From Obama to Assange – the evolution of Hope

Take one copyrighted AP photograph of Obama and flip it. Then posterize it and create an iconic work of art – the artist Fairey’s Obama Hope poster. Then take the idea and create an Assange poster.

The evolution of hope…

The idea is brilliant. It’s an image that everyone recognizes, and suggests that our hope for the future is no longer Obama and what he stands for but Assange and what he stands for.

But there’s a problem. AP sued Fairey for copyright infringement. And Fairey himself has issued a cease-and-desist notice to another artist he termed a ‘parasite’. This image has a history, and the protagonists know the law.

Now, I don’t know who ‘created’ the Assange poster. But it’s clearly ‘trading off’. And I do know who’s been distributing it. Forsaking the traditional walls and telegraph poles, 0x00x00 has been using other people’s websites as his whiteboard.

Pissing off SOCA by hacking websites is one thing – but pissing off The Rightsholders is an altogether more dangerous tactic.

News stories on Infosecurity Magazine: 17, 18, 21 and 22 May, 2012

My recent news stories…

Security: do as I say, not as I do
While the role of the CISO is increasingly recognized – usually reporting directly to the board and sometimes sitting on the board – the problems it faces is highlighted by a new Cryptzone survey: security policy doesn’t apply to senior management.
25 May 2012

The rightsholders’ war of attrition against the internet
Google’s Transparency Report now provides a new section on copyright, “disclosing the number of requests… to remove Google Search results because they allegedly link to infringing content.”
25 May 2012

TheWikiBoat’s OpNewSon fires today
TheWikiBoat, a new hacking group that uses techniques and tools similar to Anonymous, but for the lulz rather than the principle, plans to launch its first major operation, #OpNewSon, today.
25 May 2012

Google describes the winning hack at Pwnium
Each year the CanSecWest conference runs the pwn2own hacking contest against leading browsers: Chrome, Firefox, IE and Safari. This year Google withdrew its sponsorship and set up its own Chrome specific contest: Pwnium, an extension of the Chromium Security Rewards program.
24 May 2012

Clueful – an app to describe app behavior
Earlier this year social networking company Path was hauled over the coals by both users and Apple for automatically uploading users’ iPhone address books. This, says Apple, is “in violation of our guidelines.”
24 May 2012

FCC’s net neutrality rules may be tested by VoIP
Bad blood in a local dispute in Georgia leads to request for the FCC to proceed “with corrective action as required or as deemed necessary… to protect the national and global interest of the public and the internet application industry alike.”
24 May 2012

Long-standing secret meetings between Canadian telcos and government on C-30
Michael Geist, a law professor at the University of Ottawa specializing in internet and e-commerce law, has discovered secret talks between Canadian telcos and the government on internet surveillance.
23 May 2012

McAfee Q1 Threats Report
The latest quarterly McAfee threats report shows cyber threats increasing across the board: PC, Mac, mobile malware; botnets and hacktivism are all on the rise.
23 May 2012

Monday Mail Mayhem: Anonymous dumps 1.7GB from the DoJ
Monday Mail Mayhem was this week launched by Anonymous starting with the Pirate Bay dump of a 1.7GB database stolen from the Department of Justice, and the release of the traditional Anonymous video announcement.
23 May 2012

ACTA and the Time Warp

Before I go further I need to offer thanks to three sources. Firstly, to Monica Horten at the excellent IPtegrity blog who saw the connection. Secondly to the genius of Richard O’Brien who penned such a prescient prophesy. And thirdly to the authors of ACTA, without whom – well, I wish we were without whom.

The story reported by Monica is the jump to the left in the European Parliament (socialist rapporteur says he recommends that ACTA be rejected) followed by the step to the right (EPP Sarkozy-ite delays things to buy more time for the rightsholder lobbyists to regroup) – and it was Monica who made the connection with Richard O’Brien. (I’ve reported the ‘news’ side of this story on Infosecurity Mag) “ACTA: EU Parliament takes a step to the right,” is Monica’s headline. “It took a jump to the left…” is the first line.

“It’s just a jump to the left And then a step to the right” is the source in Richard O’Brien’s phenomenal Time Warp song from The Rocky Horror Picture Show. What I hadn’t realised is quite how accurate those lyrics turn out to be.

