Cloud storage firm flags malware as "Copyrighted Material," boots security researcher

Filed Under: Featured, Malware, PDF

A malicious software researcher finds herself in company with First Lady Michelle Obama and science fiction author Neil Gaiman: booted from the web by hard-headed copyright protection algorithms.

Mila Parkour, a researcher who operates the Contagio malware blog, said on Thursday that she had been kicked off the cloud-based hosting service Mediafire, after compressed and encrypted Windows patches and malware samples she stored on its site were flagged as "copyrighted material."

Locked account

Parkour said that she was notified on Thursday that her account on Mediafire was suspended and content she posted had been flagged and removed for violations of the U.S. Digital Millennium Copyright Act (DMCA).

In particular, Parkour said the site objected to her post of a Microsoft patch and what she described as "an old, malicious PDF attachment" linked to phishing attacks in 2010. Parkour wrote about the malicious attachment on her blog here.

Parkour, an independent security researcher based in Washington D.C., is a noted expert on malicious software. Her Contagio website, is an oft-cited resource for analysis of malicious code and attacks.

Suspension notice

Information posted on Mediafire indicated that the company had received a complaint from a French firm, LeakID, a Paris-based firm that describes itself as a "digital agency ...founded by experts from the world of radio, television and Internet."

LeakID markets "Leaksearch," an "ownership tool that will alert you within seconds if your being pirated."

According to Parkour, Mediafire received a notice from LeakID claiming that it was "acting on behalf of the copyright owners," though the owners and presumed copyrighted content weren't named.

Under the DMCA, organizations that receive notices of copyright infringement must prevent the file from being shared, regardless of the legitimacy of the complaint.

Parkour said that she appealed to Mediafire upon receiving the copyright violation, but that all questions on the issue were referred to LeakID. The researcher filed a counterclaim protesting the copyright infringement claim using an online form, but had not received any response from LeakID.

LeakID flagged three files for what the company considered three copyright violations: a link to a Microsoft Office patch file related to an August, 2011 blog post on Contagio and two encrypted ZIP files containing malicious PDFs used in online phishing scams that Contagio examined in separate posts in April and August, 2010.


In an instant message conversation with Naked Security, Parkour said that she doubts the malicious PDFs contain any copyright violations. LeakID seems to have a business model to "scout the web for all they find and then offer it for sale to copyright owners... there is no explanation of WHY and HOW they decided it was copyrighted," she wrote.

Both copyright owners and firms that host content are increasingly relying on algorithms to spot content online that may violate laws like the DMCA. That has led to a rash of head scratching "takedowns."

In just the last week, an online video stream of the annual Hugo Awards on the online streaming service Ustream was blocked, preventing internet viewers from seeing star author Neil Gaiman accept an award.

Ustream blamed the content filtering service Vobile for the error – a charge that Vobile denied, blaming, instead, its customers who "must decide for (themselves) what it does with" the information Vobile's monitoring system gives them.

Michelle ObamaThat scenario played itself out again on Tuesday, when a live stream of First Lady Michelle Obama's address to the Democratic Convention was unceremoniously yanked from YouTube for suspected copyright violations.

A search of the internet reveals countless complaints from other bloggers and website owners about fishy LeakID takedown notifications.

Parkour said the incident has shaken her faith in cloud-based services. In addition to malware samples, her Mediafire account hosted other, personal data as well – all of which is now inaccessible to her.

She said that, in the wake of the incident, she has received offers from other anti-malware websites and said she will switch hosting providers, but is weighing her options carefully.

Update: Mila has regained access to her files, although future access is still unclear.

, , , , , , , , , , , ,

You might like

14 Responses to Cloud storage firm flags malware as "Copyrighted Material," boots security researcher

  1. geoff in oz · 1092 days ago

    So, is there an intelligent reason to put your stuff on the 'cloud' and have it subject to scrutiny by unscrupulous opportunists like LeakID.

  2. cassandratoday · 1092 days ago

    The entertainment industry (MPAA® and RIAA®) has almost succeeded in their goal of destroying the World Wide Web.

  3. Bob · 1092 days ago

    Pretty impressive that LeakID can determine that the contents of encrypted files are copyrighted. Unless the security expert used a particularly weak encryption method, somebody is lying about the contents of those files.

