Before anyone mentiones about it, yes, I did check the commented out images too. They're funny cats as well, probably commented out to ease the load of the page.
Other gems from the list: www.kids.net.au/forward.php?url=www.energizingbuddies.cc/... apparently the domain expired, and the ACMA decided to censor the redirect link instead of telling kids.net.au to remove the link! The whole forward.php has disappeared since, as well as that entry, the energizingbuddies.cc existed back in 2002...
The happysong.com.tw url... which has phpBB2 url with a sid in it. A session ID! So, nobody browsing the forum would actually get their access censored, only the guy with that specific session ID and the people that link to that specific URL.
Ofcourse, 4chan's/b/ and encyclopedia dramatica are on the list, too. Since they censor stuff like animal cruelty as well I can understand that, because there probably is plenty of risque material on the sites.
Also spotted sam hocevar's (VLC developer) site on the list, with two urls. Apparently he saved an animal abuse image from 4chan and somehow got it on the ACMA blacklist.
There are also plenty of porn sites with a referrer in the url, a lot of TGP's like that on the list. Shows that whoever submitted them for review was browsing porn and actively clicking around. Some of the sites are listed multiple times with different referrer IDs in the URLs too, egrep '/\?(id=)?[a-z.]*.?$' for a list. One site is listed 3 times with different referrer in the URL:)
A bunch of newsgroups have been censored at either myusenet.net, free-usenet.net, groups.google.com, groups.google.com.au or usenet-replayer.com. Only single groups, pages or messages. And ofcourse, the same content is still available at the other usenet archive sites.
Well, that's some gems to begin with. Haven't bothered doing a full analysis of the content, kinda lacking the willpower to do more than just random dabbling.
Not a hoax. I've confirmed it myself by ripping websites_ACMA.txt out of Integard filtering software. Even if it's not identical to ACMA's own list, it damn well is identical to Integard's version of ACMA's list.
My favourite from the list: files.kavefish.com/pictures/collections/funny_cat_pictures/_index-list.html
It's just funny cat pictures and nothing suggets there's ever been anything else.
Also, the list (although a month older than one on Wikileaks) can be obtained from Integard filter software. Hex edit the integard.exe and change first occurence of "datetimepicker.js" to websites_ACMA.txt, then login to integard's webUI and request that file. Apparently there's a whitelist of files the webUI server can give to the user. I've confirmed myself that the lolcats URL is indeed in that ACMA file from the filter software...
>> They called him for questioning on Wednesday 20 February 2008. > Oh my god! I time-travelled 2 days in the future? Or maybe Finland is on GMT+42?
The date is accurate for the questioning, the news just travels so fast that the actual questioning hasn't happened yet. They sent the "invitation" last friday (15th), and it arrived in mail this monday (18th). I got a prior notice about it through email though.
Actually, Someone's been checking through the whole list I've published and it now appears perhaps ~15 out of 1000 might be child porn. I haven't verified this yet and I'll have to go sleep soon too so I'll do it later. Still, that's a fairly small portion. I might have to back down my claims that 99% appear legit and say that 98.5% seem legit:)
The references to and instrument store and doll store both relate to same blocked domain. Specifically, it's a whole Japanese ISP's web server. One of the users probably has something the Finnish Police doesn't like, and that's all it takes to block the entire server.
The reference to "Windows tips in Thai" is to a whole ISP's server blocked in Thailand. They provide free web boards, so it's fairly reasonable to assume that those free boards are used to post child porn links. Child porn groups tend to communicate over forgotten guestbooks, forums, they use freesites to publish stuff, etc.
The whole point is that these legit sites are collateral damage, and the police doesn't care the slightest about it. As a matter of fact, the police has released a FAQ which quite directly suggests that since there are so many sites on the internet it doesn't matter if a few of them are blocked.
