Cease and Desist from Getty Images in France
Monday, 2 January 2017
I have this irrational belief that the few days around the beginning of the year set the pace for the rest of the year. If that's true, then 2017 is going to be exciting.
Over the holiday break, while other people were spending time with family and opening gifts, I received a cease-and-desist letter from Getty Images. The first time I received a cease-and-desist letter from them was over two years ago -- Getty Images claimed that I was violating their copyright, and I showed that it was Fair Use. After Getty Images withdrew their complaint, I thought it was over.
I was wrong. (Au contraire!)
Like a weird déjà vu, Getty Images now claims that my writeup of the previous events violates numerous French laws and they demand that I remove my remarks. I suspect that they are using French laws as a façade because they have no basis for a complaint in the United States.
Since they sent me an 11 page complaint (PDF), I sent them an 11 page response (PDF). (And yes, I included footnotes for references and citations.) Without further ado, here is my reply -- the letter reformatted for the web:
Dr. Neal Krawetz
Hacker Factor
PO Box 270033
Fort Collins, CO
80527-0033
January 1, 2017
Cabinet Bouchara Avocats
c/o: Vanessa Bouchara
17, rue de Colisee
75008 Paris, France
Dear Vanessa Bouchara and Cabinet Bouchara Avocats,
I received your registered letter (RK 00 128 368 8 FR) from France on the evening of December 27, 2016. The letter states that you are the legal adviser to GETTY IMAGES and demands that I "cease and desist" by removing remarks from a blog entry where I discuss the previous letter that I received from Getty Images in 2014. I have placed a copy of your entire letter online at:
http://audio.hackerfactor.com/2016/getty-letter-20161227.pdf
As you noted, the blog entry that you want me to alter is located at:
http://www.hackerfactor.com/blog/index.php?/archives/625-Dear-Getty-Images-Legal-Department.html
There are many problems with your cease-and-desist letter, which I am detailing here. I am sending this response to you and to the legal department at Getty Images headquarters in Seattle, Washington, USA. Suffice to say, I will not be making any changes to my blog entry or web site based on your cease-and-desist letter.
Problem #1: Intentional effort to pass over the deadline
Your letter, dated "Paris, December 19th, 2016", included a demand that I respond within 8 days of the letter's date. On the last page of your letter, you explicitly wrote "before the 27th of December"; otherwise, you threatened to escalate your demands.
As I am sure that you are aware, airmail from Paris, France to Fort Collins, Colorado in the United States typically takes 7-14 days to be delivered. In addition, (1) you incorrectly addressed the letter; my city's name is "Fort Collins", not "Port Collins", (2) you sent the letter during the busiest time of the year for the US Postal Service and during a time when the US Postal Service was closed for a national holiday,[1] and (3) you sent the letter during a time when employees across the nation take time off for the holidays. Each of these delayed the response time.
In effect, you intentionally took steps to ensure that your letter would be delivered after your self-imposed deadline. As I noted, I received it on December 27th, which is after your deadline. You granted me no time to formulate a response or consult with my legal representation before your deadline expired. This clearly shows that you were not acting in good faith when you sent your letter.
Problem #2: Lack of jurisdiction
The cease-and-desist letter includes numerous French legal references. However, French law does not apply in this matter.
My 2014 blog entry begins by stating that I had received a copyright infringement claim from Getty Images. The blog entry includes a link to the actual letter:
http://audio.hackerfactor.com/2014/getty-takedown-20140715.pdf
As noted in the 2014 letter from Getty Images, they list their address as "605 5th Ave S, Suite 400, Seattle, WA 98104 USA". Moreover, they sent their letter to my address in Fort Collins, Colorado, United States. Neither of these addresses is in France.
My 2014 blog entry includes my response letter. At the top of the response letter are the addresses of the sender and the recipient. Again, the correspondence was from a US citizen in the United States of America and to a company in the United States of America.
At no time was there any mention of France or Getty Images in France. The country of France has no jurisdiction in a discussion between a US citizen and a US company. Your repeated citations of French laws have no basis since this falls under the jurisdiction of US laws.
The "Termes et conditions d'utilisation du site" (Terms and conditions of use) listed on Getty Images' French web site explicitly states that the "Droit applicable et juridiction compétente" (Applicable law and jurisdiction) is Seattle, Washington in the United States.[2] The terms and conditions explicitly state that any dispute falls under the jurisdiction of the United States. The text of this web page has not significantly changed since at least 2015.[3] Thus, even Getty Images in France states that French law does not apply.
Original text from http://www.gettyimages.fr/company/terms, retrieved on December 30, 2016 (translated to English by Google Translate):

Droit applicable et juridiction compétente

Tout litige lié d'une quelconque façon à votre utilisation du Site ou du Contenu Getty Images sera soumis à un arbitrage confidentiel à Seattle, Etat de Washington, Etats-Unis, sauf si vous avez violé ou menacé de violer les droits de Getty Images en matière de propriété intellectuelle ; dans ce cas, Getty Images pourra rechercher l'obtention d'une injonction ou autre mesure analogue dans tout tribunal d'Etat ou fédéral de l'Etat de Washington, et vous acceptez la compétence exclusive de ces tribunaux en la matière. L'arbitrage dans ce cas sera conduit par un arbitre unique selon les règles de l'American Arbitration Provision. La sentence arbitrale sera irrévocable et pourra faire office de verdict dans tout tribunal compétent. Dans les limites du droit en vigueur, aucun arbitrage lié aux présentes dispositions ne pourra être joint à un arbitrage impliquant une autre partie soumise aux Conditions d'Utilisation du Site (procédures d'arbitrage groupé ou autres).

Applicable law and jurisdiction

Any dispute relating in any way to your use of the Site or the Getty Images Content will be subject to confidential arbitration in Seattle, Washington, USA, unless you have violated or threatened to violate the rights of Getty Images in Intellectual property; In this case, Getty Images may seek an injunction or similar action in any State or Federal Court of the State of Washington, and you agree to the exclusive jurisdiction of such courts in this matter. The arbitration in this case will be conducted by a single arbitrator in accordance with the rules of the American Arbitration Provision. The arbitral award shall be irrevocable and may serve as a verdict in any court of competent jurisdiction. Within the limits of the law in force, no arbitration related to these provisions can be joined to an arbitration involving another party subject to the Conditions of Use of the Site (collective arbitration procedures or others).
Problem #3: Statute of Limitations
As noted in your letter, my company is located in Colorado. The state of Colorado places a statute of limitation on defamation claims. As defined under C.R.S. 13-80-103(1)(a):[4]
13-80-103. General limitation of actions - one year. (1) The following civil actions, regardless of the theory upon which suit is brought, or against whom suit is brought, shall be commenced within one year after the cause of action accrues, and not thereafter:
(a) The following tort actions: Assault, battery, false imprisonment, false arrest, libel, and slander;
Similarly, the statute of limitations for defamation in the state of Washington is defined in RCW 4.16.100, limiting actions to within two years.[5]
My blog entry was posted on July 15, 2014. However, your cease-and-desist letter is dated December 19, 2016 – over two years later. Your letter was sent long after the statute of limitations expired. Moreover, I can provide proof that people at Getty Images, and specifically people affiliated with their legal department, viewed the specific blog entry in July 2014.
Problem #4: Use of the word "Extortion"
The first page of your letter states that my blog uses the word "extortion" in a litigious manner. You added:
Indeed, the combination of the words «GETTY IMAGES» and «extortion» on the search engine Google bring us directly to your web site.
As I am sure that you are aware: my company, Hacker Factor, is not affiliated with Google and has no control or insight into how Google ranks web pages. Moreover, a search for these words currently shows that my blog entry is the 4th result. The first two results are from Art Law Journal and the third is from ExtortionLetterInfo.com, which is run by attorneys. Although my blog entry is the 4th result, the 5th result comes from the Illinois State Bar Association.
There are many web sites that describe techniques to write articles for search-engine optimization (SEO) in order to improve search rankings. This includes The Content Factory's "7 Secrets of Professional SEO Article Writers"[6] and wikiHow's "How to Write SEO Content."[7] My blog entry uses none of these guidelines and was not written using any SEO techniques. Thus, I have made no attempts to influence my web page's ranking on Google.
In addition to search results, Google's search engine offers search term recommendations based on commonly searched phrases. These recommendations include "getty extortion letter 2015", "getty extortion letter 2016", and "getty images lawsuit class action". My blog entry does not control these recommendations; these recommendations are based on real searches typed in by people looking for information.[8] To be clear: first people have the desire to find information about Getty Images and extortion, and then they see results from legal experts and my blog. Thus, the opinion that Getty Images is involved in extortion appears to be widespread and shared among many people, including attorneys, and is not limited to my blog entry.
In my blog entry, I use the word "extortion" six times. The first three times are in quoted text from other sources, including news outlets and law firms. The remaining three uses are in opinion and speculation based on the cited references.
Since my web site is in the United States of America, it is written in American English. According to the Merriam-Webster dictionary for American English,[9] extortion is defined as "the crime of getting money from someone by the use of force or threats." In the case of the 2014 Getty Images copyright infringement letter, your client demanded money under the threat of legal action. This matches the definition of "extortion".
Because I am located in Colorado, Colorado state laws apply. Colorado state law defines "extortion" in 18-3-207 C.R.S.:[10]
The person, without legal authority and with the intent to induce another person against that other person's will to perform an act or to refrain from performing a lawful act, makes a substantial threat to confine or restrain, cause economic hardship or bodily injury to, or damage the property or reputation of, the threatened person or another person
The Colorado legal definition is similar to the definition from the dictionary. However, Colorado adds in the phrase "without legal authority". As I pointed out in my 2014 blog entry, I used the images correctly under Copyright Fair Use (Title 17 section 107)[11]. In addition, Getty Images withdrew their infringement claim, indicating that they were acting without legal authority. I documented the response from Getty Images on my blog at:
http://www.hackerfactor.com/blog/index.php?/archives/627-A-Victory-for-Fair-Use.html
Since Getty Images is headquartered in Seattle, Washington and has an office in Los Angeles, California, those laws may also be applicable. Both Washington RCW 9A.56.110[12] and California Penal Code 518 PC[13] offer similar definitions for "extortion".
Perhaps there is a better word that you could recommend instead of "extortion" to describe your client's actions. Would you prefer that I use blackmail, shakedown, or swindle? My preference is to use the word "extortion" since it appears to match the dictionary and legal definitions.
Problem #5: Anti-SLAPP and retaliation
I believe that this cease-and-desist letter from Getty Images is an attempt at a SLAPP lawsuit. As summarized at Wikipedia:[14]
A strategic lawsuit against public participation (SLAPP) is a lawsuit that is intended to censor, intimidate, and silence critics by burdening them with the cost of a legal defense until they abandon their criticism or opposition. Such lawsuits have been made illegal in many jurisdictions on the grounds that they impede freedom of speech.
Getty Images has offices in California. California has very strong anti-SLAPP laws (see California Code of Civil Procedure sections 425.16, 425.17, and 425.18). These laws are specifically intended to prevent the chilling effect to free speech from the threat of costly litigation.
Although Colorado does not have dedicated anti-SLAPP laws, it does have laws that protect First Amendment rights without fear of retaliation.[15] In the case of Getty Images:
- On July 14, 2014, I received a letter from Getty Images claiming copyright infringement.
- I responded on July 15, 2014 by showing how my use complied with Copyright Fair Use.
- On July 22, 2014, Getty Images withdrew their claim of copyright infringement.
and now:
- On December 27, 2016 (over two years later), I received a letter from the legal representation of Getty Images that accuses me of defamation and damages from my write-up of the previous events.
Your cease-and-desist letter appears retaliatory since it is in response to the previous unsupported claim of copyright infringement. Moreover, the threat to "initiate all appropriate action against you" (on the final page of your letter), a short response time, and no opportunity to consult with legal counsel before your deadline appears consistent with a SLAPP lawsuit and extortion practices.
Problem #6: Recommending the use of an attorney
Much of your cease-and-desist letter focuses on comments to my blog entry. In particular, you highlighted key words and phrases that you claim are litigious, intolerable, and reprehensible. For example, in my comment #2.1.1, you highlighted the words "Admit nothing":
Hello Sheila,
I am not an attorney; do not interpret my suggestions as legal advice.
1. Consult with an attorney.
2. Admit nothing.
3. Review the requirements for copyright fair use. http://www.copyright.gov/fls/fl102.html
Similarly, in comment #3.1, I wrote (with your bold emphasis):
Hi Sri,
I am not an attorney. It sounds like you need an attorney who specializes in copyright.
You should also check your contract with the developer. There should be an indemnification clause. If they provided the picture, then it's their problem.
But do NOT contact Getty directly! At this point, get an attorney and have the attorney contact Getty.
Both of these comments repeat advice that I have received from attorneys: when involved in a legal issue, do not admit fault before consulting with an attorney. For clarity, your specified alterations recommend that recipients of letters from your client should admit fault without an attorney.
Your letter also took offense at comment #4.1, where I provided contact information for Getty Images (with your bold emphasis):
There is a phone number in the PDF:
1-800-972-4170 for Getty Images License Compliance.
Personally, if I were you, I would record the phone call. (Then again, I'm the kind of guy who records the calls and posts them as MP3s online.)
I want to emphasize that your client provided and recommended this phone number as a point of contact in their letter from July 2014.
Similarly, you appear to have taken offense when I recommended that people respond to Getty Images and not ignore a legal notification. You highlighted the following words as litigious from comment #9.1:
Hi tammy,
I wouldn't ignore them. I'd send them a letter.
NOTE: I am not a lawyer and this is not legal advice. You should consult with an attorney.
You, as the legal representative of Getty Images, want me to remove the recommendation to respond to legal notices from Getty Images. Is it your recommendation that recipients should ignore copyright infringement letters from Getty Images? If your legal recommendation is to ignore letters from Getty Images, then I will consider updating the blog entry so that it conveys the correct message.
You also selected one of my introductory paragraphs:
Many people have reported that, if you just ignore it, then it goes away. However, Getty Images has sued a few people who ignored the letters. If you ignore it, then you place yourself at risk.
These comments are factual and not litigious. Many people have reported successfully ignoring the letters and some people have been sued by Getty Images. (See footnotes [16] and [17] for examples.)
While I have not addressed each of your highlighted selections, each claim is equally baseless. In your letter, you wrote that these comments "suggested to web users to deny their legal obligations toward [Getty Images]." Your claim is false. My remarks repeatedly advise people to consult with an attorney. At no time do I "incite to violate GETTY IMAGES' rights" as you claim.
Problem #7: Censorship of blog comments
Many of the remarks that your letter claims are litigious were written by other people who left comments on my blog. As noted in Problem #2, France has no jurisdictional claim and United States laws apply.
In the United States, we have a law called the Communications Decency Act of 1996 (47 U.S.C. § 230(c)(1)).[18] As noted by the very capable attorneys at the Electronic Frontier Foundation,[19] this law protects intermediaries that host or republish speech from a wide range of liability and defamation claims.
On December 15, 2016, the "Consumer Review Fairness Act of 2016" (H.R. 5111) was signed into law.[20] (Your letter is dated four days later.) This law protects the right for consumers to give negative reviews online and elsewhere. This law provides legal protection to both my blog entry and the comments submitted to my blog entry.
Your cease-and-desist letter directs me to censor the free speech of people who leave comments on my blog. However, I have no legal obligation to remove, censor, or redact opinions that your client, Getty Images, finds objectionable.
Problem #8: Alleged damage to reputation
Your letter begins by noting that Getty Images is a large company ("the biggest global database") that "enjoys an established reputation both domestically and internationally". However, your letter failed to mention that this reputation includes being well-known for sending unsupported copyright infringement letters. For example:
- International Business Times (February 7, 2014):[21] "That practice has earned Getty Images a reputation for being a bully, an extortionist and a copyright troll. It's so pervasive -- thousands of letters are sent out each year -- that it has sparked a virtual sub-industry of websites, blog posts and message boards devoted to offering advice for website owners on the receiving end of the ominous correspondence."
- Art Law Journal (April 13, 2014):[22] "Getty Images leads a new breed of copyright trolls who target these infringers, sending extortion letters designed to scare them into paying hundreds of dollars or risk a more expensive lawsuit." As already noted, this description is consistent with a strategic lawsuit against public participation (SLAPP).
- Illinois Bar Journal (November 2014, Volume 102, Number 11, Page 518):[23] "Getty Images is famous for sending fear-inducing copyright-infringement notices to individuals and small businesses."
- The Balance (November 15, 2016):[24] "Getty will listen more closely to an innocent plea when they hear your response through an attorney who may also remind Getty of words such as, harassment, falsely accused, extortion, tort, and counter suit."
These are just a few of the many citations that I have found. The first two examples pre-date my blog entry. The other two were written independently of my blog. As noted by the Google recommendations in Problem #4, people associate Getty Images with extortion before accessing my blog. This shows that Getty Images had established their reputation as a "bully" and "copyright troll" that sends "extortion letters" before my text was written, and that my blog has not altered this reputation.
Problem #9: Alleged damage to services
The opening page of your cease-and-desist letter claims that comments on my blog "seriously jeopardize its practice". This claim is vague and unsubstantiated. Your claim provides no details that show how my specific blog entry, written over two years ago, has "seriously jeopardized" the ongoing operations of "the biggest global database" and the "supply, development and worldwide distribution of online images, videos and music", as you wrote in your letter.
According to financial reporting sites, Getty Images has had significant issues for several years:
- In 2013 (before I posted my blog entry), Bloomberg reported, "Getty Images Inc.'s debt were placed on review for a possible cut by Moody's Investors Service because of weaker-than-expected results from the photo archive".[25] In September 2013, Moody's placed Getty Images on review for downgrade, and in October 2013, Moody's downgraded Getty Images.[26]
- In 2014, Bloomberg reported that Getty Images "burned through a third of its cash in the last three months of 2014" due to declining earnings, threatening the "photo archiver's ability to invest and curb its access to credit".[27] In the same Bloomberg report, an analyst at Moody's Investors Service is quoted as saying, "They don't have as much capacity as Moody's would like to see for them to be more competitive [against rivals]."
- In 2015, Bloomberg reported improved earnings from Getty Images, but that the "company is still having trouble in its biggest division, known as midstock" and that "Getty posted revenue of $54.4 million in that unit, which sells photographs to websites and small businesses ... down from $65.4 million last year."[28] In November 2015, Moody's downgraded Getty Images again.[29]
These investment reports identify significant business problems at Getty Images and specify primary causes. At no point do any of these reports or press statements mention any impact from my blog entry. The problems at Getty Images pre-date my blog entry by more than a year. My blog entry and related comments do not appear to have had any significant impact on Getty Images' ability to provide "supply, development and worldwide distribution of online images, videos and music". To put it bluntly: don't blame me for your client's problems.
While Getty Images does report having an office in Paris, France, their corporate headquarters are located in Seattle, Washington, United States. If Getty Images in France takes issue with actions performed by their corporate headquarters, then I suggest that they take their grievances up with their corporate management and not attempt to restrict my First Amendment rights.
Conclusion
None of my statements denote defamation or litigiousness because they are true. As noted in my blog entries and in this letter, I have cited references. More references can be provided as needed.
The registered letter that I received from Cabinet Bouchara Avocats, representing Getty Images, contains many disturbing claims and actions, including:
- You intentionally sent the letter such that it forced me to miss the arbitrarily short eight-day deadline.
- Your letter attempts to transfer the jurisdiction of a communication between a US citizen and US company from the United States of America to France. This appears to be an intentional effort to circumvent applicable US laws and jurisdiction.
- Your law office ignored the statute of limitation for this claim.
- Your letter takes issue with my correct use of the word "extortion".
- The cease-and-desist letter attempts to violate my free speech rights and seeks to censor my criticism of Getty Images by legal threat. This appears to be retaliatory, harassment, and a violation of anti-SLAPP laws.
- The alterations that you demanded advise (1) against recipients seeking legal representation, and (2) against recipients responding to copyright infringement letters from Getty Images. By US legal standards, this is exceptionally bad advice.
- Your cease-and-desist letter demands that I remove, redact, or censor comments left by third-parties on my blog. This is a direct violation of their freedom of speech and is expressly protected by US law.
- The cease-and-desist letter alleges that my blog entry has damaged Getty Images' reputation. However, that reputation was clearly established prior to my blog entry and has continued unabated, without impact from my blog entry.
- The letter alleges that my reporting of factual actions performed by Getty Images, and my opinion of those actions, is responsible for "seriously jeopardizing" the business practices at Getty Images. Yet, your letter provides no proof of this claim.
These issues show that your law office has not acted in good faith and your client has no basis for action.
(You may also want to check the citations in your letter. For example, on the last page you cite the "Fist Civil Division of the French Supreme Court". I believe the word is "First" and not "Fist".)
Your letter made no mention of a preferred response method. In order to expedite my response (rather than waiting 7-14 days for a registered letter), I am emailing it to you at the email address listed on your law office's website: http://en.cabinetbouchara.com/vanessa-bouchara.html. In addition, I will be posting this letter to my blog – since you appear to read my blog.
Happy New Year,
Dr. Neal Krawetz
Owner, Hacker Factor
[1] http://web.archive.org/web/20161229045224/https://www.usps.com/holiday/holiday-schedule.htm and https://link.usps.com/2016/11/14/peak-projections/
[2] http://www.gettyimages.fr/company/terms
[3] http://web.archive.org/web/*/http://www.gettyimages.fr/company/terms
[4] http://tornado.state.co.us/gov_dir/leg_dir/olls/2013TitlePrintouts/CRS%20Title%2013%20%282013%29.pdf
[5] http://apps.leg.wa.gov/RCW/default.aspx?cite=4.16.100
[6] http://www.contentfac.com/7-secrets-of-professional-seo-writers/
[7] http://www.wikihow.com/Write-SEO-Content
[8] http://searchengineland.com/how-google-instant-autocomplete-suggestions-work-62592
[9] https://www.merriam-webster.com/dictionary/extortion
[10] http://tornado.state.co.us/gov_dir/leg_dir/olls/sl1994/sl_275.htm
[11] https://www.copyright.gov/title17/92chap1.html#107
[12] http://apps.leg.wa.gov/rcw/default.aspx?cite=9A.56.110
[13] http://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?lawCode=PEN&sectionNum=518.
[14] https://en.wikipedia.org/wiki/Strategic_lawsuit_against_public_participation
[15] http://www.dmlp.org/legal-guide/anti-slapp-law-colorado
[16] http://www.extortionletterinfo.com/forum/getty-images-letter-forum/attorney-advises-to-just-ignore-the-getty-mccormack-letters/ and https://www.quora.com/What-is-the-best-way-to-deal-with-a-Getty-Images-settlement-letter
[17] http://www.ibtimes.com/getty-images-lawsuits-enforcement-or-trolling-fear-letters-dwindling-stock-photo-1554122 and https://www.scribd.com/document/205476676/GettyX5
[18] https://www.law.cornell.edu/uscode/text/47/230
[19] https://www.eff.org/issues/cda230
[20] https://www.congress.gov/bill/114th-congress/house-bill/5111 and https://www.whitehouse.gov/the-press-office/2016/12/15/statement-press-secretary-hr-3471-hr-4419-hr-5111-hr-5509-hr-5995-s-795
[21] http://www.ibtimes.com/getty-images-lawsuits-enforcement-or-trolling-fear-letters-dwindling-stock-photo-1554122
[22] http://artlawjournal.com/tips-responding-getty-images-demand-letter/
[23] https://www.isba.org/ibj/2014/11/lawpulse/yourclientgotgettyimagesdemandlette
[24] https://www.thebalance.com/can-i-ignore-a-getty-settlement-demand-letter-no-3514934
[25] https://www.bloomberg.com/news/articles/2013-09-04/caryle-group-s-getty-images-ratings-on-review-for-cut-by-moody-s
[26] https://www.moodys.com/credit-ratings/Getty-Images-Inc-credit-rating-823229142
[27] https://www.bloomberg.com/news/articles/2015-02-25/carlyle-s-getty-images-said-to-run-tight-on-cash-as-profit-drops
[28] https://www.bloomberg.com/news/articles/2015-07-30/carlyle-s-getty-images-debt-jumps-after-earnings-said-to-improve
[29] https://www.moodys.com/credit-ratings/Getty-Images-Inc-credit-rating-823229142
The End is Near
Saturday, 31 December 2016
I had really wanted to end this year with a happy, positive blog post. Unfortunately, the topics that I typically focus on have all been really negative. For example, I often comment on politics and how the decisions by governments impact computer security and technology. However, this year has been filled with extremely negative political news. Our rights to free speech and computer privacy are so threatened that the Internet Archive is actively deploying a complete backup in Canada -- in order to mitigate any efforts to censor online content. They are also actively mirroring public government records for fear that they will be removed or altered. This fear seems justified since the removals and alterations have already begun.
In international news, we have Brexit, multiple terror attacks in Europe, attacks on police, the Syrian crisis and the rise of anti-Muslim bigotry. The only solid positive news that I could find was the recent Colombia peace agreement with FARC (let's hope the peace lasts longer than the 50 year war).
Cyber attacks were certainly up in 2016. The Democratic party email hacks, the Republican party email hacks (that they deny, but it really looks like it happened), the NSA was compromised, another Yahoo breach, massive DDoS attacks, the FBI's quest to compromise the San Bernardino iPhone, and the banking SWIFT network was exploited. And that's nowhere near the full list.
The Internet of Things (IoT) has also been a heated point of negativity. While there are many more Internet-enabled gadgets, they seem to have a near-universal lack of security. 2016 saw the rise of Mirai -- a massive botnet of IoT devices. While this is a relatively new development, it was clearly just the tip of the iceberg. Already, we have seen another Mirai variant and there are reports of a new, bigger, and badder botnet. From a network defense viewpoint, 2017 is shaping up to be a very ugly year.
Self driving cars were all over the news. A couple of people died because of this. And Uber's self-driving cars were kicked out of San Francisco due to safety concerns (and a lack of permits).
Many of my blog entries focus on debunking fake stories and exposing altered photos. Again, 2016 was not a pleasant year. "Fake news" and "Post-Truth" were all over the news (both in content and in descriptions of the problem). When people see potentially fake pictures, they upload them to my FotoForensics site for analysis. For the first time since the site came online, the number of political and war pictures surpassed the number of dating site pictures. The only silver lining here is that tech companies like Google and Facebook suddenly took notice that they are a big part of the problem.
Sometimes I blog about celebrities. But 2016? David Bowie and Prince, Florence Henderson and Alan Thicke, Carrie Fisher and Debbie Reynolds... If I listed all of the names here, then this blog would read more like a who's who obituary of treasured artists who influenced entire generations. (And yet, we're still left with One Direction. Seriously?)
Occasionally I branch out and blog about some of my other interests. Earlier this month, I even tried to create my first gingerbread house. I never realized how hard and time consuming this was. While I never finished it, I have a new level of respect for food artists.

(Yes, it was going to be a tie fighter blowing up a house.)
There were a couple of good things this year, and a lot of it happened in the scientific community. My list of the biggest discoveries includes proof that gravitational waves exist, SpaceX successfully landed their reusable rocket, and measles was eradicated in the Americas. Beyond science, there was a new Star Wars prequel that was really good, the Cubs won the World Series, and uh... I'm sure there's more....
I really wanted to end this blog entry with a positive note. The Boss suggested that I change focus and do something with puppies and kittens and unicorns. I've never been much of an artist, but here I go:

Have a Happy New Year,
Neal Krawetz, Hacker Factor
Access to Public Information
Tuesday, 27 December 2016
I am a huge fan of the Internet Archive (archive.org). They have a fundamental belief that information should be retained. Unfortunately, other organizations seem to be intentionally blocking access.
About Time
When I first spoke with the Internet Archive's Brewster Kahle, he described their service as providing another dimension for the web: time. Google, Bing, Yahoo, and other search engines are great at showing you what is online right now. However, they don't show you how a web site has changed over time. This is where the Internet Archive comes in: they record snapshots of web sites so you can see what it looked like on a specific date.
As an example, Facebook often changes their terms of service. It's easy to see their current terms of service. But what did it look like last year or two years ago? This is where the Internet Archive's Wayback Machine comes in. They occasionally mirror Facebook's terms of service, allowing you to see every version going back years.
Beyond their Wayback Machine, they also have "collections". Unlike the web mirrors from the Wayback Machine, the Collections are groups of files uploaded by hundreds of people. For example, I had my own mirror of North Korea's Flickr account -- made shortly after Anonymous compromised the DPRK's Flickr account and hours before DPRK deleted their account. If I keep these files to myself, then they'll be safe but unavailable to anyone else. So instead, I created a Collection at the Internet Archive and uploaded them for public access. Now anyone in the world can see pictures from North Korea's (now deleted) Flickr stream -- both the official pictures and pictures uploaded by Anonymous.

Filtering
I run a web service called RootAbout. This is a search-by-image service that has indexed the Collections at the Internet Archive. (It does not yet index the Wayback Machine; only the Collections.) Although it searches for pictures at the Internet Archive, it doesn't mirror their content. RootAbout depends on connectivity to archive.org in order to retrieve metadata and thumbnail images.
Over the weekend, my RootAbout server began sending me alerts, informing me that connectivity to archive.org was down. I received one alert on 2016-12-24, a handful on 2016-12-25, and a complete lack of connectivity on 2016-12-26.
Fortunately for me, I've been working on a new traceroute system (same general purpose, very different method). This allowed me to rapidly identify the source of the blockage: Comcast. Specifically, te-0-2-0-26-pe02.910fifteenth.co.ibone.comcast.net (50.248.118.157). Here's one way I identified it:
- Identify the target. This is a simple hostname look-up: archive.org has address "207.241.224.2". I repeated this from a couple of different locations on the Internet, just to make sure it wasn't a DNS issue.
- Traceroute. I performed a traceroute to archive.org from my RootAbout server:
$ traceroute archive.org
traceroute to archive.org (207.241.224.2), 30 hops max, 60 byte packets
1 ip-65-183-76-61.rev.frii.com (65.183.76.61) 0.442 ms 0.410 ms 0.363 ms
2 * * *
3 * * *
4 * * *
5 * * *
6 * * *
7 *^C
The "* * *" means it timed out. Using Wireshark, I see no reply at all. This means that there is no connectivity right outside of my hosting provider.
- Varying addresses. Generally, when connectivity goes down, it goes down for an entire subnet. In contrast, filters are often applied to single network addresses. The Internet Archive has a very large network range (207.241.224.0 - 207.241.239.255), but their "archive.org" web server is only located at one address in that range. I decided to test other addresses in that range. Since archive.org's IP address ends with ".2", I decided to test ".1" and ".3".
$ traceroute 207.241.224.1
traceroute to 207.241.224.1 (207.241.224.1), 30 hops max, 60 byte packets
1 ip-65-183-76-61.rev.frii.com (65.183.76.61) 0.393 ms 0.352 ms 0.304 ms
2 te-0-2-0-26-pe02.910fifteenth.co.ibone.comcast.net (50.248.118.157) 2.726 ms 2.709 ms 2.756 ms
3 hu-1-3-0-3-cr02.denver.co.ibone.comcast.net (68.86.84.161) 3.596 ms hu-1-2-0-5-cr02.denver.co.ibone.comcast.net (68.86.86.125) 4.133 ms hu-1-3-0-0-cr02.denver.co.ibone.comcast.net (68.86.83.5) 3.424 ms
4 be-10817-cr01.seattle.wa.ibone.comcast.net (68.86.84.206) 29.929 ms 29.921 ms 29.884 ms
5 hu-0-10-0-1-pe05.seattle.wa.ibone.comcast.net (68.86.88.126) 27.845 ms 27.838 ms 27.804 ms
6 as11404-1-c.seattle.wa.ibone.comcast.net (23.30.206.34) 29.863 ms 30.063 ms 30.032 ms
7 cr2-sea-b-te-0-0-0-9.bb.spectrumnet.us (174.127.140.158) 28.229 ms cr2-sea-b-te-0-0-0-8.bb.spectrumnet.us (174.127.140.154) 29.098 ms 29.312 ms
8 cr1-529bryant-te-0-0-0-18.bb.spectrumnet.us (174.127.140.146) 38.349 ms 38.568 ms 38.576 ms
9 cr1-200p-a-hu-0-7-0-21-0.bb.as11404.net (192.175.28.143) 39.250 ms 39.527 ms 39.491 ms
10 agg2-200p-a-te-0-0-0-3.bb.spectrumnet.us (208.76.184.46) 38.693 ms 38.779 ms agg2-200p-a-te-0-0-0-5.bb.spectrumnet.us (208.76.184.50) 38.739 ms
11 archive.org-BE.demarc.spectrumnet.us (208.76.187.90) 38.493 ms 38.505 ms 38.470 ms
12 207.241.224.1 (207.241.224.1) 38.767 ms 38.749 ms 38.714 ms
$ traceroute 207.241.224.3
traceroute to 207.241.224.3 (207.241.224.3), 30 hops max, 60 byte packets
1 ip-65-183-76-61.rev.frii.com (65.183.76.61) 0.379 ms 0.339 ms 0.295 ms
2 te-0-2-0-26-pe02.910fifteenth.co.ibone.comcast.net (50.248.118.157) 3.952 ms 4.004 ms 4.117 ms
3 hu-1-2-0-3-cr02.denver.co.ibone.comcast.net (68.86.84.61) 4.278 ms hu-1-3-0-3-cr02.denver.co.ibone.comcast.net (68.86.84.161) 4.811 ms hu-1-3-0-5-cr02.denver.co.ibone.comcast.net (68.86.84.169) 4.777 ms
4 be-10817-cr01.seattle.wa.ibone.comcast.net (68.86.84.206) 29.870 ms 29.849 ms 29.811 ms
5 hu-0-11-0-1-pe05.seattle.wa.ibone.comcast.net (68.86.88.154) 27.909 ms 27.892 ms 27.919 ms
6 as11404-1-c.seattle.wa.ibone.comcast.net (23.30.206.34) 27.886 ms 27.935 ms 27.926 ms
7 cr2-sea-b-te-0-0-0-9.bb.spectrumnet.us (174.127.140.158) 29.397 ms cr2-sea-b-te-0-0-0-8.bb.spectrumnet.us (174.127.140.154) 28.120 ms cr2-sea-b-te-0-0-0-9.bb.spectrumnet.us (174.127.140.158) 28.097 ms
8 cr1-529bryant-te-0-0-0-18.bb.spectrumnet.us (174.127.140.146) 38.419 ms 38.407 ms 39.744 ms
9 cr1-200p-a-hu-0-7-0-21-0.bb.as11404.net (192.175.28.143) 39.616 ms 39.439 ms 39.397 ms
10 agg2-200p-a-te-0-0-0-2.bb.spectrumnet.us (208.76.184.44) 39.040 ms agg2-200p-a-te-0-0-0-7.bb.spectrumnet.us (208.76.184.54) 39.703 ms agg2-200p-a-te-0-0-0-2.bb.spectrumnet.us (208.76.184.44) 39.022 ms
11 archive.org-BE.demarc.spectrumnet.us (208.76.187.90) 38.631 ms 38.623 ms 38.589 ms
12 wbgrp-registrar.us.archive.org (207.241.224.3) 38.811 ms 38.809 ms 38.802 ms
This is a clear indication that the filtering is specific to one IP address (archive.org, 207.241.224.2) and not a generic network routing issue.
- Decoding Hostnames. Many network providers embed informative strings in the hostname. In this case, te-0-2-0-26-pe02.910fifteenth.co.ibone.comcast.net is extremely informative:
- "comcast.net" identifies the provider as Comcast.
- "ibone" identifies Comcast's Internet backbone service. (This is different from cbone, which is for Comcast-to-Comcast routing.)
- "910fifteenth.co" identifies the building. This router should be physically located at 910 Fifteenth Street, Denver, Colorado. According to Google Maps, that's in the heart of downtown Denver. In that building are a couple of big colocation providers, including Level3, CoreSite Denver, and Massive Networks Denver.
- "pe" typically denotes a peering service. Peering is one of those big net neutrality debate issues. Companies typically pay a premium for a high speed dedicated peering connection that bypasses most of the Internet.
- Other Routes to Archive.org. I tested traceroute from sites that could connect to archive.org. This includes my office, a coffee shop, and a friend's home network. They could all reach archive.org (it doesn't look down to them). However, traceroute showed that none of them went through the same Comcast router (50.248.118.157). Instead, they all followed the same route starting at 68.86.84.206 (Comcast in Seattle). This is consistent with the previous finding, that Comcast's router in Denver (50.248.118.157) is filtering the network traffic.
- Other Routes through Comcast. I spot-checked connectivity from my server to other online services. Facebook, Google, Bing, Slack, and many others were working without issue. Then I got the idea to see who else uses Comcast's router in Denver...
$ traceroute nih.gov
traceroute to nih.gov (54.235.145.223), 30 hops max, 60 byte packets
1 ip-65-183-76-61.rev.frii.com (65.183.76.61) 0.478 ms 0.437 ms 0.368 ms
2 te-0-2-0-26-pe02.910fifteenth.co.ibone.comcast.net (50.248.118.157) 2.543 ms 2.593 ms 2.507 ms
3 hu-1-2-0-2-cr02.denver.co.ibone.comcast.net (68.86.84.177) 4.450 ms hu-1-2-0-4-cr02.denver.co.ibone.comcast.net (68.86.86.113) 4.408 ms hu-1-2-0-5-cr02.denver.co.ibone.comcast.net (68.86.86.125) 4.350 ms
4 be-11724-cr02.dallas.tx.ibone.comcast.net (68.86.84.230) 16.845 ms 16.794 ms 16.734 ms
5 be-12441-pe01.1950stemmons.tx.ibone.comcast.net (68.86.89.206) 16.304 ms 16.259 ms 16.581 ms
6 50.242.148.102 (50.242.148.102) 17.284 ms 16.171 ms 16.095 ms
...
There it is, at hop #2. As far as I can tell, the connection path from my server to most .gov sites routes through 50.248.118.157. This would appear to be someone trying to filter access to or from archive.org for some gov sites, and my server happens to be seeing the filtering from the other side.
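The comparison performed in the steps above (a trace to the filtered address goes silent at a hop where traces to its neighbours ".1" and ".3" still get answers) can be made repeatable. The following is an added example, my own code rather than the post's tooling: it parses the text that Linux traceroute prints, finds the hop at which the filtered trace goes dark, checks that sibling traces share the path up to that hop and are all answered there by the same router, and decodes that router's hostname following the reading of Comcast's naming given above. The sample traces are constructed and abbreviated from the ones quoted in the post; the hostname pattern is an assumption about how these names are built, and the "cr" = core router label is my assumption, not something the post states.

```python
"""Locate a per-address filter by comparing traceroutes to neighbouring IPs.

Added example (not the post's own tooling). Sample traces below are
constructed, abbreviated from the ones quoted in the post.
"""
import re
from typing import Dict, List, Optional, Tuple

Hop = List[Tuple[str, str]]   # [(hostname, ip), ...]; empty when every probe timed out
Trace = Dict[int, Hop]

TRACE_FILTERED = """\
traceroute to archive.org (207.241.224.2), 30 hops max, 60 byte packets
 1  ip-65-183-76-61.rev.frii.com (65.183.76.61)  0.442 ms  0.410 ms  0.363 ms
 2  * * *
 3  * * *
"""
TRACE_DOT1 = """\
traceroute to 207.241.224.1 (207.241.224.1), 30 hops max, 60 byte packets
 1  ip-65-183-76-61.rev.frii.com (65.183.76.61)  0.393 ms  0.352 ms  0.304 ms
 2  te-0-2-0-26-pe02.910fifteenth.co.ibone.comcast.net (50.248.118.157)  2.726 ms  2.709 ms  2.756 ms
 3  hu-1-3-0-3-cr02.denver.co.ibone.comcast.net (68.86.84.161)  3.596 ms hu-1-2-0-5-cr02.denver.co.ibone.comcast.net (68.86.86.125)  4.133 ms
"""
TRACE_DOT3 = """\
traceroute to 207.241.224.3 (207.241.224.3), 30 hops max, 60 byte packets
 1  ip-65-183-76-61.rev.frii.com (65.183.76.61)  0.379 ms  0.339 ms  0.295 ms
 2  te-0-2-0-26-pe02.910fifteenth.co.ibone.comcast.net (50.248.118.157)  3.952 ms  4.004 ms  4.117 ms
 3  hu-1-2-0-3-cr02.denver.co.ibone.comcast.net (68.86.84.61)  4.278 ms
"""

HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")
ADDR_RE = re.compile(r"(\S+)\s+\((\d{1,3}(?:\.\d{1,3}){3})\)")


def parse_trace(text: str) -> Trace:
    """Map hop number -> responders. A hop that only shows '*' maps to []."""
    hops: Trace = {}
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:                      # skip the "traceroute to ..." header
            continue
        hops[int(m.group(1))] = ADDR_RE.findall(m.group(2))
    return hops


def first_silent_hop(trace: Trace) -> Optional[int]:
    """First hop number at which every probe timed out, or None."""
    for hop in sorted(trace):
        if not trace[hop]:
            return hop
    return None


def suspect_filter_point(filtered: Trace, siblings: List[Trace]) -> Optional[Tuple[int, str, str]]:
    """(hop, hostname, ip) of the router that answers the sibling traces at the hop
    where the filtered trace goes dark; None when the traces disagree, which
    points at a routing problem rather than a filter on one address."""
    dark = first_silent_hop(filtered)
    if dark is None or not siblings:
        return None
    # Every sibling must share at least one responder with the filtered trace on
    # each hop before the silent one (sets, because load balancers vary answers)...
    for hop in range(1, dark):
        want = {ip for _, ip in filtered.get(hop, [])}
        if any(not (want & {ip for _, ip in s.get(hop, [])}) for s in siblings):
            return None
    # ...and all siblings must be answered by the same router at the silent hop.
    answers = [{ip for _, ip in s.get(dark, [])} for s in siblings]
    common = set.intersection(*answers)
    if len(common) != 1:
        return None
    ip = common.pop()
    name = next(h for s in siblings for h, i in s.get(dark, []) if i == ip)
    return dark, name, ip


# Assumed layout: <interface>-<role><unit>.<site>.<state>.<network>.<provider>
HOSTNAME_RE = re.compile(
    r"^(?P<iface>[a-z]+(?:-\d+)+)-(?P<role>[a-z]+)(?P<unit>\d+)\."
    r"(?P<site>[a-z0-9]+)\.(?P<state>[a-z]{2})\.(?P<net>[a-z]+)\.(?P<provider>[a-z0-9.-]+)$")
ROLE = {"pe": "peering router (the post's reading)", "cr": "core router (assumed)"}
NET = {"ibone": "Comcast Internet backbone", "cbone": "Comcast-to-Comcast routing"}


def decode_hostname(name: str) -> Optional[Dict[str, str]]:
    """Split a backbone router hostname into its labelled parts, or None if it
    does not follow the assumed layout (e.g. a hosting provider's reverse name)."""
    m = HOSTNAME_RE.match(name)
    if not m:
        return None
    parts = m.groupdict()
    parts["role_meaning"] = ROLE.get(parts["role"], "unknown")
    parts["net_meaning"] = NET.get(parts["net"], "unknown")
    return parts


if __name__ == "__main__":
    found = suspect_filter_point(parse_trace(TRACE_FILTERED),
                                 [parse_trace(TRACE_DOT1), parse_trace(TRACE_DOT3)])
    if found:
        hop, name, ip = found
        print(f"filtered trace goes dark at hop {hop}; siblings answered by {name} ({ip})")
        print(decode_hostname(name))
```

Run it against saved traceroute output and it reports the hop and router at which the paths diverge, which is exactly the hand comparison done above; a None result means the traces do not support the "single address filter" conclusion.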
I reported these observations to the Internet Archive. While they haven't made any official statement yet, they did confirm that I'm not the only one seeing this.
Why Filter?
I've been scratching my head, trying to figure out why someone would want to filter one specific address at archive.org. It isn't like this address is used to attack the Internet. For example, the Internet Archive runs lots of bots, but they use different addresses than this service. As far as I can tell, the filtered address is only used for the web server at "https://archive.org/". They are blocking access to archive.org, and not from.
While I have nothing authoritative, I did come up with some plausible scenarios:
- Accident. Someone edited a configuration file and accidentally pasted in the wrong network address for filtering.
- Deliberate Content Filtering. A month ago, the Internet Archive made a big announcement: they are building a new backup facility in Canada. This is in direct response to the new President-elect, who has repeatedly mentioned filtering access to information on the web. This filtering could be a first attempt to restrict access to information on the Internet. (He's not even President yet, and we're seeing content filtering.)
- Deliberate but Wrong Filtering. A week ago, the Internet Archive announced a new priority: mirror content from government sites. Donald Trump believes many baseless conspiracies, including unjustified beliefs about Muslims, China, Russia, and climate change. There is a strong belief that Trump will impose a revisionist history -- either removing or altering government documents that include proven facts but run contrary to his unproven beliefs. By mirroring these pre-revisionist documents, the Internet Archive ensures that publicly funded research will remain accessible and unaltered.
With my traceroutes, I have demonstrated that this router at Comcast sits on a path from archive.org to government sites. Thus, this filtering could be an attempt to prevent the Internet Archive from mirroring these public documents. (If there are no public copies, then who can claim that it was revised?) If this is the reason for the filtering, then the filtering was implemented wrong; they banned access to a web server that doesn't do the mirroring, and didn't ban the IP address used by archive.org's mirroring bots.
- DoS. Maybe someone else wants to deny access to archive.org. All it would take is for someone to poison some critical routers and block network connectivity. But if this is the case, then they really screwed up. They blocked access for a minority of services on the Internet, and not for most users.
If the filtering changes, spreads, or is removed, then I'll update this blog entry. Meanwhile: "Hey Comcast! Why is your router at 50.248.118.157 filtering access to the Internet Archive?"
Update 2016-12-28: The block has been removed. It appears that beginning on 2016-12-21, the IP address used by archive.org was involved in a DNS-based network attack. The attack used UDP packets, so the network address was forged to appear to be from archive.org. (There is no indication that archive.org was actually involved in the attack; this is network impersonation.) This is done to attack a service, and via forging the origination, to get the impersonated victim banned at multiple points on the Internet. The timing of this attack and targeted points where the bans occurred strongly correspond with the Internet Archive's desire to mirror all public government documents.
Tracing Routes
Saturday, 24 December 2016
I've been diving a lot deeper into network forensics over the last few months. One of the things I've been doing is separating expected traffic from unexpected traffic. And when I find unexpected traffic, I've been looking closer at the origination points.
Networking technology changes over time. I've noticed that lots of the old protocols that we used to rely upon are pretty worthless today. For example, telnet and FTP have been virtually replaced by Secure Shell (ssh, scp, and sftp).
Yes, there are still some devices that ship with telnet and/or FTP installed. However, those services are typically for local maintenance and not for across-the-Internet remote management. Unfortunately, people don't filter or disable these services, so they end up making the device vulnerable to remote compromises. On my own servers, I constantly see attackers polling for possible telnet services. According to the folks at the Internet Storm Center, these are botnets like Mirai trying to spread to unprotected Internet-of-Things (IoT) devices. Based on the rate that I'm seeing bots poll my own servers, an unprotected device with telnet enabled will likely be compromised in less than three minutes.
I still think that ISPs should consider blocking telnet (23/tcp) just as most of them block netbios (137/udp, 138/udp, 139/tcp, etc.). Meanwhile, hardware manufacturers could alleviate this problem by reducing the TTL for local maintenance ports. If telnet on your new webcam should only be accessed by the local network, then the manufacturers should set the TTL to something low, like 4 hops. This way, a bot that finds the port cannot log in because it cannot complete the TCP handshake. (The SYN-ACK would expire before reaching the attacker.)
WHOIS
Another example of a vestigial protocol is WHOIS. WHOIS permits users to query a domain and identify information about the domain's registrant. This data includes contact information in case there are problems with the domain.
Back when I first used the Internet (mid-1980s -- I feel old), WHOIS was very useful. In fact, it was useful for over two decades. But today? Not so much. Today, we have:
- Spam (and yet, not spam). Spammers began harvesting the contact email addresses from the WHOIS registrations. As a result, many domains use a honeypot email account. A decade ago, my honeypot received hundreds of emails per month. But today, it can go months without any emails. The only time it consistently gets spam is when the domain gets near its renewal period. Then I get tons of spam about suspicious companies that want to help me renew my registration for a fee. (There's no third-party service fee if I do it myself, and doing it myself takes minutes. Also, there's no risk of using a scammer who pretends to be a helpful third-party.) Even though email addresses in today's WHOIS records receive very little spam, admins are so paranoid from previous experiences that it's hard to find a useful email address in case you actually need to contact the domain admin.
- Unverified info. There used to be an easy way to distinguish scam domains from real domains: if the domain info looked real, then it was likely real. However, today there is very little verification. I've seen legitimate domains with fake names, and companies that use fake addresses instead of their actual business addresses. Now, it takes a lot of digging to verify that the company actually listed the correct address as opposed to false information.
- Incomplete. You used to be able to depend on the WHOIS record to contain additional information like the registration and expiration dates. This is still true for many domains in the United States, but it isn't true for all domains. I often see domains out of Europe, Asia, and Africa that lack this information. Scam domains are typically registered and immediately used for scams. In contrast, old domains are more likely to be legitimate. Without the registration date in the WHOIS record, you cannot tell new from old.
- Private registration. All of those other issues assume that you can actually see the registrant information. Many domain name providers also provide anonymous registration. There's still a contact email address, but it's anonymized; "someone" should receive it, but you don't know who. There's also no direct contact address and no direct phone number, so you don't know anything about the domain owner.
Traceroute
When people talk about network traffic, they inevitably quote "traceroute" as a great tool. Traceroute allows you to identify the path between networked computers. For example:
$ traceroute google.com
traceroute to google.com (216.58.217.14), 30 hops max, 60 byte packets
1 ip-xx-183-xx-xx.rev.frii.com (xx.183.xx.xx) 0.486 ms 0.398 ms 0.322 ms
2 ip-xx-17-xx-xx.rev.frii.com (xx.17.xx.xx) 0.411 ms 0.356 ms 0.268 ms
3 xx.34.50.xx (xx.34.50.xx) 3.361 ms 3.525 ms 3.803 ms
4 Google.ear1.Denver1.Level3.net (4.68.71.230) 3.223 ms 3.144 ms 3.118 ms
5 72.14.234.59 (72.14.234.59) 3.299 ms 3.767 ms 3.676 ms
6 209.85.250.237 (209.85.250.237) 3.661 ms 3.809 ms 3.704 ms
7 den03s09-in-f14.1e100.net (216.58.217.14) 3.611 ms 3.560 ms 3.535 ms
This trace shows the route from my server to Google. It goes from my hosting provider (Front Range Internet; FRII) to a Level3 server in Denver, to Google (1e100.net). Traceroute sends three packets at each step of the way, and I can see the response times in milliseconds. For this purpose, traceroute is a great way to identify routes and even identify network congestion (huge time delays or timeouts).
However, today's network architectures reduce the usefulness of traceroute.
- Alternate Routes. There are tons of alternate network routes and any long path might hit load balancers that select another route. Thus, hop #2 from traceroute may be based on route "A", while hop #3 may be based on route "B". With traceroute, you have no idea what the route looks like. Results past the first 2-3 hops are likely mixed up by load balancers.
- Filtering. By default, traceroute sends packets with a specified TTL (time-to-live). For example, it uses a TTL of 1 for the first packet. This results in an ICMP hop count exceeded response from the first router -- allowing traceroute to identify the first router. A TTL of 2 identifies the 2nd router, etc. If traceroute ever receives an "echo-reply" or "destination unreachable", then it knows that the scan is complete.
The problem is that many network providers filter out ICMP echo-request or echo-reply packets. As a result, traceroute will just show you timeouts ("* * *"). Most of the time, you'll see a bunch of timeouts rather than the actual host responding to the ping. (And for all of you techies who say that Linux uses UDP instead of ICMP, I'll get to that in a moment.)
- Skipped. I've been diving deeper into traceroute and I've found that some routers will pass through ICMP hop count exceeded messages, but they won't generate them on their own. This results in a timeout during the traceroute scan.
- Blocked. Traceroute stops scanning when it receives an echo response, destination unreachable, or surpasses 30 TTL values. However, most network routers are configured to ignore ICMP packets. Thus, traceroute almost never finishes before hitting a ton of non-responses; it almost always hits the max TTL value for testing (30 hops).
- Random. I've found a couple of ISPs that appear to route traceroute packets differently. Rather than taking a direct route, they get randomly forwarded in circular routes, never reaching the intended host. In effect, the path identified by traceroute is as informative as the route from a pachinko machine.
There are a few alternatives to these traceroute issues. For example, since many hosts block ICMP echo-request packets, there are now options to do a traceroute using TCP or UDP packets. While Windows (tracert) still defaults to ICMP, Linux defaults to UDP probes aimed at high, unused ports (starting at 33434) and finishes when the target answers with an ICMP "port unreachable" (a flavor of destination unreachable). The Linux traceroute also accepts -I for ICMP probes and -T for TCP SYN probes; a SYN to port 80 or 443 of a web server usually survives firewalls that drop everything else. However, some networks even filter these messages.
There are also alternate concepts, such as paris-traceroute and dublin-traceroute. These tools keep the header fields that per-flow load balancers hash (addresses, protocol, and ports) identical across every probe of a run and carry the probe sequence number elsewhere, so all probes follow the same path. Their multipath mode then deliberately varies those fields to identify load balancers and map out all alternate routes.
(For full disclosure: paris-traceroute works as advertised, but it has a huge number of options that must be adjusted in order to get solid results. In contrast, I never got dublin-traceroute to work. The code wouldn't compile, and trying to apt-get the pre-compiled code also tried to bring in a page full of replacement dependencies -- too many for my liking, so I didn't install the executables.)
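To make the load-balancer, "Skipped" and "Blocked" problems above concrete, here is a small simulation added as an example (it is not code from the original post, nor from the paris-traceroute or dublin-traceroute projects). It models a constructed six-hop topology with a per-flow load balancer and one router that never generates ICMP errors, then walks it three ways: classic Linux-style UDP traceroute, which changes the destination port on every probe; Paris-style probing, which pins the ports for the whole walk; and a multipath enumeration over several flows. The router names, the hash function, the port numbers and the "silent" router are all assumptions of the example.

```python
from dataclasses import dataclass

# Constructed topology for this example (an assumption, not a real network):
# two fixed hops, then a load balancer "LB" that hashes each packet's ports
# into one of two parallel three-router branches which rejoin at the target.
COMMON = ["R1", "LB"]
BRANCHES = {0: ["B1", "B2", "B3"], 1: ["C1", "C2", "C3"]}
TARGET = "target"
# A router that forwards traffic (including other routers' ICMP errors) but
# never generates ICMP Time Exceeded itself: the "Skipped" case.
SILENT = {"C2"}
SRC_PORT = 40000
BASE_PORT = 33434   # where classic UDP traceroute starts its destination ports


@dataclass(frozen=True)
class Probe:
    src_port: int
    dst_port: int
    ttl: int


def flow_hash(src_port, dst_port):
    """Stand-in for a per-flow load balancer's hash; any port change may flip the path."""
    return (src_port + dst_port) % len(BRANCHES)


def path_for(probe):
    """Routers the probe traverses, in order, ending at the target."""
    return COMMON + BRANCHES[flow_hash(probe.src_port, probe.dst_port)] + [TARGET]


def send(probe, target_responds=True):
    """Simulate one probe. Returns (responder, message); (None, None) is a timeout."""
    routers = path_for(probe)[:-1]
    if probe.ttl <= len(routers):
        router = routers[probe.ttl - 1]          # TTL reaches zero at this router
        if router in SILENT:
            return None, None                    # dropped without an ICMP error
        return router, "time-exceeded"           # ICMP type 11: TTL exceeded in transit
    if not target_responds:
        return None, None                        # firewall drops the probe: the "Blocked" case
    return TARGET, "port-unreachable"            # UDP probe hit a closed port


def trace(ports_for_ttl, max_ttl=30, target_responds=True):
    """Generic TTL walk. ports_for_ttl(ttl) chooses the (src, dst) ports of each probe."""
    hops = []
    for ttl in range(1, max_ttl + 1):
        src, dst = ports_for_ttl(ttl)
        responder, message = send(Probe(src, dst, ttl), target_responds)
        hops.append(responder)
        if message == "port-unreachable":        # the target answered: scan complete
            break
    return hops


def classic_traceroute(max_ttl=30, target_responds=True):
    """Linux default behaviour: the destination port increments with every probe."""
    return trace(lambda ttl: (SRC_PORT, BASE_PORT + ttl - 1), max_ttl, target_responds)


def paris_traceroute(dst_port=BASE_PORT, max_ttl=30, target_responds=True):
    """Paris-style probing: the ports (the flow) stay fixed for the whole walk."""
    return trace(lambda ttl: (SRC_PORT, dst_port), max_ttl, target_responds)


def enumerate_paths(n_flows=6, max_ttl=30):
    """Paris traceroute's multipath idea: walk several distinct flows and
    collect, per hop, every router that answered."""
    per_hop = {}
    for i in range(n_flows):
        walk = paris_traceroute(BASE_PORT + i, max_ttl)
        for hop, responder in enumerate(walk, start=1):
            if responder is not None:
                per_hop.setdefault(hop, set()).add(responder)
    return per_hop


def render(hops):
    """Print a walk the way traceroute does, with '*' for a timed-out hop."""
    return " -> ".join("*" if h is None else h for h in hops)


if __name__ == "__main__":
    print("classic:", render(classic_traceroute()))
    print("paris:  ", render(paris_traceroute()))
    print("blocked:", render(classic_traceroute(target_responds=False)))
    for hop, names in sorted(enumerate_paths().items()):
        print(f"hop {hop}: {sorted(names)}")
```

The classic walk reports R1, LB, B1, a timeout, B3 and then the target: it never mentions the C branch at all, and the "*" at hop 4 is actually the silent router C2 on the other path, not a gap in the B path. Pinning the ports gives one consistent branch, and walking six flows recovers both branches (with C2 missing from hop 4, exactly as a silent router would appear in real output). With the target silenced, the walk runs to the 30-hop limit.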
The Up Side
I'm slowly making a list of the protocols I expect to see and "everything else". Since my server doesn't run telnet or FTP or WHOIS, I know that any unexpected requests are from hostile entities. And since most hosts are within 9-20 hops of my server, and most computers default to an initial TTL of 64 or larger, I know that an arriving packet with a TTL of 1 denotes someone running a traceroute. My new plan is to no longer ignore these packets; I'm now profiling them as hostile actors.
As we enter the holiday gift-giving season, remember all of your new IoT gadgets. Check them for telnet, FTP, and other open services. Be safe online by making sure that your new gizmos are protected by a firewall. While this won't prevent every network attack, it will certainly cut down on the obvious ones.
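The profiling described under "The Up Side" can be put into code. The following is an added example (not the author's own tooling) that classifies a handful of constructed packet summaries of the kind a host firewall log or a pcap reader would yield: anything arriving with a TTL of 1 is tagged as a traceroute probe, anything aimed at a service the host does not run is tagged by service name, and for ordinary traffic it estimates the sender's hop distance from the received TTL. The expected-service set, the packet records and the addresses (RFC 5737 documentation ranges) are assumptions of the example.

```python
# Constructed packet records for this example (src, proto, destination port,
# TTL as received). The addresses are RFC 5737 documentation ranges.
PACKETS = [
    {"src": "203.0.113.5",  "proto": "tcp", "dport": 443,   "ttl": 52},   # ordinary HTTPS client
    {"src": "198.51.100.7", "proto": "tcp", "dport": 23,    "ttl": 114},  # telnet probe
    {"src": "192.0.2.9",    "proto": "udp", "dport": 33437, "ttl": 1},    # traceroute's final probe
    {"src": "192.0.2.9",    "proto": "tcp", "dport": 21,    "ttl": 50},   # same source, FTP later
    {"src": "203.0.113.77", "proto": "tcp", "dport": 43,    "ttl": 241},  # WHOIS from a 255-TTL stack
]

# Assumption for this example: the only services this server legitimately offers.
EXPECTED = {("tcp", 22), ("tcp", 80), ("tcp", 443)}
# Ports the post singles out as never legitimate on this host.
NOISY = {21: "ftp", 23: "telnet", 43: "whois"}
# Initial TTLs used by common stacks (Linux 64, Windows 128, some network gear 255).
INITIAL_TTLS = (64, 128, 255)
# A packet delivered with TTL 1 travelled exactly as far as its sender allowed:
# that is traceroute's final probe, not ordinary traffic.
PROBE_TTL = 1


def estimate_hops(ttl):
    """Guess the sender's initial TTL and the hop distance it implies.
    Only meaningful for ordinary traffic, not for deliberately low-TTL probes."""
    for initial in INITIAL_TTLS:
        if ttl <= initial:
            return initial, initial - ttl
    raise ValueError(f"impossible TTL {ttl}")


def classify(pkt):
    """Return the list of reasons this packet looks hostile (empty for benign traffic)."""
    tags = []
    if pkt["ttl"] <= PROBE_TTL:
        tags.append("traceroute-probe")
    elif (pkt["proto"], pkt["dport"]) not in EXPECTED:
        name = NOISY.get(pkt["dport"], str(pkt["dport"]))
        tags.append(f"unexpected-service:{name}")
    return tags


def profile(packets):
    """Aggregate hostile indicators per source address, sorted for stable output."""
    hostile = {}
    for pkt in packets:
        tags = classify(pkt)
        if tags:
            hostile.setdefault(pkt["src"], set()).update(tags)
    return {src: sorted(tags) for src, tags in hostile.items()}


if __name__ == "__main__":
    for pkt in PACKETS:
        initial, hops = estimate_hops(pkt["ttl"])
        print(f"{pkt['src']:>14} {pkt['proto']}/{pkt['dport']:<5} ttl={pkt['ttl']:<3} "
              f"(initial {initial}, ~{hops} hops) {classify(pkt) or 'ok'}")
    for src, tags in profile(PACKETS).items():
        print(f"hostile: {src} {tags}")
```

Only the HTTPS client comes out clean; the traceroute source is the same address that later tries FTP, which is the kind of correlation the profiling is meant to catch. The hop estimate (12-14 hops for the ordinary records) is the sanity check behind the "9-20 hops" figure in the text: a normal client whose TTL implies a wildly different distance deserves a second look too.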
You Better Watch Out
Sunday, 11 December 2016
As we enter the holiday season, I'm seeing more and more Internet-enabled devices available to consumers. The Internet of Things (IoT) is based on the concept of making everything network-enabled. However, this always makes me question "why would you want that?"
For example, there's a product called the iKettle. This Internet-enabled teapot allows your smartphone to start the water boiling remotely. But I have to ask: do we really need this?
Personally, if I want fast boiling water, then I use a microwave oven. 1 minute on high boils a cup of water. It takes me a minute to break out the mugs and cocoa powder, so I can multitask while the water heats. In contrast, the iKettle can boil the water ahead of time, but I still need to spend a minute pulling out mugs and cocoa powder.
As an aside, I find it ironic that my cocoa powder by Swiss Miss has "As much calcium as a glass of milk... just add milk."
(If I add water, then does that mean it doesn't have calcium? What if I use hard water?)
I'm not even going into the security risks related to how the iKettle can expose your wifi password. I mentioned that in a previous blog entry.
In fact, this year has a selection of Internet-enabled water bottles. There's the Hidrate Spark and the smart bottle by Thermos. Both track how much water you drink. The Thermos bottle even tracks the water's temperature. (I find it funny that it provides "real-time temperature readings" but is "not for use with hot liquids".)
You better not cry
Back in 2013, Huggies tested a new product called TweetPee. This device attaches to a diaper and lets you know (via Twitter) whether your baby needs changing.
Personally, I view this as oversharing. I don't think everyone on Twitter should know when that diaper is dirty. Besides, kids have their own built-in alarm system called "crying". Parents even have some built-in sensors -- like noses and fingers -- that can detect if the diaper is dirty. (And before you cringe at the thought of putting your finger into a diaper to see if it is dirty, just wait until you have to clean projectile vomit and diaper leaks. If you're that squeamish, then don't have kids.)
Amazingly, I can find lots of news reports about TweetPee, but no products for sale. I guess it didn't make it past the initial product reviews and limited testing.
Better not pout
Not every IoT device is related to liquids. For example, there is Bluesmart luggage. This Internet-enabled suitcase allows you to locate your bag anywhere in the world. As a frequent traveler, the more I think about Bluesmart, the stupider it becomes:
- At the airport, you can expect questions like "Has your luggage been in your control this entire time?" If the answer is "yes", then you don't need Bluesmart. If the answer is "no", then Bluesmart won't tell you what happened when it was away.
- If you use it as a carry-on, then you know it is on the plane and you don't need Bluesmart.
- If you check it as luggage, then it is outside of the Bluetooth range; you can't control it.
- The specs say that it is also "Equipped with 3G Cellular Data and GPS". Except that you are supposed to turn off all cellular devices before getting on the plane. If the device is turned off, then you cannot track it. And if you leave it on, then it will likely have a drained battery after a long flight so, again, it won't work. (Cellular devices constantly try to connect to ground towers when flying, and that quickly drains the battery!)
- What about trains and buses? If your luggage isn't with you, then it's in a metal-enclosed luggage storage area. That means it has weak or no cell coverage, and no GPS.
- And what happens if you do discover that your luggage didn't get on your flight? Well, they're not going to hold the plane while they search for your bags. You'll just be happy to know that they lost your luggage before you took off, rather than after you land. And telling the airline the exact GPS location of your missing luggage probably won't help them recover it any faster.
Making a list and checking it twice
Of course, most of the people I've talked to are interested in wireless security cameras. One friend is using a new camera to watch his new puppy. Another used something similar to figure out which cat wasn't using the litter box. I'm also seeing more houses with cameras that watch the premises for potential burglars or thieves. (They may not be able to stop the crime, but they can still hand over pictures of the perpetrators to the police.)
I recently looked at some PTZ cameras (pan/tilt/zoom), since my old Foscam died. (Foscam just isn't built to last.) Some of the product comments were pretty startling. For example, there were complaints that some cameras won't work without Internet access. It seems that many cameras continually communicate with an external service, even if you want to use them on a private local network. Of course, the security geek in me makes me wonder: What are they sending and why?
There are also configuration issues. For example, many users don't change the default administrative password. And some cameras have backdoor accounts that cannot be disabled. As a result, there are plenty of private web cams that are publicly accessible. You can browse a list of them at Insecam. When I took a peek, I saw kids playing in swimming pools, an empty exercise room, a storage closet in Russia, and some guy sleeping on the job in Korea.
(For my own needs, I've converted a couple of old cellphones into Internet-enabled cameras using DroidCam. As long as the phone is plugged in, the camera is fine.)
He sees you when you're sleepin', so be good for goodness sake
The funniest IoT device that I've heard about this year is the Smarttress -- an Internet-enabled mattress. This device includes multiple sensors that can identify when the bed is in use and how it is used.
Now, I can totally see this being marketed toward sleep researchers or people with sleep disorders like night terrors, insomnia, or sleep apnea. I can totally envision people who are into body hacking and sleep tracking really being interested in this bed.
However, that's not how Smarttress is being marketed. This Internet-enabled mattress is intended for people who suspect infidelity. On their web site, they actually have a heading titled "Lover Detection System". Not only can you determine when your lover is unfaithful, you can tell for how long, what positions, and how vigorously. The company actually sells it with the tag line: "If your partner isn't faithful, at least your mattress is."
Personally, I think this mattress is a waste of money. It's like when people write to me to forensically evaluate their spouse's computer because they suspect their partner is having an affair. First, I can't: it's called "digital trespassing" and it's a felony if I don't have the partner's permission. And second, if they have this kind of suspicion, then they don't need a forensic analyst; they need a divorce attorney. (Even if the accusation is false, they have serious trust issues in their relationship. Better to end it now.) By the same token, if you think your partner is unfaithful, then you don't need a digital bed.
Then again, maybe Smarttress should market this bed to dog owners -- along with a remote control audio system that shouts "Bad dog! Off the bed!"