French users seem aware of the risks and threats of illicit sites

The French HADOPI recently published an interesting paper “Etude sur les risques encourus sur les sites illicites,” i.e., a study on the risks incurred on illegal sites. They polled 1,021 Internet users older than 15. The first part of the study analyses the reported use of so-called illicit sites. The second part checks the awareness of these users of the associated risks.

The first part is very conventional and shows information that was already known for other markets. The results are neither surprising nor widely deviating from other countries. For instance, without surprise, the younger generations use more illicit sharing sites than the oldest ones.

Figure extracted from the report. In black, my proposed translation.

Music, movies and TV shows are the categories that are the most illicitly accessed.

The second part is more interesting than the first one. Most polled users claim to know the threats of Internet (scareware, spam, the slowdown of computer due to malware, adult advertisement, and change of browser’s settings) as well as the issues (theft of banking account, identity theft, scam, or ransomware). Nevertheless, the more using illicit content, the higher the risk of nuisance and prejudice. Not surprisingly, 60% of consumers who stopped using illicit content suffered at least on serious prejudice.

Figure extracted from the report. In black, my proposed translation.

Users seem to understand that the use of illicit content seriously increases the risks. Nevertheless, there is a distortion. The nuisance is more associated to illegal consumption than actual real prejudices.

Figure extracted from the report. In black, my proposed translation

The top four motivation of legal users is to be lawful (66%), fear of malware (51%), respect for the artists (50%) and a better product (43%). For regular illicit users, the top three motivation to use legal offer is a better quality (43%), fear of malware (42%) and being lawful (41%). 57% of illicit users claim that they intend to reduce or stop using illegal content. 39% of illicit users announce that they will not change their behavior. 4% of illicit users claim they plan to consume more illicit content.

We must always be cautious with the answers to a poll. Some people may not be ready to disclose their unlawful behavior. Therefore, the real values of illicit behavior are most probably higher than disclosed in the document. Polled people may also provide wrong answers. For instance, about 30% of the consumers is illicitly consuming software claim to use streaming! Caution should also apply to the classification between streaming and P2P. Many new tools, for instance, Popcorn time, use P2P but present a behavior similar to streaming.

Conclusion of the report

Risks are present on the Internet. Illicit users are more at risk than lawful users.

Users acknowledge that illicit consumption is riskier than legal consumption.

Legal offer is perceived as the safe choice.

Having been hit by a security problem pushes users towards the legal offer.

An interesting report, unfortunately, currently it is only available in French.



Tribler: a (worrying) P2P client

triblerTribler is a new P2P client that made the headlines last month.   It was claimed to make bitTorrent  unstoppable and offer anonymity.   I had a look at it and played with.

This is an open source project from the University of Delft.  It has been partly funded by the Dutch Ministry of Economic Affairs.  The project started in January 2008.  Tribler is worrying to both content owners and users.

To content owners, Tribler is worrying with its features.

  •  Tribler is more convivial than other P2P clients.   It integrates in the client several functions.  First, it allows to search torrents from the client user interface within its currently connected clients.  In other words, it does not need a central tracker to keep the torrents pointers.   Thus, it is more robust and also easier to use than other clients.  If the expected content is popular, the likelihood to find it within the connected community is high.  Thus, it is unnecessary to leave the application to find torrents on trackers. Of course, it can import torrents from any external trackers such as mininova.  Thus, when content is not available in the community, the user may use traditional trackers.
    The second interesting feature is that it emulates video streaming using standard torrents.  In this mode, it buffers the video and starts to play it within the application after a few seconds.  From the user point of view, it is similar to streaming from a cyberlocker (with the difference that, once viewing completed, there is a full copy of the content on the user’s computer).
    These features are not new (emule allowed to search within it, Bittorrent Pro offers an HD player inside it…).  However,  Tribler nicely packages them.  The user experience is neat.
  • Tribler promises anonymity.  It uses a Tor-like onion structure to access the different peers.  Or at least, it should do in the future.  With the current version, it is clearly announced that it is still beta.   Furthermore, all the current peers were directly connected.  Only an experiemental torrent used the feature.  However, once validated and activated, it should become harder to trace back the seeders.

