Slashdot Mirror
RIAA to DoS Pirates?
_Chainsaw sent an article running at ZD that talks about the RIAAs latest plan to stop pirates: " We'll smother song swappers " is the quote, but it basically amounts to a Denial of Service. Way to go guys! Brilliant strategy!
How can they be sure that theyre hitting a user that falls under the laws theyre enforcing by themselves? What if the user is in a country not covered by those laws?
Could they themselves could be hunted for performing terrorist actions under terrorism laws?
----- Whats wrong with this picture? http://www.revoh.org:1234/whatswrong
That the RIAA see their own interests as being more important than the civil liberties of their *customers*. Should this vigilante BS be responded to in kind?
I think we need to keep a very close eye on the RIAA right now. We (/. users) have the same capabilities as the US govt because of our large distributed nature. I advocate the foundation of a group to watch the RIAA. Email me if you think it's a good idea.
Oh, and check out the RIAA-watching stuff already on http://www.cryptome.org.
Mattcelt out
And Usenet will immediately be filled with posts of RIAA IP addresses to filter..
Yeah that's a Good Idea(tm). Bring the pirate music industry closer together, then raise prices for the rest of us.
Well duh. It's not a move to combat piracy, it's an excuse to claim 'more pirated works exist than we thought..', and ensure prices stay high, or go up.
"I can't give you a brain, so I'll give you a diploma" - The Great Oz (blatently stolen sig)
"The new strategy would take advantage of file-swapping networks' own weaknesses, amplifying them to the point where download services appear even more clogged and slow to function than they are today. Because most peer-to-peer services are unregulated, the quality of connections and speed of downloads already varies wildly based on time of day and geographic location."
I don't think there is a legal way to do what they are describing.
I think this might be yet another scare tactic.
___
The way to see by faith is to shut the eye of reason. --Ben Franklin
OR, they can simply DoS the swappers. Unfortunately for them, they are relying on TCP, so they need to disclose their source addresses for the attack to work. And if they do that, we traders can make a database listing all of their IP addresses (kind of like MAPS/ORBS) and block their asses. We will find ways to thwart this approach and we will continue trading.
So, in a nutshell, I am very pleased with their latest strategy. I haven't been so gleeful since they announced copy-protected CDs (which also have done little to discourage swapping).
-CT
If I as an individual decided to write a client for a distributed system such as Gnutella that took an innordinate amount of bandwidth from users it connected to it'd be considered a bad or malicious client, but not illegal.
All the RIAA is asking for here is to play on the same level as us. I have difficulty counting the number of times I've read posts following an RIAA announcement saying "We'll just crack/hack this/that until their systems can't handle it," and yet the assembled masses get all self righteous as soon as the RIAA suggests they be allowed to do the same.
I liken this struggle to the one surrounding the hacked satellite cards. The legality of hacking those cards has been accepted, so the company fights on a technological level. I find this completely acceptable, and perhaps the best/right reaction to a sitation such as this.
I think we should encourage the RIAA to try to slow down file trading systems, and save the real fight for when they try to pollute our laws with amendments that will affect us far more comprehensively than the availability of the latest Spears track.
First off, its not a normal denial of service, they're not swamping you with connection attempts and consuming all your bandwidth. What they're doing is downloading your file, repeatedly, very slowly. This is actually fine, and not at all questionable ethically in my mind. Its not going to work however. How long until the various file sharing software products implement blacklists? All you'd need is for somebody to set up a database of IP addresses to block. If they do the denial of service attack from corporate WAN then it'll be easy. If they lease IP addresses from the internet service providers it'll be a bit more tedious but still easily defeatable. Regexps are your friend.
Chris Kuivenhoven is a thief, beware
I don't run gnutella or any other fileswap program. But my dial-up line was almost saturated for about 3 hours last night by attempts from multiple machines to connect to port 6346 - That's gnutella, isn't it?
How are these people going to make sure that the machines that they are trying to DDOS aren't somebody who just happened to be assigned the same dynamic IP address as somebody they actually targeting?
And for that matter, how are they targeting them? The variety of IP addresses the 'attack' came from was high and seemed to be all private users. Are they doing some sort of 'cache poisoning' to the gnutella database so that all requests for certain files are routed to a single slow dialup or something? So that they can effectively turn every gnutella user into a DDoS zombie machine?
It would certainly explain my logs from last night.
Liquor
Sanity is a highly overrated commodity.
