Leonardo Errati
Italian fiascos: PiracyShield

2024-10-09

The big red button to nuke the web.

The July 14th 2023 law no. 93, which came into force on August 8th, grants new powers to the Authority to strengthen its functions for a more effective and timely counteraction against online piracy related to live broadcast events.

(Piracy Shield's website)

Born to "protect" football broadcasters and risen to fame after blocking access to Google and CloudFlare, Piracy Shield is pushed as the new Italian horizon in the war against internet piracy. But is it really? Does it even work? And what does football have to do with blocking CloudFlare?

I don't really follow football, but I find this an excellent cautionary tale about good security practices and bad political ideas. This story is pieced together from personal experience and online sources. I will update this as the story develops.

ACT 1, Piracy Shield: origins

The money trail

Giovanni Falcone, Italian magistrate notorious for his fight against the Sicilian mafia, used to "follow the money trail". This forensic technique can also be applied to understand Piracy Shield.

In October 2023 [1] DAZN and Sky bought the 2024-2029 exclusive rights to Italian A-series football games for 900M Euros. Aurelio De Laurentiis, chair of the Napoli Football Club, prophetically commented:

It’s a defeat for Italian football. [...] DAZN is not competent and is not good for Italian football, just as Sky isn’t either.

But they were unfazed, and publicly set a goal of 1000M in revenue each year [1].

War preparations

DAZN and Sky increased the cost of their subscriptions, but it was not enough. They made ready for war against pirates, those illegally broadcasting live football games. The reader might not be familiar with the "pezzotto", which even has a dictionary entry:

Pezzotto. A specific decoder used to illegally access the content of Italian and foreign pay-TV channels.

(Treccani Encyclopedia)

They teamed up with a legal partner: enter Studio Previti ("Studio Previti Associazione Professionale"), a large Rome-based law firm founded by Cesare Previti, a former politician convicted in 2006 for judicial corruption and permanently disqualified from holding public office and practicing law. The law firm is now run by his son.

Their strategy? They planned to construct their own Death Star, a superweapon to annihilate all pirate websites from the web. Well, the Italian web, at least.

Plans for Piracy Shield

Coding Piracy Shield

Sp Tech Legal is an IT company connected to Studio Previti: it was their job to develop the ultimate weapon.

Sp Tech Legal offers integrated legal tech solutions for the protection of copyrights, trademarks, and other distinctive signs, in collaboration with Studio Previti.

(SP Tech's website)

The idea is simple. Large copyright holders (Sky, DAZN, Rti-Mediaset, Lega Serie A, Lega Serie B) will monitor the web and create takedown tickets, containing information such as:

  • website IP or its Fully Qualified Domain Name (FQDN); for example www.leonardoerrati.com. is my FQDN
  • some proof of presence of pirated content

The final product is a cloud-based webpage running on Microsoft Azure, only reachable via a Virtual Private Network (VPN) and containing takedown tickets for all Italian Internet Service Providers (ISPs) to see. ISPs are then forced to completely halt all traffic from the targets within 30 minutes.

Access service providers, search engine operators, and information society service providers involved in any capacity in the accessibility of the website or illegal services must implement the Authority's directive without delay and, in any case, within a maximum of 30 minutes from notification.

(July 14th 2023 law no. 93, Article 2, Comma 5)

In July 2024, IT recruiting agency DECKX published a job posting:

The specific project we are working on is anti-piracy software for Lega Calcio. We collaborate very closely with DAZN, Sky, and all the organizations and companies that broadcast football matches. [...] During the week, the Super Junior will be responsible for monitoring pirate streaming networks, and during matches on weekends (3/4 weekends per month are required, for a total of one hour per day, not the entire weekend), they will eliminate them using Piracy Shield.

This allegedly belongs to SP Tech Legal, and gives some insight into their potential team:

  • Lorenzo Foti, CEO with a technical background (PHP) as a developer
  • Two super-seniors: one focuses on development in Go and is a former pirate, the other handles system operations and is the forensic expert (online investigations, evidence collection, support legal teams)
  • The operational team: a junior developer and a junior focused on technical relations and monitoring.
  • A group coordinator

Sp Tech Legal was displeased,

SP Tech Legal s.r.l. hereby states that the job advertisement [...] was erroneously published by the recruiting company Deckx s.r.l. without any assignment from SP Tech Legal s.r.l. itself. The text and content of the advertisement are, therefore, in no way attributable to SP Tech Legal s.r.l., which further specifies that it has promptly taken legal action against Deckx s.r.l. to protect its rights, which have been severely infringed by this unlawful conduct.

and we never heard of this kerfuffle again.

Piracy Shield under development

ACT 2, Piracy Shield in action

The first cracks

Lega Serie A gifted Piracy Shield to the government agency AGCOM (Autorità per le Garanzie nelle Comunicazioni, in English "Italian Communications Regulatory Authority"). It went live between February 1st and 2nd 2024 [2], with a budgeted operational cost of 1.9M in 2024.

A first mishap occurred while providing VPN credentials. For instance, the username given to DAZN would be dazn@piracyshield.net. This is just an ID, not an e-mail address. Usernames and passwords were allegedly sent as plain text via e-mail in a .zip compressed file; moreover, within a few days an anonymous party bought the piracyshield.net domain, so e-mails from addresses like info@piracyshield.net are now a threat.

Right on point, Piracy Shield's code, interface, and documentation were leaked three mere weeks after deployment, allowing for some insight. For instance, one must be sure the Death Star does not destroy important websites (like www.google.com) or components: how would you implement it? Most likely, not like this.

    def check_unwanteds(self, value):
        result = self.whois.get_text(value)
        result = result.lower()
        if 'cloudflare' in result or 'namecheap' in result or 'amazon' in result or 'google' in result:
            return True
        return False

This code just checks whether the lowercased WHOIS text for the value contains cloudflare, namecheap, amazon or google. Totally unexploitable. Regarding the leak,

[...] Piracy Shield was absolutely not hacked; rather, some confidential information was merely shared on GitHub, [...] this did not affect its functionality in any way. An investigation into this leak is currently underway by the competent authorities.

(Massimiliano Capitanio, AGCOM, in an interview)

We will be meeting Massimiliano Capitanio again, keep him in mind.

And what about government websites? Well, the platform has a hardcoded list of 11 thousand sensitive websites, including those of the government.
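To make the weakness of the keyword check quoted above concrete, here is an added example (not from the leak or from Piracy Shield) that runs the same substring logic next to a prefix-based check that fails closed. The operator names, prefixes and WHOIS records are constructed; `PROTECTED_NETS`, `protected_owner` and `safe_to_block` are hypothetical names.

```python
import ipaddress

KEYWORDS = ("cloudflare", "namecheap", "amazon", "google")

def keyword_check(whois_text):
    """Same logic as the leaked check_unwanteds, applied to WHOIS text."""
    text = whois_text.lower()
    return any(word in text for word in KEYWORDS)

# Hypothetical protected list keyed by operator. RFC 5737 documentation
# ranges stand in for the prefixes a real operator would publish.
PROTECTED_NETS = {
    "example-cdn": [ipaddress.ip_network("192.0.2.0/24")],
    "example-gov": [ipaddress.ip_network("198.51.100.0/25")],
}

def protected_owner(ip):
    """Return the operator whose prefix contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    for owner, nets in PROTECTED_NETS.items():
        if any(addr in net for net in nets):
            return owner
    return None

def safe_to_block(ip):
    """Fail closed: refuse anything that is not a parseable, unprotected IP."""
    try:
        return protected_owner(ip) is None
    except ValueError:
        return False

# Constructed WHOIS records (not real registry output).
SAMPLES = [
    ("192.0.2.10", "OrgName: Example CDN Ltd\nNetRange: 192.0.2.0 - 192.0.2.255"),
    ("203.0.113.7", "OrgName: Small Hosting SA\nAddress: Av. Amazonas 100"),
]

def compare():
    """(ip, keyword verdict, protected operator) for each sample."""
    return [(ip, keyword_check(text), protected_owner(ip)) for ip, text in SAMPLES]

if __name__ == "__main__":
    for row in compare():
        print(row)
```

The keyword check misses the shared CDN address because the operator's name is not one of the four words, and it matches the second record only because a street name happens to contain "amazon".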

Heretics

Some took notice, few took action. In October 2023 Assoprovider, an association of over 250 Italian IT providers, filed an appeal with the Regional Administrative Court (TAR) against July 2023 law no. 93 (the anti-piracy law). [3]

They had their request rejected in January 2024, as

Assoprovider's appeal lacked grounds, there are no real dangers for providers in implementing the new procedure. Moreover, the platform has been successfully tested in the previous months.

(Federico Bagnoli Rossi, president of FAPAV, a federation of copyright holders [4])

Internet Service Providers were forced to block content at an unsustainable rate, with questionable techniques and under serious legal threats; this is the result of bad design and bad politics. All pieces were set and catastrophe was inevitable.

Piracy Shield is ready

Patient zero

On February 15th 2024, Piracy Shield blocked access to Zenlayer's whole Content Distribution Network (CDN). A CDN is a network of strategically distributed servers, connecting you to the closest one to improve connection speed. What happened, and how?

A Zenlayer-hosted website was likely (and illegally) streaming movies or football games; copyright holders produced a takedown ticket and Service Providers received it. We can only speculate on what happens after this step.

  • If Piracy Shield provides an IP address, Service Providers probably block it. This means Italian users will be unable to reach it.
  • If Piracy Shield provides the FQDN instead, like www.leonardoerrati.com., Service Providers allegedly try to find and block all connected IPs. For instance, my website has four (185.199.108.153, 185.199.109.153, 185.199.110.153, 185.199.111.153) and they would probably all be blocked.

In most cases CDN-hosted websites share IP addresses, meaning that if you block the IP of one you block them all. Blocking that pirate website caused the whole CDN to be unavailable from Italy.
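The collateral effect described above can be measured before a block is applied. This added example (not part of Piracy Shield or of any ISP tooling) expands a ticket into the addresses that would be blocked and lists every other site sharing them; the DNS snapshot, names and addresses are constructed.

```python
# Constructed DNS snapshot: FQDN -> A records. Addresses are RFC 5737
# documentation ranges and the names are placeholders under .example.
DNS = {
    "pirate-stream.example.": ["192.0.2.10", "192.0.2.11"],
    "news-site.example.":     ["192.0.2.10", "192.0.2.11"],
    "online-shop.example.":   ["192.0.2.11"],
    "self-hosted.example.":   ["198.51.100.5"],
}

def expand_ticket(target, dns):
    """Addresses blocked for a ticket that names either an FQDN or an IP."""
    if target in dns:
        return set(dns[target])   # FQDN: every address it resolves to
    return {target}               # already an IP address

def collateral(target, dns):
    """Sites other than the named target hit by the block.

    Returns (degraded, unreachable): sites losing some of their addresses
    and sites losing all of them, each as a sorted list.
    """
    blocked = expand_ticket(target, dns)
    degraded, unreachable = set(), set()
    for fqdn, ips in dns.items():
        if fqdn == target:
            continue
        hit = blocked & set(ips)
        if not hit:
            continue
        if hit == set(ips):
            unreachable.add(fqdn)
        else:
            degraded.add(fqdn)
    return sorted(degraded), sorted(unreachable)

if __name__ == "__main__":
    for ticket in ("pirate-stream.example.", "192.0.2.10"):
        print(ticket, collateral(ticket, DNS))
```

A ticket naming the FQDN takes both unrelated sites on the shared addresses fully offline, while the site on its own address is untouched.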

As far as I know, Zenlayer is the first large victim of Piracy Shield.

Piracy Shield activated

Friendly fire

Incidents have been so many that it's best to just use a table and stick to the largest ones. I will include all that came to my attention. If I manage to find reliable sources, I will also add the downtime.

date        downtime  friendly target
2024-02-15  -         Zenlayer's CDN
2024-02-24  -         Cloudflare's CDN
2024-08-18  37d       Samsung's IPTV
2024-08-18  37d       LG's IPTV
2024-10-19  6h        Google's & YouTube's CDN
2024-10-19  6h        Imperva's CDN
2024-12-01  -         DDay's CDN

Non-malicious websites could technically ask AGCOM to be unblocked, but the service was unavailable for the first few weeks, and wouldn't cover any kind of damage anyway.

ACT 3, Piracy Shield versus the backlash

This is a short act. With rumors about "Piracy Shield v2" coming from AGCOM - I kid you not - our story is not over yet. Still, what happened after Piracy Shield took out Google, CloudFlare, and such?

AGCOM is ruled by a board of four commissioners, elected from either the Senate or the Parliament. Our old friend Massimiliano Capitanio is currently one of them; he leads the Piracy Shield project and has strongly defended it on various occasions.

These are absolutely false and unfounded claims. [...] Since the platform's launch, no DNS or IP address owner has, as provided by law, submitted a request to AGCOM to have a site reinstated. There is such a rigorous procedure for those who report issues that, to my knowledge, no Public Administration websites have been blocked in these weeks.

(Massimiliano Capitanio [5])

Some politicians [6] and AGCOM commissioners [7], however, are starting to disagree.

(Partial) conclusion

Famous politician Niccolò Machiavelli once wrote that "the end justifies the means". He would probably have a change of heart knowing about Piracy Shield. Its end is reasonable, but its means are inherently flawed: due to the structure of the web it will perhaps never work as intended.

While experts agree on this, commissar Capitanio says this is "fake news". The worst part? Allegedly, it is not even solving the original money problem as A-Series rights holders have seen no increase in revenue. We are sure there must be a lesson in all this.

Piracy Shield waiting...