ISP Wrongfully Sent 300 “First Strike” Letters To Innocents

According to a report which has flown almost completely under the radar, last year an ISP sent out around 300 “first strike” warning letters wrongfully accusing innocent subscribers of Internet piracy. ISP Eircom implemented the scheme in partnership with the recording industry and is now being investigated by the Irish Data Protection Commissioner.


In February 2009, IRMA – representing EMI, Sony, Universal and Warner – reached an 11th hour out-of-court settlement with Irish ISP Eircom on the issue of illicit file-sharing. The deal would see Eircom introduce a graduated response system for dealing with errant subscribers.

“Eircom is proceeding with implementation of the protocol which could result in the suspension and ultimately disconnection of broadband service for those customers who deliberately and persistently infringe copyright,” the company said in a December 2010 statement, reiterating their commitment to the scheme.

But little did we know that the fears of “3 strikes” opponents had already come true.

From deep inside the “how the hell did the majority of the media miss this” department, it now becomes clear that by October 2010, Eircom had already sent out around 300 warning letters to completely innocent subscribers.

The company seems to have tried to play down the error, saying that computer clocks had been incorrectly adjusted to compensate for daylight saving time; some comfort to the unlucky letter recipients.
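What a one-hour clock error does to an IP-address-to-subscriber lookup, as an added example that is not part of the original article and not Eircom's records or code. The lease table, the RFC 5737 documentation address, the subscriber ids and the observation times are all constructed; the two candidate UTC offsets stand for a monitoring host whose daylight-saving adjustment may or may not have been applied.

```python
"""Constructed illustration of DST-sensitive IP-to-subscriber correlation."""
from datetime import datetime, timedelta, timezone

IP = "203.0.113.10"  # RFC 5737 documentation address, constructed

# Constructed DHCP lease history for one dynamic address, stored in UTC as
# half-open intervals [start, end). Two subscribers hold it in turn.
LEASES = [
    # (ip, subscriber, lease start UTC, lease end UTC)
    (IP, "subscriber-A", datetime(2010, 10, 30, 20, 0, tzinfo=timezone.utc),
                         datetime(2010, 10, 31, 2, 30, tzinfo=timezone.utc)),
    (IP, "subscriber-B", datetime(2010, 10, 31, 2, 30, tzinfo=timezone.utc),
                         datetime(2010, 10, 31, 9, 0, tzinfo=timezone.utc)),
]

IST = timezone(timedelta(hours=1))  # Irish Summer Time, UTC+1
GMT = timezone.utc                  # Irish winter time, UTC+0

# Constructed wall-clock readings from a monitoring host. They carry no offset,
# so the reader cannot tell whether the host had already left summer time.
OBSERVED_WALL_CLOCK = datetime(2010, 10, 31, 3, 0)   # near the lease boundary
LATER_WALL_CLOCK = datetime(2010, 10, 31, 6, 0)      # well inside one lease


def resolve(ip, when, leases=LEASES):
    """Return the subscriber holding `ip` at the timezone-aware instant `when`, or None.

    Naive timestamps are refused outright: evidence that does not state its UTC
    offset cannot be correlated against UTC lease records without guessing.
    """
    if when.tzinfo is None:
        raise ValueError("naive timestamp; evidence must carry its UTC offset")
    when_utc = when.astimezone(timezone.utc)
    for lease_ip, subscriber, start, end in leases:
        if lease_ip == ip and start <= when_utc < end:
            return subscriber
    return None


def candidate_subscribers(ip, naive_local, possible_offsets, leases=LEASES):
    """Resolve a naive reading under every offset the recording host may have used.

    A host whose DST setting is wrong by one hour produces the same wall-clock
    string for two different UTC instants; both are resolved and the set of
    distinct answers is returned.
    """
    instants = {naive_local.replace(tzinfo=tz).astimezone(timezone.utc)
                for tz in possible_offsets}
    return {resolve(ip, t, leases) for t in instants}


def attribution_is_safe(ip, naive_local, possible_offsets, leases=LEASES):
    """True only when every plausible offset names the same, existing subscriber."""
    found = candidate_subscribers(ip, naive_local, possible_offsets, leases)
    return len(found) == 1 and None not in found


def run_demo():
    """Show that the same wall-clock reading can point at two different customers."""
    offsets = [IST, GMT]
    return {
        "near_boundary_candidates": sorted(
            candidate_subscribers(IP, OBSERVED_WALL_CLOCK, offsets), key=str),
        "near_boundary_safe": attribution_is_safe(IP, OBSERVED_WALL_CLOCK, offsets),
        "later_safe": attribution_is_safe(IP, LATER_WALL_CLOCK, offsets),
    }


if __name__ == "__main__":
    print(run_demo())
```

The 03:00 reading resolves to subscriber-A if the host was still an hour ahead and to subscriber-B if it was not, so no letter should go out on that evidence; the 06:00 reading lands inside a single lease either way. Storing every observation with an explicit offset (or in UTC) removes the ambiguity at the source.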

According to TJ McIntyre at digital rights site EDRI.org, as a result of this failure the Irish Data Protection Commissioner is now investigating the entire Eircom scheme.

“The significance of this case goes well beyond simple technical failings however, as the complaint to the Data Protection Commissioner (DPC) has triggered a wider investigation of the legality of the entire three strikes system,” he writes.

The DPC is said to be not only investigating the complaint but also “whether the subject matter gives rise to any questions as to the proportionality of the graduated response system operated by Eircom and the music industry.”

McIntyre says that when the Eircom/IRMA deal was being agreed, the DPC expressed concerns about it, not least over the question of whether or not IP addresses are personal data. However, until someone raised a complaint, that issue was put on the back burner. The delivery of 300 false “first strike” warning letters appears to have met that criterion.

“The complaint in this case has now triggered that action, and it seems likely that the Commissioner will reach a decision reflecting his previous views that using IP addresses to cut off customers’ internet connections is disproportionate and does not constitute ‘fair use’ of personal information,” McIntyre explains.

“If so, the Commissioner has the power and indeed the duty to issue an enforcement notice which would prevent Eircom from using personal data for this purpose – an outcome which would derail the three strikes system unless Eircom successfully challenges that notice before the courts, or unless the music industry were to succeed in its campaign to secure legislation introducing three strikes into Irish law.”

The way this story has flown largely under the mainstream tech news radar will have been a relief to Eircom and IRMA. Something tells us that is about to change.

Major Vulnerability Found in Leaked Anti-Piracy Software

Trident Media Guard, the company entrusted by the French government to monitor file-sharing networks for copyright infringement, recently had some of their tools leaked onto the Internet following a security breach. Now researchers have published an analysis, with claims that an auto-update feature makes TMG’s servers vulnerable to remote code injection and execution.

As detailed in our earlier reports, anti-piracy company Trident Media Guard (TMG) recently failed to secure some of their systems. Blogger and security researcher Olivier Laurelli, aka Bluetouff, originally reported the breach, which included a wide open virtual ‘test’ machine containing various tools. These, of course, spilled into the wild.

Of the various files made available, some were easily viewable with a standard text editor; others, such as an executable called server_interface.exe, were trickier. Thanks to an admittedly fairly hostile Full Disclosure security report we now have a clearer idea of what the package is capable of.

Penned by ‘CULT OF THE DEAD HADOPI’, the report refers to TMG as “Too Many Gremlins”, along with a warning not to expose them to bright lights. In it the server_interface.exe code is described as a Delphi service to which anyone can connect and start sending commands, no authentication (username/password) required. Perhaps even more worrying is a script which accepts auto-updates.

“An attacker can use the ‘Auto Update’ feature (\x82) to force the server to download updates from an evil FTP server he controls. Of course, a downloaded file is executed just after the download,” write the researchers.

“Hence, anyone who wants to raise an army against Too Many Gremlins, look for an open port on TCP 8500,” they add.

The implication here is that if this software was present on all TMG servers, in addition to being able to turn them on and off at will a hacker could take them over with custom code of his own choosing, potentially creating “an army” which could be used to attack TMG or indeed, anyone else.
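The two controls whose absence the report describes, an authenticated command channel and an integrity check before an update is run, as an added example that is not part of the original article and not TMG's code. Nothing is assumed about TMG's actual protocol beyond what the report states (an ‘Auto Update’ command byte 0x82 on an unauthenticated service); the operator token, signing key, payloads and the `fetch`/`execute` callbacks are constructed, and an HMAC-SHA256 shared key stands in for the signed-update scheme a production updater would use.

```python
"""Constructed illustration: unauthenticated auto-update beside a hardened variant."""
import hashlib
import hmac
from dataclasses import dataclass

CMD_AUTO_UPDATE = 0x82  # command byte quoted in the Full Disclosure report

# Constructed secrets; a deployment would provision these out of band and
# would normally use an asymmetric signature rather than a shared HMAC key.
OPERATOR_TOKEN = b"constructed-operator-token"
UPDATE_SIGNING_KEY = b"constructed-update-signing-key"


@dataclass
class UpdateManifest:
    filename: str
    sha256: str   # hex digest of the update payload
    mac: str      # HMAC-SHA256 over "filename|sha256" under UPDATE_SIGNING_KEY


def sign_manifest(filename, payload, key=UPDATE_SIGNING_KEY):
    """Publisher side: bind the payload digest to its name with a keyed MAC."""
    digest = hashlib.sha256(payload).hexdigest()
    mac = hmac.new(key, f"{filename}|{digest}".encode(), hashlib.sha256).hexdigest()
    return UpdateManifest(filename, digest, mac)


def verify_update(manifest, payload, key=UPDATE_SIGNING_KEY):
    """Return True only if the manifest is authentic and the payload matches it."""
    expected = hmac.new(key, f"{manifest.filename}|{manifest.sha256}".encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest.mac):
        return False
    return hmac.compare_digest(hashlib.sha256(payload).hexdigest(), manifest.sha256)


class UpdateService:
    """Command handler. `fetch(source)` stands in for the download and returns
    (payload, manifest); `execute(payload)` stands in for running the update."""

    def __init__(self, fetch, execute):
        self.fetch = fetch
        self.execute = execute
        self.audit = []  # (decision, reason, source) records for detection/review

    def handle_insecure(self, command, source):
        """Shape of the flaw the report describes: no authentication, run as downloaded."""
        if command != CMD_AUTO_UPDATE:
            return "unknown command"
        payload, _manifest = self.fetch(source)
        self.execute(payload)
        return "executed"

    def handle_hardened(self, command, source, presented_token):
        """Require a valid operator token, then a verified manifest, before executing."""
        if not hmac.compare_digest(presented_token or b"", OPERATOR_TOKEN):
            self.audit.append(("rejected", "unauthenticated", source))
            return "rejected: unauthenticated"
        if command != CMD_AUTO_UPDATE:
            return "unknown command"
        payload, manifest = self.fetch(source)
        if not verify_update(manifest, payload):
            self.audit.append(("rejected", "integrity check failed", source))
            return "rejected: integrity check failed"
        self.execute(payload)
        self.audit.append(("executed", manifest.filename, source))
        return "executed"


# Constructed update sources: a legitimate one and one serving a tampered payload
# under a manifest it could not have signed (it does not hold UPDATE_SIGNING_KEY).
GOOD_PAYLOAD = b"constructed legitimate update bytes"
GOOD_MANIFEST = sign_manifest("update.bin", GOOD_PAYLOAD)
ROGUE_PAYLOAD = b"constructed tampered update bytes"
ROGUE_MANIFEST = sign_manifest("update.bin", ROGUE_PAYLOAD, key=b"wrong-key")
SOURCES = {
    "vendor-repo": (GOOD_PAYLOAD, GOOD_MANIFEST),
    "rogue-repo": (ROGUE_PAYLOAD, ROGUE_MANIFEST),
}


def run_demo():
    """Exercise both handlers against both sources; nothing is actually executed."""
    ran = []
    service = UpdateService(fetch=SOURCES.__getitem__, execute=ran.append)
    return {
        "insecure_rogue": service.handle_insecure(CMD_AUTO_UPDATE, "rogue-repo"),
        "hardened_no_token": service.handle_hardened(CMD_AUTO_UPDATE, "rogue-repo", None),
        "hardened_rogue": service.handle_hardened(CMD_AUTO_UPDATE, "rogue-repo", OPERATOR_TOKEN),
        "hardened_vendor": service.handle_hardened(CMD_AUTO_UPDATE, "vendor-repo", OPERATOR_TOKEN),
        "payloads_run": list(ran),
        "audit": list(service.audit),
    }


if __name__ == "__main__":
    print(run_demo())
```

The insecure path runs whatever the caller points it at, which is the behaviour the report describes; the hardened path rejects an unauthenticated caller before fetching anything, rejects a payload whose manifest does not verify, and leaves an audit trail that a monitoring team can alert on.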

Commenting on the research, Bluetouff told us that the discovery of the vulnerabilities means that the French 3 strikes program might already have been compromised.

“If TMG is vulnerable to injection on the system used to provide IP addresses to the HADOPI, the whole process is fu**** up,” he explained.

“Someone could for example inject the Culture Ministry’s IP range, or worse, gain access between TMG and HADOPI’s VPN by stealing certificates… then gain access to a huge amount of personal data,” he added.

“For instance we don’t know if this new ‘test server’ leak can compromise the LAN(S) of TMG with this exploit. Opacity is even for HADOPI. That’s why they went to audit TMG’s infrastructure with the CNIL [French Data Protection Office].”

“Anyway, this new episode shows that HADOPI was right to close their access,” he concludes.

That closure of access is a reference to Hadopi severing their Internet links to TMG once they found out about the leak and resorting to shifting IP addresses around by DVD and the postal system instead. That is hardly efficient and undoubtedly TMG will be working hard to get back into the 21st century.

Hurt Locker Makers Target Record Breaking 24,583 BitTorrent Users

After being honored with an Oscar for best motion picture last year, the makers of The Hurt Locker have now also secured the award for the biggest file-sharing lawsuit the world has ever witnessed. By targeting at least 24,583 alleged BitTorrent users, Voltage Pictures hopes to recoup millions of dollars in settlements to compensate the studio for piracy-related losses.

In March last year the law firm Dunlap, Grubb and Weaver imported the mass litigation “pay up or else” anti-piracy scheme to the United States.

The initial customers of the lawyers – who are also known as the U.S. Copyright Group – were relatively unknown indie film producers. But this changed when the makers of the Oscar-winning Hurt Locker (Voltage Pictures) joined up and sued 5,000 alleged file-sharers.

Voltage Pictures always threatened that this figure was just the start, and it now turns out that they were speaking the truth. In their quest to recoup their claimed losses, the studio has now added nearly 20,000 new defendants to the lawsuit, bringing the total up to 24,583.

This turns the Hurt Locker case into the largest BitTorrent lawsuit in history, breaking the two-week-old record set by The Expendables case earlier this month.

In a status report obtained by us, Voltage Pictures lawyers give the U.S. District Court of Columbia an overview of the massive list of alleged BitTorrent downloaders they filed complaints against. This report reveals that most defendants are subscribers of Comcast (10,532), followed by Verizon (5,239), Charter (2,699) and Time Warner (1,750).

The report also provides details on the agreements the lawyers have struck with various ISPs regarding the release of subscribers’ personal information. There is currently no agreement with Comcast, while Charter has promised to look up 150 IP addresses a month and Verizon 100 a month across all ongoing BitTorrent lawsuits.

The above indicates that it may take several years before some ISPs hand over the requested information. It would take Verizon more than a decade to look up all the personal details in the various BitTorrent lawsuits, which raises the question of how long an ISP is allowed to store such private details.

The Hurt Locker case is currently being handled by former RIAA lobbyist Judge Beryl Howell. She now has to decide whether Voltage Pictures is allowed to proceed with its legal endeavor, and under what restrictions.

During the course of the year many of the defendants in the Hurt Locker case who were already subpoenaed have claimed innocence. However, last week Judge Howell dismissed en masse all 119 motions to dismiss, to quash, and for protective orders, adding their filers to the pool of targets.

Defendants whose ISPs give up their personal details are expected to receive a settlement offer from Voltage Pictures. The ultimate goal is not to take any of the individual cases to court, but to get alleged infringers to pay a substantial cash settlement to make legal action go away.

The math shows that this scheme could turn out to be extremely profitable for the parties involved. If ‘only’ 10,000 of the alleged infringers eventually pay a $2,000 settlement this would bring in $20 million. In comparison, that’s more than the $17 million The Hurt Locker grossed at the U.S. box office.

The Status Report