P2P-Zone  

09-11-22, 07:31 AM   #1
JackSpratts

Join Date: May 2001
Location: New England
Posts: 10,015
Peer-To-Peer News - The Week In Review - November 12th, 22

Since 2002

"Actually started crying when i saw this i have to pay a fortune for school books now." – TikToker

November 12th, 2022




Z-Library eBook Site Domains Seized by U.S. Dept of Justice
Bill Toulas

Internet domains for the popular Z-Library online eBook repository were seized early this morning by the U.S. Department of Justice, preventing easy access to the service.

Z-Library is ranked in the top 10k most visited websites on the Internet, offering over 11 million books and 84 million articles for free via its website.

Yesterday, the websites hosted at z-lib.org, b-ok.org, and 3lib.net began displaying a message stating that the service was seized by the US DOJ and the Postal Inspection Service.

However, the U.S. Postal Inspector's office told BleepingComputer they were credited in the seizure notice by mistake.

Friday afternoon, the seizure notice on 3lib.net was updated to indicate the domains were seized by the FBI and the United States Attorney's Office for the Eastern District of New York.

"This domain has been seized by the Federal Bureau of Investigation in accordance with a warrant issued pursuant to 18 U.S.C. § 981(b) and 21 U.S.C. § 853(f) by the United States District Court for the Eastern District of New York as part of a law enforcement action," reads the seizure notice.

WHOIS information initially showed that the U.S. government seized the domains and switched their DNS servers to NS1.SEIZEDSERVERS.COM and NS2.SEIZEDSERVERS.COM, two DNS servers commonly used by the U.S. and law enforcement in domain seizures.

However, since then, the DNS servers for these domains have been switched to Njalla, an anonymizing hosting provider. It is unclear how Z-Library could transfer the domains to the new hosting provider.

Name Server: 1-YOU.NJALLA.NO
Name Server: 2-CAN.NJALLA.IN
Name Server: 3-GET.NJALLA.FO

Even though the clearnet sites are still unavailable, the Z-Library is still accessible via its Tor Onion address. However, there is now a notice informing visitors of server problems that may render the service temporarily unavailable.

While the court order for the seizure is unavailable at this time, the site's domains were likely seized because many of the files were uploaded without the license of the original authors.

Furthermore, when BleepingComputer contacted the US DOJ with questions about the law enforcement action and the seizure of the domains, they declined to comment.

However, complaints to copyright protection offices in the past have resulted in legal actions forcing the platform's registrar to seize the Z-Library domains in 2015 and further domain blockages and DMCA notices in the U.S. and France in 2021.

The USTR (United States Trade Representative) has recently launched an investigation on the platform, causing social media platforms where users promoted Z-Library to be more cautious with what is allowed.

As reported by TorrentFreak last week, TikTok decided to block hashtags related to Z-Library, reportedly responding to copyright holders' complaints.

"Reducing user discoverability of content that violates our Community Guidelines is of paramount importance," stated TikTok.

"Accordingly, TikTok proactively blocks search results for terms that violate our Community Guidelines, including terms that relate to counterfeit goods […]. We also recently blocked search results for #zlibrary while our team assesses content associated with that hashtag."

At the time of writing this, the Z-Library channel on TikTok remains accessible, now counting 1.5 billion views.

Z-Library origins

Z-Library started in 2009 as a free file-sharing platform for academic texts and scholarly journal articles, initially acting as a mirror for Library Genesis (Libgen).

Soon though, users started uploading content outside Libgen, so Z-Library gradually became a separate entity while remaining a non-profit, donation-backed platform.

The platform’s infrastructure of globally dispersed servers hosting a database of over 220 TB was supported by paid memberships, while users received unlimited downloads and file conversion perks in return.

At this time, little is known about the platform's operators and commercial status, so Z-Library will likely return to the clearnet using a different set of domains, or possibly even the same ones.
https://www.bleepingcomputer.com/new...pt-of-justice/





People are Blaming Colleen Hoover Fans on TikTok for the Demise of ebook Piracy Site Z-Library

Popular for its extensive archive of free textbooks, ebook piracy site Z-Library was shut down after going viral on TikTok.
Gavia Baker-Whitelaw

Until recently, Z-Library offered a massive directory of free, pirated ebooks and academic journals. But after years of operating in plain sight, Z-Lib’s domains have now been seized by U.S. authorities—and readers on TikTok are blaming fans of romance novelist Colleen Hoover.

Like the Internet Archive, Z-Lib is pretty divisive. A lot of students rely on it to access otherwise-unaffordable textbooks, but it’s predictably unpopular among authors, who see ebook piracy as a threat to their livelihood. As Z-Lib began to gain more mainstream attention over the past year, the Authors Guild filed an official complaint to the Office of the United States Trade Representative, taking aim at piracy and citing TikTok as a key culprit in promoting Z-Lib to a wider audience. Meanwhile, Z-Lib was already facing legal pushback overseas.

