Thursday, September 6, 2012

Contagio file downloads are not available indefinitely (thanks to Mediafire and LeakID ideas about copyright)

Update 5:
Mediafire notified me the other day that they had confirmation from LeakID that the notices they submitted were done in error. They restored all the file access.
I want to thank all who helped me with the posts and updates: Paul Robert from SophosLabs, Soulskill - Slashdot, Dan Kaplan from SC Magazine for their articles, everyone who made posts on Twitter, and the Mediafire team for the über fast response to the posts and resolution. I guess LeakID do not speak to victims directly, never heard from them.


Update 4:

This is the last update (Update 4), after which we will return to normal operations. Yesterday afternoon the Director of MediaFire Customer Support reached out and we exchanged a couple of long emails. In short, he pointed out they have to comply with the DMCA notices and apologized for the interruption. I pointed out that LeakID did not comply with the DMCA filing rules, in particular, they did not "identify the copyrighted work claimed to have been infringed" and falsely stated "that the information in the notification is accurate, and under penalty of perjury, that the complaining party is authorized to act on behalf of the owner of an exclusive right that is allegedly infringed." As a result, they (LeakID) do not deserve any respect and Mediafire's relationship with LeakID undermines customer trust in Mediafire and cloud services in general.

I must note that the account was un-suspended pending the "infringement investigation" results. My counterclaim will be answered or expire on September 16, after which I hope all charges will be cleared. This reactivation happened only thanks to the magazine and blogpost articles. Normally, the three strikes result in account closing suspension pending the results. (Sept. 8, 2012 - I just received a reply to my email from the MediaFire President and CEO Derek Labian assuring me that they investigate all the suspended accounts and it would be resolved regardless of any posts as they take these claims seriously, but not as fast as I would like. He also stated that if mistakes were made, they were made by LeakID and not Mediafire.)

I understand that the claims came from LeakID and I do understand that all claims must be checked and it takes time to check them. However, I do not appreciate auto-enforcement of American laws by foreign (and American) robots who do not even follow the filing laws. I think accounts should be suspended after the claims are proven to be true, not before.

Here are links to a related court case and an EFF article about Warner Brothers, who used LeakID services to crawl Hotfile links and file baseless copyright infringement notices en masse.

New hosting:
We had very kind offers from many people, including those who we know well and highly trust. We are thankful and might accept an offer later.  At this point, it looks like there is not a lot of data in the public facing storage of Contagio (we are talking a few GB at this point), and we can host it on a DeepEnd Research server.

New Data / new posts
All new posts will have download links to a new storage. Exchange and Mobile Exchange public upload boxes will upload data to Mediafire, after which it will be copied to the new storage as it comes. 

Old data / old posts
The old data will be mirrored to a new location and will be relinked in each post very gradually or very fast, depending on the copyright robots craziness and resulting DMCA notices. I will provide a link to the entire collection on the new storage for Contagio/Contagio Mobile/ Contagio Exchange so you can save to your own storage and not to worry about future issues. You can do it now too - all blogs have "Download it all" links on the right side.

Mediafire 
Mediafire will host Upload boxes and all incoming new data will be mirrored to a new storage. Old links will point to Mediafire for the time being - until we change them.   


Update 3 
August 7, 2012 
I am delighted that Mediafire unblocked my account. I believe it is still in danger of being blocked due to the pending copyright violation claims (see the screenshot below) but at least I can get access to my 34+ GB of data and pull it out in one piece. I am glad Mediafire responded - not directly to me but at least by unblocking it. I hope LeakID meet a more serious problem than Contagio on their path and get sued.

I want to thank Paul Robert from SophosLabs, Soulskill - Slashdot, Dan Kaplan from SC Magazine for their articles, everyone who made posts on Twitter (https://twitter.com/#!/search/snowfl0w) and sent emails with invitations for hosting, offers of legal help, and advice. I hoped this would get resolved peacefully and it did for now, and quicker than I hoped. Thank you all again.


I will be gradually relinking files to a new storage. Mediafire service has been fast and convenient but I do not want to deal with the copyright robocops that can cause a shutdown at any moment.
I hope the account stays active during the time of transition.

