Leaks Prove MediaDefender's Deception
Who will defend the defenders? writes "Ars Technica has posted the first installment in their analysis of the leaked MediaDefender emails and found some very interesting things. Apparently, the New York Attorney General's office is working on a big anti-piracy sting and they were working on finding viable targets. It also discusses how some of the emails show MediaDefender trying to spy on their competitors, sanitize their own Wikipedia entry, deal with the hackers targeting their systems, and to quash the MiiVi story even while they were rebuilding it as Viide. Oh yes, they definitely read "techie, geek web sites where everybody already hates us" like Slashdot, too."
The weakest link (Score:4, Interesting)
legal (Score:1, Interesting)
The phone hack makes clear that hackers are quite deep into their systems.
Journamalism 101 (Score:5, Interesting)
I know it's pointless to ask things like this of the /. "editors", but the summary of this story is almost completely useless to anyone who is coming to the story cold (like me).
Would it have killed someone to have rewritten the submission so that it explained:
?
I can go Google all that stuff and find out for myself, but why would I bother, if it's not clear to me why the story is important in the first place?
Thank God for Data Protection (Score:5, Interesting)
When.... (Score:3, Interesting)
Re:Totally Unprofessional (Score:5, Interesting)
And to that point - it is their JOB to surf porn at work, to seek out child porn and notify the DoJ and the New York Attorney General's office of the material so that the AG could pursue the offender as part of their own investigation.
Yet, I do agree that the use of profanity does show a lack of professionalism. Much like the theory that you can tell a lot about a man by the way he treats his waitress. These emails reveal that they have an air of arrogant superiority about themselves, that they operate above the law, and that they are immune from "teh bad d00dz". They are convinced of their moral authority and moral superiority.
To wit:
I have a fair level of certainty that they got themselves infected with spyware, adware, trojans. They surf sites in the dark corners of the 'intertoob' seeking out nefarious content, evil trackers and child predators. In going there, they are in the stomping grounds of the best of the worst when it comes to infecting computers using the most current 0day exploits.
(Side note -- Stick with me here)
I personally do not run anti-virus. I deal with malicious content all the time. I know what is running on my machine at all times. If I were to run an AntiVirus, it would delete half the files on my hard drive that were gathered as evidence in investigations, or malicious tool kits used to exploit systems that I use in teaching classes.
Whenever I venture to evil sites, I start up a virtual machine, I have two - they are called "Hindenburg" and "Titanic" that are not current on their patches and run no anti-virus. I purposely seek out infections and malware on these machines so I can analyze the machines postmortem. I have a tremendous amount of respect and even admiration for my opponents. They are VERY good at their game. As such, I am careful not to let my guard down.
(My point)
I'll bet that what they've done is get a real machine infected, one that was not sandboxed, connected to the internal domain, and the user was running with not just local admin privileges, but with full domain admin privileges. OOPS! This infected machine reported back to the hackers, who then connected back in to their hacked box and set up user accounts on the network and also rooted the boxes.
At this point, no amount of changing passwords or firewalls or IDS will get the intruders out. They need to rebuild every box on their network, from scratch. They need to stop thinking of themselves as an "academic institution" that needs full access to the internet (no outbound restrictions on the firewall) and where proper security practices "don't apply to them".
Proper security and safety protocols were not followed. The arrogant attitude of "we're security folks, policies don't apply to us" is what let this happen.
Further your affiant sayeth not,
Joel Helgeson
Sanitized wikipedia entries (Score:3, Interesting)
So the guys in PR are the only ones in the company posting over the long term. Anyone else doesn't work for the company, or won't be working there long (yerfired!).
Re:Mixed feelings... (Score:3, Interesting)
No attempt to get comments from the AG's office? (Score:5, Interesting)
A quick search this am for "new york attorney general mediadefender" turned up no mainstream press reports about this story.
According to the Ars piece, by the way, the AG's office appeared to be interested in porn downloads, not, as the editors here put it, "working on a big anti-piracy sting and they were working on finding viable targets." From TFA, "Although the full scope of the project cannot be extrapolated from the e-mails, the information available indicates that MediaDefender intends to provide the Attorney General's office with information about users accessing pornographic content. Other kinds of information could be involved as well." (That last sentence is so vague and general that it could refer to almost any information of any kind anywhere on the planet.)
Don't the editors at least read the stories themselves before they post them to Slashdot?
None of these comments is a defense of either MediaDefender or the NYAG. I'm more concerned about the shoddy reporting that passes for journalism on geek news sites like this one and arstechnica. Particularly the latter, since the articles I've read there in the past gave off the semblance of decent journalism.
Re:Thank God for Data Protection (Score:5, Interesting)
This doesn't stop the need for laws which are much more clear and restrictive on the use and control of personally identifying information, and which have more bite when they are enforced.
It's like with the mousetraps (Score:3, Interesting)
If you dish it out... (Score:2, Interesting)
Again, I agree with the post above. I feel sorry for some of the employees caught in the middle, but have little sympathy for the company.
