Why RIAA Keeps Getting Hacked
By Michelle Delio
Story location: http://www.wired.com/news/technology/0, ... 48,00.html
02:00 AM Jan. 03, 2003 PT
The Recording Industry Association of America may not want people to share digital files, but the organization certainly seems to be in favor of open access to its website.
On Monday, the RIAA site was hacked for the sixth time in six months.
This time, the defacement resulted in bogus press releases on the front door, touting the joys of cheese and interspecies romantic relationships.
The RIAA's role as the music industry's voice against digital piracy makes it an obvious target for those who are angered by what they see as the organization's overly vehement crusade for copyright owners' rights.
Since the RIAA site is such a tempting target, many wonder why the organization hasn't made more of an effort to secure its site. On Monday, access to the site's supposedly private innards was gained in much the same way as it was last August.
Some security experts said in no uncertain terms that the latest defacements indicate the RIAA is clueless about technology. They charge that this ignorance has resulted in the RIAA attempting to combat digital file sharing in ineffective, counter-productive ways.
"It's obvious that they don't get the Web, and they don't get technology, or they'd understand how to protect their own website," said Wall Street systems administrator Anthony Negil.
"The flaws that people are exploiting to access their site are elementary security issues and there's no excuse for an organization that purports to understand the dark side of the Internet to leave such gaping holes in their own network infrastructure."
In response to the August defacements, the RIAA upgraded its server software. But the software wasn't the problem.
"My opinion is that the people at the RIAA (who are) making the statements about P2P hacking and the (Digital Millennium Copyright Act), the executives and legal staff, are completely disconnected from the technical folks who actually run the website," said Robert Ferrell, a systems security specialist.
Ferrell and others predicted that if the RIAA escalates its anti-piracy efforts, the organization's site will be completely knocked off the Internet.
"The RIAA honestly has no idea what they're up against. They will be toast the first time they try to shut down a P2P network being used by any serious black hats," Ferrell said.
The last time the RIAA site was hacked, downloadable pirated music was posted. This time, a URL giving access to the RIAA's system for posting press releases was made publicly accessible, so anyone could post messages that then appeared on the RIAA's official press release page.
The URL was widely circulated on Internet relay chat groups on Monday. People merrily posted bogus press releases and waited for the RIAA's reaction.
Hours later, they were still waiting. The hole stayed open for seven hours.
"Hey, don't you think they should have noticed that press release urging people to have sex with barnyard animals by now?" one chat participant asked, several hours after the bogus press releases first hit the RIAA site.
A spokeswoman for the RIAA said the problem would have been identified and handled sooner had it not occurred over the holiday vacation week. She declined to comment on why the RIAA site has suffered so many security problems over the past few months.
"I believe that the RIAA honestly has no idea what they're up against," Ferrell said. "The RIAA and MPAA are Internet disasters of potentially epic proportions just waiting to happen, and while I don't ordinarily side with defacers and script kiddies, in this case I'll make an exception."