VideoHelp Forum




  1. Member BJ_M's Avatar
    Join Date
    Jul 2002
    Location
    Canada
    http://online.securityfocus.com/archive/1/306476

    Jan 13, 2003


    -----BEGIN PGP SIGNED MESSAGE-----

    ___ ___ ___ ___ _ ___ ___ ___ ___ ___ _ _ ___ ___ _______
    / __|/ _ \| _ ) _ ) | | __/ __| / __| __/ __| | | | _ \_ _|_ _\ \ / /
    | (_ | (_) | _ \ _ \ |__| _|\__ \ \__ \ _| (__| |_| | /| | | | \ V /
    \___|\___/|___/___/____|___|___/ |___/___\___|\___/|_|_\___| |_| |_|
    "Putting the honey in honeynet since '98."

    Introduction:
    Several months ago, GOBBLES Security was recruited by the RIAA (riaa.org)
    to invent, create, and finally deploy the future of antipiracy tools. We
    focused on creating virii/worm hybrids to infect and spread over p2p nets.
    Until we became RIAA contractors, the best they could do was to passively
    monitor traffic. Our contributions to the RIAA have given them the power
    to actively control the majority of hosts using these networks.

    We focused our research on vulnerabilities in audio and video players.
    The idea was to come up with holes in various programs, so that we could
    spread malicious media through the p2p networks, and gain access to the
    host when the media was viewed.

    During our research, we audited and developed our hydra for the following
    media tools:
    mplayer (www.mplayerhq.org)
    WinAMP (www.winamp.com)
    Windows Media Player (www.microsoft.com)
    xine (xine.sourceforge.net)
    mpg123 (www.mpg123.de)
    xmms (www.xmms.org)

    After developing robust exploits for each, we presented this first part of
    our research to the RIAA. They were pleased, and approved us to continue
    to phase two of the project -- development of the mechanism by which the
    infection will spread.

    It took us about a month to develop the complex hydra, and another month to
    bring it up to the standards of excellence that the RIAA demanded of us. In
    the end, we submitted them what is perhaps the most sophisticated tool for
    compromising millions of computers in moments.

    Our system works by first infecting a single host. It then fingerprints a
    connecting host on the p2p network via passive traffic analysis, and
    determines what the best possible method of infection for that host would
    be. Then, the proper search results are sent back to the "victim" (not the
    hard-working artists who p2p technology rapes, and the RIAA protects). The
    user will then (hopefully) download the infected media file off the RIAA
    server, and later play it on their own machine.

    When the player is exploited, a few things happen. First, all p2p-serving
    software on the machine is infected, which will allow it to infect other
    hosts on the p2p network. Next, all media on the machine is cataloged, and
    the full list is sent back to the RIAA headquarters (through specially
    crafted requests over the p2p networks), where it is added to their records
    and stored until a later time, when it can be used as evidence in criminal
    proceedings against those criminals who think it's OK to break the law.

    Our software worked better than even we hoped, and current reports indicate
    that nearly 95% of all p2p-participating hosts are now infected with the
    software that we developed for the RIAA.

    Things to keep in mind:
    1) If you participate in illegal file-sharing networks, your
    computer now belongs to the RIAA.
    2) Your BlackIce Defender(tm) firewall will not help you.
    3) Snort, RealSecure, Dragon, NFR, and all that other crap
    cannot detect this attack, or this type of attack.
    4) Don't **** with the RIAA again, scriptkids.
    5) We have our own private version of this hydra actively
    infecting p2p users, and building one giant ddosnet.

    Due to our NDA with the RIAA, we are unable to give out any other details
    concerning the technology that we developed for them, or the details on any
    of the bugs that are exploited in our hydra.

    However, as a demonstration of how this system works, we're providing the
    academic security community with a single example exploit, for a mpg123 bug
    that was found independently of our work for the RIAA, and is not covered
    under our agreement with the establishment.


    Affected Software:
    mpg123 (pre0.59s)
    http://www.mpg123.de


    Problem Type:
    Local && Remote


    Vendor Notification Status:
    The professional staff of GOBBLES Security believe that by releasing our
    advisories without vendor notification of any sort is cute and humorous, so
    this is also the first time the vendor has been made aware of this problem.
    We hope that you're as amused with our maturity as we are. ;PpPppPpPpPPPpP


    Exploit Available:
    Yes, attached below.


