Slashdot Mirror
Anti-piracy Vigilantes Tracking P2P Users
brevard writes "From SecurityFocus comes news that a pair of coders with a deep hatred of software pirates have gone public with a months-old experiment to trick file sharers into running custom spyware they wrote that scolds users and phones home to a server. They circulated the program disguised as sought-after downloads like Unreal Tournament 2004 and Microsoft source code, and they have a website that updates in real time whever someone executes it. They've logged IP addresses for over 12,000 'pirates' since January. The EFF says the vigilantes may be committing a crime."
That's what they are essentially spreading. There's asses should land in jail as soon as possible.
Indefinitely Detained US Citizen
They say they are tracking software pirates.
But realy pirates don't use p2p apps for warez.
That's kiddie crap.
More like they are tracking 14 year old's with a cable modem.
try IRC, now if they could track that, it'd probably blow their minds.
I believe most of us feel angry when reading about these vigilantes. I know I do. However, I would encourage all of us to remember that if these vigilantes were, say... tracking down spammers... then we would be extatic.
Yes, I'm aware that there's a difference between pirates and spammers. But keep in mind that the RIAA probably sees P2P users the same way that we see spammers. Annoying, a growing threat, and obsessed with large penises.
The same users that are too lazy to look up free alternative software are going to go through their file sharing archives looking for virii and trojans?
Always going forward, 'cause we can't find reverse.
Not true, most people that use P2P software are total morons, or at least there are enough to keep it spreading
you would also think a 2mb file size would tip people off that its not UT2k4 or Win2k Source Code
You may not like it or agree with it (I sure don't) but right now it's the law. If we don't like a particular law (such as copyright) then we need to get our elected officials to change it.
For the same crimes virus creators are jailed.
The EFF says the vigilantes may be committing a crime.
Vigilantes are, by definition, committing crimes.
A vigilante is a private citizen who acts outside the law, taking the law into their own hands.
Some people (e.g. the vigilantes themselves) see this as a Good Thing -- enforcing Justice, where Justice would otherwise go unenforced.
Others (such as myself) see vigilantism as the roots of rebellion and chaos -- acting as a private government, in defiance of duly constituted authority.
Not that I have a hell of a lot of respect for duly constituted authority. Most of the cops I've met have been decent people, however, there's a long, sad history of cops acting as vigilantes, outside the law. Not to mention police states, governments run by mobsters, etc. etc.
-kgj
-kgj
I don't much care one way or another about the issue of going after software pirates, as there are some major assholes on both sides of the issue. But the problem with this approach is that if there are bugs in the antipiracy software it could end up screwing up a lot of people's systems and causing major expense and loss of time and effort. Moreover, it looks like people could convert this into intentional malware by renaming it, so that someone looking to download freeware documents on, say, the history of microprocessors, could end up with this crap on his machine. So I object strongly to the means, though I am ambivalent about the intent.
The article is pretty light on that point. I think anyone who downloads "UT2K4 Keygen.exe" or "Photoshop Full.exe" knows exactly what they are trying to get, and they know the risks of what they are doing. And therefore, if someone wants to write an app that phones home and tells the companies that someone is trying to use a crack, what's the harm?
SmashTech - No smashing of tech involved
For those of you attempting to probe the moral questions of this project.
What if my software, downloaded with no warranty from Gnutella, displayed the weather conditions in Kenya?
I'd have their IP, and I could even safely retrieve the ID with legitimate pretenses.
However, since my software rebukes the downloader for downloading a file that appeared to be a crack, it is a Trojan and a danger to the peoples of the free world.
Just a thought.
clifgriffin > blog
It is a Trojan - it doesn't have to do anything malicious, just something that is blatently NOT what its description (filename in this case) suggests. And you're capturing data from the users that run it, so it could be argued that it is in fact malicious.
On a related note, isn't it illegal to sell grass to someone while saying it's marijuana?
yeah, it's intent to supply, no controlled susbtances required.
There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
I've said many times on Slashdot that if you want P2P to be taken seriously and not be labeled as a haven for pirates, you need to actively engage in discouraging the use of P2P for illegal file trading. These guys are actually doing that. Good for them. At least they're not acting like some hand-waving Slashbots ranting about how no one takes P2P seriously, all the while refusing to acknowledge that the majority of data transfered on P2P networks is copyrighted, and furthermore refusing to do anything about it.
