Twitter Hits Back at Court, Prosecutors Over ‘Occupy’ Order

A police officer with a bullhorn addresses a large group of protesters affiliated with the Occupy Wall Street movement who attempted to cross the Brooklyn Bridge, Saturday, Oct. 1, 2011 in New York. Photo: Will Stevens/AP

In the battle to fight online fishing expeditions by law enforcement officials there is little we can do individually to protect ourselves — which makes it all the more important for internet companies like Twitter and Google to fight back on our behalf.

That’s exactly what Twitter did when it filed a surprisingly feisty motion (.pdf) this week in New York City Criminal Court to quash a court order demanding that it hand over information to law enforcement about one of its account holders — an activist who participated in the Occupy Wall Street protests — as well as tweets that he allegedly posted to the account over a three-month period. The company stepped in with the motion after the account holder lost his own bid to quash the order.

In its motion to quash, Twitter pointed out to the judge that the order would essentially force the company to break the law by handing over data without a warrant. Twitter also took issue with the judge’s ruling that the account holder had no right to fight the order on his own behalf.

The company further dinged prosecutors by pointing out that they could have saved everyone the trouble of dealing with this in court if they had simply printed or downloaded the publicly available tweets themselves.

“To the extent the desired content is publicly available, the District Attorney could presumably have an investigator print or download it without further burdening Twitter or the Court,” Twitter wrote in its motion.

The American Civil Liberties Union applauded Twitter’s move.

“This is a big deal,” wrote Senior Staff Attorney Aden Fine. “If Internet users cannot protect their own constitutional rights, the only hope is that Internet companies do so.”

Last January, the government, in an investigation of Malcolm Harris, asked Twitter to hand over all tweets posted to the account of @destructuremal between Sept. 15 and Dec. 31 last year, as well any information Twitter had about the owner of the account, including his e-mail address.

Harris was arrested last October for disorderly conduct during a protest that was conducted on the Brooklyn Bridge.

Prosecutors sought tweets made to the account “to refute the defendant’s anticipated defense, that the police either led or escorted the defendant onto stepping onto the roadway of the Brooklyn Bridge.” They sought the information using a 2703 order, which allows authorities to obtain data without a warrant under the Stored Communications Act, or SCA.

More powerful than a subpoena, but not as strong as a search warrant, a 2703(d) order is supposed to be issued when prosecutors provide a judge with “specific and articulable facts” that show the information they seek is relevant and material to a criminal investigation. The people targeted in the records demand, however, don’t have to themselves be suspected of criminal wrongdoing.

The Justice Department used the same type of order in December 2010 to demand information from Twitter about several people associated with the secret-spilling site WikiLeaks as part of a secret grand jury investigation. Twitter fought back in that case as well.

After Twitter received the demand for information about Harris’s account, the company notified Harris, who decided to fight it.

But on Apr. 20, Judge Matthew A. Sciarrino, Jr., denied Harris’s motion to quash the subpoena, saying that he had no standing to fight the order because he had “no proprietary interests” in the account holder’s information or in the tweets. To back this assertion, the judge quoted from Twitter’s terms of service agreement stating that account holders granted Twitter “worldwide, non-exclusive” right to use use, copy, or display the content. Since the defendant granted this license to Twitter by agreeing to the terms of service, this “demonstrates a lack of proprietary interests in his Tweets,” the judge wrote.

The judge also rejected Fourth Amendment protections Harris claimed, because the judge said that online content stored on a third-party server was not physical and therefore did not have the same privacy protections that applied, for example, to a home. Particularly when that data was published online where the public could see it.

While the Fourth Amendment provides protection for our physical homes, we do not have a “physical home” on the Internet,” the judge wrote. “What an internet user simply has is a network account consisting of a block of computer storage that is owned by a network service provider. As a user, we may think that storage space to be like a ‘virtual home,’ and with that strong privacy similar to our physical homes. However, that ‘home’ is a block of ones and zeroes stored somewhere on someone’s computer.”

Where Harris’s role in the fight ended, Twitter picked it up.

