The New York Times is running an article about what the RIAA and major labels are up to. Seems they are funding research into attack users computers, internet connections. The two companies named are Overpeer and MediaDefender.

Its time to turn up the heat folks. I urge you to contact the RIAA and tell them this is unacceptable. I urge you to maintain a firewall and record attacks. I urge you to contact your Representatives and Senators and tell them this is unacceptable behavior on the part of the recording industry.

We need your help in this WAR the RIAA and their members have declared on the American public and their customers. We can't do it alone. We need funds so we can travel for face to face meetings with our legislators, and to contact them by phone. Please donate what you can.
Bill Evans founder of boycott-riaa.com

Some excerpts from the article:

The record companies are exploring options on new countermeasures, which some experts say have varying degrees of legality, to deter online theft: from attacking personal Internet connections so as to slow or halt downloads of pirated music to overwhelming the distribution networks with potentially malicious programs that masquerade as music files.

The covert campaign, parts of which may never be carried out because they could be illegal under state and federal wiretap laws, is being developed and tested by a cadre of small technology companies, the executives said.

Interest among record executives in using some of these more aggressive programs has been piqued since a federal judge in Los Angeles ruled last month that StreamCast Networks, the company that offers Morpheus, and Grokster, another file-sharing service, were not guilty of copyright infringement.

Since the law and the technology itself are new, the liabilities — criminal and civil — are not easily defined. But some tactics are clearly more problematic than others.

Among the more benign approaches being developed is one program, considered a Trojan horse rather than a virus, that simply redirects users to Web sites where they can legitimately buy the song they tried to download.

A more malicious program, dubbed "freeze," locks up a computer system for a certain duration — minutes or possibly even hours — risking the loss of data that was unsaved if the computer is restarted. It also displays a warning about downloading pirated music. Another program under development, called "silence," scans a computer's hard drive for pirated music files and attempts to delete them. One of the executives briefed on the silence program said that it did not work properly and was being reworked because it was deleting legitimate music files, too.

Other approaches that are being tested include launching an attack on personal Internet connections, often called "interdiction," to prevent a person from using a network while attempting to download pirated music or offer it to others.

"There are a lot of things you can do — some quite nasty," said Marc Morgenstern, the chief executive of Overpeer..

"Some of this stuff is going to be illegal," said Lawrence Lessig, a professor at Stanford Law School who specializes in Internet copyright issues. "It depends on if they are doing a sufficient amount of damage. The law has ways to deal with copyright infringement. Freezing people's computers is not within the scope of the copyright laws."

Randy Saaf, the president of MediaDefender, another company that receives support from the record industry to frustrate pirates, told a congressional hearing last September that his company "has a group of technologies that could be very effective in combating piracy on peer-to-peer networks but are not widely used because some customers have told us that they feel uncomfortable with current ambiguities in computer hacking laws."

Read the entire article (free registration required)

Fairly obvious. Most of the more damageing attacks - trogens, file deletion - will never be used. The industry wants them just in case. A very likely attack is fake files which redirect users to legal purchase pages. In fact mediadefender already offers this, along with the already familiar loop duds. Both of those are prefectly legal.

The most damageing attack we are likely to face is a DoS, where the RIAA or its labels simply run (or hire) a bot which searches for infringeing files and downloads everything from that users, pretending to be millions of clients to queue jump. The bot either sucks up the bandwidth or limits bandwidth and sucks up slots. Either way, the network gets badly damaged. More damageing attacks such as ping flooding or trogens are a possibility, but very unlikely because of the potential problems from people caught in the middle. I dont think any company would like haveing its internet connection pingflooded because someone was downloading music at work.

