RIAA/MPAA Contractor Deploys Malicious Adware Trojans 883
RichardX writes "Overpeer, the organization responsible for seeding many peer to peer networks with damaged, corrupt and fake files has now found a way of hiding spyware and adware inside Windows Media files by using a DRM loophole and is using this technique to further pollute p2p networks." Several readers sent in a PCworld article on the same subject.
I Wonder... (Score:5, Insightful)
lawsuit? (Score:1, Insightful)
If they can do it... (Score:5, Insightful)
I wonder.. (Score:5, Insightful)
wmf? Probably misguided on their part (Score:5, Insightful)
Unbelievable (Score:2, Insightful)
People should stop taking such a passive stance to all the criminal acts committed by the MPAA and RIAA. Fight fire with fire.
Comment removed (Score:5, Insightful)
Re:If they can do it... (Score:2, Insightful)
Stay away from WMA files (Score:1, Insightful)
How hard is it to simply stick to MP3s? I avoid WMA files like the plague. Even if there is an exploit for MP3s, I doubt it would be effective on all clients.
Get legal and save yourself the trouble... (Score:1, Insightful)
If spyware/malware is illegal... (Score:2, Insightful)
After all, two wrongs don't make a right, no?
Ah Microsoft (Score:5, Insightful)
Re:Unbelievable (Score:2, Insightful)
Amusing. I thought that was what the RIAA and MPAA was doing.
Re:I Wonder... (Score:2, Insightful)
PS: Anyone that ever encodes anything to WMA/WMV is a MORAN anyway. They need to get a brain.
Re:So how.. (Score:5, Insightful)
Re:wmf? Probably misguided on their part (Score:1, Insightful)
The problem (Score:5, Insightful)
However, at the same time, said people are admitting in court that they downloaded (or attempted to download) media for which they didn't hold the copyright.
One possible way around this is if someone already has purchased the CD/DVD and wanted to download a copy so they could archive the original (because they have CD/DVD hardware that couldn't rip the original to disk). Of course, this idea has not been tested in court, and would probably be a protracted and expensive battle to fight.
Re:So how.. (Score:5, Insightful)
Re:If they can do it... (Score:5, Insightful)
as a format. Windows Media Player? Stick a fork
in it, it's done.
Pirated? (Score:4, Insightful)
then... (Score:1, Insightful)
Re:Virus?? (Score:5, Insightful)
Of course, if there is an easy way to get a product free, people are unlikely to demand it at any price other than free, and so the business will fail unless it can either stop the free distribution of its products, or start selling products that are more difficult to distribute for free.
Under these criteria, the model of selling content that is easily obtainable for free IS destined to fail, whether demand exists or not, since the demand exists at a price point (free) that is by definition unable to generate profits. This is why these organizations are so afraid of filesharing. They can't figure out a way to maintain their current business model, and they haven't figured out a viable alternative business model, in the presence of filesharing.
So if a hacker sets a virus loose, it's bad... (Score:5, Insightful)
However, they do have all right to do this in some respects. They are putting up crap on a P2P network, just like any other idiot. Still, what gets to me is the system in general. When a lone hacker writes a virus, he gets jail time. When a corporation writes a virus...
But then, what should P2P users do? If they're so serious about P2P, they'll either take the risk or find a new way of sharing files that finds the trojans and whatnot.
Although really, I'm surprised the government isn't stepping in right abou... Wait, nevermind.
vigilante justice (Score:1, Insightful)
Mr. Morgenstern's mindset is provincial. p2p networks span international borders. In Canada, downloading music from p2p networks is explicitly legal regardless of its origin. Thus, within Canada Mr. Morgenstern is promoting punishment of people who are not breaking the law, but merely going against his beliefs.
In Canada, those who attempt to punish people who haven't broken the law are called vigilantes and criminals. They go to jail when caught.
This is great! (Score:5, Insightful)
BTW, I remembered the option for something like "automatically download rights management software" when installing Windows Media Player, what, 10 is it now? I hesitantly clicked yes. Now that I've done so, I can't find an option inside of the program to say no. Odd.
