The Podjacker Threat

Schlemphfer writes "As everyone knows by now, podcasting has taken off in a big way. But over the past week, several tech journals and The Daily Source Code have reported on the threat of 'podjacking,' the creation of an alternate RSS feed without the consent of the podcast's owner. I'm the host of a podcast, which has the dubious distinction of being the first widely-publicized victim of a podjacking. To teach others from my experiences I have posted an article entitled Preventing and Surviving a Podjacking (also available in PDF). So far this story has attracted widespread but generally inept media and blogger coverage. This article sets the record straight on what really happened, and shows the simple steps every podcaster should take to protect their shows from podjacking."

PLEASE, enough with the words!

[RPoet]

Do we HAVE to invent new contorted words for every variation of everything these days? Podjacking? Webinar? Blogosphere, podosphere? Vlog? Moblogging? I'm in pain here!

Re:PLEASE, enough with the words!

[gid13]

You will like this page:

http://www.thebestpageintheuniverse.net/c.cgi?u=ba nish

Re:PLEASE, enough with the words!

[dr_dank]

Do we HAVE to invent new contorted words for every variation of everything these days? Podjacking? Webinar? Blogosphere, podosphere? Vlog? Moblogging? I'm in pain here!

Those are perfectly cromulent words.

Re:PLEASE, enough with the words!

[tpgp]

Do we HAVE to invent new contorted words for every variation of everything these days?

Well, Podjacking certainly sounds better (to the writer of the linked article anyway) then I'm-a-retard-who-doesn't-understand-how-the-intern et-works-jacking

Yeeeesh. No doubt people foolish enough to get sucked into using the word 'podcast' will lap this up like the sheep they are....

Re:PLEASE, enough with the words!

[geekwithsoul]

How do you think English stays a living language? Is "podjacking" any worse than "coldcocked" or "fortnight?" Terms are developed and the good ones stick around and the bad ones disappear (as happened with "fortnight"). No one says you have to use "podjacking," if you don't like it come up with something else and if it is good, other people will use it.

Or would you rather be like the French and have some group decide what words can be allowed (not that actual French speakers listen to them much)?

Re:PLEASE, enough with the words!

[Shimmer]

Except it's not really broadcasting and you don't have to use an iPod. In reality, "podcasting" is nothing more than listening to MP3s from an RSS feed.

I think it's rather amusing to observe these people thinking that they've invented a new medium when it's really just a minor variation on plain old web browsing.

Re:PLEASE, enough with the words!

[Data+Link+Layer]

I don't know about the rest of you guys, but I use the word fortnight as much as possible.

Re:PLEASE, enough with the words!

[.com+b4+.storm]

I think it's rather amusing to observe these people thinking that they've invented a new medium when it's really just a minor variation on plain old web browsing.

Yeah, just like the web was just a minor variation on plain old FTP. Gee, yeah, all they've done is make an existing form of information phenomenally accessible.

Easy

[Hey+Pope+Felcher+.+.]

Why not just let the podcast be distributed, and announce the name of your website at various intervals?

Not only will this allow the wider distribution of your ramblings, but also help save on bandwidth.

Re:Easy

[salzbrot]

If you (and the person who modded you interesting) had read TFA, you knew that this does not help you save bandwidth.

The podjacker creates a feed that points to your podcast, so the podcast gets downloaded still from _your_ site. Now he gets this feed as the "official" feed for your show listed on iTunes, yahoo etc. At this point, you are at his mercy. So if he decides to delete this feed (as happened in this case), you loose all the subscribers that subscribed via this feed, which is essentially all except for the few that subscribed directly through your website.

What is even more scary is, he could point his feed to a completely different podcast or download yours, add commercials to it and earn money from your hard work without you even noticing while your listeners think you put the adds in there.

Re:Easy

[bitspotter]

You know, how hard is it to promote your domain name in the stream? Every streaming station I've ever heard may have lost the commercials, but they still plug the website every chance they get. "Podjackers" can jack the feed, sure - but the audio and video content are considerably more difficult to "jack".

If users have it drilled into their head merciless that the feed can be had from a big bold link on the front page of that domain that guy's incessantly blathering, then when they lose the stream, they'll know exactly where to go - the source.

Then again, I notice when my radio stream goes offline. I don't notice when a careless feed moves without telling me. It just disappears into the sea of other feed content. Guess you better make content good enough to be missed, huh?

uh, uh, uh, uh,

[everphilski]

uh, uh, uh, uh, ooooh baby....

er.... sorry, you caught me at a bad time, I was podjacking...

