Ernesto Van der Sar, writing for TorrentFreak: Netflix CEO Reed Hastings says that the recent crackdown on VPN and proxy users hasn't hurt the company's results. The VPN blockade only affects a small but vocal minority, according to Hastings, and there are no signs that hordes of subscribers are abandoning ship. Earlier this year Netflix announced that it would increase its efforts to block customers who circumvent geo-blockades. As a result, it has become harder to use VPN services and proxies to access Netflix content from other countries, something various movie studios have repeatedly called for. When asked about the impact of the VPN changes on the results, Hastings brushed the issue aside as a minor detail that doesn't impact the bigger picture in any way. "It's a very small but quite vocal minority. So it's really inconsequential to us, as you could see in the Q1 results." Earlier this year, Hastings also admitted that a VPN-blocking policy might be impossible to enforce.

An anonymous reader writes: Fan Binxing, architect of the China's infamous Great Firewall, was put in the embarrassing position of having to use a VPN in front of a live audience when trying to access a blocked web page. Fang Binxing was giving a speech on internet safety at his alma mater, the Harbin Institute Technology. During the speech, he presented a defense for internet sovereignty and used North Korea's own version of the system as a talking point. Things got awkward really fast, however, when he attempted to access blocked web pages hosted in South Korea to demonstrate his point. From there his speech went from being a defense of the Firewall to a demonstration of its stupidity. Unable to access the websites he needed to continue his speech, Fang somewhat unexpectedly resorted to the same illicit tool which all expats in China are all familiar with: the beloved VPN. This raises one question: Is China's Great Firewall that easy to circumvent, or are members of the government treated differently than normal citizens?

An anonymous reader writes: During a recent round table discussion, Netflix CEO Reed Hastings commented on the company's controversial move to begin blocking the use of proxy VPN/DNS services. "We have the obligation to respect the content rights that we buy; it's just a simple fairness thing. Someone else has paid for the rights in Germany, so we should respect that, just as we would expect the same in return," he said. "The basic thing is if we license a movie here [the U.S.], and then another network licenses it in Germany, then we don't have the rights to display it in Germany. That's why we have to enforce those VPN rules, just like Amazon Prime Instant Video and others do as well. Think of it as the maturation of Internet TV."

An anonymous reader writes from an article published on TorrentFreak: [A] criminal complaint details the FBI's suspicions that 25-year-old Preston McWaters had conveyed "false or misleading information regarding an explosive device." The FBI started digging and in February 2016 two search warrants against Twitter and Facebook required them to turn over information on several accounts. Both did and the criminal complaint makes it clear that the FBI believes that McWaters was behind the accounts and the threats. With McWaters apparently leaving incriminating evidence all over the place (including CCTV at Walmart where he allegedly purchased a pre-paid Tracfone after arriving in his own car), the FBI turned to IP address evidence available elsewhere. "During the course of the investigation, subpoenas and search warrants have been directed to various companies in an attempt to identify the internet protocol (IP) address from where the email messages are being sent," the complaint reads. "All the responses from [email provider] 1&1, Facebook, Twitter, and Tracfone have been traced by IP address back to a company named London Trust Media [doing business as] PrivateInternetAccess.com. A subpoena was sent to London Trust Media and the only information they could provide is that the cluster of IP addresses being used was from the east coast of the United States," the FBI's complain reads. "However, London Trust did provide that they accept payment for their services through credit card with a vendor company of Stripe and/or Amazon. They also accept forms of payment online through PayPal, Bitpay, Bit Coin, Cash You, Ripple, Ok Pay, and Pay Garden."

While McWaters is yet to be found guilty, it's a sad fact that some people will use anonymizing services such as VPNs, pre-paid phones and anonymous email providers to harass others. And thankfully, as this case shows, they'll need to hide a lot more than their IP address to get away with that level of crime.

An anonymous reader writes: 90% of all SSL-based VPNs use insecure or outdated encryption. According to research conducted by information security firm High-Tech Bridge, almost three-quarters of all SSL VPNs use the outdated SSLv3 and SSLv2. In addition, another three-quarters use untrusted certificates exposing users to MitM attacks. 74% use SHA-1 to sign certificates, while 5% of all SSL VPNs still use MD5. All of a sudden, VPNs don't look that secure anymore.

tedlistens writes: When Ugandans went to the polls last Thursday in presidential and parliamentary elections, they participated in the most heavily-contested political battle since multiparty democracy began in 2005. As reports swirled of vote buying and excessive use of force by the police on opposition protesters, it was the attempt to block access to Facebook, Twitter, WhatsApp and mobile phone-based money services that produced the loudest reactions. In a country with the youngest population in the world, where 77 percent of the population is under 30 years of age, mobile apps have become vital to communication and commerce. During the three-day ban, an estimated 1.5 million citizens, or 15 percent of the internet-using populace, downloaded VPN software and Tor to reroute their internet connections and return to social media, where discussion about the election continued to rage.

