Tag Archives: DMCA

News Bites for the Week Ending October 26, 2018

Poorly Secured Family of Adult Web Sites Leaks Account Info

For those people who can think back to the hack of the Ashley Madison web site, this is kind of deja vu all over again.

100 megabytes of user authentication data was leaked – user names, IP addresses, passwords and email addresses.  Not THE most sensitive data, but most people who visit adult web sites do not advertise that fact.  But there is more.

One surprise is that there were OVER ONE MILLION email addresses compromised.

Along with, apparently, pictures that some people uploaded to some of the sites.  Suffice it to say those pictures are not of sunsets over the beach.

The owner of the 8 sites took the sites down almost immediately and told people to change their passwords.

One disappointing feature of the sites – the passwords, while encrypted (or, technically, hashed), were hashed with an algorithm that is over 40 years old and can be easily cracked.

All this does point out the dangers of posting data and pictures to the web – YOU don’t understand what their security practices are like.  It also points out that web site owners need to get a security review of their web site from time to time to make sure that they are not using 40-year-old insecure algorithms.  Source: Ars Technica.

 

Saudis “buy” Twitter Employee to Spy on Dissidents

The Saudis do not need any more bad news, but they are getting it anyway.  The Times has reported that the Saudis “groomed” (maybe bribed or blackmailed) a Twitter employee to feed them dirt on Saudi dissidents.  In addition, the Saudis, like the Russians, have mounted a huge disinformation campaign.  Social media has a huge challenge and no easy answers.  Source: The Hill.

 

NY Times Reports US Begins First LIMITED Cyber Ops Against Russia

In spite of the fact that President Trump says that the Russians are not hacking our elections, the United States Cyber Command is targeting Russians to stop them from interfering with the elections.  The campaign started in recent days.

The campaign comes after the Justice Department released a report last Friday outlining a Russian campaign of information warfare.

Not surprisingly, the Pentagon is not talking much about this – just like they would not talk about any spy activities or activities that would likely be considered illegal, aggressive or an act of war by the targeted countries.

Interestingly, the story says that the actions are “measured” and much less than what the Russians are doing.  Why?  Because they are worried that Russia might take down the US power grid or carry out some other major cyber activity.

That is not comforting.  Source: NY Times.

 

UK Grocer Morrisons Loses Appeal of Breach Class Action

This is the UK and not the US, but still, this is interesting.  A disgruntled employee downloaded data on 100,000 employees, leaked it to the press and posted it online.  The leaked data includes salary and bank account information.

Morrisons was sued, not surprisingly, but, somewhat surprisingly, lost.  Morrisons appealed the court verdict, but lost the appeal.  They now plan to appeal to the UK Supreme Court.

If they lose there, it will mark a turning point in security law.  The company maintains that they did nothing wrong and it was a rogue employee who leaked the data.  The employee is now in jail.  The court says Morrisons is responsible anyway.  Stay tuned because if the courts hold that companies are responsible for the unauthorized actions of their employees, boy oh boy.  Source: BBC.

Yahoo Settles One More Lawsuit for $50 Mil Plus Credit Monitoring for 200 Million

As Yahoo continues to feel the fallout from its data breaches in 2013-2014 that it failed to disclose, they agreed to another settlement covering 1 billion of the 3 billion users affected.

For this suit, they will pay $50 million, split between Verizon and Altaba (the company that controls what is left of Yahoo) and provide credit monitoring for 200 million people for 2 years.  Add to that $35 million in legal fees.

This, of course, is not the end.  It is only one lawsuit of many plus fines from regulators. Stay tuned for further settlements. This really poorly planned strategy of Marissa Mayer to hide the breach may wind up costing Yahoo and Verizon a billion dollars.  Source: Seattle Pi.

Score One For the Right to Repair Movement

Every three years the Librarian of Congress gets to arbitrarily decide who is breaking the law and who is not.  Really.  Specifically, he or she gets to decide to whom the Digital Millennium Copyright Act (DMCA) applies, and why.

Every three years, those people who got an exemption before have to go back to the Librarian and ask, again, mother may I?

One example is that the Librarian said that you can circumvent encryption and DRM tools to jailbreak your phone.

Another exemption allows educators to use encrypted DVDs (and break that encryption) in certain educational settings.

None of this gives you the tools to actually do it, but they can’t put you in jail or fine you millions of dollars if you succeed.

The newest addition to the list of approved exemptions from DMCA is for the right to repair movement, a growing group that says that people should have the right to repair things that they bought like cars, iPhones and tractors.  John Deere, for example, said that while a farmer bought the metal pieces of that million dollar combine, they do not own the software that actually makes it work when you turn it on and if you don’t let an authorized John Deere mechanic fix it, they will try to sue you into oblivion.

Now people can try to fix their cars, tractors, iPhones and other devices.  It doesn’t mean that the manufacturers will help you – it just means that they can no longer sue you.  Source: Motherboard.

So You Think You OWN That Car You Bought?

Let me apologize at the beginning – this post is going to get a little strange.  The Digital Millennium Copyright Act or DMCA was passed by Congress mostly at the request of the movie and music industries who pay lobbyists a lot of money to strong arm Congress-people.  The DMCA has several provisions, but one of the most well known ones is the anti-circumvention provision.  The idea was to make it illegal to remove copy protection that companies put in place to protect their intellectual property, whether or not you plan to do anything illegal with it.  For example, if you buy a DVD and you want to play it on your tablet, you need to make a copy in a form that can be played on the tablet.  Doing that was illegal – even though many people do it – because in order to do that, you have to break the encryption on the DVD.