So Scary! (Score:4, Insightful)
What many of you seem to fail to realize is that the purpose of this has nothing to do with actually damaging computers. Rather, what the recording industry is trying to do is stop people from using P2P. And they do this through fear. That's why they do the suing (your chances of getting sued are minimal, but plenty of people get scared and stop downloading). Now, plenty of morons (for who else would this tactic work on?) will hear that downloading music can give you viruses and adware - rumors will fly wildly.
At least, that's their hope. We'll see whether it works.
Re:Get legal and save yourself the trouble... (Score:3, Insightful)
Do you work for Microsoft, by chance? Perhaps the RIAA?
Re:I Wonder... (Score:5, Insightful)
Neither the RIAA nor MPAA would release any file unless they had permission to do so. It wouldn't be "copyright infringement" if they are granted the right to give you a copy.
Mod parent up (Score:4, Insightful)
Re:This is great! (Score:2, Insightful)
Illegal RIAA? (Score:2, Insightful)
Re:So how.. (Score:5, Insightful)
And yet, checking the local theater listings....
Yeah, piracy is bad. Not BAD, in all caps. Not Bad, with a capital B. But bad. But what the RIAA and MPAA are doing here is worse. It's sleazy, underhanded crap, and if a private citizen did shit like this, the hammer of the judicial system would get dropped on them in a heartbeat.
Kierthos
Terrorism (Score:5, Insightful)
The unlawful use or threatened use of force or violence by a person or an organized group against people or property with the intention of intimidating or coercing societies or governments, often for ideological or political reasons.
How is what the **AA are doing (hacking into music downloaders' computers and installing malware to further their cause against piracy) any different?
If this is the way they think they must do business, let's give 'em h*ll!
Re:Virus?? (Score:5, Insightful)
The media may be convinced that p2p is synonymous with illegal activity, but they love scaring viewers by "exposing" crimes that may be happening in your neighborhood! Right next door!
However, the "average user" is much more concerned with their pocketbook than with nebulous notions such as "intellectual property" and "digital rights management". When I bring up the subject to family members, friends and students, their eyes just sort of glaze over. I honestly don't think the average person gives a shit about copyright. The only people who care are those who make money by creating copyrighted works, and those who market/produce/protect those works.
At the high school where I teach and do tech support, the first RIAA lawsuits a few years ago sent a number of students and teachers scurrying to me to see if they might be in trouble for downloading music. My two favorites were the stoner kid who didn't realize he was sharing 4000+ songs on Kazaa, and the evangelical principal who subscribed to Roadrunner for the sole purpose of downloading Christian music (illegally).
The RIAA/MPAA fight is not one that they can ultimately win, because the rules have changed with the ease of copying. They should really look to the model that Scott Kurtz of PVP [pvponline.com] and Epitonic [epitonic.com] - give the content away as a means of promotion, then make your money selling related items such as t-shirts, books, concerts, etc. Sure, books and videos can also be pirated, but until they're as easily accessible as music is via an iPod or something similar, there's still money to be made. Hell, most bands make their money on tour from t-shirt sales.
Anyway, don't think for a second that the "average user" thinks p2p is "wrong" - most users I've encountered are just annoyed that it isn't easier to find things.
Re:I Wonder... (Score:4, Insightful)
Except in this case, the drug dealer is actually being paid by a corporation to distribute a substance that is normally just illegal but is now knowingly harmful (outside of the drug's regular effects). Isn't the corporation, who is sponsoring this harmful activity, legally culpable?
Re:Illegal? When large unsuable corps are involved (Score:5, Insightful)
Re:So how.. (Score:2, Insightful)
if that wasn't the case...the conversation would probably go something like this:
BigWig Holly Woodexec: Mr. Stuntman, we need you for this multi-million dollar budgeted movie we're making. The only stipulation is that you won't get paid until after the movie has had its theatre run, and we see how well it performed. What do you say?
Mr. Stuntman: So you're telling me that I have to set aside months of my life, risk my neck for all your big explosions, car chases, motorcycle jumps, and building plunge-offs, and I won't get paid until AFTER the movie has had its run in theatres AND you see how well it performed?
Bigwig: That's right.
Mr. Stuntman: What happens if the movie is a flop?
Bigwig: You don't get paid.