-everphilski-

Re:uh, uh, uh, uh,

[jcr]

Don't you know podjacking can make you go blind, boy? Now, say 10 "Hail Marys", and ego te absolvo.

-jcr

Re:uh, uh, uh, uh,

[Poltras]

podjacked at the moment. Please come again later.

Apple?

[RPoet]

Apple has nothing to do with this story, so I don't see why it's filed in the Apple category. Apple did not invent podcasting; they were even late adopters of it.

Re:Apple?

[Suburbanpride]

Its not just about fetish for apple brands. Apple holds the majority of market share, so its likely that the majority of people listening are listening on ipods. Sure there is a fair amount of marketing involved, but without the iPod (and Itunes easy of use), most people wouldn't be listening to *pod*casts.

Xerox invented the GUI, apple just brought it to the people.

Re:Apple?

[1u3hr]

Apple has nothing to do with this story,

Did you RTFA? The submitter's big problem is that iTunes (what company owns this?) listed his podcast via the pirate feed. So when that stopped, he lost all his iTunes subscribers, the pirate asked for money to reinstate. iTunes could not change the listing, only delete the old and put up a new one.

My precious data.

[croddy]

It's MINE.

MY. OWN.

MY data. My precioussssss....

He lost control of his statistics

[wild_berry]

His RSS feed was no longer the unique source of downloaders, that's all. The guy had and has many listeners who found access to his podcast through non-sanctioned mirrors of his RSS feed. He thought he controlled the access to his podcast via his RSS feed, but the Internet has lots of redundancy -- without his realising so. Someone else found his material via other means, for which he isn't able to track site visitors, and this upset him. I'm not really sympathetic.

Perhaps there is mileage in protecting one aggregator of news on the web, but you hardly see Taco complaining that ArsTechnica and Digg find ways to present the same news resources to their readers.

Re:He lost control of his statistics

[Surt]

If you read the article, I think you'll find he has a pretty legitimate concern. Imagine if google kept url listings. Which they do:

http://www.google.com/search?q=site%3Awww.yahoo.co m&start=0&ie=utf-8&oe=utf-8&client=firefox-a&rls=o rg.mozilla:en-US:official

Now imagine that they allowed anyone to register a site mapping. For example, maybe I should register www.yahoo.com, and have it forwarded through my domain. Then one day, maybe, I decide that instead of forwarding to the real yahoo site, i'll just redirect all the visitors to my own site. What's to stop me?

That's the problem with podjacking.

Re:He lost control of his statistics

[Surt]

I doubt that the method of indexing was explained in the fine print. When I sign up with an indexing service, such as google, I have an expectation that they are listing my site. The advantage for them is advertising: listeners looking for shows come to their site, and they have a lot of shows if I and others participate in the bargain.

What I specifically do not expect, is for them to forward listeners to my site through a frame, keeping the bookmarks of my users for my site pointed at google. I expect that delisting from google will have no impact on existing bookmarks for my site's users, just that new users will not find my site on google.

Furthermore, the indexing service went and registered his show on other search engines, also redirecting through their site, and that definitely wasn't an expected part of the bargain. And now he's having trouble getting his listing corrected with other indexing sites, because they all think the podjacker owns the show.

Same as hotlinking

Please, for the love of God, stop making up these stupid blog/pod mashup words for insignificant events. Someone made a metadata file that points to your content. This is the same as hotlinking (where someone makes an HTML file that points to your content). Who cares?

Re:Same as hotlinking

Please, for the love of God, stop making up these stupid blog/pod mashup words for insignificant events.

Please, stop with all the plogsmacking. You are negaposting the webpinionsphere.

This is funny

"I could see at a glance the danger posed by this incorrect listing"

Yes, imagine the danger of people listening to the wrong inconsequential ramblings of somebody with no life.

The consequences are beyond words!

Re:*Gnashes Teeth*

[xnderxnder]

Hey, it could be worse.. he could have called it podsquatting.

Eew!

Lesson

[okjeff]

Let this be a lesson to the podcastees: Meat is the greatest thing ever.

Re:Lesson

[TubeSteak]

All I wanna know is: If we're not supposed to eat animals, why are they made of meat?

Never used that method to sign up for the feed

[eltoyoboyo]

From TFA the problem was similar to search engine content hijacking, which I have experienced. I have never directly subscribed to a feed in this way. I have always navigated to the home page first and then clicked on the RSS/ATOM/XML link to add to my feed.