To users,Tribler is worrying for its security.  Tribler promises anonymity.  Unfortunately, this is not the case.  “Yawning angel” analyzed the project.  Although his analysis was not thorough, it highlighted several critical flaws in the used protocol.  As it is possible to define circuits of arbitrary length, it would be possible to create congestion and thus create a kind of DoS.  More worrying there are several severe cryptographic mistakes such as improper use of ECB mode, fixed IV in OFB…  His conclusion was:

For users, “don’t”. Cursory analysis found enough fundamental flaws, and secure protocol design/implementation errors that I would be reluctant to consider this secure, even if the known issues were fixed. It may be worth revisiting in several years when the designers obtain more experience, and a thorough third party audit of the improved code and design has been done.


  • P2P seems not yet dead.  Streaming emulation may change the balance with streaming cyber lockers.
  • Be very cautious about claimed anonymity.  Developing a robust Tor-like solution requires an enormous effort and deep knowledge of cryptography and secure protocols.  Tor is continuously under attack.
  • Universities may finance projects that will facilitate piracy.  “Openess of the Internet” to fight censorship does not mandate to watch content within the client.  The illustrating screenshot of Tribler on the Delft university page clearly shows some copyrighted movies offered to sharing.

Some notes on Content Protection Summit 2014

The conference was held on 9th December at Los Angeles. The audience was rather large for such event (more than 120 attendees) with representatives of content owners, service and technology providers and a few distributors.

The big trend and message is that cyber threats are more and more severe.  Traditional Content Protection is not anymore sufficient.  It has to be extended to IT cyber threats.  The SPE issue was cited very often.

The conference did not disclose surprisingly new information and technology.  Nevertheless, the event is a good occasion to share knowledge and basic best practices.  The following part will highlight interesting points or figures I collected during the event.

Welcome Remarks (by ROSE M., Ease)

He highlighted that the cyberwar is a reality.  It is performed by government funded teams or hacktivists,  It has serious implications such as wild censorship…

The Global State of Information Security (by BANTHANAVASI S., PcW)

The cyber world becomes more dangerous.  The state seems to degrade.  Some interesting figures from PcW’s annual report:

  • In 2014, the U.S. government notified 3,000 U..S. companies that they had been attacked
  • There was 48% more reported incidents in 2014.  Furthermore, the average cost of a breach increased.
  • Investment in security diminished
  • More and more incidents are attributed to third parties with trusted access

What to do (and who to call) (panel)

The usual stuff.  The most interesting advices were:

  • Log must be switched on.   This is essential in a cloud environment where low-cost plans may not have the logging feature available.  It is worthwhile to pay for it.  It is mandatory to learn and analyze when an incident occurs.
  • Have a response team available beforehand.  You will not have to time to look for and organize it when the incident will occur or will be detected.

The focus of the discussion was always on script kiddies, and never on Advanced Persistent Attack (APT)

This script will self destruct in 2 hours (panel)

The script is of high value, especially when the actual shooting was not started, or that the decision was not yet taken.  Nevertheless, it needs to be convenient.   Typical challenge for a confidential sensitive document that needs controlled distribution.  Warner announced that sometimes they even used 3-factor authentication.  Creative people may have hard feeling about privacy and traceability.

Protecting content: where creativity and security meet (panel)

Key message:  embed security within the existing ecosystem

According to Fox, TV is more forgiven than feature movie in case of leakage (excepted perhaps for the opening and closing episodes).  The biggest coming challenge is the request of international day+1 release of TV shows.

How to Secure Workflows in the age of digital services (panel)

Key message:  be aware of third parties (and their own third parties) and freelancers

The creative process behind great storytelling (panel)

Refreshing session with creative people.  The end of the session was a playdoyer for copyright.  The arguments were similar to the ones in the book Free Ride.

It’s about the money: strategies to disrupt funding piracy (LAWRENCE E., ABS-CBN and SUNDERLAND J., Lionsgate)

According to me, the most interesting session.  They presented real use cases.

Elisha explained how she drastically reduced the online piracy against ABS-CBN (the Philippines Netflix).   She performed different steps:

  1. Analyze the pirate landscape
  2. With SEO, increase the RANK to get the official sites as the first links in Google and bring pirate sites back to farther pages.
  3. Use investigators to collect proofs to enable shutdown sites
  4. Lawsuits with high fines.  The arrested webmaster are interviewed to learn all their techniques and tricks,

Jane explored the methods to have good brands advertising on pirate sites.   80% of the revenues of streaming cyberlockers are coming from advertisement.  Among them, 22% are coming from institutional brands. Tools exist to filter out placement on malicious sites, but brands have to opt-in. Brands should be worried to place their advertisement in such sites as they are sometimes also hosting malwares.

