Peer-To-Peer News - The Week In Review - May 11th, ’24

[JackSpratts]

Since 2002































May 11th, 2024




Broadband Internet Services are Disrupted in Most Parts of Nepal
Binaj gurubacharya

Broadband internet was disrupted in many parts of Nepal on Thursday as Indian vendors from whom most Nepali private operators source the bandwidth stopped providing the services because of payment defaults.

Private internet service providers in Nepal issued notices saying their services were either disrupted or connections were slow. The state-run Nepal Telecom was still continuing to provide internet services.

Two private mobile services operating in Nepal were working, but their internet speed was affected.

Private ISPs in Nepal haven’t been able to pay the Indian vendors for months as the government hasn’t provided them foreign currency from the banks to make the payments. The government has been refusing to do so until the private companies clear taxes on certain services they provide.

The private companies say they are exempted from such taxes.

Wlink Communications, the largest ISP in Nepal, blamed the government for the disruption.

“Our upstream provider has disconnected our internal links citing nonpayment,” the Wlink notice said. “ISPs in Nepal have not been able to remit such payments as we are unable to obtain permission from the Nepal government for foreign exchange.”

There was no immediate comment from the government.
https://apnews.com/article/nepal-int...555df2e9cae793





Full Repairs to Damaged Red Sea Internet Cables Delayed by Yemen Political Splits

• Yemeni government refuses permit for third cable repair
• Repairs to Seacom and EIG cables to start imminently

Mohammed Hatem and Olivia Solon

Full repairs to three submarine internet cables damaged in the Red Sea in February are being held up by disputes over who controls access to infrastructure in Yemeni waters.
The Yemeni government has granted permits for the repair of two out of three cables, but refused the third because of a dispute with one of the cable’s consortium members.

Repairs to the Seacom and EIG cables have been approved, but the consortium that runs AAE-1, which includes telecommunications company TeleYemen, was not granted a permit by Yemen’s internationally recognized government, according to documents seen by Bloomberg.

Three out of more than a dozen cables that run through the Red Sea, a critical route for connecting Europe’s internet infrastructure to Asia’s, were knocked offline by the Houthi-sunk Rubymar vessel in late February. Although the telecommunications data that passes along the damaged cables was re-routed, the incident highlighted the vulnerability of critical subsea infrastructure and the challenges of making repairs in a conflict zone.

The dispute over the third cable derives from the split political control of TeleYemen, the country’s sole telecommunications provider, a reflection of the country’s broader geopolitical divisions. The company has two branches, one in Aden under control of the internationally recognized Yemeni government, and the other in Sanaa under the control of the Houthi militia group. The Yemeni government refused to cooperate with the Houthi-linked part of TeleYemen associated with the AAE-1 cable consortium and sought to appoint a representative from the Aden branch, according to the documents. But the consortium didn’t approve the alternative representative and Yemen’s government declined to grant a permit, according to the documents.

The Aden branch of TeleYemen, affiliated with the Yemeni government, wrote a letter to Yemen’s Telecommunications Ministry demanding that E-Marine provide a £10 million ($12.5 million) bank guarantee to ensure it would not carry out any repairs on the AAE-1 cable when the company was fixing the other two cables until the dispute was resolved. The ministry initially approved the condition, according to the documents, but Yemen’s cabinet decided it wasn’t necessary, a senior government official told Bloomberg.

E-Marine did not immediately respond to a request for comment. The Houthi telecommunications ministry did not immediately respond to a request for comment.

It’s unclear if the Houthis, an Iran-backed militia group which controls much of Yemen’s Red Sea coastline, including the key port of Hodeida, will let E-Marine fix the two cables. The group, which has been attacking ships in the area with drones and missiles for months, has previously said only it can grant permission for the repairs.

The repair ships will take about a week to reach the cables and then approximately two days to fix each one, according to Seacom Ltd.’s Prenesh Padayachee. The cables will be lifted to the surface and fresh cable will be spliced in to replace the damaged sections.

The repair crew will also assess the Rubymar, the Houthi-sunk ship whose anchor most likely severed the cables in February. Seacom estimates that the ship is currently about 1 kilometer away from its cable, Padayachee said, and seems to be stable.

