In May 2011, French security researcher Olivier Laurelli, who is better known by his alias Bluetouff, told TorrentFreak that he had discovered vulnerabilities in the website of anti-piracy company Trident Media Guard.

TMG have the contract to carry out the monitoring of file-sharers as part of the French government’s enforcement of its ‘Hadopi’ 3-strikes regime. Given the politically sensitive nature of the work, the subsequent leak of information and software tools from TMG was all the more embarrassing.

In order to maintain confidence in the system, Commission Nationale de l’informatique et des Libertés (CNIL), the French authority responsible for ensuring that data privacy law is applied to the collection, handling, and use of personal data, were sent in to investigate the breach.

While CNIL investigated, TMG was forced to sever its online connections with the Hadopi agency. Instead, information on infringements was sent through the postal system on DVD.

According to Numerama, CNIL had given TMG until September 16th to get their systems in order. That deadline having passed, today CNIL made an announcement.

“On July 29th and September 13th 2011, TMG detailed the procedures implemented to improve the security of its information system,” said CNIL in a statement.

CNIL noted that since the changes carried out by TMG were “satisfactory” and met legal requirements, their investigation into the anti-piracy company is now over. TMG and Hadopi will now link back up online in order to transfer infringement data between them.

Despite TMG’s obvious shortcomings, at this stage they appear to have avoided public admonishment. However, rightsholders may now have to share some of the responsibility for the embarrassment and failures at TMG.

“In France, before rights holders can collect IP addresses of infringing users, they have to ask and obtain an approval from the CNIL,” Numerama’s Guillaume Champeau told TorrentFreak.

Guillaume says that in order to obtain this approval, the four rights holder organizations – SCPP, SPPF, ALPA, SACEM/SDRM – submitted an application in which they described the security measures TMG was forced to abide by.

“But it appears TMG did not abide by all of these requirements, and even the rights holders organizations did not. For instance, they said they would audit TMG every quarter, which they didn’t,” he adds.

“As these rights organizations are the ones who where directly in touch with the CNIL, as they are legally speaking ‘in charge of the collection’ of the IP addresses, they are the ones who may be found in violation of their pre-approval promises.”

Source: Government Concludes Investigation Following Anti-Piracy Data Breach

Popularity: unranked [?]

Last week the MPAA-supported lobby group AFACT released a study claiming that 72 percent of people would stop downloading infringing content if their Internet provider warned them.

The results claimed to support the effectiveness of a 3-strikes system for copyright infringers, but those who took a closer look saw that this was not the case.

As we pointed out, the results could also show that none of the current file-sharers would be deterred, as the question was also answered by the 78 percent of people who don’t even use file-sharing software.

The press release was nothing more that a cheap and misleading marketing stunt and it’s tricks like this that are causing the anti-piracy lobby to lose credibility at a rapid pace.

Just a few hours ago AFACT came out with another press release. This time they plug the results of a study they appear to be unrelated to, conducted by the University of Ballarat’s Internet Commerce Security Laboratory (ICSL). These are the same researchers who released some rather incompetent reports in the past, but their latest study shows signs of improvement.

As AFACT is happy to point out, the researchers conclude that 97.2 percent of the most popular files on BitTorrent are infringing (and that a lot are faked). Although this conclusion is probably not too far off, not all journalists are eager to pick it up as some are starting to see that AFACT has a habit of twisting the truth.

In a piece titled “Fooling some of the media, some of the time,” Canberra Times journalist Myles Peterson explains his concerns.

When Peterson received the three-strikes study press release last week he couldn’t help but notice that News Corp newspapers received the details before ‘regular’ journalists did. Yes indeed, that is the same News Corp organization that is a partner of anti-piracy groups such as IPAF, DEAA and AFACT.

“Last Monday, The Australian ran a full-court press in print and online dubbed ‘Piracy, the disease that’s crippling our creative industries’, comprising a number of articles from various angles, all attacking the scourge of online file sharing. Articles also appeared in News Corp tabloids The Adelaide Advertiser and The Daily Telegraph,” Peterson writes.

“That’s odd, I thought. The avalanche of coverage seemed to disproportionately reference the new study. Would a media outlet co-operate with a lobby group to generate mass coverage of a topic, I wondered.”