If you try to visit Z-Lib today, the domains either fail to load or simply lead to a page that reads, “This domain name has been seized by law enforcement.”

Right now, BookTok is full of readers bemoaning the demise of Z-Lib, many of them focusing on the sudden inaccessibility of academic materials. “Actually started crying when i saw this i have to pay a fortune for school books now,” reads the caption on one TikTok with 3.7 million views.

Interestingly, this TikTok also singles out “a colleen hoover fan” as the reason for Z-Lib’s takedown; a common theme in the resulting BookTok backlash. Hoover is massively popular on the platform, and while TikTokers were promoting Z-Lib for all sorts of reasons, Hoover’s novels seem to have been a particular target—especially her new book It Starts With Us. TikTokers were openly posting about pirating the book from Z-Lib, and even sharing step-by-step guides on how to use the site.

This unspecified “Colleen Hoover fan” is an easy focal point for Z-Lib users’ ire, but like many viral controversies on TikTok, the source of the rumor isn’t wholly reliable. A lot of people are pointing the finger at a viral (but now-deleted) TikTok where someone downloads Hoover’s books from Z-Lib, posted shortly before Z-Lib’s takedown.

“I will happily blame BookTok for the removal of Z-Lib,” says one typical response to this Colleen Hoover/Z-Lib TikTok. “Because I’ve been using this site almost every single week since I was in 9th grade, with no problems. Yet as soon as it becomes popular on TikTok, because people can download their Colleen Hoover books for free, it gets taken down… You gotta gatekeep these things.”

But while the “Colleen Hoover fan” narrative is an easy way to interpret the situation, it’s not really accurate. This Hoover TikTok seems to have gone viral at the wrong time, coinciding with Z-Lib’s domains being seized last week. In reality, the Authors Guild had already submitted its complaint on October 8, following long-term concerns from authors. Plus, Z-Lib had also been banned in India and France earlier this year—both times due to legal challenges from publishers.

The Authors Guild complaint includes multiple references to TikTok, including a statement from a group of romance authors saying that in 2021, “TikTok behaved like jet fuel on the flames. Every month saw a new TikTok video along the lines of: “Never pay for another book! Find them here on Zlibrary.” And these videos saw hundreds of thousands of views.” Hoover isn’t mentioned by name, and she isn’t among the letter’s signatories.

So the problem is less to do with Colleen Hoover fans specifically, and more to do with TikTok culture at large, with BookTokers posting publicly about pirating free ebooks. If you advertise your crimes under easily-searchable hashtags on a public forum, then eventually you’re going to get caught. That’s why former Z-Lib users are asking TikTokers not to publicize Z-Lib alternatives… although a quick TikTok search will already bring up some people doing just that.
https://www.dailydot.com/unclick/z-l...olleen-hoover/





Apple Kills Long-Time Event Archive on YouTube
Amber Neely

An Apple archivist has had his YouTube account disabled after Apple filed multiple takedown requests against his account.

Brendan Shanks, owner of the Apple WWDC Videos channel on YouTube, tweeted that Apple had filed a series of copyright removal requests against his channel.

The videos in question were decades-old recordings of WWDC events.

Due to the multiple violations, not only were the videos removed, but Shanks' YouTube channel has been disabled.

In addition to losing the archive, Shanks also lost his personal YouTube account, as well as his YouTube TV, which he'd just paid for.
https://appleinsider.com/articles/22...ve-on-youtube/





Microsoft’s GitHub Copilot Sued Over “Software Piracy on an Unprecedented Scale”

The lawsuit stated that this is the first class-action case in the US challenging the training and output of AI systems
Zach Marzouk

Microsoft’s GitHub Copilot is being sued in a class action lawsuit that claims the artificial intelligence product is committing software piracy on an unprecedented scale.

The case was launched on 3 November by Matthew Butterick, a designer and programmer, along with the Joseph Saveri Law Firm to investigate GitHub Copilot. The team has filed a class action lawsuit in the San Francisco federal court on behalf of potentially millions of GitHub users.

The lawsuit seeks to challenge the legality of GitHub Copilot, as well as OpenAI Codex which powers the AI tool, and has been filed against GitHub, its owner Microsoft, and OpenAI.

GitHub and OpenAI launched Copilot in June 2021, an AI-based product that aims to help software coders by providing or filling in blocks of code using smart suggestions. It charges users $10 per month or $100 a year for its service.

“By training their AI systems on public GitHub repositories (though based on their public statements, possibly much more), we contend that the defendants have violated the legal rights of a vast number of creators who posted code or other work under certain open-source licences on GitHub,” said Butterick.

