind of service available to anyone with a browser (BrowserPopcorn even worked nicely on Android) is something that the MPAA won’t tolerate if it can be avoided.

    At this stage it’s unclear what tactics the MPAA employed to shutter the service although a tersely-worded email to its hosting provider could’ve easily done the trick.

    In any event the MPAA will be pleased that the site has gone so quickly but it was only a matter of time before BrowserPopcorn collapsed under its own success. Taking nothing away from Kragujević, who is articulate, talented and apparently just 15 years old, we know from experience that these kinds of projects need resources behind them to keep going. Here’s why.

    While BrowserPopcorn looks and feels like Popcorn Time, uses the same YTS.to content, and is being presented in the media as Popcorn Time in a browser, the way the service works behind the scenes is notably different.

    The Popcorn Time application has BitTorrent under the hood, meaning that users of the software use their own bandwidth (both upload and download) to distribute the content to each other. BrowserPopcorn relies on a different mechanism which means it operates more like YouTube, gobbling up bandwidth at an alarming rate while using centralized servers.

    When we spoke with Kragujević again on Saturday he was operating six dedicated servers, each capable of serving around 200 users. Putting that into perspective, an article on the topic from us would have ensured that the site became overloaded within hours, minutes even.

    At that point the story would be self-defeating, since the topic of discussion wouldn’t exist. That’s never popular with readers so we told Kragujević we’d skip for now. However, that doesn’t mean that BrowserPopcorn isn’t an interesting project.

    “Basically, BrowserPopcorn is powered by TorrentStream.me. TorrentStream works by running an instance of peerflix-server (the same engine that Popcorn Time uses) and there is a PHP script which handles interfacing between node.js and the outside world,” Kragujević explained.

    “When you request [a movie], the PHP script adds a torrent to peerflix-server and starts proxying the data from it to the user.”

    And of course, this is where the whole thing becomes extremely bandwidth hungry. A true BitTorrent-client-in-a-browser solution would actually be perfect for this application, but that has its own difficulties.

    “This is not an in-browser solution as that is impossible currently,” Kragujević said.

    “There are attempts, like WebTorrent.io, but that only works if the peers are running the same client and communicate with websockets. It has no support for standard torrent clients like Deluge, uTorrent, Transmission, Vuze, etc.”

    Whether BrowserPopcorn will make a comeback remains to be seen, but in the meantime there are several other similar sites ready to take up the slack, including Torba.se which has been around for some time already.


    7:44p
    MPAA Asks Government to Facilitate Private Anti-Piracy Deals

    Following the failed SOPA and PIPA bills, entertainment industry groups have switched their efforts away from legislation and towards voluntary cooperation with various stakeholders.

    This has resulted in several agreements in which Internet providers, advertising agencies, payment processors and other companies are more actively involved in deterring piracy.

    These deals have been encouraged and facilitated by the Obama administration, often outside public view. The Copyright Alert System, for example, was negotiated with help from Vice President Joe Biden.

    In a letter sent to Intellectual Property Enforcement Coordinator (IPEC) Daniel Marti this week, Hollywood’s MPAA points out the importance of the Government’s involvement in this matter.

    “Encouraging industry players to work together has been one of the IPEC’s most valuable contributions to combating online copyright theft,” the MPAA writes (pdf).

    However, aside from the successes there are other areas where the movie and music industries would like to see more significant progress.

    Despite various lobbying efforts the movie studios haven’t been able to strike a satisfactory deal with the domain name industry, search engines and hosting companies.

    “…at least three areas have shown lagging progress: the use of domain names for unlawful conduct; the prevalence of piracy websites on the first pages of search results; and the use of data storage services to host websites trafficking in stolen content.”

    To motivate various stakeholders to take action, the MPAA wants the U.S. Government to intervene. The Obama administration is currently working on a new Joint Strategic Plan on Intellectual Property Enforcement and the MPAA says that voluntary agreements should play a key role.

    “We ask the IPEC to address each of these issues in the upcoming strategic plan, as well as to continue coordinating enforcement actions against those who engage in pervasive theft of copyrighted content,” the MPAA writes.

    The movie studios provide a detailed overview of what needs to improve in all three areas, starting with domain name registrars and registries.

    Domain registrars and registries

    According to the MPAA, many domain name registrars and registries fail to live up to their contracts with ICANN, the main oversight body for the Internet’s global domain name system.

    Several contract provisions require the companies to properly respond to abuse of domain names, including by sites that facilitate the sharing of copyrighted material, but thus far this has failed to yield satisfactory results.

    “To date, however, registrars have failed to respect these provisions and ICANN has not enforced them, summarily rejecting nearly all complaints from rights holders,” the MPAA notes.

    ICANN previously responded to the criticism by pointing out that it doesn’t plan to become the Internet police by regulating speech and content. However, the MPAA disagrees, and notes that ICANN should enforce its contracts.

    “There is an immense difference between interfering with content, speech, or political freedom on the one hand, and enforcing contract provisions prohibiting unlawful conduct on the other,” the movie group writes.

    Search engines

    Cooperation with search engines is another hot issue. Despite repeated calls to take a tougher stance against piracy the MPAA says it hasn’t made adequate progress on this front.

    “Unfortunately, some search engines continue — through their search results, through suggested searches, and through sponsored advertising — to provide the pathway through which many users learn about and reach sites that engage in or facilitate online theft.”

    Ideally, Google and other search engines should demote infringing sites, promote legal services, and completely remove results for sites that have been found guilty by law. In addition, auto-complete suggestions should no longer feature terms that are associated with piracy.

    Search engine requirements


    The MPAA indirectly accuses search engines of facilitating and profiting from piracy, noting that they show no reluctance to act against other offensive material such as child porn or malware.

    “What is important to recognize is that no company is above the law and no company should facilitate illegal behavior. Search engines frequently block and prioritize results when they decide it is in their interest — or in the public good — to do so.”

    Hosting and CDN services

    Finally, the Hollywood group would like to see more cooperation from various hosting services. There are still many companies that refuse to take action, despite their obligations under the DMCA.

    “The lack of cooperation from these technology companies makes the job of enforcing rights far more difficult than it needs to be.”

    In a similar vein the MPAA calls out content delivery networks including Cloudflare. These companies often offer services to pirate sites, but do very little to address copyright infringements.

    “The most prominent example is the U.S. company Cloudflare. While these companies provide many valuable services to legitimate websites, they also provide them to sites dedicated to copyright theft,” the MPAA writes.

    “These companies also too often refuse to enforce their own terms of service to cut off support for clearly illegal sites.”

    Many of the suggestions put forward have been made in the past, so it’s doubtful that big changes will be made without an intervention. Previously, the MPAA suggested a tightening of the law to force voluntary agreements, which may remain one of the options.

    The MPAA’s suggestions will be taken into consideration by Intellectual Property Czar Daniel Marti, who is expected to release the 2016 – 2019 Joint Strategic Plan on Intellectual Property Enforcement during the months to come.