The culture of piracy: A European perspective (VERSTEEG G., Rights Alliance)

He explained the historical rationales why much piracy went from Sweden (Kazaa, The Pirate Bay…)  He asked that there should be a transactional VOD release window concurrent with Theatrical and Home windows.   The price could be dynamic, starting high and decreasing with time.

Being European, I did not see what was specifically European.   It was more his opinion.

What’s the forecast for securing the cloud? (panel)

According to me, the worst session.   No serious discussion on actual security of the cloud.   No discussion of hybrid clouds.  No precise definition of cloud (even no mention of NIST definition).  It seemed even to me that there was a consensus that implementations in cloud would be more secure than today’s implementations.

The topic is far more complex than the simplified vision drawn during the panel.

Is French HADOPI law dead ? (11)

Pierre Lescure, former CEO of French broadcaster Canal +, has delivered  to the French minister of culture and communication his report “Contribution aux politiques culturelles à l’ère numérique” (i.e. contribution to cultural policies in the digital area).  Obviously, among the 88 recommendations, numerous proposals tackle copyright issues.  These recommendations got the headlines of French press.


Pierre Lescure and his team have deeply analyzed the current French graduated response, its organization HADOPI, and its efficiency.  Let’s navigate among the 700 page document and highlights some interesting points.

In section A-5: The release window

The report highlights that the audience wants the pieces of content as early as possible.  furthermore, VOD is drastically increasing.  Thus, they propose to reduce the current release window  of VOD by one month.  Interestingly, they would offer this earlier release only to “good citizen” operators.

Plus précisément, il est proposé d’avancer la fenêtre de la vidéo à la demande, éventuellement en réservant cette mesure aux services les plus vertueux, c’est-à-dire à ceux qui acceptent de prendre des engagements volontaristes en termes de financement de la création et d’exposition de la diversité.

Furthermore, they propose the concept of premium week end when a piece of content would be available as VOD one or two weeks after theatrical release for 30€ (40$).


Section A-14 tackles the issue of DRM.  They propose to extend the scope of the DAVDSI law to games and public domain content.  They recommend also to create an open standard for DRM.

Personal note:  the problem with open standard is that it cannot enforce a compliance and robustness regime that is mandatory for any DRM to be efficient Sad smile.

They highlight that DRM and French right to private copy are not well co-existing.

Section B-7 tackles the issue of the private copy levy.

As cloud computing is becoming more and more present, storage in the cloud will become prevalent.  Therefore, the current private copy levy will become useless.   Thus, the report suggests to create a levy for every connected device regardless of its internal storage capabilities.

In section C2: “Appraisal of the graduated response”.

La réponse graduée (articles L.331-24 et suivants du CPI) a pour fondement non pas l’acte de contrefaçon en lui-même, mais le  manquement à l’obligation de surveillance  du titulaire de l’abonnement Internet de son poste d’accès …
La notion de  négligence caractérisée permet ainsi, au terme de la procédure de réponse  graduée, de sanctionner le titulaire de l’abonnement sans avoir la preuve qu’il est bien l’auteur du délit de contrefaçon, dès lors qu’il n’a pas pris les dispositions pour sécuriser sa ligne.

They highlight that the cornerstone of the French graduated response is not the counterfeiting act but the fact of characterized negligence to secure his/her Internet access.  Being negligent to secure the network does not mean the owner of the network was the infringer.


At February 2013, content owners detected 35 millions  for 4.7 millions IP addresses.  1.6 millions first warning and 139,000 second warnings were issued with 29 cases passed to the Court.  Only two cases were sentenced with a 150€ fine.    In 2012, the direct cost of the graduated cost was 6M$, with an additional bill of 2.5Me from the three main ISPs.  This evaluation does not include the cost of TMG detecting the supposed infringing IP addresses that is bared by the content owners.

They must conclude that the efficiency is mixed.  The use of P2P has visibly declined by 40% in three years.  Nevertheless, this may just mean that the traffic moved to direct download/streaming sites that HADOPI does not monitor.

In section C-3: “Lightening the graduated response”

The report acknowledges that suppressing the graduated answer would have many advantages.  nevertheless, the disadvantages are more important.  The report proposes to clarify the concept of “characterized negligence”.  You would have to put something in place, you not to be successful. They propose also to rather focus on the counterfeiting rather than on the negligence.  The counterfeiting act should be proven and for monetary gain.

Dans l’immédiat, il pourrait être demandé aux Parquets de n’engager des poursuites pour contrefaçon que lorsqu’ilexiste des  indices sérieux et concordants tendant à prouver l’existence d’un enrichissementpersonnel ou collectif, dans le cadre d’un réseau contrefaisant.