These licences include a set of 11 popular open source licences that all require attribution of the author’s name and copyright. This includes the MIT licence, the GNU General Public Licence, and the Apache licence.

The case claimed that Copilot violates and removes these licences offered by thousands, possibly millions, of software developers, and is therefore committing software piracy on an unprecedented scale.

Copilot, which is entirely run on Microsoft Azure, often simply reproduces code that can be traced back to open-source repositories or licensees, according to the lawsuit. The code never contains attributions to the underlying authors, which is in violation of the licences.

“It is not fair, permitted, or justified. On the contrary, Copilot’s goal is to replace a huge swath of open source by taking it and keeping it inside a GitHub-controlled paywall. It violates the licences that open-source programmers chose and monetises their code despite GitHub’s pledge never to do so,” detailed the class-action complaint.

Moreover, the case stated that the defendants have also violated GitHub’s own terms of service and privacy policies, the DMCA code 1202 which forbids the removal of copyright-management information, and the California Consumer Privacy Act.

“As far as we know, this is the first class-action case in the US challenging the training and output of AI systems,” said Butterick. “It will not be the last. AI systems are not exempt from the law. Those who create and operate these systems must remain accountable. If companies like Microsoft, GitHub, and OpenAI choose to disregard the law, they should not expect that we the public will sit still.

“AI needs to be fair and ethical for everyone. If it’s not, then it can never achieve its vaunted aims of elevating humanity. It will just become another way for the privileged few to profit from the work of the many,” he added.

When asked for comment, GitHub highlighted that it had announced on 1 November that it’s set to bring in new features to the Copilot platform in 2023.

Whenever the tool suggests a code fragment, it’s hoping to provide developers with an inventory of similar code found in GitHub public repositories as well as the ability to organise the inventory by filters like the commit date, repository licence, and more.

IT Pro has contacted Microsoft and OpenAI for further comment.

In October 2022, developer Tim Davis, professor of computer science at Texas A&M University, wrote on Twitter that GitHub Copilot had emitted large chunks of his copyrighted code, with no attribution to him.

@github copilot, with "public code" blocked, emits large chunks of my copyrighted code, with no attribution, no LGPL license. For example, the simple prompt "sparse matrix transpose, cs_" produces my cs_transpose in CSparse. My code on left, github on right. Not OK. pic.twitter.com/sqpOThi8nf
— Tim Davis (@DocSparse) October 16, 2022

Davis added that he could probably reproduce his entire sparse matrix libraries from simple prompts, aiming to underline the similarity between his work and what the AI tool produced.

“The code in question is different from the example given. Similar, but different. If you can find a way to automatically identify one as being derivative of the other, patent it,” responded Alex Graveley, creator of GitHub Copilot, on Twitter.

This comes at a time when Microsoft is looking at developing Copilot technology for use in similar programmes for other job categories, like office work, cyber security, or video game design, according to a Bloomberg report.

Microsoft's chief technology officer revealed that the tech giant will build some of the tools itself, while others will be provided by its customers, partners, and rivals.

Examples of what the technology could do include helping video game creators make dialogue for non-playable characters, while the tech giant’s cyber security teams are investigating how the tool can help combat hackers.

GitHub did admit that in some cases Copilot can produce copied code, with the current version of the tool aiming to prevent suggestions that match existing code in public repositories.
https://www.itpro.co.uk/software/369...endented-scale





Italian Police Break Up Biggest TV Piracy Network

Italy's police said on Friday they had dismantled the country's largest network for online TV piracy, one that accounted for 70% of illegal streaming across the nation.

The network, which advertised its services on Telegram and other social media, had more than 900,000 users, who would typically each pay 10 euros ($10.3) per month to access films, soccer games, and other content from various platforms.

The people behind the racket, which yielded monthly profits of around 10 million euros, were based in several Italian cities as well as in Britain, Germany and Tunisia, a police statement said.

Some 70 people were placed under investigation for various offences, including membership of an international criminal organisation, money laundering, fraudulent transfer of assets, ID forgery and impersonation.

The investigation was led by prosecutors in Catania, Sicily, who ordered inspections and seizures of assets in more than 20 cities, mostly in southern Italy but also Rome and other central and northern locations.

Luigi De Siervo, the head of Serie A, Italy's top soccer league, expressed in a statement his "most heartfelt thanks for the extraordinary job done in this unrelenting fight against illegal streaming."

Commenting on Friday's crackdown, DAZN, which last year spent some 2.5 billion euros on domestic broadcasting rights for Serie A, said such illegal players jeopardised the ability to continue to invest in the live streaming of sports events.

The CEO of Sky Italia, Andrea Duilio, also congratulated law enforcement authorities.