Mila




Update 2

Once again, thank you all for your offers of help, advice, RTs and mentions of Twitter. It really helps and I appreciate it.

I tried to call LeakID but got their answering service. I also talked with a Mediafire support person, who kindly explained to me that:

1. They do not discuss legal / account suspension matters over the phone but only via email and ticketing. I need to wait for their answers via email. Waiting..
2. My account was suspended for 3 consecutive copyright violations.

I was surprised but I figured out what they were:
1. August 9, 2012 
"The file named Office2010-kb2289161-fullfile-x64-glb.exe is identified by the key (pgfawjnsdt8zt88)."
This is a free Microsoft Office patch for Office 2010 downloadable from here http://www.microsoft.com/en-us/download/details.aspx?id=22189. I had it in my mediafire account folder and posted here.  When I got this notice in August, I thought it was paranoid and silly, considering that these patches are free for all Windows users and copied to every WSUS system freely but I did not research the copyright details on the patches so I did not feel like spending time and just removed the file. It was a mistake as they counted it as strike 1.
Update Sept 7: As requested, the full notice sent regarding the MS office patch is pasted here, together with the Youtube videos that were embedded in it. It is 31 pages long. http://contagiodump.blogspot.com/2011/09/mediafire-dmca-office2010-kb2289161.html

2. September 6, 2012 
"CVE-2009-0927_CVE-2009-4324_CVE-2007-5659_350924123CBF1B126F4E38335ED6660D_conference_prog.zip is identified by the key (0cbxoda8dpbjnh8)"
As I said, it happens to be an encrypted zip with a malicious PDF attachment described here http://contagiodump.blogspot.com/2010/08/aug-3-cve-2009-0927-cve-2009-4324-cve.html
I did file the counterclaim this morning but it was strike 2.

3. September 6, 2012 
While I was arguing with the tech support on email about file 2, the third "violation" was found and account was suspended.
"CVE-2009-4324 PDF 2010-04-20 5f49a04d3738b6026852207419bc0789c article on US Taiwan policy.zip", which is an encrypted zip with a malicious PDF posted here http://contagiodump.blogspot.com/2010/04/cve-2009-4324-pdf-ustaiwanpolicypdf.html

I tried to explain below that it is not a copyrighted file but is an example of an exploit.

 Interestingly, their emails come with embedded youtube videos - some ads of sorts. I don't know what kind of copyright infringement claim comes with ads, I guess the victims of their bullying click on the videos hoping for explanation of the craziness and LeakID or Mediafire get paid for it?

Also, my file was listed in the message in a very long list of other files that belonged to other users - see part of it on the screenshot, which is utterly unprofessional for an official copyright claim.

In a way, it reminds me of malware scareware that locks your computer for "copyright infringement" - described here http://www.fbi.gov/news/stories/2012/august/new-internet-scam, except they are real and my account suspension is real too.

LeakID cannot see file contents because of the password and their decision was made based on the filenames / mask searches. Not sure what kind of alert my file names triggered - maybe some keys or some movie names, but the lack of discretion and investigation is astounding. If Contagio were a company, I would be wondering if these are my competitors filing such complaints to take me out of business, as it seems to be a perfect way to DoS any service these days.


Update:  Thank you all for the offers of support (really appreciate it) and additional information - see links below from bloggers who had their own works removed or were/are in a similar situation with LeakID and various hosting services. 

==================================================================

Contagio file downloads are not available indefinitely (thanks to Mediafire and LeakID ideas about copyright)


This morning I got pop ups on my Mediafire  Pro (paid) account about copyright violations on my account, in particular CVE-2009-0927_CVE-2009_5659_350924123CBF1B126F4E38335ED6660D_conference_prog.zip, which happens to be an old malicious PDF attachment described here http://contagiodump.blogspot.com/2010/08/aug-3-cve-2009-0927-cve-2009-4324-cve.html
The picture of the pop up is below. The file is encrypted with an uncommon password, making it impossible to accidentally unzip and infect anyone, thus does not violate any anti-malware rules. In any case, the argument was about copyright, not malware.

