P2P-Zone > Peer to Peer

30-06-21, 06:31 AM   #1
JackSpratts
Join Date: May 2001
Location: New England
Posts: 10,013

Peer-To-Peer News - The Week In Review - July 3rd, ’21

Since 2002

July 3rd, 2021

3 People Become First Arrested in Japan for Posting 10-Minute Movie Recap on YouTube
Sora

On June 23, Miyagi Prefectural Police announced the arrest of two men and one woman for uploading a fast movie to YouTube in July of last year. “Fast movie” is the Japanese term for those movie summary videos with titles like “Such-and-such In 5 Minutes”, where heavily edited clips or still images of an entire film are put together and narrated with a voice-over or subtitles.

This is the latest incident that demonstrates how copyright infringement in Japan is a criminal offense that could result in prison time. Back in the days of widespread P2P file sharing, scores of people were arrested for uploading and sharing copyrighted material as was the creator of Japan’s largest P2P software Winny.

The advent of YouTube made tracking down uploaders a little more straightforward. In this case, the Japanese trade group Content Overseas Distribution Association (CODA) sought a court order in the United States to get the identities of the fast movie uploaders from YouTube. CODA then handed over the information to the Miyagi Prefectural Police, who oversaw the arrests.

Most comments online seemed to feel that those who infringe on copyrights need to be taken to task, but some raised the question of whether a fast movie was a serious enough case of infringement.

“That was a fast arrest.”

“YouTube is full of these things.”

“If they are using the movies to get ad revenue then it’s wrong.”

“I’ve seen some of these videos and get why the movie companies are upset. After watching them I don’t really see a need to watch the actual full movie.”

“There is a case that it damages the movies, but in another way it promotes them too. It’s not so clear-cut.”

“I watched a fast movie yesterday. I’m ashamed to say that I’m not going to bother watching the movie now.”

“After watching fast movies, don’t people feel like they want to see the whole thing?”

“Wow, did those people even get a warning first?”

Like in other countries, Japan has “fair use” laws that – while somewhat vague – try to balance the protection of intellectual property with the importance of creative expression and cultural growth.

For example, using copyrighted material for non-profit educational purposes would most likely be fair use but posting a full copyrighted movie on YouTube while collecting ad revenue for it will almost certainly lead to handcuffs if caught.

Most cases tend to fall somewhere in between those two extreme examples though, such as fast movies. The criteria for fair use are usually: size, purpose, creativity, and harm.

According to NHK, the video in question was 10 minutes in length, which is a little longer than a lot of video movie recaps and roughly 10 percent of a feature film’s length. And considering the purpose of the fast movie is to explain the entire plot from beginning to end, CODA could make a strong case that it causes significant harm to filmmakers’ profits.

According to one film and anime trade group survey, there were 2,100 fast movies posted by 55 accounts in the past year. They estimate that this resulted in damages of 95.6 billion yen at a time when the film industry was struggling with the pandemic.

Without seeing the actual video, it’s impossible to judge if it demonstrates enough unique creativity to be considered fair use, but considering it appears to fall short on the other three factors, it would be an awfully high bar to clear.

In the end, it all boils down to the opinion of the copyright holder and whether they feel use of their property crosses a line. So when in doubt, do what top cosplayer Enako does and ask them, otherwise use it at your own risk, especially in Japan where penalties can go as high as 10 years in prison.
https://japantoday.com/category/crim...cap-on-youtube

Stars Call for 'Gadget Levy' to Fund UK Creatives
Rory Cellan-Jones

Olivia Colman, John Nettles and Joanne Harris are among dozens of high-profile artists calling for a portion of gadget sales revenue in the UK to go into a fund for performers and creators.

In a letter in Tuesday's Times newspaper, they claim a centralised "Smart Fund" could generate up to £300m per year for the UK's creative sector.

The levy would be between 1% and 3% of the overall price of a device.

However, critics say it would amount to "a new tax" on consumers.

It would apply to everything that can "store and download creative content".

This includes laptops, PCs and smartphones, said a group of artist industry organisations behind the idea.

There are no official proposals for such a scheme, but the artist Yinka Shonibare described it as "a no-brainer".

"Currently there isn't any effective way for creators to be recompensed when their work is downloaded and stored by audiences," he said.

However, Tech UK, a network for the country's tech sector, said it sounded like a "new tax" on consumers.

"It is an arbitrary tax on consumers that is hugely bureaucratic to manage, and with no transparency on how funds are disbursed and spent," said a spokeswoman.

"Shoppers buying a new phone or laptop might have a lot of questions about why they should have to pay such additional charges, when they already pay a significant amount of VAT."

Those of us who were around in the 1980s will remember the slogan "Home Taping Is Killing Music", used by the British record industry in a long-running campaign against what it regarded as piracy, and in favour of a levy on cassette tapes.

This latest campaign for a Smart Fund is more subtle, making no mention of piracy, and suggesting that artists, tech companies and government can unite around the idea of a simple one-off levy on gadgets to support the creative industries.

"We're just about the only country in the world that doesn't have some kind of private copying remuneration scheme," said one proponent of the idea.

With the tech companies not exactly popular and the government keen to find some easy way of helping the arts, the idea may find more political weight behind it this time.

But the tech industry will lobby hard to convince ministers that this is just the kind of bureaucratic European scheme that the UK is now free to ignore.
https://www.bbc.com/news/technology-57642147

World’s Smallest, Best Acoustic Amplifier Emerges from 50-Year-Old Hypothesis

Acousto-electric devices reveal new road to miniaturizing wireless tech
Troy Rummler

Sandia scientists have built the world’s smallest and best acoustic amplifier. And they did it using a concept that was all but abandoned for almost 50 years.

According to a paper published last month in Nature Communications, the device is more than 10 times more effective than the earlier versions. The design and future research directions hold promise for smaller wireless technology.

Modern cellphones are packed with radios to send and receive phone calls, text messages and high-speed data. The more radios in a device, the more it can do. While most radio components, including amplifiers, are electronic, they can potentially be made smaller and better as acoustic devices. This means they would use sound waves instead of electrons to process radio signals.

“Acoustic wave devices are inherently compact because the wavelengths of sound at these frequencies are so small — smaller than the diameter of human hair,” Sandia scientist Lisa Hackett said. But until now, using sound waves has been impossible for many of these components.

Sandia’s acoustic, 276-megahertz amplifier, measuring a mere 0.0008 square inch (0.5 square millimeter), demonstrates the vast, largely untapped potential for making radios smaller through acoustics. To amplify 2 gigahertz frequencies, which carry much of modern cellphone traffic, the device would be even smaller, 0.00003 square inch (0.02 square millimeter), a footprint that would comfortably fit inside a grain of table salt and is more than 10 times smaller than current state-of-the-art technologies.

The team also created the first acoustic circulator, another crucial radio component that separates transmitted and received signals. Together, the petite parts represent an essentially uncharted path toward making all technologies that send and receive information with radio waves smaller and more sophisticated, said Sandia scientist Matt Eichenfield.

“We are the first to show that it’s practical to make the functions that are normally being done in the electronic domain in the acoustic domain,” Matt said.

Resurrecting a decades-old design

Scientists tried making acoustic radio-frequency amplifiers decades ago, but the last major academic papers from these efforts were published in the 1970s.

Without modern nanofabrication technologies, their devices performed too poorly to be useful. Boosting a signal by a factor of 100 with the old devices required 0.4 inch (1 centimeter) of space and 2,000 volts of electricity. They also generated lots of heat, requiring more than 500 milliwatts of power.

The new and improved amplifier is more than 10 times as effective as the versions built in the ’70s in a few ways. It can boost signal strength by a factor of 100 in 0.008 inch (0.2 millimeter) with only 36 volts of electricity and 20 milliwatts of power.

Previous researchers hit a dead end trying to enhance acoustic devices, which are not capable of amplification or circulation on their own, by using layers of semiconductor materials. For their concept to work well, the added material must be very thin and very high quality, but scientists only had techniques to make one or the other.

Decades later, Sandia developed techniques to do both in order to improve photovoltaic cells by adding a series of thin layers of semiconducting materials. The Sandia scientist leading that effort happened to share an office with Matt.

“I had some pretty heavy peripheral exposure. I heard about it all the time in my office,” Matt said. “So fast forward probably three years later, I was reading these papers out of curiosity about this acousto-electric amplifier work and reading about what they tried to do, and I realized that this work that Sandia had done to develop these techniques for essentially taking very, very thin semiconductors and transferring them onto other materials was exactly what we would need to make these devices realize all their promise.”

Sandia made its amplifier with semiconductor materials that are 83 layers of atoms thick — 1,000 times thinner than a human hair.

Fusing an ultrathin semiconducting layer onto a dissimilar acoustic device took an intricate process of growing crystals on top of other crystals, bonding them to yet other crystals and then chemically removing 99.99% of the materials to produce a perfectly smooth contact surface. Nanofabrication methods like this are collectively called heterogeneous integration and are a research area of growing interest at Sandia’s Microsystems Engineering, Science and Applications complex and throughout the semiconductor industry.

Amplifiers, circulators and filters are normally produced separately because they are dissimilar technologies, but Sandia produced them all on the same acousto-electric chip. The more technologies that can be made on the same chip, the simpler and more efficient manufacturing becomes. The team’s research shows that the remaining radio signal processing components could conceivably be made as extensions of the devices already demonstrated.

Work was funded by Sandia’s Laboratory Directed Research & Development program and the Center for Integrated Nanotechnologies, a user facility jointly operated by Sandia and Los Alamos national laboratories.

So how long until these petite radio parts are inside your phone? Probably not for a while, Matt said. Converting mass-produced, commercial products like cellphones to all acousto-electric technology would require a massive overhaul of the manufacturing infrastructure, he said. But for small productions of specialized devices, the technology holds more immediate promise.

The Sandia team is now exploring whether they can adapt their technology to improve all-optical signal processing, too. They are also interested in finding out if the technology can help isolate and manipulate single quanta of sound, called phonons, which would potentially make it useful for controlling and making measurements in some quantum computers.
https://www.sandia.gov/news/publicat.../acoustic.html

DoubleVPN Servers, Logs, and Account Info Seized by Law Enforcement
Lawrence Abrams

Law enforcement has seized the servers and customer logs for DoubleVPN, a double-encryption service commonly used by threat actors to evade detection while performing malicious activities.

DoubleVPN is a Russian-based VPN service that double-encrypts data sent through their service.

When using the service, requests are encrypted and transmitted to one VPN server, which sends it to another VPN server, which finally connects to the final destination, as shown below.

Threat actors commonly use this service to obfuscate their locations and originating IP addresses when performing cyberattacks.

The doublevpn.com [archive.org] website was seized today by law enforcement, who stated that they gained access to the servers for DoubleVPN and took personal information, logs, and statistics for the service's customers.

"On 29th of June 2021, law enforcement took down DoubleVPN. Law enforcement gained access to the servers of DoubleVPN and seized personal information, logs and statistics kept by DoubleVPN about all of its customers. DoubleVPN’s owners failed to provide the services they promised," says the now-seized doublevpn.com website.

"International law enforcement continues to work collectively against facilitators of cybercrime, wherever and however it is committed. The investigation regarding customer data of this network will continue."

Europol has confirmed to BleepingComputer that the seizure message is legitimate and that they will be providing more information about the operation tomorrow.

While no further information is available at this time, the splash screen states that the operation was conducted by Germany's BKA, the Netherlands' Politie, the FBI, the UK National Crime Agency, the United States Secret Service, the Royal Canadian Mounted Police, Eurojust, Switzerland's Polizia Cantonale, Europol, Bulgaria's GDBOP, and the Swedish National Police.

We will update this story as more information becomes available.
https://www.bleepingcomputer.com/new...w-enforcement/

New UK Internet Law Raises Free Speech Concerns, Say Civil Liberties Campaigners

The Online Safety Bill blurs the line between ministers and the independent regulator, say critics.
Annabelle Dickson

Britain's proposed new internet law entails a government power grab with worrying implications for freedom of speech, according to civil liberties groups, academics and the tech industry.

The groups are concerned the proposed Online Safety Bill would hand to Culture Secretary Oliver Dowden disproportionate powers in the name of protecting users from "harmful" content.

The Bill allows him to "modify" a code of practice — the blueprint created by the regulator Ofcom for how tech companies should protect users — to ensure it "reflects government policy."

Critics say such powers, which were set out in a draft of the proposed law published in May and due for imminent scrutiny by MPs and peers, could undermine the regulator's independence and potentially politicize the regulation of the internet.

"The notion that a political appointee will have the unilateral power to alter the legal boundaries of free speech based on the political whims of the moment frankly makes the blood run cold," said Heather Burns, policy manager at the Open Rights Group.

The draft bill — which hasn't yet begun its formal passage through parliament — is due to be checked line-by-line by legislators before being brought back to parliament later this year, where it will then pass through the stages it needs to end up on the statute books. The U.K. government and opposition parties are currently finalizing which lawmakers will sit on the pre-legislative committee.

Even the Carnegie Trust — a public policy think tank whose research on a "duty of care" model to regulate the internet influenced early iterations of the government's proposed legislation — has raised concerns.

"To meet the U.K.’s international commitments on free speech," it said in a response to the bill, "there should be a separation of powers between the executive and a communications regulator."

The power to modify a code of practice to “reflect government policy" might undermine OFCOM’s independence, it added. "Removal of this provision is, in our view, desirable and would reaffirm regulatory independence."

Industry fears

Lorna Woods, a professor of internet law at the University of Essex involved with Carnegie Trust's research and response, said, “The ability of the secretary of state to give Ofcom directions to bring Ofcom into line with government policy makes me a little uneasy as to in what circumstances the secretary of state can do that, and what level of specificity is envisaged. That's slightly worrying.”

“How that operates is potentially worrying because you could be seeing a government directing Ofcom to emphasize certain things that aren’t perhaps politically neutral,” she added.

Antony Walker, Deputy Chief Executive of Tech UK, a trade body with about 800 tech industry members, agreed some of the powers in the bill appeared to go beyond "what would be normal."

"In a well-regulated sector in a democratic society, an independent regulator is seen as a really good thing," he said.

Commercial companies want to know what is required for them to be compliant, he added. "If they're always looking over their shoulder I think that has significant commercial impacts and also undermines confidence in the legislation."

Ben Greenstone, a former principal advisor to the minister with responsibility for online harms — now managing director of Taso Advisory, a tech lobbying firm — said: “The draft Online Safety Bill gives the secretary of state for digital a remarkable, and I think unprecedented, power to direct an independent regulator. This leaves business with serious uncertainty: the rules can change based on the whims of one politician.”

Opponents of the clause also raise concerns that the regulator will already be politicized.

"It’s clear that Ofcom, whose leadership will also be a political appointment, will be an independent regulator in name only. Their role will be to carry out the political bidding of Secretary of State for DCMS [the Department for Culture Media and Sport], as well as the Home Secretary, and they will do what they are told. These moves, of course, will be depicted as being in the national interest or as matters of national security," added Burns of the Open Rights Group.

Mark Johnson, a legal and policy officer at Big Brother Watch, argued that any restrictions on our right to free speech must be in line with U.K. law — decided on through a full legislative process, "not on ministerial fancy."

"Giving such discretion to government ministers means this legislation will hand over huge amounts of power to the state," he added, "and opens up this flawed system of regulation to politicization."

Responding to a request for comment from POLITICO, a DCMS spokesperson said: "Our world-leading laws will place clear and robust duties on in-scope companies and Ofcom to uphold and protect people’s free speech while making sure they do not over-remove content.

"The bill has been designed with suitable and transparent checks and balances so that Ofcom's implementation of the laws delivers on the policy objectives decided and scrutinised by a democratically elected parliament."
https://www.politico.eu/article/uk-c...on-power-grab/

Ohio GOP Ends Attempt to Ban Municipal Broadband after Protest from Residents

Axed plan's 10Mbps standard could have banned public networks in 98% of Ohio.
Jon Brodkin

After coming close to imposing a near-total ban on municipal broadband networks, Ohio's Republican-controlled legislature has reportedly dropped the proposed law in final negotiations over the state budget.

The final budget agreement "axed a proposal to limit local governments from offering broadband services," The Columbus Dispatch wrote. With a June 30 deadline looming, Ohio's House and Senate approved the budget and sent it to Gov. Mike DeWine for final approval on Monday night, the Dispatch wrote.

As we wrote earlier this month, the Ohio Senate approved a version of the budget containing an amendment that would have forced existing municipal broadband services to shut down and prevented the formation of new public networks. The proposed law was reportedly "inserted without prior public discussion," and no state senator publicly sponsored the amendment. It was approved in a party-line vote as Democrats opposed the restrictions on municipal broadband.

The House version did not contain the amendment, and it was dropped during negotiations between the House and Senate.

“Real grassroots movement”

Lawmakers apparently relented to public pressure from supporters of municipal broadband and cities and towns that operate the networks. People and businesses from Fairlawn, where the city-run FairlawnGig network offers fiber Internet, played a significant role in the protests. FairlawnGig itself asked users to put pressure on lawmakers, and the subscribers did so in great numbers.

"We had a real grassroots movement here in Fairlawn. We are thrilled our residents, subscribers, and businesses came together and helped us defeat this amendment," Fairlawn Service Director Ernie Staten said yesterday, according to an article by the Community Networks team at the Institute for Local Self-Reliance (ILSR). "We appreciate that the State of Ohio recognizes that municipal broadband has a place in this state and we hope to continue this great endeavor."

Fairlawn subscribers sent more than 700 emails telling lawmakers, "Don't take this (municipal broadband) away!" Staten said.

The proposed law would have let cities and towns provide broadband service only to unserved areas and used a definition of "unserved" that would reportedly have made over 98 percent of the state ineligible for municipal broadband. The proposed law defined "unserved areas" as those without access to service with download speeds of at least 10Mbps and upload speeds of at least 1Mbps, which isn't even half as fast as the 25Mbps/3Mbps broadband threshold the Federal Communications Commission adopted over six years ago.

Cities build networks when private ISPs don’t bother

Staten also pointed out that "municipalities only enter the broadband space when forced to by the inaction of the private sector," according to the Akron Beacon Journal.

There are about 30 public broadband providers in Ohio. Besides Fairlawn, examples of local governments running broadband networks include Hudson, Medina County, and Wadsworth. "We're thrilled that communities like Fairlawn and Hudson can keep serving their communities," Summit County Executive Ilene Shapiro said after learning that the budget amendment was dropped, according to the Akron Beacon Journal.

Cleveland City Council President Kevin Kelley previously said the city would sue the state if it restricted municipal broadband.

Until a few months ago, 19 US states had laws restricting municipal broadband, passed for the benefit of private Internet providers that don't want to face competition from public networks. Washington state lawmakers have since killed their anti-municipal broadband law, and Arkansas ended many of its restrictions on municipal broadband as well.

Public networks may be ineligible for new funding

Though it isn't banning public networks, at least for now, Ohio's legislature is apparently not letting municipal networks apply for a new round of funding.

"While Staten celebrated the removal of the budget amendment, he called the victory 'bittersweet,' as municipalities and electric cooperatives in the state do not have access to the proposed $250 million broadband expansion grant program that will be established when, and if, Gov. DeWine signs the budget into law," the ILSR wrote.

The outcome of that isn't certain yet. "We have been asking for a small definition change to add municipalities and electric coops, but unless they changed the language, I believe the House version stands," Staten told the ILSR. But the biggest news is the legislature dropping the plan that would have forced networks to shut down. "Being able to continue [providing service] is much more important," Staten said.
https://arstechnica.com/tech-policy/...rom-residents/

The Broadband Gap's Dirty Secret: Redlining Still Exists in Digital Form

Communities that couldn't get mortgage loans in the 1940s are the same areas without fast home internet service today. There's no easy fix.
Shara Tibken

When Christina Wilson moved into Los Angeles public housing with her husband and teenage daughter four years ago, she tried to transfer her internet service plan to her new home. But, as is the case with many low-income communities in the US, the ISP didn't serve the Housing Authority of Los Angeles' Imperial Courts. In fact, no internet service providers offered speedy plans for any of LA's public housing facilities. Instead, they only offered pricey, slow plans insufficient for today's needs.

So the 45-year-old relied on her smartphone's T-Mobile connection for anything she wanted to do online, while her daughter used her phone as a hotspot to attend her virtual film school classes. The mobile devices had unlimited data but came with caveats.

"What we found out with unlimited data is it's still limited because they slow your internet down," Wilson said. "If my daughter's online, doing school, it's terrible waiting all that time."

The gap in broadband coverage in a poorer neighborhood is effectively a digital form of redlining, a now-banned practice that denied service based on race. In the 1930s, banks started developing maps to withhold loans for high-risk, "undesirable inhabitant types," who were almost always poor people of color. The redlining extended to a refusal to insure residents in low-income neighborhoods, denial of health care and decisions not to build essential facilities like supermarkets. Even Amazon has been accused of not serving poor, predominantly Black neighborhoods with its Prime same-day shipping plan.

The decades of redlining represent a form of systematic racism that has denied generations of Black communities the kind of opportunities many other Americans enjoy. And the fear is it's happening again with broadband internet service. Big providers, when deciding where to invest the money to upgrade their networks, often focus on wealthier parts of cities and shun low-income communities. Fiber connections are expensive, and ISPs are hesitant to expand unless they expect a return on their investment. As a result, poorer communities often have no internet or are stuck with slow, legacy networks that can't meet today's demands -- even though they usually pay as much as their wealthier neighbors who have gigabit fiber connections.

Digital redlining isn't illegal since there aren't regulations that dictate where broadband providers build their networks. But those desirable areas are often affluent, predominantly white communities. Conversely, areas where income is lower tend to be in Black and Hispanic neighborhoods, intrinsically tying this issue to race, consumer advocates say. It's because of those complexities that it's difficult to truly gauge the magnitude of the problem.

"Is it intentionally race?" said Angela Siefer, executive director of the National Digital Inclusion Alliance, a nonprofit that advocates for low-income communities to get access to technology. "One doesn't know intentions. But one knows the outcome, which is the majority of the neighborhoods that have slower speeds from providers ... are lower-income neighborhoods, and they tend to be communities of color."

The number of people caught in the broadband gap overall is staggering. Microsoft, which tracks how quickly people download its software and security updates, estimates 120.4 million people, or more than a third of the US population, don't use the internet at broadband speeds. The problem has jumped in importance as the novel coronavirus pandemic has made home broadband essential. Without it, people can't attend classes, work, virtually visit their doctors or even easily schedule appointments for COVID-19 vaccinations. The fear is digital redlining will continue as wireless carriers roll out 5G networks across the country.

There's no data about the nationwide prevalence of digital redlining, but studies have found the practice taking place in cities like Baltimore, Cleveland, Dallas, Detroit, Los Angeles, Oakland and other parts of California. NDIA's annual analysis of the "worst connected cities in America" for 2019, the most recent data available, showed that the top 20 cities with the least access to broadband -- including mobile -- all had poverty rates of at least 10%, while all but two had high percentages of people of color. Meanwhile, the Greenlining Institute last year mapped out Internet accessibility throughout California and found that areas that were redlined by banks in the past are digitally redlined by ISPs today.

Lack of high-speed home internet access disproportionately affects children of color, according to a joint study last year from the Alliance for Excellent Education, National Indian Education Association, National Urban League and UnidosUS. It found that 34% of American Indian/Alaska Native families and about 31% each of Black and Latino families lack access to high-speed home internet, versus 21% of white families. That raises the risk these kids will fall behind their peers.

There is hope the situation will change. In his $2 trillion infrastructure plan unveiled in April, President Joe Biden initially pledged $100 billion over eight years to make sure every American has broadband access. (The amount was later lowered to $65 billion to match a Republican proposal). Affordability will be a big part of that, and the funds could incentivize companies to build in areas they previously avoided. They could also tempt upstart competitors to serve the neighborhoods. Biden tapped Vice President Kamala Harris -- who is Black, Asian American and an Oakland native -- to oversee the country's efforts to close the digital divide.

To directly address affordability, the federal government in mid-May introduced a $50 Emergency Broadband Benefit to get people online during the pandemic, a model that could be followed through future broadband plans. It also has provided funding to get internet access to more students. Like the Biden administration, the US Federal Communications Commission, led by Acting Chairwoman Jessica Rosenworcel, has made broadband access and affordability key areas to tackle.

In the meantime, state and local governments, along with nonprofits, low-cost internet providers and other organizations, are finding ways to bring internet access to underserved communities. In cities like Los Angeles and Denver, budget ISPs such as Starry have built networks to provide $15 monthly internet service in public housing. In East Cleveland, nonprofit PCs for People has partnered with the state, Microsoft and various other businesses to offer inexpensive internet plans and computers to 2,000 residents, while another nonprofit, DigitalC, has ambitious plans to connect 40,000 people in the city by 2025. Similar programs are happening all over the country.

At a time when people are so divided, this is a rare issue that crosses political lines.

"If somebody else solved this problem for me, I would love it," said Jon Husted, the Republican lieutenant governor of Ohio who also runs InnovateOhio, the state's effort to improve technology access for its citizens. "It's not like I have a secret desire to run a government-run internet service provider. I'm just trying to solve a problem for real people that nobody else is."

The origins of redlining

Redlining was aimed at protecting the bottom lines of banks, insurers and other companies when it emerged in the last century. The groups defended the practice as avoiding "risky" investments, but the definition of risk often was based on race. The policy resulted in entire communities -- a vast majority Black -- being denied loans, coverage or service.

While the Fair Housing Act in 1968 made redlining illegal, the effects still linger for Black communities. In the US, home ownership has long been a major factor in determining a person's financial stability and a way for families to pass on wealth to future generations. In 2019, only about 42% of Black people owned homes versus 72% of white Americans, according to the Urban Institute, and the median Black household held one-eighth the wealth of the median white household. At the same time, historically redlined neighborhoods have "lower life expectancy and higher incidence of chronic diseases that are risk factors for poor outcomes from COVID-19," according to a study from the National Community Reinvestment Coalition.

Redlining "created Black poverty," said Juan Perea, a professor of law and social justice at the Loyola University Chicago School of Law and an expert on the history of racism in the US. "Black poverty has been devastating on equal schools, on equal housing, on equal health conditions, on equal employment possibilities."

Digital redlining is similar to traditional redlining, though it isn't based outright on race. Instead, it's based on income and corporate calculations on whether building service in a particular neighborhood or city will be profitable.

Internet service in the US is considered a free market service, not a utility like electricity, gas or landline phone service. While ISPs build networks where it makes financial sense and set their own prices, utilities face price caps, coverage requirements and other regulations to make them accessible for everyone.

While ISPs aren't openly shunning build-outs in areas because of the ethnic breakdown of a community, they are weighing the money they'll make from installing pricey infrastructure. Often, they determine they won't make much -- if any -- profit in low-income areas, so they decide not to invest there. It turns out, many of the areas redlined by banks decades ago have trouble getting high-speed internet service today. A modern-day map of households in Cleveland without broadband internet access mirrors a 1940s map of mortgage redlining in the city.

A map of 1940s mortgage redlining in Cleveland closely aligns with a modern-day map of areas of Cleveland without fast internet service. The "undesirable" areas marked in red on the bank map match areas on the broadband map where at least 40% of the households don't have broadband. The mortgage map is based on an image shared by Ohio State University, while the broadband map is from DigitalC and empowerCLE+ and uses data from the 2015 to 2019 American Community Survey.

"Digital redlining is the system working as it was designed," said Vinhcent Le, technology equity legal counsel at the Greenlining Institute. "How it should have been designed is the internet is a utility. At the end of the day, that's the only surefire way to get out of this. At the same time, it's probably one of the least likely ways given the amount of money involved."

The origins of digital redlining stem from a system that was designed to make sure everyone had telephone access. Landline telecom companies were required to provide inexpensive, fixed-line phone service to all homes in the US. Many of those companies then became the first internet service providers, providing connectivity through dial-up connections and later through "digital subscriber lines" via copper cables. DSL, as it's more commonly known, was considered speedy in the 1990s before it was supplanted by faster cable broadband.

Now, DSL speeds typically range from 0.5 Mbps -- too slow to do most tasks on the internet -- to about 100 Mbps, if the user is close to the main hub. Because most DSL connections can't keep up with today's internet needs, companies no longer invest in those networks and are instead building fiber or fixed wireless to serve their customers and future-proof their networks. But some providers are only replacing DSL with pricey fiber in wealthier areas where they know their investment will pay off.

The big, publicly traded service providers generally expect to make a return on their investments in about three to five years, said Ernesto Falcon, senior legislative counsel at the Electronic Frontier Foundation.

"That's basically impossible with this high-capacity infrastructure for a vast majority of places," he said. "Some places [like rural communities] may take upwards of 30 to 40 years to repay the debt and make it work." In areas with about 1,000 people per square mile, ISPs should be able to make money in the long run, Falcon estimated. "It just doesn't make money fast enough for their liking," he said.

While digital redlining isn't identical to traditional redlining, it could have some of the same impacts over the long term. Kids who can't take classes from home may never catch up to their more affluent peers, get into good colleges and find high-paying work. Adults without fast broadband can't participate in the modern economy -- completing tasks like paying bills online, video chatting with their doctors remotely, or searching and applying for jobs. They're often limited to what they can do on their phones, which experts say isn't a real replacement for a wired connection.

Reclassifying broadband?

To ensure that everyone has broadband internet service, some organizations have proposed using Title II of the 1934 Communications Act to reclassify broadband as a telecommunications service, the same step taken by the FCC in 2015. At that time, the FCC adopted net neutrality and said it would be able to regulate broadband under the rules used for the old telephone network. The move made broadband a "common carrier," which meant the network had to be open to everyone. One of the first major moves by Ajit Pai after his appointment as FCC chairman by President Donald Trump in 2017 was reversing net neutrality rules and deregulating broadband. The current FCC can seek to reverse the reversal, but first, Biden will have to appoint a fifth, tiebreaker commissioner.

Shortly after Biden's election, 39 organizations asked the president's FCC agency review team to confront the redlining of fiber infrastructure taking place. Separately, three Baltimore city council members -- along with 100 other elected officials and organizations around the country -- sent a letter in March to Rosenworcel asking her to launch a commission focused on ending digital redlining, as well as to reclassify broadband under Title II authority.

"We demand that the new Biden FCC commit to abolishing digital redlining in its first year and use its power to end digital redlining of fiber infrastructure in its entirety across America before the end of the first term," said the November letter to Biden, which was signed by groups such as the California LGBT Arts Alliance, the Detroit Community Technology Project and the DC-based advocacy group Public Knowledge.

Enacting Title II wouldn't just bring back net neutrality. It also could let the FCC regulate the broadband industry in a similar way to utilities, including protecting consumers and ensuring service quality. It could also ensure service providers offer affordable plans and require those plans to cover everyone, not just select, wealthy parts of a network. Whether the FCC would actually do that would take a lot of heavy political lifting. When passing net neutrality in 2015, the FCC didn't adopt some aspects of Title II, like setting price caps on broadband service.

But if broadband is redefined as a utility, it could help places like the Housing Authority in LA make internet access even more affordable for residents.

Public-private partnerships

For much of the pandemic, students in California have taken classes remotely. But at least one group struggled -- children who live in LA's public housing. The approximately 6,900 units house about 23,000 Angelenos, but until last summer, the residents had no wired, fast, reliable internet service in their apartments.

"Most of our sites were not really covered by anyone," said Jenny Scanlin, chief development officer for HACLA. "They were theoretically covered by a number of broadband providers, but the broadband providers would not invest in the infrastructure needed to actually bring and distribute that internet on site. Even though some people were paying for services, they were spotty to say the least and fairly useless."

A 2019 study on broadband in LA County from the University of Southern California's Annenberg Research Network on International Communication found that competition and fiber internet service are less likely to be found in low-income areas and communities of color, particularly in areas that combine poverty and a large percentage of Black residents. Gigabit-level broadband service is "significantly more available in wealthier communities," the study said. And there's more competition in affluent areas, giving consumers in those areas more choice and better prices for faster speeds.

"There are significant differences in what happened then [with mortgage redlining] and what's happening now," said Hernan Galperin, an associate professor at USC's Annenberg School for Communication and one of the study's authors. "But you could argue that ultimately the result is the same."

The situation in LA's public housing started changing when Starry wanted to put its broadband internet towers on the roofs of HACLA housing. Its low-cost, digital equity arm, Starry Connect, ended up signing a deal with the housing authority to provide fixed wireless, 30Mbps symmetrical service to over 5,000 units across nine different public housing sites. Instead of tying service to an individual -- which traditionally has required ISPs to perform credit and background checks -- Starry provides service based on an address. After a six-month free trial during the initial launch period, the service costs $15 a month. Starry so far has covered about 1,000 units.

"The vast majority of those folks that participate in ... our program probably don't actually know that they're a part of an affordability program," said Virginia Lam Abrams, Starry's senior vice president of government affairs and strategic advancement. "It was really purpose-built that way ... to really reduce the friction [to] adopting broadband … [and] there's a lot to be said about preserving people's dignity."

While $15 a month may be reasonable for many people, it's still too expensive for those who have no income. That's where classifying internet service like a utility could help. The US Department of Housing and Urban Development, which funds HACLA and other housing authorities across the country, doesn't allow those organizations to cover the cost of internet service for residents -- yet. There's hope that officially defining internet service as a utility would allow residents to deduct the cost of their internet service from their rent, such as what they do for utilities like gas and electricity.

"Frankly, I think that this should be treated as a utility," Scanlin said. "It should be something that is required to be provided."

Currently, HUD allows housing authorities to pay for internet service in common areas and computer rooms, but not individual units. The Coronavirus Aid, Relief, and Economic Security (CARES) Act allowed HUD funds to be used to cover in-unit internet service for families with significant telehealth needs, kids attending remote classes, or disabled and elderly people who couldn't leave their homes.

HUD is exploring how it could do more. Providing a utility allowance for internet service for public housing residents would take, at the very least, regulatory action. To extend benefits to lower income families participating in other HUD programs, like its housing vouchers program, likely would require an act of Congress.

"Because the Biden-Harris administration understands how vital internet connectivity is to daily living, HUD is exploring options to make home internet service more accessible for the families we serve through the public housing program and across the department's other programs for low-income housing," said a HUD senior official.

ISPs argue that it doesn't make sense for internet to be a utility. They say the industry is "ultra-competitive," in the words of trade group USTelecom-The Broadband Association, and is defined by ever higher speeds, plenty of capacity, new providers and next-generation technologies. USTelecom lobbies on behalf of companies like AT&T, Frontier, Verizon and Cisco. Broadband providers have invested $1.8 trillion over the past 25 years to build infrastructure around the country, said USTelecom CEO Jonathan Spalter, and ISPs argue such investment wouldn't be possible if companies couldn't make money from providing service.

"Broadband deployment is hard and capital intensive work, but broadband providers in every corner of the country -- from local Main Street companies to global technology leaders -- are investing nearly $80 billion annually to connect communities, upgrade infrastructure, bolster speeds and innovate across their networks," Spalter said in a statement.

"Let's be clear: all communities in the United States should have access to the power and promise of broadband -- no matter where, no matter what," Spalter added. "Full stop. Systematically excluding anyone from 21st century connectivity is wrong."

Suing for equal coverage

Even though internet service isn't regulated like a utility, companies can still be accused of denying coverage or discrimination. The biggest offenders tend to be the former landline service providers such as AT&T and Frontier Communications, not cable companies, experts say. Because of franchise agreements, cable providers are barred from offering internet service to people in some areas and ignoring others.

"Cable broadband service absolutely does not redline and builds out and upgrades its networks throughout entire cities, including inner city areas," Brian Dietz, a spokesman for NCTA-The Internet & Television Association, said in a statement. The group, formerly known as the National Cable & Telecommunications Association, represents the country's biggest cable providers like Comcast, and it's one of the most influential lobbying groups in America. "These franchises have been in place for decades in most communities across the US," he added.

In 2017, citizens of Cleveland filed an FCC complaint against AT&T, accusing the wireless carrier and home internet service provider of "failing to serve the low-income, communities of color" in the city. A similar complaint was filed later that year by residents of Detroit. Both relied on research from NDIA that pulled data from AT&T's FCC filings. In the case of Cleveland, "the overwhelming majority of [census] blocks with individual poverty rates above 35%" lacked fast AT&T fiber-to-the-node internet, while the technology was the standard in Cleveland's wealthier suburbs. In Detroit, a similar pattern emerged, NDIA said. AT&T disputed the findings, and both complaints were "resolved" through "commission-staff supervised mediation" and dismissed in early 2018.

"We do not 'redline' internet access, and any suggestion that we do is wrong," AT&T spokesman Jim Kimberly said in a statement. "Our investment decisions are based on the capacity needs of our network and demand for our services. So called 'studies' from ideologically driven groups like NDIA skew antiquated, inaccurate and cherry-picked data to formulate desired conclusions."

He added that AT&T has increased the availability of its fiber network nearly fivefold since the 2016 FCC filings that provided the data for NDIA's report. As of the end of the first quarter, AT&T Fiber covered more than 14.5 million customer locations in over 90 areas, and the company plans to double the number of customer locations by the end of 2025.

Still, an October 2020 report from NDIA and the Communications Workers of America -- based on FCC data from 2019 -- found that AT&T has made fiber-to-the-home available to fewer than a third of the households in its footprint. It also said that households with AT&T Fiber available have a median income 34% higher than those with DSL only.

Meanwhile, an examination of Frontier Communications' bankruptcy filing by the EFF a year ago found that Frontier hadn't upgraded its old DSL network because it was making money from customers paying for those slow speeds. Had it invested in fiber, it would have lost money for about five years, the EFF calculated.

Part of Frontier's plan to emerge from bankruptcy, which it outlined in April, is to accelerate its fiber build-out. It aims to pass an additional 3 million homes and businesses with fiber over multiple years, bringing its total footprint to 6 million. That includes extending fiber to nearly 500,000 more residences this year. Upgrading about 3 million DSL users will deliver a 20% internal rate of return on its investment by 2031, Frontier said in a regulatory filing.

"Fiber has high upfront costs (like a house), but it pays off handsomely over time," the EFF said. "The inability to capitalize on superior investment opportunities because they take too long to mature is the very definition of dysfunctional short-termism."

The US Federal Trade Commission and law enforcement agencies from six states sued Frontier in May for failing to deliver DSL internet speeds that consumers paid for and were promised. The complaint alleges that Frontier charged many consumers for more expensive and higher-speed service than it actually provided. Frontier provides DSL service to about 1.3 million subscribers, many in rural areas, across 25 states.

At the time, Frontier said in a statement that the lawsuit is "without merit" and that its "DSL Internet speeds have been clearly and accurately articulated, defined and described in the company's marketing materials and disclosures." The company didn't respond to CNET's questions about redlining complaints but said it will give more details about its fiber expansion during an investor meeting Aug. 5.

New York sued Verizon in 2017 for failing to live up to its promise to install fiber to every home in the city by 2014. The deal was reached in 2008 as part of a citywide cable television franchise agreement, but by the time of the lawsuit, Verizon had installed fiber in about two-thirds of New York's 3.1 million residences. Most unserved homes were in low-income parts of the city. New York and Verizon settled their dispute in November, with Verizon saying it will wire up to 500,000 more households with Fios, particularly in the ignored low-income neighborhoods.

"Internet access is an economic right in New York City, no matter your ZIP code," Mayor Bill de Blasio said in a press release announcing the settlement. "Tech giants will not stand in our way to deliver high-quality broadband to New Yorkers -- they must be a part of the solution."

Verizon said it's "grateful for the opportunity to bring Verizon Fios service" to more New Yorkers. "The NYC agreement builds upon Verizon's base and will make this premier broadband service available to even more consumers," spokeswoman Adria Tomaszewski said in a statement.

Meanwhile, the State of New York has gone further with trying to make broadband affordable for residents. In April, it passed a law that will require all ISPs to offer high-speed internet plans to low-income families for $15 a month starting in mid-June. Internet providers are battling the law in court, though, and the rollout plans are on hold.

Giving consumers choice

Six years ago, Denver looked a lot like LA when it came to internet service in public housing. No broadband providers served the 26,000 residents across 21 properties, one of the biggest public housing communities in the Western US. The median household income for the residents is around $10,000 a year, making most internet plans out of reach, even if the units were wired for service. More than 90% of the residents are people of color.

"I just find this shocking, and every time I say it out loud, it feels like I'm talking about 1983 or something," Jesse Burne, strategic initiatives manager at the Denver Housing Authority, said of the lack of broadband in the city's public housing.

Then Denver became a pilot participant in President Barack Obama's ConnectHome initiative, which aimed to expand broadband to more families across the country. Through that program and other efforts, Denver's public housing properties went from zero ISPs to three, giving residents more choice than most Americans across the country. The providers include Comcast with its Internet Essentials program, Starry Connect and LiveWireNet, a local ISP. None charges more than $15 a month, including taxes and fees.

While some organizations and housing authorities have pushed for the internet to be defined as a utility, others view competition as the way to get lower prices and better service -- though competition alone likely won't solve the digital redlining problem. According to an August report from the Institute for Local Self-Reliance, most Americans don't have real choice in internet providers. At least 83.3 million Americans can only access broadband through a single ISP, the study said.

"We don't see just one internet provider as suitable for our residents," Burne said. "They're just like all the rest of us -- they want choice."

The success of the three ISPs in Denver public housing has prompted other big internet providers to approach the units to offer service to residents, Burne said. But they can't come close to the $15 -- or less -- monthly rate the residents are paying.

"The problem is that they don't really understand their audience," Burne said. "They don't understand that they're talking to someone sitting across from them [who] makes $10,000 a year, and they're trying to sell them a $150 internet package."

In Denver's public housing, at least, competition wins. In other places, it may take changes in federal and state funding eligibility to allow new providers to address areas considered "covered" by an incumbent, which typically neglects an area but vows to change when it sees a competitor eyeing its turf (See: Google Fiber). Some municipalities may build service for residents or find ways to fund nonprofits that can provide broadband, like PCs for People in Cleveland. And those billions of dollars in federal infrastructure funding may be better targeted at inner cities and areas previously deemed ineligible for help. Much of the last four years of government broadband spending was aimed at rural communities.

"We know connectivity gaps remain in parts of America, and it is unacceptable," USTelecom's Spalter said. "But private investment alone can't finish the job of connecting every home and business -- that's why this is an important and pivotal moment in Washington."

LA's public housing doesn't yet have competition, but at least it has coverage. In late 2020, Starry Connect made its way to HACLA resident Wilson's home in Imperial Courts.

"They came around and knocked on doors," Wilson said. In the time she's had service, Wilson no longer uses her phone as a hotspot and is able to work as an independent consultant for Paparazzi Accessories, selling jewelry from the company online.

"I feel like $15 is really affordable, especially when it comes to the speed of it," said Wilson, who started paying for her service this month after her six-month free trial. "And it definitely has worked. We're online right now watching TikTok videos."
https://www.cnet.com/features/the-br...-digital-form/





Musk says Total Investments in Starlink to Reach $20-$30 Billion

Elon Musk said on Tuesday that total investments in Starlink would reach between $5 billion and $10 billion before the satellite internet venture achieves positive cash flow.

Over the lifetime of the project, total investments could run to $20-$30 billion, the Tesla Inc (TSLA.O) CEO told the Mobile World Congress in Barcelona.

"It's a lot, basically," Musk said in a video interview from California.
Reporting by Supantha Mukherjee and Clara-Laeila Laudette; Writing by Douglas Busvine; Editing by Keith Weir
https://www.reuters.com/technology/m...on-2021-06-29/





Hackers Exploited 0-Day, Not 2018 Bug, to Mass-Wipe My Book Live Devices

Western Digital removed code that would have prevented the wiping of petabytes of data.
Dan Goodin

Update 6/29/2021, 9:00 PM: Western Digital has published an update that says the company will provide data recovery services starting early next month. My Book Live customers will also be eligible for a trade-in program so they can upgrade to My Cloud devices. A spokeswoman said the data recovery service will be free of charge.

The company also provided new technical details about the zero-day, which is now being tracked as CVE-2021-35941. Company officials wrote:

We have heard concerns about the nature of this vulnerability and are sharing technical details to address these questions. We have determined that the unauthenticated factory reset vulnerability was introduced to the My Book Live in April of 2011 as part of a refactor of authentication logic in the device firmware. The refactor centralized the authentication logic into a single file, which is present on the device as includes/component_config.php and contains the authentication type required by each endpoint. In this refactor, the authentication logic in system_factory_restore.php was correctly disabled, but the appropriate authentication type of ADMIN_AUTH_LAN_ALL was not added to component_config.php, resulting in the vulnerability. The same refactor removed authentication logic from other files and correctly added the appropriate authentication type to the component_config.php file.

The post added:

We have reviewed log files which we have received from affected customers to understand and characterize the attack. The log files we reviewed show that the attackers directly connected to the affected My Book Live devices from a variety of IP addresses in different countries. Our investigation shows that in some cases, the same attacker exploited both vulnerabilities on the device, as evidenced by the source IP. The first vulnerability was exploited to install a malicious binary on the device, and the second vulnerability was later exploited to reset the device.

What follows is the article as it originally appeared:

Last week’s mass-wiping of Western Digital My Book Live storage devices involved the exploitation of not just one vulnerability but also a second critical security bug that allowed hackers to remotely perform a factory reset without a password, an investigation shows.

The vulnerability is remarkable because it made it trivial to wipe what is likely petabytes of user data. More notable still was that, according to the vulnerable code itself, a Western Digital developer actively removed code that required a valid user password before allowing factory resets to proceed.

Done and undone

The undocumented vulnerability resided in a file aptly named system_factory_restore. It contains a PHP script that performs resets, allowing users to restore all default configurations and wipe all data stored on the devices.

Normally, and for good reason, factory resets require the person making the request to provide a user password. This authentication ensures that devices exposed to the Internet can only be reset by the legitimate owner and not by a malicious hacker.

As the following script shows, however, a Western Digital developer wrote five lines of code to password-protect the reset command. For unknown reasons, the authentication check was disabled, or in developer parlance, commented out, as indicated by the double / character at the beginning of each line.

function post($urlPath, $queryParams = null, $ouputFormat = 'xml') {
// if(!authenticateAsOwner($queryParams))
// {
//     header("HTTP/1.0 401 Unauthorized");
//     return;
// }
    // ... the reset itself follows here, reachable without the owner password once the check above is commented out
}

“The vendor commenting out the authentication in the system restore endpoint really doesn't make things look good for them,” HD Moore, a security expert and the CEO of network discovery platform Rumble, told Ars. “It’s like they intentionally enabled the bypass.”

To exploit the vulnerability, the attacker would have had to know the format of the XML request that triggers the reset. That’s “not quite as easy as hitting a random URL with a GET request, but [it’s] not that far off, either,” Moore said.
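The root cause Western Digital describes, a per-file check removed in favour of a central endpoint-to-auth-type map that was never given an entry for system_factory_restore, is a fail-open lookup. The following is an added illustration in Python, not the device's PHP or any Western Digital code: only the names ADMIN_AUTH_LAN_ALL, component_config and system_factory_restore come from the article, while the Request/handler model, the two dispatch functions and the assumption that a missing entry was treated as "no authentication required" are constructed for the example. The hardened dispatcher denies any endpoint without an explicit policy, and the build-time check would have flagged the refactor.

```python
from dataclasses import dataclass, field

# Auth types. ADMIN_AUTH_LAN_ALL is the value named in Western Digital's
# update; NO_AUTH is an assumed name for an explicitly public endpoint.
ADMIN_AUTH_LAN_ALL = "ADMIN_AUTH_LAN_ALL"
NO_AUTH = "NO_AUTH"

# Constructed stand-in for includes/component_config.php after the 2011
# refactor: language_configuration got an entry, system_factory_restore
# did not (the missing line is shown as a comment).
COMPONENT_CONFIG_AFTER_REFACTOR = {
    "language_configuration": ADMIN_AUTH_LAN_ALL,
    # "system_factory_restore": ADMIN_AUTH_LAN_ALL,   # <- never added
}


@dataclass
class Request:
    endpoint: str
    method: str
    authenticated_as_owner: bool = False
    params: dict = field(default_factory=dict)


def factory_restore_post(req):
    """Stand-in for system_factory_restore.php with its own check removed:
    it assumes the dispatcher already authenticated the caller."""
    erase = req.params.get("erase", "none")
    return 200, f"System_factory_restore POST SUCCESS (erase = {erase})"


def language_configuration_post(req):
    return 200, "Language_configuration POST SUCCESS"


HANDLERS = {
    "system_factory_restore": factory_restore_post,
    "language_configuration": language_configuration_post,
}


def dispatch_fail_open(req, component_config):
    """Reconstruction of the vulnerable behaviour (assumed): an endpoint
    with no entry in the map is treated as requiring no authentication."""
    required = component_config.get(req.endpoint, NO_AUTH)
    if required == ADMIN_AUTH_LAN_ALL and not req.authenticated_as_owner:
        return 401, "Unauthorized"
    return HANDLERS[req.endpoint](req)


def dispatch_fail_closed(req, component_config):
    """Hardened form: no entry means deny, and only an explicit NO_AUTH
    entry makes an endpoint reachable without the owner password."""
    required = component_config.get(req.endpoint)
    if required is None:
        return 403, f"no auth policy configured for {req.endpoint}"
    if required == ADMIN_AUTH_LAN_ALL and not req.authenticated_as_owner:
        return 401, "Unauthorized"
    return HANDLERS[req.endpoint](req)


def unmapped_endpoints(component_config, handlers=HANDLERS):
    """Build-time check that would have caught the refactor: every
    registered handler needs a line in the auth map."""
    return sorted(set(handlers) - set(component_config))


if __name__ == "__main__":
    reset = Request("system_factory_restore", "POST", params={"erase": "format"})
    print("fail-open:  ", dispatch_fail_open(reset, COMPONENT_CONFIG_AFTER_REFACTOR))
    print("fail-closed:", dispatch_fail_closed(reset, COMPONENT_CONFIG_AFTER_REFACTOR))
    print("unmapped:   ", unmapped_endpoints(COMPONENT_CONFIG_AFTER_REFACTOR))
```

Run stand-alone, the fail-open dispatcher returns 200 for an unauthenticated reset while the fail-closed one returns 403, and unmapped_endpoints() lists system_factory_restore; adding the missing entry turns the 403 into a 401 for anonymous callers and a 200 only for the authenticated owner.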

Dude, where’s my data?

The discovery of the second exploit comes five days after people all over the world reported that their My Book Live devices had been compromised and then factory-reset so that all stored data was wiped. My Book Live is a book-sized storage device that uses an Ethernet jack to connect to home and office networks so that connected computers have access to the data on it. Authorized users can also access their files and make configuration changes over the Internet. Western Digital stopped supporting the My Book Live in 2015.

Western Digital personnel posted an advisory following the mass wiping that said it resulted from attackers exploiting CVE-2018-18472. The remote command execution vulnerability was discovered in late 2018 by security researchers Paulos Yibelo and Daniel Eshetu. Because it came to light three years after Western Digital stopped supporting the My Book Live, the company never fixed it.

An analysis performed by Ars and Derek Abdine, CTO at security firm Censys, found that the devices hit by last week’s mass hack had also been subjected to attacks that exploited the unauthorized reset vulnerability. The additional exploit is documented in log files extracted from two hacked devices.

One of the logs was posted in the Western Digital support forum where the mass compromise first came to light. It shows someone from the IP address 94.102.49.104 successfully restoring a device:

rest_api.log.1:Jun 23 15:46:11 MyBookLiveDuo REST_API[9529]: 94.102.49.104 PARAMETER System_factory_restore POST : erase = none
rest_api.log.1:Jun 23 15:46:11 MyBookLiveDuo REST_API[9529]: 94.102.49.104 OUTPUT System_factory_restore POST SUCCESS

A second log file I obtained from a hacked My Book Live device showed a different IP address—23.154.177.131—exploiting the same vulnerability. Here are the telltale lines:

Jun 16 07:28:41 MyBookLive REST_API[28538]: 23.154.177.131 PARAMETER System_factory_restore POST : erase = format
Jun 16 07:28:42 MyBookLive REST_API[28538]: 23.154.177.131 OUTPUT System_factory_restore POST SUCCESS

After presenting these findings to Western Digital representatives, I received the following confirmation: “We can confirm that in at least some of the cases, the attackers exploited the command injection vulnerability (CVE-2018-18472), followed by the factory reset vulnerability. It’s not clear why the attackers exploited both vulnerabilities. We’ll request a CVE for the factory reset vulnerability and will update our bulletin to include this information.”
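A way to pull these events out of rest_api.log automatically, as an added example that is not part of the article and not Western Digital's tooling: it assumes the line layout shown in the two excerpts above (an optional "file:" prefix left by grep, a timestamp, host, REST_API[pid], client IP, then PARAMETER or OUTPUT records). The first four sample lines are the ones quoted above; the fifth, from a LAN address, is constructed to show a routine request that must not alert. Each factory-restore request is paired with the OUTPUT line from the same process and client to confirm it succeeded, and the client address is checked against private address space.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Optional

# Lines 1-4 are the ones quoted in the article (the first two carry the
# "rest_api.log.1:" prefix left by grep); line 5 is constructed.
SAMPLE_LOG = """\
rest_api.log.1:Jun 23 15:46:11 MyBookLiveDuo REST_API[9529]: 94.102.49.104 PARAMETER System_factory_restore POST : erase = none
rest_api.log.1:Jun 23 15:46:11 MyBookLiveDuo REST_API[9529]: 94.102.49.104 OUTPUT System_factory_restore POST SUCCESS
Jun 16 07:28:41 MyBookLive REST_API[28538]: 23.154.177.131 PARAMETER System_factory_restore POST : erase = format
Jun 16 07:28:42 MyBookLive REST_API[28538]: 23.154.177.131 OUTPUT System_factory_restore POST SUCCESS
Jun 16 07:30:05 MyBookLive REST_API[28540]: 192.168.1.23 PARAMETER Language_configuration GET
"""

LINE_RE = re.compile(
    r"^(?:[\w./-]+:)?"                                     # optional "file:" prefix from grep
    r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) REST_API\[(?P<pid>\d+)\]: "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"(?P<kind>PARAMETER|OUTPUT) (?P<endpoint>\S+) (?P<method>[A-Z]+)"
    r"(?: : (?P<params>.*)| (?P<result>\S+))?$"
)

RESET_ENDPOINT = "system_factory_restore"


@dataclass
class Event:
    ts: str
    host: str
    pid: str
    ip: str
    kind: str          # PARAMETER (request seen) or OUTPUT (result reported)
    endpoint: str
    method: str
    params: dict = field(default_factory=dict)
    result: Optional[str] = None


def parse_line(line: str) -> Optional[Event]:
    """Parse one rest_api.log line; returns None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    params = {}
    if d["params"]:
        for item in d["params"].split(", "):          # e.g. "erase = format"
            key, _, value = item.partition(" = ")
            params[key.strip()] = value.strip()
    return Event(d["ts"], d["host"], d["pid"], d["ip"], d["kind"],
                 d["endpoint"], d["method"], params, d["result"])


def detect_factory_resets(log_text: str) -> list:
    """Flag every factory-restore request, note whether the device reported
    SUCCESS for it, and whether the client sat outside private address space."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    alerts = []
    for i, ev in enumerate(events):
        if ev.kind != "PARAMETER" or ev.endpoint.lower() != RESET_ENDPOINT:
            continue
        succeeded = any(
            o.kind == "OUTPUT" and o.pid == ev.pid and o.ip == ev.ip
            and o.endpoint.lower() == RESET_ENDPOINT and o.result == "SUCCESS"
            for o in events[i + 1:]
        )
        alerts.append({
            "ts": ev.ts, "host": ev.host, "ip": ev.ip,
            "erase": ev.params.get("erase"),
            "succeeded": succeeded,
            "remote": not ipaddress.ip_address(ev.ip).is_private,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_factory_resets(SAMPLE_LOG):
        print(alert)
```

On the sample, both quoted resets are reported as successful and as coming from non-private addresses, with the erase mode ("none" and "format") carried through from the PARAMETER record; the constructed LAN request produces no alert. The same check can be run over a full rest_api.log by passing its contents to detect_factory_resets().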

This vulnerability has been password-protected

The discovery raises a vexing question: if the hackers had already obtained full root access by exploiting CVE-2018-18472, what need did they have for this second security flaw? There’s no clear answer, but based on the evidence available, Abdine has come up with a plausible theory—that one hacker first exploited CVE-2018-18472 and a rival hacker later exploited the other vulnerability in an attempt to wrest control of those already compromised devices.

The attacker who exploited CVE-2018-18472 used the code execution capability it provided to modify a file in the My Book Live stack named language_configuration.php, which is where the vulnerability is located. According to a recovered file, the modification added the following lines:

function put($urlPath, $queryParams=null, $ouputFormat='xml'){
    parse_str(file_get_contents("php://input"), $changes);

    $langConfigObj = new LanguageConfiguration();
    if(!isset($changes["submit"]) || sha1($changes["submit"]) != "56f650e16801d38f47bb0eeac39e21a8142d7da1")
    {
        die();
    }

The change prevented anyone from exploiting the vulnerability without the password that corresponds to the cryptographic SHA1 hash 56f650e16801d38f47bb0eeac39e21a8142d7da1. It turns out that the password for this hash is p$EFx3tQWoUbFc%B%R$k@. The plaintext appears in the recovered log file here.

A separate modified language_configuration.php file recovered from a hacked device used a different password that corresponds to the hash 05951edd7f05318019c4cfafab8e567afe7936d4. The hackers used a third hash—b18c3795fd377b51b7925b2b68ff818cc9115a47—to password-protect a separate file named accessDenied.php. It was likely done as an insurance policy in the event that Western Digital released an update that patched language_configuration.

So far, attempts to crack these two other hashes haven’t succeeded.

According to Western Digital’s advisory linked above, some of the My Book Live devices hacked using CVE-2018-18472 were infected with malware called .nttpd,1-ppc-be-t1-z, which was written to run on the PowerPC hardware used by My Book Live devices. One user in the support forum reported a hacked My Book Live receiving this malware, which makes devices part of a botnet called Linux.Ngioweb.

A theory emerges

So why would someone who successfully wrangled so many My Book Live devices into a botnet turn around and wipe and reset them? And why would someone use an undocumented authentication bypass when they already have root access?

The most likely answer is that the mass wipe and reset was performed by a different attacker, very possibly a rival who either attempted to take control of the first attacker’s botnet or simply wanted to sabotage it.

“As for motive for POSTing to this [system_factory_restore] endpoint on a mass scale, it is unknown, but it could be an attempt at a rival botnet operator to take over these devices or render them useless, or someone who wanted to otherwise disrupt the botnet which has likely been around for some time, since these issues have existed since 2015,” Abdine wrote in a recent blog post.

The discovery of this second vulnerability means that My Book Live devices are even more insecure than most people thought. It adds authority to Western Digital’s recommendation to all users to disconnect their devices from the Internet. Anyone using one of these devices should heed the call immediately.

For many hacked users who lost years' or decades' worth of data, the thought of buying another Western Digital storage device is probably out of the question. Abdine, however, says that My Cloud Live devices, which replaced Western Digital’s My Book Live products, have a different codebase that doesn’t contain either of the vulnerabilities exploited in the recent mass wiping.

“I took a look at the My Cloud firmware, too,” he told me. “It's rewritten and bears some, but mostly little, resemblance to My Book Live code. So it doesn't share the same issues.”
https://arstechnica.com/gadgets/2021...-live-devices/

Until next week,

- js.

Jack Spratts' Week In Review is published every Friday. Submit letters, articles, press releases, comments, questions etc. in plain text English to jackspratts (at) lycos (dot) com. Submission deadlines are Thursdays @ 1400 UTC. Please include contact info. The right to publish all remarks is reserved.


"The First Amendment rests on the assumption that the widest possible dissemination of information from diverse and antagonistic sources is essential to the welfare of the public."
- Hugo Black
__________________
Thanks For Sharing