    Technical Description of Problem:
    Read the source.


    Credits:
    Special thanks to stran9er@openwall.com for the ethnic-cleansing shellcode.
    -----BEGIN PGP SIGNATURE-----
    Version: Hush 2.2 (Java)
    Note: This signature can be verified at https://www.hushtools.com/verify

    wlwEARECABwFAj4jBA0VHGdvYmJsZXNAaHVzaG1haWwuY29tAA oJEBzRp5chmbAP4gwA
    oKmMyRIxA74KZfAVv3MsEBKCZxRMAJsFFhywKWzMoiT/Qiy4FV+r1inukA==
    =OjMp
    -----END PGP SIGNATURE-----




    [ attachment: (application/octet-stream) ]

    -----BEGIN PGP SIGNATURE-----
    Version: Hush 2.2 (Java)
    Note: This signature can be verified at https://www.hushtools.com/verify

    wj8DBQA+IwO0HNGnlyGZsA8RAuusAJ49gGSCJzKlRpn+7b9vd+ GYydWzUQCgjq3Ofe2n
    WBnlQNf4GeyaFTit5N0=
    =RBjc
    -----END PGP SIGNATURE-----


    source code here for example ::

    http://online.securityfocus.com/archive/attachment/306476/2/


    On another forum it has been noted that all firewalls pass the data no problem if they had been set up for file sharing.
  2. This looks like a possible hoax. Some of the language would seem inappropriate coming from a corporate entity.

    This would also seem to create a HUGE liability problem for the RIAA. If this were to corrupt a legitimately owned software program or to attempt to charge someone with a crime for having an audio file on their PC which they actually own, I would think they would get their collective asses sued off.

    I am not surprised that such an effort would be made, however.

    Illegal search and seizure, invasion of privacy, theft, vandalism, all these come to mind.

    Sounds like just downloading a freeware player to use on audio and video I actually own could affect my equipment, this would constitute a criminal act on their part.

    I don't really disagree with the RIAA's goal, I just think they are approaching this from the wrong direction. Did radio kill album sales? No, it increased them. What they need to do is make their product better and less expensive, and drive the pirates out of the market. Set up a legit site where people can DL hi-quality MP3's for 10 cents each, with zero production costs, they will make a mint.
  3. Member
    Join Date
    Aug 2002
    Location
    Australia
    Wow, a buffer overflow in an MPEG audio player that most people have never even heard of. Clem get the shotgun the RIAA is coming...

    But seriously folks ZDNet NEWS: RIAA says it's not making a worm
  4. Member BJ_M's Avatar
    Join Date
    Jul 2002
    Location
    Canada
    yes of course it's a joke -- for now ... i posted it because it rather plainly says it's a hoax ..

    but :

    The music industry isn't hacking back, but someday it might. A bill sponsored by Reps. Howard Berman, D-Calif., and Howard Coble, R-N.C., would allow copyright owners and such groups as the RIAA and the Motion Picture Association of America to disable, block or otherwise impair a "publicly accessible peer-to-peer file-trading network." Nowadays, that's called hacking.
  5. Originally Posted by BJ_M
    It took us about a month to develop the complex hydra, and another month to bring it up to the standards of excellence that the RIAA demanded of us.
    If the RIAA's website being hacked almost once a week is any indication of the "standards of excellence" this BS exploit is built upon...I can't wait for this incredible piece of technology to surface to the masses!
    The itsy bitsy spider climbed up the water spout. Down came the Goblin and took the spider out. -- Spider-Man, 2002
  6. Member
    Join Date
    Jul 2001
    Location
    United States
    Huh...
    Yesterday this came from Foxnews.com...

    Music, Tech Groups Make Digital Copyright Deal


    Wednesday, January 15, 2003
    By Liza Porteus


    WASHINGTON — Music and technology circles usually at odds over how to prevent consumers from illegally downloading songs from the Internet have reached an agreement on how to tackle the problem of global piracy.





    "The world's leading technology companies and the music industry have reached a landmark agreement," Business Software Alliance President Robert Holleyman said during a press conference Tuesday. "These principles will guide our efforts ... and will have a huge impact on the future of the Internet."

    The digital copyright battle has pitted Silicon Valley against Hollywood, leaving Congress wrestling with how to get federal laws up to date with technological wizardry.