"Ambiguity" in the last paragraph translates to "Its not legal, but were working on it" . The P2PPPA is dead now, right? I think it is? If its not and it somehow passes the whole thing changes of course, and we get hit with everything from ping flooding to fakes to programs that remove the infringeing files by deleteing everything eith the extension MP3

Intrestingly, it isn't too difficult to make a wave file which can severly damage speakers. Square wave. The sudden change in velocity of the cone can tear them apart and the high-voltage pulse when the field reverses ruins the electronics. Its like a mini tesla coil. Soon I am going to prepare one of those as part of my collection of publicly available test files . It will have the volume low to prevent accidental damage.

these piece of crap music industry should have something majorly done them... This is bs.. We all need to get together and boycott these motherfuckers.....

Why are they imune to anti-hacking laws?!?!

The RIAA are just putting more dirt on their coffin.

Well, they're going to have one hell of a time building something that will delete 'illegal' files since they can never know if something is illegal or not.

We need to do more than boycott them
slikk. We need to start writing the representatives who bow to them and tell them enoughs enough, that we will not tolerate their wholsale allegiance to the money interests. Every registered voter who opposes the RIAA needs to get serious about this. And don't e-mail them. Spend a few cents on a stamp. Bulk mail gets more attention by the staff.When they see the physical evidence of the publics outrage, they will start to doubt the solidity if their terms.Write those Fuckers!

ok, I'm not a programmer, but I can do math better than RIAA. Let's use rough numbers to make this easier and maybe the RIAA will understand. Shareman Networks alone has, (let me check the websit for the most current number) well the main site only lists 220 million total downloads and I know that I've had to download it more than a couple times do to computer difficulties, but then you factor in those who use kazaa light and have never downloaded kazaa from their site and 220 million, that's roughly the population of the US. Now, given that it's a prerequisite to be a computer user to being using kazaa the percentage of programmers across the shareman network population would be higher than average. I'm going to pull what seems to be a modest number out of the air and if someone else has a better informed, more accurate number please tell me. Let's say 0.1% of kazaa users are programmers. that's 220,000 programmers. 220,000 programs who like filesharing. let's say each of these programmers donate 40 hours in one month. Now if we say that programmers are paid on average $30 an hour (a low estimate) than that's $264,000,000 worth a man power in one month at a leisurely pace. Now...can the RIAA match that?

This is my reason for saying that we, not them, have the monetary advantage.

They've been doing that already on Gnutella Networks and servers. Nothing new. Boycotting doesn't seem to have an effect on them anymore. Not enough kids are doing it. They couldn't even keep boycotting "The Dixi Chicks" when they had their chance.

Just be extra careful of what and whom you download off of. I have yet to get a spoof or a fake file.

hmmmmmmm, wonder if we can attack them in return?

if they can hack, so can we.

This right here is why I have both a firewall and anti-virus software running at all times. And I routinely back up my MP3s. Now I know this would be a near impossibility for those who have thousands of files, but for those who use DVD to back up files wouldn't have a problem. And I try to keep my block list up.

Freezing someone's computer is definitely against the law. It's like slashing someone's tires to keep them from going to the store (claiming that they'll steal their product when they get there).

I've downloaded plenty of spoof files and loops. That's why I have a seperate folder for my real music and holding folder for stuff I download. Before it even goes into the real folder, I listen to it to make sure it's right. I also try my best to get proper times on the songs. Sure, this doesn't help if they spoofed or looped it for that long, but it makes sure I get a file that's close to the real thing.

To the RIAA (I'm sure they read all this): When I get a job and get some bills paid, then maybe I'll buy your CDs. Right now I can't. I can't buy your product without money. Sure, I've bought some CDs this year, but I've had to download others. Eventually I'll buy the real ones, if you'll let me.

This is another case that shows that there are few boundries that the cooperate state wont go past. Of course they have to be aware that if this type of action were to take place on private computers. The gloves would be comming off and the private sector would no longer be inclined to not hack them right back. It is interesting that the article does not mention specific company's. It could very well be the fear of retaliation that keeps them in the dark. Just like a cockroach.