My favorite comeback line: "Maybe we should outlaw knives because someone might do something illegal with them!" -- completely off-target. Right now, the situation with P2P isn't that a minority of people are using P2P networks to trade copyrighted materials, but that a minority of people are using P2P networks for trading non-copyrighted materials. Until P2P fans actively pursue and discourage the use of P2P for illegitimate uses, P2P will continue to have a bad rap and be pursued by copyright holders.
but what if the program is altered to not delete itself?
And the muscular cyborg German dudes dance with sexy French Canadians
And some of us consider phoning home fairly malicious.
No, I don't want a free iPod
That's what they (the "victims") are essentially spreading. There's asses should land in jail as soon as possible.
Sorry, that's not my personal view (I don't believe in locking people up for small-scale copyright infringment) but it is the view of some, such as the content creators whose property is being infringed on.
I just find it ironic that just changing the subject line of your message from "Trojans" to "Illegally distributed software" gives us a whole new look at this issue: after all, most of the people engaging in P2P distribution of copyrighted material live in countries where it's illegal and probably punishable by a jail sentence.
The majority of people here seem to be engaging in double think: messaging people who engage in P2P copyright infringement that what they're doing is wrong and publishing their IP addresses is a Bad Thing, yet tracking down the online behaviour of spammers and then publishing their real world addresses (without any consideration for what might happen as a consequence) is a Good Thing.
Can someone please explain to me how one is so wrong yet the other is so right? (Preferably without resorting to the kind of language that you wouldn't use in front of your mother?)
"Accept that some days you are the pigeon, and some days you are the statue." - David Brent, Wernham Hogg
We had the IP when they downloaded the software.
It's one thing to have someone's IP address. It's another thing altogether to post it as public information. Just because someone else may be in violation of copyright doesn't give you the right to violate their privacy.
And you're making the assumption, which isn't necessarily valid, that your victims intend to violate copyright in the first place. If I lose my CD-Key to a game but still own the media, why should I not be allowed to use an alternate key? Surely ownership of the physical media is proof that I have license to operate the software in question.
!#@%*)anks for hanging up the phone, dear.
You only had it if they downloaded it from you, though - which certainly can't be guaranteed in a p2p environment.
quidquid latine dictum sit altum videtur.
you forget one more thing...
I own a 100% legal copy of Cakewalk home studio 2002
my install CD is broken so I have a choice of buying another copy or making my LEGAL copy work.
so I download off Kazaa the iso file of the CD burn a new one and voila...
now the frothing at the mouth Software people here would want me hanged for stealing money out of their mouths by not buying a new copy of their software every 30 seconds but who cares... I am doing NOTHING illegal and simply circumventing a disdain for customer service fr omthe company that makes the software.. I'm still using MY legal serial number and codes... I STILL have the legal license (AKA the box and other paper drivel that says so.)
Do not look at laser with remaining good eye.
Was that an intentional part of the design? Or did you guys just overlook the ALT-F4 shortcut when you designed the program?
!#@%*)anks for hanging up the phone, dear.
The logging happens when they click a button.
Do you tell them of that fact before they click?
It appears you don't. There is no other escape button on the popup window. No other mechanism, other than alt-F4, to dismiss your box.
You give the user little opportunity to not have it phone home.
If this was in fact a "social experiment," I have a few questions:
If this was a genuine social experiment, these questions have already been answered, somewhere. Otherwise, I think we can chalk this up as a prank designed to embarass people.
!#@%*)anks for hanging up the phone, dear.
"Mislabeled" is not the same as "intentionally falsely labeled".
I speak for myself when I say that "vigilante" is not a word we ever claimed. We aren't raging against internet piracy or p2p.
Oh really? Your statements on website would seem to disagree with that
"At the start of this year, we (Justin and Clif, Clif and Justin) decided to start a new project. We declared war on illegal file sharing and pirates. The goal was to waste their time and bandwidth while tracking them and how the file moves around.
Other 'interesting statements:
3. We dissagree with the notion that this is a "Trojan".
Our program is aboslutely dormant unless specifically and purposefully executed by the downloader.
Exactly the same as the Beagle and other email trojan variants.
We aren't reporting these people to anyone in the law enforment field, even though we should be.
Yes you are. By posting it online, in real time.
We could go on...
Can someone please explain to me how one is so wrong yet the other is so right?
Vigilantilism is wrong. Period. Rule of law is characterized by a state monopoly on justice. If you don't like rule of law, there are plenty of countries where it doesn't apply.