In another raid last year, Italian police said they had blocked 1.5 million users who were streaming illegally from providers including Netflix Inc (NFLX.O), Comcast's (CMCSA.O) Sky unit, DAZN and domestic broadcaster Mediaset.

Reporting by Alvise Armellini and Elvira Pollina; Editing by Bradley Perrett and Tomasz Janowski
https://www.reuters.com/business/med...ce-2022-11-11/





Amazon Just Added 98 Million Songs to Its Free Music Service and It's Making Everyone Angry

You'll only be able to play them on shuffle.
Jason Aten

There are, generally speaking, two types of streaming music services. The first kind--the type you pay for--usually allows you to do things like create playlists, select the songs you want to listen to, download tracks to listen to offline, and not be bothered by advertisements.

Apple Music and Spotify's paid tier fall into this category. Until recently, so did Amazon Music, which you did not have to pay extra for. It was a benefit of Amazon Prime.

The second type of streaming music service is usually free and has restrictions. You can't download anything, for example. Maybe you can create playlists, but when you listen to them, they play on shuffle. This type of music service is mostly for people who just want to have music they like playing in the background, but who don't care what music is playing.

Some free services don't even allow you to choose the song you want to listen to. You can tell it what song you want, and it will pick other songs that are like the one you want, and play those. At some point, the algorithm will probably surface the song you asked for, but the reason the service is free is that music contracts are weird and they make it so that it's expensive to let users pick the song they want to listen to.

Amazon Music used to be sort of the best of both. It was free, but gave you access to a modestly-sized catalog with all the benefits usually reserved for paid services. Now, that has all changed. It's still free, but now you can only play songs on shuffle.

"Hey Alexa, play Taylor Swift's Anti-Hero," used to be a simple thing you might say. When you did, your Echo would do exactly that. It would play Taylor Swift's newest song as long as it was in the catalog of songs available.

Now, however, that's not what happens at all. If you're lucky, Alexa will start playing songs from Midnights, Swift's latest album. That, however, is not a given. It might play some of her older songs. It might start playing songs from other artists instead. Why does Amazon think anyone wants this?

Here's why: It's cheaper for a streaming service to not let you choose the song you want, but to let you give it an input and start playing similar music. Also, because Amazon clearly sees Amazon Music as a thing you use in the background when you just want music playing as you do other things.

Look, Pandora and Spotify's free tier are fine if what you want is music playing in the background that generally fits your taste and style. That's what they've always been for. But, if what you want to do is listen to Taylor Swift's latest album, you're going to have to choose Apple Music or Spotify Premium, both of which charge more than $10 a month, or Amazon Music Unlimited, which is $8.99 per month.

According to Amazon, 80 percent of people will never do that. They will never pay $10 a month to stream music. They will, however, use a free streaming service even if it means giving up the ability to actually choose the song they want to listen to. Okay, fine, except that's not the thing Amazon had made before.

Amazon's argument is that this is better because it expanded the catalog to 100 million songs, instead of the 2 million users had access to previously. The trade-off is that they are only available in "shuffle mode." Or, you can pay for Unlimited, and you get all the songs and all the features.

Except, if you give someone a thing as a benefit because they gave you money for your $140 a year subscription membership, it's not great if you suddenly make that thing dramatically worse and expect them to pay you more to make it a better experience. People who are upset about the change feel like Amazon just made a thing they liked worse.

That seems to me to be completely obvious, and also an important lesson. Amazon wants to go after a different market than it did before, and that's fine. But don't do it with an existing product. If you want to attract a different type of customer, offer a new and different product. That's how it's supposed to work. Otherwise, you just make everyone angry.
https://www.inc.com/jason-aten/amazo...one-angry.html





A Wild Hearing: Chief Judge Connolly Flips Over Rock, Finds Mavexar LLC Crawling Around, Controlling Patent Litigation and Giving Hapless Patent Owners Just 5-10%
Andrew E. Russell

Wow.

I flagged on Wednesday that Chief Judge Connolly planned to hold an evidentiary hearing today regarding compliance with his litigation funding and entity ownership orders in three cases. Well, I went, and it was one of the most remarkable hearings I've seen in a patent case.

The purpose of the hearing was to dig into whether the parties complied with Chief Judge Connolly's standing orders regarding litigation funding and entity ownership.

But the Court's statements at the hearing offered some insight into what motivated those orders in the first place: Chief Judge Connolly believes (as he has said before) that the District Court is not a "star chamber," and that the public has a right to know who is litigating in the Court.

The three cases all involve patent assertion entities: Lamplight Licensing LLC, Nimitz Technologies LLC, and Mellaconic IP. In each case, the Court had ordered the owners of the entities and/or the attorneys involved to show up and attend the hearing in person.

