Megaupload User Demands Return of Seized Content

An Ohio man is asking a federal judge to preserve data of the 66.6 million users of Megaupload, the file-sharing service that was shuttered in January following federal criminal copyright-infringement indictments that targeted its operators.

Represented by civil rights group Electronic Frontier Foundation, Kyle Goodwin wants U.S. District Judge Liam O’Grady, the judge overseeing the Megaupload prosecution, to order the preservation of the 25 petabytes of data the authorities seized in January. Goodwin, the operator of OhioSportsNet, which films and streams high school sports, wants to access his copyrighted footage that he stored on the file-sharing network. His hard drive crashed days before the government shuttered the site Jan. 19.

“What is clear is that Mr. Goodwin, the rightful owner of the data he stored on Megaupload, has been denied access to his property. It is also clear that this court has equitable power to fashion a remedy to make Mr. Goodwin — an innocent third party — whole again,” the group wrote the judge in a Friday legal filing.

The legal filing, the first representing a Megaupload customer, follows a similar move by the Motion Picture Association of America, whose desire to save the data is very different from Goodwin’s. Last week, it asked Carpathia, Megaupload’s Virginia-based server host, to retain the Megaupload data, which includes account information for Megaupload’s millions of users. The MPAA said it wants that data preserved because it might sue Megaupload and other companies for allegedly contributing to copyright infringement.

Megaupload allowed users to upload large files and share them with others, but the feds and Hollywood allege the service was used almost exclusively for sharing copyright material — which Megaupload denies.

A hearing on the data issue is set for next month.

Federal authorities have said they have copied some, but not all of the Megaupload data, and said Carpathia could delete the 25 million gigabytes of Megaupload data it is hosting.

Carpathia said it is spending $9,000 daily to retain the data, and is demanding that Judge O’Grady relieve it of that burden. Megaupload, meanwhile, wants the government to free up some of the millions in dollars of seized Megaupload assets to be released to pay Carpathia to retain the data for its defense and possibly to return data to its customers.

The criminal prosecution of Megaupload targets seven individuals connected to the Hong Kong-based file-sharing site, including founder Kim Dotcom. They were indicted in January on a variety of charges, including criminal copyright infringement and conspiracy to commit money laundering.

Five of the members of what the authorities called a 5-year-old “racketeering conspiracy” have been arrested in New Zealand, pending possible extradition to the United States.

The government said the site, which generated hundreds of millions in user fees and advertising, facilitated copyright infringement of movies, often before their theatrical release, in addition to music, television programs, electronic books, and business and entertainment software. The government said Megaupload’s “estimated harm” to copyright holders was “well in excess of $500 million.”

Tags: ,
Back to top

Hackers Breach Credit Card Processor; 50K Cards Compromised

Photo: Jim Merithew/Wired.com

Global Payments Inc, an Atlanta-based payments processor, has been broken into by hackers, leaving more than 50,000 card accounts potentially compromised, according to news reports.

The breach occurred sometime between Jan. 21 and Feb. 25, according to notices that Visa and MasterCard sent to banks recently. The extent of the breach and damages are still unknown, but it appears to be rather small based on initial reports from the Wall Street Journal and elsewhere.

A notice sent by credit union service organization PSCU to its customers indicated that Visa alerted it on Mar. 23 that 46,194 Visa accounts might have been compromised. But that number was downgraded to just 26,000 after eliminating duplicate account numbers and cards with invalid expiration dates, according to the Journal.

Only about 800 accounts are known to have had fraudulent activity on them so far, according to security blogger Brian Krebs, who broke the story and reported that both Track 1 and Track 2 data had been taken, making it easy for criminals to clone the cards and use them for fraudulent activity. The number of accounts showing fraudulent activity could rise, however, as the investigation continues. Krebs reports that sources in the financial industry have told him that possibly as many as 10 million cards may turn out to have been at risk of compromise in the breach.

The last big breach of card processors was in 2008 against Heartland Payment Systems, which resulted in more than 100 million cards potentially compromised.

Hacker Albert Gonzalez was sentenced in March 2010 to an unprecedented 20 years in prison for his role in connection to that breach.

