FYI: Anyone seen this?
From ISN:
http://www.theregister.co.uk/content/6/28842.html
By Andrew Orlowski in San Francisco Posted: 14/01/2003
The RIAA is preparing to infect MP3 files in order to audit and eventually disable file swapping, according to a startling claim by hacker group Gobbles. In a posting to the Bugtraq mailing list, Gobbles himself claims to have offered his code to the RIAA, creating a monitoring "hydra".
"Several months ago, GOBBLES Security was recruited by the RIAA (riaa.org) to invent, create, and finally deploy the future of antipiracy tools. We focused on creating virii/worm hybrids to infect and spread over p2p nets," writes Gobbles.
"Until we became RIAA contracters [sic], the best they could do was to passively monitor traffic. Our contributions to the RIAA have given them the power to actively control the majority of hosts using these networks."
Gobbles claims that when a peer to peer host is infected, it catalogs media and sends the information "back to the RIAA headquarters (through specifically crafter requests over the p2p networks) where it is added to their records", and also propagates the exploit to other nodes.
"Our software worked better than even we hoped, and current reports indicate that nearly 95% of all p2p-participating hosts are now infected with the software that we developed for the RIAA."
The "hydra" is uncorroborated.
Gobbles attached two pieces of code, one of which jinglebellz.c details a frame header exploit for the Linux player mpg123. The code chastises OpenBSD lead Theo de Raadt for failing to checksum the public MP3s (written to celebrate each OpenBSD release). The group has singled out OpenBSD in its previous exploits
In their presentation to last year's DefCon, the group described itself as "the largest active nonprofit security group in existence (that favors full disclosure)," consisting of 17+ members.
"They're real, and they're damn good. They have made what appeared to be extremely exaggerated claims in the past, and when mocked, they have demonstrated that they are serious," one security expert familiar with their work, who declined to be named, told The Register.
"He's a funny guy," De Raadt told us. "This is a buffer overflow exploit," he confirmed. De Raadt said he was more concerned by social engineering than by external exploits. "We had Fluffy Bunny, now we have Gobbles. They come in waves. "
An exploit of this nature is of dubious legality, right now, but language in Howard Berman's "P2P Piracy Prevention" bill last year legitimizing such exploits was backed by RIAA chief Hilary Rosen:-
The Berman bill, ensured a copyright owner would not be liable for "disabling, interfering with, blocking, diverting, or otherwise impairing the unauthorized distribution, display, performance, or reproduction of his or her copyrighted work on a publicly accessible peer-to-peer file trading network, if such impairment does not, without authorization, alter, delete, or otherwise impair the integrity of any computer file or data residing on the computer of a file trader." Berman is expected to re-introduce the bill in this Congressional session.
On Tue, 14 Jan 2003 20:16:31 EST, blitz <blitz@macronet.net> said:
http://www.theregister.co.uk/content/6/28842.html
By Andrew Orlowski in San Francisco Posted: 14/01/2003
The RIAA is preparing to infect MP3 files in order to audit and eventually disable file swapping, according to a startling claim by
The RIAA denies all knowledge... http://www.eweek.com/article2/0,3959,827970,00.asp Of course, even if it were true, they'd probably want to deny it, since they haven't gotten their "hack back" legislation passed yet.... :)
The feeling in the music community is that this is almost certainly a hoax. Of course, RIAA apparently tried to legalize such activities in the Berman Bill. Regards Marshall Eubanks On Wednesday, January 15, 2003, at 12:09 AM, Valdis.Kletnieks@vt.edu wrote:
On Tue, 14 Jan 2003 20:16:31 EST, blitz <blitz@macronet.net> said:
http://www.theregister.co.uk/content/6/28842.html
By Andrew Orlowski in San Francisco Posted: 14/01/2003
The RIAA is preparing to infect MP3 files in order to audit and eventually disable file swapping, according to a startling claim by
The RIAA denies all knowledge...