So many interesting things happened at this hearing, it's hard to distill it down—but I'll sort them into three categories, one for each plaintiff.

Lamplight: With the Owner a No-Show, the Court Grills the Attorney Instead

As expected, two of the individuals did not show. One, out-of-town counsel for Mellaconic, had recently tested positive for COVID. The other, the sole member of Lamplight LLC, had mostly unspecified "medical issues," although counsel filed a letter the day before the hearing setting forth some more detail.

In the absence of Lamplight's sole member, the Court pressed the attorney for the story of how he got the case, how he knew the sole member of the LLC, and why she could not be here.

Smartly, the attorney had brought copies of medical records, which he passed up to the Court. Those seemed to more or less satisfy the Court and gave some more credibility to the claims of medical issues.

Chief Judge Connolly directed Lamplight to let the Court know when the sole member is able to travel, or to file a status report within 30 days to explain the situation.

MAVEXAR Enters

Based on the lawyer for Lamplight's answers to the Court's questions, it appears that he deals primarily with a company called MAVEXAR LLC, who is a "representative" of Lamplight and "advises" them on asserting patents. MAVEXAR signed the attorney's fee agreement, and the attorney had never met Lamplight or had discussions with them prior to that agreement.

Chief Judge Connolly came prepared with questions about Lamplight's business address. He pointed out that their various addresses, some of which were stated in filings to be their "principal place of business," were merely mail drops.

Judge Connolly made very clear that, in cases before him, it is not truthful to represent that a post office box is a "principal place of business" of an entity. He pointed out that he had prosecuted fraud cases against folks engaged in telemarketing schemes using suite numbers that were actually PO box addresses.

The Court also came prepared to point out that the same attorney had filed complaints on behalf of Lamplight both here and in Texas, just two months apart, and had provided different physical addresses for the principal place of business in each filing.

The Court also picked through the attorney's engagement letter with Lamplight in real time, pushing for the attorney to explain certain terms. He asked, for example, how he could have advised them of their right to be represented by separate counsel in agreeing to an arbitration provision, as the letter stated, if he had never talked to them directly (instead communicating through MAVEXAR).

The Court continued to question the attorney on how he could be sure of the litigation funding information and various other facts. The answers seemed to largely boil down to "because MAVEXAR told me."

Nimitz and Mellaconic: MAVEXAR Recruited Plaintiffs, Organized Suits, Selected Targets and Attorneys

Next up, the Court briefly questioned counsel for Nimitz, and then heard quite a bit of testimony from the principals of both Nimitz and Mellaconic.

Spoiler alert: MAVEXAR seems to be driving the litigation in all three sets of cases.

The principals both told similar stories. The gist of all of the testimony seemed to be that someone from MAVEXAR reached out to them about an "investment" opportunity or a chance to make "passive income."

All they had to do was become the owners of a patent assertion entity, and accept the "liabilities" that come along with that.

The sole member of Nimitz said he was a full-time sales person. After discussions with MAVEXAR, he set up his own LLC—one of several he owns—and they transferred somewhere between 50 and 100 patents to his LLC. He said that he gets 10% of the settlement values, and that so far his LLC has made around $4,000.

The sole member of Mellaconic said that he is a restaurateur who owns a food truck. He was approached with a "passive income" opportunity. It was unclear who set up the Mellaconic IP entity; the restaurateur did not know what the name meant. He said that he gets 5% of the settlement values, and that so far his LLC has made around $11,000.

The Court pressed both owners regarding what they had paid for the patents; both eventually conveyed that their LLCs paid nothing, and only accepted the "liabilities" from suit.

Both seemed to indicate that they were not represented by lawyers for these transactions.

Neither sole member was an attorney. The Nimitz sole member said he had at least read the patent, although he didn't know its name; it was less clear that the Mellaconic IP sole member had gone that far.

The Nimitz sole member hedged about whether his LLC had any real estate, but eventually seemed to recognize that its address was just a postal address, not office space.

The restaurateur who owned Mellaconic truly seemed to be a fish out of water on the stand, but he had a couple of points he wanted to make. He emphasized that he could "deny" a litigation decision by Mavexar (although he never had) and that the funding was "recourse" (although he seemed unsure of the difference between "recourse" and "non-recourse").

In short, it looks like both of these witnesses signed up to be the fall guys for the assertion of these patents, in exchange for either 5% or 10% of the profits. (Perhaps the restaurateur will renegotiate his deal now that he knows what the other guy gets!)

These facts are from memory and from my notes; it's possible that the transcript may read differently when it comes out. There was also a lot more that was said. This will definitely be a transcript worth reading if you're defending these cases.

So, MAVEXAR Is Pulling the Strings?

