
Archive for December, 2013

[This is a post about security and privacy.  In this post, I speak about what could go wrong if you do not properly secure your computer, and my thoughts about encryption and privacy.]

I am reviewing a case where a group of “zombie” infected computers have been hacked to work together (a “botnet”), and it appears as if the courts are going after ZeroAccess as the crime ring behind the botnet. In my readings, a federal judge has blocked the IP addresses belonging to ZeroAccess-infected computers because they allegedly directed many of their millions of infected computers to click on a number of paid ads, where the advertisers using Google, Bing, and Yahoo! have paid out an estimated $2.7 Million per month from the ad revenue generated as a result of these clicks. The lawsuit is for what is known as “click fraud,” and it got me thinking about 1) the application to the bittorrent lawsuits, and 2) to privacy and security in general.

While I have NO REASON to think the following is happening, it is completely plausible that one or more “infected” computers could be directed to connect to various bittorrent files without the computer owners being aware of the “zombie” status of their computers (e.g., the software is being run as a service, or minimized without an icon showing on the desktop).  While the connections to the bittorrent swarms are happening, the copyright trolls could be “coincidentally” monitoring the bittorrent swarms as the downloads are happening unbeknownst to the computer owner. When the copyright holders (“copyright trolls”) send the DMCA letters to the ISPs, or when they file John Doe copyright infringement lawsuits against the subscribers, the ISPs would correctly confirm and corroborate that it was the subscriber’s ISP who was connected to the bittorrent swarm at that particular date and time, and the problematic conclusion would be that it was the subscriber who downloaded the file. And, when the download was complete, even though the malware would likely “cover its tracks” by deleting all traces of itself, it would be programmed to leave the downloaded copyrighted file in some obscure randomized file folder on the subscriber’s computer to be “conveniently” found by the forensic examiners during the lawsuit. I understand that malware could also actually alter the computer’s logs based on analyzing the computer owner’s past browsing history and program usage (most people do not clean this) to make it look as if it was the ACCUSED SUBSCRIBER who was “at his computer at the time of the download.” This could all happen without the subscriber being aware that the computer was infected with the malware or that the illegal downloads were taking place.

While this feels a bit sci-fi’ish, and again, I have no reason to think this is actually taking place, the technology is certainly around for this to happen.  I have personally watched enough podcast videos on Hak5 demonstrating how this could be done, and I could figure out ways to alter the malware program to gain administrator access to the computer and change the system logs on the computer before deleting itself.  If someone as simple as me could figure out how to do it, for sure the more crafty ones will eventually stumble onto this scheme as well. For this reason, I am writing this article as a warning to take your computer’s security and your online privacy seriously, and here are the simple steps I would take if it were my own computer.

Step 1: Don’t balk, but make sure you have antivirus software and anti-malware software running on your machine. Also make sure your software and virus definitions are up to date. I have my personal favorites as far as software goes, but quite frankly, free or paid software both do their job fine. There are many free anti-malware programs out there, so make sure the one you use is not malware itself. For free malware detection, I find SuperAntiSpyware and MalwareBytes to be sufficient.

Step 2: Protect your identity and your browsing habits. This depends on how much “tin hat” you want to go, but I personally use JonDoFox’s version of the Firefox browser. There is a STEEP learning curve to use it (meaning, the add-ons will initially break most of the websites you use, and most websites need to be configured once before you get it the way you like it), but in my opinion it is worth the effort to learn. You can check your current browser security at http://ip-check.info/ (by the way, I do not use JonDo anonymization software because they charge by the actual usage; rather, I opt for the less secure route of encrypting my traffic using a secure VPN provider). On the flip side, for convenience, I also use Comodo Dragon Chrome which is a faster, less secure browser, but I have many add-ons that I’ve installed (e.g., Scriptsafe, AdBlock Plus, etc.), and I keep the software running in the Sandboxie software. That way, if some critter gets past my defenses (e.g., think, “CryptoLocker,” or other ransomware which encrypts your files and charges you hundreds of dollars in bitcoins as ransom to decrypt them), it won’t get access to my hard drive files.

Step 2.1: This belongs to the previous step, but encrypting your traffic is very important. There is a phrase, “I have nothing to hide… from people I trust,” and I stand by that phrase. With the NSA and government snooping, and the ISPs watching your every move, regardless of whether you are doing something wrong or not, it is a smart idea to not give all of your shopping and browsing activities to your ISP and to Uncle Sam. There are also many commercial trackers and social networks who track you for commercial purposes as well — everything I say above applies for them too.

Step 3: Secure e-mail, secure chat… The best way to protect your e-mail is to encrypt it.  Unfortunately, e-mail by its nature is insecure, and even if you encrypt the contents of your e-mail, the METADATA (e.g., your own e-mail address, to whom you are e-mailing, the time and date of your e-mail, along with the geolocation of the IP address you use to connect to the e-mail server, etc.) remains exposed.  The only foolproof way I know to encrypt e-mail is to use Pretty Good Privacy (PGP) software.  The problem is that it is simply inconvenient.  In order to encrypt your e-mail, you need to not only set up and share your own public and private keys, but you need to find and look up the keyrings of those you want to communicate with.  While there are attempts to incorporate encryption into e-mails (e.g., projects such as GnuPG), the average person does not encrypt their e-mails, and trying to get everyone to do so is just an exercise in futility.  Plus, we know that the NSA saves encrypted e-mails for the sole purpose of trying to “break” the encryption because “if you use encryption, you are presumed to be using it for a criminal purpose.”  Thus, I am unhappy with the current state of technology with the adoption of encryption for sending e-mails, but for the time being, this is the way it is.
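The metadata exposure described above, shown on a constructed message (an added example, not part of the original post): Python's standard `email` parser reads a PGP/MIME message the way a mail server along the path would. The addresses, IP address and ciphertext placeholder are invented for illustration.

```python
import re
from email import message_from_string

# Constructed sample: a PGP/MIME (RFC 3156) message as a mail server stores it.
# Addresses, the IP (documentation range) and the ciphertext stub are invented.
RAW = """\
Received: from laptop.example.net (unknown [203.0.113.45])
\tby mail.example.org with ESMTPSA; Mon, 16 Dec 2013 09:14:02 -0500
From: Alice <alice@example.org>
To: Bob <bob@example.com>
Subject: Settlement letter question
Date: Mon, 16 Dec 2013 09:14:00 -0500
Message-ID: <constructed-0001@example.org>
MIME-Version: 1.0
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1
--b1
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----

(constructed placeholder, not real ciphertext)
-----END PGP MESSAGE-----
--b1--
"""

# Headers that stay in cleartext; in standard PGP/MIME the Subject is among them.
EXPOSED = ("From", "To", "Subject", "Date", "Message-ID")

def exposed_metadata(raw):
    """Return what is readable without any key: headers and relay-recorded IPs."""
    msg = message_from_string(raw)
    seen = {h: msg[h] for h in EXPOSED if msg[h] is not None}
    ips = []
    # Each relay prepends a Received header; the first hop often logs the client IP.
    for hop in msg.get_all("Received", []):
        ips += re.findall(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", hop)
    seen["client_ips"] = ips
    return seen

def body_is_encrypted(raw):
    """True only for the two-part multipart/encrypted layout carrying a PGP block."""
    msg = message_from_string(raw)
    if msg.get_content_type() != "multipart/encrypted":
        return False
    parts = msg.get_payload()
    return len(parts) == 2 and "BEGIN PGP MESSAGE" in parts[1].get_payload()

if __name__ == "__main__":
    print("body encrypted:", body_is_encrypted(RAW))
    for field, value in exposed_metadata(RAW).items():
        print(f"{field}: {value}")
```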

Secure chat is very easy, and there are many convenient ways to encrypt your instant messages.  Whether you are using the Pidgin software with the encryption plug-in, or whether you are using Cryptocat or any of the secure chat software readily available for the PCs, iPhones, and Androids, achieving perfect security is very doable.  For me, I do not encrypt my e-mails, and whenever I have a friend or peer who has the capability to encrypt our chat sessions, I have him do so just for the “geeky” fun excitement of it.

Step 4: Keeping your own computer clean and neat. Your Microsoft Windows operating system keeps logs of pretty much everything you do, and it is specifically the failure to clean up after yourself which can give malware the chance to impersonate you. Similarly, by not regularly cleaning up after yourself, should you one day face a lawsuit, a forensics expert can glean an ungodly amount of information about you, your whereabouts on a certain date and time, and your activities (e.g., whether you were surfing the web or writing a text file, and, which text file you were writing at that particular time and date) just by reviewing your logs. Now I personally do not trust my Microsoft Windows operating system not to “spy” on me, and if I had it my way, I’d run a Linux operating system (I have in the past, and I may in the future), but for the time being, be aware that the “privacy” settings in Windows stop NOBODY from snooping on you. I have not figured this one out yet (especially since most of my law firm’s software is Windows-based), but Windows is simply a minefield of privacy leaks and data you don’t want about yourself recorded and logged.

While this is certainly not even close to a solution, I run CCleaner from Piriform regularly to clean up the logs and to keep my computer relatively clean.  I would love to delve into the depths of my operating system and tweak certain settings to shut off the “phone home” leaks in my system — I simply do not have the time, the “tin hat” motivation, or the skill to do so.

Step 5: Lastly (and there are probably a million other steps I could take, but I like to keep things simple). I encrypt my hard drive data 1) in my computer, 2) outside of my computer (e.g., external drives and thumb drives), and 3) in the cloud. There are many ways to do this; the most popular is the “TrueCrypt” software. If you cannot encrypt your drives (I cannot, since my computer is a Windows 8 machine and TrueCrypt has not figured out how to encrypt UEFI systems yet), then create a large container, and set up your programs (e.g., Thunderbird Mail) to store your files in your encrypted container.  Better yet, install the program onto the encrypted drive so that it is not in your C:\Program Files folder.  That way, if your computer is ever stolen or lost, your programs and your data will remain unusable and encrypted. I often take this one step further and have Windows configured (to the extent possible) to use the encrypted drive to store my “Desktop” and my “My Documents” folder. Thus, if I do not unlock the encrypted drive when I first log in, my computer does not work properly, and I get a blank desktop. Along with this, my computers have log-in passwords which I have activated before the operating systems even boot. I have this running because even little me knows which piece of software one can run to bypass the password on Microsoft Windows machines.

In sum, you could take privacy to an extreme. The best privacy is the “trust no one” type of privacy. For some cases (e.g., our cloud storage backup servers are “trust no one,” meaning not even the company who hosts our data has the keys to unencrypt the encrypted data which is stored on their servers), using the best security is feasible and doable. But there are limits and there are sacrifices to your privacy, and it usually comes at the benefit of having more convenience. Truly, the most secure password is one not stored in a text file, or written on a piece of paper, but one that is in someone else’s head (not even your own).  The best security is not using a computer or connecting to the internet at all. Then again, that is not feasible to most of us who live in the internet. However, learning to take steps to protect your privacy (within reason) can only work towards your benefit.



As we near the end of 2013, I expect to see “2013 Year in Review” articles. I decline to write my own here, but it has been a very busy, work-intensive year. I would compare it to using nothing but strength and muscle to push metal against a spinning wheel with the result of seeing sparks flying.

Prenda is dead. Or is it? Lawyers spent most of the year enjoying the exposure of Prenda Law, Inc.’s failings (or more accurately, “fallings”) where their scams and schemes became unraveled over and over again for all to see. Judges called them on their bluff, brought the principals into court, and ordered them to pay large sums of money. Yet, what was actually paid (and what will actually be paid) is still hidden from our eyes. My guess is that they’ll pay something, but compared to the millions they raked in since 2010, it will only be a tiny fraction of their windfall profits.

It is my opinion that what undid them was greed. Had they continued to sue defendants en masse, and had they continued to “name and serve” defendants and move forward with the lawsuits in good faith (if there ever was good faith), they may still be in business. Thankfully, where there is “rolling in dough,” there is also born greed and corruption. AF Holdings was born, the “Alan Cooper” alter-ego was invented, papers were forged, settlement money was sent offshore to various entities, honeypots were discovered (where it was discovered that Prenda Law Inc. was seeding the pornography they later sued on), and so-called paralegals became the named “owners” of the entities who were suing to enforce their copyrights. If all this (and getting caught) was not enough, they threw their own local counsel attorneys “under the bus,” they sued the internet and bloggers for defamation, and they started a war with the internet service providers (ISPs) and Cable Companies, a fight they could not have won. Why they went after the ISPs, nobody will know, but in my opinion, this was their mistake.

But this article is not only about Prenda, or the Steele|Hansmeier gang, or the Mark Lutz characters of the world (or their many life-altering experiences over the year), but it is also about what has been happening outside the federal courts (“out-of-court”).

A year ago, I wrote a few articles about Copyright Enforcement Group (CEG-TEK), a brainchild of Ira Siegel. After his experiences in the Northern District of California, followed by the experiences of his local counsel Mike Meier, Marvin Cable, and for a time, Terik Hashmi, their cases went silent in the federal courts. No new cases were filed, and for a time, all we saw were dismissals of our law firm’s clients.  Then, tens of thousands of so-called “DMCA Letters” began pouring out from various ISPs directing accused internet users to their copyrightsettlements.com website (no link, this is on purpose) to entangle themselves in their settlement system.

There was a moment where I thought the “Six Strikes System” would kill CEG-TEK’s business model because the ISPs would no longer forward their “pay us now or else we will sue you” scare letters, and by depriving the copyright enforcement companies of their ability to contact accused internet downloaders in their homes and out-of-court (without the supervision of a federal judge), this would cause CEG-TEK and their ilk to go out of business, but this was a disappointment.

The “Six Strikes System” ended up being a dud. It only applied to a few of the “elite” ISPs, and those ISPs used the Six Strikes System to demand large sums of money from the copyright owners and sent the notices to their subscribers anyway, but only a truncated version of CEG-TEK’s “scare” letter. Comcast, case in point. I watched as a fight broke out between Comcast and CEG-TEK, where Comcast only forwarded a snippet of CEG-TEK’s letter, but still directed users to their CopyrightSettlements.com website so that the settlements can continue. Then in other letters, they botched the CEG-TEK settlement link altogether, and then, did not include the link [in their letters] at all. (And, just for “me too” news as of today, “Johnny-come-late” to the game, RightsCorp is reported by Torrentfreak to have experienced the same thing).

In sum, the Six Strikes System did not kill CEG-TEK as I thought it would, nor did it hurt the “copyright trolls” or stop them from filing lawsuits. CEG-TEK merely found other ISPs and universities to cooperate with them by forwarding their settlement demand letters to the ISP’s subscribers, and CEG-TEK’s collection attempts have continued unhindered.

Lastly, there has been little slowdown to the copyright infringement lawsuits. As I predicted a few years back, the lawsuits merely got smaller and more focused. The days of suing 5000 “John Doe” defendants bunched together in one federal lawsuit are over. Similarly, the smaller lawsuits having just a handful of defendants [where the lawsuits are filed in the states in which the defendants live] are also over. Now, the lawsuits are so small and focused that it is common to have only one defendant in a lawsuit, and this has made it impossible for our firm to watch, read, and report on every case that is filed in every jurisdiction.  Then again, it has made it more expensive for the copyright trolls, and (ugh) more scary for the carefully targeted defendant.

In sum, it has been a year of grinding and a year of watching the effects of previous years of work change, alter, and shape the bittorrent lawsuits to the form in which they are today. Congress and lawmakers have been useless in making this copyright trolling phenomenon disappear, as have been the attorneys general and the various state bar ethics boards, who [with some very notable exceptions] have been sitting on their hands. I do not think the copyright troll problem has been solved in any way. Rather, the plaintiff attorneys have gotten smarter, smaller, and more focused.  As a result, they have flown below the radar of those who have the power to stop them. And, while the lawsuits continue, former copyright troll attorneys (Ira Siegel / CEG-TEK) have continued their efforts, just outside of the court’s ability to monitor, sanction, and control their out-of-court settlement activities. And, I need not say this, but many new copyright trolls have popped up based on the lack of legal supervision, and I am concerned to say that I do not see this going away any time soon.

John Steele and his Prenda Law Inc. gang are down. CEG-TEK is thriving. Old copyright trolls such as Lipscomb & Eisenberg, along with their many local counsel across the US [and their lawsuits] are thriving. Other no-name “baby” copyright trolls are growing up and have learned to navigate the broken federal court system. And most important of all, more and more people are getting entangled into their legal spiderweb of extortion, settlement demands, and lawsuits, both in and out of court. This is grim, I know.

But there are still voices out there — SJD’s Fight Copyright Trolls website, DieTrollDie’s website, along with organizations such as the Electronic Frontier Foundation (EFF) who, [while they have been rightly so enveloped with dealing with privacy issues, government corruption, secret FISA courts, and fighting NSA police-state-like snooping techniques] are still very helpful in the copyright troll lawsuits with their countless efforts to make the problem go away once and for all.

So please allow me to be the first to wish everyone Happy Holidays, a safe winter, and a Happy New Year.

Warm regards,
Rob Cashman
