Tag Archives: boingboing

The Curious Takedown Notices of ‘Tongues of Glass’ Poet Shaun Shane

Post Syndicated from Ernesto original https://torrentfreak.com/the-curious-takedown-notices-of-tongues-of-glass-poet-shaun-shane-180519/

Over the years we have published numerous articles on dubious or inaccurate takedown notices, both from large media conglomerates and independent copyright holders.

One of the most curious cases is without doubt that of Shaun Shane and his poem ‘Tongues Made of Glass.’

Five years ago the case first made headlines when On Press Inc. started hounding people on social media because they dared to recite the single-line poem, which consists of just eighteen words.

At the time, Techdirt reported on the issue, which was quickly picked up by others including BoingBoing, Professor Michael Geist, and lawyer Ken White at Popehat. Needless to say, the number of poem recitals only increased.

On Press Inc. wasn’t happy with the coverage. Responding to the media attention, the company asked Google to remove links to the poem from its search engine.

This effort backfired in an even bigger way. Not only did it lead to more articles, Google also rejected most of the requests. Even worse, the poem was then posted in full in the Lumen database, where copies of Google’s DMCA notices are published.

Fast forward five years and the Tongues Made of Glass poem is back on the radar. This time it appears to be author ‘Shaun Shane’ himself who’s sending takedown notices to Google.

As before, the DMCA notices are mostly targeting articles that reference the previous debacles, including our own, but the accusations now go far beyond that.

According to Shaun Shane, people are using black hat SEO bots to fool Google’s search algorithm and make these articles rank high for his name.

“Someone is using Bots for the reported Url to artificially raise its ranking in Google search results for the search terms ‘Shaun Shane’ beyond what Googles search algorithm would natural assign it and are engaging in Black Hat Seo [sic],” he writes in the takedown notices.

We’re not sure what these alleged black hat tactics have to do with a copyright claim. What we do know, however, is that the repeated coverage of the poem’s dubious takedowns may have something to do with the high ranking.

It doesn’t end at these accusations though.

Looking more closely at the reported URLs we see some usual suspects, including BoingBoing, TorrentFreak, Techdirt and Popehat links. However, there are also several innocent bystanders being dragged into the drama.

The poet also targets the website of the company “Shaun Shane Bricklaying,” the LinkedIn profile of sales manager Shaun Shane, a piece on Legend Solar founders Shaun Alldredge and Shane Perkins, and the TripAdvisor profile of Shaun & Shane Tour Operators.

Needless to say, none of these links are even remotely infringing, and we seriously doubt that they are using Black Hat SEO. They just happen to use the keywords “Shaun” and “Shane”.

Google, luckily, denied all of the takedown requests that we referenced here. We did see one URL that was removed, which used an image with the poem, without any context.

This means that the end result for Shaun Shane is not very uplifting. Most of the content he reported remains online, and with new reports being published (including this one), those pages will only rank higher in the search results next time.

Source: TF, for the latest info on copyright, file-sharing, torrent sites and more. We also have VPN reviews, discounts, offers and coupons.

IoT Inspector Tool from Princeton

Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2018/05/iot_inspector_t.html

Researchers at Princeton University have released IoT Inspector, a tool that analyzes the security and privacy of IoT devices by examining the data they send across the Internet. They’ve already used the tool to study a bunch of different IoT devices. From their blog post:

Finding #3: Many IoT Devices Contact a Large and Diverse Set of Third Parties

In many cases, consumers expect that their devices contact manufacturers’ servers, but communication with other third-party destinations may not be a behavior that consumers expect.

We have found that many IoT devices communicate with third-party services, of which consumers are typically unaware. We have found many instances of third-party communications in our analyses of IoT device network traffic. Some examples include:

  • Samsung Smart TV. During the first minute after power-on, the TV talks to Google Play, Double Click, Netflix, FandangoNOW, Spotify, CBS, MSNBC, NFL, Deezer, and Facebook, even though we did not sign in or create accounts with any of them.
  • Amcrest WiFi Security Camera. The camera actively communicates with cellphonepush.quickddns.com using HTTPS. QuickDDNS is a Dynamic DNS service provider operated by Dahua. Dahua is also a security camera manufacturer, although Amcrest’s website makes no references to Dahua. Amcrest customer service informed us that Dahua was the original equipment manufacturer.
  • Halo Smoke Detector. The smart smoke detector communicates with broker.xively.com. Xively offers an MQTT service, which allows manufacturers to communicate with their devices.
  • Geeni Light Bulb. The Geeni smart bulb communicates with gw.tuyaus.com, which is operated by TuYa, a China-based company that also offers an MQTT service.

