Old 22-07-20, 06:30 AM   #1
JackSpratts
 
JackSpratts's Avatar
 
Join Date: May 2001
Location: New England
Posts: 10,013
Default Peer-To-Peer News - The Week In Review - July 25th, ’20

Since 2002
July 25th, 2020




Porn Distribution Company Loses Piracy Suit Appeal Against Web Host

Majority holds that forwarding DMCA warnings to sites is responsibility enough.
Kate Cox

A federal appeals court has upheld a ruling that site hosts are not liable for copyright infringement committed by the sites they host, so long as they take the "simple measures" of forwarding claims to the site owner.

The ruling follows a legal battle between adult content company ALS Scan and site hosting service Steadfast. The Ninth Circuit Court of Appeals ruled 2 to 1 on Friday that even though ALS has a "whack-a-mole problem" with pirated content popping up on Imagebam, a site Steadfast hosts, the host did its part to prevent the piracy.

Working as intended

A copyright owner, such as ALS, can file a claim against a site, such as Imagebam, that is unlawfully sharing its copyrighted content. That often means sending notice to the site host—the entity you'd find listed in a whois search—about it. The host, in this case Steadfast, is then required to forward the notice along to the site owner and check that the site owner does in fact take the content down.

ALS several times sent notices to Steadfast about Imagebam sharing infringing content. Steadfast each time forwarded the notices to Imagebam, and each time, Imagebam took down the images specified in the claim. The system worked exactly as it is designed to.

In 2016, ALS apparently got fed up with the sheer volume of takedown requests it was sending and filed suit against several Web hosts, including Steadfast. A California judge in 2018 dismissed the claims against the hosts. Although a business can be held liable for pirate sites it hosts, the judge determined Steadfast had met the required "simple measures" threshold to avoid being responsible for "contributory copyright infringement," because it forwarded the notices and checked for compliance.

"We already check and assure the content is removed, and yes, if the content simply stays up, that is concerning and shows that more could be done," Steadfast CEO Karl Zimmerman told TorrentFreak in 2018. "We took action in forwarding the complaints, tracking those complaints, and validating the content had been removed. We did what was required of us, which is why I thought it was odd we were in this case in the first place."

Whack-a-Mole

Imagebam apparently hosted a lot of ALS' content over time, and ALS in turn sent a whole lot of infringement notices to Steadfast. But "the number of notices is legally irrelevant," the Ninth Circuit holds. "The number of notices that Steadfast previously received gives at most a general knowledge that infringement will likely occur in the future; this does not give notice of any specific acts of infringement that are actually occurring."

Steadfast, in other words, does not have to predict the future based on the past and instead only needs to respond to actual reported instances of infringement that take place.

"We are sympathetic to ALS's 'whack-a-mole problem,'" the majority said, but Steadfast did what was required of it—and, reasonably, could not have actually done more, adding:

“Steadfast forwarded each notice to Imagebam's owner, and every infringing work was taken down. Nor is there evidence that Steadfast had any other simple measures at its disposal. Steadfast did not operate, control, or manage any functions of Imagebam.com. It could not supervise, access, locate, or delete Imagebam accounts. It had no way of knowing, based on a URL hyperlink contained in the notices of copyright infringement, where the infringing works or the Imagebam accounts responsible for illegal uploads were located.”

Circuit Court Judge Richard Clifton dissented with the majority ruling. "It was necessarily apparent to Steadfast that copyright infringements would almost certainly continue, given the history alleged," Clifton wrote. "Hundreds of repeat infringements were reported... Steadfast did not contend (let alone present any evidence to support a conclusion) that the 'simple measures' it took did, in fact, 'prevent future damage to copyrighted works.'"

"The majority appears to accept that copyright law is powerless to address the whack-a-mole problem, but it should not be," Clifton added. "I do not view the law to be so feeble."
https://arstechnica.com/tech-policy/...e-court-rules/





Inside the Surveillance Software Tracking Child Porn Offenders Across the Globe

The Child Protection System helps police triage child pornography cases. But as the system expands, it's facing growing privacy concerns.
Olivia Solon

In December 2016, law enforcement agents seized computers and hard drives from the home of Tay Christopher Cooper, a retired high school history teacher, in Carlsbad, California. On the devices, digital forensic experts found more than 11,600 photos and videos depicting child sexual abuse, according to court documents.

Among the videos was one showing a man raping a toddler girl, according to a criminal complaint.

"The audio associated with this video is that of a baby crying," the complaint states.

Police were led to Cooper's door by a forensic tool called Child Protection System, which scans file-sharing networks and chatrooms to find computers that are downloading photos and videos depicting the sexual abuse of prepubescent children. The software, developed by the Child Rescue Coalition, a Florida-based nonprofit, can help establish the probable cause needed to get a search warrant.

Cooper had used one of the file-sharing programs monitored by the Child Protection System to search for more than 200 terms linked to child sexual abuse, according to the complaint.

Cooper was arrested in April 2018 and pleaded guilty to possession of child pornography. He expressed remorse, according to his attorney, and in December 2018 he was sentenced to a year behind bars.

Cooper is one of more than 12,000 people arrested in cases flagged by the Child Protection System software over the past 10 years, according to the Child Rescue Coalition.

The tool, which was shown to NBC News earlier this year, is designed to help police triage child pornography cases so they can focus on the most persistent offenders at a time when they are inundated with reports. It offers a way to quickly crack down on an illegal industry that has proved resilient against years of efforts to stop the flow of illegal images and videos. The problem has intensified since the coronavirus lockdown, law enforcement officials say, as people spend more time online viewing and distributing illegal material.

The Child Protection System, which lets officers search by country, state, city or county, displays a ranked list of the internet addresses downloading the most problematic files. The tool looks for images that have been reported to or seized by police and categorized as depicting children under age 12.

The Child Protection System "has had a bigger effect for us than any tool anyone has ever created. It's been huge," said Dennis Nicewander, assistant state attorney in Broward County, Florida, who has used the software to prosecute about 200 cases over the last decade. "They have made it so automated and simple that the guys are just sitting there waiting to be arrested."

The Child Rescue Coalition gives its technology for free to law enforcement agencies, and it is used by about 8,500 investigators in all 50 states. It's used in 95 other countries, including Canada, the U.K. and Brazil. Since 2010, the nonprofit has trained about 12,000 law enforcement investigators globally.

Still, it's a drop in the ocean of online child sexual abuse material in circulation. In 2019 alone, the National Center for Missing and Exploited Children received 16.9 million reports related to suspected child sexual exploitation material online.

Now, the Child Rescue Coalition is seeking partnerships with consumer-focused online platforms, including Facebook, school districts and a babysitter booking site, to determine whether people who are downloading illegal images are also trying to make contact with or work with minors.

"Many of these platforms have a big problem of users engaging in suspicious activity that doesn't rise to criminal behavior," said Carly Yoost, CEO of the Child Rescue Coalition. "If they matched their user data with ours, it could alert their security teams to take a closer look at some of their users."

But some civil liberties experts have raised concerns about the mass surveillance enabled by the technology — even before it's connected with social platforms. They say tools like the Child Protection System should be subject to more independent oversight and testing.

"There's a danger that the visceral awfulness of the child abuse blinds us to the civil liberties concerns," said Sarah St. Vincent, a lawyer who specializes in digital rights. "Tools like this hand a great deal of power and discretion to the government. There need to be really strong checks and safeguards."

'You feel like you are going to get justice'

Rohnie Williams had waited 30 years for the news she received in November 2015: Her brother, Marshall Lugo, had been arrested on charges of possession of child pornography.

"It was exhilarating in a 'Twilight Zone' way," said Williams, 41, a New York-based nurse manager. "Your heart starts palpitating. Your mouth gets dry. You feel like you are going to get justice."

Williams got in touch with Megan Brooks, the investigator on the case in Will County, Illinois, and told her that Lugo, then a teenager, had sexually abused her from the ages of 5 to 7 — allegations that are documented in a police report reviewed by NBC News.

Williams had told her mother about her allegations when she was 11 on the way to a doctor's visit after she got her first period.

"I was afraid the doctor was going to tell her I wasn't a virgin. So I told her that," she said.

Her mother didn't report the allegation to the police and, according to Williams, told her daughter that if she told anybody else it would destroy the family. So Williams, like so many victims of child sexual abuse, kept quiet. (Williams' mother confirmed her daughter's account to NBC News.)

Police were led to Lugo's mobile home by the Child Rescue Coalition's technology, which detected the household IP address downloading dozens of videos and images depicting the abuse and rape of babies and children under age 12. When police searched the home, where Lugo lived with his wife and two young children, they found external hard drives storing child sexual abuse material, according to the police report.

Although too much time had passed to investigate Williams' allegation as a separate crime, her testimony provided aggravating circumstances in Lugo's sentencing to three years in prison following a guilty plea, according to Brooks, chief investigator for the Will County High Technology Crimes Unit, who led the case.

"Some days I feel like crap doing this job, but sometimes I have full-circle moments where it all feels worth it," Brooks said. "This was one of those cases."

While Williams has thrived professionally, she has struggled to forgive her brother. She spends her weekends working as a sexual assault nurse examiner, providing specialist care and forensic exams to rape victims.

"I chose to go into forensics because of what happened to me as a child, to make sure these victims had somebody taking care of them who was really invested in it," she said.

Lugo didn't respond to a request for comment.

'The underbelly of the internet'

The Child Rescue Coalition is based in a low-rise, leafy business park here in Boca Raton. During a tour in February, before the coronavirus pandemic forced the staff to work from home, 10 people sat in the small office with walnut desks and striped beige carpet tiles. A framed collage of police patches hung on one side of the far wall. Next to it: a screen showing clusters of red dots, concentrated over Europe, where it was already late in the day.

Each of the red dots represented an IP address that had, according to the Child Rescue Coalition's software, recently downloaded an image or a video depicting child sexual abuse. The dots tracked activity on peer-to-peer networks, groups of thousands of individual computers that share files with one another.

The networks, connected by software, provide an efficient and simple way to share files for free. They're similar to the networks people use to illegally download movies. They typically come under none of the oversight of social media companies like Facebook and Twitter or file-hosting services like Dropbox and iCloud Drive. There are no central servers, no corporate headquarters, no security staff and no content moderators.

"It's the underbelly of the internet. There's no one to hold responsible and no security team to report it to," said Yoost, the Child Rescue Coalition's CEO.

The lack of corporate oversight creates the illusion of safety for people sharing illegal images.

"People who use these networks think they are anonymous," said Nicewander, the assistant state attorney. "You don't have to pay or give your email address to a website. You just put in your search terms, and off it goes."

The Child Protection System was created more than a decade ago by Yoost's father, Hank Asher. He was an entrepreneur and founder of several companies that developed tools to aggregate data about people and businesses, including a program called Accurint, for use by law enforcement.

Asher had what Yoost describes as a "rough childhood" in Indiana involving physical and verbal abuse by his father, which motivated him to "rid the world of bullies and people who picked on women and children," Yoost said. In the early 1990s, Asher became friends with John Walsh, the co-founder of the National Center for Missing and Exploited Children, and for the next two decades he donated his data products and millions of dollars to the nonprofit.

In 2009, Asher invited a handful of law enforcement investigators to Florida to work alongside a team of software developers at his company, TLO. Together they built the Child Protection System.

When Asher died in 2013, his daughters, Carly and Desiree, sold TLO to TransUnion on the condition that they could spin the Child Protection System into a new nonprofit, the Child Rescue Coalition.

Tracking illegal files

During the tour in February, Carly Yoost demonstrated the system, starting with a dashboard that showed a list of the "worst IPs" in the United States, ranked by the number of illegal files they had downloaded in the last year from nine peer-to-peer networks. No. 1 was an IP address associated with West Jordan, Utah, which had downloaded 6,896 "notable" images and videos.

"Notables" are images and videos that have been reviewed by law enforcement officials and determined to depict children under age 12. The material typically comes from the seized devices of suspects or reports from technology companies. That, police say, rules out some material that either isn't illegal in every jurisdiction or isn't a priority for prosecution.

"It's not a teenage boy sending a picture of his girlfriend," said Glen Pounder, a British law enforcement veteran who is the Child Rescue Coalition's chief operating officer. "Every single one of the files we track is illegal worldwide."

Once the images have been reviewed by authorities, they are turned into a digital fingerprint called a "hash," and the hashes — not the images themselves — are shared with the Child Protection System. The tool has a growing database of more than a million hashed images and videos, which it uses to find computers that have downloaded them. The software is able to track IP addresses — which are shared by people connected to the same Wi-Fi network — as well as individual devices. The system can follow devices even if the owners move or use virtual private networks, or VPNs, to mask the IP addresses, according to the Child Rescue Coalition.

The system also flags some material that is legal to possess but is suspicious when downloaded alongside illegal images. That includes guides to grooming and molesting children, text-based stories about incest and pornographic cartoons that predators show to potential victims to try to normalize sexual assaults.

Clicking on an IP address flagged by the system lets police view a list of the address' most recent downloads. The demonstration revealed files containing references to a child's age and graphic descriptions of sexual acts.
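The hash-list matching and per-address ranking described above, as an added illustration (this is not the Child Rescue Coalition's code and the article shows none): reviewed files are reduced to digests, observed transfers are matched against the digest list, and matching addresses are ranked by distinct matches. Every hash and address in it is constructed (SHA-256 of placeholder labels, documentation IP ranges), and the "suspicious" list stands in for the legal-but-indicative material the article mentions.

```python
"""Hash-list matching and per-IP ranking in the shape the article describes.
All hashes and addresses are constructed for this example; none is real data."""
import hashlib
from dataclasses import dataclass, field


def _digest(label: str) -> str:
    """Placeholder digest: SHA-256 of a label string (constructed, not real)."""
    return hashlib.sha256(label.encode()).hexdigest()


# Constructed hash lists. 'Notable' stands in for the reviewed set; 'suspicious'
# for legal material that is only indicative when seen alongside notables.
NOTABLE_HASHES = {_digest("notable-1"), _digest("notable-2"), _digest("notable-3")}
SUSPICIOUS_HASHES = {_digest("suspicious-1")}

# Constructed observation log: (source IP, region, reported file digest).
# One address repeats a file and one reports a digest in upper case, to
# exercise de-duplication and normalisation.
OBSERVATIONS = [
    ("198.51.100.7", "UT", _digest("notable-1")),
    ("198.51.100.7", "UT", _digest("notable-1")),  # same file fetched again
    ("198.51.100.7", "UT", _digest("notable-2")),
    ("198.51.100.7", "UT", _digest("notable-3")),
    ("203.0.113.9", "FL", _digest("notable-2")),
    ("203.0.113.9", "FL", _digest("suspicious-1")),
    ("192.0.2.44", "FL", _digest("ordinary-file")),        # on no list
    ("192.0.2.44", "FL", _digest("suspicious-1").upper()),  # upper-case hex
]


@dataclass
class IpSummary:
    ip: str
    region: str
    notable: set = field(default_factory=set)
    suspicious: set = field(default_factory=set)


def triage(observations, notable=NOTABLE_HASHES, suspicious=SUSPICIOUS_HASHES):
    """Match each observation against the hash lists and aggregate per IP.

    Digests are compared case-insensitively and each distinct file is counted
    once per IP, so a device re-fetching the same file does not inflate its
    count. Addresses with no matches are not returned at all.
    """
    summaries = {}
    for ip, region, digest in observations:
        d = digest.strip().lower()
        if d in notable:
            summaries.setdefault(ip, IpSummary(ip, region)).notable.add(d)
        elif d in suspicious:
            summaries.setdefault(ip, IpSummary(ip, region)).suspicious.add(d)
    return summaries


def ranked(summaries, region=None):
    """Rank matched IPs by distinct notable files, then suspicious files,
    optionally restricted to one region like the dashboard's state filter.
    Returns (ip, notable_count, suspicious_count) tuples, highest first."""
    rows = [s for s in summaries.values() if region is None or s.region == region]
    rows.sort(key=lambda s: (len(s.notable), len(s.suspicious), s.ip), reverse=True)
    return [(s.ip, len(s.notable), len(s.suspicious)) for s in rows]


if __name__ == "__main__":
    # An address is a lead to corroborate, not an identification: several
    # people or devices may share it, as the article's own sources point out.
    for ip, n, s in ranked(triage(OBSERVATIONS)):
        print(f"{ip:15} notable={n} suspicious={s}")
```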

On top of scanning peer-to-peer networks, the Child Protection System also monitors chatrooms that people use to exchange illegal material and tips to avoid getting caught.

The information exposed by the software isn't enough to make an arrest. It's used to help establish probable cause for a search warrant. Before getting a warrant, police typically subpoena the internet service provider to find out who holds the account and whether anyone at the address has a criminal history, has children or has access to children through work.

With a warrant, officers can seize and analyze devices to see whether they store illegal images. Police typically find far larger collections stored on computers and hard drives than had appeared in the searches tracked by the Child Protection System, Pounder and other forensic experts said.

"What we see in CPS is the absolute minimum the bad guy has done," Pounder said, referring to the Child Protection System. "We can only see the file-sharing and chat networks."

Police also look for evidence of whether their targets may be hurting children. Studies have shown a strong correlation between those downloading such material and those who are abusive. Canadian forensic psychologist Michael Seto, one of the world's leading researchers of pedophilia, found that 50 percent to 60 percent of those who consume child sexual abuse material admit to abusing children.

Yoost said: "Ultimately the goal is identifying who the hands-on abusers are by what they are viewing on the internet. The fact that they are interested in videos of abuse and rape of children under 12 is a huge indicator they are likely to conduct hands-on abuse of children."

Over time, the children depicted in the material circulating online have become younger and younger, law enforcement officials say.

"When I first started, the people depicted in images were teenagers," said Nicewander, the assistant state attorney in Broward County, who has been a prosecutor for more than three decades. "Now the teenage pictures aren't even on the radar anymore," he added. "So many of the kids are under 5 or 6 years old."

Debate over the technology

While law enforcement agencies are enthusiastic about the capabilities of tools like the Child Protection System, some civil liberties experts have questioned their accuracy and raised concerns about a lack of oversight.

In a 2019 open letter to the Justice Department, Human Rights Watch called for more independent testing of the technology and highlighted how some prosecutors had dropped cases rather than reveal details of their use of the Child Protection System.

"My view is that mass surveillance is always a problem," said St. Vincent, the lawyer who wrote the letter. "Because these crimes are so odious, we accept aspects of searches, data collection and potential privacy intrusions we wouldn't accept otherwise."

Forensic expert Josh Moulin, who spent 11 years in law enforcement specializing in cybercrime, agreed.

"If you are taking someone's liberties away in a criminal investigation, there has to be some sort of confidence that these tools are being used properly and their capabilities fall within the Constitution," he said.

The Child Rescue Coalition said it has offered its technology, including the source code, for testing by third parties at the request of federal and state courts.

Sometimes, images flagged by the software turn out not to be on a device once police obtain a search warrant. Critics of the software say that indicates that it could be searching parts of the computer that aren't public, which would be a potential Fourth Amendment violation.

But the Child Rescue Coalition and its defenders say the files could have been deleted or moved to an encrypted drive after they were downloaded. Every Fourth Amendment challenge of the use of the technology has failed in federal court.

Forensic experts say images in the software's dataset could also have been miscategorized or downloaded in error as part of a larger cache of legal adult pornography.

Investigators need to be "extremely careful" to review a person's full collection of images and pattern of behavior to see whether they were looking for illegal material or downloaded it in error, Moulin said.

Bill Wiltse, a former computer forensic examiner who is president of the Child Rescue Coalition, said: "Our system is not open-and-shut evidence of a case. It's for probable cause."

A growing footprint

To expand its impact, the Child Rescue Coalition has started offering its lists of suspicious IP addresses to the commercial sector, charging a subscription fee depending on the size of the company. The organization believes that if social media companies and other online platforms cross-reference the list with their own user data, they can improve their ability to detect child predators.

One of the first test cases has been a babysitting app, the developers of which did not wish to be named for fear of being associated with this type of crime. In the early days of the data matching experiment, the company found that someone had tried to sign up as a babysitter using an IP address that the Child Protection System flagged for entering a chat room with the username "rape babies," according to the Child Rescue Coalition.

Wiltse stressed that the IP connection isn't enough for companies to reject users altogether, particularly if it means denying them employment, as many people could be using the same Wi-Fi network.

"It's just an indicator — something to augment your existing trust and safety procedures and practices," he said.

Jeremy Gottschalk, founder of Marketplace Risk, a consultancy that focuses on risk management for marketplaces for goods and services, said, "If something looks suspicious, you can run that person through additional screening."

Additional screening on a babysitting app could include checking an account for "abnormal" characteristics, such as logging in much more frequently than a typical user, or checking whether it is attached to a profile indicating that the person is willing to travel long distances for a job or is offering a rate that is well below the average.

"If you find a warning sign, you can reach out to law enforcement to give them an opportunity to investigate," he said.

The Child Rescue Coalition believes that could help identify potential predators.

"We need people to be less scared of what would happen if they found this type of material on their platforms," Yoost said, "and more proactive in wanting to protect children."
https://www.nbcnews.com/tech/interne...globe-n1234019





U.S. Hatches Plan to Build a Quantum Internet that Might be Unhackable

The new network would sit alongside the existing Web, offering a more secure way to send and process information
Jeanne Whalen

U.S. officials and scientists unveiled a plan Thursday to pursue what they called one of the most important technological frontiers of the 21st century: building a quantum Internet.

Speaking in Chicago, one of the main hubs of the work, they set goals for forging what they called a second Internet — one that would function alongside the globe’s existing networks, using the laws of quantum mechanics to share information more securely and to connect a new generation of computers and sensors.

Quantum technology seeks to harness the distinct properties of atoms, photons and electrons to build more powerful computers and other tools for processing information. A quantum Internet relies on photons exhibiting a quantum state known as entanglement, which allows them to share information over long distances without having a physical connection.

David Awschalom, a professor at the University of Chicago’s Pritzker School of Molecular Engineering and senior scientist at Argonne National Laboratory, called the Internet project a pillar of the nation’s quantum-research program.

“It’s the birth of a new technology. It’s becoming a global competition. Every major country on earth has launched a quantum program … because it is becoming clearer and clearer there will be big impacts,” he said in an interview.

Seven basic questions about quantum technology, answered

The United States’ top technology rival, China, is investing heavily in quantum technology, a field that could transform information processing and confer big economic and national security advantages to countries that dominate it. Europe is also hotly pursuing the research.

The Energy Department and its 17 national labs will form the backbone of the project.

How exactly the work will be funded wasn’t clear. The Energy Department did not announce a funding figure for the project Thursday. Speaking to reporters, Paul Dabbar, the Energy Department’s undersecretary for science, said the federal government invests about $500 to $700 million a year in quantum information technology, suggesting some of that money would fund the new Internet.

In an interview, Dabbar said there would probably be further funding announcements for the project in the future.

Panagiotis Spentzouris, head of quantum science at the Chicago-area Fermi National Accelerator Laboratory, or Fermilab, said in an interview that more resources, and a clearer project structure, will be needed to carry out the blueprint published Thursday.

The 38-page document lays out research priorities and milestones to aim for, but it doesn’t assign detailed tasks to particular parties.

Initial users of a quantum Internet could include national security agencies, financial institutions and health-care companies seeking to send data more securely, researchers said.

The networks promise to be more secure — some even say unhackable — because of the nature of photons and other quantum bits, known as qubits. Any attempt to observe or disrupt these particles would automatically alter their state and destroy the information being transmitted, scientists say.
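A classical simulation of the property just described, added here as an illustration (it is not from the article or any of the labs it names): the article names no protocol, so the BB84 key-distribution scheme is assumed as the concrete case. Photons are modelled as (bit, basis) pairs; measuring in the wrong basis yields a random bit and leaves the photon in the measurer's basis, which is what makes an intercept-and-resend observer visible to the endpoints as an error rate.

```python
"""Why observing qubits in transit exposes the observer: a BB84 simulation.
The protocol choice is an assumption; the article only states the principle."""
import random


def measure(bit, prep_basis, meas_basis, rng):
    """Measuring in the preparation basis returns the encoded bit; measuring
    in the other basis returns a uniformly random bit (the state is disturbed)."""
    return bit if prep_basis == meas_basis else rng.randint(0, 1)


def run_bb84(n_photons, eavesdrop, seed=0):
    """Run one BB84 exchange and return sifted-key size, errors and QBER.

    With eavesdrop=True an intercept-resend attacker measures every photon in
    a random basis and re-sends its own result, which corrupts about a quarter
    of the sifted key on average."""
    rng = random.Random(seed)
    a_bits = [rng.randint(0, 1) for _ in range(n_photons)]
    a_bases = [rng.randint(0, 1) for _ in range(n_photons)]

    # What actually reaches Bob: Alice's photons, or Eve's re-prepared copies.
    in_flight = list(zip(a_bits, a_bases))
    if eavesdrop:
        resent = []
        for bit, basis in in_flight:
            e_basis = rng.randint(0, 1)
            resent.append((measure(bit, basis, e_basis, rng), e_basis))
        in_flight = resent

    b_bases = [rng.randint(0, 1) for _ in range(n_photons)]
    b_bits = [measure(bit, basis, bb, rng) for (bit, basis), bb in zip(in_flight, b_bases)]

    # Sifting: Alice and Bob publicly compare bases (never bits) and keep the
    # positions where they agree. Without Eve those bits must match exactly.
    sifted = [(a, b) for a, b, ab, bb in zip(a_bits, b_bits, a_bases, b_bases) if ab == bb]
    errors = sum(1 for a, b in sifted if a != b)
    qber = errors / len(sifted) if sifted else 0.0
    return {"sifted": len(sifted), "errors": errors, "qber": qber}


def key_is_usable(result, threshold=0.11):
    """Abort the exchange if the quantum bit error rate exceeds the threshold;
    roughly 11% is the commonly cited limit for BB84 to still yield a key."""
    return result["qber"] <= threshold


if __name__ == "__main__":
    for eve in (False, True):
        r = run_bb84(4000, eavesdrop=eve, seed=42)
        print(f"eavesdropper={eve!s:5} sifted={r['sifted']} "
              f"qber={r['qber']:.3f} usable={key_is_usable(r)}")
```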

A quantum Internet could also be used to connect various quantum computers with one another, helping boost their total computing power. Quantum computers are still at an early stage of development and not yet as powerful as classical computers, but connecting them via an Internet could help accelerate their use for solving complex problems like finding new pharmaceuticals or new high-tech materials, Awschalom said.

Eventually consumers might also tap into the quantum Internet, to buy products with less risk of their credit card details being hacked, or to send and receive sensitive personal information such as health records or social security numbers, Spentzouris said. It is possible consumers will surf seamlessly between the regular and quantum Internets as they make purchases and send information, without necessarily knowing they are switching platforms, he said.

In a sign of the potential economic rewards that quantum technology could bring, Illinois Gov. J.B. Pritzker and Chicago Mayor Lori Lightfoot both spoke at the announcement Thursday, expressing hope that there would be spillover effects for the city’s tech community.

Universities and labs in the region have established the Chicago Quantum Exchange to try to accelerate innovation and economic development.

Pieces of the network are already up and running at various national labs. In the Chicago area, Argonne National Laboratory has built a 52-mile quantum network that soon will connect to nearby Fermilab, to establish an 80-mile test bed.

In New York, Stony Brook University and Brookhaven National Lab have built another 80-mile quantum network.

The plan is to slowly connect these local networks nationwide, using fiber-optic cable, satellites and drones fitted with quantum-communication hardware, Spentzouris said.

A key piece of hardware called a quantum repeater still needs to be developed to amplify a quantum network’s signal over long distances, researchers said.

Awschalom stressed that the country needs to do more to educate a new generation of quantum engineers. “When you ask tech companies what is their number one concern with quantum information technology, the number one concern by far is the workforce,” he said. Companies will ask him, “Where are we going to hire a thousand quantum engineers?”
https://www.washingtonpost.com/techn...ntum-internet/





Why You Should Absolutely Worry about the Anti-Privacy EARN IT Act
Jack Morse

Because the internet is a strange and complicated place, the fate of your digital privacy is, at this very moment, intertwined with that of online message boards and comment sections. And things, we're sorry to report, aren't looking so hot.

At issue is the seemingly unrelated EARN IT Act. Pushed by Republican Sen. Lindsey Graham and a host of bipartisan co-sponsors, and voted on by the Senate Judiciary Committee last Thursday, the measure ostensibly aims to combat online child sexual abuse material. However, according to privacy and security experts who spoke with Mashable, the bill both directly threatens end-to-end encryption and promises to spur new and sustained online censorship by weakening Section 230 — a provision of the Communications Decency Act of 1996 that protects internet providers from being held liable for their users' actions.

The devil, as it so often can be found, is in the details. That's because the newly amended version of the bill essentially gives state lawmakers the ability to regulate the internet, according to Joe Mullin, a policy analyst with the Electronic Frontier Foundation, who broke down the censorship risks posed by the measure should it become law.

"All 50 states will be able to write new Internet rules that online platforms and websites will have to follow," Mullin explained in an email. "The only limit on the new rules is that they will have to relate, in some way, to the fight against child sexual abuse. If websites don't follow the new state-level internet rules, they'll be exposed to private lawsuits and potentially state-level criminal prosecutions."

This concern is echoed by the ACLU which, in a July 1 open letter, warned that "[by] allowing states to set their own standards for platform liability for [child sexual abuse material], the amended version [of the EARN IT Act] allows states to create inappropriate standards by which platform responsibility for user-generated content should be judged."

In case that's not clear enough, earlier this month, in an open letter addressed to Democratic Sen. Dianne Feinstein and Sen. Graham, EFF director of federal affairs, India McKinney, predicted that the EARN IT Act would lead to the "loss of Section 230 immunity" for online platforms. In other words, online companies could be held liable for user-generated content. This could inspire those companies to proactively discontinue offerings — like message boards — that we all take for granted as an indelible part of internet culture.

"Why have a comments section, or a discussion forum, or an email service, or file storage services, if you could get in big trouble for something that a user did — even without your knowledge," asked Mullin. "Online platforms will hedge their risk by removing or not providing these features."

And, even though the possibility of 50 distinct state-level rules exists if the EARN IT Act becomes law, it's not like living in one relatively hands-off state would necessarily exempt you. Why would a company go to the trouble of crafting 50 different policies and releasing 50 different location-specific offerings, after all, when it could simply tailor everything to the requirements of the most restrictive state government?

Which brings us to encryption, or, more specifically, end-to-end encryption.

End-to-end encryption is the gold standard in digital privacy. When implemented properly, it ensures that only a message's sender and intended recipient can read its contents. Basically, it means that third parties like governments, private companies, and hackers aren't reading your messages, bank statements, and doctors' notes.

The EARN IT Act, which technically is an acronym for the "Eliminating Abusive and Rampant Neglect of Interactive Technologies," has a list of co-sponsors that includes many senators long in opposition to the idea of consumer access to end-to-end encryption. In 2016, Sen. Feinstein, one such EARN IT Act co-sponsor, co-authored a bill with Republican Sen. Richard Burr that would have more or less made end-to-end encryption illegal.

The EARN IT Act may not be as explicit as previous efforts to ban end-to-end encryption, but experts insist it is likewise a threat to a technology used by companies such as Apple to protect customers' data from hackers.

When initially introduced in the Senate on March 5 of this year, the EARN IT Act directly threatened the legality of end-to-end encryption — so much so that back in April, Signal, a free and open-source, secure messaging app, published a blog post warning that its ability to operate in the U.S. was at risk should the measure pass.

"The EARN IT act turns Section 230 protection into a hypocritical bargaining chip," warned Signal. "At a high level, what the bill proposes is a system where companies have to earn Section 230 protection by following a set of designed-by-committee 'best practices' that are extraordinarily unlikely to allow end-to-end encryption."

The bill was amended last week to address some of those fears, but the changes weren't enough to convince actual privacy experts. Riana Pfefferkorn, the associate director of surveillance and cybersecurity at Stanford's Center for Internet and Society, made as much clear in a July 6 blog post. She wrote that the amendment by Sen. Patrick Leahy is "not the silver bullet that some are holding it out as in terms of answering critics' concerns about how EARN IT could potentially discourage encryption and harm cybersecurity."

Mullin agrees, and cautions that the bill could result in lawmakers insisting providers scan users' devices, messages, and conversations before they are ever encrypted.

"State lawmakers could easily get around the Leahy amendment by demanding some form of 'client side scanning,'" he said, "which has been the direction of the anti-encryption forces for about a year now."

Patrick Wardle, principal security researcher at Jamf, founder of the free anti-malware service Objective-See, and ex-NSA hacker, echoed Mullin in noting that the EARN IT Act looks to be more of the same from the anti-privacy crowd.

"[This] seems just to be the latest push by the govt. for weakening encryption," he said in a Twitter direct message. "Hopefully it doesn't go anywhere."

Wardle's opposition to the EARN IT Act is notable for many reasons, and not just because he used to work for the NSA. In 2017, Wardle uncovered a malware strain that had infected hundreds of computers in the U.S. and was used to spy on unsuspecting victims through their webcams. In early 2018, an Ohio man was charged with installing the malware on thousands of computers.

That Wardle — who literally helped bring to justice someone accused of an effort to "produce child pornography" — opposes the EARN IT Act should be a huge tip-off that the measure isn't as straightforward as its proponents suggest.

Importantly, the bill hasn't passed yet; it hasn't even been brought to the floor of the Senate for a full vote. Not even the EFF could say when or even if the bill will get a full vote.

That doesn't mean the threat it poses to both your privacy, and the internet as we know it, is any less real should it eventually become law.
https://mashable.com/article/earn-it...n-section-230/





The Record Industry Is Going After Parody Songs Written By an Algorithm

Songs written by 'Weird A.I. Yankovic' are getting flagged for violating copyright. Its creator says they should be protected by Fair Use.
Kevin Truong

Georgia Tech researcher Mark Riedl didn’t expect that his machine learning model “Weird A.I. Yankovic,” which generates new rhyming lyrics for existing songs, would cause any trouble. But it did.

On May 15, Riedl posted an AI-generated lyric video featuring the instrumental to Michael Jackson’s “Beat It.” It was taken down on July 14, Riedl tweeted, after Twitter received a Digital Millennium Copyright Act takedown notice for copyright infringement from the International Federation of the Phonographic Industry, which represents major and independent record companies.

“I am fairly convinced that my videos fall under fair use,” Riedl told Motherboard of his AI creation, which is obviously inspired by Weird Al's parodies. Riedl said his other AI-generated lyric videos posted to Twitter have not been taken down.

Riedl has contested the takedown with Twitter but has not received a response. Twitter also did not respond to Motherboard’s request for comment.

The incident raises the question of what role machine learning plays when it comes to the already nuanced and complicated rules of fair use, which allows for the use of a copyrighted work in certain circumstances, including educational uses and as part of a “transformative” work. Fair use also protects parody in some circumstances.

Riedl, whose research focuses on the study of artificial intelligence and storytelling for entertainment, says the model was created as a personal project and outside his role at Georgia Tech. “Weird A.I. Yankovic generates alternative lyrics that match the rhyme and syllables schemes of existing songs. These alternative lyrics can then be sung to the original tune,” Riedl said. “Rhymes are chosen, and two neural networks, GPT-2 and XLNET, are then used to generate each line, word by word.”

It’s worth noting that, according to the New York Times, Weird Al Yankovic asks for permission from an artist before he parodies a song. It appears that the inclusion of the instrumental to “Beat It” is what triggered the takedown notice by IFPI, but Riedl is still convinced his videos are protected under fair use.

“I would argue that my system is generating parody lyrics and that I do not require permission from the copyright holder to publish parody content,” Riedl said. “I am not a lawyer, however.”

The criteria considered when determining if a work is protected under fair use include the nature of the copyrighted work, the quantity and quality of the copyrighted material used, and the effect on the market of the original work created by the new and unlicensed work. Another important criterion is the purpose and character of the use, including whether the new work is in any way transformative. This is particularly pertinent in a world full of fan-made supercuts of clips set to music, memes, video parodies, and other types of online content that often take copyrighted material and transform it to something different.

Casey Fiesler, a professor of Information Science at the University of Colorado Boulder who works on the legal committee for the Organization for Transformative Works, said Riedl’s video is similar to supercut videos in that there is a visual transformation but the audio isn't transformed, which she said can make for a harder fair use argument. However, Fiesler said in her opinion that Riedl’s video should be considered an example of fair use.

“This new product is both a parody and a sort of karaoke-style video. It's definitely really different than what the original song is, which is kind of what transformativeness is,” Fiesler said.

But Fiesler said arguments can always be made either way, and by the nature of her work she is an advocate for a more expansive application of fair use laws. “Fair use is one of those things where, if you ask someone like me, you'll get a very different answer than if you asked the in-house counsel of an entertainment company,” Fiesler said.

The takedown of Riedl’s video raises another interesting question: whether it matters that a transformative work is created by an algorithm and not a human when considered in the context of fair use protection.

Fiesler said she doesn’t think it does, and pointed to a court case in which Google’s collaboration with major research libraries to digitize entire book collections for Google Books was deemed protected under fair use.

“So in Google Books, for example, the case turned slightly on the fact that Google wasn't just copying the book, it was giving information about the book and providing stats,” Fiesler said. “That was an algorithm doing all that.”

Fiesler said it is important to consider whether an algorithm was used to send the takedown notice, which is often automatically acted upon by platforms to avoid lawsuits. Fiesler has written in the past that relying on algorithms and not human moderators can leave more room for error and result in the removal of non-infringing works—particularly those that are transformative and protected under fair use.

When asked for comment, IFPI would not give Motherboard details on how this specific takedown notice was determined, but a spokesperson did say it was a combination of automated and manual processes.

“Whilst we don’t give explicit details of our specific content protection work, we use a combination of manual and automatic processes. This example would have been manually checked for a fair use claim as part of the protocol,” the IFPI spokesperson wrote in an email.

Ultimately, Weird A.I. Yankovic is a personal project that Riedl created for fun, but the discussion around the takedown of one of his videos speaks to the larger issue of copyright law and AI, and whether the laws will evolve along with the rapidly changing technology.
https://www.vice.com/en_us/article/m...y-an-algorithm





Bangladesh Regulator Orders Telcos to Stop Providing Free Access to Social Media
Manish Singh

Bangladesh’s regulator has ordered telecom operators and other internet providers in the nation to stop providing free access to social media services, becoming the latest market in Asia to take a partial stand against zero-rating deals.

Bangladesh Telecommunication Regulatory Commission, the local regulator, said late last week that it had moved to take this decision because free usage of social media services had spurred their misuse by some people to commit crimes. Local outlet Business Standard first reported about the development. Bangladesh is one of the largest internet markets in Asia with more than 100 million online users.

Technology companies such as Facebook and Twitter have struck partnerships, more popularly known as zero-rating deals, with telecom operators and other internet providers in several markets in the past decade to make their services free to users to accelerate growth. Typically, tech companies bankroll the cost of data consumption of users as part of these deals.

In Bangladesh, such zero-rating deals have been popular for several years, said Ahad Mohammad, chief executive of Bongo, an on-demand streaming service, in an interview with TechCrunch (Extra Crunch membership required).

Grameenphone and Robi Axiata, two of the largest telecom operators in Bangladesh, enable their mobile subscribers to access a handful of services of their partners even when their phones have run out of credit. Both telecom firms have said they are in the process of complying with Dhaka’s order.

It remains unclear whether Free Basics, a program run by Facebook in dozens of markets through which it offers unlimited access to select services at no cost, will continue its presence in Bangladesh after the nation’s order. Facebook relies on telecom networks to offer data access for its Free Basics program.

In Bangladesh, Facebook struck deals with Grameenphone and Robi Axiata, according to its official website, where Facebook continues to identify Bangladesh among dozens of markets where Free Basics is operational.

Several nations in recent years have balked at zero-rating arrangements — though they have often cited different reasons. India banned Free Basics in early 2016 on the grounds that Facebook’s initiative was violating the principles of net neutrality.

Free Basics also ended its program in Myanmar and several other markets in 2017 and 2018. Facebook did not respond to requests for comment.
https://techcrunch.com/2020/07/21/ba...-social-media/





Local Broadcasters Ask Congress to Provide Relief Amid COVID-19

According to the letter, some local broadcasters have lost as much as 90 percent of their ad buys.
Tasos Katopodis

Associations representing local broadcasters in all 50 states, the District of Columbia and Puerto Rico sent a letter to Congress, urging legislators to provide relief for local media so that it can "continue to serve their vital roles in informing Americans and keeping them safe."

Specifically, the letter asks Congress to see that local media has access to the Paycheck Protection Program and receive federal support for advertising.

In a July 15-dated letter to House Speaker Nancy Pelosi, Senate Majority Leader Mitch McConnell, Senate Minority Leader Chuck Schumer and House Minority Leader Kevin McCarthy, the associations asserted that "unlike other businesses, who have the option of temporarily closing their doors, local broadcasters and news publishers have maintained their operations" though some local broadcasters have seen advertising decline more than 50 percent compared with last year "and others have seen as much as 90 percent of their advertising buys cancelled.

"Local broadcasters alone may see revenue losses of more than $14 billion this year," the associations warned. "Some local media outlets have been forced to furlough or eliminate their employees to remain open, and others have had to shutter their businesses permanently. As the pandemic marches on, many more will follow without relief."

The full letter from 50 state broadcasters can be read here.
https://www.hollywoodreporter.com/be...vid-19-1303649





COVID-19 is Hurting Journalists’ Mental Health. News Outlets should Help them Now

Many reporters are struggling to cope with the emotional demands of covering the pandemic
Meera Selva, Anthony Feinstein

A significant number of journalists reporting on COVID-19 show signs of anxiety and depression, according to the early results of a survey into the current state of journalists’ emotional wellbeing.

Even experienced reporters working for large, well-funded media organizations are often struggling to cope with the demands of reporting on the pandemic.

A survey by the Reuters Institute for the Study of Journalism and the University of Toronto asked reporters a range of questions about their work, mental health and concerns in June 2020, during a period where all countries were affected by COVID-19 in some way.

The study is led by the two of us, Dr. Anthony Feinstein, Professor of Psychiatry at the University of Toronto and a neuropsychiatrist, and Meera Selva, Director of the Journalist Fellowship Programme at Reuters Institute for the Study of Journalism, working with a team of researchers. It builds on work Dr. Feinstein has done on how journalists are affected when they report on extreme events, including the 9/11 terror attacks, the Iraq war, organized crime in Mexico, the al-Shabaab attack on the Westgate Mall in Kenya, and, in a previous collaboration with the Reuters Institute, the refugee crisis in Europe.

We have surveyed a sample of 73 journalists from international news organisations, who in June 2020 were asked to answer a set of questions on their working conditions and emotional state. All journalists have worked on stories directly related to the pandemic. The survey had a 63 percent response rate.

The majority of our respondents, around 70 percent, suffer from some levels of psychological distress and responses suggest that 26 percent have clinically significant anxiety compatible with the diagnosis of Generalized Anxiety Disorder which includes symptoms of worry, feeling on edge, insomnia, poor concentration and fatigue.

Around 11 percent of respondents report prominent symptoms of post-traumatic stress disorder, which include recurrent intrusive thoughts and memories of a traumatic COVID-19-related event, a desire to avoid recollections of the event, and feelings of guilt, fear, anger, horror and shame.

These are preliminary results from a work in progress, and the reasons for this distress, and possible solutions, will be discussed in further analysis and subsequent publications. But the top-line findings are so striking that we feel it is important to flag up the pressure many journalists are working under so that news media and others can consider how to respond to the problems we identify.

This is a sample of experienced reporters, working at large, established news media, with an average of 18 years of experience, and virtually all – 99 percent – consider themselves to be in good physical health, but they are still hit hard by the circumstances. The situation could well be even worse in less privileged parts of the journalistic profession.

One striking aspect of reporting on the pandemic is that the story has been so widespread and constant that all reporters have had to learn fast how to cover the health beat.

Only 4 percent of our respondents were specialist health reporters to begin with, but now 74 percent say they are reporting on health-related matters linked to the pandemic. And in many countries journalists say they fear they are unable to do their job properly, in the absence of reliable information. One respondent wrote: “I am more stressed out because I am unable to cover the outbreak in my country as other countries in the west have done. I feel like a hypocrite because I am only allowed to follow what the government tells me to and I am not able to shed light on how the rest of the country is handling this outbreak.”

All the reporters are working here on a story that impacts them directly. While only one of the journalists surveyed tested positive for COVID-19, 45 percent of the sample know a journalist who had taken ill from the disease. Two respondents said they know of a journalist who had died from the virus.

In one response a journalist spoke of how it was hard “navigating the challenge of covering a global story that is both personal but professional, leading a team to do so, having to explain a new subject in an accurate, responsible and fast way.” Another spoke of the stress of “covering for colleagues who could not make it to the office because of coronavirus fears.”

Others spoke of the difficulty of reporting on a story at a moment when trust in the media is falling: “Finding things to document that inform the public are extremely difficult with mistrust of the media at an all-time high. Gatherings can turn hostile on us in an instant and the idea that the media has any agenda other than simply documenting this time in our collective history is pervasive.”

Working patterns have also changed. Sixty percent report working longer hours since the pandemic and 60 percent noted more demand for stories because of the pandemic.

This combined tension of covering a new, complex beat with high and often personal stakes combined with a dramatic change in working patterns may well have contributed directly to the high levels of mental distress and anxiety.

The reporters who responded to the survey are from a section of society whose responsibilities have risen sharply during lockdown personally as well as professionally. The average age is 41 years. Just over half of them – 55 percent – have children and 58 percent of the sample are women.

One respondent spoke of how “the combination of working from home and home schooling, while trying to run a home, is impossible.”

Of course, early research on the impact of COVID-19 on general public health indicates that the wider population is also suffering from higher rates of mental distress than normal.

Direct comparisons can be tricky given demographic mismatch but journalists still appear to be under higher than average strain.

In keeping with previous studies, there is more anxiety, PTSD symptoms and depression in female journalists, as opposed to male journalists.

This short article aims to highlight the pressures journalists are operating under but it also does recognise that the newsrooms studied here do have both the ability and willingness to support their staff.

Our respondents say that their organizations have been moderately supportive. On average, our respondents give their organization a score of 6/10 where 10 was very supportive and 0 was not supportive at all. Similarly, they regard their work during the pandemic as moderately stressful and rate it as 6/10.

An intriguing finding is that there is a negative correlation between covering the COVID-19 pandemic and age. Thus, the older you are, the less likely you were to be given a COVID-19 story. This may well reflect a concern on the part of news organizations that older people are more vulnerable to the effects of the infection and as such, younger journalists were more likely to be given COVID related stories. If this is indeed the case, and it is hard to interpret the data any other way, it does reflect sensitivity on the part of news organizations to the wellbeing of their staff.

Fifty-two percent of respondents have been offered access to some form of counselling since the outbreak of the pandemic and the survey shows that those who have received therapy since the start of the pandemic are less likely to be anxious, distressed or display symptoms of PTSD.

Preliminary analysis suggests that psychological distress correlates significantly with the absence of counselling, so those journalists who did not receive counselling since the start of the pandemic are more distressed.

This study polled journalists who are employed by established media houses, and the authors recognise there are many journalists working as freelancers, or for much smaller, poorly resourced newsrooms which are not in a position to offer any sort of extra support for their staff.

There is a strong case to be made for making sure all journalists can access support of some sort, either through their newsrooms or through external organizations such as the DART Center in New York and its counterparts elsewhere.

We are reporting these top-line findings here to draw attention to the issue, illustrate the pressures that many individual journalists clearly feel they are under (but may not feel like discussing if they are unsure about how widespread these problems are in the profession), and in the hope that journalists and news media will take these problems seriously, something we hope our past, and ongoing, research will help with.

As journalists continue to report on a fast-moving story to a bewildered and mistrustful public, this support is vital. Reporters can only continue to provide accurate information about the crisis if they are able to, and supported to, cope with the demands the pandemic imposes on them.
https://reutersinstitute.politics.ox...-help-them-now





Bonnier Taps New CEO Amid Deal to Sell US Publications
Keith J. Kelly

Bonnier, the 216-year-old Swedish publishing giant that owns Field & Stream, Popular Science and Saveur, has changed the CEO of its American operation as it nears a deal to sell off its US-based titles.

Eric Zinczenko, a 14-year veteran of Bonnier Corp who has spent the past four years as CEO of the US unit, is exiting and will be replaced by chief operating officer David Ritchie.

After years of cutbacks, the company began exploring a potential sale of most of its US media operations in February and officially put the for-sale sign out in May. The US pullback doesn’t include Working Mother or Bonnier’s exhibition wing.

A deal is apparently near for the US media.

“We received a dozen initial bids and after concluding the management meetings with these prospective buyers, we are currently evaluating the merits of five strong final bids,” said a spokeswoman.

She added that “all potential buyers have media/digital backgrounds,” but would not disclose their identities.

For Bonnier, still privately owned by the Bonnier family, the timing could not have been worse as it expanded beyond its European base to establish an American toehold. Its biggest deal came in 2007 when it paid $225 million to buy 18 titles from Time Inc. which included its Time 4 Media Group and the Parenting Group before the Great Recession took hold the following year.

At the time, Bonnier’s US operations were projected to have revenue of $350 million and its parent company had soared to $2.9 billion in annual revenue. Its current US revenue after years of cuts is estimated to be only $30 million.

More recently it has been forced to endure the digital onslaught. In 2018, it laid off 17 percent of its staff. Rushing to keep pace, it folded or converted to digital-only eight motorcycle titles that it had acquired several years earlier, keeping only Cycle World in print.

Last year, Bonnier sold off Scuba Diving and Sports Diver. Many of its remaining titles cut frequency. Field & Stream and Popular Science, once selling over a million copies each monthly, are now only quarterly print and digital.

Saveur, the award-winning foodie title, was supposed to be three times a year but skipped one print issue.
https://nypost.com/2020/07/16/bonnie...hie-amid-sale/





Study: Community Broadband Drives Competition, Lowering Costs
Karl Bode

For all of the talk about being #1, America's broadband networks are routinely mediocre. The U.S. consistently ranks among the middle of the pack in speeds and overall availability, while Americans continue to pay some of the highest prices in the developed world for both fixed and mobile broadband. The reasons aren't mysterious: we've let a bunch of telecom giants monopolize the sector, dictate most US telecom policy in exchange for campaign contributions, and literally write state and federal law with a relentless focus on hamstringing competition.

We then stand around with a dumb look on our collective faces, wondering what went wrong. Rinse, wash, repeat.

While this has been true for 30 years or so, the pandemic has finally started shining a brighter light on the problem. After all, an estimated 42 million Americans can't get access to any broadband whatsoever despite endless billions in subsidies and mammoth industry tax breaks. Millions more can't afford service thanks to monopolization and a lack of competition. A new report by the Open Technology Institute revealed last week once again that Americans pay some of the highest prices for broadband in the developed world:

"We find substantial evidence of an affordability crisis in the United States. Based on our dataset, the most affordable average monthly prices are in Asian and European cities. Just three U.S. cities rank in the top half of cities when sorted by average monthly costs. The most affordable U.S. city—Ammon, Idaho—ranks seventh. The overwhelming majority of the U.S. cities in our dataset rank in the bottom half for average monthly costs."

Why Ammon, Idaho? It's a community owned and operated open access fiber network that encourages, you guessed it, actual competition. Data repeatedly shows such networks offer faster, better, and cheaper service -- in part because they're more accountable to the local community being locals themselves, but also because they can spur incumbent providers to improve service and lower costs. It's something the OTI study noted quite clearly:

And yet, there's an entire telecom-sector backed cottage industry of folks who attempt to malign community broadband and public/private partnerships. Time and time again, such networks are demonized (incorrectly) as inevitable boondoggles and not simply an organic response to market failure. Why? Because such networks challenge the status quo enjoyed by AT&T, Verizon, and Comcast, which all but own a bipartisan laundry list of state and federal lawmakers and a chorus of "experts" happy and willing to try and argue that US broadband is both competitive and hugely innovative.

But the data doesn't budge. US broadband simply isn't competitive, particularly at faster speeds of 100 Mbps or greater:

"'When you factor in price at [100 Mbps] speed,' FCC Commissioner Jessica Rosenworcel has written, 'the United States is not even close to leading the world.' Our findings support this statement. At the 100 Mbps minimum download speed tier, the United States has the most expensive average monthly price, followed by Asia and Europe. Eight of the 10 most expensive cities in this speed tier are in the United States."

That didn't happen by accident. And none of this should be surprising to anyone.

US phone companies have given up on upgrading their aging DSL networks because it's simply not profitable quickly enough for Wall Street's liking. As a result, cable giants like Comcast and Charter Spectrum have secured a monopoly over faster broadband speeds across huge swaths of the nation, driving up costs and ensuring some of the worst customer service in any industry in America. Contrary to industry's claims, wireless is not some panacea for this problem for reasons we've well explored. And while low orbit satellite might help a little, that too isn't going to be a miracle cure.

Study, after study, after study make it clear: US broadband is patchy, expensive, and slower than a long list of countries due to limited competition and state and federal corruption. We know this, the data repeatedly shows it, and yet year after year we simply double down on the same mistakes for what, by now, should be a fairly obvious reason: it's what wealthy US telecom monopolists want.
https://www.techdirt.com/articles/20...ng-costs.shtml





Here's Why Your Samsung Blu-Ray Player Bricked itself: It Downloaded an XML Config File that Broke the Firmware

Network-connected gear stuck in boot loop needs replacing
Thomas Claburn

Analysis Since the middle of last month, thousands of Samsung customers found their older internet-connected Blu-ray players had stopped working.

In the days that followed, complaints about devices caught in an endless startup boot loop began to appear on various internet discussion boards, and videos documenting the device failure appeared on YouTube.

To fix the issue, Samsung eventually advised customers to return their inoperable video players for repairs. There is no software fix.

"We are aware of the boot loop issue that appeared on certain 2015 Samsung Blu-Ray players and are offering free mail-in repairs to customers who have been impacted," a representative of the mega-manufacturer said in a Samsung forum post.

It was speculated by netizens and some media reports that an HTTPS certificate error was to blame. However, it's been suggested to The Register that the cause of the failure was an XML file downloaded by the network-connected devices from Samsung servers during periodic logging policy checks.

This file, when fetched and saved to the device's flash storage and processed by the equipment, crashed the system software and forced a reboot. Upon reboot, the player parsed the XML file again from its flash storage, crashed and rebooted again. And so on, and so on, and so on. Crucially, the XML file would be parsed before a new one could be fetched from the internet, so once the bad configuration file was fetched and stored by these particular Samsung Blu-ray players in the field, they were bricked.

Drilling in

A Register reader who is savvy with low-level hardware, and asked to be identified simply as Gray, provided us a detailed technical analysis of Samsung's blunder.

One thing you have to understand is that these internet-connected Blu-ray players in question are programmed to log their activities and send copies of this information to Samsung. This telemetry is sent to the tech giant's servers when the player's firmware is told to check for a software update. These logs include things like when you opened, say, the Netflix app and when you closed it on the player.

Exactly how much the device should log and transmit back to HQ is defined by Samsung in an XML logging policy file regularly fetched from this URL:

https://configprd.samsungcloudsoluti...ogpolicyconfig

The affected Blu-ray players, we're told, do not transmit their logs until a privacy notice has been accepted by the user. The privacy notice comes into play when the customer connects the device to the internet and tries to use a network service like Netflix. After that notice is accepted, these Blu-ray players no longer bug their users with privacy notices, and simply quietly send the telemetry while the system checks for software updates.

And even if you don't use something like Netflix, or don't accept the privacy notice nor download a software update, but do connect the device to the internet, your player will still routinely fetch the logging policy file. That's why, our source tells us, Samsung Blu-ray players that have never connected to the internet were not affected by the flawed file. Also, it explains why players that never performed a software update nor used a network service, and were simply connected to the internet, were bricked. The firmware routinely automatically fetches, stores, and parses the logging policy file regardless of anything else.

"Players were bricked even though the users never performed a network update. It was enough for the player to be connected to the internet. Samsung never asked the user if it was OK to download the bomb," said Gray, referring to the dodgy XML policy file.

The problem with the XML file, sent out on June 18, 2020, is that it wasn't formatted in a way compatible with the device's code. Though a valid XML file, it contained an empty list element, we're told:

Code:
<?xml version="1.0"?>
<Policy>
    <period val="2020-06-18T17:00:01"/>
    <server type="operating"/>
    <list/>
</Policy>
"Unfortunately for Samsung, the code which handles the processing of the log policy XML file has not been tested for such an empty <list/> element and causes a crash," Gray explained. The device code appears not to have been designed to handle that possibility because the empty list produces an invalid memory reference in the device's main program, called bdpprog, which causes the kernel to terminate it.

Crashing the main program results in a reboot, but since the logging policy XML file is always processed early on after startup, the crash simply reoccurs before a fixed version of the file can be fetched. Gray suggested this XML file was sent to the Blu-ray players without proper verification.

"After the crash, the main program, bdpprog, is terminated by the kernel," said Gray. "Since bdpprog is the main program, its termination results in a reboot by init. Even less fortunately for Samsung, the code for parsing the logging policy XML file is hard-coded to run at every boot. The result is that the player is stuck in a permanent boot loop as has recently been experienced by thousands of users worldwide."

Gray continued:

Because of the monumentally stupid idea of parsing a downloaded XML file unconditionally at every boot, there seems to be no way to recover the devices from the boot loop using normal means – such as a USB stick, CD or network – because the crash happens too early in the boot sequence.

The only ways to revive the player are: erase the invalid policy file from the flash partition, or update the firmware of the player with a version in which the XML parse bug has been corrected. At the time of writing this, no such updated firmware exists.

Unfortunately, both of these fixes require low-level access to the serial debug port of the player, soldering wires to the motherboard, proprietary hardware and software tools as well as deep knowledge of the player’s architecture. This is not something that an average user can do. Hence, the best solution that Samsung can and is offering its customers is a prepaid label for sending the player to an authorized repair center.

Samsung, we're told, replaced the file on its servers on June 27, 2020, thereby preventing the problem from affecting Blu-ray players that hadn't already ingested it. But a server-side fix does nothing for devices already locked in an endless reboot loop. Hence the mail-in repair program.
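
To make the failure mode concrete, here is an added example in portable C. It is not Samsung's code and not a reconstruction of bdpprog: the policy file format is the one quoted above, but the parser, the simulated flash partition, the "parse in progress" marker and the built-in default policy are assumptions chosen to illustrate the two things that went wrong (a parser never exercised with an empty <list/>, and a boot path that commits a downloaded file before validating it and then parses it unconditionally on every boot) next to a hardened version of each.

```c
/* Added example, not Samsung's code. Reconstructs in portable C the failure mode described
 * above: a logging-policy file whose <list/> element is empty, a parser never exercised
 * with that case, and a boot path that stores the file before checking it and parses it on
 * every boot. The file format is the one quoted in the article; the parser, the simulated
 * flash layout and the "parse in progress" recovery marker are assumptions, not bdpprog
 * internals. */
#include <stdio.h>
#include <string.h>

#define MAX_ITEMS 8
#define FLASH_POLICY_SIZE 512

struct policy { char period[32]; int n_items; char items[MAX_ITEMS][32]; };

/* Copy the value of attribute `attr` of the tag starting at `tag` into `out`; -1 if absent. */
static int attr_value(const char *tag, const char *attr, char *out, size_t outsz) {
    char key[48];
    snprintf(key, sizeof key, " %s=\"", attr);
    const char *tag_end = strchr(tag, '>'), *v = strstr(tag, key);
    if (!v || !tag_end || v > tag_end) return -1;
    v += strlen(key);
    const char *q = strchr(v, '"');
    if (!q || (size_t)(q - v) >= outsz) return -1;
    memcpy(out, v, (size_t)(q - v));
    out[q - v] = '\0';
    return 0;
}

/* VULNERABLE pattern (hypothetical, for contrast): assumes the list is never empty. It only
 * knows the <list>...</list> spelling, so <list/> leaves body == NULL and the next strstr()
 * reads through a null pointer; the process dies, init reboots it, and the cycle repeats.
 * Never call this with the file quoted in the article. */
int parse_policy_unsafe(const char *xml, struct policy *out) {
    const char *body = strstr(xml, "<list>");
    out->n_items = 0;
    for (const char *it = strstr(body + 6, "<item"); it && out->n_items < MAX_ITEMS; it = strstr(it + 1, "<item"))
        attr_value(it, "name", out->items[out->n_items++], 32);
    return 0;
}

/* Hardened parser: 0 on success, -1 if this is not a policy we understand. An empty list
 * (<list/> or <list></list>) is valid and means "log nothing". */
int parse_policy(const char *xml, struct policy *out) {
    memset(out, 0, sizeof *out);
    if (!xml || !strstr(xml, "<Policy>") || !strstr(xml, "</Policy>")) return -1;
    const char *period = strstr(xml, "<period");
    if (!period || attr_value(period, "val", out->period, sizeof out->period)) return -1;
    const char *list = strstr(xml, "<list"), *gt = list ? strchr(list, '>') : NULL;
    if (!gt) return -1;
    if (gt[-1] == '/') return 0;                               /* <list/>: zero items, done */
    const char *end = strstr(gt, "</list>");
    if (!end) return -1;
    for (const char *it = strstr(gt, "<item"); it && it < end; it = strstr(it + 1, "<item")) {
        if (out->n_items >= MAX_ITEMS || attr_value(it, "name", out->items[out->n_items], 32)) return -1;
        out->n_items++;
    }
    return 0;
}

/* Simulated flash partition: the cached file plus a marker that survives reboots. */
struct flash { char policy[FLASH_POLICY_SIZE]; int parse_in_progress; };

static const char DEFAULT_POLICY[] =
    "<?xml version=\"1.0\"?><Policy><period val=\"none\"/><server type=\"operating\"/><list/></Policy>";

/* A freshly fetched file is parsed in RAM first; only a file that parses reaches flash.
 * Returns 0 if committed, -1 if rejected (the previous file stays in place). */
int commit_fetched_policy(struct flash *fl, const char *fetched) {
    struct policy tmp;
    if (strlen(fetched) >= FLASH_POLICY_SIZE || parse_policy(fetched, &tmp) != 0) return -1;
    strcpy(fl->policy, fetched);
    return 0;
}

/* Boot-time load. Returns 0 if the cached file was used, 1 if built-in defaults were used
 * because the cache was empty, unparseable, or suspected of crashing the previous boot. */
int boot_load_policy(struct flash *fl, struct policy *out) {
    if (fl->parse_in_progress) fl->policy[0] = '\0';   /* marker survived a reboot: we died in here last time, drop the file */
    fl->parse_in_progress = 1;
    int rc = fl->policy[0] ? parse_policy(fl->policy, out) : -1;
    fl->parse_in_progress = 0;                          /* cleared only if parsing returned */
    if (rc == 0) return 0;
    parse_policy(DEFAULT_POLICY, out);
    return 1;
}

int main(void) {
    /* Constructed input: the article's 2020-06-18 file, reflowed onto one line. */
    const char *file = "<?xml version=\"1.0\"?><Policy><period val=\"2020-06-18T17:00:01\"/>"
                       "<server type=\"operating\"/><list/></Policy>";
    struct flash fl = {{0}, 0};
    struct policy p;
    printf("commit=%d\n", commit_fetched_policy(&fl, file));    /* 0: the file is valid */
    int rc = boot_load_policy(&fl, &p);
    printf("boot=%d items=%d\n", rc, p.n_items);                 /* 0 and 0: empty list honoured */
    fl.parse_in_progress = 1;                                    /* pretend the last boot died mid-parse */
    printf("boot after crash=%d\n", boot_load_policy(&fl, &p)); /* 1: defaults used, file discarded */
    return 0;
}
```

The marker is the part worth copying: a config that is parsed before the network is up needs a way to be disowned without the network, and a flag that is set before parsing and cleared after it, stored where it survives a reboot, gives the next boot enough information to discard the file and come up on defaults. Validating in RAM before committing to flash would have stopped the file from being stored at all, but only on a device whose parser already survived it, which is exactly the assumption that failed here.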

The Register asked Samsung whether it could confirm Gray's claims and provide more specific details about the number of devices ultimately affected by the snafu. A spokesperson acknowledged the request, and promised a reply if the manufacturer has anything to share. We've not yet received any response beyond that.

Bootnote

If you try to fetch the policy file from Samsung's services, you'll probably run into a certificate error. But that's because it's using a Samsung-issued HTTPS certificate your browser or operating system doesn't trust. However, the Blu-ray players do trust the certs, which expire in 2069. "This problem has nothing to do with expiring SSL certificates as has been speculated," noted Gray.
https://www.theregister.com/2020/07/...off_explained/





BadPower Attack Corrupts Fast Chargers to Melt or Set Your Device on Fire

Attackers can alter the firmware of fast charger devices to deliver extra voltage and damage connected equipment.
Catalin Cimpanu


Chinese security researchers said they can alter the firmware of fast chargers to damage connected (charging) systems: melting components, or even setting devices on fire.

The technique, named BadPower, was detailed last week in a report published by Xuanwu Lab, a research unit of Chinese tech giant Tencent.

According to researchers, BadPower works by corrupting the firmware of fast chargers -- a new type of charger that was developed in the past few years to speed up charging times.

A fast charger looks like any typical charger but works using special firmware. This firmware "talks" to a connected device and negotiates a charging speed, based on the device's capabilities.

If a fast-charging feature is not supported, the fast charger delivers the standard 5V, but if the device can handle bigger inputs, the fast charger can deliver up to 12V, 20V, or even more, for faster charging speeds.

The BadPower technique works by altering the default charging parameters to deliver more voltage than the receiving device can handle, which degrades and damages the receiver's components, as they heat up, bend, melt, or even burn.

BadPower attack is silent and fast

A BadPower attack is silent, as there are no prompts or interactions the attacker needs to go through, but also fast, as the threat actor only needs to connect their attack rig to the fast charger, wait a few seconds, and leave, having modified the firmware.

Furthermore, on some fast charger models, the attacker doesn't need special equipment, and researchers say the attack code can also be loaded on regular smartphones and laptops.

When the user connects their infected smartphone or laptop to the fast charger, the malicious code modifies the charger's firmware, and going forward the fast charger will execute a power overload for any subsequently connected devices.

The damage caused by a BadPower attack usually varies depending on the fast charger model and its charging capabilities, but also on the charged device and its protections.

Researchers tested 35 fast chargers, found 18 vulnerable

The Tencent team said they verified their BadPower attack in practice. Researchers said they selected 35 fast chargers from 234 models available on the market and found that 18 models from 8 vendors were vulnerable.

The good news is that "most BadPower problems can be fixed by updating the device firmware."

The bad news is that the research team also analyzed 34 fast-charging chips, around which the fast charger models had been built. Researchers said that 18 chip vendors did not ship chips with a firmware update option, meaning there was no way to update the firmware on some fast charger chips.

Tencent researchers said they notified all affected vendors about their findings, but also the Chinese National Vulnerabilities Database (CNVD), in an attempt to accelerate the development and promotion of relevant security standards to protect against BadPower attacks.

Suggestions to fix the BadPower problem include hardening firmware to prevent unauthorized modifications, but also deploying overload protection to charged devices.
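
The following is an added example in C, not Tencent's code and not any real charger's firmware. It models the exchange the article describes (charger advertises levels, device picks one, charger drives it, device measures what arrives) and the two fixes the report lists: a firmware lock that refuses unsigned writes, and over-voltage protection on the charged device that opens its input when the delivered level exceeds what it negotiated. The voltage levels, the 500 mV margin, the "rewritten firmware drives its default" model of a corrupted charger, and the message sequence are all assumptions for illustration; USB PD and the proprietary fast-charge protocols differ in their details.

```c
/* Added example, not Tencent's code or any real charger firmware. Models in plain C the
 * negotiation the article describes and the two fixes it lists: a charger whose firmware
 * image (profile table and default output) can be rewritten over the data lines unless
 * writes are authenticated, and a sink that trips an over-voltage guard when the delivered
 * level exceeds what it negotiated. Voltage levels, the 500 mV margin and the message
 * sequence are assumptions; USB PD and the proprietary fast-charge protocols differ. */
#include <stdio.h>
#include <string.h>

#define MAX_PROFILES 4

struct charger {
    int profiles_mv[MAX_PROFILES];  /* levels the firmware advertises */
    int n_profiles;
    int default_mv;                 /* level driven when no advertised profile was selected */
    int writes_need_signature;      /* fix 1: firmware writes must carry a valid signature */
    int output_mv;
};

struct sink {
    int max_mv;          /* highest level the device's input stage tolerates */
    int negotiated_mv;
    int ovp_margin_mv;   /* fix 2: over-voltage protection window; 0 = no protection */
    int tripped;         /* 1 once the sink has opened its input path */
};

/* Step 1. charger -> sink: advertised profiles; sink -> charger: the highest it can take,
 * falling back to 5 V when nothing advertised fits. Returns the requested level. */
int sink_request(const struct charger *c, struct sink *s) {
    int best = 5000;
    for (int i = 0; i < c->n_profiles; i++)
        if (c->profiles_mv[i] <= s->max_mv && c->profiles_mv[i] > best) best = c->profiles_mv[i];
    s->negotiated_mv = best;
    return best;
}

/* Step 2. charger drives its output. Honest firmware drives the requested level; rewritten
 * firmware, whose table no longer contains it, drives the attacker-chosen default. */
int charger_drive(struct charger *c, int requested_mv) {
    int known = 0;
    for (int i = 0; i < c->n_profiles; i++) known |= (c->profiles_mv[i] == requested_mv);
    c->output_mv = known ? requested_mv : c->default_mv;
    return c->output_mv;
}

/* The BadPower step: the device on the cable asks the charger to rewrite its firmware image
 * (here: profile table and default). With the lock on, an unsigned write is refused and
 * nothing changes. Returns 0 if written, -1 if refused. */
int charger_write_firmware(struct charger *c, const int *profiles, int n, int default_mv, int signature_valid) {
    if ((c->writes_need_signature && !signature_valid) || n < 0 || n > MAX_PROFILES) return -1;
    if (n > 0) memcpy(c->profiles_mv, profiles, (size_t)n * sizeof *profiles);
    c->n_profiles = n;
    c->default_mv = default_mv;
    return 0;
}

/* Step 3. sink measures what actually arrives. Returns the accepted level, -1 if the
 * over-voltage guard opened the input path (no damage), or -2 if an unprotected input
 * stage is overdriven: the heating, melting and burning the article describes. */
int sink_monitor(struct sink *s, int measured_mv) {
    if (s->tripped) return -1;
    if (s->ovp_margin_mv > 0 && measured_mv > s->negotiated_mv + s->ovp_margin_mv) {
        s->tripped = 1;
        return -1;
    }
    return measured_mv <= s->max_mv ? measured_mv : -2;
}

/* One complete exchange: negotiate, drive, measure. */
int charge_cycle(struct charger *c, struct sink *s) {
    return sink_monitor(s, charger_drive(c, sink_request(c, s)));
}

int main(void) {
    struct charger c = {{5000, 9000, 12000, 20000}, 4, 5000, 0, 0};   /* unlocked, as shipped */
    struct sink phone = {9000, 0, 500, 0};                              /* 9 V max, OVP on */
    printf("normal: %d mV\n", charge_cycle(&c, &phone));                /* 9000 */
    charger_write_firmware(&c, NULL, 0, 20000, 0);                      /* attack rig: no profiles, 20 V default */
    struct sink phone2 = {9000, 0, 500, 0}, phone3 = {9000, 0, 0, 0};
    int r2 = charge_cycle(&c, &phone2);
    printf("attacked, OVP: %d tripped=%d\n", r2, phone2.tripped);       /* -1 tripped=1 */
    printf("attacked, no OVP: %d\n", charge_cycle(&c, &phone3));        /* -2: overdriven */
    struct charger locked = {{5000, 9000, 12000, 20000}, 4, 5000, 1, 0};
    printf("locked write: %d\n", charger_write_firmware(&locked, NULL, 0, 20000, 0)); /* -1: refused */
    return 0;
}
```

The two fixes address different parties: the firmware lock belongs to the charger vendor and, per the report, is impossible on chips that ship with no update path at all, while the over-voltage guard belongs to the device being charged and is the only one that protects it against a charger it does not control.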

A demo video of a BadPower attack is available at the bottom of the Tencent report. The video could not be embedded here.
https://www.zdnet.com/article/badpow...evice-on-fire/

















Until next week,

- js.



















Current Week In Review





Recent WiRs -

July 18th, July 11th, July 4th, June 27th

Jack Spratts' Week In Review is published every Friday. Submit letters, articles, press releases, comments, questions etc. in plain text English to jackspratts (at) lycos (dot) com. Submission deadlines are Thursdays @ 1400 UTC. Please include contact info. The right to publish all remarks is reserved.


"The First Amendment rests on the assumption that the widest possible dissemination of information from diverse and antagonistic sources is essential to the welfare of the public."
- Hugo Black
__________________
Thanks For Sharing
Powered by vBulletin® Version 3.6.4
Copyright ©2000 - 2024, Jelsoft Enterprises Ltd.
© www.p2p-zone.com - Napsterites - 2000 - 2024 (Contact grm1@iinet.net.au for all admin enquiries)