Recently, (the previous time) FTB was down for several days because of our hosting service’s response to a DMCA takedown request. The whole story is weird, and has some odd implications. “I am not a lawyer” sort of applies here, but there’s more to it than that.

Remember, I worked in computer security since the mid 1980s, and have some experience with abuse systems and workflows – but this one is baffling. It points to interesting flaws in the system, too, but I’m not going to point those out and dwell on them because they lead to interesting denial of service attacks against  other sites. Ah, screw it, go make the world burn.

Briefly, we must first understand DMCA. DMCA is a pure hunk of evil, pushed into place by huge providers in order to cover their asses. Perhaps you may (if you are my age) remember Harlan Ellison’s famous lawsuit against AOL for carrying copyright infringing digital versions of his books. Ellison apparently settled out of court for a substantial amount. Just getting his legal expenses back would have been a substantial amount. [techdirt] The issue was real: what is the liability of a business like, say, youtube, that makes ad revenues off of displaying and publishing copyright infringing material? In fact, when youtube first started, the founders illicitly uploaded copyrighted movies and such, in order to make the site more attractive. The rest, as they say, is history. But the Ellison case revealed a dagger poised at the heart of the internet, in the form of copyright. Something needed to be done to protect the tech-bros and all their investors from the ravaging hordes of musicians, writers, photographers, movie studios, etc., whose material was being constantly ripped off. DMCA was the tech industry’s response to the problem, which is – I have to say – practically solomonic. What they did was lobby for a “safe harbor” law that shields them from copyright liability, so long as they act “diligently” to protect the copyright holders. If a copyright holder contacts a provider and begins a formal process to declare infringement, the provider takes it down until the dispute is resolved. In return, the provider cannot be sued for copyright infringement.

Sounds reasonable, right?

It’s reasonable until you look at it more closely. When you look at it more closely, its tuned to allow big tech companies to have a “get out of jail free” card and, in return (I’m trying to be funny, here) it places the burden on the copyright holder. So, if you’re a photographer who has shot a popular image that shows up in 1,293 myspace pages, you are responsible for policing all those myspace pages. And the facebook pages. And youtube, and and and and. Meanwhile, those sites get to continue serving up your content (along with revenue-generating ads!) with no liability. Imagine if you were an amateur photographer, who shot a photo that became a popular myspace page decorator, and now suddenly you’re getting none of the ad revenue your image is driving, and your only recourse is to complain. A lot.

DMCA’s formal process is a “takedown request” which attests that a) you are the copyright holder of a given work, b) you do not want your work displayed in the way it is being displayed c) please take it down. The recipient of the DMCA takedown has 30 days to remove the offending work, notify the person who posted it, and that’s it. There is a provision where the person who posted the work can contest the takedown request, and the whole process can go back and forth.

Back in the day, I had a big problem with people using some of my photos and claiming “that’s me!” (mostly, professional escorts …) or worse, they’d take one of my photos, photoshop on it a bit, and post it claiming it was their artwork. Then, there were the well-meaning unaware creative talents who’d take one of my photos, and put some stupid piece of doggrel poetry on it, and post it as theirs. Those folks were a huge problem because a) obviously they understood nothing about copyright, b) obviously they didn’t care anything about copyright, c) it was personal for them and they’d go to great lengths to get slapped around by an angry artist. I’m not going to bore you all here with stories of copyright infringement, though, I’m just going to talk about a couple DMCA cases that have affected FTB and how and why, and why DMCA is an evil piece of shit legislation. But, I used to have to constantly – to the tune of 5 or 6 a week – write DMCA takedowns, just for deviantart. I gave up on the rest of the internet. Then, I gave up on deviantart, too.

8/25/2021, I got an email forwarded to me from PZ, our iron-fisted overlord, that was a WTF-a-gram asking basically, “what trouble have you gone and created this time?”

Knuckling my brow, in my best Eyegore imitation, I started digging to figure out what was going on.

And, it was weird. The page in question was my recipe for peanut butter sriracha pasta sauce, and the image that was being DMCA’d was one I shot of some pasta, on my kitchen counter. I immediately replied with an image indicating I was the copyright holder, and proving it – after all, since I had downsampled the image, the claimant would have had to have the original to be able to produce the downsampled version, right? But that does not matter, DMCA has specific provisions and the service is only interested in minimal response that keeps them within the safe harbor provision:

See, it doesn’t matter if you can prove it’s your image, you still have to take it down because the machinery of DMCA is very specific and all it amounts to is: if you’re the copyright holder, it’s your problem.

