small security suggestion for new archive downloads


Decklin Foster

May 26, 2016, 2:05:45 PM
to wmfo-ops
I'm now using download.wmfo.org as outlined in the handbook, and I've noticed that the form, while it does check the password, redirects you to the same serve.php URL as used in the public archive player. It *seems* like I can download anything from the archives with curl from there, even older shows. I am planning on doing that over time to replace my personal MP3 archives of my own shows with FLAC, but I'm not going to overload the server (or my wifi) by doing it all at once, so I have not checked extensively.

My suggestion is: thread the password through download.wmfo.org (POST form) to the archive server (GET url). In serve.php, if the requested audio is more than 2 weeks old (or whatever the current DMCA legal rubber chicken is), require that the password be present. The password, obviously, is not super secret or complex, but I think it would allow for keeping a nice clean URL that can be downloaded without cookies/javascript/etc but still make it clear (to the 1 or 2 people who care about this) that sharing the URL publicly would be a no-no.
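A sketch of the age-gated check proposed above, written here as an added example and not WMFO's own serve.php or download.wmfo.org code. The parameter names `date` and `pw`, the 14-day window, the base URL and the password are all assumptions standing in for whatever the real scripts use. Two practitioner details are built in: the comparison is constant-time (`hmac.compare_digest`), and a malformed date is rejected with a short reason rather than echoing usage text, since a verbose error from serve.php is exactly the kind of "manual" mentioned elsewhere in this thread. Note that anything threaded through a GET URL lands in web server access logs, so the shared password should be treated as logged.

```python
"""Age-gated archive download check (added example, not the station's code).

Assumed request parameters (hypothetical names):
  date -- requested show date, YYYY-MM-DD
  pw   -- the shared archive password, only needed for old shows
"""
import hmac
from datetime import date, timedelta
from urllib.parse import urlencode

# Assumed policy: shows older than this window require the password.
PUBLIC_WINDOW = timedelta(days=14)

# Constructed sample value; the real password lives in server config.
EXPECTED_PASSWORD = "example-pass"


def parse_show_date(params: dict) -> date:
    """Parse the (hypothetical) `date` parameter; ValueError on garbage."""
    return date.fromisoformat(params.get("date", ""))


def authorize(params: dict, today: date,
              expected_password: str = EXPECTED_PASSWORD) -> tuple:
    """Return (allowed, reason) for a serve.php-style request.

    Recent shows are served without a password; older shows require the
    password parameter to match. Reasons are short codes, deliberately not
    usage instructions, so a bad request does not double as documentation.
    """
    try:
        show_date = parse_show_date(params)
    except ValueError:
        return (False, "bad_date")
    if show_date > today:
        return (False, "bad_date")
    if today - show_date <= PUBLIC_WINDOW:
        return (True, "recent")
    supplied = params.get("pw", "")
    # Constant-time compare; differing lengths simply return False.
    if supplied and hmac.compare_digest(supplied.encode(), expected_password.encode()):
        return (True, "password")
    return (False, "password_required")


def build_serve_url(base: str, show_date: date, password: str = "") -> str:
    """What the POST form would redirect to: a clean GET URL that carries the
    password only when one was supplied. (Assumed base URL and parameter names.)"""
    query = {"date": show_date.isoformat()}
    if password:
        query["pw"] = password
    return f"{base}?{urlencode(query)}"


if __name__ == "__main__":
    today = date(2016, 5, 26)  # constructed "now" matching the thread's date
    for params in ({"date": "2016-05-20"},
                   {"date": "2016-03-01"},
                   {"date": "2016-03-01", "pw": EXPECTED_PASSWORD},
                   {"date": "S_YEAR=2016"}):
        print(params, "->", authorize(params, today))
    print(build_serve_url("https://archive.example/serve.php", date(2016, 3, 1), EXPECTED_PASSWORD))
```

The 404-style behaviour the thread describes is kept separate from the authorization decision: a request that fails `authorize` should get a terse 403 or 404, never the parameter guide.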

Nick Andre

May 26, 2016, 2:35:41 PM
to wmfo-ops
I have a slight resistance to doing so on the principle that the 2 week law is dumb. Technically people have been prosecuted for "hacking" for manually specifying URLs in such a manner, a regulation which is equally (well, significantly more) dumb. The old system also lacked any security (if only that the parameters were far more annoying, having to specify S_YEAR, S_MONTH, S_DAY, S_HOUR, E_YEAR, E_MONTH etc etc). That documentation was publicly available and was the basis on which I wrote the download.wmfo.org script back when I hosted it on the super hidden wmfo.axfp.org before people asked me to port it over because so many started using it. For legal purposes, given that our public interface blocks you from committing this egregious violation of the highest level of DMCA bullshit I have deemed that sufficient (though I have not checked with lawyers on the subject and lack any substantive legal experience besides emailing my mom's real estate tenants to tell them that they don't get interest on their security deposit).

I have even left indexing enabled for people who are curious and wish to explore the archives in that manner. We might get into trouble given that /serve.php spits out a manual of how to use it if it doesn't like the parameters you supply (excepting a genuine 404) but as they say ¯\_(ツ)_/¯

Of course anyone who disagrees with me is welcome to complain or change it themselves.

With respect to downloading all your shows:
  • The system is still MP3 only before 5/10 or whatever because we simply weren't recording in lossless. It will do the same thing as the old system and concatenate MP3s to create the malformed and semi-invalid MP3s that SoX gets angry with and spits out WAVs that have been pitch shifted 4.3 semitones upwards (hence why I discarded the transcodes and went with the old way). There were also a few hours during which I was tinkering and destroyed the archives on the new system so it's configured to check first for old-style MP3 files and activate the new transcode only if they're not present. Code is on github if you're interested.
  • The http vm has 8 cores and a 10 gigabit connection to our RAID so you probably won't be able to overload it ;-)
On a side note I think the birds that were flying around the annex last week have taken up residence outside the ops office and are staring at me right now.

--Nick



Belinda

May 26, 2016, 2:41:58 PM
to wmfo...@googlegroups.com
LOVE the indexing!  Thanks so much for pointing that out!

Belinda
--

Belinda

Bubbles in the Think Tank
WMFO 91.5FM Boston/Medford
http://bubblesinthethinktank.com

Order "7 Inches In Heaven" now!
http://love.bubblesinthethinktank.com/

Andy Sayler

May 26, 2016, 4:26:16 PM
to wmfo-ops
Given that the entire archive system is pretty legally grey, I don't have an opinion on this much one way or another. Note, however, that the two weeks isn't some magic DMCA thing. It's just an arbitrary length of time picked to try to provide some "fair use" legal cover. Indeed, many copyright law readings would make the archive illegal altogether (at least for external download). Our content licenses almost certainly don't permit such a use. Maybe it's fair use, but that would be a more liberal reading of fair use than US courts have generally supported. Hence why you don't ever see music archives (talk radio is okay) of any for-profit radio stations.

Really, I wouldn't be too surprised if the day comes when you get a cease and desist letter and have to take down the public archives altogether, or find the money to fight an uphill fair use legal battle. At that point, putting in place real access control in order to continue offering archives for internal use will be necessary, but for now, it probably doesn't make much difference one way or another.

Chris Major

May 26, 2016, 4:26:16 PM
to wmfo-ops
Help, I was trying to download my show today and am having problems. I used the download.wmfo, adjusted it to 12:00.00, but no luck. I put in Freeform for a password. I keep getting an error on my Windows player.
Chris