Mediafire support suggested filing a counterclaim with a French copyright watchdog company called LeakID, after which they promised to unblock the file if LeakID do not respond.

I sent an email to LeakID and to Mediafire support. After a number of emails back and forth and many protests on my part, I gave up and filed the counterclaim. I was against filing it at first because there is no investigation, checks, or presumptions of innocence. I can see nothing but trolling based on some grep mask they use to search through file sharing services and cause the suspension.

Mediafire responded a few times and then completely blocked my account as a way to show they have the upper hand in this situation and are in control of my files regardless of what I think. The customer service representative "LaChandra" was very polite but that does not change the fact that this is an unacceptable attitude to customers who do not violate anything but are being wrongfully accused by some third party organizations.

Apparently, anyone can contact any file sharing service and claim DMCA violations and make them suspend any file you don't like? All it takes is to claim you are a file owner or representative of the owner (LeakID are making illegal false claims in this case, as they are not and cannot be owners of it) and the file will be suspended.

I am not alone, there are other people who are affected by this http://www.tumblr.com/tagged/leakid?before=1338438407.

If / when I get access to the files again, I will be moving them to another service, except I am not sure what kind of service, except my own hosting I can trust now. For me it is a black mark on all cloud services and a reason why I would be hesitant to recommend using cloud services for companies who are concerned about ownership of their files.



Dear MediaFire User:
MediaFire has received notification under the provisions of the Digital Millennium Copyright Act ("DMCA") that your usage of a file is allegedly infringing on the file creator's copyright protection. The file named CVE-2009-0927_CVE-2009-4324_CVE-2007-5659_350924123CBF1B126F4E38335ED6660D_conference_prog.zip is identified by the key (0cbxoda8dpbjnh8). As a result of this notice, pursuant to Section 512(c)(1)(C) of the DMCA, we have suspended access to the file.

The reason for suspension was:

BDM user "lachandra" says: Hello, My Name is Hervé Lemaire , CEO of LeakID, I am legal representative of lemaire which does business under the name Metropolitan, Authorized to act on behalf of the owner of an exclusive right that is allegedly infringed. You are hereby given notice valid under the DMCA copyright infringement notification requirements, 17 U.S.C.512. I am the designated agent of the owner of the copyrights of the images and audio/visual works listed below. I believe that the images and audio/visual works listed at the times cited below are being copied and distributed in a manner that has been not authorized by the owner of the copyrights, its agent or the law. All link below containing pirated versions of lemaire copyrighted works. The information in the notice is accurate, under penalty of perjury. Please remove all linksAs soon as possible, we will check them everyday. Thanks to inform us about y our actions. We appreciate your efforts toward this common goal. Very truly yours, Hervé Lemaire Leakid 15 bis rue de chateaudun 92250 La garenne colombes France 0033698211000 Contact lemaire Expendables -
===================

Mediafire pro reply 

Hello Mila,

Thank you for contacting MediaFire.
Unfortunately we are bound by Federal law that if we receive a complete DMCA notice we have to prevent the file from being shared. The best thing to do is follow the counterclaim process that was explained in the notice stating that the file was claimed for copyright. If you file a counterclaim the reporting party has 10 days to respond. If they do not we can restore the file.

I am sorry that you are going through this but you will encounter this with any reputable site as we have to follow the law. Follow the instructions in the email to begin the counterclaim process.

Best Regards,

LaChandra

MediaFire | Customer Support

Hello Mila,

This is what someone reporting a file must provide.
1. Identify yourself as either:
    1. The owner of a copyrighted work(s), or
    2. A person "authorized to act on behalf of the owner of an exclusive right that is allegedly infringed."
2. Identify the copyrighted work claimed to have been infringed
3. Identify the material that is claimed to be infringing or to be the subject of the infringing activity and that is to be removed or access to which is to be disabled, as well as information reasonably sufficient to permit MediaFire to locate the material in the form of a MediaFire.com URL/URLs.
4. Provide contact information that is reasonably sufficient to permit us to contact you, such as an address, telephone number, and a valid electronic mail address.
5. State that you have a good faith belief that use of the material in the manner complained of is not authorized by the copyright owner, its agents, or the law.
6. State that the information in the notification is accurate, and under penalty of perjury, that the complaining party is authorized to act on behalf of the owner of an exclusive right that is allegedly infringed.