Meanwhile, our hero Mr. Stuntman has made a beeline for the exit as soon as the words "don't" were uttered. Hollywood wouldn't last very long if this were the case.
"THEIR" cracker, "OUR" copyrights guardian (Score:3, Insightful)
Re:Virus?? (Score:1, Insightful)
Both of the following are true:
1.) "If something you want is priced higher than you can afford, it does *not* mean the item is too expensive. It means *you cannot afford it*."
SOLUTIONS: Find a way to make more money, so the ceiling on "what you can afford" rises, or curb your demand so that you no longer desire the item in question.
2.) "If demand for your item at your price point does not meet your expectations, it does *not* mean people are cheap/jerks/criminals. It means *you have overestimated the value of your product*."
SOLUTIONS: Lower your price (thereby increasing demand) until demand meets your expectations... or scale back your expectation to match the demonstrated demand at your price point.
Many music downloaders don't like to recognize statement number one (or its attendant solutions). The RIAA doesn't like to recognize statement number two (and ITS attendant solutions).
Thus, it's no wonder that many (not all) music downloaders and the RIAA are not talking "to" each other, but rather talking "at" and "past" each other.
Er, anyone have proof/confirmation? (Score:5, Insightful)
The one thing that I find strange about this story is that try as I may, I can't seem to find any information from the "usual" security sources about exactly how this works--as far as I can recall, bugtraq and full-disclosure haven't touched these. Moreover, the only articles about this are the p2pnet one and the PC World one--and the former appears to be derived from the latter.
Both articles are also oddly vague--"security experts" are mentioned, but no specific names dropped, and there are no technical details given at all.
Can anyone provide independent confirmation of this? In particular, if you have details of how one can embed executable code in a wma or provide a sample of such code, please send them my way via brendandg [at] colby.tjs.org
Re:Virus?? (Score:3, Insightful)
Except for one thing: File sharing does have a "cost." It may not cost anything monetary, but it costs quite a bit of time and effort to hunt down good quality files that are what they say they are. Not to mention then correcting any incorrect meta-data. Combined with bad/corrupted files, files that are mislabeled, disconnects, incomplete albums - file sharing has a cost in time and effort.
This is why Apple's iTunes Music Store is working as well as it is. It's an easy way to download good quality files. It may cost some money, but it's not excessively difficult. I believe that currently Apple doesn't actually pull in a profit off the music store, but it shows that there is indeed demand for online music stores - even though a "free" alternative exists. (Although it remains to be seen whether or not Apple can make money off of it.)
As another example, Linux is free, but there still exists a market for selling pre-packaged Linux. Well, except that people give away pre-packed Linux. But people are willing to pay if they get something "extra" like an easy-to-use installer and a number to call if things go wrong. Making something "easy" is worth something.
There's still a cost with filesharing, it just isn't monetary. It's in time and effort. As long as the total cost (in time, money, and effort) of downloading music remains less than the total cost of legitimately purchasing the CD, there will be a large market for downloading music.
The RIAA needs to find a way to make paying them cost less than going around them. One way would be online music stores, since being able to download a track for a small fee is much nicer than having to go to a store. Their current plan appears to be to push the total effective cost of filesharing above the cost of CDs, which while a solution, probably isn't totally feasible and doesn't offer people what they really want (a cheap, easy way to download individual tracks).
Apple's iTunes Music Store looks like a good solution. Of course, they'll never totally eliminate filesharing, because for some people, their time and effort will always be less than whatever price they can offer them. But they can lower that group's number enough to remain profitable. (Kind of like they are right now.) And those people wouldn't be paying for music anyway.
Ut Oh, more grandmas... (Score:1, Insightful)
I guess that's big business for ya...
Re:If they can do it... (Score:5, Insightful)
Bing! You nailed it right there. Microsoft made an obvious policy decision long ago to shift development focus from end users to corporations, hence the ease with which 'bad' corporate users abuse the OS at the end user's expense.
Re:The problem (Score:3, Insightful)
Something very similar to this has been tested in court. Several years ago, mp3.com had a service to let you download mp3s of albums you owned.. ie, you put your CD into the drive and it verifies you have the album.. then you can download mp3s of the work. Well, at the end of the court fight, mp3.com lost a large judgement because even though the users of the service were downloading mp3s of albums they owned, mp3.com still did not have the legal authority to distribute the mp3 files. Only the copyright holder can have that legal authority.