Flip that around and imagine I’m Disney Corporation. Now, one of my small army of copyright infringement checkers identifies an infringing piece of video on youtube. They click a button, some expensive software grinds into action, and youtube gets a correctly formatted DMCA filed by a certified Media Mega Corp backed by an army of lawyers, and – that’s it. As Harlan Ellison once said, “you don’t fuck with the mouse” [ironically, that story is available online here] Did I forget to mention that, now that he’s dead and not filing DMCAs, his work is apparently undefended? So DMCA serves to defend the powerful and well-resourced against the powerful and well-resourced, but does fuck all for the little guy. One more example: I ran across one guy on fetlife who had 20 images in “his” portfolio that were mine, which he claimed to have taken. Thanks to DMCA, fetlife’s response was “you have to file 20 DMCA takedowns” and – worse yet – because the provider was meeting the terms of DMCA at a minimum, they didn’t do anything else, like look at the other images in the portfolio, or shut the account down.

Anyhow, the only response I could make to my DMCA at freethoughtblogs was to take down the image that had been flagged as offending.

There’s another flaw in the DMCA: the copyright holder has to attest and swear that they are the copyright holder, and provide a contact name, address, phone number. OK, that’s interesting. The other problem is that the claimant has to provide a link to where their copy of my allegedly infringing material is hosted. So, there’s a URL included in the DMCA takedown that takes you right to the other guy’s page… and your piece of copyrighted material. I expect that by now you’ve realized there’s a problem here. In computer security terms: 1) disclosure of PII, and 2) denial of service. The claimant has to attest that they actually are a real person and own the copyright to the work, but that can all be completely fabricated.

In fact, in the DMCA case from 2021, the contact information provided was not entirely accurate. The DMCA form had a phone number in Turkey, and the name of Mohammed Tawfiq. The phone number did not work. It took me a bit of digging but I pretty quickly had his home address and actual phone number, and called him up, and asked him to take down his site because he was annoying all the Wrong People. That is not strictly true. I will attach a story about annoying the Wrong People in an appendix to this post.

Obviously, the site that was hosting the stolen copy of my recipe is now down, but because of the wonders of the DMCA process, it is possible that freethoughtblogs’ provider could suddenly decide to reactivate an old case and drop a bunch of IP blocks all over my pages here. Or worse. This is what Tawfiq’s site consisted of:

It’s a basic link-farm. When you employ one of those “Search Engine Optimization” sites, this is the kind of thing that’s going on behind the scenes. They publish link-farms that link to popular stuff (like my sriracha peanut butter pasta sauce!) and then try to manipulate search engine algorithms through proximity. This sort of link-farm is created automatically by grazing a bunch of sites for terms matching a search, then mashing up a bunch of content and vomiting out HTML that is automatically uploaded to a hosting service. Naturally, the current generation of these things will be AI-driven, so they won’t immediately light up pattern matches and may be mistaken for legitimate content. Actually, I may have phrased that wrong – they will be legitimate content because lots of legitimate sites are letting AIs write their news and articles, already, and it is no longer possible to determine what’s human-originated, or even if it matters.

Pages like this are generally not hosted on US providers, and sending them a DMCA takedown is completely pointless, because the DMCA is US law and some site in Romania is going to give absolutely no shits at all and that only because it’s not possible to give negative shits. Again, DMCA shows its uselessness for actually protecting copyright – all that matters is providing the safe harbor for US-based content aggregators.

Now, if you’ve been paying attention thus far, you’re probably wondering, “then why did our squirrel issue a DMCA? If he had just left his pirated link-farm on the down low, nobody’d ever know and nobody’d try to take it down.” That’s a really good question. And, I asked a few of the internet security wizards I know, and got back a bunch of /shrug. Most hardcore internet security folks ignore scammers because the scamming field evolves extremely rapidly and the scams are plentiful, confusing, sometimes stupid, and often complicated. Also, they change so fast it’s hardly worth keeping up to date on them. For example, in this case, it could be that Mr Mohammed Tawfiq was pursuing a search-engine optimization technique that made sense in 2009, read about it in 2010, and tried it in 2013 by which time it barely worked at all. Google, youtube, etc., – AKA “the sites that matter” – invest time and money into digging into this stuff because it’s highly relevant to their ad-sales business, but nobody else does because none of us are making gigantic piles of money selling ads.