If they do all that then we have to prevent the file from being shared. For more details on the information required for valid notification, see 17 U.S.C. 512(c)(3).

Other bloggers abused by LeakID:
  1. http://allfreematerial.blogspot.com/ Withdraw of 4Shared Recommendation - author
  2. http://iamtheleastmachiavellian.blogspot.ca Who is LeakID? Herve Lemaire? 
  3. http://inthezenarcade.blogspot.com  Damned Music-industry Cartel Assholes 
  4. http://drugpunk.blogspot.com In the interest of starting a dialogue on online file piracy...
  5. http://askearache.blogspot.com/ Rise of the Digital Music Database Bootlegger scam & Copyright Troll legal scammers.
  6. http://cleanxcut.blogspot.com/ So let's block.
  7. What are your thoughts on this 'alleged' copyright violation by my GRUB Theming Guide http://www.linuxquestions.org - open source developers
  8. http://madrotter-treasure-hunt.blogspot.com File removed by Mediafire.. 
  9. http://forum.xda-developers.com/archive/index.php/t-864216.html - open source developers
  10. http://www.tumblr.com/tagged/leakid and  http://www.tumblr.com/tagged/leakid?before=1338440557  - author
  11. First DMCA Counter Notice to LeakID & 4Shared.com  http://davishypnosis.com
  12. https://productforums.google.com/forum/#!category-topic/websearch/unexpected-search-results/HFUisAWVCFs
  13. SOPA Legislation  http://lists.newtontalk.net
  14. http://www.facebook.com/SevenStarHand/posts/385338081495246 - author
  15. http://www.knightmare.com/forum/viewtopic.php?t=2548&p=45827 - author

Links about LeakID. This article http://korben.info/leakid-la-solution-anti-direct-download.html explains how they are making money by searching and claiming to be the owner / representing owners of every item that their crazy engine tags. I wonder if they have malware authors among customers or they just grab everything and let their paying customers sort it out.
If this isn't  unlawful, I know what is.


Thanks to http://lesoleilestrare.blogspot.com/ for the links

25 comments:

  1. same thing here...http://iamtheleastmachiavellian.blogspot.ca/2012/09/mediafire-links-removal.html

  2. This is a load of bs.
    How can a malicious file that is of questionable legality have legitimate copyright?

  3. I received the exact same notification on one of my mediafire files. This company does not seem legit as my file in question is completely original. I don't even understand why Mediafire is letting this very questionable company, LeakId, bully its legitimate customers.

  4. I just don't get this bs.. :-(

    Since when malicious sample is having a legitimate copyright?
    How in the h*ll they can judge the assumed copyrighted object since is protected?
    Who said that the claimed so-called "file" is a computer file? AFAIK is a "malicious code sample" NEVER be a file.

    Law is a two bladed knife... If I were you I will take this to court to settle.

  5. On a serious note, there should be a police case filed against LeakID for spreading malware. After all they are claiming copyright for the malware. That should prompt a quick response.

    Replies
    1. LOL... I think this would be the best tactic to take. They have filed a legal document that they attest to "under grounds of perjury". So victims of the virus/malware should have a simple case against LeakId as they claim ownership.

      I would LOVE to see this.... lmao.

  6. I guess the Chinese/PLA are protecting their intellectual property through LeakId.

  7. How can they file a claim in "good faith" if they can't open the file and see what's actually inside? Isn't the perjury in itself? And if they cracked the password, isn't that a violation of DMCA on their part?

  8. get your money back and use a different site to store your files

    There is always someone that will pay attention if you ask for your money back

  9. DON'T USE THE CLOUD. You will run into this with every service you use, period. Get yourself an FTP server or something, but DO NOT use cloud services, they are all a "scam" with similar issues like this.

  10. I agree with Anonymous (September 7, 2012 5:54 AM): if they want to claim the file as theirs they can be penalized any damage or expenses it has caused.