    Aware that Congress was coming perilously close to finding a legislative solution, the tech industry and movie and music makers decided to meet in the middle, concluding that any government intervention is likely to be bad intervention.

    "What we're saying is, we don't need our heads banged together," said Hilary Rosen, president of the Recording Industry Association of America, which represents the nation's record companies.

    Hollywood and the music industry have long argued that more mechanisms need to be included in certain products like CDs or DVDs to prevent unauthorized copying and distribution. The tech industry, on the other hand, has complained the controls are too expensive and complex and don't give them enough leeway to thwart hacker attempts.

    The compromise means the tech industry will support aggressive enforcement against digital pirates and, in exchange, the music industry will lobby against government requirements to build protective controls into new entertainment gadgets which may make it more difficult for consumers to share music and movies.

    "Let's be realistic — a government technology tech mandate won't solve the problem of online piracy and poses such a threat to the future of the digital economy and the digital consumer, that technical mandates must be rejected," said Ken Kay, executive director of the Computer Systems Policy Project, made up of CEOs from the nation's top computer companies such as Microsoft and Dell.

    RIAA, CSPP and BSA, whose members include Microsoft, Apple Computer and Adobe Systems, agreed on a core set of principles to guide their digital content policy activities through this Congress.

    The agreement includes a set of seven principles for the industries to abide by.

    They will encourage privately-funded consumer awareness campaigns about the rights and wrongs of digital copying but explore what federal role can be played; have the two industries figure out how to best protect against piracy while still meeting consumer expectations of new music and good technology; and support private and governmental enforcement actions against copyright infringers.

    The principles also say legislation should not limit the use or effectiveness of tools used by the industries to limit unauthorized access, copying or redistribution of digital products. The industries will support technical measures to limit illegal distribution of copyrighted works as long as those measures don't harm individual users' data or equipment and they don't violate any private rights. The groups also agree that government's role should be limited to enforcing current laws and that they will seek out common ground in policy debates.

    The lobbying groups and other technology companies have argued that current laws can stem piracy so long as they are properly enforced. The 1998 Digital Millennium Copyright Act is one such law. The measure, which restricts what consumers can do with digital music and movies, is "generally working as it was intended," Holleyman said.

    The two industries will begin planning an organization meeting of key industry executives within the next few weeks to "determine how our industries can best work together on digital content issues going forward," Holleyman said.

    The principles are being applauded by some in the tech industry and on Capitol Hill.

    "The legislative and rhetorical salvos that have typified the debate over the past year have been extremely counterproductive and have drawn attention away from the real problems and their market-based solution," said Jonathan Zuck, president of the Washington-based Association for Competitive Technology, which mainly represents small tech companies.

    "The technology and entertainment industries have more in common than difference and a less heated environment will allow us to better find solutions that meet the needs of these industries and consumers."

    Rep. Howard Berman, D-Calif., a strong supporter of the music industry, said he would be interested in hearing from the three industry groups if they think more copyright law is necessary.

    "I hope the rest of the creative and technological communities get on board with a unifying message, and thus we can 'tone-down' the divisive rhetoric that has otherwise predominated many copyright and technology debates," Berman said in a statement.

    It's thought that the agreement could affect a proposal by Sen. Ernest Hollings, D-S.C., which made huge waves in the content community last year. His bill would prohibit the making and distribution of "digital media devices" — such as handheld music players or CD players — unless they include government-approved copy restriction technology.

    But Hollings spokesman Andy Davis said his plan was to get the technology and music industry talking about how they themselves can protect content, not so much to enact another restrictive law.

    If Tuesday's announcement is a sign that the content community and the tech community are going to sit down and work it out on their own, "then that's exactly what he had hoped for," Davis told Foxnews.com. But if it's merely a way to get around the impasse the two sectors have thus far reached on the topic of digital right management, "then we're right back to square one and that would be very unfortunate."

    "If they were to do nothing, then obviously, he would continue to pursue the legislation."
  7. "The sky is falling!"
    --Chicken Little
    As Churchill famously predicted when Chamberlain returned from Munich proclaiming peace in his time: "You were given the choice between war and dishonor. You chose dishonor, and you will have war."
  8. OK so it is a joke, but let's say for the sake of argument that they do try something like this in the future...

