The final day of Devcon – still lots to get through, although, for the sake of some team members, we might need to speak slowly and quietly…

We started the day with a Foundation financial overview from natethomas. Even as a non-profit, volunteer-run organisation, keeping Kodi going is an expensive undertaking by the time you take into account events and conferences, hosting, legal, development hardware, and similar. This in turn led to a conversation about future logistics: we have a large team now, and it’s getting increasingly challenging to get the team together to meet, discuss, work, and socialise while we continue to make your favourite media centre software. We also want to continue to attend and increase our engagement with FOSDEM, ELC, CES, VDD and other open source and multimedia events.

Our next topic was infrastructure with kib. The Kodi systems respond to literally millions of requests per day for such things as downloads and addon updates, so we’re looking after a significant infrastructure. We have multiple servers for the forum, wiki, main web site, build server and mirroring, all of which need to be managed, backed up, maintained, upgraded. Given our recent extended forum downtime, that was clearly part of the discussion as it’s unacceptable in every respect. We need to look again at how we host our content, our architecture, and any weak points.

We then moved onto a brief conversation about addon security. This is a big topic that will need to be progressed separately: addon sandboxing to protect the core code and operating system, for example, or signing and hashing to ensure code integrity.

Tooling was our next topic, led by razee and martijn. Do we have all the tools that the developers need? Are there better ways and methods? How do we take work out of the system, perhaps through automation of some basic sanity checks? How do we make it easier for people to contribute code and get it accepted and merged?

We then moved on to forum moderation, with a discussion led by darrenhill. All forum users should be aware that we do not allow forum conversations or support threads that touch on piracy, guided by a non-comprehensive list of banned addons on the wiki. However, new piracy addons appear all the time, so we need to consider how we better maintain and publicise this list, including making it clearer to new forum sign-ups: we still get too many people who sign up specifically to ask for help with an unsupported addon, for example. The conversation then moved on to log files, and users who edit these to deliberately try to hide addons/repositories. Finally, we moved on to the sanctions we take against users who repeatedly breach the forum rules, and the basis on which we take action while trying to remain fair and transparent.

Moving on, we came back to a topic we covered earlier in the conference: whether an addon should ever be allowed to modify another addon, or whether an addon should be allowed to disable anything when it finds something that it’s decided is somehow “undesirable”. This is clearly a contentious issue. As a rule, nothing should ever break a working installation, either by changing core Kodi files or by altering some other part of a user’s installation that was already there. The current issue with addons checking for the presence of others, however, is clearly more complex as there may be legitimate reasons for such behaviour, such as a compatibility check. Expect a more formal announcement on this subject in the forums in the near future.

Our final conversation of the day, then – and the final one of the conference – was alwinus and the addon subsystem. He talked us through the current addon system, and some of the problems and limitations it presents: it’s not easily extensible, there are limitations on interoperability between addons, SQL dependencies impacting performance, and there are some inherent instabilities in the addon handling code that can trigger a crash. Simply put, there is a series of improvements proposed that will address these issues: limit SQL dependencies, remove async thread handling, cache more information, move away from dependency on cpluff.

And that’s it for Devcon 2017: time for people to head out, to airports, train stations, wherever.

Thank you to everyone for their attendance and contributions!

Source link

Last November, the cybercrime unit of the French military police shut down the country’s largest pirate site, Zone-Telechargement (Download Zone). This was a huge problem for the millions of people who visited the site on a daily basis.

Founded in 2011, Zone-Telechargement’s popularity soared after the closure of Megaupload, which was also hugely popular in France until its shutdown early 2012. It’s been dead ever since though, despite suggestions it might somehow return to life.

Interestingly, however, a site claiming to be a reincarnation of the original is now trying to scoop up traffic, with promises that the excitement can be found at a new URL.

“Welcome to the new Zone-Telechargement! This is the new address of the indexing site to find movies and series,” a notice on the site reads.

“We make every effort to ensure that you can watch your movies and series in the best conditions and in complete safety. Therefore, we invite you as a Zone-Telechargement user to help us in our big mission! Share our site, talk about it!”

This cloned pirate site is not what it seems

During the past couple of days, people have certainly been talking about it, but not for the usual reasons. As reported by NextInpact, the site already has 100,000 links on Google after being launched sometime in August.

But this is no ordinary pirate site. In fact, it’s not a pirate site at all. While it looks exactly like its pirate namesake, the site links only to legal content on platforms such as Amazon, iTunes, and other official sources.

NextInpact reports that the site is hosted in France and uses film posters and metadata hosted by the National Film Center, which grants official vendors access to a database of supporting content to help them sell their products online.