An anonymous reader writes: Avast carried out a curious experiment at the Barcelona Mobile World Congress. They've set up 3 public Wi-Fi spots at the local airport and waited to see how many users would connect. In just 4 hours, more than 2,000 users used the free hotspots, despite the fact that they knew nothing about the WiFi network, if it was safe, or who was running it. Researchers randomly logged some traffic stats just to prove a point about how easy is to hack users on a public WiFi network. They also recommended using a mobile VPN app when navigating the Web via public WiFi.

An anonymous reader writes: An interesting paper from a PhD student in Ontario outlines a system which in initial tests has proved 97% effective at unmasking geo-spoofing VPN users. The Client Presence Verification (CPV) system presented in the paper utilises analysis of delays in network packets in order to determine the user's location, disregarding the IP address geolocation information which currently underpins the efforts of content providers such as Netflix to prevent VPN users accessing content which is not licensed in their country. The detection system was tested at global network laboratory PlanetLab using 80 network nodes based in the U.S. and Canada.

Tackhead writes: Having won a $200M judgement against Microsoft in 2010, lost a $258M appeal against Cisco in 2013, and having beaten Apple for $368M in 2012, only to see the verdict overturned in 2014, patent troll VirnetX is back in the news, having been awarded $626M in damages arising from the 2012 Facetime patent infringement case against Apple.

An anonymous reader writes: Australian unblocking service uFlix recently announced that Netflix has begun implementing its plans to block users who take advantage of web proxies and VPNs to get around location restrictions on content. Shortly afterward, the service rolled out a fix to restore service, despite Netflix's efforts. The article makes the case that Netflix is probably just fine with this: "Netflix, ultimately, is caught between a rock and a hard place. The company has gone on record many times criticizing the way content licensing deals are negotiated globally. Of course, Netflix would love to be able offer a consistent library of content around the world. But it also has to stay on-side with those who hold the rights to the content, otherwise they may threaten to pull shows and movies altogether. The result is that Netflix is going through the motions of blocking VPNs, even though it understand perfectly well that these measures are doomed to fail."

An anonymous reader writes: If Netflix's promise to invigilate users' IP addresses and block VPNs is more than a placatory sop to the lawyers, and if the studios would rather return to fighting piracy by lobbying governments to play whack-a-mole with torrent sites, the streaming company's long-term efforts to abolish or reduce regional licensing blockades could falter this year. This article examines the possible hard choices Netflix must make in appeasing major studios without destroying the user-base that got their attention in the first place. I wonder how long VPN vendors will keep bragging that their services provide worldwide streaming availability, and whether some of them will actually do a decent job of it.

An anonymous reader writes: Netflix have announced they'll be taking further steps to ensure users are not circumventing geo-restrictions. David Fullagar, Vice President of Content Delivery and Architecture at Netflix says "Some members use proxies or "unblockers" to access titles available outside their territory. To address this, we employ the same or similar measures other firms do. This technology continues to evolve and we are evolving with it. That means in coming weeks, those using proxies and unblockers will only be able to access the service in the country where they currently are. This announcement comes just days after Netflix Chief Product Officer Neil Hunt said that a VPN blocking policy might be impossible to enforce."

An anonymous reader writes: Netflix's chief product officer Neil Hunt has admitted that the company has 'no magic solution' to subscribers who use VPNs to access content not licensed for their geographical region, commenting that 'It's likely to always be a cat-and-mouse game'. Hunt notes that Netflix can only rely on lists of VPN IP addresses, and that these can easily be changed. However since Netflix subscribers pay for the service via geographically linked credit and debit cards, this article wonders if Netflix really believes that hundreds of thousands of their subscribers are permanently in migration or on holiday — and also that venerable old VPN IP addresses — ones so well-known that they are routinely challenged by services such as CloudFlare — never seem to have any trouble connecting to a Netflix account.

An anonymous reader writes: The IT community was shaken a few weeks ago when Juniper Networks firewalls were found to contain "unauthorized code" that seemed to enable a backdoor. Now, Fortinet firewalls have been found to contain an apparent SSH backdoor as well. "According to the exploit code, the undisclosed authentication works on versions 4.3 up to 5.0.7. If correct, the surreptitious access method was active in FortiOS versions current in the 2013 and 2014 time frame and possibly earlier, based on this rough release history. The weakness was eventually patched, but so far, researchers have been unable to locate a security advisory that disclosed the alternative authentication method or the hard-coded password." A spokesperson for Fortinet told El Reg, "This was not a 'backdoor' vulnerability issue but rather a management authentication issue."