The company pointed out to the judge that in rejecting Harris’s standing to oppose the order, he had selectively quoted the company’s terms of service, leaving out one important part. It was true that in agreeing to the terms of service Harris granted Twitter the right to publish his Tweets, but the terms of service also stated that users “retain your rights to any Content you submit, post or display on or through” Twitter.

To hold that users do not have a proprietary right in their tweets “imposes a new and overwhelming burden on Twitter to fight for its users’ rights, since the Order deprives its users of the ability to fight for their own rights when faced with a subpoena from New York State,” Twitter wrote.

Twitter also further argued that handing over the data violated Harris’s Fourth Amendment protection against warrantless searches.

“Specifically, the SCA has been held to violate the Fourth Amendment to the U.S. Constitution to the extent it requires providers to disclose the contents of communications in response to anything less than a search warrant, … and the Fourth Amendment’s warrant requirement applies even when the government seeks information about allegedly public activities,” Twitter wrote.

Twitter also noted that per the SCA, a 2703 order can only compel a provider to produce content that is more than 180 days old, which would discount many of the tweets the government is requesting that will not be that old for a number of months.

Finally, Twitter argued that because the company is located in California, New York prosecutors needed to obtain a California subpoena to seek the data.

Pirates Beware: DVD Anti-Piracy Warning Now Twice as Fierce

The government and Hollywood join forces to create a new anti-piracy warning

Hollywood and the federal government have partnered to create updated and even more annoying anti-piracy warnings that will be included in new home-release DVDs and Blu-ray discs beginning this week, the government said Tuesday.

The new warnings now have three scary logos intended to deter those who might violate copyright law by making a back-up copy, ripping a movie to a tablet-friendly file, uploading it to a peer-to-peer network or make illegal copies to send to military service members in Iraq.

The original logo has been included since 2004 on the Motion Picture Association of America members’ movies, with the now-famous FBI tough-talking “anti-piracy warning label” which cautions customers who legitimately purchased a movie about the criminal penalties for copyright infringement.

Added alongside the FBI’s logo in the new version, however, is a Homeland Security Investigations “special agent” badge. That reflects the agency’s new power, handed down in 2008, to seize web domains engaged in infringing activity under the same forfeiture laws used to seize property like houses, cars and boats allegedly tied to illegal activity such as drug running or gambling.

What’s more, as an added bonus that’s even better than a James Cameron director commentary, movie fans will be treated with a second annoying screen (above) touting the National Intellectual Property Center.

That screen, like the others, presumably will be made unskippable during viewing. The warning says, “Piracy is not a victimless crime. For more information on how digital theft harms the economy, please visit” The center’s logo is tough, too, with a hawk clenching a banner that reads “Protection Is Our Trademark”.

Oddly, such warnings are rarely included in versions uploaded and downloaded via P2P networks.

That’s probably smart since the old FBI logo was copyrighted of sorts, with the movie, recording and software industries retaining exclusive rights.

The authorities moved that logo out of copyright last year. There was a maximum six-month sentence and other penalties for using the insignia without FBI approval.

ICE said the new versions, like the old one, may not be used without permission and are not in the public domain. The government said the major studios of the Motion Picture Association of America are authorized to use them.  They are Disney, Paramount, Sony, Fox, Universal and Warner Brothers.

The National Intellectual Property Center (.pdf) was approved as part of the PRO-IP Act in 2008 and acts as the government’s anti-piracy bureau. The act also gave Immigration and Customs Enforcement, under the auspices of the Department of Homeland Security, the power to seize infringing websites under a program now known as Operation in Our Sites.

“Our nation’s film and TV business is critical to our economy,” ICE Director John Morton said in a statement. “Its creativity and imagination have made American entertainment one of our greatest exports over the decades, but criminals are increasingly engaging in new forms of digital theft. Law enforcement must continue to expand how it combats criminal activity. Public awareness and education are a critical part of that effort.”

In the past two years, the authorities have seized more than 750 sites allegedly engaged in infringing activity.

Wired reported Monday about a hip-hop music site — the victim of a secret government process — that was seized for a year before it was given back to its New York operator without explanation or apology.

