Tag Archives: theft

Anti-Piracy Outfits Agree to Strengthen International Cooperation

Post Syndicated from Andy original https://torrentfreak.com/anti-piracy-outfits-agree-to-strengthen-international-cooperation-161022/

With the Internet and therefore online piracy having developed into a truly global phenomenon, anti-piracy groups everywhere are expanding their reach.

What was once a semi-isolated affair has become a multi-agency, cross-continent operation, with governments and rights holders alike striving to share information and pool resources.

An event this week illustrated where things are going, with representatives from around the world descending upon Brussels for a meeting hosted by the Motion Picture Association.

The International Roundtable, titled “Combating Internet Piracy: International Practice”, saw government officials from Europe and Russia join representatives from the United States and the UK to discuss cooperation against piracy.

The meeting (Photo via Роскомнадзор)


According to information released by Russian telecoms watchdog Roscomnadzor and translated by the MPA, those gathered agreed that a “lack of intellectual property protection causes significant economic damage to individual rights holders and the global economy.”

Of course, that message certainly isn’t new. Neither are mounting public claims by rights holders that Internet users are being put at risk through their visits to unauthorized sites.

Those assembled agreed that consumers are negatively impacted from enjoying entertainment in a safe environment since pirate sites “are a fertile ground for identity theft, viruses, malware or spyware.”

As mentioned earlier, anti-piracy groups and initiatives of all kinds now understand that collaboration is part of the way forward, whether that’s sharing information or working towards tougher legal frameworks.

“In particular, participants acknowledged the need to strengthen international cooperation in the fight against IPR violations on the Internet and to continue sharing experiences in improving legislation, and law enforcement practice in combating copyright infringement in the digital environment in the EU, Russian Federation, and USA,” a summary of the meeting reads.

Those at the meeting included representatives from the US “six-strikes” Copyright Alert System and the UK’s GetitRight campaign. Details are fairly scarce, but these groups are likely to have shared data on how educational messages affect the behaviors of Internet pirates and how voluntary agreements with industry players such as ISPs can become part of the anti-piracy package.

Another item on the agenda was the role that search engines and user-generated content companies play when it comes to fighting online piracy. While Russia has its own issues with services like Yandex, for the US and Europe the focus is very much on Google and sites such as YouTube.

Service provider liability and related legislative initiatives will continue to be hot topics in the months and years ahead. This is particularly true of the United States, where the safe harbor provisions of the DMCA are under scrutiny alongside a controversial debate on the so-called ‘value gap‘ claimed to be present on YouTube.

Source: TF, for the latest info on copyright, file-sharing, torrent sites and ANONYMOUS VPN services.

UK Movie Pirates Lose Appeal, Prison Time Stands

Post Syndicated from Ernesto original https://torrentfreak.com/uk-movie-pirates-lose-appeal-prison-time-stands-161020/

piratkeybEarly 2013, five UK men were arrested for their alleged involvement in several interrelated movie release groups including RemixHD, 26K, UNiQUE, DTRG and HOPE/RESISTANCE.

The groups were responsible for distributing no less than 9,000 copyright infringing movies on popular torrent sites, including ExtraTorrent.

These releases generated five million unauthorized ‘views’ and a million pounds in lost revenue, according to a calculation from UK’s Federation Against Copyright Theft, which was actively involved in the case.

All the men opted to plead guilty and late last year Wolverhampton Crown Court handed down sentences adding up to 17 years of jail time.

Sahil Rafiq and Reece Baker received the toughest sentences, four-and-a-half years and four years and two months, respectively. The pair appealed the decision in court this week, but without the desired result.

Defense lawyers argued that a reduced sentence would be appropriate as the men didn’t profit from the widespread copyright infringement. However, the Court of Appeal rejected this argument and denied the appeal.

“Whilst we accept that the sentences passed on these two young men were stiff, we are unpersuaded that they were manifestly excessive,” Mr Justice Hickinbottom said, quoted by Express & Star.

This means that Sahil Rafiq, who was accused of uploading more than 880 movies and causing 1.5 million illegal downloads as founder of 26K, will have to sit out his four-and-a-half year sentence.

Reece Baker, a member of DTRG and the founder of HOPE/RESISTANCE, has to serve four years and two months. He was said to have triggered more than 226,000 illegal downloads and aggravated his circumstances by continuing to upload movies while he was on bail.

The three other men haven’t appealed their sentences, as far as we know.

Graeme Reid, founder of ‘RemixHD,’ was jailed for three years and six months and ANALOG and TCM founder Ben Cooper received the same sentence. Scott Hemming, who uploaded some 800 movies, received a two-year suspended sentence.

Due to the distributed nature of BitTorrent, many of the movies the men released online are still being shared on public torrent sites, and perhaps will still be long after they’ve served their sentences.

Additional background and information is available in our previous in -depth coverage on these cases, here and here.

Source: TF, for the latest info on copyright, file-sharing, torrent sites and ANONYMOUS VPN services.

Lawmakers Warned That 10 Year Sentences Could Apply to File-Sharers

Post Syndicated from Andy original https://torrentfreak.com/lawmakers-warned-that-10-year-sentences-could-apply-to-file-sharers-161016/

Under current UK legislation, pirates of physical media such as CDs and DVDs can be jailed for up to 10 years. On the other hand, those committing similar offenses online can be jailed for ‘only’ two years.

This has led to anti-piracy groups such as the Federation Against Copyright Theft choosing to pursue their own private prosecutions under the Fraud Act, which allows for much tougher sentences.

In an effort to fix this disparity, earlier this year a new draft of the Digital Economy Bill contained plans to extend the current ‘online’ prison term from two to ten years. The relevant section amends the Copyright, Designs and Patents Act 1988, and simply replaces the word two with ten.

On its way to becoming law, the Bill has been progressing through various stages in the House of Commons. This week, however, concerns were raised over the precise wording of the amendments. The image below shows how they currently stand.


Despite assurances from MPs that 10-year sentences are directed at large-scale commercial pirates, the text above does not clearly reflect that goal. In fact, just about any online infringer could be swept up in its net, a point not lost on Jim Killock, executive director of the Open Rights Group (ORG), who this week appeared before MPs.

In an exchange with Nigel Adams MP in the Commons, Killock said that ORG is concerned that ordinary members of the public could be affected by the amendments.

“We are worried about the impact of this on people who should not be criminalized and who we thought the Government were not trying to criminalize in this case,” Killock said.

“Our position is that if the Government are going to extend the sentence and have the same sentence online as offline for criminal copyright infringement — that is to say, 10 years — then they need to be very careful about how the lines are drawn, because the offenses are quite different.”

Killock said that offline criminal copyright infringement is all about criminal gangs duplicating things like DVDs, but online things are harder to define because everything looks like the same act – publication.

“You put something on the internet, it is a publication. So how do you tell who is the criminal and who is the slightly idiotic teenager, or whatever it happens to be? How do you make sure that people who should not be threatened with copyright criminal sentences are not given those threats?” Killock asked the MP.

To illustrate his point, Killock spoke about the current state of copyright trolling in the UK by companies such as Golden Eye International.

“They have no specific knowledge that these people are actually the people doing the downloading, all they know is that somebody appears to have downloaded,” Killock said.

At this point Adams interrupted, stating that there’s no intent for the new legislation to affect regular file-sharers.

“The idea of the Bill is not to go after people who are downloading content, it is purely for those who are uploading content for commercial gain. That is the whole purpose,” Adams said.

“Unfortunately, that is not how the language of the offense reads,” Killock responded.

“The test in the offense is that somebody is ‘causing a loss’, which is defined as not paying a licence fee, or is ‘causing the risk of loss’, about which your guess is as good as mine, but it is essentially the same as making available, because if you have made something available and somebody else can then make a copy, and then infringe copyright further and avoid further licence fees, basically that is a criminal act,” the ORG chief explained.

“So file sharers, whether they are small or large, all appear to be criminal copyright thieves. Similarly, people who are publishing things on websites without a license are also potentially criminalized. Those things can be dealt with much better and more simply through civil courts and civil copyright action.”

So, to solve the problem of the legislation potentially targeting the wrong people, Killock suggested a tightening-up of the wording in the amendments.

“What we are calling for is either to get rid of those things which are attacking individuals and wrongly bringing individuals into scope, or to put thresholds of seriousness around the risk of loss and/or causing loss. Something like, ‘Serious risk of causing significant loss’ would be the way to deal with this. Similarly, ‘Causing serious loss’,” he said.

Even with this explanation, the MP didn’t appear to understand.

“If you are knowingly uploading creative content online for commercial gain, to my mind it does not matter whether it is 50 quid or 50,000 quid, you are knowingly stealing someone’s content,” Nigel Adams said.

“The commercial gain is not part of this offense. That is what I am saying,” said Killock.

“The offense is purely to cause loss — in other words, to not pay a license fee — or to cause risk of loss. There is no ‘commercial’ in it. So you have to put the threshold somewhere. You have an offense for the commercial activities and, separately, individuals who cause risk of loss or fail to pay a license fee.”

The Open Rights Group are to be commended for raising this issue in the House of Commons since as things stand, the wording of the legislation is wide open to abuse from aggressive rightsholders. Whether appropriate amendments will be introduced remains to be seen, but there is clearly a need to be more specific. If not, trouble could lie ahead.

Source: TF, for the latest info on copyright, file-sharing, torrent sites and ANONYMOUS VPN services.

Boxing Promoter Offers Cash Reward to Identify Pirate Streamer

Post Syndicated from Andy original https://torrentfreak.com/boxing-promoter-offers-cash-reward-to-identify-pirate-streamer-161015/

streamingkeyEvery day, content production companies and their anti-piracy partners take a keen interest in people posting their material online without permission.

They’re often able to use technical means to identify infringers, often relying on IP address, financial, and similar information. However, some also resort to chasing pirates in the physical realm.