The educational element of the graduated response should be enhanced.  Thus, the ultimate punishment, i.e. suppression of Internet access, should be replaced by throttling.  Furthermore, the fine should be reduced from 1,500€ to 60€.

The report proposes to close the HADOPI organization and forward its mission to the Conseil Supérieur de l’Audiovisuel (High Council of Audiovisual).  We anticipated that in August 2012.

Section C-4: “the fight against online commercial piracy” is going in the right direction.  It clearly highlights that direct download, streaming and referee sites are making money through piracy, estimated between 52 to 71M€ each year in France.  According to the report, these sites are the real money makers of digital piracy.  Despite the laws exist, suing these site owners is difficult. The State should be proactive in this fight.

Section C-5: “The responsibility of hosting sites”.   Currently, European and French laws imply that the hosting site cannot be responsible:

  • if it was not aware that content was infringing
  • if it did not take down infringing content once notified.

La  responsabilitécivile ou pénale des hébergeurs ne peut être engagée « s’ils n’avaient pas effectivement connaissance » du caractère illicite des contenus stockés ou « si, dès le moment où elles en ont eu cette connaissance, elles ont agi promptement pour retirer ces données  ou en rendre l’accès impossible ».

The report does not recommend to modify this status.  Nevertheless, it recommends to facilitate good practices such as using fingerprint to detect illegal content (The French INA signature is highlighted).  The report recommends that the French State support a common initiative to set up an organization that would create a database of reference fingerprints and send take down notifications to sites.

In Section C-6, the report recommends that search engines should present the legal offers in a predominant position compared to counterfeiting offers.  Currently, search engines have in Europe light responsibilities in this field.

Section C-7 highlights the role of payment organizations and advertisement agencies.  they indirectly facilitate and benefit from digital piracy.  The report calls these intermediaries to be good citizens.  Google has already proven that it may accept to play this game.

Section C-8 tackles the issue of blocking a site and domain names.  Although possible with French regulation, the report does recommend to use them only as ultimate solution.



  • Is HADOPI dead?   It seems that this time, it is a serious blow against it.  It is only  a report, not a set of decisions.   We know the French minister of culture is not HADOPI-friendly.   Thus the likelihood of its near death is high.
  • Is the French graduated response dead?   It will continue, in its current form or in a new way, regardless of its future hosting organization.

How BitTorrent is monitored…

In a recent study, CHOTIA Tom et al., four researchers from the University of Birmingham, attempted to check whether BitTorrent was monitored, how it was, and by whom.  They studied the two types of monitoring:

  • Indirect monitoring where the copyright infringement agency does not participate to the transaction and just collects clues with not extremely convincing evidence
  • Direct monitoring where the agency is part of the transaction.  in that case, the evidence is better.

For the first type of monitoring, they used six heuristics (5 that they collected from the literature and one that they created).  The conclusion is clear: many agencies are scouting the swarms.  Funnily, they spotted the French INRIA team who was making a similar study.  ( see Identifying providers and downloader in bittorrent).   Without surprise, this part of the study was conclusive.

For direct monitoring, they tried other heuristics such as checking whether the reported completion progresses or is consistent, or the duration of connection.  Once more, they detected monitoring activity.

The study presents also several interesting (but not surprising) conclusions:

  • The most popular pieces of content are far more monitored than less popular.  This is logic as monitoring as a cost and who would pay for the long tail?
  • When sharing a popular piece of content, the likelihood to be monitored within three hours is high.
  • The block lists of supposed monitors (which are available for most popular clients) are not complete.

The definition of the heuristics is interesting.   It gives a good hint to the agencies on what they should do to become stealthier.

HADOPI: a little insight view

In may 2011, French HADOPI mandated an expert, Dadid Znaty, to evaluate the robustness of the system that tracks infringers on P2P.  The objectives were:

  1. Analyze the method used to generate fingerprints
  2. Analyze the method used to compare sample candidates with these fingerprints
  3. Analyze the process that collects the IP addresses
  4. Analyze the workflow

On January 16, 2012, Mr Znaty delivered his report.  A version without the annexes was published on HADOPI site for public dissemination. The report concluded that the system was secure.

Conclusion : en l’état, le processus actuel autour du système TMG est FIABLE.  Les documents constitués du procès verbal (saisine), et si nécessaire du fichier complet de l’oeuvre (stockée chez TMG) associé au segment de 16Ko constituent une preuve ROBUSTE.

