The Pirate Bay sentenced

On Friday, the Swedish court issued its verdict against The Pirate Bay. Peter Sunde (brokep), Fredrik Neij (TiAMO), Gottfrid Svartholm (Anakata) and Carl Lundström have each been sentenced to one year in jail and a fine of about $900K. They have already announced that they will appeal.

The judge found that the primary offenders were The Pirate Bay's users, but that the four defendants assisted those users in committing the infringements. The verdict leaked out of the court several hours before its official announcement; the police are investigating this breach of confidentiality.

Nevertheless, The Pirate Bay is still online, and there is not even a visible sign of the verdict on the site. That is not the case for some other tracker sites, such as Nordicbits, Powerbits, Piratebits, MP3nerds and Wolfbits, which went offline for fear of prosecution.

Some Pirate Bay supporters have organized a DDoS attack against the IFPI site in retaliation. We may expect other such actions in the coming days.

Graduated response: The Pirate Bay answers

A few days before the French parliament examines the law that would introduce the graduated response, The Pirate Bay has announced a riposte: it is launching a new service. Here is their description:

IPREDator is a network service that makes people online more anonymous using a VPN. It costs about 5 EUR a month and we store no traffic data.
Our service is right now in a beta stage. We hope it will be released for the public before 1st of April. Sign up now to start using it as soon as we're stable.
The network is under our control. Not theirs.

In other words, only authorized users are admitted to the VPN, and the transferred data are encrypted between the subscriber and the VPN endpoint. The subscriber's ISP, and anyone monitoring the P2P swarm, sees only the VPN's exit address. This means that HADOPI could not tell that a member of IPREDator is exchanging infringing content.

The main question is how many people will be ready to spend 5€ per month. Furthermore, if the service is successful, The Pirate Bay will have built one of the largest VPN infrastructures.

In any case, the graduated response will probably trigger several reactions:

  • A move towards encryption
  • The emergence of small, protected private P2P networks with private trackers
  • Poisoning of the tracker lists by the tracker sites themselves

Phone and torrents

The G1 is the first mobile phone running Google's new operating system, Android. The site Android and Me launched a bounty. The challenge was to write a G1 application that scans the barcode of a retail DVD, identifies the title and then looks up the available torrents for that title on the major tracker sites such as The Pirate Bay, Mininova…

Alec Holmes was the first to produce a working application and claim the $90 bounty. With this application, called Torrent Droid, you can walk into a store, scan the title, select the preferred torrent and launch the download!

The application itself is not a revolution in the world of piracy; it is just another entry point to the target. Rather than typing the title into your preferred search tool (Che, a dedicated toolbar in the browser…), you scan the disc. This changes nothing in the piracy world.

What is meaningful is that this application was chosen to illustrate some advantages of the G1 and Android. It would be interesting to find out who is behind the site Android and Me.

Is the application illegal? Your opinion?

DRM and games

I have often described the ruckus generated by DRM for games (see Game and DRM or Spore and the DRM fury). Yesterday, I discussed the topic with some French game publishers. Their position was rather negative. According to them, today's game protections are too weak: patches that defeat them appear on P2P soon after release. The paradoxical outcome is that honest customers who purchased the game suffer the constraints imposed by the protection (for instance, checking the presence of the physical disc in the drive…), whereas dishonest users have the game without the constraints.

Using game theory (see The DRM game), the winning strategy would be to steal the game! Thus, to change the winning strategy, there seem to be two possible solutions:

  • Make more robust DRM
  • Make DRM that is transparent to customers but not to dishonest users

Currently, I do not see either trend.

NIST SHA3 and buffer overflows

Several months ago, NIST launched the public competition to define SHA-3, the successor of SHA-1 and SHA-2. All 42 contenders had to submit a description of their algorithm together with a C reference implementation.
The tool vendor Fortify decided to analyze these implementations with its static source-code analyzer. Guess what? They found some common mistakes, such as buffer overflows (see the report). But most implementations were excellent.

The fact that an implementation has weaknesses does not mean that the algorithm itself is weak. But we may draw two lessons:

  • As we all know, writing a secure implementation of an algorithm is a difficult task. And Fortify did not test robustness against cryptanalytic attacks, only programming errors.
  • Using software testing tools such as static analyzers, memory checkers, … is MANDATORY when developing security software. They will not eliminate every weakness, but they at least catch the basic ones.
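To make the first lesson concrete, here is an added example (constructed for this post, not code from the Fortify report or from any SHA-3 submission) of the buffer-handling mistake that a static analyzer flags in a hash "update" routine, next to a bounds-checked rewrite. The compression step is a toy stand-in, and the function names, the 64-byte block size and the test message are all my own assumptions; the point is the block buffer, which every Merkle–Damgård- or sponge-style reference implementation has.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define BLOCK_BYTES 64

/* Constructed example: the block buffer of a typical hash "update" routine.
 * The compression step is a toy stand-in, not any SHA-3 candidate's code. */
typedef struct {
    uint8_t  state[BLOCK_BYTES];  /* toy chaining state */
    uint8_t  buf[BLOCK_BYTES];    /* partial block waiting to be compressed */
    size_t   buflen;              /* bytes held in buf, always < BLOCK_BYTES */
    uint64_t blocks;              /* whole blocks compressed so far */
} hash_ctx;

void hash_init(hash_ctx *ctx) { memset(ctx, 0, sizeof *ctx); }

/* Toy compression: XOR the block into the state and rotate by one byte so
 * that block order matters. Only the buffering logic is the point here. */
static void compress(hash_ctx *ctx, const uint8_t block[BLOCK_BYTES]) {
    for (size_t i = 0; i < BLOCK_BYTES; i++) ctx->state[i] ^= block[i];
    uint8_t first = ctx->state[0];
    memmove(ctx->state, ctx->state + 1, BLOCK_BYTES - 1);
    ctx->state[BLOCK_BYTES - 1] = first;
    ctx->blocks++;
}

/* VULNERABLE pattern, the kind a static analyzer reports: the caller's bytes
 * are copied into the fixed buffer before anyone checks that they fit. With
 * buflen + len > BLOCK_BYTES the memcpy runs past buf into the fields after
 * it, or past the end of the struct. Kept for comparison only; never called
 * here with an input that does not fit. */
void hash_update_unchecked(hash_ctx *ctx, const uint8_t *data, size_t len) {
    memcpy(ctx->buf + ctx->buflen, data, len);   /* no bounds check */
    ctx->buflen += len;
    if (ctx->buflen == BLOCK_BYTES) {            /* only an exact fit is handled */
        compress(ctx, ctx->buf);
        ctx->buflen = 0;
    }
}

/* HARDENED version: writes at most the free space in buf, streams whole
 * blocks straight from the input, and checks its own invariant.
 * Returns 0 on success, -1 on a bad argument or corrupted context. */
int hash_update_checked(hash_ctx *ctx, const uint8_t *data, size_t len) {
    if (ctx == NULL || (data == NULL && len != 0)) return -1;
    if (ctx->buflen >= BLOCK_BYTES) return -1;   /* invariant violated */
    if (len == 0) return 0;
    if (ctx->buflen > 0) {                       /* top up the pending block */
        size_t room = BLOCK_BYTES - ctx->buflen;
        size_t take = len < room ? len : room;   /* never more than fits */
        memcpy(ctx->buf + ctx->buflen, data, take);
        ctx->buflen += take; data += take; len -= take;
        if (ctx->buflen == BLOCK_BYTES) { compress(ctx, ctx->buf); ctx->buflen = 0; }
    }
    while (len >= BLOCK_BYTES) {                 /* whole blocks, no copy */
        compress(ctx, data);
        data += BLOCK_BYTES; len -= BLOCK_BYTES;
    }
    if (len > 0) {                               /* buflen == 0 and len < BLOCK_BYTES */
        memcpy(ctx->buf, data, len);
        ctx->buflen = len;
    }
    return 0;
}

/* Absorb a constructed msg_len-byte message in chunk-byte calls and report
 * whether the result equals absorbing it in one call: the buffering must be
 * transparent to how the caller splits the input. */
int chunking_is_consistent(size_t msg_len, size_t chunk) {
    uint8_t msg[4096];
    if (msg_len > sizeof msg || chunk == 0) return 0;
    for (size_t i = 0; i < msg_len; i++) msg[i] = (uint8_t)(i * 31 + 7);
    hash_ctx whole, pieces;
    hash_init(&whole); hash_init(&pieces);
    if (hash_update_checked(&whole, msg, msg_len) != 0) return 0;
    for (size_t off = 0; off < msg_len; off += chunk) {
        size_t n = msg_len - off < chunk ? msg_len - off : chunk;
        if (hash_update_checked(&pieces, msg + off, n) != 0) return 0;
    }
    return whole.buflen == pieces.buflen && whole.blocks == pieces.blocks &&
           memcmp(whole.state, pieces.state, BLOCK_BYTES) == 0;
}

/* Blocks compressed / bytes left pending after absorbing msg_len zero bytes. */
uint64_t blocks_after(size_t msg_len) {
    hash_ctx c; uint8_t z[4096] = {0};
    hash_init(&c);
    if (msg_len > sizeof z || hash_update_checked(&c, z, msg_len) != 0) return UINT64_MAX;
    return c.blocks;
}
size_t pending_after(size_t msg_len) {
    hash_ctx c; uint8_t z[4096] = {0};
    hash_init(&c);
    if (msg_len > sizeof z || hash_update_checked(&c, z, msg_len) != 0) return SIZE_MAX;
    return c.buflen;
}
```

The unchecked routine is exactly what a NIST-style test harness never exercises: the known-answer tests feed messages that happen to land on block boundaries, so the overflow only appears when a caller streams data in arbitrary pieces. Compiling the hardened version with a memory checker (Valgrind, AddressSanitizer) and calling `chunking_is_consistent` with odd chunk sizes is the cheap check the second lesson above asks for.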

Wardriving RFID passports?

Wardriving is the game of wandering around an area and mapping its wireless networks. Of course, the most interesting ones are those that are unprotected or WEP-protected (the equivalent of not being protected, since WEP is far too easy to break).

Chris Paget, a well-known white-hat hacker who plays with RFID, has demonstrated a new type of wardriving: collecting information from the new US passport card or driver's license over RFID. In a video, he shows how he retrieved the data needed to clone these cards.

In US passport and RFID, I presented the risks associated with these new cards. Paget shows how to do it at low cost. The read range depends on the emitting power of the antenna. Even without cloning, this type of attack would make it possible to track a person once you have sniffed his/her RFID identification code.

It should be noted that this type of RFID is not the one used in the e-passport (the booklet passport). The booklet carries an ISO 14443 proximity chip protected by Basic Access Control, so the reader must first derive a key from the printed data page, whereas the passport card carries a UHF EPC Gen 2 tag that answers any reader in range with its identifier. The e-passport is more secure.

Nevertheless, it is worrying to see administrations deploying such weak systems.

Light sentence for French pirates

In February 2006, the French blockbuster “Les Bronzés 3” appeared on P2P in DVD quality at the same time as its theatrical release. The film still reached 10 million admissions.

Unfortunately for the leakers, forensics made it possible to trace the leak back to three employees of TF1, the French broadcaster that also produced the movie.

They were sued by the producers and some of the actors, together with three persons using the pseudonyms Darkpingoo, H2o and Vb2n, who had posted the movie on Freenet. The plaintiffs asked for several million euros in damages. Their main argument was that DVD sales did not reach one million, whereas such a blockbuster would usually be expected to sell 2 million DVDs.

The judge showed clemency: the infringers will have to pay 27,000€ in damages and have been given a one-month suspended prison sentence.