This is the approach currently being taken by Duco Events, who are said to be recognized by the World Boxing Organization as the leading promoter in the Asia Pacific region. Duco partners with companies including ESPN, Fox Sports, MAIN EVENT, SKY Sports and SKY Arena, and it is tired of having its content pirated.

One of the biggest thorns in its side is New Zealander James Bryant. Earlier this year he informed NZ Herald that he intended to stream a Duco boxing event taking place in July. That led to a private investigator being sent to his parents’ Auckland house to serve court papers. He wasn’t there.

Bryant, who claims to be a web developer and SEO specialist, says that on a separate occasion another person emailed him looking for a computer repair. Suspicious, he gave a friend’s address, which led to an investigator sitting outside there all day. He eventually asked for Bryant by name.

“They’ve called me twice, and they told me that it’s getting serious now, that it was too big to go away,” Bryant said.

That was back in the summer and it appears that as promised, Duco haven’t forgotten about Bryant. However, they still haven’t managed to locate him.

“I have been on holiday for the last few months and they are not doing a very good job at finding me,” Bryant said last week.

“It doesn’t bother me one bit … as soon as they find me, I will make it my personal mission to stream every event.”

Bryant’s defiance was not well received, with Duco chief executive Martin Snedden rejected claims that chasing streamers is counter-productive.

“In our view it is out-and-out theft, and people are starting to get the message that the risk isn’t worth getting involved. We know we can’t eradicate this, but we’re getting better at running interference,” Snedden said.

Now it appears that Duco are turning up the heat. In a posting this week to the company’s Facebook page, the boxing promotions outfit sought assistance in finding the elusive Bryant.


But if Duco thought that this would prompt Bryant to give himself up, they were very wrong. Instead, the self-confessed streamer has started a fund-raiser with two aims. First, to raise money to fight Duco, and second, to set up a new streaming service.

“My mission is to raise money for the upcoming battle and also to raise funds which will be put into developing a dedicated website which will be hosted on an overseas server which will broadcast live events as they happen,” Bryant explains.

“I am currently setting up a site which will provide live streams of legal events such as music, sport and festivals. It will be hosted off shore in any event that the courts do not allow me access to a computer, I plan on hosting a wide range of different events.

“I believe that as New Zealanders we shouldn’t have to feed the pockets of the corporations to watch sports we care about. It’s time to stand up New Zealand!” he concludes.

Seconds away….round two.

Source: TF, for the latest info on copyright, file-sharing, torrent sites and ANONYMOUS VPN services.

New Anti-Piracy Unit Takes Over UK Anti-Camming Operations

Post Syndicated from Andy original https://torrentfreak.com/new-anti-piracy-unit-takes-over-uk-anti-camming-operations-161012/

cammer1According to the movie industry the most damaging form of piracy involves the distribution of films that are not yet released or are enjoying their first-run in theaters.

The claim makes some sense. Due to the business model employed by the studios, titles still in cinemas are usually not available for consumption elsewhere, meaning that it’s impossible to compete for that business.

As a result, much time and effort is expended trying to stop people recording (‘camming’) movies in theaters. In the United States it’s an extremely serious offense punishable by jail time, and over in the UK those who record and then upload to the Internet can receive the same treatment.

The job of catching these people has usually fallen to two UK bodies – The Federation Against Copyright Theft (FACT) and the Film Distributors’ Association (FDA). In the past, the FDA fully sponsored a dedicated FACT investigator with duties that included staff training and building relationships with the police. Now, however, things are on the move.

The FDA says it has launched a new anti-piracy unit. Titled the Film Content Protection Agency, it will take over the work previously carried out by FACT. According to Screen Daily, several of FACT’s theatrical experts will be rolled into the new unit.

Back in May, it was announced that Hollywood will withdraw its funding for FACT, ending a 30-year relationship and depriving the anti-piracy group of 50% of its budget. Now it appears that the Motion Picture Association has thrown its support behind the FDA’s new unit instead.

“Cinema security is a key priority for the industry and the MPA welcomes this important step by FDA,” said Stan McCoy, MPA president and managing director for EMEA.

“We will work closely with the new unit to analyze threats and offer practical support as it fulfils its UK-wide remit on behalf of film distributors and other partners.”

According to the UK’s Companies House, the Film Content Protection Agency was formed as a limited company during the summer, registered to the FDA’s Kingly Street address in London.

At the time of incorporation, the FCPA had a single director, 85-year-old Barbara Kahan, who remained in the role for a whole day and then resigned. Kahan is rather active for an octagenarian. According to the government, she’s held posts in more than 18,000 companies.

It’s possible that Kahan set up the new anti-piracy company and then resigned, but that left FCPA without any directors or people with significant control. What’s also problematic is the state of the new website set up to promote the new anti-piracy group.

Currently it’s completely non-functional, having gone down sometime in the past couple of days. However, when the site was up it was providing information on the unit and detailing its goals. While most of the claims seemed fairly accurate, one particular section caught our eye.

Titled “It’s the Law”, the section stated that “The penalty for online copyright theft is up to a maximum of 10 years’ imprisonment and/or an unlimited fine – in line with the theft of physical goods.”

Search snapshot of the currently-down site


While all anti-piracy outfits hope this will indeed become true in the months to come, the above statement is certainly not accurate under current UK law.

Ignoring the deliberate replacement of ‘infringement’ with ‘theft’ (which is not helpful when advising the public about legal matters), the current maximum prison sentence in the UK for online infringement is two years.

Amendments to boost punishments are indeed underway as part of the Digital Economy Bill but they still in progress in the House of Commons and are many stages away from being written into law.

Only time will tell how the new anti-piracy unit will manifest itself but it seems likely that it will maintain the same pressure applied for years by FACT, but under a new banner.

FDA President Lord Puttnam welcomed the creation of the new unit.

“I’m delighted this new unit is up and running,” said FDA President Lord Puttnam.

“It’s an important addition to the distributors’ armoury in safeguarding theatrical releases and enabling UK audiences to enjoy films to their maximum effect in legitimate formats.”

Source: TF, for the latest info on copyright, file-sharing, torrent sites and ANONYMOUS VPN services.

Pirate Site Operators Are Like Heroin Dealers, Movie Boss Says

Post Syndicated from Andy original https://torrentfreak.com/pirate-site-operators-like-heroin-dealers-movie-boss-says-161010/

shadowGraham Burke can be accused of many things but moderating his words is certainly not one of them.

The outspoken co-chief of media company Village Roadshow has been front and center of many of Australia’s movie piracy battles and has authored some of their most controversial comments.

Speaking at the 71st Australian International Movie Convention today, Burke continued the trend. He launched a fresh attack on Internet piracy, accusing pirate site operators of terrible crimes and site users of undermining the livelihoods of creators.

“Nothing is more important or urgent, as every day that passes tens of thousands of our movies are stolen and it is a devastating contagious plague,” a copy of Burke’s speech obtained by The Australian (subscription) reads.

According to the Village Roadshow chief, the main problem is the sites that facilitate this “theft”, which are not only extremely dangerous places to visit but are run by equally dangerous people.

“We are sending our kids to very dangerous online neighborhoods — the pirates are not good guys,” Burke said.

“These aren’t roguish, basement-dwelling computer geeks — these are the same type of people that sell heroin.”

Describing pirate site operators as often having connections to “organised, international crime syndicates”, Burke warned that they only care about revenue, making “tens of millions blitzing our kids with [high-risk] advertising.”

Interestingly, Burke said that nearly three-quarters of people acknowledge that piracy is theft but noted that many downloaders are unaware that what they are doing is “wrong” because government inaction means that “dangerous” pirate sites are still open for business.

“In our research we repeatedly come across people who have not been told [piracy is wrong and is theft], and assume from continued practice, that it is socially and legally acceptable, and that it does no harm or that their individual activity won’t make any difference,” he said.

“People wouldn’t go into a 7-Eleven and swipe a Mars bar. People are fundamentally honest and fundamentally decent.”

But with site-blocking and making more content legally available only part of the solution, the Village Roadshow chief says his company has decided that taking action against the public is now required. Repeat infringers, Burke says, will now be subjected to legal action.

“We are planning to pursue our legal rights to protect our copyright by suing repeat infringers — not for a king’s ransom but akin to the penalty for parking a car in a loading zone,” ABC reports.

“If the price of an act of thievery is set at say AUS$300 (US$228), we believe most people will think twice.”

While it’s too early to estimate exactly how many Aussie pirates might be caught up in the dragnet, it’s fair to say the numbers could be considerable. Mad Max: Fury Road, a Village Roadshow produced movie, is said to have been illegally downloaded 3.5 million times. Australia has a population of around 23.5 million.

However, the age group of people said to be carrying out much of the pirating presents a problem. Burke says that piracy among adults has dropped in the past year due to the availability of services such as Netflix. However, the growing threat appears to come from a much younger age group.

“There has been some decline in piracy amongst Australian adults in the last year and part of this is due to new streaming services … which demonstrates that when product is legally available, this is a critical factor,” Burke said.

“However, before we get too comfortable by this decline in total piracy, the emphasis on movies is worse and illegal online activity of 12 to 17-year-old Australians has almost doubled since last year — with a whopping 31 per cent pirating movies.”

And there lies the dilemma. While Burke thinks that fines might be the answer to further reducing piracy among the adult population, he’s going to have a crisis on his hands if he starts targeting his big problem group – children. Kids can be sued in Australia but that sounds like a horrible proposition that will only undermine the campaign’s goals.

Whoever his company ‘fines’ or goes on to sue, Burke says the money accrued will go back into education campaigns to further reduce piracy. It’s a model previously employed by the RIAA, who eventually abandoned the strategy.

Source: TF, for the latest info on copyright, file-sharing, torrent sites and ANONYMOUS VPN services.

Yahoo Scanned Everyone’s E-mails for the NSA

Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2016/10/yahoo_scanned_e.html

News here and here.

Other companies have been quick to deny that they did the same thing, but I generally don’t believe those carefully worded statements about what they have and haven’t done. We do know that the NSA uses bribery, coercion, threat, legal compulsion, and outright theft to get what they want. We just don’t know which one they use in which case.

