RIAA Website Hacked

← Back to Stories (view on slashdot.org)

Posted by CmdrTaco on Monday January 21, 2008 @02:43AM from the maybe-someone-just-typed-rm--rf dept.

gattaca writes "A lack of security controls allowed hackers to "wipe" the Recording Industry Association of America's (RIAA) website on Sunday. The existence of an SQL injection attack on the RIAA's site came to light via social network news site Reddit. Soon after hackers were making merry, turning the site into a blank slate, among other things. The RIAA has restored RIAA.org, although whether it's any more secure than before remains open to question, TorrentFreak reports."

39 of 247 comments (clear)

Well by Chas · 2008-01-21 02:45 · Score: 5, Funny

Normally I don't advocate cracking someone's site. It's childish and petty. Kinda like the RIAA itself.

But, for some reason, I'm having a really hard time working up any real sense of moral outrage over it.

This probably makes me a bad, biased person.

C'est la vie!

--

Chas - The one, the only.
THANK GOD!!!
1. Re:Well by morgan_greywolf · 2008-01-21 03:04 · Score: 5, Insightful
  
  But, for some reason, I'm having a really hard time working up any real sense of moral outrage over it. Four words: They had it coming.
  
  You can't really going around acting like an ass and then expect to be treated with respect by anyone, especially if your site is riddled with basic security problems like SQL injection. Next time, hire a Web developer who isn't a stupid fscktard before gallivanting around, suing everyone, their 80-year-old grandmothers and their 6-year old children into oblivion.
  
  --
  My blog
Why wipe it? by Loibisch · 2008-01-21 02:51 · Score: 5, Funny

It would have been so much better to make it a temporary mirror for thepiratebay.org :D

Wonder if they would have started a lawsuit against themselves...
1. Re:Why wipe it? by webmaster404 · 2008-01-21 02:54 · Score: 4, Insightful
  
  Nah, how about a bunch of press releases saying that "the RIAA was wrong to sue music fans for sharing songs therefore we are dropping all the charges" and then seeing if the judge would say that if it was a cracked site or the RIAA itself. Or how about a plea to stop DRM by saying "it is not working" or at least informing people about the evils of DRM. The possibilities are endless, just blanking a page.... how unprofessional, it did no good to the world the way then the way it could have been done.
  
  --
  There is no "disagree" moderation, and troll, flamebait and overrated are not valid substitutes
2. Re:Why wipe it? by techpawn · 2008-01-21 03:34 · Score: 4, Interesting
  
  But, could that open letter be used as evidence? It came from their website then if they try to use "well, anyone can make things on the internet look that way! Just because the IP address and website are ours it doesn't mean it's our data!" couldn't we counter argue that with their IP sniffing and screen shots or whatever?
  
  I know it would never work. The judge would ph34r t3h ev1l h4xx0rz! But, if fun to dream isn't it?
  
  --
  Ask not what you can do for your country. Ask what your country did to you
3. Re:Why wipe it? by Machtyn · 2008-01-21 04:18 · Score: 5, Insightful
  
  My question is how often does the average consumer really visit a website like mpaa.org, riaa.org, or any other corporate entity presence? For me, it is less than 0.005 (or less than a 1/2%). I think the last time I visited riaa.org was a couple years ago when /. mentioned the site had been hacked. I've never visited a General Motors website, the company that makes my favorite breakfast cereal or laundry detergent. I've just never had the desire.
  
  I suspect that the average person visits their favorite news site, gaming portal (like games.yahoo.com or legitgames.com or whatever), fark/digg/slashdot, and blogs of the different varieties. My wife will occasionally do searches for recipes, information on baby stuff, etc. We'll hit newegg.com, amazon.com, or other storefronts.
  
  Am I wrong in my thinking that the average person would visit a site like mpaa.org, riaa.org, or other industry specific org sites? We all use tires to drive on, have you ever visited the site for Michelen or Dunlap tires? Do they have a trade org site that issues news, warnings, and user information regarding recalls/defects of certain tires? If so, I've never even considered searching it out.
  