Back to top

Megaupload Drops Universal Lawsuit to Focus on Criminal Charges

Embattled Megaupload is dropping a lawsuit against Universal Music that accuses the label of unlawfully removing from YouTube a four-minute video Megaupload produced featuring Kanye West, Mary J. Blige, will.i.am and others praising the notorious file-sharing service.

In dropping the suit, Hong Kong-based Megaupload is shifting its attention to criminal charges in the United States where its founder, Kim Dotcom, and top employees are accused of being responsible for facilitating wanton copyright infringement. Dotcom and four others were arrested in New Zealand in January, where they remain free pending possible extradition to the United States to face charges in one of the government’s largest criminal copyright-infringement cases.

“We have the criminal defense. We have the extradition proceedings,” Dotcom attorney Ira Rothken said in a telephone interview.

Rothken added that Megaupload is also facing a possible copyright infringement lawsuit for monetary damages from the Motion Picture Association of America.

“This is all incompatible with us maintaining the civil action,” Rothken said.

The Universal Music lawsuit being dropped (.pdf) was lodged a month before the January criminal indictments that were filed in a Virginia federal court. Megaupload was seeking damages in a California federal court on claims the removal of the $3 million video from YouTube soiled its “reputation as a responsible provider of file services — the very reputation that Megaupload’s investment in the Megaupload video and its numerous endorsements was designed to enhance.”

The Justice Department has seemingly turned the lawsuit’s allegations on its head.

The authorities shuttered Megaupload in January, seized all user data and indicted seven high-ranking Megaupload employees. Megaupload allowed users to upload large files and share them with others. The government alleges that the service was an excuse to encourage uploading of copyrighted movies, which Megaupload profited from via ads and premium subscriptions.

The government said the site facilitated copyright infringement of movies “often before their theatrical release, music, television programs, electronic books, and business and entertainment software on a massive scale.” The government said Megaupload’s “estimated harm” to copyright holders was “well in excess of $500 million.”

For the moment, Dotcom and the others are fighting the government’s extradition request and arguing about evidentiary issues.

In the now-scuttled lawsuit targeting Universal, Megaupload claimed the five-day takedown of the YouTube video in December was a sham designed to chill free speech. The suit sought unspecified damages and alleged the label had violated a provision in copyright law that forbids bogus copyright claims. The video has been viewed more than 16.6 million times.

YouTube, meanwhile, claimed Universal Music abused the video-sharing site’s piracy filters when it used them to take down the spot.

YouTube has engineered a filtering system enabling rights holders to upload music and videos they own to a “fingerprinting” database. When YouTube users upload videos, the system scans the upload against the copyright database for matches. If a full or partial match is found, the alleged rights holder can have the video automatically removed, or it can place advertising on the video and make money every time somebody clicks on the video.

Under the Digital Millennium Copyright Act, online service providers like YouTube lose legal immunity for their users’ actions if they don’t remove allegedly infringing content if asked to by rights holders. If the content is not removed, internet service providers could be held liable for damages under the Copyright Act, which carries penalties of up to $150,000 per violation.

Back to top

Politically Motivated Border Searches Could Be Unconstitutional, Judge Rules

An outspoken supporter of WikiLeaks suspect Bradley Manning can continue his lawsuit against the federal government over a border search-and-seizure conducted in 2010 after his return to the U.S. from a Mexico vacation, as a federal court ruled Wednesday that his constitutional rights may have been violated.

A federal judge denied the government’s motion to dismiss the case brought by David Maurice House, finding that the government’s search-and-seizure of his electronics may have violated his right to free speech – even if agents have the right to search travelers at the border for no reason.

“Although the agents may not need to have any particularized suspicion for the initial search and seizure at the border for the purpose of the Fourth Amendment analysis, it does
not necessarily follow that the agents, as is alleged in the complaint, may seize personal electronic devices containing expressive materials, target someone for their political association and seize his electronic devices and review the information pertinent to that association and its members and supporters simply because the initial search occurred at the border,” U.S. District Court Judge Denise Casper wrote. (.pdf)

The American Civil Liberties Union filed a federal lawsuit in Massachusetts in May 2011 on House’s behalf, charging that he had been targeted solely for his lawful association with the Bradley Manning Support Network.

