TMG have the contract to carry out the monitoring of file-sharers as part of the French government’s enforcement of its ‘Hadopi’ 3-strikes regime. Given the politically sensitive nature of the work, the subsequent leak of information and software tools from TMG was all the more embarrassing.

In order to maintain confidence in the system, Commission Nationale de l’informatique et des Libertés (CNIL), the French authority responsible for ensuring that data privacy law is applied to the collection, handling, and use of personal data, were sent in to investigate the breach.

While CNIL investigated, TMG was forced to sever its online connections with the Hadopi agency. Instead, information on infringements was sent through the postal system on DVD.

According to Numerama, CNIL had given TMG until September 16th to get their systems in order. That deadline having passed, today CNIL made an announcement.

“On July 29th and September 13th 2011, TMG detailed the procedures implemented to improve the security of its information system,” said CNIL in a statement.

CNIL noted that since the changes carried out by TMG were “satisfactory” and met legal requirements, their investigation into the anti-piracy company is now over. TMG and Hadopi will now link back up online in order to transfer infringement data between them.

Despite TMG’s obvious shortcomings, at this stage they appear to have avoided public admonishment. However, rightsholders may now have to share some of the responsibility for the embarrassment and failures at TMG.

“In France, before rights holders can collect IP addresses of infringing users, they have to ask and obtain an approval from the CNIL,” Numerama’s Guillaume Champeau told TorrentFreak.

Guillaume says that in order to obtain this approval, the four rights holder organizations – SCPP, SPPF, ALPA, SACEM/SDRM – submitted an application in which they described the security measures TMG was forced to abide by.

“But it appears TMG did not abide by all of these requirements, and even the rights holders organizations did not. For instance, they said they would audit TMG every quarter, which they didn’t,” he adds.

“As these rights organizations are the ones who where directly in touch with the CNIL, as they are legally speaking ‘in charge of the collection’ of the IP addresses, they are the ones who may be found in violation of their pre-approval promises.”

Source: TorrentFreak, for the latest info on copyright, file-sharing and anonymous VPN services.

From the various files made available, some were easily viewable with a standard text editor, others – such as an executable called server_interface.exe – were more tricky. Thanks to a admittedly fairly hostile Full Disclosure security report we now have a clearer idea of what the package is capable of.

Penned by ‘CULT OF THE DEAD HADOPI’, the report refers to TMG as “Too Many Gremlins” along with reports not to expose them to bright lights. In it the server_interface.exe code is described as a Delphi service to which anyone can connect and start sending commands, no authentication (username/password) required. Perhaps even more worrying is a script which accepts auto-updates.

“An attacker can use the ‘Auto Update’ feature (\x82) to force the server to download updates from an evil FTP server he controls. Of course, a downloaded file is executed
just after the download,” write the researchers.

“Hence, anyone who wants to raise an army against Too Many Gremlins, look for an open port on TCP 8500,” they add.

The implication here is that if this software was present on all TMG servers, in addition to being able to turn them on and off at will a hacker could take them over with custom code of his own choosing, potentially creating “an army” which could be used to attack TMG or indeed, anyone else.

Commenting on the research, Bluetouff told TorrentFreak that the discovery of the vulnerabilities mean that the French 3 strikes program might already have been compromised.

“If TMG is vulnerable to injectioning on the system used to provide IP addresses to the HADOPI, the whole process is fu**** up,” he explained.

“Someone could for example inject the Culture Ministry’s IP range, or worse, gain access between TMG and HADOPI’s VPN by stealing certificates… then gain access to a huge amount of personal data,” he added.

“For instance we don’t know if this new ‘test server’ leak can compromise the LAN(S) of TMG with this exploit. Opacity is even for HADOPI. That’s why they went to audit TMG’s infrastructure with the CNIL [French Data Protection Office].”

“Anyway, this new episode shows that HADOPI was right to close their access,” he concludes.

That closure of access is a reference to Hadopi severing their Internet links to TMG once they found out about the leak and resorting to shifting IP addresses around by DVD and the postal system instead. That is hardly efficient and undoubtedly TMG will be working hard to get back into the 21st century.

Source: TorrentFreak, for the latest info on copyright, file-sharing and anonymous VPN services.