"Finnish ISPs are required by law to block access to sites on the list, according to The Register"
Actually, The Register doesn't say this. There exists a law specifically crafted due to this child porn censorship program, but it technically doesn't mandate ISPs into participating to the censorship. Well, except for the fact that the people behind the law have made public statements that if voluntary "self-regulation" isn't enough, then there will be such a law. So, it's not exactly voluntary when the ISPs are being threatened, but technically they can claim it's not required by the law...
Anyway, regarding the free speech advocate who has gotten his site censored, that's me. I've written a little bit of text in English about my page and the situation.
Unfortunately, the only people to profit from filtering are people who sell filtering systems and the pedos who will setup more secure distribution channels out of necessity. Oh, and ISPs who will use this for PR purposes. And "child rights" groups who only want to police the children and will secure more funding through all the attention they get from these kind of pointless operations...
This kind of pointless action doesn't help anyone except those who hunger for power. The people who try to objectively evaluate the situation are flagged as pedophiles due to subject being such a taboo.
In the long run, all filtering schemes will only make distribution systems stronger. Child porn is already distributed in password protected rar files in certain places, and anonymous p2p networks have hundreds of gigabytes of the material in circulation. Technology isn't the problem here, the problem are the people who distribute the material. Any attacks on technology will fail as long as the people and their interests remain.
Essentially, any filtering mechanism depends on ability to detect the illegal act. If you prevent every method of distribution possible, the only channels left for child porn distributions are ones which are currently impossible to detect. Thus, in the long run this will only make it safer and more secure for people to download child porn. With filtering in place, the end users will know that if they're able to get the material, it means it probably cannot be traced.
If you want real solutions to the child porn problem, you should attack the people involved. "Divide and conquer" is the basic strategy, the different groups have to be isolated from each others and dismantled. Currently there are large anonymous p2p networks which are mainly run by people who want to share files, namely to perform copyright infringement. The child porn distributors use the same networks. If you want to eliminate child porn, you need to isolate these two groups from each others by giving them different goals. Currently, they both want to hide what they're doing from the authorities. One straightforward solution would be to allow filesharing for non-commercial purposes and encourage it to be done in plain sight and moderated networks, so child porn distributors couldn't piggyback in warez networks. Not going to happen anytime soon, eh, so does anyone else have any other ideas?
You can also find my research and opinions about the issue linked from there. Please send mail if you have anything to add or any corrections to my content.
I can confirm that there exists an execution path between XCP code and DeDRMS. However, navigating executables isn't like using road maps, so I have no idea under which conditions this execution path activates. It exists, however, which means the code really uses it directly or indirectly. Now it's up to the data flow to determine when it gets triggered, and analyzing that will take longer...
It indeed doesn't make much sense to include all these things there. Most likely, they just stole some bigger piece of code and got all the little features as an extra bonus. That'd be the most simple explanation, anyway, and it'd make sense too.
These pieces are definitely not for identifying or disabling software, they're linked into the executables just like all other libraries normally are. There are execution paths throughout the thing. I was just able to find an execution path from a function that has a string "CDXCP3" to the DeDRMS code. I'd say this first one is XCP specific, although it'd take more research to find out how exactly the code uses this stuff.
Reverse engineering takes times, especially since I don't have access to latest and greatest commercial tools that exist for tasks like this. The only reason this stuff is staying unanalyzed is because the protection is used on a CDs that very few computer experts would ever buy. Or at least I wouldn't:)
Regarding GO.EXE, it's a cockup. I've posted a few other posts here explaining the real situation. LAME along with some other LGPL code is being used in other binaries on the DRM, I couldn't initially find them since they're compressed in XCP.DAT on the cd but they get installed on the system.
That only concerns GO.EXE, and while the analysis is correct for that executable, I checked for LAME references against every binary in the compressed XCP.DAT file after I managed to unpack it (thanks to freedom-to-tinker.com guys for providing description of the format). Turns out, there's more binaries including references to LAME, and this time there's actually code that uses the data as well. And not just LAME, there's also Id3lib included in one dll, and bladeenc and mpglib distributed along with the DRM. All of this is LGPL, it's code, and it's being used.
