On the post: Well, That Was Fast: Sony's New PSN System? Hacked!
Re: Re: Re: Three possible explanations
Now I think I know what really happened. Check out update #3 on the Kotaku article.
The script set a cookie when someone reset a password. Then it let blank auth keys go through, and figured out what account you wanted to reset based on the cookie they set earlier.
On the post: Well, That Was Fast: Sony's New PSN System? Hacked!
Re: Re: Three possible explanations
I read the article and my list of possible explanations is correct.
Resetting passwords by email address alone (no DOB) is a standard way of starting a two-phase authorization.
If you read the forum thread that Kotaku linked to, you can see that someone received an initial email that said something along the lines of "Click this link to reset your password".
Normally that's where a fraudulent password reset request would end unless someone had access to a user's email account; however, seconds later they received another email saying the request was completed.
Sony just stated on their blog that this was a "URL exploit", so now I present two other explanations which I forgot to list.
4. Sony set their script to automatically bypass the second phase so people wouldn't have to check their email account.
Heads should roll if this is true, but I doubt it. Why even make a two-phase auth system if they're going to bypass it themselves?
5. Sony let blank auth keys reset passwords (the official explanation?)
Maybe the programmer accidentally put something like a = instead of == for matching... But the structure of the links makes me call bull on this.
On the post: Well, That Was Fast: Sony's New PSN System? Hacked!
Three possible explanations
1. They had the reset password auth key generator key from the previous intrusion, or got in again and stole it
The most likely scenario.
2. They found the auth keys in the confirmation page that shows after submitting an email address & DOB
Very poor design I've seen on some sites before, but you'd have to be incompetent or negligent to code something like this.
3. They guessed it or social engineered it
Unlikely...
On the post: Technology Trumps ICE Domain Seizures: Browser Plugin Fix Created In Just Days
Re:
I don't think that's a good idea. If someone decided to copy a URL with the old domain name and posted it on Twitter for example, anyone without the browser add-on would still get the seizure page. Webmasters would also have to individually set up their sites with rewrite rules and HTML filters to accommodate their old domain names. It's questionable whether they're going to get those domain names back in the future or if the usage of the old domain name only by people with an add-on would be substantial enough to warrant extra coding & CPU usage.
On the post: Technology Trumps ICE Domain Seizures: Browser Plugin Fix Created In Just Days
Re: Re: Some suggestions
I'm not knocking the guy for his first try. I've never programmed a Firefox add-on in my life, nor created a patch privately or publicly, besides updating the required version string :) I only know some of the ins and outs of how it's done.
This was a good first step and even if development stopped tomorrow, it has at least brought awareness that domain name seizures can be bypassed a lot easier with a browser add-on compared to the other options that have been proposed.
On the post: Technology Trumps ICE Domain Seizures: Browser Plugin Fix Created In Just Days
Some suggestions
I've noticed that the plugin doesn't forward embedded content (img & object html tags that use the old domain). There isn't wildcard support to forward subdomains from the old site to the new, only "www". The EFF's HTTPS Everywhere add-on for Firefox has solved both of those problems, it's just not being marketed for redirecting seized domain names. Unfortunately for Chrome users, their implementation of forwarding URLs, and possibly MAFIAAfire's method too, may be incompatible with Chrome due to the way it currently handles HTTP requests.
MAFIAAfire updates its ruleset every time the browser starts which is inefficient and can bog the source servers down. A better implementation would be to store the ruleset, only update it every 3-5 days via subscription, and have a manual override button. Users should be able to put in their own ruleset URLs too, which would be a crucial feature if all of the 4-5 default ruleset mirrors died.
Pre-registration of alternate domain names can be a honeypot whether it's intended by the author to be one or not. Torrent-finder verified their old domain name prior to the seizure on Google Webmaster Tools, and used the "Change of address" feature after it was seized. A system like that can expedite the change fast enough without exposing the new domain name.
Finally, it's too focused on the United States even though it isn't the only country seizing domain names. Having a politically loaded name like that might get the plugin booted from the Mozilla add-ons directory. I commend the author of the plugin for making it, but he should realize it's not just movie & music companies that want to seize domain names. If the EFF's plugin had a ruleset subscription feature it could serve the same purpose without so much of the baggage.
On the post: Cyberlocker Responds To MPAA Lawsuit Which Tries To Give Hollywood A Veto On Tech It Doesn't Like
Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re:
I'm not recommending that someone should actually try that test though. It's really a reference to what the MPAA would say Hotfile had the ability to check by default (all filesystems store filename and size) which is clearly not enough to determine that they match.
If someone wanted to try that test they should make sure all documentation is kept that the data uploaded was random, make a published report about it, and maybe upload from Starbucks. Personally I don't think it would be worth the effort. I doubt Hotfile is that stupid to use filename+size matching and a simple email to them should suffice if you really wanted to know, without the possibility of getting mixed up and accused of pirating or something.
On the post: Cyberlocker Responds To MPAA Lawsuit Which Tries To Give Hollywood A Veto On Tech It Doesn't Like
Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re:
Second of all, if Hotfile does not have some sort of database of equivalent files, they are under absolutely no obligation to put one in place. Just making that clear.
I've just realized that possibly even having a database in place might not be enough justification to take any links down that weren't in a notice. Every Hotfile link is accessible publicly but someone needs to know the link first. All of them have 16 digits that Hotfile generates and the filename at the end, making it nearly impossible to find without actual link distribution. It would be stretching the "making available = distribution" argument pretty far but I can see Hotfile losing a case if they had a database of exact files and didn't act on them though.