Which is my way of saying that search engines are good, but
<dons jounalism professor hat>
you have to check your sources.
<doffs jounalism professor hat>

*Scratches Head*

[kermitthefrog917]

I still have no idea what a freaking podcast is and how it is any different than normal streamed audio. Or what a blog is in comparison to a personal daily-updated website. Or what a...

Seriously... It seems that stupid people decided on stupid terms so that they could express their stupid selves online even though they could have done it before. That's a lot of stupidity. And stupidity is an odd thing: It never gets used up. Maybe its like entropy, is always increasing...

Re:*Scratches Head*

[Nick_dm]

Podcasting isn't streamed audio, it's just providing an RSS feed with links to audio files so they can be downloaded automatically by a client, rather than having to actually go to the website.

Re:*Scratches Head*

[Kelson]

Or what a blog is in comparison to a personal daily-updated website.

Shorter. Fewer letters to type, fewer syllables to say.

Do you always refer to the "television set," or do you turn on the "TV" or "telly?" Do you drive a "horseless carriage" or "automobile"... or you you drive a "car?" Do people call your "cellular phone" or do they call your "cell?"

Same thing.

As for podcasting, it really is different from streaming audio. It's downloadable audio (or video) that is announced via a subscription system (generally RSS these days) and then -- and here's the key -- automatically downloaded by a client during idle time (and optionally transferred to an audio player). The idea was originally that the podcast client would download content overnight and transfer it to your iPod, and you could then play it anywhere you wanted during the day. It's been generalized, but the name stuck.

Vegan.com podcast?

[saskboy]

Sorry, but it has to be said:

Save a cow...Eat a Vegan!

-/Karma burning calories

Jipahddis, establishing bases in Podjackistan

[ScentCone]

Enough.

WHAAAAAAAAT

Cant this PODJACKING make sense? how about like CAR JACKING, when someone jacks your car...how about when someone jacks your POD it is called podjacking....and when someone jacks your podcast its PODCASTJACKING

The Usage Axiom

[Crash+Culligan]

This could be a variation of the "Law of Unintended Consequences."

Invent something new. There will be at least one person, each, who:

1. thinks it's incredibly cool,
2. thinks it's incredibly overblown,
3. will try to profit from it by using it, and
4. will try to profit from it by stealing someone else's work with it.

``Podjacking'' summarized

[TrumpetPower!]

1) Register evilpodjackingdomain.com.
2) Find somebody else's podcast.
3) Mirror that podcast's XML file at evilpodjackingdomain.dom/pwn3d.xml
4) Get evilpodjackingdomain.dom/pwn3d.xml listed in as many podcast directories as possible.
5) Wait.
6) Blackmail original podcaster with threats of modifying / removing your local mirror; all subscribers through evilpodjackingdomain.dom/pwn3d.xml would get whatever you want them to get regardless of what the podcaster wants.
7) Profit.

Cheers,

b&

Recent Father/Slashdotter Conversation

[Ranger]

Father:*knock* *knock* Son, I need to use the RSStroom.

Slashdotter: **long pause** Go away. I'm busy!

Father: Open this door right now! You better not be podjacking in there!

Re:*Gnashes Teeth*

[Kelson]

Carjacking. Skyjacking. Podjacking.

It's official. English is officially jacked up.

I don't get it

[wampus]

So, as I understand this, more people were listening to the podcast, because some aggregator site picked up his feed. Whats the problem here? Read your damn URI at the start and end of the show and be glad you are getting heard.

If you want absolute control over the content you are creating, start a regular radio station and pay the FCC for a monopoly on your slice of the air. Better hire some IP lawyers and invest heavily in DRM, too.

Close, but read the full article.

[bigtallmofo]

Someone else found his material via other means, for which he isn't able to track site visitors, and this upset him.

You're right on here, but read a little further in the article and you realize he asked for the listings directly from the "Podjacker"! After he admits this, he says that they didn't do it how he assumed they would have done it. Then he goes on to still label them a "Podjacker".

I responded to an email somebody sent me about podkeyword.com, and I gave the site a visit and submitted my URL for a few listings. When I launched my show in October of 2004 I went everywhere I could to post its URL, and I quickly forgot all about my five minute visit to podkeyword.

I guess the only remaining comment I have on this topic is that I'd like the 5 minutes I spent reading the article back. Total waste of time - there literally is nothing to see here.

embed official URL in mp3 metadata

[AMusingFool]

Seems like embedding the official URL in the mp3 metadata would be a good first step in establishing control.