http://www.eweek.com/article2/0,3959,827970,00.asp
Of course, even if it were true, they'd probably want to deny it, since they haven't gotten their "hack back" legislation passed yet.... :)
T.M. Eubanks Multicast Technologies, Inc. 10301 Democracy Lane, Suite 410 Fairfax, Virginia 22030 Phone : 703-293-9624 Fax : 703-293-9609 e-mail : tme@multicasttech.com http://www.multicasttech.com Test your network for multicast : http://www.multicasttech.com/mt/ Status of Multicast on the Web : http://www.multicasttech.com/status/index.html
This is not entirely hoax. I know for sure (first-hand) that such actions were contemplated by at least some recording companies. --vadim On Wed, 15 Jan 2003, Marshall Eubanks wrote:
The feeling in the music community is that this is almost certainly a hoax.
Of course, RIAA apparently tried to legalize such activities in the Berman Bill.
Of course, even if it were true, they'd probably want to deny it, since they haven't gotten their "hack back" legislation passed yet.... :)
Passed along without comment "I poisoned P2P networks for the RIAA" - whistleblower By Andrew Orlowski in San Francisco Posted: 17/01/2003 at 13:00 GMT "Gobbles", the German hacker who improbably claimed to have infected peer-to-peer file sharing networks and to "0wn" your computer this week, has confirmed that his brag was a hoax. That much, you probably suspected, as Goebbels (as we must now call him) failed to offer a shred of evidence in support of the notion that the RIAA was engaged in widespread intrusion of personal computers. But meet Matt Warne. He has an interesting tale to tell. For two years Warne worked for the global version of the RIAA, the IFPI which represents 1500 labels in 76 countries, with headquarters in London. The IFPI's primary mission is to "fight music piracy", and Warne worked with the RIAA and the biggest labels in implementing technologies to document and thwart file sharing. The IPFI co-ordinated efforts to glean detailed information about who was sharing what, and where. The organization, backed by the labels, was responsible for providing detailed evidence to the legal teams fighting Napster, Aimster and mined information about the burgeoning peer to peer networks, such as Gnutella. IPFI is responsible for trawling the world's web, ftp and irc channels and runs the automated system that sends warning letters to ISPs and webmasters. "We had to act quickly. EMI would ring up ask 'What's this FreeNet?' and want to know how many of their artists were on the network". Napster provided the first taste for the music industry in measuing the level of file sharing and was a war of attrition, says Warne. IPFI developed a custom version of a program called "Media Enforcer" which grew in sophistication. "The RIAA were very precise about what they wanted," says Warne. When Napster said it couldn't say what was on its network, the IPFI were able to provide file names. When users scrambled the names (using the pig encoder) and Napster said these were too hard to decipher, the IPFI was able to provide the real names. Poison Pill The technologies he worked on stayed on the right side of the law - just about - but Warne's most interesting claim to fame is that he suggested that the networks "poison" the emerging p2p networks with trash. "I was one of the people who suggested the 'rogue file' scheme on the file sharing services," he told us. "I suggested that they should put out files with legitimate titles - and put inside them silence or random noise - and saturate the file sharing networks with those files. That did start the poisoning." The goal was to discredit the networks so that casual users would quickly give up trying to download music. And so the plan went into action. The IPFI created a computer system that appeared to be many unrelated nodes, a network with many members that in fact resided in one location. A former record label employee also confirmed this week that the industries do order multiple DSL feeds to one location to simulate a P2P network. For the IPFI however, the poisoned network grew too expensive to justify. Before he left, says Warne, the IPFI's original poisoned system was closed down. The body wanted to concentrate its attentions on large scale copying outfits. However, more recent evidence suggests that the technique is being used by major labels in-house, instead, and