RIAA Website Hacked
gattaca writes "A lack of security controls allowed hackers to "wipe" the Recording Industry Association of America's (RIAA) website on Sunday.
The existence of an SQL injection attack on the RIAA's site came to light via social network news site Reddit. Soon after hackers were making merry, turning the site into a blank slate, among other things.
The RIAA has restored RIAA.org, although whether it's any more secure than before remains open to question, TorrentFreak reports."
If they made innocuous little changes here and there, such as changing the words "do not support file-sharing" to "fully support file-sharing," it probably would've taken the RIAA much longer to realize they'd been had, and I'm sure they would've gotten some interesting calls and e-mails :-D
God, schmod. I want my monkey man!
But, could that open letter be used as evidence? It came from their website then if they try to use "well, anyone can make things on the internet look that way! Just because the IP address and website are ours it doesn't mean it's our data!" couldn't we counter argue that with their IP sniffing and screen shots or whatever?
I know it would never work. The judge would ph34r t3h ev1l h4xx0rz! But it's fun to dream, isn't it?
Ask not what you can do for your country. Ask what your country did to you
Can you co-opt the police and feds to conduct raids of private property on your behalf? No? The RIAA can and regularly does, confiscating anything that could conceivably be used to produce and distribute music, including vehicles and computers. It doesn't even matter if an organization, such as an authorized mixtape producer, is acting within the law... their property is confiscated first and questions are asked later, usually past the point where a business can survive.
The RIAA are among the least of those who deserve to have their property rights defended.
If I post a bug report on a vulnerability in some piece of software, am I doing something wrong?
It is not my obligation to report it to the people who made the vulnerable software.
Your mentality is that of the DMCA.
MABASPLOOM!
No matter how many times the RIAA repeats its mantra, making any form of information available is not a crime
If someone punches you in the face, do you beat them to death with a crowbar? No, you punch them back. If someone pulls a knife on you, do you pull out your grenade launcher?
My blog
And if you are going to hack a site, why not keep the site but insert and modify the pages just slightly so that the meaning of some statements will be slightly off target? Harder to do, harder to spot, but a lot more fun for the world to figure out.
Even better if no backups exist for the site... Or if it isn't spotted until the backups are recycled!
If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
> If I post a bug report on a vulnerability in some piece of software, am I doing something wrong?
How about if you use that bug by submitting a link to the exploit, and in the submission title promote the use of that hack? How about if then a large segment of that community joins in? And by that action they collectively take down a privately owned server and cause damages? Who is responsible then? Nobody?
I think we get enough of New York Country Lawyer's imbecilic legal theories as is. There's no need for him to be squeezing in "precedent from postings on defaced website" between "innocence by reason of single motherhood" and "innocence by reason of cerebral palsy". Why the hate there, Otter? You an RIAA member or stockholder, or just a grumpy old sod?
-- I'm not a pessimist, I'm a realist. It's not my fault that life sucks so much. --
A lot of the posts on this news seem to focus on what could have been done instead of just blanking the site, but do we have any evidence that the wipe was the only thing that occurred? If the person/people who did this really wanted to hurt the RIAA then this would be a good way to get some trojans onto RIAA computers. To be really sneaky they might have even done some research on which IP blocks are most likely assigned to RIAA and member networks and only infect computers coming from those blocks, thus sparing most innocent visitors. Then you've got a direct line into RIAA operations and much more valuable data than whatever is on their web servers. Not that I'm advocating this, merely postulating that there could be more at work than a simple website wipe.
-- I'm not a pessimist, I'm a realist. It's not my fault that life sucks so much. --
I'm pretty sure the SQL injection is still there... I'm not getting any SQL errors, but appending "' AND '1'='1" to a certain URL will return the desired result, whereas "' AND '1'='2" doesn't.
Nah, how about a bunch of press releases saying that "the RIAA was wrong to sue music fans for sharing songs therefore we are dropping all the charges" and then seeing if the judge would say that if it was a cracked site or the RIAA itself.
The linchpin of the RIAA's lawsuit factory rests on the supposition that an IP address is exactly identical to a person. What the IP address does is legally identical to a person doing it. That's their argument.
So, if their website were to be hacked, wouldn't that exact same rule apply to whatever content was there? Their IP address is legally the same as the person/corporation/entity who owns it, right? That IS their argument, after all.
So why not use that against them in a legal sense?
It would be brilliant. The RIAA lawyers when they were brought into court for whatever happened to be uploaded there would have to make the argument that an IP address DOES NOT equate to the owner of the IP address in order to defend themselves.
They'd have to make our argument for us, and in front of a judge.
You couldn't ask for a better precedent.
Weaselmancer
Ridiculous.
I had a co-worker who was in 'Nam, and he related to me how he would play with GLs. He said he would shoot at telephone poles within 20 feet of him, and you would be able to see the nice little ring of spikes in the pole. I believe the modeling of grenade launchers is highly inaccurate.
They ARE out to get you simply because They are in it for themselves and they don't care about you.
Not really, those things need to be funded anyway in order to make the threat credible. The lawyers and prosecutors would be paid anyway, though I suppose you could factor in danger pay.
"Over-fining is much better than working this out. Especially if you don't know the correct percentage that the person will be caught."
How? It's a bit complicated for a back-of-the-envelope calculation, but it wouldn't take an applied mathematician more than a day or two. And considering the costs of over-fining, the investment would be worth it. And if you look at crime data, it is extremely stable. We can estimate the probability of getting caught pretty well.
From a purely economic point of view, money taken in fines is just as damaging to society as money stolen. Once you take this into account, and assume a Pareto income distribution (and assume that people commit a crime when the expected value of the crime is above their wage rate), it's surprisingly easy to find a fine that minimizes the total amount of money stolen (by criminals or government).
It's x/p - c/p, where c depends on income inequality. So actually, an optimal fine would be less than what I naively calculated earlier.
Even if the RIAA weren't about what they are about, they'd still deserve it. Let's say the RIAA was all about giving out fluffy bunnies to children with Leukemia. If they chose to put a site on the hostile environment that are "teh intarwebs" which contained SQL injection vulnerabilities, they had it coming. Seriously. An SQL injection has to be the most well documented and easiest to use vulnerability of all time. It is also one of the easiest to fix, and if a site is vulnerable that raises *serious* doubts about the competence of the developer. And if something is easy to crack, then you have to assume it will be. Especially if you are the RIAA and have a massive bullseye mounted on your back.
The funniest part of it all is that I'd imagine that with an SQL injection-type attack it is really hard to prove malicious intent. So if they caught the people who did this and they walked because their lawyers were somehow able to cast doubt on malicious intentions, that would just be poetic justice for the RIAA (sir, I was just trying to create the userID ";truncate table users;"). Heck, XKCD just about says it all!
blah blah blah
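The two comments above make the same point from opposite ends: the "' AND '1'='1" versus "' AND '1'='2" probe shows input reaching the SQL parser, and the fix is trivial. The following is an added example, not code from the thread or from the RIAA site: a string-built query beside its parameterized replacement, with the probe run against both (the artist table and its rows are constructed sample data).

```python
import sqlite3

# Constructed sample rows standing in for whatever table the site queried.
SAMPLE_ARTISTS = ["Anthrax", "Yoko Ono"]


def make_db():
    # In-memory database so the example runs offline.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE artist (id INTEGER PRIMARY KEY, name TEXT)")
    db.executemany("INSERT INTO artist (name) VALUES (?)",
                   [(n,) for n in SAMPLE_ARTISTS])
    return db


def lookup_vulnerable(db, name):
    # The input is spliced into the SQL text: a quote inside it closes the
    # literal and everything after it is parsed as SQL.
    sql = "SELECT name FROM artist WHERE name = '" + name + "'"
    return [row[0] for row in db.execute(sql)]


def lookup_fixed(db, name):
    # The input is bound as a parameter: the driver passes it as a value,
    # so quotes and keywords in it can never change the statement.
    sql = "SELECT name FROM artist WHERE name = ?"
    return [row[0] for row in db.execute(sql, (name,))]


def probe_differs(lookup, db, base="Anthrax"):
    # The self-check from the comment above: if the always-true and
    # always-false suffixes give different results, the input is being
    # interpreted as SQL. Returns True when the lookup is injectable.
    true_case = lookup(db, base + "' AND '1'='1")
    false_case = lookup(db, base + "' AND '1'='2")
    return true_case != false_case


if __name__ == "__main__":
    db = make_db()
    print("string-built query injectable:", probe_differs(lookup_vulnerable, db))  # True
    print("parameterized query injectable:", probe_differs(lookup_fixed, db))       # False
```

With parameters bound, the probe string is simply a name that matches no row, so both cases return the same empty result and the check reports nothing.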
The RIAA itself does not manufacture or distribute any of these recordings. The RIAA is an advocacy group. They do not control the product, they do not decide what does and does not get published. Even on their sponsor labels they have no control of what gets produced. How can you be a monopoly if you don't control anything?
If Sony wanted to put out an album of a homeless guy banging on an empty garbage can and screaming obscenities, there is nothing the RIAA can do to stop it. (See Yoko Ono for reference.)
If Island Records decides that it wants to make Anthrax's Persistence of Time album public domain there is nothing the RIAA can do to stop it.
If Columbia wanted to pull every album they publish off the shelves and take it all out of print there is nothing the RIAA can do to stop it.
Some monopoly. They have zero control.
Dedicated Cthulhu Cultist since 4523 BC.