PROJET AUTOBLOG


TorrentFreak

Archived

Original site: TorrentFreak

Huge Security Flaw Leaks VPN Users’ Real IP-Addresses

Friday 30 January 2015 at 17:55

The Snowden revelations have made it clear that online privacy is certainly not a given.

Just a few days ago we learned that the Canadian Government tracked visitors of dozens of popular file-sharing sites.

As these stories make headlines around the world interest in anonymity services such as VPNs has increased, as even regular Internet users don’t like the idea of being spied on.

Unfortunately, even the best VPN services can’t guarantee to be 100% secure. This week a very concerning security flaw revealed that it’s easy to see the real IP-addresses of many VPN users through a WebRTC feature.

With a few lines of code websites can make requests to STUN servers and log users’ VPN IP-address and the “hidden” home IP-address, as well as local network addresses.

The vulnerability affects WebRTC-supporting browsers including Firefox and Chrome and appears to be limited to Windows machines.

A demo published on GitHub by developer Daniel Roesler allows people to check if they are affected by the security flaw.

IP-address leak

The demo claims that browser plugins can’t block the vulnerability, but luckily this isn’t entirely true. There are several easy fixes available to patch the security hole.

Chrome users can install the WebRTC block extension or ScriptSafe, which both reportedly block the vulnerability.

Firefox users should be able to block the request with the NoScript addon. Alternatively, they can type “about:config” in the address bar and set the “media.peerconnection.enabled” setting to false.

TF asked various VPN providers to share their thoughts and tips on the vulnerability. Private Internet Access told us that they are currently investigating the issue to see what they can do on their end to address it. (Update: PIA published an article on the issue today.)

TorGuard informed us that they issued a warning in a blog post along with instructions on how to stop the browser leak. Ben Van Der Pelt, TorGuard’s CEO, further informed us that tunneling the VPN through a router is another fix.

“Perhaps the best way to be protected from WebRTC and similar vulnerabilities is to run the VPN tunnel directly on the router. This allows the user to be connected to a VPN directly via Wi-Fi, leaving no possibility of a rogue script bypassing a software VPN tunnel and finding one’s real IP,” Van der Pelt says.

“During our testing Windows users who were connected by way of a VPN router were not vulnerable to WebRTC IP leaks even without any browser fixes,” he adds.

While the fixes above are all reported to work, the leak is a reminder that anonymity should never be taken for granted.

As is often the case with these types of vulnerabilities, VPN and proxy users should regularly check if their connection is secure. This also includes testing against DNS leaks and proxy vulnerabilities.
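A connection check of this kind comes down to auditing the ICE candidate lines a browser produces and comparing every address in them with the address the VPN is supposed to present. The sketch below is an added example, not code from the article or from the GitHub demo: the function names and the `vpnExitIp` parameter are hypothetical, the sample candidates are constructed from documentation address ranges, and it goes slightly beyond the article by also handling IPv6 and mDNS-obfuscated host candidates.

```javascript
// Added example: audit ICE candidate lines for addresses that bypass a VPN.
// RFC 5245: candidate:<foundation> <component> <transport> <priority> <addr> <port> typ <type> [raddr <addr> ...]

function isPrivate(addr) {
  const a = addr.toLowerCase();
  if (a.includes(':')) {
    // IPv6 loopback, unique-local fc00::/7, link-local fe80::/10
    return a === '::1' || /^f[cd][0-9a-f]{2}:/.test(a) || /^fe[89ab][0-9a-f]:/.test(a);
  }
  const [o1, o2] = a.split('.').map(Number);
  return o1 === 10 || o1 === 127 ||
    (o1 === 172 && o2 >= 16 && o2 <= 31) ||
    (o1 === 192 && o2 === 168) ||
    (o1 === 169 && o2 === 254);
}

function parseCandidate(line) {
  const m = /candidate:\S+ \d+ (\S+) \d+ (\S+) (\d+) typ (\S+)(?: raddr (\S+))?/i.exec(line);
  if (!m) return null;
  return { transport: m[1].toLowerCase(), address: m[2], port: Number(m[3]),
           type: m[4], raddr: m[5] || null };
}

// vpnExitIp (hypothetical parameter): public address the VPN should present.
function auditCandidates(lines, vpnExitIp) {
  const verdicts = new Map();
  for (const line of lines) {
    const c = parseCandidate(line);
    if (!c) continue; // ignore malformed lines
    // raddr on a reflexive candidate repeats the local base address: audit both
    for (const addr of [c.address, c.raddr]) {
      if (!addr || addr === '0.0.0.0' || verdicts.has(addr)) continue;
      if (addr.endsWith('.local')) verdicts.set(addr, 'obfuscated'); // mDNS name
      else if (isPrivate(addr)) verdicts.set(addr, 'local-address-exposed');
      else if (addr === vpnExitIp) verdicts.set(addr, 'vpn-exit');
      else verdicts.set(addr, 'real-ip-leak');
    }
  }
  return Object.fromEntries(verdicts);
}

// Constructed sample (documentation address ranges), not captured traffic.
const SAMPLE = [
  'candidate:1 1 udp 2122260223 192.168.1.23 51432 typ host',
  'candidate:2 1 udp 2122194687 10.8.0.6 51433 typ host',
  'candidate:3 1 udp 1686052607 203.0.113.77 51432 typ srflx raddr 192.168.1.23 rport 51432',
  'candidate:4 1 udp 1685987071 198.51.100.9 51433 typ srflx raddr 10.8.0.6 rport 51433',
];
console.log(auditCandidates(SAMPLE, '198.51.100.9'));
```

Any `real-ip-leak` verdict means a public address other than the VPN exit was disclosed; with `media.peerconnection.enabled` set to false, or the VPN terminated on the router, the candidate list should contain no such entry.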

Update: FreeBSD also appears to be affected by the vulnerability.

Source: TorrentFreak, for the latest info on copyright, file-sharing, torrent sites and anonymous VPN services.

Reddit Rejects 62% of All Copyright Complaints

Friday 30 January 2015 at 11:18

Reddit is without doubt one of the most popular sites on the Internet. The community-driven behemoth is the world’s 28th most popular site according to Alexa, rising to 9th most trafficked in the United States.

Founded in 2005, the vocal SOPA opponent’s last set of published stats (Oct 2014) paint an awesome picture: 174 million unique visitors from 186 countries viewed some 6.1 billion pages.

Aside from posting the latest breaking news, AMAs, plus a million items in between, it will come as no surprise that in 2014 some of Reddit’s users also infringed copyright. Details of subsequent complaints have previously remained private but thanks to the publication of Reddit’s very first transparency report, we now have more of an insight.

While the company has some fascinating thoughts on copyright (which we’ll come to in a moment) it’s notable how few takedown requests Reddit receives.

In 2014 the site received just 218 requests to remove content, 81% of which were DMCA-style copyright notices.

Interestingly and unlike those who send the notices, Reddit reveals that “real humans” examine each and every request received. It’s clear that in many cases they don’t like what they see.

From 176 DMCA complaints received, Reddit removed content in just 76 instances, 38% compliance overall. For a variety of reasons, in 62% of cases Reddit rejected notices completely.

Overbroad

As previously reported here on TF, on many occasions copyright holders have approached Google in an attempt to have entire Reddit communities removed from its indexes. The search engine mostly rejects those requests and Reddit isn’t impressed by them either.

“We received many copyright takedown requests for entire subreddits. We (and the DMCA) require specific identification of allegedly infringing content, not broad demands to delete entire reddit communities,” the company reveals.

Links don’t infringe copyright

Reddit doesn’t host any content of its own but instead users can post links to material hosted elsewhere, which they do in their millions every day. However, when those links point to infringing content such as movies, music or TV shows, copyright holders tend to see that as facilitation of infringement. Nevertheless, Reddit has its own opinions on what breaches the law.

“A significant percentage of the copyright takedown requests we received were for user-submitted URLs that link to content hosted on other websites. Because links do not generally infringe copyright, we exercise extra scrutiny in assessing takedowns for links,” the company says.

Of course, Google might argue the same point but instead it removes millions of links to content every single week.

Notices fail to meet legal requirements

Under the DMCA a copyright holder can request content to be removed from a third-party website via the sending of a properly formatted DMCA notice. Such notices must include:

– A physical or electronic signature of the person authorized to act on behalf of the copyright holder
– Clear identification of the original infringed work
– Clear identification of the allegedly infringing content

According to Reddit, many notice senders fail to make the grade.

“We rejected many copyright takedown requests because they did not include the information required by the Digital Millennium Copyright Act (DMCA),” the company reports.

Conclusion

Overall and despite its millions of users, it appears that Reddit does not have a significant copyright infringement problem, despite the fact that several sub-reddits are dedicated to linking to infringing content. For now most copyright holders are ignoring the site, while others prefer to complain to Google instead.

Reddit’s 2014 Transparency Report can be downloaded here (pdf).

MPAA Trademark Forces “Rated R” Beer To Drop Its Name

Thursday 29 January 2015 at 20:21

The MPAA is best known for its efforts to protect the rights of the major movie studios. However, the group also has some intellectual property of its own to defend.

A few weeks ago the MPAA sent a cease and desist letter to Minneapolis beer brewery 612 Brew, who’re known for their tasty beers including the popular “Rated R” brand.

The movie industry group pointed out that the company was using the “Rated R” trademark without permission and urged the beer maker to drop the name to avoid confusion.

The MPAA registered “Rated R” at the trademark office in the eighties as a certification mark, indicating that a movie is rated unsuitable for children under 17, unless they’re accompanied by an adult.

While movie ratings have nothing to do with beer, the MPAA took offense at the name after the brewery filed their own trademark application. According to 612 Brew co-founder Kasak, the MPAA didn’t want the beer makers to use any of the “Rated” variants.

“[Our beer] could have been PG, PG-13 or R. It didn’t matter. As long as it contained the word ‘rated’ it would still get flagged,” Kasak told Minneapolis / St. Paul Business Journal.

An MPAA spokesperson confirmed that the group sent a cease and desist letter but further details are not available.

The brewery first responded to the demands by arguing that the Rated R name can be used as they clearly operate in a different industry. The MPAA wasn’t convinced though, so 612 decided that it was easiest to change the name.

The trademark specifically notes that the MPAA doesn’t have an exclusive right to the word “rated,” but 612 Brew decided to go for a different variant.

Starting this year the name of “Rated R” beer was changed to “Unrated,” which isn’t trademarked by the MPAA. While the change is a setback for the brewery, its co-founder doesn’t believe it will harm business in the long run.

“It’s going to take some time for people to get used to it, but it will be OK. It’s a great beer and they’ll drink it regardless of the name,” Kasak notes.

The brewery now has to hope that the “unrated” name won’t cause any headaches in the future. A quick search reveals that there’s an “unrated” trademark application in progress by a “yoga pants” outfit, so fingers crossed.

Music Group Threatens Popcorn Time’s Blog Platform

Thursday 29 January 2015 at 11:36

In a few weeks’ time the Popcorn Time phenomenon will reach a symbolic milestone when the ‘Netflix for Pirates’ celebrates its first birthday.

Of course, after serving millions of users in a short space of time, copyright holders have their eyes on the now-several forks of the popular project. Today we have news of yet another effort to limit the software’s reach.

PopcornTime.io is considered by many to be the true successor to the original Popcorn Time project that was shut down just weeks after it launched in 2014. Its development team is proudly open source and operates with an ethos closely aligned with that of the original team. It also receives similar legal threats and the latest to involve the project is somewhat of a head-scratcher.

PopcornTime.io has a blog where it publishes important updates. The latest entry heralds the project’s latest Android client in all its bug-fixed glory. It’s presented using the Ghost open source blogging platform and quite bizarrely copyright holders are trying to change that.

“The Greek equivalent of RIAA are threatening @TryGhost with legal action because we host @popcorntimetv’s blog,” Ghost founder John O’Nolan said this week.

“Good luck with that, Greece.”

Somewhat intrigued, TorrentFreak contacted O’Nolan – the former Deputy Head of the WordPress UI Group – who confirmed the threats.

“We were incredibly shocked to be contacted by a representative in 2015 requesting the personal information of one of our users without any basis. The clear lack of understanding here is worrying on many levels,” O’Nolan told TF.

And it gets worse. In the first instance O’Nolan thought that his company was actually hosting Popcorn Time’s blog, but in fact it’s being hosted by the project itself. All O’Nolan does is offer the completely neutral Ghost blogging platform.

To try and get to the bottom of this curious situation we contacted the organization targeting Popcorn Time. AEPI, the Greek Society for the Protection of Intellectual Property, did not officially respond to our request for comment. However, we did manage to learn more about this music group’s claim.

It appears that since Popcorn Time allows people to download movies and TV shows that have music playing in the background, AEPI believes that Popcorn Time should pay royalties and/or a music licensing fee to do so legally in Greece.

While it seems unlikely that the project is interested in any such license, the complaint to Ghost has only warmed relations between the blogging platform and Popcorn Time.

“If you ever have a need for more security/encryption features – don’t hesitate to reach out,” O’Nolan informed the project. “Likewise if you have any trouble with your current host, we’ll host you.”

And as far as Popcorn Time are concerned, there’s only one blogging platform for them.

“We use Ghost as our blogging platform because it’s lightweight yet packed full of features. Unlike WordPress you can concentrate on writing your post. Throw in the fact it’s open source and written on Node.js and it’s the perfect match!” the team told TF.

It’s not been a good 2015 for AEPI thus far. Earlier this month the anti-piracy group lost its bid to have various torrent sites blocked by local ISPs. The Athens Court ruled that barring access to torrent sites such as KickassTorrents and The Pirate Bay would be disproportionate, unconstitutional, and would hinder ISPs’ entrepreneurial freedoms.

How Cunning VOD Pirates Plundered Taken 3

Wednesday 28 January 2015 at 22:06

Soon after its U.S. premiere on January 9, pirate copies of the new Liam Neeson movie Taken 3 began appearing online. While quality was decent for a ‘cam’ recording, it was nothing to get really excited about.

As it happened that didn’t matter too much since most downloaders were already preoccupied with the recent flood of high quality Oscar screeners. Nevertheless, those who ventured into a cinema to record Taken 3 are likely to have exposed themselves to considerable risk.

In many countries one can end up in jail for such activities, especially when recording is followed by uploading to the Internet. But just a week later new events meant that the Taken 3 pirates’ dance with danger would largely be forgotten.

Last Thursday an HD copy of Taken 3 appeared on all major torrent sites but thanks to an earlier tipoff, that came as no surprise to us. Several days earlier a source already told TF that a “pristine” copy of Taken 3 would become available on January 22. So how did he know? The answer lies thousands of miles away in the Middle East.

OSN is a pay TV network with its headquarters in Dubai, United Arab Emirates. The network offers international entertainment content such as movies, TV shows and sporting events. Perhaps surprisingly to readers in the West, it also provides access to movies still running in U.S. theaters.

As can be seen from the image of an OSN TV screen below, Taken 3 was due to air on the PPV network on January 22.

[Image: OSN TV screen listing Taken 3]

TF was assured that a copy would quickly be pirated using OSN as several other popular movies had also been ‘capped’ from the same source in recent times. Sure enough, the first copies to appear online last Thursday all appeared with tell-tale Arabic subtitles or a suspiciously narrow image window where they’d been cropped out.

While it’s not easy to say whether all ‘subbed’ copies now online originate from the first original ‘capping’ of Taken 3, we know that the first ‘big’ copy on Western sites (uploaded by a group called CPG) was not the first overall.

Those honors fell to a group called “weleef” who uploaded this “exclusive” to Arabic forum ArabScene shortly after the first showings on OSN.

Of course, thanks to this source people from all around the globe were able to watch a good copy of the movie, despite it still playing in cinemas in the United States and elsewhere. Sadly, even those wanting to pay for the movie in the U.S. will have to wait until April 2015 for a VOD release.

Why Hollywood treats citizens in the Middle East and Asia better than its home audience is anyone’s guess, but if defeating piracy is the goal the practice might be backfiring.

Our source says that a Chinese VOD site already has 50 Shades of Grey listed for an end of February release, two weeks after its Valentine’s Day premiere in the U.S. Only a month to find out if that leaks too.

Update: A new and non-subtitled copy of Taken 3 is now flourishing online. The source? An OSN set-top box…