EDITED TO ADD (10/7): More news. This and this, too.

Man Who Leaked The Revenant Online Fined $1.1m

Post Syndicated from Andy original https://torrentfreak.com/man-leaked-revenant-online-fined-1-1m-160930/

revenantIn December 2015, many so-called ‘screener’ copies of the latest movies leaked online. Among them a near perfect copy of Alejandro G. Iñárritu’s ‘The Revenant’.

Starring Leonardo DiCaprio and slated for a Christmas day release, in a matter of hours the tale vengeance clocked up tens of thousands of illegal downloads.

With such a high-profile leak, it was inevitable that the authorities would attempt to track down the individual responsible. It didn’t take them long.

Following an FBI investigation, former studio worker William Kyle Morarity was discovered as the culprit. Known online by the username “clutchit,” the 31-year-old had uploaded The Revenant and The Peanuts Movie to private torrent tracker Pass The Popcorn.

The Revenant


Uploading a copyrighted work being prepared for commercial distribution is a felony that carries a maximum penalty of three years in prison, so his sentencing always had the potential to be punishing for the Lancaster man, despite his early guilty plea.

This week Morarity was sentenced in federal court for criminal copyright infringement after admitting screener copies of both movies to the Internet.

After being posted online six days in advance of its theatrical release, it was estimated that The Revenant was downloaded at least a million times during a six week period, costing Twentieth Century Fox Film Corporation to suffer losses of “well over $1 million.”

United States District Court Judge Stephen V. Wilson ordered Morarity to pay $1.12 million in restitution to Twentieth Century Fox. He also sentenced the 31-year-old to eight months’ home detention and 24 months’ probation.

According to court documents, Morarity obtained the screeners and copied them to a portable hard drive. He then uploaded the movies to Pass The Popcorn on December 17 and December 19.

“The film industry creates thousands of jobs in Southern California,” said United States Attorney Eileen M. Decker commenting on the sentencing.

“The defendant’s illegal conduct caused significant harm to the victim movie studio. The fact that the defendant stole these films while working on the lot of a movie studio makes his crime more egregious.”

Deirdre Fike, the Assistant Director in Charge of the FBI’s Los Angeles Field Office, said that Morarity had abused his position of trust to obtain copies of the movies and then used them in a way that caused Fox to incur huge losses.

“The theft of intellectual property – in this case, major motion pictures – discourages creative incentive and affects the average American making ends meet in the entertainment industry,” Fike said.

As part of his punishment, Morarity also agreed to assist the FBI to produce a public service announcement aimed at educating the public about the harms of copyright infringement and the illegal uploading of movies to the Internet.

Source: TF, for the latest info on copyright, file-sharing, torrent sites and ANONYMOUS VPN services.

The Cost of Cyberattacks Is Less than You Might Think

Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2016/09/the_cost_of_cyb.html

Interesting research from Sasha Romanosky at RAND:

Abstract: In 2013, the US President signed an executive order designed to help secure the nation’s critical infrastructure from cyberattacks. As part of that order, he directed the National Institute for Standards and Technology (NIST) to develop a framework that would become an authoritative source for information security best practices. Because adoption of the framework is voluntary, it faces the challenge of incentivizing firms to follow along. Will frameworks such as that proposed by NIST really induce firms to adopt better security controls? And if not, why? This research seeks to examine the composition and costs of cyber events, and attempts to address whether or not there exist incentives for firms to improve their security practices and reduce the risk of attack. Specifically, we examine a sample of over 12 000 cyber events that include data breaches, security incidents, privacy violations, and phishing crimes. First, we analyze the characteristics of these breaches (such as causes and types of information compromised). We then examine the breach and litigation rate, by industry, and identify the industries that incur the greatest costs from cyber events. We then compare these costs to bad debts and fraud within other industries. The findings suggest that public concerns regarding the increasing rates of breaches and legal actions may be excessive compared to the relatively modest financial impact to firms that suffer these events. Public concerns regarding the increasing rates of breaches and legal actions, conflict, however, with our findings that show a much smaller financial impact to firms that suffer these events. Specifically, we find that the cost of a typical cyber incident in our sample is less than $200 000 (about the same as the firm’s annual IT security budget), and that this represents only 0.4% of their estimated annual revenues.

The result is that it often makes business sense to underspend on cybersecurity and just pay the costs of breaches:

Romanosky analyzed 12,000 incident reports and found that typically they only account for 0.4 per cent of a company’s annual revenues. That compares to billing fraud, which averages at 5 per cent, or retail shrinkage (ie, shoplifting and insider theft), which accounts for 1.3 per cent of revenues.

As for reputational damage, Romanosky found that it was almost impossible to quantify. He spoke to many executives and none of them could give a reliable metric for how to measure the PR cost of a public failure of IT security systems.

He also noted that the effects of a data incident typically don’t have many ramifications on the stock price of a company in the long term. Under the circumstances, it doesn’t make a lot of sense to invest too much in cyber security.

What’s being left out of these costs are the externalities. Yes, the costs to a company of a cyberattack are low to them, but there are often substantial additional costs borne by other people. The way to look at this is not to conclude that cybersecurity isn’t really a problem, but instead that there is a significant market failure that governments need to address.

UK IP Crime Report 2016 Reveals IPTV/Kodi Piracy as Growing Threat

Post Syndicated from Andy original https://torrentfreak.com/uk-ip-crime-report-2016-reveals-iptvkodi-piracy-as-growing-threat-160929/

For more than a decade the IP Crime Group and the Intellectual Property Office have collaborated to produce an assessment of the level of IP crime in the UK. Their annual IP Crime Report details the responses of businesses, anti-piracy groups, and government agencies.

As usual, this year’s report covers all areas of IP crime, both in the physical realm and online. However, it is the latter area that appears to be causing the most concern to participating anti-piracy groups.

“Perhaps the area where IP crime statistics most often reach jaw-dropping levels is in relation to the industries providing digital content,” the report reads.

“During a sample three-month period last year, 28% of those questioned admitted their music downloads in the UK came from illegal sources. Similarly, 23% of films, 22% of software, 16% of TV and 15% of games were downloaded in breach of copyright.”

While noting that illicit music downloads have actually reduced in recent years, the report highlights areas that aren’t doing so well, TV show consumption for example.

“The reasons for the spike in TV copyright infringement appear to be, in part, technological, with ‘unofficial services’ such as uTorrent, BitTorrent, TV catch up apps and established sources such as YouTube offering content without legal certainty,” it adds.

But while several methods of obtaining free TV content online are highlighted in the report, none achieve as much attention as IPTV – commonly known as Kodi with illicit third-party addons.

In her report preamble, Minister for Intellectual Property Baroness Neville-Rolfe describes anti-IPTV collaboration between the Federation Against Copyright Theft, Trading Standards, and the Police, as one of the year’s operational successes. Indeed, FACT say anti-IPTV work is now their top priority.

Federation Against Copyright Theft

“We have prioritised an emerging threat to the audiovisual industry, internet protocol TV (IPTV) boxes,” FACT write.

“In their original form, these boxes are legitimate. However, with the use of apps and add-ons, they allow users to access copyright infringing material, from live TV and sports, to premium pay-for channels and newly released films. Once configured these boxes are illegal.”

FACT say they are concentrating on two areas – raising awareness in the industry and elsewhere while carrying out enforcement and disruption operations.

“In the last year FACT has worked with a wide range of partners and law enforcement bodies to tackle individuals and disrupt businesses selling illegal IPTV boxes. Enforcement action has been widespread across the UK with numerous ongoing investigations,” FACT note.

Overall, FACT say that 70% of the public complaints they receive relate to online copyright infringement. More than a quarter of all complaints now relate to IPTV and 50% of the anti-piracy group’s current investigations involve IPTV boxes.


British Phonographic Industry (BPI)

In their submission to the report, the BPI cite three key areas of concern – online piracy, physical counterfeiting, and Internet-enabled sales of infringing physical content. The former is their top priority.

“The main online piracy threats to the UK recorded music industry at present come from BitTorrent networks, MP3 aggregator sites, cyberlockers, unauthorised streaming sites, stream ripping sites and pirate sites accessed via mobile devices,” the BPI writes.

“Search engines – predominantly Google – also continue to provide millions of links to infringing content and websites that are hosted by non-compliant operators and hosts that cannot be closed down have needed to be blocked in the UK under s.97A court orders (website blocking).”

The BPI notes that between January 2015 and March 2016, it submitted more than 100 million URL takedowns to Google and Bing. Counting all notices since 2011 when the BPI began the practice, the tally now sits at 200 million URLs.

“These astronomic numbers demonstrate the large quantity of infringing content that is available online and which is easily accessible to search engine users,” the BPI says.

On the web-blocking front, the BPI says it now has court orders in place to block 63 pirate sites and more than 700 related URLs, IP addresses and proxies.

“Site blocking is proving a successful strategy, and the longer the blocks are in place, the more effective they tend to be. The latest data available shows that traffic to sites blocked for over one year has reduced by an average of around 80%; with traffic to sites blocked for less than a year reduced by an average of around 50%,” the BPI adds.

Infringement warnings for Internet subscibers

The Get it Right campaign is an educational effort to advise the public on how to avoid pirate sites and spend money on genuine products. The campaign has been somewhat lukewarm thus far, but the sting in the tail has always been the threat of copyright holders sending warnings to Internet pirates.

To date, nothing has materialized on that front but hidden away on page 51 of the report is a hint that something might happen soon.

“A further component of the ‘Get it Right’ campaign is a subscriber alert programme that will, starting by the end of 2016, advise ISPs’ residential subscribers when their accounts are believed to have been used to infringe copyright,” the report reads.

“Account holders will receive an Alert from their ISP, advising them that unlawful uploading of a copyright content file may have taken place on their internet connection and offering advice on where to find legitimate sources of content.”