So, if someone wanted to "download a copy so they could archive the original," the only ones legally allowed to give it to them would be the media companies, and don't expect that to happen anytime soon. While you might have the legal right to make a backup copy if you can, the media companies hate that "fair use" and are only going to make doing that as hard as they can.
Patch it? (Score:2, Insightful)
Re:I Wonder... (Score:2, Insightful)
It appears that we are in a bizarre universe when it comes to the question of legality in any of this.
Downloading music you don't own is illegal, but we do it anyway.
Downloading copyrighted software is illegal, but we do it anyway.
One would think that knowingly polluting an individual's machine is just as illegal. The RIAA is entering a weird world where they are justifying a bad action with another bad action. Fixing the problem would seem to have a whole lot more to do with education than with monkeying with code in files.
Even worse, all this is getting foisted onto consumers who don't know their ass from their elbow. In a lot of cases, you've got kids downloading material onto their parents' computer and thereby mucking up the works. Often the parents know little about how all of this works, and they are then unwitting victims of the actions of both the industry and the kids.
The only solution to this starts with decent ethical education.
Or, get everyone in the universe to listen to Grateful Dead shows downloaded from archive.org (or my kids' band at Pure Volume [purevolume.com] - they guarantee their downloads to be completely adware free).
Sue them... (Score:1, Insightful)
Misses the issue... (Score:3, Insightful)
Re:So how.. (Score:3, Insightful)
OR
Oh, I can't get a return... Well, I guess I'm not going to be investing and therefore not employing stuntmen or painters. Sorry, guys.
Now, do I personally believe that movies need to be made on the scale that they are these days? Fuck no. But it is true that fewer stuntmen will be employed if the perceived return of investing in a movie is reduced. I don't give a shit for the stuntmen's plea, but if you are one of those who do, then don't do things which would reduce the perceived return on investment.
Porch stereo (Score:5, Insightful)
So how about we set a stereo system out on the front porch and shoot the thief when he sets foot on our property? Like hell they're gonna steal my music!
When recording industries become vigilantes and the justice dept looks the other way, it certainly makes it acceptable for the rest of us. Road rage justice (I just DARE you to cut me off), merchants hanging shoplifters, etc. all is acceptable now. Even more interesting is that the punished party may not necessarily be the owner of the affected PC. Imagine Best Buy rent-a-cops torching your apartment building because they're getting even with you for shoplifting some CDs. So what if the building is owned by someone else? If the RIAA can torch anyone's PC if it has an infected file, it legitimizes any business coming after any property associated with any crime.
Quite a monster you've created, Justice.
Re:Terrorism (Score:4, Insightful)
The primary purpose of this move is not to hurt downloaders, as others have suggested. The intent is to further pollute the p2p networks and scare users away; if you might get something nasty installed on your computer by downloading music (most people wouldn't understand what could and could not infect their computer) then you might decide not to risk it at all, and just give up and become a good citizen. Yes, it's a fear tactic. In fact, they might be willing to be sued by the few people who actually get infected and complain, if it means they can scare away an order of magnitude more people from downloading anything. Most people won't get infected, and won't complain, and might also stop downloading. It's a calculated risk.
Re:So how.. (Score:3, Insightful)
Re:So how.. (Score:5, Insightful)
Re:So how.. (Score:3, Insightful)
It almost makes you wish they'd just put the actors to whine in front of the camera.. "I used to make millions, and now thanks to those evil pirates, I get paid less than the painter.. the fucking PAINTER!!"
Re:So how.. (Score:3, Insightful)
contactus [overpeer.com]
Re:Illegal? When large unsuable corps are involved (Score:2, Insightful)
The whole AV industry is based on a ridiculous premise: that users habitually execute untrusted software, and the users want to be protected from anything bad happening. If the very premise is a contradiction and impossible to achieve, then the question of whether fraud (or incompetence) is happening, gets a little fuzzy.
The only rational thing for a user to do, is to stop executing untrusted software. And it works. It is very, very easy to use a computer without any sort of AV protection at all, and remain uninfected by viruses, spyware, etc.