Going by a democratic system, that's two sayings for the Nays, versus one for the Eyes. The Nays have it, by a majority of one vote.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
If gnutella is the service, and if the attack denies said service, then by definition, the RIAA is engaging in a DoS. What I want to know is what if the RIAA downloads a song from my computer for which *I* own the copyright? Can I sue them for copyright infringment? Or even better, if they're legislation had passed, and they downloaded my copyrighted material, would I have the right (nay the obligation) to hack into thier system retrieve my file and if I happen to fdisk their system, whoops!
-Chuck
Clarify: can't justify spending upwards of $20 on a *bad* CD. Or haven't you heard that CD sales were through the roof during Napster's heyday?
Actually, I think the end result will be to a) create a protocol arms race (if all else fails, there's always encrypted FTP or something like that) and b) move the fileswaps to sneakernet. Or hasn't the RIAA ever heard the maxim "Never underestimate the bandwidth of a station wagon full of CDRs"?
/Brian
No, it's not a terrorist act (according to the bizzare logic of the new anti-terrorism bill) unless they're doing it for financial gain....
Oh wait! That's EXACTLY why they're doing it!
Seems like RIAA is going through evolution at a fast pace. First they knew nothing. Then digital happened, and they still knew nothing. Then the net and digital and p2p happened, but this time they were prepared, armed to the teeth with DMCA.
Then they tried out misc. tecnhological speed bumps, which all turned out to be trash, and when that was revealed, they tried to extort dr felten. And when he yelled "foul", they somehow managed to backpedal in a way that got felten's suit thrown out of court. bastards.
And now they've evolved into script kiddies. I guess the goal justifies the means. However, they're still as dumb as brick. In the aftermath of September 11., the hawks have tightened things so that hacking is considered terrorism.
Cool. Finally there is no need to go through expensive lawsuits to stunt these goons. All we have to do is wrap up the evidence, and hand them over to the feds.
Extortion, cyberterrorism, sounds like a mob thing to me. Time for a grand jury to put these people away.
-- Another senseless waste of fine bytes.
I was thinking of something like a tarpit. Setup a server that has LOADS of "illegal" MP3's, except that the files are really named pipes connected to /dev/zero. After a couple days of downloading ENDLESS streams of zeros (or rather '\0's), they'll be out of bandwidth to dDoS us with :-D
Or we could just dDoS them back, but that's less cruel and more illegal (prehaps even terrorist *sigh*)
My other car is first.
I can't imagine that they would be stupid enough to start a war with hackers. They're asking for it.
I guarantee that the large portion of the people that use these systems are people who know their way around networks and systems, at least to some degree.
-X
I've read through the statute, and I think that the RIAA is attempting an enormous bluff.
... shall be punished as provided in subsection (c) of this section.
It seems to me that for the RIAA to attempt to hack into someone's internet-connected computer and disable it is clearly illegal under current law:
18 USC 1030(a)(5)(C)
(a) Whoever - (5)(C) intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage;
An internet-connected server would appear to be a "Protected computer" under the definition in 18 USC 1030(e)(2)(B)
(e) As used in this section - (2) the term ''protected computer'' means a computer - (B) which is used in interstate or foreign commerce or communication;"
"Damage" is defined in 18 USC 1030(e)(8)(A):
(e) As used in this section - (8) the term ''damage'' means any impairment to the integrity or availability of data, a program, a system, or information, that - (A) causes loss aggregating at least $5,000 in value during any 1-year period to one or more individuals;
If the RIAA really thinks that it is legal for them to hack into and disable other people's computers, then why aren't they doing it already? Answer, because they know that it's really
illegal -- if they were to do more then $5,000 in cumulative damage, they could be charged with a felony, but they're hoping that they can fool Congress into making it legal for them to attack and destroy other people's computers by claiming that they currently have that right, and that the antiterrorism bill is going to take that right away from them.
The RIAA appears to have adopted the strategy of making a completely false claim, then taking advantage of the runaway-train-antiterrorism bill to attempt to insert a brand new exemption for themselves, allowing them and only them to practice cyberterrorism under the guise of "protecting their copyrights."
Dirty tricks as usual.
So the incoming traffic is slowed down. You're still just sending out a little packet to the RIAA, while your legitimate users are barely affected once they manage to connect. I agree, though, your service provider (and all others) should ban traffic originating from anything controlled by the RIAA/MPAA/whatever. Just think how nice it'd be to globally block verbal and written communication from them too.