the sheer quantity of junk files found on the peer to peer networks today - purportedly residing on individual's PCs - points to continuing "poisoning". Why? Because users abort a junk download, or quickly delete a file. The alternative explanation for the persistence of this noise material is that users are extremely inattentive, and that's difficult to believe. Missing the boat Warne left the music industry in disgust he says, "because the record industry is stuck in the past," and he vows never to return. Back in 1997 and 1998, the industry had the chance to develop online music services, he says. It saw what was coming. Which is true: at that time, the major labels were paralyzed by fear of online music and were downsizing accordingly, but refused to alter their business models, or extend into new areas. "Once Napster came along," says Warne, "people got used to getting stuff for free. They've introduced Emusic but people just ask 'why isn't it free?' If they'd introduced it in 1998, they wouldn't have this problem,' he thinks. "I've seen how they've destroyed talent. The greatest talent is from independents." He cites Eva Crawford, and Mariah Carey as examples, who were forced into styles by unsympathetic executives. So as you can see, the RIAA may not - strictly speaking - be "hacking you back". But the industry is extremely active in many other ways, and unlike so much of the trade press which sees an RIAA denial as the end of the story, their activities are only just beginning to emerge. Since Monday, we've also received a number of reports of some very curious IP traffic. If you're in a position to do so, can you please check your logs, so we can piece together the rest of this mystery? Æ On Wednesday, January 15, 2003, at 12:09 AM, Valdis.Kletnieks@vt.edu wrote:
On Tue, 14 Jan 2003 20:16:31 EST, blitz <blitz@macronet.net> said:
http://www.theregister.co.uk/content/6/28842.html
By Andrew Orlowski in San Francisco Posted: 14/01/2003
The RIAA is preparing to infect MP3 files in order to audit and eventually disable file swapping, according to a startling claim by
The RIAA denies all knowledge...
http://www.eweek.com/article2/0,3959,827970,00.asp
Of course, even if it were true, they'd probably want to deny it, since they haven't gotten their "hack back" legislation passed yet.... :)
Regards Marshall Eubanks This e-mail may contain confidential and proprietary information of Multicast Technologies, Inc, subject to Non-Disclosure Agreements T.M. Eubanks Multicast Technologies, Inc. 10301 Democracy Lane, Suite 410 Fairfax, Virginia 22030 Phone : 703-293-9624 Fax : 703-293-9609 e-mail : tme@multicasttech.com http://www.multicasttech.com Test your network for multicast : http://www.multicasttech.com/mt/ Status of Multicast on the Web : http://www.multicasttech.com/status/index.html
In the immortal words of blitz (blitz@macronet.net):
From ISN:
Wow. With one post to bugtraq, gobbles has now successfully trolled the register, slashdot, and now nanog. Somebody buy that turkey a beer. -n ------------------------------------------------------------<memory@blank.org> "For years, I've been predicting that artists, writers, and filmmakers would be paid by the government not to produce work, just like farmers are paid not to grow food. Or that they'd be paid to make their work, but would then be forced to store it in a silo unshown or unread. But now I see I was a little off in my prediction. The Internet is that silo." (--Slotcar Hatebreath) <http://blank.org/memory/>----------------------------------------------------
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 And from what I know of the problem, the Nullsoft guys already fixed this bug in Winamp v2.81+. The part of this thing that's so funny that people are eating up is the fact that they were NOT hired by the RIAA to do it. You can see at the bottom of the original statement, that they even say they're joking, but the exploit is real, and had nothing to do with the RIAA. RIAA even said they have nothing to do with it. I wished I had saved the link for the news.com story, but it's there if you look for it. - -- Thanks, Shon Elliott Systems Engineer; OptiGate Networks, Inc. blitz wrote: | | From ISN: | | | | |> http://www.theregister.co.uk/content/6/28842.html |> |> By Andrew Orlowski in San Francisco |> Posted: 14/01/2003 |> |> The RIAA is