Overseas snooping: French “Patriot Act” gaining support


Critics have compared it to the much-hated “Patriot Act” in the United States, but despite public backlash, France’s “Projet de Loi Relatif au Renseignement” is gaining steam in parliament as a way to crack down on terrorists and other criminals. The theory? By giving spy agencies more leeway in tracking suspected evildoers, regular citizens reap the benefit of a safer nation. Citizens aren’t buying it, however, and a petition to turf the proposed legislation has already passed 100,000 signatures. Still, that’s no guarantee of success. What happens if the new French proposal becomes law?

Ideal Climate?

The timing seems impeccable: in the wake of the Charlie Hebdo and Hyper Cacher attacks, this kind of bill is bound to attract attention. What’s more, Prime Minister Manuel Valls currently enjoys significant popularity among French citizens, making it easier to champion this legislation without prompting outrage. What’s interesting, however, is that the bill was actually tabled before the recent terrorist attacks occurred. It’s only now, with many French nationals and immigrants feeling the pressure of worldwide political unrest, that Valls’ legislation has started to gain momentum.

Critics liken it to post-9/11 America, where fears over international ire prompted the creation of wide-ranging powers for the NSA and other spy agencies. After the recent Snowden revelations, however, other countries aren’t so quick to grant law enforcement agencies power over the Internet at large, especially when private citizens are lumped into the mix with “terrorists”.

Minimal Oversight

According to Human Rights Watch (HRW), an international non-governmental organization, there are a number of worrisome provisions in the proposed legislation. First is the lack of any judicial oversight: suspected criminals could be monitored and tapped without a warrant and without permission from a judge. What’s more, Internet service providers (ISPs) would be on the hook to monitor all user accounts for suspicious network usage and traffic patterns, then store this data and report it to national security agencies. In addition, ISPs would be obligated to keep both the means of tracking and their findings secret from the general population, blurring the line between their status as private companies and what HRW calls “surrogate national security analysts.”

The bill does lay out a general right to privacy but also details seven “public interests” which justify the violation of this privacy, including “economic and scientific priorities,” “foreign policy” and “the execution of international engagements.” For his part, Prime Minister Valls says that his new bill won’t go after large amounts of private data and argues that “the critics or the posturing that refer to a French Patriot Act or the stench of a police state are outright lies and irresponsible in the context of threat we face.” In other words, security trumps liberty for Prime Minister Valls — French citizens should be willing to give up some of the latter to improve the former.

Private Impact

Along with citizens, private companies are also speaking out against the new bill. Internet service provider OVH, Europe’s number-one hosting company, says that if the new law passes, they’ll be moving servers out of France to avoid the monitoring and reporting obligations attached to Valls’ legislation. With hosting services seeing unprecedented growth thanks to cloud adoption and the ubiquity of broadband connections, this is revenue France can ill-afford to lose.

Bottom line? While the Prime Minister’s new law might make sense when narrowly viewed, the wider picture reveals a problem: both private citizens and private companies are against the idea.

Limited View

Fortunately, French citizens and international users surfing websites hosted in France aren’t entirely powerless. Even if the government chooses to pass this Patriot Act-style legislation, they can’t track what they can’t see — meaning the country should prepare for a jump in the use of virtual private networks (VPNs) as citizens take their right to privacy into their own hands.

The same thing is happening in the United States, the UK, Australia and other countries across the world as this kind of right-minded but ultimately misguided legislation makes it past the discussion stage. While citizens are happy to help government agencies catch terrorists and protect national borders, threatening the edges of the public’s right to privacy virtually guarantees a backlash.


Featured image: Jon Luty / Public Domain Pictures.net


A rebellious breed of POS Malware has been discovered: Punkey Malware


Researchers from security firm Trustwave have identified a new breed of point-of-sale (POS) malware as part of an investigation led by the US Secret Service.

Overall, the Trustwave team discovered the IP addresses of more than 75 infected cash registers, as well as a pile of stolen payment card data.

It’s unclear at this time just how many victims have fallen prey to the new strain of malware that has been dubbed Punkey.

Discovered during analysis of multiple command and control servers, Punkey has similarities with another family of POS malware known as NewPosThings – recently discovered by researchers at Arbor Networks and Trend Micro – yet enough differences to be classified as a new strain.

Since the initial investigation, Trustwave has observed three different versions of Punkey, suggesting that it is either being tailored for use against specific retail targets, or being controlled by multiple hacking groups.

Punkey hides itself within the explorer.exe process on Windows POS systems until activated, at which point it then scans the register’s memory for card holder data.