“But we don’t want to do a repair and then have this vessel falling into the new cables,” he said. “In all likelihood it will have to be moved.”

The three damaged cables carry about 25% of traffic in the region, according to estimates from Hong Kong-based internet provider HGC Global Communications, which uses the cables.

— With assistance from Paul Wallace
https://www.bloomberg.com/news/artic...litical-splits





Novel Attack Against Virtually All VPN Apps Neuters Their Entire Purpose

TunnelVision vulnerability has existed since 2002 and may already be known to attackers.
Dan Goodin

Researchers have devised an attack against nearly all virtual private network applications that forces them to send and receive some or all traffic outside of the encrypted tunnel designed to protect it from snooping or tampering.

TunnelVision, as the researchers have named their attack, largely negates the entire purpose and selling point of VPNs, which is to encapsulate incoming and outgoing Internet traffic in an encrypted tunnel and to cloak the user’s IP address. The researchers believe it affects all VPN applications when they’re connected to a hostile network and that there are no ways to prevent such attacks except when the user's VPN runs on Linux or Android. They also said their attack technique may have been possible since 2002 and may already have been discovered and used in the wild since then.

Reading, dropping, or modifying VPN traffic

The effect of TunnelVision is “the victim's traffic is now decloaked and being routed through the attacker directly,” a video demonstration explained. “The attacker can read, drop or modify the leaked traffic and the victim maintains their connection to both the VPN and the Internet.”

The attack works by manipulating the DHCP server that allocates IP addresses to devices trying to connect to the local network. A setting known as option 121 allows the DHCP server to override default routing rules that send VPN traffic through a local IP address that initiates the encrypted tunnel. By using option 121 to route VPN traffic through the DHCP server, the attack diverts the data to the DHCP server itself. Researchers from Leviathan Security explained:

Quote:

Our technique is to run a DHCP server on the same network as a targeted VPN user and to also set our DHCP configuration to use itself as a gateway. When the traffic hits our gateway, we use traffic forwarding rules on the DHCP server to pass traffic through to a legitimate gateway while we snoop on it.

We use DHCP option 121 to set a route on the VPN user’s routing table. The route we set is arbitrary and we can also set multiple routes if needed. By pushing routes that are more specific than a /0 CIDR range that most VPNs use, we can make routing rules that have a higher priority than the routes for the virtual interface the VPN creates. We can set multiple /1 routes to recreate the 0.0.0.0/0 all traffic rule set by most VPNs.

Pushing a route also means that the network traffic will be sent over the same interface as the DHCP server instead of the virtual network interface. This is intended functionality that isn’t clearly stated in the RFC. Therefore, for the routes we push, it is never encrypted by the VPN’s virtual interface but instead transmitted by the network interface that is talking to the DHCP server. As an attacker, we can select which IP addresses go over the tunnel and which addresses go over the network interface talking to our DHCP server.

We now have traffic being transmitted outside the VPN’s encrypted tunnel. This technique can also be used against an already established VPN connection once the VPN user’s host needs to renew a lease from our DHCP server. We can artificially create that scenario by setting a short lease time in the DHCP lease, so the user updates their routing table more frequently. In addition, the VPN control channel is still intact because it already uses the physical interface for its communication. In our testing, the VPN always continued to report as connected, and the kill switch was never engaged to drop our VPN connection.

The attack can most effectively be carried out by a person who has administrative control over the network the target is connecting to. In that scenario, the attacker configures the DHCP server to use option 121. It’s also possible for people who can connect to the network as an unprivileged user to perform the attack by setting up their own rogue DHCP server.

The attack allows some or all traffic to be routed through the unencrypted tunnel. In either case, the VPN application will report that all data is being sent through the protected connection. Any traffic that’s diverted away from this tunnel will not be encrypted by the VPN and the Internet IP address viewable by the remote user will belong to the network the VPN user is connected to, rather than one designated by the VPN app.

Interestingly, Android is the only operating system that fully immunizes VPN apps from the attack because it doesn't implement option 121. For all other OSes, there are no complete fixes. When apps run on Linux there’s a setting that minimizes the effects, but even then TunnelVision can be used to exploit a side channel that can be used to de-anonymize destination traffic and perform targeted denial-of-service attacks. Network firewalls can also be configured to deny inbound and outbound traffic to and from the physical interface. This remedy is problematic for two reasons: (1) a VPN user connecting to an untrusted network has no ability to control the firewall and (2) it opens the same side channel present with the Linux mitigation.

