Slashdot Mirror
Anti-piracy Vigilantes Tracking P2P Users
brevard writes "From SecurityFocus comes news that a pair of coders with a deep hatred of software pirates have gone public with a months-old experiment to trick file sharers into running custom spyware they wrote that scolds users and phones home to a server. They circulated the program disguised as sought-after downloads like Unreal Tournament 2004 and Microsoft source code, and they have a website that updates in real time whever someone executes it. They've logged IP addresses for over 12,000 'pirates' since January. The EFF says the vigilantes may be committing a crime."
That's what they are essentially spreading. There's asses should land in jail as soon as possible.
Indefinitely Detained US Citizen
Isn't that fraud or false advertising? And aren't they encouraging piracy in a way by making more hits come up everytime someone searches for a particular app? On a related note, isn't it illegal to sell grass to someone while saying it's marijuana? Aren't the penalties the same? Why should this be any different. Charge them with piracy, slander for posting your IP, and being sleazy bastards for beating MS/SCO to this idea.
They say they are tracking software pirates.
But realy pirates don't use p2p apps for warez.
That's kiddie crap.
More like they are tracking 14 year old's with a cable modem.
try IRC, now if they could track that, it'd probably blow their minds.
I believe most of us feel angry when reading about these vigilantes. I know I do. However, I would encourage all of us to remember that if these vigilantes were, say... tracking down spammers... then we would be extatic.
Yes, I'm aware that there's a difference between pirates and spammers. But keep in mind that the RIAA probably sees P2P users the same way that we see spammers. Annoying, a growing threat, and obsessed with large penises.
The same users that are too lazy to look up free alternative software are going to go through their file sharing archives looking for virii and trojans?
Always going forward, 'cause we can't find reverse.
Not true, most people that use P2P software are total morons, or at least there are enough to keep it spreading
you would also think a 2mb file size would tip people off that its not UT2k4 or Win2k Source Code
You may not like it or agree with it (I sure don't) but right now it's the law. If we don't like a particular law (such as copyright) then we need to get our elected officials to change it.
For the same crimes virus creators are jailed.
Piracy = copyright violation Piracy != theft
The EFF says the vigilantes may be committing a crime.
Vigilantes are, by definition, committing crimes.
A vigilante is a private citizen who acts outside the law, taking the law into their own hands.
Some people (e.g. the vigilantes themselves) see this as a Good Thing -- enforcing Justice, where Justice would otherwise go unenforced.
Others (such as myself) see vigilantism as the roots of rebellion and chaos -- acting as a private government, in defiance of duly constituted authority.
Not that I have a hell of a lot of respect for duly constituted authority. Most of the cops I've met have been decent people, however, there's a long, sad history of cops acting as vigilantes, outside the law. Not to mention police states, governments run by mobsters, etc. etc.
-kgj
-kgj
I don't much care one way or another about the issue of going after software pirates, as there are some major assholes on both sides of the issue. But the problem with this approach is that if there are bugs in the antipiracy software it could end up screwing up a lot of people's systems and causing major expense and loss of time and effort. Moreover, it looks like people could convert this into intentional malware by renaming it, so that someone looking to download freeware documents on, say, the history of microprocessors, could end up with this crap on his machine. So I object strongly to the means, though I am ambivalent about the intent.
And again, mac users don't have to worry about their malware.
The article is pretty light on that point. I think anyone who downloads "UT2K4 Keygen.exe" or "Photoshop Full.exe" knows exactly what they are trying to get, and they know the risks of what they are doing. And therefore, if someone wants to write an app that phones home and tells the companies that someone is trying to use a crack, what's the harm?
SmashTech - No smashing of tech involved
For those of you attempting to probe the moral questions of this project.
What if my software, downloaded with no warranty from Gnutella, displayed the weather conditions in Kenya?
I'd have their IP, and I could even safely retrieve the ID with legitimate pretenses.
However, since my software rebukes the downloader for downloading a file that appeared to be a crack, it is a Trojan and a danger to the peoples of the free world.
Just a thought.
clifgriffin > blog
It is a Trojan - it doesn't have to do anything malicious, just something that is blatently NOT what its description (filename in this case) suggests. And you're capturing data from the users that run it, so it could be argued that it is in fact malicious.
the absolute funny part is that is it OBVIOUS when a file is your guy's trojan horse... it only works because many p2p downloaders dont pay attention to file sizes and number of sharers... your junk is too small to be correct.
you are only catching really stupid kiddies that scream "ohhh shiny!" and click...
maybe next time you guys should first off research your prank more before deploying it as it only fools the morons into downloading.
