From The Penetration Testing Execution Standard

PTES supports SOPA protests

Today, January 18th 2012, has been declared SOPA Blackout day. While kids all around the world are crying their hearts out because they can't find anything on the internet anymore, sites across the depleted IPv4 spectrum are dressed in fancy black. It's how emo the internet gets when people (or corporations) try to regulate it. PTES decided not to go black, mainly because we like the default wiki theme so much, but also because it'd be a tad bit better to educate. Here goes:

An analysis of SOPA by Jonathan Cran

So... the whole thing's a little ridiculous. What they're proposing won't work. The reddit article clearly explains the issue; I'd suggest reading that if you haven't already.

http://blog.reddit.com/2012/01/technical-examination-of-sopa-and.html

My takeaway is that this is an extension of current rights provided to copyright holders under the DMCA. This legislation expands the DMCA "takedowns" to enable copyright holders to:

* Have domestic assets seized if the offending site is hosted in the US.
* Require U.S. sites and search engines to remove all links to a foreign site known to be hosting their material.
* Require U.S. advertising services to no longer serve ads linking to a foreign site hosting copyrighted material, or display ads (e.g. AdSense) on the site.
* Require U.S. payment networks to cease any transactions between the foreign site and U.S. customers.
* Require U.S. service providers to block customer access to the foreign site (DNS blacklisting).

Copyright holders would have to first prove the offending site was:

* used "primarily as a means for engaging in, enabling, or facilitating the activities" of copyright infringement or counterfeit products; or
* designed by its operator "as a means for engaging in, enabling, or facilitating the activities" of copyright infringement or counterfeit products.

If these two criteria are met, the office of the Attorney General can then serve a court order to entities in the U.S., requiring them to take specific actions against the site.

So... why would you care about SOPA/PIPA as a pentester? You already know how the internet works, and you can just use a VPN service, or even just a different DNS server outside of the US, to escape the blacklisting.

Notice that "facilitating the activities" of copyright infringement is super-broad. -- If I add a link to my profile for piratebay.org, am I now facilitating, and can my site be taken down? Does facilitating mean talking about how to obtain copyrighted material? What about info on reversing or exploiting software? Making a site host copyrighted content is now sufficient to get it taken down, blacklisted and seized. -- Sounds a lot like a kiddie porn site, no? -- We all know there's no way to upload content to an unsuspecting host.

http://www.metasploit.com/modules/exploit/windows/http/coldfusion_fckeditor
http://www.buayacorp.com/files/wordpress/wordpress-advisory.html
http://www.exploit-db.com/exploits/17644/

... The legislation has profound implications for the architecture of web applications. Search engines and other media sites will need to have a way to remove any and all "offending" content. Permanently. Which means increased complexity, which means more vulns. Also, more time monitoring and blacklisting domains == less time monitoring actual criminals. The DMCA is thought of as a media-and-content-protection law, but it's also used to threaten security researchers (SNOSoft vs HP, Blackboard vs Billy Hoffman, Sklyarov vs Adobe, the list goes on). Read https://www.eff.org/wp/unintended-consequences-under-dmca for more details. There's no reason this legislation wouldn't be used the same way.

So, say you're a site that hosts (OR LINKS TO) copyrighted content. How would you work around the takedown provisions of PROTECT IP?

* Register 10 new domain names every day, and ensure they all point to your IP. -- Ensure these make it into the search engines. Make Google spend half its time chasing you down.
* Publish your IP, far and wide. -- And provide DNS / VPN / proxy service for users.
* Don't advertise with US-based entities.
* Submit to foreign search engines.
* Host outside the US. Ensure your traffic reaches your audience, just not on servers in the US. (This'll really help the recession.)

Further Reading:

* http://blog.reddit.com/2012/01/technical-examination-of-sopa-and.html
* https://www.eff.org/sites/default/files/filenode/2012_dmca_exemption_requests_no_appendix.pdf
* https://www.eff.org/wp/unintended-consequences-under-dmca
* http://www.chillingeffects.org/reverse/faq.cgi#QID196

This is less technical than I originally thought it would be. -- Mainly because to avoid all this BS, you just need to point to a non-participating DNS server. So... avoiding it is trivial, and the web will just grow around the legislation, admittedly with a bunch of money and time wasted.

SOPA for Dummies by Wim Remes

http://www.slideshare.net/wremes/sopa-4-dummies

So when SOPA or PIPA does get approved, what do I do?

Meh, it's as simple as creating a one-hit wonder (did you hear that, RIAA?). Just find a DNS server that isn't hosted in the U.S. and change your computer's DNS settings:

On Linux operating system: http://www.cyberciti.biz/tips/linux-how-to-setup-as-dns-client.html

On FreeBSD operating system: (modify /etc/resolv.conf)

On Microsoft Windows 7 / Vista / XP / Server 2000 / 2003 / 2008 operating system: http://www.thewindowsclub.com/how-to-change-dns-settings-in-windows-7-vista

On Mac: http://www.plus.net/support/software/dns/changing_dns_mac.shtml
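The Linux/FreeBSD step above (write new nameserver lines into /etc/resolv.conf) done as a script, plus the check you want afterwards: ask two resolvers for the same name and see whether they agree, which is how you notice DNS blacklisting in the first place. This is an added example, not part of the PTES page or of either author's text. It assumes POSIX sh, dig(1) for the comparison function, an environment variable RESOLV_CONF (this example's own convention) to redirect the write away from /etc while testing, and a script name set_resolvers.sh; the resolver addresses used below are placeholders, not recommendations.

```shell
#!/bin/sh
# set_resolvers.sh -- point a Unix host at an explicit set of recursive
# resolvers and compare what different resolvers answer for a name.
# Added example; not from the PTES page. RESOLV_CONF is this script's own
# override so the write can be tested outside /etc.
set -e

# valid_ipv4 ADDR: succeed only for a dotted quad with every octet in 0..255.
valid_ipv4() {
    _ip=$1
    _old_ifs=$IFS
    IFS=.
    set -- $_ip          # split on dots into positional parameters
    IFS=$_old_ifs
    [ $# -eq 4 ] || return 1
    for _o in "$@"; do
        case $_o in
            ''|*[!0-9]*) return 1 ;;   # empty or non-numeric octet
        esac
        [ "$_o" -le 255 ] || return 1
    done
    return 0
}

# render_resolv_conf NS...: print resolv.conf text to stdout. The glibc and
# BSD resolvers only use the first three nameserver lines, so refuse more.
render_resolv_conf() {
    [ $# -ge 1 ] && [ $# -le 3 ] || { echo "give 1-3 nameservers" >&2; return 1; }
    for _ns in "$@"; do
        valid_ipv4 "$_ns" || { echo "not an IPv4 address: $_ns" >&2; return 1; }
    done
    for _ns in "$@"; do
        printf 'nameserver %s\n' "$_ns"
    done
    printf 'options timeout:2 attempts:2\n'
}

# install_resolv_conf TARGET NS...: keep a .bak copy of the old file and
# replace TARGET atomically (write a temp file next to it, then rename).
install_resolv_conf() {
    _target=$1
    shift
    _tmp="$_target.tmp.$$"
    if ! render_resolv_conf "$@" > "$_tmp"; then
        rm -f "$_tmp"
        return 1
    fi
    if [ -f "$_target" ]; then
        cp -p "$_target" "$_target.bak"
    fi
    mv "$_tmp" "$_target"
}

# compare_resolution NAME RESOLVER_A RESOLVER_B: query both resolvers for the
# A records of NAME and succeed only if the sorted answers match. A resolver
# that returns nothing, or a different address, for a name the other one
# answers normally is the signature of resolver-side blacklisting.
# Needs network access and dig(1); not exercised by the offline test.
compare_resolution() {
    _name=$1
    _a=$2
    _b=$3
    command -v dig >/dev/null 2>&1 || { echo "dig not installed" >&2; return 2; }
    _ra=$(dig +short +time=2 +tries=1 "@$_a" "$_name" A | sort)
    _rb=$(dig +short +time=2 +tries=1 "@$_b" "$_name" A | sort)
    printf '%s via %s: %s\n' "$_name" "$_a" "${_ra:-<no answer>}"
    printf '%s via %s: %s\n' "$_name" "$_b" "${_rb:-<no answer>}"
    [ "$_ra" = "$_rb" ]
}

main() {
    _target=${RESOLV_CONF:-/etc/resolv.conf}
    install_resolv_conf "$_target" "$@"
    printf 'wrote %s:\n' "$_target"
    cat "$_target"
}

# Only act when nameservers are given on the command line, so the file can
# also be sourced for its functions without touching /etc.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Run it as root with the resolvers you chose, e.g. `sh set_resolvers.sh 9.9.9.9 149.112.112.112`, then `compare_resolution example.org 9.9.9.9 <your ISP's resolver>` tells you whether the two actually disagree about a name. Two caveats worth knowing before relying on this: on distributions where /etc/resolv.conf is generated by resolvconf, NetworkManager or systemd-resolved the file gets rewritten on the next network event, so the servers have to be set in that tool instead; and switching resolvers only sidesteps DNS-level blocking, while handing every name you look up to whoever runs the resolver you picked.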