Overall, the tone of the report suggests a huge threat from IP crime but one that’s being effectively tackled by groups such as FACT, BPI, the Police Intellectual Property Crime Unit, and various educational initiatives. Only time will tell if next year’s report will retain the optimism.

The full report can be downloaded here (pdf)

Source: TF, for the latest info on copyright, file-sharing, torrent sites and ANONYMOUS VPN services.

Man Likely to Sacrifice Himself Testing Streaming Piracy Limits

Post Syndicated from Andy original https://torrentfreak.com/man-likely-to-sacrifice-himself-testing-streaming-piracy-limits-160925/

android-boxYear in, year out, people with an interest in Internet file-sharing discuss what is permissible under current legislation. It’s an important exercise if people are to stay on the right side of the law.

These discussions have historically taken place among enthusiasts but with the advent of easily accessible piracy tools such as Popcorn Time, modified Kodi, and Showbox, the man in the street his now taking part.

One individual that has provoked interest among the public is UK-based Brian ‘Tomo’ Thompson, who was previously raided by police and Trading Standards after selling “fully loaded” Android boxes from his shop in the north-east.

Thompson is now being prosecuted by his local council. He says he intends to fight back to discover where the boundaries lie for sellers of similar devices.

“All I want to know is whether I am doing anything illegal. I know it’s a grey area but I want it in black and white,” he said this week.

“I’m prepared to accept what the court decides but at the moment as far as I’m concerned I’m not breaking the law.”

There are many people who share Thompson’s opinion and there’s no shortage of supporters willing the Middlesbrough man on to victory against what some see as a vindictive prosecution.

But while this is indeed an attack on the little guy, Thompson is almost certainly about to sacrifice himself for little to no gain. Admittedly the case isn’t completely straightforward, but a conviction seems almost inevitable. Here’s why.

Hardware devices – whether a computer, Android phone, tablet, or in this case, a set-top box – are 100% legal. Anyone can buy, sell or trade such devices almost anywhere in the world with no issues.

Thompson knows this, describing the blank devices as “just like a big USB stick.” While not a great analogy, for the purposes of the law, that will suffice.

On its own, the Kodi media player is also 100% legal. Anyone can download, install, use or give away the software with no problems whatsoever. Installing Kodi on an Android device and selling it is legal almost everywhere and definitely legal in the UK.

If Thompson had only done the above – sell Android set-top boxes with basic Kodi installed – he would have no issues with the police or indeed Trading Standards. Individually and combined, the software and devices are completely non-infringing.

However, Thompson did not stop there. What he did was sold Android boxes with Kodi installed, plus all the extra third-party addons that allow people to view infringing movies, TV shows, live sports, plus all the other ‘goodies’ that buyers of these boxes demand. His adverts on Facebook make that very clear.


It is these third-party addons that make what Thompson did unlawful. Selling devices and/or software designed for infringing copying purposes is illegal in the UK. Encouraging others to break the law never goes in a defendant’s favor either.

According to The Northern Echo, since he was raided in March, Thompson has been selling boxes that do not have the addons installed.

“These boxes are available from all over the place, not just me, but it’s the downloading of software to watch channels that is apparently causing the problem,” he said.

But despite not offering them himself, the businessman continued to encourage his customers to install the addons on devices he supplied, despite being targeted twice previously by the authorities.

The advert below is currently available on Thompson’s Facebook page and many of the channels are subscription-only affairs. Judges rarely look kindly on people encouraging others to break the law, especially where big corporate interests are the perceived victims.


Finally, there is another issue that could negatively affect Thompson’s defense. In June 2015, a company called Geeky Kit was raided near to Thompson’s premises. That company was also targeted for selling fully-loaded Android boxes. That company’s storefront at the time of the raid is shown below.

The signage clearly states that items being sold within are being offered on the basis that they provide access to subscription TV package channels for free. Geeky Kit’s premises remained closed in the weeks that followed the raid but in August came a surprise announcement from Thompson.


Thompson is now set to appear before Magistrates’ Court next week in what will be a first-of-its-kind case. Much will hinge on the outcome, for Thompson and others in his position.

“This may have to go to the crown court and then it may go all the way to the European court, but I want to make a point with this and I want to make it easier for people to know what it legal and what isn’t,” he said. “I expect it go against me but at least I will know where I stand.”

While some definitive legal clarity in this area would help thousands of people to understand where the boundaries lie with these boxes, one can’t help but think that this is a particularly bad case for testing the waters.

Whether it will go entirely against Thompson next week remains to be seen, but if he wins the case and boxes with addons are declared legal to sell, it will be nothing short of a miracle. Companies like Sky, Premier League, and the Federation Against Copyright Theft, will rightly go into meltdown.

“It is the first case of its kind in the world so it is going to be interesting,” Thompson concludes.

He’s not wrong there.

Source: TF, for the latest info on copyright, file-sharing, torrent sites and ANONYMOUS VPN services.

10 Years in Prison For Online Pirates a Step Closer in the UK

Post Syndicated from Andy original https://torrentfreak.com/10-years-in-prison-for-online-pirates-a-step-closer-in-the-uk-160914/

In an effort to control the prevalence of online piracy, numerous criminal actions against file-sharers and file-sharing site operators have already taken place in the UK. However, these prosecutions have not been straightforward.

Due to UK copyright law allowing for custodial sentences of ‘just’ two years for online offenses, anti-piracy groups such as the Federation Against Copyright Theft have chosen to pursue their own private prosecutions. These have largely taken place under legislation designed for those who have committed fraud, rather than the more appropriate offense of copyright infringement.

Physical pirates (CDs, DVDs) can be jailed for up to 10 years under current legislation. During the past few years, there have been lobbying efforts for this punishment to apply both on and offline. That resulted in a UK Government announcement last year indicating that it would move to increase the maximum prison sentence for online copyright infringement to ten years.

This proposal was detailed in a draft of the Digital Economy Bill published in July. If passed into law, it would amend the relevant section of the Copyright, Designs and Patents Act 1988.

That likelihood increased yesterday with the 2nd Reading of the Digital Economy Bill in the House of Commons. Karen Bradley, Secretary of State for Culture, Media and Sport, was in attendance. The MP, who was appointed in July, spoke strongly in favor of strict copyright enforcement.

“We will help businesses from attacks on their intellectual property. Burglars can be sentenced to ten years in prison, but the criminal gangs that are making vast sums of money through exploiting the online creations of others only face a two-year sentence. We will increase this to ten,” Bradley said.


Interestingly, Bradley mentioned a convicted pirate by name. Paul Mahoney ran streaming portal FastPassTV and discussion and linking forum BedroomMedia. After being raided in 2011, the Northern Ireland-based man was sentenced to four years in jail under the Fraud Act, two more than the maximum he would’ve received under copyright legislation.

“Criminals like Paul Mahoney, who profited by almost £300,000 and cost industry millions by facilitating access to illegal films on the Internet, need to be sent a clear message,” Bradley said.

“We need to ensure that enforcement agencies and their partners have the right set of tools to tackle all types of piracy, which is why this clause is so important.”

When the increase to ten years was first reported, some news outlets suggested that regular file-sharers could be subjected to the decade-long sentence. That was addressed in Parliament yesterday by Labour MP Thangam Debbonaire, who welcomed the move but sought assurances that the casual downloader wouldn’t be targeted.

“I am pleased that clause 26 amends the current legislation on copyright to bring online criminal penalties for copyright infringement in line with off-line penalties, with a maximum of 10 years’ imprisonment. This will target anyone who infringes copyright in order to make a commercial gain,” he said.

“However, I wish to stress to hon. Members and to members of the public that this is not to catch out people who download music and unwittingly download or stream something illegal. I want to make that clear in adding my support to this measure. As far as I understand it, it targets the criminals who make money from distributing music to which they do not have the rights.”

Culture Secretary Karen Bradley confirmed that was indeed the case.

Speaking in support of the amendment, Conservative MP John Whittingdale said he was “delighted” that online and offline penalties will be equalized but said that more still needs to be done. Unsurprisingly, given the current environment, Google was again the target.

“The Conservative party manifesto stated that we would put pressure on search engines to try to prevent illegal sites from coming up at the top of a search. I know that round-table discussions have been taking place for a considerable time, but it is a matter of great concern that no significant progress has yet been made,” Whittingdale said.

“In the most recent attempt to find out whether or not there had been an improvement, a Google search was made for ‘Ed Sheeran Photograph download’, with ‘Photograph’ being one of Ed Sheeran’s most recent songs. Only one of the top 10 listings involved a legal site, and the legal site was YouTube, which, of course, is owned by Google.”

In response, Labour MP Dr Rupa Huq offered his thoughts on how that might be mitigated in future.

“[John Whittingdale] said that Ed Sheeran’s song was available on illegal platforms. Does he agree that technology companies, ​and platforms such as Google and YouTube, should be compelled to list only legal sites?” Huq said.

“At present the pirates are sometimes listed higher up than legal sites, and our British musicians who contribute, I believe, £4 billion annually to the economy are losing out as a consequence.”

Whittingdale wasn’t convinced of Huq’s solution, but agreed that much more needs to be done.

“I think it would be unrealistic to expect Google to establish whether every single site was legal or illegal. What it can do is react when illegal sites are brought to its attention,” the MP said.

“[Google] does de-list, but new sites then appear immediately. There have been a vast number of complaints from rights owners about particular sites, but they should tweak their algorithms so that those sites no longer appear at the top of the search listings. Measures of that kind have been under discussion for months and months, but the problem still exists.”

Whittingdale added that there may be a need to include a legal provision which would encourage service providers to establish some kind of voluntary code.

“[T]here may well be a case for legislation, because we cannot allow Google and other search providers to go on allowing people access to illegal sites,” he said.

The Bill will now move to Committee and Report stages, before moving to its Third Reading. It will then pass to readings in the House of Lords before undergoing amendments and the final stage of Royal Assent.

Source: TF, for the latest info on copyright, file-sharing, torrent sites and ANONYMOUS VPN services.