“This ruling affirms that the constitution is still alive at the U.S. border,” ACLU Staff Attorney Catherine Crump said in a statement. “Despite the government’s broad assertions that it can take and search any laptop, diary or smartphone without any reasonable suspicion, the court said the government cannot use that power to target political speech.”

Bradley Manning (Facebook.com)

U.S. customs agents met and briefly detained House as he deplaned at Chicago’s O’Hare Airport in Nov. 2010. The agents searched House’s bags, then took him to a detention room and questioned him for 90 minutes about his relationship to Manning, the former Army intelligence analyst currently facing a court martial for leaking classified documents to the secret-spilling site WikiLeaks. The agents confiscated a laptop computer, a thumb drive and a digital camera from House and reportedly demanded, but did not receive, his encryption keys.

DHS held onto House’s equipment for 49 days and returned it only after the ACLU sent a strongly worded letter.

House was on Manning’s Facebook friends list at the time of Manning’s arrest in May 2010 and was one of several Boston-area friends of Manning who were interviewed by federal agents following the soldier’s arrest. House helped set up the Bradley Manning Support Network, a grassroots group to raise money for Manning’s defense, and had visited Manning in custody at the Marine Corps’ Quantico brig at least three times before falling out with other Manning supporters and being removed from the visitor’s list by Manning’s family in March 2011.

During his detainment in Chicago, agents questioned House about his association with Manning, his work for the Support Network, whether he had any connections to WikiLeaks, and whether he had been in contact with anyone from WikiLeaks during his trip to Mexico. But according to House’s lawsuit, he was not questioned about anything “relating to border control, customs, trade, immigration, or terrorism, and at no point did agents suggest that plaintiff had broken the law or that his computer contained any illegal material.”

Data contained on House’s seized laptop included information concerning the Support Network, such as the complete Support Network mailing list, confidential communications between members of the steering committee about strategy and fund-raising activities, the identity of donors, lists of potential donors and their ability to contribute, and notes on meetings with donors.

Under the “border search exception” of United States criminal law, international travelers can be searched as they enter the U.S. without a warrant. Law enforcement agents have aggressively used this power to search travelers’ laptops, sometimes copying the hard drive before returning a computer to its owner. Courts have ruled that such laptop searches can take place even in the absence of any reasonable suspicion of wrongdoing.

But House’s suit, filed against the Department of Homeland Security, challenges the government’s right to conduct a suspicion-less search and seizure. The lawsuit asks a federal judge to declare the search an unconstitutional violation of House’s First Amendment rights of speech and political association, and Fourth Amendment right to be free from unreasonable search and seizure, and to order the government to destroy its copy of House’s computer files.

The government sought to dismiss the suit on grounds that House was asking the court to “create a new exception for electronic devices from the Government’s authority to conduct routine searches of closed containers at the border.

“There is no basis for the Court to conclude,” the government wrote, “that searches of laptops or other electronic devices at the border should be subjected to a different standard than that for other closed containers. Nor is there a basis for the Court to conclude that Plaintiff’s First Amendment rights were violated by the routine search and detention of his devices at the border.”

A graduate of Boston University, House is a former computer science researcher at MIT’s Center for Digital Business, and has been working as a computer security contractor more recently. At BU he founded the campus hacker space for student tinkerers.

House is not the only person to be detained in a border search for his perceived connection to WikiLeaks. Computer security researcher Moxie Marlinspike, whose company Whisper Systems was recently acquired by Twitter, was also detained in Nov. 2010 after returning to the U.S. from a trip to the Dominican Republic.

The agents escorted him to a detention room where they held him for 4 1/2 hours. During that time, a forensic investigator arrived and seized Marlinspike’s laptop and two cellphones, and asked for his passwords to access his devices. Marlinspike refused, and the devices were later returned to him.

Months before Marlinspike’s detention, security researcher Jacob Appelbaum was intercepted at a New Jersey airport and detained in July 2010 after returning on a flight from Holland.