In this particular case, the untrusted software is Windows Media Player. The very fact that it is capable of complying with DRM, proves that the software was not written with the users' interests in mind. If you run this stuff, you're giving your computer to someone else. Whether that someone else is Microsoft or the media companies or Joe Script Kiddie, is an unimportant distinction. If such a user then pays an AV company to protect them, then I can't see how they're dealing with the AV company in good faith. Thus, I have little sympathy for them if they are unsatisfied with the AV software's performance.
Re:I Wonder... (Score:5, Insightful)
Obvious objections, with answers:
1. "But that would be a death sentence for the company!" Yeah, and a prison sentence, of any length, is a death sentence for a lot of people -- getting stabbed in a fight, getting raped and infected with AIDS, etc. Doesn't stop us from sending people to prison, even those we know are likely to suffer such consequences.
2. "But what about all the workers who depend on the company for their paychecks? We shouldn't make them suffer!" We send people to prison who are the sole source of support for their families, and those families often suffer terribly. "Corporate imprisonment" would be harsh, deliberately so, and in the long run, the improvements in corporate behavior it would force would benefit everyone -- including workers, whose employers would be more likely to behave ethically if there were real consequences for not doing so.
Illegal practices? (Score:1, Insightful)
Dear MPAA: (Score:5, Insightful)
<sarcasm mode> </sarcasm mode>
As sad as it is, all that really happened...
You don't have to be even mildly coherent to understand why people are downloading/trading movies.
Re:So how.. (Score:5, Insightful)
Re:I Wonder... (Score:5, Insightful)
This isn't entrapment or a sting. If a copyright holder or an agent acting on their behalf gets on to a peer to peer network and offers up copyrighted content and you download it, it's yours. Legally they can do nothing, they owned the rights to it and they offered it up and you took it. That's why ALL the RIAA suits against traders were against uploaders. If you disable uploading you'll kill the networks (you won't kill emule/bittorrent but you won't get much benefit from them either) but you'll be protected from suits. IANAL.
Anyway, I was saying, this isn't entrapment or a sting. What this is is a malicious attack on a user's machine. A rights holder is offering up a file that it owns the rights to and the user is taking them up on it; the fact that they don't know it's a rights holder is irrelevant. Then, included in this they are using exploits and loopholes to install unwanted software on a user's machine designed to hurt the user's experience with their computer. Spyware that doesn't tell the user it's being installed and give them a license agreement and the option to disagree and not install is illegal just like computer viruses are illegal, in fact there is no differentiating factor between this and a virus.
Re:So how.. (Score:2, Insightful)
How will this possibly help them? (Score:2, Insightful)
Re:A concerted effort to email all your files to t (Score:3, Insightful)
That would be rude and might be called a DDoS attack. Double foofoo on you for even suggesting it.
What would not be rude is asking the MPAA/RIAA every time you want to make a backup. You are required according to the flyleaf to contact them to get written permission to copy it after all. Every time you download something you should ask them if you have permission to share it with others. Before you buy anything ask if they are members of the MPAA/RIAA and if so ask them to mail/fax you specific rights should you choose to buy it. Commit an act of civil obedience today.
Re:Porch stereo (Score:3, Insightful)
Ahh yes, here we go. Found a number of news [theregister.co.uk] articles, more on Google [google.com] but no resolution.
Re:So how.. (Score:3, Insightful)
This is flawed logic. The MPAA has never been able to point to a script and say, "This movie wasn't made because we were afraid it would be pirated." This is all a smokescreen generated to push the idea that the studios live hand-to-mouth and that pirating really hurts them.
"The wealthy investors that are putting their money up will find some other less risky or higher ROI avenue to use their money and the stuntmen and painters will indeed be SOL."
You will always have some risk takers. The ROI is high even with pirating given that the movies that are pirated are usually high dollar hits. Again, this is a smokescreen and pure BS. When the MPAA can point to even one script and say, "we won't be making that movie because we are afraid it will be pirated" then I might give some credence to their spew...
B.
