RIAA Website Hacked
gattaca writes "A lack of security controls allowed hackers to "wipe" the Recording Industry Association of America's (RIAA) website on Sunday.
The existence of an SQL injection attack on the RIAA's site came to light via social network news site Reddit. Soon after hackers were making merry, turning the site into a blank slate, among other things.
The RIAA has restored RIAA.org, although whether it's any more secure than before remains open to question, TorrentFreak reports."
Normally I don't advocate cracking someone's site. It's childish and petty. Kinda like the RIAA itself.
But, for some reason, I'm having a really hard time working up any real sense of moral outrage over it.
This probably makes me a bad, biased person.
C'est la vie!
Chas - The one, the only.
THANK GOD!!!
It would have been so much better to make it a temporary mirror for thepiratebay.org :D
Wonder if they would have started a lawsuit against themselves...
No, this falls far short of justice. Justice would have been posting a bunch of copywritten songs and announcing to the world where to find them. Even better:
* Record an original piece
* Post it
* Sue the RIAA for hosting it
Just blanking a site is lazy.
He's getting rather old, but he's a good mouse.
So you're saying that wrecking a database on an informational website that could likely be replaced from backup in less than an hour is equivalent to the RIAA's normal business practices?
Well there you go Slashdot, we're even now. No complaining about the RIAA until they do something new.
instead I would have used my cunning to download the latest Britney album to their server in DRM-free MP3 format. And then promptly reported them to themselves.
if they made innocuous little changes here and there, such as changing the words "do not support file-sharing" to "fully support file-sharing." It probably would've taken the RIAA much longer to realize they've been had, and I'm sure they would've gotten some interesting calls and e-mails :-D
God, schmod. I want my monkey man!
ZOMG!!!!11111oneone!!1! The RIAA got hax0rzed. Well I guess they had it coming to them. While I understand their cause, I do not understand their tactics, their methods, or how they say they fight for the artists. I must say good job to the people who found the SQL injection flaw. May their programmers be whipped and stoned... well... I guess they would just throw lawsuits and blank CD's at their programmers and accuse them of stealing MP3's. Oh well. still great news.
-- Josh
"Whoopie! Man, that may have been a small one for Neil, but that's a long one for me!" - Pete Conrad
Just blanking a site is lazy.
--
This space intentionally left blank.
Irony, thy name is gnick.
While I hold little sympathy for RIAA in this matter, I would rather people found different and legal ways to thwart the RIAA's mission.
Homo homini lupus
they were using copyprotection on their site.
Do not rule out the RIAA to hire someone to do the hacking to win moral high ground.
RIAA may now turn their media machine to connect evil hackers with the pirate bay and try to put them in the same corner as child molesters and nazis.
Break the sound barrier - bring the noise.
Or at least post press reports of dropping the charges to people who download. Then see if the judge ruled that it was hacked or if it was legitimate. Then we can use the RIAA's tactics in court to sue them.
There is no "disagree" moderation, and troll, flamebait and overrated are not valid substitutes
If you are going to break into a website, then you need some sort of plan for when/if you succeed.
How about a statement like this:
"The protections applied to this website were more robust than the Digital Rights Management that is applied to CDs, DVDs, and other forms of digital media. Yet even that didn't stop a determined individual. If this website were a CD, it would be leaked all over the internet, and once cracked, DRM simply becomes an impediment to the legitimate users."
At least they could have tried to make it relevant. However, it is quite possible that they didn't have all that much time or total access to the site. (though if you can erase something, I'm pretty sure that is as close to total access as you need) I'm not too familiar with databases and websites so I don't know how far they could go with it.
Out of modpoints but really liked a post? 1BDkF6TtmmeZ3yqXbz9yhdYVqRYnwFoXDj
I like the site a bunch, so I say this with a twinge of reluctance. And I certainly don't like the RIAA. But that kind of behavior is plain criminal. Doesn't matter who owns the computer, it is private property and deserves respect as such.
Maybe it was people protesting the RIAA's plan to put RFID chips on CDs to combat piracy that caused the attack.
Anybody got a screen capture?
Free the Quark 3 from asymptotic confinement! Bring your charm! Don't get down! All colours and flavours welcome!
So you're the most hated site on the internet essentially, especially by people who proudly go by the name "pirates". And you don't protect your site??? Who exactly is running this operation?
"Four words: They had it coming."
Well if we're going to use that excuse then why stop at web site defacement? Why not put out a contract on the heads of the music companies? After all "they had it coming". What's that? Society says it's not OK? So's copyright infringement and that's not stopping anyone. Why should this be any different?
"HA HA!"
I have nothing clever to put here...
The OP should have posted a link to RIAA.org so that it could have been slashdotted. =)
From the screenshots:
If you want my opinion, it was an inside job. The RIAA got so jealous over their content that they decided to delete it rather than share it.
First... I agree that shutting someone else up is not a great way to have a conversation...
But if you are going to do something like this, then have a little panache.
For example, you could upload a few Mp3's with links to download them from the site.
Or upload some key quotes "Copyright should be good for forever less one day".
Or upload Jefferson's statements on copyright.
ah well...
She was like chocolate when she drank... semi-sweet at first and then increasingly bitter.
that someone report them for using unlicensed software.
How about some screenshots?
Kevin
Irrational Diversions
Attacking their website will only aid them in public opinion. This gives credit to their argument that people who oppose them are criminals.
I slapped as many of the screenshots I could find together. I'll try to update. Either way, here's the hack...
Velcroman98.googlepages.com/riaa/
Kevin
Irrational Diversions
Looks like someone was using the RIAA web server's CD-ROM drive to listen to their Sony album collection again...
This sounds like the best idea for what should have been done. (Except with a few hundred pieces, not just one, as the penalties are based on the number of items available for download AIUI, whether or not anyone actually downloaded them).
If they then used the 'But we were hacked, it wasn't our fault' defense, and win because of it, that would then be easier to use as a defense by anyone else whose website/PC was used for distributing copyrighted materials. The RIAA could not then say 'you should have taken reasonable care to secure it'.
If they lose, then all their fines could go to the funds to defend innocent people against them.
Hackers: 1
RIAA: 0
Goooooooooooooooooooooooooo!! Hackers!!!!!!!!
Nom de dieu de putain de bordel de merde de saloperie de connard d encule de ta mere.
For whatever reason, as much as I try, I can't bring myself to feel sorry for the RIAA. They stand between me and the reasonable use of content that I purchase with my hard earned cash. If I purchase an MP3, I expect to be able to listen to that MP3 anywhere that I listen to music. But that's not the case. While I can listen to it on my computer, I can't lug my desktop out to my car with me. So I must use my mp3 player. Except, my mp3 player is a 6 year old creative jukebox. Not compatible with any modern DRM scheme. I must then spend MORE money on a newer mp3 player or risk legal implications by stripping the DRM away from the mp3. That's like buying an orange at the grocery store and being told that I can't use my fingers to peel it because my fingers aren't "compatible" with the skin of the orange. Instead, I must buy a knife to legally peel the skin from the orange. But I can't just buy any knife. I hafta buy an "iKnife." As a consumer, I feel no sympathy for the RIAA.
Whether by ignorance or lack of attention to detail, the RIAA left a security hole big enough to drive a truck through. Someone figured out where the hole was and then posted instructions on how to drive the truck. It was only a matter of time before someone jumped into the driver's seat. While my understanding of SQL isn't exactly at a mastery level, it seems to me that this exploit could have been easily avoided. So, as a system admin, I again feel no sympathy.
Having said that, this is/was illegal. Those who helped deface the RIAA website have done nothing more than stoop to the level that the RIAA has made its home in for some time now. The RIAA is not averse to using tricks, legal games, and outright dishonesty in pushing its agenda. How is hacking their website any better?
There are better and more legal ways to fight the greed that the RIAA represents. All hacking their website does is add another dimension to an already complicated problem. Way to go guys.
Just because you can, doesn't mean you should.
Actually, the only way to be "sure" is to nuke them in person.
Otherwise there's always the real possibility that they were able to take cover.
Chas - The one, the only.
THANK GOD!!!
Given that socio-economic status has a strong correlation to both absolute and "healthy" life expectancy, each successful "life-ruining" lawsuit which results in a corresponding drop in socio-economic status could be interpreted as being some fraction of a murder.
I'm sure they have accumulated enough fractions by now to cover the members of the board, and maybe a few tiers of upper management too. Since they are the most compensated, they must be the most responsible, right?
NB. Tongue is firmly in cheek.
Others have noted that a splendid opportunity to do something really insidious to the RIAA site was wasted. It's worse than that. Even a brain-damaged idiot has enough sense to hire somebody to make the site 'way more difficult to hack next time.
So when somebody finds the next vulnerability, allow me to suggest that before they act, they view "The Yes Men vs The WTA". It's funny, it's subversive in the best sense of the word, and it shows what you can accomplish with a little imagination.
When you've got a bunch of asshats like the RIAA bent over a chair with their pants to their knees, letting them go with a warning verges on criminal irresponsibility.
I've calculated my velocity with such exquisite precision that I have no idea where I am.
Irongnick?
Get thee glass eyes, and, like a scurvy politician, seem to see things thou dost not.--King Lear
If they just restore the site from backup, without patching the SQL injection vulnerability, then the RIAA is RIAAlly st00p3d.
Now, parking a whole bunch of Scientology materials on their server would be quite funny.
Get thee glass eyes, and, like a scurvy politician, seem to see things thou dost not.--King Lear
No, the OP should NOT have posted a link to RIAA.org, that could cause it to be Slashdotted. :]
The RIAA can sue its own ass off. I only support any company which isn't on their client list.
The only way to get them to listen is by NOT listening.
Mullah Omar was right but for all the wrong reasons.
MSBPodcast.com The opinions expressed here are my own. If you don't like 'em... Think up your own stuff.
A lot of the posts on this news seem to focus on what could have been done instead of just blanking the site, but do we have any evidence that the wipe was the only thing that occurred? If the person/people who did this really wanted to hurt the RIAA then this would be a good way to get some trojans onto RIAA computers. To be really sneaky they might have even done some research on which IP blocks are most likely assigned to RIAA and member networks and only infect computers coming from those blocks, thus sparing most innocent visitors. Then you've got a direct line into RIAA operations and much more valuable data than whatever is on their web servers. Not that I'm advocating this, merely postulating that there could be more at work than a simple website wipe.
-- I'm not a pessimist, I'm a realist. It's not my fault that life sucks so much. --
I'm actually surprised this happened only just now.
:)
The RIAA must be one of the most hated computer-related organizations on the planet.
I'm pretty sure a lot of people have attempted to hack the RIAA in one way or another. I mean c'mon, if you're into the "black-hat" thing and you're looking for a new target wouldn't the RIAA be a very obvious and satisfying target?
'I took the RIAA down!', now that would be one hell of an e-peen enlarger.
Though the method used now was really really sloppy on their side. I can imagine their internal IT team must deal with a lot of attack attempts, so this being the first time, doesn't that make the RIAA pretty much bulletproof?
That being said...
HA!
Life starts at the end of your comfort zone.
No, this falls far short of justice. Justice would have been posting a bunch of copywritten songs and announcing to the world where to find them. Even better:
* Record an original piece
* Post it
* Sue the RIAA for hosting it
Just blanking a site is lazy.
I would have thought true justice and victory would be achieved if someone had deleted the RIAA's database of targets^wfilesharers. Of course those who were already at a point where dead trees were involved would still get troubles, but it would still slow them down. Even better: get the information then wipe it and share the info.
I am really worried that http://riaa.org/ is still up - so I load it in my browser and then I keep hitting refresh every second to make sure it's still there ;)
---- "Logoff! That cookie shit makes me nervous!" - A. Soprano
... "YOOZ Netscape... YOOZ Netscape... YOOZ Netscape... YOOZ Netscape..." from, oh, around 1999?
Well, seems like RIAA could be a scratched record... "They had it coming... They had it coming... They had it coming... They had it coming..."...
LASR Disc (Like A Scratched Record)
Previously: "Linux... Toward the Sunrise..." Now: "Linux... Toward the-- No, now, part of Every Sunrise"
There was some confusion over at Reddit yesterday as to whether the database actually had been wiped or if it was simply overloaded from all the crazy querying. It started when someone posted a link to the RIAA site that had an XKCD comic superimposed via an XSS attack. The site was also basically DOSed at some points from all the reddit/digg traffic.
Fortunately for the RIAA, the old content of the site has been archived by the Internet Archive.
Although that poses a rather uncomfortable dilemma for the RIAA: should they thank archive.org for saving their content...or sue them for copyright infringement?
Please correct me if I got my facts wrong.
I'm pretty sure the SQL injection is still there... I'm not getting any SQL errors, but appending "' AND '1'='1" to a certain URL will return the desired result, whereas "' AND '1'='2" doesn't.
PHP and Apache are both outdated on their (RIAA) website, with both an HTTP Trace method vulnerability and a PHP vulnerability: http://osvdb.org/show/osvdb/12184 and http://osvdb.org/show/osvdb/877
"Religion is something left over from the infancy of our intelligence, it will fade away as we adopt reason and science as our guidelines." --Bertrand Russell
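The boolean check the commenter above describes (a true tautology versus a false one appended to the same parameter) is exactly what a developer should run against their own endpoint before and after a fix. This is an added example, not code from the thread or from RIAA.org: it builds a constructed sqlite3 table, runs the check against a string-built query and against a parameterized one, and scans constructed access-log lines for the same probe pattern. The table, columns, file name `news.php` and log lines are all assumptions made for illustration.

```python
"""Added example: boolean SQL-injection self-check and log detection.
Table, column names, paths and log lines are constructed, not real data."""
import re
import sqlite3
from urllib.parse import unquote

# Constructed sample data standing in for a press-release table.
SAMPLE_ROWS = [("7", "Press release A"), ("8", "Press release B")]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id TEXT PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO news VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_concat(conn: sqlite3.Connection, news_id: str) -> list[str]:
    """Vulnerable form: the request parameter is spliced into the SQL text."""
    sql = f"SELECT title FROM news WHERE id = '{news_id}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn: sqlite3.Connection, news_id: str) -> list[str]:
    """Fixed form: the driver sends the value separately, so it is only data."""
    sql = "SELECT title FROM news WHERE id = ?"
    return [row[0] for row in conn.execute(sql, (news_id,))]


def injectable(lookup, conn: sqlite3.Connection, base_id: str) -> bool:
    """The commenter's test. Both probes should yield the same (empty) result
    when the value is treated as data; a difference means it reached the
    query as SQL."""
    truthy = lookup(conn, base_id + "' AND '1'='1")
    falsy = lookup(conn, base_id + "' AND '1'='2")
    return truthy != falsy


# Quote followed by AND/OR and a quoted comparison, in a decoded query string.
TAUTOLOGY = re.compile(r"'\s*(?:and|or)\s*'[^']*'\s*=\s*'", re.IGNORECASE)


def flag_probe_lines(log_lines: list[str]) -> list[str]:
    """Return request paths from access-log lines whose URL-decoded query
    string carries a boolean tautology probe."""
    hits = []
    for line in log_lines:
        m = re.search(r'"(?:GET|POST) (\S+)', line)
        if m and TAUTOLOGY.search(unquote(m.group(1))):
            hits.append(m.group(1))
    return hits


# Constructed access-log lines (RFC 5737 test address, not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [20/Jan/2008:14:02:11 +0000] "GET /news.php?id=7 HTTP/1.1" 200 5120',
    '203.0.113.5 - - [20/Jan/2008:14:02:19 +0000] "GET /news.php?id=7%27%20AND%20%271%27%3D%271 HTTP/1.1" 200 5120',
    '203.0.113.5 - - [20/Jan/2008:14:02:23 +0000] "GET /news.php?id=7%27%20AND%20%271%27%3D%272 HTTP/1.1" 200 412',
]

if __name__ == "__main__":
    db = make_db()
    print("concat injectable:", injectable(lookup_concat, db, "7"))  # True
    print("param injectable: ", injectable(lookup_param, db, "7"))   # False
    print("probe lines:", flag_probe_lines(SAMPLE_LOG))               # 2 hits
```

The differing response sizes on the two probe lines (5120 versus 412 bytes) are the same signal the commenter used, seen from the server side.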
Nah, how about a bunch of press releases saying that "the RIAA was wrong to sue music fans for sharing songs therefore we are dropping all the charges" and then seeing if the judge would say that if it was a cracked site or the RIAA itself.
The linchpin of the RIAA's lawsuit factory rests on the supposition that an IP address is exactly identical to a person. What the IP address does is legally identical to a person doing it. That's their argument.
So, if their website were to be hacked, wouldn't that exact same rule apply to whatever content was there? Their IP address is legally the same as the person/corporation/entity who owns it, right? That IS their argument, after all.
So why not use that against them in a legal sense?
It would be brilliant. The RIAA lawyers when they were brought into court for whatever happened to be uploaded there would have to make the argument that an IP address DOES NOT equate to the owner of the IP address in order to defend themselves.
They'd have to make our argument for us, and in front of a judge.
You couldn't ask for a better precedent.
Weaselmancer
rediculous.
RIAA will use this to justify further restrictions on P2P software.
So far, the RIAA hasn't shown any signs of restraint whatsoever. I don't think haxx0ring their webpage is suddenly going to spur them on to new heights.
They're already about as depraved as you can get anyways.
Weaselmancer
rediculous.
...so were the Founding Fathers when they signed the Declaration of Independence. And Martin Luther King when he fought established racism with peaceful civil disobedience. And Gandhi when he fought for civil rights and against discrimination and foreign domination. And Rosa Parks when she sat in the front of the bus.
Being a scofflaw puts you in pretty good company.
Weaselmancer
rediculous.
I didn't know that complaining about the RIAA is now a crime.
You seem to take the mistaken view that everyone who complains about the RIAA etc. also does filesharing. Well, I've got news for you: While there's certainly a large intersection of both groups, they are not identical. I for one am very pissed by the current developments of copyright legislation, DRM etc. But I've never in my life started a file sharing program. Neither to download, nor to upload.
That doesn't mean I buy lots of CDs or DVDs, though. But then, they still get their share for every data backup I do, because of the fees on the blank CDs/DVDs. Not that those backups contain anything they have the copyright on, mind you.
The Tao of math: The numbers you can count are not the real numbers.
I heard the Scientology site got hacked this weekend and so did the RIAA website. Someone...PLEASE!...someone do it again, only this time post negative Scientology propaganda on the RIAA website and RIAA properties on the Scientology website. They would have to sue each other, and considering the tactics both sides like to use, the resulting trial could take 100 years or more.
TCP Sequence Prediction: Difficulty=0 (Trivial joke)
IPID Sequence Generation: All zeros
OS and Service detection performed. Please report any incorrect results at
http://insecure.org/
Nmap finished: 1 IP address (1 host up) scanned in 97.560 seconds
Raw packets sent: 3595 (166.500KB) | Rcvd: 1082 (50.154KB)
root@fosters:/home/kevin#
Apparently not
Their web guy wanted to make a backup, but when he produced a spindle of CD-Rs, someone yelled, "Pirate! He's stealing our stuff!" He was lucky to make it out of there alive, but they did jam two subpoenas up his ass before they threw him out the door.
I wonder if by posting these ideas on /., this will actually _be_ done now. There's a good chance the crackers (or some copycats) read /.
Not sure about the others, but Gandhi broke laws he considered unfair, then submitted himself for the punishment for those crimes, informing the court (and press) that as soon as he was let out, he would break the law again. He didn't commit other crimes while trying to further his political position.
I wonder if it's possible for someone to donate most of their wealth to charity, then break copyright law as a protest. What are the penalties in civil court if you cannot afford to pay the damages?
Lol - before you sue the RIAA you gotta get thousands of people to download it. Then you can charge them some insane amount of money per download.
-- www.kiwicommunications.com --
"Way full of holes"? Really? I read the entire thread of "discussion" that you pointed to, and found very little in the way of actual discussion. Did you provide the right link?
Also, here are some FAQs with replies to some questions about the movie.
"The greatest obstacle to discovery is not ignorance - it is the illusion of knowledge." - Daniel Boorstin
Yeah I also re-read the discussion after I posted and thought "well genius, you just set yourself up..."
I still think that The God that Wasn't There is not a good critique of Christianity. Did you follow the other link I provided in the thread?
Wait, here it is:
http://www.answeringinfidels.com/index.php?option=content&task=view&id=87
I will follow your link after posting and see what they say.
Seven Days with Ubuntu Unity
...for clearly stating what needed to be said. Not only was it authentic frontier gibberish, but it expressed a courage little seen in this day and age.
Weaselmancer
rediculous.
There is a notion that when society has decided that something is wrong, then it should be codified as law and enforced by the government, which, as Eric Raymond says, tries to maintain a monopoly on violence. Vigilante justice is the antithesis of this: an individual who believes that something is wrong and punishes the offender can cause no end of trouble, since for any act at all, someone believes that it is wrong.
/.ers know how much evidence there is that that actually works that way.
The Tyranny of the Majority is a terrible thing, and so there are supposedly checks and balances built into the system. Here in the USA there's something about inalienable rights (free speech, bearing arms (hmm), driving a fucking huge sociopathic SUV, etc). But people are supposed to be punished according to the Law, which reflects the rational consensus of the People.
But what happens when the consensus of the People and the Law have little in common? As has been said earlier in this thread, laws in the USA are bought and often written by corporations, and their motives have nothing to do with the good of society. So the law becomes farther and farther removed from right and wrong.
What's the answer? Well, really, if control can't be wrested from the hands of corporations, revolution will be necessary, but it will of course be very difficult to buy more guns than the US Army (yes, that's right, since Bush declared martial law, the Army is permitted to use deadly force on US soil against US citizens). I hate to use a term like cyber-warfare, but it is not unreasonable to expect that the revolution will initially take the form of crackers vandalising corporate faces. I'd be surprised if this did any good--it's more like a mob throwing rocks at tanks--but I'd be surprised if we didn't see more of it in the coming decades. Pirating music scarcely counts as warfare: it's nice to think that it's depriving the corporations of their lifeblood, but most
But yes, things are getting worse and not better, and we should be seriously wondering what can be done to make things better again.
Of course, the only political battle that matters a whit is whether we ward off global warming, deforestation, groundwater toxification, ozone depletion, topsoil degradation, overpopulation, air toxification, ecosystem destruction, and giant mutant carnivorous ducks. I'm not saying that wresting control from the corporations isn't important for that--it is vital and urgent. I'm just saying that where your music comes from doesn't matter worth a damn if we have a planet of perpetual war over diminishing resources. It's already begun, but you ain't seen nothin' yet.
"The biggest problem with communication is the illusion that it has taken place."
If I could get people to start calling me Iron-gnick, I would.
He's getting rather old, but he's a good mouse.