Through no real fault of its own, uTorrent creator BitTorrent Inc. has become associated with the massive piracy carried out every day by its users. Due to the company sharing its name with the successful protocol, for many BitTorrent piracy and BitTorrent Inc. are one and the same thing.

That incorrect perception has proven corrosive for the company, so much so that for the past several years BitTorrent Inc. has been on a mission to position itself as the friend of content creators rather than their foe.

Now, following dozens of self-certified claims that the company doesn’t support piracy, BitTorrent Inc. has somewhat inevitably found itself in the crosshairs of the music industry.

In a letter dated July 30, 2015 sent from Brad Buckles, Executive Vice President of Anti-Piracy, the RIAA asks BitTorrent Inc.’s CEO to live up to his company’s claims of being a musicians’ champion. It begins with a subtle but serious reference to the company’s Distributed Hash Table.

“This year marks the 10th anniversary of BitTorrent Inc.’s development of a distributed hash table (DHT) approach to file distribution, and yet, as we have previously discussed with your company, we remain very concerned about the overwhelming use of BitTorrent Inc. developed clients to infringe our members’ content,” Buckles begins.

Building the RIAA’s case, Buckles says that software developed by BitTorrent Inc. facilitated approximately 75% of at least 1.6 million torrent based infringements in the United States during 2014.

Again referencing BitTorrent’s DHT – the system which allows torrents to be shared even when external BitTorrent trackers go down – the RIAA says that a sample of 500 audio torrents extracted from the database showed that 82.4% were “highly likely” to be protected by copyright.

Turning to comments previously made by now-former BitTorrent Chief Content Officer Matt Mason, Buckles challenges the notion that “the piracy happens outside the BitTorrent ecosystem.”

“[As] the above data clearly shows, this argument is disingenuous when BitTorrent Inc. itself is the source of the software that is used so overwhelmingly for infringement,” Buckles says.

Referencing Mason’s earlier comment that anyone using BitTorrent for piracy was “doing it wrong”, Buckles insists that the company now actually does something concrete to mitigate piracy.

“We urge BitTorrent Inc. to live up to those words and take meaningful steps to deter this widespread infringement occurring using its own products and services,” Buckles says.

The RIAA concludes with a list of hashes of its members’ works that have been infringed via BitTorrent Inc.’s “products and services” along with a suggestion that the company needs to take continuous action moving forward.

“We are willing to establish a process to share the hashes with BitTorrent Inc. on a regular basis so that BitTorrent Inc. can use the information to deter further infringement of those files via its goods and services,” the RIAA adds, while helpfully offering additional support, if needed.

“We also know of several companies that offer services to help identify infringing torrent sites and files that may be useful in helping BitTorrent Inc. take steps to reduce their facilitation of infringement.”

The RIAA stops short of asking BitTorrent Inc. to block or filter content in any specific manner but it’s clear what the music industry group has on its mind.

It’s been a long time coming but this move against BitTorrent Inc. is not unexpected and the company must’ve been preparing for the day for a long time. The ball’s now in the uTorrent creator’s court and it’s going to be a fascinating game, little doubt about that.

RIAA’s letter to BitTorrent Inc.

Source: TorrentFreak, for the latest info on copyright, file-sharing, torrent sites and the best VPN services.

Malibu Media, the Los Angeles based company behind the ‘X-Art’ adult movies, is one of the most active copyright trolls in the United States.

This year alone they have filed a 1,104 individual cases against alleged downloaders.

The main goal of the company is to demand settlements of a few thousand dollars, without going to trial. However, defendant Micheal Harrison decided to fight back and wants to have his case heard before a jury.

The lawsuit in question dates back to 2012 and both sites are now gearing up to present their arguments in court. This is new territory for the porn company, and recent motions reveal that the ‘copyright troll’ is worried about its image.

In particular, Malibu Media is worried that the ‘porn’ stigma and terms such as ‘copyright troll’ may influence the jury. It therefore asks the court to ban the use of these terms during the trial.

“If Defendant is permitted to refer to Plaintiff as ‘a copyright troll,’ ‘pornographer,’ ‘porn purveyor,’ or ‘extortionist,’ the negative connotations of those titles are clear and Plaintiff would be unfairly prejudiced in attempting to prove its case,” Malibu writes (pdf).

“The jury would likely be led to abandon its impartiality if those or similar titles are permitted in the courtroom,” they add.

According to the porn company using the term “porn” in court may lead the jury to believe that it its films are not entitled to copyright protection. In addition, they believe that it would trigger preconceived negative connotations.

“Such preconceived negative connotations may impart that Plaintiff’s works are not entitled to copyright protection or that Plaintiff should be treated differently under the law simply because of the industry that it is in,” Malibu writes.

The company wants to avoid these potential problems and has asked the court to restrict the defendant to the terms “Plaintiff” and “Malibu Media” when referencing the porn company during trial.