    They want to write complicated software that will modify a person’s media player, infect their computer and then spread via p2p network.

    THEY CAN'T EVEN KEEP THEIR OWN SITE FROM BEING HACKED!!

    Their own website has been hacked 7 times in the last 6 months! The last one put up direct links to several of the top P2P programs and said on their home page that they were sponsored by the RIAA - no joke!

    Then they would want to go around and start infecting everyone’s computer! Kazaa alone has about 3 million people on at any given time. They are basically asking for a war with the general public, gee I wonder who will win. Even if they did everything perfectly right and exactly within the letter of the law, the mass public will still win, the laws can and will be changed. You think the US government or any government is going to prosecute 15% of their entire population! If you took it to the letter of the law, I'm sure that 70-90% of all computer users have at least 1 file on their computer that is not 100% legal, some they may not even know about.

    Also, if they slip up anywhere (very high probability since they can't even protect their own web site), they could be sued by 20 million people for infecting their computer and causing problems. I may just sue them and say that I lost a 100 page document because their "tampering" caused my computer to crash and lost me a very very VALUABLE document. Imagine the pains in them trying to prove that their software tampering didn't cause the problem! It's unlikely that changing Winamp causes Word to crash but it is POSSIBLE and therefore opens them up to all kinds of accusations. Not only that but that could set a huge precedent where now every software developer has the right to go around and infect everyone’s computer just to make sure no one is doing anything illegal with their product. Soon we'll have 5000 companies all infecting my computer because they are suspicious of what I might be doing.

    No, all the RIAA is doing is throwing gasoline on a flame and further inflaming the public and all those nasty little hackers out there that have far toooo much time on their hands... jmo though

    Good luck to the RIAA, the sooner they embrace the fact that the public is their customer and their lifeline and not their evil stealing nemesis the sooner they will work with the public in creating new more efficient and internet friendly models for selling their property.

    rhuala
  9. Member
    Join Date
    Mar 2002
    Location
    canada
    maybe this is all part of their plan to create some sort of mass panic to scare everyone to stop!
  10. Member
    Join Date
    Aug 2002
    Location
    Behind the wheel of a R34
    And so it's called ILLEGAL
  11. It all sounds great but wait until Consumer Groups, and others call their lawyers and file lawsuits for 1) defective products, 2) invasion of privacy, 3) violation of the fair usage.

    It will not be a cakewalk for RIAA, and whichever manufacturer decides to make deals with them.
  12. Member
    Join Date
    Aug 2002
    Location
    Behind the wheel of a R34
    so say that the RIAA will be able to hack...

    If someone like Microsoft steals a program (which they have done hundreds of times to others) that I developed, then I have the right to sue them and hack them?

    Or just that I make a bogus MP3 File that I made and then put it into My Shared Folder then rename it to someone like Eminem, open Kazaa change the description to Eminem also and then let them hack away. I would be able to sue them because they hacked into my computer and violated their rights in the bill.

    Excuse Me but we have some very STUPID politicians in office
  13. Member marvel2020's Avatar
    Join Date
    Mar 2001
    Location
    Vorlon Home World
    SCREW the RIAA, bunch of ********.

    I don't use them P2P programs anymore ever since the best "NAPSTER" was stopped .

    So it ain't gonna bother me what they do.

    And I don't really buy any CD's anymore either, except for the Groups I like and who deserve it.

    What man makes, MAN CAN BREAK!!!!
  14. Yeah, well what the RIAA is doing with this "Gobbles" security group is illegal. No matter what anyone thinks about p2p or whatever, someone snooping around your computer system and then trying to use some "evidence" they got against you is pure nonsense. Blackice is crap anyway, stay with Sygate and I guarantee you that you will not be affected. Also, stay away from opensource programs like the fmpeg123 software.
  15. Member BJ_M's Avatar
    Join Date
    Jul 2002
    Location
    Canada
    it was a joke -- read the whole thread ///


    hehehe

  16. Member The village idiot's Avatar
    Join Date
    Apr 2002
    Location
    Adrift among the STUPID
    But if it was real, it would be illegal.
    Hope is the trap the world sets for you every night when you go to sleep and the only reason you have to get up in the morning is the hope that this day, things will get better... But they never do, do they?
  17. geez, you had me going there I did "selective" reading and went off on a tangent. Sorry about that. Cheers