  My point is that very few people would see it to make it worth putting information touting your propaganda. However, if it was outrageous enough, perhaps it would make news and people might visit (by which time it would be too late, as the site would be fixed).
Re:Let me be the first to cry by gnick · 2008-01-21 02:52 · Score: 5, Funny

No, this falls far short of justice. Justice would have been posting a bunch of copywritten songs and announcing to the world where to find them. Even better:
* Record an original piece
* Post it
* Sue the RIAA for hosting it

Just blanking a site is lazy.

--
He's getting rather old, but he's a good mouse.
I wouldn't have wiped... by blake1 · 2008-01-21 02:53 · Score: 5, Funny

instead I would have used my cunning to download the latest Britney album to their server in DRM-free MP3 format. And then promptly reported them to themselves.
It would've been funnier by SirLurksAlot · 2008-01-21 02:53 · Score: 5, Interesting

if they made innocuous little changes here and there, such as changing the words "do not support file-sharing" to "fully support file-sharing." It probably would've the RIAA much longer to realize they've been had, and I'm sure they would've gotten some interesting calls and e-mails :-D

--
God, schmod. I want my monkey man!
1. Re:It would've been funnier by webmaster404 · 2008-01-21 03:13 · Score: 4, Funny
  
  No the RIAA gets LOTS of visitors... they are just part of a DDOS though.
  
  --
  There is no "disagree" moderation, and troll, flamebait and overrated are not valid substitutes
Re:Let me be the first to cry by phillymjs · 2008-01-21 02:55 · Score: 5, Funny

Just blanking a site is lazy.
--
This space intentionally left blank.

Irony, thy name is gnick.
RIAA will use this by BadHaggis · 2008-01-21 02:57 · Score: 5, Insightful

to justify further restrictions on P2P software. I'm sure they will be able to twist this attack into some type of political message to show that the P2P community is just a bunch of cracking criminals which need to be stopped.
While I hold little sympathy for RIAA in this matter, I would rather people found different and legal ways to thwart the RIAA's mission.

--
Homo homini lupus
1. Re:RIAA will use this by webmaster404 · 2008-01-21 03:07 · Score: 5, Insightful
  
  We have found legal ways. Its called not buying albums or buying into DRM. However, the RIAA thinks that it is always P2P networks that are to blame for every loss that they suffer. So if the RIAA loses sales, its not because more people are buying indie band CDs or downloading non-RIAA songs, its because of those pirates never ever because most of the music is more noise then music. The RIAA has no logic, they are used to being a monopoly. Even when we win we lose.
  
  --
  There is no "disagree" moderation, and troll, flamebait and overrated are not valid substitutes
2. Re:RIAA will use this by chortick · 2008-01-21 04:03 · Score: 5, Interesting
  
  From a recent Economist article http://www.economist.com/business/displaystory.cfm?story_id=10498664:
  
  "IN 2006 EMI, the world's fourth-biggest recorded-music company, invited some teenagers into its headquarters in London to talk to its top managers about their listening habits. At the end of the session the EMI bosses thanked them for their comments and told them to help themselves to a big pile of CDs sitting on a table. But none of the teens took any of the CDs, even though they were free. "That was the moment we realised the game was completely up," says a person who was there."
Or is it? by mach1980 · 2008-01-21 03:01 · Score: 4, Insightful

Do not rule out the RIAA to hire someone to do the hacking to win moral high ground.

RIAA may now turn their media machine to connect evil hackers with the pirate bay and try to put them in the same corner as child molesters and nazis.

--
Break the sound barrier - bring the noise.
This gives reddit a bad name by maynard · 2008-01-21 03:06 · Score: 5, Insightful

I like the site a bunch, so I say this with a twinge of reluctance. And I certainly don't like the RIAA. But that kind of behavior is plain criminal. Doesn't matter who owns the computer, it is private property and deserves respect as such.
1. Re:This gives reddit a bad name by maynard · 2008-01-21 03:18 · Score: 4, Informative
  
  But the community joined in on the hack with gusto. The comments are worth a read too.
2. Re:This gives reddit a bad name by Pulzar · 2008-01-21 03:22 · Score: 4, Insightful
  
  Reddit only reported it, much as how Slashdot would have reported it. No where in the story does it say that Reddit hacked it, no more so then if FOX or CNN reports a murder did they murder that person.
  