Apple’s Cloud Key Vault

Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2016/09/apples_cloud_ke.html

Ever since Ian Krstić, Apple’s Head of Security Engineering and Architecture, presented the company’s key backup technology at Black Hat 2016, people have been pointing to it as evidence that the company can create a secure backdoor for law enforcement.

It’s not. Matthew Green and Steve Bellovin have both explained why not. And the same group of us that wrote the “Keys Under Doormats” paper on why backdoors are a bad idea have also explained why Apple’s technology does not enable it to build secure backdoors for law enforcement. Michael Specter did the bulk of the writing.

The problem with Tait’s argument becomes clearer when you actually try to turn Apple’s Cloud Key Vault into an exceptional access mechanism. In that case, Apple would have to replace the HSM with one that accepts an additional message from Apple or the FBI­ — or an agency from any of the 100+ countries where Apple sells iPhones­ — saying “OK, decrypt,” as well as the user’s password. In order to do this securely, these messages would have to be cryptographically signed with a second set of keys, which would then have to be used as often as law enforcement access is required. Any exceptional access scheme made from this system would have to have an additional set of keys to ensure authorized use of the law enforcement access credentials.

Managing access by a hundred-plus countries is impractical due to mutual mistrust, so Apple would be stuck with keeping a second signing key (or database of second signing keys) for signing these messages that must be accessed for each and every law enforcement agency. This puts us back at the situation where Apple needs to protect another repeatedly-used, high-value public key infrastructure: an equivalent situation to what has already resulted in the theft of Bitcoin wallets, RealTek’s code signing keys, and Certificate Authority failures, among many other disasters.

Repeated access of private keys drastically increases their probability of theft, loss, or inappropriate use. Apple’s Cloud Key Vault does not have any Apple-owned private key, and therefore does not indicate that a secure solution to this problem actually exists.

It is worth noting that the exceptional access schemes one can create from Apple’s CKV (like the one outlined above) inherently entails the precise issues we warned about in our previous essay on the danger signs for recognizing flawed exceptional access systems. Additionally, the Risks of Key Escrow and Keys Under Doormats papers describe further technical and nontechnical issues with exceptional access schemes that must be addressed. Among the nontechnical hurdles would be the requirement, for example, that Apple run a large legal office to confirm that requests for access from the government of Uzbekistan actually involved a device that was located in that country, and that the request was consistent with both US law and Uzbek law.

My colleagues and I do not argue that the technical community doesn’t know how to store high-value encryption keys­ — to the contrary that’s the whole point of an HSM. Rather, we assert that holding on to keys in a safe way such that any other party (i.e. law enforcement or Apple itself) can also access them repeatedly without high potential for catastrophic loss is impossible with today’s technology, and that any scheme running into fundamental sociotechnical challenges such as jurisdiction must be evaluated honestly before any technical implementation is considered.

Apple Patents Collecting Biometric Information Based on Unauthorized Device Use

Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2016/08/apple_patents_c.html

Apple received a patent earlier this year on collecting biometric information of an unauthorized device user. The obvious application is taking a copy of the fingerprint and photo of someone using as stolen smartphone.

Note that I have no opinion on whether this is a patentable idea or the patent is valid.

Notes on that StJude/MuddyWatters/MedSec thing

Post Syndicated from Robert Graham original http://blog.erratasec.com/2016/08/notes-on-that-stjudemuddywattersmedsec.html

I thought I’d write up some notes on the StJude/MedSec/MuddyWaters affair. Some references: [1] [2] [3] [4].

The story so far

tl;dr: hackers drop 0day on medical device company hoping to profit by shorting their stock

St Jude Medical (STJ) is one of the largest providers of pacemakers (aka. cardiac devices) in the country, around ~$2.5 billion in revenue, which accounts for about half their business. They provide “smart” pacemakers with an on-board computer that talks via radio-waves to a nearby monitor that records the functioning of the device (and health data). That monitor, “Merlin@Home“, then talks back up to St Jude (via phone lines, 3G cell phone, or wifi). Pretty much all pacemakers work that way (my father’s does, although his is from a different vendor).

MedSec is a bunch of cybersecurity researchers (white-hat hackers) who have been investigating medical devices. In theory, their primary business is to sell their services to medical device companies, to help companies secure their devices. Their CEO is Justine Bone, a long-time white-hat hacker. Despite Muddy Waters garbling the research, there’s no reason to doubt that there’s quality research underlying all this.

Muddy Waters is an investment company known for investigating companies, finding problems like accounting fraud, and profiting by shorting the stock of misbehaving companies.

Apparently, MedSec did a survey of many pacemaker manufacturers, chose the one with the most cybersecurity problems, and went to Muddy Waters with their findings, asking for a share of the profits Muddy Waters got from shorting the stock.

Muddy Waters published their findings in [1] above. St Jude published their response in [2] above. They are both highly dishonest. I point that out because people want to discuss the ethics of using 0day to short stock when we should talk about the ethics of lying.

“Why you should sell the stock” [finance issues]

In this section, I try to briefly summarize Muddy Water’s argument why St Jude’s stock will drop. I’m not an expert in this area (though I do a bunch of investment), but they do seem flimsy to me.
Muddy Water’s argument is that these pacemakers are half of St Jude’s business, and that fixing them will first require recalling them all, then take another 2 year to fix, during which time they can’t be selling pacemakers. Much of the Muddy Waters paper is taken up explaining this, citing similar medical cases, and so on.
If at all true, and if the cybersecurity claims hold up, then yes, this would be good reason to short the stock. However, I suspect they aren’t true — and they are simply trying to scare people about long-term consequences allowing Muddy Waters to profit in the short term.
@selenakyle on Twitter suggests this interest document [4] about market-solutions to vuln-disclosure, if you are interested in this angle of things.
Update from @lippard: Abbot Labs agreed in April to buy St Jude at $85 a share (when St Jude’s stock was $60/share). Presumable, for this Muddy Waters attack on St Jude’s stock price to profit from anything more than a really short term stock drop (like dumping their short position today), Muddy Waters would have believe this effort will cause Abbot Labs to walk away from the deal. Normally, there are penalties for doing so, but material things like massive vulnerabilities in a product should allow Abbot Labs to walk away without penalties.

The 0day being dropped

Well, they didn’t actually drop 0day as such, just claims that 0day exists — that it’s been “demonstrated”. Reading through their document a few times, I’ve created a list of the 0day they found, to the granularity that one would expect from CVE numbers (CVE is group within the Department of Homeland security that assigns standard reference numbers to discovered vulnerabilities).

The first two, which can kill somebody, are the salient ones. The others are more normal cybersecurity issues, and may be of concern because they can leak HIPAA-protected info.

CVE-2016-xxxx: Pacemaker can be crashed, leading to death
Within a reasonable distance (under 50 feet) over several hours, pounding the pacemaker with malformed packets (either from an SDR or a hacked version of the Merlin@Home monitor), the pacemaker can crash. Sometimes such crashes will brick the device, other times put it into a state that may kill the patient by zapping the heart too quickly.

CVE-2016-xxxx: Pacemaker power can be drained, leading to death
Within a reasonable distance (under 50 feet) over several days, the pacemaker’s power can slowly be drained at the rate of 3% per hour. While the user will receive a warning from their Merlin@Home monitoring device that the battery is getting low, it’s possible the battery may be fully depleted before they can get to a doctor for a replacement. A non-functioning pacemaker may lead to death.

CVE-2016-xxxx: Pacemaker uses unauthenticated/unencrypted RF protocol
The above two items are possible because there is no encryption nor authentication in the wireless protocol, allowing any evildoer access to the pacemaker device or the monitoring device.

CVE-2016-xxxx: Merlin@Home contained hard-coded credentials and SSH keys
The password to connect to the St Jude network is the same for all device, and thus easily reverse engineered.

CVE-2016-xxxx: local proximity wand not required
It’s unclear in the report, but it seems that most other products require a wand in local promixity (inches) in order to enable communication with the pacemaker. This seems like a requirement — otherwise, even with authentication, remote RF would be able to drain the device in the person’s chest.

So these are, as far as I can tell, the explicit bugs they outline. Unfortunately, none are described in detail. I don’t see enough detail for any of these to actually be assigned a CVE number. I’m being generous here, trying to describe them as such, giving them the benefit of the doubt, there’s enough weasel language in there that makes me doubt all of them. Though, if the first two prove not to be reproducible, then there will be a great defamation case, so I presume those two are true.

The movie/TV plot scenarios

So if you wanted to use this as a realistic TV/movie plot, here are two of them.
#1 You (the executive of the acquiring company) are meeting with the CEO and executives of a smaller company you want to buy. It’s a family concern, and the CEO really doesn’t want to sell. But you know his/her children want to sell. Therefore, during the meeting, you pull out your notebook and an SDR device and put it on the conference room table. You start running the exploit to crash that CEO’s pacemaker. It crashes, the CEO grabs his/her chest, who gets carted off the hospital. The children continue negotiations, selling off their company.
#2 You are a hacker in Russia going after a target. After many phishing attempts, you finally break into the home desktop computer. From that computer, you branch out and connect to the Merlin@Home devices through the hard-coded password. You then run an exploit from the device, using that device’s own radio, to slowly drain the battery from the pacemaker, day after day, while the target sleeps. You patch the software so it no longer warns the user that the battery is getting low. The battery dies, and a few days later while the victim is digging a ditch, s/he falls over dead from heart failure.

The Muddy Water’s document is crap

There are many ethical issues, but the first should be dishonesty and spin of the Muddy Waters research report.

The report is clearly designed to scare other investors to drop St Jude stock price in the short term so that Muddy Waters can profit. It’s not designed to withstand long term scrutiny. It’s full of misleading details and outright lies.

For example, it keeps stressing how shockingly bad the security vulnerabilities are, such as saying:

We find STJ Cardiac Devices’ vulnerabilities orders of magnitude more worrying than the medical device hacks that have been publicly discussed in the past. 

