
Unpatched VPN makes Travelex latest victim of “REvil” ransomware

It may take longer to get your money changed when you travel, since Travelex is doing everything on paper because of a ransomware attack. (credit: iStock Editorial/Getty Images)

In April of 2019, Pulse Secure issued an urgent patch to a vulnerability in its popular corporate VPN software—a vulnerability that not only allowed remote attackers to gain access without a username or password but also to turn off multi-factor authentication and view logs, usernames, and passwords cached by the VPN server in plain text. Now, a cybercriminal group is using that vulnerability to target and infiltrate victims, steal data, and plant ransomware.

Travelex, the foreign currency exchange and travel insurance company, appears to be the latest victim of the group. On New Year’s Eve, the company was hit by Sodinokibi ransomware, also known as REvil. The ransomware operators contacted the BBC and said they want Travelex to pay $6m (£4.6m). They also claimed to have had access to Travelex’s network for six months and to have extracted five gigabytes of customer data—including dates of birth, credit card information, and other personally identifiable information.

“In the case of payment, we will delete and will not use that [data]base and restore them the entire network,” the individual claiming to be part of the Sodinokibi operation told the BBC. “The deadline for doubling the payment is two days. Then another seven days and the sale of the entire base.”


Biz & IT – Ars Technica

Nintendo Responds To RomUniverse’s Lame Argument That First Sale Doctrine Makes The Site Non-Infringing

You will recall that Nintendo, as part of its sweeping new war on ROM sites initiated a year or so ago, went particularly hard at RomUniverse and its site operator, Matthew Storman. Differentiating RomUniverse from other ROM sites is some combination of the fact that it’s run out of California as opposed to overseas, that the site is also a place to go get lots of other media that sure looks to be infringing on copyright, and Storman’s verbose attitude in making public comments that don’t paint him or his site in the best light. At the onset, as part of an attempt to crowdfund its legal battle with Nintendo, RomUniverse trotted out the claim that it was offering ROMs in an attempt to preserve video gaming history. It wasn’t a particularly believable argument given the rest of the site’s behavior and RomUniverse quickly opted for other legal arguments in court.

Storman appears to be defending himself in the matter and attempted to have the case dismissed on two grounds. The first is that Safe Harbor protections extend to RomUniverse, which Storman claims is simply a service provider and not participating or reaping commercial benefit from infringing material. Storman claims that Nintendo has acknowledged RomUniverse as a service provider by sending DMCA takedown requests to the admin for the site, at least some of which have been complied with. That, unfortunately, is not really how any of this works, as Nintendo details in its own response to Storman’s motion.

In 2009, Mr. Storman emailed members of his website that he would be adding new content including ROMs for various Nintendo game systems. In 2018, when Nintendo was successfully enforcing its intellectual property rights against other pirates, Mr. Storman bragged that he would continue to offer copies of Nintendo’s games.

Mr. Storman directly profits from this infringing activity by allowing users to sign up for “Premium Memberships.” While non-members are limited to one free download through the website, premium members pay $30 per year to Mr. Storman to download an unlimited number of pirated games, and at higher speeds than non-members.

That seems to be evidence of Storman and the site participating in the infringing activity and somewhat directly profiting from it. Whatever the DMCA safe harbors protect, that ain’t it. Nintendo goes on to argue that this sort of affirmative defense is not one to be made in preliminary motions, either, making one wonder if it isn’t time for Storman to get himself some actual professional legal counsel.

Storman’s latter claim doesn’t assuage that concern. In his petition for a dismissal, Storman claims that Nintendo actually has no standing to make the infringement claim, arguing that the uploads of the game content to the site were done by those that had legally purchased copies of these games. As such, Storman claims that First Sale Doctrine makes that game code the property of the purchaser of the game, who can resell it at will without it being infringing. As Nintendo again claims in its response, nah, dawg.

The first sale doctrine does not permit mass distribution of copyrighted works, copying of the copyrighted works or distribution of those copies, or the creation and sale of derivative works based on Nintendo’s copyrighted video games. See 17 U.S.C. § 109(a) (“the owner of a particular copy [of a copyrighted work]. . . lawfully made . . . is entitled, without the authority of the copyright owner, to sell or otherwise dispose of the possession of that copy.”) (emphasis added). Indeed, Mr. Storman’s actions fall well outside of the first sale doctrine. The first sale doctrine only allows an owner of a lawful copy of the copyrighted work to dispose of that individual copy.

We have argued in the past that Nintendo, and other gaming companies, should really find better routes for mitigating or even making good use of the effects of piracy…but none of that makes the company’s rebuttal to Storman’s claims any less valid and correct. These are claims made at the improper time, that don’t seem to comport with the site’s behavior, and that represent a misreading of the law. That isn’t going to be good for Storman’s legal outcome prospects.

Again, to reiterate from our last post on this matter, it’s time for Storman to go into damage control mode. And for the love of god, get some professional legal assistance.


Techdirt.

The Sixth Circuit Also Makes A Mess Of Section 230 And Good Internet Policy

Yesterday we wrote about a bad Section 230 decision against Amazon from the Third Circuit. But shortly before it came out the Sixth Circuit had issued its own decision determining that Section 230 could not protect Amazon from another products liability case. But not for the same reason.

First, the bad facts, which may even be worse: the plaintiffs had bought a hoverboard via Amazon, and it burned their house down (and while two of their kids were in it). So they sued Amazon, as well as the vendor who had sold the product.

