PROJET AUTOBLOG

TorrentFreak

Archived. Original site: TorrentFreak

Researcher Finds Critical Vulnerabilities in Hollywood Screener System

Friday 9 September 2016 at 17:26

So-called screener copies of the latest movies are some of Hollywood’s most valuable assets, yet every year, to the delight of pirates, many leak out onto the Internet.

Over the years, Hollywood has done its best to limit the leaks, but every 12 months without fail, many of the top titles appear online in close to perfect quality.

With that in mind, the studios have been testing Netflix-like systems that negate the need for physical discs to be sent out.

One such system has been made available at Awards-Screeners.com. Quietly referenced by companies including 20th Century Fox, the site allows SAG-AFTRA members and other industry insiders to view the latest movies in a secure environment. At least, that’s the idea.


In late August, TorrentFreak was contacted by security researcher Chris Vickery of MacKeeper.com, who told us that while conducting tests he’d discovered an exposed MongoDB database that appeared to be an integral part of Awards-Screeners.com.

“The database was running with no authentication required for access. No username. No password. Just entirely exposed to the open internet,” Vickery told TF.

The researcher’s discovery was significant as the database contained more than 1,200 user logins. Vickery did not share the full database with TF but he did provide details of a handful of the accounts it contained. Embarrassingly, many belong to senior executives including:

– Vice President of International Technology at Universal Pictures
– Director of Content Technology & Security at Disney
– Vice President of Post-Production Technology at Disney
– Executive Director, Feature Mastering at Warner Bros
– Vice President of Global Business & Technology Strategy at Warner Bros
– Director of Content Protection at Paramount Pictures
– VP of corporate communications and publicity for 20th Century Fox

Even if the stored password hashes had been slow to crack, cracking was unnecessary: the database accepted unauthenticated connections with full read and write access, so from a security perspective it was a disaster.

“Any of the values in the database could have been changed to arbitrary values, i.e. create-your-own-password,” Vickery said.
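The two settings that separate an exposed mongod from a locked one, as an added example that is not part of the original article and not Vision Media’s configuration: a small audit of a mongod.conf, with a constructed weak config beside a constructed hardened one. It assumes the flat two-level YAML layout mongod.conf uses; the paths and the wording of the findings are illustrative.

```python
"""Audit a mongod.conf for the settings that turn an internal MongoDB into
one that answers, unauthenticated, to the whole Internet.  Both config
snippets are constructed for illustration (added example, not Vision
Media's configuration)."""

# Constructed: roughly what an "open to the internet" deployment looks like.
WEAK_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0     # every interface
# no 'security' section: authorization off, every client is an admin
"""

# Constructed: the same server with the two corrections applied.
HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1   # local clients only; use a private address if remote
security:
  authorization: enabled
"""


def parse_conf(text):
    """Parse the two-level 'section:' / '  key: value' YAML subset that
    mongod.conf uses.  Comments and blank lines are skipped.  This is not
    a general YAML parser; it covers the flat layout shown above."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        if indent == 0:
            section = key.strip()
            conf.setdefault(section, {})
        elif section is not None:
            conf[section][key.strip()] = value.strip()
    return conf


def audit_mongod_conf(text):
    """Return a list of findings; an empty list means both checks pass."""
    conf = parse_conf(text)
    findings = []

    net = conf.get("net", {})
    bind = net.get("bindIp")
    if net.get("bindIpAll", "").lower() == "true":
        findings.append("net.bindIpAll is true: mongod listens on every interface")
    elif bind is None:
        # 3.6+ binaries default to localhost; the 2016-era 3.2 line bound to
        # all interfaces when bindIp was left unset.
        findings.append("net.bindIp not set: pre-3.6 releases listen on every "
                        "interface by default")
    elif any(a.strip() in ("0.0.0.0", "::") for a in bind.split(",")):
        findings.append(f"net.bindIp={bind}: mongod listens on every interface")

    if conf.get("security", {}).get("authorization", "").lower() != "enabled":
        findings.append("security.authorization not enabled: any client that "
                        "can reach the port has full read/write access")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_mongod_conf(text) or ["ok"])
```

Enabling authorization is the half that matters most: with it off, MongoDB’s role system is never consulted, so anyone who can complete a TCP connection gets exactly the access Vickery describes, including rewriting stored password hashes. Binding to localhost or a private address limits who can connect in the first place; the 3.2-era defaults of 2016 did neither.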


According to the researcher, this vulnerability had the potential to blow a hole in the screener system and could’ve had huge piracy and subsequent law enforcement implications.

“Theoretically, it would have been possible for a malicious person to log into any of the 1,200+ user accounts, screencap an unreleased film, and torrent it to the world,” he explained.

“There’s also supposedly video watermark technology that makes it possible to trace which account it came from. So basically you could have framed any of the users for the distribution as well by using their account to do it.”

The screenshot below shows Vickery’s view of the database, in this case highlighting the availability of a screener copy of the soon-to-be-released Oliver Stone movie, Snowden.

[Screenshot: awards-snowden]

Vision Media Management, which claims to be the largest Awards screener fulfillment operation in the world, is the outfit in charge of the system. It’s described in the company’s promotional material as a “Secure Digital Screener” platform “selected by the MPAA major studios as the preferred secure content delivery method for Awards voters.”

Like all responsible data breach hunters, Vickery did his research and decided to inform Awards-Screeners.com and Vision Media Management of his findings. Initially, they appeared somewhat grateful.

“During my telephone conversation with Vision Media Management, which consisted of me, their lead counsel (Tanya Forsheit), and their CTO (Doug Woodard), they were very surprised and worried. They didn’t understand how this could happen and claimed that the system should have nothing loaded into it currently and was purged months ago,” Vickery said.

“This is not believable due to time stamps of activity in the database. In the ‘Snowden’ screenshot, for example, you can see that the entry was updated on 7/13/2016.”


Vickery also informed the MPAA of his discoveries and was told by the organization’s Office of Technology that it was “currently working diligently” with Vision to “evaluate the situation and take appropriate remedial action.”

Meanwhile, conversations between Vickery and Vision Media Management continued. The researcher says that the company tried to downplay his findings with claims that the database had been secure and contained only test data.

However, when Vickery asked if he could release the database, he was advised it was too sensitive to be made public. The company then began a drive to convince the researcher that security at Amazon, one of Vision’s vendors, was to blame for the leak. Vision’s lawyer also suggested that Vickery had “improperly downloaded” the database.

In a follow-up mail, Vickery made it clear to Vision that allegations of “improper downloading” were incompatible with the fact that the database had been published openly to the public Internet. And, after all, he had done the responsible thing by informing them of their security issues.

“I have cooperated with and contributed to data breach-related investigations conducted by the FTC, FBI, US Navy, HHS/OCR, US Secret Service, and other similar entities,” he told the company. “Not a single regulatory or government agency I have interacted with has even suggested that what I do, downloading publicly published information, is improper.”

In subsequent discussion with Vickery, Vision Media asked for time to assess the situation but by September 4, the researcher had more bad news for the company.

Emails shared with TF show Vickery informing Vision of yet more security holes in its system, specifically a pair of publicly exposed S3 buckets located on Vision resources at Amazon. Vickery says these contained development and release builds of Vision’s Android app, development and deployment meeting notes, plus some unexplained references to Netflix.
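For the S3 side, an added example that is not from the article and not Vision Media’s code: a bucket’s contents become world-readable either through the bucket ACL or through a bucket policy, and S3 buckets are private until one of those grants it, so a check has to cover both. The ACL and policy documents below are constructed samples in the shape `aws s3api get-bucket-acl` returns and of the policy JSON that `aws s3api get-bucket-policy` wraps; the bucket name, account ID and statement Sids are placeholders.

```python
"""Decide whether an S3 bucket is reachable by the world through its ACL
or its bucket policy.  Both documents below are constructed samples in the
shape `aws s3api get-bucket-acl` returns and the policy JSON that
`aws s3api get-bucket-policy` wraps (added example, not Vision Media's)."""
import json

# Grantee URIs AWS uses for "everyone" and "any AWS account holder".
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "anyone on the Internet",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account",
}

# Constructed: owner has FULL_CONTROL, the world has READ (can list keys).
SAMPLE_ACL = json.loads("""
{
  "Owner": {"ID": "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"},
  "Grants": [
    {"Grantee": {"Type": "CanonicalUser",
                 "ID": "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"},
     "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group",
                 "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"}
  ]
}
""")

# Constructed: bucket name, account ID and Sids are placeholders.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-builds/*"},
    {"Sid": "TeamWrite", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/ci"},
     "Action": ["s3:PutObject"], "Resource": "arn:aws:s3:::example-builds/*"}
  ]
}
""")


def public_grants(acl):
    """[(who, permission), ...] for every ACL grant to a public group.
    Bucket READ lets anyone list keys; fetching an object additionally
    needs object-level READ or a policy grant, which is why both are
    checked."""
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEES:
            found.append((PUBLIC_GRANTEES[grantee["URI"]], grant.get("Permission")))
    return found


def _principal_is_everyone(principal):
    """Principal "*" and {"AWS": "*"} both mean anonymous access."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in (aws if isinstance(aws, list) else [aws])
    return False


def public_policy_statements(policy):
    """[(sid, actions, 'conditional'|'unconditional'), ...] for Allow
    statements open to everyone.  A Condition (e.g. aws:SourceVpce) may
    narrow it, so those are flagged for review rather than passed."""
    out = []
    statements = policy.get("Statement", [])
    for st in (statements if isinstance(statements, list) else [statements]):
        if st.get("Effect") == "Allow" and _principal_is_everyone(st.get("Principal")):
            actions = st.get("Action", [])
            actions = actions if isinstance(actions, list) else [actions]
            out.append((st.get("Sid"), actions,
                        "conditional" if st.get("Condition") else "unconditional"))
    return out


def is_public(acl, policy=None):
    return bool(public_grants(acl)) or bool(public_policy_statements(policy or {}))
```

AWS added S3 Block Public Access in November 2018, which can override both mechanisms at the account or bucket level; where it is not enabled, as was universally the case in 2016, the ACL and the policy are what decide who can list and fetch the build artifacts and meeting notes Vickery found.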

In the run-up to this piece, Vickery advised Vision Media that a public disclosure would be likely so in an effort to provide balanced reporting, TorrentFreak reached out to Vision Media’s CEO for a statement on the researcher’s findings. At the time of publication, nothing had been received.

And after several conversations with Vision via email and on the phone, Vickery was drawing a blank this week too.

“Vision has not gotten back to me today, and we were very clear last week that they would be contacting me again by Thursday,” Vickery told TF. “I even sent them a little reminder earlier and asked if we were still planning to talk. No response all day.”

In the absence of an official statement from Vision Media, it’s impossible to say how many people accessed the Awards-Screener database before Vickery, or what their intentions were. Perhaps only time will tell but one thing is clear – a move to the digital space might not be the perfect solution for screener distribution.

Check out Chris Vickery’s report on MacKeeper

Source: TF, for the latest info on copyright, file-sharing, torrent sites and ANONYMOUS VPN services.

395,000 uTorrent Forum Accounts Put Up For Sale By Hackers

Friday 9 September 2016 at 10:10

With more than 150 million users a month, uTorrent is by far the most popular torrent client in the West.

This popularity and the need for technical support means that parent company BitTorrent Inc. needs to maintain a community forum. With tens of thousands of visitors each day, it too is quite popular. However, it recently came to light that information the site held on its users was no longer secure.

In June, the uTorrent team issued a security alert which advised users to change their passwords. According to one of uTorrent’s vendors, a compromise of uTorrent’s database had occurred following a security issue elsewhere.

“The vulnerability appears to have been through one of the vendor’s other clients, however it allowed attackers to access some information on other accounts. As a result, attackers were able to download a list of our forum users,” uTorrent said at the time.

Since then things have gone pretty quiet but according to information just published, the problems might be about to get worse.

According to Hackread, the uTorrent database obtained during the breach has now gone up for sale on a darknet marketplace. Offered for sale by a user called “DoubleFlag”, it is said to contain emails and passwords from the forum.

“Out of a total of 394,769 accounts, some passwords are encrypted with Secure Hash Algorithm 1 (SHA-1) and some with the weak MD5 hashes,” the publication reports.
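What Hackread calls “encrypted” is hashing, and the detail that matters is that MD5 and SHA-1 digests with no salt are cheap to reverse in bulk. The following is an added example, not from the article, Hackread or BitTorrent Inc.; the rows, addresses and wordlist are constructed. It shows that without a salt one digest per guess tests every account at once, that identical digests reveal shared passwords before any cracking, and that a salted, iterated hash (PBKDF2 from Python’s standard library here) removes both shortcuts.

```python
"""Why a dump of unsalted MD5/SHA-1 password hashes is worth buying, and
what a sane store looks like instead.  Rows, addresses and wordlist are
constructed (added example, not from the article, Hackread or
BitTorrent Inc.)."""
import hashlib
import hmac
import os

# Constructed "leaked rows": (email, algorithm, hex digest), no salt anywhere.
LEAKED_ROWS = [
    ("alice@example.com", "md5",  hashlib.md5(b"letmein").hexdigest()),
    ("bob@example.com",   "sha1", hashlib.sha1(b"utorrent2016").hexdigest()),
    ("carol@example.com", "md5",  hashlib.md5(b"letmein").hexdigest()),
    ("dave@example.com",  "sha1", hashlib.sha1(b"correct horse battery staple").hexdigest()),
]
# Constructed wordlist; real attacks use hundreds of millions of entries.
WORDLIST = ["123456", "password", "letmein", "utorrent", "utorrent2016", "qwerty"]


def crack_unsalted(rows, wordlist):
    """Dictionary attack on unsalted hashes.  With no salt, one digest per
    candidate word is compared against every account that used that
    algorithm, so cost is O(words), not O(words * accounts)."""
    tables = {}
    for algo in {algo for _, algo, _ in rows}:
        tables[algo] = {hashlib.new(algo, w.encode()).hexdigest(): w for w in wordlist}
    return {email: tables[algo][digest]
            for email, algo, digest in rows if digest in tables[algo]}


def shared_passwords(rows):
    """Identical unsalted digests mean identical passwords, cracked or not."""
    seen = {}
    for email, algo, digest in rows:
        seen.setdefault((algo, digest), []).append(email)
    return [emails for emails in seen.values() if len(emails) > 1]


# What the forum should have stored: a per-user random salt plus an
# iterated hash.  600,000 is OWASP's 2023 figure for PBKDF2-HMAC-SHA256;
# memory-hard alternatives (scrypt, Argon2) are better still.
ITERATIONS = 600_000


def store_password(password):
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(stored, password):
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unknown hash format")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    print(crack_unsalted(LEAKED_ROWS, WORDLIST))
    print(shared_passwords(LEAKED_ROWS))
    record = store_password("letmein")
    print(record, verify_password(record, "letmein"))
```

With a random salt per user, two users with the same password get different records, a precomputed table is useless, and each guess must be hashed once per account; the iteration count then makes each of those guesses cost roughly a million times what a single MD5 does.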

[Screenshot: utorrent-hack]

As can be seen from the screenshot above, the asking price is pretty low considering the number of accounts involved. The seller is asking just BTC 0.9580 ($602) for the data, which may (or may not) be an indication of its usefulness.

Another interesting detail coming out of this offer of sale is the claim from DoubleFlag that the data was obtained from uTorrent back in January. That’s a full six months in advance of the security alert from uTorrent.

The same January date is claimed by Haveibeenpwned.com, but that site states that ‘just’ 34,235 accounts have been compromised.


EU Court: Not-For-Profit Hyperlinking Usually Not Copyright Infringement

Thursday 8 September 2016 at 17:30

In 2011, Dutch blog GeenStijl.nl published an article linking to leaked Playboy photos which were stored on file-hosting site FileFactory.

After filing a request with Filefactory, Playboy publisher Sanoma managed to have the photos removed from the platform. However, GeenStijl continued to find other sources for the photographs and linked to them instead. Sanoma said that this was an infringing act.

The case went to trial and was later referred to the European Court of Justice. The ECJ was asked to rule on whether the links posted by GeenStijl amounted to a ‘communication to the public’ under Article 3(1) of the EU Copyright Directive and therefore infringement.

After deliberating for months, the ECJ has just handed down its decision and it’s bad news for GeenStijl operator GS Media and others operating in a commercial environment. On the other hand, it may give a little more flexibility to the general public.

“In accordance with the directive concerned, Member States are to provide authors with the exclusive right to authorize or prohibit any communication to the public of their works,” a statement from the Court reads.

“At the same time, that directive seeks to maintain a fair balance between, on the one hand, the interests of copyright holders and related rights and, on the other, the protection of the interests and fundamental rights of users of protected objects, in particular their freedom of expression and of information, as well as the general interest.”

The Court says that when determining a ‘communication to the public’ several criteria need to be addressed, including any deliberate posting of links to protected works and whether the communication had any profit-making component.

In its ruling, the Court recognizes the importance of freedom of expression and notes the importance of hyperlinks when exchanging both opinions and information. It also accepts that determining whether a linked work is infringing could be a troublesome task.

Given the above, the Court found that knowledge of the potentially infringing status of a work plus commercial motivation play a pivotal role in determining whether a ‘communication to the public’ has taken place.

“For the purposes of the individualised assessment of the existence of a ‘communication to the public’, it is necessary, when the posting of a hyperlink to a work freely available on another website is carried out by a person who, in so doing, does not pursue a profit, to take account of the fact that that person does not know and cannot reasonably know that that work had been published on the internet without the consent of the copyright holder,” the Court’s statement reads.

“Indeed, such a person, does not, as a general rule, intervene in full knowledge of the consequences of his conduct in order to give customers access to a work illegally posted on the internet.”

The situation changes entirely when a person already has knowledge of potential infringement and is motivated by profit.

“In contrast, where it is established that such a person knew or ought to have known that the hyperlink he posted provides access to a work illegally published, for example owing to the fact that he was notified thereof by the copyright holders, the provision of that link constitutes a ‘communication to the public’,” the Court said.

When posting links for profit, the ECJ said that it expects people to carry out the “checks necessary” to ensure that work concerned has not been illegally published.

“When hyperlinks are posted for profit, it may be expected that the person who posted such a link should carry out the checks necessary to ensure that the work concerned is not illegally published. Therefore, it must be presumed that that posting has been done with the full knowledge of the protected nature of the work and of the possible lack of the copyright holder’s consent to publication on the internet.

“In such circumstances, and in so far as that presumption is not rebutted, the act of posting a clickable link to a work illegally published on the internet constitutes a ‘communication to the public’.”

The ruling is bad news for GS Media, who posted the links in the course of business even after being informed by Playboy that the content in question was infringing. The company says the decision is bad for the freedom of the press.

“The struggle for the survival of the free Internet including hyperlinks has today received a hefty blow,” a statement on Geenstijl reads.

“When commercial media companies – like GeenStijl – are no longer free and fearless to hyperlink, it becomes difficult to report on newsworthy new questions about leaking information, internal struggles, and unsecured networks within large companies.

“But we will not give up: for that press freedom we will fight on, in this case and beyond. Until then: careful when hyperlinking people, as today a minefield has been laid on the free internet.”

A landmark piracy trial in Sweden against the operators of streaming portal Swefilmer was suspended in June pending the ECJ’s decision. It appears that much will now hinge on whether the operators knew the content they linked was illegal and if a profit motive was involved.


ISP Deletes IP-address Logs to Fend Off Piracy “Extortion Letters”

Thursday 8 September 2016 at 09:27

In recent years file-sharers around the world have been threatened with lawsuits if they don’t pay a significant settlement fee.

These so-called “copyright trolling” efforts have been a common occurrence in countries such as Germany and the United States, and last week they started in Sweden as well.

Rightsholders are targeting thousands of alleged pirates. First, they ask the court for a subpoena to expose the personal details of account holders connected to certain IP-addresses, which they then present to the associated ISPs.

Some Internet providers have been cooperating with these requests, but not all. Most notably, the privacy-oriented ISP Bahnhof is doing everything in its power to prevent its customers from being exposed.

This week the ISP explained how its logging policies are tailored so that only requests made in criminal cases can be satisfied, not civil claims against BitTorrent users or other alleged file-sharers.

In Sweden, ISPs are required to keep IP-address logs for six months under the Electronic Communications Act (LEK). This legislation allows the authorities to demand this type of data in criminal cases, such as those involving murder and terrorism.

To comply with this requirement, Bahnhof has set up a separate database of logs that are stored for the minimum required period and can be accessed for those cases only. The regular operational logs are purged immediately.

[Image: Bahnhof, illustrating its logging policy]

When copyright holders request IP-address details, which they do under the contested IPRED legislation, the ISP simply has nothing to hand over. This is very similar to the non-logging policies of many VPN services.

“We store logs for six months to fight crime, absolutely. But we save everything in a separate system, which is only used for LEK,” Bahnhof CEO Jon Karlung says.

“My impression is that some other operators have their clients’ IP addresses stored in several different places. They then also become more vulnerable to having to disclose data under IPRED rules.”

Bahnhof itself has operated like this for years, but now that mass file-sharing cases have landed in Sweden the value of this policy is becoming apparent.

Rightly so, according to the ISP, which says it has found a good way to fend off copyright trolls.

“If all operators stored data the way we do, we would avoid the extortion letters altogether. Because we have the motto ‘Internet privacy’ we are very careful with personal data,” Karlung says.

Bahnhof’s CEO adds that other companies should think more carefully about where data is stored. The more databases there are, the more likely it is that they can be compelled to share subscriber data.

“The more different databases there are, the greater the risk that privacy is compromised,” Karlung adds.

Rick Falkvinge, founder of the Swedish Pirate Party, applauds Bahnhof’s logging policy. He discussed the issue in a recent article and informs TorrentFreak that data retention laws which are supposed to help catch terrorists shouldn’t be used against file-sharers.

“The damage these copyright trolls are doing to society is immeasurable. They were able to get shameless mail-order legislation justified by the war on terror, and are now turning those anti-terrorism laws against defenseless single mothers in order to protect a crumbling entertainment monopoly.

“There is absolutely no reason to tolerate, nor to forgive, this kind of behavior,” he adds.

It will be interesting to see whether any of the ISPs currently handing over personal details connected to IP-addresses will follow suit and change their policies in the future.


Megaupload: Court Copy-Pasted U.S. Lawyers, Made Glaring Errors

Wednesday 7 September 2016 at 20:32

Last December a New Zealand District Court ruled that Kim Dotcom and his colleagues can be sent to the United States to face criminal charges.

Judge Nevin Dawson found there was an “overwhelming” case for Dotcom, Mathias Ortmann and Bram van der Kolk, to be extradited.

This decision was immediately appealed and last week a lengthy series of appeal hearings kicked off at New Zealand’s High Court. Represented by a team of lawyers, the Megaupload defendants say that Judge Nevin Dawson failed to give them a fair hearing.

During the most recent hearing, which was live-streamed on YouTube, Kim Dotcom’s defense lawyer Ron Mansfield argued that the lower court made several errors in its final ruling.

For example, it relied heavily on the writings of U.S. Government lawyers. According to Mansfield, the verdict included copy-pasted text from U.S. contributions to the record of case (ROC) on close to 60% of all pages.

“At [156 pages of his 271-page judgment] the Judge has simply replicated in full passages from the US submissions on the ROC and asserted inferences,” Mansfield noted.

“He has erred by failing to weigh the evidence and to determine whether the asserted inference is available and reasonable. He also fails to even seek to adopt the inferences promoted,” he added.

Dotcom’s lawyer lists numerous errors allegedly made by the District Court, discussing them point by point while noting that not all U.S. evidence should have been taken at face value.

[Image: Errors]

In essence, the defense’s argument boils down to the question of whether the claimed offenses committed by Megaupload and its employees warrant extradition under the treaty in place between the U.S. and New Zealand.

However, the copyright angle was also widely discussed. Dotcom’s lawyer argued that Megaupload was an Internet service provider and, as such, enjoys safe harbor protection and cannot be held criminally liable for copyright infringement by its users.

The High Court will have to make a crucial decision on this issue, he added, which will determine whether Internet service providers can be held criminally liable for user generated content. That matters not only to other ISPs but to the public at large.

“Ever since the printing press, the resultant copyright acts have achieved a careful balance between the competing interests of the content holder, new technologies that can be used to copy and the user,” Mansfield said.

“The US is seeking through this proceeding to change the historical and existing obligation imposed by the protection of copyright from the content holder on to a new technology, the ISP.”

To reach a conclusion, the court will have to consider what ISPs’ obligations are when it comes to user-uploaded and distributed works, as far as copyright is concerned.

“Do ISPs have a legal obligation to investigate and enforce copyright infringement, criminal or civil, by its users?” Mansfield questioned.

“Ultimately, are ISPs responsible for user generated content? And, if so, how might that impact on the careful balance achieved by Parliament through the Copyright Act?” he added.

Even if the court finds that Megaupload and its employees are liable for copyright infringement, the defense argues that the extradition request should still be denied, on the basis that copyright infringement is not an extraditable offense under the U.S. / New Zealand treaty.

“There is no extradition offense under the US-NZ Treaty because….the essence of the conduct is the communication of copyright-protected works through the Internet,” Mansfield said.

[Image: Primary submission]

The hearing was just the first day for Dotcom’s lawyer, and many more will follow. The prosecution is likely to disagree with many of these points when it offers its counter-arguments, a process that’s expected to continue for several weeks.

Kim Dotcom is aware of the stakes but is confident that the appeal will lead to a positive outcome.

“I can’t see how any impartial judge can extradite me. The law is just simply completely on our side. There is not even space for interpretation. That’s how clear the law is,” Dotcom tells TorrentFreak.

“But it’s a political case and there is a lot at stake for people in power. If I win they will fall as a result,” he concludes.