Re:I Wonder... (Score:4, Insightful)
Also consider that for every law written, someone figures out how to get around it. In this case, companies could simply set up chains of companies ready to fly as soon as the Feds force a shutdown. They could even structure it so that assets are held by a separate company that is not legally tied to the "Evil, L.L.C.". As soon as "Evil, LLC" is shut down, "Evil2, L.L.C." starts up and assets are in the possession of the 3rd company ("Untouchable, Inc.") the entire time.
Re:Dear MPAA: (Score:2, Insightful)
Re:but the corner stores --are-- gone (Score:3, Insightful)
We had 3 local hardware stores in our area close in the past year. Who's pirating screwdrivers?
Independent businesses going up against big chains always run the risk of failure, especially when the chains they're up against step up their advertising as they have in the wake of the increase in piracy awareness (at least I think that's the reason - I've certainly seen a two- or three-fold increase in the amount of ads for CDs or DVDs from the major chains since the piracy crackdown, but that could be coincidence). I think that's likely to be just as big a cause, if not bigger.
Re:Virus?? (Score:2, Insightful)
"not if you're defending your..." (Score:3, Insightful)
This is like saying "Some people have burgled my house and escaped in a white car, so I'm gonna slash the tires of every white car I see."
IF those who deploy the software: >don't know that the person getting the trojan has broken the law (and there's no way they could know), and >don't know whether the person getting the trojan would consent to receiving it, then >those who deploy the software are criminal-crackers just as much as someone who defaces a website.
At least *some* p2p users *are* violating copyright, but statistical probabilities are no excuse for widespread harmful, criminal behavior.
Ahh the 1st amendment. (Score:3, Insightful)
It is all wrong. (Score:2, Insightful)
Does this mean that if I write a worm and embed it in a file, say IbelieveIcanfly.wma or something along those lines, I will get away with it?
Or should they sue all those that click on it and get infected because they were obtaining copyrighted content illegally?
Yes, email has been accepted by almost everyone and the law as a legal way of communication and sending files, plus the technology system and laws are trying to protect its integrity by tracking spammers, phishers, virus writers and all those bad guys.
However, this does not mean that the bad guys using p2p should get away with it. Worst of all, this is a company that is endorsed by the RIAA, a well known association, though not sure whether it is still well respected by the masses, but this is an association that is always in court suing everyone from kids to big companies and sponsoring ads about moral behaviour and respect for the law. Aren't these double standards by the RIAA?
Okay, they may have calculated right, they have millions to dish to the lawyers and they may well be acting within the law or somewhere in the grey areas but they have no moral integrity. THEY ARE SADISTS.
You may ban your child from eating candy and you are right to spank or ground him if he does but placing a thorny object camouflaged as candy under your kid's pillow is not something humane.
Re:So how.. (Score:5, Insightful)
I must admit I was tempted to install Kazaa and search for and download the file mentioned in PC World's article, just so I could tell my state attorney general they tried to hack my computer. I finally decided it wasn't worth the hassle and potential media attention though. :)
I should note that given their current actions I don't trust them so I used a disposable address from Spam Gourmet to send from and only signed my first name. Maybe I'm paranoid, but I figure any company who thinks it's OK to basically attack other people's computers in the name of stopping P2P just can't be trusted to know both my full name and state.
Re:I Wonder... (Score:3, Insightful)
If you're in senior management and know your own ass may end up in jail for something illegal your company does, you're going to think a LOT harder about what you allow to happen and what you put a stop to. I seriously doubt you'd be ordering the shredding of documents to hide evidence.
One nice thing about this is it gets rid of the two objections you note. It's hard to say "but those people aren't responsible" because senior management IS ultimately responsible for the course of actions their company takes. Does anyone honestly think the CEO of Anderson Consulting didn't know about the orders to shred documents pertaining to Enron? Does anyone think the CEO of Overture (and its parent company) isn't aware that they're putting trojaned files out there? Don't they deserve to pay the penalty for allowing that to happen? I think so.
Re:Illegal? When large unsuable corps are involved (Score:3, Insightful)
If they were totally upfront about what their program did in every (reasonable) respect, and didn't pull any nasty stunts like not uninstalling properly, then they would have every right to be considered "legit adware".
BTW, being able to intimidate someone legally does not necessarily make something "legit".