TorrentSpy: second round for studios

At the end of March, under pressure from the studios, TorrentSpy ceased to operate (see TorrentSpy: first round for studios). A Californian federal judge has now knocked TorrentSpy down a second time, ordering it to pay $111M (€72M) to the MPAA. This high penalty is mostly due to the accusation that TorrentSpy destroyed evidence: TorrentSpy refused to give information about its “customers” and destroyed the corresponding data.

Having ceased all activity, TorrentSpy will not be able to pay the MPAA. But the message is a strong warning for tracker sites based in the United States. Will it have any impact on the other tracker sites (for instance The Pirate Bay or Mininova)?

RIAA forecasts the return of DRM

At the last Digital Hollywood conference, David HUGHES, head of the RIAA’s technology division, forecast that DRM will return to protect music. His rationale is simple. He listed 22 ways (or should we say business models) to sell music. Twenty of them require some way to enforce limitations on consumption, i.e. DRM.

In fact, HUGHES highlighted one characteristic of DRM that is often forgotten: DRM facilitates versioning, i.e., different types of commercialization of the same song. Currently, DRM-free songs are sold either as a single song or as a full album. Other ways, for instance as part of a subscription or as pay per listen, may sell the same song at a lower price (but with less freedom of consumption). But these methods require limiting consumption to the defined limits (for instance to a single play in the case of pay per listen). This is where DRM comes back.

HUGHES stressed that DRM should become transparent for consumers. Then they would not care about it any more.

Currently, DRM-free is the trend in the music industry. The four majors sell some songs DRM-free. Nevertheless, if they find new ways to sell songs, HUGHES may be right.

Mashup security

A new trend in Web design is to add many mashup gadgets to Web 2.0 sites. Many sites offer huge libraries of such mashups. Adding mashups to a site is extremely simple. Mashups easily add more features, a more professional look, etc. Unfortunately, they also add potential vulnerabilities.

A mashup is a piece of source code (often Java) built on an Ajax framework. It has a known, “documented” set of features. But are there no hidden features? Potentially, some of the code could leak data. It is interesting to see that people may be very careful with incoming mail, but totally unaware of mashups, and accept any of them as soon as it looks good. Once more it is a question of trust: do you trust the developer of the mashup?

IBM has proposed an authentication framework for mashups: SMash. It is an open source project. This is a first step. But the fact that the source is authenticated does not mean that the mashup does not carry a bad payload. The questions should be: do you know the authenticated entity? Do you trust it? Can you examine the code?

Other companies such as MICROSOFT are also working on the topic. No doubt mashup security will soon become a hot topic once the first malware mashups become mainstream.

Nintendo strikes back at the linkers

The Nintendo DS is heavily hacked through the use of extension cards, so-called linkers. With these cards, it is possible to play any available game “ROM”. Officially, these linkers only allow playing backups rather than the original game cartridge. A linker may store several games. Nevertheless, the ROMs of every published game are widely available on the Internet. Interestingly, these linkers do not require any modification of the host console. This is not the case, for instance, for Nintendo Wii hacks, which require hardware modifications.

Interestingly, Final Fantasy: Crystal Chronicles behaved strangely when used with some linkers. After 20 minutes, the DS displayed the screen “Thank you for playing” and stopped the game. Only the most widely sold linkers (i.e. M3 and R4) were affected. Linkers using other technologies, such as Cycloid or Sunny Flash, were not affected.

On the forums, the debate was raging. Two schools were fighting. Some claimed that it was a bug in the linker: this type of linker patches the ROM. Others claimed that it was a new copy protection scheme designed by Nintendo that targeted the two main linkers. The second hypothesis was favored. A bug that neatly ends with a greeting screen is highly unlikely. Whoow, I would have dreamed of such nice bugs when I wrote software ;-).

The first response from the linkers’ providers was to distribute a clean, patched ROM of Crystal Chronicles. It took them several days. The second riposte was to issue a new release (1.17) of the firmware that solved the problem. It took them several weeks.

Conclusions
It seems that it was a nice strike from Nintendo. Of course, the hackers won in the end (this is law 1). Nevertheless, the story raises interesting thoughts and questions:
1- The way to counter the linkers was elegant and smart. Rather than stopping the game brutally, it lets the user play for a while, as a teaser. This frustrates dishonest users (especially if the game is a good one). Nintendo already used this strategy on the Game Boy.
2- NINTENDO gained several weeks, which is sufficient in the game industry. Most of a game’s sales are made during the few weeks following the launch. It would be interesting to see whether there was a visible impact on sales (for instance a bounce once the news spread in the forums).
3- Will NINTENDO be able to reproduce this strike with other games, like the foreseen strategy of BD+?

Last issue of security newsletter is available

Security newsletter 9 is available. Our guest is Antoine JOUX (a well-known cryptographer). Together with the latest news, you will learn how to crack WEP in less than 6 minutes, that NOSTRADAMUS predicted the next US president, and everything about the security of MPLS. The last article explains in detail the attack on disk encryption through freezing the memory, a great exploit from Princeton University.

The previous issues are available here.

6 May: Oops! Bad links. Thank you MK ;-)

Goolag Scanner: the latest product from Cult of the Dead Cow

Recently, the Cult of the Dead Cow (cDc) released a new powerful hacking tool: Goolag Scanner. cDc is a famous group of hackers. They are used to providing serious “hacking” tools, such as the famous Back Orifice (remote administration of a computer).

Goolag Scanner scans a web site for more than 1000 known vulnerabilities. The originality of this new tool is that the scan is not direct: it is done using Google requests. Thus, the scanned site is not aware that it is being scanned! Facing this new method, Google decided to limit the number of simultaneous queries for a site. The risk is that Google may blacklist the querying IP address. This makes the scan tedious. We may expect that cDc will soon issue a version with a “batch” mode that would counter this blacklisting.

The obvious countermeasure is to have all the vulnerabilities patched. Another one is to have a robots.txt file listing the files allowed to be indexed by the bot and the forbidden ones. Google obeys the rules defined by robots.txt. Unfortunately, some indexing tools do not care about robots.txt.
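As an added example (not from the post, and not part of Goolag Scanner), here is how an administrator can check which of their own site's paths a robots.txt-respecting crawler such as Google would still index, using Python's standard `urllib.robotparser`. The robots.txt, the site paths and the host name are constructed sample data.

```python
from urllib.robotparser import RobotFileParser

# Constructed robots.txt for a hypothetical site (sample data, not from the post).
ROBOTS_TXT = """\
User-agent: *
Disallow: /admin/
Disallow: /backup/
Allow: /
"""

# Constructed list of paths that exist on the hypothetical site.
SITE_PATHS = [
    "/index.html",
    "/admin/login.php",
    "/backup/site.sql",
    "/uploads/config.bak",
]

# Substrings that suggest a path should never be reachable through a search engine.
SENSITIVE_MARKERS = ("admin", "backup", ".sql", ".bak", "config")


def indexable_paths(robots_txt, paths, host="example.com", agent="Googlebot"):
    """Return the subset of paths that a crawler obeying robots_txt may fetch and index."""
    rp = RobotFileParser()
    rp.parse(robots_txt.splitlines())  # parse the text directly, no network access
    return [p for p in paths if rp.can_fetch(agent, f"http://{host}{p}")]


def exposed_sensitive_paths(robots_txt, paths):
    """Paths that look sensitive and are still open to a search engine's index."""
    return [
        p
        for p in indexable_paths(robots_txt, paths)
        if any(marker in p.lower() for marker in SENSITIVE_MARKERS)
    ]


if __name__ == "__main__":
    # Expected: /uploads/config.bak is indexable because no rule covers /uploads/.
    for path in exposed_sensitive_paths(ROBOTS_TXT, SITE_PATHS):
        print("still indexable:", path)
```

Note that the Disallow lines are themselves public, so robots.txt only keeps well-behaved crawlers away; the real fix for a sensitive file is to remove it from the web root or put it behind authentication.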

Is Goolag Scanner an evil tool? As with all cDc’s tools, it will of course be used by hackers. But it can also be used by administrators as an administration tool. BO2K is an efficient remote administration tool. Goolag Scanner is an efficient vulnerability scanner. Administrators should use them, at least to be on a level with the hackers.

RIAA attacks Project Playlist

RIAA is suing Project Playlist. RIAA claims that “Project Playlist performs and reproduces Plaintiffs’ valuable works (and induces and enables others to do so) without any authorization whatsoever and without paying any compensation whatsoever.”

Project Playlist allows users to build playlists and share them through social networks such as MySpace. In fact, Project Playlist does not store any songs. It offers a search tool that proposes only content found on public Internet sites. Here is the description of their music search engine:

Our internet search engine allows you to locate media files that are freely available on the world wide web. The listings in our search engine are automatically gathered from music blogs, trade-friendly concert archives, artist websites, record label websites and other public sources. In addition to automatic gathering, we accept submissions to our search engine by our users.

Unfortunately, being available on a web site does not mean copyright-free. Sources such as blogs, for instance, are often not very careful about copyright. Thus, when giving access to the site hosting the link, Project Playlist displays a banner with a legal notice:

Below is the website (http://xxx.xxx/) containing the music file. Some music files located in this site may be subject to copyright. To be safe, don’t download from this site. If you like it, click here to download from iTunes or you can download the ringtone!

The page about copyright notices is extremely interesting to read. Some extracts:

Project Playlist, Inc. aspires to index and organize the music on the Internet in a responsible and efficient manner, and is therefore committed to copyright protection.

The creators and publishers of the songs you hear through project playlist.com or our embedded music player, are being paid a royalty for their work if they are members of ASCAP, BMI or SESAC or any one of over 125 other PSOs that represent songwriters and music publishers around the world. The more a song is included on our users’ playlists, the more royalties the writer and publisher of that song are paid by Project Playlist, Inc.

Our users are also allowed to post URLs of music files that they discover on the Internet. Our Terms of Use Agreement prohibits a user from posting a link to a music file that the user knows is not posted by the artist, record label, a music blogger or other third party for promotional or other legal uses.

Will it be sufficient for the RIAA? Wait and see.