While following up on the study, Petersen noticed that various Australian anti-piracy outfits are conveniently sharing personnel. This, added with the recent Wikileaks revelation that the MPAA is the driving force behind these groups, lead to further doubts. They were only heightened when the obvious flaws in the ‘independent’ study were pointed out by us.

Using journalists in a propaganda war orchestrated by foreign companies wasn’t a very pleasant thought to Petersen.

“The story behind the stories, both those that appeared in News Corp media and TorrentFreak’s balancing rebuttal, stayed with me, as did a series of worrying questions. Are AFACT, the DEAA and IPAF being co-ordinated by the same group of people? Are these people being directed by the Motion Picture Association of America, as the WikiLeaks cable suggested? ” he writes.

“What stuck with me most was a similar concern to one uttered recently by Australian Greens leader Senator Bob Brown. Did a group of journalists put together a press campaign based on a biased study supplied by a lobby group that represents their own employer?”

And if that’s not bad enough, in a few days the anti-piracy outfits have a meeting at the Federal General Attorney’s office to push their agenda at the highest level. The fear is that this talk will be far from balanced, and we can only hope that the hosts will be able to see through it.

“When our federal lawyers host these lobby groups at the end of the week, I hope they cast a more critical eye over any research presented than certain media outlets did. I also hope they are able to work out which person in the room represents the ACIG, AFACT, DEAA, IPAF, MPA, MPAA or all of the above,” Petersen concludes.

The good news is that the piece in the Canberra Times shows that not all journalists are indirectly working for the MPAA. Increasingly, we see skepticism towards the continuous stream of anti-piracy propaganda and more room for a sensible discussion about the topics at stake. Perhaps the tide is turning?

Source: Press Starts to Doubt Anti-Piracy Propaganda Machine

Popularity: unranked [?]

Although New Zealand’s Copyright (Infringing File Sharing) Amendment Act 2011 doesn’t come officially into force until 1st September, last week saw the beginning of P2P network monitoring which can be backed up by action under the new legislation.

As should be clear by now, those who are found to be uploading copyright material are first sent two warnings via their ISP. After a third, copyright holders are able to take Internet account holders to the Copyright Tribunal where they will face fines of up to $15,000 and disconnection.

The legislation has been widely opposed, but complaints have fallen mostly on deaf ears. Today the head of one New Zealand’s largest ISPs added his personal dissenting voice to the mix in an announcement which criticizes the legislation, the outdated business models of the entertainment industries and lack of consumer choice.

“TelstraClear respects copyright and supports the ability of rights owners to realise value from their intellectual property. But a business model that has to be propped up by specific legislation in this way is flawed and needs to change,” Freeth begins.

TelstraClear has been opposing the 3 strikes legislation for some time. In 2009, TelstraClear said that following “an unprecedented large reaction from customers” it would not support a code of practise designed to support a “guilty upon accusation” law with which the company didn’t agree. The legislation was subsequently softened.

But Freeth says that today, even with 3 strikes on the table, the legislation will fail to produce the effect required by copyright holders.

“It may encourage parents to take more notice of what their kids are doing online, and that’s a good thing,” he says. “But it won’t stop those who really want content from getting it.”

The problem, he notes, isn’t so much stopping piracy by force, but by giving customers the content they want.

Freeth says that a 2009 TelstraClear survey showed that customers who download copyright content were not only “tired of paying too much, and waiting too long”, but viewed physical distribution models as outdated and out-of-touch.

“These are the opinions of the ‘now’ generation, and the growing population that has never experienced the world without a TV, the internet, and the freedom this offers,” he says.

“New Zealand’s distance from the source of much content has been conquered by online access, but simply making it available online while retaining old price structures and wait times doesn’t work.”

Freeth highlights some interesting points from the survey which are potential positives for artists but not necessarily good news for their gatekeepers – the rights holders and distributors.

“Respondents suggested building a stronger direct connection between the artist and end-user to reduce the old-world overheads and online purchase price,” says Freeth.

Building stronger connections between artists and consumers is indeed an effective way to cut out the ‘middle-man’. But of course, it’s the middle-man that aggressively lobbied for this new legislation in the first instance in order to protect his business models.