The only reasoning I can think of for why the squirrels do a DMCA is they hope to take down the real site with the interesting content, and maybe when the real site is down their click score will go up, accordingly. It still does not make a huge amount of sense because then the squirrel should have gone after the interesting content, not a link on a page of interesting content. It may just be that the squirrels are experimenting with the search engines’ algorithms and trying to see what works. My guess is it’s a waste of time because the search engine guys are constantly worrying about overcoming such games, and are really quite skilled. Basically, google has a roomful of high end hackers who sit around thinking “how can we defeat the algorithm?” and then defeating the defeat technique before anyone else thinks of it.

Meanwhile: the entire ad economy balances wobblingly atop an ecosystem of scammers and marketers, both of whom are competing for the same thing – attention – and are willing to sink to any depths to get a few eyeball jerks or mouse-clicks. If the scammers get ahead of the game, the ad economy collapses because it no longer has value. Internet cognoscenti, of course, have always known that it has always never had any value, but that doesn’t stop the marketers.

[By the way, have you noticed, lately, how the quality of the ads on youtube has begun to drop fairly precipitously? There was a time when you’d get ads from big car companies, or insurance companies, but now it’s AI-voiced crap selling dick pills and nostrums. What we may be seeing is the beginning of the inevitable swan-dive in which the content of ads devolves to the kind of garbage that is hosted on free porn sites. Why is this happening? My guess is that it’s another thing we can blame on Elon Musk (!) – here’s the scenario: Musk’s messing around with the ad model at X, causes a bunch of the big media advertisers to leave, then they look at their numbers and realize that their ads on X really didn’t drive any business, anyway. They look around and conclude that “influencer” marketing is the way to go – i.e.: ads embedded in podcasts or vlogs by the content creators themselves, so that the ad cannot be picked out or blocked. Have you noticed, yet, how some podcasts dedicate 15 minutes of every show to reading stupid ads from pointless companies? This may be the beginning of the end for banner ads, except that since banner ads are cheap and will get cheaper, they’ll become a new form of internet spam. And, not that any of them are listening, when a podcast starts turning to embedded ads, I unsubscribe. It’s excruciatingly embarrassing to hear Malcolm Gladwell, a person I formerly respected a bit, shilling shit in his own voice. Fuck you, you ruined your legacy and it’ll be there for everyone to see/hear forever.]

The recent lengthy downtime at Freethoughtblogs was caused by a false DMCA takedown request. The provider sends an email, “you have 3 days to take down the offending copyright infringement” and if there’s no response, in go the IP blocks. You may have noticed the FTB logo vanished or was changed on some pages: the squirrel who issued the fraudulent DMCA takedown was running a link-farm of logo designs and (apparently) was trying a similar search engine weighting game, to Mohammed Tawfiq’s.

Security Operations Centers (SOCs) are all about managed work-flow. When they get an item, it goes in one side, and a crank gets turned. Sometimes actions are taken, when required, and sometimes the case is cleared. But everything is boiled down to “that which is not forbidden is compulsory” and the folks in the SOC are not allowed to think, or act, or really do anything more than turn the crank and get on to the next case. I’m certain that these messages are all boiler-plate:

So helpful. “In the event you provide us with a counter notice” is a funny thing to say in a reply to a counter notice, and the offer to “happily” provide it to the abuse reporter is just stupid: they know as well as I do that it’s going to a bulk mail account on a hosting service that nobody checks, because the person filing the notice is not and never was, real.

Where does this leave us? Well, if you want to get someone’s contact information, and they run a website, you can DMCA their hosting service and direct the response to a bulk mail account, then you wait until they do a counter-claim and you’ve got their real address/email address, unless they decide to lie, too. Or, if you want to take someone’s site down, you can start DMCA’ing chunks of it in a Resource Consumption Attack [rca: cyberinsurgency] – just go for a straightforward “death of 1,000 cuts” strategy but make sure you do it with carefully assembled layers of anonymity if you are going after the Wrong People. You can also, in fact you get for free, a denial of service opportunity, because if the target does not burn cycles responding, their provider will take them off the air for you. Of course this is all very naughty and it’s fraud because you’re attesting that you’re the copyright holder and nobody’d ever anonymously do something like that. Also, the big sites, naturally, have security teams and can afford to spend the time calling people at the hosting service, nudging the FBI, etc. This probably wouldn’t work against a well-funded well-defended target.

