Posting Publicly Available URL Claimed a "Hack"
Urban Strata writes "Popular mobile phone community HowardForums.com is being hit with take-down notices from MobiTV. At issue is the fact that a HowardForums community member uncovered a publicly accessible URL for MobiTV's television stream. This URL is not encrypted or authenticated in any way, and yet MobiTV sent site owner Howard Chui a cease-and-desist letter for hosting a forum with the public URL, claiming that doing so is equivalent to hacking their service."
Except it isn't just the URL they are complaining about.
Is it a hack? Not really
Does it allow people to watch TV that they didn't pay for? Yes
Does it prevent Verizon and MobiTV from receiving revenue that they should from the streams? Yes
Is it wrong? Yes
Do MobiTV and Verizon have the right to send a cease and desist letter? Sure
See folks, whether it's a hack or not doesn't change the fact that it's just wrong. There are too many people freeloading nowadays. The Internet makes it so much easier to freeload. And it's becoming a disease. When MobiTV fixes their stuff, I'm sure a bunch of people in these forums will yell and scream about it, but few of them will actually start paying for the service that they started to enjoy. I do agree though that MobiTV should be ashamed of themselves for leaving their service wide open.
I wonder how much their lawyer bills each time he has to send out a C&D for posting a link to qtv.mobitv.com/sprintTVlive.mcd.
Lookit me! I'm hacking the pentagon! And the CIA! And the FBI!
Hold on, one moment--someone's knocking.
In Xanadu did Kubla Khan
A stately pleasure dome decree
I thought companies realized that "Security by Obscurity" doesn't work many years ago. What a bunch of idiots.
If I leave my car doors unlocked, keys in the ignition, and a big sign saying "take me for a joyride" I can complain if someone does, in fact, take my car, but the police will laugh at me in all likelihood when I report it.
Karma Whoring for Fun and Profit.
qtv.mobitv.com/sprintTVlive.mcd
Well, I found this in the Sprint forums and here we go:
qtv.mobitv.com/sprintTVlive.mcd
1. Copy and paste that link into the address bar.
2. Don't run it but save it to your computer.
3. Find it on your computer and OPEN it up. Select to open it with Internet Explorer or the browser of your choice.
4. There will be a whole bunch of links. Choose the channel you want to watch...
5. Get your LG Voyager and start up the browser.
6. Type one of the links into your Voyager and press OK!
There you go, live TV...
* * *
Here's the list for people too lazy to download the file
This is a shorter less messy version of the file
Bikinis, lingerie, and less. Beach, Bedroom, Hot tub. MAXX Look ??? All Girls. All the time
Seriously, this is probably something to draw attention to a service that few people knew about. Any publicity is good publicity, after all.
The simple truth is that interstellar distances will not fit into the human imagination
- Douglas Adams
And let the bad analogies begin!
You know, this is kind of like leaving the keys to your car....
"There are too many people freeloading nowadays. The internet makes it so much easier to freeload"
Gee, I wonder if you'd apply the same concept to OTA radio and Local TV with regards to magnetic recording media back in the 80s and 90s.
The fact of the matter is that they're claiming it is a hack, when it's their own stupidity and ignorance that allowed this to happen. Calling this a hack is just an attempt upon the person's character. People will begin to think the person that stumbled across this is a hacker, then they'll get that reputation, which in turn tarnishes the reputation of the non-hacker. It's character assassination and MobiTV should be nailed to the fucking wall while someone calls for their waaaaaahmbulance.
Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
As always, that kind of position is missing the fact that google is technically doing the same thing.
It's not that far-fetched: imagine you are googling for your favorite show, and find some url with a video stream; and it's from a respectable "nbc.com" or the like website. How do you guess it's supposed to be a paying service?
Want a real life example? The other day I was looking for some bash command help, and the third google result was from http://www.experts-exchange.com./ If you access it directly, it hides the answers and asks you to pay. But from google, you get to the answers directly because of some glitch.
What I'm saying is you can't blame the user (or here, the website) if they never went through a disclaimer page that made them realise: "well, if I click this link, I will have done something illegal". Free equivalent services exist.
Don't take my posts literally; it's just code to control my botnet.
The URLs obtained with this "hack" play just fine in Quicktime as well.
____
~ |rip/\/\aster /\/\onkey
Hey, you should have paid 5 dollars to view this comment. Please cease and desist, because you are stealing my revenue.
"I only speak the truth"
Karma: null(Mostly affected by an unassigned variable)
I wonder if they decided it simply wasn't worth the development effort to put their content behind encryption? Maybe they thought litigation against improper access would be cheaper, or at least simpler. With the RIAA's successes in court over the last few years, there is some precedent for that idea.
Yes, I know, secure connections are not rocket science. But it's business; the path perceived most profitable is the path chosen.
http://yro.slashdot.org/article.pl?sid=08/03/07/163232
/. are belong to U5!
I hav hax0r3d slashdot. All your
It's MobiTV's fault for leaving their service wide open, just like it's London Zoo's fault for letting people be able to see the giraffes from Regents Park.
What London Zoo should do is force people who walk through Regents Park to stare at the ground* so that they can't see the giraffes and thus have to pay to go and see them.
*Yes I know, 95% of London already stare at the ground whilst walking along the road.
Summation 2
security through obscurity does NOT work.
Can we not get them fined for being publicly stupid as a bag of hammers?
No offense meant to those hammers who are reading this post, or who may have a hammer waiting for them at home.
Support NYCountryLawyer RIAA vs People
This strikes me as basically being the same as a lot of user-uploaded photo sites. You can designate an album as private, and then people can't browse through it picture by picture. But if you send a direct link to the picture, it will be displayed.
The user expects these photos to be private. If you ran an intelligent dictionary attack against them (If photo "a1" exists, guessing "a2" isn't too hard) they'd probably be quite upset. I'd consider this to be immoral, certainly.
Poor security doesn't make it right. Now, if I was them, I'd concern myself much more with simply -fixing- the problem, but that rarely seems to happen. They have a professional, commercial site, they should be able to fix this quickly. So quickly that there wouldn't be a point to going after this guy, because it would be closed in 1-2 weeks. If it takes any longer than that, the site was poorly done in the first place.
This is a classic example of a site trying to be "secure" through obscurity. The correct response would not be issuing a take down notice, thus publicizing the issue. An intelligent response would be to move the service to a secure site that required credentials.
What exactly is MobiTV trying to claim is their IP? The URL? I didn't think such short addresses were copyrightable. I don't think they realize how the internet works. If I type in a URL in a browser, I'm sending a request for data back. It's up to mobitv what to return. If they don't want us to have access to the data, don't return it. Simple.
This situation reminds me a bit of the story a few weeks back, when the government was getting miffed at amateur satellite spotters for looking upward. The differences of course, being that the government couldn't make the satellites completely undetectable, even if they tried, and they did try...as opposed to MobiTV, who has the gall to bleat about "hacking" after being stupid enough to post a publicly available URL.
____
~ |rip/\/\aster /\/\onkey
a kiddie porn site?
damaged by dogma
If anyone is interested you can watch these in VLC. Just open a network stream, select RTSP and paste in one of the URLS. Low quality, but interesting to think you could watch that on a phone.
You can tell I'm an aries because of my ram.
So I guess this means /.ers will now change their sig from 09-f9-11-02-9d-74-e3-5b-d8-41-56-c5-63-56-88-c0 to qtv.mobitv.com/sprintTVlive.mcd....
I judt got a nre Kinesis keybiartf so please excusr ant egregiou typos.
It is a good strategic move in the long run for the company: if they are able to make the forum remove the post, then it would be a precedent for future cases like that. However, it sounds, in a way, just an excuse to cover up for very sloppy behaviour. In the time you take to ask someone to remove a link, why not do something about the link that is already available: I can see that it is still there!
...when a Second Life user bought land before it went to auction using a non-linked but publicly accessible URL and he was banned and his assets seized.
http://secondlife.typepad.com/
Some interesting background reading. They settled, but the "hack" question was never answered by the court.
Ezekiel 23:20
What? I guess the site devs never heard of the obscure concept known in some circles as "cookies"?
In brief, security through obscurity is very bad security, but it's still security, and breaking somebody's security is illegal.
My first thought about the C&D letter is that it's stupidly counterproductive, because even if the recipient complies, the publicity will actually make more people aware of the URL than would otherwise. But then I realized that if management didn't send out the C&D letter, they'd catch grief from their stakeholders for "lack of fiduciary responsibility" or whatever. They could even get sued themselves. C&D letters are just one of those legal rituals big companies have to do, no matter how silly the context. Remember the New Zork Times?
What is stupid is thinking that nobody would find out about this URL.
Also the burden is on the host to restrict access to anything via standard protocols that they connect to the internet.
Here again the ego achieves the opposite of its intentions bringing attention, unless..
It is an ingenious plot by MobiTV to bring attention to their service, they have succeeded .. Hmmm
"an infinite player that has lost his finite mind" ~Infinite Play the Movie (it blends with reality)
If you download the mcmd file and look at it in a text editor it's just an XML playlist file. The rtsp:// streams play fine with Quicktime on Windows/Mac, having a few problems with mplayer on linux.
The more interesting thing is if you go to the URL in a Treo browser, it launches the SprintTV application and lets you stream all of them to your phone. Hell of a lot better than $5/month/channel.
http://qtv.mobitv.com/sprintTVlive.mcd
A recipe for misdirection:
* 1 link to "private" content
* 1 cup TinyURL(c) brand address shortening
* 2 lbs. unauthorized access
* 1 content owner
* An army of lawyers
Preheat oven to "Litigation". Route link through address shortening. Mix with unauthorized access, and let rise until content owner exclaims "IT IS TEH HAXORZ!1". Apply army of lawyers liberally to TinyURL for providing access to content. Place in preheated oven and bake until lawsuit reaches a golden brown. Cool before serving.
(Note: Recipe not tested.)
The links play in Quicktime just fine.
It's left blank because I have nothing to say to you punks!
Did anyone read the PDF of the letter they sent to Howard . . . in Canada . . . citing the DMCA (a US law?) I don't know where HoFo's servers are, or if Canada has a DMCA-like law yet, but that seems pretty silly and maybe Howard should prep a backup server not in the US just in case. Then write the idiots at MobiTV a funny reply like the guys at the pirate bay do.
Silly MobiTV -- you can't copyright an URL!
everything in moderation
http://qtv.mobitv.com/sprintTVlive.mcd
OK maybe they're not, but they should be...
Genesis 1:32 And God typed
Is it wrong? Yes
WRONG. Based on your scenario we need to get permission from the site owner to visit any web site.
Any web site which is publicly available is de-facto a public web site. This is precedent since the inception of the www. Even if you had a button that said "Do not click unless you are a paid member of this site" you would have no legal leg to stand on if anyone else clicked it.
Everyone is making real property analogies to this. A web site is not a house, it is not a building, it is not a car. If it were, it would be taxed as such and we would all need written permission to visit each site.
...a slashdot thread that consisted almost entirely of people arguing over what metaphor would be used to describe a situation.
God sues people for breathing His air.
One thing is very funny: In my country, it is (as stated explicitly in the law) perfectly legal to download (for personal use - i. e., "don't redistribute!") copyrighted works that have been made publicly available (*), just as you can record a radio broadcast on a tape or a TV show on a VCR. I am wondering what they would try to claim *here*. :-) If they are unable to control access to their media resources, well, it's none of my business.
(*) Surprisingly, this is OK even if the "publisher" is violating law, like some (many :-)) RapidShare uploaders - but in this case it's MobiTV who are being stupid :-)
Ezekiel 23:20
Pssst! Listen up! I've just discovered an address where you can access intellectual property for free! The address is 700 Boylston St., Boston MA 02116. You know what? Between 9 a.m. and 5 p.m. every day they leave the door unlocked! That's right! You can walk right in!
And you know what you'll find? Millions and millions of books, including current bestsellers like Stephen King's Duma Key. Yep, you can just take it right off the shelf, sit down, and read it right there. Instead of paying $17 to $28 dollars, you can read it for free!
In fact, with a Massachusetts driver's license and a little sweet-talk it's not at all hard to do social engineering on the guy at the security desk and talk him into giving you an access card that will let you take that book right through security, right out of the building! For three weeks or more.
Is it a hack? Not really.
Does it allow people to read books that they didn't pay for? Yes
Does it prevent Scribners from receiving revenue that it would otherwise have received? Yes.
Is it wrong? No.
"How to Do Nothing," kids activities, back in print!
If you don't want people looking at your naked ass all day, put your pants on in the morning.
Have we ever slashdotted a TV provider before?
"Physics is to math as sex is to masturbation." -R. Feynman
Something I have noticed so far:
/. IQ is about 125, while the average public IQ is about 95.
Everyone here complains that they should just fix it....
Perhaps in an effort to make it available to more users/devices (since it IS geared towards cell and smart phones) they did not encrypt it or make users go through a crazy registration/validation process. There are some phones that might not support the security (lack of processing power?) and there are users that would not jump through all the hoops.
We seem to forget that most slashdotters are willing to forgo convenience for security, but most sheeple (general public) are not, that's part of why we see so many instances of "secure" information being sent through "unsecure" channels. It's too much of an inconvenience to the end users to encrypt.
Just a guess, but I bet the average
How amazed would you be to suddenly find that you just forgot what I wrote and you needed to reread my post.... again.
qtv.mobitv.com/sprintTVlive.mcd
Or you can go to the delphion patent server and append &page=0 to the end of the url to see the whole patent for which only the first page is supposed to be visible to non-paying customers. Hacking?
Your "walking into a gym" metaphor doesn't really cut it at all. A real analogy might be, Alice puts up a notice on a public bulletin board. Alice really only intends for Bob to read the message, but she posts it in public in plain English.
Eve comes along, and posts another note on the bulletin board that points out where on the board Alice's message is. (Over to the left three feet and up ten inches...) Alice proceeds to throw a fit about Eve's message.
If you put an unencrypted document on the internet, you display it in public. If you serve a stream to anyone who hits a URL, you have made that stream public. If you must have a property analogy, it is as though the gym owner decided to put all their gym equipment in a public park with a notice that says "Use this."
omg I h@x0r3d teh www.google.com, don't sue!
the only permanence in existence, is the impermanence of existence.
Probably others as well, not gonna weed through the long list already. Security through obscurity is no security at all. Basically, the persons have left their car not only in the middle of the parking lot unlocked, but the windows wide open for anyone to take. It is very illegal for someone else to steal it as that person does not own that vehicle. The police will arrest you, but your insurance may not cover the theft. Kinda get the picture? If the site has any type of disclosure or terms of use stating that using their URL in any way outside of their service is illegal, it's illegal. You accept the terms of use or you don't. You go around the terms of use, you've just "hacked" the site. As for the recurring theme that I read above about freeloaders... If it's not illegal, then why not? If it is, people probably need to be educated. If they persist even after education, yeah then they are in for a world of hurt due to their own actions. Face up to your actions and take responsibility. If not, well... no one is perfect.
Here is one: you drive up to an open tollbooth and there is no one to take your toll and the lane had its green light on?
Here is the URL in case they take it down.
qtv.mobitv.com/sprintTVlive.mcd
and its contents
Bikinis, lingerie, and less. Beach, Bedroom, Hot tub. MAXX Look ??? All Girls. All the time
If they don't want people to access a URL, they should take technical steps to prevent it from being accessed. An accessible URL is an invitation to use a service on that server. Having an accessible URL and then sending stupid legal letters is akin to putting an "Open House" sign in front of your house and then calling the police and pressing burglary charges when someone comes in.
From reading the responses to my own post, I can clearly see that we have a major problem in society today. The ability to casually get stuff that isn't yours and get away with it on such a wide scale has severely eroded people's morality. At some point the cycle of money driving the ability of companies to give things away or be taken away will dry up. What will happen then?
Imagine you run a movie theater. You hire a guy to stand at the door and instruct him that when people come up and say "Can I pretty please watch this movie that is playing in theater 3 right now" he should say yes, open the door, and let them in.
Now imagine that you send legal threats to the people who asked and were granted admission, and your argument is "I didn't mean to tell my employee to let you in."
---
Imagine you run a movie streaming company. You buy a web server and instruct it that when people send a request asking to stream the movie at /foo/bar.mpg it should say yes, and start streaming the movie?
Now imagine that you send legal threats to the people who asked and were granted access to the stream, and your argument is "I didn't mean to configure my web server to give you the stream."
---
Hacking would be when you tap the employee on the shoulder from behind, hit him with a bat when he turns around, and go watch the movie.
The masses are the crack whores of religion.
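What the server-side check several commenters ask for could look like, as an added example that is not part of any comment or of MobiTV's system: the open handler serves any request for a known path, while the checked handler serves a stream only when the URL carries an unexpired HMAC signature over path, subscriber and expiry. The host, paths, key, subscriber name and function names are hypothetical.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed demo values: key, host, paths and subscriber ids are hypothetical.
SIGNING_KEY = b"demo-key-constructed-for-this-example"
HOST = "stream.example.invalid"
KNOWN_STREAMS = {"/live/channel-1.sdp", "/live/channel-2.sdp"}


def _mac(key, path, subscriber, expires):
    # Bind the signature to the exact path, the subscriber and the expiry time,
    # so a link cannot be edited to point at another channel or a later expiry.
    msg = f"{path}\n{subscriber}\n{expires}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def sign_stream_url(path, subscriber, expires, key=SIGNING_KEY):
    """Issued by the portal only after the subscriber has authenticated."""
    query = urlencode({
        "sub": subscriber,
        "exp": expires,
        "sig": _mac(key, path, subscriber, expires),
    })
    return f"rtsp://{HOST}{path}?{query}"


def serve_open(url):
    """The behaviour the thread describes: every request for a known path is served."""
    return 200 if urlsplit(url).path in KNOWN_STREAMS else 404


def serve_checked(url, now, key=SIGNING_KEY):
    """Same paths, but the request must prove the portal issued this exact link."""
    parts = urlsplit(url)
    if parts.path not in KNOWN_STREAMS:
        return 404, "no such stream"
    query = parse_qs(parts.query)
    try:
        subscriber = query["sub"][0]
        expires = int(query["exp"][0])
        sig = query["sig"][0]
    except (KeyError, ValueError):
        # No token at all: this is what a copied bare URL looks like.
        return 401, "authentication required"
    expected = _mac(key, parts.path, subscriber, expires)
    # Constant-time comparison; bytes avoid a TypeError on non-ASCII input.
    if not hmac.compare_digest(expected.encode(), sig.encode()):
        return 403, "bad signature"
    if now >= expires:
        return 403, "link expired"
    return 200, f"streaming to {subscriber}"


def demo():
    """Run the four cases that matter and return their outcomes."""
    bare = f"rtsp://{HOST}/live/channel-1.sdp"
    signed = sign_stream_url("/live/channel-1.sdp", "alice", expires=2000)
    return {
        "open_bare": serve_open(bare),
        "checked_bare": serve_checked(bare, now=1000),
        "checked_signed": serve_checked(signed, now=1000),
        "checked_reposted_later": serve_checked(signed, now=2000),
        "checked_edited_channel": serve_checked(
            signed.replace("channel-1", "channel-2"), now=1000),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:24} {outcome}")
```

With this in place a link reposted on a forum stops working at its expiry time and names the subscriber it was issued to, so the operator has a technical control and an audit trail.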
123 matches on Google as of 1:28 EST.
It's going to be fun watching this proliferate.
Having downloaded the file, which amusingly is still available, and perused its contents, I have the following question: Who the hell watches Lipstick Jungle on a cell phone? Who the hell watches Lipstick Jungle? What IS Lipstick Jungle? Whose mind is so vacant that they have to get a TV fix on their mobile phone?
As for the website itself, their complaint is rather like a bank putting all of their customers' account balances on a webserver, and then complaining when someone looks at someone else's account. Yes, the action is dickish at best, but the fact that it can be carried out is dickisher.
MobiTV will lose and their files are now all over the internet. Serves them right for: a: stupidity in not securing the URLs b: attacking the messenger HoFo, a hugely popular site resulting in a major PR disaster. I don't see this going much further. I wonder if Howard can sue MobiTV for defamation?
To be fair, mobile phones still have a lot of kinks to work out, and security measures could render services unusable on many devices. Just think about the time complexity involved with real-time decryption which would be one possible solution, phones can't handle this. You can't really criticize them for this, as the mobile space is a bit chaotic right now and they had to make a business decision: Lose revenue by not supporting several popular phones, or let a few geeks get free TV. I'd say they made the right choice.
Charisma is the measure of someone's ability to lie with a straight face.
The Daily WTF published an article very similar to this, where a web site's "security" model involved simply having a user fill in their username and password (which was processed by client-side javascript) and then forwarding them to an unsecured URL. WTF Security.
When the article's author pointed out to the company how bad their security was, he was accused of "hacking" in. A very, very funny article...
"Flag on the moon. How did it get there?"
Experts Exchange intentionally reveals the responses to Google's spiders so that they get more search hits. IIRC, this is against Google's terms of service and is grounds for exclusion from results or reduction of relevance, but only seems to be enforced against people who abusively game Google in this way. NYTimes I think also was guilty of this with respect to Google's News search (but I'm not 100% sure on this.)
Move all sig!
Of course, you could ask a lawyer ... the general counsel's email is in the C&D letter. As a matter of fact, most of the suggestions here are so insightful and would provide the law firm with valuable information that I think all /.'ers should email the general counsel with their helpful advice.
I assumed it is but now I am not sure anymore...
The C&D letter is not directed at unauthorized people using their service. It is directed at people publishing information about them and their service.
There's nothing legal or moral about security by gag-order.
Did not see a single thing of sufficient interest to even warrant following the link.
There is no right to feel safe thru security vaudeville at the expense of everyone's freedom, privacy and tax money.
So, the next logical question to ask would be if it is immoral/illegal to view the comments that are at the bottom of the page. EE did a very blatant job of letting you know that they require fee for the services they are providing, but have effectively left the door unlocked. While we may dislike how they conduct their business, would it not be considered stealing if we were to glean the answers from them when they ask for payment?
I know items on store shelves are for sale because they are, umm, in a store and have price tags. I know a web site with a public URL has something to sell when a box pops up and tells me what it costs and how to register and I can't otherwise get at the stuff the site is selling. I know a web site with a public URL and something to sell was designed by someone without a clue when nothing stands between me and the stuff that's being sold.
The best analogy here is this: A college town bar owner takes a truck full of six packs and sets them on the front steps of every frat house he can find, then calls the lawyers when he discovers the frat boys drank the beer without paying for it.
-- Slashdot: When Public Access TV Says "No"
Did these people learn nothing from the Wikileaks debacle? Or the AACS encryption key mess? Sending cease-and-desist letters and DMCA takedown requests over this sort of information only results in it being distributed more widely and seen by far more people.
"Does it prevent Verizon and MobiTV from receiving revenue that they should from the streams? Yes"
err.. No. or rather "Only if they would have paid for it anyways."
"Is it wrong? Yes"
Absolutely NOT wrong. It is not wrong to click on a publicly accessible link. That's what they are for. The only way to tell if someone doesn't want you to use a link is to secure the link.
Could I create a site called "myfamily.com" post a picture I took, and then sue anybody for linking to my site? no.
The Kruger Dunning explains most post on
Maybe they should charge MobiTv for providing them with consultation on security matters and determining where holes in their web applications lie. And perhaps for load-testing the servers too...
because they are used to convince law makers and the general public to pass draconian laws, and lock people up for unreasonable amounts of time.
It isn't stealing, it's copyright infringement. There are two different terms for very good reasons. Copyright issues are very 'hot' right now so diluting and / or confusing the issue doesn't help.
The Kruger Dunning explains most post on
But if we're stuck on them for whatever reason:
View the internet as a series of doors. Knock on any given door and you will get one of the following:
1. Nothing.
2. A request for authentication.
3. Something for free.
Some people believe all doors aren't equally easy to find, but this is basically an illusion.
The question is whether knockers can know whether or not they should knock on the door and, if so, whether they are ethically obligated to use this information responsibly.
Generally speaking, knockers have no mechanism for knowing whether or not they should knock on a door. Door-owners are asking for knocks by putting doors in place. Otherwise having a door simply makes no sense. So I find it difficult to find knockers at fault, generally speaking.
In a specific case like this where a knocker knows that they are not supposed to be receiving something for free, it is fairly obvious the knocker is ethically challenged. While the knocker may not agree with the idea of intellectual property, there are other ethical considerations as well. Rare will be the knocker whose true ethical position allows him to use the services for free. By society's current standards the ethics are clear.
However, there is still value in an unethical knocker's actions, if only to encourage door owners to put in the appropriate access controls.
Once a door owner is aware of the problem, failure to put proper controls in place is, IMHO, a decision to offer the service for free. Sending a cease and desist letter is well within a door owner's rights and may be an effective temporary solution to the door owner's mistake. However, I think 'pound sand' is also an appropriate response. Door owners can instantly and permanently remove or change the door so it responds differently. Knockers are not responsible for propping up the door owner while he or she fixes the problem. And supporting this cease and desist idea promotes door owner laziness.
I'd always just used Google's Cache feature to see the content. I figured if Google could see the content, since I was using Google to search & they offer the cache view to their users, I'd vicariously inherited the right to view what EE was trying to claim as premium content. So I guess I was taking a longer route than I needed to, but the highlighting of my search terms is usually worth the effort when sifting through a lot of garbage anyway. The main difference is that the version Google sees has a "View Solution" button at the bottom of the first post, where the "public" version of the site has a subscription sign-up link.
I don't think it's all that scummy though, it's clever. It's sort of like the "Obtain key from office to use elevator" sign that's posted outside the building elevator (primarily used for freight or disabled people) in one of my workplaces. The only keyhole I could see near the control was the test/override one that all elevators have, so I pushed the summoning button, and found the elevator to be fully functional sans key. Not only that, but it doesn't even have the current possibility of being locked-out in such a way as to require a key. But does it deter 95% of the people who walk by the elevator, who instead use the stairs? Yep.
It's the same sort of social engineering trickery, discourage people with something that is designed to be prima facie misleading, but is actually utterly irrelevant to anyone who wishes to observe and test the purported limit. Other, less amusing examples include the ubiquitous "beware of dog", "premises under surveillance", and "security provided by $alarm_company" signs that project an unnecessarily elevated notion of trespassing risk on private property.
See, the same guy could write a cease and desist letter to Slashdot editors, or the New York Times for that matter. Unless and until that letter is attached to a court order to cease and desist, there's no reason to even respond to it. You should read it. You should keep it. Because it can be used as evidence against the person who wrote it later. But if you act on the demand in the letter, you should only do so because you were inclined to take that same action to begin with.
For anyone who gives in to "pressure" from a mere C&D letter... you make your choices, and the letter is irrelevant.
-fb Everything not expressly forbidden is now mandatory.
This is still character assassination. They're calling this person a hacker when it's very clear they are not a hacker - no forceful breach of security happened, no bypassing security measures, no database information stolen, nothing except finding/stumbling upon an open, unsecured URL that some idiot webmaster didn't have the common sense to secure. The issue here is that we have idiots using words without knowing what they truly mean and as a result they are harming this person's reputation. Were this to stick, potential employers would not hire this person on reputation of being a 'hacker.'
Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
...as the destination itself.
While MobiTV is apparently staffed by morons, and should probably make a stronger effort to secure their content, it would seem that even though what they claimed is proprietary information was hidden in plain sight, it was discovered by use of a debugging tool in violation of their TOS. Almost every software license prohibits decompiling, reverse-engineering, and the like, because almost every secret in the most proprietary software is hidden in plain sight, if someone has the correct tools.
If MobiTV is correct that someone didn't just happen across that URL or received it in a normal browser error dump, and actually used an unauthorized debugging tool to obtain the URL, then they may have a leg to stand on. Information acquired through illegal means and leaked to the public DOES NOT public information make. And I'd say they may be well within their rights to demand the information be taken down...but sometimes what's within one's rights isn't necessarily prudent to act on (hello, Streisand Effect!). But of course, that ultimately assumes that the individual who leaked that URL information acquired it by violating a contract he agreed to somewhere along the lines. Just so long as the instructions to obtain that URL are (a) usable by anyone coming from a public starting point, and (b) don't involve taking an illegal action along the way to the ultimate destination of that media URL, there really doesn't seem to be any leg for MobiTV to stand on. However, if the destination URL cannot be reached under those conditions, it should probably be considered to be as stolen and illegal as the TV some guy is trying to sell from the back of his car. Just because you bought stolen goods in an open and public transaction doesn't mean the transaction was legal in the first place. In this example, the seller didn't have the legal right to sell the item, so he couldn't legally transfer ownership to you.
I'd just like to point out that all of these (mostly crappy) analogies are very much the reason tech law is in the state it's in today. You really can't equivocate tech and the net with physical analogies. And it's because of explanations like this that the laws for these things are in the mess they're in.
Someone needs to sit down and say Yes, this is legal or No, this isn't legal without trying to equate it to stealing a book, or walking into a movie theatre, or whatever, and actually make a law out of it.
Personally, I'm with the it's-not-wrong-crowd-- if you want restricted access, you have to take the steps to make sure it's restricted. It's like--ah, never mind. But seriously, one way or another, someone intelligent has to actually start ruling on this or we'll have people saying "It's like breaking into someone's car!" "Oh, it is? Okay, guilty!" from now until the heat death of the universe.
I don't think taking down that forum is going to do any good, the information is free now, they will have to take down every forum and website on the internet now. What dumbasses for having an unsecured URL that hosts what they consider sensitive data. Well, I found this in the Sprint forums and here we go: qtv.mobitv.com/sprintTVlive.mcd
1. Copy and paste that link into the address bar.
2. Don't run it but save it to your computer.
3. Find it on your computer and OPEN it up. Select to open it with Internet Explorer or the browser of your choice.
4. There will be a whole bunch of links. Choose the channel you want to watch...
5. Get your LG Voyager and start up the browser.
6. Type one of the links into your Voyager and press OK!
There you go, live TV... Ask more questions if you need help.
So You Hacked Our Site!?
I think someone should trademark the term "Hacking," as people take it to mean both "trespassing online" and "breaching our illusion of security."
"We are Microsoft. You shall be assimilated. Competition is futile."
This reminds me of the real early days of web sites. Just past when people were excited about being able to put "hello world" up, and when they started charging people for content.
.htaccess can actually control access. But what do we do about the crappy billing company that doesn't actually give you login information, they just tell you to protect by HTTP_REFERER? :)
:) You can't blame Howard for your own security problem. Would "Bank of America" be able to blame the hackers, if there was a super secret file called http://bankofamerica.com/all_customer_info.3.7.2008.zip ?
"Secure" pages were usually some obscure web page under the main site. Security was that your members area was called http://example.com/members_mysecret .
And then people started getting smarter. Oh my gosh, that
If this happened on all the super-kewl-elite hax0r sites, then the good old C&D wouldn't be doing much good, they'd be crying about how the hackers have infiltrated their security.
It does make me feel nostalgic, thinking of the folks who thought http://example.com/members_mysecret would always protect them.
So my advice. Suck it up, and hire someone who knows at least something about security, and make your application work securely, if you don't want the whole world to use your content.
Serious? Seriousness is well above my pay grade.
i'd say the best analogy would be something like this: imagine an outdoor gig (for example a car cinema or whatever they call them), there's a stage and audience area - it's all surrounded by a fence and they charge you if you want to enter; but there's a hill just outside the fence from which you can perfectly see and hear the whole performance; so would it be right to prosecute people for standing on that hill for not buying the ticket? or perhaps the whole thing should be designed in a way that you cannot see/hear anything from that hill? couldn't think of anything better... i would probably find myself standing in the crowd on the hill, where would you be?
the reason why i thought of this is we had something similar in my home town - an outdoor theater; and while you couldn't see or hear performances from outside of the fence there were apartment blocks just next to the theater and every time there was a concert or any other event you could see whole families standing in the windows or on the balconies and i don't remember anybody charging them for tickets... just a side story and my two (euro) cents...
greetings
p.s. i didn't bother going through all the comments so if there's already something similar posted by fellow slashdotter well... bear with me
I reformatted the links to work in Firefox, am I a l33t hacker now too? Fox News MSNBC Discovery TLC Animal Planet NBC Comedy HD - NBC Comedy ESPN Mobile NBC Sports Mobile Lipstick Jungle HD - Lipstick Jungle Maxx Look HD - Maxx Look Toon World TV HD - Toon World TV Access Hollywood HD - Access Hollywood Love Laffs HD - Love Laffs Bloomberg Tim Gunns Guide to Style HD - Tim Gunns Guide to Style The Mic Hip Hop HD - The Mic Hip Hop V40 Hot Hits HD - V40 Hot Hits Totally 80s 90s HD - Totally 80s 90s Double Z Country HD - Double Z Country RandB Jamz HD - RandB Jamz Chaos Extreme HD - Chaos Extreme Shift Alternative HD - Shift Alternative USA Mobile HD - USA Mobile Bravo Mobile HD - Bravo Mobile SciFi Mobile HD - SciFi Mobile Oxygen HD - Oxygen Discovery Mobile HD - Discovery Mobile A&E Mobile HD - A&E Mobile The History Channel Mobile HD - The History Channel Mobile NBC News Mobile HD - NBC News Mobile Fashion TV Comedy Time HD - Comedy Time Maxx Sports HD - Maxx Sports IGN
A man puts up a billboard at a certain intersection in a great city containing a pornographic image that some people would be willing to pay gold to see. He builds a business plan around the simple-minded assumption that most citizens who have not paid him will remain unaware of the billboard's existence and location. An observant charioteer names the street address in his weekly news scroll, telling the strange story of the owner's simplemindedness concerning people's ability to buy chariots, travel on the public streets, and direct their attention at billboards standing out in public view. The owner feels some embarrassment at his weak-headedness being made known, and sends forth his legal counsel to the imperial authorities to accuse the driver of the arcane crime of Infringing Intellectual Property, which being translated into common tongue is Interfering with a Business Plan, thereby bringing even greater embarrassment to the scribe, who must endure his shallow knowledge of the law being made known to myriads of people far and wide.
Those who would give up essential liberty to purchase a little temporary safety, deserve neither liberty nor safety.
okay guys. I just had a conversation with the president of MobiTV. He had this to say:
Quote: Howard, great catching up today. Again, we're big fans of the sight and our intention was never to bring your entire sight down or to "censor the Internet" like we're being accused. The irony is that is quite the opposite type of company we are and as one of the leaders in new media, we couldn't be more supportive of the rights of sights like yours. Please know that our first priority is always to fix any security issues with our system and we're doing that. Additionally, we also have a responsibility to our content and carrier partners to reduce the impact of any breaches to the system once they occur and that was really the basis for the correspondence you had with our legal team.
I look forward to continuing to find interesting and vibrant insights from HowardForums.
Best regards, Paul Scanlan Cofounder, President
So I guess everything is okay now. Thank you all for your support!
I tend to agree with you in all but one point:
Verbal or implied permission is sufficient to visit another person's house, so why not somebody else's website?
Just my $.02
hackerkey://v4sw5/7BCHJMPRUY$hw3ln3pr6/7FOP$ck6ma8+9u6L$w4/7CGUXm0l6DLRi82NCe3+9t5Sb7HMOPRen5a17s0DSr1/2p-3.62/-5.23g3/5
I already emailed MSNBC and let them know that MobiTV is distributing their channel with zero security causing them to lose revenue. Hopefully they'll light a fire under their ass. :D
Tech/Reviews blog
Your analogies all fall apart because they ignore the fact that these are requests.
The idea of an illegal HTTP request makes sense only when those requests are actual cracking attempts (e.g. SQL injection). Any other HTTP request must be seen as legal simply because it is a request. Making these illegal would be like making it illegal to ask a business for a freebie or discount. Such an idea is clearly absurd since no one is harmed merely by asking.
Legally speaking, if you ask a representative of a company for a freebie and receive it, you have not broken the law - even if you believe the representative should not have given you the freebie. The exceptions to this are when you know the employee is not authorized to give you the freebie. For instance, receiving a free TV from a stock boy at Target would probably not be legal. Asking for free money by waving a gun is clearly not legal. And it would not be legal to ask an employee you know personally to give you a discount or freebie you know he or she is not authorized to give.
Since a server is effectively an unknown representative of a company faithfully following clearly defined rules, asking it for something and receiving it is tantamount to the company authorizing your request. It doesn't really matter whether some people on a forum believe the server should not be handing out the information. Those people do not represent the company!
Once another company representative contacts you, well, then you know there is a problem with their representative and ethically (and perhaps legally) you should stop telling people about this great deal. However, if the company fails to do anything about this representative I would be very surprised if they have any legal standing since they clearly knew exactly what the representative was doing and took no action to stop it.
I am not sure I would go this far, but some certainly could argue that no authorization mechanism of any kind on the public internet is not possibly a "mistake" and so the company was - in fact - authorizing their representative to give away this information.
That the webmaster of howardforums.com should sue MobiTV for 'making available'; after all that's the real crime here (just ask the RIAA)
*runs*
Question: what should mobitv have done to limit access? Password protect with a single global authentication token for all devices? Individual tokens for each subscriber? Going a step further to replace tokens with keys and encrypt the connection? How would this token/key information be protected on the device, assuming there's no hardware support for this?
I agree that there should be no ethical or legal implications tied to the action of sending an HTTP GET to a server, no matter the url (and excluding cases like DoS), but what would you consider the minimum level of "protection" to warrant calling unauthorized access a hack (or to phrase that better, to warrant calling the access howardforum's users performed "unauthorized")?
Evidently, the key to understanding recursion is to begin by understanding recursion. The rest is easy.
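As an added illustration of the "individual tokens for each subscriber" option raised in the question above (not part of the original thread, and not MobiTV's actual design): the server can hand each authenticated subscriber a short-lived, HMAC-signed stream URL, so that the bare path alone is refused. The key, path, parameter names and function names are assumptions made for this example.

```python
import hashlib
import hmac
import time
from typing import Optional, Set, Tuple
from urllib.parse import parse_qs, urlencode, urlsplit

# Hypothetical server-side key (constructed for the example); it never leaves the server.
SERVER_KEY = b"constructed-demo-key-not-a-real-secret"


def _sign(path: str, subscriber: str, expires: int) -> str:
    """HMAC-SHA256 over every field the client must not be able to alter."""
    msg = f"{path}\n{subscriber}\n{expires}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_stream_url(path: str, subscriber: str, ttl: int = 300,
                     now: Optional[int] = None) -> str:
    """Called only after the subscriber has logged in; returns an expiring URL."""
    expires = (int(time.time()) if now is None else now) + ttl
    query = urlencode({"sub": subscriber, "exp": expires,
                       "sig": _sign(path, subscriber, expires)})
    return f"{path}?{query}"


def check_stream_request(url: str, active_subscribers: Set[str],
                         now: Optional[int] = None) -> Tuple[bool, str]:
    """Server-side decision for one request; returns (allowed, reason)."""
    now = int(time.time()) if now is None else now
    parts = urlsplit(url)
    q = parse_qs(parts.query)
    try:
        sub, exp, sig = q["sub"][0], int(q["exp"][0]), q["sig"][0]
    except (KeyError, ValueError):
        return False, "missing token"      # a bare URL copied from a forum post
    expected = _sign(parts.path, sub, exp)
    # Constant-time comparison; bytes avoid a TypeError on non-ASCII input.
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return False, "bad signature"      # path, subscriber or expiry was edited
    if now > exp:
        return False, "expired"
    if sub not in active_subscribers:
        return False, "subscription inactive"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample: subscriber "alice" requests a hypothetical channel path.
    url = issue_stream_url("/live/channel1", "alice", now=1000)
    print(check_stream_request(url, {"alice"}, now=1100))
    print(check_stream_request("/live/channel1", {"alice"}, now=1100))
```

A leaked URL of this kind stops working at its expiry time and names the subscriber it was issued to; it does not address the question's last point, protecting credentials stored on the handset.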
I guess the S&D got retracted. More info here. Damn! Just when you think there's going to be a good fight! What I want to know, now, is how does someone become the President of an Internet media company and still think a forum is a web sight.
Knowledge is the small part of ignorance that we arrange and classify. (Ambrose Bierce)
If I had made a mistake like this, publicly sharing something in a way that wasn't agreed to by the copyright holders, I'd be sued into the ground for filesharing.
... well, you probably know where I'm going with this.
Even without knowing the specifics of their contracts, I'm willing to bet that they're paying for every paying customer - not for every non-paying customer.
That means they're filesharers - filthy pirates who have to pay 150,000 US$ per incident of filesharing.
Just Slashdot alone is probably responsible for a few thousand incidents like this
But of course, that's not how the world works, is it?
We do not live in the 21st century. We live in the 20 second century.
Lesson #1. If your company sucks at security, blame it on the hackers.
Privacy is terrorism.
Nonsense! After all, it's already on your hard drive in your browser cache. That would be like someone giving you a book and making you pinky swear not to read beyond the title before joining their super-secret club. I refuse to consider it stealing when the 'object' has effectively been given to me.
This entire thread is just silly. There exist a myriad of ways to protect content on the Internet, a simple .htpasswd file comes to mind in this situation. Taking action against people for redistributing the content is understandable and encouraged, but taking action against people for pointing out (linking) something you're distributing on your network is absolutely laughable.
I just read Slashdot for the articles.
Yeah, now at least I can understand what they're saying on TV. It's still crap, but at least I can understand it.
FYI, I'm using a Nokia E90, but any S60 phone should do:
1) start the 'Gallery' application
2) select 'Streaming links'
3) 'Options', 'New link'
4) select either 'Phone memory' or your memory card (whatever it's called) - I selected my memory card - then 'OK'
5) Enter a name for the stream, say the channel name that's in the file - eg "A and E Mobile", then 'OK'
6) Enter the URL as is in the file, including the rtsp:// - then 'ok'
then you get an entry in your 'streaming links' list, which you can click on. That will inform you that a connection to the server is needed and ask if that's ok - press 'ok' (if it's ok).
It didn't work the first time for me because I had the default access point set to a network that wasn't accessible. I'm using wifi, of course - YMMV on a cell network (perhaps they block various ports).
Max.
Have these people learned nothing from past mistakes?