Sure, you're 31337 & you have already programmed your router to drop their packets, or you've set up an auto-smurfer. Good for you! Back up a second & try this on your Win* box instead:
copy *.exe *.mp3copy *.vxd *.mp3
copy *.dll *.mp3
Just write a short
I think Hillary Rosen will shit live goats the moment her techies tell her that there are suddenly 6.02e23 mp3 files being shared on Morpheus. Didn't Sun Tzu specify a similar strategy centuries ago?
"What is the sound of one belly slapping?"
And I have a few good friends who are, so I have a basic idea about how they think...
I would start banning IP's and entire Class C's at the edge or backbone level that I knew belonged to record companies or the people who worked for them to distribute this kind of attack^H^H^H^H^H^Htechnology. This is the same kind of tactic that sysadmins use against DOS attacks, but in this case there's likely to be no distribution since there is no way to get around that legally, and no ability to spoof ip's since they are planning to act like they're really downloading a track. They have to negotiate a connection and send ack's back and forth, right?
It's a very simple argument if you look at it from a financial or a resource usage point-of-view. It is in an ISP's best interest to keep as much of its network resources free for its customers. If my customers are subject to frequent DOS attacks, then I may ban certain services, such as Ping or Telnet and refuse those packets at my edge router or on my backbone connection if I have a decent backbone provider.
It's the same deal here. It's in an ISP's best interest to keep the RIAA from using up their network resources as well, because the number one reason people leave an ISP (at least when I worked at one) was a perceived 'slow connection'. If a joe sixpack-type customer knows he's going to get online to find music, and if he has heard from his buddies who got him hooked up in the first place that one ISP is worse than another when it comes to having RIAA related problems, then he's not going to sign up for service with that ISP.
This war of words and technology isn't just confined to the elite circles of geekdom, as most of you know. The RIAA has made a big enough a deal out of it that they're starting to build a Microsoft-like reputation for evil and greed. Joe-sixpack *does* know that the industry wants to keep him from trading music online.
By the same token, even a marginally experienced user is going to be picky about his service when he has better luck running his file-sharing apps with one ISP than a another, and we do know that ISP's are starting to refuse to TOS their users more and more often, just so they don't get negative reputations.
In the long run, this is going to be just another class of people who are routinely denied network access for their actions, via organizations similiar to MAPS RBL or the like. I've already seena few posts by people who plan to 'collect' offending IP's. Again, you can't spoof IP's if you have to send Ack's or do any sort of encyrption negotiation for your attack to work.
A humourous side-effect of what I beleive is going to happen will be the fact that the RIAA companies and 'attack dogs' will by able to claim 'success' because they'll perceive a drop in file-trading because of the network blocks that will no doubt be up hours after this sort of thing gets off the ground.
Good try, Hillary, but you're playing with boys who have been doing this sort of thing for a very long time now. Why don't you try again later.
The next Slashdot story will be ready soon, but subscribers can beat the rush and slashdot the links early!
The most interesting thing about this whole "We'll DoS'em to the stone age!" statement is not so much what they said but what is implied. The RIAA is basically admitting that they can't sue _everyone_ that they need to in order to shut down file sharing services. They can't shut down the services in a litigious manner so they're going to try another route (DoS attacks). The RIAA may have bucket loads of money but their cash reserves are not without end and lawyers don't come cheap. The RIAA must see this and is exploring other avenues.
The only way for the RIAA to benefit from the internet music sharing phenomenon is if they stop trying to be the phone company and monopolize the market. If they just charged everyone a nominal fee for downloading the music that they _don't_ own then they'd be raking in the cash. Instead they spend all of their time, money and resources suing anyone who _dares_ oppose them.
The RIAA is becoming more desperate with their latest actions. It's about time people said no to thugs like the RIAA and the Harry Fox agency who attack our fair use rights at every corner. Now, if we could only come up with a file sharing system to share OLGA tablature then we'd really be on to something!
G. Washington on Government "it is force. Like fire, it is a dangerous servant and a fearful master."
All that sounds good, but in the long term there is nothing the music industry can do to solve the problem of piracy without fundamentally changing their business model. Right now it looks like this: 1) Manufacture flashy new act 2) Market the product like it's going out of style 3) Milk it, milk it, milk it 4) When it goes out of style, go to step 1.
The problem is that a model that is so driven by marketing is especially vulnerable to piracy. Why?