When payment card data has been discovered, it is forwarded to a command and control server from which the attackers can retrieve it.

Once in place, Punkey can also potentially gift access to other parts of a company’s systems via its use of a keylogger (DLLx64.dll).

The malware allows keystrokes to be captured and sent back to command and control servers, 200 keystrokes at a time. If usernames and passwords for other areas of the company’s network are thus obtained, gaining access to more than the POS system could be a breeze for attackers.

Trustwave believes Punkey, which comes in both 32-bit and 64-bit flavours, finds its way onto systems via the usual tried and tested means – poor password security applied to remote access software used to access POS systems, or via human error, e.g. cashiers using tills for other purposes, such as opening malicious emails or surfing across dangerous websites.

Writing for Trustwave’s SpiderLabs blog, Eric Merritt explained how Punkey can search for and then pilfer personal details, as well as the “rare” ability to update itself and adapt remotely:

“This gives Punkey the ability to run additional tools on the system such as executing reconnaissance tools or performing privilege escalation. This is a rare feature for PoS malware.”

Fortunately for retailers, Trustwave has developed a tool which can decrypt Punkey traffic. Located on software repository Github, the tool could help concerned businesses determine whether they have Punkey traffic running over their networks.

Retailers do of course need to be increasingly aware of the threat posed by POS RAM scraping attacks.

Beyond the now very well-known case of Target, which was breached via its cash registers, the issue continues to present headaches to the industry.

Just last week, Verizon’s annual Data Breach Investigations Report highlighted how infiltration of POS systems represented a significant threat, featuring in the top three causes for confirmed data breaches during 2014.

With three strains of Punkey in existence already, plus NewPosThings and the also recently discovered Poseidon strain of POS malware, it seems 2015 may prove to be a worse year for retailers than the preceding one.


Featured image: scottdavis2 / Dollar Photo Club


WikiLeaks creates searchable archive of hacked Sony emails and documents


Thousands of documents and emails snaffled during an attack against Sony Pictures last year have been published on WikiLeaks, according to the BBC.

The treasure trove of data – 30,287 documents and 173,132 emails – has been made available online before, but the manner in which it was uploaded and presented made searching it a laborious task.

Now, however, WikiLeaks has presented all the data, along with 2,200 Sony Pictures email addresses, in a “fully searchable” format via a “Google-style search engine”.

While the administrators behind WikiLeaks have not taken the time to unearth anything of great interest from among the mass of data at their disposal, others have.

Independent security researcher Graham Cluley, for instance, has discovered that Sony Pictures, and its staff, were rather lax when it came to password security.

While we’re certain that ExpressVNP customers are clued up about such things, Sony employees have demonstrated an alarming disregard for server security by using passwords such as the timeless classic of… “password,” as well as other old favorites including days of the week and setting a password that was identical to the username.

In a further demonstration of Sony incompetence, Cluley also republished one document he found on WikiLeaks which clearly shows a large list of logins and associated passwords.

As you may imagine, Sony is not best pleased that its private data has once again found its way onto the internet, especially in a format that is so easy to search.

The company issued a statement saying it “strongly condemns” the move by WikiLeaks and that the information should not exist in the public domain.

Julian Assange, the founder and editor-in-chief of WikiLeaks, disagrees. Speaking from the Ecuadorian Embassy in London where he has been holed up since 19 June 2012, he said the files offer a rare glimpse into the inner workings of what he described as a “large, secretive multinational corporation”.

Assange continued, saying that the Sony Archives were “newsworthy and at the center of a geo-political conflict”. He asserted that the information belonged in the public domain and that WikiLeaks would endeavor to ensure that it stayed there.

As for the geo-political conflict referenced by WikiLeaks, we can only assume that was a reference to North Korea, the country assumed by many to be ultimately behind the attack.

In case you don’t remember, Sony Pictures was hacked in November, just prior to the release of “The Interview,” a comedy film about two reporters recruited to kill North Korea’s leader, Kim Jong-un.

While a link with the nation was never proven, and much debate remains over who exactly was involved, we do know that North Korean officials called the hack a “righteous deed”.

We also know that a hacking group named Guardians of Peace claimed responsibility for the attack and later threatened 9/11 style attacks against any cinema that dared to screen “The Interview,” a move that prompted Sony to cancel the movie’s theatrical release.

Having expressed concerns over employee and cinema-goers’ safety, the company later changed its mind following public pressure and the film enjoyed a limited release before quickly appearing on iTunes, Blu-Ray and DVD.