Freeth adds that their survey respondents were also keen to alter the focus of copyright law, to punish those who try to profit from infringement instead of targeting the consumer.

“As stated, TelstraClear respects copyright, but we respect the ever-changing needs of our customers too. At present, they are being denied the freedom to choose by companies intent on propping-up old world business models.

“Rather than investing in innovative ways to legally provide people with the content they want, whether music or movies, pictures or programmes, these companies choose to pressure governments into legislating.”

In summing up, Freeth says that instead of bringing in useless laws the New Zealand government “should be breaking monopolies”, thereby creating an environment where citizens of the country can legitimately obtain content in a timely and cost-effective manner.

“Instead,” he concludes, “it has chosen to introduce a law that could turn ordinary Kiwis into law-breakers.”

Source: ISP CEO Slams Copyright Law and Outdated Business Models

Popularity: 1% [?]

For New Zealand-based Internet users, today is the big day. Although the Copyright (Infringing File Sharing) Amendment Act 2011 doesn’t come into force until 1st September, infringements can be back-dated for 21 days so pirates on P2P networks are probably being logged right now.

Those who are discovered uploading copyright material are first sent two warnings via their ISP. On receipt of a third, copyright holders can take Internet account holders to the Copyright Tribunal where they will face fines of up to $15,000 and disconnection.

While it may sound straightforward, the steps in the previous paragraph face problems. At best the evidence gathered by rights holders is only accurate enough to identify an ISP account from where an infringement took place, it cannot identify the actual infringer. The New Zealand government have dealt with this eventuality by making account holders responsible for infringements even if they didn’t carry them out.

This situation hasn’t gone unnoticed by Reddit user “drunkonthepopesblood” who says he has somehow gained access to the Internet via a government-owned connection (he doesn’t say how – could be wireless, he could be a government worker) and is now sharing copyright material.

“I’m officially downloading copyrighted material on P2P protocol on Government ISP. Lets see what happens,” he announced.

Several hours later his update read: “6:30am no signs of a dawn raid & thoroughly enjoying all of my newly acquired Miley Cyrus movies and soundtracks.”

The clear intention here is for the government to receive 3 strikes warning notices from the entertainment companies’ P2P monitoring partners so that they are disconnected from the Internet – to give them taste of their own medicine, if you will.

Gareth Hughes, ICT spokesman and MP for the Green Party has been an outspoken critic of the 3 strikes legislation. Even so, it was quite a surprise to see him pop up during the Reddit discussion.

“Wow that was fast, but not surprising,” he said in response to the attempt at framing the government for illicit sharing.

“I asked a series of questions [in] Parliament about this yesterday and have written to the Speaker because I don’t think he’s considered the impact this will have on him – as [the] account holder responsible for all alleged infringements,” he added.

“This law could bring the gears of government to a grinding halt because the holder of the account — Parliamentary Services — provides internet access to hundreds of users anyone of whom could cause infringement notices to be sent,” he noted in a separate statement Wednesday.

Hughes also levelled criticism at the government when it was revealed that the official website informing the public of the law’s implications won’t be launched until next Wednesday, one week after the infringement process begins.

“The Government has a responsibility to ensure that public institutions can navigate around the new law and not run the risk of fines or disconnection,” said Hughes.

“By not providing information or advice and relying on InternetNZ, Internet Service Providers, and the media, Mr Power has left schools and universities in a legal grey area.”

Hughes raised the issue with Commerce Minister Simon Power during a parliamentary session yesterday (video embedded below) but the question was disallowed.

However, perhaps the most disappointing part of the video comes at 4m 28s as Hughes asks Simon Power what the government is doing to encourage legal downloading, such as the uptake of Netflix.

“That is a good question,” said Power, laughing into his response.

“Because I have no idea what [Hughes] is referring to…”

Source: New Zealand 3 Strikes Begins But Pirate Sabotage Is In The Air

Popularity: 1% [?]

In February 2009, IRMA – representing EMI, Sony, Universal and Warner – reached an 11th hour out-of-court settlement with Irish ISP Eircom on the issue of illicit file-sharing. The deal would see Eircom introduce a graduated response system for dealing with errant subscribers.