Blogger and security researcher Olivier Laurelli, aka Bluetouff, told us that a TMG virtual machine had been leaking data, including security tools and, according to a later report by news resource Numerama, IP-addresses of French citizens.

Naturally the revelations generated controversy, with the Hadopi agency announcing that they had suspended electronic connections with TMG and had resorted to shifting file-sharing monitoring data around on DVD instead.

As the pressure mounted on TMG, in the middle of the week they called in Commission Nationale de l’informatique et des Libertés (CNIL) to investigate the security issue. CNIL is the French authority responsible for ensuring that data privacy law is applied to the collection, handling, and use of personal data,

Then yesterday, Telecom Paper reported that TMG would sue the person responsible for finding the security flaw, but adding that it would be unusual for the French courts to prosecute people who expose lax security as doing so is deemed to be in the public interest.

TMG’s position, however, is slightly more awkward than that.

After first trying to play the situation up, using language such as “we have been the victim of data theft”, TMG followed up with claims that the exposed information was in fact nothing to do with their main systems. Furthermore, the server from which it came allegedly carried no live end-user data and was in fact a mere test machine. According to a source quoted by PCInpact, this is why TMG left it unprotected.

So on what basis would TMG sue Bluetouff? TorrentFreak asked him.

“TMG first said to the press it was an unprotected test server with no confidential data, and that there was no hack. So I’m really wondering on what basis they could attack,” he explained.

“I guess they need to sue someone because of insurance stuff or just to avoid admitting their own fail. So just wait and see but I’m quite sure they won’t sue.”

Bluetouff then reminded us of the security flaw he discovered in software developed by ISP Orange, which inadvertently leaked users’ IP addresses as it tried to block file-sharing.

“Orange had the same reaction, to send me lawyers first over their splendid ‘hadopiware’. Then they tried to understand what happened and who is guilty of what afterwards,” he explained.

Then within minutes we had another message from Bluetouff. “Wow, that was fast,” he said.

As predicted, TMG had announced that they won’t sue after all, unless they find evidence of “a formal intrusion”, something which presumably won’t be possible on a server they left deliberately open.

Time will tell what conclusions the CNIL data inspectors will draw from the episode. Their report is forthcoming.

Source: TorrentFreak, for the latest info on copyright, file-sharing and anonymous VPN services.

However, to get caught sharing copyright material, Internet users have to be monitored on file-sharing networks by the rights holders. The entertainment companies entrusted that spying job to Trident Media Guard (TMG) but during the last few hours, much to the amusement of opponents of France’s approach to enforcement, TMG has been hacked.

Actually, hacked is probably too strong a word, since it appears TMG left the front door open.

“A virtual machine leaked a lot of information like scripts, p2p clients to generate fake peers, local physical addresses in the datacenter and even a password that could lead to a major global TMG security breach,” French security researcher Olivier Laurelli, aka Bluetouff, just informed TorrentFreak.

TorrentFreak obtained copies of the files leaked from the TMG server (image above, cropped) and we’re in the process of trying work out exactly what they do which may take some time.

One of the files is an executable called ‘server_interface’ while there are also batch files which appear to start two file-sharing clients, eMule and Shareaza. These are likely to be special versions, probably modified for conducting both monitoring and spoofing on eD2K and BitTorrent networks respectively. The screenshot below (of code labelled ‘Poster’ in action) also appears to be connected to the publishing of fakes on file-sharing networks.

Another file – cmd_auto_update_cmd_file.txt – is the one carrying the worrying password referred to by Bluetouff earlier.

TMG’s security appears to be so low that Bluetouff suggests that either Christmas has come early for people wanting a poke around around an anti-piracy system or it’s some kind of weird honeypot.

TorrentFreak was also supplied with a list of IP addresses which pulled up some interesting web interfaces but we won’t publish those nor the leaked files for now.

“It’s a huge fail that could impact the graduated response (repression), during the next days,” Bluetouff concludes.

Source: TorrentFreak, for the latest info on copyright, file-sharing and anonymous VPN services.