Or, in a language your mother would use: Two wrongs don't make one right.
Even if we assume that these vigilantes are doing nothing morally wrong themselves at what point should they be responsible for opening a security hole in a system which can be exploited by other more malicious stalkers? Can these vigilantes show that their code is 100% secure such that only they can make use of the resources that it provides?
Spyware and malware and P2P programs and instant messaging programs may not be malicious in and of themselves but they're all coded by half-hacks who aren't very interested in security. Do they properly check their buffer overflows, input validation, or ensure perfect alignment with a proper handshake protocol?
I think not...
Let's say that the law would tolerate the vigilante retrieval of stolen property. At what point is the vigilante liable for leaving the backdoor open?
Let's say that malware and spyware and spammers really are nothing more than advertising methods used to boost the economy (which can be argued as "good"). At what point are the authors of those progams liable for the malicious attacker or stalker who relies on them to identify easy targets?
Let's say that posting signs for your candidate on someone else's front lawn would be legal. Are you liable if a serial killer decides to pick his targets based upon lawn signs?
Implications are more than just one step removed from the source.
+++ATHZ 99:5:80
They purport to have a list of pirates...
What they have is a list of people that downloaded something that most likely isn't a copyrighted work written by them (and admittedly made available freely online by themselves).
Not only that, they're infringing on the trademarks of the software they purport to be in order to run this little experiment, and a case could also be made that they're doing damage to the name of that software by associating it with their invasive software without consent from the actual publisher of the original work.
I'm all for protecting a product with the laws that are in place, but the laws shouldn't be taken into people's own hands with invasive and untested software.
Can you spot the shoot-self-in-foot-notes?
..what, outlook? Got it! Thanks for clearing that up!
1. No data is collected by our software that isn't already collected when our software is downloaded. The only personally identifiable information that we have would be the executer's IP address. However this information is freely available at time of download and is completly public information.
Uhm, wait, but collecting IP addys is data. And you also collect what file they were trying to download, and where/who they got it from? I'd say building a track list of a 'social' network of where a file goes and by how/whom is plenty of data.
I'm sorry,but thats a load. Get a better legal advisor, next!
3. We dissagree with the notion that this is a "Trojan".
A trojan horse gains access to a system through deviant methods. Not through user initiated downloads on a P2P network. Secondly, a trojan horse by definition has a payload or attempts to give the author access by working from the inside. Our program is aboslutely dormant unless specifically and purposefully executed by the downloader. And the program is riddled with cues to what the contents might be. For instance, the company name is "C.R.A.P. Citizens Raging Against Pirates". Not what you'd expect from a "legitimate" crack or keygen.
Okay, lets see, its not a trojan, yet its a trojan. It's not a trojan because it comes from a p2p network, and not
Okay, great idea, really, very funny! But WTF are these guys going to do with all this when, say, MS steps in with a great big legal order of doom saying 'we want to know everybody who thought they were downloading the windows source code'? Are these people even thinking that far ahead?
And I love the broad thinking that anybody downloading a keygen is a pirate, What, these guys never lost a Cd key before? Yesh. Get a grip kids.
Points for some very crative programing, but they lost points for not finding something better to do and not thinking ahead a few more feet of them.
My new top secret key -> C>N|KB
Um no it isn't. You don't download keygens and full copies of programs off P2P to "tune up" your software. You do that to pirate it, to violate the rights of the producer and to be a little prick.
Woah, way to go Mr. Assumptions. Why exactly can't I just rip out the CD protection code off the program I paid for? It's far more convenient for me to just install the whole thing in my 120 Gb hard drive, stash the box with the CDs safely and be on my merry way. I don't have to throw a tantrum, call the software company 100 times and make a revolution to change the system so that programs come without CD protection. I can simply spend 5 minutes downloading a tool and getting rid of it. Or I can put the keygen with the game in the hard drive so that I don't even have to worry where the manual or the box will end up.
What you're presenting here is a fallacy known as the False Dichotomy. The world is not "either you get the crack to pirate the program or you return it if you don't like the CD protection". After I paid for that software I'll modify it as I see fit to make it more convenient for me to use it, be it cracking the CD protection, installing 100 zillion mods or even cheating the crap out of it so that I can headshot the bots every time I want to. And I'll be damned if I let anyone tell me what I can or cannot do in my computer with the software I paid for.
---- Take the Space Quiz!