“Eircom is proceeding with implementation of the protocol which could result in the suspension and ultimately disconnection of broadband service for those customers who deliberately and persistently infringe copyright,” the company said in a December 2010 statement, reiterating their commitment to the scheme.

But little did we know that the fears of “3 strikes” opponents had already come true.

From deep inside the “how the hell did the majority of the media miss this department”, it now becomes clear that by October 2010, Eircom had already sent out around 300 warning letters to completely innocent subscribers.

The company seems to have tried to play down the error saying that computer clocks were incorrectly adjusted to compensate for daylight saving time, some comfort to the unlucky letter recipients.

According to TJ McIntyre at digital rights site EDRI.org, as a result of this failure the Irish Data Protection Commissioner is now investigating the entire Eircom scheme.

“The significance of this case goes well beyond simple technical failings however, as the complaint to the Data Protection Commissioner (DPC) has triggered a wider investigation of the legality of the entire three strikes system,” he writes.

The DPC is said to be not only investigating the complaint but also “whether the subject matter gives rise to any questions as to the proportionality of the graduated response system operated by Eircom and the music industry.”

McIntyre says that when the Eircom/IRMA deal was being agreed, the DPC expressed concerns with it, not least over the question of whether or not IP addresses are personal data. However, until someone raised a complaint, that issue was put on the back burner. The delivery of 300 false “first strike” warning letters appears to have met that criteria.

“The complaint in this case has now triggered that action, and it seems likely that the Commissioner will reach a decision reflecting his previous views that using IP addresses to cut off customers’ internet connections is disproportionate and does not constitute ‘fair use’ of personal information,” McIntyre explains.

“If so, the Commissioner has the power and indeed the duty to issue an enforcement notice which would prevent Eircom from using personal data for this purpose – an outcome which would derail the three strikes system unless Eircom successfully challenges that notice before the courts, or unless the music industry were to succeed in its campaign to secure legislation introducing three strikes into Irish law.”

The way this story has flown largely under the mainstream tech news radar will have been a relief to Eircom and IRMA. Something tells us that is about to change.

Source: ISP Wrongfully Sent 300 “First Strike” Letters To Innocents

Popularity: 1% [?]

As detailed in our earlier reports, anti-piracy company Trident Media Guard (TMG) recently failed to secure some of their systems. Blogger and security researcher Olivier Laurelli, aka Bluetouff, originally reported the breach which included a wide open virtual ‘test’ machine containing various tools. These, of course, spilled into the wild.

From the various files made available, some were easily viewable with a standard text editor, others – such as an executable called server_interface.exe – were more tricky. Thanks to a admittedly fairly hostile Full Disclosure security report we now have a clearer idea of what the package is capable of.

Penned by ‘CULT OF THE DEAD HADOPI’, the report refers to TMG as “Too Many Gremlins” along with reports not to expose them to bright lights. In it the server_interface.exe code is described as a Delphi service to which anyone can connect and start sending commands, no authentication (username/password) required. Perhaps even more worrying is a script which accepts auto-updates.

“An attacker can use the ‘Auto Update’ feature (\x82) to force the server to download updates from an evil FTP server he controls. Of course, a downloaded file is executed
just after the download,” write the researchers.

“Hence, anyone who wants to raise an army against Too Many Gremlins, look for an open port on TCP 8500,” they add.

The implication here is that if this software was present on all TMG servers, in addition to being able to turn them on and off at will a hacker could take them over with custom code of his own choosing, potentially creating “an army” which could be used to attack TMG or indeed, anyone else.

Commenting on the research, Bluetouff told TorrentFreak that the discovery of the vulnerabilities mean that the French 3 strikes program might already have been compromised.

“If TMG is vulnerable to injectioning on the system used to provide IP addresses to the HADOPI, the whole process is fu**** up,” he explained.

“Someone could for example inject the Culture Ministry’s IP range, or worse, gain access between TMG and HADOPI’s VPN by stealing certificates… then gain access to a huge amount of personal data,” he added.

“For instance we don’t know if this new ‘test server’ leak can compromise the LAN(S) of TMG with this exploit. Opacity is even for HADOPI. That’s why they went to audit TMG’s infrastructure with the CNIL [French Data Protection Office].”

