
User Authentication Best Practices Checklist

Post Syndicated from Bozho original https://techblog.bozho.net/user-authentication-best-practices-checklist/

User authentication is functionality that every web application shares. We should have perfected it a long time ago, having implemented it so many times. And yet so many mistakes are made all the time.

Part of the reason for that is that the list of things that can go wrong is long. You can store passwords incorrectly, you can have vulnerable password reset functionality, you can expose your session to a CSRF attack, your session can be hijacked, etc. So I’ll try to compile a list of best practices regarding user authentication. The OWASP Top 10 is always something you should read, every year. But that might not be enough.

So, let’s start. I’ll try to be concise, but I’ll include as many of the related pitfalls as I can cover – e.g. what could go wrong with the user session after they log in:

  • Store passwords with bcrypt/scrypt/PBKDF2. No MD5 or SHA, as they are not good for password storing. Long salt (per user) is mandatory (the aforementioned algorithms have it built in). If you don’t and someone gets hold of your database, they’ll be able to extract the passwords of all your users. And then try these passwords on other websites.
  • Use HTTPS. Period. (Otherwise user credentials can leak through unprotected networks). Force HTTPS if the user opens a plain-text version.
  • Mark cookies as secure. Makes cookie theft harder.
  • Use CSRF protection (e.g. CSRF one-time tokens that are verified with each request). Frameworks have such functionality built-in.
  • Disallow framing (X-Frame-Options: DENY). Otherwise your website may be included in another website in a hidden iframe and “abused” through javascript.
  • Have a same-origin policy
  • Logout – let your users logout by deleting all cookies and invalidating the session. This makes usage of shared computers safer (yes, users should ideally use private browsing sessions, but not all of them are that savvy)
  • Session expiry – don’t have forever-lasting sessions. If the user closes your website, their session should expire after a while. “A while” may still be a big number depending on the service provided. For ajax-heavy websites you can have regular ajax-polling that keeps the session alive while the page stays open.
  • Remember me – implementing “remember me” (on this machine) functionality is actually hard due to the risks of a stolen persistent cookie. Spring-security uses this approach, which I think should be followed if you wish to implement more persistent logins.
  • Forgotten password flow – the forgotten password flow should rely on sending a one-time (or expiring) link to the user and asking for a new password when it’s opened. Auth0 explains it in this post and Postmark gives some best practices. How the link is formed is a separate discussion and there are several approaches. Store a password-reset token in the user profile table and then send it as a parameter in the link. Or do not store anything in the database, but send a few params: userId:expiresTimestamp:hmac(userId+expiresTimestamp). That way you have expiring links (rather than one-time links). The HMAC relies on a secret key, so the links can’t be spoofed. It seems there’s no consensus, as the OWASP guide has a slightly different approach.
  • One-time login links – this is an option used by Slack, which sends one-time login links instead of asking users for passwords. It relies on the fact that your email is well guarded and you have access to it all the time. If your service is not accessed too often, you can have that approach instead of (rather than in addition to) passwords.
  • Limit login attempts – brute-force through a web UI should not be possible; therefore you should block login attempts if they become too many. One approach is to just block them based on IP. The other one is to block them based on account attempted. (Spring example here). Which one is better – I don’t know. Both can actually be combined. Instead of fully blocking the attempts, you may add a captcha after, say, the 5th attempt. But don’t add the captcha for the first attempt – it is bad user experience.
  • Don’t leak information through error messages – you shouldn’t allow attackers to figure out if an email is registered or not. If an email is not found, upon login report just “Incorrect credentials”. On password reset, it may be something like “If your email is registered, you should have received a password reset email”. This is often at odds with usability – people don’t often remember the email they used to register, and the ability to check a number of them before getting in might be important. So this rule is not absolute, though it’s desirable, especially for more critical systems.
  • Make sure you use JWT only if it’s really necessary and be careful of the pitfalls.
  • Consider using a 3rd party authentication – OpenID Connect, OAuth by Google/Facebook/Twitter (but be careful with OAuth flaws as well). There’s an associated risk with relying on a 3rd party identity provider, and you still have to manage cookies, logout, etc., but some of the authentication aspects are simplified.
  • For high-risk or sensitive applications use 2-factor authentication. There’s a caveat with Google Authenticator though – if you lose your phone, you lose your accounts (unless there’s a manual process to restore it). That’s why Authy seems like a good solution for storing 2FA keys.
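Two of the items above can be demonstrated concretely: storing passwords with a per-user salt and a slow KDF, and the stateless userId:expiresTimestamp:hmac(...) reset link. The block below is an added example, not code from the post or from any library it mentions; it uses only the Python standard library, and the iteration count, the 16-byte salt, the record format and the in-memory RESET_SECRET are assumptions made for the demo.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

# ---- "Store passwords with bcrypt/scrypt/PBKDF2" ----
# PBKDF2-HMAC-SHA256 from the standard library. A fresh 16-byte random salt is
# generated per user and stored next to the hash, so two users with the same
# password get different records. (Assumption: tune the iteration count so one
# derivation costs roughly 100 ms on your hardware.)
PBKDF2_ITERATIONS = 600_000


def hash_password(password: str) -> str:
    """Return a self-describing record: 'pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>'."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iterations, salt_hex, hash_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest, bytes.fromhex(hash_hex))


# ---- "Forgotten password flow", the stateless variant from the post ----
# Token layout: userId:expiresTimestamp:hmac(userId + ":" + expiresTimestamp).
# Nothing is written to the database; the HMAC key is what stops anyone from
# forging a link or extending its expiry. (Assumption: in a real deployment the
# key comes from a secrets store, not from os.urandom at import time.)
RESET_SECRET = os.urandom(32)


def _is_ascii_digits(s: str) -> bool:
    return s.isascii() and s.isdigit() and len(s) > 0


def make_reset_token(user_id: int, ttl_seconds: int = 3600,
                     now: Optional[float] = None, secret: bytes = RESET_SECRET) -> str:
    """Build an expiring (not one-time) reset token for user_id."""
    expires = int((time.time() if now is None else now) + ttl_seconds)
    msg = f"{user_id}:{expires}".encode("ascii")
    tag = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return f"{user_id}:{expires}:{tag}"


def verify_reset_token(token: str, now: Optional[float] = None,
                       secret: bytes = RESET_SECRET) -> Optional[int]:
    """Return the user id if the token is well-formed, authentic and unexpired, else None."""
    parts = token.split(":")
    if len(parts) != 3:
        return None
    user_id, expires, tag = parts
    if not (_is_ascii_digits(user_id) and _is_ascii_digits(expires)):
        return None
    expected = hmac.new(secret, f"{user_id}:{expires}".encode("ascii"), hashlib.sha256).hexdigest()
    # Verify the MAC before trusting any field, and compare in constant time.
    # Both sides are encoded so a non-ASCII tag cannot make compare_digest raise.
    if not hmac.compare_digest(expected.encode("ascii"), tag.encode("utf-8")):
        return None
    current = time.time() if now is None else now
    if current >= int(expires):
        return None
    return int(user_id)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(verify_password("correct horse battery staple", record))  # True
    print(verify_password("wrong password", record))                # False
    token = make_reset_token(42, ttl_seconds=600)
    print(verify_reset_token(token))                                 # 42
    print(verify_reset_token(token, now=time.time() + 601))          # None (expired)
```

As the post notes, this gives expiring rather than one-time links: a token stays valid until its timestamp even after the password has been changed. A common way to close that gap without storing state is to mix something that changes on reset (for instance the current password hash) into the MAC input, so the link dies the moment it is used.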

I’m sure I’m missing something. And you see it’s complicated. Sadly we’re still at the point where the most common functionality – authenticating users – is so tricky and cumbersome, that you almost always get at least some of it wrong.

The post User Authentication Best Practices Checklist appeared first on Bozho's tech blog.

New – Machine Learning Inference at the Edge Using AWS Greengrass

Post Syndicated from Jeff Barr original https://aws.amazon.com/blogs/aws/new-machine-learning-inference-at-the-edge-using-aws-greengrass/

What happens when you combine the Internet of Things, Machine Learning, and Edge Computing? Before I tell you, let’s review each one and discuss what AWS has to offer.

Internet of Things (IoT) – Devices that connect the physical world and the digital one. The devices, often equipped with one or more types of sensors, can be found in factories, vehicles, mines, fields, homes, and so forth. Important AWS services include AWS IoT Core, AWS IoT Analytics, AWS IoT Device Management, and Amazon FreeRTOS, along with others that you can find on the AWS IoT page.

Machine Learning (ML) – Systems that can be trained using an at-scale dataset and statistical algorithms, and used to make inferences from fresh data. At Amazon we use machine learning to drive the recommendations that you see when you shop, to optimize the paths in our fulfillment centers, fly drones, and much more. We support leading open source machine learning frameworks such as TensorFlow and MXNet, and make ML accessible and easy to use through Amazon SageMaker. We also provide Amazon Rekognition for images and for video, Amazon Lex for chatbots, and a wide array of language services for text analysis, translation, speech recognition, and text to speech.

Edge Computing – The power to have compute resources and decision-making capabilities in disparate locations, often with intermittent or no connectivity to the cloud. AWS Greengrass builds on AWS IoT, giving you the ability to run Lambda functions and keep device state in sync even when not connected to the Internet.

ML Inference at the Edge
Today I would like to toss all three of these important new technologies into a blender! You can now perform Machine Learning inference at the edge using AWS Greengrass. This allows you to use the power of the AWS cloud (including fast, powerful instances equipped with GPUs) to build, train, and test your ML models before deploying them to small, low-powered, intermittently-connected IoT devices running in those factories, vehicles, mines, fields, and homes that I mentioned.

Here are a few of the many ways that you can put Greengrass ML Inference to use:

Precision Farming – With an ever-growing world population and unpredictable weather that can affect crop yields, the opportunity to use technology to increase yields is immense. Intelligent devices that are literally in the field can process images of soil, plants, pests, and crops, taking local corrective action and sending status reports to the cloud.

Physical Security – Smart devices (including the AWS DeepLens) can process images and scenes locally, looking for objects, watching for changes, and even detecting faces. When something of interest or concern arises, the device can pass the image or the video to the cloud and use Amazon Rekognition to take a closer look.

Industrial Maintenance – Smart, local monitoring can increase operational efficiency and reduce unplanned downtime. The monitors can run inference operations on power consumption, noise levels, and vibration to flag anomalies, predict failures, and detect faulty equipment.

Greengrass ML Inference Overview
There are several different aspects to this new AWS feature. Let’s take a look at each one:

Machine Learning Models – Precompiled TensorFlow and MXNet libraries, optimized for production use on the NVIDIA Jetson TX2 and Intel Atom devices, and development use on 32-bit Raspberry Pi devices. The optimized libraries can take advantage of GPU and FPGA hardware accelerators at the edge in order to provide fast, local inferences.

Model Building and Training – The ability to use Amazon SageMaker and other cloud-based ML tools to build, train, and test your models before deploying them to your IoT devices. To learn more about SageMaker, read Amazon SageMaker – Accelerated Machine Learning.

Model Deployment – SageMaker models can (if you give them the proper IAM permissions) be referenced directly from your Greengrass groups. You can also make use of models stored in S3 buckets. You can add a new machine learning resource to a group with a couple of clicks:

These new features are available now and you can start using them today! To learn more, read Perform Machine Learning Inference.

Jeff;


Austria: hard times for public service media

Post Syndicated from nellyo original https://nellyo.wordpress.com/2018/03/23/orf-2/

Austria’s new government is taking steps to strengthen its position in the media.

The public broadcaster with the largest audience in Austria – up to 4 million viewers out of a population of 8.7 million – is financed mainly through a levy that the government wants to abolish. Various ministers have stated that they do not approve of ORF’s funding model. The vice-chancellor is the most direct, calling ORF a place where lies become news. Terms such as fake news and lügenpresse (lying press) are applied to critical reporting, mirroring the way those in power in the USA use them.

ORF representatives see the attacks as part of the government’s attempts to gain greater political influence through the media sector. At the same time, media minister Blümel has announced publicly several times that the government intends to strengthen private radio and television media.

A broader picture of the worrying trends in Austria – from www.indexoncensorship.org.

Spanish Netflix Competitor Filmin Partnered With Leading Pirate Site

Post Syndicated from Ernesto original https://torrentfreak.com/spanish-netflix-competitor-partnered-leading-pirate-site-180310/

In 2011 Hollywood’s MPAA highlighted SeriesYonkis as one of the most prolific pirate sites on the Internet.

“With a worldwide Alexa rank of 855, Seriesyonkis.com is one the most visited websites in the world for locating and streaming unauthorized copies of motion picture and television content,” Hollywood’s industry group informed the US Government.

While the MPAA was calling for tough enforcement actions, film industry partners in Spain came up with a different plan. They signed an unprecedented deal with the pirate site in 2011, hoping to convert its users into paying customers.

The main figures in this unusual episode are Juan Carlos Tous, the founder of the legal streaming platform Filmin, and SeriesYonkis owner Alexis Hoepfner, who operated the pirate site under his company Burn Media.

With help from lawyer Andy Ramos they negotiated a unique deal that would ‘merge’ both businesses. According to local newspaper El Confidencial, which has seen a copy of the agreement, SeriesYonkis company would get a 23% stake in Filmin, on the condition that pirate links were replaced with legal ones within a set period.

The entire agreement was kept secret by a confidentiality clause, which worked well until a few days ago.

SeriesYonkis also made two loans of 250,000 euros available, which were convertible into shares. In addition to the above, Filmin also offered compensation for every pirate it converted, up to 10 euros per user that signed up for an annual subscription.

The agreement further stipulated that SeriesYonkis had to apologize for its pirate ways. Point five stressed that SeriesYonkis and other Burn Media sites had to “carry out communication and awareness actions so that the users of the websites understand the need to legally access audiovisual content.”

Interestingly, SeriesYonkis wasn’t planning to go down and let other pirate sites take its traffic. The agreement included a clause that obligated Filmin to spend 25,000 euros to shut down or reduce traffic to other pirate sites.

The episode took place when Spain was about to implement its Sinde law, which would make it hard for local pirate sites in a country that was considered a “safe haven” at the time. However, not everything went according to plan.

The Sinde law didn’t destroy all Spanish pirate sites and six months after signing the agreement, SeriesYonkis stopped deleting pirate links. Even worse, its owner launched several new pirate sites, such as SeriesCoco and SeriesKiwi.

Filmin’s founder was outraged and sent an email demanding answers.

“I would like to hear your opinion on the progress and explanation of your plan with SeriesCoco! I do not understand anything! I thought you were going to decrease, and I see that you are opening portals!! WTF!” Tous wrote.

The deal eventually fell apart. Filmin kept its shares and stopped paying for new referrals. SeriesYonkis’ company Burn Media filed a lawsuit to get back its money, but thus far that hasn’t happened.

According to an insider close to the deal, the idea was brilliant. SeriesYonkis reportedly earned millions of euros at the time, more than Filmin, and used this money to go legal and destroy the competition ahead of a tough new anti-piracy law.

“The pirate not only abandons its weapons, but is integrated into the industry, and uses capital earned from piracy to fight against it,” a source told El Confidencial.

“It was a winning deal for everyone,” another source added, regretting that it didn’t work out. “It was a very bold agreement, something unusual in this sector, that would have changed the scenario if it had worked.”

Today, roughly seven years after the agreement was set into motion, Filmin is one of the larger streaming platforms in Spain. SeriesYonkis is also still around, but was sold by Hoepfner in 2016 and no longer links to pirated content.

Source: TF, for the latest info on copyright, file-sharing, torrent sites and more. We also have VPN discounts, offers and coupons

BMG Wants Appeals Court to Rehear Cox Piracy Liability Case

Post Syndicated from Ernesto original https://torrentfreak.com/bmg-wants-appeals-court-to-rehear-cox-piracy-liability-case-180226/

Earlier this month, the Court of Appeals for the Fourth Circuit overturned the $25 million piracy liability verdict against Internet provider Cox.

The panel of three judges concluded that the district court made an error in its jury instruction and ordered a new trial.

The erroneous instruction said that the ISP could be found liable for contributory infringement if it “knew or should have known of such infringing activity.” The Court of Appeals agrees that based on the law, the “should have known” standard is too low.

As a result of the ruling, music publisher BMG Rights Management and Cox would have to go head to head again in a new trial. However, according to BMG, the Court of Appeals itself made a mistake.

A few days ago the copyright holder petitioned the court for a rehearing en banc, asking for a do-over before all the judges of a court.

The music publisher argues that the appeals court judges mistakenly reached their decision based on a legal principle that applies to “inducement” of liability, while BMG was pursuing a claim of “material contribution.”

“The panel’s unprecedented application of a heightened knowledge standard creates a conflict with decisions and pattern jury instructions from other circuits as well as with the common-law rules underlying contributory infringement.

“All of those recognize that BMG’s material-contribution theory requires only constructive knowledge,” BMG’s brief adds.

Even if the appeals court persists with its assertion that the liability standard is “willful blindness” rather than “should have known,” a new trial would not be warranted, according to the music publisher.

They point out that plenty of evidence was presented which proved that Cox was wilfully blind to the copyright infringements and describe the erroneous instruction as a “harmless error of the most benign kind.”

The music publisher’s request for a rehearing is supported by the RIAA, which filed an amicus curiae brief together with the National Music Publishers Association.

Both music industry groups back BMG’s arguments and ask the appeals court to consider a rehearing, stating that it would be in the best interests of artists, songwriters, and other rightsholders.

“The level of copyright infringement that takes place over the Internet is ‘staggering,’ and it is vital that copyright owners have effective mechanisms to address it. It is also critical that copyright owners can adequately address infringement that occurs in other contexts.

“If the panel’s decision is not corrected, it would threaten the very incentives of artists, songwriters, and others to create valuable works and distribute them to the public,” the RIAA and NMPA add.

For the RIAA the case is particularly important since it filed a similar lawsuit against Internet provider Grande Communications last year.

Given what’s at stake, we can assume that Cox will protest the request for a rehearing. And it wouldn’t be a big surprise if other telecommunications companies take the same position.

BMG’s petition is available here (pdf) and a copy of the RIAA/NMPA motion can be found here (pdf).


timeShift(GrafanaBuzz, 1w) Issue 35

Post Syndicated from Blogs on Grafana Labs Blog original https://grafana.com/blog/2018/02/23/timeshiftgrafanabuzz-1w-issue-35/

Welcome to TimeShift. This week’s timeShift will be abridged, as we’re busy putting the final touches on GrafanaCon EU. As I write this, we have 3 Angel tickets remaining, surpassing a registered 350 attendees. 100% of proceeds from these angel tickets will go to the EFF (Electronic Frontier Foundation), a nonprofit that defends our rights to digital privacy and free speech; a cause we’re very passionate about. You can snag these last tickets here.

Amazon GameLift FleetIQ and Spot Instances – Save up to 90% On Game Server Hosting

Post Syndicated from Jeff Barr original https://aws.amazon.com/blogs/aws/amazon-gamelift-fleetiq-and-spot-instances-save-up-to-90-on-game-server-hosting/

Amazon GameLift is a scalable, cloud-based runtime environment for session-based multiplayer games. You simply upload a build of your game, tell Amazon GameLift which type of EC2 instances you’d like to host it on, and sit back while Amazon GameLift takes care of setting up sessions and maintaining a suitably-sized fleet of EC2 instances. This automatic scaling allows you to accommodate demand that varies over time without having to keep compute resources in reserve during quiet periods.

Use Spot Instances
Last week we added a new feature to further decrease your per-player, per-hour costs when you host your game on Amazon GameLift. Before that launch, Amazon GameLift instances were always launched in On-Demand form. Instances of this type are always billed at fixed prices, as detailed on the Amazon GameLift Pricing page.

You can now make use of Amazon GameLift Spot Instances in your GameLift fleets. These instances represent unused capacity and have prices that rise and fall over time. While your results will vary, you may see savings of up to 90% when compared to On-Demand Instances.

While you can use Spot Instances as a simple money-saving tool, there are other interesting use cases as well. Every game has a life cycle, along with a cadre of loyal players who want to keep on playing until you finally unplug and decommission the servers. You could create an Amazon GameLift fleet comprised of low-cost Spot Instances and keep that beloved game up and running as long as possible without breaking the bank. Behind the scenes, an Amazon GameLift Queue will make use of both Spot and On-Demand Instances, balancing price and availability in an attempt to give you the best possible service at the lowest price.

As I mentioned earlier, Spot Instances represent capacity that is not in use by On-Demand Instances. When this capacity decreases, existing Spot Instances could be interrupted with two minutes of notification and then terminated. Fortunately, there’s a lot of capacity and terminations are, statistically speaking, quite rare. To reduce the frequency even further, Amazon GameLift Queues now include a new feature that we call FleetIQ.

FleetIQ is powered by historical pricing and termination data for Spot Instances. This data, in combination with a very conservative strategy for choosing instance types, further reduces the odds that any particular game will be notified and then interrupted. The onProcessTerminate callback in your game’s server process will be activated if the underlying Spot Instance is about to be interrupted. At that point you have two minutes to close out the game, save any logs, free up any resources, and otherwise wrap things up. While you are doing this, you can call GetTerminationTime to see how much time remains.

Creating a Fleet
To take advantage of Spot Instances and FleetIQ, you can use the Amazon GameLift console or API to set up Queues with multiple fleets of Spot and On-Demand Instances. By adding more fleets into each Queue, you give FleetIQ more options to improve latency, interruption rate, and cost. To start a new game session on an instance, FleetIQ first selects the region with the lowest latency for each player, then chooses the fleet with the lowest interruption rate and cost.

Let’s walk through the process. I’ll create a fleet of On-Demand Instances and a fleet of Spot Instances, in that order:

And:

I take a quick break while the fleets are validated and activated:

Then I create a queue for my game. I select the fleets as the destinations for the queue:

If I am building a game that will have a global user base, I can create fleets in additional AWS Regions and use a player latency policy so that game sessions will be created in a suitable region:

To learn more about how to use this feature, take a look at the Spot Fleet Integration Guide.

Now Available
You can use Amazon GameLift Spot Instance fleets to host your session-based games now! Take a look, give it a try, and let me know what you think.

If you are planning to attend GDC this year, be sure to swing by booth 1001. Check out our GDC 2018 site for more information on our dev day talks, classroom sessions, and in-booth demos.

Jeff;


Game Companies Oppose DMCA Exemption for ‘Abandoned’ Online Games

Post Syndicated from Ernesto original https://torrentfreak.com/game-companies-oppose-dmca-exemption-for-abandoned-online-games-180217/

There are a lot of things people are not allowed to do under US copyright law, but perhaps just as importantly there are exemptions.

The U.S. Copyright Office is currently considering whether or not to loosen the DMCA’s anti-circumvention provisions, which prevent the public from ‘tinkering’ with DRM-protected content and devices.

These provisions are renewed every three years after the Office hears various arguments from the public. One of the major topics on the agenda this year is the preservation of abandoned games.

The Copyright Office previously included game preservation exemptions to keep these games accessible. This means that libraries, archives, and museums can use emulators and other circumvention tools to make old classics playable.

Late last year several gaming fans including the Museum of Art and Digital Entertainment (the MADE), a nonprofit organization operating in California, argued for an expansion of this exemption to also cover online games. This includes games in the widely popular multiplayer genre, which require a connection to an online server.

“Although the Current Exemption does not cover it, preservation of online video games is now critical,” MADE wrote in its comment to the Copyright Office.

“Online games have become ubiquitous and are only growing in popularity. For example, an estimated fifty-three percent of gamers play multiplayer games at least once a week, and spend, on average, six hours a week playing with others online.”

This week, the Entertainment Software Association (ESA), which acts on behalf of prominent members including Electronic Arts, Nintendo and Ubisoft, opposed the request.

While they are fine with the current game-preservation exemption, expanding it to online games goes too far, they say. This would allow outsiders to recreate online game environments using server code that was never published in public.

It would also allow a broad category of “affiliates” to help with this which, according to the ESA, could include members of the public.

“The proponents characterize these as ‘slight modifications’ to the existing exemption. However they are nothing of the sort. The proponents request permission to engage in forms of circumvention that will enable the complete recreation of a hosted video game-service environment and make the video game available for play by a public audience.”

“Worse yet, proponents seek permission to deputize a legion of ‘affiliates’ to assist in their activities,” ESA adds.

The proposed changes would enable and facilitate infringing use, the game companies warn. They fear that outsiders such as MADE will replicate the game servers and allow the public to play these abandoned games, something games companies would generally charge for. This could be seen as direct competition.

MADE, for example, already charges the public to access its museum so they can play games. This can be seen as commercial use under the DMCA, ESA points out.

“Public performance and display of online games within a museum likewise is a commercial use within the meaning of Section 107. MADE charges an admission fee – ‘$10 to play games all day’.

“Under the authority summarized above, public performance and display of copyrighted works to generate entrance fee revenue is a commercial use, even if undertaken by a nonprofit museum,” the ESA adds.

The ESA also stresses that their members already make efforts to revive older games themselves. There is a vibrant and growing market for “retro” games, which games companies are motivated to serve, they say.

The games companies, therefore, urge the Copyright Office to keep the status quo and reject any exemptions for online games.

“In sum, expansion of the video game preservation exemption as contemplated by Class 8 is not a ‘modest’ proposal. Eliminating the important limitations that the Register provided when adopting the current exemption risks the possibility of wide-scale infringement and substantial market harm,” they write.

The Copyright Office will take all arguments into consideration before it makes a final decision. It’s clear that the wishes of game preservation advocates, such as MADE, are hard to unite with the interests of the game companies, so one side will clearly be disappointed with the outcome.

A copy of ESA’s submission is available here (pdf).


EFF Urges US Copyright Office To Reject Proactive ‘Piracy’ Filters

Post Syndicated from Andy original https://torrentfreak.com/eff-urges-us-copyright-office-to-reject-proactive-piracy-filters-180213/

Faced with millions of individuals consuming unlicensed audiovisual content from a variety of sources, entertainment industry groups have been seeking solutions closer to the roots of the problem.

As widespread site-blocking attempts to tackle ‘pirate’ sites in the background, greater attention has turned to legal platforms that host both licensed and unlicensed content.

Under current legislation, these sites and services can do business relatively comfortably due to the so-called safe harbor provisions of the US Digital Millennium Copyright Act (DMCA) and the European Union Copyright Directive (EUCD).

Both sets of legislation ensure that Internet platforms can avoid being held liable for the actions of others provided they themselves address infringement when they are made aware of specific problems. If a video hosting site has a copy of an unlicensed movie uploaded by a user, for example, it must be removed within a reasonable timeframe upon request from the copyright holder.

However, in both the US and EU there is mounting pressure to make it more difficult for online services to achieve ‘safe harbor’ protections.

Entertainment industry groups believe that platforms use the law to turn a blind eye to infringing content uploaded by users, content that is often monetized before being taken down. With this in mind, copyright holders on both sides of the Atlantic are pressing for more proactive regimes, ones that will see Internet platforms install filtering mechanisms to spot and discard infringing content before it can reach the public.

While such a system would be welcomed by rightsholders, Internet companies are fearful of a future in which they could be held more liable for the infringements of others. They’re supported by the EFF, who yesterday presented a petition to the US Copyright Office urging caution over potential changes to the DMCA.

“As Internet users, website owners, and online entrepreneurs, we urge you to preserve and strengthen the Digital Millennium Copyright Act safe harbors for Internet service providers,” the EFF writes.

“The DMCA safe harbors are key to keeping the Internet open to all. They allow anyone to launch a website, app, or other service without fear of crippling liability for copyright infringement by users.”

It is clear that pressure to introduce mandatory filtering is a concern to the EFF. Filters are blunt instruments that cannot fathom the intricacies of fair use and are liable to stifle free speech and stymie innovation, they argue.

“Major media and entertainment companies and their surrogates want Congress to replace today’s DMCA with a new law that would require websites and Internet services to use automated filtering to enforce copyrights.

“Systems like these, no matter how sophisticated, cannot accurately determine the copyright status of a work, nor whether a use is licensed, a fair use, or otherwise non-infringing. Simply put, automated filters censor lawful and important speech,” the EFF warns.

While its introduction was voluntary and doesn’t affect the company’s safe harbor protections, YouTube already has its own content filtering system in place.

ContentID is able to detect the nature of some content uploaded by users and give copyright holders a chance to remove or monetize it. The company says that the majority of copyright disputes are now handled by ContentID but the system is not perfect and mistakes are regularly flagged by users and mentioned in the media.

However, ContentID was also very expensive to implement so expecting smaller companies to deploy something similar on much more limited budgets could be a burden too far, the EFF warns.

“What’s more, even deeply flawed filters are prohibitively expensive for all but the largest Internet services. Requiring all websites to implement filtering would reinforce the market power wielded by today’s large Internet services and allow them to stifle competition. We urge you to preserve effective, usable DMCA safe harbors, and encourage Congress to do the same,” the EFF notes.

The same arguments, for and against, are currently raging in Europe where the EU Commission proposed mandatory upload filtering in 2016. Since then, opposition to the proposals has been fierce, with warnings of potential human rights breaches and conflicts with existing copyright law.

Back in the US, there are additional requirements for a provider to qualify for safe harbor, including having a named designated agent tasked with receiving copyright infringement notifications. This person’s name must be listed on a platform’s website and submitted to the US Copyright Office, which maintains a centralized online directory of designated agents’ contact information.

Under new rules, agents must be re-registered with the Copyright Office every three years, despite that not being a requirement under the DMCA. The EFF is concerned that by simply failing to re-register an agent, an otherwise responsible website could lose its safe harbor protections, even if the agent’s details have remained the same.

“We’re concerned that the new requirement will particularly disadvantage small and nonprofit websites. We ask you to reconsider this rule,” the EFF concludes.

The EFF’s letter to the Copyright Office can be found here.

Source: TF, for the latest info on copyright, file-sharing, torrent sites and more. We also have VPN discounts, offers and coupons

Jailed Streaming Site Operator Hit With Fresh $3m Damages Lawsuit

Post Syndicated from Andy original https://torrentfreak.com/jailed-streaming-site-operator-hit-with-fresh-3m-damages-lawsuit-180207/

After being founded more than half a decade ago, Swefilmer grew to become Sweden’s most popular movie and TV show streaming site. It was only a question of time before authorities stepped in to bring the show to an end.

In 2015, a Swedish operator of the site in his early twenties was raided by local police. A second man, Turkish and in his late twenties, was later arrested in Germany.

The pair, who hadn’t met in person, appeared before the Varberg District Court in January 2017, accused of making more than $1.5m from their activities between November 2013 and June 2015.

The prosecutor described Swefilmer as “organized crime”, painting the then 26-year-old as the main brains behind the site and the 23-year-old as playing a much smaller role. The former was said to have led a luxury lifestyle after benefiting from $1.5m in advertising revenue.

The sentences eventually handed down matched the defendants’ alleged level of participation. While the younger man received probation and community service, the Turk was sentenced to serve three years in prison and ordered to forfeit $1.59m.

Very quickly it became clear there would be an appeal, with plaintiffs represented by anti-piracy outfit RightsAlliance complaining that their 10m krona ($1.25m) claim for damages over the unlawful distribution of local movie Johan Falk: Kodnamn: Lisa had been ruled out by the Court.

With the appeal hearing now just a couple of weeks away, Swedish outlet Breakit is reporting that media giant Bonnier Broadcasting has launched an action of its own against the now 27-year-old former operator of Swefilmer.

According to the publication, Bonnier’s pay-TV company C More, which distributes for Fox, MGM, Paramount, Universal, Sony and Warner, is set to demand around 24m krona ($3.01m) via anti-piracy outfit RightsAlliance.

“This is about organized crime and grossly criminal individuals who earned huge sums on our and others’ content. We want to take every opportunity to take advantage of our rights,” says Johan Gustafsson, Head of Corporate Communications at Bonnier Broadcasting.

C More reportedly filed its lawsuit at the Stockholm District Court on January 30, 2018. At its core are four local movies said to have been uploaded and made available via Swefilmer.

“C More would probably never even have granted a license to [the operator] to make or allow others to make the films available to the public in a similar way as [the operator] did, but if that had happened, the fee would not be less than 5,000,000 krona ($628,350) per film or a total of 20,000,000 krona ($2,513,400),” C More’s claim reads.

Speaking with Breakit, lawyer Ansgar Firsching said he couldn’t say much about C More’s claims against his client.

“I am very surprised that two weeks before the main hearing [C More] comes in with this requirement. If you open another front, we have two trials that are partly about the same thing,” he said.

Firsching said he couldn’t elaborate at this stage but expects his client to deny the claim for damages. C More sees things differently.

“Many people live under the illusion that sites like Swefilmer are driven by idealistic teens in their parents’ basements, which is completely wrong. This is about organized crime where our content is used to generate millions and millions in revenue,” the company notes.

The appeal in the main case is set to go ahead February 20th.


Russia Blocks 500 ‘Pirate’ Sites in Four Months, Without a Single Court Order

Post Syndicated from Andy original https://torrentfreak.com/russia-blocks-500-pirate-sites-in-four-months-without-a-single-court-order-180204/

Once the legal process for blocking pirate sites has been accepted in a region, it usually follows that dozens if not hundreds of other sites are given the same treatment. Rightsholders simply point to earlier decisions and apply for new blockades under established law.

Very quickly, however, it became clear that when a domain is blocked it’s relatively easy to produce a clone or ‘mirror’ of a site to achieve the same purpose, thus circumventing a court order. This mirror site whac-a-mole was addressed in Russia last year with new legislation.

Starting October 1, 2017, Russian authorities allowed rightsholders to add mirror sites to the country’s national blocklist without having to return to court. Perhaps unsurprisingly, given the relative convenience and cost-efficiency, they have been doing that en masse.

According to Alexei Volin, Russia’s Deputy Minister of Communications and Mass Media, hundreds of mirrors of pirate sites have been blocked since the introduction of the legislation in October, affecting an audience of millions of people.

“For the past few months, we have been able to block mirrors of pirate sites. As of today, we can already note that about 500 sites are blocked as mirrors,” said Volin at the CSTB 2018 television and telecommunications expo in Moscow.

While rightsholders were expected to quickly take advantage of the change in the law, the speed at which they have done so is unprecedented. According to Volin, more pirate platforms have been blocked in the four months since October 1, 2017, than in the previous two years’ worth of judicial decisions.

“Colleagues from the industry recently found a general audience of blocked sites, it’s about 200 million people,” Volin said, while describing the results as “encouraging.”

The process is indeed quite straightforward. Following a request from a rightsholder, the Ministry of Communications decides whether the site being reported is actually a copy of a previously blocked pirate site. If it is, the owner of the site and telecoms regulator Roskomnadzor are informed about the situation, while local ISPs are ordered to begin blocking the site.


Weekly roundup: Anise’s very own video game

Post Syndicated from Eevee original https://eev.ee/dev/2018/01/01/weekly-roundup-anises-very-own-video-game/

Happy new year! 🎆

In an unprecedented move, I did one thing for an entire calendar week. I say “unprecedented” but I guess the same thing happened with fox flux. And NEON PHASE. Hmm. Sensing a pattern. See if you can guess what the one thing was!

  • anise!!: Wow! It’s Anise! The game has come so far that I can’t even believe that any of this was a recent change. I made monster AI vastly more sensible, added a boatload of mechanics, fleshed out more than half the map (and sketched out the rest), and drew and implemented most of a menu with a number of excellent goodies. Also, FINALLY (after a full year of daydreaming about it), eliminated the terrible “clock” structure I invented for collision detection, as well as cut down on a huge source of completely pointless allocations, which sped physics up in general by at least 10% and cut GC churn significantly. Hooray! And I’ve done even more just in the last day and a half. Still a good bit of work left, but this game is gonna be fantastic.

  • art: Oh right I tried drawing a picture but I didn’t like it so I stopped.

I have some writing to catch up on — I have several things 80% written, but had to stop because I was just starting to get a cold and couldn’t even tell if my own writing was sensible any more. And then I had to work on a video game about my cat. Sorry. Actually, not sorry, video games about my cat are always top priority. You knew what you were signing up for.

Five ‘Fantastic’ Piracy Predictions for 2018

Post Syndicated from Ernesto original https://torrentfreak.com/five-fantastic-piracy-predictions-for-2018-180101/

On January 1, the TF newsroom often wonders what copyright and piracy news the new year will have in store.

Today we want to give our readers some insight into some of the things that crossed our minds.

Granted, predicting the future isn’t an easy task, but the ‘fantastic’ forecasts below give plenty of food for thought and discussion.

Power Cord Manufacturer Held Liable for Streaming Piracy

Hollywood’s concerns over pirate streaming boxes will reach unprecedented levels this year. After successful cases against box sellers and add-on developers, the major movie studios will take aim at the hardware.

A Chinese power cord manufacturer, believed to be linked to more than half of all the streaming boxes sold throughout the world, will be taken to court.

The movie studios argue that the power-cords are essential to make pirate streaming boxes work. They are therefore liable for contributory copyright infringement and should pay for the billions in losses they are partly responsible for.

Pirate Sites Launch ‘The Pirate Coin’

In 2017 The Pirate Bay added a cryptocoin miner to its website, an example many other pirate sites followed. In the new year, there will be another cryptocurrency innovation that will have an even more profound effect.

After Google Chrome adds its default ad-blocker to the Chrome browser, a coalition of torrent sites will release The Pirate Coin.

With this new cryptocurrency, users can buy all sorts of perks and features on their favorite download and streaming portals. From priority HD streaming, through personalized RSS feeds, to VIP access – Pirate Coins can pay for it all.

The new coin will see mass adoption within a few months and provide a stable income for pirate sites, which no longer see the need for traditional ads.

YouTube Music Label Signs First Artists

For years on end, the major music labels have complained bitterly about YouTube. While the video service earned them millions, they demanded better deals and less piracy.

In 2018, YouTube will run out of patience. The video streaming platform will launch a counter-attack and start its own record label. With a talent pool of millions of aspiring artists among its users, paired with the right algorithms, they are a force to be reckoned with.

After signing the first artists, YouTube will scold the other labels for not giving their musicians the best deals.

Comcast Introduces Torrent Pro Subscription

While there’s still a lot of public outrage against the net neutrality repeal in 2018, torrent users are no longer complaining. After the changes are approved by Congress, Comcast will announce its first non-neutral Internet package.

The Torrent Pro (®) package will allow subscribers to share files via BitTorrent in an optimized network environment.

Their traffic will be routed over separate lanes with optimal connections to India, while minimizing interference from regular Internet users.

The new package comes with a free VPN, of course, to ensure that all transfers take place in a fully encrypted setting without having to worry about false notifications from outsiders.

Pirate Bay Goes All-in on Streaming

The Pirate Bay turns 15 years old in 2018, which is an unprecedented achievement. While the site’s appearance hasn’t changed much since the mid-2000s, under the hood it has changed quite a bit.

The resource-intensive tracker was removed from the site years ago, for example, and shortly after, the .torrent files followed. This made The Pirate Bay more ‘portable’ and easier to operate, the argument was.

In 2018 The Pirate Bay will take things even further. Realizing that torrents are no longer as modern as they once were, TPB will make the switch to streaming, at least for video.

While the site has experimented with streaming browser add-ons in the past, it will implement WebTorrent streaming support in the new year. This means users can stream high-quality videos directly from the TPB website.

The new streaming feature will be released together with an overhaul of the search engine and site navigation, allowing users to follow TV-shows more easily, and see what’s new at a glimpse.

Happy 2018!

Don’t believe in any of the above? Look how accurate we were last year! Don’t forget the salt…


Supporting Conservancy Makes a Difference

Post Syndicated from Bradley M. Kuhn original http://ebb.org/bkuhn/blog/2017/12/31/donate-conservancy.html

Earlier this year, in February, I wrote a blog post encouraging people to donate to where I work, Software Freedom Conservancy. I’ve not otherwise blogged too much this year. It’s been a rough year for many reasons, and while I personally and Conservancy in general have accomplished some very important work this year, I’m reminded as always that more resources do make things easier.

I understand the urge, given how bad the larger political crises have gotten, to want to give to charities other than those related to software freedom. There are important causes out there that have become more urgent this year. Here are three issues which have become shockingly more acute this year:

  • making sure the USA keeps its commitment to immigrants to allow them to make a new life here just like my own ancestors did,
  • assuring that the great national nature reserves are maintained and left pristine for generations to come,
  • assuring that we have zero tolerance for abusive behavior — particularly by those in power against people who come to them for help and job opportunities.

These are just three of the many issues this year that I’ve seen get worse, not better. I am glad that I know and support people who work on these issues, and I urge everyone to work on these issues, too.

Nevertheless, as I plan my primary donations this year, I’m again, as I always do, giving to the FSF and my own employer, Software Freedom Conservancy. The reason is simple: software freedom is still an essential cause and it is frankly one that most people don’t understand (yet). I wrote almost two years ago about the phenomenon I dubbed Kuhn’s Paradox. Simply put: it keeps getting more and more difficult to avoid proprietary software in a normal day’s tasks, even while the number of lines of code licensed freely gets larger every day.

As long as that paradox remains true, I see software freedom as urgent. I know that we’re losing ground on so many other causes, too. But those of you who read my blog are some of the few people in the world that understand that software freedom is under threat and needs the urgent work that the very few software-freedom-related organizations, like the FSF and Software Freedom Conservancy, are doing. I hope you’ll donate now to both of them. For my part, I gave $120 myself to FSF as part of the monthly Associate Membership program, and in a few minutes, I’m going to give $400 to Conservancy. I’ll be frank: if you work in technology in an industrialized country, I’m quite sure you can afford that level of money, and I suspect those amounts are less than most of you spent on technology equipment and/or network connectivity charges this year. Make a difference for us and give to the cause of software freedom at least as much as you’re giving to large technology companies.

Finally, a good reason to give to smaller charities like FSF and Conservancy is that your donation makes a bigger difference. I do think bigger organizations, such as (to pick an example of an organization I used to give to) my local NPR station, do important work. However, I was listening this week to my local NPR station, and they said their goal for that day was to raise $50,000. For Conservancy, that’s closer to a goal we have for an entire fundraising season, which for this year was $75,000. The thing is: NPR is an important part of USA society, but it’s one that nearly everyone understands. So few people understand the threats looming from proprietary software, and they may not understand at all until it’s too late — when all their devices are locked down, DRM is fully ubiquitous, and no one is allowed to tinker with the software on their devices and learn the wonderful art of computer programming. We are at real risk of reaching that dystopia before 90% of the world’s population understands the threat!

Thus, giving to organizations in the area of software freedom is just going to have a bigger and more immediate impact than more general causes that more easily connect with people. You’re giving to prevent a future that not everyone understands yet, and making an impact on our work to help explain the dangers to the larger population.

TorrentFreak’s 17 Most Read Articles of 2017

Post Syndicated from Ernesto original https://torrentfreak.com/torrentfreaks-17-most-read-articles-of-2017-171231/

Every year we write roughly 900 articles here at TorrentFreak, and some are more popular than others.

On the brink of 2018, we look back at 2017 by going over the 17 most read news items of the year.

The ExtraTorrent shutdown was a clear eye catcher. Not only was it the most read article, there are also two related news items in the list.

All in all, it was quite a controversial year once again. Website and domain issues tend to be popular items, as the full list shows, as are the inevitable Game of Thrones mentions.

But what will 2018 bring?

1. ExtraTorrent Shuts Down For Good

Popular torrent site ExtraTorrent shut down in May. The abrupt decision was announced in a brief message posted on the site’s homepage and came as a complete surprise to many friends and foes.

2. Pirate Streaming Site 123Movies Rebrands as GoMovies

Pirate movie streaming site 123movies renamed itself to GoMovies for a fresh start last March. With the brand change and a new domain name, the popular site hoped to set itself apart from the many fake sites. Interestingly, the site has recently moved back to the old 123movies brand again.

3. Game of Thrones Episode “S07E06” Leaks Online Early

The sixth episode of the last Game of Thrones season leaked online early in August. Soon after, it was widely shared on various streaming and download portals. The leak turned out to be the result of an error at HBO Spain.

4. ExtraTorrent’s Main Domain Name Shut Down By Registrar

Prior to its shutdown, ExtraTorrent lost control of its main domain Extratorrent.cc. The domain name was disconnected by the registrar, presumably after a copyright holder complaint.

5. ‘Putlocker’ Loses Domain Name Following Court Order

Putlockers.ch lost its domain name in February. The site’s registrar EuroDNS was ordered to suspend the domain name following a decision from a Luxembourg court, in favor of an entertainment industry group.

6. ExtraTorrent’s Distribution Groups ettv and EtHD Keep Going

ExtraTorrent shut down, but several popular release groups that originated on the site kept the name alive. Later in the year, ettv and EtHD launched their own website which is slowly gaining traction.

7. Anime Torrent Site NYAA Goes Down After Domain Name Deactivation

Popular anime torrent site NYAA lost control over several of its domain names last Spring. Several people later pointed out that NYAA’s owner decided to close the site voluntarily.

8. Popular Kodi Addon ‘Exodus’ Turned Users into a DDoS ‘Botnet’

Users of the popular Kodi addon Exodus became unwittingly part of a DDoS attack in February. After the issue raised eyebrows in the community, the Exodus developer rolled back the malicious code and retired.

9. Porn Pirate Sites Use ‘Backdoor’ to Host Videos on YouTube

Last January adult streaming sites were found to use Google’s servers to store infringing material at no cost. While streaming sites have exploited Google’s servers for a long time, the issue hit the mainstream news this year.

10. The Pirate Bay’s .SE Domain is Back in Action

The Pirate Bay’s .SE domain name sprang back into action in October, after it was deactivated. A few months later, the Supreme Court decided that it should be handed over to the authorities. TPB, meanwhile, sails on, relying on its original .org domain.

11. Man Leaks New ‘Power’ Episodes Online, Records His Own Face

Last summer a man leaked several episodes of the smash-hit TV series Power. The episodes were ‘cammed’ using a phone, with the ‘cammer’ recording his own face for good measure.

12. Live Mayweather v McGregor Streams Will Thrive On Torrents Tonight

The Mayweather v McGregor fight last August was a streaming success, but not just on legal channels. While centralized streaming services had a hard time keeping up with the unprecedented demand, lesser known live streaming torrents thrived.

13. The Pirate Bay Website Runs a Cryptocurrency Miner

In September, The Pirate Bay decided to use the computer resources of its visitors to mine Monero coins. This resulted in a heated debate. Supporters saw it as a novel way to generate revenue and a potential to replace ads, while opponents went out of their way to block the mining script.

14. Hackers Leak Netflix’s Orange is The New Black Season 5

In April the hacking group “TheDarkOverlord” leaked a trove of unreleased TV shows and movies. The group uploaded several videos, including episodes of Netflix’s Orange is The New Black, which it obtained from a post-production studio.

15. Demonoid Returns After Two Months Downtime

After nearly two months of downtime, the semi-private BitTorrent tracker Demonoid resurfaced online in March. The site was pulled offline due to hosting problems and had to endure some internal struggles as well.

16. “We Won’t Block Pirate Bay,” Swedish Telecoms Giant Says

In February a landmark ruling compelled a Swedish ISP to block The Pirate Bay. Copyright holders hoped that other ISPs would follow suit but telecoms giant Telia said it had no intention of blocking The Pirate Bay, unless it’s forced to do so by law.

17. Former Vuze Developers Launch BiglyBT, a ‘New’ Open Source Torrent Client

In August two long-time developers of the Vuze BitTorrent client, formerly known as Azureus, launched BiglyBT. The client emerged at a time when Vuze development stalled. The developers promised to take the project forward while removing all advertising and other annoyances.


Privilege escalation via eBPF in Linux 4.9 and beyond

Post Syndicated from jake original https://lwn.net/Articles/742170/rss

Jann Horn has reported eight bugs in the eBPF verifier, one for the 4.9 kernel and seven introduced in 4.14, to the oss-security mailing list. Some of these bugs result in eBPF programs being able to read and write arbitrary kernel memory, and thus can be used for a variety of ill effects, including privilege escalation. As Ben Hutchings notes, one mitigation would be to disable unprivileged access to BPF using the following sysctl: kernel.unprivileged_bpf_disabled=1. More information can also be found in this Project Zero bug entry. The fixes are not yet in the mainline tree, but are in the netdev tree. Hutchings goes on to say: “There is a public exploit that uses several of these bugs to get root privileges. It doesn’t work as-is on stretch [Debian 9] with the Linux 4.9 kernel, but is easy to adapt. I recommend applying the above mitigation as soon as possible to all systems running Linux 4.4 or later.
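The sysctl mitigation Hutchings recommends, as an added example that is not part of the LWN item or of his post: a POSIX shell helper that reads kernel.unprivileged_bpf_disabled, interprets the value, reports whether the mitigation is in place, and (as root) applies and persists it. The function names and the sysctl.d drop-in path are my own assumptions. One caveat the page does not spell out: on these kernels writing 1 is one-way, so the setting cannot be undone without a reboot; the value 2 handled below was added by a much later kernel (5.15) and is not mentioned on the page.

```shell
#!/bin/sh
# Added example (not the LWN item's or Hutchings' code): audit and apply the
# kernel.unprivileged_bpf_disabled mitigation for the eBPF verifier bugs.
# Assumes a Linux host with sysctl(8); helper names and DROPIN are assumptions.

SYSCTL_FILE=/proc/sys/kernel/unprivileged_bpf_disabled
DROPIN=/etc/sysctl.d/99-disable-unpriv-bpf.conf   # assumed drop-in path

# Interpret a raw sysctl value. 0 and 1 are the values 4.x kernels know;
# 2 was added in later kernels (5.15) and means "disabled, but an
# administrator may switch it back to 0".
bpf_status() {
    case "$1" in
        0) echo "ENABLED: unprivileged processes can load eBPF programs, so verifier bugs are reachable" ;;
        1) echo "DISABLED (sticky): unprivileged bpf() is rejected and cannot be re-enabled until reboot" ;;
        2) echo "DISABLED (recoverable): unprivileged bpf() is rejected; can be reset to 0" ;;
        *) echo "UNKNOWN: unexpected value '$1'"; return 2 ;;
    esac
}

# Read the current value, optionally from an alternate file (used for testing).
# Prints "absent" and returns 1 when the kernel does not expose the knob.
read_bpf_setting() {
    f="${1:-$SYSCTL_FILE}"
    if [ -r "$f" ]; then
        tr -d '[:space:]' < "$f"
    else
        echo "absent"
        return 1
    fi
}

# Returns 0 when the mitigation is in place (value 1 or 2), 1 otherwise.
mitigation_applied() {
    case "$1" in
        1|2) return 0 ;;
        *)   return 1 ;;
    esac
}

# Apply the mitigation to the running kernel and persist it across reboots.
# Needs root. Writing 1 is one-way on these kernels, so call this deliberately.
apply_mitigation() {
    sysctl -w kernel.unprivileged_bpf_disabled=1 \
    && printf 'kernel.unprivileged_bpf_disabled = 1\n' > "$DROPIN"
}

# Report the live setting when run as a script. This part never fails, so the
# script can be dropped into a compliance or monitoring job as-is.
current=$(read_bpf_setting) || true
echo "kernel.unprivileged_bpf_disabled = $current"
bpf_status "$current" || true
if mitigation_applied "$current"; then
    echo "mitigation present"
else
    echo "mitigation missing: run apply_mitigation as root"
fi
```

Run it without arguments to audit a host; only `apply_mitigation` changes anything, and it needs root. Because value 1 is sticky, legitimate unprivileged eBPF users (some sandboxes and tracing tools) will keep failing until the next reboot, so check for those before rolling the setting out fleet-wide.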