Wrong, it isn't used for identifying anything. The GO.EXE only contains the strings and data but it isn't used there. I wasn't able to find any code in the executable that uses the data (for any purposes), and I looked pretty hard. It's been statically linked but unused. HOWEVER, there are more binaries on the CD compressed in XCP.DAT, which get installed to the system along with the DRM crap. At least one of these binaries contain LAME code for certain. The GO.EXE might not be enough for a case, but that's just the tip of the iceberg. There's real infringement in at least one other executable.
The GO.EXE doesn't appear to contain LAME code even though it has been linked against it, however at least ECDPlayerControl.ocx on the CD (packed in XCP.DAT, installed along DRM) does contain code from LAME. It also uses Id3lib and mpglib, without attribution or any licenses shipped along. I spotted bladeenc dll there as well.
Check the bottom of my research page for info, http://hack.fi/~muzzy/sony-drm/ There's not much there at the moment but I'll be adding information as soon as everything can be properly confirmed and evidence gathered.
Well, since the version strings in question are generated by macros when version.c is compiled, it is 100% clear that the translation units containing lame code have been statically linked against the exe. Most if not all of it has been removed by optimizing compiler, though, so there's the POTENTIAL for violation if any of the code remains and is used. Either way, I'd like to know why it was linked. That's pretty difficult to do by accident, really...
Re:The $sys$ prefixing thing was apparently wrong
on
Sony Rootkit Phones Home
·
· Score: 2, Informative
Heh, it's OK. I should've nuked the first comment the very moment I realized it was wrong, not after getting submitted to slashdot. I didn't realize I could do that since I only created blogger.com account to post to Mark's blog and was totally unaware of any features it had:o
Ohwell, all publicity is good publicity, even if it makes me look like a jerk for a day:)
Sorry, no bonus. The Van Zant CD with the rootkit has a CDDA logo. It's a multisession CD with real audio tracks with malware on a data track. Plus apparently one extra data track without filesystem, no idea what that is, shows up in my ripper.
In the front cover, no notice of protection. On the side, no notice. On the back, facing towards front, on left side of the cover (you know), there's "Content enhanced & Protected" text. On the reverse side, it says "Certain computers may not be able to access the digital file portion of this disc. Use subject to applicable end user license agreement". It says it needs a mac or PC with windows, pentium II, IE5, DirectX 9, 128M ram. Says that ripping with windows media player 9.0 works, and is compatible with Windows Media portable devices and Sony Walkmans.
So, yea, it pretends to be a CD. I don't know the standards to know if this is really a valid audio cd since it's multisession. It's definitely about trying to screw the consumer, though, since it tries to break the cd playback ability of the computer with the malware it ships with, under guise of "DRM".
Re:The $sys$ prefixing thing was apparently wrong
on
Sony Rootkit Phones Home
·
· Score: 5, Insightful
Btw, Since distracting CD-ROM functionality by randomizing the signal a little seems to be "OK", you can expect the record companies to target P2P apps with future DRM systems. If it's OK to screw your system and ripping software, it's going to be ok to screw your p2p if they think you're sharing their stuff. This kind of malware along with DRM is a slippery slope, and you'll never know where it ends if you tolerate it even a little.
Re:The $sys$ prefixing thing was apparently wrong
on
Sony Rootkit Phones Home
·
· Score: 5, Interesting
It won't install under Virtual PC. It requires that the CD is in drive during installation, and doesn't detect this to be the case when using Virtual PC. It probably just can't handle multisession CDs...
Anyway, as a bonus, even though the rootkit doesn't install in virtual PC, it still calls home and tells sony about you:)
Go and check it yourself, and compare to lame sources. The data from tables.c is included in the executable in identical form (several large tables), also all the version strings are included, which the DRM system doesn't check.
The data is there, the big question is if it was linked accidently, or if it actually uses LAME code as well.
Slashdot Mirror
Before anyone mentiones about it, yes, I did check the commented out images too. They're funny cats as well, probably commented out to ease the load of the page.