This is factually untrue. St Jude problems are no worse than the 2013 issue where doctors disable the RF capabilities of Dick Cheney’s pacemaker in response to disclosures. They are no worse than that insulin pump hack. Bad cybersecurity is the norm for medical devices. St Jude may be among the worst, but not by an order-of-magnitude.

The term “orders of magnitude” is math, by the way, and means “at least 100 times worse”. As an expert, I claim these problems are not even one order of magnitude (10 times worse). I challenge MedSec’s experts to stand behind the claim that these vulnerabilities are at least 100 times worse than other public medical device hacks.

In many places, the language is wishy-washy. Consider this quote:

Despite having no background in cybersecurity, Muddy Waters has been able to replicate in-house key exploits that help to enable these attacks

The semantic content of this is nil. It says they weren’t able to replicate the attacks themselves. They don’t have sufficient background in cybersecurity to understand what they replicated.

Such language is pervasive throughout the document, things that aren’t technically lies, but which aren’t true, either.

Also pervasive throughout the document, repeatedly interjected for no reason in the middle of text, are statements like this, repeatedly stressing why you should sell the stock:

Regardless, we have little doubt that STJ is about to enter a period of protracted litigation over these products. Should these trials reach verdicts, we expect the courts will hold that STJ has been grossly negligent in its product design. (We estimate awards could total $6.4 billion.15)

I point this out because Muddy Waters obviously doesn’t feel the content of the document stands on its own, so that you can make this conclusion yourself. It instead feels the need to repeat this message over and over on every page.

Muddy Waters violation of Kerckhoff’s Principle

One of the most important principles of cyber security is Kerckhoff’s Principle, that more openness is better. Or, phrased another way, that trying to achieve security through obscurity is bad.

The Muddy Water’s document attempts to violate this principle. Besides the the individual vulnerabilities, it makes the claim that St Jude cybersecurity is inherently bad because it’s open. it uses off-the-shelf chips, standard software (line Linux), and standard protocols. St Jude does nothing to hide or obfuscate these things.

Everyone in cybersecurity would agree this is good. Muddy Waters claims this is bad.

For example, some of their quotes:

One competitor went as far as developing a highly proprietary embedded OS, which is quite costly and rarely seen

In contrast, the other manufacturers have proprietary RF chips developed specifically for their protocols

Again, as the cybersecurity experts in this case, I challenge MedSec to publicly defend Muddy Waters in these claims.

Medical device manufacturers should do the opposite of what Muddy Waters claims. I’ll explain why.

Either your system is secure or it isn’t. If it’s secure, then making the details public won’t hurt you. If it’s insecure, then making the details obscure won’t help you: hackers are far more adept at reverse engineering than you can possibly understand. Making things obscure, though, does stop helpful hackers (i.e. cybersecurity consultants you hire) from making your system secure, since it’s hard figuring out the details.

Said another way: your adversaries (such as me) hate seeing open systems that are obviously secure. We love seeing obscure systems, because we know you couldn’t possibly have validated their security.

The point is this: Muddy Waters is trying to profit from the public’s misconception about cybersecurity, namely that obscurity is good. The actual principle is that obscurity is bad.

St Jude’s response was no better

In response to the Muddy Water’s document, St Jude published this document [2]. It’s equally full of lies — the sort that may deserve a share holder lawsuit. (I see lawsuits galore over this). It says the following:

We have examined the allegations made by Capital and MedSec on August 25, 2016 regarding the safety and security of our pacemakers and defibrillators, and while we would have preferred the opportunity to review a detailed account of the information, based on available information, we conclude that the report is false and misleading.

If that’s true, if they can prove this in court, then that will mean they could win millions in a defamation lawsuit against Muddy Waters, and millions more for stock manipulation.

But it’s almost certainly not true. Without authentication/encryption, then the fact that hackers can crash/drain a pacemaker is pretty obvious, especially since (as claimed by Muddy Waters), they’ve successfully done it. Specifically, the picture on page 17 of the 34 page Muddy Waters document is a smoking gun of a pacemaker misbehaving.

The rest of their document contains weasel-word denials that may be technically true, but which have no meaning.

St. Jude Medical stands behind the security and safety of our devices as confirmed by independent third parties and supported through our regulatory submissions. 

Our software has been evaluated and assessed by several independent organizations and researchers including Deloitte and Optiv.

In 2015, we successfully completed an upgrade to the ISO 27001:2013 certification.

These are all myths of the cybersecurity industry. Conformance with security standards, such as ISO 27001:2013, has absolutely zero bearing on whether you are secure. Having some consultants/white-hat claim your product is secure doesn’t mean other white-hat hackers won’t find an insecurity.

Indeed, having been assessed by Deloitte is a good indicator that something is wrong. It’s not that they are incompetent (they’ve got some smart people working for them), but ultimately the way the security market works is that you demand of such auditors that the find reasons to believe your product is secure, not that they keep hunting until something is found that is insecure. It’s why outsiders, like MedSec, are better, because they strive to find why your product is insecure. The bigger the enemy, the more resources they’ll put into finding a problem.

It’s like after you get a hair cut, your enemies and your friends will have different opinions on your new look. Enemies are more honest.

The most obvious lie from the St Jude response is the following:

The report claimed that the battery could be depleted at a 50-foot range. This is not possible since once the device is implanted into a patient, wireless communication has an approximate 7-foot range. This brings into question the entire testing methodology that has been used as the basis for the Muddy Waters Capital and MedSec report.

That’s not how wireless works. With directional antennas and amplifiers, 7-feet easily becomes 50-feet or more. Even without that, something designed for reliable operation at 7-feet often works less reliably at 50-feet. There’s no cutoff at 7-feet within which it will work, outside of which it won’t.

That St Jude deliberately lies here brings into question their entire rebuttal. (see what I did there?)


First let’s discuss the ethics of lying, using weasel words, and being deliberately misleading. Both St Jude and Muddy Waters do this, and it’s ethically wrong. I point this out to uninterested readers who want to get at that other ethical issue. Clear violations of ethics we all agree interest nobody — but they ought to. We should be lambasting Muddy Waters for their clear ethical violations, not the unclear one.

So let’s get to the ethical issue everyone wants to discuss:

Is it ethical to profit from shorting stock while dropping 0day.

Let’s discuss some of the issues.

There’s no insider trading. Some people wonder if there are insider trading issues. There aren’t. While it’s true that Muddy Waters knew some secrets that nobody else knew, as long as they weren’t insider secrets, it’s not insider trading. In other words, only insiders know about a key customer contract won or lost recently. But, vulnerabilities researched by outsiders is still outside the company.

Watching a CEO walk into the building of a competitor is still outsider knowledge — you can trade on the likely merger, even though insider employees cannot.

Dropping 0day might kill/harm people. That may be true, but that’s never an ethical reason to not drop it. That’s because it’s not this one event in isolation. If companies knew ethical researchers would never drop an 0day, then they’d never patch it. It’s like the government’s warrantless surveillance of American citizens: the courts won’t let us challenge it, because we can’t prove it exists, and we can’t prove it exists, because the courts allow it to be kept secret, because revealing the surveillance would harm national intelligence. That harm may happen shouldn’t stop the right thing from happening.

In other words, in the long run, dropping this 0day doesn’t necessarily harm people — and thus profiting on it is not an ethical issue. We need incentives to find vulns. This moves the debate from an ethical one to more of a factual debate about the long-term/short-term risk from vuln disclosure.

As MedSec points out, St Jude has already proven itself an untrustworthy consumer of vulnerability disclosures. When that happens, the dropping 0day is ethically permissible for “responsible disclosure”. Indeed, that St Jude then lied about it in their response ex post facto justifies the dropping of the 0day.

No 0day was actually dropped here. In this case, what was dropped was claims of 0day. This may be good or bad, depending on your arguments. It’s good that the vendor will have some extra time to fix the problems before hackers can start exploiting them. It’s bad because we can’t properly evaluate the true impact of the 0day unless we get more detail — allowing Muddy Waters to exaggerate and mislead people in order to move the stock more than is warranted.

In other words, the lack of actual 0day here is the problem — actual 0day would’ve been better.

This 0day is not necessarily harmful. Okay, it is harmful, but it requires close proximity. It’s not as if the hacker can reach out from across the world and kill everyone (barring my movie-plot section above). If you are within 50 feet of somebody, it’s easier shooting, stabbing, or poisoning them.

Shorting on bad news is common. Before we address the issue whether this is unethical for cybersecurity researchers, we should first address the ethics for anybody doing this. Muddy Waters already does this by investigating companies for fraudulent accounting practice, then shorting the stock while revealing the fraud.

Yes, it’s bad that Muddy Waters profits on the misfortunes of others, but it’s others who are doing fraud — who deserve it. [Snide capitalism trigger warning] To claim this is unethical means you are a typical socialist who believe the State should defend companies, even those who do illegal thing, in order to stop illegitimate/windfall profits. Supporting the ethics of this means you are a capitalist, who believe companies should succeed or fail on their own merits — which means bad companies need to fail, and investors in those companies should lose money.

Yes, this is bad for cybersec research. There is constant tension between cybersecurity researchers doing “responsible” (sic) research and companies lobbying congress to pass laws against it. We see this recently how Detroit lobbied for DMCA (copyright) rules to bar security research, and how the DMCA regulators gave us an exemption. MedSec’s action means now all medical devices manufacturers will now lobby congress for rules to stop MedSec — and the rest of us security researchers. The lack of public research means medical devices will continue to be flawed, which is worse for everyone.

Personally, I don’t care about this argument. How others might respond badly to my actions is not an ethical constraint on my actions. It’s like speech: that others may be triggered into lobbying for anti-speech laws is still not constraint on what ethics allow me to say.