  11. Mediafire listed what is required in a DMCA takedown request. #2 is "Identify the copyrighted work claimed to have been infringed." LeakID's spammy takedown request doesn't do that, so it is clearly invalid. You have to wonder why Mediafire and the like don't simply ignore those. I understand sometimes it's easier to go along, but in this case it would literally be faster to scan the notice, see that it doesn't list what works are alleged to have been infringed, and just reject it out of hand.

  12. I can't see how anyone who is serious about security could ever host files in "the cloud".

    Oh and you won't be able to sue anyone since the contract you agreed to when you signed up doesn't allow for recourse beyond litigation. Enjoy!

  13. Wow, this is a pretty comprehensive article. I knew I wasn't the only one getting screwed by this legal scamming, but it's bigger than I realized. Profiting from the suppression of knowledge dissemination, itself done completely without commercial intent, is simply deplorable.


    'There's no such thing as hell, but you can make it if you try.' People like Lemaire do nothing productive for society. He should find a real job.

  14. In all fairness, the OP doesn't display the full notice. You can clearly see it's cut off. Also, one of the files she has listed in this post is Microsoft office 2010 full version x64, which looks very suspicious. I've read Mila for some time now and this was the first I questioned her integrity. I would have expected better attention to detail.

    Replies
    1. @Anonymous. the full original notice is 31 pages long. I pasted it here for your enjoyment http://contagiodump.blogspot.com/2011/09/mediafire-dmca-office2010-kb2289161.html

      When it comes to law it is not what it "feels like" or "looks like" that matters but what it actually is. In this case, it is Security Update for Microsoft Office 2010 (KB2289161), 64-Bit Edition with the file name Office2010-kb2289161-fullfile-x64-glb.exe found here http://www.microsoft.com/en-us/download/details.aspx?id=22189. I don't think it is illegal to repost it, especially with full credits to Microsoft but I did take it down when they filed the claim.

    2. Mila, your stuff is listed in the notice and Leak Id is claiming the posting of it is not authorized while claiming to represent the owner. It appears the real culprit is the law and Leak Id.

  15. I hope you learned the importance of not hosting your content on sites not belonging to you. Go dish out some money on your own box and put it out there so it's under your terms. Register a domain outside the United States as well.

    I can't understand why people like this put their data out there and complain about the long process of getting it back online, accessing their data, unlocking their account, etc. People just don't learn.

    Host it yourself and others could have a more difficult time of taking it down.

    Replies
    1. sure international waters/oil rig hosting, way to go.
      I dish out money to cloud providers and so do millions and millions of customers, including probably your current or future employers - in some form or fashion. If you host your own mail and web hosting and everything else, kudos. It was the way of the old age and maybe will be of the future, who knows. In any case, thank you for the advice.

    2. I host my own web servers, mail, firefox sync, teamspeak, etc. (including all of the support systems, DNS, backup, firewalls, etc), it's really not that hard and can be accomplished on a budget when you leverage virtualization platforms.

      Furthermore, as long as I'm the IT manager (or higher) where I work, we're not going to host *anything* with "the cloud". The liability is just too great.

      So, people out there are taking a stand and aren't giving their digital assets freely to just anyone who asks.

  16. Hi Mila,
    The embedded YouTube videos that you mention were added by Gmail, they are not in the original message. Gmail scans your mail for YouTube videos and offers you an embedded version so you can watch it without leaving your email. You used to be able to turn it off, but I don't think you can anymore. If you look at the other URLs mentioned in the takedown notice, you will see several YouTube links there and those are the ones that Gmail is showing.

    Replies
    1. ah yes, it is from all those URLs, makes sense. Law enforcement in bulk

  17. nice article on torrentfreak.com with a brief mention of your troubles...
    http://torrentfreak.com/should-bogus-copyright-takedown-senders-be-punished-120909/

  18. Hi,
    It seems to me that what is required here is an automated process that files a report to the FBI every time a person or business claims ownership of malware.

  19. Hello. i was also having the same issue but Long Path Tool helped me in this situation. You can see here http://PathTooDeep.com. It might help you.
    Thanks and Regards,
    Attila
