Politech: FC: Trapping anti-music piracy spiders: "RIAA Pit of Confusion"

Nmap Security Scanner

Intro

Ref Guide

Install Guide

Download

Changelog

Book

Docs
Security Lists

Bugtraq

Basics

More
Security Tools

More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

Politech mailing list archives

FC: Trapping anti-music piracy spiders: "RIAA Pit of Confusion"

From: Declan McCullagh <declan () well com>
Date: Sat, 17 May 2003 12:10:41 -0400

[One problem with this approach is that it looks like the RIAA is spendingmore time targeting FTP sites than web sites. --Declan]


---

From: "Paul \"Evil Genius\" Music" <evlpawl () cox net>
To: "DeClan" <declan () well com>
Date: Sat, 17 May 2003 00:24:49 -0500

http://www.kuro5hin.org/print/2003/5/16/163447/493

RIAA Pit of Confusion (Culture)

By salimfadhley
Fri May 16th, 2003 at 10:13:06 PM EST

After reading about the RIAA threatening to sue yet another innocentarchive operator, I decided to take some direct action: It occurred to methat the RIAA keep falsely accusing others of piracy because they put theirfaith in an unintelligent spider - a fact which can be simply exploited tomake my servers into an RIAA no-go-zone...

Whilst spidering is nothing to worry about (and only to be expected on apublic site), the way the association fires off legal threats based on thisspider results alone seems wrong. Since this spider does not actually lookat the whole title of the file, or even it's content, I figured I couldhave some fun at their expense:

What if I could write a `tarpit' script that could create a large number ofinterlinked automatically generated web sites. If their spider tried toscan my server it would be fooled into thinking that it had found atreasure trove of MP3 sites. Anybody who took the time to look at the sitecould see that the site contains no pirate content at all.


How might the RIAA react to such a thing?

They could upgrade their spider so that it only recognises valid tracknamesthat are in-fact MP3s. (e.g. it would know that`elephant_wiggle-Madonna.mp3' is not a real Madonna song). This would limittheir ability to detect only correctly named MP3 files, and force them touse their spider responsibly.Every single suspect site would need to be hand-checked in order to verifythat a genuine breach of copyright has taken place - this wouldsubstantially decrease the return on investment for their spidering projectbecause it would be labour intensive, again forcing a more responsibleapproach to detecting offenders.They could blacklist my server to prevent their spider from looking at itin future - that would be at least a small victory. If they blacklistedenough servers it would be the same as giving up!They could send me a legal nastygram instructing me to disable my tarpit...Since I do not live in the USA, this might not be enforceable.


How it works

The Pit of Confusion is a pure PHP script that can automatically generate avery large number of web-sites with links to MP3s. It contains a settingsfile which contains lists of famous artist names and random words that canbe used to make silly song titles. There is also a download managercomponent - designed to deliver MP3 files in the most inefficient possible way.

As with any web-site, the action starts with a URL. Normally, the firstparts of the URL just signifies the server on which the site runs, howeverI have used a Dynamic DNS service to encode the two key site parametersinto the hostname. I learnt that trick from this website. The first twoparts of the domain name tell the script how to build the page: If you visit:


http://madonna.ricky.music.stodge.org

It will show you `Ricky's' Madonna page. The script does not know anythingabout Madonna or any of her songs - it just uses information provided atrun-time to set up the basic variables. Anything in the form ofa.b.music.stodge.org will get handled by the same server.

Notice how slowly the page loads - that is because there is a configurable`annoying delay' built into each transaction. Assuming that the spidersystem has a fixed maximum number of threads, it makes sense to tie theseup for as long as possible - but not so long as to deter a person wishingto verify that there are no pirated files on the site.

Next it builds up a list of randomly named MP3 links that include the thechosen Artist's name in the title. If you try to click on the link, insteadof delivering a pirated file it sends a non-copyrighted music file via adownload manager that ensures that the download will take a very long time.The idea is to tie-up as many threads as possible on whatever system isdoing the spidering.

Finally it makes some links to a selection of other random sites producedby the same system. The idea is to keep the spider in the tarpit for aslong as possible


Notes

This is just my first attempt. No doubt, by now more talented scripters cansee weaknesses in my plan - this is why I intend to share the source-codeof my project with anybody who wants it. If you want to help out, pleaseleave a message in this board and I will get back to ya!


Full discussion: http://www.kuro5hin.org/story/2003/5/16/163447/493




-------------------------------------------------------------------------
POLITECH -- Declan McCullagh's politics and technology mailing list
You may redistribute this message freely if you include this notice.
-------------------------------------------------------------------------
To subscribe to Politech: http://www.politechbot.com/info/subscribe.html
This message is archived at http://www.politechbot.com/
Declan McCullagh's photographs are at http://www.mccullagh.org/
Like Politech? Make a donation here: http://www.politechbot.com/donate/
-------------------------------------------------------------------------

By Date By Thread

Current thread:

FC: Trapping anti-music piracy spiders: "RIAA Pit of Confusion" Declan McCullagh (May 17)