There were no lies or betrayal in the research. For me, “ethics” is usually a problem of lying, cheating, theft, and betrayal. As long as these things don’t happen, then it’s ethically okay. If MedSec had been hired by St Jude, had promised to keep things private, and then later disclosed them, then we’d have an ethical problem. Or consider this: frequently clients ask me to lie or omit things in pentest reports. It’s an ethical quagmire. The quick answer, by the way, is “can you make that request in writing?”. The long answer is “no”. It’s ethically permissible to omit minor things or do minor rewording, but not when it impinges on my credibility.

A life is worth about $10-million. Most people agree that “you can’t put value on a human life”, and that those who do are evil. The opposite is true. Should we spend more on airplane safety, breast cancer research, or the military budget to fight ISIS. Each can be measured in the number of lives saved. Should we spend more on breast cancer research, which affects people in their 30s, or solving heart disease, which affects people’s in their 70s? All these decisions means putting value on human life, and sometimes putting different value on human life. Whether you think it’s ethical, it’s the way the world works.

Thus, we can measure this disclosure of 0day in terms of potential value of life lost, vs. potential value of life saved.

Is this market manipulation? This is more of a legal question than an ethical one, but people are discussing it. If the data is true, then it’s not “manipulation” — only if it’s false. As documented in this post, there’s good reason to doubt the complete truth of what Muddy Waters claims. I suspect it’ll cost Muddy Waters more in legal fees in the long run than they could possibly hope to gain in the short run. I recommend investment companies stick to areas of their own expertise (accounting fraud) instead of branching out into things like cyber where they really don’t grasp things.

This is again bad for security research. Frankly, we aren’t a trusted community, because we claim the “sky is falling” too often, and are proven wrong. As this is proven to be market manipulation, as the stock recovers back to its former level, and the scary stories of mass product recalls fail to emerge, we’ll be blamed yet again for being wrong. That hurts are credibility.

On the other the other hand, if any of the scary things Muddy Waters claims actually come to pass, then maybe people will start heading our warnings.

Ethics conclusion: I’m a die-hard troll, so therefore I’m going to vigorously defend the idea of shorting stock while dropping 0day. (Most of you appear to think it’s unethical — I therefore must disagree with you).  But I’m also a capitalist. This case creates an incentive to drop harmful 0days — but it creates an even greater incentive for device manufacturers not to have 0days to begin with. Thus, despite being a dishonest troll, I do sincerely support the ethics of this.


The two 0days are about crashing the device (killing the patient sooner) or draining the battery (killin them later). Both attacks require hours (if not days) in close proximity to the target. If you can get into the local network (such as through phishing), you might be able to hack the Merlin@Home monitor, which is in close proximity to the target for hours every night.

Muddy Waters thinks the security problems are severe enough that it’ll destroy St Jude’s $2.5 billion pacemaker business. The argument is flimsy. St Jude’s retort is equally flimsy.

My prediction: a year from now we’ll see little change in St Jude’s pacemaker business earners, while there may be some one time costs cleaning some stuff up. This will stop the shenanigans of future 0day+shorting, even when it’s valid, because nobody will believe researchers.

PIPCU’s Operation Creative Gets New Leader & New Backers

Post Syndicated from Andy original https://torrentfreak.com/pipcus-operation-creative-gets-new-leader-new-backers-160823/

Back in 2013, major torrent sites began receiving letters from the UK’s National Fraud Intelligence Bureau (NFIB), a City of London Police unit tasked with identifying organized crime groups in order to disrupt their activities.

Behind the scenes, the fledgling Police Intellectual Property Crime Unit (PIPCU) had been working with the Federation Against Copyright Theft (FACT), the British Recorded Music Industry (BPI) and The Publishers Association with the aim of closing as many torrent and streaming sites as possible.

In time, this initiative became known as Operation Creative, a multi-pronged effort to reduce piracy using a variety of tactics, including the targeting of domains and the disruption of revenue streams.

The latter included the development of the Infringing Website List (IWL), a blacklist of websites distributed to potential advertisers and agencies who are asked to boycott the domains in the name of supporting creators.

The police, on the other hand, reportedly placed their own ads on some ‘pirate’ sites in an effort to scare would-be pirates.

Operation Creative is now in its third year and with that anniversary comes the appointment of a brand new senior officer to head up the initiative.

Detective Constable Steve Salway joins PIPCU having spent time at the National Fraud Investigation Bureau (NFIB) as a disruptions team investigator. During his time there, Salway is reported to have overseen the closure of “hundreds of criminal websites” worldwide.

While NFIB is involved in tackling IP infringement, the unit also has responsibility for investigating a wide variety of online crimes including financial fraud and identity theft. Salway’s work there crossed over with PIPCU operations and enticed him in.

“Operation Creative is leading the way in disrupting UK online digital piracy, and now it’s time to take success to the next level by exploring different tactics like maximising disruption opportunities around criminal revenue,” Salway says.

“My experience in tackling online crime and closing down criminal internet infrastructures will be applied to all future referrals and I am proud to be part of this new era for the initiative.”

PIPCU’s new dedicated officer puts the successes of Operation Creative down to the strength of the partnerships the police have forged with the private sector.

In addition to FACT, BPI and The PA, the International Federation of the Phonographic Industry (IFPI), PRS for music and the Association for UK Interactive Entertainment (UKIE) are all members. Coinciding with Salway’s appointment, the initiative now welcomes a new member in the form of the Music Publishers Association (MPA).

The MPA has a mission to “safeguard and promote” the interests of music publishers and writers while representing their interests to government, the rest of the industry, and the public. It currently boast around 260 members and 4,000 music catalogues.

“I am pleased to welcome the Music Publishers Association to the Operation Creative initiative,” says PIPCU head Detective Chief Inspector Peter Ratcliffe.

“The Police Intellectual Property Crime Unit is committed to reducing the impact of intellectual property crime on the UK’s creative industries and in Creative we have a wonderful tool to disrupt the infringers’ revenue streams and hit them where it hurts them the most.”

While providing no specific details, Ratcliffe says that since Operation Creative is “entering a new phase”, new supporters will help strengthen its ranks.

Source: TF, for the latest info on copyright, file-sharing, torrent sites and ANONYMOUS VPN services.

How Legitimate Content Killed an “Ethical” Torrent Site

Post Syndicated from Andy original https://torrentfreak.com/how-legitimate-content-killed-an-ethical-torrent-site-160821/

When peer-to-peer file-sharing networks started to gain traction more than a decade and a half ago, it soon became clear that if entertainment industries were to compete, they’d need to step up their game.

In the early 2000s, for example, users of Sharman Networks’ Kazaa software already had wide and free access to music and video titles. The introduction of BitTorrent shortly after only turned up the pressure.

Fifteen years down the line it’s now clearer than ever. The true enemy of illicit file-sharing is broad and convenient access to all content at a fair price. In the meantime, however, platforms such as torrent sites continue to pick up the slack. More than a decade ago, they were leading the charge.

Founded in 2003/4, torrent site UKNova took a somewhat unusual approach to its offering. Rather than the free-for-all witnessed on most platforms, UKNova aimed to responsibly service UK-based consumers and those overseas with select content that couldn’t easily be obtained by other means.

Initially, the site catered to a few ex-pats who were desperate for their fix of long-running TV soap, Eastenders. It had been made available in the States by BBC America, but in 2003 the iconic show was dropped.

“After initially sending VHS tapes across the Atlantic, a daring foray into the unknown world of trackers and torrents was made by brave visionaries and uknova.com was born,” a site operator told TorrentFreak.

“UKNova rapidly became known as the ‘go-to’ place for UK television and for a while was probably the leading private tracker catering to ex-pats and Anglophiles around the world.”

Most private torrent sites have strict rules, but UKNova went a step further than most by only allowing UK-produced TV content that was not available on DVD or premium channels. But despite the restrictions, UKNova was a success.

“Membership rapidly grew and was voluntarily limited to between 30,000 and 40,000 members. Forum activity could become so heavy that server problems arose, leading to an iconic ‘Mind The Gap‘ message.”

But UKNova was much more than just a torrent site. Like many niche trackers, UKNova had a thriving close-knit community centered around the theme and culture of UK TV. With assistance from the site’s radio station, those friendships thrived beyond the digital space.

“Events and activities grew from the forums: picnics and meet-ups, annual awards ceremonies with live radio, mugs and t-shirts, fantasy football leagues, and above all solidarity for members who were in need, ill or deceased,” the operator explains.

“There were at least four marriages resulting from friendships struck up on UKNova’s forums and IRC chat.”

Due to the nature of UK TV (free to view, for those who pay the standard license fee), UKNova offered a lot of BBC content. Back in the early days BBC iPlayer simply did not exist so once shows disappeared off air, that was that until the corporation decided to bring them back. UKNova not only filled that gap, but even received a request to help the BBC complete its archives.

“During this time relations with the BBC were cordial. In one case UKNova was even asked if they could find a missing recording of documentary series Horizon,” a site representative explains.

But by 2012, the atmosphere had begun to shift.

“UKNova is being forced to change,” an operator told TF at the time. “We have been issued with a ‘cease and desist’ order by FACT (Federation Against Copyright Theft.”

FACT was clear in its demands. All copyrighted content needed to come down, no matter where that content had come from and despite the fact that UKNova had never had a complaint from any TV station since its inception. The site didn’t believe it could be successfully prosecuted but had no way of defending itself.

“UKNova has never had any source of revenue other than donations to help pay for the servers and bandwidth. In latter years the site survived uniquely on private donations from Staff,” TF was told.

Within weeks UKNova shut down, but the dream wasn’t quite over yet.

“In 2013 a group of independent users decided to re-ignite the flame with a new site which was kept as low profile as possible. This site kept the ethos of the original UKNova, with the same rules concerning commercially available material,” a site veteran explains.

This, it appears, was to be the site’s ultimate undoing. The environment in 2013 was massively different to that of 2003. Legitimate services were appearing left and right, meaning that the content pool available to UKNova users under the site’s own stringent rules was diminishing every day.

UKNova’s decision to maintain its position as “the ethical torrent site” was cutting off its own oxygen supply and over the next three years the site began to die.