Other gems from the list: ... apparently the domain expired, and the ACMA decided to censor the redirect link instead of telling kids.net.au to remove the link!
www.kids.net.au/forward.php?url=www.energizingbuddies.cc/
The whole forward.php has disappeared since, as well as that entry, the energizingbuddies.cc existed back in 2002...
The happysong.com.tw url ... which has phpBB2 url with a sid in it. A session ID! So, nobody browsing the forum would actually get their access censored, only the guy with that specific session ID and the people that link to that specific URL.
Ofcourse, 4chan's /b/ and encyclopedia dramatica are on the list, too. Since they censor stuff like animal cruelty as well I can understand that, because there probably is plenty of risque material on the sites.
Also spotted sam hocevar's (VLC developer) site on the list, with two urls. Apparently he saved an animal abuse image from 4chan and somehow got it on the ACMA blacklist.
There are also plenty of porn sites with a referrer in the url, a lot of TGP's like that on the list. Shows that whoever submitted them for review was browsing porn and actively clicking around. Some of the sites are listed multiple times with different referrer IDs in the URLs too, egrep '/\?(id=)?[a-z.]*.?$' for a list. One site is listed 3 times with different referrer in the URL :)
A bunch of newsgroups have been censored at either myusenet.net, free-usenet.net, groups.google.com, groups.google.com.au or usenet-replayer.com. Only single groups, pages or messages. And ofcourse, the same content is still available at the other usenet archive sites.
Well, that's some gems to begin with. Haven't bothered doing a full analysis of the content, kinda lacking the willpower to do more than just random dabbling.
Not a hoax. I've confirmed it myself by ripping websites_ACMA.txt out of Integard filtering software. Even if it's not identical to ACMA's own list, it damn well is identical to Integard's version of ACMA's list.
The list is real.
My favourite from the list: files.kavefish.com/pictures/collections/funny_cat_pictures/_index-list.html
It's just funny cat pictures and nothing suggets there's ever been anything else.
Also, the list (although a month older than one on Wikileaks) can be obtained from Integard filter software. Hex edit the integard.exe and change first occurence of "datetimepicker.js" to websites_ACMA.txt, then login to integard's webUI and request that file. Apparently there's a whitelist of files the webUI server can give to the user. I've confirmed myself that the lolcats URL is indeed in that ACMA file from the filter software...
Norway has a different list, with different kind of sites blocked.
Here's a partial list for Norway: http://lapsiporno.info/blocked.nextgentel
Heck, here's one for Sweden, too: http://lapsiporno.info/blocked.glocalnet
And now that I'm at it, Denmark: http://lapsiporno.info/blocked.cybercity
Also, it might be just a matter of time until Finnish Police tries to push my site into lists of other countries too.
>> They called him for questioning on Wednesday 20 February 2008.
> Oh my god! I time-travelled 2 days in the future? Or maybe Finland is on GMT+42?
The date is accurate for the questioning, the news just travels so fast that the actual questioning hasn't happened yet. They sent the "invitation" last friday (15th), and it arrived in mail this monday (18th). I got a prior notice about it through email though.
Actually, Someone's been checking through the whole list I've published and it now appears perhaps ~15 out of 1000 might be child porn. I haven't verified this yet and I'll have to go sleep soon too so I'll do it later. Still, that's a fairly small portion. I might have to back down my claims that 99% appear legit and say that 98.5% seem legit :)
The references to and instrument store and doll store both relate to same blocked domain. Specifically, it's a whole Japanese ISP's web server. One of the users probably has something the Finnish Police doesn't like, and that's all it takes to block the entire server.
The reference to "Windows tips in Thai" is to a whole ISP's server blocked in Thailand. They provide free web boards, so it's fairly reasonable to assume that those free boards are used to post child porn links. Child porn groups tend to communicate over forgotten guestbooks, forums, they use freesites to publish stuff, etc.
The whole point is that these legit sites are collateral damage, and the police doesn't care the slightest about it. As a matter of fact, the police has released a FAQ which quite directly suggests that since there are so many sites on the internet it doesn't matter if a few of them are blocked.
