piracy

DRM fails utterly

From John Siracusa’s “The once and future e-book: on reading in the digital age” (Ars Technica: 1 February 2009):

Nuances aside, the big picture remains the same: DRM for digital media distribution to consumers is a mathematically, technologically, and intellectually bankrupt exercise. It fails utterly to deliver its intended benefit: the prevention of piracy. Its disadvantages, however, are provided in full force: limiting what consumers can legally do with content they have legitimately purchased, under threat of civil penalties or criminal prosecution.

Prices for various services and software in the underground

From Tom Espiner’s “Cracking open the cybercrime economy” (CNET News: 14 December 2007):

“Over the years, the criminal elements, the ones who are making money, making millions out of all this online crime, are just getting stronger and stronger. I don’t think we are really winning this war.”

As director of antivirus research for F-Secure, you might expect Mikko Hypponen to overplay the seriousness of the situation. But according to the Finnish company, during 2007 the number of samples of malicious code on its database doubled, having taken 20 years to reach the size it was at the beginning of this year.

“From Trojan creation sites out of Germany and the Eastern bloc, you can purchase kits and support for malware in yearly contracts,” said [David Marcus, security research manager at McAfee Avert Labs]. “They present themselves as a cottage industry which sells tools or creation kits. It’s hard to tell if it’s a conspiracy or a bunch of autonomous individuals who are good at covering their tracks.”

Joe Telafici, director of operations at McAfee’s Avert Labs, said Storm is continuing to evolve. “We’ve seen periodic activity from Storm indicating that it is still actively being maintained. They have actually ripped out core pieces of functionality to modify the obfuscation mechanisms that weren’t working any more. Most people keep changing the wrapper until it gets by (security software)–these guys changed the functionality.”

Peter Gutmann, a security researcher at the University of Auckland, says in a report that malicious software via the affiliate model–in which someone pays others to infect users with spyware and Trojans–has become more prevalent in 2007.

The affiliate model was pioneered by the iframedollars.biz site in 2005, which paid Webmasters 6 cents per infected site. Since then, this has been extended to a “vast number of adware affiliates,” according to Gutmann. For example, one adware supplier pays 30 cents for each install in the United States, 20 cents in Canada, 10 cents in the United Kingdom, and 1 or 2 cents elsewhere.

Hackers also piggyback malicious software on legitimate software. According to Gutmann, versions of coolwebsearch co-install a mail zombie and a keystroke logger, while some peer-to-peer and file-sharing applications come with bundled adware and spyware.

In March, the price quoted on malware sites for the Gozi Trojan, which steals data and sends it to hackers in an encrypted form, was between $1,000 and $2,000 for the basic version. Buyers could purchase add-on services at varying prices starting at $20.

In the 2007 black economy, everything can be outsourced, according to Gutmann. A scammer can buy hosts for a phishing site, buy spam services to lure victims, buy drops to send the money to, and pay a cashier to cash out the accounts. …

Antidetection vendors sell services to malicious-software and botnet vendors, who sell stolen credit card data to middlemen. Those middlemen then sell that information to fraudsters who deal in stolen credit card data and pay a premium for verifiably active accounts. “The money seems to be in the middlemen,” Gutmann says.

One example of this is the Gozi Trojan. According to reports, the malware was available this summer as a service from iFrameBiz and stat482.com, who bought the Trojan from the HangUp team, a group of Russian hackers. The Trojan server was managed by 76service.com, and hosted by the Russian Business Network, which security vendors allege offered “bullet-proof” hosting for phishing sites and other illicit operations.

According to Gutmann, there are many independent malicious-software developers selling their wares online. Private releases can be tailored to individual clients, while vendors offer support services, often bundling antidetection. For example, the private edition of Hav-rat version 1.2, a Trojan written by hacker Havalito, is advertised as being completely undetectable by antivirus companies. If it does get detected then it will be replaced with a new copy that again is supposedly undetectable.