The most effective fixes are to run the VPN inside of a virtual machine whose network adapter isn’t in bridged mode or to connect the VPN to the Internet through the Wi-Fi network of a cellular device. The research, from Leviathan Security researchers Lizzie Moratti and Dani Cronce, is available here.
https://arstechnica.com/security/202...ntire-purpose/





FCC Explicitly Prohibits Fast Lanes, Closing Possible Net Neutrality Loophole

Putting applications into fast lanes would violate FCC's no-throttling rule.
Jon Brodkin

The Federal Communications Commission clarified its net neutrality rules to prohibit more kinds of fast lanes.

While the FCC voted to restore net neutrality rules on April 25, it didn't release the final text of the order until yesterday. The final text has some changes compared to the draft version released a few weeks before the vote.

Both the draft and final rules ban paid prioritization, or fast lanes that application providers have to pay Internet service providers for. But some net neutrality proponents raised concerns about the draft text because it would have let ISPs speed up certain types of applications as long as the application providers don't have to pay for special treatment.

The advocates wanted the FCC to clarify its no-throttling rule to explicitly prohibit ISPs from speeding up applications instead of only forbidding the slowing of applications down. Without such a provision, they argued that ISPs could charge consumers more for plans that speed up specific types of content.

Advocates warned that mobile carriers could use the 5G technology called "network slicing" to create fast lanes for categories of apps, like online gaming, and charge consumers more for plans that speed up those apps. This isn't just theoretical: Ericsson, a telecommunications vendor that sells equipment to the major carriers, has said the carriers could get more money from gamers by charging "up to $10.99 more for a guaranteed gaming experience on top of their 5G monthly subscription."

No speeding up or slowing down

Net neutrality proponents argued that these separate lanes for different kinds of traffic would degrade performance of traffic that isn't favored. The final FCC order released yesterday addresses that complaint.

"We clarify that a BIAS [Broadband Internet Access Service] provider's decision to speed up 'on the basis of Internet content, applications, or services' would 'impair or degrade' other content, applications, or services which are not given the same treatment," the FCC's final order said.

The "impair or degrade" clarification means that speeding up is banned because the no-throttling rule says that ISPs "shall not impair or degrade lawful Internet traffic on the basis of Internet content, application, or service."

Net neutrality advocates praised the change. The final rule "prohibits 'fast lanes' and other favorable treatment for particular applications or content even when the edge provider isn't required to pay for it... For example, mobile carriers will not be able to use network slicing to offer broadband customers a guaranteed quality of service for video conferencing from some companies but not others," said Michael Calabrese, director of the Open Technology Institute's Wireless Future Project.

Stanford Law professor Barbara van Schewick said the FCC's "final order makes clear that the no-throttling rule prohibits ISPs from speeding up as well as slowing down apps or categories of apps. That's because treating some favored applications better than others has the same effect as slowing down disfavored apps—it makes it harder for the disfavored apps to compete."

FCC ditched case-by-case approach

Under the draft version of the rules, the FCC would have used a case-by-case approach to determine whether specific implementations of what it called "positive discrimination" would harm consumers. But the updated language in the final order "clearly prohibits ISPs from limiting fast lanes to apps or categories of apps they select," leaving no question as to whether the practice is prohibited, van Schewick wrote in a statement provided to Ars.

Under the original plan, "there was no way to predict which kinds of fast lanes the FCC might ultimately find to violate the no-throttling rule," she wrote. "This would have given ISPs cover to flood the market with various fast-lane offerings, arguing that their version does not violate the no-throttling rule and daring the FCC to enforce its rule. The final order prevents this from happening."

In one FCC filing, AT&T promoted network slicing as a way "to better meet the needs of particular business applications and consumer preferences than they could over a best-efforts network that generally treats all traffic the same." AT&T last week started charging mobile customers an extra $7 per month for faster wireless data speeds, but this would likely comply with net neutrality rules because the extra speed applies to all broadband traffic rather than just certain types of online applications.