From a Section 230 perspective, this case isn’t quite as bad as the Third Circuit Oberdorf decision. Significantly, unlike the Third Circuit, which found Amazon to be a “seller” under Pennsylvania law, here the Sixth Circuit did not find that Amazon qualified as a “seller” under the applicable Tennessee state law. [p. 12-13] This difference illustrates why the pre-emption provision of Section 230 is so important. Internet platforms offer their services across state lines, but state laws can vary significantly. If their Section 230 protection could end at each state border it would not be useful protection.

But although this case turned out differently than the Third Circuit case and the Ninth Circuit’s decision in HomeAway v. City of Santa Monica, it channeled another unfortunate Ninth Circuit decision: Barnes v. Yahoo. In Barnes Yahoo was protected by Section 230 from liability in a wrongful user post. After all, it was not the party that had created the wrongful content. Because it couldn’t be held liable for it, it also couldn’t be forced to take it down. But Yahoo had offered to take the post down anyway. It was a gratuitous offer, one it didn’t have to make. But, per the Ninth Circuit, once having made it, Section 230 provided no more protection from liability arising from how Yahoo fulfilled that promise.

Which may, on the surface, sound reasonable, except consider the result: now platforms don’t offer to take posts down. It just doesn’t pay to try to be so user-friendly, because if the platform can’t get things exactly right on that front, it can be sued since, per the Ninth Circuit, Section 230 ceases to provide any protection. (And even if the platform might not ultimately face liability, it would still have to face an expensive lawsuit to get there.) So thanks to this case the Ninth Circuit ended up chilling platform behavior that we would have been better off encouraging. It may have won the battle for this person (their lawsuit could proceed) but it lost the war for the rest of the public.

This case from the Sixth Circuit presents a similar problem. Amazon did not have to do anything with respect to hoverboard sales, but it created liability problems for itself when it tried to anyway. Eventually it banned them, but more at issue is that it sent an email to purchasers indicating that there had been reports of problems with them:

“There have been news reports of safety issues involving products like the one you purchased that contain rechargeable lithium-ion batteries. As a precaution, we want to share with you some additional information about lithium-ion batteries and safety tips for using products that contain them.” The email included a link for the “information and safety tips,” a link “to initiate a return,” and a request that the recipient “pass along this information” to the proper person if the hoverboard was purchased for someone else. [p. 5]

The plaintiffs argued that the email Amazon sent was not enough of a warning and that it should have been more clear about the fire hazard. [p. 6] The Sixth Circuit did not decide whether it was adequate or not. What it did decide, however, was that Section 230 was no obstacle to the litigation continuing to explore that question.

Tennessee tort law provides that an individual can assume a duty to act, and thereby become subject to the duty of acting reasonably.

[…]

In this case, Plaintiffs allege that Defendant gratuitously undertook to warn Plaintiff Megan Fox of the dangers posed by the hoverboard when it sent her the December 12, 2015 email, that Defendant was negligent in that undertaking, and that Defendant’s negligence caused them harm. The district court held that § 324A was inapplicable to Plaintiffs’ claims because it “contemplate[d] liability to third parties.” (RE 161, PageID # 2221–22.) And the district court also held that Plaintiffs forfeited any § 323 claim. The first holding was erroneous, and the second we need not address.

[…]

Plaintiffs argue that Defendant undertook to warn Plaintiff Megan Fox when it sent her the December 12, 2015 email, and that Defendant’s negligent warning caused physical harm to the other members of her family. Accordingly, while Defendant’s liability to Plaintiff Megan Fox is properly governed by § 323, Defendant’s liability to the other members of her family is properly governed by § 324A. See Grogan, 535 S.W.3d at 872–73. Thus, the district court’s holding that § 324A was inapplicable to Plaintiffs’ Tennessee tort law claim was erroneous.

Applying § 324A to the facts of this case, Defendant chose to send the December 12, 2015 email to Plaintiff Megan Fox, and in doing so plainly sought to warn her of the dangers posed by the hoverboard.

[…]

Thus, we hold that Defendant assumed a duty to warn Plaintiff Megan Fox of the dangers posed by the hoverboard when it sent her the December 12, 2015 email. [p. 13-16]

The decision’s explanation of how tort law works is not striking. The problem is that all sorts of state tort law could reach the Internet, and strangle it, if state tort law could reach platforms. And here is a court saying it can, despite the existence of Section 230 generally saying that it can’t.

In a way, though, this case is much less dire for the Internet than some of the other cases we’ve discussed, like Oberdorf, HomeAway, and the Court of Appeals ruling in Armslist. Platforms can still avoid liability. But they will avoid it by curtailing the sort of beneficial activity Section 230 normally wants to encourage. In letting these state law tort claims go forward the decision reads as a big warning sign for platforms not to bother trying to help their users in similar ways. Amazon did not have to send an email, but by trying to reach out to users anyway it tempted trouble for itself it could have avoided if it had instead done nothing.

But if that fact doesn’t pull at the heartstrings, remember that the precedent will apply to any other platform, no matter how small. The moral of this story is that it is much safer for all platforms to do nothing than to try to do something. If trying to be helpful to users causes platforms to pick up duties that they otherwise would not have had, and to face liability for not fulfilling them well enough, they won’t try. They will be discouraged from trying, even though the public would be much better off if they were instead encouraged to continue these efforts. Curtailing Section 230 to allow state tort law to reach platforms now means that instead of getting more of the user-friendly behavior Section 230 tried to encourage, we will now get less.


Techdirt.