Responding to WikiLeaks’ publication of a searchable archive, Sony said it had concerns over the “safety, security and privacy” of its company and 6,000-plus employees, while Chris Dodd, chairman of the MPAA, said the not-for-profit media organization was not performing a public service but was instead “further violating the privacy of every person involved”.


Pirate in your pocket: The future of stolen media?


Cable costs are on the rise, and the price of a night at the movies — once you factor in gas, popcorn, drinks and tickets — is often more than an upscale dinner out. It’s no wonder, then, that more and more Americans are turning to streaming TV and movie services to get what they want, when they want. And while Motley Fool notes that above-board over-the-top streaming services are on the rise, media piracy is also skyrocketing. Now, popular network HBO has set its sights on what some are calling the “future of online piracy”: Your smartphone.

Yours or Theirs?

Here’s how it works. Live-streaming apps like Meerkat and the Twitter-owned Periscope let users record whatever they want using the video camera on their smartphone or tablet. Right now, Periscope is only available to iDevice users, while Meerkat has made the jump to Android. Anyone who downloads one of these live-streaming apps can watch whatever other users are broadcasting — this could be anything from an endless loop of cat videos to bootlegged movies or first-run television shows. The big difference? Periscope keeps livestreams for 24 hours after they are broadcast so more users can watch.

This stream-saving, however, has HBO all twisted. Why? Because during the April 12th Game of Thrones episode, hundreds of users watched the show on Periscope — and hundreds of streams were saved. According to the Washington Post, HBO sent a series of takedown notices to Periscope, demanding they remove the offending content. The network described Periscoping as “mass copyright infringement,” even though the number of users watching live streams didn’t come close to the total of those committing the more familiar version of online media piracy — downloading entire shows and movies from torrent-based websites. So why do these live streaming services have traditional media providers running scared?

Previous Piracy

Their first fear centers on content. Under the Digital Millennium Copyright Act, platforms like Periscope and Meerkat aren’t responsible for anything posted or streamed by users. They are, however, compelled to remove this content on demand from rights-holders. But what happens when you take content out of the equation, when streams are saved temporarily or not at all?

This leads into their second fear: Accessibility. While the number of users watching Periscope channels is a fraction of those downloading full movie files, the “average” user won’t find themselves on a torrent site, and will happily pay for cable if it means they get to watch their favorite shows every week. The smartphone in their pocket, however, offers an alternative: Check out someone’s live stream of a movie you really wanted to see or an episode you’ve missed. Why not watch a live stream during your commute or when you’re on vacation instead of recording the show for later viewing? Simply put, on-demand content is bad news for traditional providers.

Cracking Down

So what are they going to do about it? HBO started the party with its takedown notices, but it won’t stop there. As content disappears from sites and apps, producers will find a new target: Users. This is already happening in places like Australia, where Dallas Buyers Club (DBC) fought for and was granted permission to obtain the IP addresses and personal data of users who hosted its film for downloading on torrent sites, in order to send out warning letters.

The response? You’ve got a few choices. There are apps like Popcorn Time, an open-source BitTorrent client described as the “Netflix of Pirating.” For many users, however, the aim isn’t to pirate but to occasionally watch live streams they find interesting — and if these happen to be first-run shows or new movies, so be it. Here, a standalone VPN service gets more traction; as media producers zero in on smartphones and tablets as the future of piracy, it pays to look like a merchantman rather than raise the Jolly Roger.


Featured image: Linnaea Mallette / Public Domain Pictures.net


Renew or repeal? Spy law battle heats up on Capitol Hill


On June 1st, one controversial section of the Patriot Act — Section 215 — expires. Both the NSA and the FBI are fighting hard to have this legislation and its accompanying powers extended, while privacy advocates say it’s time to rein in both spy agencies. Even as the battle heats up, governments in other countries are pushing through their own versions of this surveillance law; what does it all mean for the average user?

Section 215, Simplified

This section of the Patriot Act drew attention after whistleblower Edward Snowden claimed it was being used to collect the phone records of citizens across the country. The Guardian first broke this story in 2013 — the NSA claimed that Section 215, which allows US law enforcement and surveillance agencies to collect business records, allowed them to conduct bulk collection, storage and examination of phone records.

As the expiry date on this portion of the Patriot Act looms, privacy defenders say it’s time to limit these powers and bring spy agencies back under control. But FBI and NSA advocates have been busy holding secret briefings on Capitol Hill, claiming that without the powers linked to Section 215 they’ll lose valuable leads on terrorism and espionage cases because they won’t be able to collect information such as credit card data or hotel records without a warrant. According to RT, lawmakers who attended these briefings say their questions about legality have been met with assurances of efficacy. As Rep. Thomas Massie puts it, “We said ‘How can this possibly be legal?’ and they would say ‘this program works great, here’s how it’s helping us catch terrorists.’”