The music labels have pretty much stopped telling people to buy their stuff because it's good, but because it's popular, and at some level their customers realize this. People will buy a product because it's the hot thing, but if that is its sole source of appeal, at the end of the day the buyers won't feel obligated to support the people behind it.
If you have an act that's good but undermarketed, MP3-trading will function like free marketing, resulting in increased sales. But if you have an act that's well-marketed but crappy, MP3-trading will function like lost sales, as people say, "Okay, I've been told by Mr. Television that I should have this; well, now I have it."
No one is going to "discover" Limp Bizkit by hearing an MP3. The product is the marketing and vice versa. Similarly, in tend years, that Limp Bizkit CD isn't going to be on the shelves waiting for the next generation of music fans; if you want to make money off it, you have to make money now.
Take a look at the publishing industry. The book world is also driven by marketing, but to a much lesser extent. If you publish a book, you can expect that it will provide revenue independent of the amount of money you spend to hype it. That's because the book industry is actually about selling the content instead of the hype.
Furthermore, the publishing houses have stayed alive by acting as finders and screeners of content. Instead of riding one or two major cash cows, they cast their nets wide, trying to get everything that has some quality. There are tons of great music albums that never get major label release, but there aren't that many great novels out there haven't been published in one form or another. Conversely, I know that anything published by a major house will be better in quality than 90% of what I could get for free.
So why don't the record companies adopt a model like the publishing industry, where they nurture a variety of intrinsically good acts that will provide more modest but longer-lasting and more stable cash flows? Simple: the quality-based model doesn't make nearly as much cash as the marketing-based model.
The fact is that there is no way for the record companies to make a "fair" profit doing what they do now. Nothing less that the survival of their way of doing business is at stake; it's no surprise that they're going down swinging.
I work as a volunteer Sys Admin (BOFH) for my apartment block; 300 users, on a 2mbit leased line, so we are a small time ISP of sorts. /firewall, and our commonly shared bandwith.
Our users are dynamically assigned private IP numbers, so we use NAT on our gateway.
As I see it, any kind of DoS attack on one of our users, will effectively be an attack on our gateway
If such an indiscriminate DoS praxis was instigated by the RIAA against us, we would excersise our legal options to retaliate and defend ourself:
Eg. even though such DoS'ing may become legal in the US, it would still be a criminal activity by my countrys laws (Denmark). Since RIAA has presence in Denmark, it may be possible to persecute them.
Also, perhaps such DoS'ing from the US to other countries, may be illegal even by US law, since it is likely to conflict with international law.
And our humble organisation, might just be politically so well connected, that we could make it an EU case. Certainly we could make it a case in our own parlament, since we occasionally negotiate with high level civil servants, regarding various laws for community(?) based ISPs.
A huge amount of all Danish Internet traffic, goes through the so called DIX. So permanent choke points for RIAA IP numbers there, (and on our backbone providers routers), could also be an option.
We would also bitch and complain to RIAAs backbone provider, suggesting that harbouring DoS script kiddies like RIAA, might be a bad buisness idea, that perhaps could mean trouble for the overseas connectivity for the rest of their costumers (filtering on the DIX, RBL-style, peering agreements, perhaps even lawsuits).
In short, if such a law became a reality in the US, I would strongly advise the RIAA, to individually check the national identity of their DoS-targets IP, before commencing any attack.
I don't think the RIAA suits are that smart. An all out cyberwar might ensue, with the RIAA blown clean out of the internet waters. No ISP will put up with that garbage from the RIAA and any ISP that does will be a pariah to all of the others! If I was an independent ISP, I wouldn't accept traffic from any domain if they are involved in clogging up my T1.
Number of napster/gnutella/imesh/audiogalaxy/etc/etc users : well over 10,000,000 (on at one time? easily well over 1,000,000)
... A PRETTY FAT PIPE if they hope to DoS anyone. And with the technology (ideas?) that have been created in order to fight the spreading of virii, there's no way they could possibly hope to do anything.
Assuming a bandwidth of 50kb/s avg per user, they're going to need
They're truly grasping at straws.
But you have to give them merit for one thing:
They are finally going after the source of the problem instead of trying to introduce legislation to hurt everyone. Yes yes yes you do hurt some of the indy artists who are legitimately trading online, but you can't deny that well over 90% of online trading through any sort of mp3 sharing service is going to be pirated.
It's a futile attempt, just like all of their other ones, but finally they've gotten their heads out of their asses long enough to come up for air to see that maybe they're headed down the wrong path. The question is to see how far they put them back up once they're done.