You bought the DVD – at least you own the little round piece of plastic, but the movie industry wants you to understand that you didn’t buy the movie – just the piece of plastic.  Instead, what you got along with the plastic disk, is a license to play what the movie industry put on the disk, but only in a way that the movie industry finds acceptable to them.  This really offends a lot of people.

The DMCA has some strange twists and turns, as is often the case with laws, and one of those is section 1201.  Every three years, the Librarian Of Congress, who is considered by many as one of the most powerful but at the same time obscure people in the country, gets to decide who gets a free pass to ignore the DMCA.  If no one asks the Librarian for a get out of jail free card and the Librarian doesn’t sign it, then you don’t get to ignore the DMCA and the free pass expires after three years anyway.

Probably the best known exemption is to jail break the iPhone.  First approved in 2010, this was renewed in 2012 and again this year.  And, to prove that they are not narrow minded, you can now legally jailbreak your iPad – something you could not do last year.  Needless to say, Apple was not happy when this was first approved.

And, apparently, it is now also legal to copy that DVD so that you can play it on your iPhone.

This, of course, also applies to Android devices.  They are not picking on Apple.

The one which is more important – and the subject of this post – is that you can now jail break your car.  This exemption is pretty narrow.  Kind of like the DVD movies before them, Deere and GM argued that you don’t really own your car.  You can own the sheet metal, the frame and the tires and stuff – but that software – you don’t own it.  The nice people at Deere and GM just let you use it.  That position, taken to the extreme, would say that you can resell the car, but you have to delete the software first.  Of course, if you could do that and did, your car wouldn’t even unlock the door.  While you might say that is far-fetched, that is exactly what the network equipment vendor Cisco does.  You cannot legally resell a Cisco router, because the license does not allow you to transfer the software.  Actually, you can sell it, minus the software, but then the new owner has to buy his own copy of the software.  Car companies have not gone there – yet.

You may remember that 60 Minutes segment from this summer where researchers hacked into a Jeep Cherokee and took over brakes and steering from miles away.  That was done by hacking into the infotainment system (fancy term for car radio) by way of the telematics system (fancy term for car cell phone).

Curiously, the exemption for hacking your car, which only lasts for the next three years unless renewed, DOES NOT allow you to hack either the infotainment system or the telematics system – the source of the Jeep hack.

It also only allows YOU to hack your car, not, for example, your mechanic, and it does not make tools that help you hack your car legal – those are still illegal.  And, for some bizarre reason which has no apparent basis in law, the Librarian said that you have to wait a year – until October 2016 – to legally hack your car.

The EFF and others are continuing to petition the Librarian of Congress to grant expanded exemptions, so this might change, but right now, them’s the rules.

Strange, huh?  Welcome to section 1201.

 

See the Wikipedia article on DMCA here.

Listen to a discussion of the subject on This Week In Law episode 327; it starts at around the 39 minute mark.  You can find it here.

Other information came from Boing Boing, Ars Technica and The Copyright Office.

Judge vs. Internet – Unclear Outcome

There has been a cat and mouse game between the movie studios and hackers since there were digital versions of movies.

The encryption that was on the original movie DVDs, CSS (content scrambling system), was cracked in a matter of a few days.

For Blu-Ray and HD DVDs, they created a new system, AACS (Advanced Access Content System), which has been cracked several times, including by a software product called DVDFab.  DVDFab has cracked it before, but AACS is dynamic so the movie houses change it a bit and it all starts over.

Well this time the AACS consortium got a judge to agree that the makers of DVDFab were breaking the law by selling this software.  Breaking encryption that is used to control your usage of a movie violates the Digital Millennium Copyright Act and the studios fought hard to get that law passed.

This is where the simple part ends.

DVDFab is made by Fengtao, a Chinese company – well outside the reach of a judge in NY.

So the judge instead said that their domain names should be taken down and their credit card processors shouldn’t process payments (see article) for them.

The judge can probably say that to Facebook USA, but it is highly unlikely that the Chinese domain registrar for DVDFab.cn is really going to be too terribly concerned about the opinion of some judge in New York.

So, what actually happened?

  • Google removed search results to the U.S. DVDFab sites, but not the foreign domains (like DVDFab.cn)
  • Facebook froze their accounts, but the pages still display – they just cannot be updated
  • Twitter has shut down some of the accounts – only those that contain the exact name of the software.
  • The U.S. based domain registries have stopped resolving the domain names, but not the foreign registries (except Japan).

Will this have much effect on customers who want the software?  That is unclear.  Most people who use a product like DVDFab understand that they are fighting against the DMCA, but probably don’t care.  They hark back to the Betamax ruling that said what you did in your own home, for yourself, was OK.  Whether that is true in this case is probably not relevant to those people and as long as they don’t advertise the fact that they are doing it, they are likely to avoid the radar of the studios.

It will have some effect on DVDFab – they will likely rebrand the software.  They already are using the DVDFab.CN domain name.

My guess is that this is a victory for the studios in name only and will have very little long term effect on the piracy of their movies.

My two cents.