  How's that the same? Reddit didn't report that the site was hacked, they reported that it can be hacked and how, and then somebody hacked it.
  
  --
  Never underestimate the bandwidth of a 747 filled with CD-ROMs.
3. Re:This gives reddit a bad name by Rahga · 2008-01-21 03:38 · Score: 4, Interesting
  
  Can you co-opt the police and feds to conduct raids of private property on your behalf? No? The RIAA can and regularly does, confiscating anything that could conceivably be used to produce and distribute music, including vehicles and computers. It doesn't even matter if an organization, such as authorized mixtape producers, are acting within the law... their property is confiscated first and questions are asked later, usually past the point where a business can survive.
  
  The RIAA are among the least of those who deserve to have their property rights defended.
wow by kellyb9 · 2008-01-21 03:26 · Score: 5, Insightful

So you're the most hated site on the internet essentially, especially by people who proudly go by the name "pirates". And you don't protect your site??? Who exactly is running this operation?
1. Re:wow by Osurak · 2008-01-21 03:48 · Score: 5, Funny
  
  So you're the most hated site on the internet essentially, especially by people who proudly go by the name "pirates". And you don't protect your site??? Who exactly is running this operation?
  Ninjas.
Well-It's all relative. by Anonymous Coward · 2008-01-21 03:26 · Score: 5, Insightful

"Four words: They had it coming."

Well if we're going to use that excuse then why stop at web site defacement? Why not put out a contract on the heads of the music companies? After all "they had it coming". What's that? Society says it's not OK? So's copyright infringement and that's not stopping anyone. Why should this be any different?
1. Re:Well-It's all relative. by sponglish · 2008-01-21 04:30 · Score: 5, Funny
  
  If someone punches you in the face, do you beat them to death with a crowbar? No, you punch them back. If someone pulls a knife on you, do you pull out your grenade launcher?
  
  Yeah, well... You're not from Chicago.
  They pull a knife, you pull a gun. He sends one of yours to the hospital, you send one of his to the morgue. That's the Chicago way... Now do you want to do that? Are you ready to do that? I'm offering you a deal. Do you want this deal?
  
  --
  "I improvise. It's my greatest talent. I prefer situations to plans..." --Wintermute, William Gibson's "Neuromancer"
2. Re:Well-It's all relative. by hoggoth · 2008-01-21 04:34 · Score: 5, Insightful
  
  > If someone pulls a knife on you, do you pull out your grenade launcher?
  
  Ummm... yes.
  
  If someone escalates to lethal force with me, I will respond with lethal force and it will be very important to *win*. Therefore, yes, I will respond to a knife with a grenade launcher.
  
  Hell, I say nuke them from orbit.
  
  --
  - For the complete works of Shakespeare: cat /dev/random (may take some time)
3. Re:Well-It's all relative. by Captain+Splendid · 2008-01-21 04:37 · Score: 5, Funny
  
  If someone pulls a knife on you, do you pull out your grenade launcher?
  
  Sounds like the annual Cheney family reunion to me.
  
  --
  Linux, you magnificent bastard, I read the fucking manual!
4. Re:Well-It's all relative. by derfy · 2008-01-21 04:46 · Score: 5, Funny
  
  Hell, I say nuke them from orbit.
  
  It's the only way to be sure.
5. Re:Well-It's all relative. by Mercano · 2008-01-21 04:59 · Score: 4, Funny
  
  If someone pulls a knife on you, do you pull out your grenade launcher?
  No, that's just not a good idea. I mean, if someone is coming at you with a knife, he's probably at very close range, so if you tried using a grenade launcher, you'd probably taking yourself out with him. (The range for splash damage is probably understated in most video games.) A shotgun or a submachinegun would be a far better choice.
  
  --
  #include <signature.h>
Obligatory Nelson quote by ndtechnologies · 2008-01-21 03:26 · Score: 4, Funny

"HA HA!"