Hollywood/government lays out its intention for the internet: It’s astounding, time is fleeting – Madness takes its toll – But listen closely, not for very much longer – I’ve got to keep control

But users are lost in their own, innocent, dreamy vision of the internet: It’s so dreamy, oh fantasy free me – So you can’t see me, no not at all

This is such a romantic view of freedom and the internet! But Hollywood/government responds: In another dimension, with voyeuristic intention – Well-secluded, I see all – With a bit of a mind flip – You’re there in the time slip – And nothing can ever be the same

This is O’Brien at his most prophetic. Hollywood/government wishes, from a hidden point of view, to see everything that happens on the internet. And once they succeed, nothing will ever be the same again.

O’Brien goes on to foretell what will happen. The user concludes: Well I was walking down the street just a-having a think – When a snake of a guy gave me an evil wink – He shook me up, he took me by surprise – He had a pickup truck and the devil’s eyes. – He stared at me and I felt a change – Time meant nothing, never would again.

Hollywood/government wins. The Time Warp itself? They will just keep cycling round in a time warp, time and time again, until they succeed. Just beware when that snake of a guy gives you an evil wink – and make sure you never vote for him again!

Two free videos here!

OK, nudge, nudge, wink, wink – I’ve got two free videos for you to watch.

The first is available via TVShack.net, the site owned (long ago) by Richard O’Dwyer and now pwned by the ICEmen. Go there. You’ll find the ICEmen’s takedown notice. But hang around for a minute (well, about 10 seconds) and they’ll force a video on you.

It’s a nICE video. It explains how piracy is stealing money from creators and costing jobs. It’s compelling, but ultimately unrewarding. It gives no figures, no costs, no proof.

So then you must watch the second video. This one is hosted on that great underground TEDsite. It fills in the gaps. The numbers behind the Copyright Math explains scientifically why and how piracy is costing the economy and those nice entertainment industry people so many billions.

Please watch them both – you’ll enjoy being better informed.

Infosecurity Magazine news stories for 22-28 March 2012

My news stories on Infosecurity Magazine from Thursday 22 March until Wednesday 28 March…

Digital Crime: Fourth great era of organized crime
Organized digital crime is growing – but we still know little about the structure of organized digital crime groups. A new report from BAE Detica Systems and the John Grieve Centre for Policing and Security at London Metropolitan University seeks to change this.
28 March 2012

2600 to broadcast interview with Richard O’Dwyer’s mother
2600 is one of the world’s longest running ‘hacker’ publications. Richard O’Dwyer is a UK citizen likely to be deported to the US for operating the website TVShack.net and providing links to ‘copyright infringing’ material.
28 March 2012

Legislation to enforce Google filtering proposed by MPs’ committee
Parliament’s Joint Committee on Privacy and Injunctions has reported: “This could involve giving Ofcom or another body overall statutory responsibility for press regulation.”
28 March 2012

PwC report highlights senior management complacency about security
Financial services are, not surprisingly, increasingly subject to economic cybercrime. According to a report from PwC, cybercrime is now second only to asset misappropriation as the most popular way of defrauding an organization in the financial services (FS) sector.
27 March 2012

Security concerns delay deployment of NGDCs
A survey from Crossbeam Systems shows that 94% of IT personnel identify network security as the main cause for stalled next generation data center (NGDC) deployments.
27 March 2012

The new Oxford Cyber Security Centre
Final proof of the extent to which information security has become embedded within society comes from Oxford university, Home of the Humanities. The university has announced a new Oxford Cyber Security Centre.
27 March 2012

Strong showing for the Pirate Party in German elections
Saarland is the smallest (apart from the city-states) of 16 states within Germany, with a population of just over 1 million inhabitants. Politically it is generally considered to be a conservative area.
26 March 2012

Anonymous launches Operation Imperva
Anonymous has declared a new target: Imperva Inc, a security firm, is now the subject of Operation Imperva.
26 March 2012

Microsoft takes control of 800 domains associated with Zeus botnets
In a major action against the banking trojan Zeus, Microsoft with FS-ISAC and NACHA and research from Kyrus Tech and F-Secure have succeeded in disrupting a number of the most harmful Zeus botnets in “in an unprecedented, proactive cross-industry action.”
26 March 2012

Europe’s first information risk maturity index developed
PwC and Iron Mountain have joined together to develop a risk maturity index for European SMEs; and finds them generally lacking.
23 March 2012

Firefox will use HTTPS by default
Encrypted searching should become available by default for all Firefox users within a few months – a big win for privacy.
23 March 2012