Hackers can buy denial-of-service attacks for $100 per day, while spammers can buy CDs with harvested e-mail addresses. Spammers can also send mail via spam brokers, handled via online forums such as specialham.com and spamforum.biz. In this environment, $1 buys 1,000 to 5,000 credits, while $1,000 buys 10,000 compromised PCs. Credit is deducted when the spam is accepted by the target mail server. The brokers handle spam distribution via open proxies, relays and compromised PCs, while the sending is usually done from the client’s PC using broker-provided software and control information.

Carders, who mainly deal in stolen credit card details, openly publish prices, or engage in private negotiations to decide the price, with some sources giving bulk discounts for larger purchases. The rate for credit card details is approximately $1 for all the details down to the Card Verification Value (CVV); $10 for details with CVV linked to a Social Security number; and $50 for a full bank account.

How movies are moved around on botnets

From Chapter 2: Botnets Overview of Craig A. Schiller’s Botnets: The Killer Web App (Syngress: 2007):

Figure 2.11 illustrates the use of botnets for selling stolen intellectual property, in this case Movies, TV shows, or video. The diagram is based on information from the Pyramid of Internet Piracy created by Motion Picture Arts Association (MPAA) and an actual case. To start the process, a supplier rips a movie or software from an existing DVD or uses a camcorder to record a first run movie in the theaters. These are either burnt to DVDs to be sold on the black market or they are sold or provided to a Release Group. The Release Group is likely to be an organized crime group, excuse me, business associates who wish to invest in the entertainment industry. I am speculating that the Release Group engages (hires) a botnet operator that can meet their delivery and performance specifications. The botherder then commands the botnet clients to retrieve the media from the supplier and store it in a participating botnet client. These botnet clients may be qualified according to the system processor speed and the nature of the Internet connection. The huge Internet pipe, fast connection, and lax security at most universities make them a prime target for this form of botnet application. MPAA calls these clusters of high speed locations “Topsites.”

. . .

According to the MPAA, 44 percent of all movie piracy is attributed to college students. Therefore it makes sense that the Release Groups would try to use university botnet clients as Topsites. The next groups in the chain are called Facilitators. They operate Web sites and search engines and act as Internet directories. These may be Web sites for which you pay a monthly fee or a fee per download. Finally individuals download the films for their own use or they list them via Peer-to-Peer sharing applications like Gnutella, BitTorrent for download.

6 reasons why “content” has been devalued

From Jonathan Handel’s “Is Content Worthless?” (The Huffington Post: 11 April 2008):

Everyone focuses on piracy, but there are actually six related reasons for the devaluation of content. The first is supply and demand. Demand — the number of consumers and their available leisure time – is relatively constant, but supply — online content — has grown enormously in the last decade. Some of this is professional content set free from boundaries of time and space, now available worldwide, anytime, and usually at no cost (whether legally or not). Even more is user generated content (UGC) — websites, blogs, YouTube videos — created by non-professionals who don’t care whether they get paid, and who themselves pay little or nothing to create and distribute it.

The second is the loss of physical form. It just seems natural to value a physical thing more highly than something intangible. Physical objects have been with us since the beginning of time; distributable intangible content has not. Perhaps for that reason, we tend to focus on per-unit costs (zero for an intangible such as a movie download), while forgetting about fixed costs (such as the cost of making the movie in the first place). Also, and critically, if you steal something tangible, you deny it to the owner; a purloined DVD is no longer available to the merchant, for instance. But if you misappropriate an intangible, it’s still there for others to use. …

The third reason is that acquiring content is increasingly frictionless. It’s often easier, particularly for young people, to access content on the Internet than through traditional means. …

Fourth is that most new media business models are ad-supported rather than pay per view or subscription. If there’s no cost to the user, why should consumers see the content as valuable, and if some content is free, why not all of it? …

Fifth is market forces in the technology industry. Computers, web services, and consumer electronic devices are more valuable when more content is available. In turn, these products make content more usable by providing new distribution channels. Traditional media companies are slow to adopt these new technologies, for fear of cannibalizing revenue from existing channels and offending powerful distribution partners. In contrast, non-professionals, long denied access to distribution, rush to use the new technologies, as do pirates of professional content. As a result, technological innovation reduces the market share of paid professional content.