Defendant Micheal Harrison doesn’t agree with the request and this week he asked the court to dismiss the motion (pdf). Malibu Media is a producer of pornographic movies and should be described as such, he argues.

In addition, the defendant points out that “copyright troll” is a proper description for the business Malibu is engaged in, noting that the company has filed approximately 3,539 lawsuits in the United States.

If Malibu’s requests are granted it would not mark the first time that certain terms have been banned during a copyright trial. Hotfile was previously granted a motion that prohibited the MPAA from using “piracy,” “theft” and “stealing,” but this case was settled before the proceedings started.

Aside from the controversial terms, Malibu Media also asked the court not to accept references to “copyleft” blogs and to exclude an expert testimony of WiFi hacking and other speculative defenses.

The court has yet to decide on whether any terms, citations or other evidence will be off-limits during the trial. In any case, it will prove to be an interesting battle.

Source: TorrentFreak, for the latest info on copyright, file-sharing, torrent sites and the best VPN services.

With the phenomenon spreading around the world, the blocking of ‘pirate’ websites is emerging as a key anti-piracy strategy of the entertainment industries.

Europe has been a key battleground for the movement and if rightsholders have their way, yet another new regional country will implement blocks soon.

The current action involves German performance rights organization GEMA. Known for its aggressive anti-piracy stance, GEMA’s case dates back seven years when it found music tracks on major file-hosting sites (Rapidshare, Netload, Uploaded) being distributed via a links site known as 3DL.am. Since it couldn’t contact 3DL’s operators to deal with the infringement, GEMA expanded its fight elsewhere.

In a subsequent complaint, GEMA demanded that in order to reduce further copyright infringement, leading German ISP Deutsche Telekom should take technical steps to stop its customers from accessing 3DL.am.

The ISP refused, stating that as a mere ‘dumb pipe’ it has nothing to do with the infringement on the site. Furthermore, blocking one site would simply lead to increasing numbers of similar demands, the ISP argued.

In 2013 the Higher Regional Court of Hamburg rejected GEMA’s case on the basis that Deutsche Telekom is not the direct host of 3DL.am (now 3DL.tv). A subsequent appeal was also dismissed. However, persistence from the rights organization means that the case is now being heard by Germany’s Supreme Court.

Oliver Süme from Eco.de, the Association of the German Internet Industry, believes that GEMA’s efforts are destined to fail.

“The legal situation thus far is that [consumer ISPs] are not liable for infringements on the Internet. It is therefore pointless to impose on the providers the role of an auxiliary police force,” Süme says.

“Furthermore, the required technical measures to control and filter the traffic of Internet users violates telecommunications secrecy and data protection laws that we have fought in favor of for years.”

The Supreme Court says that a decision on the case will be handed down in November. In the meantime, 3DL continues business as normal.

Source: TorrentFreak, for the latest info on copyright, file-sharing, torrent sites and the best VPN services.

When entertainment industry groups speak publicly of the piracy situation, the rhetoric suggests that the sky is falling, that the very future of the business is at risk if something isn’t done quickly.

In truth it’s been that way for more than 30 years but that doesn’t stop successive governments in countries around the globe taking the threats seriously. And considering the size of the entertainment industries and the influence of those running them, it’s not difficult to see why.

In Australia, calls to do something about the “scumbag theft” carried out by “copyright bandits” have escalated to almost fever pitch in recent years, with 2014 seeing the most concerted effort yet to crack down on file-sharers and the sites they use.

In response, Attorney-General George Brandis and Communications Minister Malcolm Turnbull asked the Cabinet to develop legislation which would allow ‘pirate’ sites to be blocked by ISPs. In March 2015 the Copyright Amendment (Online Infringement) Bill 2015 was introduced and after just three months of consideration by parliament, the legislation was passed into law.

Considering the demands for dramatic and urgent action, one might think that rightsholders would be already queuing up to have the first sites blocked. But according to a report from ABC, that point is still a long way off.

While it appears that pay TV company Foxtel will be the pioneer of the very first legal case under the new legislation (probably against a big player such as The Pirate Bay), the timescale for implementation being quoted by the company is not a matter of weeks, but loosely described as arriving “in the coming months”.

The fact that Foxtel is still at the “legal advice” stage on “how best to put the legislation into effect” has upset critics, who believe that rightsholders may have overstated the need for urgent new laws.

“We are astounded, given the urgency with which this law was passed at the urging of the rights holders, that so far they haven’t bothered to use it,” says Internet Australia CEO Laurie Patton.

“We would have thought that they’d have a raft of cases ready to go if the problem is that critical.”

While six weeks might appear to be a reasonable amount of time to put a case together (the legislation was passed June 26), it’s worth bearing in mind that the first blocking cases to be brought in any region have always been the most important. Their implications stretch far beyond blocking a single site.

Although each case will be different to some extent, the first case – if presented correctly – will provide a template for subsequent cases, saving rightsholders (and the courts) lots of time and money in the long run. Getting the system running smoothly from the start will be a key priority so it’s no surprise that Foxtel aren’t already waiting at the doors of the court.