Indian call centers sell UK financial data and DVLA gives access to Indian workers
On the same day that the Sunday Times reported Indian workers offering UK finance details for sale at as little as 0.02p, the Observer reported that IBM contractors in India will have access to the data of 43 million UK drivers held by the DVLA.
23 March 2012

Privacy: the great EU/US debate
The two great western trading blocs are taking personal privacy very seriously. In January the EU published a draft proposal for a new Data Protection Regulation, and in February the White House released its privacy blueprint, including the Consumer Privacy Bill of Rights.
22 March 2012

Almost half of UK educational establishments have had mobile devices stolen
A new survey from LapSafe Products has revealed that that 45% of education establishments have had mobile devices – such as laptops, netbooks, MP3 players, tablets and gaming devices – stolen between 2009 and 2011.
22 March 2012

Dame Fiona Caldicott to review patient data confidentiality
The people currently responsible for protecting the confidentiality of patient information in the UK are known as the Caldicott Guardians, so named after Dame Fiona Caldicott. Dame Fiona will now lead a new independent review into patient privacy.
22 March 2012

The Pirate ship must sail into the sunset – but if you believe that you must be as inept as our politicians

The music industry has won its case against the ISPs in the High Court. Of course, it wasn’t targeted at the ISPs (they didn’t ‘defend’ themselves), it was targeted at The Pirate Bay. The music industry wants the ISPs to block access to The Pirate Bay (I’ve written about it on Infosecurity Magazine: It is confirmed: The Pirate Bay is a pirate). They’ve won, and TPB will almost certainly be blocked by UK ISPs come this summer.

TPB sails off into the sunset, right?

It’s all very contorted logic and all pretty pointless. The Pirate Bay doesn’t host the files in question; so how are they logically guilty of breaching copyright? It is because they facilitate and even encourage the act. But how is that really different from a motor manufacturer who advertises, boasts about, and sells a motor car capable of exceeding the legal speed limit? Is the motor industry equally guilty of facilitating and encouraging breaches of the speeding laws?

The ISPs absented themselves from the argument. Their position is that they will do what they’re told. That’s sad. I had hoped that they would fight tooth and nail for their customers. I used Pirate Bay just recently to look at a copy of the supposed correspondence between Symantec and the pcAnywhere hacker. As a journalist, I didn’t merely have a right to do that, I had a duty to do that – so I don’t believe I broke the law in doing it, nor that TPB broke the law in allowing me to do that. But lawful use of TPB by lawful users is going to be penalised because of the unlawful acts of copyright infringers downloading from somewhere else.

It’s just that TPB is the easy target. Prosecuting individual downloaders is more difficult and more expensive even if more logical. So instead, the solution is to prevent everyone, lawful and unlawful, gaining access to TPB for both lawful and unlawful purposes. When you use a sledgehammer to crack a walnut, you generally end up smashing the nut as well as the shell.

And, as I said, it’s all so pointless. Righard Zwienenberg, a senior research fellow with ESET in The Netherlands, gave me the Dutch experience.

In The Netherlands, he told me, two of the largest ISPs, Ziggo and XS4All, are required by court order to block TPB. They are appealing (which is more than I can say for the music industry – or even the UK lilly-livered ISPs; but I digress). For now, the blockade stays on PirateBay.org and its (pre-listed) IP numbers. Smaller ISPs were pressured to join the blockade, but declined.

“And of course,” says Righard, “the block does not work.” Using a foreign proxy or TOR will simply bypass the blockade. “We also suddenly have PirateBay.nl, PiratenBay.nl/org, and others that are all identical copies of the original PirateBay.org, and that are not blocked as they do not belong to PirateBay.org. So their IP numbers do not fall under the verdict of the court.”

Righard believes that this sort of action does little to help prevent piracy, and nothing to promote the music industry. “There are so many other Torrent sites to use. And the site itself does not carry any illegal content. It’s more like the ads section of a newspaper. If I want to sell my old vinyl records, will the newspaper first check if they are not stolen? If I want to sell music tapes, will they check if they are original or copies?”

My stories on Infosecurity Magazine last week

Last week’s news stories (Feb 6 to Feb 10):

UK attitudes to online safety and personal safety are different
The UK public are likely to trade privacy for security on the streets, but not on the wire.

UK security skills are ‘wholly inadequate’
Baroness Neville-Jones claims UK security skills are ‘wholly inadequate’.