‘Android/NotCompatible’ Looks Like Piece of PC Botnet

A lot of recent attacks on Android users are attributed to fake websites of popular applications such as Cut the Rope, Instagram, Angry Birds, or Grand Theft Auto III. However, the very recently discovered malware NotCompatible uses a distribution method not previously seen in the mobile world. The malware hacks into vulnerable websites to inject a hidden iframe that points to a malicious application. This app is downloaded to the device without user consent when the victim visits the infected legitimate website. Let’s take a deeper look into this malicious application, which has a very interesting payload that is not common in the mobile world.

Several websites have been found with an injected hidden iframe, most of them based on an old version of WordPress and with a bad permission structure.

Malicious iFrame.

That piece of code redirects to another host, hxxp://android[censored], that detects if the browser agent is Android. In this case, the server gives the device the URL that points to the Android install package, which will be automatically downloaded and saved onto the device’s SD card. The malware is downloaded, but not executed; it requires user assistance to activate. To accomplish that step, the application names the downloaded file Update.apk and the application com.Security.Update to trick the user into believing that the download is a legitimate Android system update:

Installation Screen

As we see in the preceding images, NotCompatible will automatically start at boot. For this reason the application does not have an icon. It starts as a service running in the background only after reboot or when the device screen changes its state (between locked and unlocked). This service opens a backdoor to receive commands from a remote server.

The remote IP and port servers are encrypted with AES inside the .apk in /res/raw/data. During analysis, we decrypted this as port 48976 and port 38691. These parameters can be changed via a remote command sent by the control server.

NotCompatible uses the New I/O Proxy API implementation, which is a low-level API that provides access to intensive input/output operations. This API provides attackers an effective method to send and receive commands in custom packages.

Once the service is started, NotCompatible communicates with its control server to send TCP data packages with customized commands. The first message sent by the infected device is the following (always sent via TCP port 8014):


The control server receives this message, confirming that the infected device is active, and it responds with a Ping message:


To this the infected device responds with a Pong:


After this initialization protocol, the control server asks the device to access a specific HTML web page to authenticate itself by validating the string A35T7G:

We have seen similar behavior in a Windows PC malware (detected by McAfee as Generic.dx!bd3j) that sends and receives the same data packages to the same port but with a different control server IP address. This suggests that the infected mobile devices and the PC malware probably belong to the same botnet.

These commands can be remotely executed by the control server:

  • Send Error: Sends a custom packet with a specific byte when the command sent by the control server is invalid
  • ConnectProxy: Obtains the IP address and port as parameters and tries to open a connection to that remote host, probably to forward the network traffic sent by the control server to another host
  • ShutdownChannel: Closes a specific connection with a remote host
  • sendPong: Sends a custom packet with a specific byte when a packet with the last byte “4” is received (the ping). It is used by the control server to test network connectivity with the infected device.
  • setTimeOut: Sets a specific period during which the connection to a remote host is alive
  • newServer: Updates the configuration (AES encrypted in data.bin file inside the device) with a new control server
  • newReservServer: The same as newServer but with a backup control server

Based on our previous analysis, we conclude that NotCompatible is an unusual Android malware delivered to users using a drive-by attack that could represent a proof of concept for a targeted attack. The malware was designed to execute stealthy remote commands and act as a server proxy to redirect traffic through the device. This could be used to avoid the tracking of illicit acts by making the network traffic anonymous. Also, based on the network traffic similarities (commands, ports, strings), it is very possible that both the Android and PC malware belong to the same botnet. We will probably see more Android malware of this kind. McAfee Mobile Security detects this threat as Android/NotCompatible.A.

Apple Releases iOS 5.1.1

Apple has released iOS 5.1.1 for iPhone, iPod, iPad, and iPad 2 to address multiple vulnerabilities. These vulnerabilities may allow an attacker to execute arbitrary code, perform a cross-site-scripting attack, or spoof a website address.

US-CERT encourages users and administrators to review Apple Support Article HT5278 and apply any necessary updates to help mitigate the risk.

This product is provided subject to this Notification and this Privacy & Use policy.