Any plan to put certain apps into a fast lane will presumably be on hold for as long as the current net neutrality rules are enforced. Broadband providers plan to sue the FCC in an effort to block the regulation. And because Congress hasn't enacted a net neutrality law, it's always possible that a future Republican FCC majority would reverse the current Democratic majority's decision.
https://arstechnica.com/tech-policy/...lity-loophole/





Comcast Now Offers No-Data-Cap, No-Contract Broadband Nationwide

Now Internet, starting at $30/month, leads a family of prepaid services that includes video and wireless. But if you already subscribe to Xfinity, you’ll need to remove it from your account.
Rob Pegoraro

A new broadband service from Comcast comes with a sales pitch that looks like the work of a different company: no data cap, no hardware fees, no contract, and no prices that balloon after a promotional term.

But the Philadelphia cable giant’s Now Internet, available as of Thursday throughout its service footprint after trials in Hartford-New Haven, Houston, and Miami, doesn’t replace its Xfinity-branded broadband.

Instead, Now Internet is a prepaid offering with slower download speeds than most Xfinity plans, which usually start at 300Mbps and top out at 1.2Gbps or 2Gbps except in fiber-upgraded pockets of Comcast’s network, where subscribers willing to pay $300 a month can get 10Gbps—as well as cheaper and simpler pricing.

A $30 plan advertises 100Mbps downloads, while a $45 option brings 200Mbps downloads, and neither requires signing a contract or involves a promotional rate that goes away after the first year or two.

Should Congress find a way to restore funding for the FCC’s Affordable Connectivity Program, those monthly costs would drop to free and $15 for qualifying lower-income households.

The FCC-mandated broadband-facts labels for each Now Internet plan specify "typical" downloads above those touted numbers—115.59Mbps and 234.27Mbps—and uploads at 11.68Mbps.

Neither plan comes with Xfinity’s 1.2TB monthly data cap, with overage fees of $10 for each 50GB, that Comcast enforces outside of the Northeast markets where it often competes with Verizon’s Fios fiber-optic broadband. And both include a free Wi-Fi modem, although spokesman Joel Shadle says this gateway only supports the older Wi-Fi 5 specification.

(The latest xFi gateway that Comcast charges Xfinity subscribers $15 a month to use includes the faster Wi-Fi 6E standard; you can avoid that charge by buying your own hardware, an option Comcast does not support with Now Internet.)

Comcast’s marketing positions Now Internet against fixed-wireless home broadband from AT&T, T-Mobile, Verizon, and others, which has won over the business of millions of subscribers in recent years. But if you already subscribe to Comcast’s Xfinity service, a FAQ page advises that "you’ll need to remove all other Xfinity services (except Xfinity Mobile)" from your account.

Now Mobile for $25 Per Month

Comcast’s Thursday announcement of Now Internet’s nationwide availability also comes with nationwide availability of a prepaid wireless counterpart: a $25/month Now Mobile plan with unlimited on-phone data—subject to a fine-print limit of 20GB, after which downloads slow to 1.5Mbps and uploads to 750Kbps upload.

Like the Xfinity Mobile service that Comcast launched in April 2017, which has similar small-type speed restrictions above data thresholds that are higher on most of its plans, Now Mobile runs on Verizon’s network and requires either a Now Internet or Xfinity broadband plan.

Unlike Xfinity Mobile, this one doesn’t include access to Verizon’s fast C-band service or even faster but seriously scarce millimeter-wave coverage. The Now Mobile page doesn’t say so directly, but the broadband-facts label and a broadband-disclosures page specify speeds below C-band and mmWave.
https://www.pcmag.com/news/comcast-n...and-nationwide





Inside Libraries' Battle for Better E-Book Access
Jennifer A. Kingson

Librarians are mounting a fierce state-by-state battle against the high prices they pay to provide patrons with e-books — so far, with little to show for it.

Why it matters: The ongoing dispute threatens library patrons' access to e-books.

Where it stands: Publishers typically require libraries to renew the license to each e-book every two years, or after 26 loans — policies that libraries call prohibitively expensive.

