We are all accustomed to the skulduggery in the endless war between copyright holders and pirates.  Pirates endlessly shuffle torrents for movies, songs, and books around the globe, staying one step ahead of authorities, while copyright holders engage in the high-tech game of whack-a-mole to stem the tide of piracy.  But there is a new kid on the block – Popcorn Time.

Popcorn Time runs on various operating systems and operates over the P2P BitTorrent protocol.  Another P2P client would not be so interesting, except that Popcorn Time streams content.  A couple of key areas set off my spidey senses.

No copyrighted files stored on viewer computers
Content is streamed from peers, buffered, watched, and discarded after reboot.  In P2P protocols individual users host and share file fragments, or blocks of data.  A given peer often does not hold the entire file.  Blocks are assembled by peers until an entire file is recreated.  Targeting individuals for piracy of copyrighted material is less common, but when it occurs authorities focus mostly on those who host or store the copyrighted material.

Torrent sites unnecessary
Downloading content with traditional BitTorrent clients requires locating a torrent file for the movie or music file of interest.  The torrent file provides the technical information necessary for the P2P client to locate peers and begin downloading.  If BitTorrent has a weakness, it's that it requires participants to locate a torrent file of interest.  As a result, hosting torrent files is risky business.  Law enforcement efforts to date focus on shutting down torrent hosting sites like The Pirate Bay.  Popcorn Time still requires torrents, but reduces complexity for users through its integration with YIFY.
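As an added example (not from the original post), a minimal bencode encoder/decoder plus piece-hash check shows what a torrent file actually carries: not the content itself, only fixed-size piece boundaries and the SHA-1 of each piece, which is what a client uses to validate the blocks it receives from peers. The tracker URL, file name and content are constructed values.

```python
import hashlib

def bencode(obj):
    """Bencode (the .torrent serialization): ints, byte strings, lists, dicts."""
    if isinstance(obj, int):
        return b"i%de" % obj
    if isinstance(obj, str):
        obj = obj.encode()
    if isinstance(obj, bytes):
        return b"%d:%s" % (len(obj), obj)
    if isinstance(obj, list):
        return b"l" + b"".join(bencode(x) for x in obj) + b"e"
    # dict keys are strings and must be emitted in sorted order
    return b"d" + b"".join(bencode(k) + bencode(v) for k, v in sorted(obj.items())) + b"e"

def bdecode(data, pos=0):
    """Decode one bencoded value at pos; returns (value, next_pos). Dict keys come back as bytes."""
    c = data[pos:pos + 1]
    if c == b"i":
        end = data.index(b"e", pos)
        return int(data[pos + 1:end]), end + 1
    if c in (b"l", b"d"):
        items, pos = [], pos + 1
        while data[pos:pos + 1] != b"e":
            item, pos = bdecode(data, pos)
            items.append(item)
        if c == b"l":
            return items, pos + 1
        return dict(zip(items[0::2], items[1::2])), pos + 1
    colon = data.index(b":", pos)
    length = int(data[pos:colon])
    return data[colon + 1:colon + 1 + length], colon + 1 + length

def make_metainfo(name, content, piece_length):
    """Single-file metainfo: content is split into fixed-size pieces; only each piece's SHA-1 is stored."""
    pieces = [content[i:i + piece_length] for i in range(0, len(content), piece_length)]
    info = {"name": name, "length": len(content), "piece length": piece_length,
            "pieces": b"".join(hashlib.sha1(p).digest() for p in pieces)}
    # constructed tracker URL; a real torrent points at a live tracker or uses DHT
    return bencode({"announce": "http://tracker.example.invalid/announce", "info": info})

def verify_pieces(metainfo, received):
    """One bool per piece: True if that piece index was received and matches its SHA-1."""
    info = bdecode(metainfo)[0][b"info"]
    hashes = info[b"pieces"]
    expected = [hashes[i:i + 20] for i in range(0, len(hashes), 20)]
    return [idx in received and hashlib.sha1(received[idx]).digest() == h
            for idx, h in enumerate(expected)]

if __name__ == "__main__":
    meta = make_metainfo("sample.bin", b"constructed content " * 50, 256)
    print(len(meta), "bytes of metainfo;", verify_pieces(meta, {}))
```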

From the security and privacy professional's perspective, Popcorn Time is going to stir new debate on two fronts.  First, when does data become illegal: 1 byte, 100 bytes, a block, 100 blocks, a file?  Second, Popcorn Time is easy to use.  No more shady torrent sites, or futzing with Tor clients to conceal identity (if people even care).  Popcorn Time is essentially Netflix for pirates – it's that easy.  It's likely Popcorn Time will go viral, and when it does it will be interesting to see how the industry reacts.

As an aside, and as I have mentioned in previous articles, I'm not a lawyer, but if you are and wish to comment on the post for readers we would welcome your thoughts.  Enjoy!


[Updated On, March 14, 2014]

I received an email from Vizify this morning.  Yahoo is closing Vizify.  Bummer.

“We appreciate that you invested time in creating and sharing your bio and apologize for any disruption we may be causing you. We’re going to miss our bios, too, but we’re taking the following step to make the shutdown smoother.”

On the brighter side perhaps they can bring some of their talent to a larger audience.  An updated FAQ is provided.

[Updated On, March 12, 2014]

Eli Tucker (@etucker), Vizify co-founder, provided a link indicating, "Yahoo will not use any Vizify user data except for purposes directly related to Vizify bios and services".

[Original Post, March 12, 2014]

Most of us have an idea of how our personal information is used when we sign up for an online service.  It stands to reason that participation requires sharing some personal information.  But what happens to our personal data when one company acquires another?

Vizify is an online service where participants share personal background like work history, Twitter connections, noteworthy Tweets, professional associations, and more.  The benefit of Vizify is that it presents professional and personal life in an info-graphic style dashboard that's easy for others to consume.  If you want to see Vizify in action, take a look at my profile.

Now that everyone has an idea of Vizify's services, let's think about the acquisition further.  I was wondering what would happen to my personal data when Yahoo purchases this company.  Investigating further, I reviewed Vizify's online privacy policy (image shown).

Image: Vizify Privacy Policy

First of all, kudos to Vizify for the world's shortest privacy policy.  Most privacy policies I review these days read like the Dead Sea Scrolls.  Vizify's privacy policy is short and to the point.  In fact, the policy is quite clear about what happens during a merger or acquisition: any personal data shared with Vizify will be included in the negotiations or sale of the company.  In this case, personal data shared with Vizify is now Yahoo's property.

Small disclaimer: Yahoo is a previous employer of mine, and I know how important security and privacy are to Yahoo.  I'm not concerned about this acquisition.  However, what if a different company had purchased Vizify?  Considering more chilling scenarios, what if an insurance company purchased a company holding medical information, like WebMD?  WebMD does not hold medical records in the strictest sense and is not subject to government regulations like HIPAA, but it does have a treasure trove of medical information.  Continuing the thought, what if LinkedIn wanted to sell information about your job searching to the highest bidder, which may include your employer?  My point is not to stir up conspiracy theories, but personal information can be used in chilling ways that are difficult to imagine.

It’s a fact that companies are sometimes purchased solely for the competitive value of their intellectual property (e.g., patents, information).  I’m not a lawyer, but outside of corner cases like medical records or credit card information, there are few laws describing protections for personal information or the disposition of personal data after corporate acquisitions and mergers.


[Updated on, January 29, 2014]

According to Krebs on Security, the attackers leveraged a local admin account named "Best1_user" present on PoS terminals to gain entry.  The account is a default administrative account installed by the PoS software maker.  The maker notes the password to the account is unimportant since it cannot be used for logon.  Hmm…

[Original Post, January 28, 2014]

2013 was a busy year for cyber criminals, according to Marble Security.  Marble's snappy info-graphic is eye-popping.  I notice the number of compromised Target accounts appears somewhat conservative; new estimates are around 110 million (Target notes 70 million).  If you want to see the letter Target is sending to customers, you can look at mine (click to expand image).

Digging a little further into the disclosure web site referenced in the email, there are two main areas of action for Target.

  • A $5 million contribution to a new security coalition educating the public on phishing attacks
  • Free credit report for compromised accounts

Educating the public on phishing scams is responsible, since information leaked during the breach will undoubtedly be used for spear phishing their customers.  Spear phishing is a technique used by attackers to target individuals with highly personalized emails, making them an effective vehicle for malware delivery.  Finally, you are offered a free credit report, but only if you register to receive it.  Target notes on their site that they are making some internal improvements, but they are not specific.

“We are committed to making this right and are investing in the internal processes and systems needed to reduce the likelihood that this ever happens again. We have retained a leading third party forensics firm who is conducting a thorough investigation of this incident.” [Target]

I noticed Brian Krebs has some detailed news on his security web site (A Closer Look at the Target Malware, Part II).  Apparently PoS terminals (credit card readers) were sending captured personal data to attacker-controlled systems for later use and abuse.  Sigh…


The following is a public and global outcry for government surveillance reform from some of the world's largest companies: Aol, Apple, Facebook, Google, LinkedIn, Microsoft, Twitter, and Yahoo!


My concern is that while the data under discussion is held by the preceding companies, the information belongs to us; it is distinctly our most private personal information under discussion.  The principles described by the web site are a good starting point, but they need to be written from the perspective of consumers — consumer privacy expectations.  Global consumer privacy expectations must be applicable to businesses and governments alike.  It seems doubtful that addressing one without the other will have the desired positive outcome on consumer confidence.

For more information about the business drivers behind privacy reform see A Crisis of Confidence Costs Real Money.


I found the following YouTube video link on EFF.org of Senator Ron Wyden (D-OR).  The Senator speaks out for American rights and privacy before the Senate.  In spite of legislative trends, Congress may not be as one-sided against individual rights as you might imagine.  Senator Wyden provides an interesting pro-privacy perspective along with some lessons from history.  Likewise, contrary Senate opinion would be interesting to hear.  Unfortunately, fully understanding lawmaker decisions is difficult since they are predicated in part upon material non-public or classified information.

Media:  Wyden Floor Statement on FISA Reauthorization Act and Proposed Amendments

Of course, the FISA extension passed by a landslide.  If you're curious to see how your state represented you, please refer to the following link, FISA Amendments Act of 2008 Five Year Extension.