However, even a database wouldn't tell you if equivalent files are infringing, or uploaded by the rightsholder. The MPAA might have to specify in the DMCA notices that they want "all copies removed" from the cyberlocker services and assert that they never gave rights to have their content stored anywhere on there. (Something tells me they'd find IP addresses on some uploads originating from movie studios themselves anyway :P)
Finally, this scenario shows how a simple filename+size match wouldn't be enough verification of exactness.
Person A:
Uploads 7 100MB split archives of a bootleg movie... Each file is named along the lines of "Archive.r00" "Archive.r01"
Person B:
Uploads 7 100MB split archives of his hard drive... Important documents, personal pictures and home movies. Each file is named along the lines of "Archive.r00" "Archive.r01". His computer is fried in a lightning storm and Hotfile retains the only copy while he looks for a new computer.
If the host received a DMCA notice for all or some of Person A's files they'd have to take them down. But do they go the extra mile and remove access, or at the very worst, remove Person B's files from their servers too? Only matching file hashes like MD5 or SHA1 can find duplicate files, not simply the filename & size. Person B could file a lawsuit if his files were deleted absent any takedown notice. Hotfile probably has something in their terms to prevent someone from suing them for anything related to data loss but it wouldn't make it right to delete files before truly determining the contents are exact.
One way to test this (without trying to sue them of course if they act on it), would be to duplicate a filename of a public link that's imminently going to be removed like "H4ngover2.r00", with exactly the amount of data, but all random chars. Any service that uses a filename or filename+size as "matching" should be called out on it...
On the post: Cyberlocker Responds To MPAA Lawsuit Which Tries To Give Hollywood A Veto On Tech It Doesn't Like
Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re:
Couldn't the movie studios be confusing separate uploads and/or split part archives as being a file alias feature??? I don't see any feature like it described on their FAQ or Premium signup page.
If they allow people to make duplicate files that take up the same amount of storage (aka the "cp" command on any dedicated server) there's nothing wrong with that as no web host is required to hold a duplication log file or database of duplicate file hashes, and pretty much none of them do.
However if there is truly a file alias system being used, either by Hotfile to save storage internally or as a feature offered to their users, Hotfile should be able to remove access to an allegedly infringing file at its source and all of its aliases when they receive a takedown letter. There's no excuse not to!
Considering if my first sentence is true, the MPAA might then turn to arguing that Hotfile does have a database showing all filenames and file sizes on their server. But in my opinion, if there's no file hash system in place as well, Hotfile couldn't be sure if those files matched or that the name and size was mere coincidence, and removing access or deleting those files could be a setup for a breach of contract suit.
On the post: Cyberlocker Responds To MPAA Lawsuit Which Tries To Give Hollywood A Veto On Tech It Doesn't Like
The only difference between a paid web host of the 90s and a "cyberlocker" today is a fake credit card #. I'm surprised they haven't sued any web hosts for allowing "x gigabytes" of storage already, or have they? Surely allowing people to store large files is always going to be for sharing pirated movies and not personal hard drive backups! And why stop there? They should start suing ISPs for letting people transfer that much information in the first place. They're all guilty!
On the post: Did ICE Pirate An Anti-Piracy Video From NYC?
Re:
It's funnier when censoring happens in real time in an "open" thread. Right before YouTube broadcast President Obama's first live speech about the Libya intervention, they linked to his weekly address from a few days back on the top of every YouTube page. The speech was scheduled way too close to 4:20 on the west coast. People in the comments thread were complaining about a lot of different subjects, but the comments with the most upvotes were always about legalizing marijuana. Each was deleted as fast as it came up, while other people started dissing the censors in the comments. I might be wrong, but I think ICE decided to disable comments on all of their videos when they read someone's comment that said "this pig even looks like a pig", which was left up for a few months. You can't expect everyone to be classy on there...
On the post: Did ICE Pirate An Anti-Piracy Video From NYC?
Re:
They should make a new video that's clear and concise instead of spreading this union patronizing straw man FUD. They're hiding the fact that movie studios have the final say in who they employ, not the pirates. Sadly, when the MPAA's talking points are parroted by the government more people are likely to believe it's true.
On the post: Should Governments Mandate Cookie Transparency?
It's really on the browser developers...
"There are already plenty of easy-to-use tools on the market for users to set up preferences via browser extensions."
Most users aren't aware those extensions exist or the privacy risks associated with third party cookies at all. And some people who became aware yesterday or last week are asking their governments to regulate it. Where were they 16 years ago? LOL.
I guess nobody could have predicted the abuse of cookies would get to the point it is at today, where a few big companies now have as much spying power as big brother and can track the exact sequence of pages a user visits no matter what site they go on. They're basically trading services like "free analytics" and "free comments" to website owners for their visitors' information and they take it hook, line, and sinker.
Regulation won't fix the problem because a lot of the lawmakers are promoting some very bad plans like popups for everything and those laws would only have reach within their own country anyway. I think a good cookie whitelisting and third party cookie blocking system needs to be added to the browser cores. Extensions break between versions but a core addition wouldn't, and it would bring more awareness since it's a "new" feature. Users liked it when popup blocking was finally added into browser cores, and better cookie control would be along those same lines.
On the post: CBS Reporter Posts YouTube Video Of Grammys... Only To Have CBS Send Takedown Notice
http://www.youtube.com/watch?v=U43Ate3Itjs