Holy shit. They really are trying their hardest to create more problems for themselves. Obviously most of the tactics mentioned wouldn't be used, because of their illegality, but the fact that they even consider them is sad and appalling.

Any such drastic measures will surely spur the hackers of the world to flex their muscles. I forsee more than humorous website hacking.

I haven't shared the utter disdain for the RIAA that most people here have. I don't use filesharing programs, so I had no opinion on that subject. But this is definitely provoking my ire.

I suggest sending e-mails to the following people:

1) Hilary Rosen (hrosen@riaa.com)
2) Randy Saff (rsaff@mediadefender.com)
3) OverPeer Info (information@overpeer.com)

They're crazy.

As much as RIAA.com goes down to hackers, they should be investing money in learning how to secure their own web server. And you can bet they will be facing retaliations if they "Hack" the wrong P2P user.

I don't condone hacking by anyone...but any fool can see that they're really asking for it here.

Hack a Shaq in Binary! bwahahaha

One person said "This right here is why I have both a firewall and anti-virus software running at all times."

Unfortunately your dinky software firewall means nothing to someone who knows what they're doing. Software firewalls can and often ARE pounded to their breaking point, at which point they cease to function.

This is why I use a setup that's dubbed a "sandbox". A sandbox is a fake system for hackers to hack around in and they don't get anything real. I build my own hardware sandboxes that run an unknown operating system that's stored in ROM so it's utterly impossible for hackers to make any changes to allow theirselves through the sandbox into my network.

The use of an unknown OS means no hacker has any experience in circumventing it. The OS was programmed from the ground up to rival the speed and efficiency of the Amiga Workbench OS... Infact it's actually a clone of Amiga Workbench that runs on x86 systems but the networking portion of it isn't related to the various stacks for Amiga.

This being said, it's basically a glorified router capable of playing video games, if it had any drives... If the hacker tries to hack anything on my network, unless I have set up port routing to that system (and they'd only have access to that system via that particular port) which requires physical access to configure, they get the sandbox to hack. The sandbox itself has a modified TCP/IP stack does not accept direct connections from the ethernet responsible connecting to the internet except for pings and the routed ports.

With that out of the way, the only security holes on my network are the servers I run. I personally use a modified Apache 1.x for my webserver. All currently known security holes in the version of Apache that I use have been patched.

Other than the Apache, I also run a basic mail server that only allows people on the protected side of the network to log into it. It'll take incoming mail just fine, it just doesn't let you retrieve any mail unless your IP happens to be a LAN IP.

I know it's a bit extreme concidering I'm just a home user. The web and mail servers are because I don't believe in doing anything unless I can do it myself. Besides that, running my own mail server seriously limits the amount of spam I recieve. Also, I can manually block any known spammer's entire ISP from e-mailing me, thus removing them from my hair entirely.

The kind of security I run on my network is completely unhackable. I'd issue a challenge with a reward for successfully hacking into my network, but I have neither the money nor the bandwidth to issue such a challenge.

This isn't to say I can't be flooded offline... Wether or not the sandbox accepts connections is irregardless of the fact that the ISP I use will still relay the attempted connection to me. At any rate the worst that can happen to me is I get flooded to the point my entire connection lags. A quick call to my ISP to change the IP can fix that.

Software firewalls like ZoneAlarm or BlackIce or any others are so inneffective you'd be better off not doing anything. I have no proof of this but I think leading software firewalls intended for personal use actually fake hack attempts, either that or they're extremely jumpy and think a ping is a hack attempt. I've seen people that just logged onto AOL and messaged me, 5 seconds later "Hold on, ZoneAlarm says someone's trying to hack me". Come on, they were on for like what? 5 seconds? Nobody's going to try to hack an AOL user within 5 seconds of logging on! ZoneAlarm should be renamed to FalseAlarm!