preparing to infect MP3 files in order to audit and |> eventually disable file swapping, according to a startling claim by |> hacker group Gobbles. In a posting to the Bugtraq mailing list, |> Gobbles himself claims to have offered his code to the RIAA, creating |> a monitoring "hydra". |> |> "Several months ago, GOBBLES Security was recruited by the RIAA |> (riaa.org) to invent, create, and finally deploy the future of |> antipiracy tools. We focused on creating virii/worm hybrids to infect |> and spread over p2p nets," writes Gobbles. |> |> "Until we became RIAA contracters [sic], the best they could do was to |> passively monitor traffic. Our contributions to the RIAA have given |> them the power to actively control the majority of hosts using these |> networks." |> |> Gobbles claims that when a peer to peer host is infected, it catalogs |> media and sends the information "back to the RIAA headquarters |> (through specifically crafter requests over the p2p networks) where it |> is added to their records", and also propagates the exploit to other |> nodes. |> |> "Our software worked better than even we hoped, and current reports |> indicate that nearly 95% of all p2p-participating hosts are now |> infected with the software that we developed for the RIAA." |> |> The "hydra" is uncorroborated. |> |> Gobbles attached two pieces of code, one of which jinglebellz.c |> details a frame header exploit for the Linux player mpg123. The code |> chastises OpenBSD lead Theo de Raadt for failing to checksum the |> public MP3s (written to celebrate each OpenBSD release). The group has |> singled out OpenBSD in its previous exploits |> |> In their presentation to last year's DefCon, the group described |> itself as "the largest active nonprofit security group in existence |> (that favors full disclosure)," consisting of 17+ members. |> |> "They're real, and they're damn good. They have made what appeared to |> be extremely exaggerated claims in the past, and when mocked, they |> have demonstrated that they are serious," one security expert familiar |> with their work, who declined to be named, told The Register. |> |> "He's a funny guy," De Raadt told us. "This is a buffer overflow |> exploit," he confirmed. De Raadt said he was more concerned by social |> engineering than by external exploits. "We had Fluffy Bunny, now we |> have Gobbles. They come in waves. " |> |> An exploit of this nature is of dubious legality, right now, but |> language in Howard Berman's "P2P Piracy Prevention" bill last year |> legitimizing such exploits was backed by RIAA chief Hilary Rosen:- |> |> The Berman bill, ensured a copyright owner would not be liable for |> "disabling, interfering with, blocking, diverting, or otherwise |> impairing the unauthorized distribution, display, performance, or |> reproduction of his or her copyrighted work on a publicly accessible |> peer-to-peer file trading network, if such impairment does not, |> without authorization, alter, delete, or otherwise impair the |> integrity of any computer file or data residing on the computer of a |> file trader." Berman is expected to re-introduce the bill in this |> Congressional session. | | | -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (MingW32) Comment: Using GnuPG with Netscape - http://enigmail.mozdev.org iD8DBQE+JvLOt49dIzGDssARAiZXAKCESxgB20PMuAoAFB9Pf3jxtD3TrQCgkzBW qM9GchP8dtXe0/NDk1U1kIg= =lvzj -----END PGP SIGNATURE-----
What's even more of a joke is that The Register published it, when it was evident from the start that it was never true. Totally sick of the clueless hyping so-called security news when they don't even know what security is. On Thu, Jan 16, 2003 at 09:58:38AM -0800, Shon Elliott wrote:
And from what I know of the problem, the Nullsoft guys already fixed this bug in Winamp v2.81+.
The part of this thing that's so funny that people are eating up is the fact that they were NOT hired by the RIAA to do it. You can see at the bottom of the original statement, that they even say they're joking, but the exploit is real, and had nothing to do with the RIAA. RIAA even said they have nothing to do with it. I wished I had saved the link for the news.com story, but it's there if you look for it.
[snippage]
participants (8)
-
alex@yuriev.com
-
blitz
-
Len Rose
-
Marshall Eubanks
-
Nathan J. Mehl
-
Shon Elliott
-
Vadim Antonov
-
Valdis.Kletnieks@vt.edu