I've said many times on Slashdot that if you want P2P to be taken seriously and not be labeled as a haven for pirates, you need to actively engage in discouraging the use of P2P for illegal file trading. These guys are actually doing that. Good for them. At least they're not acting like some hand-waving Slashbots ranting about how no one takes P2P seriously, all the while refusing to acknowledge that the majority of data transfered on P2P networks is copyrighted, and furthermore refusing to do anything about it.
My favorite comeback line: "Maybe we should outlaw knives because someone might do something illegal with them!" -- completely off-target. Right now, the situation with P2P isn't that a minority of people are using P2P networks to trade copyrighted materials, but that a minority of people are using P2P networks for trading non-copyrighted materials. Until P2P fans actively pursue and discourage the use of P2P for illegitimate uses, P2P will continue to have a bad rap and be pursued by copyright holders.
but what if the program is altered to not delete itself?
And the muscular cyborg German dudes dance with sexy French Canadians
And some of us consider phoning home fairly malicious.
No, I don't want a free iPod
That's what they (the "victims") are essentially spreading. There's asses should land in jail as soon as possible.
Sorry, that's not my personal view (I don't believe in locking people up for small-scale copyright infringment) but it is the view of some, such as the content creators whose property is being infringed on.
I just find it ironic that just changing the subject line of your message from "Trojans" to "Illegally distributed software" gives us a whole new look at this issue: after all, most of the people engaging in P2P distribution of copyrighted material live in countries where it's illegal and probably punishable by a jail sentence.
The majority of people here seem to be engaging in double think: messaging people who engage in P2P copyright infringement that what they're doing is wrong and publishing their IP addresses is a Bad Thing, yet tracking down the online behaviour of spammers and then publishing their real world addresses (without any consideration for what might happen as a consequence) is a Good Thing.
Can someone please explain to me how one is so wrong yet the other is so right? (Preferably without resorting to the kind of language that you wouldn't use in front of your mother?)
"Accept that some days you are the pigeon, and some days you are the statue." - David Brent, Wernham Hogg
We had the IP when they downloaded the software.
It's one thing to have someone's IP address. It's another thing altogether to post it as public information. Just because someone else may be in violation of copyright doesn't give you the right to violate their privacy.
And you're making the assumption, which isn't necessarily valid, that your victims intend to violate copyright in the first place. If I lose my CD-Key to a game but still own the media, why should I not be allowed to use an alternate key? Surely ownership of the physical media is proof that I have license to operate the software in question.
!#@%*)anks for hanging up the phone, dear.
You only had it if they downloaded it from you, though - which certainly can't be guaranteed in a p2p environment.
quidquid latine dictum sit altum videtur.
you forget one more thing...
I own a 100% legal copy of Cakewalk home studio 2002
my install CD is broken so I have a choice of buying another copy or making my LEGAL copy work.
so I download off Kazaa the iso file of the CD burn a new one and voila...
now the frothing at the mouth Software people here would want me hanged for stealing money out of their mouths by not buying a new copy of their software every 30 seconds but who cares... I am doing NOTHING illegal and simply circumventing a disdain for customer service fr omthe company that makes the software.. I'm still using MY legal serial number and codes... I STILL have the legal license (AKA the box and other paper drivel that says so.)
Do not look at laser with remaining good eye.
Wow you're smart.
What about those IP addresses that were coming from the people who downloaded your illegal trogan from morons that weren't you.
Next.
Was that an intentional part of the design? Or did you guys just overlook the ALT-F4 shortcut when you designed the program?
!#@%*)anks for hanging up the phone, dear.
Probably "entrapment". An equivalent situation would be if the local law enforcement decided to leave a palette of boxed electrical goods on the street (let's say laptops or toasters), but which had wireless surveillance cameras built in. Once turned on, the machine would then broadcast images of the users back to headquarters. The authorities would then claim they had captured photographs of known thieves. Is that fair?
Not too long ago, Soviet Russia embarked on a long hard social experiment, called communism...:)
See, the problem with social experiments is, you have to get the buy-in from society. Can I go to the local girl's school and start looking under people's skirts and claim I'm just doing a social experiment...I'd be arrested in an instant.
Here's what you are really doing -
Malone: You said you wanted to get Capone. Do you really wanna get him? You see what I'm saying is, what are you prepared to do?
Eliot Ness: Anything and everything in my power.
Malone: You wanna know how you do it? Here's how, they pull a knife, you pull a gun. He sends one of yours to the hospital, you send on of his to the morgue! That's the Chicago way, and that's how you get Capone! Now do you want to do that? Are you ready to do that?
You are using the same means software pirates use to get back at them, Mr. Malone. Now, unless you are Sean Connery in The Untouchables, that ain't legal.