“Anyway, this new episode shows that HADOPI was right to close their access,” he concludes.

That closure of access is a reference to Hadopi severing their Internet links to TMG once they found out about the leak and resorting to shifting IP addresses around by DVD and the postal system instead. That is hardly efficient and undoubtedly TMG will be working hard to get back into the 21st century.

Source: Major Vulnerability Found in Leaked Anti-Piracy Software

Popularity: unranked [?]

On Saturday evening, with the invaluable assistance of blogger and security researcher Olivier Laurelli, aka Bluetouff, TorrentFreak first reported that Trident Media Guard (TMG), the private company entrusted to carry out file-sharing network monitoring for the French government, had been hacked.

As became evident, the term ‘hacked’ was probably overly generous to TMG, since according to Bluetouff the company had left the equivalent of its front door open.

“A virtual machine leaked a lot of information like scripts, p2p clients to generate fake peers, local physical addresses in the datacenter and even a password that could lead to a major global TMG security breach,” he explained.

TorrentFreak obtained and listed some of the files in question in our earlier report, but as the contents of the leak were examined in more detail, it became evident that TMG had not only leaked out its own data, but that belonging to the subjects of their monitoring.

The day after our report, Guillaume Champeau of Numerama, a publication which follows French file-sharing issues in-depth, contacted TorrentFreak to say he had been able to show that IP addresses linked to the 3-strikes process may also have been leaked. He informed the HADOPI agency of his find which led to them to report that they were taking the matter “very seriously”.

Indeed, that concern has been followed by an announcement from Eric Walter, the secretary-general of HADOPI. Walter, a friend of French President Nicolas Sarkozy, who now confirms that “as a precaution Hadopi has decided to temporarily suspend its interconnection with TMG.”

What this effectively means is that since TMG is the only company licensed to do this work for the government, from now on and pending a review, the French 3 strikes regime for dealing with illicit file-sharing is suspended. Data gathered before Saturday evening, however, can still be used.

This suspension will be seen by some as a major embarrassment for President Sarkozy. France has taken a particularly hard-line approach to unlawful file-sharing and the government has continually brushed aside calls from the public and various watchdogs to consider more carefully the privacy and related rights issues connected with such a regime.

Source: French 3 Strikes Suspended Due To Anti-Piracy Security Alert

Popularity: 1% [?]

In a surprise development, during the next few hours New Zealand’s government is to rush through legislation that will target Internet users who share copyrighted material online without rightsholder permission.

The Copyright (Infringing File Sharing) Amendment Bill, which unanimously passed its first reading in Parliament in April 2010, will put in place a 3 strikes-style regime, whereby Internet service providers will be initially required to send warning letters to alleged infringers at the behest of rights holders.

New Zealand’s Copyright Tribunal will be empowered to rule on cases of alleged repeat infringement and will be given the authority to hand down fines up to a maximum of $15,000 ($11,733 US).

For repeat offenders, a six month period of Internet disconnection may be applied, a measure too far for Green MP Gareth Hughes who wasn’t even aware the Bill was coming up today.

”It really surprised me because we haven’t debated it since November,” he said.

Hughes later confirmed he would request an amendment to remove the suspension clause but a spokesperson for Commerce Minister Simon Power said it would be opposed. While the Greens are against disconnections, they supports the Bill in principle.

Today’s second reading of the Bill is being accompanied by a Supplementary Order Paper (SOP) which in part is aimed at clarifying burden of proof issues in a current clause.

According to intellectual property lawyer Rick Shera, the clause created a presumption in favour of copyright owners and the changes being considered remove the reference to the presumption of guilt being “conclusive”.

“I do act for a number of copyright owners, I can’t see why there is a need for a presumption, I mean if copyright owners are sure of their evidence then they would simply submit that evidence to the copyright tribunal,” Shera told NBR. “The tribunal is perfectly capable of weighing up whose evidence is better, that’s what tribunals do all the time.”

The Bill is expected to pass its third and final stage during the next few hours. The news is already causing protests on Twitter, where users are calling for a repeat of last year’s demonstrations.

TorrentFreak

Popularity: unranked [?]