  4. Joshua · 1091 days ago

    Why even bother using some crappy site like that? If you have your own server, upload files there... The only 'upload' website/service I would ever use is Dropbox... I despise others for the sheer fact of their limitations and waiting especially...

    • Adam Elteto · 1091 days ago

      Just remember, Dropbox still keeps track of your files, and it knows if you are uploading a file SOMEONE ELSE has already uploaded to his or her account. That is how they cut down on storage space. That means they know what exactly you are uploading. Now, if you encrypt a file with your own key that is never shared with Dropbox before you upload, Dropbox will not be able to identify or compare the file against existing files, so that may be one solution, but I suspect that a lot of users just conveniently drag and drop back and forth without thinking about the process.

      Ultimately, it is all about business. Dropbox and other cloud storage services are not charities. They have to cover their costs. If they want to stay in business, they also have to comply with laws and court orders. While there are paying customers of these services, there are many who only use free accounts.

      It is good to have a reliable preference of a cloud storage service, but it is important to remember that as long as your data is sitting on someone else's server, you will not have 100% control.

  5. Adam Elteto · 1091 days ago

    Just another case that reminds (again) the cloud-storage-enamored crowds that when you put your data in someone else's hands, you surrender control and ownership.

    This reminds me of the story about Dropbox saving bandwidth and storage space by not uploading duplicate files, even if the duplicate file was uploaded by a completely different user to a different account.

    I often read the excitement of users and developers on online forums gushing about a latest trendy app introducing Dropbox support, and how convenient and (allegedly) secure it all is, but the reality is that users of cloud storage services have no total control and should not have a complete piece of mind about the security of their accounts.

    Great cautionary and educational piece, Paul!

  6. Mick · 1091 days ago

    Piddly point but, my first red flag was the LeakID banner...managing *you* content?? Very professional, no wonder they have the rep perceived

  7. coz · 1091 days ago

    Sorry, but only an idiot would use cloud storage for anything, especially 'personal' usage.

  8. private eye · 1091 days ago

    someone in Paris in employed for watching US business
    on a side note:

    get your money back and use a different site to store your files

    There is a always someone that will pay attention if you ask for your money back

  9. Brian · 1089 days ago

    Anyone who trusts a cloud storage company with their personal or valuable data is an idiot.

  10. Matt · 1089 days ago

    Not to be pedantic but is she a malicious software researcher or a researcher of malicious software?

    • Tom Trevathan · 1088 days ago

      I was thinking the same thing. Not an unusual situation in the English language. For me, the "researcher of malicious software" would be the better usage.

  11. Barry Moss · 1088 days ago

    Companies like LeakID need to be held responsible for false claims. They should suffer the same penalties (include criminal charges) that befall people who make false allegations to the police and financial penalties for damages to the parties whose files/accounts have been blocked.

    At a minimum, any time LeakID or any other service is found making a false claim, they should be barred from making any claims for a period of 6 months. This would force them to become a lot more responsible or simply go out of business.

  12. Gary Pustizzi · 1079 days ago

    I think the telling part here is that Mediafire referred her queries to LeakID. She doesn't host her files with LeakID, but with Mediafire. Mediafire should have taken ownership of their actions, and "Manned up" when they decided to lock her out of her own files. Instead, they blindly followed the advice of LeakID, and subsequently *blamed* them when she came calling, asking "where the heck are my files". To top it off, one of the offending files was a patch from Microsoft...which, more than likely, was *publicly* released. Really, LeakID? Grasping at straws, are we? It makes me wonder who works for who, here. If they can't stand behind their actions, I would bet that they also *don't* stand behind their product offering(s). While I understand their concerns with the possibility of hosting pirated material, they need champion their customers when things like this happen. Otherwise, their customers will migrate to those providers that have their interests at heart, and Mediafire will be left wondering where did everybody go.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Paul is a Boston-based reporter and industry analyst with more than a decade of experience covering the IT industry, cyber security and hacking. His work has appeared on, The Boston Globe,, NPR's Marketplace, Fortune Small Business, as well as industry publications including ZDNet, Computerworld, InfoWorld, eWeek, CIO , CSO and Paul got his 15 minutes as an expert guest on The Oprah Show - but that's a long story.