Despite sidestepping fundamental privacy rights in their quest for better information, however, spy agencies have been largely immune to the winds of change on this issue. In 2014, for example, the government tried to impose reforms on the Patriot Act via the USA Freedom Act, but this bill failed to pass the Senate — and even if June 1st marks the end of Section 215, other powers such as the “roving wiretap” under Section 206 will remain unaffected.

Help and Hinder

To boost their chances of getting the information they need even if some powers are repealed, spy agencies are courting American companies. As noted by The Intercept, there’s now a chance that big businesses may benefit by helping out the government and providing confidential consumer information.

It works like this: Under the new Cybersecurity Information Sharing Act (CISA), if companies are willing to share information with the government, some of the responsibility for taking reasonable precautions against malicious cyberattacks shifts to federal agencies. Better still? By sharing requested data with spy organizations, companies are granted broad immunity to consumer privacy lawsuits — even if these companies previously promised to safeguard this personal information. In effect, the NSA, FBI, CIA and other spy agencies are trying a new tactic: Instead of compelling businesses to give up their secrets, they’re offering coverage for any failures, present or future. It’s a tempting offer.

Beyond Borders

While the United States is an easy target for surveillance worries thanks to the NSA’s blatant abuse of public trust, the country is hardly alone when it comes to spy legislation. In Turkey, for example, parliament recently granted police the ability to conduct online surveillance of suspected militants for up to 48 hours with court orders. In France, meanwhile, a proposed anti-terrorism law is just making its way into government chambers. Some of the highlights include federal monitoring of emails and phone calls without the authorization of a judge, along with compelling telecommunications and Internet service providers (ISPs) to filter, analyze and freely disseminate user metadata to government agencies on request. The Verge describes the proposed law as France trying to “fight terrorism by spying on everyone.”

So what’s going to happen on June 1st? It’s anyone’s guess. While citizens are increasingly protective of their right to online privacy — and taking steps to safeguard their actions, such as using TOR-based networks and VPN services — governments across the world are introducing legislation which contains broader powers for spy agencies and fewer defenses for users. Hopefully, repealing Section 215 will be the start of change for the better to American Internet laws, but in the meantime, users shouldn’t take anything for granted; right now, the law isn’t on their side.

Featured image: K Whiteford / Public Domain Pictures.net


Who are Dallas Buyers Club LLC?


The firm Dallas Buyers Club, LLC has filed a number of federal copyright infringement lawsuits over Jean Marc Vallee’s Oscar-winning film.

Targeting the Australian market, the company has served discovery orders on Australian internet service providers in an attempt to discover the identities of users it says have downloaded the hit film.

And, on Tuesday, the Australian Federal Court ruled that ISPs must indeed hand over the names and addresses of 4,726 customers who allegedly shared pirated copies of the movie.

Justice Nye Perram approved the request, giving parent company Voltage Pictures access to the names and addresses of Australians whose IP addresses have been connected with illegally downloaded copies of the film. Such a request is known as “preliminary discovery,” and allows Voltage to enlist the court’s help in identifying currently unknown persons prior to suing them.

With the relevant information at its disposal, Voltage Pictures will now be able to send letters to the accused parties.

The case, as things stand, would likely see the alleged copyright infringers invoiced for damages rather than facing criminal prosecution, but some groups, including the ISP iiNet, have concerns over how that will work.

Steve Dalby, chief regulatory officer for iiNet, said:

“We are concerned that our customers will be unfairly targeted to settle claims out of court using a practice called ‘speculative invoicing’”.

Speculative invoicing is nothing new of course, having been used by film studios across the globe to send intimidating letters to suspected offenders, threatening legal action unless large sums of money are handed over.

Voltage has itself been involved in such action before, bringing lawsuits in several different countries and effectively “testing the waters,” in legal terms, to discover what the courts will and will not allow it to do.

So far, there have been no convictions as a result of Voltage’s litigation but the company certainly remains active in terms of sending letters out.

Such communication, alternatively described by some as “copyright trolling,” has a high chance of success, as the letters are designed to instil fear into recipients, who may feel that a relatively small damages payment could be significantly less costly to them than the unknown costs that may or may not ensue should their case ever come up before a judge.

The Los Angeles-based film studio praised the ruling, saying it represented a victory for “the little guys,” including independent filmmakers and musicians. The court’s decision represents a precedent in Australia but is similar in nature to other cases Voltage Pictures has brought before courts in other nations.