For the small content publisher, like freethoughtblogs, the answer is pretty simple: you get a DMCA, you move the offending ${whatever} to another hosting site then reply to the DMCA request that you have taken down the offending ${whatever} – which their workflow software verifies is true, and the crank turns and the world keeps spinning. That’s a variant of a defensive security technique some of us used to call “make it google’s problem” because if you can make a problem become one of google’s problems they’ll be motivated to solve it. I  have no idea what google spends on DMCA workflow these days, but it’s got to be a lot. On the other hand, google is so big that it’s probably difficult to annoy it enough that it registers any annoyance at all.

But behold the brilliance of DMCA: since it serves the big well-funded guys, there’s no benefit to anyone who might invest the money to go after it and reveal DMCA for the stink-pot it is. This is one of those, “well, if I had Peter Thiel money…” things, where, if I had Peter Thiel money I wouldn’t do anything because I wouldn’t care, and I’d be an asshole who wanted to be on the wrong side of the problem, anyway. I think that there might be some traction had if a well-funded person whose copyright had been infringed began sending certified letters from their lawyer to sites that infringed their material regularly, saying something like: “We are notifying you that the following intellectual properties belonging to my client are often targets of infringement – see Exhibits A through Z, attached – now that you have constructive knowledge that these properties belong to my client, who wishes to defend their copyright, you have a duty to ensure that they are blocked before being made publicly available. We understand the DMCA process, and will defend copyright on other materials using that method, but we may attempt to recover damages and court costs from you if you ignore this notice, forthwith. We consider this notice to be permanent, and will notify you further if any of the copyrighted items come out from under copyright, at such a time as they do. Happily, etc, Dewey Cheatem and Howe LLP” I actually have talked to my actual lawyer, who actually told me that the approach would amount mostly to demonstrating “we are prepared to spend a lot of money on lawyers, fear us.” That’s about right. It works for Disney.

Annoying the Wrong People: back in the late 90s I was involved in a project where the company I worked at the time was supporting the FBI with some tech talent for a specific problem. There was a guy who was contacting various sites and telling them that they’d experience some unpredictable but damaging downtime if they didn’t pay a “consulting fee” – a basic shakedown. The guy who was doing it was in Europe but had gone after a few targets in the US as well, which is how we got dragged into it. I used to love “special projects” like that because they were always a chance to get creative and pull rabbits out of a hat, or whatever. So, I got started tugging on some strings and talking to some people who had website logs and people who knew people and it turned out that our guy was in Amsterdam, using a particular cyber-cafe. It looked like he had a few compromised boxes in places around the world, and he’d go to the cyber-cafe, have a smoke or whatever, and use one of their gaming systems to pop up an ssh shell to his compromised boxes, then he’d launch attacks from there. While the FBI guys were making muttering sounds about an orbital drop ship full of ninjas to catch him in the act, I just called the guy who owned the cybercafe and talked to him, asked him if he’d be OK with sending some IP traces off his firewall, and maybe setting up a drop camera to record the guy so we could figure out what he looked like. Then, I was going to call a friend of mine who lived in Amsterdam at the time, and have him followed. Most people do not expect to be followed and do not have good operations security. This guy certainly didn’t. Setting something like that up isn’t instantaneous – you have to talk people around to it, get them willing to play, answer their questions, etc. But everything was moving along then then, silence. The FBI guy who had been calling me for updates stopped calling. Finally, I called him (not always easy to do at that time) and he said, “oh, we’re not working that situation any more.” Why not? “Well, it turns out that the guy went after a Russian mafia-owned online gambling site* and they found pieces of him in several dumpsters around town.” Those are the Wrong People. The Wrong People use circular saws to resolve their DMCA takedown “requests.” The Wrong People’s lawyers are sleepy-eyed guys who wear raincoats even in the summer.

(* multiple redundancies there)