For the past several years, the music industry has championed the need for a 3 strikes-style regime in order to combat illicit file-sharing. The idea is that when someone is monitored illegally sharing files, they are sent a warning letter via their ISP. On receipt of a third such warning the recipient will find his connection to the Internet temporarily severed.

On April 1st 2009, South Korea took a step into the unknown by passing legislation to begin such a regime. By July 2009, warnings were being delivered to users via their ISPs and now, thanks to work by Heesob Nam, the results of the first 6 months of the scheme are available, as shown in the table below:

Interestingly, ‘Suspension of User Account’ – the 3rd strike – hasn’t been used at all in any case. So, while on one side people will argue that a 3 strikes regime was never necessary, others in the music industry will no doubt frame it differently – that the threat was necessary to force compliance and has been proven to be 100% effective. Whether that trend continued for the rest of 2010 remains to be seen.

However, a unique aspect of the South Korean implementation of 3 strikes is that it applies to websites too. If found to be continually hosting infringing content, either as reported by copyright holders or at the discretion of the government, sites run the risk of being shut down by the authorities.

It is of great interest, then, that while the above figures show zero disconnections for the the first 7 months of the scheme, the same will not be true when March 2011′s figures are reported.

The South Korean authorities have just announced they have conducted a major crackdown on some of the country’s top cyberlocker/file-hosting services.

According to the Ministry of Culture, 19 “die-hard” sites were targeted in the operation which was carried out by dozens of investigators over the past several days.

Together the sites are reported to have served between 2 million and 4 million users, and in common with pending cases in the United States, prosecutors in South Korea claim that the sites encouraged those users to upload infringing material.

So far around 1000 TB of data has been seized and the prosecutors say work is now underway to identify the heaviest uploaders. Since South Korea’s 3 strikes law allows action to be taken against those who continually upload infringing content even to file-hosting sites, Internet suspensions could be on the way.

TorrentFreak

Popularity: 1% [?]

Hadopi, the French authority with responsibility for issuing warnings to illicit file-sharers, has just announced that so far it has sent out 100,000 email warnings. While the figure is far below the 50-70,000 reports filed by the entertainment industry every day, around 15% of warning recipients have responded by email, some with confessions, some with confusion.

According to those involved in France’s “3 strikes” illicit file-sharing process, the Hadopi authority has sent a total of 100,000 warning emails to Internet account holders since October.

The figure is substantially below the requirements of the entertainment industries who had begun sending complaints to Hadopi at the rate of 25,000 per day in the hope that they would all be passed on. They weren’t, but that didn’t stop the submissions quickly reaching 50,000 per day. The total capacity is 70,000 per day.

The complaints bottleneck has continued, with magistrates involved in the process informing Le Figaro this week that since November Hadopi has been sending out warning emails at the rate of 2,000 per day.

This much lower rate was set for a reason. Ever since its inception critics have believed that the system would be prone to error and innocent people would be accused of offenses they didn’t commit. That may well prove to be the case, but by keeping the numbers down the error rate will stay low too, an essential requirement if people are to have confidence in the process.

Magistrates involved in the process say “It’s too early to conclude” if the emails will have the required long-term effect on recipients. However, they say that around 15% of those receiving these first warnings have actually responded to them by email.

The warning emails don’t currently mention the infringing material in question, so some responses request additional information on which files the warning refers to. According to Jacques Bille from the Court of Auditors, the omission is deliberate to avoid embarrassment, such as wives and girlfriends discovering their partners have downloaded something questionable.

While some warning recipients simply confess and swear not to do it again, others are reportedly making their excuses. Only time will tell if they have a case, and if that case is heard to their satisfaction as has been promised.

Next year its inevitable that the 2,000 emails being sent out daily will increase and according to Jacques Bille, with this comes a dilemma.

“Either we send out hordes of emails and be seen as horribly repressive,” he told Le Figaro, “or we are more cautious and we qualify as ineffective.”

In January 2011, things will step up a gear, with Hadopi sending out more emails and then letters by registered mail to repeat offenders. The promise is that repeat offenders face having their Internet disconnected. Quite when that will happen, 2011 or 2012, remains to be seen, but the entertainment industries want action, quickly.

Article from: TorrentFreak.

Popularity: 1% [?]