DDoS as a form of free speech

Dykan K. (from Eage, Wisconsin) started an online petition on January 7 asking the Obama administration to:

Make, distributed denial-of-service (DDoS), a legal form of protesting.

With the advance in internet technology comes new grounds for protesting. Distributed denial-of-service (DDoS) is not any form of hacking in any way. It is the equivalent of repeatedly hitting the refresh button on a webpage. It is, in that way, no different than any “occupy” protest. Instead of a group of people standing outside a building to occupy the area, they are having their computer occupy a website to slow (or deny) service of that particular website for a short time.

Many newspapers claim it was issued by Anonymous. Nevertheless, I was not able to find a related tweet issued by @AnonNews (if somebody spotted it, please send me the pointer).

Is it a legitimate demand? Obviously, some DDoS actions have been used to protest against authorities or resented decisions. For instance, when MegaUpload was shut down, Anonymous organized such an attack (see http://eric-diehl.com/megaupload-is-down/). Nevertheless, DDoS is also used for blackmail or simple malevolence. Therefore, we can foresee the answer of the Obama administration. To receive an official answer, the petition must gather more than 25,000 signatures in one month. At writing time, it had 4,255.

Update 16-Jan: Since Tuesday, the White House has raised the threshold from 25,000 to 100,000 signatures. At writing time, the petition had 4,855. Of course, this increase is not related to this petition (rather to the secessionist petitions).

CORAL consortium is dissolved

In October 2004, Intertrust, Philips, Matsushita, Samsung, Sony, and Twentieth Century Fox Film Corporation founded the CORAL consortium. Many other companies joined it. It was an initiative to specify an interoperable framework for DRM. The first set of specifications was published in November 2005, and the final set in October 2007.

Actual deployment of the CORAL framework has been extremely limited. Nevertheless, the CORAL framework was one of the initial contributions to DECE, which defines UltraViolet.

On December 13, 2012, the CORAL organization was dissolved. The web site, http://www.coral-interop.org/, will stay online until April 1, 2013.

Security Newsletter 22 is available

The Security Newsletter 22 is available. We are proud to have Joan DAEMEN as a guest. Joan is one of the authors of KECCAK, the algorithm selected by NIST to become the new official SHA-3 function. Mohamed presents this new hash function. SSL is the most widely deployed security protocol on the Internet and is therefore highly scrutinized by the community. Olivier, Christoph and Benoit take a deep dive into the latest attacks against SSL.

We hope you will enjoy reading it. Do not hesitate to comment.

How BitTorrent is monitored…

In a recent study, Tom CHOTHIA et al., four researchers from the University of Birmingham, attempted to check whether BitTorrent was monitored, how, and by whom. They studied the two types of monitoring:

  • Indirect monitoring, where the copyright enforcement agency does not participate in the transaction and only collects clues, which do not make for very convincing evidence
  • Direct monitoring, where the agency is part of the transaction. In that case, the evidence is better.

For the first type of monitoring, they used six heuristics (five collected from the literature and one of their own). The conclusion is clear: many agencies are scouting the swarms. Funnily, they spotted the French INRIA team, which was conducting a similar study (see Identifying providers and downloaders in BitTorrent). Unsurprisingly, this part of the study was conclusive.

For direct monitoring, they tried other heuristics, such as checking whether a peer's reported completion progresses and stays consistent over time, or the duration of the connection. Once more, they detected monitoring activity.

The study also presents several interesting (but not surprising) conclusions:

  • The most popular pieces of content are far more monitored than less popular ones. This is logical, as monitoring has a cost, and who would pay for the long tail?
  • When sharing a popular piece of content, the likelihood of being monitored within three hours is high.
  • The block lists of suspected monitors (which are available for the most popular clients) are not complete.

The definition of the heuristics is interesting. It also gives the agencies a good hint on what they should do to become stealthier.
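The direct-monitoring heuristics described above (does a peer's reported completion progress, is it consistent, how long does it stay connected), re-implemented as an added illustration over a constructed observation log. This is not the researchers' code; peer names, observations and thresholds are made up for the example.

```python
"""Direct-monitoring heuristics over per-peer observations.

Each observation is (peer_id, seconds_since_connect, reported_completion),
where reported_completion is the fraction of pieces the peer claims to hold,
as derived from its BITFIELD/HAVE messages. All data here is constructed.
"""
from collections import defaultdict

# Constructed swarm log: a normal leecher progresses monotonically; a monitor
# typically never downloads, reports inconsistent state, or drops quickly.
OBSERVATIONS = [
    ("peer-A", 0, 0.10), ("peer-A", 600, 0.25), ("peer-A", 1800, 0.60),
    ("peer-B", 0, 0.00), ("peer-B", 600, 0.00), ("peer-B", 1800, 0.00),  # never progresses
    ("peer-C", 0, 0.40), ("peer-C", 600, 0.20), ("peer-C", 1200, 0.45),  # completion regresses
    ("peer-D", 0, 0.30), ("peer-D", 20, 0.30),                           # gone after 20 s
]

MIN_DURATION = 60       # hypothetical threshold: shorter connections are suspicious
STALL_DURATION = 1200   # hypothetical threshold: no progress for this long is suspicious


def group_by_peer(observations):
    """Group observations per peer and sort each series by time."""
    by_peer = defaultdict(list)
    for peer, t, done in observations:
        by_peer[peer].append((t, done))
    for series in by_peer.values():
        series.sort()
    return by_peer


def classify_peer(series):
    """Return the names of the heuristics that fire for one peer's series."""
    times = [t for t, _ in series]
    done = [d for _, d in series]
    duration = times[-1] - times[0]
    flags = []
    if duration < MIN_DURATION:
        flags.append("short-connection")
    if any(later < earlier for earlier, later in zip(done, done[1:])):
        flags.append("inconsistent-completion")      # completion went backwards
    elif duration >= STALL_DURATION and done[-1] <= done[0]:
        flags.append("no-progress")                  # connected long, downloaded nothing
    return flags


def suspected_monitors(observations):
    """Map each flagged peer to the heuristics that fired for it."""
    result = {}
    for peer, series in group_by_peer(observations).items():
        flags = classify_peer(series)
        if flags:
            result[peer] = flags
    return result
```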

Twitter and DMCA

Like Google with its transparency program, Twitter now also offers better transparency when removing tweets following a DMCA notification. Previously, the infringing tweet was removed without any explanation. Since a month ago, Twitter has changed its policy. When Twitter decides that a takedown is legitimate, the following process is applied:

  1. The affected user is notified once the tweet is removed.
  2. The affected user receives the complaint as well as the procedure to file a counter-notice.
  3. A copy is sent to Chilling Effects, a project from the EFF and several US universities (Harvard, Stanford, Berkeley…) that collects Cease & Desist (C&D) notices from around the world.
  4. The withheld tweet is clearly marked.


Since 2010, Twitter has become a convenient vector for distributing pointers to infringing shared content. Soon, content owners started issuing C&D notices.

Like Google, Twitter tries to find a trade-off between content owners and its users. Transparency is probably a good solution.

Google: explosion in the number of takedown URLs

[Figure: URLs requested to be removed from Search, per week]

Every semester, Google publishes its biannual transparency report. This semester, the focus was on the increase in the number of user data requests issued by government agencies. The press communicated a lot on this topic.

I prefer to analyze the URL removal requests. They are issued by content owners and governments. The picture displays the URLs requested to be removed from Search per week. It clearly highlights an explosion in the number of requests in the last month. Compare with the same snapshot captured on September 3.

The top organizations requesting removals were Degban (a company specialized in multimedia copyright protection), the RIAA and the BPI (British Recorded Music Industry). The top copyright owners concerned by the takedown URLs were the RIAA, Froytal Services Ltd (a porn producer!) and the BPI. The affected domains were mainly a search engine for cyberlockers and, of course, torrent sites (the iconic Pirate Bay was not among the top sites!).

Malware signed by Adobe

In September, Adobe detected two pieces of malware that were legitimately signed by Adobe! Having a valid signature from a trusted source like Adobe is a compelling advantage for malware. As one of the two samples was not publicly available, the likelihood that it was meant to be used in an Advanced Persistent Threat (APT) is extremely high.

Did a signing private key leak, as was the case for Yahoo in May? Adobe performed an extensive forensic analysis. They discovered that one build server had been compromised. This build server could submit software for signing. According to Adobe, the configuration of the server was not at the proper Adobe standard of security. As it was the server that was compromised, the private key, stored in a Hardware Security Module (HSM), was not compromised. Adobe also had proof that this server requested the signature of the malware. They believe that the attackers first accessed another server and then moved laterally to take control of this build server. Once the server was under their control, the attackers requested the signature of their malware. This is a typical APT scheme. It also means that the signed malware was meant to be used in other steps of this APT, whose target was not Adobe.
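The lesson of the incident above is that an intact HSM does not help if any compromised build host can ask it to sign anything. As an added illustration (not Adobe's code or infrastructure), the following audits a constructed signing-service log: each request must come from an approved submitter and carry the hash of an artifact that the build pipeline actually produced for the named job. Host names, job ids, timestamps and artifact bytes are all made up.

```python
"""Audit code-signing requests against the build pipeline's own records.

A signing request that names a build job but carries a hash the pipeline
never produced is exactly what a compromised build host would generate.
Everything below (log format, hosts, jobs, artifacts) is constructed.
"""
import hashlib

# Constructed record of what each trusted build job actually produced.
# In practice this comes from the CI system, not from the submitting host.
BUILD_OUTPUTS = {
    "job-1001": b"installer-v1 bytes",
    "job-1002": b"plugin-v2 bytes",
}
APPROVED_SUBMITTERS = {"build-01.example.internal"}   # hypothetical allow-list


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed signing-service log, one request per line:
# "<timestamp> <submitting host> <build job id> <sha256 of artifact to sign>"
SIGNING_LOG = "\n".join([
    f"2012-09-12T01:02:03Z build-01.example.internal job-1001 {sha256_hex(BUILD_OUTPUTS['job-1001'])}",
    f"2012-09-12T03:15:00Z build-01.example.internal job-1002 {sha256_hex(b'not what job-1002 built')}",
    f"2012-09-13T04:20:00Z build-07.example.internal job-1002 {sha256_hex(BUILD_OUTPUTS['job-1002'])}",
])


def parse_log(text):
    """Yield one dict per well-formed log line."""
    for line in text.splitlines():
        ts, host, job_id, digest = line.split()
        yield {"ts": ts, "host": host, "job_id": job_id, "sha256": digest}


def audit_request(req, build_outputs=BUILD_OUTPUTS, approved=APPROVED_SUBMITTERS):
    """Return the policy violations for one signing request (empty = clean)."""
    findings = []
    if req["host"] not in approved:
        findings.append("unapproved-submitter")
    produced = build_outputs.get(req["job_id"])
    if produced is None:
        findings.append("unknown-build-job")
    elif sha256_hex(produced) != req["sha256"]:
        findings.append("artifact-not-from-build")   # pipeline never built this binary
    return findings


def audit_log(text, **policy):
    """Return (timestamp, findings) for every request that violates policy."""
    flagged = []
    for req in parse_log(text):
        findings = audit_request(req, **policy)
        if findings:
            flagged.append((req["ts"], findings))
    return flagged
```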

Adobe has communicated in detail about the attack. The signing key was revoked on October 4, 2012. Very proper job.

Once more, we see that APTs are becoming more and more sophisticated. Large organizations are clearly under serious threat (I will come back to that topic in one of my future posts).