Back in July we reported that the Alliance for Creativity (ACE) and the Motion Picture Association (MPA) had obtained a DMCA subpoena compelling Cloudflare to hand over the personal details of sports streaming service HeHeStreams.
Soon after, the site – which in the main facilitated access to MLB, NBA, NFL, and NHL content – disappeared and began redirecting to ACE. We can confirm that a settlement was reached but since both sides are honoring their agreement, no further details are available.
For HeHeStreams’ operator, who founded the site in 2016/17, felt the shutdown marked the end of an era from which he could move on but that wasn’t to be the case. A separate criminal investigation representing a different set of rightsholders was already underway, one that doesn’t come with the option of a civil settlement.
HeHeStreams Operator Charged With Numerous Crimes
Joshua Streit, better known online as Josh Brody, was named yesterday as the operator of HeHeStreams. According to the Department of Justice, Streit has been charged with numerous crimes including computer systems intrusions at Major League Baseball and the illegally streaming of content from MLB, NBA, NFL and NHL to the public, for profit. He was also charged with attempting to extort $150,000 from MLB.
Before diving into those details, an explanation of HeHeStreams’ operations is in order.
HeHeStreams Was a Special Type of IPTV Service
The majority of traditional IPTV suppliers facilitate access to pirated streams by offering them from their own servers. This is a model that burns through lots of bandwidth and is seen as a necessary cost of doing business. What HeHeStreams managed to do is eliminate these costs almost completely by not utilizing pirated streams at all.
Instead, it found a way to connect HeHeStreams users to genuine streams offered by the sports broadcasters. This had obvious upsides – no more massive streaming server bills and since official streams rarely break down or buffer, a bunch of happy customers.
“Streit obtained the copyrighted content by gaining unauthorized access to the websites for those sports leagues via misappropriated login credentials from legitimate users of those websites. One of the victim sports leagues sustained losses of approximately $3 million due to Streit’s conduct,” the DoJ notes.
This method of using official streams to supply ‘pirate’ customers was alluded to in our interview with Akamai earlier this year. A pair of DISH lawsuits against SportsBay and Nitro IPTV also illustrate the same problem, one that broadcasters need to fix.
Quite why these gaping loopholes aren’t being closed isn’t clear but what we do know is that disclosing such vulnerabilities can go horribly wrong.
Bug Bounty Or Criminal Extortion?
Back in the summer, TorrentFreak sought comment from Joshua Streit on the ACE/MPA settlement deal. After he declined, the discussion shifted to the apparent loopholes at DISH-owned Sling TV referenced in their lawsuits, ones that fail to prevent non-customers from piggybacking onto legal streams.
How these are exploited went unexplained but without mentioning any services in particular, Streit indicated that he had been trying to share knowledge of serious vulnerabilities with one (or more) providers. He expressed some frustration at their apparent reluctance to work together. We later got the impression that things had improved but that was clearly not the case.
According to the criminal complaint filed by the US Government, around March 2021 Streit emailed an MLB employee noting that he’d previously disclosed a network vulnerability but was disappointed by the company’s response. “The lack of gratitude is frankly shocking,” he reportedly wrote.
Streit later sent another email noting that he’d reported yet more vulnerabilities to the company over a particular weekend and he had two reporters who cover MLB matters interested in the story. An unnamed MLB executive then contacted Streit by phone and reportedly found him “upset” by MLB’s failure to acknowledge his efforts.
Streit allegedly informed the MLB executive that he expected to be financially compensated for the work he’d done but was told that while MLB has no bug bounty program, the company “appreciated” his disclosures. Streit responded that bug bounty programs are useful for cooperation and according to the complaint, added that it would be bad for MLB if the media found out about the vulnerability.
After a gap of several months, Streit allegedly emailed MLB again in the hope that the earlier discussions could be continued. The MLB executive replied, informing Streit that “people here are concerned about this as unauthorized access to our systems” but then went on to ask Streit what kind of money he was expecting. $150,000, apparently.
Serious vulnerabilities can return big bug bounties and there is no question this vulnerability is serious. The complaint against Streit says that an analysis conducted by just one of the sports leagues reveals losses of almost $3m to the HeHeStreams operation alone. And herein lies the problem.
It’s not known if MLB would’ve been more responsive to a neutral third-party discloser but at least as far as FBI Special Agent Joshua Williams is concerned, Streit’s overall conduct means that his request for payment amounted to extortion.
“[I] believe that…although the defendant approached MLB in the guise of being helpful to MLB, his simultaneous intrusion into MLB accounts and illegal streaming of MLB content on the illicit streaming website indicates that Streit acted knowingly and with the intent to extort MLB,” Agent Williams writes.
Potentially Serious Prison Time
As per the Department of Justice, 30-year-old Streit from Minnesota is charged with:
One count of knowingly accessing a protected computer in furtherance of a criminal act and for purposes of commercial advantage and private financial gain, which carries a maximum sentence of five years in prison.
One count of knowingly accessing a protected computer in furtherance of fraud, which carries a maximum sentence of five years in prison.
One count of wire fraud, which carries a maximum sentence of 20 years in prison and one count of illicit digital transmission, which carries a maximum sentence of five years in prison. He also faces one count of sending interstate threats with the intent to extort, which carries a maximum sentence of two years in prison.
Of immediate interest here is the reference to “illicit digital transmission”. This terminology is used in the Protecting Lawful Streaming Act (PLSA), a law that made certain streaming conduct a felony. It was signed into law last December and as far as we’re aware, hasn’t been used until now.
The criminal complaint can be found here (pdf)
Many thanks to TorrentFreak for the breaking news.