Advocatus Diaboli sends a report from Glenn Greenwald at The Intercept about the NSA's efforts to subvert encryption. Back in 2013, several major publications reported that the NSA was able to crack encryption surrounding commerce and banking systems. Their reports did not identify which specific technology was affected. The recent backdoor found in Juniper systems has caused the journalists involved to un-redact a particular passage from the Snowden documents indicating the NSA targeted the "two leading encryption chips" in their attempts to compromise encryption. Quoting: The reference to "the two leading encryption chips" provides some hints, but no definitive proof, as to which ones were successfully targeted. Matthew Green, a cryptography expert at Johns Hopkins, declined to speculate on which companies this might reference. But he said that "the damage has already been done. From what I've heard, many foreign purchasers have already begun to look at all U.S.-manufactured encryption technology with a much more skeptical eye as a result of what the NSA has done. That's too bad, because I suspect only a minority of products have been compromised this way."

itwbennett writes: Security researchers and crypto experts now believe that a combination of likely malicious third-party modifications and Juniper's own crypto failures are responsible for the recently disclosed backdoor in Juniper NetScreen firewalls. 'To sum up, some hacker or group of hackers noticed an existing backdoor in the Juniper software, which may have been intentional or unintentional — you be the judge!,' Matthew Green, a cryptographer and assistant professor at Johns Hopkins University wrote in a blog post. 'They then piggybacked on top of it to build a backdoor of their own, something they were able to do because all of the hard work had already been done for them. The end result was a period in which someone — maybe a foreign government — was able to decrypt Juniper traffic in the U.S. and around the world. And all because Juniper had already paved the road.'

An anonymous reader writes: In the wake of the discovery of two backdoors on Juniper's NetScreen firewall devices, Cisco Systems has announced that they will be reviewing the software running on their devices, just in case. Anthony Grieco, a Senior Director of the Security and Trust Organization at Cisco, made sure to first point out that the popular networking equipment manufacturer has a "no backdoor" policy. According to Grieco, Although our normal practices should detect unauthorized software, we recognize that no process can eliminate all risk. Our additional review includes penetration testing and code reviews by engineers with deep networking and cryptography experience. The reviewers will be looking for backdoors, hardcoded or undocumented account credentials, covert communication channels and undocumented traffic diversions.

itwbennett writes: In a blog post on Rapid7's community portal Sunday, HD Moore posted some notes on the Juniper ScreenOS incident, notably that his team discovered the backdoor password that enables the Telnet and SSH bypass. Quoting: "Although most folks are more familiar with x86 than ARM, the ARM binaries are significantly easier to compare due to minimal changes in the compiler output. ... Once the binary is loaded, it helps to identify and tag common functions. Searching for the text "strcmp" finds a static string that is referenced in the sub_ED7D94 function. Looking at the strings output, we can see some interesting string references, including auth_admin_ssh_special and auth_admin_internal. ... The argument to the strcmp call is <<< %s(un='%s') = %u, which is the backdoor password, and was presumably chosen so that it would be mistaken for one of the many other debug format strings in the code. This password allows an attacker to bypass authentication through SSH and Telnet, as long as they know a valid username. If you want to test this issue by hand, telnet or ssh to a Netscreen device, specify a valid username, and the backdoor password. If the device is vulnerable, you should receive an interactive shell with the highest privileges."

m2pc writes: Ars Technica reports that Juniper Networks firewalls have been discovered to include "unauthorized code" inserted into their ScreenOS software. Juniper has has published an advisory addressing the matter, with instructions to patch the affected devices.

From the Ars article: "NetScreen firewalls using ScreenOS 6.2.0r15 through 6.2.0r18 and 6.3.0r12 through 6.3.0r20 are affected and require immediate patching. Release notes published by Juniper suggest the earliest vulnerable versions date back to at least 2012 and possibly earlier. ... The first flaw allows unauthorized remote administrative access to an affected device over SSH or telnet. Exploits can lead to complete compromise. 'The second issue may allow a knowledgeable attacker who can monitor VPN traffic to decrypt that traffic,' the advisory said." The rogue code was discovered during a recent internal source code review conducted by Juniper.

mache writes: My cousin is finishing up a major remodel of his home in Houston and has installed video cameras for added security. At my suggestion, he wired up all the cameras to be on a separate VLAN that only uses wired Ethernet and has no WiFi access. Since the Houston police will only respond to security alarms if the monitoring company is viewing the crime in progress, he must arrange for the video feed to available to a security monitoring company. I told him that the feed should use VPN or some other encrypted tunneling technique as it travels the Internet to the monitoring company and we proceeded to try and find a company that supported those protocols. No one I have talked to understands the importance of securing a video feed and everyone so far blithely suggests that we just open a port on his home router. Its frustrating to see such willful ignorance about Internet security. Does anyone know of a security monitoring company that we can work with that has a clue?