Appelbaum was detain for three hours and questioned about WikiLeaks. Appelbaum, a Seattle-based programmer for Tor, an online privacy protection service, has served in the past as a U.S. spokesman for WikiLeaks. He was reportedly told by the customs agents who detained him that he was randomly selected for a security search.

Update 3.30.12: To reflect House’s current work activity after leaving MIT.

(Image: YouTube)

Back to top

Satellite-TV Hacking Allegations Return for Murdoch

 
          

It’s been four years since Rupert Murdoch’s NDS subsidiary was largely cleared in a civil lawsuit charging that the company employed hackers to sabotage rival companies.

Now the allegations have surfaced again, this time with internal e-mails allegedly documenting a coordinated scheme to damage competitors to Murdoch’s media empire that was led by a former Israeli intelligence officer and former UK police officers working for the Murdoch firm. Their actions extended far beyond the original allegations, according to a BBC documentary and the Australian Financial Review.

The e-mails purport to show that security officers working for NDS were behind a piracy web site called The House of Ill Compute, or thoic.com, where hackers posted codes that allowed users to pirate pay-TV services for Murdoch competitors. The e-mails also purport to show that NDS withheld from one its clients, DirectTV, methods to fight widespread piracy at the same time Murdoch was attempting to buy the company.

NDS reportedly paid a hacker named Lee Gibling about $8,000 monthly to run the site, which garnered up to 2 million hits a day during its heyday in 2000.

NDS claims the site was just a honeypot to learn how pirates were scheming to defraud NDS and other satellite TV companies and says it never promoted piracy. But e-mails and interviews with sources indicate that after hackers posted codes on the site that were designed to hack smart cards used with pay-TV systems overseas, such as Canal Plus Technologies and OnDigital, NDS leaked the codes to other piracy sites to encourage their use among satellite thieves. NDS also is accused of reverse-engineering competitors’ cards with the aim of creating cracks for them.

NDS is a British-Israeli company and a majority-owned subsidiary of Murdoch’s News Corp. The company makes access cards used by pay-TV systems to prevent piracy of satellite signals. The most prominent of its clients was DirecTV — itself a former Murdoch company.

NDS was the target of earlier hacking allegations that were part of a years-long lawsuit filed by Nagrastar and its parent company EchoStar, NDS’s chief competitor, which made access cards for EchoStar’s Dish Network and other runners-up in the market.

The case, which ended in 2008, involved a colorful cast of characters that included former intelligence agents, Canadian TV pirates, Bulgarian and German hackers, stolen e-mails and the mysterious suicide of a Berlin hacker who had been courted by the Murdoch company not long before his death.

It also involved a former U.S. hacker named Christopher Tarnovsky who worked for NDS and was accused of helping pirates steal services from NDS competitors.

According to allegations in the lawsuit, in the late ’90s NDS extracted and cracked the proprietary code used in Nagrastar’s cards, which NDS didn’t contest. But Nagrastar said that Tarnovsky then used the code to create a device for reprogramming Nagrastar cards into pirate cards, and gave the cards to pirates eager to steal Dish Network’s programming. Tarnovsky was also accused of posting to the internet a detailed road map for hacking Nagrastar’s cards.

The convoluted case raised more questions than it answered, but a jury in San Diego largely cleared NDS of piracy in that case, finding the company guilty of only a single incident of stealing satellite signals, for which Dish was awarded $1,500 in damages. EchoStar was instructed to pay $19 million in legal costs.

Tarnovsky, who sat for a lengthy interview with Wired.com following the verdict and demonstrated how he reverse-engineered smart cards like those used for satellite-TV (see video above), has always asserted his innocence.

But according to the Australian Financial Times, Tarnovsky was just one of many actors associated with a secretive group of former policemen and intelligence officers within News Corp known as Operational Security.

That group, the paper says, embarked on a coordinated plan to derail Murdoch’s pay-TV competitors in Australia and elsewhere by distributing crack codes for competitor’s satellite services. According to the paper, which has published internal emails from the group, their actions devastated Murdoch competitors such as DirecTV in the U.S., Telepiu in Italy and Austar in Australia, and allowed Murdoch to then try and swoop in to buy up the businesses at reduced costs.

Back to top
« OLDER POSTS