Google Wallet vulnerable to brute forcing the PIN
Joshua Rubin discloses a Google Wallet PIN vulnerability.

Cybercrime – another business in the Malspace
Trusteer gives information on cybercrime ‘Factory Outlets’.

Intrusion upon seclusion protected by Canadian court
The Ontario Appeal Court decides that there is an action for tort on privacy breaches.

Service providers lack confidence in LEAs
Arbor Network’s review shows rise in hacktivist DDoS, and ISPs still distrust LEAs.

Copyrighting pornography; are unsecured WiFi owners to blame?
Two US court cases: can you copyright porn; and are WiFi owners automatically responsible for all downloads.

2011 review: CNI targetted, spam down, botnets up
M86’s review gives a good account of the rise and rise of the Blackhole exploit kit.

Disaster Recovery is health industry’s biggest headache
New survey from BridgeHead Software shows that disaster recovery is the health industry’s main concern for 2012.

Adobe Flash sandbox comes to Firefox on Windows
Adobe has announced that it is bringing its Flash sandbox to the Firefox browser.

EU hints on planned Strategy for Internet Security – HP comments
Neelie Kroes has given three hints on what the EU’s future Strategy for Internet Security might contain; and HP’s Dr Prescott Winter gives his thoughts.

Teampoison hacktivists deface Daily Mail recipe page
The Daily Mail, the UK’s love-to-hate right wing ragpaper, was hacked by Teampoison in a pure example of hacktivist defacement.

EU Regulation decouples privacy from data protection
Amberhawk data protection legal training company discusses aspects of the new EU Data Protection Regulation.

More breaches caused by staff than hackers
An Irish Computer Society survey highlights that more breaches are aused by staff than external hackers.

Adobe addresses PDF security problem
A new paper from Adobe discusses the problems and solutions in PDF security.

Cyber Protection – old racket, new names

The old Protection Racket had gangsters, thugs and baseball bats; the cyber version has rightsholders, lawyers and the law. The names have changed, but the roles and purpose have not – extortion under severe threat.

It works like this. The gangsters target a district – such as IP addresses they have seen at a particular site. The thugs, with just a vague wave of their baseball bats, obtain the home addresses of the targets. And then they move in, swinging their baseball bats and shouting out threats, demanding money with menaces.

The amount demanded in this extortion is carefully chosen. It is the maximum they think they can get without killing off the goose. It is high enough to make the whole racket worthwhile, but low enough to make payment preferable to being kneecapped by the baseball bat.

If you find yourself targeted and don’t want to pay up – whether you were actually at the gangsters’ chosen site or not – you had better be certain that the bat is weak or you have some powerful friends. Both is preferable.

Liuxia Wong is standing up to the gangsters (Hard Drive porn merchants) and its thugs (Hard Drive’s lawyers). She says she wasn’t there in the first place – but anyway your bat is weak and has a flaw. Technically, the flaw she has spotted is that you cannot copyright porn. The Copyright Clause of the Constitution allows Congress to use copyright “To promote the progress of science and useful arts…” Now, says Liuxia, since porn is neither science nor useful arts, it cannot be copyrighted. Your bat is weak and you cannot hit me with it…

She also has some powerful friends: EFF. The thugs ar trying to weaken these friends by name-calling. EFF, say the thugs, is “radical, quasi-anarchist, and intrinsically opposed to any effective enforcement of intellectual property” baseball bats…

Is she right or is she Wong? Is this a real flaw in the thugs’ baseball bat, or will the Makers of the Bats decide it is a false flaw and her friends irrelevant; and allow the gangster’s thugs to hit Liuxia very hard. Two things we can be certain about: if the bat is strong, many different gangsters with many different thugs will use it again and again on many different Liuxias; and if the bat is weak, the thugs will just find a new one. Until, and unless, the Controllers of the Makers of the Bats change the structure of the baseball bats so that they cannot be wielded by thugs in the employ of gangsters.

Bread and Circuses and Anonymous

Lisa Vaas has an interesting post on the Sophos Naked Security blog (and of course on Graham Cluley’s, Paul Ducklin’s, SophosLabs’, and Chester Wisniewski’s own blogs – call it saturation marketing). She questions the effectiveness of the Anonymous ‘bullying’ campaigns, especially against companies like Sony.

She is right to make the question. Anonymous claims to be fighting for democracy; but if it alienates the population, it will be defeated by democracy. For Anonymous to win, it has a fine line to tread; it will need all the political skills of its enemies to take the people with it.