We're just doing a social experiment...to see how a program spreads, who downloads it, etc...
Kinda like some 'curious' virus writers?
The logging happens when they click a button.
Do you tell them of that fact before they click?
It appears you don't. There is no other escape button on the popup window. No other mechanism, other than alt-F4, to dismiss your box.
You give the user little opportunity to not have it phone home.
If this was in fact a "social experiment," I have a few questions:
If this was a genuine social experiment, these questions have already been answered, somewhere. Otherwise, I think we can chalk this up as a prank designed to embarass people.
!#@%*)anks for hanging up the phone, dear.
"Mislabeled" is not the same as "intentionally falsely labeled".
You know, I'm starting to notice that he isn't answering some of the more important questions that have been asked, and he seems to be reitirating a lot of the same stuff. I hope he's either away from his computer, busy with work, or has some good excuse not to be answering all these questions that he so far seems to be avoiding.
Me thinks he's in over his head.
WWJD.... for a Klondike bar?
Let's see, a huge cargo container of US Soldiers that look potentially ready to pounce is being passed off as contraband relief supplies lands in Iran or Cuba, but all it really does (for now) is phone home to GW Bush and say "I'm here". Would you expect the Cubans or Iranians to be happy about it?
So, your assumption that you have not done something malicious is self serving. If I post the personal information of the doctors from Planned Parenthood on a website frequented by right wing religious wackos, I can claim innocence, and intent would be difficult to prove in law, but a reasonable person would generally agree that the intent is clear.
Therefore there are two key points. First, you use social conventions and the assumptions of you victims to gain entry to their property. You do not, in fact, knock at the front door, state you true intent, and gain there express written approval. You do in fact use deceit and, admittedly, the users greed, to gain entry. Second, you do collect data without authorization, and, apparently, pass judgment on those you trick. In a way it is no different from the religious wackos taking pictures of cars at a porno shop and then sending letters passing judgment on the owners. Which, of course, is one of the key points of vigilantism. The passing of judgment without due process. Even the red handed person may not be the murderer. We generally like to bring that person to court to prove beyond a shadow of a doubt that he or she is in fact guilty.
When I first read the story it sounded a bit of hoot, and I thought the writers were a some rather clever people, probably misguided and improperly educated, who wanted to raise awareness of an issue. Though you probably broke laws, it was a level of activism that, though I would disagree with the cause, was merely a nuisance. However, now it seems like you guys are just delusional with visions of grandeur. I am very afraid. You are hiding behind objectivity, and there is little more dangerous than a person that feels they have leave to ignore the moral compass. As such I am posting anonymously.
I urge you to read some real books. Learn about philosophy and ethics and the damage caused by those that valued beliefs and personal posesions more than the physical and social realities of the world.
I speak for myself when I say that "vigilante" is not a word we ever claimed. We aren't raging against internet piracy or p2p.
Oh really? Your statements on website would seem to disagree with that
"At the start of this year, we (Justin and Clif, Clif and Justin) decided to start a new project. We declared war on illegal file sharing and pirates. The goal was to waste their time and bandwidth while tracking them and how the file moves around.
Other 'interesting statements:
3. We dissagree with the notion that this is a "Trojan".
Our program is aboslutely dormant unless specifically and purposefully executed by the downloader.
Exactly the same as the Beagle and other email trojan variants.
We aren't reporting these people to anyone in the law enforment field, even though we should be.
Yes you are. By posting it online, in real time.
We could go on...
Can someone please explain to me how one is so wrong yet the other is so right?
Vigilantilism is wrong. Period. Rule of law is characterized by a state monopoly on justice. If you don't like rule of law, there are plenty of countries where it doesn't apply.
Or, in a language your mother would use: Two wrongs don't make one right.
Yet again, it all depends on what they do....we don't collect anything without them making defined, deliberate actions.
Seems a defined, deliberate action would be if they clicked a button saying "Click here to send your IP to our database"
You really didn't think this, or any of your arguements for it through, did you?
WWJD.... for a Klondike bar?
Even if we assume that these vigilantes are doing nothing morally wrong themselves at what point should they be responsible for opening a security hole in a system which can be exploited by other more malicious stalkers? Can these vigilantes show that their code is 100% secure such that only they can make use of the resources that it provides?
Spyware and malware and P2P programs and instant messaging programs may not be malicious in and of themselves but they're all coded by half-hacks who aren't very interested in security. Do they properly check their buffer overflows, input validation, or ensure perfect alignment with a proper handshake protocol?
I think not...
Let's say that the law would tolerate the vigilante retrieval of stolen property. At what point is the vigilante liable for leaving the backdoor open?