“In 2016 it became clear that the advent of the BBC Store and Amazon Video, linked to the quasi-immediate availability of shows from other channels on DVD, meant that allowable content was shrinking daily,” a site operator explains.

With the main reason for people visiting the site diminishing all the time, members had less and less to talk about. The continued rise of external and mainstream social media only exacerbated the situation.

“The discussion forums were grinding to a halt and membership was gradually shrinking. Rather than flogging a dead horse it seemed appropriate to turn out the lights, lock the door and gracefully retire.”

On Saturday August 7, UKNova’s trackers were taken offline. A week later the site was shuttered completely. UKNova was dead, this time for real.

“It’s been a good long run, so much good has been done, and so much fun has been had, by so many people – a unique experience. But all good things..,” the site said in a closing statement.

While FACT’s intervention was certainly an unwelcome one, it seems fairly clear that its own strict rules and the availability of legitimate content was what ultimately led to UKNova’s demise. Sadly, however, UKNova’s initial goals of serving the ex-pat community are still proving a problem today.

Only last week, FACT and the UK’s Police Intellectual Property Unit shut down an IPTV service directly aimed at British citizens living abroad.

PIPCU said that the platform had many thousands of customers, showing that a potentially lucrative market still exists if only someone, somewhere, would service it. Someone will, but it won’t be UKNova.

Source: TF, for the latest info on copyright, file-sharing, torrent sites and ANONYMOUS VPN services.

Major NSA/Equation Group Leak

Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2016/08/major_nsaequati.html

The NSA was badly hacked in 2013, and we’re just now learning about it.

A group of hackers called “The Shadow Brokers” claim to have hacked the NSA, and are posting data to prove it. The data is source code from “The Equation Group,” which is a sophisticated piece of malware exposed last year and attributed to the NSA. Some details:

The Shadow Brokers claimed to have hacked the Equation Group and stolen some of its hacking tools. They publicized the dump on Saturday, tweeting a link to the manifesto to a series of media companies.

The dumped files mostly contain installation scripts, configurations for command and control servers, and exploits targeted to specific routers and firewalls. The names of some of the tools correspond with names used in Snowden documents, such as “BANANAGLEE” or “EPICBANANA.”

Nicholas Weaver has analyzed the data and believes it real:

But the proof itself, appear to be very real. The proof file is 134 MB of data compressed, expanding out to a 301 MB archive. This archive appears to contain a large fraction of the NSA’s implant framework for firewalls, including what appears to be several versions of different implants, server side utility scripts, and eight apparent exploits for a variety of targets.

The exploits themselves appear to target Fortinet, Cisco, Shaanxi Networkcloud Information Technology (sxnc.com.cn) Firewalls, and similar network security systems. I will leave it to others to analyze the reliability, versions supported, and other details. But nothing I’ve found in either the exploits or elsewhere is newer than 2013.

Because of the sheer volume and quality, it is overwhelmingly likely this data is authentic. And it does not appear to be information taken from comprised systems. Instead the exploits, binaries with help strings, server configuration scripts, 5 separate versions of one implant framework, and all sort of other features indicate that this is analyst-side code­ — the kind that probably never leaves the NSA.

I agree with him. This just isn’t something that can be faked in this way. (Good proof would be for The Intercept to run the code names in the new leak against their database, and confirm that some of the previously unpublished ones are legitimate.)

This is definitely not Snowden stuff. This isn’t the sort of data he took, and the release mechanism is not one that any of the reporters with access to the material would use. This is someone else, probably an outsider…probably a government.

Weaver again:

But the big picture is a far scarier one. Somebody managed to steal 301 MB of data from a TS//SCI system at some point between 2013 and today. Possibly, even probably, it occurred in 2013. But the theft also could have occurred yesterday with a simple utility run to scrub all newer documents. Relying on the file timestamps­ — which are easy to modify­ — the most likely date of acquisition was June 11, 2013. That is two weeks after Snowden fled to Hong Kong and six days after the first Guardian publication. That would make sense, since in the immediate response to the leaks as the NSA furiously ran down possibly sources, it may have accidentally or deliberately eliminated this adversary’s access.

Okay, so let’s think about the game theory here. Some group stole all of this data in 2013 and kept it secret for three years. Now they want the world to know it was stolen. Which governments might behave this way? The obvious list is short: China and Russia. Were I betting, I would bet Russia, and that it’s a signal to the Obama Administration: “Before you even think of sanctioning us for the DNC hack, know where we’ve been and what we can do to you.”

They claim to be auctioning off the rest of the data to the highest bidder. I think that’s PR nonsense. More likely, that second file is random nonsense, and this is all we’re going to get. It’s a lot, though. Yesterday was a very bad day for the NSA.

EDITED TO ADD: Snowden’s comments. He thinks it’s an “NSA malware staging server” that was hacked.

EDITED TO ADD (8/18): Dave Aitel also thinks it’s Russia.

EDITED TO ADD (8/19): Two news articles.

Cisco has analyzed the vulnerabilities for their products found in the data. They found several that they patched years ago, and one new one they didn’t know about yet. See also this about the vulnerabilities.

EDITED TO ADD (8/20): More about the vulnerabilities found in the data.

Previously unreleased material from the Snowden archive proves that this data dump is real, and that the Equation Group is the NSA.

Hackers Stealing Cars

Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2016/08/hackers_stealin.html

We’re seeing car thefts in the wild accomplished through hacking:

Houston police have arrested two men for a string of high-tech thefts of trucks and SUVs in the Houston area. The Houston Chronicle reports that Michael Armando Arce and Jesse Irvin Zelaya were charged on August 4th, and are believed to be responsible for more than 100 auto thefts. Police said Arce and Zelaya were shuttling the stolen vehicles across the Mexican border.


The July video shows the thief connecting a laptop to the Jeep before driving away in it. A Fiat-Chrysler spokesman told ABC News that the thieves used software intended to be used by dealers and locksmiths to reprogram the vehicle’s keyless entry and ignition system.

PIPCU Raids ‘Pirate’ TV Streaming Operation, Three Arrested

Post Syndicated from Andy original https://torrentfreak.com/pipcu-raids-pirate-tv-streaming-operation-three-arrested-160811/

cityoflondonpoliceLast month saw the shutdown of KickassTorrents and the arrest of its alleged founder, a development which sent shockwaves through the file-sharing community.

That was followed by the surprise shutdown of Torrentz, the world’s largest torrent meta-search engine. It’s not known why the site chose to close its doors but its departure from the scene was somewhat more orderly than that of KAT.

Meanwhile, and as revealed in our earlier report, streaming continues to prove increasingly popular with Internet users, a fact the authorities are well aware of.

With that in mind, the UK’s Police Intellectual Property Unit (PIPCU) has just carried out a new operation against individuals it believes are involved in streaming content online and distributing set-top boxes modified to receive it.

Following a series of dawn raids carried out yesterday morning in Lancashire, PIPCU arrested three men aged 36, 40 and 58, on suspicion of conspiracy to defraud and money laundering offences.

PIPCU say that the operation received assistance from local police and a forensic investigator from the Federation Against Copyright Theft (FACT).

While previous operations against streaming pirates have usually resulted in the seizure of Kodi-enabled Android set-top boxes, this operation appears to have gone a step up the chain.

Photographs provided by PIPCU show what appears to be a somewhat sophisticated operation, beginning with satellite TV reception.


The PIPCU operation spanned three residential addresses and an as-yet-unnamed business premises. It seems likely that the photograph of the server room shown below was taken in the latter location. Thus far, PIPCU say they have seized approximately 30 servers.


In addition, PIPCU say they also recovered set-top boxes which had been modified so that users could access hundreds of premium subscription-only channels.

“Some of the channels available on the devices include pay-per-view sports, the latest movies and UK broadcast television only available to UK licence fee payers. Officers have also identified 15 satellites,” PIPCU report.

Neither the police nor FACT have provided any information which allows us to easily identify those arrested or their operation. However, there are a number of clues which point us in a particular direction.

Firstly, PIPCU claims that the devices were being sold as legitimate products that could provide content to users anywhere in the world for an annual fee of around £400. Second, the unit also identified a small town with a population of just 41,000.

So, given the location of the raids and the specific nature and size of the business, TorrentFreak sources familiar with IPTV operators in the UK told us that one company in particular stands out as the most likely candidate.

The outfit has not yet responded to our requests for comment so naturally we won’t name them, but we do know that they offer IPTV packages to the expat market and those abroad for just a few pounds less than the £400 mentioned by PIPCU.

The packages (and indeed the hardware) are also marketed and sold as entirely legitimate. We’re also aware that a staff member at the company was previously involved in another business dealing in satellite communications.

At the time of writing their website is still up and running and registered to a business premises in Chorley, Lancashire, the town mentioned by PIPCU. Furthermore, a posting discovered online by TF indicates that the IPTV operation had been established for a number of years and was recently running 30 servers.

In a statement, head of PIPCU, Detective Chief Inspector Peter Ratcliffe, described the outfit as “a significant and highly resourced operation to distribute pirated television on an industrial scale” to tens of thousands of people across the globe.

“Operations like this remain an integral part of protecting livelihoods supported by the entertainment industry and the law abiding public who pay for their channels with their hard earned cash,” he said.

Director General of the Federation Against Copyright Theft, Kieron Sharp, said his organization will continue to pursue those engaged in this growing area of piracy.

“Illegally modified set-top boxes, along with infringing apps and add-ons, have created new opportunities for criminality and piracy. Tackling these threats and the people behind them is one of our highest priorities and therefore today’s multi-agency action is another great result for law enforcement and the creative industries,” Sharp said.

“We will continue to work with our members and partners, such as the City of London Police, to crack down on those involved in the illegal supply of these boxes so that both the content and its creators are protected.”

When TF has solid information concerning the identity of the company involved we will post an update.

Source: TF, for the latest info on copyright, file-sharing, torrent sites and ANONYMOUS VPN services.