
The Podjacker Threat

Posted by Zonk
from the save-the-children dept.
Schlemphfer writes "As everyone knows by now, podcasting has taken off in a big way. But over the past week, several tech journals and The Daily Source Code have reported on the threat of 'podjacking,' the creation of an alternate RSS feed without the consent of the podcast's owner. I'm the host of a podcast, which has the dubious distinction of being the first widely-publicized victim of a podjacking. To teach others from my experiences I have posted an article entitled Preventing and Surviving a Podjacking (also available in PDF). So far this story has attracted widespread but generally inept media and blogger coverage. This article sets the record straight on what really happened, and shows the simple steps every podcaster should take to protect their shows from podjacking."
  • So basically... (Score:1, Informative)

    by Anonymous Coward on Friday December 09, 2005 @01:42PM (#14221064)
    What we have here is a user who is clueless about the entire idea that feeds can be reassembled and redistributed and had such shoddy marketing that one such redistribution - a fully automated one which he signed up for himself - got the top rankings everywhere. And then he threw a hissy fit which caused him to lose most of his listeners, and was surprised that the automatic service wouldn't reinstate his feed.

    I guess next time he should choose to "podcast" (meh, still a horrid word) using Atom, which is the id element to always point to the original location of the feed. That won't stop anyone malicious, but at least it would prevent him from shooting himself in the foot like that.
  • Re:*Scratches Head* (Score:2, Informative)

    by Nick_dm (580691) on Friday December 09, 2005 @01:46PM (#14221108) Homepage
    Podcasting isn't streamed audio, it's just providing an RSS feed with links to audio files so they can be downloaded automatically by a client, rather than having to actually go to the website.
  • by TrumpetPower! (190615) <ben@trumpetpower.com> on Friday December 09, 2005 @01:47PM (#14221120) Homepage
    1) Register evilpodjackingdomain.com.
    2) Find somebody else's podcast.
    3) Mirror that podcast's XML file at evilpodjackingdomain.dom/pwn3d.xml
    4) Get evilpodjackingdomain.dom/pwn3d.xml listed in as many podcast directories as possible.
    5) Wait.
    6) Blackmail original podcaster with threats of modifying / removing your local mirror; all subscribers through evilpodjackingdomain.dom/pwn3d.xml would get whatever you want them to get regardless of what the podcaster wants.
    7) Profit.

    Cheers,

    b&
  • Re:*Scratches Head* (Score:3, Informative)

    by Kelson (129150) * on Friday December 09, 2005 @01:48PM (#14221128) Homepage Journal
    Or what a blog is in comparison to a personal daily-updated website.

    Shorter. Fewer letters to type, fewer syllables to say.

    Do you always refer to the "television set," or do you turn on the "TV" or "telly?" Do you drive a "horseless carriage" or "automobile"... or do you drive a "car?" Do people call your "cellular phone" or do they call your "cell?"

    Same thing.

    As for podcasting, it really is different from streaming audio. It's downloadable audio (or video) that is announced via a subscription system (generally RSS these days) and then -- and here's the key -- automatically downloaded by a client during idle time (and optionally transferred to an audio player). The idea was originally that the podcast client would download content overnight and transfer it to your iPod, and you could then play it anywhere you wanted during the day. It's been generalized, but the name stuck.
  • by hafree (307412) on Friday December 09, 2005 @01:56PM (#14221214) Homepage
    Why not just verify the referring URL before sending out the Podcast archive? This is how most sites avoid people deep-linking into theirs, or loading high-bandwidth content such as videos or even images from their web servers. This can be done by making your RSS feed dynamically generated by a CGI script, or even just using a htaccess file for the directory containing your podcast.
  • Re:Easy (Score:2, Informative)

    by Surt (22457) on Friday December 09, 2005 @02:02PM (#14221268) Homepage Journal
    It doesn't help him save on bandwidth because the podjacking site was forwarding the traffic. The problem is: what happens when they _stop_ forwarding the traffic? Suddenly, your audience can't connect to your show. And because you didn't know your audience was reaching you via a redirect, you may not have known you needed to tell people what your show's real address was.

    Plus, do you really want to have to try to explain to your less than optimally technological audience just how to fix their RSS feed?

    In fact, if you read the article, this is what happened to him: the podjacker stopped forwarding his audience, and he lost a significant number of people. And because yahoo and itunes are being slow to fix his lookup, his lost audience really has no way to find him (a search on yahoo for the show turns up the podjacker, who will no longer send you the show)!
  • by brunes69 (86786) <slashdot&keirstead,org> on Friday December 09, 2005 @02:06PM (#14221302) Homepage
    What a waste of my time.

    No one "jacked" anything, this guy submitted the site to this URL forwarder himself. The site that "podjacked" him is no different than cjb.net or tinyurl.com or any other redirector service.

    It is anyone's fault this guy is a complete tool and does not realize what he is doing.

  • by Simon Brooke (45012) * <stillyet@googlemail.com> on Friday December 09, 2005 @02:12PM (#14221355) Homepage Journal
    I don't think many people understand what a podjacking is. Does it mean someone else distributes an identical podcast file as their own, or does it mean they make their own podcast and pretend it comes from another source?

    What has happened here (if I understand it correctly, and someone will correct me if I don't) is that the guy puts up his mp3s at http://myrealserver.dm/podcast/content0001.mp3 and then he creates an RSS file which points to his mp3s at http://myrealsystem.dm/podcast/feed.rss. The RSS file is essentially a signpost: it isn't the content in itself, it just points to the content. Then, when he posts new mp3 content, he updates his RSS. What is supposed to happen is that people point their podcast client at http://myrealsystem.dm/podcast/feed.rss, and every time he posts new content and updates the RSS it's automatically downloaded.

    But what he's complaining about is that the 'podjacker', evilpirate, has created a new feed, http://evil.pirate/devious/feed.rss, which also points to myrealsite's content. The file at http://evil.pirate/devious/feed.rss is automatically updated using something like wget so that whenever myrealsite adds more content, http://evil.pirate/devious/feed.rss gets updated too.

    evilpirate now registers http://evil.pirate/devious/feed.rss with podcast search engines as the authoritative signpost for myrealsite. Users search for content on the search engine, and if they like myrealsite's content, they point their clients at http://evil.pirate/devious/feed.rss.

    So now some - or even most - of myrealsite's users are finding new myrealsite content through evilpirate's signpost. This gives evilpirate the power to alter where the signpost points to, so that instead of getting myrealsite's content they now get rivalsite's content.
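
The signpost relationship described in the comment above, together with the earlier comment's point about a feed declaring its original location, turned into a check a podcaster could run against the feed URL a directory lists for their show. This is an added example, not part of any poster's comment; `classify_listing`, `make_feed`, the status names and `rivalsite.example` are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

ATOM_LINK = "{http://www.w3.org/2005/Atom}link"

def classify_listing(listed_url, feed_xml, canonical_url, owner_hosts):
    """Classify the feed URL a directory lists for a show.

    Returns (status, declared_origin). status is one of:
      'canonical' - the directory lists the owner's own feed URL
      'signpost'  - third-party feed URL, enclosures still on owner hosts
      'diverted'  - third-party feed URL, enclosures missing or elsewhere
    declared_origin is the feed's atom:link rel="self" href, or None.
    """
    # Feed bodies are untrusted input: cap the download size and use a
    # hardened XML parser before handing real responses to this function.
    root = ET.fromstring(feed_xml)
    declared = next((link.get("href") for link in root.iter(ATOM_LINK)
                     if link.get("rel") == "self"), None)
    if listed_url == canonical_url:
        return "canonical", declared
    hosts = {urlsplit(enc.get("url", "")).hostname
             for enc in root.iter("enclosure")}
    hosts.discard(None)
    if hosts and hosts <= set(owner_hosts):
        return "signpost", declared
    return "diverted", declared

def make_feed(self_url, mp3_url):
    """Build a minimal RSS 2.0 feed (constructed sample data)."""
    return (f'<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">'
            f'<channel><title>Show</title>'
            f'<atom:link rel="self" href="{self_url}"/>'
            f'<item><title>Episode 1</title>'
            f'<enclosure url="{mp3_url}" type="audio/mpeg" length="1"/>'
            f'</item></channel></rss>')

# Hostnames follow the comment above; rivalsite.example is constructed.
CANONICAL = "http://myrealsystem.dm/podcast/feed.rss"
OWNER_HOSTS = {"myrealsystem.dm", "myrealserver.dm"}
LISTED = "http://evil.pirate/devious/feed.rss"
OWNER_MP3 = "http://myrealserver.dm/podcast/content0001.mp3"

if __name__ == "__main__":
    copied = make_feed(CANONICAL, OWNER_MP3)   # verbatim copy of owner feed
    altered = make_feed(LISTED, "http://rivalsite.example/ep1.mp3")
    for body in (copied, altered):
        print(classify_listing(LISTED, body, CANONICAL, OWNER_HOSTS))
```

A 'signpost' result whose declared origin is the owner's own URL is the case where a directory could be asked to relist the show under that declared address before the third-party feed changes.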

  • by mzwaterski (802371) on Friday December 09, 2005 @02:15PM (#14221388)
    You need to re-read.

    1st dude told 2nd dude to stop directing traffic through their URL to 1st dude's site. (Pretty sure it was more of a redirect than a mirror of an RSS file).

    2nd dude complied.

    1st dude realized that iTunes had used 2nd dude's URL for 1st dude's listing.

    1st dude is sad because all iTunes people who signed up with 2nd dude's URL are lost.

    1st dude tells 2nd dude to put URL directing traffic to 1st dude's podcast back up. 2nd dude decides to capitalize and ask for money.

    1st dude not happy.

  • Re:Ho Hum... (Score:2, Informative)

    by Kasis (918962) on Friday December 09, 2005 @02:25PM (#14221485)
    I think it's worse than a non-issue. The complainant seems to almost be in the wrong, not to mention misguided.

    Marcus [the podcaster] contacted Lambert to ask that his listing be removed. Lambert did so. This, however, caused Marcus' listenership to crash by some 75 percent, he claimed. Marcus then asked that his listing temporarily be reinstated on Podkeyword

    and regarding "extortion"...

    "He wanted me to make sure no other directory services got the information from me, but I can't tell who are directory services, because we're not submitting anything," Lambert said. "People are coming to look at our list. I have a choice: I remove it from anywhere or I [don't] remove it. You can't restrict who comes to look at your Podcast. So his request wasn't technically practical.

    Podjacking is a very misleading term. Podjacking suggests that a user expecting to hear Marcus' podcast would be redirected to some other address. Doesn't seem to be the case. With regards to the "extortion": Marcus wanted Lambert to reinstate the feed, but in a way that wasn't supported and which would require custom code. Lambert agreed to do it but said it would cost a fee, which is a perfectly reasonable position. The article also seems to suggest that the free service was responsible for 75% of Marcus' traffic. How is this even remotely related to hijacking?
  • Re:Apple? (Score:3, Informative)

    by 1u3hr (530656) on Friday December 09, 2005 @02:44PM (#14221703)
    Apple has nothing to do with this story,

    Did you RTFA? The submitter's big problem is that iTunes (what company owns this?) listed his podcast via the pirate feed. So when that stopped, he lost all his iTunes subscribers, the pirate asked for money to reinstate. iTunes could not change the listing, only delete the old and put up a new one.
