the IT city, the I.T. Baby


The day you unexpectedly became a criminal

I wrote this for the other blog, but it’s an interesting attack vector I thought I’d share over here (also I’ve been pressed for time so not too much content this side of blogdom) – I’m sure your kid will be claiming it’s what got them in a few years.

One of my many jobs involves a video production company, and I was tasked with attempting to locate a means by which we could distribute a movie to an audience that wanted it and wanted to help distribute it to others, yet without the requirements to install a player, or provide 500 copies of proof we own a license for the music, host a high speed server, and it would be nice if the movie could disappear from the face of the planet after so many hours.

Think charity promo mini movie and you’ve about got it.

Piracy of it wasn’t a huge concern, but the attempt was to make it an event that ended and drew people in at around the same time so that discussion and participation happened then, not months later. Anyway, this was what I was researching when I discovered you could be distributing copyrighted movies, child porn, or participating in other illegal activities just by reading a web page with a little code on it.

While you may have known that actively participating in bandwidth exchange in the TOR network meant you were at some point helping distribute the dark web and all the sundry stuff it contains, the same now is possible just by reading an article about how you’ve accidentally become a criminal.

No, I’m not doing that to you. Which is what I would say if I were doing this to you.

So for purposes of explanation but not finger pointing, a Javascript application like WebTorrent shows that by visiting a webpage you can participate in legal torenting movie distribution while you’re watching a movie doing nothing other than landing on the page. You can click it if you’re not at work, don’t worry, nothing illegal there although it might trip your work’s torrent filters.


Should you not want to click it at work, what happens is the script loads, a video box like YouTube pops up and starts playing a movie, on the left you’ve got a graphical representation of who you’re connected to on the internet and grabbing pieces of the movie to watch from other people, who are similarly watching the movie or just sitting there seeding it.

At the same time you’re giving out pieces of the movie you have to people out there.

But, there doesn’t have to be a box showing a movie and who you’re connected to, and there doesn’t have to be any indication that anything is going on. You could just be sitting reading about how you’re now a criminal and find out when the FBI showed up that the web page had been injected with code that loaded a Javascript and you’ve been seeding child porn and warez every time you visited.

Site operators might not even have a clue that their sites had been injected as it could potentially come in the form of a crappy ad, such as we’ve seen on our site from time to time.

Torrenting in the backgroundYou can disable Javascript at the moment to prevent a Webtorrent-style code from running as it’s not a virus or an evolutionary leap in attack vectors, it’s just a tool that’s cool.

Unfortunately disabling Javascript is going to mean the web’s a pretty lame place reminiscent of the 90’s when a <blink> tag was all the rage.

You can also pop open Task Manager, which I did while the WebTorrent page was sitting there – you can see it in this image still sending and receiving the public domain movie they’ve got for a demo.

Now on the positive side, you can potentially slack help companies like Netflix or Hulu distribute content after the probable loss of Net Neutrality coming with this administration, so you’re not stuck with a hiked bill for Netflix to pay for more bandwidth. Just a little time on a webpage that helps decentralize content delivery.

But it’s not just torrenting and video, there’s not a lot in place to prevent a malicious plugin from doing most web operations. Last year we saw a rise of Javascript DDOSing, your computer turned into a bot while a Pikachu ad with dollar signs in its eyes ran attacks in the background and dared you to click him.

Now I could scare you and tout VPNs here. I stand to make a lot of money should you actually sign up for this one or that one. But honestly you could probably mitigate this attack vector with TOR should you be worried about it.

Just the next time you hear about someone being charged with pirate distribution, hacking, etc, realize it could just be from visiting a web page with scripting turned on and nothing to protect their IP address. Or it could be from a disgruntled IT coordinator who had full access to everything, especially setting startup pages.

The web’s gotten a lot more dangerous to the casual browser.

Of course your compromised computer doesn’t give you a criminal record, but I can guarantee if there’s 30 gig of exploited minor videos on your computer when the FBI comes knocking (even knowing you didn’t download them,) your next couple of months is probably going to be unhappy.

So yeah, slow internet? pop open task manager and make sure something isn’t currently using all of your upload bandwidth, and consider investing in a VPN, packet monitor/active firewall, or downloading something to tell you when you’re using bandwidth or ports predominantly associated with hacking and not expecting to.

Paul King

Paul King lives in Nashville Tennessee with his wife, two daughters and cats. He writes for Pocketables, theITBaby, and is an IT consultant along with doing tech support for a film production company.