So, could this be an innovative and unconventional service set up by elements of the film industry to suck in pirates, perhaps?

TF decided to look into the possibility by pulling information from WHOIS, DNS and MX records, hoping to find a trace of who’s behind the operation. None of the searches yielded much information of direct value but they did turn up something else.

Zone-Telechargement.al, it seems, is not on its own. Hosted on the same server at OVH in France is Voirfilms.al which clones VoirFilms.org, a pirate site that was ordered to be blocked by the Paris District Court earlier this year.

Two peas in a pod on the same server

Just like Zone-Telechargement.al, Voirfilms.al only links to legal content. However, when one searches for movies, at least the first two sets of links to content contain affiliate codes for Amazon and a local service, meaning the site’s operators get a kickback from any sale.

Given they use the same host server, mail server, and referral codes (tag=blue0d7-21 for Amazon), we considered it likely that the same people are behind both domains, passing them off as pirate sites in an effort to generate revenue.

Then, on Friday afternoon, NextInpact editor Marc Rees contacted us with a really interesting update. After further research, Rees had concluded that anti-piracy outfit Blue Efficience was probably behind the scheme. Sure enough, after contacting founder and CEO Thierry Chevillard, the company confirmed the project.

“We always had the idea to promote the legal offer. Anti-piracy protection is good, but it is insufficient without this component,” Chevillard told Rees.

Chevillard said that since video-on-demand platforms have difficulties in getting themselves noticed over pirate sites, his company took the decision to mimic the pirate strategy.

“[T]he pirate sites are extremely talented at putting themselves ahead in search engines where they beat the legal offers,” he said, adding that using similar weapons was the solution.

Chevillard told NextInpact that his company initially published links to content without the affiliate kickback but later took the for-profit route in order to “partially offset the costs, even if we are far from covering the costs of developing and operating the site.”

Of course, there’s a certain irony in an anti-piracy outfit actively pirating a pair of pirate sites, particularly since it clearly pirated the pirate sites’ logos and graphics, in order to pass the clones off as the real thing. However, Chevillard sees them as fair game and says his company will take action in the unlikely event the pirates take legal action.

The big question, of course, is whether the clone sites are having the desired effect of encouraging legal purchases. According to early data from Zone-Telechargement.al, around five purchases are made out of every 1000 clicks on content listed by the site.

While Blue Efficience’s cover has been well and truly blown, the company is undeterred and says it will expand its pirate site cloning business. If the strategy reaches any scale, that could be a whole new level of spam for would-be pirates to wade through. Nevertheless, there is a comedy ending to this story.

It appears that since the fake sites are so convincing, rival anti-piracy outfits have been asking Google to take down pages (1,2) from its indexes. Most ‘impressive’ are the efforts from takedown outfit Rivendel, which has filed dozens of complaints against these ‘pirate’ sites. Ouch.

Source: TF, for the latest info on copyright, file-sharing, torrent sites and ANONYMOUS VPN services.

Source link

YouTube is the world’s leading video and music service and has partnerships with thousands of artists and other publishers around the globe.

While many are happy with the revenue they’re generating from the Google-owned platform, there has been a lot of negative commentary as well.

Several major record labels are complaining about the so-called ‘value gap‘ and the low payouts per streaming view, for example. This view is shared by the Content Creators Coalition (c3), an artist-run advocacy organization for musicians.

The group has just released two new ads calling on the streaming service to give artists more options to prevent piracy while calling on Congress to update the DMCA.

Rehashing the old Apple vs. Microsoft ad theme, the first video depicts an artist who is trying to get pirated content removed from the site. In the ad, YouTube is not particularly helpful, suggesting that pirated content is quickly re-uploaded after it’s removed.

Interestingly, there is no mention of the Content-ID program which many creators successfully use to prevent pirated content from reappearing. The vast majority (98%) of all copyright complaints are currently handled automatically through the Content-ID system.

Takedown Whack-a-Mole?

The second ad complains about poor payments. In this video, the artist gets paid more from all smaller streaming services, even though these generated only a fraction of the views compared to YouTube.

This complaint is not new either. Over the past several years, YouTube has been called out repeatedly for not paying enough. Not only that, the streaming service has also been accused of running a DMCA protection racket, profiting from pirated streams while hiding behind the DMCA’s safe harbor protections.

Pennies?

The Content Creators Coalition says that the advertisements will run on YouTube and other digital platforms as part of a significant new ad buy.

