Windows Secrets Newsletter • Issue 196 • 2009-05-07 • Circulation: over 400,000

BONUS DOWNLOAD

Land the Tech Job You Love excerpt
Find a great company whether you need it or not
Our free bonus this month is based on Andy Lester's new book, Land the Tech Job You Love. It's packed with helpful how-tos on writing killer résumés, completing job applications, securing those valuable employment interviews, and more. The printed book won't be available until June, but all Windows Secrets subscribers can receive an excerpt of two enlightening chapters simply by visiting our preferences page, after which a download link will appear. Thanks! —Brian Livingston, editorial director

All subscribers: Set your preferences and download your bonus
Info on the printed book: United States / Canada / Elsewhere


Table of contents
TOP STORY: ISPs assist in cutting off file-sharing users
FOLLOW UP: Google silently corrects Gmail CSRF hole
WACKY WEB WEEK: Never put in an honest day's work again!
LANGALIST PLUS: Find the cause of spontaneous reboots
BEST SOFTWARE: How to make Twitter work for your business

TOP STORY

ISPs assist in cutting off file-sharing users

By Becky Waring

Internet service providers are cooperating more and more with copyright holders to crack down on illegal downloading and peer-to-peer file-sharing.

Some of the changes are due to strict new piracy laws, but others appear to arise from sheer self-interest on the ISPs' part.

Somali pirates aren't the only ones making headlines recently. The widely publicized Pirate Bay verdict in Sweden has sent a chill down the spines of BitTorrent freaks worldwide and cast a spotlight on the intensifying battle against illegal downloaders.

In addition to helping convict the Pirate Bay operators, Sweden's new Intellectual Property Rights Enforcement Directive (IPRED) allows courts to order ISPs in that country to reveal to copyright holders the names of anyone suspected of sharing files illegally. The copyright holders can then use the information to sue or collect damages. Immediately after the law went into effect last month, Internet usage in Sweden dropped by 30%.

While most ISPs in the U.S. and other countries will release information about subscribers only when presented with a court order, these ISPs may not be displeased by the increased pressure being placed on file-sharing networks. Reducing peer-to-peer traffic by the threat of legal action would help unclog the ISPs' networks and free up some of their bandwidth.

"Fundamentally, ISPs (like all communications carriers) have a primary obligation to their customers not to inspect traffic unless it is necessary for the service, or to disclose information without being required to do so," Electronic Privacy Information Center (EPIC) president Marc Rotenberg told me in an e-mail interview.

However, Rotenberg also notes that "ISPs are being pulled in several different directions. Advertisers want access to ISP data traffic for marketing. Governments want ISP data retained for surveillance. But the ISPs have one of the most stable business models around — a subscriber-based service — and clear obligations to protect the privacy of their customers."

Just last year, Charter Communications introduced a deep-packet inspection (DPI) program to gather information from subscriber traffic that online ad firm NebuAd would have used to deliver targeted advertising. Aborted due to the widespread outcry, the program nonetheless illustrates the power of today's filtering technology.

According to EPIC, "DPI provides ISPs with access to the content of all unencrypted Internet traffic that ISP customers send or receive." DPI used to be logistically infeasible on a large scale due to the resources required, but that's no longer the case.

Basically, if unencrypted files are coming through your pipe, your ISP can read them. And since most e-mail, browsing, downloading, and media streaming is not encrypted, your data and your privacy are at risk.

Only federal privacy legislation can prevent such filtering and information gathering. Right now, the U.S. Congress is working on just such a privacy bill, but any legislation able to pass the House and Senate will likely be tempered with provisions for copyright holders.

Recording industry's new global-scare tactics

So what are the rights-holders doing? After many years of futile efforts, the Recording Industry Association of America (RIAA) finally recognizes that filing lawsuits against individual illegal downloaders is ineffectual in reducing piracy and is a public-relations disaster to boot. The association has stopped filing new cases in the U.S.

Instead, the RIAA instituted a new "graduated response" program earlier this year under which ISPs forward warning letters threatening repeat offenders with account suspension, termination, and other consequences.

The strategy attempts to make parents responsible for their children's activities, school administrators liable for the network use of their students, and ISPs accountable for all their users. Underlying this policy is the belief that suspension or cancellation of Internet access can be applied much more broadly than lawsuits — to millions of customers rather than to hundreds.

The first warning letter typically contains this statement: "Please bear in mind that this letter serves as an official notice to you that this network user may be liable for the illegal activity occurring on your network. This letter does not constitute a waiver of our members' rights to recover or claim relief for damages incurred by this illegal activity, nor does it waive the right to bring legal action against the user at issue for engaging in music theft."

ISPs are cooperating with this program, but not just to appease the RIAA. They are mandated by the Digital Millennium Copyright Act to pass on the letters and to provide illegal downloaders' identities to copyright holders, pursuant to a court order. Any action beyond that is up to the ISPs.

Some service providers cut off access after repeated infringement, while others leave further enforcement up to the RIAA. For example, Comcast says it has already sent 2 million warning notices to downloaders but that it has no plans to cut off users' access.

AT&T agrees. At last month's Leadership Music Digital Summit, AT&T senior executive vice president Jim Cicconi avowed that "AT&T is not going to suspend or terminate anyone's policy without a court order. What we do is send notices and keep track of violations and IP addresses. It's our view that any stronger action has got to rest with the copyright owner ... That's what the courts are there for."

However, other countries are taking a harder line by enacting new laws and requiring that ISPs suspend repeat offenders. Here are a few examples:
  • In Ireland, major ISP Eircom was sued by four large music labels this January. The companies were seeking to have the ISP monitor its subscribers for illegal file-sharing. A settlement was reached that will disconnect customers after three strikes.

  • In Taiwan, a new anti–file-sharing amendment was passed in April that makes it a crime to deploy peer-to-peer technology that facilitates the exchange of copyrighted material. In addition, users who are caught downloading copyrighted material more than twice face restrictions on their Internet access.

  • In France, legislators are working to pass a similar law that would "boot repeat file-sharers from the Internet for up to a year at a time," according to an Ars Technica report. A blacklist preventing suspended users from signing up with any ISP in the country would be maintained, and ISPs who fail to promptly cut off suspects would be subject to a €5,000 fine for each instance.
Perhaps the most onerous and insidious part of the proposed French law is that users will also be required to keep their networks secure with certified software so that they can't claim that someone used their network without their knowledge. This puts the responsibility on network owners for the actions of their users, whether family, friends, students, employees, or customers. The law may be altered before it passes, but so far it has major-party support.

MPAA and RIAA identify illegal downloaders

The laws aren't the only things getting tougher — so are the downloaders. Predictably, P2P users are employing technology to fight technology, creating an arms race between file-sharers and the recording industry.

To identify illegal downloaders, the RIAA, Motion Picture Association of America (MPAA), and other industry organizations are taking advantage of the public nature of peer-to-peer file-sharing and streaming networks to determine users' IP addresses. Then they get court orders to force ISPs to identify subscribers. In Canada, the courts have ruled that no warrant is needed and that an IP address is public data, just like a home address.

File-sharers who want to hide from this type of surveillance are using proxy services and anonymous networks such as Freenet, GnuNet, and Mute. While these services currently offer only a small fraction of the content of BitTorrent and Gnutella, the anonymizing movement has grown fast since the recent prosecution of the Pirate Bay operators in Sweden.

Pirate Bay itself is introducing iPredator this month, a global service that promises more anonymity than traditional virtual private networks (VPNs). According to TorrentFreak, "the weak link in any VPN/anonymity service is always their willingness (or otherwise) to hand over your customer data when pressured under the law. However, with iPredator, this should not be an issue since the service is promising to keep no logs of user activity whatsoever."

Sounds foolproof, right? Well, only if no laws are passed requiring ISPs to keep user logs — as has been proposed in Great Britain — and only if ISPs don't use DPI to see what you're downloading and filter it out before it even gets to you, as may become the case in Australia.

The Australian Federation Against Copyright Theft (AFACT, which is similar to the MPAA) launched a lawsuit last fall claiming copyright infringement against major Australian ISP iiNET. AFACT appears to want Australian ISPs to filter out illegal downloads for the movie industry.

In the long term, according to EPIC's Rotenberg, "the best safeguards for ISP data may come about from a combination of good privacy law and stronger technical measures, such as IPsec."

In the meantime, if you're concerned about the privacy of your Web downloads, use a VPN, proxy, or anonymizing service as a first line of defense. The free Tor program is one such option; you'll find more information about the software at the Tor Project site.

Becky Waring has worked as a writer and editor for CNET, ZDNet, Technology Review, Upside Magazine, and many other news sources.

FOLLOW-UP

Google silently corrects Gmail CSRF hole

By Scott Spanbauer

The good news is that Google has eliminated a security hole that could allow a hacker to get into your Gmail account, as I reported in an April 23 story.

The bad news is that Google chose to remain so tight-lipped about the change that even its own engineers and many security researchers were unaware of the fix, something that doesn't inspire confidence.

As recently as April 24, Google support staff were confirming that its e-mail service had a security hole known as cross-site request forgery (XSRF or CSRF, pronounced "sea-surf"). In an e-mail to a Google Apps user, Google Apps Team member "Heine" wrote:
  • "I've looked into this for you and found that our engineers are aware of the issue and are working to have a patch available at the earliest.

    "I have been assured that the likelihood of this issue actually occurring is very limited, but at the same time I do want to stress that we take the matter seriously."
What Google's staff apparently didn't know is that someone had quietly closed the hole in Gmail earlier, and that it never afflicted the Mail feature of Google Apps in the first place. On April 27, Google spokesman Jay Nancarrow notified me that the company had fixed the CSRF flaw, saying:
  • "We want users to know that on March 12, we fixed the vulnerability that was brought to our attention. We never received any reports of the vulnerability being exploited, and do not consider this case to have been a significant issue. A successful exploit would have required correctly guessing a user's password within the period that the user was visiting a potential attacker's site. Nevertheless, we implemented additional measures that effectively prevent the attack. We always encourage users to choose strong passwords, and we have an indicator to help them do this when creating passwords."
In an e-mail interview, Nancarrow stated that the problem had been corrected by encrypting each visitor's session cookie with a separate security token. This would prevent a hacked Web site from stealing the Gmail password of a user who happened to be visiting the site — which would allow the hacker to access other services such as Google Shopping, after the user signed in:
  • "We added an XSRF token to the password-change page. The attacking site will not have this token and hence cannot masquerade as a user trying to change their password."
Nancarrow also indicated, in response to a question, that Google had not reported the fix to ISecAuditors (ISA), the security firm that first discovered the hole.

At my request, ISA researcher Vicente Aguilera Díaz examined the site again on April 30 and found that Google had indeed eliminated the security flaw in Gmail's password-change page:
  • "I see that they've added a security token that prevents the vulnerability from being exploited (since it requires that the token be known and, apparently, is cryptographically secure) ...

    "I can confirm for you that Google did not communicate with me at any time (neither with me, nor with any of my co-workers) that they had corrected the vulnerability. It's strange, since I reported the problem to them and tracked it, but it appears that they've corrected it 'silently.' "
Google spokesman Nancarrow states that a similar flaw doesn't afflict the Gmail-like e-mail function in Google Apps, as has been rumored, because that site has for some time used an encrypted security token, whereas Gmail itself did not until recently.
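The fix described by Nancarrow and confirmed by Aguilera, a token on the password-change page that a third-party site cannot obtain, can be shown in a few dozen lines. The following is an added example written for this article, not Google's code: it uses an in-memory session store, derives the token as an HMAC of the session identifier under a server-side secret (one common construction; Google's actual scheme is not described on this page), and all user names, session identifiers and passwords are constructed sample values. The unprotected handler accepts any request that arrives with the victim's session cookie, which a browser attaches to a cross-site POST automatically; the protected handler additionally requires the per-session token, which only the genuine form carries.

```python
"""Added example: a per-session anti-CSRF token guarding a password-change handler.
Illustrative code, not Google's implementation; the session store, the HMAC-derived
token and every sample value below are constructed for the demonstration."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Session:
    """What the server resolves the browser's session cookie to (constructed)."""
    user: str
    session_id: str


class PasswordService:
    """Password-change endpoint in its pre-fix and post-fix forms."""

    def __init__(self, users: Dict[str, str], server_secret: Optional[bytes] = None):
        self.users = dict(users)
        # Server-side secret used to derive tokens; it is never sent to the browser.
        self.server_secret = server_secret or secrets.token_bytes(32)

    def csrf_token(self, session: Session) -> str:
        # Bind the token to the session with an HMAC: without the server secret it cannot
        # be forged, and a token issued for one session is useless against another.
        return hmac.new(self.server_secret, session.session_id.encode(), hashlib.sha256).hexdigest()

    def render_change_form(self, session: Session) -> Dict[str, str]:
        # The legitimate page embeds the token as a hidden form field. A page on another
        # origin cannot read this response, so it never learns the token.
        return {"action": "/change_password", "csrf_token": self.csrf_token(session)}

    def change_password_unprotected(self, session: Session, form: Dict[str, str]) -> bool:
        # Pre-fix behaviour: the session cookie alone authorises the change. Browsers attach
        # that cookie to any POST aimed at the site, including one a third-party page submits.
        new_password = form.get("new_password")
        if not new_password:
            return False
        self.users[session.user] = new_password
        return True

    def change_password_protected(self, session: Session, form: Dict[str, str]) -> bool:
        # Post-fix behaviour: the request must carry the token that matches this session.
        # compare_digest keeps the comparison constant-time and yields False for a missing token.
        supplied = form.get("csrf_token", "")
        if not hmac.compare_digest(supplied, self.csrf_token(session)):
            return False
        return self.change_password_unprotected(session, form)


def run_demo() -> Dict[str, object]:
    """Exercise both handlers with the same session and report what each accepts."""
    alice = Session(user="alice", session_id="sess-8f3a")      # constructed session
    mallory = Session(user="mallory", session_id="sess-0c17")  # constructed second session

    # Fields a hidden form on an unrelated site would submit while alice is logged in.
    # The browser adds her cookie automatically, but that page never saw her token.
    cross_site_post = {"new_password": "attacker-chosen"}

    before_fix = PasswordService({"alice": "original"})
    accepted_before_fix = before_fix.change_password_unprotected(alice, cross_site_post)

    after_fix = PasswordService({"alice": "original", "mallory": "other"})
    rejected_no_token = after_fix.change_password_protected(alice, cross_site_post)

    # A token legitimately issued to mallory's own session does not transfer to alice's.
    borrowed = dict(cross_site_post, csrf_token=after_fix.csrf_token(mallory))
    rejected_wrong_session = after_fix.change_password_protected(alice, borrowed)

    # The genuine flow: alice loads the form, which carries her token, then submits it.
    legit = {"csrf_token": after_fix.render_change_form(alice)["csrf_token"],
             "new_password": "user-chosen"}
    accepted_legit = after_fix.change_password_protected(alice, legit)

    return {
        "unprotected_accepts_cross_site": accepted_before_fix,
        "protected_rejects_cross_site": rejected_no_token,
        "protected_rejects_other_sessions_token": rejected_wrong_session,
        "protected_accepts_legitimate": accepted_legit,
        "password_after_fix": after_fix.users["alice"],
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

Two design points carry over to real deployments: the token must be unpredictable to a party who sees only the victim's browser traffic from the outside (hence the server-side secret, which is what Aguilera means by "cryptographically secure"), and it must be bound to the session so that a token one user obtains legitimately from their own account cannot be replayed against someone else's.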

Google's reasoning in keeping mum about the security flaw's existence and subsequent fix is that a successful Gmail account takeover using the exploit was unlikely. However, it was certainly possible, as demonstrated by a proof of concept that Aguilera published. ISA says the information was publicly disclosed only after Google declined to correct the hole following more than one year's notice.

Software developers inspire more confidence in their products when they work cooperatively and openly with the community of security researchers. Here's hoping that Google won't hesitate to communicate in a timely fashion when future flaws inevitably crop up.

Reader Ron Hancock will receive a gift certificate for a book, CD, or DVD of his choice for his help with the research for this article. Send us your tips via the Windows Secrets contact page.

Scott Spanbauer writes frequently for PC World, Business 2.0, CIO, Forbes ASAP, and Fortune Small Business. He has contributed to several books and was technical reviewer of Jim Aspinwall's PC Hacks.

WACKY WEB WEEK

Never put in an honest day's work again!

By Katy Abby

There's just not enough time in the workday to idly surf the Internet, work on side projects, update your personal blog, and get all your work done. When your boss is breathing down your neck about that overdue report, something's just gotta give!

Take a hint from these crafty cubicle-dwellers, who've devised a global model for sure-fire success. This satirical solution may give you just the edge you need to outshine your co-workers while perfecting your trash-can basketball shot! Play the video

PERMALINKS

Use these permalinks to share info with friends

We love it when you include the links shown below in e-mails to your friends. This is better than forwarding your copy of our e-mail newsletter. (When our newsletter is forwarded, some recipients click "report as spam," and corporate filters start blocking our e-mails.)

The following link includes all articles this week: http://WindowsSecrets.com/comp/090507

Free content posted on May 7, 2009:

You get all of the following in our paid content:

Get our paid content by making any contribution

12 months of paid content

There's no fixed fee! Contribute whatever it's worth to you
Readers who make a financial contribution of any amount by May 13, 2009, will immediately receive the latest issue of our full, paid newsletter and 12 months of new paid content. Pay as much or as little as you like — we want as many people as possible to have this information.

A portion of your support helps children in developing countries
Each month, we send a full year of sponsorship to a different child. Your contributions in May are helping us to sponsor John Lester E., an 8-year-old boy from the Philippines who has three siblings and likes playing basketball. Children International channels development aid from donors to John Lester and his community. We also sponsor kids through Plan USA, Save the Children, and other respected agencies. More info

Use the link below to learn more about the benefits of becoming a paid subscriber!

More info on how to upgrade

Thanks in advance for your support!

YOUR SUBSCRIPTION

The Windows Secrets Newsletter is published weekly on the 1st through 4th Thursdays of each month, plus occasional news updates. We skip an issue on the 5th Thursday of any month, the week of Thanksgiving, and the last two weeks of August and December. Windows Secrets resulted from the merger of several publications: Brian's Buzz on Windows and Woody's Windows Watch in 2004, the LangaList in 2006, and the Support Alert Newsletter in 2008.

Publisher: WindowsSecrets.com LLC, Attn: #120 Editor, 1700 7th Ave., Suite 116, Seattle, WA 98101-1323 USA. Vendors, please send no unsolicited packages to this address (readers' letters are fine).

Editorial Director: Brian Livingston. Senior Editor: Ian Richards. Editor-at-Large: Fred Langa. Technical Editor: Dennis O'Reilly. Program Director: Tony Johnston. Program Manager: Ryan Biesemeyer. Web Developer: Damian Wadley. Research Director: Katy Abby. Copyeditor: Roberta Scholz. Contributing Editors: Susan Bradley, Scott Dunn, Mark Joseph Edwards, Michael Lasky, Woody Leonhard, Ryan Russell, Becky Waring.

Trademarks: Microsoft and Windows are registered trademarks of Microsoft Corporation. The Windows Secrets series of books is published by Wiley Publishing Inc. The Windows Secrets Newsletter, WindowsSecrets.com, Support Alert, LangaList, LangaList Plus, WinFind, Security Baseline, Patch Watch, Perimeter Scan, Wacky Web Week, the Logo Design (W, S or road, and Star), and the slogan Everything Microsoft Forgot to Mention all are trademarks and service marks of WindowsSecrets.com LLC. All other marks are the trademarks or service marks of their respective owners.

HOW TO SUBSCRIBE: Anyone may subscribe to this newsletter by visiting our free signup page.

WE GUARANTEE YOUR PRIVACY:

1. We will never sell, rent, or give away your address to any outside party, ever.
2. We will never send you any unrequested e-mail, besides newsletter updates.
3. All unsubscribe requests are honored immediately, period.

HOW TO UNSUBSCRIBE: To unsubscribe from the Windows Secrets Newsletter,
Copyright © 2009 by WindowsSecrets.com LLC. All rights reserved.