Lisa Vaas’ own comments illustrate the problem, She says, very bluntly,

SOPA is an affront to the Internet.

But what does she suggest to prevent this affront?

Anonymous, back off. Let consumers handle this, and let us do it without bullying.

Politically, this is a shockingly naive statement from an intelligent lady.

Bread and circuses have been used since our earliest political systems to appease the public. It is particularly relevant to this situation: bread is government and circuses is the entertainment industry; and together they represent the unholy alliance that is driving SOPA in America, ACTA around the world, and so many other restrictive, controlling and censoring laws.

This is the problem faced by Anonymous. How can it fight for freedom without appearing to be taking away the bread and circuses fed to us to keep us quiet and happy and docile. I hope Anonymous succeeds. I hope it grows up and realises that the stakes are enormous. The stakes are freedom itself. It is, along with the other rebels of the Internet such as Wikileaks and organizations like CCC our best hope. But it has to take the people with it. In the end, only people power can make governments realise that they are our servants and not our masters.

Anonymous bullies Sony and Nintendo over SOPA support

The Biter Bit – the entertainment industry exposed as pirates

Yesterday, Brian Krebs discussed youhavedownloaded.com

You may have never heard of youhavedownloaded.com, but if you recently grabbed movies, music or software from online file-trading networks, chances are decent that the site has heard of you. In fact, you may find that the titles you downloaded are now listed and publicly searchable at the site, indexed by your Internet address.
Who Knows What Youhavedownloaded.com?

It does pretty much what the entertainment industry does – it monitors the internet looking for illegal downloads. The difference is that the entertainment industry will then sue the pants off you. Youhavedownloaded.com doesn’t do that. You can just visit the site and see if you’re exposed to the ever-increasing anti-piracy copyright-protecting draconian laws. And as a bit of fun, if you know their IP addresses, you can scare your friends by telling them what illegal downloads they’ve made. It is a perfect example of the dual-purpose weapon: could be used for good or evil; or fun.

Or you could use it to turn the tables on hypocrites – hypocrites such as the entertainment industry itself. This is what TorrentFreak has done.

Armed with the IP-ranges of major Hollywood studios we decided to find out what they’ve been downloading. As expected, it didn’t take us long before we found BitTorrent ‘pirates’ at several leading entertainment industry companies. Yes, these are the same companies who want to disconnect people from the Internet after they’ve been caught sharing copyrighted material.

First up is Sony Pictures Entertainment. As shown below, on this single IP-address alone a wide variety of music and movies have been downloaded. And this is probably just the tip of the iceberg, as YouHaveDownloaded only tracks about 20% of all public BitTorrent downloads.
Busted: BitTorrent Pirates at Sony, Universal and Fox

TorrentFreak goes on to list some of the many acts of piracy it located. It adds

We aren’t the only ones to come up with the idea of revealing the BitTorrent habits of copyright advocates. Yesterday, the Dutch blog Geenstijl exposed how someone at the local music royalty collecting agency Buma/Stemra downloaded a copy of the TV-show Entourage and video game Battlefield 3.

In a response Buma/Stemra issued a press release stating that their IP-addresses were spoofed. A very unlikely scenario, but one that will be welcomed by BitTorrent pirates worldwide. In fact, we encourage Sony, Universal and Fox to say something similar. After all, if it’s so easy to spoof an IP-address, then accused file-sharers can use this same defense against copyright holders.

It is indeed an unlikely scenario. I asked security expert David Harley, a senior researcher at ESET, what he thought about spoofing. At the time, I had been wondering if you could abuse the site for revenge on an ex or wandering partner. “I guess if you can spoof an ex’s IP, you can abuse the system. I’m sure we’ve all seen enough stories to be aware that ex’s do play all sorts of unpleasant games with their former, or even current partner’s systems – not to mention their Twitter accounts. Since the site combines the unacceptable combination of sloppy (“Eric, we don’t bother ourselves to separate dynamic IPs. The site is just for show”) and judgmental (“Well, you are in the clear. But look what others do”) I can see that the scenario you suggest is possible. However,” and this is the point, “pinning an illegal download to a specific machine is not forensically trivial even with ISP cooperation and still-extant logs.”

In short, it can only really be treated as a bit of fun. The problem is, the government/ entertainment industry unholy alliance is treating it for real.

ESET