Malaysia in pocket of big business: Passes Bill to Imprison Illegal Streaming (even devices!) for 20 years

Laws that forbid the illegal uploading and downloading of copyrighted content are common around the world but the rise of streaming has sometimes exposed gaps in legislation.

Piracy-equipped Kodi devices, illegal streaming apps, and similar tools have led legal specialists to attempt to apply laws that didn’t envision the technology. In Malaysia, for example, it took a decision by the High Court last May to determine that the sale and distribution of streaming devices configured for piracy purposes does indeed constitute infringement under the Copyright Act.

But Malaysia was far from done. After previously informing the United States Patent and Trademark Office (USPTO) that the economic harm being caused to broadcasters and rightsholders in the country was a “serious problem”, Malaysia said it had amendments on the table to more directly tackle the illegal uploading, provision, and sharing of access to copyright works.

House of Representatives Passes Copyright Amendment Bill

This week Malaysia’s Dewan Rakyat (House of Representatives) passed the Copyright (Amendment) Bill 2021 which, among other things, will more directly address the challenges of illegal streaming.

“Act 332 is amended to ensure copyright laws implemented will provide more efficient and effective protection in line with current demands and to fulfill the needs of the business community and stakeholders,” said Domestic Trade and Consumer Affairs Minister Datuk Seri Alexander Nanta Linggi.

The amendments are focused on those involved in the provision or facilitation of illegal streams. The term “streaming technology” is repeatedly referenced and, for the purposes of the act, this includes computer programs (apps and other software tools) and devices (streaming hardware of all kinds) that, in whole or in part, are used to infringe copyright in a protected work.

How the amendments will be used in practice remains to be seen but the scope appears to be intentionally broad and could result in significant punishments for those found to be in breach of the law.

Punishments for Illegal Streaming Facilitators

The first section of the amendment deals with those who “commit or facilitate infringement” of copyright by manufacturing a streaming technology for sale or hire, importing a streaming technology, selling or letting for hire (including offering, exposing or advertising for sale or hire), and/or possessing or distributing a streaming technology in the course of a business.

It expands to include distributing or offering to the public an infringing streaming technology or service other than in the course of a business, to such an extent “as to affect prejudicially the owner of the copyright.”

Anyone who contravenes these amendments will be guilty of an offense and upon conviction shall be liable to a fine of not less than 10 thousand ringgit (US$2,377) but not more than two hundred thousand ringgit (US$47,545). In addition to the possibility of fines, there are also custodial sentences that could reach a staggering 20 years imprisonment in the most serious of cases.

Those hoping to use a corporate structure as a shield are also put on notice. When any offenses are committed by a corporate body or by a person who is a partner in a firm, everyone from directors to managers will be deemed guilty of the offense and may be charged severally or jointly, unless they can show they had no knowledge and conducted due diligence to prevent the offense.

The details of the amendments can be found here (pdf)

Source: Malaysia Passes Bill to Imprison Illegal Streaming Pirates For Up To 20 Years • TorrentFreak

Considering the broadness of this law, it looks like selling a mobile phone, PC or laptop – which are all capable of streaming illegal content – could become punishable.

Bad things come in threes: Apache reveals another Log4J bug

The Apache Software Foundation (ASF) has revealed a third bug in its Java-based open-source logging library Log4j.

CVE-2021-45105 is a 7.5/10-rated infinite recursion bug that was present in Log4j2 versions 2.0-alpha1 through 2.16.0. The fix is version 2.17.0 of Log4j.

That’s the third new version of the tool in the last ten days.

In case you haven’t been paying attention, version 2.15.0 was created to fix CVE-2021-44228, the critical-rated and trivial-to-exploit remote code execution flaw present in many versions up to 2.14.0.

But version 2.15.0 didn’t address another issue – CVE-2021-45046 – which allowed a remote attacker with control over Thread Context Map (MDC) to cook up malicious input using a JNDI Lookup pattern. The result could be remote code execution, thankfully not in all environments.

Version 2.16.0 fixed that problem.

But it didn’t fix CVE-2021-45105, which the ASF describes as follows:

Apache Log4j2 versions 2.0-alpha1 through 2.16.0 did not protect from uncontrolled recursion from self-referential lookups. When the logging configuration uses a non-default Pattern Layout with a Context Lookup (for example, $${ctx:loginId}), attackers with control over Thread Context Map input data can craft malicious input data that contains a recursive lookup, resulting in a StackOverflowError that will terminate the process.

Vendor-agnostic bug bounty program the Zero Day Initiative has described the flaw as follows.

When a nested variable is substituted by the StrSubstitutor class, it recursively calls the substitute() class. However, when the nested variable references the variable being replaced, the recursion is called with the same string. This leads to an infinite recursion and a DoS condition on the server.

[…]

Source: Bad things come in threes: Apache reveals another Log4J bug • The Register
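
The self-referential lookup behind CVE-2021-45105, as an added example that is not part of the quoted article and is not Log4j's code: a toy Python model of recursive `${ctx:key}` substitution, run once without a guard and once with cycle detection. The `substitute` and `outcome` functions, the `${ctx:...}` token grammar and the sample context maps are assumptions constructed for illustration, and the guard shown is one possible mitigation, not a description of the 2.17.0 patch.

```python
import re

# Constructed toy model: ${ctx:key} reads from a dict standing in for the
# Thread Context Map. This is not Log4j's StrSubstitutor.
TOKEN = re.compile(r"\$\{ctx:([^${}]+)\}")

class LookupCycleError(ValueError):
    """A lookup refers back to a variable that is still being resolved."""

def substitute(text, ctx, guard, active=()):
    """Expand ${ctx:key} tokens, recursing into each looked-up value.

    guard=False models the unprotected recursion described above;
    guard=True tracks the keys currently being resolved and refuses cycles.
    """
    m = TOKEN.search(text)
    while m:
        key = m.group(1)
        if guard and key in active:
            raise LookupCycleError(" -> ".join(active + (key,)))
        value = substitute(ctx.get(key, ""), ctx, guard, active + (key,))
        text = text[:m.start()] + value + text[m.end():]
        m = TOKEN.search(text, m.start() + len(value))  # skip past the result
    return text

def outcome(pattern, ctx, guard):
    """Return (status, detail) so callers can log the event instead of dying."""
    try:
        return "ok", substitute(pattern, ctx, guard)
    except LookupCycleError as exc:
        return "cycle", str(exc)
    except RecursionError:  # Python's analogue of Java's StackOverflowError
        return "stack-overflow", None

PATTERN = "user=${ctx:loginId}"                            # constructed layout
BENIGN = {"loginId": "${ctx:name}", "name": "alice"}       # nested, terminates
SELF_REF = {"loginId": "${ctx:loginId}"}                   # refers to itself
INDIRECT = {"loginId": "${ctx:a}", "a": "${ctx:loginId}"}  # two-step cycle

if __name__ == "__main__":
    for name, ctx in [("benign", BENIGN), ("self", SELF_REF), ("indirect", INDIRECT)]:
        print(name, outcome(PATTERN, ctx, guard=False), outcome(PATTERN, ctx, guard=True))
```

In the unguarded run the interpreter's recursion limit plays the role of the JVM stack; the guarded run reports the chain of keys that formed the cycle, which is the detail worth logging.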