Been There

[somethinghollow]

I noticed several sites were ripping off my content from my RSS feeds. Some of them are ad sites that, no doubt, gather like-minded blog posts, publish them on their site, and shit ads all over them. Others seem to be attempting to do some sort of service. What with Google punishing duplicate content posts, I don't want my content redistributed without my permission. So, I implemented a system with mod_rewrite and PHP on my site that checks the user agent before allowing access to any page. If the user agent is unknown, it shows a page saying that I don't know who they are but I'll see about allowing them access to my site. I then enter their user agent in a database, after doing some research, and decide whether to allow them or not. Eventually, I'm going to tie this into my robots.txt file so that it denies robots there (if they bother to look) in addition to showing the robot a access denied page.
 
It isn't the easiest solution (takes a lot of time to manage) and won't always work (e.g. they set their UA to one that looks like a valid browser or some other UA that I allow), but it clears most of the riffraff, i think.

Just verify referring URL?

[hafree]

Why not just verify the referring URL before sending out the Podcast archive? This is how most sites avoid people deep-linking into theirs, or loading high-bandwidth content such as videos or even images from their web servers. This can be done by making your RSS feed dynamically generated by a CGI script, or even just using a htaccess file for the directory containing your podcast.

MOD PARENT UP, this guy is a tool

[brunes69]

What a waste of my time.

No one "jacked" anything, this guy submitted the site to this URl forwarder himself The site that "podjacked" him is no different than cjb.net or tinyurl.com or any other redriector service.

It is anyone's fault this guy is a complete tool and does not realize what he is doing.

Re:MOD PARENT UP, this guy is a tool

[Surt]

The problem is, they made themselves out to be a directory service, not a forwarding service. A directory service maintains pointers to content, rather than forwarding content. That way delisting doesn't impace existing users of the content. TinyURL is in the forwarding business, and they make that clear.

Furthermore, the 'service' registered his show on legitimate directory services as coming from them. I can't see any way to make that look legitimate. It would be like finding out that tiny url went and registered themselves on google as being the source for your website!

Re:Slashdot overrun by old fogies

[Simon+Brooke]

I don't think many people understand what a podjacking is. Does it mean someone else distributes an identical podcast file as their own, or does it mean they make their own podcast and pretend is comes from another source?

What has happened here (if I understand it correctly, and someone will correct me if I don't) is that the guy puts up his mp3s at http://myrealserver.dm/podcast/content0001.mp3 and then he creates an RSS file which points to his mp3s at http://myrealsystem.dm/podcast/feed.rss. The RSS file is essentially a signpost: it isn't the content in itself, it just points to the content. Then, when he posts new mp3 content, he updates his RSS. What is supposed to happen is that people point their podcast client at http://myrealsystem.dm/podcast/feed.rss, and every time he posts new content and updates the RSS it's automatically downloaded.

But what he's complaining is that the 'podjacker', evilpirate, has done is created a new feed, http://evil.pirate/devious/feed.rss which also points to myrealsite's content. The file at http://evil.pirate/devious/feed.rss is automatically updated using something like wget so that whenever myrealsite adds more content, http://evil.pirate/devious/feed.rss gets updated too.

evilpirate now registers http://evil.pirate/devious/feed.rss with podcast search engines as the authoritative signpost for myrealsite. Users search for content on the search engine, and if they like myrealsite's content, they point their clients at http://evil.pirate/devious/feed.rss.

So now some - or even most - of myrealsite's users are finding new myrealsite content through evilpirate's signpost. This gives evilpirate the power to alter where the signpost points to, so that instead of getting myrealsite's content they now get rivalsite's content.

Re:Slashdot overrun by old fogies

[mzwaterski]

You need to re-read.

1st dude told 2nd dude to stop directing traffic through their URL to 1st dude's site. (Pretty sure it was more of a redirect than a mirror of an RSS file).

2nd dude complied.

1st dude realized that iTunes had used 2nd dude's URL for 1st dude's listing.

1st dude is sad because all iTunes people who signed up with 2nd dude's URL are lost.

1st dude tells 2nd dude to put URL directing traffic to 1st dude's podcast backup. 2nd dude decides to capitalize and ask for money.

1st dude not happy.

Re:Ho Hum...

[Kasis]

I think it's worse than a non-issue. The complainant seems to almost be in the wrong, not to mention misguided.

Marcus [the podcaster] contacted Lambert to ask that his listing be removed. Lambert did so. This, however, caused Marcus' listenership to crash by some 75 percent, he claimed. Marcus then asked that his listing temporarily be reinstated on Podkeyword

and regarding "extortion"...

