The New Yorker has a Paywall Problem, Part 2

Comments left throughout The New Yorker’s JavaScript code include an email address of a faculty member at Lehman College.

Eleven years ago, when Jon Lech Johansen was a 15-year-old kid in Norway, he sat at his computer and banged out code that would become known worldwide as DeCSS, the base for a program allowing people to copy encrypted DVDs.

This was shortly before Johansen quit high school. It was before he won awards — including the EFF Pioneer Award — for his work. It was before he moved to San Francisco and became known for reverse engineering other software. And it was before he, along with unknown accomplices, was sued in Norway and the United States for cracking the anti-copy code put onto DVDs.

And it was years before he was cleared of the charges that he had violated the United States’ anti-circumvention law.

A quick survey turns up very few other precedents for the hacker-to-media-security journey. So to write about the relationship between the two, we must take a look at whether Johansen taught media companies anything about hackers, security, and content.

Media companies, as we know, have a lot on their plates right now — shrinking ad sales, revenue loss, hemorrhaging readership, job cuts — but there’s another problem that doesn’t often get talked about (at least not in the editorial departments). That’s this: Have media companies invested enough in the skills and expertise to operate effectively in the digital age?

Last week, we wrote about a loophole in The New Yorker’s paywall. To determine whether a user who “hopped” over a paywall, either by editing code or by guessing a password, would be in legal trouble, we turned to Louis J. Alex, a copyright lawyer at Cook Alex Ltd., a Chicago firm specializing in intellectual property and technology law.

Alex agreed to speak in general terms about future anti-circumvention litigation. Here’s what he said: “Whether or not something would be unlawful would be a very fact-intensive inquiry.”

Meaning, we can infer, that evidence and intent will play large roles in prosecuting cases against hackers.

So out of curiosity, we started browsing The New Yorker’s website code, the HTML and JavaScript files that are publicly accessible for anyone to view. If there were anything deemed private, it probably wouldn’t be in these files. After all, The New Yorker is a media heavyweight. The magazine has been around since 1925. It has a million subscribers. It’s owned by Condé Nast, has offices in Midtown Manhattan, and employs a lot of smart people. But the deeper we dug, the more shocked we became. We discovered a security flaw that allows anyone, by typing a few lines of code in a browser’s JavaScript console, to skip past the paywall and gain access to The New Yorker’s entire digital archive.

We had some tense conversations about how specific our details about the paywall’s inadequacies should be; after all, 2600, the magazine that publicized Johansen’s DeCSS, was successfully sued by the content providers. Programmers we talked with varied in their opinion, ranging from the take-the-big-media-company-down argument to the let-them-know-and-help-them-fix-it strategy.

Carole Theriault, a senior security consultant with Sophos Ltd., said, “Once they have fixed the problem, then you publish your story. You could also agree on a time for publication with them. If you play ball, they might give you a quote.”

It’s important to note that The New Yorker didn’t actually write this code. It seems that they outsourced the software development to an Australian company called Realview. We sent off messages to both The New Yorker and Realview and are waiting for a reply.

For now, here’s a taste of our findings:

The bulk of the paywall code lives in two JavaScript files found on the archives page.

The first file contains the encryption and decryption code. It’s been obfuscated, a common practice that makes it harder for humans to read. But this is by no means a security measure because code that is obfuscated can always be un-obfuscated.

The second file has the code to check whether you’re a subscriber. Shortly after we published our story last week, they cleaned it up quite a bit. But the original version included a scatter of comments left by the programmers. For example, line 762 revealed the email address of a woman who teaches at Lehman College in New York. We emailed her to ask if she knew anything about this; she didn’t, but said she was a “long-term faithful reader” of The New Yorker. The file had a trove of comments detailing the authentication process, the server response for a valid user, and many other things that should have been removed from a public-facing JavaScript file. It was as if an absentminded surgeon had left his scalpel, forceps, and gauze inside a patient.
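A check a publisher could run before shipping client-side JavaScript, to catch the kind of leftover comments described above. This is an added example, not code from The New Yorker or Realview; the patterns, function names and sample source are constructed for illustration.

```javascript
// Constructed patterns: things that should never ship in comments of public JavaScript.
const LEAK_PATTERNS = [
  { kind: "email", re: /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/ },
  { kind: "auth-detail", re: /\b(auth\w*|password|token|subscriber|server response)\b/i },
];

// Collect comments while skipping string literals, so "//" inside a URL string is
// not treated as a comment. Regex literals and template expressions are not handled.
function extractComments(src) {
  const comments = [];
  let i = 0, line = 1;
  while (i < src.length) {
    const ch = src[i], next = src[i + 1];
    if (ch === "\n") { line++; i++; }
    else if (ch === '"' || ch === "'" || ch === "`") {
      i++;
      while (i < src.length && src[i] !== ch) {
        if (src[i] === "\\") i++;          // skip the escaped character
        if (src[i] === "\n") line++;
        i++;
      }
      i++;                                  // step past the closing quote
    } else if (ch === "/" && (next === "/" || next === "*")) {
      const close = next === "/" ? "\n" : "*/";
      let end = src.indexOf(close, i + 2);
      if (end === -1) end = src.length;     // unterminated comment runs to end of file
      const text = src.slice(i + 2, end);
      comments.push({ line, text: text.trim() });
      line += text.split("\n").length - 1;  // block comments may span lines
      i = next === "/" ? end : end + 2;
    } else i++;
  }
  return comments;
}

// Report every comment that matches a leak pattern, with its starting line.
function findLeaks(src) {
  const findings = [];
  for (const c of extractComments(src))
    for (const p of LEAK_PATTERNS)
      if (p.re.test(c.text)) findings.push({ line: c.line, kind: p.kind, text: c.text });
  return findings;
}

// Constructed sample standing in for a public-facing script.
const SAMPLE = [
  'var api = "https://example.invalid/check"; // TODO ask jane.doe@example.org',
  "/* server response for a valid",
  "   subscriber: {ok:true} */",
  "function isSub(r) { return r.ok; }",
].join("\n");
```

Running `findLeaks` over each file in the build output and failing the build on any finding keeps such comments out of production; stripping all comments with a minifier removes the same material wholesale.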

We showed this to a few programmers, and the consensus wasn’t good. Essentially, the paywall is so poorly designed — to the point of being amateurish — that The New Yorker might as well not have one up. The way to create a secure system is to protect the content on a company’s server, not on the client side. This is true for any type of media, whether it’s music, movies, or writing. That the entire digital archive is hosted on Realview servers makes the vulnerability worse because Realview had the opportunity to protect it but didn’t. Unfortunately, this isn’t a bug that can quickly be patched in one day. It could take weeks.
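The difference between gating content in the browser and gating it on the server, as an added example that is not code from The New Yorker or Realview. The request objects are simplified stand-ins for an HTTP request, and the archive entry, session IDs and handler names are constructed.

```javascript
// Constructed data. SESSIONS lives only on the server; the browser holds an opaque ID.
const ARCHIVE = new Map([["1925-02-21", "full text of the issue (constructed)"]]);
const SESSIONS = new Map([
  ["s-1f9c", { user: "alice", subscriber: true }],
  ["s-77aa", { user: "bob", subscriber: false }],
]);

// Parse a Cookie header into a name -> value object.
function parseCookies(header = "") {
  const out = {};
  for (const part of header.split(";")) {
    const eq = part.indexOf("=");
    if (eq > 0) out[part.slice(0, eq).trim()] = part.slice(eq + 1).trim();
  }
  return out;
}

// Client-side gate: the server sends the content to every caller and relies on
// script in the browser to decide whether to display it.
function clientGatedHandler(req) {
  if (!ARCHIVE.has(req.issue)) return { status: 404, body: "" };
  return { status: 200, body: ARCHIVE.get(req.issue) };
}

// Server-side gate: the entitlement is looked up from server-held session state
// before any content leaves the server. Anything the client asserts about its own
// subscription status is ignored.
function serverGatedHandler(req) {
  const sid = parseCookies(req.headers.cookie).sid;
  const session = sid ? SESSIONS.get(sid) : undefined;
  if (!session) return { status: 401, body: "" };           // not logged in
  if (!session.subscriber) return { status: 403, body: "" }; // logged in, not entitled
  if (!ARCHIVE.has(req.issue)) return { status: 404, body: "" };
  return { status: 200, body: ARCHIVE.get(req.issue) };
}
```

With the server-side gate, nothing in the page's JavaScript, obfuscated or not, has any bearing on who receives the archive text.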

To make matters worse, this affects not only The New Yorker but also any of Realview’s client publications using the paywall code — which is pretty much all of them.

This story was reported by Kevin Shalvey and Jesse Young