While the majority of DMCA copyright complaints are sent to hinder the online distribution of music, movies and TV shows, the legislation can also be used to deal with code and software issues.
Just last week, Indian blogger Thejesh GN discovered that an ISP was injecting JavaScript into customers’ browsing sessions. This led lawyers representing the script writers to send a DMCA notice to Github, where Thejesh GN had published the code.
Now Github finds itself in the spotlight again, this time over a serious matter involving one of its users and Viacom-owned TV giant Canal+.
The trail of the story began mid-week when Github published a DMCA notice received from the “Legal Manager” of the Industrial Protection Department of CANAL+ Group. The person, whose name was redacted, explained that he/she is in charge of anti-piracy at the company and was seeking the urgent assistance of the code repository.
“All the data and codes published and contained in this [now deleted] directory are confidential and could be used to steal personal data in our CRM [Customer Relationship Management system],” the complaint reads.
The Legal Manager added that the ‘codes’ are connected to a confidential CANAL+ project titled “Kiss deploy” and asked for their urgent removal.
“We request you to remove immediately all the data and files contained in this repository,” the notice adds.
With the repository removed, CANAL+ were probably happy with Github’s response. However, there were indications that this wasn’t the first correspondence that Github had received from CANAL+ on the matter. We did some digging, were proved right, and were surprised at what we found.
Earlier correspondence between CANAL+ and Github obtained by TorrentFreak reveals a much more serious situation at the TV company and criminal allegations being made against the Github user.
“The 22d of May 20015, we had a compromission [sic] on our AWS project with an access key in order to create bitcoin. The 26th of May 2015, we have found our access key on [the above mentioned] Github repository,” the same legal manager reveals.
“After analysis of this repository, we can state that all the code and the secrets contained in this repository are about Canal+ project.”
According to the complaint, CANAL+ asked Github on four separate occasions to remove “illicit content” published on the site by a user called “hooperp”, who the TV company claims has committed serious crimes against them.
“As we have explained, ‘hooperp’ has hacked one of our servers and stole all the data and codes of our new CRM [Customer Relationship Management] software project: ‘Kiss deploy’,” CANAL+’s head of anti-piracy revealed.
“All the data and codes published and contained in his [now removed directory] are confidential and could be used to steal personal data in our CRM.”
Ouch.
With our efforts to track down ‘hooperp’ stalled, we contacted CANAL+ for an official statement. That wasn’t straightforward though, with the company requiring the press to first sign up for an account.
Nevertheless, we did so successfully and received the following email in response. Considering the hacking allegations above, it shines unwanted light on the company’s security procedures. In case anyone is wondering, the blocked-out area hides a plain-text password.
CANAL+ Group did not respond to TorrentFreak’s requests for a statement. Github declined to comment.