
Daphne Caruana Galizia’s Murder and the Security of WhatsApp

Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2017/11/daphne_caruana_.html

Daphne Caruana Galizia was a Maltese journalist whose anti-corruption investigations exposed powerful people. She was murdered in October by a car bomb.

Galizia used WhatsApp to communicate securely with her sources. Now that she is dead, the Maltese police want to break into her phone or the app, and find out who those sources were.

One journalist reports:

Part of Daphne’s destroyed smart phone was elevated from the scene.

Investigators say that Caruana Galizia had not taken her laptop with her on that particular trip. If she had done so, the forensic experts would have found evidence on the ground.

Her mobile phone is also being examined, as can be seen from her WhatsApp profile, which has registered activity since the murder. But it is understood that the data is safe.

Sources close to the newsroom said that as part of the investigation her sim card has been cloned. This is done with the help of mobile service providers in similar cases. Asked if her WhatsApp messages or any other messages that were stored in her phone will be retrieved, the source said that since the messaging application is encrypted, the messages cannot be seen. Therefore it is unlikely that any data can be retrieved.

I am less optimistic than that reporter. The FBI is providing “specific assistance.” The article doesn’t explain that, but I would not be surprised if they were helping crack the phone.

It will be interesting to see if WhatsApp’s security survives this. My guess is that it depends on how much of the phone was recovered from the bombed car.

EDITED TO ADD (11/7): The court-appointed IT expert on the case has a criminal record in the UK for theft and forgery.

Court of Justice of the EU: liability of the operator of a Facebook fan page

Post Syndicated from nellyo original https://nellyo.wordpress.com/2017/11/05/fb-3/

The Opinion of Advocate General Bot in Case C−210/16 Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein v Wirtschaftsakademie Schleswig-Holstein GmbH, in the presence of Facebook Ireland Ltd, has been published.

“Reference for a preliminary ruling — Directive 95/46/EC — Articles 2, 4 and 28 — Protection of individuals with regard to the processing of personal data and the free movement of such data — Order to deactivate a fan page on the social network Facebook — Concept of ‘controller’ — Liability of the operator of a fan page — Joint liability — Applicable national law — Scope of the supervisory authorities’ powers of intervention”

The request was made in the context of a dispute between Wirtschaftsakademie Schleswig-Holstein GmbH, a private-law company specialising in the field of education, and the data protection authority of Schleswig-Holstein (“ULD”), concerning the lawfulness of an order issued by the latter against Wirtschaftsakademie requiring the deactivation of a “fan page” (Fanpage) hosted on the site of Facebook Ireland Ltd (hereinafter “Facebook Ireland”).

That order was based on the alleged infringement of the provisions of German law transposing Directive 95/46, in particular because visitors to a fan page are not informed that their personal data are collected by the social network Facebook by means of cookies placed on their hard disk, that collection being carried out in order to compile visitor statistics intended for the operator of that page and to enable Facebook to distribute targeted advertising.

Supervisory authorities in several EU Member States have decided in recent months to fine Facebook for breaching the rules on the protection of its users’ personal data: on 11 September 2017 the Agencia española de protección de datos (the Spanish Data Protection Agency) announced that it was imposing a fine of EUR 1.2 million on Facebook Inc. Before that, on 27 April 2017, the Commission nationale de l’informatique et des libertés (National Commission for Information Technology and Civil Liberties, CNIL, France) adopted a decision against Facebook Inc. and Facebook Ireland, imposing on them, jointly and severally, a financial penalty of EUR 150 000.

The present case will give the Court the opportunity to clarify the scope of the powers of intervention available to a supervisory authority such as the ULD in relation to processing of personal data that involves several parties.

The questions referred for a preliminary ruling

The Opinion:

“1)      Article 2(d) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, as amended by Regulation (EC) No 1882/2003 of the European Parliament and of the Council of 29 September 2003, must be interpreted as meaning that the operator of a fan page on a social network such as Facebook is to be regarded as a controller under that provision as regards the stage of personal data processing consisting in the collection by that social network of data relating to persons who consult that page, for the purpose of compiling statistics on visitors to that page.

2)      Article 4(1)(a) of Directive 95/46, as amended by Regulation No 1882/2003, must be interpreted as meaning that processing of personal data such as that at issue in the main proceedings is carried out in the context of the activities of an establishment of the controller on the territory of a Member State, within the meaning of that provision, where the undertaking that operates a social network sets up in that Member State a subsidiary which is intended to promote and sell the advertising space offered by that undertaking and whose activity is directed at persons residing in that Member State.

3)      In a situation such as that at issue in the main proceedings, in which the national law of the Member State of the supervisory authority applies to the personal data processing concerned, Article 28(1), (3) and (6) of Directive 95/46, as amended by Regulation No 1882/2003, must be interpreted as meaning that that supervisory authority may exercise all of the effective powers of intervention conferred on it in accordance with Article 28(3) of that directive against the controller, including where the controller is established in another Member State or in a third country.

4)      Article 28(1), (3) and (6) of Directive 95/46, as amended by Regulation No 1882/2003, must be interpreted as meaning that, in circumstances such as those at issue in the main proceedings, the supervisory authority of the Member State in which the establishment of the controller is located is entitled to exercise its powers of intervention against that controller independently, without first being required to ask the supervisory authority of the Member State in which the controller is located to exercise its powers.”


AWS Online Tech Talks – November 2017

Post Syndicated from Sara Rodas original https://aws.amazon.com/blogs/aws/aws-online-tech-talks-november-2017/

Leaves are crunching under my boots, Halloween is tomorrow, and pumpkin is having its annual moment in the sun – it’s fall everybody! And just in time to celebrate, we have whipped up a fresh batch of pumpkin spice Tech Talks. Grab your planner (Outlook calendar) and pencil these puppies in. This month we are covering re:Invent, serverless, and everything in between.

November 2017 – Schedule

Noted below are the upcoming scheduled live, online technical sessions being held during the month of November. Make sure to register ahead of time so you won’t miss out on these free talks conducted by AWS subject matter experts.

Webinars featured this month are:

Monday, November 6

Compute

9:00 – 9:40 AM PDT: Set it and Forget it: Auto Scaling Target Tracking Policies

Tuesday, November 7

Big Data

9:00 – 9:40 AM PDT: Real-time Application Monitoring with Amazon Kinesis and Amazon CloudWatch

Compute

10:30 – 11:10 AM PDT: Simplify Microsoft Windows Server Management with Amazon Lightsail

Mobile

12:00 – 12:40 PM PDT: Deep Dive on Amazon SES What’s New

Wednesday, November 8

Databases

10:30 – 11:10 AM PDT: Migrating Your Oracle Database to PostgreSQL

Compute

12:00 – 12:40 PM PDT: Run Your CI/CD Pipeline at Scale for a Fraction of the Cost

Thursday, November 9

Databases

10:30 – 11:10 AM PDT: Migrating Your Oracle Database to PostgreSQL

Containers

9:00 – 9:40 AM PDT: Managing Container Images with Amazon ECR

Big Data

12:00 – 12:40 PM PDT: Amazon Elasticsearch Service Security Deep Dive

Monday, November 13

re:Invent

10:30 – 11:10 AM PDT: AWS re:Invent 2017: Know Before You Go

5:00 – 5:40 PM PDT: AWS re:Invent 2017: Know Before You Go

Tuesday, November 14

AI

9:00 – 9:40 AM PDT: Sentiment Analysis Using Apache MXNet and Gluon

10:30 – 11:10 AM PDT: Bringing Characters to Life with Amazon Polly Text-to-Speech

IoT

12:00 – 12:40 PM PDT: Essential Capabilities of an IoT Cloud Platform

Enterprise

2:00 – 2:40 PM PDT: Everything you wanted to know about licensing Windows workloads on AWS, but were afraid to ask

Wednesday, November 15

Security & Identity

9:00 – 9:40 AM PDT: How to Integrate AWS Directory Service with Office365

Storage

10:30 – 11:10 AM PDT: Disaster Recovery Options with AWS

Hands on Lab

12:30 – 2:00 PM PDT: Hands on Lab: Windows Workloads

Thursday, November 16

Serverless

9:00 – 9:40 AM PDT: Building Serverless Websites with Lambda@Edge

Hands on Lab

12:30 – 2:00 PM PDT: Hands on Lab: Deploy .NET Code to AWS from Visual Studio

– Sara

Implementing Default Directory Indexes in Amazon S3-backed Amazon CloudFront Origins Using Lambda@Edge

Post Syndicated from Ronnie Eichler original https://aws.amazon.com/blogs/compute/implementing-default-directory-indexes-in-amazon-s3-backed-amazon-cloudfront-origins-using-lambdaedge/

With the recent launch of Lambda@Edge, it’s now possible for you to provide even more robust functionality to your static websites. Amazon CloudFront is a content distribution network service. In this post, I show how you can use Lambda@Edge along with the CloudFront origin access identity (OAI) for Amazon S3 and still provide simple URLs (such as www.example.com/about/ instead of www.example.com/about/index.html).

Background

Amazon S3 is a great platform for hosting a static website. You don’t need to worry about managing servers or underlying infrastructure—you just publish your static content to an S3 bucket. S3 provides a DNS name such as <bucket-name>.s3-website-<AWS-region>.amazonaws.com. Use this name for your website by creating a CNAME record in your domain’s DNS environment (or Amazon Route 53) as follows:

www.example.com -> <bucket-name>.s3-website-<AWS-region>.amazonaws.com

You can also put CloudFront in front of S3 to further scale the performance of your site and cache the content closer to your users. CloudFront can enable HTTPS-hosted sites, by either using a custom Secure Sockets Layer (SSL) certificate or a managed certificate from AWS Certificate Manager. In addition, CloudFront also offers integration with AWS WAF, a web application firewall. As you can see, it’s possible to achieve some robust functionality by using S3, CloudFront, and other managed services and not have to worry about maintaining underlying infrastructure.

One of the key concerns that you might have when implementing any type of WAF or CDN is that you want to force your users to go through the CDN. If you implement CloudFront in front of S3, you can achieve this by using an OAI. However, in order to do this, you cannot use the HTTP endpoint that is exposed by S3’s static website hosting feature. Instead, CloudFront must use the S3 REST endpoint to fetch content from your origin so that the request can be authenticated using the OAI. This presents some challenges in that the REST endpoint does not support redirection to a default index page.

CloudFront does allow you to specify a default root object (index.html), but it only works on the root of the website (such as http://www.example.com > http://www.example.com/index.html). It does not work on any subdirectory (such as http://www.example.com/about/). If you were to attempt to request this URL through CloudFront, CloudFront would do an S3 GetObject API call against a key that does not exist.

Of course, it is a bad user experience to expect users to always type index.html at the end of every URL (or even know that it should be there). Until now, there has not been an easy way to provide these simpler URLs (equivalent to the DirectoryIndex Directive in an Apache Web Server configuration) to users through CloudFront, at least not if you still want to be able to restrict access to the S3 origin using an OAI. However, with the release of Lambda@Edge, you can use a JavaScript function running on the CloudFront edge nodes to look for these patterns and request the appropriate object key from the S3 origin.

Solution

In this example, you use the compute power at the CloudFront edge to inspect the request as it’s coming in from the client, and then rewrite the request so that CloudFront requests a default index object (index.html in this case) for any request URI that ends in ‘/’.

When a request is made against a web server, the client specifies the object to obtain in the request. You can use this URI and apply a regular expression to it so that these URIs get resolved to a default index object before CloudFront requests the object from the origin. Use the following code:

'use strict';
exports.handler = (event, context, callback) => {
    
    // Extract the request from the CloudFront event that is sent to Lambda@Edge
    var request = event.Records[0].cf.request;

    // Extract the URI from the request
    var olduri = request.uri;

    // Match any '/' that occurs at the end of a URI. Replace it with a default index
    var newuri = olduri.replace(/\/$/, '\/index.html');
    
    // Log the URI as received by CloudFront and the new URI to be used to fetch from origin
    console.log("Old URI: " + olduri);
    console.log("New URI: " + newuri);
    
    // Replace the received URI with the URI that includes the index page
    request.uri = newuri;
    
    // Return to CloudFront
    return callback(null, request);

};

To get started, create an S3 bucket to be the origin for CloudFront:

Create bucket

On the other screens, you can just accept the defaults for the purposes of this walkthrough. If this were a production implementation, I would recommend enabling bucket logging and specifying an existing S3 bucket as the destination for access logs. These logs can be useful if you need to troubleshoot issues with your S3 access.

Now, put some content into your S3 bucket. For this walkthrough, create two simple webpages to demonstrate the functionality:  A page that resides at the website root, and another that is in a subdirectory.

<s3bucketname>/index.html

<!doctype html>
<html>
    <head>
        <meta charset="utf-8">
        <title>Root home page</title>
    </head>
    <body>
        <p>Hello, this page resides in the root directory.</p>
    </body>
</html>

<s3bucketname>/subdirectory/index.html

<!doctype html>
<html>
    <head>
        <meta charset="utf-8">
        <title>Subdirectory home page</title>
    </head>
    <body>
        <p>Hello, this page resides in the /subdirectory/ directory.</p>
    </body>
</html>

When uploading the files into S3, you can accept the defaults. You add a bucket policy as part of the CloudFront distribution creation that allows CloudFront to access the S3 origin. You should now have an S3 bucket that looks like the following:

Root of bucket

Subdirectory in bucket

Next, create a CloudFront distribution that your users will use to access the content. Open the CloudFront console, and choose Create Distribution. For Select a delivery method for your content, under Web, choose Get Started.

On the next screen, you set up the distribution. Below are the options to configure:

  • Origin Domain Name:  Select the S3 bucket that you created earlier.
  • Restrict Bucket Access: Choose Yes.
  • Origin Access Identity: Create a new identity.
  • Grant Read Permissions on Bucket: Choose Yes, Update Bucket Policy.
  • Object Caching: Choose Customize (I am changing the behavior to avoid having CloudFront cache objects, as this could affect your ability to troubleshoot while implementing the Lambda code).
    • Minimum TTL: 0
    • Maximum TTL: 0
    • Default TTL: 0

You can accept all of the other defaults. Again, this is a proof-of-concept exercise. After you are comfortable that the CloudFront distribution is working properly with the origin and Lambda code, you can re-visit the preceding values and make changes before implementing it in production.

CloudFront distributions can take several minutes to deploy (because the changes have to propagate out to all of the edge locations). After that’s done, test the functionality of the S3-backed static website. Looking at the distribution, you can see that CloudFront assigns a domain name:

CloudFront Distribution Settings

Try to access the website using a combination of various URLs:

http://<domainname>/:  Works

› curl -v http://d3gt20ea1hllb.cloudfront.net/
*   Trying 54.192.192.214...
* TCP_NODELAY set
* Connected to d3gt20ea1hllb.cloudfront.net (54.192.192.214) port 80 (#0)
> GET / HTTP/1.1
> Host: d3gt20ea1hllb.cloudfront.net
> User-Agent: curl/7.51.0
> Accept: */*
>
< HTTP/1.1 200 OK
< ETag: "cb7e2634fe66c1fd395cf868087dd3b9"
< Accept-Ranges: bytes
< Server: AmazonS3
< X-Cache: Miss from cloudfront
< X-Amz-Cf-Id: -D2FSRwzfcwyKZKFZr6DqYFkIf4t7HdGw2MkUF5sE6YFDxRJgi0R1g==
< Content-Length: 209
< Content-Type: text/html
< Last-Modified: Wed, 19 Jul 2017 19:21:16 GMT
< Via: 1.1 6419ba8f3bd94b651d416054d9416f1e.cloudfront.net (CloudFront), 1.1 iad6-proxy-3.amazon.com:80 (Cisco-WSA/9.1.2-010)
< Connection: keep-alive
<
<!doctype html>
<html>
    <head>
        <meta charset="utf-8">
        <title>Root home page</title>
    </head>
    <body>
        <p>Hello, this page resides in the root directory.</p>
    </body>
</html>
* Curl_http_done: called premature == 0
* Connection #0 to host d3gt20ea1hllb.cloudfront.net left intact

This is because CloudFront is configured to request a default root object (index.html) from the origin.

http://<domainname>/subdirectory/:  Doesn’t work

› curl -v http://d3gt20ea1hllb.cloudfront.net/subdirectory/
*   Trying 54.192.192.214...
* TCP_NODELAY set
* Connected to d3gt20ea1hllb.cloudfront.net (54.192.192.214) port 80 (#0)
> GET /subdirectory/ HTTP/1.1
> Host: d3gt20ea1hllb.cloudfront.net
> User-Agent: curl/7.51.0
> Accept: */*
>
< HTTP/1.1 200 OK
< ETag: "d41d8cd98f00b204e9800998ecf8427e"
< x-amz-server-side-encryption: AES256
< Accept-Ranges: bytes
< Server: AmazonS3
< X-Cache: Miss from cloudfront
< X-Amz-Cf-Id: Iqf0Gy8hJLiW-9tOAdSFPkL7vCWBrgm3-1ly5tBeY_izU82ftipodA==
< Content-Length: 0
< Content-Type: application/x-directory
< Last-Modified: Wed, 19 Jul 2017 19:21:24 GMT
< Via: 1.1 6419ba8f3bd94b651d416054d9416f1e.cloudfront.net (CloudFront), 1.1 iad6-proxy-3.amazon.com:80 (Cisco-WSA/9.1.2-010)
< Connection: keep-alive
<
* Curl_http_done: called premature == 0
* Connection #0 to host d3gt20ea1hllb.cloudfront.net left intact

If you use a tool such as cURL to test this, you notice that CloudFront and S3 are returning a blank response. The reason for this is that the subdirectory does exist, but it does not resolve to an S3 object. Keep in mind that S3 is an object store, so there are no real directories. User interfaces such as the S3 console present a hierarchical view of a bucket with folders based on the presence of forward slashes, but behind the scenes the bucket is just a collection of keys that represent stored objects.

http://<domainname>/subdirectory/index.html:  Works

› curl -v http://d3gt20ea1hllb.cloudfront.net/subdirectory/index.html
*   Trying 54.192.192.130...
* TCP_NODELAY set
* Connected to d3gt20ea1hllb.cloudfront.net (54.192.192.130) port 80 (#0)
> GET /subdirectory/index.html HTTP/1.1
> Host: d3gt20ea1hllb.cloudfront.net
> User-Agent: curl/7.51.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Thu, 20 Jul 2017 20:35:15 GMT
< ETag: "ddf87c487acf7cef9d50418f0f8f8dae"
< Accept-Ranges: bytes
< Server: AmazonS3
< X-Cache: RefreshHit from cloudfront
< X-Amz-Cf-Id: bkh6opXdpw8pUomqG3Qr3UcjnZL8axxOH82Lh0OOcx48uJKc_Dc3Cg==
< Content-Length: 227
< Content-Type: text/html
< Last-Modified: Wed, 19 Jul 2017 19:21:45 GMT
< Via: 1.1 3f2788d309d30f41de96da6f931d4ede.cloudfront.net (CloudFront), 1.1 iad6-proxy-3.amazon.com:80 (Cisco-WSA/9.1.2-010)
< Connection: keep-alive
<
<!doctype html>
<html>
    <head>
        <meta charset="utf-8">
        <title>Subdirectory home page</title>
    </head>
    <body>
        <p>Hello, this page resides in the /subdirectory/ directory.</p>
    </body>
</html>
* Curl_http_done: called premature == 0
* Connection #0 to host d3gt20ea1hllb.cloudfront.net left intact

This request works as expected because you are referencing the object directly. Now, you implement the Lambda@Edge function to return the default index.html page for any subdirectory. Looking at the example JavaScript code, here’s where the magic happens:

var newuri = olduri.replace(/\/$/, '\/index.html');

You are going to use a JavaScript regular expression to match any ‘/’ that occurs at the end of the URI and replace it with ‘/index.html’. This is equivalent to what S3 does on its own with static website hosting. However, as I mentioned earlier, you can’t rely on this if you want to use a policy on the bucket to restrict it so that users must access the bucket through CloudFront. That way, all requests to the S3 bucket must be authenticated using the S3 REST API. Because of this, you implement a Lambda@Edge function that takes any client request ending in ‘/’ and appends a default ‘index.html’ to the request before requesting the object from the origin.

In the Lambda console, choose Create function. On the next screen, skip the blueprint selection and choose Author from scratch, as you’ll use the sample code provided.

Next, configure the trigger. Choosing the empty box shows a list of available triggers. Choose CloudFront and select your CloudFront distribution ID (created earlier). For this example, leave Cache Behavior as * and CloudFront Event as Origin Request. Select the Enable trigger and replicate box and choose Next.

Lambda Trigger

Next, give the function a name and a description. Then, copy and paste the following code:

'use strict';
exports.handler = (event, context, callback) => {
    
    // Extract the request from the CloudFront event that is sent to Lambda@Edge
    var request = event.Records[0].cf.request;

    // Extract the URI from the request
    var olduri = request.uri;

    // Match any '/' that occurs at the end of a URI. Replace it with a default index
    var newuri = olduri.replace(/\/$/, '\/index.html');
    
    // Log the URI as received by CloudFront and the new URI to be used to fetch from origin
    console.log("Old URI: " + olduri);
    console.log("New URI: " + newuri);
    
    // Replace the received URI with the URI that includes the index page
    request.uri = newuri;
    
    // Return to CloudFront
    return callback(null, request);

};

Next, define a role that grants permissions to the Lambda function. For this example, choose Create new role from template, Basic Edge Lambda permissions. This creates a new IAM role for the Lambda function and grants the following permissions:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents"
            ],
            "Resource": [
                "arn:aws:logs:*:*:*"
            ]
        }
    ]
}

In a nutshell, these are the permissions that the function needs to create the necessary CloudWatch log group and log stream, and to put the log events so that the function is able to write logs when it executes.

After the function has been created, you can go back to the browser (or cURL) and re-run the test for the subdirectory request that failed previously:

› curl -v http://d3gt20ea1hllb.cloudfront.net/subdirectory/
*   Trying 54.192.192.202...
* TCP_NODELAY set
* Connected to d3gt20ea1hllb.cloudfront.net (54.192.192.202) port 80 (#0)
> GET /subdirectory/ HTTP/1.1
> Host: d3gt20ea1hllb.cloudfront.net
> User-Agent: curl/7.51.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Thu, 20 Jul 2017 21:18:44 GMT
< ETag: "ddf87c487acf7cef9d50418f0f8f8dae"
< Accept-Ranges: bytes
< Server: AmazonS3
< X-Cache: Miss from cloudfront
< X-Amz-Cf-Id: rwFN7yHE70bT9xckBpceTsAPcmaadqWB9omPBv2P6WkIfQqdjTk_4w==
< Content-Length: 227
< Content-Type: text/html
< Last-Modified: Wed, 19 Jul 2017 19:21:45 GMT
< Via: 1.1 3572de112011f1b625bb77410b0c5cca.cloudfront.net (CloudFront), 1.1 iad6-proxy-3.amazon.com:80 (Cisco-WSA/9.1.2-010)
< Connection: keep-alive
<
<!doctype html>
<html>
    <head>
        <meta charset="utf-8">
        <title>Subdirectory home page</title>
    </head>
    <body>
        <p>Hello, this page resides in the /subdirectory/ directory.</p>
    </body>
</html>
* Curl_http_done: called premature == 0
* Connection #0 to host d3gt20ea1hllb.cloudfront.net left intact

You have now configured a way for CloudFront to return a default index page for subdirectories in S3!
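The handler above only rewrites URIs that end in ‘/’, so a request for /subdirectory (no trailing slash) is still fetched from S3 as a key that the walkthrough bucket does not contain. As an added example (not code from the original post), the variant below keeps the post's rewrite and also answers extension-less paths with a 301 to the slash-terminated form. The names resolveIndex, sampleEvent and invoke, and the rule that a last path segment without a dot is a directory, are assumptions, and the events are constructed.

```javascript
'use strict';

// Added example, not the original post's code. DEFAULT_INDEX and the
// "no dot in the last segment means directory" rule are assumptions.
const DEFAULT_INDEX = 'index.html';

// Decide what to do with a request URI as CloudFront passes it to an
// origin-request trigger (path only; the query string is a separate field).
function resolveIndex(uri) {
    // Same rule as the post: a trailing '/' maps to the default index object.
    if (uri.endsWith('/')) {
        return { action: 'rewrite', uri: uri + DEFAULT_INDEX };
    }

    const lastSegment = uri.substring(uri.lastIndexOf('/') + 1);
    if (lastSegment !== '' && !lastSegment.includes('.')) {
        // Keep exactly one leading '/' so the Location header is always a
        // same-host path and never a scheme-relative '//host/...' reference.
        return { action: 'redirect', location: '/' + uri.replace(/^\/+/, '') + '/' };
    }

    // Anything that looks like a file name goes to the origin unchanged.
    return { action: 'pass', uri: uri };
}

const handler = (event, context, callback) => {
    const request = event.Records[0].cf.request;
    const decision = resolveIndex(request.uri);

    if (decision.action === 'redirect') {
        // Returning a response object from an origin-request trigger makes
        // CloudFront answer the viewer without contacting S3.
        const qs = request.querystring ? '?' + request.querystring : '';
        return callback(null, {
            status: '301',
            statusDescription: 'Moved Permanently',
            headers: {
                location: [{ key: 'Location', value: decision.location + qs }],
            },
        });
    }

    request.uri = decision.uri;
    return callback(null, request);
};

// Constructed origin-request event carrying only the fields used above.
function sampleEvent(uri, querystring = '') {
    return { Records: [{ cf: { request: { method: 'GET', uri, querystring, headers: {} } } }] };
}

// Run the handler against a constructed event and return what CloudFront
// would receive (a request to forward, or a generated response).
function invoke(uri, querystring) {
    let result;
    handler(sampleEvent(uri, querystring), {}, (err, value) => { result = value; });
    return result;
}

// Export for Lambda when running as a CommonJS module.
if (typeof module !== 'undefined') {
    module.exports = { handler };
}

// Local demonstration when the file is run directly with Node.js.
if (typeof require !== 'undefined' && require.main === module) {
    for (const uri of ['/', '/subdirectory/', '/subdirectory', '/subdirectory/index.html']) {
        console.log(uri, '=>', JSON.stringify(invoke(uri)));
    }
}
```

Because the redirect is generated at the edge, it needs the same Origin Request trigger configured in the walkthrough.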

Summary

In this post, you used Lambda@Edge to be able to use CloudFront with an S3 origin access identity and serve a default root object on subdirectory URLs. To find out some more about this use-case, see Lambda@Edge integration with CloudFront in our documentation.

If you have questions or suggestions, feel free to comment below. For troubleshooting or implementation help, check out the Lambda forum.

Amazon Lightsail Update – Launch and Manage Windows Virtual Private Servers

Post Syndicated from Jeff Barr original https://aws.amazon.com/blogs/aws/amazon-lightsail-update-launch-and-manage-windows-virtual-private-servers/

I first told you about Amazon Lightsail last year in my blog post, Amazon Lightsail – the Power of AWS, the Simplicity of a VPS. Since last year’s launch, thousands of customers have used Lightsail to get started with AWS, launching Linux-based Virtual Private Servers.

Today we are adding support for Windows-based Virtual Private Servers. You can launch a VPS that runs Windows Server 2012 R2, Windows Server 2016, or Windows Server 2016 with SQL Server 2016 Express and be up and running in minutes. You can use your VPS to build, test, and deploy .NET or Windows applications without having to set up or run any infrastructure. Backups, DNS management, and operational metrics are all accessible with a click or two.

Servers are available in five sizes, with 512 MB to 8 GB of RAM, 1 or 2 vCPUs, and up to 80 GB of SSD storage. Prices (including software licenses) start at $10 per month:

You can try out a 512 MB server for one month (up to 750 hours) at no charge.

Launching a Windows VPS
To launch a Windows VPS, log in to Lightsail, click on Create instance, and select the Microsoft Windows platform. Then click on Apps + OS if you want to run SQL Server 2016 Express, or OS Only if Windows is all you need:

If you want to use a PowerShell script to customize your instance after it launches for the first time, click on Add launch script and enter the script:

Choose your instance plan, enter a name for your instance(s), and select the quantity to be launched, then click on Create:

Your instance will be up and running within a minute or so:

Click on the instance, and then click on Connect using RDP:

This will connect using a built-in, browser-based RDP client (you can also use the IP address and the credentials with another client):

Available Today
This feature is available today in the US East (Northern Virginia), US East (Ohio), US West (Oregon), EU (London), EU (Ireland), EU (Frankfurt), Asia Pacific (Singapore), Asia Pacific (Mumbai), Asia Pacific (Sydney), and Asia Pacific (Tokyo) Regions.

Jeff;

 

"Responsible encryption" fallacies

Post Syndicated from Robert Graham original http://blog.erratasec.com/2017/10/responsible-encryption-fallacies.html

Deputy Attorney General Rod Rosenstein gave a speech recently calling for “Responsible Encryption” (aka “Crypto Backdoors”). It’s full of dangerous ideas that need to be debunked.

The importance of law enforcement

The first third of the speech talks about the importance of law enforcement, as if it’s the only thing standing between us and chaos. It cites the 2016 Mirai attacks as an example of the chaos that will only get worse without stricter law enforcement.

But the Mirai case demonstrated the opposite, how law enforcement is not needed. They made no arrests in the case. A year later, they still haven’t a clue who did it.

Conversely, we technologists have fixed the major infrastructure issues. Specifically, those affected by the DNS outage have moved to multiple DNS providers, including high-capacity DNS providers like Google and Amazon, which can handle such large attacks easily.

In other words, we the people fixed the major Mirai problem, and law-enforcement didn’t.

Moreover, instead of being a solution to cyber threats, law enforcement has become a threat itself. The DNC didn’t have the FBI investigate the attacks from Russia likely because they didn’t want the FBI reading all their files, finding wrongdoing by the DNC. It’s not that they did anything actually wrong, but it’s more like that famous quote from Richelieu “Give me six words written by the most honest of men and I’ll find something to hang him by”. Give all your internal emails over to the FBI and I’m certain they’ll find something to hang you by, if they want.

Or consider the case of Andrew Auernheimer. He found AT&T’s website made public user accounts of the first iPad, so he copied some down and posted them to a news site. AT&T had denied the problem, so making the problem public was the only way to force them to fix it. Such access to the website was legal, because AT&T had made the data public. However, prosecutors disagreed. In order to protect the powerful, they twisted and perverted the law to put Auernheimer in jail.

It’s not that law enforcement is bad, it’s that it’s not the unalloyed good Rosenstein imagines. When law enforcement becomes the thing Rosenstein describes, it means we live in a police state.

Where law enforcement can’t go

Rosenstein repeats the frequent claim in the encryption debate:

Our society has never had a system where evidence of criminal wrongdoing was totally impervious to detection

Of course our society has places “impervious to detection”, protected by both legal and natural barriers.

An example of a legal barrier is how spouses can’t be forced to testify against each other. This barrier is impervious.

A better example, though, is how so much of government, intelligence, the military, and law enforcement itself is impervious. If prosecutors could gather evidence everywhere, then why isn’t Rosenstein prosecuting those guilty of CIA torture?

Oh, you say, government is a special exception. If that were the case, then why did Rosenstein dedicate a precious third of his speech to discussing the “rule of law” and how it applies to everyone, “protecting people from abuse by the government”? It obviously doesn’t; there’s one rule for government and a different rule for the people, and the rule for government means there’s lots of places law enforcement can’t go to gather evidence.

Likewise, the crypto backdoor Rosenstein is demanding for citizens doesn’t apply to the President, Congress, the NSA, the Army, or Rosenstein himself.

Then there are the natural barriers. The police can’t read your mind. They can only get the evidence that is there, like partial fingerprints, which are far less reliable than full fingerprints. They can’t go backwards in time.

I mention this because encryption is a natural barrier. It’s their job to overcome this barrier if they can, to crack crypto and so forth. It’s not our job to do it for them.

It’s like the camera that increasingly comes with TVs for video conferencing, or the microphone on Alexa-style devices that are always recording. This suddenly creates evidence that the police want our help in gathering, such as having the camera turned on all the time, recording to disk, in case the police later get a warrant to peer backward in time at what happened in our living rooms. The “nothing is impervious” argument applies here as well. And it’s equally bogus here. By not helping police by not recording our activities, we aren’t somehow breaking some long standing tradit

And this is the scary part. It’s not that we are breaking some ancient tradition that there’s no place the police can’t go (with a warrant). Instead, crypto backdoors break the tradition that never before have I been forced to help them eavesdrop on me, even before I’m a suspect, even before any crime has been committed. Sure, laws like CALEA force the phone companies to help the police against wrongdoers — but here Rosenstein is insisting I help the police against myself.

Balance between privacy and public safety

Rosenstein repeats the frequent claim that encryption upsets the balance between privacy/safety:

Warrant-proof encryption defeats the constitutional balance by elevating privacy above public safety.

This is laughable, because technology has swung the balance alarmingly in favor of law enforcement. Far from “Going Dark” as his side claims, the problem we are confronted with is “Going Light”, where the police state monitors our every action.

You are surrounded by recording devices. If you walk down the street in town, outdoor surveillance cameras feed police facial recognition systems. If you drive, automated license plate readers can track your route. If you make a phone call or use a credit card, the police get a record of the transaction. If you stay in a hotel, they demand your ID, for law enforcement purposes.

And that’s their stuff, which is nothing compared to your stuff. You are never far from a recording device you own, such as your mobile phone, TV, Alexa/Siri/OkGoogle device, laptop. Modern cars from the last few years increasingly have always-on cell connections and data recorders that record your every action (and location).

Even if you hike out into the country, when you get back, the FBI can subpoena your GPS device to track down your hidden weapons cache, or grab the photos from your camera.

And this is all offline. So much of what we do is now online. Of the photographs you own, fewer than 1% are printed out, the rest are on your computer or backed up to the cloud.

Your phone is also a GPS recorder of your exact position all the time, which, if the government wins the Carpenter case, the police can grab without a warrant. Tagging all citizens with a recording device of their position is not “balance” but the premise for a novel more dystopic than 1984.

If suspected of a crime, which would you rather the police searched? Your person, houses, papers, and physical effects? Or your mobile phone, computer, email, and online/cloud accounts?

The balance of privacy and safety has swung so far in favor of law enforcement that rather than debating whether they should have crypto backdoors, we should be debating how to add more privacy protections.

“But it’s not conclusive”

Rosenstein defends the “going light” (“Golden Age of Surveillance”) by pointing out it’s not always enough for conviction. Nothing gives a conviction better than a person’s own words admitting to the crime that were captured by surveillance. This other data, while copious, often fails to convince a jury beyond a reasonable doubt.
This is nonsense. Police got along well enough before the digital age, before such widespread messaging. They solved terrorist and child abduction cases just fine in the 1980s. Sure, somebody’s GPS location isn’t by itself enough — until you go there and find all the buried bodies, which leads to a conviction. “Going dark” imagines that somehow, the evidence they’ve been gathering for centuries is going away. It isn’t. It’s still here, and matches up with even more digital evidence.
Conversely, a person’s own words are not as conclusive as you think. There’s always missing context. We quickly get back to the Richelieu “six words” problem, where captured communications are twisted to convict people, with defense lawyers trying to untwist them.

Rosenstein’s claim may be true, that a lot of criminals will go free because the other electronic data isn’t convincing enough. But I’d need to see that claim backed up with hard studies, not thrown out for emotional impact.

Terrorists and child molesters

You can always tell the lack of seriousness of law enforcement when they bring up terrorists and child molesters.
To be fair, sometimes we do need to talk about terrorists. There are things unique to terrorism where we may need to give government explicit powers to address those unique concerns. For example, the NSA buys mobile phone 0day exploits in order to hack terrorist leaders in tribal areas. This is a good thing.
But when terrorists use encryption the same way everyone else does, then it’s not a unique reason to sacrifice our freedoms to give the police extra powers. Either it’s a good idea for all crimes or no crimes — there’s nothing particular about terrorism that makes it an exceptional crime. Dead people are dead. Any rational view of the problem relegates terrorism to be a minor problem. More citizens have died since September 8, 2001 from their own furniture than from terrorism. According to studies, the hot water from the tap is more of a threat to you than terrorists.
Yes, government should do what they can to protect us from terrorists, but no, it’s not so bad of a threat that requires the imposition of a military/police state. When people use terrorism to justify their actions, it’s because they are trying to form a military/police state.
A similar argument works with child porn. Here’s the thing: the pervs aren’t exchanging child porn using the services Rosenstein wants to backdoor, like Apple’s Facetime or Facebook’s WhatsApp. Instead, they are exchanging child porn using custom services they build themselves.
Again, I’m (mostly) on the side of the FBI. I support their idea of buying 0day exploits in order to hack the web browsers of visitors to the secret “PlayPen” site. This is something that’s narrow to this problem and doesn’t endanger the innocent. On the other hand, their calls for crypto backdoors endanger the innocent while doing effectively nothing to address child porn.
Terrorists and child molesters are a clichéd, non-serious excuse to appeal to our emotions to give up our rights. We should not give in to such emotions.

Definition of “backdoor”

Rosenstein claims that we shouldn’t call backdoors “backdoors”:

No one calls any of those functions [like key recovery] a “back door.”  In fact, those capabilities are marketed and sought out by many users.

He’s partly right in that we rarely refer to PGP’s key escrow feature as a “backdoor”.

But that’s because the term “backdoor” refers less to how it’s done and more to who is doing it. If I set up a recovery password with Apple, I’m the one doing it to myself, so we don’t call it a backdoor. If it’s the police, spies, hackers, or criminals, then we call it a “backdoor” — even if it’s identical technology.

Wikipedia uses the key escrow feature of the 1990s Clipper Chip as a prime example of what everyone means by “backdoor”. By “no one”, Rosenstein is including Wikipedia, which is obviously incorrect.

Though in truth, it’s not going to be the same technology. The needs of law enforcement are different than my personal key escrow/backup needs. In particular, there are unsolvable problems, such as a backdoor that works for the “legitimate” law enforcement in the United States but not for the “illegitimate” police states like Russia and China.

I feel for Rosenstein, because the term “backdoor” does have a pejorative connotation, which can be considered unfair. But that’s like saying the word “murder” is a pejorative term for killing people, or “torture” is a pejorative term for torture. The bad connotation exists because we don’t like government surveillance. I mean, honestly calling this feature “government surveillance feature” is likewise pejorative, and likewise exactly what it is that we are talking about.

Providers

Rosenstein focuses his arguments on “providers”, like Snapchat or Apple. But this isn’t the question.

The question is whether a “provider” like Telegram, a Russian company beyond US law, provides this feature. Or, by extension, whether individuals should be free to install whatever software they want, regardless of provider.

Telegram is a Russian company that provides end-to-end encryption. Anybody can download their software in order to communicate so that American law enforcement can’t eavesdrop. They aren’t going to put in a backdoor for the U.S. If we succeed in putting backdoors in Apple and WhatsApp, all this means is that criminals are going to install Telegram.

If, for some reason, the US is able to convince all such providers (including Telegram) to install a backdoor, then it still doesn’t solve the problem, as users can just build their own end-to-end encryption app that has no provider. It’s like email: some use the major providers like GMail, others set up their own email server.

Ultimately, this means that any law mandating “crypto backdoors” is going to target users not providers. Rosenstein tries to make a comparison with what plain-old telephone companies have to do under old laws like CALEA, but that’s not what’s happening here. Instead, for such rules to have any effect, they have to punish users for what they install, not providers.

This continues the argument I made above. Government backdoors are not something that forces Internet services to eavesdrop on us — they force us to help the government spy on ourselves.
Rosenstein tries to address this by pointing out that it’s still a win if major providers like Apple and Facetime are forced to add backdoors, because they are the most popular, and some terrorists/criminals won’t move to alternate platforms. This is false. People with good intentions, who are unfairly targeted by a police state, the ones where police abuse is rampant, are the ones who use the backdoored products. Those with bad intentions, who know they are guilty, will move to the safe products. Indeed, Telegram is already popular among terrorists because they believe American services are already all backdoored. 
Rosenstein is essentially demanding the innocent get backdoored while the guilty don’t. This seems backwards. This is backwards.

Apple is morally weak

The reason I’m writing this post is because Rosenstein makes a few claims that cannot be ignored. One of them is how he describes Apple’s response to government insistence on weakening encryption: doing the opposite, strengthening encryption. He reasons this happens because:

Of course they [Apple] do. They are in the business of selling products and making money. 

We [the DoJ] use a different measure of success. We are in the business of preventing crime and saving lives. 

He swells in importance. His condescending tone ennobles himself while debasing others. But this isn’t how things work. He’s not some white knight above the peasantry, protecting us. He’s a beat cop, a civil servant, who serves us.

A better phrasing would have been:

They are in the business of giving customers what they want.

We are in the business of giving voters what they want.

Both sides are doing the same, giving people what they want. Yes, voters want safety, but they also want privacy. Rosenstein imagines that he’s free to ignore our demands for privacy as long as he’s fulfilling his duty to protect us. He has explicitly rejected what people want, “we use a different measure of success”. He imagines it’s his job to tell us where the balance between privacy and safety lies. That’s not his job, that’s our job. We, the people (and our representatives), make that decision, and his job is to do what he’s told. His measure of success is how well he fulfills our wishes, not how well he satisfies his imagined criteria.

That’s why those of us on this side of the debate doubt the good intentions of those like Rosenstein. He criticizes Apple for wanting to protect our rights/freedoms, and declares they measure success differently.

They are willing to be vile

Rosenstein makes this argument:

Companies are willing to make accommodations when required by the government. Recent media reports suggest that a major American technology company developed a tool to suppress online posts in certain geographic areas in order to embrace a foreign government’s censorship policies. 

Let me translate this for you:

Companies are willing to acquiesce to vile requests made by police-states. Therefore, they should acquiesce to our vile police-state requests.

It’s Rosenstein who is admitting here that his requests are those of a police-state.

Constitutional Rights

Rosenstein says:

There is no constitutional right to sell warrant-proof encryption.

Maybe. It’s something the courts will have to decide. There are many 1st, 2nd, 3rd, 4th, and 5th Amendment issues here.
The reason we have the Bill of Rights is because of the abuses of the British Government. For example, they quartered troops in our homes, as a way of punishing us, and as a way of forcing us to help in our own oppression. The troops weren’t there to defend us against the French, but to defend us against ourselves, to shoot us if we got out of line.

And that’s what crypto backdoors do. We are forced to be agents of our own oppression. The principles enumerated by Rosenstein apply to a wide range of even additional surveillance. With little change to his speech, it can equally argue why the constant TV video surveillance from 1984 should be made law.

Let’s go back and look at Apple. It is not some base company exploiting consumers for profit. Apple doesn’t have guns, they cannot make people buy their product. If Apple doesn’t provide customers what they want, then customers vote with their feet, and go buy an Android phone. Apple isn’t providing encryption/security in order to make a profit — it’s giving customers what they want in order to stay in business.
Conversely, if we citizens don’t like what the government does, tough luck, they’ve got the guns to enforce their edicts. We can’t easily vote with our feet and walk to another country. A “democracy” is far less democratic than capitalism. Apple is a minority, selling phones to 45% of the population, and that’s fine, the minority get the phones they want. In a Democracy, where citizens vote on the issue, those 45% are screwed, as the 55% impose their will unwanted onto the remainder.

That’s why we have the Bill of Rights, to protect the 49% against abuse by the 51%. Regardless whether the Supreme Court agrees the current Constitution, it is the sort of right that might exist regardless of what the Constitution says.

Obliged to speak the truth

Here is another part of his speech that I feel cannot be ignored. We have to discuss this:

Those of us who swear to protect the rule of law have a different motivation.  We are obliged to speak the truth.

The truth is that “going dark” threatens to disable law enforcement and enable criminals and terrorists to operate with impunity.

This is not true. Sure, he’s obliged to say the absolute truth, in court. He’s also obliged to be truthful in general about facts in his personal life, such as not lying on his tax return (the sort of thing that can get lawyers disbarred).

But he’s not obliged to tell his spouse his honest opinion whether that new outfit makes them look fat. Likewise, Rosenstein knows his opinion on public policy doesn’t fall into this category. He can say with impunity that either global warming doesn’t exist, or that it’ll cause a biblical deluge within 5 years. Both are factually untrue, but it’s not going to get him fired.

And this particular claim is also exaggerated bunk. While everyone agrees encryption makes law enforcement’s job harder than with backdoors, nobody honestly believes it can “disable” law enforcement. While everyone agrees that encryption helps terrorists, nobody believes it can enable them to act with “impunity”.

I feel bad here. It’s a terrible thing to question your opponent’s character this way. But Rosenstein made this unavoidable when he clearly, with no ambiguity, put his integrity as Deputy Attorney General on the line behind the statement that “going dark threatens to disable law enforcement and enable criminals and terrorists to operate with impunity”. I feel it’s a bald-faced lie, but you don’t need to take my word for it. Read his own words yourself and judge his integrity.

Conclusion

Rosenstein’s speech includes repeated references to ideas like “oath”, “honor”, and “duty”. It reminds me of Col. Jessup’s speech in the movie “A Few Good Men”.

If you’ll recall, it was a rousing speech, “you want me on that wall” and “you use words like honor as a punchline”. Of course, since he was violating his oath and sending two privates to death row in order to avoid being held accountable, it was Jessup himself who was crapping on the concepts of “honor”, “oath”, and “duty”.

And so is Rosenstein. He imagines himself on that wall, doing albeit terrible things, justified by his duty to protect citizens. He imagines that it’s he who is honorable, while the rest of us are not, even as he utters bald-faced lies to further his own power and authority.

We activists oppose crypto backdoors not because we lack honor, or because we are criminals, or because we support terrorists and child molesters. It’s because we value privacy and fear government officials who get corrupted by power. It’s not that we fear Trump becoming a dictator, it’s that we fear bureaucrats at Rosenstein’s level becoming drunk on authority — which Rosenstein demonstrably has. His speech is a long train of corrupt ideas pursuing the same object of despotism — a despotism we oppose.

In other words, we oppose crypto backdoors because it’s not a tool of law enforcement, but a tool of despotism.

Iran Arrests Six Movie Pirates After Rival ‘Licensed’ Pirates Complain

Post Syndicated from Andy original https://torrentfreak.com/iran-arrests-six-movie-pirates-after-rival-licensed-pirates-complain-171003/

Article 23 of Iran’s Copyright law is quite clear. Anyone who publishes, distributes or broadcasts another person’s work without permission “shall be condemned to corrective imprisonment for a period of time not less than six months and not more than three years.”

That being said, not all content receives protection. Since there are no copyright agreements between Iran and the United States, for example, US content is pirated almost at will in the country. Even the government itself has run ‘warez’ servers in the past.

That makes the arrest late last month of six men tied to movie piracy site TinyMoviez all the more unusual. At first view (translated image below), the site looks just like any other streaming portal offering Hollywood movies.

TinyMoviez

Indeed, much of the content comes from abroad, augmented with local Farsi-language subtitles or audio voiceovers.

However, according to a source cited by the Center for Human Rights in Iran (CHRI), the site was targeted because rival pirate sites (which had been licensed to ‘pirate’ by the Iranian government) complained about its unlicensed status.

“In July and August [2017], there was a meeting between a number of Iranian start-up companies and [current Telecommunications Minister Mohammad Javad Azari] Jahromi, who was asked by film and TV series distributors as well as video game developers to help shut down and monitor unlicensed rivals,” a film distributor in Tehran told CHRI.

“The start-ups made the request because they could not compete with a site like TinyMovies,” the source added. “After that meeting, Jahromi was nicknamed the ‘Start-Up Tsar’ because of his supportive comments. They were happy that he became the minister.”

That being said, the announcement from the authorities suggested broader issues, including that the site offered movies (none are singled out) that may be unacceptable by Iranian standards.

“Tehran’s prosecutor, after referral of the case to the Cyberspace corruption and prostitution department, said that the defendants in the case, of whom six were currently detained, produced vagabond and pornographic films and sold them in cyberspace,” Tehran Prosecutor Abbas Jafari Dowlatabadi said in an announcement.

“This gang illegally operated the largest source for downloading Hollywood movies and over the past three years, has distributed 18,000 foreign films and series after dubbing, many of which were indecent and immoral, and thus facilitated by illegitimate funds.”

While the authorities say that TinyMoviez has been taken down, various URLs (including Tinyz.us, ironically) now divert to a new domain, Timoviez2.net. However, at least for the moment, download links seem to be disabled.

Source: TF, for the latest info on copyright, file-sharing, torrent sites and ANONYMOUS VPN services.

Russian Hacking Tools Codenamed WhiteBear Exposed

Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2017/09/russian_hacking.html

Kaspersky Labs exposed a highly sophisticated set of hacking tools from Russia called WhiteBear.

From February to September 2016, WhiteBear activity was narrowly focused on embassies and consular operations around the world. All of these early WhiteBear targets were related to embassies and diplomatic/foreign affair organizations. Continued WhiteBear activity later shifted to include defense-related organizations into June 2017. When compared to WhiteAtlas infections, WhiteBear deployments are relatively rare and represent a departure from the broader Skipper Turla target set. Additionally, a comparison of the WhiteAtlas framework to WhiteBear components indicates that the malware is the product of separate development efforts. WhiteBear infections appear to be preceded by a condensed spearphishing dropper, lack Firefox extension installer payloads, and contain several new components signed with a new code signing digital certificate, unlike WhiteAtlas incidents and modules.

The exact delivery vector for WhiteBear components is unknown to us, although we have very strong suspicion the group spearphished targets with malicious pdf files. The decoy pdf document above was likely stolen from a target or partner. And, although WhiteBear components have been consistently identified on a subset of systems previously targeted with the WhiteAtlas framework, and maintain components within the same filepaths and can maintain identical filenames, we were unable to firmly tie delivery to any specific WhiteAtlas component. WhiteBear focused on various embassies and diplomatic entities around the world in early 2016 — tellingly, attempts were made to drop and display decoy pdf’s with full diplomatic headers and content alongside executable droppers on target systems.

One of the clever things the tool does is use hijacked satellite connections for command and control, helping it evade detection by broad surveillance capabilities like what the NSA uses. We’ve seen Russian attack tools that do this before. More details are in the Kaspersky blog post.

Given all the trouble Kaspersky is having because of its association with Russia, it’s interesting to speculate on this disclosure. Either they are independent, and have burned a valuable Russian hacking toolset. Or the Russians decided that the toolset was already burned — maybe the NSA knows all about it and has neutered it somehow — and allowed Kaspersky to publish. Or maybe it’s something in between. That’s the problem with this kind of speculation: without any facts, your theories just amplify whatever opinion you had previously.

Oddly, there hasn’t been much press about this. I have only found one story.

EDITED TO ADD: A colleague pointed out to me that Kaspersky announcements like this often get ignored by the press. There was very little written about ProjectSauron, for example.

EDITED TO ADD: The text I originally wrote said that Kaspersky released the attack tools, like what Shadow Brokers is doing. They did not. They just exposed the existence of them. Apologies for that error — it was sloppy wording.

Should US Border Cops Need a Warrant To Search Devices?

Post Syndicated from Darknet original http://feedproxy.google.com/~r/darknethackers/~3/nkJXOQKsHkU/

The answer from me is, OF COURSE, f&ck yes. They can’t search your home, car and anywhere else in the country, they would need a warrant to search devices too. A case by the EFF (Electronic Frontier Foundation) is heading to the Fifth Circuit Court of Appeals in the US to find out what should […]


No, GDBOP Will Not Spy on Your Chats

Post Syndicated from Bozho original https://blog.bozho.net/blog/2851

In recent days a news story appeared claiming that “GDBOP can now spy on Viber, Facebook and Skype”. Of course, this is not true. GDBOP will not be able to spy on anything. The article itself also notes that the specification does not make clear whether it concerns seized mobile devices or monitoring them in real time. The headline, however, is loud and implies spying.

From the specification it is nonetheless fairly clear, and once we look at the winning software (Oxygen Forensic) entirely clear, that this is about extracting information from devices that are under the physical control of the investigating authorities (i.e. seized as evidence). The software allows contacts and messages to be extracted (it is unclear with what success rate, since the FBI recently had considerable difficulty extracting encrypted data from an iPhone).

Monitoring this communication without the device being physically under the authorities’ control is possible only if spyware is installed on it. Oxygen Forensics (as the name suggests) is not spyware. And installing spyware is in essence a special intelligence means (SRS) and requires a court order. That is, even if the court signs them off by the kilogram (as in Tsvetanov’s time), there cannot be mass surveillance. Moreover, there is no guarantee that your phone will be infected, especially if you have good user habits. Also, spyware would not be bought through an open public procurement, if only because Apple and Google would immediately patch any security holes once they learned that it was possible to “spy on” the devices.

Reading messages “in transit”, i.e. by intercepting the communication between the devices and the servers, is impossible, at least for the most popular applications. All of them use an encrypted connection to the server, and some (such as Signal, WhatsApp and Telegram) encrypt the connection “end to end”, i.e. even the server through which the messages pass has no way of reading what the messages say. Only the sender and the recipient can. Why is there no way? Because the mathematical problems underlying this encryption (or “enciphering”) are unsolvable with today’s computers (at least not within reasonable periods of time).

Why I have to act as PR for GDBOP, instead of them clarifying the matter with a press release, is another topic. But the topic of protecting personal privacy is important. From that point of view it is great that the media follow it. From another point of view, it is not good for the headline to be misleading.

So: GDBOP will not be able to spy on our chats. Not that they wouldn’t like to; there is simply no technological possibility. But it is important to follow both the procurements and the legislation, because over the years there has been more than one attempt to push through provisions in the Electronic Communications Act that would let the authorities and the services obtain information from mobile and internet providers. So far these attempts have had little success, but they will continue, under the pretext of “national security”.

In fact, last autumn amendments to the Disaster Protection Act were adopted which were in practice amendments to the Electronic Communications Act and gave “Fire Safety” the ability to request traffic data in the case of a person in distress (for example, someone lost in the mountains). The amendments were adopted under the fast-track procedure (within a single plenary sitting). At first glance there is no problem, since in such cases it really would be life-saving for mobile operators to quickly provide information about the last location of a given SIM card. The question, as always, is whether it can be abused.

And finally a recommendation: the most secure messaging applications are Signal and WhatsApp (which uses the same protocol as Signal), followed by Telegram and Viber (although there are some disputes about them (Telegram, Viber)).

Court Hands Internet Textbook Pirates Suspended Sentences

Post Syndicated from Andy original https://torrentfreak.com/court-hands-internet-textbook-pirates-suspended-sentences-170624/

All types of media content can be exploited online with movies, TV shows, and music among the most popular among pirates. However, in recent years books have proven desirable, especially those that otherwise have hefty price tags.

Textbooks are particularly well known for their stiff pricing, something which presents a thorn in the side for thousands of students every year. Making matters worse, books are often marginally tweaked per revision, ensuring that second owner books lose their value. This isn’t something that affects pirates though.

Over the years, many file-sharing sites have catered to people seeking textbooks for free, with many building up a dedicated following. Others, however, have seen the opportunity to make some money, offering broad but illegal access to textbooks for a nominal fee.

That was the case with Denmark-based website LendStudy. It provided students with access to hundreds of textbooks for a comparatively reasonable price of 300 kroner ($45.00) per semester. Unfortunately, that attracted the attention of anti-piracy outfit Rights Alliance, who pursued a case against its operators.

In court this week, three men aged 26, 31 and 71 stood accused of scanning and then making available at least 198 copyrighted textbooks to paying members. Between August 2013 and October 2014 it was alleged the textbooks were downloaded from the site 2,574 times, netting the men revenues of around $3,500.

According to local media, all three men initially pleaded not guilty but later admitted being operators of the site.

The court heard how Rights Alliance tried to create an account on LendStudy but its request for membership was discovered and rejected by the site’s operators. Other evidence presented by the prosecution included photographs of the men loading computers, scanners, and other IT equipment into a car.

“It is expensive for students to acquire new knowledge. Lendstudy wanted to spread knowledge in the form of books that give students more opportunities for new knowledge,” the 31-year-old defendant said in court.

Unfortunately for the site’s operators, the desire to enrich the minds of students failed to persuade the court that piracy could be ignored. All three were found guilty of criminal copyright infringement and handed four-month conditional jail sentences. The LundStudy.dk domain was confiscated.

The notice on the LendStudy site

“If textbooks are made freely available or sold illegally, publishers have less incentive to produce textbooks,” said Martin Lindø Westeraaard from University Press of Southern Denmark.

“It will be detrimental both for publishers and for the students, who will lose the opportunity to read Danish-language textbooks.”

A claim for damages against the men will now be pursued by Rights Alliance in a civil case.

Source: TF, for the latest info on copyright, file-sharing, torrent sites and ANONYMOUS VPN services.

Amazon Lightsail Update – 9 More Regions and Global Console

Post Syndicated from Jeff Barr original https://aws.amazon.com/blogs/aws/amazon-lightsail-update-9-more-regions-and-global-console/

Amazon Lightsail lets you launch Virtual Private Servers on AWS with just a few clicks. With prices starting at $5 per month, Lightsail takes care of the heavy lifting and gives you a simple way to build and host applications. As I showed you in my re:Invent post (Amazon Lightsail – The Power of AWS, the Simplicity of a VPS), you can choose a configuration from a menu and launch a virtual machine preconfigured with SSD-based storage, DNS management, and a static IP address.

Since we launched in November, many customers have used Lightsail to launch Virtual Private Servers. For example, Monash University is using Amazon Lightsail to rapidly re-platform a number of CMS services in a simple and cost-effective manner. They have already migrated 50 workloads and are now thinking of creating an internal CMS service based on Lightsail to allow staff and students to create their own CMS instances in a self-service manner.

Today we are expanding Lightsail into nine more AWS Regions and launching a new, global console.

New Regions
At re:Invent we made Lightsail available in the US East (Northern Virginia) Region. Earlier this month we added support for several additional Regions in the US and Europe. Today we are launching Lightsail in four of our Asia Pacific Regions, bringing the total to ten. Here’s the full list:

  • US East (Northern Virginia)
  • US West (Oregon)
  • US East (Ohio)
  • EU (London)
  • EU (Frankfurt)
  • EU (Ireland)
  • Asia Pacific (Mumbai)
  • Asia Pacific (Tokyo)
  • Asia Pacific (Singapore)
  • Asia Pacific (Sydney)

Global Console
The updated Lightsail console makes it easy for you to create and manage resources in one or more Regions. I simply choose the desired Region when I create a new instance:

I can see all of my instances and static IP addresses on the same page, no matter what Region they are in:

And I can perform searches that span all of my resources and Regions. All of my LAMP stacks:

Or all of my resources in the EU (Ireland) Region:

I can perform a similar search on the Snapshots tab:

A new DNS zones tab lets me see my existing zones and create new ones:

Creation of SSH keypairs is now specific to a Region:

I can manage my key pairs on a Region-by-Region basis:

Static IP addresses are also specific to a particular Region:

Available Now
You can use the new Lightsail console and create resources in all ten Regions today!

Jeff;

 

Extending the Airplane Laptop Ban

Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2017/05/extending_the_a.html

The Department of Homeland Security is rumored to be considering extending the current travel ban on large electronics for Middle Eastern flights to European ones as well. The likely reaction of airlines will be to implement new traveler programs, effectively allowing wealthier and more frequent fliers to bring their computers with them. This will only exacerbate the divide between the haves and the have-nots — all without making us any safer.

In March, both the United States and the United Kingdom required that passengers from 10 Muslim countries give up their laptop computers and larger tablets, and put them in checked baggage. The new measure was based on reports that terrorists would try to smuggle bombs onto planes concealed in these larger electronic devices.

The security measure made no sense for two reasons. First, moving these computers into the baggage holds doesn’t keep them off planes. Yes, it is easier to detonate a bomb that’s in your hands than to remotely trigger it in the cargo hold. But it’s also more effective to screen laptops at security checkpoints than it is to place them in checked baggage. TSA already does this kind of screening randomly and occasionally: making passengers turn laptops on to ensure that they’re functional computers and not just bomb-filled cases, and running chemical tests on their surface to detect explosive material.

And, two, banning laptops on selected flights just forces terrorists to buy more roundabout itineraries. It doesn’t take much creativity to fly Doha-Amsterdam-New York instead of direct. Adding Amsterdam to the list of affected airports makes the terrorist add yet another itinerary change; it doesn’t remove the threat.

Which brings up another question: If this is truly a threat, why aren’t domestic flights included in this ban? Remember that anyone boarding a plane to the United States from these Muslim countries has already received a visa to enter the country. This isn’t perfect security — the infamous underwear bomber had a visa, after all — but anyone who could detonate a laptop bomb on his international flight could do it on his domestic connection.

I don’t have access to classified intelligence, and I can’t comment on whether explosive-filled laptops are truly a threat. But, if they are, TSA can set up additional security screenings at the gates of US-bound flights worldwide and screen every laptop coming onto the plane. It wouldn’t be the first time we’ve had additional security screening at the gate. And they should require all laptops to go through this screening, prohibiting them from being stashed in checked baggage.

This measure is nothing more than security theater against what appears to be a movie-plot threat.

Banishing laptops to the cargo holds brings with it a host of other threats. Passengers run the risk of their electronics being stolen from their checked baggage — something that has happened in the past. And, depending on the country, passengers also have to worry about border control officials intercepting checked laptops and making copies of what’s on their hard drives.

Safety is another concern. We’re already worried about large lithium-ion batteries catching fire in airplane baggage holds; adding a few hundred of these devices will considerably exacerbate the risk. Both FedEx and UPS no longer accept bulk shipments of these batteries after two jets crashed in 2010 and 2011 due to combustion.

Of course, passengers will rebel against this rule. Having access to a computer on these long transatlantic flights is a must for many travelers, especially the high-revenue business-class travelers. They also won’t accept the delays and confusion this rule will cause as it’s rolled out. Unhappy passengers fly less, or fly other routes on other airlines without these restrictions.

I don’t know how many passengers are choosing to fly to the Middle East via Toronto to avoid the current laptop ban, but I suspect there may be some. If Europe is included in the new ban, many more may consider adding Canada to their itineraries, as well as choosing European hubs that remain unaffected.

As passengers voice their disapproval with their wallets, airlines will rebel. Already Emirates has a program to loan laptops to their premium travelers. I can imagine US airlines doing the same, although probably for an extra fee. We might learn how to make this work: keeping our data in the cloud or on portable memory sticks and using unfamiliar computers for the length of the flight.

A more likely response will be comparable to what happened after the US increased passenger screening post-9/11. In the months and years that followed, we saw different ways for high-revenue travelers to avoid the lines: faster first-class lanes, and then the extra-cost trusted traveler programs that allow people to bypass the long lines, keep their shoes on their feet and leave their laptops and liquids in their bags. It’s a bad security idea, but it keeps both frequent fliers and airlines happy. It would be just another step to allow these people to keep their electronics with them on their flight.

The problem with this response is that it solves the problem for frequent fliers, while leaving everyone else to suffer. This is already the case; those of us enrolled in a trusted traveler program forget what it’s like to go through “normal” security screening. And since frequent fliers — likely to be more wealthy — no longer see the problem, they don’t have any incentive to fix it.

Dividing security checks into haves and have-nots is bad social policy, and we should actively fight any expansion of it. If the TSA implements this security procedure, it should implement it for every flight. And there should be no exceptions. Force every politically connected flier, from members of Congress to the lobbyists that influence them, to do without their laptops on planes. Let the TSA explain to them why they can’t work on their flights to and from D.C.

This essay previously appeared on CNN.com.

EDITED TO ADD: US officials are backing down.

Facebook / WhatsApp: EC Imposes a Fine Under the Merger Regulation

Post Syndicated from nellyo original https://nellyo.wordpress.com/2017/05/18/facebook-whatsapp-%D0%B5%D0%BA-%D0%BD%D0%B0%D0%BB%D0%B0%D0%B3%D0%B0-%D0%B3%D0%BB%D0%BE%D0%B1%D0%B0-%D0%BF%D0%BE-%D1%80%D0%B5%D0%B3%D0%BB%D0%B0%D0%BC%D0%B5%D0%BD%D1%82%D0%B0-%D0%B7%D0%B0-%D1%81/

The European Commission has decided to fine Facebook 110 million euros for providing incorrect or misleading information about Facebook's acquisition of WhatsApp. According to Competition Commissioner Vestager, the Commission must be able to take decisions about the effects of mergers on competition in full knowledge of the accurate facts.

This is the first time the Commission has fined a company for providing incorrect or misleading information since the Merger Regulation entered into force in 2004. The EC's decision is unrelated to privacy, data protection or consumer protection issues that may arise in relation to Facebook / WhatsApp, or to national-level proceedings in the EU.

Under the Merger Regulation, the Commission can impose fines of up to 1% of the aggregate turnover of companies that intentionally or negligently provide the Commission with incorrect or misleading information. In this case, incorrect and misleading information was provided twice: in the merger notification form in 2014 and in the reply to a Commission request for information in 2016.

The media note that this is the latest technology giant the EC has dealt with, after Amazon and Apple and with proceedings ongoing against Google.

The EC's press release


News from the AWS Summit in Berlin – 3rd AZ & Lightsail in Frankfurt and Another Polly Voice

Post Syndicated from Jeff Barr original https://aws.amazon.com/blogs/aws/news-from-the-aws-summit-in-berlin-3rd-az-lightsail-in-frankfurt-and-another-polly-voice/

We launched the AWS Region in Frankfurt in the fall of 2014 and opened the AWS Marketplace for the Region the next year.

Our customers in Germany come in all shapes and sizes: startups, mid-market, enterprise, and public sector. These customers have made great use of the new Region, building and running applications and businesses that serve Germany, Europe, and more. They rely on the broad collection of security features, certifications, and assurances provided by AWS to help protect and secure their customer data, in accord with internal and legal requirements and regulations. Our customers in Germany also take advantage of the sales, support, and architecture resources and expertise located in Berlin, Dresden, and Munich.

The AWS Summit in Berlin is taking place today and we made some important announcements from the stage. Here’s a summary:

  • Third Availability Zone in Frankfurt
  • Amazon Lightsail in Frankfurt
  • New voice for Amazon Polly

Third Availability Zone in Frankfurt
We will be opening an additional Availability Zone (AZ) in the EU (Frankfurt) Region in mid-2017 in response to the continued growth in the use of AWS. This brings us up to 43 Availability Zones within 16 geographic Regions around the world. We are also planning to open five Availability Zones in new AWS Regions in France and China later this year (see the AWS Global Infrastructure maps for more information).

AWS customers in Germany are already making plans to take advantage of the new AZ. For example:

Siemens expects to gain additional flexibility by mirroring their services across all of the AZs. It will also allow them to store all of their data in Germany.

Zalando will do the same, mirroring their services across all of the AZs and looking ahead to moving more applications to the cloud.

Amazon Lightsail in Frankfurt
Amazon Lightsail lets you launch a virtual machine preconfigured with SSD storage, DNS management, and a static IP address in a matter of minutes (read Amazon Lightsail – The Power of AWS, the Simplicity of a VPS to learn more).

Amazon Lightsail is now available in the EU (Frankfurt) Region and you can start using it today. This allows you to use it to host applications that are required to store customer data or other sensitive information in Germany.

New Voice for Amazon Polly
Polly gives you high-quality, natural-sounding male and female speech in multiple languages. Today we are adding another German-speaking female voice to Polly, bringing the total number of voices to 48:

Like the German voice of Alexa, Vicki (the new voice) is fluent and natural. Vicki is able to fluently and intelligently pronounce the Anglicisms frequently used in German texts, including the fully inflected versions. To get started with Polly, open up the Polly Console or read the Polly Documentation.

I’m looking forward to hearing more about the continued growth and success of our customers in and around Germany!

Jeff;

EU: Facebook and Personal Data

Post Syndicated from nellyo original https://nellyo.wordpress.com/2017/05/17/%D0%B5%D1%81-facebook-%D0%B8-%D0%BB%D0%B8%D1%87%D0%BD%D0%B8%D1%82%D0%B5-%D0%B4%D0%B0%D0%BD%D0%BD%D0%B8/

Facebook has been fined 150,000 euros in France. The French data protection regulator CNIL found six violations, including collecting information about users for advertising “without a legal basis”. Tracking of users as they browse the web was established. Users have no control over the use of their personal data, according to a statement by the regulator dated 16 May 2017.

The FT reports that the regulator in Belgium has reached a similar position, that in the Netherlands ads were found to be placed according to declared sexual preferences, and that WhatsApp was fined 3 million euros in Italy because its terms of use include mandatory consent to data sharing with Facebook, the company that owns WhatsApp.

The French regulator is working jointly with the data protection regulators in the Netherlands, Germany, Belgium, Spain and others.

Source: FT


Streaming Site Operator Jailed For Three Years After Landmark Trial

Post Syndicated from Andy original https://torrentfreak.com/streaming-site-operator-jailed-for-three-years-after-landmark-trial-170516/

Founded more than half a decade ago, Swefilmer grew to become Sweden’s most popular movie and TV show streaming site. It was credited alongside another streaming portal for serving up to 25% of all online video streaming in Sweden.

With this level of prominence, it was only a question of time before authorities stepped in to end the free streaming bonanza. In 2015, that happened when an operator of the site in his early twenties was raided by local police.

This was followed by the arrest of a now 26-year-old Turkish man in Germany, who was accused of receiving donations from users and setting up Swefilmer’s deals with advertisers.

The pair, who had never met in person, appeared at the Varberg District Court in January, together accused of making more than $1.5m from their activities between November 2013 and June 2015.

As the trial progressed, it was clear that the outcome was not likely to be a good one for the men.

Prosecutor Anna Ginner described the operation as being like “organized crime”, with lawyer Henrik Pontén of RightsAlliance claiming that the evidence only represented a small part of the money made by the pair.

From the beginning, it was always claimed that the 26-year-old was the main player behind the site, with the now 23-year-old playing a much smaller role. While the latter received an estimated $4,000 of the proceeds, the former was said to have enriched himself with more than $1.5m in advertising revenue.

The Varberg District Court has now handed down its ruling and it’s particularly bad news for the 26-year-old, who is reported to have led a luxury lifestyle with proceeds from the site.

In a short statement the court confirmed he had been convicted of 1,044 breaches of copyright law and serious money laundering offenses. He was sentenced to serve three years in prison and ordered to forfeit $1.59m. The Court was far more lenient with the younger man.

After being found guilty of four counts of copyright infringement but playing almost no role in the site’s revenue operations, no sentencing for money laundering was handed down. He was instead handed probation and ordered to complete 120 hours of community service, a sentence that was positively affected by his age when the offenses were committed.

It’s worth noting that the sentence received by the 26-year-old goes way beyond the sentences handed down even in the notorious Pirate Bay case, where defendants Fredrik Neij, Peter Sunde and Gottfrid Svartholm received 10 months, 12 months and 8 months respectively.

However, with Henrik Pontén describing the Swefilmer case as being primarily about money laundering, his group is clearly unhappy that copyright offenses aren’t considered serious enough to warrant lengthy sentences in their own right.

“We welcome the judgment, but it is clear that copyright law must be adapted to today’s serious piracy. The penalty for copyright infringement should in itself be enough to deter people from crime,” Pontén says.

“The low level of penalties allows foreign piracy organizations to locate their operations in Sweden. The trend is very worrying.”

An important factor in the case moving forward is that in determining whether infringement had taken place, the Court drew heavily on the GS Media ruling handed down by the European Court of Justice last September.

In that decision, the Court found that linking to copyrighted material is only allowed when there is no intent to profit and when the linker is unaware that the content is infringing.

When there is a profit motive, which there clearly was in the Swefilmer case, operators of a site are expected to carry out the “checks necessary” to ensure that linked works have not been illegally published.

The operators of Swefilmer failed on all counts, so the local court determined that the platform had communicated copyrighted works to the public, in breach of copyright law.

Speaking with TorrentFreak, the 23-year-old expressed relief at his relatively light sentence but noted it may not be over yet.

“I was really happy when the judgment came. The long wait is finally over,” he said.

“RightsAlliance will appeal because they did not receive any compensation for the trial. But the prosecutor is satisfied with the judgment so it is only RightsAlliance who are dissatisfied.”

According to IDG, the lawyer of the 26-year-old believes that his client’s sentence is far too severe, so there may be an appeal in that direction too.


Why Is the TSA Scanning Paper?

Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2017/05/why_is_the_tsa_.html

I’ve been reading a bunch of anecdotal reports that the TSA is starting to scan paper separately:

A passenger going through security at Kansas City International Airport (MCI) recently was asked by security officers to remove all paper products from his bag. Everything from books to Post-It Notes, documents and more. Once the paper products were removed, the passenger had to put them in a separate bin to be scanned separately.

When the passenger inquired why he was being forced to remove the paper products from his carry-on bag, the agent told him that it was a pilot program that’s being tested at MCI and will begin rolling out nationwide. KSHB Kansas City is reporting that other passengers traveling through MCI have also reported the paper-removal procedure at the airport. One person said that security dug through the suitcase for two “blocks” of Post-It Notes at the bottom.

Does anyone have any guesses as to why the TSA is doing this?

EDITED TO ADD (5/11): This article says that the TSA has stopped doing this. They blamed it on their contractor, Akai Security.

Swefilmer Piracy Trial Ends, Operators Face Years in Jail

Post Syndicated from Andy original https://torrentfreak.com/swefilmer-piracy-trial-ends-operators-face-years-in-jail-170428/

Founded more than five years ago, Swefilmer grew to become Sweden’s most popular movie and TV show streaming site. It was once said to have accounted for 25% of all web TV viewing in Sweden.

In 2015, a 22-year-old Swefilmer operator revealed he’d been raided and in 2016 a Turkish national was arrested in Germany on a secret European arrest warrant. The now 26-year-old was accused of receiving donations from users and setting up Swefilmer’s deals with advertisers.

The pair appeared at the Varberg District Court in January, accused of making more than $1.5m from their activities between November 2013 and June 2015.

After a few weeks’ suspension, the case got back underway this month, when details of the investigation into the site were revealed to the Court.

This week the trial concluded with prosecutor Anna Ginner describing the Swefilmer streaming operation as being like “organized crime”, while demanding a 4.5-year prison sentence for the 26-year-old alongside damages of more than $1.5m.

“I say this bears the traits of organized crime. A crime that has drawn in a lot of big money,” said Ginner via video link.

“The aim was to provide all visitors of the website Swefilmer an opportunity to see movies for free. The website even placed advertising to encourage more visitors,” she said.

“The effect of the business has been that thousands of users have done just that, instead of paying for the Swedish film companies. This has damaged the film studios.”

According to local media, the 26-year-old’s lawyer dismissed the prosecution’s claims as “fantasy”, noting that it’s not clear that his client committed any crimes at all.

That assertion wasn’t shared by lawyer Henrik Pontén of RightsAlliance.

“We must not forget that it is only a small part of the money that we have been able to find. There is a large amount of money that has been lost somewhere in the world,” Pontén said.

The prosecution considers the 26-year-old to be the main player behind the site, with the 22-year-old playing a much smaller role. He stands accused of receiving around $4,000 of the proceeds but according to his lawyer Claes Kennedy, no crime was committed, since at the time it had not been established by the EU court that linking to pirated content was illegal.

Nevertheless, the prosecution wants the site’s former administrator to receive a year in jail but may settle for a suspended sentence plus community service, a point on which his lawyer agrees.

For his part, Henrik Pontén hopes the punishments are closer to the top of the scale as a deterrent to others.

“Foreign criminals are attracted to Sweden for the opportunity to earn serious money and receive low penalty rates,” he told Hallands Nyheter.

The district court’s decision is due mid-May.