Le mode opératoire utilisé permet donc l’identification sans équivoque d’une oeuvre et de l’adresse IP ayant mis à disposition cette oeuvre.

An approximate translation of this conclusion is

Conclusion: The current process of TMG’s system is RELIABLE.  The documents, the minutes, and if necessary the complete opus (stored by TMG)  associated to the 16K segment are a ROBUST proof.

The workflow allows unambiguous identification of a piece of content and the IP address that made it available.

Quickly, content owners complained that sensitive information may leak from this report.  Therefore, it was interesting to have a look to this report.

The report is not anymore available on the HADOPI site.  The links are present, but there is no actual download.    Sniffing around, you may easily find copies of the original report (for instance here).   Once we have it, what is leaking out?

Most probably for the experts, nothing really interesting.   We learn a lot on the process of identification of the right owners of a content.  This part is well described in the document.  When we look on the technical side, no details.  the expert was always answered that the technology providers will not give any details on the algorithms.   Therefore, to validate the false positive rate, the expert checks if there is any content inside the reference database that share the same fingerprint.  The answer is no (excepted for one case where they fed twice the same master  :Pondering: ).   Conclusion: no false positive!  I let you make your own conclusion.

The annexes that may have some details were not published.  I have not found a copy on the net.  What bit of information could we grasp:

  • There are two technology providers for the fingerprint.  They are “anonymized” in the document for confidentiality  (sigh! )  We can guess that the audio fingerprint provider is not French as a quote of an answer was in English.  This is not a surprise as to the best of my knowledge there is no French technology commercialy available.
  • They look for copyrighted content on P2P networks using keywords.  Once a content is spotted, its fingerprint is extracted and compared to the master database.  If the content fits, its hashcode is recorded (most probably the md5 code).   Then, TMG can look for this md5 sample and record the IP address.
  • The content is recognized if there is a ordered sequence of fingerprints.   The length of the sequence seems to depend of the type of content and the rights owner.  For audio, 80% of the duration.  For video, in the case of ALPA, 35 minutes…

In conclusion, no a great deal…


MegaUpload effect: is technology evil?

My editorial of the last security newsletter provoked many reactions. It could have been expected because I reported about MegaUpload’s shutdown. The typical reaction was the tricky question: how do you decide that a cyber locker is acting evil? Is the cyber locker operator liable for its users to store illegal contents? We’re back to the safe harbor issue.

who-owns-the-rain-a-discussion-on-accountability-of-whats-in-the-cloud posted on blog nicely presents the problem. In a nutshell, why only megaUpload? Most of the other cyber lockers will probably host illegal content.

The issue of cyber lockers is similar with the situation of Peer To Peer. The technology is not to be blamed, it is its misuse that is to be blamed. How often did we see people automatically identifying P2P to piracy? And too often, even us, the specialists, oversimplify communication by identifying the technology with its use. P2P and cyber lockers are valuable technology and have many legitimate use. Therefore, we must be very careful about breaking the identification of cyber locker to piracy harbors.

Now why striking MegaUpload? Of course, there were non-infringing content stored on MegaUpload, as there may be illegal content stored on DropBox (choose any other name). I am sure that I will certainlyfind legitimate content on The Pirate Bay (both on there P2P service and their own cyber locker). When closing MegaUpload, most probably some people did loose legitimate content. Now, why would MegaUpload be evil and not DropBox? Most probably, the difference between bad/good comes from the actual behavior of the site owners. For instance, YouTube answers to cease and desist notice. According to the US justice, MegaUpload did not have such a clean behavior. An extract of the FBI announcement about MegaUpload.

The indictment states that the conspirators conducted their illegal operation using a business model expressly designed to promote uploading of the most popular copyrighted works for many millions of users to download. The indictment alleges that the site was structured to discourage the vast majority of its users from using Megaupload for long-term or personal storage by automatically deleting content that was not regularly downloaded. The conspirators further allegedly offered a rewards program that would provide users with financial incentives to upload popular content and drive web traffic to the site, often through user-generated websites known as linking sites. The conspirators allegedly paid users whom they specifically knew uploaded infringing content and publicized their links to users throughout the world.

The reward program was most probably a good indicator as well as a red rag under the nose of MPAA. The frontier is most probably in the applied business model. Does most of your money come from “legitimate” business? But even that is a difficult test. If your business model is purely based on advertisement revenue, then you should try to increase the traffic, thus the number of eye balls. Free copyright content is one of the categories that attracts visitors.

As for all ethical matters, it is not Manichean. And the grey scale is large.

What is your opinion?