Tag Archives: Transmission

Some notes on the KRACK attack

Post Syndicated from Robert Graham original http://blog.erratasec.com/2017/10/some-notes-on-krack-attack.html

This is my interpretation of the KRACK attacks paper that describes a way of decrypting encrypted WiFi traffic with an active attack.

tl;dr: Wow. Everyone needs to be afraid. (Well, worried — not panicked.) It means in practice, attackers can decrypt a lot of wifi traffic, with varying levels of difficulty depending on your precise network setup. My post last July about the DEF CON network being safe was in error.

Details

This is not a crypto bug but a protocol bug (a pretty obvious and trivial protocol bug).
When a client connects to the network, the access-point at some point sends random “key” data to use for encryption. Because this packet may be lost in transmission, it can be repeated many times.
What the hacker does is simply resend this packet, potentially hours later. Each time it does so, the client resets the “keystream” back to the starting conditions. The obvious patch that device vendors will make is to accept only the first such packet received and ignore all the duplicates.
At this point, the protocol bug becomes a crypto bug. We know how to break crypto when we have two keystreams from the same starting position. It’s not always reliable, but reliable enough that people need to be afraid.
Android, though, is the biggest danger. Rather than simply replaying the packet, a packet with key data of all zeroes can be sent. This allows attackers to set up a fake WiFi access-point and man-in-the-middle all traffic.
In a related case, the access-point/base-station can sometimes also be attacked, affecting the stream sent to the client.
Not only is sniffing possible, but in some limited cases, injection is too. This allows the traditional attack of appending bad code to the end of HTML pages in order to trick users into installing a virus.

This is an active attack, not a passive attack, so in theory, it’s detectable.

Who is vulnerable?

Everyone, pretty much.
The hacker only needs to be within range of your WiFi. Your neighbor’s teenage kid is going to be downloading and running the tool in order to eavesdrop on your packets.
The hacker doesn’t need to be logged into your network.
It affects all WPA1/WPA2: the personal one with passwords that we use at home, and the enterprise version with certificates that we use in enterprises.
It can’t defeat SSL/TLS or VPNs. Thus, if you feel your laptop is safe surfing the public WiFi at airports, then your laptop is still safe from this attack. With Android, it does allow running tools like sslstrip, which can fool many users.
Your home network is vulnerable. Many devices will be using SSL/TLS, so they are fine, like your Amazon Echo, which you can continue to use without worrying about this attack. Other devices, like your Philips lightbulbs, may not be so protected.

How can I defend myself?

Patch.
More to the point, measure your current vendors by how long it takes them to patch. Throw away gear by those vendors that took a long time to patch and replace it with vendors that took a short time.
High-end access-points that contain “WIPS” (WiFi Intrusion Prevention Systems) features should be able to detect this and block vulnerable clients from connecting to the network (once the vendor upgrades the systems, of course). Even low-end access-points, like the $30 ones you get for home, can easily be updated to prevent packet sequence numbers from going back to the start (i.e. from the keystream resetting back to the start).
At some point, you’ll need to run the attack against yourself, to make sure all your devices are secure. Since you’ll be constantly allowing random phones to connect to your network, you’ll need to check their vulnerability status before connecting them. You’ll need to continue doing this for several years.
Of course, if you are using SSL/TLS for everything, then your danger is mitigated. This is yet another reason why you should be using SSL/TLS for internal communications.
Most security vendors will add things to their products/services to defend you. While valuable in some cases, it’s not a defense. The defense is patching the devices you know about, and preventing vulnerable devices from attaching to your network.
If I remember correctly, DEF CON uses Aruba. Aruba contains WIPS functionality, which means by the time DEF CON rolls around again next year, they should have the feature to deny vulnerable devices from connecting, and specifically to detect an attack in progress and prevent further communication.
However, for an attacker near an Android device using a low-powered WiFi, it’s likely they will be able to conduct man-in-the-middle without any WIPS preventing them.
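As an added illustration that is not part of the original post, here is a toy Python model of the two defensive points made above: a client that accepts only the first handshake message 3 (the vendor patch), compared with one that reinstalls the key and resets its packet number on every retransmission, plus the access-point-side check that packet numbers must never go backwards. The hash-based keystream, the session key and the station address are constructed stand-ins, not WPA2's real CCMP.

```python
"""Toy model of the KRACK key-reinstallation bug and the two checks the post describes."""
import hashlib


def keystream(ptk, pn, length):
    # Stand-in for the CCMP keystream: derived only from the session key and the
    # packet number (nonce), so the same (ptk, pn) pair always yields the same bytes.
    out = b""
    block = 0
    while len(out) < length:
        out += hashlib.sha256(ptk + pn.to_bytes(6, "big") + block.to_bytes(4, "big")).digest()
        block += 1
    return out[:length]


class Client:
    """WPA2 supplicant reduced to the one state that matters here: key and packet number."""

    def __init__(self, patched):
        self.patched = patched
        self.ptk = None
        self.pn = 0

    def receive_msg3(self, ptk):
        """Handshake message 3 installs the pairwise key and resets the packet number."""
        if self.patched and self.ptk is not None:
            return False  # fix: key already installed, ignore the retransmission
        self.ptk = ptk
        self.pn = 0  # reinstallation resets the nonce: this is the KRACK bug
        return True

    def send(self, plaintext):
        """Encrypt one frame under the current key and the next packet number."""
        self.pn += 1
        ks = keystream(self.ptk, self.pn, len(plaintext))
        return self.pn, bytes(a ^ b for a, b in zip(plaintext, ks))


class ReplayMonitor:
    """AP-side check: a station's packet numbers must only ever increase."""

    def __init__(self):
        self.highest = {}

    def accept(self, station, pn):
        if pn <= self.highest.get(station, 0):
            return False  # replayed or reset counter: drop the frame and alert
        self.highest[station] = pn
        return True


def simulate(patched):
    """Deliver message 3 twice (the second copy is the replay) and send the same frame after each.

    Returns (keystream_reused, frames_dropped_by_monitor)."""
    ptk = b"\x11" * 16  # constructed session key
    station = "aa:bb:cc:dd:ee:ff"  # constructed station address
    frame = b"GET / HTTP/1.1\r\nHost: intranet\r\n\r\n"
    client = Client(patched)
    monitor = ReplayMonitor()

    client.receive_msg3(ptk)
    pn1, ct1 = client.send(frame)
    dropped = 0 if monitor.accept(station, pn1) else 1

    client.receive_msg3(ptk)  # the replayed message 3, possibly hours later
    pn2, ct2 = client.send(frame)
    dropped += 0 if monitor.accept(station, pn2) else 1

    # Identical ciphertext for identical plaintext means the keystream was reused.
    return ct1 == ct2, dropped


if __name__ == "__main__":
    for label, patched in (("vulnerable", False), ("patched", True)):
        reused, dropped = simulate(patched)
        print(f"{label}: keystream reused={reused}, frames dropped by monitor={dropped}")
```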

How to Enable LDAPS for Your AWS Microsoft AD Directory

Post Syndicated from Vijay Sharma original https://aws.amazon.com/blogs/security/how-to-enable-ldaps-for-your-aws-microsoft-ad-directory/

Starting today, you can encrypt the Lightweight Directory Access Protocol (LDAP) communications between your applications and AWS Directory Service for Microsoft Active Directory, also known as AWS Microsoft AD. Many Windows and Linux applications use Active Directory’s (AD) LDAP service to read and write sensitive information about users and devices, including personally identifiable information (PII). Now, you can encrypt your AWS Microsoft AD LDAP communications end to end to protect this information by using LDAP Over Secure Sockets Layer (SSL)/Transport Layer Security (TLS), also called LDAPS. This helps you protect PII and other sensitive information exchanged with AWS Microsoft AD over untrusted networks.

To enable LDAPS, you need to add a Microsoft enterprise Certificate Authority (CA) server to your AWS Microsoft AD domain and configure certificate templates for your domain controllers. After you have enabled LDAPS, AWS Microsoft AD encrypts communications with LDAPS-enabled Windows applications, Linux computers that use Secure Shell (SSH) authentication, and applications such as Jira and Jenkins.

In this blog post, I show how to enable LDAPS for your AWS Microsoft AD directory in six steps: 1) Delegate permissions to CA administrators, 2) Add a Microsoft enterprise CA to your AWS Microsoft AD directory, 3) Create a certificate template, 4) Configure AWS security group rules, 5) AWS Microsoft AD enables LDAPS, and 6) Test LDAPS access using the LDP tool.

Assumptions

For this post, I assume you are familiar with the following:

Solution overview

Before going into specific deployment steps, I will provide a high-level overview of deploying LDAPS. I cover how you enable LDAPS on AWS Microsoft AD. In addition, I provide some general background about CA deployment models and explain how to apply these models when deploying Microsoft CA to enable LDAPS on AWS Microsoft AD.

How you enable LDAPS on AWS Microsoft AD

LDAP-aware applications (LDAP clients) typically access LDAP servers using Transmission Control Protocol (TCP) on port 389. By default, LDAP communications on port 389 are unencrypted. However, many LDAP clients use one of two standards to encrypt LDAP communications: LDAP over SSL on port 636, and LDAP with StartTLS on port 389. If an LDAP client uses port 636, the LDAP server encrypts all traffic unconditionally with SSL. If an LDAP client issues a StartTLS command when setting up the LDAP session on port 389, the LDAP server encrypts all traffic to that client with TLS. AWS Microsoft AD now supports both encryption standards when you enable LDAPS on your AWS Microsoft AD domain controllers.

You enable LDAPS on your AWS Microsoft AD domain controllers by installing a digital certificate that a CA issued. Though Windows servers have different methods for installing certificates, LDAPS with AWS Microsoft AD requires you to add a Microsoft CA to your AWS Microsoft AD domain and deploy the certificate through autoenrollment from the Microsoft CA. The installed certificate enables the LDAP service running on domain controllers to listen for and negotiate LDAP encryption on port 636 (LDAP over SSL) and port 389 (LDAP with StartTLS).

Background of CA deployment models

You can deploy CAs as part of a single-level or multi-level CA hierarchy. In a single-level hierarchy, all certificates come from the root of the hierarchy. In a multi-level hierarchy, you organize a collection of CAs in a hierarchy and the certificates sent to computers and users come from subordinate CAs in the hierarchy (not the root).

Certificates issued by a CA identify the hierarchy to which the CA belongs. When a computer sends its certificate to another computer for verification, the receiving computer must have the public certificate from the CAs in the same hierarchy as the sender. If the CA that issued the certificate is part of a single-level hierarchy, the receiver must obtain the public certificate of the CA that issued the certificate. If the CA that issued the certificate is part of a multi-level hierarchy, the receiver can obtain a public certificate for all the CAs that are in the same hierarchy as the CA that issued the certificate. If the receiver can verify that the certificate came from a CA that is in the hierarchy of the receiver’s “trusted” public CA certificates, the receiver trusts the sender. Otherwise, the receiver rejects the sender.

Deploying Microsoft CA to enable LDAPS on AWS Microsoft AD

Microsoft offers a standalone CA and an enterprise CA. Though you can configure either as single-level or multi-level hierarchies, only the enterprise CA integrates with AD and offers autoenrollment for certificate deployment. Because you cannot sign in to run commands on your AWS Microsoft AD domain controllers, an automatic certificate enrollment model is required. Therefore, AWS Microsoft AD requires the certificate to come from a Microsoft enterprise CA that you configure to work in your AD domain. When you install the Microsoft enterprise CA, you can configure it to be part of a single-level hierarchy or a multi-level hierarchy. As a best practice, AWS recommends a multi-level Microsoft CA trust hierarchy consisting of a root CA and a subordinate CA. I cover only a multi-level hierarchy in this post.

In a multi-level hierarchy, you configure your subordinate CA by importing a certificate from the root CA. You must issue a certificate from the root CA such that the certificate gives your subordinate CA the right to issue certificates on behalf of the root. This makes your subordinate CA part of the root CA hierarchy. You also deploy the root CA’s public certificate on all of your computers, which tells all your computers to trust certificates that your root CA issues and to trust certificates from any authorized subordinate CA.

In such a hierarchy, you typically leave your root CA offline (inaccessible to other computers in the network) to protect the root of your hierarchy. You leave the subordinate CA online so that it can issue certificates on behalf of the root CA. This multi-level hierarchy increases security because if someone compromises your subordinate CA, you can revoke all certificates it issued and set up a new subordinate CA from your offline root CA. To learn more about setting up a secure CA hierarchy, see Securing PKI: Planning a CA Hierarchy.

When a Microsoft CA is part of your AD domain, you can configure certificate templates that you publish. These templates become visible to client computers through AD. If a client’s profile matches a template, the client requests a certificate from the Microsoft CA that matches the template. Microsoft calls this process autoenrollment, and it simplifies certificate deployment. To enable LDAPS on your AWS Microsoft AD domain controllers, you create a certificate template in the Microsoft CA that generates SSL and TLS-compatible certificates. The domain controllers see the template and automatically import a certificate of that type from the Microsoft CA. The imported certificate enables LDAP encryption.

Steps to enable LDAPS for your AWS Microsoft AD directory

The rest of this post is composed of the steps for enabling LDAPS for your AWS Microsoft AD directory. First, though, I explain which components you must have running to deploy this solution successfully. I also explain how this solution works and include an architecture diagram.

Prerequisites

The instructions in this post assume that you already have the following components running:

  1. An active AWS Microsoft AD directory – To create a directory, follow the steps in Create an AWS Microsoft AD directory.
  2. An Amazon EC2 for Windows Server instance for managing users and groups in your directory – This instance needs to be joined to your AWS Microsoft AD domain and have Active Directory Administration Tools installed. Active Directory Administration Tools installs Active Directory Administrative Center and the LDP tool.
  3. An existing root Microsoft CA or a multi-level Microsoft CA hierarchy – You might already have a root CA or a multi-level CA hierarchy in your on-premises network. If you plan to use your on-premises CA hierarchy, you must have administrative permissions to issue certificates to subordinate CAs. If you do not have an existing Microsoft CA hierarchy, you can set up a new standalone Microsoft root CA by creating an Amazon EC2 for Windows Server instance and installing a standalone root certification authority. You also must create a local user account on this instance and add this user to the local administrator group so that the user has permissions to issue a certificate to a subordinate CA.

The solution setup

The following diagram illustrates the setup with the steps you need to follow to enable LDAPS for AWS Microsoft AD. You will learn how to set up a subordinate Microsoft enterprise CA (in this case, SubordinateCA) and join it to your AWS Microsoft AD domain (in this case, corp.example.com). You also will learn how to create a certificate template on SubordinateCA and configure AWS security group rules to enable LDAPS for your directory.

As a prerequisite, I already created a standalone Microsoft root CA (in this case RootCA) for creating SubordinateCA. RootCA also has a local user account called RootAdmin that has administrative permissions to issue certificates to SubordinateCA. Note that you may already have a root CA or a multi-level CA hierarchy in your on-premises network that you can use for creating SubordinateCA instead of creating a new root CA. If you choose to use your existing on-premises CA hierarchy, you must have administrative permissions on your on-premises CA to issue a certificate to SubordinateCA.

Lastly, I also already created an Amazon EC2 instance (in this case, Management) that I use to manage users, configure AWS security groups, and test the LDAPS connection. I join this instance to the AWS Microsoft AD directory domain.

Diagram showing the process discussed in this post

Here is how the process works:

  1. Delegate permissions to CA administrators (in this case, CAAdmin) so that they can join a Microsoft enterprise CA to your AWS Microsoft AD domain and configure it as a subordinate CA.
  2. Add a Microsoft enterprise CA to your AWS Microsoft AD domain (in this case, SubordinateCA) so that it can issue certificates to your directory domain controllers to enable LDAPS. This step includes joining SubordinateCA to your directory domain, installing the Microsoft enterprise CA, and obtaining a certificate from RootCA that grants SubordinateCA permissions to issue certificates.
  3. Create a certificate template (in this case, ServerAuthentication) with server authentication and autoenrollment enabled so that your AWS Microsoft AD directory domain controllers can obtain certificates through autoenrollment to enable LDAPS.
  4. Configure AWS security group rules so that AWS Microsoft AD directory domain controllers can connect to the subordinate CA to request certificates.
  5. AWS Microsoft AD enables LDAPS through the following process:
    1. AWS Microsoft AD domain controllers request a certificate from SubordinateCA.
    2. SubordinateCA issues a certificate to AWS Microsoft AD domain controllers.
    3. AWS Microsoft AD enables LDAPS for the directory by installing certificates on the directory domain controllers.
  6. Test LDAPS access by using the LDP tool.

I now will show you these steps in detail. I use the names of components—such as RootCA, SubordinateCA, and Management—and refer to users—such as Admin, RootAdmin, and CAAdmin—to illustrate who performs these steps. All component names and user names in this post are used for illustrative purposes only.

Deploy the solution

Step 1: Delegate permissions to CA administrators


In this step, you delegate permissions to your users who manage your CAs. Your users then can join a subordinate CA to your AWS Microsoft AD domain and create the certificate template in your CA.

To enable use with a Microsoft enterprise CA, AWS added a new built-in AD security group called AWS Delegated Enterprise Certificate Authority Administrators that has delegated permissions to install and administer a Microsoft enterprise CA. By default, your directory Admin is part of the new group and can add other users or groups in your AWS Microsoft AD directory to this security group. If you have trust with your on-premises AD directory, you can also delegate CA administrative permissions to your on-premises users by adding on-premises AD users or global groups to this new AD security group.

To create a new user (in this case CAAdmin) in your directory and add this user to the AWS Delegated Enterprise Certificate Authority Administrators security group, follow these steps:

  1. Sign in to the Management instance using RDP with the user name admin and the password that you set for the admin user when you created your directory.
  2. Launch the Microsoft Windows Server Manager on the Management instance and navigate to Tools > Active Directory Users and Computers.
    Screenshot of the menu including the "Active Directory Users and Computers" choice
  3. Switch to the tree view and navigate to corp.example.com > CORP > Users. Right-click Users and choose New > User.
    Screenshot of choosing New > User
  4. Add a new user with the First name CA, Last name Admin, and User logon name CAAdmin.
    Screenshot of completing the "New Object - User" boxes
  5. In the Active Directory Users and Computers tool, navigate to corp.example.com > AWS Delegated Groups. In the right pane, right-click AWS Delegated Enterprise Certificate Authority Administrators and choose Properties.
    Screenshot of navigating to AWS Delegated Enterprise Certificate Authority Administrators > Properties
  6. In the AWS Delegated Enterprise Certificate Authority Administrators window, switch to the Members tab and choose Add.
    Screenshot of the "Members" tab of the "AWS Delegate Enterprise Certificate Authority Administrators" window
  7. In the Enter the object names to select box, type CAAdmin and choose OK.
    Screenshot showing the "Enter the object names to select" box
  8. In the next window, choose OK to add CAAdmin to the AWS Delegated Enterprise Certificate Authority Administrators security group.
    Screenshot of adding "CA Admin" to the "AWS Delegated Enterprise Certificate Authority Administrators" security group
  9. Also add CAAdmin to the AWS Delegated Server Administrators security group so that CAAdmin can RDP in to the Microsoft enterprise CA machine.
    Screenshot of adding "CAAdmin" to the "AWS Delegated Server Administrators" security group also so that "CAAdmin" can RDP in to the Microsoft enterprise CA machine

 You have granted CAAdmin permissions to join a Microsoft enterprise CA to your AWS Microsoft AD directory domain.

Step 2: Add a Microsoft enterprise CA to your AWS Microsoft AD directory


In this step, you set up a subordinate Microsoft enterprise CA and join it to your AWS Microsoft AD directory domain. I will summarize the process first and then walk through the steps.

First, you create an Amazon EC2 for Windows Server instance called SubordinateCA and join it to the domain, corp.example.com. You then publish RootCA’s public certificate and certificate revocation list (CRL) to SubordinateCA’s local trusted store. You also publish RootCA’s public certificate to your directory domain. Doing so enables SubordinateCA and your directory domain controllers to trust RootCA. You then install the Microsoft enterprise CA service on SubordinateCA and request a certificate from RootCA to make SubordinateCA a subordinate Microsoft CA. After RootCA issues the certificate, SubordinateCA is ready to issue certificates to your directory domain controllers.

Note that you can use an Amazon S3 bucket to pass the certificates between RootCA and SubordinateCA.

In detail, here is how the process works, as illustrated in the preceding diagram:

  1. Set up an Amazon EC2 instance joined to your AWS Microsoft AD directory domain – Create an Amazon EC2 for Windows Server instance to use as a subordinate CA, and join it to your AWS Microsoft AD directory domain. For this example, the machine name is SubordinateCA and the domain is corp.example.com.
  2. Share RootCA’s public certificate with SubordinateCA – Log in to RootCA as RootAdmin and start Windows PowerShell with administrative privileges. Run the following commands to copy RootCA’s public certificate and CRL to the folder c:\rootcerts on RootCA.
    New-Item c:\rootcerts -type directory
    copy C:\Windows\system32\certsrv\certenroll\*.cr* c:\rootcerts

    Upload RootCA’s public certificate and CRL from c:\rootcerts to an S3 bucket by following the steps in How Do I Upload Files and Folders to an S3 Bucket.

    The following screenshot shows RootCA’s public certificate and CRL uploaded to an S3 bucket.
    Screenshot of RootCA’s public certificate and CRL uploaded to the S3 bucket

  3. Publish RootCA’s public certificate to your directory domain – Log in to SubordinateCA as the CAAdmin. Download RootCA’s public certificate and CRL from the S3 bucket by following the instructions in How Do I Download an Object from an S3 Bucket? Save the certificate and CRL to the C:\rootcerts folder on SubordinateCA. Add RootCA’s public certificate and the CRL to the local store of SubordinateCA and publish RootCA’s public certificate to your directory domain by running the following commands using Windows PowerShell with administrative privileges.
    certutil -addstore -f root <path to the RootCA public certificate file>
    certutil -addstore -f root <path to the RootCA CRL file>
    certutil -dspublish -f <path to the RootCA public certificate file> RootCA
  4. Install the subordinate Microsoft enterprise CA – Install the subordinate Microsoft enterprise CA on SubordinateCA by following the instructions in Install a Subordinate Certification Authority. Ensure that you choose Enterprise CA for Setup Type to install an enterprise CA. For the CA Type, choose Subordinate CA.
  5. Request a certificate from RootCA – Next, copy the certificate request on SubordinateCA to a folder called c:\CARequest by running the following commands using Windows PowerShell with administrative privileges.
    New-Item c:\CARequest -type directory
    Copy c:\*.req C:\CARequest

    Upload the certificate request to the S3 bucket.
    Screenshot of uploading the certificate request to the S3 bucket

  6. Approve SubordinateCA’s certificate request – Log in to RootCA as RootAdmin and download the certificate request from the S3 bucket to a folder called CARequest. Submit the request by running the following command using Windows PowerShell with administrative privileges.
    certreq -submit <path to certificate request file>

    In the Certification Authority List window, choose OK.
    Screenshot of the Certification Authority List window

    Navigate to Server Manager > Tools > Certification Authority on RootCA.
    Screenshot of "Certification Authority" in the drop-down menu

    In the Certification Authority window, expand the ROOTCA tree in the left pane and choose Pending Requests. In the right pane, note the value in the Request ID column. Right-click the request and choose All Tasks > Issue.
    Screenshot of noting the value in the "Request ID" column

  7. Retrieve the SubordinateCA certificate – Retrieve the SubordinateCA certificate by running the following command using Windows PowerShell with administrative privileges. The command includes the <RequestId> that you noted in the previous step.
    certreq -retrieve <RequestId> <drive>:\subordinateCA.crt

    Upload SubordinateCA.crt to the S3 bucket.

  8. Install the SubordinateCA certificate – Log in to SubordinateCA as the CAAdmin and download SubordinateCA.crt from the S3 bucket. Install the certificate and start the CA service by running the following commands using Windows PowerShell with administrative privileges.
    certutil -installcert c:\subordinateCA.crt
    start-service certsvc
  9. Delete the content that you uploaded to S3 – As a security best practice, delete all the certificates and CRLs that you uploaded to the S3 bucket in the previous steps because you already have installed them on SubordinateCA.

You have finished setting up the subordinate Microsoft enterprise CA that is joined to your AWS Microsoft AD directory domain. Now you can use your subordinate Microsoft enterprise CA to create a certificate template so that your directory domain controllers can request a certificate to enable LDAPS for your directory.

Step 3: Create a certificate template


In this step, you create a certificate template with server authentication and autoenrollment enabled on SubordinateCA. You create this new template (in this case, ServerAuthentication) by duplicating an existing certificate template (in this case, Domain Controller template) and adding server authentication and autoenrollment to the template.

Follow these steps to create a certificate template:

  1. Log in to SubordinateCA as CAAdmin.
  2. Launch Microsoft Windows Server Manager. Select Tools > Certification Authority.
  3. In the Certificate Authority window, expand the SubordinateCA tree in the left pane. Right-click Certificate Templates, and choose Manage.
    Screenshot of choosing "Manage" under "Certificate Template"
  4. In the Certificate Templates Console window, right-click Domain Controller and choose Duplicate Template.
    Screenshot of the Certificate Templates Console window
  5. In the Properties of New Template window, switch to the General tab and change the Template display name to ServerAuthentication.
    Screenshot of the "Properties of New Template" window
  6. Switch to the Security tab, and choose Domain Controllers in the Group or user names section. Select the Allow check box for Autoenroll in the Permissions for Domain Controllers section.
    Screenshot of the "Permissions for Domain Controllers" section of the "Properties of New Template" window
  7. Switch to the Extensions tab, choose Application Policies in the Extensions included in this template section, and choose Edit.
    Screenshot of the "Extensions" tab of the "Properties of New Template" window
  8. In the Edit Application Policies Extension window, choose Client Authentication and choose Remove. Choose OK to create the ServerAuthentication certificate template. Close the Certificate Templates Console window.
    Screenshot of the "Edit Application Policies Extension" window
  9. In the Certificate Authority window, right-click Certificate Templates, and choose New > Certificate Template to Issue.
    Screenshot of choosing "New" > "Certificate Template to Issue"
  10. In the Enable Certificate Templates window, choose ServerAuthentication and choose OK.
    Screenshot of the "Enable Certificate Templates" window

You have finished creating a certificate template with server authentication and autoenrollment enabled on SubordinateCA. Your AWS Microsoft AD directory domain controllers can now obtain a certificate through autoenrollment to enable LDAPS.

Step 4: Configure AWS security group rules


In this step, you configure AWS security group rules so that your directory domain controllers can connect to the subordinate CA to request a certificate. To do this, you must add outbound rules to your directory’s AWS security group (in this case, sg-4ba7682d) to allow all outbound traffic to SubordinateCA’s AWS security group (in this case, sg-6fbe7109) so that your directory domain controllers can connect to SubordinateCA for requesting a certificate. You also must add inbound rules to SubordinateCA’s AWS security group to allow all incoming traffic from your directory’s AWS security group so that the subordinate CA can accept incoming traffic from your directory domain controllers.

Follow these steps to configure AWS security group rules:

  1. Log in to the Management instance as Admin.
  2. Navigate to the EC2 console.
  3. In the left pane, choose Network & Security > Security Groups.
  4. In the right pane, choose the AWS security group (in this case, sg-6fbe7109) of SubordinateCA.
  5. Switch to the Inbound tab and choose Edit.
  6. Choose Add Rule. Choose All traffic for Type and Custom for Source. Enter your directory’s AWS security group (in this case, sg-4ba7682d) in the Source box. Choose Save.
    Screenshot of adding an inbound rule
  7. Now choose the AWS security group (in this case, sg-4ba7682d) of your AWS Microsoft AD directory, switch to the Outbound tab, and choose Edit.
  8. Choose Add Rule. Choose All traffic for Type and Custom for Destination. Enter SubordinateCA’s AWS security group (in this case, sg-6fbe7109) in the Destination box. Choose Save.

You have completed the configuration of AWS security group rules to allow traffic between your directory domain controllers and SubordinateCA.

Step 5: AWS Microsoft AD enables LDAPS


The AWS Microsoft AD domain controllers perform this step automatically by recognizing the published template and requesting a certificate from the subordinate Microsoft enterprise CA. The subordinate CA can take up to 180 minutes to issue certificates to the directory domain controllers. The directory imports these certificates into the directory domain controllers and enables LDAPS for your directory automatically. This completes the setup of LDAPS for the AWS Microsoft AD directory. The LDAP service on the directory is now ready to accept LDAPS connections!

Step 6: Test LDAPS access by using the LDP tool


In this step, you test the LDAPS connection to the AWS Microsoft AD directory by using the LDP tool. The LDP tool is available on the Management machine where you installed Active Directory Administration Tools. Before you test the LDAPS connection, you must wait up to 180 minutes for the subordinate CA to issue a certificate to your directory domain controllers.

To test LDAPS, you connect to one of the domain controllers using port 636. Here are the steps to test the LDAPS connection:

  1. Log in to Management as Admin.
  2. Launch the Microsoft Windows Server Manager on Management and navigate to Tools > Active Directory Users and Computers.
  3. Switch to the tree view and navigate to corp.example.com > CORP > Domain Controllers. In the right pane, right-click on one of the domain controllers and choose Properties. Copy the DNS name of the domain controller.
    Screenshot of copying the DNS name of the domain controller
  4. Open Windows PowerShell and run the LDP.exe command to launch the LDP tool.
  5. In the LDP tool, choose Connection > Connect.
    Screenshot of choosing "Connection" > "Connect" in the LDP tool
  6. In the Server box, paste the DNS name you copied in the previous step. Type 636 in the Port box. Choose OK to test the LDAPS connection to port 636 of your directory.
    Screenshot of completing the boxes in the "Connect" window
  7. You should see the following message to confirm that your LDAPS connection is now open.

You have completed the setup of LDAPS for your AWS Microsoft AD directory! You can now encrypt LDAP communications between your Windows and Linux applications and your AWS Microsoft AD directory using LDAPS.

Summary

In this blog post, I walked through the process of enabling LDAPS for your AWS Microsoft AD directory. Enabling LDAPS helps you protect PII and other sensitive information exchanged over untrusted networks between your Windows and Linux applications and your AWS Microsoft AD. To learn more about how to use AWS Microsoft AD, see the Directory Service documentation. For general information and pricing, see the Directory Service home page.

If you have comments about this blog post, submit a comment in the “Comments” section below. If you have implementation or troubleshooting questions, start a new thread on the Directory Service forum.

– Vijay

ISO Rejects NSA Encryption Algorithms

Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2017/09/iso_rejects_nsa.html

The ISO has decided not to approve two NSA-designed block encryption algorithms: Speck and Simon. It’s because the NSA is not trusted to put security ahead of surveillance:

A number of them voiced their distrust in emails to one another, seen by Reuters, and in written comments that are part of the process. The suspicions stem largely from internal NSA documents disclosed by Snowden that showed the agency had previously plotted to manipulate standards and promote technology it could penetrate. Budget documents, for example, sought funding to “insert vulnerabilities into commercial encryption systems.”

More than a dozen of the experts involved in the approval process for Simon and Speck feared that if the NSA was able to crack the encryption techniques, it would gain a “back door” into coded transmissions, according to the interviews and emails and other documents seen by Reuters.

“I don’t trust the designers,” Israeli delegate Orr Dunkelman, a computer science professor at the University of Haifa, told Reuters, citing Snowden’s papers. “There are quite a lot of people in NSA who think their job is to subvert standards. My job is to secure standards.”

I don’t trust the NSA, either.

How to Configure an LDAPS Endpoint for Simple AD

Post Syndicated from Cameron Worrell original https://aws.amazon.com/blogs/security/how-to-configure-an-ldaps-endpoint-for-simple-ad/

Simple AD, which is powered by Samba 4, supports basic Active Directory (AD) authentication features such as users, groups, and the ability to join domains. Simple AD also includes an integrated Lightweight Directory Access Protocol (LDAP) server. LDAP is a standard application protocol for the access and management of directory information. You can use the BIND operation from Simple AD to authenticate LDAP client sessions. This makes LDAP a common choice for centralized authentication and authorization for services such as Secure Shell (SSH), client-based virtual private networks (VPNs), and many other applications. Authentication, the process of confirming the identity of a principal, typically involves the transmission of highly sensitive information such as user names and passwords. To protect this information in transit over untrusted networks, companies often require encryption as part of their information security strategy.

In this blog post, we show you how to configure an LDAPS (LDAP over SSL/TLS) encrypted endpoint for Simple AD so that you can extend Simple AD over untrusted networks. Our solution uses Elastic Load Balancing (ELB) to send decrypted LDAP traffic to HAProxy running on Amazon EC2, which then sends the traffic to Simple AD. ELB offers integrated certificate management, SSL/TLS termination, and the ability to use a scalable EC2 backend to process decrypted traffic. ELB also tightly integrates with Amazon Route 53, enabling you to use a custom domain for the LDAPS endpoint. The solution needs the intermediate HAProxy layer because ELB can direct traffic only to EC2 instances. To simplify testing and deployment, we have provided an AWS CloudFormation template to provision the ELB and HAProxy layers.

This post assumes that you have an understanding of concepts such as Amazon Virtual Private Cloud (VPC) and its components, including subnets, routing, Internet and network address translation (NAT) gateways, DNS, and security groups. You should also be familiar with launching EC2 instances and logging in to them with SSH. If needed, you should familiarize yourself with these concepts and review the solution overview and prerequisites in the next section before proceeding with the deployment.

Note: This solution is intended for use by clients requiring an LDAPS endpoint only. If your requirements extend beyond this, you should consider accessing the Simple AD servers directly or by using AWS Directory Service for Microsoft AD.

Solution overview

The following diagram and description illustrate and explain the Simple AD LDAPS environment. The CloudFormation template creates the items designated by the bracket (internal ELB load balancer and two HAProxy nodes configured in an Auto Scaling group).

Diagram of the Simple AD LDAPS environment

Here is how the solution works, as shown in the preceding numbered diagram:

  1. The LDAP client sends an LDAPS request to ELB on TCP port 636.
  2. ELB terminates the SSL/TLS session and decrypts the traffic using a certificate. ELB sends the decrypted LDAP traffic to the EC2 instances running HAProxy on TCP port 389.
  3. The HAProxy servers, which run in a fixed Auto Scaling group configuration, forward the LDAP request to the Simple AD servers listening on TCP port 389.
  4. The Simple AD servers send an LDAP response through the HAProxy layer to ELB. ELB encrypts the response and sends it to the client.

Note: Amazon VPC prevents a third party from intercepting traffic within the VPC. Because of this, the VPC protects the decrypted traffic between ELB and HAProxy and between HAProxy and Simple AD. The ELB encryption provides an additional layer of security for client connections and protects traffic coming from hosts outside the VPC.

Prerequisites

  1. Our approach requires an Amazon VPC with two public and two private subnets. The previous diagram illustrates the environment’s VPC requirements. If you do not yet have these components in place, follow these guidelines for setting up a sample environment:
    1. Identify a region that supports Simple AD, ELB, and NAT gateways. The NAT gateways are used with an Internet gateway to allow the HAProxy instances to access the internet to perform their required configuration. You also need to identify the two Availability Zones in that region for use by Simple AD. You will supply these Availability Zones as parameters to the CloudFormation template later in this process.
    2. Create or choose an Amazon VPC in the region you chose. In order to use Route 53 to resolve the LDAPS endpoint, make sure you enable DNS support within your VPC. Create an Internet gateway and attach it to the VPC, which will be used by the NAT gateways to access the internet.
    3. Create a route table with a default route to the Internet gateway. Create two NAT gateways, one per Availability Zone in your public subnets to provide additional resiliency across the Availability Zones. Together, the routing table, the NAT gateways, and the Internet gateway enable the HAProxy instances to access the internet.
    4. Create two private routing tables, one per Availability Zone. Create two private subnets, one per Availability Zone. The dual routing tables and subnets allow for a higher level of redundancy. Add each subnet to the routing table in the same Availability Zone. Add a default route in each routing table to the NAT gateway in the same Availability Zone. The Simple AD servers use subnets that you create.
    5. The LDAP service requires a DNS domain that resolves within your VPC and from your LDAP clients. If you do not have an existing DNS domain, follow the steps to create a private hosted zone and associate it with your VPC. To avoid encryption protocol errors, you must ensure that the DNS domain name is consistent across your Route 53 zone and in the SSL/TLS certificate (see Step 2 in the “Solution deployment” section).
  2. Make sure you have completed the Simple AD Prerequisites.
  3. We will use a self-signed certificate for ELB to perform SSL/TLS decryption. You can use a certificate issued by your preferred certificate authority or a certificate issued by AWS Certificate Manager (ACM).
    Note: To prevent unauthorized connections directly to your Simple AD servers, you can modify the Simple AD security group on port 389 to block traffic from locations outside of the Simple AD VPC. You can find the security group in the EC2 console by creating a search filter for your Simple AD directory ID. It is also important to allow the Simple AD servers to communicate with each other as shown on Simple AD Prerequisites.

Solution deployment

This solution includes five main parts:

  1. Create a Simple AD directory.
  2. Create a certificate.
  3. Create the ELB and HAProxy layers by using the supplied CloudFormation template.
  4. Create a Route 53 record.
  5. Test LDAPS access using an Amazon Linux client.

1. Create a Simple AD directory

With the prerequisites completed, you will create a Simple AD directory in your private VPC subnets:

  1. In the Directory Service console navigation pane, choose Directories and then choose Set up directory.
  2. Choose Simple AD.
    Screenshot of choosing "Simple AD"
  3. Provide the following information:
    • Directory DNS – The fully qualified domain name (FQDN) of the directory, such as corp.example.com. You will use the FQDN as part of the testing procedure.
    • NetBIOS name – The short name for the directory, such as CORP.
    • Administrator password – The password for the directory administrator. The directory creation process creates an administrator account with the user name Administrator and this password. Do not lose this password because it is nonrecoverable. You also need this password for testing LDAPS access in a later step.
    • Description – An optional description for the directory.
    • Directory Size – The size of the directory.
      Screenshot of the directory details to provide
  4. Provide the following information in the VPC Details section, and then choose Next Step:
    • VPC – Specify the VPC in which to install the directory.
    • Subnets – Choose two private subnets for the directory servers. The two subnets must be in different Availability Zones. Make a note of the VPC and subnet IDs for use as CloudFormation input parameters. In the following example, the Availability Zones are us-east-1a and us-east-1c.
      Screenshot of the VPC details to provide
  5. Review the directory information and make any necessary changes. When the information is correct, choose Create Simple AD.

It takes several minutes to create the directory. From the AWS Directory Service console, refresh the screen periodically and wait until the directory Status value changes to Active before continuing. Choose your Simple AD directory and note the two IP addresses in the DNS address section. You will enter them when you run the CloudFormation template later.

Note: Full administration of your Simple AD implementation is out of scope for this blog post. See the documentation to add users, groups, or instances to your directory. Also see the previous blog post, How to Manage Identities in Simple AD Directories.

2. Create a certificate

In the previous step, you created the Simple AD directory. Next, you will generate a self-signed SSL/TLS certificate using OpenSSL. You will use the certificate with ELB to secure the LDAPS endpoint. OpenSSL is a standard, open source library that supports a wide range of cryptographic functions, including the creation and signing of X.509 certificates. You then import the certificate into ACM, which is integrated with ELB.

  1. You must have a system with OpenSSL installed to complete this step. If you do not have OpenSSL, you can install it on Amazon Linux by running sudo yum install openssl. If you do not have access to an Amazon Linux instance, you can create one with SSH access enabled to proceed with this step. Run openssl version at the command line to see whether you already have OpenSSL installed.
    $ openssl version
    OpenSSL 1.0.1k-fips 8 Jan 2015

  2. Create a private key using the openssl genrsa command.
    $ openssl genrsa 2048 > privatekey.pem
    Generating RSA private key, 2048 bit long modulus
    ......................................................................................................................................................................+++
    ..........................+++
    e is 65537 (0x10001)

  3. Generate a certificate signing request (CSR) using the openssl req command. Provide the requested information for each field. The Common Name is the FQDN for your LDAPS endpoint (for example, ldap.corp.example.com). The Common Name must use the domain name you will later register in Route 53. You will encounter certificate errors if the names do not match.
    $ openssl req -new -key privatekey.pem -out server.csr
    You are about to be asked to enter information that will be incorporated into your certificate request.

  4. Use the openssl x509 command to sign the certificate. The following example uses the private key from the previous step (privatekey.pem) and the signing request (server.csr) to create a public certificate named server.crt that is valid for 365 days. This certificate must be updated within 365 days to avoid disruption of LDAPS functionality.
    $ openssl x509 -req -sha256 -days 365 -in server.csr -signkey privatekey.pem -out server.crt
    Signature ok
    subject=/C=XX/L=Default City/O=Default Company Ltd/CN=ldap.corp.example.com
    Getting Private key

  5. You should see three files: privatekey.pem, server.crt, and server.csr.
    $ ls
    privatekey.pem server.crt server.csr

    Restrict access to the private key.

    $ chmod 600 privatekey.pem

    Keep the private key and public certificate for later use. You can discard the signing request because you are using a self-signed certificate and not using a Certificate Authority. Always store the private key in a secure location and avoid adding it to your source code.

  6. In the ACM console, choose Import a certificate.
  7. Using your favorite Linux text editor, paste the contents of your server.crt file in the Certificate body box.
  8. Using your favorite Linux text editor, paste the contents of your privatekey.pem file in the Certificate private key box. For a self-signed certificate, you can leave the Certificate chain box blank.
  9. Choose Review and import. Confirm the information and choose Import.

3. Create the ELB and HAProxy layers by using the supplied CloudFormation template

Now that you have created your Simple AD directory and SSL/TLS certificate, you are ready to use the CloudFormation template to create the ELB and HAProxy layers.

  1. Load the supplied CloudFormation template to deploy an internal ELB and two HAProxy EC2 instances into a fixed Auto Scaling group. After you load the template, provide the following input parameters. Note: You can find the parameters relating to your Simple AD on the directory details page by choosing your Simple AD in the Directory Service console.
    • HAProxyInstanceSize – The EC2 instance size for the HAProxy servers. The default size is t2.micro; it can be scaled up for large Simple AD environments.
    • MyKeyPair – The SSH key pair for the EC2 instances. If you do not have an existing key pair, you must create one.
    • VPCId – The target VPC for this solution. It must be the VPC in which you deployed Simple AD; the ID is available on your Simple AD directory details page.
    • SubnetId1 – The Simple AD primary subnet. This information is available on your Simple AD directory details page.
    • SubnetId2 – The Simple AD secondary subnet. This information is available on your Simple AD directory details page.
    • MyTrustedNetwork – The trusted network Classless Inter-Domain Routing (CIDR) range that is allowed to connect to the LDAPS endpoint. For example, use the VPC CIDR to allow clients in the VPC to connect.
    • SimpleADPriIP – The primary Simple AD server IP. This information is available on your Simple AD directory details page.
    • SimpleADSecIP – The secondary Simple AD server IP. This information is available on your Simple AD directory details page.
    • LDAPSCertificateARN – The Amazon Resource Name (ARN) of the SSL/TLS certificate. This information is available in the ACM console.
  2. Enter the input parameters and choose Next.
  3. On the Options page, accept the defaults and choose Next.
  4. On the Review page, confirm the details and choose Create. The stack is created in approximately 5 minutes.

4. Create a Route 53 record

The next step is to create a Route 53 record in your private hosted zone so that clients can resolve your LDAPS endpoint.

  1. If you do not have an existing DNS domain for use with LDAP, create a private hosted zone and associate it with your VPC. The hosted zone name should be consistent with your Simple AD (for example, corp.example.com).
  2. When the CloudFormation stack is in CREATE_COMPLETE status, locate the value of the LDAPSURL on the Outputs tab of the stack. Copy this value for use in the next step.
  3. On the Route 53 console, choose Hosted Zones and then choose the zone you used for the Common Name box for your self-signed certificate. Choose Create Record Set and enter the following information:
    1. Name – The label of the record (such as ldap).
    2. Type – Leave as A – IPv4 address.
    3. Alias – Choose Yes.
    4. Alias Target – Paste the value of the LDAPSURL on the Outputs tab of the stack.
  4. Leave the defaults for Routing Policy and Evaluate Target Health, and choose Create.
    Screenshot of finishing the creation of the Route 53 record

5. Test LDAPS access using an Amazon Linux client

At this point, you have configured your LDAPS endpoint and now you can test it from an Amazon Linux client.

  1. Create an Amazon Linux instance with SSH access enabled to test the solution. Launch the instance into one of the public subnets in your VPC. Make sure the IP assigned to the instance is in the trusted IP range you specified in the CloudFormation parameter MyTrustedNetwork in Step 3.b.
  2. SSH into the instance and complete the following steps to verify access.
    1. Install the openldap-clients package and any required dependencies:
      sudo yum install -y openldap-clients
    2. Add the server.crt file to the /etc/openldap/certs/ directory so that the LDAPS client will trust your SSL/TLS certificate. You can copy the file using Secure Copy (SCP) or create it using a text editor.
    3. Edit the /etc/openldap/ldap.conf file and set the BASE, URI, and TLS_CACERT directives.
      • The value for BASE is the distinguished name form of your Simple AD directory name.
      • The value for URI is your DNS alias, using the ldaps:// scheme.
      • The value for TLS_CACERT is the path to your public certificate.

Here is an example of the contents of the file.

BASE dc=corp,dc=example,dc=com
URI ldaps://ldap.corp.example.com
TLS_CACERT /etc/openldap/certs/server.crt

To test the solution, query the directory through the LDAPS endpoint, as shown in the following command. Replace corp.example.com with your domain name and use the Administrator password that you configured with the Simple AD directory.

$ ldapsearch -D "Administrator@corp.example.com" -W sAMAccountName=Administrator

You should see a response similar to the following response, which provides the directory information in LDAP Data Interchange Format (LDIF) for the administrator distinguished name (DN) from your Simple AD LDAP server.

# extended LDIF
#
# LDAPv3
# base <dc=corp,dc=example,dc=com> (default) with scope subtree
# filter: sAMAccountName=Administrator
# requesting: ALL
#

# Administrator, Users, corp.example.com
dn: CN=Administrator,CN=Users,DC=corp,DC=example,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
description: Built-in account for administering the computer/domain
instanceType: 4
whenCreated: 20170721123204.0Z
uSNCreated: 3223
name: Administrator
objectGUID:: l3h0HIiKO0a/ShL4yVK/vw==
userAccountControl: 512
…

You can now use the LDAPS endpoint for directory operations and authentication within your environment. If you would like to learn more about how to interact with your LDAPS endpoint within a Linux environment, here are a few resources to get started:

Troubleshooting

If you receive an error such as the following when issuing the ldapsearch command, there are a few things you can do to identify the cause.

ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
  • You might be able to obtain additional error details by adding the -d1 debug flag to the ldapsearch command from the previous section.
    $ ldapsearch -D "Administrator@corp.example.com" -W sAMAccountName=Administrator -d1

  • Verify that the parameters in ldap.conf match your configured LDAPS URI endpoint and that the endpoint name resolves in DNS. You can use the following dig command, substituting your configured endpoint DNS name.
    $ dig ldap.corp.example.com

  • Confirm that the client instance from which you are connecting is in the CIDR range of the CloudFormation parameter MyTrustedNetwork.
  • Confirm that the path to your public SSL/TLS certificate, configured in ldap.conf as TLS_CACERT, is correct. You configured this in Step 5.b.3. You can check your SSL/TLS connection with the following command, substituting your configured endpoint DNS name for the string after -connect.
    $ echo -n | openssl s_client -connect ldap.corp.example.com:636

  • Verify that your HAProxy instances have the status InService in the EC2 console: Choose Load Balancers under Load Balancing in the navigation pane, highlight your LDAPS load balancer, and then choose the Instances
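The certificate generation in Step 2, the ldap.conf directives in Step 5, and the two failure modes this troubleshooting list points at (a certificate whose name does not match the endpoint, and the 365-day expiry) can be exercised together before ldapsearch is ever run. The script below is an added example, not code from the AWS post or its CloudFormation template. It reuses the post's names (ldap.corp.example.com, dc=corp,dc=example,dc=com, TLS_CACERT) and assumes only that the openssl command-line tool is installed; the work directory and the deliberately wrong configurations in the demo are constructed for illustration. Two choices go beyond the post: the self-signed certificate carries a subjectAltName, because current TLS clients check that extension rather than the Common Name, and the pre-flight check refuses a URI that is not ldaps://, so a plain-text LDAP bind over port 389 cannot slip through a typo in ldap.conf.

```shell
#!/usr/bin/env bash
# Added example, not part of the AWS post. Mirrors Step 2 (self-signed
# certificate) and Step 5 (ldap.conf) and checks, offline, the mismatches
# that the troubleshooting section describes. Needs only the openssl CLI.

# Build key, CSR and self-signed certificate for FQDN under DIR, valid DAYS
# days. Same three openssl steps as Step 2, but non-interactive (-subj) and
# with a subjectAltName, which current TLS clients check instead of the CN.
make_selfsigned_cert() {
    local dir=$1 fqdn=$2 days=${3:-365}
    mkdir -p "$dir"
    openssl genrsa -out "$dir/privatekey.pem" 2048 2>/dev/null || return 1
    chmod 600 "$dir/privatekey.pem"            # restrict the private key
    openssl req -new -key "$dir/privatekey.pem" -out "$dir/server.csr" \
        -subj "/C=XX/O=Default Company Ltd/CN=$fqdn" 2>/dev/null || return 1
    printf 'subjectAltName=DNS:%s\n' "$fqdn" > "$dir/san.ext"
    openssl x509 -req -sha256 -days "$days" -in "$dir/server.csr" \
        -signkey "$dir/privatekey.pem" -extfile "$dir/san.ext" \
        -out "$dir/server.crt" 2>/dev/null
}

# Write the three ldap.conf directives from Step 5: FILE BASE URI TLS_CACERT.
write_ldap_conf() {
    printf 'BASE %s\nURI %s\nTLS_CACERT %s\n' "$2" "$3" "$4" > "$1"
}

# First value of a directive in an ldap.conf file (empty if absent).
conf_value() {
    awk -v key="$2" '$1 == key { print $2; exit }' "$1"
}

# Names a certificate is valid for: the subject CN plus every DNS SAN entry.
cert_names() {
    openssl x509 -in "$1" -noout -subject -text 2>/dev/null \
        | grep -oE '(CN ?= ?[^,/]+|DNS:[^, ]+)' \
        | sed -E 's/^CN ?= ?//; s/^DNS://' | sort -u
}

# Pre-flight for an ldap.conf: returns 0 only if BASE is set, URI is ldaps://,
# TLS_CACERT is readable, its names cover the URI host, and it does not expire
# within 30 days. Each failing check is reported on stdout.
preflight_ldap_conf() {
    local conf=$1 base uri cacert host rc=0
    base=$(conf_value "$conf" BASE)
    uri=$(conf_value "$conf" URI)
    cacert=$(conf_value "$conf" TLS_CACERT)
    [ -n "$base" ] || { echo "BASE is missing"; rc=1; }
    case $uri in
        ldaps://*) host=${uri#ldaps://}; host=${host%%/*}; host=${host%%:*} ;;
        *) echo "URI must use ldaps:// (TCP 636), got: '$uri'"; return 1 ;;
    esac
    [ -r "$cacert" ] || { echo "TLS_CACERT is not readable: '$cacert'"; return 1; }
    if ! cert_names "$cacert" | grep -qxF "$host"; then
        echo "host $host is not among the names in $cacert; fix the Route 53 name or reissue the certificate"
        rc=1
    fi
    if ! openssl x509 -in "$cacert" -noout -checkend $((30 * 86400)) >/dev/null 2>&1; then
        echo "$cacert expires within 30 days; reissue it and re-import it into ACM"
        rc=1
    fi
    return $rc
}

# Stand-alone demo: build a certificate, then check a good and a bad config.
if [ "${1:-}" = "--demo" ]; then
    work=$(mktemp -d)
    make_selfsigned_cert "$work/pki" ldap.corp.example.com 365
    write_ldap_conf "$work/ldap.conf" dc=corp,dc=example,dc=com \
        ldaps://ldap.corp.example.com "$work/pki/server.crt"
    preflight_ldap_conf "$work/ldap.conf" && echo "ldap.conf is consistent"
    write_ldap_conf "$work/bad.conf" dc=corp,dc=example,dc=com \
        ldaps://ldap.other.example.com "$work/pki/server.crt"
    preflight_ldap_conf "$work/bad.conf" || echo "bad.conf rejected as expected"
fi
```

Run it as `bash ldaps_preflight.sh --demo` to see both outcomes, or source it and call `preflight_ldap_conf /etc/openldap/ldap.conf` on the client from Step 5; a non-zero exit explains the most common causes of the "Can't contact LDAP server" error before you reach for -d1 or openssl s_client.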

Conclusion

You can use ELB and HAProxy to provide an LDAPS endpoint for Simple AD and transport sensitive authentication information over untrusted networks. You can explore using LDAPS to authenticate SSH users or integrate with other software solutions that support LDAP authentication. This solution’s CloudFormation template is available on GitHub.

If you have comments about this post, submit them in the “Comments” section below. If you have questions about or issues implementing this solution, start a new thread on the Directory Service forum.

– Cameron and Jeff

ESET Tries to Scare People Away From Using Torrents

Post Syndicated from Andy original https://torrentfreak.com/eset-tries-to-scare-people-away-from-using-torrents-170805/

Any company in the security game can be expected to play up threats among its customer base in order to get sales.

Sellers of CCTV equipment, for example, would have us believe that criminals don’t want to be photographed and will often go elsewhere in the face of that. Car alarm companies warn us that since X thousand cars are stolen every minute, an expensive Immobilizer is an anti-theft must.

Of course, they’re absolutely right to point these things out. People want to know about these offline risks since they affect our quality of life. The same can be said of those that occur in the online world too.

We ARE all at risk of horrible malware that will trash our computers and steal our banking information so we should all be running adequate protection. That being said, how many times do our anti-virus programs actually trap a piece of nasty-ware in a year? Once? Twice? Ten times? Almost never?

The truth is we all need to be informed but it should be done in a measured way. That’s why an article just published by security firm ESET on the subject of torrents strikes a couple of bad chords, particularly with people who like torrents. It’s titled “Why you should view torrents as a threat” and predictably proceeds to outline why.

“Despite their popularity among users, torrents are very risky ‘business’,” it begins.

“Apart from the obvious legal trouble you could face for violating the copyright of musicians, filmmakers or software developers, there are security issues linked to downloading them that could put you or your computer in the crosshairs of the black hats.”

Aside from the use of the phrase “very risky” (‘some risk’ is a better description), there’s probably very little to complain about in this opening shot. However, things soon go downhill.

“Merely downloading the newest version of BitTorrent clients – software necessary for any user who wants to download or seed files from this ‘ecosystem’ – could infect your machine and irreversibly damage your files,” ESET writes.

Following that scary statement, some readers will have already vowed never to use a torrent again and moved on without reading any more, but the details are really important.

To support its claim, ESET points to two incidents in 2016 (which to its great credit the company actually discovered) which involved the Transmission torrent client. Both involved deliberate third-party infection and in the latter hackers attacked Transmission’s servers and embedded malware in its OSX client before distribution to the public.

No doubt these were both miserable incidents (to which the Transmission team quickly responded) but to characterize this as a torrent client problem seems somewhat unfair.

People intent on spreading viruses and malware do not discriminate and will happily infect ANY piece of computer software they can. Sadly, many non-technical people reading the ESET post won’t read beyond the claim that installing torrent clients can “infect your machine and irreversibly damage your files.”

That’s a huge disservice to the hundreds of millions of torrent client installations that have taken place over a decade and a half and were absolutely trouble free. On a similar basis, we could argue that installing Windows is the main initial problem for people getting viruses from the Internet. It’s true but it’s also not the full picture.

Finally, the piece goes on to detail other incidents over the years where torrents have been found to contain malware. The several cases highlighted by ESET are both real and pretty unpleasant for victims but the important thing to note here is torrent users are no different to any other online user, no matter how they use the Internet.

People who download files from the Internet, from ALL untrusted sources, are putting themselves at risk of getting a virus or other malware. Whether that content is obtained from a website or a P2P network, the risks are ever-present and only a foolish person would do so without decent security software (such as ESET’s) protecting them.

The take home point here is to be aware of security risks and put them into perspective. It’s hard to put a percentage on these things but of the hundreds of millions of torrent and torrent client downloads that have taken place since their inception 15 years ago, the overwhelming majority have been absolutely fine.

Security situations do arise and we need to be aware of them, but presenting things in a way that spreads unnecessary concern in a particular sector isn’t necessary to sell products.

The AV-TEST Institute registers around 390,000 new malicious programs every day that don’t involve torrents, plenty for any anti-virus firm to deal with.

Source: TF, for the latest info on copyright, file-sharing, torrent sites and ANONYMOUS VPN services.

Court: Warner Bros Needs Stronger Evidence Against Alleged BitTorrent Pirate

Post Syndicated from Ernesto original https://torrentfreak.com/court-warner-bros-needs-stronger-evidence-against-alleged-bittorrent-pirate-170718/

Over the past decade, copyright holders have gone after hundreds of thousands of alleged pirates in Germany, demanding settlements ranging from a few hundred to thousands of euros.

The targeted account holders are often indeed the perpetrator, but false accusations are bound to happen due to the sheer volume of these cases.

This is one of the reasons why local courts are paying careful attention to the provided evidence. At the District Court of Cologne, this recently resulted in a verdict, clarifying that simply linking an IP-address to a pirated download is not good enough.

The case in question deals with a claim from the local branch of Warner Bros. Entertainment, which accused an account holder of sharing a pirated episode of the popular TV-show “Person of Interest.”

The Hollywood studio claimed 500 euros in damages from the alleged copyright infringer, as well as 168.50 euros in expenses. The defendant, however, said he was innocent, refused to pay up, and contested the claim in court, with success.

Warner’s tracking partner Ipoque had only monitored the defendant’s IP-address twice during a period of 10 minutes. This is not good enough according to the court, since IP-address misassignments regularly take place.

“The causes for a misassignment don’t have to relate to the software of the tracking company, they can also come from others. For example, the transmission of acquired data, or the ISPs assignment of collected IP addresses to connection holders. In the latter case, the Court of First Instance has seen an error rate of at least 2 – 3%,” the court writes.

In this case, the defendant argued that his ISP failed to update the IP-address assignments and that he no longer used the infringing address at the contested time.

The District Court of Cologne agreed that this was a plausible argument. Ideally, Warner should have provided a more extensive tracking record, with more IP-addresses leading to the same account holder, assuming that the assignments regularly change.

Defense attorney Christian Solmecke tells TorrentFreak that so-called “simple tracking,” where only a single IP-address is used as evidence, is simply not good enough.

“In case of simple tracking, evaluation errors are always possible. For instance, mixing up the numbers of the IP-address. The tracking parameters are technically complicated so errors may occur at various stages of the process,” Solmecke notes.

In some cases the error rates can go up to 50%, a recent verdict has shown, which means that accused file-sharers have a solid defense when they are accused based on minimal evidence.

“This is important for defendants as courts usually tend to assume that it cannot be sufficiently clarified whether filesharing did indeed occur via the Internet connection of the defendant. Simple tracking can, therefore, be seen as a good chance for defendants to win against the warning letter industry,” Solmecke adds.

While the verdict is unlikely to stop the piracy settlement industry in Germany, it may prompt rightsholders to step up their BitTorrent monitoring practices.

This doesn’t only apply to Warner Bros. Entertainment, but also to other major rightsholders including the local branches of Universal Pictures, Twentieth Century Fox, Universal Music, EMI Music and Sony Music, which are all active on the anti-piracy front in Germany.

The full verdict of the District Court of Cologne is available at Tarnkappe.

OpenPuff – Professional Steganography Tool

Post Syndicated from Darknet original http://feedproxy.google.com/~r/darknethackers/~3/_VMH_YXZiYs/

OpenPuff is a professional steganography tool, with unique features you won’t find among any other free or commercial software. OpenPuff is 100% free and suitable for highly sensitive data covert transmission. The tool contains deniable steganography, carrier chains, unique layers of security and obfuscation, multiple carrier formats, is portable…

Read the full post at darknet.org.uk

Using Amazon SQS Dead-Letter Queues to Control Message Failure

Post Syndicated from Tara Van Unen original https://aws.amazon.com/blogs/compute/using-amazon-sqs-dead-letter-queues-to-control-message-failure/


Michael G. Khmelnitsky, Senior Programmer Writer

Sometimes, messages can’t be processed because of a variety of possible issues, such as erroneous conditions within the producer or consumer application. For example, if a user places an order within a certain number of minutes of creating an account, the producer might pass a message with an empty string instead of a customer identifier. Occasionally, producers and consumers might fail to interpret aspects of the protocol that they use to communicate, causing message corruption or loss. Also, hardware errors on the consumer might corrupt the message payload. For these reasons, messages that can’t be processed in a timely manner are delivered to a dead-letter queue.

The recent post Building Scalable Applications and Microservices: Adding Messaging to Your Toolbox gives an overview of messaging in the microservice architecture of modern applications. This post explains how and when you should use dead-letter queues to gain better control over message handling in your applications. It also offers some resources for configuring a dead-letter queue in Amazon Simple Queue Service (SQS).

What are the benefits of dead-letter queues?

The main task of a dead-letter queue is handling message failure. A dead-letter queue lets you set aside and isolate messages that can’t be processed correctly to determine why their processing didn’t succeed. Setting up a dead-letter queue allows you to do the following:

  • Configure an alarm for any messages delivered to a dead-letter queue.
  • Examine logs for exceptions that might have caused messages to be delivered to a dead-letter queue.
  • Analyze the contents of messages delivered to a dead-letter queue to diagnose software or the producer’s or consumer’s hardware issues.
  • Determine whether you have given your consumer sufficient time to process messages.

How do high-throughput, unordered queues handle message failure?

High-throughput, unordered queues (sometimes called standard or storage queues) keep processing messages until the expiration of the retention period. This helps ensure continuous processing of messages, which minimizes the chances of your queue being blocked by messages that can’t be processed. It also ensures fast recovery for your queue.

In a system that processes thousands of messages, having a large number of messages that the consumer repeatedly fails to acknowledge and delete might increase costs and place extra load on the hardware. Instead of trying to process failing messages until they expire, it is better to move them to a dead-letter queue after a few processing attempts.

Note: This queue type often allows a high number of in-flight messages. If the majority of your messages can’t be consumed and aren’t sent to a dead-letter queue, your rate of processing valid messages can slow down. Thus, to maintain the efficiency of your queue, you must ensure that your application handles message processing correctly.

How do FIFO queues handle message failure?

FIFO (first-in-first-out) queues (sometimes called service bus queues) help ensure exactly-once processing by consuming messages in sequence from a message group. Thus, although the consumer can continue to retrieve ordered messages from another message group, the first message group remains unavailable until the message blocking the queue is processed successfully.

Note: This queue type often allows a lower number of in-flight messages. Thus, to help ensure that your FIFO queue doesn’t get blocked by a message, you must ensure that your application handles message processing correctly.

When should I use a dead-letter queue?

  • Do use dead-letter queues with high-throughput, unordered queues. You should always take advantage of dead-letter queues when your applications don’t depend on ordering. Dead-letter queues can help you troubleshoot incorrect message transmission operations. Note: Even when you use dead-letter queues, you should continue to monitor your queues and retry sending messages that fail for transient reasons.
  • Do use dead-letter queues to decrease the number of messages and to reduce the possibility of exposing your system to poison-pill messages (messages that can be received but can’t be processed).
  • Don’t use a dead-letter queue with high-throughput, unordered queues when you want to be able to keep retrying the transmission of a message indefinitely. For example, don’t use a dead-letter queue if your program must wait for a dependent process to become active or available.
  • Don’t use a dead-letter queue with a FIFO queue if you don’t want to break the exact order of messages or operations. For example, don’t use a dead-letter queue with instructions in an Edit Decision List (EDL) for a video editing suite, where changing the order of edits changes the context of subsequent edits.

How do I get started with dead-letter queues in Amazon SQS?

Amazon SQS is a fully managed service that offers reliable, highly scalable hosted queues for exchanging messages between applications or microservices. Amazon SQS moves data between distributed application components and helps you decouple these components. It supports both standard queues and FIFO queues. To configure a queue as a dead-letter queue, you can use the AWS Management Console or the Amazon SQS SetQueueAttributes API action.
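The following is an added example, not code from the AWS post or from Amazon SQS itself. It models in memory the behaviour the preceding sections describe: a standard queue keeps serving other messages while a failing one is retried, a FIFO queue without a dead-letter queue is blocked at the head of the message group by a single poison-pill message (the empty customer identifier from the introduction), and a redrive policy moves the message to a dead-letter queue once it has been received more than maxReceiveCount times. Only the shape of the RedrivePolicy attribute value (deadLetterTargetArn and maxReceiveCount) passed to SetQueueAttributes is real SQS; the queue model, the queue names and the ARN are assumptions made for the example.

```python
"""Added example (not AWS's own code): an in-memory model of how an SQS-style
queue redrives failing messages to a dead-letter queue, and why a FIFO queue
without one is blocked by a single poison-pill message.

Only the RedrivePolicy attribute shape (deadLetterTargetArn, maxReceiveCount)
is real SQS; the queue model, queue names and ARN below are assumptions."""
import json
from collections import deque


def redrive_policy(dlq_arn: str, max_receive_count: int) -> str:
    """Build the JSON string used as the RedrivePolicy value for SetQueueAttributes."""
    return json.dumps({"deadLetterTargetArn": dlq_arn,
                       "maxReceiveCount": max_receive_count})


class Message:
    def __init__(self, body: str):
        self.body = body
        self.receive_count = 0  # plays the role of SQS's ApproximateReceiveCount


class SimQueue:
    """Toy queue: receive() hands out the head message; a message leaves the
    queue only when the consumer deletes it (success) or it is redriven."""

    def __init__(self, name, fifo=False, max_receive_count=None, dlq=None):
        self.name = name
        self.fifo = fifo
        self.max_receive_count = max_receive_count  # None: no dead-letter queue
        self.dlq = dlq
        self.messages = deque()

    def send(self, body: str) -> None:
        self.messages.append(Message(body))

    def receive(self):
        """Deliver the next message, or redrive it once it has been received
        more than max_receive_count times without being deleted."""
        while self.messages:
            msg = self.messages.popleft()
            msg.receive_count += 1
            if (self.max_receive_count is not None
                    and msg.receive_count > self.max_receive_count):
                self.dlq.messages.append(msg)  # set aside for later analysis
                continue
            return msg
        return None

    def visibility_expired(self, msg) -> None:
        """The consumer failed to delete the message, so it becomes visible
        again. A FIFO queue keeps it at the head (blocking the group); a
        standard queue just makes it available again, modelled as the tail."""
        if self.fifo:
            self.messages.appendleft(msg)
        else:
            self.messages.append(msg)


def process_order(body: str) -> str:
    """Consumer logic; an empty customer_id is the poison pill from the text."""
    order = json.loads(body)
    if not order["customer_id"]:
        raise ValueError("order without customer identifier")
    return order["order_id"]


def run_consumer(queue, handler, max_receives):
    """Poll the queue a bounded number of times; return (processed ids, failures)."""
    processed, failures = [], 0
    for _ in range(max_receives):
        msg = queue.receive()
        if msg is None:
            break
        try:
            processed.append(handler(msg.body))  # success: message deleted
        except ValueError:
            failures += 1
            queue.visibility_expired(msg)
    return processed, failures


def demo(fifo: bool, use_dlq: bool):
    """Run three constructed orders (the second is a poison pill) through the
    queue; return (processed order ids, failed receives, ids in the DLQ)."""
    dlq = SimQueue("orders-dlq")
    main = SimQueue("orders", fifo=fifo,
                    max_receive_count=3 if use_dlq else None,
                    dlq=dlq if use_dlq else None)
    for order in ({"order_id": "A1", "customer_id": "c-100"},
                  {"order_id": "A2", "customer_id": ""},
                  {"order_id": "A3", "customer_id": "c-101"}):
        main.send(json.dumps(order))
    processed, failures = run_consumer(main, process_order, max_receives=10)
    return processed, failures, [json.loads(m.body)["order_id"] for m in dlq.messages]


if __name__ == "__main__":
    print(redrive_policy("arn:aws:sqs:us-east-1:123456789012:orders-dlq", 3))
    print("standard + DLQ:", demo(fifo=False, use_dlq=True))
    print("FIFO, no DLQ:  ", demo(fifo=True, use_dlq=False))
    print("FIFO + DLQ:    ", demo(fifo=True, use_dlq=True))
```

With ten polls, the FIFO queue without a dead-letter queue processes only A1: every remaining poll returns the poison pill A2 and A3 is never reached, which is the head-of-line blocking described above. Adding the redrive policy with maxReceiveCount 3 unblocks the group after three failed receives, but note that A3 is then processed without A2, which is exactly the ordering break the "Don't use" bullet warns about for FIFO queues.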

To get started with dead-letter queues in Amazon SQS, see the following topics in the Amazon SQS Developer Guide:

To start working with dead-letter queues programmatically, see the following resources:

Hardware Provider is Liable For Live Streaming Piracy, Court Rules

Post Syndicated from Ernesto original https://torrentfreak.com/hardware-provider-is-liable-for-live-streaming-piracy-court-rules-170529/

While ‘pirate’ sports streaming sites have been around for over a decade, in recent years rightsholders have taken a more aggressive stance.

The UK Premier League has triggered several police investigations, for example, which have led to the shutdown of several streaming platforms.

In Germany, the local football league (DFL) and Sky Deutschland are involved in a similar battle. The rightsholder and broadcaster feel that unauthorized streaming sites threaten their livelihoods so they’ve initiated legal action in response.

One of the prime targets of these efforts was the streaming portal Stream4u.tv, which was broadcasting sports events without permission. In addition to the site’s operator, a civil lawsuit filed by Sky also targeted the hardware provider that offered the equipment used to decrypt and distribute the streaming signal.

Last week Sky declared a major victory after The District Court of Hamburg ruled that both the site operator and hardware provider are liable for copyright infringement.

Together, both defendants must now pay €18,000 in damages. A clear win for Sky, especially since the streaming portal has been shut down as well.

Stream4u.tv

Aside from the damages, Sky highlights that this is the first time that a third-party intermediary has been held liable for copyright infringement in a case like this. They hope the result will send a strong deterrent message to others.

According to Sky, the ruling effectively means that every technical service provider faces a significant liability risk if they are aware of the illegal use of its services and do not immediately address legitimate complaints.

“The ruling is a warning for all those involved in the illegal distribution of Sky content,” says Thomas Stahn, Director Anti-Piracy & Technology at Sky Deutschland, commenting on the case.

“In contrast to criminal law, every helper is also liable for the full damages suffered by the injured parties – regardless of whether or not it profited from the illegal business,” he adds.

Sky informs TorrentFreak that the Stream4u.tv operator was not present at the court hearings, only the hardware provider. The company could not provide any additional details on the provider but noted that the hardware itself is not illegal.

“The hardware in question was used to receive the Sky broadcast signal and encode it for transmission via the internet. The hardware itself is not illegal in general,” a Sky spokesperson told us.

This isn’t the first victory of its kind for the German division of Sky. As Tarnkappe points out, late last year two people were convicted for their involvement with a sports streaming platform, resulting in a prison sentence for one of them.

Sky Deutschland has several criminal and civil copyright cases pending in Germany, so this isn’t likely to be the last verdict we’ll see against sports streaming sites and services.

Source: TF, for the latest info on copyright, file-sharing, torrent sites and ANONYMOUS VPN services.

Hollywood Demands Net Neutrality Exceptions to Tackle Piracy

Post Syndicated from Andy original https://torrentfreak.com/hollywood-demands-net-neutrality-exceptions-to-tackle-piracy-170502/

Net neutrality is the notion that ISPs should treat all data traveling via the Internet in the same manner. Providers shouldn’t discriminate based on user, content or platform type, nor devices attached to the network.

While there are plenty of entities who support these principles, the free-flow of information is sometimes perceived as a threat. The concept of so-called fast and slow lanes with variable pricing, for example, has the potential to cause many anti-competitive headaches.

But for the content industries, particularly those involved in movies, TV shows, and other video entertainment, the concept of net neutrality has the potential to complicate plans to block and otherwise restrict access to copyright-infringing material.

As a result, Hollywood is making its feelings known both locally and overseas, including in India where it’s just contributed to the country’s net neutrality debate.

Early 2017, the Telecom Regulatory Authority of India (TRAI) asked for input on its “Consultation Paper on Net Neutrality”, the fifth in the past two years aimed at introducing a legal framework for net neutrality.

Published by MediaNama in January, the 14-point questionnaire received responses from many stakeholders, including the Motion Picture Distribution Association, the local division of the MPA/MPAA representing Paramount, Sony, Twentieth Century Fox, Universal, Disney and Warner.

Exceptions to net neutrality principles for pirate content

In response to a question which asked whether there should be exceptions to net neutrality in order for ISPs to implement traffic management practices (TMP), Hollywood is clear. Net neutrality should only ever apply when Internet traffic is lawful, and ISPs should be able to take measures to deal with infringing content.

“For the Motion Picture Association’s members, as representatives of an industry that creates and distributes copyrighted content, it is critical that the Internet does not serve as a haven for illegal activity and that [service providers] should be permitted to take reasonable action to prevent the transfer of stolen copyrighted content,” the Hollywood group writes.

“It is commonly accepted that the requirements of [net neutrality] apply only in respect of access to lawful content. This implies that a [service provider] to, say, block content pursuant to a direction from authorities authorised by law to do so, and after following due process – will not be considered unreasonable.”

The studios say they’re in agreement that the Indian government should have the right to regulate content in “emergency situations” and also whenever content is deemed illegal, so in these instances, net neutrality rules would not apply.

Copyright-infringing content fits the latter category, but the MPA wants the government to include specific wording in any regulation that expressly denotes pirate material as exempt from the freedoms of net neutrality.

“We urge that a clear statement be included in any eventual net neutrality regulation that specifies that pirated and infringing content is unlawful and therefore not subject to the normal net neutrality policy of prohibiting content-based regulations,” the studios say.

Exemptions for blocking and throttling to counter piracy

The idea that infringing content should be blocked, throttled, or otherwise hindered is a cornerstone of Hollywood’s fight against infringing content worldwide, despite it being unable to achieve those things in its own backyard. In India, however, the studios see blocking as a fair response to the spread of infringing content and something that should be allowed under net neutrality rules.

“As a remedy to address the dissemination of, or unauthorized access to, unlawful content, blocking and throttling are necessary and appropriate measures,” the studios note.

“Blocking access to infringing sites is not inconsistent with net neutrality. In fact, blocking illegal sites, especially when they originate from outside the country, is often the only effective remedy to prevent access to illegal content in India.

“[Service providers] must be able to block sites that link, stream, make available, or otherwise communicate to the public unauthorized or illegal content.”

Rightsholders and ISPs should work together

In both the United States and Europe, Hollywood is an advocate of voluntary anti-piracy measures, with content owners and ISPs collaborating to hinder the spread of infringing content. According to its submission to the telecoms regulator, Hollywood would like to see something similar in India.

When forming its regulations, the studios would like to see service providers “encouraged” to work with rightsholders to “employ the best available tools and technologies” to fight piracy while affirming ISPs’ right to use traffic management practices (TMP) to deal with the spread of infringing content.

Furthermore, Hollywood would like a clear statement that the use of TMPs against infringing content “should not depend on an advance judicial or regulatory determination of ‘lawfulness’ prior to every use.” In other words, court oversight should not generally be required.

In conclusion, the MPA underlines that rightsholders and rightsholders alone should have the final say in respect of when, to whom, and under what circumstances they make content available. Should the Telecom Regulatory Authority of India interfere with that right, both domestic and international breaches of law could result.

The full submission can be found here (pdf)

Source: TF, for the latest info on copyright, file-sharing, torrent sites and ANONYMOUS VPN services.

Selling Piracy-Configured Media Players is Illegal, EU Court Rules

Post Syndicated from Andy original https://torrentfreak.com/selling-piracy-configured-media-players-is-illegal-eu-court-rules-170426/

Probably the biggest story in the online piracy scene over the past 12 months has been the massive increase in popularity of piracy-configured set-top devices.

Mostly running Android, these devices are often supplied with software such as the neutral Kodi platform augmented with third-party addons, each designed to receive the latest films, TV shows or live sports, with minimum input from the user.

One of perhaps hundreds of sites involved in these sales was Netherlands-based Filmspeler.nl (Movie Player), an online store that found itself targeted by Dutch anti-piracy group BREIN. Filmspeler’s owners felt that its pre-configured devices were legal, arguing that their sale did not amount to a “communication to the public” as determined by the EU Copyright Directive.

In 2015, the Dutch District Court referred the case to the EU Court of Justice. It was asked to consider whether it’s illegal to sell a product (in this case a media player) with pre-installed add-ons containing hyperlinks to websites from where copyrighted works such as movies, TV shows and live broadcasts are made available without copyright holders’ permission.

A year later, Advocate General (AG) Campos Sánchez-Bordona issued his recommendation to the Court.

Describing how Filmspeler owner Mr. Wullems knowingly added infringing add-ons to Kodi devices, with hyperlinks to content published by known ‘pirate’ sites, the AG added that Filmspeler advertised its media players as ways to watch content without paying. This, he said, amounted to a communication to the public and hence copyright infringement.

But while the AG’s opinion was important, it is the EU Court of Justice’s opinion that holds absolute legal weight. After months of deliberation it handed down its decision a few minutes ago and it’s bad news for purveyors of ‘pirate’ devices all around the EU.

In a long and complex ruling, the ECJ said that a media player with pre-installed addons, accessed through structured menus, grants users “direct access to the protected works published without the permission of the copyright owners” and “must be regarded as an act of communication to the public.”

That large numbers of people have bought these players was taken by the Court to mean that there are an “indeterminate number of potential viewers” involving a large number of people (the public).

On the crucial question of whether the copyright works were transmitted to a “new public”, the Court found that the audience for these devices was not something taken into account by the copyright holders when they first gave permission for their works to be distributed.

Referencing the earlier GS Media case, the ECJ placed emphasis on whether links were offered in the knowledge they were infringing and whether the subsequent communication to the public had a profit element.

“It is common ground that the sale of the ‘filmerspeler’ multimedia player was made in full knowledge of the fact that the add-ons containing hyperlinks pre-installed on that player gave access to works published illegally on the internet,” the decision reads.

“In addition, it cannot be disputed that the multimedia player is supplied with a view to making a profit, the price for the multimedia player being paid in particular to obtain direct access to protected works available on streaming websites without the consent of the copyright holders.

“Therefore, it is necessary to hold that the sale of such a multimedia player constitutes a ‘communication to the public’, within the meaning of Article 3(1) of Directive 2001/29.”

Having determined that such piracy-configured players can be considered infringing by EU member courts, the ECJ goes on to provide greater clarity on the status of copyrighted content streamed on the Internet without copyright holders’ permission.

The ECJ states that reproduction of content may only be exempt from reproduction rights when it fulfils five conditions:

– When the act is temporary
– When it’s transient or incidental
– When it’s an integral and essential part of a technological process
– When the sole purpose of that process is to enable a transmission in a network between third parties by an intermediary or a lawful use of a work or protected subject matter
– The act has no independent economic significance

Since copyrighted works are obtained from streaming websites without obtaining permission from copyright holders, the above standards are not completely met and no copyright exceptions are available. Streaming copyrighted content from an illicit source can therefore be considered illegal.

The Filmspeler case will now head back to the Dutch court but this decision is likely to echo all around Europe and have a notable and immediate effect on pending cases involving ‘pirate’ boxes and illicit streaming.

Update: The two key points from the decision, as published by the ECJ.

1. The concept of ‘communication to the public’, within the meaning of Article 3(1) of Directive 2001/29/EC of the European Parliament and of the Council of 22 May 2001 on the harmonisation of certain aspects of copyright and related rights in the information society, must be interpreted as covering the sale of a multimedia player, such as that at issue in the main proceedings, on which there are pre-installed add-ons, available on the internet, containing hyperlinks to websites — that are freely accessible to the public — on which copyright-protected works have been made available to the public without the consent of the right holders.

2. Article 5(1) and (5) of Directive 2001/29 must be interpreted as meaning that acts of temporary reproduction, on a multimedia player, such as that at issue in the main proceedings, of a copyright-protected work obtained by streaming from a website belonging to a third party offering that work without the consent of the copyright holder does not satisfy the conditions set out in those provisions.

Source: TF, for the latest info on copyright, file-sharing, torrent sites and ANONYMOUS VPN services.

Streaming ‘Pirate’ Video is Illegal, High Court Judge Says

Post Syndicated from Andy original https://torrentfreak.com/streaming-pirate-video-is-illegal-high-court-judge-says-170319/

Copyright education has come a long way in recent years, with a much greater proportion of Internet users now aware when their activities might fall foul of the law.

There is no doubt that many still have a problem with the level of freedoms available when it comes to sharing content online without copyright holders’ permission, but an understanding of how that is viewed by the authorities is certainly helpful.

In most areas certainty is available. In many jurisdictions, downloading and then sharing content online using BitTorrent, for example, is considered unlawful distribution, an act punishable by law. But what about those who only consume unauthorized content via online streaming and are not involved in dissemination?

What looks like a straightforward question does not have a straightforward answer. That’s somewhat unfortunate since streaming video is now an extremely popular activity engaged in by millions of Internet users.

Legal experts have gone back and forth on the issue of streaming for years. The idea that people who stream do not make any more than a transient copy of content on their own machine has led some to conclude the activity is either legal or sits in a gray area. That opinion is not shared by rightsholders.

One such example can be found in the case between Dutch anti-piracy group BREIN and Filmspeler.nl, a store which sold “piracy configured” Kodi-type devices. The case was referred to the EU Court of Justice, where several questions were discussed during a hearing in late September. One question tackled streaming directly.

“Is it lawful under EU law to temporarily reproduce content through streaming if the content originates from a third-party website where it’s made available without permission?” it asked.

Interestingly, in this case, the European Commission equated streaming to watching, which in its opinion is legal from a viewer perspective. Based on this conclusion the Advocate General is to offer a recommendation, to be followed by a final verdict from the EU Court of Justice sometime in 2017.

With that moment still to arrive and anti-piracy groups still insisting that streaming illegal content is, well, illegal, earlier this month Derbyshire Council Trading Standards in the UK offered its opinion, which essentially supports the position of the EC.

“Accessing premium paid-for content without a subscription is considered by the industry as unlawful access, although streaming something online, rather than downloading a file, is likely to be exempt from copyright laws,” a spokesperson said.

But before streaming pirates begin celebrating too much, a rather influential individual has just thrown his hat, or indeed wig, into the arena.

Mr Justice Arnold has presided over a number of important copyright cases in the UK, including those involving The Pirate Bay and Newzbin2. He hasn’t been asked to rule directly whether users who stream content break the law, but he gave an opinion on the topic as part of the recent injunction application by The Premier League.

Before handing down an order to block pirate streams of Premier League matches, Justice Arnold had to consider whether “the operators and users” of pirate servers infringed the League’s copyrights.

In respect of operators, the decision was straightforward. They have a copy of Premier League content which they distribute unlawfully to the public. It’s an open and shut case dealt with under existing case law, something that cannot be said about user streaming specifically.

Nevertheless, Justice Arnold appears to have reached his decision with ease. The Judge decided that although they do not distribute, users do make unlawful copies of Premier League content, even if they only stream it to a device.

“In the course of streaming the Works, users who access a stream cause their computer, mobile device or set-top box to create copies of the Works in the memory of those devices. In some cases, a substantial part of a Work may be copied in a single frame (for example, a Logo),” the Judge said.

In an earlier case, it was determined that no copyright exists in a live match but The Premier League (FAPL) has now closed that loophole. It now records a copy of a match momentarily before transmission to the public, so it holds a copyright in the same way as a movie or TV show company would over their products.

“[T]he Clean Live Feed for each match is now recorded prior to onward transmission and so the FAPL now claims copyright in those films. In addition, FAPL now claims copyright in new logos and graphics,” the injunction reads.

It’s worth noting that to breach the Copyright Designs and Patents Act, a person needs to copy a “substantial” part of a work, whether that’s a movie, TV show, or indeed a football match. However, despite the transient nature of streaming video to the memory of a viewer’s device, the Judge said that a substantial part of the work would be copied if users stream content in any meaningful way.

“In the case of films of matches, copying of a substantial part is very likely to occur if users stream footage of any appreciable segment of the match,” he wrote.

So what we have here is a conflict of opinion. On the one hand, the European Commission doesn’t have a problem with users streaming under EU law, and on the other, a prominent High Court Judge believes that streaming amounts to illegally copying a substantial part of a copyrighted work into a computer’s memory.

What happens from here isn’t clear, but an opinion from the European Court of Justice is awaited, which should provide greater clarity. In the meantime, consumers of unauthorized streaming content will have to wait, unsure whether they’re breaking the law or not, which is far from ideal.

Source: TF, for the latest info on copyright, file-sharing, torrent sites and ANONYMOUS VPN services.

Journalists: How hacking details matter

Post Syndicated from Robert Graham original http://blog.erratasec.com/2017/03/journalists-how-hacking-details-matter.html

When I write my definitive guide for journalists covering hacking, I’m going to point out how easy it is for journalists to misunderstand the details of a story — especially when they change the details to fit the story they want to tell.

For example, there is the notorious “CIA hacked Senate computers” scandal. In fact, the computers in question were owned by the CIA, located in a CIA facility, and managed/operated by CIA employees. You can’t “hack” computers you own. Yes, the CIA overstepped the bounds of an informal agreement with the Senate committee overseeing them, but in no way did anything remotely like “hacking” occur.

This detail matters. If the CIA had truly hacked the Senate committee, that would be a constitutional crisis. A small misstep breaking an informal agreement is not.

A more recent example is this story, which mentions the AlfaBank-Trump connection, claiming the server was in Trump Tower [*]:

What about the computer server at Trump Tower?
Several news media outlets have reported that investigators last year were puzzled by data transmissions between a computer server at Trump Tower and a computer server associated with a Russian bank. Although Mr. Trump on Twitter talked about his “phones,” in theory a judge might determine that the computer address of the server in the tower was a facility being used by a foreign power, Russia, to communicate, and authorize surveillance of it.

No, the server was not located in Trump Tower. It was located outside Philadelphia. It’s owned and operated by a company called Listrak. There’s no evidence anybody in the Trump Organization even knew about the server. It was some other company named Cendyn who decided to associate Trump’s name with the server. There’s no evidence of communication between the server and Alfa — only evidence of communication about the server from Alfa.

The details are important to the story, because it’s trying to show how a judge “might determine that the computer … in the tower was a facility being used by a foreign power”. If it’s not anywhere near or related to the Trump Tower, no such determination could be made.

Then there was that disastrous story from the Washington Post about Russia hacking into a Vermont power plant [*], which still hasn’t been retracted despite widespread condemnation. No such hacking occurred. Instead, the details of what happened are that an employee checked Yahoo mail from his laptop. The night before, the DHS had incorrectly configured its “Einstein” intrusion detection system to trigger on innocent traffic with Yahoo as an indicator of compromise from Russian hackers.

You can see how journalists make these mistakes. If the CIA is spying on computers used by Senate staffers, then the natural assumption is that the CIA hacked those computers. If there was a server associated with the Trump Organization, however tenuous, it’s easy to assume a more concrete relationship, such as the server being located in Trump’s offices. You can see how once the DHS claims there was a hack, and you’ve filled your stories with quotes from senators pontificating about the meaning of such hacks, it’s very difficult to retract the story when the details emerge that there was nothing remotely resembling a hack.

I’m not trying to claim that journalists need to be smarter about hacking. I’m instead claiming that journalists need to be smarter about journalism. The flaws here all go one way — toward the sensational. Instead of paying attention to the details and questioning whether such sensationalism was warranted, journalists did the reverse.

Also, I’m trying to point out how journalists seem to collude on this. They all piled on with misunderstandings about the “CIA hacking”, such that it became impossible for a journalist not to agree that this is what happened. The original reporting on the Alfa connection was crap, though it becomes real when other reporters repeat the claims. The Vermont hacking story is too juicy for reporters not to repeat, even when they know it’s completely bogus.

Streaming Pirate Content Isn’t Illegal, UK Trading Standards Says

Post Syndicated from Andy original https://torrentfreak.com/streaming-pirate-content-isnt-illegal-uk-trading-standards-says-170306/

In online communities where piracy is discussed on a regular basis, several base questions continually raise their heads. What’s the best and quickest torrent client? What is the largest torrent site? Which streaming platforms get movies quickest?

But perhaps the most common questions asked, particularly by newcomers to the arena, surround the legality or otherwise of consuming media online without copyright holders’ permission.

With torrents (where the user not only downloads but also uploads), sharing copyrighted content is illegal in the majority of countries and regions with strong copyright law, such as North America, Europe, Australia etc. There are plenty of cases that have ended badly for uploaders, hence the rise of VPNs.

These days, however, people are increasingly asking questions about streaming copyrighted content. Whether that’s to a PC, tablet, phone, or Kodi-type device, streaming is becoming increasingly popular and thus questions about legality are on the rise.

Streaming is without a doubt a safer option than using torrents since there is no uploading (distribution). Without this crucial element, it is almost impossible for a user to be tracked and if they can’t be tracked, they can’t be punished or even warned. It’s notable that the UK’s piracy warning scheme, for example, makes no attempt to reach people who are streaming content, because it’s impossible.

So, in practical terms (if people have no problem with potential ethical issues) streaming illegal content is almost 100% safe. No one has ever been prosecuted for merely streaming content and with the rise of Kodi devices (which almost exclusively employ streaming), it’s not difficult to see the problems faced by copyright holders.

Dozens of headlines in mainstream news articles suggest that people who misuse Kodi could get into trouble. But these articles often blur the distinction between sellers and users, where the former is probably breaking the law and the latter operates in a gray area. Interestingly, however, we now have a voice in authority daring to say what most anti-piracy outfits will not.

In an article discussing Kodi, Derbyshire Council Trading Standards begins by noting the problems faced by sellers.

“Kodi is a legitimate piece of software and the developers do not support its use for illegal purposes,” a spokesperson said.

“Derbyshire County Council trading standards officers believe it is illegal under copyright legislation to sell Kodi boxes installed with those add-ons that facilitate the illegal streaming of copyrighted material – although there are court cases pending elsewhere in the UK that will provide further clarification.”

However, most people aren’t sellers, they’re users, and according to Trading Standards, they likely have little to worry about, despite industry claims to the contrary.

“Accessing premium paid-for content without a subscription is considered by the industry as unlawful access, although streaming something online, rather than downloading a file, is likely to be exempt from copyright laws,” the spokesperson added.

This statement certainly carries some weight. Although in a different region of the UK, Trading Standards is the driving force behind the prosecution of Kodi box seller Brian Thompson, who entered a not guilty plea in January. He’ll face a trial in a couple of months, but it now seems clearer than ever that his customers, and millions like them around the country, are not breaking the law, a position that’s shared by the EU Commission.

But while people guzzle on the latest movies and sporting events for free, moves are underway to try to close these loopholes. In February the UK government launched a consultation into IPTV and Kodi-enabled devices, to see how the law could be tightened up.

The consultation is in its very early stages but there appears to be an effort to target not only sellers but also end users under titles such as “fraudulent reception of transmissions” and “obtaining services dishonestly.” Only time will tell how this will play out but for now at least, it appears that Kodi and other streamers are being given the green light.

Source: TF, for the latest info on copyright, file-sharing, torrent sites and ANONYMOUS VPN services.

EU Court Hands Copyright Defeat to Streaming Site TVCatchup

Post Syndicated from Andy original https://torrentfreak.com/eu-court-hands-copyright-defeat-to-streaming-site-tvcatchup-170302/

Free-to-air TV in the UK is almost universal, with consumers offered extensive programming via an antenna or satellite dish. However, an option to view the content over the Internet hasn’t always been available.

Back in 2007, TVCatchup spotted a gap in the market and over the years has been streaming TV shows to the masses for free but without rightsholders’ permission. In many markets TVCatchup would be immediately considered a ‘pirate’ service but the site had an unusual defense.

Under Section 73 of the UK’s Copyright, Designs and Patents Act, copyright in a wireless broadcast is not infringed when a party re-transmits that content by cable within “the area of initial broadcast”.

The legislation was drawn up to support the development of cable infrastructure in the 1980s and 1990s but TVCatchup felt that it applied to them when they captured UK broadcasters’ signals and retransmitted them over the Internet.

Needless to say, broadcasters including ITV, Channel 4 and Channel 5 felt differently. They took the service to court, arguing that the platform was illegal under Section 20 of the Copyright, Designs and Patents Act (CDPA), which declares infringement when a copyrighted broadcast is communicated to the public.

The High Court sided with TVCatchup, so the broadcasters took the case to the Court of Appeal, arguing that Internet streaming services are not entitled to protection under legislation intended for cable operators.

In common with other complex copyright cases, the Court of Appeal sought clarification from the Court of Justice of the European Union. Taking the view that section 73 of the CDPA should be interpreted in the light of Article 9 of Directive 2001/29, the Court of Appeal asked several questions, including whether the term “cable” could refer to Internet services.

The CJEU handed down its decision yesterday, ruling that when TVCatchup streamed copyrighted content without permission, that amounted to a communication to the public and was therefore illegal.

“The principal objective of that directive is to establish a high level of protection of authors, allowing them to obtain an appropriate reward for the use of their works, including on the occasion of communication to the public,” the Court wrote.

“Having regard to that high level of protection of authors, the Court … held that the concept of ‘communication to the public’ … must be interpreted broadly … and that a retransmission by means of an internet stream, such as that at issue in the main proceedings, constitutes such a communication.”

Additionally, the CJEU found that Article 9 of Directive 2001/29 does not permit “national legislation which provides that copyright is not infringed in the case of the immediate retransmission by cable, including, where relevant, via the internet.”

That statement is effectively a huge thumbs-down to Section 73 of the CDPA on which TVCatchup had formed its defense.

While that will be bad news for TVCatchup, it will be of little hardship to the UK Government. The Digital Economy Bill currently moving through Parliament contains an amendment to remove Section 73 from the CDPA, with the government noting during a consultation that it was never intended to apply to Internet services.


‘Kodi Box’ Consultation Launched By Intellectual Property Office

Post Syndicated from Andy original https://torrentfreak.com/kodi-box-consultation-launched-by-intellectual-property-office-170228/

As BitTorrent usage continues year after year, a new piracy opportunity has been gathering momentum in more recent times. Known on the street as ‘Kodi Boxes’ after the legal software they use as a base, these devices enable consumers to access every type of media available, for a very small outlay.

While in the past a full-blown PC would have been used to consume movies, TV shows, music and live events via illicit sites, augmented Kodi setups can achieve the same on cheap set-top Android hardware, even phones and tablets. This barrier to entry is at an all-time low in piracy circles and of serious concern to rightsholders.

These concerns are perhaps most visible in the UK, where police and anti-piracy groups have been tackling people who sell this kind of hardware for infringing uses. There have been some arrests and cases are pending, but there appears to be an underlying nervousness that current legislation simply isn’t up to the job. That’s where the government has now stepped in.

In a consultation launched by the Intellectual Property Office, the government calls for input from groups with experience of investigating and prosecuting offenses relating to illicit streaming devices, although anyone with relevant information can participate.

“Internet Protocol Television (IPTV) boxes (also known as set-top boxes, Android TVboxes or Kodi boxes) are small plug and play media servers, originally designed to allow consumers to stream legitimate content (locally stored or legal online content),” the IPO begins.

“Despite the legitimate use of this equipment, software is widely available (illicit Kodi extensions being the best known) which connect the boxes to illegal content through streaming websites, file lockers and BitTorrent trackers.”

The IPO notes that these devices are now widely available from well-known online retailers at low prices, something that has led to a sharp increase in use by consumers. This has unsettled those who make money from the official distribution of copyrighted content.

“Broadcasters and content owners have voiced concerns that, although a range of existing legislation applies to the sale and use of these devices (as well as the provision of illicit content streams), the legal framework does not provide sufficient tools to tackle this growing threat,” the IPO notes.

From information published thus far, it seems likely that the government will consider tightening up any branch of legislation that could apply to these devices, whether that concerns their advertising, sale, supply, or even end use.

Under the general banner of the Copyright, Designs and Patents Act 1988, the IPO suggests that several pieces of legislation may already apply to Kodi-type devices, including s297 – fraudulent reception of transmissions, s297a – unauthorized decoders, through to s296ZB – devices and services designed to circumvent technological measures.

The latter will be tested later this year in the case against Kodi box seller Brian Thompson. It’s unlikely to be straightforward and experts have already warned that prosecutions using existing legislation raise issues.

But while tweaking copyright law seems an obvious choice, the government is urging consideration of other charges too.

Under the Fraud Act 2006, possession and/or making or supplying articles for use in fraud are highlighted, as is the offense of obtaining services dishonestly.

Like “fraudulent reception of transmissions” (listed above in the copyright section), “obtaining services dishonestly” could conceivably be applied to end users of Kodi devices, given the right circumstances. However, the former currently only warrants a fine while the latter has provisions for up to five years imprisonment.

The consultation is certainly interesting and one that is likely to provoke much debate moving forward. In some respects, however, it is a little puzzling.

While a tightening of the law may result in more straightforward prosecutions, it’s difficult to see how current legislation doesn’t already cover most eventualities, particularly when it comes to prosecuting people who advertise and supply boxes for illegal purposes during the course of a business.

However, perhaps the more worrying aspect is what appears to be a new focus on the end users of such devices rather than just the sellers. It’s worth keeping in mind that users of these boxes are merely streaming content from the Internet in much the same way as they would with a normal web browser, something that is probably not illegal under existing EU law.

The consultation (pdf) closes April 7, 2017.


China Bans Unauthorized VPN Services in Internet Crackdown

Post Syndicated from Andy original https://torrentfreak.com/china-ban-unauthorized-vpn-services-in-internet-crackdown-170123/

While the Internet is considered by many to be the greatest invention of modern time, to others it presents a disruptive influence that needs to be controlled.

Among developed nations nowhere is this more obvious than in China, where the government seeks to limit what citizens can experience online. Using technology such as filters and an army of personnel, people are routinely barred from visiting certain websites and engaging in activity deemed as undermining the state.

Of course, a cat-and-mouse game is continuously underway, with citizens regularly trying to punch through the country’s so-called ‘Great Firewall’ using various techniques, services, and encryption technologies. Now, however, even that is under threat.

In an announcement yesterday from China’s Ministry of Industry and Information Technology, the government explained that due to Internet technologies and services expanding in a “disorderly” fashion, regulation is needed to restore order.

“In recent years, as advances in information technology networks, cloud computing, big data and other applications have flourished, China’s Internet network access services market is facing many development opportunities. However, signs of disorderly development show the urgent need for regulation norms,” MIIT said.

In order to “standardize” the market and “strengthen network information security management,” the government says it is embarking on a “nationwide Internet network access services clean-up.” It will begin immediately and continue until March 31, 2018, with several aims.

All Internet services, such as data centers, ISPs, CDNs and much-valued censorship-busting VPNs, will need to have pre-approval from the government to operate. Operating such a service without a corresponding telecommunications business license will constitute an offense.

“Internet data centers, ISP and CDN enterprises shall not privately build communication transmission facilities, and shall not use the network infrastructure and IP addresses, bandwidth and other network access resources…without the corresponding telecommunications business license,” the notice reads.

It will also be an offense to possess a business license but then operate outside its scope, such as by exceeding its regional boundaries or by operating other Internet services not permitted by the license. Internet entities are also forbidden to sub-lease to other unlicensed entities.

In the notice, VPNs and similar technologies have a section all to themselves and are framed as “cross-border issues.”

“Without the approval of the telecommunications administrations, entities can not create their own or leased line (including a Virtual Private Network) and other channels to carry out cross-border business activities,” it reads.

The notice, published yesterday, renders most VPN providers in China illegal, SCMP reports.

Only time will tell what effect the ban will have in the real world, but in the short-term there is bound to be some disruption as entities seek to license their services or scurry away underground.

As always, however, the Internet will perceive censorship as damage, and it’s inevitable that the most determined of netizens will find a way to access content outside China (such as Google, Facebook, YouTube and Twitter), no matter how strict the rules.


BT’s Piracy Warning Information is Confusing and Outdated

Post Syndicated from Andy original https://torrentfreak.com/bts-piracy-warning-information-confusing-outdated-170117/

As recently reported, UK ISPs will soon partner up with the Get it Right From a Genuine Site campaign to send warning notices to users whose accounts have been used to share copyright content.

While the campaign is educational in both tone and aim, it is still likely to worry warning recipients, even though there are no immediate repercussions for being caught. With that in mind, ISPs are preparing to inform their users as to what the scheme is all about.

A couple of hours ago, BT appears to have become the first ISP to officially announce the campaign’s arrival on its website. Virgin Media has had a section bookmarked on its site for some time, but currently there is no information available.

The other ISPs involved, TalkTalk and Sky, seem less prepared at this point, so well done to BT for going first. However, BT’s announcement has the potential to cause confusion, despite starting well.

“Peer-to-peer (P2P) file sharing is the transfer of data from one person’s computer directly to multiple other computers without the use of an intermediate server. This is known as a file sharing network and is set up using peer-to-peer software on your computer (also known as a programme, application or client),” it reads.

From here, BT gets its apples and pears a bit mixed up.

“You may have heard of networks like Gnutella, Napster, Torrentz and ThePirateBay. If your computer is online and you make files available for sharing in a peer-to-peer network, other members within that network can download files from you without you noticing,” the ISP writes.

While Gnutella and Napster are indeed the names of peer-to-peer networks, both Torrentz and ThePirateBay are torrent index sites. What makes the situation even more confusing is that the Napster peer-to-peer service has been dead for 15 years and is now a legitimate content platform. That could make less well-informed Napster customers believe they’re paying for a product that could get them a warning notice.

The Gnutella network (on which LimeWire operated) is technically alive but on continual life support, and Torrentz shut down last year so no longer exists. And suggesting that people can download files from torrent users without them knowing is clearly a step too far.

That said, BT correctly gives The Pirate Bay a prominent position, since the vast majority (if not all) of the warning notices going out will target BitTorrent users. However, instead of telling users how BitTorrent sharing works, the ISP focuses on how old-fashioned and largely redundant applications offer content for download.

By default, peer-to-peer software applications search for and share content on your computer with others. Normally, peer-to-peer software usually runs as soon as you turn on your computer and continues to run in the background. Even if you disable sharing/uploading, copyrighted content in a “shared” folder on your computer can still be seen by others using the same peer-to-peer network. Some peer-to-peer software can even reset your preferences to resume uploading.

While the above might have been true when KaZaA, LimeWire and Morpheus ruled the pirate seas way over a decade ago, this is not the way BitTorrent works at all. BitTorrent users are completely aware of what they’re sharing, because they have to obtain a torrent file first to get the content. BitTorrent software does not search users’ computers for content to share without their permission, users are in complete control.

In fact, the ‘shared folder’ applications referenced by BT are more or less antiques in today’s file-sharing landscape. Like VHS and cassette tapes, there are still people out there using ‘shared folder’ applications, but these people are not the focus of the GetitRight campaign. Giving them a prominent mention is confusing and makes little to no sense.

Things also get messy when BT ventures into the world of file-sharing protocols and clients.

There are many different file types (also called protocols) that are used for file sharing, such as BitTorrent, Deluge, iLivid, and Tixati etc. Each protocol will have its own client. Popular BitTorrent clients are Vuze, Transmission, Deluge, uTorrent, Tribler, Tixati, BitComet, Torch etc.

First off, the term ‘file types’ is not interchangeable with the term ‘protocol’. A file type is something like .doc, .mp3 or .avi. A protocol is the technical communications system a file-sharing client relies upon to share with other clients. While BitTorrent is indeed a file-sharing protocol, Deluge, iLivid and Tixati are either torrent clients or download managers; they are not file-sharing protocols at all.

All that being said, in the rest of the announcement BT does a good job of explaining how users are tracked by copyright holders and detailing when notices will be sent out. It also offers reassurance that users’ details have not been shared with copyright holders and that broadband services will not be affected as a result of receiving a warning.

Finally, BT also provides some new information which indicates that users will be able to see what content they’re being accused of downloading by following a link in warning notices. BT customers will be required to log in using their BTID and password, which will give them access to the Get it Right Information Portal.

“Once you click through the link on the email you will land on a BT page from where you can go through to the portal. BT only provides you secure access to the Get It Right Information Portal so that your data is kept completely confidential,” the company concludes.

While there’s clearly no intent on BT’s behalf to mislead, its advisory (here) could be improved by the removal of several paragraphs and the editing of others.

Received a warning notice from any UK ISP? Contact TF in confidence here.


NSA Given More Ability to Share Raw Intelligence Data

Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2017/01/nsa_given_more_.html

President Obama has changed the rules regarding raw intelligence, allowing the NSA to share raw data with the US’s other 16 intelligence agencies.

The new rules significantly relax longstanding limits on what the N.S.A. may do with the information gathered by its most powerful surveillance operations, which are largely unregulated by American wiretapping laws. These include collecting satellite transmissions, phone calls and emails that cross network switches abroad, and messages between people abroad that cross domestic network switches.

The change means that far more officials will be searching through raw data. Essentially, the government is reducing the risk that the N.S.A. will fail to recognize that a piece of information would be valuable to another agency, but increasing the risk that officials will see private information about innocent people.

Here are the new procedures.

This rule change has been in the works for a while. Here are two blog posts from April discussing the then-proposed changes.

From a privacy perspective, this feels like a really bad idea to me.