• This restricts the number of e-books — particularly popular bestsellers — that they can lend out to patrons, who are angry and baffled by the limitations.
• Readers love the free (to them) apps that allow them to borrow countless e-books and audiobooks: Libby (the dominant one, run by OverDrive) and hoopla.
• But some libraries say that the cost of renewing their contracts with OverDrive and hoopla are prohibitive, so they're dropping the apps — hoopla in particular.

The other side: The Association of American Publishers argues that it must protect the rights of copyright owners — that is, authors — to be fairly compensated for their work.

• hoopla and Libby say they're just the middlemen.
• "It's really not up to us, to be honest," Ann Ford, a vice president at hoopla, tells Axios. "It's the publishers that make the rules."

Driving the news: A Connecticut bill to boost libraries' bargaining power in e-book negotiations was tabled last week after a three-hour debate in the state House of Representatives.

• Similar bills are under consideration in Massachusetts and Rhode Island.
• Seven states took up the issue this year, with about a dozen interested in doing so next year, says Kyle Courtney, a lawyer and Harvard librarian who drafted model e-book legislation for states.

What they're saying: Libraries have a "unique and determinative public mission" that should entitle them to more favorable e-book purchasing terms when using public funds, Courtney tells Axios.

• "These are nonnegotiable contracts, and the libraries have been trying to get a deal for years," says Courtney, co-founder of Library Futures, a nonprofit advocating for libraries' digital rights.
• "We need the coercive power of the state sitting behind us at the table saying, 'We need a special slice of the pie.'"

Flashback: The renewed momentum follows two temporary victories in 2021, when Maryland and New York passed first-in-the-nation laws that were derailed in 2022.

• Maryland's law would have required publishers to supply e-books to libraries on "reasonable terms."
• But after a challenge by the Association of American Publishers on free market and copyright pre-emption grounds, the law was declared "unconstitutional and unenforceable" by a federal court.
• The challenge in Maryland prompted New York Gov. Kathy Hochul to veto a similar measure that had passed through the state legislature virtually unopposed.

How it works: Each publisher sets its own financial terms for each e-book title, with "the big five" publishing houses largely able to call their own shots.

• From there, OverDrive and hoopla take their markup.
• Amazon's publishing arm has been particularly stingy about making its e-books available through libraries.

Follow the money: "For popular trade e-books, libraries often pay $55 for one copy that expires after 2 years (or $550 for one copy for 20 years)," per the American Library Association.

• "Meanwhile, a consumer will pay about $15 for perpetual use."

• "By comparison, libraries can purchase hardcover books for around $18-$20."

• Each e-book can only be lent out to one person at a time, leading to long wait times for patrons.

Reality check: Only a small number of libraries have canceled access because of the expense.

• OverDrive is trying to help libraries slice and dice their collections to provide the maximum number of e-book titles at the lowest cost.
• hoopla offers an analytics program that helps libraries stretch their e-book dollars, plus new features like BingePass that let people stream copious movies and e-books.

"Yes, there still is more progress for us to make" in terms of library pricing, "but we have delivered," Steve Potash, founder and CEO of OverDrive, tells Axios.

• "We will always find opportunities to educate and advocate for publishers, authors and agents that their best interests are served by giving all institutions fair and flexible opportunities to acquire digital books."
• He noted that OverDrive became a certified B corporation in 2017 — and with that, he says, "we have to be advocates for libraries to get the best value proposition."

What's next: Librarians are developing open-source alternatives to Libby and hoopla and testing "experiments with publishers that don't involve restrictive licenses," says Jennie Rose Halperin, director of Library Futures.

• The Palace Project is a nascent e-book delivery platform for libraries backed by the James L. Knight Foundation, a nonprofit called Lyrasis and the Digital Public Library of America.
• The New York Public Library has an open-source initiative called SimplyE.
• A library e-book collaborative called Briet is just getting off the ground.

The bottom line: Librarians are already on the front lines of the nation's social problems — and it's going to be tough for them to simultaneously take on the publishing industry and win.
https://www.axios.com/2024/05/06/lib...cense-policies





Survey: APAC Content Piracy Rises
Colin Mann

Findings from the annual piracy consumer survey conducted by YouGov for the Asia Video Industry Association’s Coalition Against Piracy (CAP) suggest that despite a decrease in piracy on pirate TV boxes, pirate apps and streaming or torrent websites, there has been an increase in the incidence of piracy across the region, climbing from 52 per cent in 2023 to 59 per cent this year due to more piracy on social media and messaging platforms.