"He wanted me to make sure no other directory services got the information from me, but I can't tell who are directory services, because we're not submitting anything," Lambert said. "People are coming to look at our list. I have a choice: I remove it from anywhere or I [don't] remove it. You can't restrict who comes to look at your Podcast. So his request wasn't technically practical.

Podjacking is a very misleading term. Podjacking suggests that a user expecting to hear Marcus' podcast would be redirected to some other address. Doesn't seem to be the case. With regards to the "extortion": Marcus wanted Lambert to reinstate the feed, but in a way that wasn't supported and which would require custom code. Lambert agreed to do it but said it would cost a fee, which is a perfectly reasonable position. The article also seems to suggest that the free service was responsible for 75% of Marcus' traffic. How is this even remotely related to hijacking?

Re:RTFA

[Surt]

He asked for a listing, not for a forwarding. There's a rather important difference.

Production vs. Marketing

[Shimmer]

This story seems to inadvertently prove that production and marketing are two different skills. The author was good at creating content, but so miserably poor at marketing that he didn't even realize where his audience was coming from. The "podjacker", on the other hand, created nothing, but apparently did an excellent job of marketing the author's content.

You might argue that the world would be better off without middle men such as marketers, publishers, etc. (I think the catchy phrase for this is "disintermediation".) But this story provides evidence that these people actually do add value in some cases.

Re:I'm Lutheran

[sunwukong]

Ha ha -- you've been clodjacked!

YAY HYPOCRISY

[mdxi]

"Web 2.0!" say the bloggers. "Podcast!" say the bloggers. "RSS/ATOM!" say
the bloggers. "Down with oppressive media! Democratize publishing!" say the
bloggers. And now that things are finally becoming standardized, and
XML-based, and easilly parsable and reusable, it turns out they don't LIKE
it when someone reuses *their* stuff in a way they didn't envision.

WHERE IS YOUR PRECIOUS "REMIX CULTURE" NOW?

Assholes.

Re:YAY HYPOCRISY

[argent]

I remixed culture and ended up with a sushi burrito!

Re:I'm Lutheran

[Profane+MuthaFucka]

Haha, you've been ... godjacked?

Mod_rewrite?

[tcdk]

Wouldn't it be fairly easy to make a mod_rewrite rule, that would block the redirects or forward them to a sod-off.html page?

I've made a few rewrite rules to avoid hotlinking of my images, and this seems possible to me.

Podcasting != Apple

[kuzb]

Why is any mention of podcasting immediatly associated with Apple? Editors, learn the language. Podcasting does not imply an Apple subject - quit categorizing it as such.

Re:I'm Lutheran

[jcr]

Well, never mind then. Podjack all you want, you're going to hell anyway!

-jcr

The Feud That Won't Die

[SFEley]

Arrrgh. These two people have been going back and forth at each other on on eWeek, the Yahoo! Podcasters list, many different blogs and podcasts, and they just won't shut up. At this point I am convinced they're competing with each other to see how much news coverage they can generate.

If you piece the two stories together, they're actually totally consistent on what happened:

1. The Vegan guy signed up for the PodKeyword guy's service, to get some exposure for his podcast on searches.
2. It worked. Search engines picked up PodKeyword's mirror of Vegan guy's feed.
3. Vegan guy was surprised to find that some of the major podcast directories were listing the PodKeyword mirror feed instead of his, and when people subscribed via those directories, they were subscribing to the mirror feed.
4. Vegan guy sent PodKeyword guy a request to discontinue the service. PodKeyword guy complied.
5. Vegan guy lost all the listeners that were subscribed via those directories, and flipped out.
6. Vegan guy sent PodKeyword guy another e-mail demanding that everything get turned back on but removed from any future search visibility. He was kind of an asshole about it.
7. PodKeyword guy responded in a far more assholish manner.
8. Lawyers got invoked, and then both sides launched media blitzkriegs.

That's the chronology, as both sides put it. Who's right? Who's wrong? Who gives a damn? This is not a technical conflict at its core, it's a personality conflict.

I think there's a good case to be made that RSS "feed hijacking" could happen as described: somebody mirrors your content without permission and becomes more popular than your original feed, then extorts you for your own readers/listeners. However, there's no evidence that it's ever actually happened. You'd have to be really failing to pay attention for it to succeed.

It's certainly not what happened here. The Vegan guy deliberately signed on for a questionable service, got pissed off when the service fragmented his audience, and then both sides started hitting each other with their dicks.

That's the whole story. And I do wish they'd shut up.