When you actively seek to disrupt somebody else's activities (legal or not), especially with questionable tactics, it won't make you popular and there is going to be backlash.
Law enforcement activities should be left to law enforcement officers that have been empowered by democratically elected governments and are accountable for their methods and activities. When individuals or companies begin acting as vigilantes (http://en.wikipedia.org/wiki/Vigilante) it undermines the very stability and fairness of a legal system. Fair applications of law require law enforcement and police officers to follow a legal process that minimizes the effect an investigation has on innocent bystanders, all further controlled by the legal system and the judiciary.
I find it most disconcerting that a government law enforcement entity (New York Attorney General's Office) is apparently supporting this vigilante behaviour by turning a blind eye to let someone else do their dirty work.
There is no doubt that some people are using P2P networks to commit acts of piracy, but that does not justify disrupting P2P networks and affecting innocent bystanders using P2P for legitimate purposes.
Re:Roofers on the Death Star (Score:3, Interesting)
when i lived in seattle, i worked for a startup company in the same building as 180 solutions. our offices were right across the hall from theirs. at the time i had no idea what they did, and i would run into their people in the hall from time to time, usually it was their receptionist. she was really cute and very outgoing, far too nice to be working for such a despicable company. when i learned what they did and saw the collective internet angst directed at them, i wonder if she quit before word got out about them and she got her tires slashed or whatever.
i am glad that i haven't had to make any career decisions that put me in such a position. when the dotcoms in seattle all went under, i was worried i would have to take contract work for microsoft and listen to my wallet rather than my personal politics. fortunately, such a situation never arose.
Re:Actually (Score:5, Interesting)
Heh, they all but went out of their way to provide access to the hackers. The top brass had his emails being forwarded to his Gmail account, bypassing any and all security they had set up on the corporate network.
Then the hackers got the usernames and passwords and gained internal access to the network, establishing admin access on the domain. They apparently set up packet captures, or if MediaDefender were the ones capturing packets, they found them and this is where they captured the VoIP calls.
"Keyloggers, we don't need no stinking keyloggers!"
The worst infections to get rid of are those who have admin access to the network and who maintain their access using normal everyday network admin utilities (From my experience, the French are especially good at this). I have worked with sites that have been hacked where the intruders have obtained an administrator level password, then gone in and set up RPC over HTTPS on the domain servers, then the hackers have set up their own 2003 server, added it to the domain, promoted it to domain controller and had the hacked company's Domain Controller perform an outbound sync (using the RPC over HTTPS) to the hackers' 2003 server. Any password changes the users make on the home network will be replicated to their off site "guest host" malicious server.
The hackers later added Distributed File Shares or DFS, and used it to replicate file shares (i.e. user folders) information to their hacked domain controller. The hackers basically set themselves up as a run-of-the-mill remote office that synchronizes over a low-speed WAN link.
This company was totally Pwn3d... I wouldn't be surprised to see the same thing happened here with the amount of information they collected.
Re:Mixed feelings... (Score:3, Interesting)
Re:Mixed feelings... (Score:2, Interesting)
At the very least it's rather unprofessional behaviour. I won't go into how unprofessional it is to have your company's emails leaked onto the internet...
Re:Mixed feelings... (Score:3, Interesting)
When that's really all it's about, it's not worthless. But these guys aren't working on the problem of curbing piracy. The only way to curb piracy is to make ethical arguments (to the pirates) about the consequences of taking without paying -- the effects of denying patronage to artists (e.g. causing people to simply give up, causing some to "sell out" and seek dubious/compromising sources of funding, etc). These guys just put up minor roadblocks but don't actually give anyone a good reason to not pirate. Perhaps they are making piracy slightly less attractive compared to purchasing, but whatever they do is going to be so minor that the ill will it generates (and long term: technical resistance) counteracts it.
Also, one can't help but look at these people without thinking about the snakeoil salesmen who sell DRM to the media companies. DRM causes piracy, and loss of goodwill and revenue to whoever implements it -- the tangible costs to the snakeoil salesmen aside. There's simply no upside, and lots of downside. DRM truly is [less than] worthless, and these guys' efforts are going to be tarnished by association, no matter how unfair, because they're going to be seen as part of the same overall misguided strategy. (That strategy being: telling potential customers "fuck you, we don't want your money.")
Funding police isn't like that. Funding police generally doesn't increase crime, unless you've got corrupt cops.
The comparison to disease treatment is more interesting, though, in that it evokes images of antibiotic-resistant pathogens. It's possible that these guys' attempts to sabotage communication will result in sabotage-resistant protocols (using signatures and distributed reputation systems, for example). But even in the treatment of disease, it's known and understood that you have to fight it all the way, and using a weak antibiotic ineffectively is a bad idea. That sounds a lot like what these guys are doing. They're training resistance, without actually making the effort to win.
The xxAA's money would be much better spent on education/propaganda (call it whatever, depending on your point of view ;-).