Particularly concerning are the increases in the Philippines (12 per cent yoy) and Vietnam (13 per cent yoy), with both countries also now having the region’s highest incidences of piracy amongst their populations, at 70 per cent and 71 per cent, respectively.

The dominance of social media and messaging platforms as the conduit to piracy not only remains, but has grown more severe, increasing by 14 per cent across the region. Meanwhile, only 13 per cent of consumers in the region now access pirated content

Awareness of the negative consequences of piracy (89 per cent) remains extremely high across the region, with consumers being most aware of criminals profiting from pirate services, the risks of malware and the damage piracy causes to local industry being most prominent. And the impact of judicial or administrative orders requiring ISPs to block access to pirate sites is clear, with Indonesian (59 per cent), Vietnamese (54 per cent), Malaysian (42 per cent) and Singaporean (28 per cent) consumers saying they have either stopped entirely or rarely access pirate sites as a direct result of sites being blocked.

The survey shows a dramatic increase in the number of consumers in Asia-Pacific both searching for and accessing pirate content via social media or messaging services. CAP is continuing to work with the major platforms across the region to address this issue but remains concerned with the lack of response from some platforms, notably Telegram.

“We are greatly encouraged by the continuing downward trend of consumers accessing pirate content from illegal websites, which reflects the work done over many years in the region by industry and governments,” commented Matt Cheetham, General Manager of CAP. “However, it is clear that social media and messaging platforms must do more to prevent their services being used to find and access pirate content.”
https://advanced-television.com/2024...-piracy-rises/





Actor Femi Adebayo Raises Concern Over Film Piracy
Nsikak Nseyen

Nollywood actor, Femi Adebayo, has expressed worry over increasing cases of film piracy in the country.

Adebayo took to his instagram page, @femiadebayosalami, on Tuesday, to narrate his ordeal and how he recently came out victorious in his fight against piracy on one of his movies.

He noted that the dividend of the business of filmmaking had not been maximised due to the illegal activities of movie pirates.

Adebayo said: “The Nigerian film industry has experienced exponential growth over the years, but we haven’t been able to maximise the true dividends of this business because of dare devil pirates who benefit where they didn’t sow.

“This is a major reason why investors find it hard to commit their funds to filmmakers. However, through persistence and the use of the legal framework covering intellectual property, we can bring their activities to a gradual halt.

“Several times, I have been a victim of movie pirates and I never spared them. I recently concluded a legal battle with a notable media company that owns a big radio station and also engages in Youtube content distribution.

“During the cinema run of “Survival of Jelili” in 2019, my movie was gathering good numbers at that time. They decided to use my movie poster and title to promote a movie on their platform, thereby deceiving fans and diverting revenue accrued to me.

“It took 3 years, but my trust in the legal and justice system remained unwavering. With the dedication of our legal team, Bola Adebowale & Co Legal Practitioners, who are seasoned professionals with wealth of experience in handling such cases.

“They presented undeniable evidence, put up a strong argument, and took the case to trial. Their promptness, efficiency, and attention to detail played a huge part in the direction of the case. We won and were awarded a total of twenty-five five million Naira.

“This isn’t just my win as a filmmaker and content producer, but a win for all of Nollywood.”

According to him, filmmakers must be ready to fight intellectual property theft and piracy at all levels.

“Every win brings us closer to protecting and getting the true economic value of our works,” he said
https://www.msn.com/en-xl/news/other...cy/ar-BB1lXyfY
















Until next week,

- js.



















Current Week In Review





Recent WiRs -

May 4th, April 27th, April 20th, April 13th

Jack Spratts' Week In Review is published every Friday. Submit letters, articles, press releases, comments, questions etc. in plain text English to jackspratts (at) lycos (dot) com. Submission deadlines are Thursdays @ 1400 UTC. Please include contact info. The right to publish all remarks is reserved.


"The First Amendment rests on the assumption that the widest possible dissemination of information from diverse and antagonistic sources is essential to the welfare of the public." - Hugo Black