We'll have to see what the Court determines. But watching these witnesses testify, it seems clear that it is MAVEXAR who is driving these actions. MAVEXAR controlled the retention of the attorneys, the selection of targets, the pleadings, the litigation strategy, and the settlements. The "owners" of the patents just sign off, and collect their 5 or 10%.

Incredibly, MAVEXAR's role was described as "advisory," but not in the capacity of attorneys representing the clients. The Court raised numerous concerns about this, although those will have to be the subject of another post.

None of the Court's questions drew direct privilege assertions. In fact, privilege hardly came up at all; the attorneys seemed content to let this all out.

MAVEXAR Has an IP Edge Connection

Chief Judge Connolly asked some specific questions about IP Edge (a well-known patent assertion entity). The witnesses did not seem overly familiar with IP Edge, but one of them recognized the name because their contact at MAVEXAR used an IP Edge e-mail address.

Last month, attorneys from Fish and Richardson pointed out in a blog post that public records indicate that IP Edge’s three principals are behind MAVEXAR.

Only the Court Could Do This

The Court truly flipped over a rock here and revealed the inner workings of these four NPE plaintiffs in a way that the parties themselves probably never could.

If the defendants had tried to dig into these machinations, they likely would have been stymied at every step by privilege assertions, instructions not to answer, and "I don't know" or "I'm not sure" responses.

And even if a defendant had been able to somehow dig this information out of these entities, it would all have been locked behind a confidentiality wall (either via a protective order or Local Rule 26.2), and it would have gone nowhere. No one beyond the immediate parties and perhaps a JDG would know. Now it's all public record.

More to Come

We'll likely have additional posts on this in the coming week—particularly if we are able to get the transcript and confirm a few things. There were plenty of other interesting points in the hearing, including an in-person pro hac motion after an out-of-town attorney who wasn't admitted in the case tried to ask questions of the witness (!!). Chief Judge Connolly also raised the possibility of amici briefing. Stay tuned.
https://ipde.com/blog/2022/11/04/a-w...ers-just-5-10/





Starlink is Getting Daytime Data Caps

Starlink is going to start throttling your home internet if you exceed more than 1TB of monthly ‘Priority Access’ data usage. The change will go into effect in December.
Jay Peters

Starlink is about to feel a little more like other ISPs, with a new data policy that mimics Anytime Minutes from the bad old days of highly restricted cellphone service. The satellite internet division of SpaceX will start throttling home internet for customers who use more than 1TB of Priority Access data per month during peak hours beginning in December. The change is being rolled out as part of a new “Fair Use policy” in the US and Canada.

Residential customers will now start each monthly billing cycle with an allocation of “Priority Access” data that tracks what you’re using from 7AM in the morning until 11PM at night. If you surpass that 1TB cap, which Starlink says less than 10 percent of users currently do, you’ll be moved to “Basic Access” data, or deprioritized data during heavy network congestion, for the rest of your billing cycle.

If you want to buy more Priority Access data, you can, at the cost of 25 cents per GB, and any data used between 11PM and 7AM doesn’t count towards your Priority Access tally. (You may want to download new Call of Duty updates or schedule device backups to run while everyone’s asleep, for example). RV and Portability satellite internet customers can’t get Priority Access at all, while there are different brackets for anyone with a Business account or who’s using Starlink at sea.

You’ll be able to track your data usage and opt-in to buying Priority Access data from the Starlink app or your Starlink account webpage. As part of the new Fair Use policy, Starlink has also detailed data caps and Priority Access pricing for its business and mobility plans.

Starlink claims that its internet is a “finite resource” (just ask the Ukrainian government) that will grow as it launches more satellites and says that it has to “manage the network to balance Starlink supply with user demand.” But the new data caps bring Starlink down to earth with other ISPs like Comcast, which currently has 1.2TB data caps for many customers (and has repeatedly delayed introducing them in Northeast states).
https://www.theverge.com/2022/11/4/2...y-basic-access





Mysterious Company with Government Ties Plays Key Internet Role

TrustCor Systems vouches for the legitimacy of websites. But its physical address is a UPS Store in Toronto.
Joseph Menn

An offshore company that is trusted by the major web browsers and other tech companies to vouch for the legitimacy of websites has connections to contractors for U.S. intelligence agencies and law enforcement, according to security researchers, documents and interviews.

Google’s Chrome, Apple’s Safari, nonprofit Firefox and others allow the company, TrustCor Systems, to act as what’s known as a root certificate authority, a powerful spot in the internet’s infrastructure that guarantees websites are not fake, guiding users to them seamlessly.

The company’s Panamanian registration records show that it has the identical slate of officers, agents and partners as a spyware maker identified this year as an affiliate of Arizona-based Packet Forensics, which public contracting records and company documents show has sold communication interception services to U.S. government agencies for more than a decade.