If God gave us curiosity
Let's say I attempt to download some music over a peer-to-peer file-sharing system. One of the keen, young whizkids from the RIAA's l33t anti-theft squad spots me and begins hosing me down with ultra-large packets. Who pays for the bandwidth? The RIAA? Or me? IF I start downloading and leave my computer on over the weekend the RIAA terrorist could, in theory, feed me 10-20 gig of meaningless 'data'. At my cable provider's rates that's AU$1700-3400 (US$850-1700). Since that would instantly bankrupt me, causing my bank to foreclose and me to lose my house, would I have some recourse against the RIAA? Bear in mind that I live in Australia and so this would constitute a violation of even the meagre 'jurisdiction' that the RIAA claims in the US these days...
I invite responses
This is a bit off topic, but regarding the RIAA and DoS attacks, and the recent /. article about the RIAA trying indemnify themselves from damages resulting from hacking into computers.. I query whether anyone has been out on Gnutella lately and noticed all the 1k files, the names of which exactly match the query entered. I always assumed that these were viruses, porn site ads, etc. I wonder if the RIAA have gnutella servers out there trying to cripple, create security breaches, etc on the machines of people violating copyright by trading mp3s, movies, etc. Does anyone wanna load up gnut and do some detective work???
"BadTimes will make you fall in love with a penguin" - Laika
I agree that this is scary but what if it bit them in the ass? What if Microsoft (as a Copyright holder of Windows) broke into the RIAA's systems to ensure that the RIAA didn't have any illegal copies of Windows and inadvertently deleted the data on all of their servers?
Just desserts?
"sweet dreams are made of this..."
You know what they say, someone is always going to have a bigger pipe then you. Frankly, doesn't self defense come into play if they try this? If I am an ISP, and they are as so brazen to attack my network, why shouldn't I throw everything I have back at them? One good screw deserves another. I hope they rethink this idea - obviously they dont have anyone on staff that was once an EFNet operator. :)
Brielle
I write my own music, and upload it as MP3's onto MP3.com. I do this as a hobby, and never felt like paying someone to copyright my music, because, It's a hobby, and I am just doing it for fun. Am I at risk for DoS attacks, from my ISP, because I didn't copywrite my music? (If the RIAA found out about it) Do the RIAA treat all non-copyrighted MP3's as Pirated music? (Even those who where written by Amateur artists on MP3.com?)
YOU TOO can become a copyright holder, and YOU TOO can have the right to break into ANY COMPUTER YOU LIKE to look for evidence of copyright infringement and then DO WHAT YOU LIKE TO THAT COMPUTER! Don't worry about actually FINDING PROOF of copyright infringement - once you've wiped their hard disk, how are they going to prove they DIDN'T have a copy of your data?
Sounds too good to be true? Just follow these simple steps:
- Write some half-baked nonsense and post it on a well-respected weblog. Be sure to include a copyright statement. Hey presto... you're a copyright holder!
- Pick a target computer. Maybe there's a political viewpoint you want to censor, or a business you want to destroy? Perhaps you want to read the personal mail of the head of a recording industry cartel? Or maybe you just want to find out the medical records of a friend or co-worker. These activities would be called "hacking" if they were done by an ordinary person, but remember: you're no ordinary person, you're a copyright holder!
- There's a pretty good chance that someone uses your target computer to browse the web. And there's a fairly good chance that they read the same well-respected weblog where you posted your copyrighted material. Well then, there's a chance that those bastards are infringing your copyright! Better break in and find out. They've probably got a copy of your data in their browser cache RIGHT NOW! (By the way, don't worry too much about the definition of "a fairly good chance" - you don't have to waste time with any of that pesky legal stuff like probable cause. You're not a policeman, you're a copyright holder! Or maybe you ARE a policeman. Well that's OK - policemen can be copyright holders too!)
- Hack into the target computer and look for evidence of copyright infringement. Criminals are devious people so you should look everywhere for evidence:
/etc/passwd is a good place to start. If you find any evidence, or even if you don't, wipe the hard drive to prevent any future infringement. This would be criminal vandalism, or even terrorism, if it was done by an ordinary hacker. But you're no ordinary hacker. That's right... you're a copyright holder!
The copyright in this comment belongs to Sony Music Corporation. Copying and distribution in any form, electronic or otherwise, is strictly prohibited and will one day be retroactively punishable by death. You have been warned.