--
I have nothing clever to put here...
Slashdotting by megazork · 2008-01-21 03:30 · Score: 5, Funny

The OP should have posted a link to RIAA.org so that it could have been slashdotted. =)
Torrentfreak has the screenshots. by Spy+der+Mann · 2008-01-21 03:39 · Score: 4, Informative

http://torrentfreak.com/riaa-website-hacked-080120/

From the screenshots:
Who we are.
It appears that the article you requested has been temporarily removed.

Press releases and Statements
ThePirateBay.org - Get free music and movies!

Error
The page at http://riaa.com/ says:
RIAA sucks ... XSS ftw?

If you want my opinion, it was an inside job. The RIAA got so jealous over they content that they decided to delete it than share it :P
Sigh.... missed opportunity by Maxo-Texas · 2008-01-21 03:44 · Score: 4, Insightful

First... I agree that shutting someone else up is not a great way to have a conversation...

But if you are going to do something like this, then have a little panache.

For example, you could upload a few Mp3's with links to download them from the site.

Or upload some key quotes "Copyright should be good for forever less one day".

Or upload Jefferson's statements on copyright.

ah well...

--
She was like chocolate when she drank... semi-sweet at first and then increasingly bitter.
This is not good by Anonymous Coward · 2008-01-21 04:03 · Score: 4, Insightful

Attacking their website will only aid them in public opinion. This gives credit to their argument that people who oppose them are criminals.
Nuke them from orbit. by Chas · 2008-01-21 04:56 · Score: 4, Funny

Actually, the only way to be "sure" is to nuke them in person.

Otherwise there's always the real possibility that they were able to take cover.

--

Chas - The one, the only.
THANK GOD!!!
1. Re:Nuke them from orbit. by orgelspieler · 2008-01-21 08:12 · Score: 4, Funny
  
  when you get to the promised land, you can download 72 songs from Itunes free of charge.
  Yeah, but they can only be from the Virgin label.
Re:Let me be the first to cry by smittyoneeach · 2008-01-21 05:12 · Score: 5, Funny

Irongnick?

--
Get thee glass eyes, and, like a scurvy politician, seem to see things thou dost not.--King Lear
Re:Let me be the first to cry by smittyoneeach · 2008-01-21 05:17 · Score: 5, Funny

If they just restore the site from backup, without patching the SQL injection vulnerability, then the RIAA is RIAAlly st00p3d.
Now, parking a whole bunch of Scientology materials on their server would be quite funny.

--
Get thee glass eyes, and, like a scurvy politician, seem to see things thou dost not.--King Lear
Archive.org by RAMMS+EIN · 2008-01-21 07:07 · Score: 4, Funny

Fortunately for the RIAA, the old content of the site has been archived by the Internet Archive.

Although that poses a rather uncomfortable dilemma for the RIAA: should they thank archive.org for saving their content...or sue them for copyright infringement?

--
Please correct me if I got my facts wrong.
You bring to mind an interesting point by Weaselmancer · 2008-01-21 08:01 · Score: 4, Interesting

Nah, how about a bunch of press releases saying that "the RIAA was wrong to sue music fans for sharing songs therefore we are dropping all the charges" and then seeing if the judge would say that if it was a cracked site or the RIAA itself.
The linchpin of the RIAA's lawsuit factory rests on the supposition that an IP address is exactly identical to a person. What the IP address does is legally identical to a person doing it. That's their argument.
So, if their website were to be hacked, wouldn't that exact same rule apply to whatever content was there? Their IP address is legally the same as the person/corporation/entity who owns it, right? That IS their argument, after all.
So why not use that against them in a legal sense?
It would be brilliant. The RIAA lawyers when they were brought into court for whatever happened to be uploaded there would have to make the argument that an IP address DOES NOT equate to the owner of the IP address in order to defend themselves.
They'd have to make our argument for us, and in front of a judge.
You couldn't ask for a better precedent.

--
Weaselmancer
rediculous.
Re:Let me be the first to cry by SoulRider · 2008-01-21 10:43 · Score: 5, Funny

I heard the scientology site got hacked this weekend and so did the RIAA website. Someone...PLEASE!...someone do it again only this time post negaive scientology propoganda on the the RIAA website and RIAA properties on the scientology website. They would have to sue each other, and considering the tactics both sides like to use the resulting trial could take 100 years or more.