Although their activities with Hadopi will be limited to monitoring and gathering evidence against file-sharers, we saw them trying to smother a lone file-sharer with their P2P-spamming technology, for which they have submitted a patent. The screenshot below shows TMG ‘DDoSing’ the BitTorrent user in question.

Just as file-sharers make their IP addresses known when they connect to file-sharing networks and other file-sharers, anti-piracy companies do the same. As can be seen from a WHOIS on the range of IP addresses shown above (91.189.104.0 – 91.189.111.255), they belong to TMG.

Now, according to a report over at Numerama, TMG have also been busy setting up fake eDonkey servers (located on IP ranges 85.159.236.252 – 85.159.236.254 and 85.159.232.81 – 85.159.232.83). To avoid connecting to fake servers, users are advised to only use those listed here.

There does, though, appear to be an even greater threat. Fake file-sharing clients running on the IP address range 193.107.240.0 to 193.107.240.22 (again registered to TMG, this time in the UK) are connecting to users and gathering data about the files they are sharing. This is exactly the sort of data that will be used to generate warning letters which could eventually lead to Internet user disconnections.

Through some clever monitoring, Peerates were able to discover some of the files that TMG are monitoring, which include TV shows such as Heroes and music by The Black Eyed Peas.

As the IP addresses used by companies such as TMG get revealed, at some point they will have to change them for new ones. Equally, as new ones are brought into service, those will too be revealed to the public and so the cat and mouse game continues.

While the savvy file-sharer will probably be able to stay ahead of the game to minimize their chances of being monitored, the casual file-sharer may not be so lucky. But after a warning or two, rest assured, they too will change their ways. Whether that will be by using a VPN or heading back to the media stores will remain to be seen.

Update: TorrentFreak reader Marcel wrote in with the following information:

You can do reverse lookups in RIPE database and since the linked whois record points out that CB1756-RIPE (Casalta Bastien) is admin-c and tech-c for the TMG network you can do a reverse lookup for this ripe handle.

82.138.70.128 – 82.138.70.191
82.138.81.0 – 82.138.81.255
82.138.74.0 – 82.138.74.127
91.189.104.0 – 91.189.111.255
193.107.240.0 – 193.107.243.255
195.191.244.0 – 195.191.245.255
193.105.197.0 – 193.105.197.255

Source: TorrentFreak, for the latest info on copyright, file-sharing and anonymous VPN services.

Under the new Hadopi law, alleged copyright infringers will be reported to a judge once they have received three warnings. The judge will then review the case and hand down any one of a range of penalties, from fines through to disconnecting the Internet connection of the infringer.

Trident Media Guard, the investigative company that will be responsible for tracking down alleged infringers, was presented to the public today. Interestingly enough this private company was not appointed by the government but by the entertainment industries, including the major record labels and movie studios.

Among file-sharers Trident Media Guard (TMG) is not a new name. In fact, thousands if not millions of people have run into them already as they are known to hinder illegal downloads by spreading fake data. For their ‘revolutionary’ anti-P2P technology they have submitted a patent application which is currently under review.

Aside from polluting file-sharing networks, the company will now also be responsible for tracking and reporting pirates to the authorities. TMG has the capacity to record up to 25,000 infringements a day, and according to initial estimates 10,000 offenders a day are expected to receive a warning.

TMG’s tracking technology will cover a wide range of file-sharing networks, with four of them being monitored as a priority. There is little doubt that BitTorrent, eDonkey and Gnutella will be the major targets, but according to TMG it is also possible to monitor Rapidshare, newsgroups and streaming services.

How they will be able to monitor these non-P2P services remains a mystery for now, but it suggests some form of privacy invasion. Unlike with BitTorrent, a third party can’t simply see what a user is downloading as they do when they actively monitor a user’s P2P connections.

In the UK the ISP Virgin Media is trialling a technique which involves Deep Packet Inspection to monitor the level of illicit file-sharing across a percentage of its customer base.

Because systems like this are believed to breach the privacy of individual Internet users, the European Commission has been asked to review its legality.

Thus far no details have been published on the data gathering techniques of TMG, but considering the enormous opposition against the Hadopi law there is little doubt that their every move will be closely watched.

Source: TorrentFreak, for the latest info on copyright, file-sharing and anonymous VPN services.