One of those TrustCor partners has the same name as a holding company managed by Raymond Saulino, who was quoted in a 2010 Wired article as a spokesman for Packet Forensics.

Saulino also surfaced in 2021 as a contact for another company, Global Resource Systems, that caused speculation in the tech world when it briefly activated and ran more than 100 million previously dormant IP addresses assigned decades earlier to the Pentagon. The Pentagon reclaimed the digital territory months later, and it remains unclear what the brief transfer was about, but researchers said the activation of those IP addresses could have given the military access to a huge amount of internet traffic without revealing that the government was receiving it.

The Pentagon did not respond to a request for comment on TrustCor. After this story’s publication, a TrustCor executive said the company had not cooperated with any government information requests or assisted with a third party’s monitoring of its customers on behalf of others. Mozilla demanded more detailed answers and said it might remove TrustCor’s authority.

TrustCor’s products include an email service that claims to be end-to-end encrypted, though experts consulted by The Washington Post said they found evidence to undermine that claim. A test version of the email service also included spyware developed by a Panamanian company related to Packet Forensics, researchers said. Google later banned all software containing that spyware code from its app store.

A person familiar with Packet Forensics’ work confirmed that it had used TrustCor’s certificate process and its email service, MsgSafe, to intercept communications and help the U.S. government catch suspected terrorists.

“Yes, Packet Forensics does that,” the person said, speaking on the condition of anonymity to discuss confidential practices.

Packet Forensics counsel Kathryn Tremel said the company has no business relationship with TrustCor. She declined to say whether it had had one previously.

The latest discovery shows how the technological and business complexities of the internet’s inner workings can be leveraged to an extent that is rarely revealed.

Concerns about root certificate authorities, though, have come up before.

In 2019, a security company controlled by the government of the United Arab Emirates that had been known as DarkMatter applied to be upgraded to top-level root authority from intermediate authority with less independence. That followed revelations about DarkMatter hacking dissidents and even some Americans; Mozilla denied it root power.

In 2015, Google withdrew the root authority of the China Internet Network Information Center (CNNIC) after it allowed an intermediate authority to issue fake certificates for Google sites.

With Packet Forensics, a paper trail led to it being identified by researchers twice this year. Mostly known for selling interception devices and tracking services to authorities, the company is four months into a $4.6 million Pentagon contract for “data processing, hosting and related services.”

In the earlier spyware matter, researchers Joel Reardon of the University of Calgary and Serge Egelman of the University of California at Berkeley found that a Panamanian company, Measurement Systems, had been paying developers to include code in a variety of innocuous apps to record and transmit users’ phone numbers, email addresses and exact locations. They estimated that those apps were downloaded more than 60 million times, including 10 million downloads of Muslim prayer apps.

Measurement Systems’ website was registered by Vostrom Holdings, according to historic domain name records. Vostrom filed papers in 2007 to do business as Packet Forensics, according to Virginia state records. Measurement Systems was registered in Virginia by Saulino, according to another state filing.

After the researchers shared their findings, Google booted all apps with the spy code out of its Play app store.

Tremel said that “a company previously associated with Packet Forensics was a customer of Measurement Systems at one time” but that there was no ownership stake.

When Reardon and Egelman looked deeper at Vostrom, they found it had registered the domain name TrustCor.co, which directed visitors to the main TrustCor site. TrustCor has the same president, agents and holding-company partners listed in Panamanian records as Measurement Systems.

A firm with the same name as one of the holding companies behind both TrustCor and Measurement Systems, Frigate Bay Holdings, filed papers to dissolve this March with the secretary of state in Wyoming, where it was formed. The papers were signed by Saulino, who listed his title as manager. He could not be reached for comment.

TrustCor has issued more than 10,000 certificates, many of them for sites hosted with a dynamic domain name service provider called No-IP, the researchers said. That service allows websites to be hosted with constantly changing Internet Protocol addresses.

Because root authority is so powerful, TrustCor can also give others the right to issue certificates.

Certificates for websites are publicly viewable so that bad ones should be exposed sooner or later. There have been no reports so far that the TrustCor certificates have been used inappropriately, for example by vouching for impostor websites. The researchers speculated that the system is only used against high-value targets within short windows of time. The person familiar with Packet Forensics’ operations agreed and said that was in fact how it has been used.

“They have this position of ultimate trust, where they can issue encryption keys for any arbitrary website and any email address,” Egelman said. “It’s scary this is being done by some shady private company.”

The leadership page of TrustCor’s website lists just two men, identified as co-founders. Though that page does not say so, one of them died months ago, and the other’s LinkedIn profile says he left as chief technology officer in 2019. That man declined to comment.