Let's say that malware and spyware and spammers really are nothing more than advertising methods used to boost the economy (which can be argued as "good"). At what point are the authors of those progams liable for the malicious attacker or stalker who relies on them to identify easy targets?
Let's say that posting signs for your candidate on someone else's front lawn would be legal. Are you liable if a serial killer decides to pick his targets based upon lawn signs?
Implications are more than just one step removed from the source.
+++ATHZ 99:5:80
Perhaps you ought to put a disclaimer on your site then: "I will publish your IP address"
Your computer is broadcasting an IP address!
One line blog. I hear that they're called Twitters now.
They purport to have a list of pirates...
What they have is a list of people that downloaded something that most likely isn't a copyrighted work written by them (and admittedly made available freely online by themselves).
Not only that, they're infringing on the trademarks of the software they purport to be in order to run this little experiment, and a case could also be made that they're doing damage to the name of that software by associating it with their invasive software without consent from the actual publisher of the original work.
I'm all for protecting a product with the laws that are in place, but the laws shouldn't be taken into people's own hands with invasive and untested software.
I think your argument does work, but only for serious applications. I've paid for the applications I use frequently. There are some extremely expensive applications that I'd be interested in exploring out of personal curiosity (specifically, Gaussian and Fortran95), that I would pirate if I could even find. However, if I found a serious application for it, I'd pay for them - since their software would be directly benefiting me in my work. As it stands, if I pirate the software, it only benefits them: They get market mindshare, and they haven't lost a sale - I'm not buying it either way at this point.
The problem with the argument comes from games. There is really no serious use for games, and no business use either. Personally, I will pirate games but either delete them or buy them if I find that I've continued to play it. However, there is no reason that this should be so for anyone else. Back in the old days, if you were under working age, getting a game involved hours of parent-begging to buy NES carts. Now it involves piracy, and I don't really have a good answer for that. I don't think that kids appreciate having an actual boxed copy of their game, or the complexities of IP ethics. They just want it, and they want it now, consequences and fairness be damned.
However, related to the topic at hand. These people are reporting me as a pirate for using cracks. I think that anyone who has ever purchased a game, and hunted around for the install CD so they could play the game that they already installed on their HD would prefer to not have to do that. So, even if I have purchased a game legitimately, I'll generally run the cracked version.
It strikes me that somebody who downloads something from an 'untrusted' computer, and then runs the component. Obviously accepts all the warnings of their firewalls, that the component is trying to open a connection to the internet, then wonders why it didn't 'generate a license key to UT2004'.
These people really need to be taken offline as they probably consitute the biggest threat to the Internet with regards to click happy crazies who believe that installing trojans, virus et al... is something they were born into this world to do.
I think this is a VERY interesting social experiement. Sure it may be illegal, but still - its very interesting.
Considering legality though, did you know when you installed MS Oulook, that if I sent you an email that you read in HTML format, I could log your IP address? Does that mean MS have written some software that they know can be used to 'phone home' that they are doing something illegal?
Discuss...
There's a lot of people saying that because the people downloading these files have been breaking the law they deserve everything they get.
So far as I can see though they haven't actually broken the law themselves. They have downloaded a file with a particular name, this file is not illegal to download or use on your computers so I don't see any crime being commited there.
On the other hands the program writers are almost certainly breaking the law by running spyware etc on your computer without your permission.
I'm not saying I agree with stealing stuff of P2P because I don't but I am saying that in the case the downloader has done nothing wrong.
Can you spot the shoot-self-in-foot-notes?
..what, outlook? Got it! Thanks for clearing that up!
1. No data is collected by our software that isn't already collected when our software is downloaded. The only personally identifiable information that we have would be the executer's IP address. However this information is freely available at time of download and is completly public information.
Uhm, wait, but collecting IP addys is data. And you also collect what file they were trying to download, and where/who they got it from? I'd say building a track list of a 'social' network of where a file goes and by how/whom is plenty of data.
I'm sorry,but thats a load. Get a better legal advisor, next!
3. We dissagree with the notion that this is a "Trojan".
A trojan horse gains access to a system through deviant methods. Not through user initiated downloads on a P2P network. Secondly, a trojan horse by definition has a payload or attempts to give the author access by working from the inside. Our program is aboslutely dormant unless specifically and purposefully executed by the downloader. And the program is riddled with cues to what the contents might be. For instance, the company name is "C.R.A.P. Citizens Raging Against Pirates". Not what you'd expect from a "legitimate" crack or keygen.