“Google’s YouTube has shortchanged artists while earning billions of dollars of our music. Artists know YouTube can do better,” c3 President and award-winning bassist Melvin Gibbs says.

“So, rather than hiding behind outdated laws, YouTube and Google should work to give artists more control over our music and pay music creators fairly when our songs are played on their platform.”

While these complaints are nothing new for YouTube, they are also intended to rally support from the public and lawmakers.

“Our ads send a message to the executives in Mountain View that artists are fighting back and mobilizing fans to push Congress to update the DMCA and end the legal neglect that has given Big Tech too much power over our work and society,” Gibbs adds.

YouTube itself paints an entirely different picture. The company previously stated that it goes above and beyond what it’s required to do by law, while paying billions to copyright holders.

“Content ID goes beyond a simple ‘notice-and-takedown’ system to provide a set of automated tools that empowers rightsholders to automatically claim their content and choose whether to track, block or monetize it on YouTube,” senior policy counsel Katherine Oyama noted.

“YouTube has paid out over $2 billion to rightsholders who have monetized their content through Content ID since it first launched. In fact, today well over 90% of all Content ID claims across the platform result in monetization.”

This music industry vs YouTube battle is far from over.

Source: TF, for the latest info on copyright, file-sharing, torrent sites and ANONYMOUS VPN services.

Source link

Just over a month ago, a Javascript cryptocurrency miner was silently added to The Pirate Bay. Noticed by users who observed their CPU usage going through the roof, it later transpired the site was trialing a miner operated by Coinhive.

Many users were disappointed that The Pirate Bay had added the Javascript-based Monero coin miner without their permission. However, it didn’t take long for people to see the potential benefits, with a raft of other sites adding the miner in the hope of generating additional revenue.

Now, however, Coinhive has an unexpected and potentially serious problem to deal with. The company has just revealed that on Monday night its DNS records maintained at Cloudflare were accessed by a third-party, allowing an unnamed attacker to redirect user mining traffic to a server they controlled.

“The DNS records for coinhive.com have been manipulated to redirect requests for the coinhive.min.js to a third party server. This third party server hosted a modified version of the JavaScript file with a hardcoded site key. This essentially let the attacker ‘steal’ hashes from our users,” Coinhive said in a statement.

The company hasn’t revealed how long the unauthorized redirect stayed in place for, but it appears that all coins mined on sites hosting Coinhive’s script were ‘stolen’ during the period, instead of being credited to their accounts.

Coinhive stresses that no user account information was leaked and that its website and database servers were uncompromised. But while that’s good news, the method that the hackers used to access the company’s DNS provider lay in a basic security error.

Back in 2014, crowdfunding platform Kickstarter – which Coinhive used – fell victim to a security breach. After being advised of the fact by law enforcement officials, Kickstarter shut down unauthorized access, began strengthening its systems, while advising customers to do the same.

While Coinhive did respond to the warning to ensure that its data was safe, something slipped through the net. One piece of information – its Cloudflare account password – remained unchanged after the Kickstarter attack. It now seems the most likely culprit for this week’s DNS breach.

“The root cause for this incident was an insecure password for our Cloudflare account that was probably leaked with the Kickstarter data breach back in 2014,” Coinhive says.

“We have learned hard lessons about security and used 2FA and unique passwords with all services since, but we neglected to update our years old Cloudflare account.”

While not mentioning Coinhive explicitly, Kickstarter warned earlier this month that the 2014 incident may not be completely over. In an update posted on the site Oct 6, Kickstarter noted that some of its customers had recently been hearing more information about the breach from notification service Have I been pwned?.

In the meantime, Coinhive has issued an apology and indicated it will find ways to reimburse sites which have lost revenue as a result of the DNS hack.

“We’re deeply sorry about this severe oversight,” the company said. “Our current plan is to credit all sites with an additional 12 hours of their the daily average hashrate. Please give us a few hours to roll this out.”

Based on earlier calculations carried out by TF, The Pirate Bay (if it was mining during the breach) could be potentially owed around $200 for the lost hashes, give or take. After turning off mining in September, the site reactivated it again in October, with no opt-out. The situation appears fluid.

While the hack is obviously a disappointment, Coinhive appears to have advised its users quickly and transparently, which under the circumstances is exactly what’s required. The fact that it’s offering compensation to users will also be welcomed.

The breach is the latest controversy to hit the company. Earlier this month, Cloudflare began banning sites which implemented Coinhive mining without informing their users. The CDN company said it considered non-advised mining as malware.

Source: TF, for the latest info on copyright, file-sharing, torrent sites and ANONYMOUS VPN services.

Source link