[Year 12 IT Apps] Privacy filter gone very wrong

ATKINSON-BUCK, Damien Damien.ATKINSON-BUCK at ivanhoe.com.au
Tue Jun 15 14:00:54 EST 2010


An interesting article highlighting the need for proper data security measures:
http://torrentfreak.com/isp-attempts-to-block-file-sharing-ends-results-in-epic-failure-100614/

ISP Attempt To Block File-Sharing Ends in Epic Failure
Written by enigmax<http://torrentfreak.com/author/enigmax/> on June 14, 2010

In response to the country's "3 strikes" Hadopi legislation, last week a French ISP began offering a service to block file-sharing on customer connections for 'just' 2 euros per month. It didn't take long for awful vulnerabilities in the system to be found which breached not only the privacy of subscribers, but exposed them to new security threats.

France's big, bad, scary Hadopi legislation and the systematic tracing, monitoring, reporting and disconnecting of file-sharers is all but here, so it seems there's no better time for other companies to start making money from it.

Last week saw French ISP Orange take the opportunity to start providing a service which, at least on the surface, is designed to put the minds of subscribers at rest. For a 2 euro per month payment, Orange is offering a service which "allows you to control the activity of computers connected to your internet line, from downloading 'illegally' using peer-to-peer networks. You can protect up to three computers connected to the same internet line."

The software, which is Windows-only, runs in the background and utilizes a blacklist maintained and updated by Orange. Precisely what is on that blacklist remains a secret.

"Our solution is intended primarily for parents who want to make sure their children do nothing illegal on P2P networks," the company said in a statement to French media last week while adding that just because the software is running, it doesn't mean that users are fully protected against legal action under Hadopi.

History tells us that whenever a company gets involved in anti-piracy action, they leave themselves open to being probed. Several anti-piracy companies and groups have seen their systems examined and even hacked over the years, and Orange is no different.

Bluetouff<http://bluetouff.com/author/bluetouff/> has documented his findings on the Orange system and they are pretty surprising.

Using Wireshark to sniff the output of the software on his local network, Bluetouff was able to identify an IP address used by the software to obtain its updates.

"The software communicates with a remote server, a Java servlet actually located on the ip 195.146.235.67," he explains.

Nothing too out of the ordinary there - except that all information is not only being transmitted in the clear but all information on that server is public<http://www.theinternets.fr/2010/06/13/actu-le-logiciel-anti-p2p-dorange-neglicence-caracterisee/> (via http://195.146.235.67/status), meaning that every user had their IP addresses exposed to the public. But it doesn't stop there.

Whoever set up the security on the server admin panel didn't do a very good job. The username was set to 'admin' and the password set to 'admin' too. This morning that gaping hole was still open<http://www.theinternets.fr/2010/06/14/actu-logiciel-anti-p2p-dorange-le-servlet-est-nomme-hadopitechnical-servlet/>.

TorrentFreak is informed that people have accessed the server and have discovered that it's possible to send malware to anyone using the software, which makes a bit of a joke out of Orange when it claims: "The software runs in the background to ensure your safety without disrupting the important tasks that you perform."

"People don't know whether to laugh or cry," Astrid Girardeau from TheInternets.fr told TorrentFreak. "Because it is a new Hadopi fail. And because, Christine Albanel<http://torrentfreak.com/?s=Christine+Albanel>, the ex-Minister of Culture, is now the executive of communication, for... Orange."


Damien Atkinson-Buck
Member of Academic Staff (Secondary)
p: +61 3 9490 3848
f: +61 3 9490 3490
e: damien.atkinson-buck at ivanhoe.com.au
w: http://myivanhoe.net



The Ridgeway Campus
PO Box 91 The Ridgeway
Ivanhoe Victoria
3079 Australia

