More incompetence revealed on the part of France's "three-strikes" copyright enforcer

Last week, the private company responsible for enforcing France's "three strikes" copyright law was found to be massively insecure, prompting France to suspend the program. Under France's HADOPI copyright law, households lost their Internet connection if they received three accusations of copyright infringement committed on their network. TMG, the private contractor that maintained the system, suffered a massive breach when hackers showed that the company hadn't taken even the most rudimentary steps to secure its servers.

Now, Ars Technica reports that it's not just TMG's security that's flawed -- the breach has also revealed that its data-gathering system is as untrustworthy as its perimeter security:

TMG's server was running a custom-written administration program coded in Delphi. It had the unusual security feature of not requiring any authentication at all, allowing anyone connecting to port 8500 to send commands to the server. The commands it supports are limited--shutdown or reboot the computer, stop or start a peer-to-peer client, and update the software on the server--but due to their shoddy design these commands are sufficient to allow hackers to do whatever they want. The update command connects to an FTP server, retrieves a file, and then executes it--all without authentication--and rather than connecting to a specific FTP server, it allows the server to be specified when the update command is given.

This allows an attacker to set up their own FTP server, put their malicious program onto the server, and then tell the TMG system to update from the hacker-controlled server. In this way, they can make the TMG server run whatever software they want. If all of TMG's anti-piracy servers are running the same administrative program, then they are all susceptible to being attacked in this same, trivial way.

French "three strikes" anti-piracy software riddled with flaws

(Image: Drapeau Hadopi, a Creative Commons Attribution (2.0) image from 17962689@N08's photostream)
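As an added illustration (not TMG's code and not from the Ars Technica report), here is how the admin interface described above looks once the three missing checks are put in place: authenticated commands, a pinned update source instead of a caller-chosen FTP server, and a digest check before anything fetched is run. The secret, host name and payload bytes are constructed placeholders.

```python
"""Hardened admin-command handler: an added example of an assumed design, not TMG's code.
The reported flaw: commands on port 8500 need no authentication, and 'update'
fetches a file from a caller-chosen FTP server and executes it. Fixes shown:
  * every command line carries an HMAC over its text under a shared secret;
  * 'update' accepts no host argument; the source is pinned in configuration;
  * the fetched file is run only if its SHA-256 matches a published digest.
No network or execution happens here; the chosen action is returned as a tuple.
"""
import hashlib
import hmac

ADMIN_SECRET = b"constructed-shared-secret"     # provisioned out of band
PINNED_UPDATE_HOST = "updates.example.invalid"  # placeholder, not a real host
ALLOWED_COMMANDS = {"shutdown", "reboot", "stop_client", "start_client", "update"}

def sign_command(command: str, secret: bytes = ADMIN_SECRET) -> str:
    """Client side: hex HMAC-SHA256 over the exact command text.
    A production design would also bind a nonce or timestamp to stop replay."""
    return hmac.new(secret, command.encode(), hashlib.sha256).hexdigest()

def file_digest(payload: bytes) -> str:
    """Hex SHA-256 of an update file, as the operator would publish it."""
    return hashlib.sha256(payload).hexdigest()

def handle_request(line: str, fetch, expected_digest: str,
                   secret: bytes = ADMIN_SECRET):
    """Parse '<command>[ <arg>] <mac>' and return the action to perform.
    fetch(host) -> bytes stands in for the FTP download; expected_digest is the
    hex SHA-256 published for the current update file."""
    body, sep, mac = line.strip().rpartition(" ")
    if not sep:
        raise PermissionError("no authentication tag on command")
    if not hmac.compare_digest(sign_command(body, secret).encode(), mac.encode()):
        raise PermissionError("authentication failed")
    tokens = body.split()
    if not tokens or tokens[0] not in ALLOWED_COMMANDS:
        raise ValueError("unknown command")
    cmd, args = tokens[0], tokens[1:]
    if cmd != "update":
        return (cmd, None)
    if args:
        # The original design let the caller name the FTP server; refuse that.
        raise ValueError("update source is pinned; host argument not accepted")
    digest = file_digest(fetch(PINNED_UPDATE_HOST))
    if not hmac.compare_digest(digest.encode(), expected_digest.encode()):
        raise ValueError("update rejected: digest mismatch")
    return ("update", PINNED_UPDATE_HOST, digest)
```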



  1. Hmmm, pity they are shut down for the moment, I really could have used a few extra servers to store and distribute my war3z from…


  2. I mean, I’ve put some thought into how I’d put a backdoor into a program – it’s the kind of idle speculation that pops up when you write programs. What they’ve done here makes anything I’ve come up with seem like weapons-grade stealth – it’s so bleedingly obviously stupid that you could have used it as satirical humor among first-grade programming students.

    Didn’t anyone think about this? Or was it deliberate sabotage from a programmer unhappy with what he was writing?

  3. And they say your taxes are going to waste…

    Almost worse than the horrible insecurity itself is that these incompetent asshats are being paid a decent wage – I could’ve taken that money, maybe had some hope of affording a deposit on a house, and I damn well would have done a better job of the software in return. Knowing the skew towards techie types around here, I wouldn’t be surprised if half the people reading this could say the same.

    I’m finding it harder and harder to deal with both my anger at the harmful absurdity of it all, and with my utter powerlessness to do anything about it.

    1. “damn well would have done a better job of the software in return”

      I hope that by ‘a better job’ you mean that you would have included a hidden bit torrent client in the install package.

      You’re talking about writing tools that enable rights violations. I think it is perfectly acceptable for the people who are trusted to write such software to deliberately do it in ways that waste the time, money and reputation of the people who are trying to establish such systems.

      Personally, I’d consider it my ethical duty to do so, and to lie to the people contracting me to write such evil software, to make them believe that any such mistakes or flaws were purely accidental.

  4. Isn’t the very first thing in O’Reilly’s “Essential System Administration” something to the effect of “FOR THE LOVE OF GOD, CLOSE OFF YOUR FTP PORTS!!!”?

  5. “Hey guys, we landed that lucrative government deal!”
    – “Great, have the intern whip up something in Delphi.”

    Also, are they using Delphi because Pascal was named after a Frenchman?

  6. That sounds so broken it’s hard to imagine that it isn’t intentionally broken.

    I wonder if the programmers working on that project maybe use their internet connections for file sharing?

  7. While it would be cruel, it would have driven home a point if someone made it so that EVERY IP address was reported as being in violation three times, and shut the entire nation down.

  8. Somewhere in France, a former underpaid, exploited intern at TMG is laughing his/her ass off. I just hope they don’t get caught.

    I mean, I get that people make mistakes, but one that huge in a place that was certain to be attacked one day… I don’t see how it could be anything but intentional. Even for TMG.

  9. This reminds me of Just replace “President, etc.” with “policy maker/ copyright enforcer” and “Engineer who installed the red button” with “programmers who wrote and maintained the system”

  10. For all he seemingly knows about the subject matter, that asshat Sarkozy probably would have given the contract to his assistant’s nephew who knows about computers. The people in charge of our planet’s future. What a fucking joke.
