MediaDefender: Victim of hackers or just a victim of karma?
Unless you have been living under an internet rock this past week, you have heard all the news surrounding the company MediaDefender. From MediaDefender’s website, “MediaDefender, Inc. is the leading provider of anti-piracy solutions in the emerging Internet-Piracy-Prevention (IPP) industry. We provide services that stop the spread of illegally traded copyrighted material over the Internet and Peer-to-Peer networks.”
In February 2007, MediaDefender launched a video sharing site called Miivi.com. Back on July 4th it was discovered that the video download site MiiVi was really a “honey pot” (fake site) put up to track individual downloading videos illegally. In an interview with Ars Technica, chief executive Randy Saaf stated that “MediaDefender was working on an internal project that involved video and didn’t realize that people would be trying to go to it and so we didn’t password-protect the site”. MiiVi was showdown that same day, July 4th, 2007.
This past week, 6 months (700 MB) worth of emails were leaked out and spread all over the internet. The emails contain information about the various tactics and technical solutions for tracking p2p users, and disrupting p2p services. Following MediaDefender’s subsequent email leak, TorrentFreak alleged that MediaDefender’s statement about it being an “internal project” (see quote above) was revealed to be a deliberate falsehood. The emails revealed that the site was closed when this fact became public knowledge, and was scheduled to be re-launched as www.viide.com. Viide.com has not yet been opened up to the public.
Quoted from an article on Arstechnica
“MediaDefender’s damage control program went into full swing shortly after that. When Douglas pointed out that information about MiiVi had been added to the MediaDefender Wikipedia page, Saaf decided that he wanted it taken down. “Can you please do what you can to eliminate the entry? Let me know if you have any success,” Saaf wrote. “I will attempt to get all references to miivi removed from wiki,” developer Ben Ebert replied. “We’ll see if I can get rid of it.”
After a statement Saaf sent to Digital Daily was included in a blog entry, Saaf sent an e-mail to a handful of MediaDefender employees asking if it would be a good idea to post it to the Digg.com news site. He also suggested possibly having MediaDefender employees post comments. Referring to the Digg community, MediaDefender co-founder Octavio Herrera replied, ‘They aren’t going to believe you.’”
In an additional blow (and I am sure not the last), the group known as the “MediaDefender-Defenders”, who are responsible for distributing the leaked emails initially, have today leaked the source code MediaDefender used “for the ‘trapping’ and decoy software that MediaDefender uses to spread fake files on P2P networks.”
As security professionals we all understand that hacking, in and of itself, is not evil or wrong. Hackers are no more “terrorists”, as locksmiths are cat burglars. In fact, hacking is merely the discovery of information whether it be in software or hardware. It’s the choices you make and how you use said knowledge that really starts to define the “white” versus “black” hats in this realm. That said, I’d like to state I don’t endorse or condone pirating movies or music, nor hacking with mal intent. Now that I have gotten all the disclaimers out of the way, I would also like to state that I also don’t endorse or condone MediaDefenders tactics in “preventing piracy”. These unethical and in some cases illegal business techniques are really the root cause of why they are in such hot water now. Two Wrongs Do Not Make a Right. Some might say what the hackers did falls under this mantra too, but in this case, they didn’t hack for mal intent per se. It was an expose. They revealed the unethical techniques used by this corporation, no differently than any undercover journalist would. Just because the technology has changed doesn’t make it any different then a 20/20 hidden camera or “to catch a predator” style journalism. These hackers are the modern day “deep throat” (the informer not the movie). I don’t want to glorify there actions too much, but at the same time it had to be said to squash any “double standard” remarks. Infecting P2P networks is not the way to handle this issue. MediaDefender is no different then the bored 13 year old kid in China who writes the next big worm or virus. I could go on and on about the techniques they used but with a little help from Google you can read the leaked emails and see for yourself. Regardless of how you feel about illegal downloading or swapping of music and movies, I think you should read over them and ask yourself if you feel the actions by this corporation was ethical as a business, and if there techniques are any better than the “criminals” they were out to prevent.
I really do think in this case MediaDefender is really only a victim of one thing, karma.