Last week, the private company responsible for enforcing France's "three strikes" copyright law was found to be massively insecure, prompting France to suspend the program. Under France's HADOPI copyright law, households lost their Internet connection if they received three accusations of copyright infringement committed on their network. TMG, the private contractor that maintained the system, suffered a massive breach when hackers showed that they hadn't taken even the most rudimentary steps to secure their servers.
Now, Ars Technica reports that it's not just TMG's security that's flawed -- the breach has also revealed that its data-gathering system is as untrustworthy as its perimeter security:
TMG's server was running a custom-written administration program coded in Delphi. It had the unusual security feature of not requiring any authentication at all, allowing anyone connecting to port 8500 to send commands to the server. The commands it supports are limited--shutdown or reboot the computer, stop or start a peer-to-peer client, and update the software on the server--but due to their shoddy design these commands are sufficient to allow hackers to do whatever they want. The update command connects to an FTP server, retrieves a file, and then executes it--all without authentication--and rather than connecting to a specific FTP server, it allows the server to be specified when the update command is given.
French "three strikes" anti-piracy software riddled with flaws
This allows an attacker to set up their own FTP server, put their malicious program onto the server, and then tell the TMG system to update from the hacker-controlled server. In this way, they can make the TMG server run whatever software they want. If all of TMG's anti-piracy servers are running the same administrative program, then they are all susceptible to being attacked in this same, trivial way.
(Image: Drapeau Hadopi, a Creative Commons Attribution (2.0) image from 17962689@N08's photostream)
In 2010, after years of bitter fighting, the French National Assembly passed “Hadopi,” the worst copyright law in history, which provided for disconnecting whole families from the Internet if their network connection was implicated in an accusation of copyright infringement.
The Copyright Alert System — a “voluntary” system of disconnection threats sent to alleged file-sharers, created by entertainment companies and the large US ISPs — has just celebrated its first birthday, having spent $2 million in order to send out 625,000 threats to people it believed to be infringers. How’s that working out for them? […]
In Graduated Response Policy and the Behavior of Digital Pirates: Evidence from the French Three-Strike (Hadopi) Law a team of business-school researchers from the University of Delaware and Université de Rennes I examine the impact of the French “three-strikes” rule on the behavior of downloaders. Under the three-strikes law, called “Hadopi,” people accused of downloading […]
Looks like all of your potential employers are hiring candidates with programming skills (which you don’t have). With all of the languages out there today, it’s tough to know where to start.With the Complete Front-End to Back-End Coding Bundle, you can beef your resume up in all the right places, no confusion necessary. This package of […]
Those of us who love music wish we could listen to it 24/7. But it’s impossible when we’re trying to converse with our friends, or when are swimming in the local pool.That is, until now. The KOAR Bone Conduction Bluetooth Headset, now 48% off, has changed the audio game.Made with lightweight titanium memory metal, this headset boasts patented bone conduction technology to transport sound […]
It’s one thing to enjoy dinner at home and a nice glass of Cabernet Sauvignon with your best friend, Netflix, but it’s another thing entirely to make that meal from scratch and get that wine delivered right to your doorstep.But what if we told you there’s a way to make this possible? To keep your social life, […]