Finally, there’s culture. A generation of users has grown up indifferent or hostile to copyright, particularly in music, movies and software.

Modern piracy on the high seas

From Charles Glass’ “The New Piracy: Charles Glass on the High Seas” (London Review of Books: 18 December 2003):

Ninety-five per cent of the world’s cargo travels by sea. Without the merchant marine, the free market would collapse and take Wall Street’s dream of a global economy with it. Yet no one, apart from ship owners, their crews and insurers, appears to notice that pirates are assaulting ships at a rate unprecedented since the glorious days when pirates were ‘privateers’ protected by their national governments. The 18th and 19th-century sponsors of piracy included England, Holland, France, Spain and the United States. In comparison, the famed Barbary corsairs of North Africa were an irritant. Raiding rivals’ merchant vessels went out of fashion after the Napoleonic Wars, and piracy was outlawed in the 1856 Declaration of Paris (never signed by the US). Since the end of the Cold War, it has been making a comeback. Various estimates are given of its cost to international trade. The figure quoted most often is the Asia Foundation’s $16 billion per annum lost in cargo, ships and rising insurance premiums.

The International Maritime Bureau (IMB), which collects statistics on piracy for ship owners, reports that five years ago pirates attacked 106 ships. Last year they attacked 370. This year looks worse still.

In waters where piracy flourished in the past, the tradition embodied in figures such as Captain Kidd has persisted: off the Ganges delta in Bangladesh, in the Java and South China Seas, off the Horn of Africa and in the Caribbean. Three conditions appear necessary: a tradition of piracy; political instability; and rich targets – Spanish galleons for Drake, oil tankers for his descendants. A fourth helps to explain the ease with which it happens: ‘The maritime environment,’ Gunaratna said, ‘is the least policed in the world today.’

The IMB has not been able to persuade the international community or the more powerful maritime states to take serious action. The Bureau’s director, Captain Pottengal Mukundan, believes there is nothing crews can do to protect themselves. National maritime laws are not enforced beyond national boundaries – which is to say, over more than half the earth’s surface. Beyond territorial waters, there are no laws, no police and no jurisdiction. Many countries lack the will or the resources to police even their own waters. The IMB advises all ships against putting in anywhere near states like Somalia, for instance, where there is a near certainty of attack. … Piracy is a high-profit, low-risk activity.

The IMB urges crews to take more precautions, but owners can’t afford every recommended improvement: satellite-tracking devices, closed circuit cameras, electric fencing and security officers on every ship. Owners and trade unions discourage the arming of merchant ships in the belief that firearms will put crews’ lives at greater risk. Only the Russians and the Israelis are known to keep weapons aboard. Competition in the shipping business forces owners to minimise expenditure on crews as on everything else. A commission of inquiry into the 1989 Exxon Valdez spill that nearly destroyed the Alaskan coast reported that ‘tankers in the 1950s carried a crew of 40 to 42 to manage about 6.3 million gallons of oil . . . the Exxon Valdez carried a crew of 19 to transport 53 million gallons of oil.’ [Quoted in Dangerous Waters: Modern Piracy and Terror on the High Seas by John Burnett] With the automation of many shipboard tasks, vessels today carry even fewer seamen than they did when the Exxon Valdez ran aground. That means fewer eyes to monitor the horizon and the decks for intruders.

Air and land transport routes have come under tighter scrutiny since 11 September 2001, but improvements to maritime security are few. An oil tanker can carry a load that is far, far more explosive than any civil aircraft. And most piracy, including the seizure of oil tankers, takes place near countries with powerful Islamist movements – Indonesia, Malaysia, the Philippines, Yemen and Somalia. Lloyd’s List reported on 4 November that Indonesia is ‘the global black spot’ with 87 attacks in the first nine months of this year – ‘the number of attacks in the Malacca Straits leaped from 11 in 2002 to 24 this year.’ Indonesia, which consists of two thousand islands, is the world’s most populous Muslim country. It has experienced decades of repression by a kleptocratic military, communal violence and the degradation of a once vibrant economy. Radical Islamists have made it the focus of their activity and recruitment in Asia.