BTW I charge $150 an hour for the servicing of any electronic device (I design my own motherboards for the hell of it, so you get what you pay for.) If the RIAA ever manages to do any damage to my computer by the use of a trojan or any sort of malicious program, I can and will repair the damage, then send them the outrageous bill. When they fail to pay the bill for the repair of my systems (which they'd have to since they're the ones that vandilized them), I'll sue for the bill plus punative damages. So I hope they actually DO go through with this, I could use a good laugh!

St-Alia-of-t I have a router that pretty much stops almost everything, but I still use a software firewall mostly for logging purposes. That way if I do get hit, I can have evidence so to speak. I've used those logs at least three times to nail script kiddies and get there accounts supsended. (I don't go after the casual users but when I get 20 hits over a 24 Hour period from the same person they are toast.

Well St-Alia how does all that spiel help anyone? I fail to see the relevance of such a post when there are very few people here with the knowledge to even write a simple encryption program much less an entire OS.

A software firewall might be the best one can do. Yeah it can be broken, but it's better than nothing. Hardware firewalls, routers, and DHCP servers can be put together, but all that requires money and again knowledge. Your post doesn't seem to be anything more than you bragging about your setup.

What bragging? He's talking about an overly glorified Router. Oh I'm sorry, "sandbox". As for software firewalls failing, sure some can; but once that actually occurs your OSes tcp/ip stack was foobared anyway.

"BTW I charge $150 an hour for the servicing of any electronic device (I design my own motherboards for the hell of it, so you get what you pay for.)"

So which chipset manufacturers have authorized you?

Bad Raid. Bad, feeding the trolls.

Firewalls aren't going to help. Different attacks. The copybombbots arn't going to use anything too complicated, just ping floods and trogen files spread through p2p networks. Firewalls are ineffective against those.

There is no way to defend against flooders. Imagine how the RIAAs bots would do this:

1. The bot searches for a known infringeing file. Repeat.
2. Compile a list of all users shareing more than x infringeing files
3. Either:
a. connect to these users, act like another client, use all queue slots and upload bandwidth.
or
b. ping with a constant 512Kbs, enough to overload most p2p connections.


No effective defences, through it may be possible to track and block the bots. They will move around quite a bit through.

The other threat is p2p-transmitted files, which look like music but perform any one of a range of malicious actions from pointing the user to a pay download site to deleting every shared music file. Well, this one we can defend against. From a techincal position its very difficult to put executable code in a music file (Except WMA files, which support a fairly powerful scripting system). There are minor buffer overflow vulnerabilities in some version of WMP, winamp and windows XP explorer which allow executable code to be ran from MP3 files, but these are very version specific. I think a malicious file will be either an MP3 containing a short rant about piracy and someone saying the URL of a pay download site or a WMA file.

Of course, these plans by the RIAA and co are strictly last resort measures. We will probably never see anything more sophisticated than automated complaints to ISPs and dud files, but its best to be prepared.

Only dud users are gonna screw up and download dud files. Seriously, when they make a dud file, the bitrate shows up something like 171 or 184, or anything except 128, 160, 192, 256, or 320. Its just a dead giveaway.

All this talk about firewalls is mute anyway. If you have the expertise to setup a sandbox, then you were never worried, and if you don't, then you are never gonna be safe.

No, its a well known fact that some labels have been makeing dud files and putting them on the networks. These duds usually contain either degraded audio, loops or occasionally a warning.

Ok all this talk has gotten me worried, so i checked my firewall and there were a few violations. Now, I know the RIAA hasn't started any of that yet, but I'd like to get into practice of tracking these things down. I found a website to perform a standard 'whois' command and if, in the future, the RIAA pulls a stunt like the ones they are threatening, I'll go download myself a bunch of dummy files, move my real stuff out of my shared folder, and wait for them to come for me. I'm just willing to bet they won't remember to make their bots screen out their own dummy files. Once something happens, I'll get a lawyer and sue their asses off for all I can get (I'm not greedy, just pissed). But I need to know how to prove it was them. Any suggestions?