Nevertheless, there are plenty of things to be done and according to John Stanton from the Communications Alliance, Australia’s ISPs still haven’t been consulted on the basics of what will need to be done following any injunction.

“ISPs hope that if applications are to be lodged, rights holders will discuss them in advance with ISPs, to provide an opportunity for some shared understanding on logistical and other issues,” Stanton says.

“These issues including timing, the provision by rights holders of a landing page to inform internet users why a website has been blocked, discussion of the various technical options for website blocking and the planned breadth of an application.”

Considering the importance of ISPs to the success of site-blocking, not having included or consulted them thus far is somewhat of a mystery and perhaps indicative of how far from presenting its first case Foxtel is.

Still, with years of training behind them in respect of geo-unblocking services such as Netflix, it could very well be that the introduction of the first site blockade will have a minimum of impact on Aussies anyway – whether it arrives in the next few weeks or in distant months.

Source: TorrentFreak, for the latest info on copyright, file-sharing, torrent sites and the best VPN services.

Almost 18 months since it burst onto the scene in 2014 and Popcorn Time is still one of the most popular file-sharing applications on the market.

Millions of people use multiple variants of the Netflix-style tool everyday, with ease of use and wide content availability proving a hit with users old and new.

Popcorn Time’s success has also made it a target for anti-piracy companies desperate to shut it down, but today the software finds itself under attack of a different kind.

Antonios Chariton, aka ‘DaKnOb’, describes himself as a Security Engineer & Researcher. Currently in Greece studying for his B.Sc. in Computer Science, Chariton informs TorrentFreak that he’s discovered some serious security vulnerabilities in at least one fork of Popcorn Time.

“There are two reasons that made me look into Popcorn Time. First of all, I know many people who have installed this application on their personal computers and use it, and second of all, by pure accident: I was setting up my computer firewall when I noticed the network traffic initiated by Popcorn Time,” Chariton says.

The researcher says that the problems begin with “a really smart” technique that Popcorn Time uses to bypass ISP-level blocking in the UK. By utilizing Cloudflare infrastructure for part of its setup, it’s difficult to block Popcorn Time by DNS without banning the Cloudflare website, Chariton notes.

But cleverness aside, this is where the problems begin.

“First of all, the request to Cloudflare is initiated over plain HTTP. That means both the request and the response can be changed by someone with a Man In The Middle position (Local Attacker, Network Administrator, ISP, Government, etc.),” Chariton explains.

“The second mistake is that there is no input sanitization whatsoever. That means, there are no checks in place to ensure the validity of the data received. The third mistake is that they make the previous two mistakes in a NodeJS application.”

As shown in the image below, Chariton says he was able to perform a “content spoofing” attack, in which he gave the movie Hot Pursuit the title of “Hello World” instead.

The researcher says that while he could’ve changed any other information in the Popcorm Time application, that wouldn’t be “exactly much fun”. So, to get pulses racing, he launched an XSS attack instead.

As shown in the image below, Cross-Site Scripting (XSS) attacks allow for potentially malicious scripts to be injected into other web applications.

“We have injected malicious JavaScript and the client application executed the code. Using this attack we can show fake messages or even do something smarter. Since the application is written in NodeJS, if you find an XSS vulnerability, you are able to control the entire application,” Chariton explains.

“This essentially is Remote Code Execution on the computer that runs Popcorn Time. You can do anything the computer user could do.”

That’s obviously a pretty serious issue but Chariton does have some advice for the developers.

“HTTP is insecure. There’s nothing you can do to change this. Please, use HTTPS everywhere, especially in applications that don’t run inside a web browser. Second, sanitize your input. Even if you receive something over TLS v1.2 using a Client Certificate, it still isn’t secure! Always perform client-side checks of the server response,” he notes.

“Last but not least, just because something is Open Source doesn’t mean it’s audited and secure. Discovering and exploiting this vulnerability was literally one hour of work, including the time to write all the JavaScript payloads and come up with cool stuff to do,” Chariton concludes.

Making the situation more complex is the number of Popcorn Time forks in circulation. Chariton told us that he carried out his tests on the variant available at PopcornTime.io but it’s certainly possible that the same issues exist elsewhere on lesser-used forks.

That being said, the developers behind the variant available at Popcorn-Time.se inform TorrentFreak that their version isn’t vulnerable to these exploits.

“These security issues don’t refer to Popcorn-time.se since we built Popcorn Time from scratch in C++,” the devs explain.

“We don’t use Node Webkit which is known for having security issues, but chose the longer route of building our platform on our own from the ground up to avoid just these kind of issues.”

TorrentFreak reached out to Popcorntime.io yesterday but at the time of publication we had received no response. Chariton has raised the issue here and it’s currently under discussion.

Source: TorrentFreak, for the latest info on copyright, file-sharing, torrent sites and the best VPN services.