If U View A Public Url Mobitv Considers U A Hacker - Printable Version
If U View A Public Url Mobitv Considers U A Hacker - paolo - 03-07-2008

Basically this is what's happening. It turns out Mobitv stores links to their feeds in a plain text file that anyone with internet access can view. Apparently viewing this text file is considered 'hacking'. These feeds do not appear to be protected in any way and it appears anyone with a compatible phone can view them. I'm sure Mobitv's content providers would be very interested to know that mobitv is broadcasting their intellectual property while taking such measures to protect it.

It's like they're a movie theater with see-through walls. If you walk by you can see what's going on but they don't want you to.

Anyways Mobitv is asking us to remove the link to this text file. If we do not they are threatening to contact ICANN and HowardForum's host to get the site pulled down.

http://www.howardforums.com/announcement.php?f=49

If U View A Public Url Mobitv Considers U A Hacker - NOS2Go4Me - 03-07-2008

Someone had to stumble on the exact file, which isn't publicized... which is their point. They're posting "back door" access to content that they might not deserve access to.

I can see exactly what they're getting at. Howard should nuke the thread and be done with it.

If U View A Public Url Mobitv Considers U A Hacker - darkpuppet - 03-07-2008

A reply from one of the DIGG threads...

WiWavelength Wrote:
I composed the following e-mail to Josh Andrews & Ellen McDonald, internal legal counsel to MobiTV. I encourage you to do likewise. Feel free to copy & paste. I do not quibble over my copyright.

If U View A Public Url Mobitv Considers U A Hacker - darkpuppet - 03-07-2008

NOS2Go4Me, Mar 7 2008, 08:59 AM Wrote:
Someone had to stumble on the exact file, which isn't publicized... which is their point. They're posting "back door" access to content that they might not deserve access to.

Actually, in most cases, the file can be discovered strictly by accident.

It's like embedded Windows Media files... you try to open a link, your browser doesn't recognize it because the plugin isn't installed correctly, and shows the embedded object parameters. One of them points to a playlist. So you point your browser to the playlist, and voila... you get a list of media servers and links to the media.

Looks like mobiTV uses the same sort of embedded object and playlist, which, with any bit of browsing around, one could easily stumble upon.

Anytime you make a portion of your app open to the outside world, that's the risk you take. You can take action against anyone using the data for illegal use (like take action against someone who's downloaded credit records for identity theft), but you can't just take action against someone who stumbled on free-to-air TV.

It's really MobiTV that's the one at fault and they're trying to limit their legal exposure to their clients. In reality, they can't do much other than make threats at this point, as they're the ones that should be sued for breaking their contract (assuming that the contract had defined the security requirements for the copyrighted content).

If U View A Public Url Mobitv Considers U A Hacker - NOS2Go4Me - 03-07-2008

^^ What isn't mentioned there is HOW they found out what file to use. How did they do it?

If you're doing blind subdirectory listing attacks on a webserver, attempting to access info that the server doesn't give up by default when you access a hosted domain name (i.e. http://www.mobitv.com), that's probing. They call it hacking, which it isn't... it's more of a "soft" brute force attempt to poll a server for resources that shouldn't be visible. On that note, there's no mention if a known IIS / Apache vulnerability was used to gain access to said file.

There's no way they just "entered a URL" without knowing the exact destination. That's an awful lot of 404s to entertain for the sake of one content file. Either they "hacked" their phone's feed and found the source file or they probed the content server until they found the source file. Either way, it's a grey area at absolute best.

Sure, if a misconfigured media player plugin gave up the URL, that's fine... but by accessing content that they shouldn't be able to (accessing wireless networks, anyone?), they aren't exonerated from legal obligations.

Yes, they should have posted how they found the URL - which they won't, because they'll just keep doing so a little more privately in the future.

Steve - LOL @ the Apache config page. But that also proves my point. By going there, you can't do blind directory listings. So, they had to know where to go. Chicken and the egg and all that.

If U View A Public Url Mobitv Considers U A Hacker - darkpuppet - 03-07-2008

Brute force attacks can be considered hacking... what I'm saying is that anybody curious enough could have found the URL in their phone, or another app that wasn't configured properly for Sprint TV, which could have exposed the URL.

I think if someone posted how they found the URL, HoFo would have a stronger leg to stand on.

However, I think it's a bit of a moot point. A quick Google search turns up a few hundred websites with the link.

btw... go to qtv.mobitv.com and tell me that looks like a properly configured web server...