(in fact, if such a thing happens and I have success in sueing them, I suggest every other person at this site do the same. If we could hit them with that many individual lawsuits, they'd go down in an instant)

ya know as much as i feel it is illegal to download music & movies without compensating artists and labels, it's crossing the line when the RIAA, not the gov't, decides to take the law in their own hands. i don't care, even if i was totally against the mp3 revolution, hacking into someones computer with the intent of damage is a crime, period. If our gov't gives them the the go ahead i'm moving out of this country. But ya know even if the RIAA starts this tactic, just guess on how many hackers will have a field day with the RIAA computers and their website, how many more hatemails and death threats they'll recieve? They still have a chance to drop this bullshit and start working with P2P instead of attacking new technology. I'm all for copy-protection of CDs. Video games, VHS, & DVDs have had it for years? But at this point copy-protection isn't a good resolution anymore..neither is attacking your customers. Ya know the old proverb.. never bite that hand that feeds you.

I do not condone hacking either, just wanted to point that out but if the RIAA does decide it's in their best interest to do such illigal activities just to stop P2P they will have a rude awakening by the script kiddies out there and there out there in droves. Firewalls do sqawt when you have to share and open up your drive so that you can dlownload. I use zone alarm. I have over 1200 attempts and over 300 high risks blocked when I check the stats so maybe it works but it wouldn't work against a professional hacker. Like I said, I have yet yo get a spoof or virus from Gnutella. And it it over run with fakes and spoofs.

The only VHS copy protection system is Macrovision. Its infamous for causeing incompatability problems with everything it touches.

SinisterX is right. If the RIAA attacks it could start the first full scale internet war. Every script kiddie on the net will get a new target. The RIAA will have to contend with everything from DDoS to viruses carrying anti-RIAA messages to experts hacking their network routers and wipeing IOS. That could take days to fix. Someone will write the most horrable trogens imagionable and target the RIAA, labels, even CD pressing plants.

All's fair in love and war. If they so much as TOUCH my computers, they will surely be screwing with other's computers, and I would have NO PROBLEM bringing their servers to a screeching halt, deleting the contnets of their servers, and leaving a note that says
"Stop screwing over artists and the public, by the way, I'm waiting under your bed with a chainsaw, I'm going to cut you up and hang you from an oak tree!" then I'd make a recording of a crazed laugh.
Maniacally,
Phoenix

Mike
Black Ice keeps logs of the attacks in evd files. If you used the IP whois site and got the ISP that owned that IP all you would need to do is send a complaining e-mail to the ISP with the IP address and a copy of the evd file. Be careful though sometimes people will plant viruses like code red in the evd files and if you send that to the ISP you look like the culprit. Though code red is really only a web page defacer the ISP won't like you very much for sending it to them. So scan the evd files before you send them. If they are infected well you're pretty much screwed as far as proof goes.

Zone logs all IP's as well, my firewall goes crazy over the weekends but thats due to logging in Gnutella. I wouldnt be able to sit here and do a whois search with over 1200 IP addresses. meh. I dont have time to worry about it as much. I wouldn't even know an RIAA IP if I saw one.

I am a member of the shadow realm I doubt they could hack me. this is just another scare tactic.

I don't download much music anyway.I am more concern with promoting myself most of the time

The hackers are on our side. I don't know a single hacker that is not a pirate. If the RIAA tries anything, they will be hacked forever. They had better be careful. Someone will be clever enough to build technologies to outdo whatever the RIAA can come up, which is pathetic. Trojan horses? Not with my firewall! Give it your best shot, Hilary. We're all waiting. Once you make consumers really mad, you can kiss your sales goodbye. Boycott-RIAA!

PhantomGhost,
Best watch your words. The "hackers" you speak of are often better known as "script kiddies." Script kiddies know nothing aside how to operate tools they are given. "Real" hackers are not interested in illegally copying music; most are quite well-paid for their programming, security, and/or engineering skills.

