Tag Archives: Cloudflare

‘Casting Couch’ Movie Company Orders Cloudflare to Unmask Tube Site Pirates

Post Syndicated from Andy original https://torrentfreak.com/casting-couch-movie-company-orders-cloudflare-to-unmask-tube-site-pirates-200118/

Before taking direct legal action against alleged copyright infringers, it helps if the identities of those people are known to the potential plaintiff. One method to obtain this information is to file an application for a DMCA subpoena.

Commonly filed against domain registries and Cloudflare, DMCA subpoenas can require such companies to give up the names of their allegedly-infringing customers, who are often the operators of ‘pirate’ sites. The process of obtaining a subpoena is attractive and relatively easy since the applications are rarely subjected to much scrutiny and can yield useful results.

Last week adult company AMA Multimedia (better known for its Casting Couch X and various other brands) filed an application at a Washington court demanding that Cloudflare provide identifying information of customers said to have infringed the company’s copyrights.

According to AMA, it previously asked Cloudflare to remove or disable access to around three dozen URLs, mostly JPG images and direct content links, on domains including Pornmilo.com (12 million visits per month) and HLSMP4.com (15 million visits per month). With that content apparently still intact, AMA asked the court for permission to demand information from Cloudflare to identify the alleged infringers.

“For the period January 1, 2016 through the present, produce all documents and account records that identify the person(s) or entities that caused the infringement of the material described in the attached Exhibit B DMCA notifications to the DMCA Agent for Cloudflare, Inc. and/or who unlawfully uploaded AMA Multimedia LLC’s copyrighted works at the URLs listed in the notifications, including but not limited to identification by names, email addresses, IP addresses, user history, posting history, physical addresses, telephone numbers, and any other identifying information,” the subpoena to Cloudflare reads.

In respect of the phrase “person(s) or entities that caused the infringement”, that could mean the operators of the various listed domains – pornmilo.com, javbeautiful.com, 3fu.xyz, 4fu.xyz, hlsmp4.com, o0-1.com, o0-2.com, o0-3.com, o0-4.com, and o0-5.com. However, when it comes to identifying the underlying infringers, that could be more tricky.

When one visits Pornmilo.com, the platform gives the initial impression of being a YouTube-like site, presumably one that hosts its own content. On closer inspection, however, the site claims not to host any video content at all.

Indeed, it appears that the videos are embedded having been supplied by Fembed, a service that advertises itself as an “All-in-one Video Platform Designed by webmasters, for webmasters.” Essentially, people can host their video files on Fembed and serve them on another site, with or without revenue-generating advertising.

Fembed.com isn’t mentioned in the DMCA subpoena but it appears to be connected to HLSMP4.com, which is mentioned multiple times. Furthermore, javbeautiful.com, 3fu.xyz, 4fu.xyz and indeed all the other domains redirect to Fembed.com, so it’s possible that they have the same owners. AMA seems pretty keen to find out exactly who they are.

That being said, it is far from clear how Cloudflare itself can establish who uploaded the infringing content on HLSMP4, Fembed, and the other sites so it can hand that information to AMA. At this early stage that may not concern AMA too much and it’s possible that outcome is already being anticipated. Nevertheless, the DMCA subpoena has the ability to get closer to the targets in a cheap and relatively easy fashion.

The DMCA subpoena documents can be found here and here (pdf, NSFW)

Source: TF, for the latest info on copyright, file-sharing, torrent sites and more. We also have VPN reviews, discounts, offers and coupons.

Manga Publisher Takeshobo Sues Cloudflare For Copyright Infringement

Post Syndicated from Andy original https://torrentfreak.com/manga-publisher-takeshobo-sues-cloudflare-for-copyright-infringement-200108/

Founded in 1972, Takeshobo is a major publisher based in Japan. The company distributes dozens of manga publications on monthly schedules, many under the Bamboo Comics label.

On Tuesday the company revealed that it had taken legal action to protect its titles from being made available online by pirate sites. However, in common with an increasing number of companies in multiple spaces, its lawyers are going after Cloudflare.

Takeshobo revealed that on December 20, 2019, it filed a civil action against the CDN company at the Tokyo District Court.

“The nature of the complaint is that Cloudflare, Inc. provides a server to an illegal site where many copyrighted works, including those published by us, are illegally uploaded and made available for free,” a statement from Takeshobo reads.

“We asked directly to remove the uploaded copyrighted material from the company’s server, but because no action was taken, we requested the court to remove the copyright infringing page and pay damages.”

Since no court documents have yet been made available to the public and the publisher refers only to “an illegal site”, there’s no absolute confirmation of which ‘pirate’ site Takeshobo is referencing. The company does state, however, that “an order based on copyright infringement has been issued at a District Court in the United States.”

Another possible pointer can be found in Takeshobo’s statement, which further indicates that the legal case against Cloudflare in Japan was filed in collaboration with Mr. Hanamura, one of the authors of the ‘Dorukara’ comic distributed by the company.

With this information in hand, TorrentFreak was able to trace court documents filed in the United States during July 2019, which reveal Takeshobo asking Cloudflare to take action against various ‘pirate’ sites using its services, including those making the ‘Dorukara’ publication available to the public.

“Takeshobo Inc. is seeking a subpoena pursuant to 17 U.S.C. § 512(h) to obtain information sufficient to identify the persons infringing its copyrighted works,” an application for a DMCA subpoena filed at a district court in California reads.

“The purpose for which this subpoena is sought is to obtain the identity of the alleged infringers. Such information will only be used for the purpose of protecting rights under the Copyright Act (17 U.S.C. § 101, et seq.).”

Domains belonging to several ‘pirate’ sites are listed in the subpoena against Cloudflare – Hoshinoromi.org, Worldjobproject.org, Hanascan.com, Mangahato.com, and Manatiki.com.

Readers will recall that Hoshinoromi.org was presented by some as a ‘successor’ to the previously shuttered Mangamura platform, which at the time was considered one of the largest infringers of manga publishers’ copyrights.

However, after being sued last September at a federal court in New York by publishers Shueisha, Kadokawa, Kodansha, and Shogakukan, Hoshinoromi.org and the related Worldjobproject.org shut down.

That leaves Hanascan.com, Mangahato.com, and Manatiki.com, all of which are operating today. Manatiki is clearly the smallest player, pulling in around 327,000 visits per month according to SimilarWeb stats. Hanascan is considerably larger with around 3.2 million visits per month but Mangahato is in a clear lead with around 3.5 million.

An image presented as part of the DMCA subpoena application last year shows all three domains allegedly carrying ‘Dolkara’ content, which according to MyAnimeList is an alternative title for ‘Dorukara’.

Another curiosity can be found in the URLs highlighted above. Domain names aside, the URLs listed for all three sites are identical in construction and present content in more or less the same format.

We can also confirm that all of the content remains in place, via Cloudflare’s services, despite demands in Takeshobo’s DMCA subpoena to “remove or disable” the allegedly infringing works from the listed domains.

Whether Takeshobo is targeting one, all, or indeed none of these domains remains a question but it is crystal clear that Cloudflare did not remove or disable access to any of the above content as the earlier DMCA subpoena demanded.

Whether that dispute is also part of the lawsuit now underway in Tokyo against Cloudflare is still unconfirmed but the pieces seem to point in that direction.

The documents supporting the application for a DMCA subpoena, which was signed off by the court last year, are available here and here (pdf)


Cloudflare Sued For Failing to Terminate 99 ‘Repeat Copyright Infringing’ Sites

Post Syndicated from Andy original https://torrentfreak.com/cloudflare-sued-for-failing-to-terminate-99-repeat-copyright-infringing-sites-200107/

When copyright holders feel they have exhausted all options to have websites stop their allegedly-infringing activities, there is a growing trend to move further up the chain.

Sites now regularly have copyright complaints filed against their hosting companies and domain registries, for example, demanding that they take action to prevent contentious behavior. Since millions of websites now use Cloudflare’s services, that makes the CDN provider a prime candidate for pressure. A new case filed yesterday in a Tennessee district court provides yet another example.

American Clothing Express Inc., which does business as Allure Bridals and Justin Alexander, designs and manufactures wedding dresses. As part of the companies’ sales and marketing efforts, they claim to spend hundreds of thousands of dollars per year on photoshoots featuring models wearing their creations.

According to the companies, however, the resulting photographic images are also being deployed by unauthorized overseas websites (sample below) in an effort to drive customers to unaffiliated bridal stores in local markets selling “cheap imitation” dresses.

The plaintiffs state that they lack a meaningful remedy against such sites, noting that the majority are hosted on servers in China, other locations in South East Asia, or on offshore servers that advertise their non-compliance with United States’ copyright laws.

“Complaints sent by Plaintiffs, or their agents, to the Infringing Website Defendants, or to the entities hosting them in these far-away jurisdictions, largely fall on deaf ears. Domestic judgments obtained against the Infringing Website Defendants are often unenforceable against them in their home jurisdictions,” the complaint reads.

The filing lists 99 websites (represented by Does 1-200) falling into these categories that all have something in common – they are or have been customers of US-based Cloudflare. As a result, the plaintiffs have resorted to filing infringement notices with the CDN company, hoping it will take action to restrict the availability of the infringing images.

Indeed, over the past three years the companies claim that they sent several thousand infringement notifications to Cloudflare which included the URLs of pages on the allegedly infringing sites where unlicensed images were being used. The complaint acknowledges that Cloudflare forwarded the complaints to its customers and their hosts but due to the nature of the clients, the hosting providers mostly ignored the takedown demands.

The complaint targets the operators of the 99 sample sites with claims of direct copyright infringement but additionally, due to Cloudflare’s involvement, the CDN company itself is accused of contributory copyright infringement.

“CloudFlare had actual knowledge of the specific infringing activity at issue here because anti-counterfeiting vendors retained by Plaintiffs delivered more than seven thousand notifications to CloudFlare of the ongoing infringement being prosecuted herein over the course of three years,” the complaint reads.

In common with a similar on-going case in California involving another bridal company, the plaintiffs in this matter also state that Cloudflare should have taken more permanent action when it realized that complaints were being made against the same customers time and again, as illustrated by the sample in the image below.

“CloudFlare could have stopped this infringement being perpetrated through its CDN by simply terminating the accounts of repeat infringers,” the complaint continues.

“CloudFlare has never terminated a repeat infringer in response to notifications sent by Plaintiffs or other bridal manufacturers. Consequently, an exceedingly disproportionate amount of websites infringing Plaintiffs’ copyrights are optimized by CloudFlare, as opposed to other providers of CDNs, due to CloudFlare’s well-known policy of refusing to terminate repeat infringers.”

While the plaintiffs don’t mention Cloudflare’s competitors by name, the complaint alleges that in response to similar copyright infringement notices, other CDN providers told their clients that if the images weren’t removed, their entire website accounts would be terminated.

The term ‘repeat infringer’ is becoming increasingly common in United States copyright infringement cases.

In December 2019, Cox Communications was hit with a $1 billion copyright infringement verdict after a Virginia federal jury determined that the ISP didn’t do enough to stop repeat infringers. Cox was found to be contributorily and vicariously liable for the alleged pirating activities of its subscribers on more than 10,000 copyrighted works.

For comparison, Allure Bridals and Justin Alexander state that Cloudflare is liable for contributory copyright infringement relating to more than 5,000 infringing images published on 99 different websites. Overall, Cloudflare serves many thousands of pirate sites, making the outcome of this and similar cases of particular interest.

In respect of the “willful and intentional” direct infringement claims against the 99 websites themselves, Allure Bridals and Justin Alexander request actual or statutory damages, injunctive relief to prevent the ongoing infringements, and the destruction of all copies of copyright works made in violation of the bridal companies’ rights.

The contributory copyright infringement claim against Cloudflare asserts that the CDN company assisted the direct infringers by storing copies of the infringing images on servers in the United States, improving the performance of the infringing websites, while concealing their true locations.

As a result, Cloudflare’s behavior is also described as “willful and intentional”, with the plaintiffs demanding a similar injunction in addition to actual or statutory damages.

The complaint can be obtained here (pdf)


American Petroleum Institute Obtains DMCA Subpoena Ordering Cloudflare Action Against Pirate Site

Post Syndicated from Andy original https://torrentfreak.com/american-petroleum-institute-obtains-dmca-subpoena-ordering-cloudflare-action-against-pirate-site-191222/

Most reports of copyright-based legal action in the United States center on the unlicensed downloading, sharing, or distribution of movies, TV shows, music and software.

Albeit at a slower rate, other less mainstream materials are also detailed in infringement complaints, notably copyrighted scientific and research papers, often with pirate sites like Sci-Hub or Libgen somewhere in the equation. This week a relatively rare complaint was filed in a US court protesting the illegal sale of copyrighted petroleum industry documents.

The application for a DMCA subpoena, filed at a Delaware district court by powerful oil and gas industry association American Petroleum Institute (API), claims that its authored standards documents are being made available online without its permission.

“For decades, API has authored standards for the safety and quality of products in the petroleum and gas industry. As author, API owns the copyright in these standards and has registered the copyrights with the U.S. Copyright Office,” counsel for API writes.

“The copyrighted standards constitute a very valuable asset to API. Indeed, sales of the API standards to petroleum and gas industry professionals create considerable income for API.”

According to API, others are also benefiting from the sale of its standards. The application lists several problematic domains (e-standard.org, e-stds.org, pdfstandards.org) all of which direct to one main site located at e-standardstore.org.

“This company is not an authorized distributor of API’s standards. Despite not being an authorized distributor, these links display images of API’s logos. This unauthorized use of API’s logos falsely suggests to consumers that this company is an authorized distributor of API standards,” API adds.

The E-Standards.org ‘pirate’ site

As the image above shows, API’s publications are easily discoverable on the infringing site. API says there are at least 1,700 standards for sale in PDF format, which is problematic in itself: the association only offers physical standards, so the downloads must be copies.

“Additionally, API does not permit sales of its standards in PDF format (or any other electronic format) by anyone. Therefore, the sale of downloadable or e-mailed copies of API’s standards are clearly sales of unauthorized copies or scans of API’s publications,” API adds.

API says that after investigating the ‘pirate’ site’s IP addresses, they were determined to be operated by Cloudflare. As a result, API wants the CDN company to immediately terminate its services utilized by E-Standards.org while handing over the personal details of whoever is behind the platform.

From the API subpoena to Cloudflare

The Delaware court quickly signed off on the API subpoena so some type of action by Cloudflare can be expected soon. That being said, this set of domains isn’t only a thorn in the side of API but also various other specialist organizations that author their own standards.

According to Google’s Transparency Report, all of the redirection domains have been the subject of DMCA notices, some of which date back to 2013. The main domain cited by API (E-Standards.org) is also at the center of most additional complaints including those filed by safety company Underwriters Laboratories, International Organization for Standardization (ISO), the National Fire Protection Association, and American Water Works Association.

A copy of the DMCA subpoena to Cloudflare is available here (pdf)


RIAA Shut Down DBR.ee, Now Obtains Subpoenas to Target Replacement

Post Syndicated from Andy original https://torrentfreak.com/riaa-shut-down-dbr-ee-obtains-subpoenas-to-target-replacement-191208/

In May 2019, TF discovered that the RIAA had obtained a DMCA subpoena which compelled CDN company Cloudflare to reveal the identities of several site operators using its services.

Among the several domains listed was DBR.ee, a file-hosting site that was utilized by some of its users for hosting pre-release music leaks. This clearly didn’t sit well with the RIAA and within a month of the subpoena being obtained, DBR.ee shut itself down.

Initially it wasn’t clear if the subpoena and the closure were linked but soon after a message appeared on the site which advised that it had been shut down for copyright infringement following action by the RIAA, IFPI, and Music Canada.

The DBR.ee shutdown notice

In early September, however, a new site appeared. Sporting the DBREE name and graphics but located under a different URL (DBREE.co), the site seemed to want to pick up where the original had left off. It’s not currently known whether the same people are behind the resurrection but the RIAA appears keen to find out.

In late November the RIAA obtained a pair of DMCA subpoenas at a Columbia federal court, one targeting domain registrar Namecheap and the other CDN service Cloudflare. Their aim is to uncover the identities of several site operators, DBREE.co’s included.

“The purpose for which this subpoena is sought is to obtain the identity of the individual assigned to these websites who has induced the infringement of, and has directly engaged in the infringement of, our members’ copyrighted sound recordings without their authorization,” the subpoenas read.

DBREE.co stands accused of infringement on three tracks – Lover by Taylor Swift, Under the Graveyard by Ozzy Osbourne, and Thailand by Lil Uzi Vert.

FLACC.org, a music release blog that links to content hosted elsewhere, is also accused of infringing copyrights on three tracks from Celine Dion, Ed Sheeran, and Tech N9ne.

Hiphopeasy.xyz, an album, single, and mixtape indexing site, is currently offline. Nevertheless, the RIAA claims it infringed the rights of Post Malone, Travis Scott, and Ed Sheeran. Another platform, identified by the RIAA as operating from Ovzy.xyz and its subdomains, is also inaccessible.

As usual, the subpoenas require Namecheap and Cloudflare to give up every piece of information they hold on the site’s alleged operators. Both companies are also asked to consider “the widespread and infringing nature” of the sites to determine whether they are in breach of terms of service agreements or repeat infringer policies.

Whether Namecheap or Cloudflare have any useful information to hand over to the RIAA remains to be seen but they are both expected to comply.

The DMCA subpoenas are available here and here (pdf)


Cloudflare Refutes MPA and RIAA’s Piracy Concerns

Post Syndicated from Ernesto original https://torrentfreak.com/cloudflare-refutes-mpa-and-riaas-piracy-concerns-191018/

Earlier this month several copyright holder groups sent their annual “Notorious Markets” complaints to the U.S. Trade Representative (USTR).

The recommendations are meant to call out well-known piracy sites, apps, and services, but Cloudflare is frequently mentioned as well.

The American CDN provider can’t be officially listed since it’s not a foreign company. However, rightsholders have seized the opportunity to point out that the CDN service helps pirate sites with their infringing activities.

The MPA and RIAA, for example, wrote that Cloudflare frustrates enforcement efforts by helping pirate sites to “hide” their hosting locations. In addition, the Hollywood-affiliated Digital Citizens Alliance (DCA) pointed out that the company helps pirate sites to deliver malware.

This week Cloudflare responded to these allegations. In a rebuttal, sent to the USTR’s Director for Innovation and Intellectual Property, General Counsel Doug Kramer writes that these reports are not an accurate representation of how the company operates.

“My colleagues and I were frustrated to find continued misrepresentations of our business and efforts to malign our services,” Kramer writes.

“We again feel called on to clarify that Cloudflare does not host the referenced websites, cannot block websites, and is not in the business of hiding companies that host illegal content–all facts well known to the industry groups based on our ongoing work with them.”

Kramer points out that the copyright holder groups “rehash” previous complaints, which Cloudflare previously rebutted. In fact, some parts of the CDN provider’s own reply are rehashed too, but there are several new highlights as well.

For example, the USTR’s latest review specifically focuses on malware issues. According to Cloudflare, its services are specifically aimed at mitigating such threats.

“Our system uses the collective intelligence from all the properties on our network to support and immediately update our web application firewall, which can block malware at the edge and prevent it from reaching a site’s origin server. This protects the many content creators who use our services for their websites as well as the users of their websites, from malware,” Kramer writes.

The DCA’s submission, which included a 2016 report from the group, is out of date and inaccurate, Cloudflare says. Several of the mentioned domains are no longer Cloudflare customers, for example. In addition, the DCA never sent any malware complaints to the CDN service.

Cloudflare did previously reach out to the DCA following its malware report, but this effort proved fruitless, the company writes.

“Despite our repeated attempts to get additional information by either phone or email, DCA cancelled at least three scheduled calls and declined to provide any specific information that would have allowed us to verify the existence of the malware and protect users from malicious activity online,” Kramer notes.

Malware aside, the allegations that Cloudflare helps pirate sites to ‘hide’ their hosting locations are not entirely true either.

Kramer points out that the company has a “Trusted Reporter” program which complainants, including the RIAA, use frequently. This program helps rightsholders to easily obtain the actual hosting locations of Cloudflare customers that engage in widespread copyright infringement.

Although Cloudflare admits that it can’t stop all bad actors online, it will continue to work with the RIAA, MPA, and others to provide them with all the information they need for their enforcement efforts.

None of this is new though. Year after year the same complaints come in and Cloudflare suggests that copyright holders are actually looking for something else. They would like the company to terminate accounts of suspected pirate sites. However, the CDN provider has no intention to do so.

“Their submissions to the Notorious Markets process seem intended to pressure Cloudflare to take over efforts to identify and close down infringing websites for them, but that is something that we are not obligated to do,” Kramer says.

While it would be technically possible, it would require the company to allocate considerable resources to the task. These resources are currently needed to pursue its primary goal, which is to keep the Internet secure and protect users from malware and other risks.

It’s clear that Cloudflare doesn’t want to take any action against customers without a court order. While it has occasionally deviated from this stance by kicking out Daily Stormer and 8Chan, pirate sites are on a different level.

A copy of the letter Cloudflare’s General Counsel Doug Kramer sent to the USTR’s Director for Innovation and Intellectual Property, Jacob Ewerdt, is available here (pdf).


Cloudflare Flags Copyright Lawsuits as Potential Liabilities Ahead of IPO

Post Syndicated from Andy original https://torrentfreak.com/cloudflare-flags-copyright-lawsuits-as-potential-liabilities-ahead-of-ipo-190816/

As a CDN and security company, Cloudflare currently serves around 20 million “Internet properties”, ranging from domains and websites through to application programming interfaces (APIs) and mobile applications.

At least hundreds of those properties, potentially more, are considered ‘pirate’ platforms by copyright groups, which has resulted in Cloudflare being sucked into copyright infringement lawsuits due to the activities of its customers.

On Thursday, Cloudflare filed to go public by submitting the required S-1 registration statement. It contains numerous warnings that copyright infringement lawsuits, both current and those that may appear in the future, could present significant issues of liability for the company.

Noting that some of Cloudflare’s customers may use its services in violation of the law, the company states that existing laws relating to the liability of service providers are “highly unsettled and in flux”, both in the United States and further afield.

“For example, we have been named as a defendant in a number of lawsuits, both in the United States and abroad, alleging copyright infringement based on content that is made available through our customers’ websites,” the filing reads.

“There can be no assurance that we will not face similar litigation in the future or that we will prevail in any litigation we may face. An adverse decision in one or more of these lawsuits could materially and adversely affect our business, results of operations, and financial condition.”

Cloudflare goes on to reference the safe harbor provisions of the DMCA, noting that they may not offer “complete protection” for the company or could even be amended in the future to its detriment.

“If we are found not to be protected by the safe harbor provisions of the DMCA, CDA [Communications Decency Act] or other similar laws, or if we are deemed subject to laws in other countries that may not have the same protections or that may impose more onerous obligations on us, we may face claims for substantial damages and our brand, reputation, and financial results may be harmed. Such claims may result in liability that exceeds our ability to pay or our insurance coverage,” Cloudflare warns.

As a global company, it’s not only US law the company has to consider. Cloudflare references the recently-approved Copyright Directive in the EU, noting that it also has the potential to expose Cloudflare and other online platforms to liability.

As recently as last month and in advance of any claims under that particular legislation, Cloudflare experienced an adverse ruling in an Italian court. Local broadcaster RTI successfully argued that Cloudflare can be held liable if it willingly fails to act in response to copyright infringement notices. In addition, Cloudflare was ordered to terminate the accounts of several pirate sites.

Of course, it’s not uncommon for S-1 filings to contain statements that can be interpreted as impending doom, since companies are required to be frank about their business’s prospects. However, with single copyright cases often dealing with millions of dollars worth of alleged infringement, Cloudflare’s appraisal of the risks seems entirely warranted.

Cloudflare’s S-1 filing can be viewed here


Will Cloudflare Kicking 8chan Undermine Pirate Sites?

Post Syndicated from Andy original https://torrentfreak.com/will-cloudflare-kicking-8chan-undermine-pirate-sites-190805/

Another day, another senseless mass shooting in the United States, claiming the lives of yet more innocent victims.

While the authorities attempt to sift through this catastrophe and work out what drives people to carry out such terrible acts, attention is being placed on how their messages of evil are spread. Somewhat inevitably, parts of the Internet are set to shoulder at least some of the blame.

Not at all surprisingly, service providers are usually reluctant to take any responsibility for the actions of their users or, in some cases, customers. However, in an announcement early this morning, CDN company Cloudflare said it would cease its work with 8chan, the “cesspool of hate” messaging board where it’s alleged the shooter shared his manifesto.

“8chan is among the more than 19 million Internet properties that use Cloudflare’s service. We just sent notice that we are terminating 8chan as a customer effective at midnight tonight Pacific Time,” CEO Matthew Prince wrote in a statement.

“The rationale is simple: they have proven themselves to be lawless and that lawlessness has caused multiple tragic deaths. Even if 8chan may not have violated the letter of the law in refusing to moderate their hate-filled community, they have created an environment that revels in violating its spirit.”

While other publications will quite rightly focus on the human aspect of this weekend’s awful events, our reporting of issues affecting Cloudflare always centers on the company’s involvement in copyright infringement actions. And there are several, almost every month.

Cloudflare is not a copyright infringer and always acts within the law but if 8chan is guilty of violating “the spirit” of the law and ripe for termination, it will be no surprise that copyright-focused groups will now be quietly rubbing their hands in anticipation.

The Pirate Bay, perhaps the most high-profile ‘pirate’ customer of Cloudflare, provides the most obvious example of a site with a stated aim of violating the law – copyright law, to be specific.

Yet to date nothing has been done to prevent the site from being a Cloudflare customer, because from Cloudflare’s side – perhaps counterintuitively – the CDN service itself hasn’t broken any laws. A similar argument can be made for the many hundreds or even thousands of comparable ‘pirate’ platforms which use Cloudflare in the same way.

It would be distasteful to compare the events of this past weekend with the sharing of movies, TV shows, and music, but copyright holders have had no problem using that as leverage in the past.

In a case brought against Cloudflare by ALS Scan, the adult publisher reminded the court that Cloudflare had previously terminated its business dealings with the Daily Stormer but hadn’t terminated its pirate site customers. Cloudflare didn’t want that discussion to take place at trial but its arguments were rejected by the judge.

In the end, Cloudflare and ALS Scan agreed to settle their case, meaning that a claim for contributory copyright infringement – through the prism of the Daily Stormer disconnection – didn’t get placed in front of a jury. But here we are, a little over a year later, with 8chan also having been terminated by Cloudflare under broadly similar circumstances.

In his message this morning, CEO Matthew Prince highlighted the fact that Cloudflare realizes that having policies that are more conservative than those of their customers would undermine customers’ abilities to run their ships as they see fit. This, the CEO says, means that the company sometimes has to bite its tongue – up to a point.

“We reluctantly tolerate content that we find reprehensible, but we draw the line at platforms that have demonstrated they directly inspire tragic events and are lawless by design. 8chan has crossed that line. It will therefore no longer be allowed to use our services,” Prince added.

Copyright holders regularly argue that pirate sites are “lawless” by their very nature but none have ever caused or inspired the kind of tragic events inflicted upon innocents in recent times.

All that being said, Cloudflare’s decision to terminate a site it states may have only violated “the spirit” of the law will eventually come back to haunt it, even if it was absolutely right to do so. No brand wants to be associated with those reveling in murder, but the clock is already ticking to see which copyright holder brings it up first, to support a case against Cloudflare and its customers.

It’s happened once, it will surely happen again.


‘Repeat Copyright Infringer’ Case Against Cloudflare Can Continue, Court Rules

Post Syndicated from Ernesto original https://torrentfreak.com/repeat-copyright-infringer-case-against-cloudflare-can-continue-court-rules-190716/

Popular CDN and DDoS protection service Cloudflare has come under a lot of pressure from copyright holders in recent years.

The company offers its services to millions of sites, including some of the world’s leading pirate sites.

Many rightsholders are not happy with this. They accuse Cloudflare of facilitating copyright infringement by continuing to provide access to these platforms. At the same time, they call out the CDN service for masking the true hosting locations of these ‘bad actors’.

Cloudflare’s activities have also triggered some lawsuits. Just last week, we reported that an Italian court ordered the company to terminate the accounts of several pirate sites. In the U.S. there’s an ongoing copyright infringement case as well, which brought more bad news for the company a few days ago.

The case in question wasn’t filed by any of the major entertainment industry players, but by two manufacturers and wholesalers of wedding dresses. Not a typical “piracy” lawsuit, but it’s a copyright case that could have broad effects.

In a complaint filed at a federal court in California last year, Mon Cheri Bridals and Maggie Sottero Designs argued that even after multiple warnings, Cloudflare fails to terminate sites operated by counterfeit vendors. This makes Cloudflare liable for the associated copyright infringements, they said.

Cloudflare responded to the allegations and in April it filed a motion to dismiss the complaint. The company said that the rightsholders failed to state a proper claim, as the takedown notices were not proof of infringement, among other things. In addition, the notices were not formatted properly. 

“Plaintiffs characterize their notifications as ‘credible’ without stating any facts that demonstrate their credibility. In any event, defective notifications, like those the plaintiffs sent to Cloudflare, cannot support any claim of actual knowledge,” Cloudflare argued.

According to Cloudflare, the notifications “may or may not be true”. Without a court determining whether they are accurate or not, the company says they don’t “convey actual knowledge of infringement.” As such, the company doesn’t believe it can be held liable.

District Judge Vince Chhabria disagrees, however. In an order signed a few days ago he denies the motion to dismiss. According to the Judge, the allegations and claims made by the wedding dress manufacturers are sufficient at this stage of the case.

“Cloudflare’s main argument – that contributory liability cannot be based on a defendant’s knowledge of infringing conduct and continued material contribution to it – is wrong,” Judge Chhabria writes.

“Allegations that Cloudflare knew its customer-websites displayed infringing material and continued to provide those websites with faster load times and concealed identities are sufficient to state a claim,” he adds.

Cloudflare also pointed out other deficiencies in the notices, and stressed that it’s not a hosting provider, but these comments were countered too. At this stage of the case, it’s enough to show that Cloudflare was aware of the alleged infringements, the Court notes.

“The notices allegedly sent by the plaintiffs gave Cloudflare specific information, including a link to the offending website and a link to the underlying copyrighted material, to plausibly allege that Cloudflare had actual knowledge of the infringing activity,” Judge Chhabria writes.

The denial of Cloudflare’s motion to dismiss means that the case will move forward. While the case has nothing to do with traditional pirate sites, any rulings could spill over, which means that other copyright holders will watch this case closely.

Mon Cheri Bridals and Maggie Sottero ultimately hope to recoup damages for the losses they’ve suffered, as well as preliminary and permanent injunctive relief to stop all infringing activity.

Cloudflare, for its part, will argue that it’s not actively participating in any infringing activity and that it merely has a role as a third-party intermediary, which is not liable for the alleged infringing activities of its customers.

A copy of District Judge Vince Chhabria’s order is available here (pdf).


Court Orders Cloudflare to Terminate Accounts of Pirate Sites

Post Syndicated from Ernesto original https://torrentfreak.com/court-orders-cloudflare-to-terminate-accounts-of-pirate-sites-190711/

As one of the leading CDN and DDoS protection services, Cloudflare is used by millions of websites across the globe. This includes many pirate sites.

In recent years many copyright holders have complained about Cloudflare’s involvement with these platforms. RTI, a company owned by the Italian mass media giant Mediaset, took things a step further and went to court.

RTI complained that Cloudflare offered its services to various pirate sites, which made available its TV shows, including Grande Fratello (Big Brother) and L’isola dei Famosi (The Celebrity Island).

The broadcaster argued that Cloudflare could be seen, among other things, as a hosting provider under the e-Commerce directive (Directive 2000/31/CE). And, since it was made explicitly aware of the infringing actions of its clients but failed to take action, the company could be held liable.

US-based Cloudflare disagreed. It countered that the Italian court didn’t have jurisdiction and that the e-Commerce directive didn’t apply to foreign companies, but those objections were rejected.

In a ruling handed down by the Commercial Court of Rome late last month, Cloudflare was ordered to immediately terminate the accounts of the contested pirate sites. These include filmpertutti.uno, italiaserie.tv, piratestreaming.watch, cinemalibero.red, and various others.

In addition, Cloudflare was ordered to share the personal details of the site owners and their hosting companies with RTI.

If Cloudflare fails to comply with any of the above, it must pay a fine of €1,000 for each day the infringements continue.

While Cloudflare doesn’t see itself as a hosting provider, the Court concluded that it can be seen as such, under European law. Among other things, its “Always Online” service hosts various website resources even when the site’s servers go offline.

This means that unlike an ISP, which merely passes on traffic, Cloudflare can be held liable for the infringements of its customers, if it deliberately fails to respond properly to copyright takedown notices or similar complaints.

Interestingly, most of the pirate sites listed in the complaint are still online today. Some are redirecting to new domains, but Italiaserie.org is still operational using Cloudflare. We couldn’t see any RTI content on the site, however.

According to RTI’s attorney Alessandro La Rosa, Cloudflare would violate the court order if any of the mentioned sites make RTI content available through its service. This would mean that Cloudflare is liable to pay €1,000 per day.

The ruling from the Court of Rome can’t be appealed and there are also two similar proceedings against the company before the same Court. These were filed by RTI and Medusa Film (both companies of the Mediaset Group) and remain ongoing.

Cloudflare did not immediately reply to our request for comment.

The full list of affected domains as mentioned in the complaint reads as follows: filmpertutti.uno, piratestreaming.watch, cinemalibero.red, altadefinizione.review, guardaserie.watch, serietvu.club, casacinema.news, italiaserie.org, italiaserie.tv, cinemasubito.org, and ctrlhits.online.


RIAA Targets 14 New Sites in Campaign Against YouTube-Rippers & Piracy

Post Syndicated from Andy original https://torrentfreak.com/riaa-targets-14-new-sites-in-campaign-against-youtube-rippers-piracy-190606/

For some time, the world’s leading record labels have complained that YouTube doesn’t pay the going rate for musical content streamed to its users.

However, when consumers use so-called YouTube-ripping sites to obtain content, it’s claimed that the position worsens. By obtaining music in this fashion, users are able to keep local libraries which further deplete YouTube hits and by extension, revenue generated by the labels.

To plug this hole, the RIAA is working to identify the operators of leading YouTube-ripping platforms. Via DMCA subpoenas, the industry group has been forcing CDN service Cloudflare and domain registries such as NameCheap to hand over the personal details of the people behind these tools.

Two new DMCA subpoenas, obtained by the RIAA in recent days, reveal an apparent escalation in this activity. Mainly targeting Cloudflare but in one instance also NameCheap, the RIAA demands private information relating to several sites.

10Convert.com

With around two million visitors per month (SimilarWeb stats), this platform has a prime focus on YouTube-ripping. The majority of its traffic comes from Brazil (69%), with the United States accounting for a little over 2% of its users.

Amoyshare.com

Enjoying around 4.6m visits per month with most of its visitors coming from the United States (15%), this platform’s focus is offering downloadable tools that enable users to grab videos and music from a wide range of platforms.

However, Amoyshare also offers “AnyUTube”, an online converter which is the element the RIAA is complaining about.

Anything2MP3.cc

This site, which enjoys a relatively low 300,000 visits per month, appears to be dual-use. While it is possible to download content from YouTube, Anything2MP3 also offers users the ability to convert their own audio files in the browser.

IMP3Juices.com

With around six million visits per month, this platform is one of the more popular ones targeted by the RIAA. Around 12.5% of the site’s traffic comes from Italy, with the US following behind with just under 10%.

The site functions like a ‘pirate’ download portal, with users able to search for artists and download tracks. However, the RIAA provides a URL which reveals that the site also has a YouTube to MP4 conversion feature. Indeed, it seems possible that much of the site’s content is obtained from YouTube.

BigConverter.com

Down at the time of writing, possibly as a result of the subpoena, this site offered downloading functionality for a range of sites, from YouTube and Facebook through to Twitter, Vimeo, Vevo, Instagram, Dailymotion, Metacafe, VK, AOL, GoogleDrive and Soundcloud.

YouTubeMP4.to

Enjoying around 7.7 million visits per month, YouTubeMP4.to is a straightforward YouTube video downloader. Almost 23% of its traffic comes from the United States with the UK just behind at close to 11%.

QDownloader.net

This platform has perhaps the most comprehensive offering of those targeted. It claims to be able to download content from 800 sites, of which YouTube is just one. With more than 12 million visits per month, it’s not difficult to see why QDownloader has made it onto the RIAA’s hit list.

GenYouTube.net

Another big one, this multi-site downloader platform attracts around seven million visits per month. The majority of its traffic comes from India (14%), with the United States following behind with around 12%.

Break.TV

For reasons that aren’t immediately clear, YouTube and SoundCloud downloader Break.TV has lost a lot of its monthly traffic since late 2018. From a high edging towards three million visits per month, it now enjoys just over 1.6 million. Interestingly, the site says it must only be used to obtain Creative Commons licensed material.

MP3XD.com

In common with IMP3Juices.com, MP3XD.com appears to be focused on offering pirate MP3 downloads rather than straightforward ripping services. However, its content does appear to have been culled from YouTube.

Given that it defaults to Spanish, it seems to target Latin America. Indeed, with close to 10 million visits per month, almost a third hail from Mexico, with Venezuela and Argentina following behind.

DL-YouTube-MP3.net

This platform is a straightforward YouTube-ripping site, offering downloads of both video and audio content. It is one of the lower-trafficked sites on the list, with around 870,000 visits per month with most of its traffic (38%) coming from France.

ConvertBox.net

With around 150,000 visits, ConvertBox is the smallest platform targeted by the RIAA in this batch. It offers conversion features for YouTube, Vimeo, Facebook, and SoundCloud via its website and mobile apps. Around a fifth of its traffic comes from France.

Downloaders.io

Another multi-downloader, Downloaders.io offers tools to rip content from a number of platforms, YouTube included. Its traffic has been up and down since the start of the year but has averaged around 200K visits per month. Close to 30% of traffic hails from the United States.

Hexupload.net

A relative newcomer, this site doesn’t appear to fit into the ripping or general pirate site niche. Down at the time of writing, this 270,000 visit per month platform appears to have acted as a file upload site, from which users could generate revenue per download.

Cloudflare and NameCheap will now be required to hand over the personal details they have on the users behind all of these sites. As usual, that will include names, addresses, IP addresses, telephone numbers, email addresses, and more.

It isn’t clear what the RIAA has planned for these platforms but since the request was made by the group’s Vice-President Online Piracy, it doesn’t take much imagination to come up with a few ideas.

This latest move by the RIAA follows similar action against several other sites detailed in our earlier reports (1,2,3).

The RIAA’s letters to Cloudflare and NameCheap can be found here and here.


RIAA Subpoenas Target Yet Another Huge YouTube-Ripping Site

Post Syndicated from Andy original https://torrentfreak.com/riaa-subpoenas-target-yet-another-huge-youtube-ripping-site-190527/

According to the major labels, so-called YouTube-ripping sites are a major threat to their business models.

Visitors to these platforms are able to enter a YouTube URL and then download whatever content they want to their own machines. That may be video and audio, or audio alone.

Either way, users then have less of a reason to revisit YouTube for the same content, depriving both the labels and YouTube of revenue, the companies argue. It’s now becoming clear that the music industry, led by the RIAA, wants to do something about this issue.

The latest target for the RIAA is YouTube-ripping giant Y2Mate.com, which offers conversion and downloads of content hosted on Google’s platform. As seen in the screenshot below, it offers a familiar and convenient interface for users to carry out those tasks.

Screenshot of Y2Mate.com

It’s no surprise that Y2Mate now finds itself under the spotlight. According to SimilarWeb stats, the site is attracting huge and increasing volumes of users, making it a major player on the Internet, period.

Y2Mate currently attracts just short of 64 million visits every month, something which places it well within the top 900 most-visited sites in the United States.

However, around 89% of its traffic actually comes from other regions, so its rank on the global stage is even more impressive. SimilarWeb data indicates that it’s the 570th most-trafficked site in the world.

Y2Mate traffic stats: (SimilarWeb data)

To unmask the operator of this site, the RIAA has just applied for and obtained DMCA subpoenas at the United States District Court for the District of Columbia.

The first targets US-based CDN company Cloudflare and explains that the RIAA is concerned that Y2Mate is “offering recordings which are owned by one or more of our member companies and have not been authorized for this kind of use.”

The RIAA’s letter to Cloudflare lists three URLs where allegedly-infringing tracks can be downloaded. The tracks are ‘Never’ by Heart and ‘Let Me Be The One’ by Exposé (both 1985), plus the 1989 release ‘Don’t Wanna Fall In Love’ by Jane Child.

It’s not clear whether the RIAA has already sent Cloudflare a separate takedown notice, but the letter to the company notes that if it has, that was “merely meant to facilitate removal of the infringing material” and does not “suggest or imply” that the company can rely on its safe harbor protections under the DMCA.

In any event, the RIAA is clear about why it obtained the subpoena.

“The purpose for which this subpoena is sought is to obtain the identities of the individuals assigned to [Y2Mate] who have reproduced and have offered for distribution our members’ copyrighted sound recordings without their authorization,” the music group notes.

The letter sent to NameCheap has the same substance and also specifically demands the “name, physical address, IP address, IP address, telephone number, e-mail address, payment information, account updates and account history” of Y2Mate’s operator.

Both Cloudflare and NameCheap are further asked to consider the “widespread and repeated infringing nature” of Y2Mate and whether that constitutes a violation of the companies’ repeat-infringer policies.

According to the Y2Mate site, however, the platform believes it is operating within the law.

Referring to itself as ‘Muvi’, a statement notes that its only purpose is to “create a copy of downloadable online-content for the private use of the user (‘fair use’)” and the user bears full responsibility for all actions related to the data.

“Muvi does not grant any rights to the contents, as it only acts as a technical service provider,” the Y2Mate copyright page reads.

Just last week, the RIAA targeted another YouTube-ripping site, YouTubNow, with a similar subpoena. Within hours of our report, the site went down, ostensibly for maintenance.

TF previously reported that the RIAA is targeting several other ‘pirate’ sites that use Cloudflare. Similar action is also being aimed at file-hosting platform NoFile.

The RIAA’s letters to Cloudflare and NameCheap can be found here and here (pdf).


RIAA Obtains Subpoena to Expose ‘Infringing’ Cloudflare Users

Post Syndicated from Ernesto original https://torrentfreak.com/riaa-obtains-subpoena-to-expose-infringing-cloudflare-users-180506/

Despite the increased availability of legal options, millions of people still stream, rip, or download MP3s from unofficial sources.

These sites are a thorn in the side of the RIAA, one of the music industry’s leading anti-piracy outfits. 

The RIAA has a long history of going after what it sees as pirate sites. The problem, however, is that many owners of such sites operate anonymously. The group therefore often has to turn to third-party intermediaries to find out more.

While some services may be willing to voluntarily share information with the music industry group, many don’t. Cloudflare falls into the latter category. While the CDN service does voluntarily reveal the true hosting locations of some of its users, it doesn’t share any personal info. At least, not without a subpoena. 

Luckily for rightsholders, getting a subpoena isn’t very hard in the US. Under the DMCA, copyright holders only have to ask a court clerk for a signature to be able to demand the personal information of alleged copyright infringers. That’s exactly what the RIAA did last week. 

In a letter sent by Mark McDevitt, the RIAA’s vice president of online anti-piracy, the music group informs Cloudflare that it requests personal details including names, addresses and payment information relating to the operators of six domains, which are all Cloudflare users. 

The domains/URLs

The domains in question include those connected to the file-hosting site DBREE, music release site RapGodFathers, file-host AyeFiles, and music download portal Plus Premieres. The sites are accused of sharing copyrighted tracks from artists such as Pink, Drake, and Taylor Swift.

“We have determined that users of your system or network have infringed our member record companies’ copyrighted sound recordings. Enclosed is a subpoena compliant with the Digital Millennium Copyright Act,” the RIAA’s McDevitt writes.

“As is stated in the attached subpoena, you are required to disclose to the RIAA information sufficient to identify the infringers. This would include the individuals’ names, physical addresses, IP addresses, telephone numbers, e-mail addresses, payment information, account updates and account history.”

The RIAA stresses that the mentioned files are offered without permission and it asks Cloudflare to consider the widespread and repeated infringing nature of the sites and whether these warrant a termination under its repeat infringer policy. 

From the letter RIAA sent to Cloudflare

At the time of writing the sites are still using Cloudflare’s services. However, the allegedly infringing files are no longer available. These were presumably removed by the site owners.

There is no obvious connection between all the targeted sites. However, RapGodFathers is a familiar name when it comes to anti-piracy enforcement. Nearly ten years ago, the site was targeted by the U.S. Government, but the name is still around today.  

It is unclear what RIAA plans to do with the requested information. It could form the basis of a legal complaint, but the music group may also use it to contact the site operators more directly. The letter only mentions that the information will be used to protect the rights of RIAA member companies.

“The purpose for which this subpoena is sought is to obtain the identities of the individuals assigned to these websites who have reproduced and have offered for distribution our members’ copyrighted sound recordings without their authorization.

“This information will only be used for the purposes of protecting the rights granted to our members, the sound recording copyright owner, under Title II of the Digital Millennium Copyright Act,” the letter adds.

What this “protection” entails remains a mystery for now. 

While the court clerk signed the DMCA subpoena, Cloudflare still has the option to object, by asking the court to quash it. However, thus far there are no signs that the company plans to do so.

A copy of the letter RIAA sent to Cloudflare, obtained by TorrentFreak, is available here (pdf).


DNS over HTTPS in Firefox

Post Syndicated from corbet original https://lwn.net/Articles/756262/rss

The Mozilla blog has an article describing the addition of DNS over HTTPS (DoH) as an optional feature in the Firefox browser. “DoH support has been added to Firefox 62 to improve the way Firefox interacts with DNS. DoH uses encrypted networking to obtain DNS information from a server that is configured within Firefox. This means that DNS requests sent to the DoH cloud server are encrypted while old style DNS requests are not protected.” The configured server is hosted by Cloudflare, which has posted this privacy agreement about the service.

Sci-Hub ‘Pirate Bay For Science’ Security Certs Revoked by Comodo

Post Syndicated from Andy original https://torrentfreak.com/sci-hub-pirate-bay-for-science-security-certs-revoked-by-comodo-ca-180503/

Sci-Hub is often referred to as the “Pirate Bay of Science”. Like its namesake, it offers masses of unlicensed content for free, mostly against the wishes of copyright holders.

While The Pirate Bay will index almost anything, Sci-Hub is dedicated to distributing tens of millions of academic papers and articles, something which has turned itself into a target for publishing giants like Elsevier.

Sci-Hub and its Kazakhstan-born founder Alexandra Elbakyan have been under sustained attack for several years but more recently have been fending off an unprecedented barrage of legal action initiated by the American Chemical Society (ACS), a leading source of academic publications in the field of chemistry.

After winning a default judgment for $4.8 million in copyright infringement damages last year, ACS was further granted a broad injunction.

It required various third-party services (including domain registries, hosting companies and search engines) to stop facilitating access to the site. This plunged Sci-Hub into a game of domain whac-a-mole, one that continues to this day.

Determined to head Sci-Hub off at the pass, ACS obtained additional authority to tackle the evasive site and any new domains it may register in the future.

While Sci-Hub has been hopping around domains for a while, this week a new development appeared on the horizon. Visitors to some of the site’s domains were greeted with errors indicating that the domains’ security certificates had been revoked.

Tests conducted by TorrentFreak revealed clear revocations on Sci-Hub.hk and Sci-Hub.nz, both of which returned the error ‘NET::ERR_CERT_REVOKED’.

Certificate revoked

These certificates were first issued and then revoked by Comodo CA, the world’s largest certification authority. TF contacted the company, which confirmed that it had been forced to take action against Sci-Hub.

“In response to a court order against Sci-Hub, Comodo CA has revoked four certificates for the site,” Jonathan Skinner, Director, Global Channel Programs at Comodo CA informed TorrentFreak.

“By policy Comodo CA obeys court orders and the law to the full extent of its ability.”

Comodo refused to confirm any additional details, including whether these revocations were anything to do with the current ACS injunction. However, Susan R. Morrissey, Director of Communications at ACS, told TorrentFreak that the revocations were indeed part of ACS’ legal action against Sci-Hub.

“[T]he action is related to our continuing efforts to protect ACS’ intellectual property,” Morrissey confirmed.

Sci-Hub operates multiple domains (an up-to-date list is usually available on Wikipedia) that can be switched at any time. At the time of writing, the domain sci-hub.ga returns ‘ERR_SSL_VERSION_OR_CIPHER_MISMATCH’ while the .CN and .GS variants both have Comodo certificates that expired last year.

When TF first approached Comodo earlier this week, Sci-Hub’s certificates with the company hadn’t been completely wiped out. For example, the domain https://sci-hub.tw operated perfectly, with an active and non-revoked Comodo certificate.

Still in the game…but not for long

By Wednesday, however, the domain was returning the now-familiar “revoked” message.

These domain issues are the latest technical problems to hit Sci-Hub as a result of the ACS injunction. In February, Cloudflare terminated service to several of the site’s domains.

“Cloudflare will terminate your service for the following domains sci-hub.la, sci-hub.tv, and sci-hub.tw by disabling our authoritative DNS in 24 hours,” Cloudflare told Sci-Hub.

While ACS has certainly caused problems for Sci-Hub, the platform is extremely resilient and remains online.

The domains https://sci-hub.is and https://sci-hub.nu are fully operational with certificates issued by Let’s Encrypt, a free and open certificate authority supported by the likes of Mozilla, EFF, Chrome, Private Internet Access, and other prominent tech companies.

It’s unclear whether these certificates will be targeted in the future but Sci-Hub doesn’t appear to be in the mood to back down.


Some notes on memcached DDoS

Post Syndicated from Robert Graham original http://blog.erratasec.com/2018/03/some-notes-on-memcached-ddos.html

I thought I’d write up some notes on the memcached DDoS. Specifically, I describe how many I found scanning the Internet with masscan, and how to use masscan as a killswitch to neuter the worst of the attacks.

Test your servers

I added code to my port scanner for this, then scanned the Internet:
masscan 0.0.0.0/0 -pU:11211 --banners | grep memcached
This example scans the entire Internet (/0). Replace 0.0.0.0/0 with your own address range (or ranges).
This produces output that looks like this:
Banner on port 11211/udp on 172.246.132.226: [memcached] uptime=230130 time=1520485357 version=1.4.13
Banner on port 11211/udp on 89.110.149.218: [memcached] uptime=3935192 time=1520485363 version=1.4.17
Banner on port 11211/udp on 172.246.132.226: [memcached] uptime=230130 time=1520485357 version=1.4.13
Banner on port 11211/udp on 84.200.45.2: [memcached] uptime=399858 time=1520485362 version=1.4.20
Banner on port 11211/udp on 5.1.66.2: [memcached] uptime=29429482 time=1520485363 version=1.4.20
Banner on port 11211/udp on 103.248.253.112: [memcached] uptime=2879363 time=1520485366 version=1.2.6
Banner on port 11211/udp on 193.240.236.171: [memcached] uptime=42083736 time=1520485365 version=1.4.13
The “banners” check keeps only hosts that return a valid memcached response, so you don’t get other stuff that isn’t memcached. To filter this output further, use ‘cut’ to grab just column 6 (the address, with the trailing colon removed):
… | cut -d ' ' -f 6 | cut -d: -f1
You often get multiple responses to just one query, so you’ll want to sort/uniq the list:
… | sort | uniq

My results from an Internet wide scan

I got 15181 results (or roughly 15,000).
People are using Shodan to find a list of memcached servers. They might be getting a lot of results back that respond to TCP instead of UDP. Only UDP can be used for the attack.

Other researchers scanned the Internet a few days ago and found ~31k. I don’t know if this means people have been removing these from the Internet.

Masscan as exploit script

BTW, you can not only use masscan to find amplifiers, you can also use it to carry out the DDoS. Simply import the list of amplifier IP addresses, then spoof the source address as that of the target. All the responses will go back to the source address.
masscan -iL amplifiers.txt -pU:11211 --spoof-ip --rate 100000
I point this out to show how there’s no magic in exploiting this. Numerous exploit scripts have been released, because it’s so easy.

Why memcached servers are vulnerable

Like many servers, memcached listens to local IP address 127.0.0.1 for local administration. By listening only on the local IP address, remote people cannot talk to the server.
However, this process is often buggy, and you end up listening on either 0.0.0.0 (all interfaces) or on one of the external interfaces. There’s a common Linux network stack issue where this keeps happening, like trying to get VMs connected to the network. I forget the exact details, but the point is that lots of servers that intend to listen only on 127.0.0.1 end up listening on external interfaces instead. It’s not a good security barrier.
Thus, there are lots of memcached servers listening on their control port (11211) on external interfaces.

How the protocol works

The protocol is documented here. It’s pretty straightforward.
The easiest amplification attack is to send the “stats” command. This is a 15-byte UDP packet that causes the server to send back a large response full of statistics about the server. You often see around 10 kilobytes of response across several packets.
A harder, but more effective, attack uses a two-step process. You first use the “add” or “set” commands to put chunks of data into the server, then send a “get” command to retrieve it. You can easily put 100 megabytes of data into the server this way, and then cause its retrieval with a single “get” command.
That’s why this has been the largest amplification ever: a single 100-byte packet can in theory cause a 100-megabyte response.
Doing the math, the 1.3 terabit/second DDoS divided across the 15,000 servers I found vulnerable on the Internet leads to an average of 100-megabits/second per server. This is fairly minor, and is indeed something even small servers (like Raspberry Pis) can generate.

Neutering the attack (“kill switch”)

If they are using the more powerful attack against you, you can neuter it: you can send a “flush_all” command back at the servers who are flooding you, causing them to drop all those large chunks of data from the cache.
I’m going to describe how I would do this.
First, get a list of attackers, meaning the amplifiers that are flooding you. The way to do this is to grab a packet sniffer and capture all packets with a source port of 11211. Here is an example using tcpdump (replace <interface> with the interface facing the flood):
tcpdump -i <interface> -w attackers.pcap src port 11211
Let that run for a while, then hit [ctrl-c] to stop, then extract the list of IP addresses in the capture file. The way I do this is with tshark (comes with Wireshark):
tshark -r attackers.pcap -T fields -e ip.src | sort | uniq > amplifiers.txt
Now, craft a flush_all payload. There are many ways of doing this. For example, if you are using nmap or masscan, you can add the bytes to the nmap-payloads.txt file. Also, masscan can read this directly from a packet capture file. To do this, first craft a packet, such as with the following command line foo:
echo -en "\x00\x00\x00\x00\x00\x01\x00\x00flush_all\r\n" | nc -q1 -u <memcached-server> 11211
Capture this packet using tcpdump or something, and save into a file “flush_all.pcap”. If you want to skip this step, I’ve already done this for you, go grab the file from GitHub:
Now that we have our list of attackers (amplifiers.txt) and a payload to blast at them (flush_all.pcap), use masscan to send it:
masscan -iL amplifiers.txt -pU:11211 --pcap-payload flush_all.pcap
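To make the protocol framing and the “list the amplifiers” step concrete, here is an added example (my own code, not from the post or from masscan) that builds the 8-byte memcached UDP header, parses datagrams the way a sniffer would hand them over, reassembles multi-packet replies, and reports each sender’s volume and amplification factor relative to the 15-byte “stats” request. The sample capture is constructed, using documentation address ranges rather than real hosts.

```python
import struct
from collections import defaultdict

# memcached UDP frame header: request id, sequence number, total datagrams, reserved
UDP_HDR = struct.Struct("!HHHH")
MEMCACHED_PORT = 11211
STATS_REQUEST_LEN = 15                     # 8-byte header + b"stats\r\n", the packet the post describes
RESPONSE_BANNERS = (b"STAT ", b"VALUE ")   # first bytes of "stats" and "get" replies


def build_request(command, request_id=0):
    """Frame one ASCII memcached command as a single UDP datagram."""
    return UDP_HDR.pack(request_id, 0, 1, 0) + command + b"\r\n"


def parse_frame(datagram):
    """Split a memcached UDP datagram into (request_id, seq, total, body)."""
    if len(datagram) < UDP_HDR.size:
        raise ValueError("datagram shorter than the memcached UDP header")
    request_id, seq, total, _reserved = UDP_HDR.unpack_from(datagram)
    return request_id, seq, total, datagram[UDP_HDR.size:]


def summarize_amplifiers(packets):
    """
    packets: iterable of (src_ip, src_port, payload) as a sniffer would deliver them.
    Groups datagrams from source port 11211 by sender and request id, keeps only replies
    whose first fragment carries a memcached banner, and reports per-sender volume and the
    amplification factor relative to a 15-byte "stats" request.
    """
    per_host = defaultdict(dict)
    for src_ip, src_port, payload in packets:
        if src_port != MEMCACHED_PORT:
            continue                       # not memcached traffic
        try:
            request_id, seq, total, body = parse_frame(payload)
        except ValueError:
            continue                       # truncated datagram, ignore
        resp = per_host[src_ip].setdefault(request_id, {"total": total, "parts": {}, "bytes": 0})
        resp["parts"][seq] = body          # fragments may arrive out of order
        resp["bytes"] += len(payload)

    summary = {}
    for ip, responses in per_host.items():
        genuine = [r for r in responses.values()
                   if 0 in r["parts"] and r["parts"][0].startswith(RESPONSE_BANNERS)]
        if not genuine:
            continue                       # e.g. only "ERROR\r\n" replies: not amplifying
        total_bytes = sum(r["bytes"] for r in genuine)
        summary[ip] = {
            "responses": len(genuine),
            "complete": sum(1 for r in genuine if len(r["parts"]) == r["total"]),
            "bytes": total_bytes,
            "amplification": round(total_bytes / (len(genuine) * STATS_REQUEST_LEN), 1),
        }
    return summary


def amplifier_list(summary):
    """Sorted unique sender IPs, the equivalent of `tshark ... | sort | uniq`."""
    return sorted(summary)


# Constructed sample capture (documentation address ranges, not real hosts).
STATS_PART0 = b"STAT pid 1234\r\nSTAT uptime 230130\r\n"
STATS_PART1 = b"STAT version 1.4.13\r\nEND\r\n"
GET_REPLY = b"VALUE k 0 4\r\nabcd\r\nEND\r\n"
SAMPLE_PACKETS = [
    ("198.51.100.7", 11211, UDP_HDR.pack(1, 1, 2, 0) + STATS_PART1),  # second fragment arrives first
    ("192.0.2.5", 53, b"\x12\x34\x81\x80"),                            # DNS reply, ignored by port
    ("198.51.100.7", 11211, UDP_HDR.pack(1, 0, 2, 0) + STATS_PART0),
    ("203.0.113.9", 11211, UDP_HDR.pack(7, 0, 1, 0) + GET_REPLY),
    ("203.0.113.9", 11211, UDP_HDR.pack(8, 0, 1, 0) + b"ERROR\r\n"),  # not an amplifying reply
]

if __name__ == "__main__":
    print(build_request(b"stats").hex(), len(build_request(b"stats")), "bytes")
    for ip, info in summarize_amplifiers(SAMPLE_PACKETS).items():
        print(ip, info)
```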

Reportedly, “shutdown” may also work to completely shut down the amplifiers. I’ll leave that as an exercise for the reader, since of course you’ll be adversely affecting the servers.

Some notes

Here is some good reading on this attack:

New DDoS Reflection-Attack Variant

Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2018/03/new_ddos_reflec.html

This is worrisome:

DDoS vandals have long intensified their attacks by sending a small number of specially designed data packets to publicly available services. The services then unwittingly respond by sending a much larger number of unwanted packets to a target. The best known vectors for these DDoS amplification attacks are poorly secured domain name system resolution servers, which magnify volumes by as much as 50 fold, and network time protocol, which increases volumes by about 58 times.

On Tuesday, researchers reported attackers are abusing a previously obscure method that delivers attacks 51,000 times their original size, making it by far the biggest amplification method ever used in the wild. The vector this time is memcached, a database caching system for speeding up websites and networks. Over the past week, attackers have started abusing it to deliver DDoSes with volumes of 500 gigabits per second and bigger, DDoS mitigation service Arbor Networks reported in a blog post.

Cloudflare blog post. BoingBoing post.

EDITED TO ADD (3/9): Brian Krebs covered this.

AskRob: Does Tor let government peek at vuln info?

Post Syndicated from Robert Graham original http://blog.erratasec.com/2018/03/askrob-does-tor-let-government-peek-at.html

On Twitter, somebody asked this question:

The question is about a blog post that claims Tor privately tips off the government about vulnerabilities, using as proof a “vulnerability” from October 2007 that wasn’t made public until 2011.
The tl;dr is that it’s bunk. There was no vulnerability; it was a feature request. The details were already public. There was no spy agency involved, only the agency that runs Voice of America, which tries to protect activists under foreign repressive regimes.

Discussion

The issue is that Tor traffic looks like Tor traffic, making it easy to block/censor, or worse, identify users. Over the years, Tor has added features to make it look more and more like normal traffic, like the encrypted traffic used by Facebook, Google, and Apple. Tor improves this bit by bit over time, but short of actually piggybacking on website traffic, it will always leave some telltale signature.
An example showing how we can distinguish Tor traffic is the packet below, from the latest version of the Tor server:
Had this been Google or Facebook, the names would be something like “www.google.com” or “facebook.com”. Or, had this been a normal “self-signed” certificate, the names would still be recognizable. But Tor creates randomized names, with letters and numbers, making it distinctive. It’s hard to automate detection of this, because it’s only probably Tor (other self-signed certificates look like this, too), which means you’ll have occasional “false-positives”. But still, if you compare this to the pattern of traffic, you can reliably detect that Tor is happening on your network.
This has always been a known issue, since the earliest days. Google the search term “detect tor traffic”, and set your advanced search dates to before 2007, and you’ll see lots of discussion about this, such as this post for writing intrusion-detection signatures for Tor.
Among the things you’ll find is this presentation from 2006 where its creator (Roger Dingledine) talks about how Tor can be identified on the network with its unique network fingerprint. For a “vulnerability” they supposedly kept private until 2011, they were awfully darn public about it.
The above blogpost claims Tor kept this vulnerability secret until 2011 by citing this message. It’s because Levine doesn’t understand the terminology and is just blindly searching for an exact match for “TLS normalization”. Here’s an earlier proposed change for the long-term goal to “make our connection handshake look closer to a regular HTTPS [TLS] connection”, from February 2007. Here is another proposal from October 2007 on changing TLS certificates, from days after the email discussion (after they shipped the feature, presumably).
What we see here is a known problem from the very beginning of the project, a long-term effort to fix that problem, and a slow dribble of features added over time to preserve backwards compatibility.
Now let’s talk about the original train of emails cited in the blogpost. It’s hard to see the full context here, but it sounds like BBG made a feature request to make Tor look even more like normal TLS, which is hinted with the phrase “make our funders happy”. Of course the people giving Tor money are going to ask for improvements, and of course Tor would in turn discuss those improvements with the donor before implementing them. It’s common in project management: somebody sends you a feature request, you then send the proposal back to them to verify what you are building is what they asked for.
As for the subsequent salacious paragraph about “secrecy”, that too is normal. When fixing a problem, you don’t want to talk about the details until after you have a fix. But note that this is largely more for PR than anything else. The details on how to detect Tor are available to anybody who looks for them — they just aren’t readily accessible to the layman. For example, Tenable Networks announced the previous month exactly this ability to detect Tor’s traffic, because any techy wanting to would’ve found the secrets of how to. Indeed, Tenable’s announcement may have been the impetus for BBG’s request to Tor: “can you fix it so that this new Tenable feature no longer works”.
To be clear, there are zero secret “vulnerability details” here that some secret spy agency could use to detect Tor. They were already known, already in the Tenable product, and within the grasp of any techy who wanted to discover them. A spy agency could just buy Tenable, or copy it, instead of going through this intricate conspiracy.

Conclusion

The issue isn’t a “vulnerability”. Tor traffic is recognizable on the network, and over time, they make it less and less recognizable. Eventually they’ll just piggyback on true HTTPS and convince CloudFlare to host ingress nodes, or something, making it completely undetectable. In the meanwhile, it leaves behind fingerprints, as I showed above.
What we see in the email exchanges is the normal interaction of a donor asking for a feature, not a private “tip off”. It’s likely the donor is the one who tipped off Tor, pointing out Tenable’s product to detect Tor.
Whatever secrets Tor could have tipped off to the “secret spy agency” were no more than what Tenable was already doing in a shipping product.

Update: People are trying to make it look like Voice of America is some sort of intelligence agency. That’s a conspiracy theory. It’s not a member of the American intelligence community. You’d have to come up with a solid reason explaining why the United States is hiding VoA’s membership in the intelligence community, or you’d have to believe that everything in the U.S. government is really just some arm of the C.I.A.

SUPER game night 3: GAMES MADE QUICK??? 2.0

Post Syndicated from Eevee original https://eev.ee/blog/2018/01/23/super-game-night-3-games-made-quick-2-0/

Game night continues with a smorgasbord of games from my recent game jam, GAMES MADE QUICK??? 2.0!

The idea was to make a game in only a week while watching AGDQ, as an alternative to doing absolutely nothing for a week while watching AGDQ. (I didn’t submit a game myself; I was chugging along on my Anise game, which isn’t finished yet.)

I can’t very well run a game jam and not play any of the games, so here’s some of them in no particular order! Enjoy!

These are impressions, not reviews. I try to avoid major/ending spoilers, but big plot points do tend to leave impressions.

Weather Quest, by timlmul

short · rpg · jan 2017 · (lin)/mac/win · free on itch · jam entry

Weather Quest is its author’s first shipped game, written completely from scratch (the only vendored code is a micro OO base). It’s very short, but as someone who has also written LÖVE games completely from scratch, I can attest that producing something this game-like in a week is a fucking miracle. Bravo!

For reference, a week into my first foray, I think I was probably still writing my own Tiled importer like an idiot.

Only Mac and Windows builds are on itch, but it’s a LÖVE game, so Linux folks can just grab a zip from GitHub and throw that at love.

FINAL SCORE: ⛅☔☀

Pancake Numbers Simulator, by AnorakThePrimordial

short · sim · jan 2017 · lin/mac/win · free on itch · jam entry

Given a stack of N pancakes (of all different sizes and in no particular order), the Nth pancake number is the most flips you could possibly need to sort the pancakes in order with the smallest on top. A “flip” is sticking a spatula under one of the pancakes and flipping the whole sub-stack over. There’s, ah, a video embedded on the game page with some visuals.

Anyway, this game lets you simulate sorting a stack via pancake flipping, which is surprisingly satisfying! I enjoy cleaning up little simulated messes, such as… incorrectly-sorted pancakes, I guess?

This probably doesn’t work too well as a simulator for solving the general problem — you’d have to find an optimal solution for every permutation of N pancakes to be sure you were right. But it’s a nice interactive illustration of the problem, and if you know the pancake number for your stack size of choice (which I wish the game told you — for seven pancakes, it’s 8), then trying to restore a stack in that many moves makes for a nice quick puzzle.

FINAL SCORE: \(\frac{18}{11}\)
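Since the post leaves the pancake number as a stated fact (8 for seven pancakes), here is an added example (my own code, not the game’s) that reproduces the flip operation the simulator performs and computes P(n) by breadth-first search over all orderings; because a flip undoes itself, the search depth of a stack is exactly the fewest flips that sort it. Stacks are tuples with index 0 on top and 1 the smallest pancake.

```python
import math
from collections import deque


def flip(stack, k):
    """Slide the spatula under pancake k (index 0 is the top) and flip the sub-stack above it."""
    return stack[:k + 1][::-1] + stack[k + 1:]


def flip_distances(n):
    """
    Breadth-first search from the sorted stack over all n! orderings.
    A flip is its own inverse, so dist[s] is the fewest flips that sort stack s.
    """
    start = tuple(range(1, n + 1))            # 1 = smallest, on top
    dist = {start: 0}
    queue = deque([start])
    while queue:
        stack = queue.popleft()
        for k in range(1, n):                 # flipping only the top pancake changes nothing
            nxt = flip(stack, k)
            if nxt not in dist:
                dist[nxt] = dist[stack] + 1
                queue.append(nxt)
    assert len(dist) == math.factorial(n)     # every ordering is reachable
    return dist


def pancake_number(n):
    """P(n): the most flips any stack of n pancakes can need (the move budget for the puzzle)."""
    return max(flip_distances(n).values())


def min_flips(stack):
    """Optimal flip count for one specific stack, e.g. to check a solution in the simulator."""
    return flip_distances(len(stack))[tuple(stack)]


if __name__ == "__main__":
    print([pancake_number(n) for n in range(1, 8)])   # the last entry is 8, for seven pancakes
    print(min_flips((3, 1, 2)))
```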

Framed Animals, by chridd

short · metroidvania · jan 2017 · web/win · free on itch · jam entry

The concept here was to kill the frames, save the animals, which is a delightfully literal riff on a long-running AGDQ/SGDQ donation incentive — people vote with their dollars to decide whether Super Metroid speedrunners go out of their way to free the critters who show you how to walljump and shinespark. Super Metroid didn’t have a showing at this year’s AGDQ, and so we have this game instead.

It’s rough, but clever, and I got really into it pretty quickly — each animal you save gives you a new ability (in true Metroid style), and you get to test that ability out by playing as the animal, with only that ability and no others, to get yourself back to the most recent save point.

I did, tragically, manage to get myself stuck near what I think was about to be the end of the game, so some of the animals will remain framed forever. What an unsatisfying conclusion.

Gravity feels a little high given the size of the screen, and like most tile-less platformers, there’s not really any way to gauge how high or long your jump is before you leap. But I’m only even nitpicking because I think this is a great idea and I hope the author really does keep working on it.

FINAL SCORE: $136,596.69

Battle 4 Glory, by Storyteller Games

short · fighter · jan 2017 · win · free on itch · jam entry

This is a Smash Bros-style brawler, complete with the four players, the 2D play area in a 3D world, and the random stage obstacles showing up. I do like the Smash style, despite not otherwise being a fan of fighting games, so it’s nice to see another game chase that aesthetic.

Alas, that’s about as far as it got — which is pretty far for a week of work! I don’t know what more to say, though. The environments are neat, but unless I’m missing something, the only actions at your disposal are jumping and very weak melee attacks. I did have a good few minutes of fun fruitlessly mashing myself against the bumbling bots, as you can see.

FINAL SCORE: 300%

Icnaluferu Guild, Year Sixteen, by CHz

short · adventure · jan 2017 · web · free on itch · jam entry

Here we have the first of several games made with bitsy, a micro game making tool that basically only supports walking around, talking to people, and picking up items.

I tell you this because I think half of my appreciation for this game is in the ways it wriggled against those limits to emulate a Zelda-like dungeon crawler. Everything in here is totally fake, and you can’t really understand just how fake unless you’ve tried to make something complicated with bitsy.

It’s pretty good. The dialogue is entertaining (the rest of your party develops distinct personalities solely through oneliners, somehow), the riffs on standard dungeon fare are charming, and the Link’s Awakening-esque perspective walls around the edges of each room are fucking glorious.

FINAL SCORE: 2 bits

The Lonely Tapes, by JTHomeslice

short · rpg · jan 2017 · web · free on itch · jam entry

Another bitsy entry, this one sees you play as a Wal— sorry, a JogDawg, which has lost its cassette tapes and needs to go recover them!

(A cassette tape is like a VHS, but for music.)

(A VHS is—)

I have the sneaking suspicion that I missed out on some musical in-jokes, due to being uncultured swine. I still enjoyed the game — it’s always clear when someone is passionate about the thing they’re writing about, and I could tell I was awash in that aura even if some of it went over my head. You know you’ve done good if someone from way outside your sphere shows up and still has a good time.

FINAL SCORE: Nine… Inch Nails? They’re a band, right? God I don’t know write your own damn joke

Pirate Kitty-Quest, by TheKoolestKid

short · adventure · jan 2017 · win · free on itch · jam entry

I completely forgot I’d even given “my birthday” and “my cat” as mostly-joking jam themes until I stumbled upon this incredible gem. I don’t think — let me just check here and — yeah no this person doesn’t even follow me on Twitter. I have no idea who they are?

BUT THEY MADE A GAME ABOUT ANISE AS A PIRATE, LOOKING FOR TREASURE

PIRATE. ANISE

PIRATE ANISE!!!

This game wins the jam, hands down. 🏆

FINAL SCORE: Yarr, eight pieces o’ eight

CHIPS Mario, by NovaSquirrel

short · platformer · jan 2017 · (lin/mac)/win · free on itch · jam entry

You see this? This is fucking witchcraft.

This game is made with MegaZeux. MegaZeux games look like THIS. Text-mode, bound to a grid, with two colors per cell. That’s all you get.

Until now, apparently?? The game is a tech demo of “unbound” sprites, which can be drawn on top of the character grid without being aligned to it. And apparently have looser color restrictions.

The collision is a little glitchy, which isn’t surprising for a MegaZeux platformer; I had some fun interactions with platforms a couple times. But hey, goddamn, it’s free-moving Mario, in MegaZeux, what the hell.

(I’m looking at the most recently added games on DigitalMZX now, and I notice that not only is this game in the first slot, but NovaSquirrel’s MegaZeux entry for Strawberry Jam last February is still in the seventh slot. RIP, MegaZeux. I’m surprised a major feature like this was even added if the community has largely evaporated?)

FINAL SCORE: n/a, disqualified for being probably summoned from the depths of Hell

d!¢< pic, by 573 Games

short · story · jan 2017 · web · free on itch · jam entry

This is a short story about not sending dick pics. It’s very short, so I can’t say much without spoiling it, but: you are generally prompted to either text something reasonable, or send a dick pic. You should not send a dick pic.

It’s a fascinating artifact, not because of the work itself, but because it’s so terse that I genuinely can’t tell what the author was even going for. And this is the kind of subject where the author was, surely, going for something. Right? But was it genuinely intended to be educational, or was it tongue-in-cheek about how some dudes still don’t get it? Or is it side-eying the player who clicks the obviously wrong option just for kicks, which is the same reason people do it for real? Or is it commentary on how “send a dick pic” is a literal option for every response in a real conversation, too, and it’s not that hard to just not do it — unless you are one of the kinds of people who just feels a compulsion to try everything, anything, just because you can? Or is it just a quick Twine and I am way too deep in this? God, just play the thing, it’s shorter than this paragraph.

I’m also left wondering when it is appropriate to send a dick pic. Presumably there is a correct time? Hopefully the author will enter Strawberry Jam 2 to expound upon this.

FINAL SCORE: 3½” 😉

Marble maze, by Shtille

short · arcade · jan 2017 · win · free on itch · jam entry

Ah, hm. So this is a maze navigated by rolling a marble around. You use WASD to move the marble, and you can also turn the camera with the arrow keys.

The trouble is… the marble’s movement is always relative to the world, not the camera. That means if you turn the camera 30° and then try to move the marble, it’ll move at a 30° angle from your point of view.

That makes navigating a maze, er, difficult.

Camera-relative movement is the kind of thing I take so much for granted that I wouldn’t even think to do otherwise, and I think it’s valuable to look at surprising choices that violate fundamental conventions, so I’m trying to take this as a nudge out of my comfort zone. What could you design in an interesting way that used world-relative movement? Probably not the player, but maybe something else in the world, as long as you had strong landmarks? Hmm.

FINAL SCORE: ᘔ

Refactor: flight, by fluffy

short · arcade · jan 2017 · lin/mac/win · free on itch · jam entry

Refactor is a game album, which is rather a lot what it sounds like, and Flight is one of the tracks. Which makes this a single, I suppose.

It’s one of those games where you move down an oddly-shaped tunnel trying not to hit the walls, but with some cute twists. Coins and gems hop up from the bottom of the screen in time with the music, and collecting them gives you points. Hitting a wall costs you some points and kills your momentum, but I don’t think outright losing is possible, which is great for me!

Also, the monk cycles through several animal faces. I don’t know why, and it’s very good. One of those odd but memorable details that sits squarely on the intersection of abstract, mysterious, and a bit weird, and refuses to budge from that spot.

The music is great too? Really chill all around.

FINAL SCORE: 🎵🎵🎵🎵

The Adventures of Klyde

short · adventure · jan 2017 · web · free on itch · jam entry

Another bitsy game, this one starring a pig (humorously symbolized by a giant pig nose with ears) who must collect fruit and solve some puzzles.

This is charmingly nostalgic for me — it reminds me of some standard fare in engines like MegaZeux, where the obvious things to do when presented with tiles and pickups were to make mazes. I don’t mean that in a bad way; the maze is the fundamental environmental obstacle.

A couple places in here felt like invisible teleport mazes I had to brute-force, but I might have been missing a hint somewhere. I did make it through with only a little trouble, but alas — I stepped in a bad warp somewhere and got sent to the upper left corner of the starting screen, which is surrounded by walls. So Klyde’s new life is being trapped eternally in a nowhere space.

FINAL SCORE: 19/20 apples

And more

That was only a third of the games, and I don’t think even half of the ones I’ve played. I’ll have to do a second post covering the rest of them? Maybe a third?

Or maybe this is a ludicrous format for commenting on several dozen games and I should try to narrow it down to the ones that resonated the most for Strawberry Jam 2? Maybe??

Physics cheats

Post Syndicated from Eevee original https://eev.ee/blog/2018/01/06/physics-cheats/

Anonymous asks:

something about how we tweak physics to “work” better in games?

Ho ho! Work. Get it? Like in physics…?

Hitboxes

“Hitbox” is perhaps not the most accurate term, since the shape used for colliding with the environment and the shape used for detecting damage might be totally different. They’re usually the same in simple platformers, though, and that’s what most of my games have been.

The hitbox is the biggest physics fudge by far, and it exists because of a single massive approximation that (most) games make: you’re controlling a single entity in the abstract, not a physical body in great detail.

That is: when you walk with your real-world meat shell, you perform a complex dance of putting one foot in front of the other, a motion you spent years perfecting. When you walk in a video game, you press a single “walk” button. Your avatar may play an animation that moves its legs back and forth, but since you’re not actually controlling the legs independently (and since simulating them is way harder), the game just treats you like a simple shape. Fairly often, this is a box, or something very box-like.

An Eevee sprite standing on faux ground; the size of the underlying image and the hitbox are outlined

Since the player has no direct control over the exact placement of their limbs, it would be slightly frustrating to have them collide with the world. This is especially true in cases like the above, where the tail and left ear protrude significantly out from the main body. If that Eevee wanted to stand against a real-world wall, she would simply tilt her ear or tail out of the way, so there’s no reason for the ear to block her from standing against a game wall. To compensate for this, the ear and tail are left out of the collision box entirely and will simply jut into a wall if necessary — a goofy affordance that’s so common it doesn’t even register as unusual. As a bonus (assuming this same box is used for combat), she won’t take damage from projectiles that merely graze past an ear.

(One extra consideration for sprite games in particular: the hitbox ought to be horizontally symmetric around the sprite’s pivot — i.e. the point where the entity is truly considered to be standing — so that the hitbox doesn’t abruptly move when the entity turns around!)

Corners

Treating the player (and indeed most objects) as a box has one annoying side effect: boxes have corners. Corners can catch on other corners, even by a single pixel. Real-world bodies tend to be a bit rounder and squishier and this can tolerate grazing a corner; even real-world boxes will simply rotate a bit.

Ah, but in our faux physics world, we generally don’t want conscious actors (such as the player) to rotate, even with a realistic physics simulator! Real-world bodies are made of parts that will generally try to keep you upright, after all; you don’t tilt back and forth much.

One way to handle corners is to simply remove them from conscious actors. A hitbox doesn’t have to be a literal box, after all. A popular alternative — especially in Unity where it’s a standard asset — is the pill-shaped capsule, which has semicircles/hemispheres on the top and bottom and a cylindrical body in 3D. No corners, no problem.

Of course, that introduces a new problem: now the player can’t balance precariously on edges without their rounded bottom sliding them off. Alas.

If you’re stuck with corners, then, you may want to use a corner bump, a term I just made up. If the player would collide with a corner, but the collision is only by a few pixels, just nudge them to the side a bit and carry on.

An Eevee sprite trying to move sideways into a shallow ledge; the game bumps her upwards slightly, so she steps onto it instead

When the corner is horizontal, this creates stairs! This is, more or less kinda, how steps work in Doom: when the player tries to cross from one sector into another, if the height difference is 24 units or less, the game simply bumps them upwards to the height of the new floor and lets them continue on.

Implementing this in a game without Doom’s notion of sectors is a little trickier. In fact, I still haven’t done it. Collision detection based on rejection gets it for free, kinda, but it’s not very deterministic and it breaks other things. But that’s a whole other post.

Gravity

Gravity is pretty easy. Everything accelerates downwards all the time. What’s interesting are the exceptions.

Jumping

Jumping is a giant hack.

Think about how actual jumping works: you tense your legs, which generally involves bending your knees first, and then spring upwards. In a platformer, you can just leap whenever you feel like it, which is nonsense. Also you go like twenty feet into the air?

Worse, most platformers allow variable-height jumping, where your jump is lower if you let go of the jump button while you’re in the air. Normally, one would expect to have to decide how much force to put into the jump beforehand.

But of course this is about convenience of controls: when jumping is your primary action, you want to be able to do it immediately, without any windup for how high you want to jump.

(And then there’s double jumping? Come on.)

Air control is a similar phenomenon: usually you’d jump in a particular direction by controlling how you push off the ground with your feet, but in a video game, you don’t have feet! You only have the box. The compromise is to let you control your horizontal movement to a limited degree in midair, even though that doesn’t make any sense. (It’s way more fun, though, and overall gives you more movement options, which are good to have in an interactive medium.)

Air control also exposes an obvious place that game physics collide with the realistic model of serious physics engines. I’ve mentioned this before, but: if you use Real Physics™ and air control yourself into a wall, you might find that you’ll simply stick to the wall until you let go of the movement buttons. Why? Remember, player movement acts as though an external force were pushing you around (and from the perspective of a Real™ physics engine, this is exactly how you’d implement it) — so air-controlling into a wall is equivalent to pushing a book against a wall with your hand, and the friction with the wall holds you in place. Oops.

Ground sticking

Another place game physics conflict with physics engines is with running to the top of a slope. On a real hill, of course, you land on top of the slope and are probably glad of it; slopes are hard to climb!

An Eevee moves to the top of a slope, and rather than step onto the flat top, she goes flying off into the air

In a video game, you go flying. Because you’re a box. With momentum. So you hit the peak and keep going in the same direction. Which is diagonally upwards.

Projectiles

To make them more predictable, projectiles generally aren’t subject to gravity, at least as far as I’ve seen. The real world does not have such an exemption. The real world imposes gravity even on sniper rifles, which in a video game are often implemented as an instant trace unaffected by anything in the world because the bullet never actually exists in the world.

Resistance

Ah. Welcome to hell.

Water

Water is an interesting case, and offhand I don’t know the gritty details of how games implement it. In the real world, water applies a resistant drag force to movement — and that force is proportional to the square of velocity, which I’d completely forgotten until right now. I am almost positive that no game handles that correctly. But then, in real-world water, you can push against the water itself for movement, and games don’t simulate that either. What’s the rough equivalent?

The Sonic Physics Guide suggests that Sonic handles it by basically halving everything: acceleration, max speed, friction, etc. When Sonic enters water, his speed is cut; when Sonic exits water, his speed is increased.

That last bit feels validating — I could swear Metroid Prime did the same thing, and built my own solution around it, but couldn’t remember for sure. It makes no sense, of course, for a jump to become faster just because you happened to break the surface of the water, but it feels fantastic.

The thing I did was similar, except that I didn’t want to add a multiplier in a dozen places when you happen to be underwater (and remember which ones need it to be squared, etc.). So instead, I calculate everything completely as normal, so velocity is exactly the same as it would be on dry land — but the distance you would move gets halved. The effect seems to be pretty similar to most platformers with water, at least as far as I can tell. It hasn’t shown up in a published game and I only added this fairly recently, so I might be overlooking some reason this is a bad idea.

(One reason that comes to mind is that velocity is now a little white lie while underwater, so anything relying on velocity for interesting effects might be thrown off. Or maybe that’s correct, because velocity thresholds should be halved underwater too? Hm!)

Notably, air is also a fluid, so it should behave the same way (just with different constants). I definitely don’t think any games apply air drag that’s proportional to the square of velocity.

Friction

Friction is, in my experience, a little handwaved. Probably because real-world friction is so darn complicated.

Consider that in the real world, we want very high friction on the surfaces we walk on — shoes and tires are explicitly designed to increase it, even. We move by bracing a back foot against the ground and using that to push ourselves forward, so we want the ground to resist our push as much as possible.

In a game world, we are a box. We move by being pushed by some invisible outside force, so if the friction between ourselves and the ground is too high, we won’t be able to move at all! That’s complete nonsense physically, but it turns out to be handy in some cases — for example, highish friction can simulate walking through deep mud, which should be difficult due to fluid drag and low friction.

But the best-known example of the fakeness of game friction is video game ice. Walking on real-world ice is difficult because the low friction means low grip; your feet are likely to slip out from under you, and you’ll simply fall down and have trouble moving at all. In a video game, you can’t fall down, so you have the opposite experience: you spend most of your time sliding around uncontrollably. Yet ice is so common in video games (and perhaps so uncommon in places I’ve lived) that I, at least, had never really thought about this disparity until an hour or so ago.

Game friction vs real-world friction

Real-world friction is a force. It’s the normal force (which is the force exerted by the object on the surface) times some constant that depends on how the two materials interact.

Force is mass times acceleration, and platformers often ignore mass, so friction ought to be an acceleration — applied against the object’s movement, but never enough to push it backwards.

I haven’t made any games where variable friction plays a significant role, but my gut instinct is that low friction should mean the player accelerates more slowly but has a higher max speed, and high friction should mean the opposite. I see from my own source code that I didn’t even do what I just said, so let’s defer to some better-made and well-documented games: Sonic and Doom.

In Sonic, friction is a fixed value subtracted from the player’s velocity (regardless of direction) each tic. Sonic has a fixed framerate, so the units are really pixels per tic squared (i.e. acceleration), multiplied by an implicit 1 tic per tic. So far, so good.

But Sonic’s friction only applies if the player isn’t pressing left or right. Hang on, that isn’t friction at all; that’s just deceleration! That’s equivalent to jogging to a stop. If friction were lower, Sonic would take longer to stop, but otherwise this is only tangentially related to friction.

(In fairness, this approach would decently emulate friction for non-conscious sliding objects, which are never going to be pressing movement buttons. Also, we don’t have the Sonic source code, and the name “friction” is a fan invention; the Sonic Physics Guide already uses “deceleration” to describe the player’s acceleration when turning around.)

Okay, let’s try Doom. In Doom, the default friction is 90.625%.

Hang on, what?

Yes, in Doom, friction is a multiplier applied every tic. Doom runs at 35 tics per second, so this is a multiplier of 0.032 per second. Yikes!

This isn’t anything remotely like real friction, but it’s much easier to implement. With friction as acceleration, the game has to know both the direction of movement (so it can apply friction in the opposite direction) and the magnitude (so it doesn’t overshoot and launch the object in the other direction). That means taking a semi-costly square root and also writing extra code to cap the amount of friction. With a multiplier, neither is necessary; just multiply the whole velocity vector and you’re done.

There are some downsides. One is that objects will never actually stop, since multiplying by 3% repeatedly will never produce a result of zero — though eventually the speed will become small enough to either slip below a “minimum speed” threshold or simply no longer fit in a float representation. Another is that the units are fairly meaningless: with Doom’s default friction of 90.625%, about how long does it take for the player to stop? I have no idea, partly because “stop” is ambiguous here! If friction were an acceleration, I could divide it into the player’s max speed to get a time.

All that aside, what are the actual effects of changing Doom’s friction? What an excellent question that’s surprisingly tricky to answer. (Note that friction can’t be changed in original Doom, only in the Boom port and its derivatives.) Here’s what I’ve pieced together.

Doom’s “friction” is really two values. “Friction” itself is a multiplier applied to moving objects on every tic, but there’s also a move factor which defaults to \(\frac{1}{32} = 0.03125\) and is derived from friction for custom values.

Every tic, the player’s velocity is multiplied by friction, and then increased by their speed times the move factor.

$$
v(n) = v(n - 1) \times \text{friction} + \text{speed} \times \text{move factor}
$$

Eventually, the reduction from friction will balance out the speed boost. That happens when \(v(n) = v(n – 1)\), so we can rearrange it to find the player’s effective max speed:

$$
v = v \times \text{friction} + \text{speed} \times \text{move factor} \\
v - v \times \text{friction} = \text{speed} \times \text{move factor} \\
v = \text{speed} \times \frac{\text{move factor}}{1 - \text{friction}}
$$

For vanilla Doom’s move factor of 0.03125 and friction of 0.90625, that becomes:

$$
v = \text{speed} \times \frac{\frac{1}{32}}{1 - \frac{29}{32}} = \text{speed} \times \frac{\frac{1}{32}}{\frac{3}{32}} = \frac{1}{3} \times \text{speed}
$$

Curiously, “speed” is three times the maximum speed an actor can actually move. Doomguy’s run speed is 50, so in practice he moves a third of that, or 16⅔ units per tic. (Of course, this isn’t counting SR40, a bug that lets Doomguy run ~40% faster than intended diagonally.)

So now, what if you change friction? Even more curiously, the move factor is calculated completely differently depending on whether friction is higher or lower than the default Doom amount:

$$
\text{move factor} = \begin{cases}
\frac{133 - 128 \times \text{friction}}{544} &\approx 0.244 - 0.235 \times \text{friction} & \text{ if } \text{friction} \ge \frac{29}{32} \\
\frac{81920 \times \text{friction} - 70145}{1048576} &\approx 0.078 \times \text{friction} - 0.067 & \text{ otherwise }
\end{cases}
$$

That’s pretty weird? Complicating things further is that low friction (which means muddy terrain, remember) has an extra multiplier on its move factor, depending on how fast you’re already going — the idea is apparently that you have a hard time getting going, but it gets easier as you find your footing. The extra multiplier maxes out at 8, which makes the two halves of that function meet at the vanilla Doom value.

A graph of the relationship between friction and move factor

That very top point corresponds to the move factor from the original game. So no matter what you do to friction, the move factor becomes lower. At 0.85 and change, you can no longer move at all; below that, you move backwards.

From the formula above, it’s easy to see what changes to friction and move factor will do to Doomguy’s stable velocity. Move factor is in the numerator, so increasing it will increase stable velocity — but it can’t increase, so stable velocity can only ever decrease. Friction is in the denominator, but it’s subtracted from 1, so increasing friction will make the denominator a smaller value less than 1, i.e. increase stable velocity. Combined, we get this relationship between friction and stable velocity.

A graph showing stable velocity shooting up dramatically as friction increases

As friction approaches 1, stable velocity grows without bound. This makes sense, given the definition of \(v(n)\) — if friction is 1, the velocity from the previous tic isn’t reduced at all, so we just keep accelerating freely.

All of this is why I’m wary of using multipliers.

Anyway, this leaves me with one last question about the effects of Doom’s friction: how long does it take to reach stable velocity? Barring precision errors, we’ll never truly reach stable velocity, but let’s say within 5%. First we need a closed formula for the velocity after some number of tics. This is a simple recurrence relation, and you can write a few terms out yourself if you want to be sure this is right.

$$
v(n) = v_0 \times \text{friction}^n + \text{speed} \times \text{move factor} \times \frac{\text{friction}^n - 1}{\text{friction} - 1}
$$

Our initial velocity is zero, so the first term disappears. Set this equal to the stable formula and solve for n:

$$
\text{speed} \times \text{move factor} \times \frac{\text{friction}^n - 1}{\text{friction} - 1} = (1 - 5\%) \times \text{speed} \times \frac{\text{move factor}}{1 - \text{friction}} \\
\text{friction}^n - 1 = -(1 - 5\%) \\
n = \frac{\ln 5\%}{\ln \text{friction}}
$$

“Speed” and move factor disappear entirely, which makes sense, and this is purely a function of friction (and how close we want to get). For vanilla Doom, that comes out to 30.4, which is a little less than a second. For other values of friction:

A graph of time to stability which leaps upwards dramatically towards the right

As friction increases (which in Doom terms means the surface is more slippery), it takes longer and longer to reach stable speed, which is in turn greater and greater. For lesser friction (i.e. mud), stable speed is lower, but reached fairly quickly. (Of course, the extra “getting going” multiplier while in mud adds some extra time here, but including that in the graph is a bit more complicated.)

I think this matches with my instincts above. How fascinating!
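The Doom friction model worked through above, as an added example (not code from the post or from Doom/Boom): it runs the per-tic recurrence, checks it against the closed form and the stable-velocity formula, evaluates the piecewise move factor for custom friction, and contrasts the multiplier with the capped-acceleration model from earlier in the section. The `mud_multiplier` argument is an assumed simplification of the speed-dependent “getting going” multiplier (1 to 8) rather than its actual formula.

```python
import math

# Vanilla Doom constants, as given in the text above.
FRICTION_DEFAULT = 29 / 32     # 0.90625, multiplies velocity every tic
MOVE_FACTOR_DEFAULT = 1 / 32   # 0.03125
TICS_PER_SECOND = 35

def move_factor(friction, mud_multiplier=1.0):
    """Boom-style move factor for a custom friction (piecewise formula above).
    mud_multiplier (1..8) is an assumed stand-in for the speed-dependent boost."""
    if friction >= FRICTION_DEFAULT:
        return (133 - 128 * friction) / 544
    return mud_multiplier * (81920 * friction - 70145) / 1048576

def stable_velocity(speed, friction, mf):
    """Fixed point of v = v * friction + speed * mf."""
    return speed * mf / (1 - friction)

def simulate(speed, friction, mf, tics, v0=0.0):
    """Run the per-tic recurrence literally."""
    v = v0
    for _ in range(tics):
        v = v * friction + speed * mf
    return v

def closed_form(speed, friction, mf, n, v0=0.0):
    """Closed form of the same recurrence after n tics."""
    return v0 * friction ** n + speed * mf * (friction ** n - 1) / (friction - 1)

def tics_to_stable(friction, tolerance=0.05):
    """Tics until velocity is within `tolerance` of stable; speed cancels out."""
    return math.log(tolerance) / math.log(friction)

def friction_as_acceleration(vx, vy, decel):
    """Contrast: friction as a capped deceleration opposing motion. It needs
    the magnitude (a square root) and a cap so it never reverses the object,
    but unlike the multiplier it reaches exactly zero."""
    mag = math.hypot(vx, vy)
    if mag <= decel:
        return 0.0, 0.0
    scale = (mag - decel) / mag
    return vx * scale, vy * scale

if __name__ == "__main__":
    print("stable:", stable_velocity(50, FRICTION_DEFAULT, MOVE_FACTOR_DEFAULT))
    n = tics_to_stable(FRICTION_DEFAULT)
    print(f"95% of stable after {n:.1f} tics = {n / TICS_PER_SECOND:.2f} s")
    for f in (0.85, 0.86, FRICTION_DEFAULT, 0.95):
        print(f"friction {f:.5f}: move factor {move_factor(f):.5f}")
```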

What’s that? This is way too much math and you hate it? Then don’t use multipliers in game physics.

Uh

That was a hell of a diversion!

I guess the goofiest stuff in basic game physics is really just about mapping player controls to in-game actions like jumping and deceleration; the rest consists of hacks to compensate for representing everything as a box.