"Finnish ISPs are required by law to block access to sites on the list, according to The Register"
Actually, The Register doesn't say this. There exists a law specifically crafted due to this child porn censorship program, but it technically doesn't mandate ISPs into participating to the censorship. Well, except for the fact that the people behind the law have made public statements that if voluntary "self-regulation" isn't enough, then there will be such a law. So, it's not exactly voluntary when the ISPs are being threatened, but technically they can claim it's not required by the law...
Anyway, regarding the free speech advocate who has gotten his site censored, that's me. I've written a little bit of text in English about my page and the situation.
Unfortunately, the only people to profit from filtering are people who sell filtering systems and the pedos who will setup more secure distribution channels out of necessity. Oh, and ISPs who will use this for PR purposes. And "child rights" groups who only want to police the children and will secure more funding through all the attention they get from these kind of pointless operations...
This kind of pointless action doesn't help anyone except those who hunger for power. The people who try to objectively evaluate the situation are flagged as pedophiles due to subject being such a taboo.
In the long run, all filtering schemes will only make distribution systems stronger. Child porn is already distributed in password protected rar files in certain places, and anonymous p2p networks have hundreds of gigabytes of the material in circulation. Technology isn't the problem here, the problem are the people who distribute the material. Any attacks on technology will fail as long as the people and their interests remain.
Essentially, any filtering mechanism depends on ability to detect the illegal act. If you prevent every method of distribution possible, the only channels left for child porn distributions are ones which are currently impossible to detect. Thus, in the long run this will only make it safer and more secure for people to download child porn. With filtering in place, the end users will know that if they're able to get the material, it means it probably cannot be traced.
If you want real solutions to the child porn problem, you should attack the people involved. "Divide and conquer" is the basic strategy, the different groups have to be isolated from each others and dismantled. Currently there are large anonymous p2p networks which are mainly run by people who want to share files, namely to perform copyright infringement. The child porn distributors use the same networks. If you want to eliminate child porn, you need to isolate these two groups from each others by giving them different goals. Currently, they both want to hide what they're doing from the authorities. One straightforward solution would be to allow filesharing for non-commercial purposes and encourage it to be done in plain sight and moderated networks, so child porn distributors couldn't piggyback in warez networks. Not going to happen anytime soon, eh, so does anyone else have any other ideas?
I'm sure he feels super
I've written some pages about Sony's XCP DRM system.
Summary about the DRM, what it does, and what its problems are: http://hack.fi/~muzzy/sony-drm/info.html
You can also find my research and opinions about the issue linked from there. Please send mail if you have anything to add or any corrections to my content.
I can confirm that there exists an execution path between XCP code and DeDRMS. However, navigating executables isn't like using road maps, so I have no idea under which conditions this execution path activates. It exists, however, which means the code really uses it directly or indirectly. Now it's up to the data flow to determine when it gets triggered, and analyzing that will take longer...
It indeed doesn't make much sense to include all these things there. Most likely, they just stole some bigger piece of code and got all the little features as an extra bonus. That'd be the most simple explanation, anyway, and it'd make sense too.
:)
These pieces are definitely not for identifying or disabling software, they're linked into the executables just like all other libraries normally are. There are execution paths throughout the thing. I was just able to find an execution path from a function that has a string "CDXCP3" to the DeDRMS code. I'd say this first one is XCP specific, although it'd take more research to find out how exactly the code uses this stuff.
Reverse engineering takes times, especially since I don't have access to latest and greatest commercial tools that exist for tasks like this. The only reason this stuff is staying unanalyzed is because the protection is used on a CDs that very few computer experts would ever buy. Or at least I wouldn't
That's outdated. mpglib was relicensed under LGPL some years ago already, check www.mpg123.de
Regarding GO.EXE, it's a cockup. I've posted a few other posts here explaining the real situation. LAME along with some other LGPL code is being used in other binaries on the DRM, I couldn't initially find them since they're compressed in XCP.DAT on the cd but they get installed on the system.