We also looked at a number of other devices, such as Samsung Smart Camera and TP-Link Smart Plug, and found communications with third parties ranging from NTP pools (time servers) to video storage services.

Their first two findings are that “Many IoT devices lack basic encryption and authentication” and that “User behavior can be inferred from encrypted IoT device traffic.” No surprises there.

Boingboing post.

Related: IoT Hall of Shame.

Cybersecurity Insurance

Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2018/04/cybersecurity_i_1.html

Good article about how difficult it is to insure an organization against Internet attacks, and how expensive the insurance is.

Companies like retailers, banks, and healthcare providers began seeking out cyberinsurance in the early 2000s, when states first passed data breach notification laws. But even with 20 years’ worth of experience and claims data in cyberinsurance, underwriters still struggle with how to model and quantify a unique type of risk.

“Typically in insurance we use the past as prediction for the future, and in cyber that’s very difficult to do because no two incidents are alike,” said Lori Bailey, global head of cyberrisk for the Zurich Insurance Group. Twenty years ago, policies dealt primarily with data breaches and third-party liability coverage, like the costs associated with breach class-action lawsuits or settlements. But more recent policies tend to accommodate first-party liability coverage, including costs like online extortion payments, renting temporary facilities during an attack, and lost business due to systems failures, cloud or web hosting provider outages, or even IT configuration errors.

In my new book — out in September — I write:

There are challenges to creating these new insurance products. There are two basic models for insurance. There’s the fire model, where individual houses catch on fire at a fairly steady rate, and the insurance industry can calculate premiums based on that rate. And there’s the flood model, where an infrequent large-scale event affects large numbers of people — but again at a fairly steady rate. Internet+ insurance is complicated because it follows neither of those models but instead has aspects of both: individuals are hacked at a steady (albeit increasing) rate, while class breaks and massive data breaches affect lots of people at once. Also, the constantly changing technology landscape makes it difficult to gather and analyze the historical data necessary to calculate premiums.

BoingBoing article.

E-Mailing Private HTTPS Keys

Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2018/03/e-mailing_priva.html

I don’t know what to make of this story:

The email was sent on Tuesday by the CEO of Trustico, a UK-based reseller of TLS certificates issued by the browser-trusted certificate authorities Comodo and, until recently, Symantec. It was sent to Jeremy Rowley, an executive vice president at DigiCert, a certificate authority that acquired Symantec’s certificate issuance business after Symantec was caught flouting binding industry rules, prompting Google to distrust Symantec certificates in its Chrome browser. In communications earlier this month, Trustico notified DigiCert that 50,000 Symantec-issued certificates Trustico had resold should be mass revoked because of security concerns.

When Rowley asked for proof the certificates were compromised, the Trustico CEO emailed the private keys of 23,000 certificates, according to an account posted to a Mozilla security policy forum. The report produced a collective gasp among many security practitioners who said it demonstrated a shockingly cavalier treatment of the digital certificates that form one of the most basic foundations of website security.

Generally speaking, private keys for TLS certificates should never be archived by resellers, and, even in the rare cases where such storage is permissible, they should be tightly safeguarded. A CEO being able to attach the keys for 23,000 certificates to an email raises troubling concerns that those types of best practices weren’t followed.

I am croggled by the multiple layers of insecurity here.

BoingBoing post.

New DDoS Reflection-Attack Variant

Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2018/03/new_ddos_reflec.html

This is worrisome:

DDoS vandals have long intensified their attacks by sending a small number of specially designed data packets to publicly available services. The services then unwittingly respond by sending a much larger number of unwanted packets to a target. The best known vectors for these DDoS amplification attacks are poorly secured domain name system resolution servers, which magnify volumes by as much as 50 fold, and network time protocol, which increases volumes by about 58 times.

On Tuesday, researchers reported attackers are abusing a previously obscure method that delivers attacks 51,000 times their original size, making it by far the biggest amplification method ever used in the wild. The vector this time is memcached, a database caching system for speeding up websites and networks. Over the past week, attackers have started abusing it to deliver DDoSes with volumes of 500 gigabits per second and bigger, DDoS mitigation service Arbor Networks reported in a blog post.

Cloudflare blog post. BoingBoing post.

EDITED TO ADD (3/9): Brian Krebs covered this.