Think before you speak. Your ignorance makes a just cause look criminal.

An army of script kiddies can be quite effective. They may not be the best hackers, but they are persistant. The real hackers will join in as well in their more specialised way. Its a challenge "real hackers" may not be intrested in illegially copying music, but they are intrested in breaking the DRM encryption systems and inventing ways to stop copyright holders disrupting networks. "real hackers" are the people who work on some of the most sophisticated technology pirates use, designing better p2p network protocols and more effecient lossy compression.

A lot of people here are confident that nothing will get through their firewalls. It wont work. Firewalls are completly usless when your being faced with a DoS attack, and any trogens would probably go through the p2p program itsself. Firewalls wont help much.

No, to fight we need some kind of coordination. A way to find where these attacks are comeing from and stop them with a little DoS attack of our own. It would require a lot of people through, with the budgets were up against a gigabit fiber line direct to a backbone ISP would be pocket money.

OK, the music industry is going way too far. First, Someone needs to organize the couple of hundred million users of p2p networks to combat this. As has been pointed out, this could be a very powerful constituency. Is anyone doing this? I'm fairly new to this area and have only recently started following the news because of the riaa's actions. Can anyone direct me to an organization which is doing this? The second thing that needs to be done is to change the copyright law to expressly permit the user to be allowed to use the music they purchase as they see fit. This includes the privacy of their own homes, cars and yes, PRIVATE, p2p networks. The music industry has for too long enjoyed laws which lean too far in their favor. They are blatantly unfair to both the original artists who create the music and to the public who purchase it. The only people who are really benefit from these antiquated laws are the rich record executives and their lawyers. And yes, I've known a few and they are EXTREMELY rich and live in a luxury you would not believe. They want you to pay them everytime you listen to a song with their label on it, even though you have already purchased it. If you own a Ford Explorer, do you pay Ford everytime you drive it? How do they know I don't already own a cd or two of a song on my computer? (many of us have been know to purchase not one, but 2 copies of the same cd) How do they know the person uploading from me hasn't already shelled out $20 for the cd which is sitting in his car at the auto shop being repaired? The assumptions being made by the record company are not legitimate. Third, this constituency needs to raise money and lobby Congress. That's why copyright laws are the way they are. The record companies bought them. THat's how business is done in Wash, like it or not. They don't care about the average voter, they care about the $$ in their re-election accounts. Time to get real and start fighting. Just some food for though. Finally, this organization needs to find some law firm willing to file a class action lawsuit against the record companies should they start employing these clearly ILLEGAL hacking programs against p2p users. Lawsuits are very expensive and only a large law firm could fund such a thing, but the record companies are very rich and any law firm would make a millions in a settlement or verdit against the record companies if they started hacking into private networks and damaging peoples home computers. I would be willing to volunteer some of my time to such an effort. Please use these thoughts and get yourselves organized! Power to the people!

if riaa thinks they can fight against the techo wizards who support the free distribution of music, they are living in fantacy land, none of the software companies themselves , who employ the best minds in the country have failed, how riaa is going to try tapping into computer and destroy files is something i would like to see. In my opinion this is going to result on all companies supporting riaa and trying to help the implementing such a scheme getting hit hard by hackers and such.

It seems to me that we need a boycott-riaa IRC channel. As well as provideing another place to moan about unfair prices it would have a more practical use. A way to coordinate in real time. When one of us finds a potentially hostile node on a p2p network we can rapidly confirm, trace and study it. Then decide what to do about it.

you think converting mp3's into .ogg's would help? I don't think they have that kind of knowledge yet. Plus, there's a prog that allows playing those kinds of files. can't remember what it's called, but I think RIAA has no knowledge of it yet.

011001000110111101110111011011100010000001110111011010010111010001101000001000000111010001101000011001010010000001010010010010010100000101000001

Negotiating deals wastes time and energy. Strike fast, hit hard, and deliver your terms while they are still lying there face down on the ground.