That only concerns GO.EXE, and while the analysis is correct for that executable, I checked for LAME references against every binary in the compressed XCP.DAT file after I managed to unpack it (thanks to freedom-to-tinker.com guys for providing description of the format). Turns out, there's more binaries including references to LAME, and this time there's actually code that uses the data as well. And not just LAME, there's also Id3lib included in one dll, and bladeenc and mpglib distributed along with the DRM. All of this is LGPL, it's code, and it's being used.
Wrong, it isn't used for identifying anything. The GO.EXE only contains the strings and data but it isn't used there. I wasn't able to find any code in the executable that uses the data (for any purposes), and I looked pretty hard. It's been statically linked but unused. HOWEVER, there are more binaries on the CD compressed in XCP.DAT, which get installed to the system along with the DRM crap. At least one of these binaries contain LAME code for certain. The GO.EXE might not be enough for a case, but that's just the tip of the iceberg. There's real infringement in at least one other executable.
The GO.EXE doesn't appear to contain LAME code even though it has been linked against it, however at least ECDPlayerControl.ocx on the CD (packed in XCP.DAT, installed along DRM) does contain code from LAME. It also uses Id3lib and mpglib, without attribution or any licenses shipped along. I spotted bladeenc dll there as well.
Check the bottom of my research page for info, http://hack.fi/~muzzy/sony-drm/
There's not much there at the moment but I'll be adding information as soon as everything can be properly confirmed and evidence gathered.
Well, since the version strings in question are generated by macros when version.c is compiled, it is 100% clear that the translation units containing lame code have been statically linked against the exe. Most if not all of it has been removed by optimizing compiler, though, so there's the POTENTIAL for violation if any of the code remains and is used. Either way, I'd like to know why it was linked. That's pretty difficult to do by accident, really...
Heh, it's OK. I should've nuked the first comment the very moment I realized it was wrong, not after getting submitted to slashdot. I didn't realize I could do that since I only created blogger.com account to post to Mark's blog and was totally unaware of any features it had :o
:)
Ohwell, all publicity is good publicity, even if it makes me look like a jerk for a day
Sorry, no bonus. The Van Zant CD with the rootkit has a CDDA logo. It's a multisession CD with real audio tracks with malware on a data track. Plus apparently one extra data track without filesystem, no idea what that is, shows up in my ripper.
In the front cover, no notice of protection. On the side, no notice. On the back, facing towards front, on left side of the cover (you know), there's "Content enhanced & Protected" text. On the reverse side, it says "Certain computers may not be able to access the digital file portion of this disc. Use subject to applicable end user license agreement". It says it needs a mac or PC with windows, pentium II, IE5, DirectX 9, 128M ram. Says that ripping with windows media player 9.0 works, and is compatible with Windows Media portable devices and Sony Walkmans.
So, yea, it pretends to be a CD. I don't know the standards to know if this is really a valid audio cd since it's multisession. It's definitely about trying to screw the consumer, though, since it tries to break the cd playback ability of the computer with the malware it ships with, under guise of "DRM".
Btw, Since distracting CD-ROM functionality by randomizing the signal a little seems to be "OK", you can expect the record companies to target P2P apps with future DRM systems. If it's OK to screw your system and ripping software, it's going to be ok to screw your p2p if they think you're sharing their stuff. This kind of malware along with DRM is a slippery slope, and you'll never know where it ends if you tolerate it even a little.
It won't install under Virtual PC. It requires that the CD is in drive during installation, and doesn't detect this to be the case when using Virtual PC. It probably just can't handle multisession CDs...
:)
Anyway, as a bonus, even though the rootkit doesn't install in virtual PC, it still calls home and tells sony about you
Go and check it yourself, and compare to lame sources. The data from tables.c is included in the executable in identical form (several large tables), also all the version strings are included, which the DRM system doesn't check.
The data is there, the big question is if it was linked accidently, or if it actually uses LAME code as well.