The website lists a contact phone number in Panama, which has been disconnected, and one in Toronto, where a message had not been returned after more than a week. The email contact form on the site doesn’t work. The physical address in Toronto given in its auditor’s report, 371 Front St. West, houses a UPS Store mail drop.

TrustCor adds another layer of mystery with its outside auditing firm. Instead of using a major accounting firm that rates the safety of internet infrastructure companies, TrustCor selected one called Princeton Audit Group, which gives its address as a residential townhouse in Princeton, N.J.

In its comments Tuesday to an email list for Mozilla developers, TrustCor executive Rachel McPherson said that her company had been the victim of complex attacks that involved the registration of companies with names similar to those of its shareholders, perhaps to help set up some sort of phishing attack. She said she would research why some of the people were listed as officers.

In addition to TrustCor’s certificate power, the firm offers what purports to be end-to-end encrypted email, MsgSafe.io. But researchers said the email is not encrypted and can be read by the company, which has pitched it to a variety of groups worried about surveillance.

MsgSafe has touted its security to a variety of potential customers, including Trump supporters upset that Parler had been dropped by app stores in January 2021, and to users of encrypted mail service Tutanota who were blocked from signing on to Microsoft services.

“Create your free end-to-end encrypted email today with over 40 domains to choose from and are guaranteed to work with Microsoft Teams,” the company tweeted in August.

Reardon sent test messages over MsgSafe that appeared unencrypted in transmission, meaning MsgSafe could read them at will. Egelman ran the same test with the same result.

Jon Callas, a cryptography expert at the Electronic Frontier Foundation, also tested the system at The Post’s request and said that MsgSafe generated and kept the private key for his account, so that it could decrypt anything he sent.

“The private key has to be under the person’s control to be end-to-end,” Callas explained.

Packet Forensics first drew attention from privacy advocates a dozen years ago.

In 2010, researcher Chris Soghoian attended an invite-only industry conference nicknamed the Wiretapper’s Ball and obtained a Packet Forensics brochure aimed at law enforcement and intelligence agency customers.

The brochure was for a piece of hardware to help buyers read web traffic that parties thought was secure. But it wasn’t.

“IP communication dictates the need to examine encrypted traffic at will,” the brochure read, according to a report in Wired that quoted Saulino as a Packet Forensics spokesman. “Your investigative staff will collect its best evidence while users are lulled into a false sense of security afforded by web, e-mail or VOIP encryption,” the brochure added.

The brochure told customers they could use a decryption key provided by a court order or a “look-alike key.”

Researchers thought at the time that the most likely way the box was being used was with a certificate issued by an authority for money or under a court order that would guarantee the authenticity of an impostor communications site.

They did not conclude that an entire certificate authority itself might be compromised.

Obtaining trusted root certificate authority takes time and money for the infrastructure and for the audit that browsers require, experts say.

Each browser has slightly different requirements. At Mozilla’s Firefox, the process takes two years and includes crowdsourced and direct vetting as well as an audit.

But all of that typically focuses on formal statements of technological steps, rather than mysteries of ownership and intent. The person familiar with Packet Forensics said the big tech companies probably were unwitting participants in the TrustCor play: “Most people aren’t paying attention.”

“With enough money, you or I could become a trusted root certificate authority,” said Daniel Schwalbe, vice president of technology at web data tracker DomainTools.

Mozilla currently recognizes 169 root certificate authorities, including three from TrustCor.

The case gives new focus to problems with that system, in which critical tech companies outsource their trust to third parties with their own agendas.

“You can’t bootstrap trust, it has to come from somewhere,” Reardon said. “Root certificate authorities are the kernel of trust from which it is all built on. And it will always be shaky, because it will always involve humans, committees and decision-making.”

Reardon and Egelman alerted Google, Mozilla and Apple to their research on TrustCor in April. They said they had heard little back until Tuesday.

After publication of this story, Mozilla gave TrustCor two weeks to respond to a series of questions, including about its relationships with Measurement Systems and Packet Forensics, the shared officers, and how the banned spyware code from Measurement Systems got into an early MsgSafe app.
https://www.washingtonpost.com/techn...t-connections/

















Until next week,

- js.



















Current Week In Review





Recent WiRs -

November 5th, October 29th, October 22nd, October 15th

Jack Spratts' Week In Review is published every Friday. Submit letters, articles, press releases, comments, questions etc. in plain text English to jackspratts (at) lycos (dot) com. Submission deadlines are Thursdays @ 1400 UTC. Please include contact info. The right to publish all remarks is reserved.


"The First Amendment rests on the assumption that the widest possible dissemination of information from diverse and antagonistic sources is essential to the welfare of the public."
- Hugo Black
__________________
Thanks For Sharing