Jumping Air Gaps

Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2018/02/jumping_air_gap_2.html

Nice profile of Mordechai Guri, who researches a variety of clever ways to steal data from air-gapped computers.

Guri and his fellow Ben-Gurion researchers have shown, for instance, that it's possible to trick a fully offline computer into leaking data to another nearby device via the noise its internal fan generates, by changing air temperatures in patterns that the receiving computer can detect with thermal sensors, or even by blinking out a stream of information from a computer hard drive LED to the camera on a quadcopter drone hovering outside a nearby window. In new research published today, the Ben-Gurion team has even shown that they can pull data off a computer protected by not only an air gap, but also a Faraday cage designed to block all radio signals.

Here’s a page with all the research results.

BoingBoing post.

Skygofree: New Government Malware for Android

Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2018/01/skygofree_new_g.html

Kaspersky Lab is reporting on a new piece of sophisticated malware:

We observed many web landing pages that mimic the sites of mobile operators and which are used to spread the Android implants. These domains have been registered by the attackers since 2015. According to our telemetry, that was the year the distribution campaign was at its most active. The activities continue: the most recently observed domain was registered on October 31, 2017. Based on our KSN statistics, there are several infected individuals, exclusively in Italy.

Moreover, as we dived deeper into the investigation, we discovered several spyware tools for Windows that form an implant for exfiltrating sensitive data on a targeted machine. The version we found was built at the beginning of 2017, and at the moment we are not sure whether this implant has been used in the wild.

It seems to be Italian. Ars Technica speculates that it is related to Hacking Team:

That’s not to say the malware is perfect. The various versions examined by Kaspersky Lab contained several artifacts that provide valuable clues about the people who may have developed and maintained the code. Traces include the domain name h3g.co, which was registered by Italian IT firm Negg International. Negg officials didn’t respond to an email requesting comment for this post. The malware may be filling a void left after the epic hack in 2015 of Hacking Team, another Italy-based developer of spyware.

BoingBoing post.

Linking Is Not Copyright Infringement, Boing Boing Tells Court

Post Syndicated from Ernesto original https://torrentfreak.com/linking-is-not-copyright-infringement-boing-boing-tells-court-180119/

Late last year Playboy sued the popular blog Boing Boing for publishing an article that linked to an archive of every Playmate centerfold up to that point.

“Kind of amazing to see how our standards of hotness, and the art of commercial erotic photography, have changed over time,” Boing Boing’s Xeni Jardin commented.

Playboy, instead, was amazed that infringing copies of its work were being shared in public. Although Boing Boing neither uploaded nor stored the images in question, the publisher took the case to court.

The blog’s parent company Happy Mutants was accused of various counts of copyright infringement, with Playboy claiming that it exploited their playmates’ images for commercial purposes.

Boing Boing sees things differently. With help from the Electronic Frontier Foundation, it has filed a motion to dismiss the case, arguing that hyperlinking is not copyright infringement.

“This lawsuit is frankly mystifying. Playboy’s theory of liability seems to be that it is illegal to link to material posted by others on the web — an act performed daily by hundreds of millions of users of Facebook and Twitter, and by journalists like the ones in Playboy’s crosshairs here,” they write.

The article in question

The defense points out that Playboy’s complaint fails to state a claim for direct or contributory copyright infringement. In addition, it argues that this type of reporting should be seen as fair use.

“Boing Boing’s reporting and commenting on the Playboy photos is protected by copyright’s fair use doctrine,” EFF Senior Staff Attorney Daniel Nazer says, commenting on the case.

“We’re asking the court to dismiss this deeply flawed lawsuit. Journalists, scientists, researchers, and everyday people on the web have the right to link to material, even copyrighted material, without having to worry about getting sued.”

The lawsuit shares a lot of similarities with the case between Dutch blog GeenStijl and local Playboy publisher Sanoma. That high-profile case went all the way to the European Court of Justice.

The highest European court eventually decided that hyperlinks to infringing works are to be considered a ‘communication to the public,’ and that a commercial publication can indeed be held liable for copyright infringement.

Boing Boing hopes that US courts will see things differently, or it might be “the end of the web as we know it.”

“The world can’t afford a judgment against us in this case — it would end the web as we know it, threatening everyone who publishes online, from us five weirdos in our basements to multimillion-dollar, globe-spanning publishing empires like Playboy,” Boing Boing writes.

A copy of Boing Boing’s memorandum in support of the motion to dismiss is available here (pdf). The original Playboy complaint can be found here (pdf).