The company’s VP for Royalties Michael Wickstrom told Mashable that Voltage Pictures wants to send a warning to consumers who believe it is okay to upload and download their content. Anyone who receives a letter should seek legal counsel, he said.

Wickstrom claims the company is not in the business of speculative invoicing though, saying it is “in the market to produce good films and obtain the royalties from these films.” He agreed that in the past some letters sent to alleged copyright infringers may have been too aggressive in tone:

“In the past there were a few letters that needed to be adjusted, and I did say we need to change that letter as the tone is too aggressive. It has to be legal. We are not stating guilt in any of these letters, but what we are stating is if you are the infringer, there needs to be a settlement amount or a settlement decision.”

He says the company has continued to employ the same methods because they work and litigation has been proven to stop piracy, adding that he is not personally a big fan of issuing threats.

He did, however, say that piracy needs to be stopped or at least discouraged and that the company’s reputation for litigation had been seen to be having an effect on piracy sites where members warned other users away from pirating the company’s titles.

We here at ExpressVNP don’t like the way things are going in this field – tactics designed to scare potentially innocent people into handing over a wad of cash to keep themselves out of court are not the right solution either.

So, all things considered, if you receive a letter from Voltage Pictures remember that it does not mean you are guilty – you should seek legal advice and understand your options before responding.

Featured image: George Hodan / Public Domain Pictures.net


Stop the Patriot Act’s mass surveillance with Fight 215!



The Patriot Act (Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act) 2001 is a piece of legislation signed into law in the wake of 9/11, designed to strengthen domestic security controls within the US.

The act as a whole has since drawn much criticism surrounding the provision it affords for detaining immigrants indefinitely and the power it gives to law enforcement in terms of making secret searches of homes and businesses, without the owner’s prior consent or even knowledge.

But it is another area of the law that has garnered a huge amount of publicity recently – Section 215 – which allows law enforcement to access records and other items under the Foreign Intelligence Surveillance Act.

Subsequent bulk collection of data under Section 215, as originally revealed by Edward Snowden, piqued both the curiosity and the wrath of the general public who, to some degree, then began questioning the data collection practices of the US government in particular, as well as similar actions by other nations’ security services.

Due to the potentially contentious nature of the Patriot Act’s provisions, it was drafted in such a way that it would automatically expire, unless specifically extended.

Since then, key elements of the Act have been repeatedly extended with the most recent “sunset extension” coming on 26 May, 2011.

That latest four-year addition is due to come to an end in less than two months from now.

Enter Fight 215

The Fight 215 movement has sprung up to combat what it describes as surveillance abuses by the NSA.

Backed by a number of high-profile organizations, including the Electronic Frontier Foundation, the American Civil Liberties Union and the Brennan Center for Justice, it urges US citizens to make a stand against Section 215 of the Patriot Act, the legislation under which the FBI and the NSA have collected phone data from millions of Americans, and others, even though they have neither been accused nor suspected of committing any crime.

Visitors to the Fight 215 web page are encouraged to make contact with their elected member of Congress and ask them to “stand for privacy and liberty, not secrecy and fear”.

Concerned citizens can make contact with the relevant representative for their area either directly or via entering their phone number into the website.

For anyone who is unsure of what to say, a prepared script is available, saying:


I’m one of your constituents, and I’m calling to urge you to end the NSA’s unconstitutional mass surveillance under the Patriot Act.

NSA surveillance illegally invades my privacy, along with millions of other innocent people, without making me safer.

Fight 215 provides a small amount of information about the Patriot Act, and Section 215 in particular, noting how one federal judge has described it as “beyond Orwellian” in addition to questioning whether such legislation was actually constitutional.

The campaign also questions the effectiveness of Section 215 while attempting to debunk the notion that those who have nothing to hide have nothing to fear.

The group’s web page quotes the White House’s own Privacy and Civil Liberties Oversight Board which once let slip the fact that:

“We have not identified a single instance involving a threat to the United States in which [bulk collection under Section 215 of the PATRIOT Act] made a concrete difference in the outcome of a counterterrorism investigation.”

Fight 215 confirms that Section 215 is due to end soon – on 1 June, 2015 – but urges concerned citizens to lobby the government to ensure that it is not reauthorized, suggesting that the FBI and NSA could, conceivably, use the law to enable further data collection, including the bulk grabbing of financial data and other business records.

If you feel strongly about Section 215 of the Patriot Act, you have a chance to do something about it – visit Fight 215 now.