Okay, lets see, its not a trojan, yet its a trojan. It's not a trojan because it comes from a p2p network, and not
Okay, great idea, really, very funny! But WTF are these guys going to do with all this when, say, MS steps in with a great big legal order of doom saying 'we want to know everybody who thought they were downloading the windows source code'? Are these people even thinking that far ahead?
And I love the broad thinking that anybody downloading a keygen is a pirate, What, these guys never lost a Cd key before? Yesh. Get a grip kids.
Points for some very crative programing, but they lost points for not finding something better to do and not thinking ahead a few more feet of them.
My new top secret key -> C>N|KB
This is untrue, and is seems to me like it's a loaded statement. Otherwise, Elliott Spitzer has just been blowing smoke for the past few years. It also means that the FTC and SEC have no power. People are in jail right now for their part in the illegal actions of their company. While certain folks have gotten away with certain shenanigans in the past, this is simply untrue today. Haven't you been keeping up with the news? It's been creported on pretty widely ever since the Enron bankrupcy. Elliott Spitzer has been all over it since before then (since the fall of the dot-com's) for shady practices in the investment banking industry.
Yeah, this is indicative of the "I'm powerless against the megacorporation" mentality. Fortunately, individuals still have certain protections in the US. Illegal is still illegal -- no matter who you are...regardless of how powerless you may feel.
-Turkey
Um no it isn't. You don't download keygens and full copies of programs off P2P to "tune up" your software. You do that to pirate it, to violate the rights of the producer and to be a little prick.
Woah, way to go Mr. Assumptions. Why exactly can't I just rip out the CD protection code off the program I paid for? It's far more convenient for me to just install the whole thing in my 120 Gb hard drive, stash the box with the CDs safely and be on my merry way. I don't have to throw a tantrum, call the software company 100 times and make a revolution to change the system so that programs come without CD protection. I can simply spend 5 minutes downloading a tool and getting rid of it. Or I can put the keygen with the game in the hard drive so that I don't even have to worry where the manual or the box will end up.
What you're presenting here is a fallacy known as the False Dichotomy. The world is not "either you get the crack to pirate the program or you return it if you don't like the CD protection". After I paid for that software I'll modify it as I see fit to make it more convenient for me to use it, be it cracking the CD protection, installing 100 zillion mods or even cheating the crap out of it so that I can headshot the bots every time I want to. And I'll be damned if I let anyone tell me what I can or cannot do in my computer with the software I paid for.
---- Take the Space Quiz!
We had the IP when they downloaded the software.
No, sir. You had AN IP Address. If that address is that of a proxy, you just accused N number of innocent people of executing a file they did NOT.
Speaking as one who does security auditing for a living and is quite familiar with the legalities involved here, were I you, I'd be anticipating a knock on my door from some guys wearing black suits and sporting no sense of humor. Good Samaritan laws do not apply to copyright or electronic device use laws.
As has already been stated previously, people can download these files for ligitimate purposes(highlighting the fact that they could already own the game). And by using the Copyrighted game name to distribute a trojan, you have placed yourself open to legal action from the copyright holders.
Vote for new mod!!! Score:-2,Imbecile
It's amazing to see how many people on slashdot are having problems with this. Is slashdot just made up of a bunch of kids who think it's cool and ok to steal software and make illegal copies of other copyrighted materials? Maybe some of the people here didn't understand that the fight for freedom wasn't for illegal activities! It was for the freedom to trade LEGAL files. File sharing itself is good. Trading music and pirated software illegally is BAD BAD BAD. Mod me as troll or flamebait if you want to. Just grow up!
"he drew his sword Ringil that glittered like ice... and he wounded Morgoth with seven wounds..."
What a refreshing story. Just when I'm ready
to give up hope, there's always something,
however small, that helps restore my faith
in humanity.
I remember a few years ago there was a sting
operation that nabbed a bunch of fugitives
by running a bogus sweepstakes. The
criminals were lead to believe they'd won
superbowl tickets and when they showed up to
claim their prize, they were arrested. Some
of these idiots were so dumb and brazen that
they were still asking for their tickets as
they were being carted away.
That's how I think of the criminals who are
complaining about this prank -- only they're
not being carted off to jail, where they
belong, but just being gently reminded that
there's a difference between right and wrong.
I wonder. Who out there would be nasty
enough to give the P2P criminals what they
really deserve? Hey, having your hard drive
wiped is better than doing time.
Since you seem to enjoy posting other people's addresses... do you mind yours being known? After all, it IS public information, right? Clifton Griffin 503 Piedmont St. Reidsville, North Carolina 27320 And does Mr. Leinecker know about your little project, and how because of your affiliation it could give his company a bad name? I just figured since posting addresses all over the place is one of your hobbies, the rest of us should join in!