Another Lawyer Would Like to Pick Your Brain, Please
Friday, December 29 2006 @ 05:17 PM EST
Another lawyer would like to pick your brain. Ray Beckerman, the attorney for Marie Lindor in UMG v. Lindor, would like to make sure he understands a tech issue, and he'd like your input on it. He's had input from other tech sites as well, but folks there told him to ask Groklaw, and so he is. You'll need to read some reports in order to help, and he includes links to them in his request.

I think you can sum up his viewpoint on the overview like this: the music industry is targeting end users, who are simple folk who lack the resources and sophistication to defend themselves adequately, even when they are innocent, and thus important legal issues are being decided on an uneven playing field. He's trying to do something about that, so we don't end up with lop-sided case law. This isn't at all about condoning copyright infringement. You all know where I stand on that. But he raises a real issue.

When you find yourself on an uneven field, one weapon that can help is to use what you have skillfully, as in David and Goliath. What he knows you have is technical expertise, and he'd appreciate it very much if you'd share that knowledge with him here, so he can prepare for an upcoming deposition. He asks for questions to ask an expert witness for the other side, but in addition, if you can point out flaws in MediaSentry's investigation methods and/or Dr. Jacobson's materials, I think he'll be able to figure out the right questions from that.
Here's his request:
***********************
As many of you may already know, the courts of the Netherlands and of Canada have rejected the "investigations" conducted by the RIAA's "investigator", Tom Mizzone of MediaSentry. See, e.g. BMG v. Doe and Foundation v. UPC Nederland, based largely on the type of reasoning set forth in the independent experts' report of Prof. Sips and Dr. Pouwelse of the Parallel and Distributed Systems research group of Delft University. Their report critiqued the "overly simplistic" nature of MediaSentry's work, in that it had omitted a number of procedures which would have been thought necessary to a sound online 'p2p filesharing piracy' investigation.
It should therefore come as no surprise that in the United States, more particularly in UMG v. Lindor, in Brooklyn federal court, the RIAA is trying to prevent disclosure of the "instructions", "parameters", and "processes" of MediaSentry's investigation. In fact, at the oral argument of its protective order motion, the RIAA took the positions that (a) MediaSentry and its investigators are not experts at all; (b) MediaSentry will not testify as to any copyright infringement, but will merely testify as to what it did, and (c) the only witness who will actually be testifying that there was a copyright infringement will be a Dr. Doug Jacobson of Iowa State University, the founder and co-owner of Palisade Systems, Inc., who supposedly will connect the dots based on what MediaSentry will testify that it did.
They have submitted the following materials from Dr. Jacobson: an April 2006 boilerplate report, a December 19th declaration in support of a motion, and a 26-page, single spaced, curriculum vitae, which goes into such detail as identifying some of Dr. Jacobson's students.
Ms. Lindor has noticed Dr. Jacobson's deposition and requested documents from him; the deposition is presently scheduled for February.
We are the attorneys for Ms. Lindor, the defendant in this law suit, a middle-aged Brooklyn woman who works as a home health aide, and -- believe it or not -- has never even used a computer in her life, much less been an "online distributor". In view of the great pool of technical talent out there among Groklaw's readers, we thought it appropriate to reach out to the technical community through the good offices of Groklaw to vet Dr. Jacobson's "report" and "declaration" and his voluminous curriculum vitae, and request input as to appropriate questions to put to this expert witness.

Authored by: gbl on Friday, December 29 2006 @ 05:37 PM EST
If any.
---
If you love some code, set it free.

Authored by: gbl on Friday, December 29 2006 @ 05:38 PM EST
Anything interesting happening?
---
If you love some code, set it free.

Authored by: tknarr on Friday, December 29 2006 @ 05:47 PM EST
My immediate thought is that MediaSentry's instructions, processes and
procedures are the majority of "what they did". If MediaSentry's going to
testify at trial about what they did, then isn't what they did exactly what's
supposed to be handed over during discovery so the defense can prepare for
cross-examination? I'm not a lawyer, but isn't what the RIAA's claiming here
"We're going to have them testify about what results they got, but we're asking
to not let the defense look at how they got those results."? I don't think
that'd fly in any court in any other area, would it? Tech aside, the RIAA's
position should be attackable based on bog-standard law and rules.

Authored by: pointym5 on Friday, December 29 2006 @ 05:52 PM EST
It'd be awfully helpful to at least summarize the situation of the case. The
linked page is hard to digest, to say the least.

If the defendant has "never used a computer", then somebody must have had a
computer somewhere such that the case could make it this far. In other words,
I think it'd be pretty unlikely that the RIAA could push a case this far
against a defendant who was not in any way associated with a computer
connected to the Internet.

Thus, at least, how is the defendant associated with the computer or computers
identified as instrumental in the alleged misdeeds?

Authored by: gbl on Friday, December 29 2006 @ 05:54 PM EST
Two obvious problems with the expert evidence are the screen shots which can be
trivially faked and the person actually operating the computer.

The second is the more interesting. No matter who bought the computer, where
the computer is located or who pays the internet connection bills, unless there
is evidence that the accused actually performed the alleged actions then I
would have thought that the case was fatally flawed.

With a Windows PC, it is entirely possible that the computer was under the
control of a third party. Unless this can be demonstrated to be impossible
there is no knowing who had access to the PC.
---
If you love some code, set it free.

Authored by: Anonymous on Friday, December 29 2006 @ 05:54 PM EST
Just a thought.

Authored by: tknarr on Friday, December 29 2006 @ 05:59 PM EST
OK, tech hat on. The first thing I notice is that he's using screenshots and
logs provided by MediaSentry. Given a text editor and Photoshop I can make
screenshots and logs that'll show any file you want being downloaded from any IP
address you want, including addresses like 987.654.321.0 that can't physically
exist. I can make the electronic forms so absolutely accurate that there's no
way for the good Doctor to tell they were faked just from the logs and
screenshots themselves. It probably wouldn't take me more than an afternoon to
do it by hand, and if I'm going to do it for a living I'll spend a few weeks
writing some scripts and programs to do it automatically. It's maybe a
half-hour's work to write a small Perl script that'll take the IP address,
hostname and such obtained from checking the target user's info from Verizon and
edit a logfile template to make it appear that that IP address downloaded the
files I want to show it downloaded. Heck, it's the same kind of script I use
routinely to do things like take a template .profile and customize it
for a specific username when creating a new user. So the first thing you want to
do is look at chain of custody: how were the logs and screenshots handled from
the point where they were recorded to the point where they were handed over to
the good Doctor for analysis. If MediaSentry can't show at every step how they
were secured against tampering, how can they prove the logs and screenshots
weren't in fact tampered with? I'm sure one of the Perl geeks around can, given
a sample logfile, give you a Perl script that'll edit the logfile on-the-fly in
front of the court to produce a log showing that the judge was sharing
the file from his office machine. Extra points for having the Perl geek write
the script in front of the judge, to drive home just how trivial it is. :)
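The chain-of-custody question raised in the comment above, as an added example that is not part of the original post and is not MediaSentry's procedure: a hash-chained custody record whose head is deposited with an independent party at capture time, so that a later edit to a log or screenshot, or a quietly rebuilt record, is detectable. The file names, the log line and all function names are constructed for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64
HEAD_MISMATCH = "chain head does not match the value deposited at capture"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def entry_hash(body: dict) -> str:
    # Canonical JSON so the same entry always hashes to the same value.
    blob = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return sha256_hex(blob)


def append_event(chain: list, custodian: str, action: str, artifacts: dict) -> str:
    """Record one custody step over the artifact bytes; return the new head."""
    body = {
        "seq": len(chain),
        "custodian": custodian,
        "action": action,
        "artifacts": {name: sha256_hex(data) for name, data in artifacts.items()},
        "prev": chain[-1]["hash"] if chain else GENESIS,
    }
    chain.append({**body, "hash": entry_hash(body)})
    return chain[-1]["hash"]


def verify(chain: list, artifacts: dict, deposited_head: str) -> list:
    """Return a list of problems; an empty list means the record holds together."""
    problems = []
    prev = GENESIS
    for i, entry in enumerate(chain):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if entry["seq"] != i or entry["prev"] != prev:
            problems.append(f"entry {i}: link to previous entry is broken")
        if entry_hash(body) != entry["hash"]:
            problems.append(f"entry {i}: custody record was altered")
        for name, digest in entry["artifacts"].items():
            data = artifacts.get(name)
            if data is None:
                problems.append(f"entry {i}: {name} is missing")
            elif sha256_hex(data) != digest:
                problems.append(f"entry {i}: {name} differs from recorded digest")
        prev = entry["hash"]
    # The head was handed to a third party at capture, so the custodian
    # cannot simply recompute the whole chain over edited files.
    if prev != deposited_head:
        problems.append(HEAD_MISMATCH)
    return problems


def demo() -> dict:
    # Constructed sample artifacts; 192.0.2.0/24 and 198.51.100.0/24 are documentation ranges.
    log = b"2006-01-10 08:00:00 -0500 src=192.0.2.10 file=track01.mp3 bytes=4194304\n"
    shot = b"\x89PNG constructed placeholder bytes"
    original = {"download.log": log, "screenshot.png": shot}

    chain = []
    append_event(chain, "capture-host", "captured", original)
    head = append_event(chain, "analyst", "received for analysis", original)

    # Case 1: one address in the log is changed after capture.
    edited = dict(original)
    edited["download.log"] = log.replace(b"192.0.2.10", b"198.51.100.7")

    # Case 2: the custodian rebuilds a self-consistent chain over the edited files.
    rebuilt = []
    append_event(rebuilt, "capture-host", "captured", edited)
    append_event(rebuilt, "analyst", "received for analysis", edited)

    # Case 3: a custody entry itself is rewritten.
    altered = [dict(e) for e in chain]
    altered[0]["custodian"] = "someone-else"

    return {
        "clean": verify(chain, original, head),
        "edited_file": verify(chain, edited, head),
        "rebuilt_chain": verify(rebuilt, edited, head),
        "altered_record": verify(altered, original, head),
    }


if __name__ == "__main__":
    for case, problems in demo().items():
        print(case, problems or "ok")
```

A matching digest only shows that a file has not changed since it was hashed; it says nothing about whether the original capture was accurate.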

Authored by: jmc on Friday, December 29 2006 @ 05:59 PM EST
One thing that caught my eye in the declaration was the statement (paragraph 5):

"Based on how IP addresses are defined, it is not difficult to
determine whether a computer was connected to the internet via a wireless
router"

This, of course, is complete rubbish. He ought to be
challenged on that point.

Authored by: Anonymous on Friday, December 29 2006 @ 06:20 PM EST
Mankind has built an earth-wide 'computer' consisting of some 600 million
'nodes', nominally belonging to individuals, and interconnected by this Internet
thing.

Very few people, perhaps no-one, understand how it all works. 600
million people, with mutually-incompatible agendas, represents significant
complexity. Most of the time it sort-of works, but (like sailing in the North
Atlantic) sometimes storms blow up and change the rules without warning.

Now, the 'complaint' is that some sequence of 0's and 1's (in this case
representing a song), have been transferred from one part of this
600-million-element computer to another part of it, without the permission of
someone who needed to give permission.
So, a few questions to ask might be

Authored by: Anonymous on Friday, December 29 2006 @ 06:20 PM EST
I thought Sharman Networks already paid 100 billion USD to settle the case. Is
this an attempt to double-charge?

Authored by: Anonymous on Friday, December 29 2006 @ 06:26 PM EST
... on the data from the hard drive I reviewed, that this hard drive
was not the same hard drive that was used to share copyrighted sound recordings
as shown by the MediaSentry materials.

So where did the hard drive of the suspect machine go? Perhaps they have the
wrong machine? The wrong person? Are they changing the charges to obstruction
of justice? Was the apartment searched for the "other hard drive"?

And, good Dr., when you were in college, did you not borrow albums from fellow
students and record them on tape? Did you not share your record collection with
others? (he did go to ISU and there is hearsay albums sharing evidence
available)

Or is this another case of if we say it loud and long enough, it will come true
and we will win?
Happy New Year Everyone wb

Authored by: Anonymous on Friday, December 29 2006 @ 06:31 PM EST
I am not a computer expert, much less an MS Windows expert, but it is
my understanding that all MS computers are configured with
a public file that is open to the internet.

It is also my understanding that MS computers are notoriously
buggy, with most MS computers which are connected to the
internet and not protected with a firewall having their
security compromised in about 30 minutes.

It is also my understanding that there exist bot networks
which consist of thousands of computers used to send
untraceable e-mail commonly called spam.

If the above is true then is it not as likely that the poor
lady has a compromised computer that is being used to
forward untraceable mp3 files as it is that her son, who
does not live with her, downloaded copyrighted music?

From another point I thought that it was improper for the
suee to demand someone surrender their HD to them so that the
suee could examine the HD and/or place whatever the suee
deem appropriate on the HD. If this is what happened it
seems to me there is just as high a probability that the
suee is dishonest as it is that the lady's son is.

Authored by: Anonymous on Friday, December 29 2006 @ 06:31 PM EST
I agree that if Jacobson is going to testify as to the procedures that
MediaSentry used, they should have to provide you with that information during
discovery.

However, there are some inconsistencies here with Ms. Lindor that should
probably be put to bed in order to form a proper defense.

First of all, if the defendant has never owned nor operated a computer, how is
it that Verizon Internet Services can identify her as the subscriber of record?
Is this a case of missing identity? Why would someone without a computer
subscribe to an internet connection? When looking at this, I would request
specifics from Verizon - exactly when the DHCP lease was granted, and when it
was released. I would confirm that the internet connection was DSL (I don't
think Verizon has any other subscription info), and if so, they may be able to
identify the physical loop that was connected. Some more technical folks here
can address that.

The second thing I would look at is the Kazaa user name they provide - jrlindor.
Do the initials JR mean anything of substance to the defendant? Siblings,
Parents, Cousins, etc. Ruling all of them out may serve to put a bit of doubt on
linking the user to the defendant.
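What the lease records requested in the comment above would be used for, as an added example that is not part of the original post: matching an investigator's timestamp against DHCP lease intervals, with the time zone and the clock error made explicit. The lease rows, account labels and function names are constructed for illustration; the addresses are documentation ranges.

```python
from datetime import datetime, timedelta

# Constructed lease records in the shape an ISP might produce them:
# (ip, account, lease granted, lease released), all in UTC.
LEASES = [
    ("192.0.2.10", "account-A", "2006-01-10T02:00:00+00:00", "2006-01-10T09:30:00+00:00"),
    ("192.0.2.10", "account-B", "2006-01-10T09:31:00+00:00", "2006-01-10T20:00:00+00:00"),
    ("192.0.2.11", "account-C", "2006-01-10T00:00:00+00:00", "2006-01-11T00:00:00+00:00"),
]


def attribute(ip, observed_iso, skew_seconds=0, leases=LEASES):
    """Return (verdict, accounts) for an observation of `ip` at `observed_iso`.

    skew_seconds is the largest clock error that cannot be ruled out between
    the observer's machine and the ISP's lease server.
    """
    observed = datetime.fromisoformat(observed_iso)
    if observed.tzinfo is None:
        # A bare wall-clock time could be hours off; refuse to guess the zone.
        raise ValueError("timestamp carries no UTC offset; it cannot be matched to leases")

    skew = timedelta(seconds=skew_seconds)
    window_start, window_end = observed - skew, observed + skew

    accounts = set()
    for lease_ip, account, granted, released in leases:
        if lease_ip != ip:
            continue
        start = datetime.fromisoformat(granted)
        end = datetime.fromisoformat(released)
        # The lease counts if it overlaps the uncertainty window at all.
        if start <= window_end and end >= window_start:
            accounts.add(account)

    accounts = sorted(accounts)
    if len(accounts) == 1:
        verdict = "unique"
    elif accounts:
        verdict = "ambiguous"
    else:
        verdict = "no lease"
    return verdict, accounts


def report():
    """Run the constructed cases and return their results by label."""
    return {
        # 08:00 US Eastern is 13:00 UTC: the second subscriber holds the address.
        "eastern time": attribute("192.0.2.10", "2006-01-10T08:00:00-05:00"),
        # The same wall-clock digits read as UTC point at a different subscriber.
        "misread as UTC": attribute("192.0.2.10", "2006-01-10T08:00:00+00:00"),
        # Near a lease change, two minutes of possible clock error covers both.
        "near handover": attribute("192.0.2.10", "2006-01-10T04:29:30-05:00", 120),
        # In the gap between leases nobody held the address.
        "in the gap": attribute("192.0.2.10", "2006-01-10T09:30:30+00:00"),
    }


if __name__ == "__main__":
    for label, result in report().items():
        print(label, result)
```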

Authored by: Kilz on Friday, December 29 2006 @ 06:32 PM EST
Looking at the "April 2006 boilerplate report" In #18 it states that
the IP address shared 624 files, "most of them are copyrighted music
files". But the MediaSentry system log and download log shows them only
downloading 11 files. Exactly how did they tell the files were copyrighted
songs? It is a known fact that Kazaa is flooded with fake music files,
http://news.bbc.co.uk/2/hi/technology/2962475.stm . How does MediaSentry know
the 624 songs are not fakes if they didn't download them?

Authored by: Anonymous on Friday, December 29 2006 @ 06:36 PM EST
I see that there are a number of comments already that maybe the screenshots are
faked.

While anything is possible, I think it very unlikely, and in any case virtually
impossible to prove, that the screenshots were faked. The RIAA presumably has a
witness who will make a sworn declaration that the screenshots accurately
represent what they saw on screen. I assume that witness will not tell lies.
And more importantly, I assume that the court will not think that witness is
telling lies, unless the witness contradicts himself in some fundamental way.

So for the sake of this discussion, while it is theoretically possible to fake
screenshots, I think it best to assume the screenshots are genuine
representations of what was displayed on the screens in question.

However, there is a more fundamental question:

How could anybody know whether what was displayed on the screen by the media
sentry software, accurately represented what was happening on the Internet??

Everybody knows that nearly all software has many bugs.

Everybody who has used a computer has encountered situations where a computer
displays inaccurate or incorrect information as a result of a bug.

The only way to determine whether the Media Sentry was likely to have displayed
correct or incorrect information, is for experts to examine the software (both
source code and testing of it in a live environment), and to testify as to their
opinion on whether the media sentry software accurately collects and displays
the information that it is supposed to.

If the plaintiff has an expert who will testify as to the accuracy of the Media
Sentry software, the defendant's expert should have access to the same
underlying information for assessing the accuracy of the Media Sentry software.

If the plaintiff does not have an expert who will testify as to the accuracy of
the Media Sentry software, then how does anybody (including the court) know
whether the Media Sentry software is accurate? For all we know, it could be
displaying screens of random errors. It would seem to me blatantly unfair to
simply assume the Media Sentry software perfectly does what one side claims it
does with no supporting evidence.

As to this deposition, I would ask the RIAA's expert these questions:

Q1: So you came to your conclusions by examining the screenshots and other data
from Media Sentry?
Expected Answer: Yes

Q2: Would you have come to different conclusions if the Media Sentry displayed
different information, for example a different IP number?
Expected Answer: Yes

Q3: Did you personally verify the data, such as IP numbers, that Media Sentry
supplied, were accurate?
Expected Answer: No [if he says Yes to this one - this opens a whole new line of
questioning], but I verified that their procedures of what they did would
produce accurate results.

Q4: Is your understanding that the process that Media Sentry used is, and the
data that they generated, such as IP addresses, came from a computer program?
Expected Answer: Yes [if he says no - ask him how come there are screenshots??
Eventually he must conclude data on the computer screen comes from a program]

Q5: Have you ever experienced bugs, problems, incorrect output from computer
programs?
Expected Answer: Yes

Q6: Is it possible that the data from media sentry, such as IP addresses, which
came as output from Media Sentry's process, may not contain errors, for example,
because of computer program bugs?
Expected Answer: At this point, he will either say yes, or start explaining why
it's unlikely. Get him to answer whether it is _possible_.

Quatermass
IANAL IMHO etc.

Authored by: Anonymous on Friday, December 29 2006 @ 06:38 PM EST
Seems to me the RIAA has to prove several things:
1) defendant knowingly offered files for public download
2) said files are in fact copyrighted by the RIAA or groups which they
represent
3) somebody somewhere downloaded one or more of the files, in their entirety,
from defendant's computer (the way I understand it, with most filesharing, only a
small portion of a file is downloaded from each peer.) Would downloading 1
second's worth of music still constitute infringement? What about 10 seconds?
Where is the limit drawn?
4) supposed downloaders were not authorised to download said files *
5) downloaders still have possession of copies of these files (else if they just
listened and deleted them, how does this differ from the defendant inviting them
to her house to listen to a CD, or indeed, lending the CD to a friend?)
6) downloaders listened to the files as music. For example, if I download a
music file, and instead of listening to it as music, I simply look at a hex dump
of the file, am I still in breach of copyright?

* Part 4 is particularly interesting to me. I own various music on old vinyl
records, and since I don't currently have a record player, I will occasionally
download a playable copy to listen to. Am I infringing copyright when I do so?
I could equally well buy a new record player and listen to the same music that
way.

Authored by: Anonymous on Friday, December 29 2006 @ 06:46 PM EST
She claims to never even have used a computer, which could be true.
However, they continue to refer to the Defendant's ISP, internet account, and
computer.

The Defendant's name is Marie Lindor.

Verizon identifies Marie Lindor as the subscriber of an IP address on the
internet.

The hard drive of the Defendant's computer was mirrored in the process of
collecting evidence, and was found to have 700 music clips that were in a folder
to be shared with other internet users.

The KaZaA account referred to was jrlindor@KaZaA.
Who is jrlindor? An alternate name that she uses? A relative?

First, I would say that mirroring a hard drive is collecting information very
far beyond any possible discovery request.

Second, I can't believe that they made her pay for the hard drives so they could
mirror her computer.

Third, the Plaintiff is claiming that the files were in a directory made
available for sharing. Can they prove that any of the files were actually
copied by other KaZaA users?

Fourth, they are claiming that she was distributing music. Even if another
KaZaA user copies music from her shared folder, who is really making the illegal
copy? The one who owns the copy, or the one who copied it?

Fifth (don't throw rocks at me), people being caught on an unlevel playing field
can still be guilty.

Authored by: Anonymous on Friday, December 29 2006 @ 06:46 PM EST
I would go after him about the Hard Drive pretty thoroughly. He says "The
correct hard drive would have shown" and "This is not the same hard
drive used to share..."

He is basically stating that the hard drive that he looked at is the wrong hard
drive.

However, the only proof that he has that this is the wrong hard drive is that it
must be the wrong hard drive because it doesn't prove his case.

More appropriately, the state of the hard drive - with very few files or
information on it - more supports the defendant's claims.

I really think it's quite funny actually - he's basically saying "The hard
drive didn't have the evidence I was looking for, so it must have been the wrong
hard drive".

Translation: "The grooves in the barrel of the 9mm pistol recovered from
the defendant did not match those of the bullet recovered from the deceased.
Therefore, it is our conclusion that the wrong 9mm pistol was recovered from the
defendant"

Authored by: zip1 on Friday, December 29 2006 @ 06:57 PM EST
"MediaSentry and its investigators are not experts at all";
Then why is the evidence they collected being allowed to be used?

To tell the truth, what they have collected sounds like some kind of forensic
evidence. If it's not, should it not be considered third party hearsay and not
be allowed?

I don't think any court would allow the results of any DNA test that I
performed in any court room. If they are allowed to present such evidence then
the people, methods, procedures must be allowed to be reviewed and challenged.

If they did not document their methods of obtaining this evidence in a forensic
manner, the example of how such evidence can be faked should be presented. This
should cast a large doubt on the authenticity of their evidence.

When it comes to electronic evidence the methods used to obtain it are very
critical to its authenticity. If they're not willing to stand behind their
methods for their collection of evidence then I would attack this by showing
what the proper standards for collecting electronic evidence are. If they are not
willing to show those methods then all of the evidence they are presenting is
not valid. Especially in showing how such evidence can be faked.

You also need to know their procedure, methods and instruction, to ensure their
alleged evidence was collected in a legal manner. By duplicating in test cases
of trying to obtain the same information they are claiming. If they don't, there
will be a way to have all such evidence removed from the case since the
defendant won't have any way to verify the authenticity of the evidence.

With no evidence then no case.

They are not a government organization so they can't hide behind the veil of
protecting their methods of collecting the evidence to protect future
investigation. In fact some of the possible methods used may actually not be
legal for a private investigator to use.

The HP scandal is an example of what some of these private investigators may do
and the people who gave them instructions.

Authored by: nuthead on Friday, December 29 2006 @ 07:08 PM EST
I notice in the boilerplate report that he never ties the Kazaa account to the
defendant's computer, it just simply says "a computer". Only the user
ID remotely connects the two. That's THIN. Further, he only attests to the IP
addresses being registered to the defendant by the ISP and not any other
evidence to actually prove it was the defendant and not someone logged in using
her credentials. There's no definite tie between those three items (the
Kazaa account, the IP and the PC). It's very circumstantial and should be pretty
easily picked apart. It's like saying a car was involved in a hit and run; there
was a car on the road at the time that was the same unique colour as the
defendant's, therefore it was the defendant's car that did the hit and run.

Authored by: Cringa on Friday, December 29 2006 @ 07:09 PM EST
Long time enjoyer of Groklaw, first time responder. But this time I just had to
share.
Having read the declaration I do find it odd how he can make the claim that the
pc was on a wireless connection. This really made me chuckle as ip addresses
that are assigned to a pc are usually of the default 192.169.***.*** variety
tied to the MAC address (hard address on the internet card). This in turn is
usually nat'd to the mac address of the router which in turn is then tied to the
verizon address of the subscriber.
With that thought...if it was a wireless router the question that begs to be
answered is..."was the wireless access point secured?" And even if it was secured
thru WEP or password, anyone with a laptop and a sniffer can usually crack the
authentication as long as they are within range.
Next up, even if it wasn't a wireless router, and someone already mentioned
this...how do we know that the music on the machine wasn't there legitimately
and the PC was in fact acting as a drone (hijacked).
Next point, I have un-installed Kazaa from my kids' PC and the uninstall process
still leaves indication of its presence...so the question is how do you know
that the Kazaa was a full install? (dlls, registry settings, file count etc).
If it wasn't a full install or wasn't completely removed in the process, what
evidence is the Dr. saying it was installed and working?
Point - raise of hands, how many of you have clicked on a link only to be
inundated with popups etc? I had to rebuild a few machines because of PCs
being hijacked by spyware from someone downloading the 'Ask Jeeves' tool bar
extension for IE5. Hijacking on Windows PCs happens to the best of us and
there are times when the only result is to rebuild to correct the issue (Sony
rootkit anyone?)
One last item to chew on - my kids were told to not install Kazaa and they were
told to not use it because it is illegal to file share music....but unbeknownst
to me they had installed it and didn't use it.
But lo and behold, Kazaa had been inadvertently set up to use our PC as a file
share device and in the middle of the night the PC was being re-activated to the net
after being put to sleep...yep, someone had liked my kids' iTunes or ripped music
and was accessing it.
Another item of interest, how does one make the assessment, based on a hdd
showing little use, that it isn't the original? If the person hardly uses that
pc...then the less amount of fragmented files will show...if he is basing this
decision on his experience then I would ask him the number of times he has
looked at minimal use pcs. Has he done a comparative analysis so he has a
baseline based on usage, hdd size etc to make this a valid decision?
Well, good luck to you and your client!
|
|
Authored by: Anonymous on Friday, December 29 2006 @ 07:11 PM EST |
As in the static case, two devices cannot effectively function if they are
directly connected to the Internet simultaneously with the same IP address.
While this is true, a possible defense would be to point out that there is a
technique called IP hijacking. Basically, an attacker performs some kind of
denial of service attack on the victim computer, effectively knocking them off
the network. The attacker then spoofs his/her IP and MAC addresses to be the
same as the victim computer's IP and MAC addresses. The router, not knowing
that the victim computer is no longer able to access the network, sends all
packets to the attacker's computer which now looks just like the victim's
computer.
This technique allows a person wishing to commit a crime to easily frame
someone else for their illegal activity. This is also why most criminal
computer crime cases are so difficult to prosecute. Not only do they have to
prove that the person sitting at the computer is the person that committed the
crime, they also have to prove that the IP address was actually assigned to
that computer.
|
|
Authored by: Anonymous on Friday, December 29 2006 @ 07:13 PM EST |
How do we get in contact with Ray on questions for Dr J? Will he provide an
email address?
|
|
Authored by: Anonymous on Friday, December 29 2006 @ 07:16 PM EST |
In statement 5, Jacobson claims that "Defendant's computer had a public
Internet Protocol ("IP") address and was not connected to the internet
via a wireless router. I base this data mentioned above, as well as on the
registry entries recovered and the fact that there was no internal IP address
here".
This statement is extremely thin IMHO:
a) He claims in (6) that he doesn't have the "right" harddrive, so how
does he know what is in the registry of the "right" hard-drive and how
it assigns IP. He doesn't.
b) Even if he did have the right hard-drive, I assume the police didn't
confiscate the computer right away and someone might have removed the router and
reconfigured the PC before the police took it. Just because it is set up to go
directly to the internet directly and not through a router does not mean it was
doing that at the time of the alleged misused downloads. He cannot possibly say
with certainty that the system, at the time of the offense was configured the
way he says the "wrong" harddrive indicates it is now.
c) Since he cannot prove that the machine was directly connected and it wasn't a
router connected (using NAT and port forwarding).
Verizon Internet Services might be able to show what MAC addresses were used in
the DHCP requests. If they happen to be the same as the computer's, that doesn't
prove anything (since most routers can "spoof" MAC addresses for valid
reasons), but if they're different (or change) that indicates that equipment
changed, router used etc.
And even if it was directly attached to the internet, without a firewall, that
just means there is almost a certainty that someone had hacked into the machine
(trojan, hacker etc) since statistically that happens very fast.
|
|
Authored by: Anonymous on Friday, December 29 2006 @ 07:32 PM EST |
You might not be able to accuse them of falsifying data - but it seems like
you can make them prove that there was not an opportunity for someone else to
do so between the time the image was taken and when it was shown to you.
|
|
Authored by: Anonymous on Friday, December 29 2006 @ 07:34 PM EST |
I have looked over this stuff, but not very deeply. But, as part owner of a
small ISP that has just spent a few days cleaning up phishing scams placed in
accounts of users with weak passwords, let me suggest you get someone to look at
the hard drive for the possibility of viruses and scripts that could have been
placed there without the owner's knowledge. The attacks these days to 'own'
machines are relentless. Law enforcement really needs to step up to the plate on
this issue. They seem oblivious to how much crime is going on, or just don't
care. :( Of course, if it is profitable to go after it, as in the case of the
RIAA......
|
|
Authored by: Anonymous on Friday, December 29 2006 @ 07:35 PM EST |
He didn't even look at the songs / files themselves
11 songs were downloaded, and he is testifying that of the 624 songs, most are
protected by copyright???
a) Check if the "Copyright" applies to the song's title or the music therein.
b) If the copyright applies to the title, then this suit may not be filed
correctly.
c) If the copyright applies to the music, then how does he know what was in
those files???
How does he know that the files were audio and music files? Again, by the
filename?
Just because a file ends in MP3, doesn't mean it is an audio file.
Did MediaSentry even keep the 11 songs (files) they downloaded? Was a secure
chain of custody kept?
The expert even says in Point 14 that he didn't even *look* at the 11 songs
(files). As such, how can he possibly testify that even these 11 songs are
infringing copyright, or that these were the songs that actually were
downloaded?
Fake Songs
The RIAA was in the practice of distributing fake song files with obvious
blemishes.
How do we know that she wasn't redistributing the freely distributed fakes?
Isn't there a rule in law that Company A can't sue Company C for using
Company B's services, if a contract exists between Company A and Company B
allowing Company B to do what it is doing?
Professional Licensing
This expert is not a Professional Engineer, and does not belong to a
professional regulating body (like Doctors, Lawyers, Accountants, and
Engineers). In Canada, a P.Eng. is held to a code of conduct when involved in
legal proceedings. Computer science professors aren't.
Technical Correctness
This individual isn't offering entirely correct testimony.
He is quoting truisms from the manuals that say how this technology is
supposed to work.
He is not actually saying how it can work. As such, he misses key details.
Like two computers can share the same IP address and function on the network.
This function has been exploited many ways:
1. Two computers sitting behind a firewall.
2. Fail-over clustering. When one computer goes down, the other continues with
the same IP address as if nothing happened.
3. Industrial networks. Two computers co-exist at the same IP address. They
just aren't both active simultaneously.
This can be done deliberately for technical reasons, however it is also a big
source of DHCP problems.
Industrial networks tend to operate computers separated for long periods of
time.
If one gets disconnected, another can reuse the IP address of the former. In
certain conditions, the former can decide it likes its old IP address, and
when it is reconnected reuse it.
The problem happens when both computers simultaneously use the same IP
address.
In DHCP, this problem happens so often that there are special protocols and
notifiers to notify the system administrator of this. Did anyone check to see
if these protocols were triggered in this case?
The situation in industrial networks is analogous to home networking, as in
home networks many people leave their computers off much of the time.
4. Deliberate Spoofing:
a) Network monitoring (for engineering purposes)
b) Network attacks
5. This guy is simply wrong. Two computers can function on a network with the
same IP address.
Back in 95, I did this to someone's server for 6 months. The network didn't
fail. (It did generate a pile of IP errors, but that was another story.)
I think he is forgetting:
a) Not all communication requires correct IP addresses (ex: NetBEUI or IPX
protocol stacks)
b) If I want to be an ass, I won't use the IP address given by the cable
company. In fact, I should steal someone else's IP address, so the DHCP tables
can't identify my computer.
Sometimes, this will work and I get my internet connection. If it doesn't, I
randomly pick another IP address and try again. If two computers are using a
duplicate IP address the default behaviours are:
i) DHCP client bugs off
ii) Newest computer using that IP address bugs off
iii) Oldest computer using that IP address bugs off
Any way you look at it, the result is non-obvious.
c) If I want to be a really annoying hacker, I monitor the network for
existing IP pair, MAC address combos.
When the computer switches off, I set my computer to reuse the same addresses.
The DHCP server never knows any different. No one even knows what I am up to
until the RIAA goes and knocks on my neighbour's house!
MAC Addresses
Did anyone get the MAC addresses of the computers involved in these
connections?
If they don't match, it is extremely likely someone was spoofing the IP
address.
If the MAC address is available, it is still possible that some hacker faked
both the TCP/IP address, and the MAC address simultaneously. If this was a
good hacker, they would do this. Then you could ghost a PC to someone else's
cable connection and the authorities could never trace it back to you.
Could the MAC address of the cable modem (I am assuming this is a cable
connection) be changed?
If so, what is to stop someone from spoofing the MAC address with the hardware
shipped from Verizon, as is?
If not, what is to stop someone from changing the MAC address on some other
piece of hardware?
The MediaSentry info may not have the MAC address, but the Verizon info should
have it.
Kazaa as a Background service
Does Kazaa operate as a background service?
Is it possible that the person using the computer might not know if it is
running?
If this is the case, what would stop someone from remotely controlling the
computer and using it as a drone in file sharing activity?
Could some person at a past point have set up Kazaa on the computer, and this
was unknown to the person charged?
Also ask if the expert can distinguish between Kazaa and Kazaa Lite, and if
so, how? Can he accurately identify even which program was used to share the
data?
Possibly Related Historical Failure
You might want to look up the router failure that caused them to start
encrypting (checksum) routing tables.
The story goes into how in the early days of the internet, a router on the
west coast decided it was actually the router on the east coast. It triggered
a massive internet failure. The result was that routers received encrypted
(checksum) routing tables, that were periodically checked to ensure validity.
Thus if a router failed, it could not cause a cascade failure to the entire
Internet.
I bring the router failure up, because it is an historic and well documented
example of duplicate IP addresses.
Known Hackers
Did anyone check to see if any known hackers were operating from the cable
company's system? Specifically, with a company the size of Verizon, one would
have to assume that multiple customers were doing misdeeds simultaneously,
many times a day. Verizon might even have numbers on this, like complaint
rates, e-mail spam rates, suspected zombie computers, etc.
|
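The comment above asks how anyone knows the downloaded files were audio "by the filename" and whether a chain of custody was kept. As an added example (not part of the original post and not any party's actual tooling), this Python sketch classifies a file by its content instead of its name and records a SHA-256 digest that can be re-checked at every hand-off; the sample files are constructed and the function names are hypothetical.

```python
import hashlib

# MPEG Layer III bitrate tables (kbit/s), indexed by the 4-bit bitrate field.
BITRATES = {
    "v1": [0, 32, 40, 48, 56, 64, 80, 96, 112, 128, 160, 192, 224, 256, 320],
    "v2": [0, 8, 16, 24, 32, 40, 48, 56, 64, 80, 96, 112, 128, 144, 160],
}
# Sample rates (Hz) keyed by the 2-bit version field.
SAMPLE_RATES = {
    0b11: [44100, 48000, 32000],  # MPEG-1
    0b10: [22050, 24000, 16000],  # MPEG-2
    0b00: [11025, 12000, 8000],   # MPEG-2.5
}


def skip_id3v2(data):
    """Return the offset just past a leading ID3v2 tag, or 0 if there is none."""
    if len(data) >= 10 and data[:3] == b"ID3" and all(b < 0x80 for b in data[6:10]):
        size = 0
        for b in data[6:10]:          # 28-bit "synchsafe" integer, 7 bits per byte
            size = (size << 7) | b
        footer = 10 if data[5] & 0x10 else 0
        return 10 + size + footer
    return 0


def frame_length(header):
    """Byte length of the Layer III frame this 4-byte header starts, else None."""
    if len(header) < 4 or header[0] != 0xFF or (header[1] & 0xE0) != 0xE0:
        return None                   # no 11-bit frame sync
    version = (header[1] >> 3) & 0b11
    layer = (header[1] >> 1) & 0b11
    if version == 0b01 or layer != 0b01:
        return None                   # reserved version, or not Layer III
    bitrate_index = header[2] >> 4
    rate_index = (header[2] >> 2) & 0b11
    if bitrate_index in (0, 15) or rate_index == 3:
        return None                   # free-format or invalid field values
    padding = (header[2] >> 1) & 1
    table = "v1" if version == 0b11 else "v2"
    coefficient = 144 if version == 0b11 else 72
    bitrate = BITRATES[table][bitrate_index] * 1000
    return coefficient * bitrate // SAMPLE_RATES[version][rate_index] + padding


def consecutive_frames(data, offset, wanted):
    """Count back-to-back valid frames starting at offset (stops at `wanted`)."""
    count = 0
    while count < wanted:
        length = frame_length(data[offset:offset + 4])
        if length is None or offset + length > len(data):
            break
        count += 1
        offset += length
    return count


def classify(name, data, wanted=4):
    """Describe a file by content: digest, size, and whether it parses as MP3."""
    start = skip_id3v2(data)
    verdict = "not MPEG audio"
    # A single sync pattern can occur by chance, so require a run of frames.
    for offset in range(start, min(len(data), start + 4096)):
        if consecutive_frames(data, offset, wanted) >= wanted:
            verdict = "MPEG Layer III audio"
            break
    return {"name": name, "size": len(data),
            "sha256": hashlib.sha256(data).hexdigest(), "verdict": verdict}


def constructed_samples():
    """Three constructed files that all carry an .mp3 name."""
    frame = bytes([0xFF, 0xFB, 0x90, 0x00]) + bytes(413)   # 128 kbit/s, 44.1 kHz
    tagged = b"ID3\x03\x00\x00\x00\x00\x00\x0a" + bytes(10) + frame * 5
    text = b"This is a text file that only has a music-like name.\n" * 20
    stray = b"\xff\xfb\x90\x00" + b"junk" * 200            # one sync, no stream
    return {"real.mp3": tagged, "notes.mp3": text, "stray.mp3": stray}


if __name__ == "__main__":
    for sample_name, sample in constructed_samples().items():
        print(classify(sample_name, sample))
```

A positive verdict only establishes the container format; it says nothing about which recording the file holds, which still requires listening to it or comparing it against a reference.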
|
Authored by: div_2n on Friday, December 29 2006 @ 07:38 PM EST |
Background on Kazaa
*When someone installs Kazaa, it creates a shared folder that begins sharing
files in that folder
*If someone's computer is set to start Kazaa automatically when their computer
is turned on, those files are being shared without further interaction on the
user's part
*If someone unwittingly stores files of their own creation and usage in that
folder, it can be shared without them being aware.
See:
http://www.hpl.hp.com/news/2002/apr-jun/kazaa.html
http://www.pcworld.com/article/id,101726-page,1/article.html
Discussion on Security
*If someone operates a wireless network without encryption, it is trivial for
a cracker (common media terminology is hacker) to grab personal information
"out of the air" and go to great lengths to hide their own identity and use
that of people legitimately using the wireless network. This includes cloning
MAC addresses of wireless cards, creating email address and/or P2P accounts
using names found in unencrypted communications.
*Even if someone uses wireless encryption, it is not guaranteed that someone
can't compromise the network. This is especially true if WEP 64 bit is used
and somewhat true if WEP 128 bit is used. Other encryption schemes such as WPA
and WPA2 are better, but not a panacea.
*Microsoft Windows operating systems are notoriously susceptible to all
flavors of malware which could allow a cracker to either "funnel" data through
an innocent person's computer without their knowledge (including music) or
even be able to steal login and passwords to various accounts. This could
include a Kazaa account that might have been created (but never used).
*While not as likely as other possibilities, it is not impossible for a
cracker to steal the login and password to a high speed account such as DSL.
Many providers allow the possibility to login with one account to multiple
places. So in the case of someone that rarely uses their DSL and shuts their
computer and/or network off at night, a cracker could login as them and use
their account for illegal activity. Bellsouth is an example of one company
that allows this in many (if not all) of their DSL markets. Further, in the
case of Bellsouth, if someone were to obtain the email address of the account
holder, the password could likely be derived from the phone number
corresponding to the account. Verizon may or may not have similar practices.
Background on TCP/IP forensics
*If an ISP keeps accurate logs, it is possible to determine what account was
using an IP address. It is not guaranteed that someone could determine for
certain what device was actually using the account at the time. MAC addresses
can be cloned. Passwords can be stolen. Wireless networks can be hacked.
Computers can be remotely controlled without the owner's knowledge.
*It is impossible to be 100% certain what computer is performing any action
behind a common home router due to all of the above issues. Furthermore, it is
also completely impossible to determine who is actually using the computer at
the time due to the above issues.
Bottom Line
If the question really is "Was Ms. Lindor guilty of sharing files based on the
evidence at hand?" then from a technological perspective, there is no way any
expert on the planet can assert the answer with complete confidence. There is
an intrinsic level of uncertainty that cannot be reconciled technologically.
Period. End of discussion.
If the question becomes "Is an internet account holder liable for activity
that is conducted using that account carried out in a manner so clandestine
that it is outside the technical ability of the account holder to detect
and/or prevent?" then that opens up a legal discussion I am completely
unqualified to cover.
Questions to ask the other side
1) How can you be certain exactly what computer was performing the file
sharing services of the IP address in question?
2) How can you be certain that an authorized computer using that account was
not compromised by a cracker/hacker that was then performing the sharing?
3) Is it possible that an authorized computer had Kazaa installed on it but
never actively used where the files being shared were placed there by the
owner of legitimate content who used legal means of "ripping" their music off
for personal use?
4) How can you be certain that the screen shots you have were not tampered
with in any way?
5) How can you be certain that the home network of the internet account in
question was not compromised and being used without permission?
I sincerely hope this information helps.
|
|
Authored by: Anonymous on Friday, December 29 2006 @ 07:39 PM EST |
Dr Doug Jacobson's prior experience:
One of my graduate students, under my supervision and guidance, developed a
system that monitors peer-to-peer networks and other forms of file sharing for
child pornography.
These things tend to work by scanning p2p chunks for something that looks like
a JPEG file and then matching the colors against some "typical porn" color
dictionary. I'd be very interested to know how he thinks this can determine
the ages of the actors involved when even a human looking at the picture can't
get a reliable estimate.
I know that pornography now requires registration in the USA (can't have
amateurs doing it for fun and bringing down profit margins) so maybe there is
a watermark that can distinguish between registered and unregistered
photographs.
After a bit of a google search, I found this:
http://judiciary.senate.gov/testimony.cfm?id=902&wit_id=2564
where he explains the mechanisms behind Palisade products and it would seem
that they only monitor the network for queries that seem related to child
pornography which is then presumed to be a reliable estimate of how much is
actually out there.
I also note his comment:
You don't have to look for pornography on peer-to-peer networks; it will find
you. There are no effective controls regarding content provided on a
peer-to-peer network, the only information you are given is a file name. A
good example of this problem hit home this spring when I was teaching my
information warfare class. To give students an opportunity to study the
security problems associated with peer-to-peer networks, I set up a
peer-to-peer node. I searched for a file that I had created and placed on the
peer-to-peer network. I received several matches to my search request, but
when I downloaded and viewed the files, they contained embedded links to
pornography sites.
This seems like blatant scare-mongering given that the problem of spam has
crept into every communications medium (even the telephone) so the same
scare-factor should apply to email, web browsing, usenet news, irc, and the
list goes on.
Both of the above are examples of half-truths that Doug Jacobson uses to make
his testimony sound more impressive than it really is. Quite likely there will
be other similar weak points in his arguments.
Anyhow, the above link is worth a read if you want to see where this guy is
coming from.
Digging around a bit more, this turned up:
http://deseretnews.com/dn/view/0,1249,510053167,00.html,
which contains yet another half-truth:
Pornography is just one of several problems with P2P technology Hatch's
committee has been examining as it weighs how and whether to regulate it.
Other problems have included embedded "Trojan horse" commands in some files
that have led some people to inadvertently give others access to their tax
returns, medical files, e-mail and other data.
Of course, trojan horse files are a problem for email, ftp, www and everything
else. They have always been a problem and it is a general issue for system
security (don't give the standard desktop user a pathway to root access for
example, like Win95, WinXP-home and Ubuntu-Linux all do). Bashing peer-to-peer
will not protect us against the trojan horse.
|
|
Authored by: Anonymous on Friday, December 29 2006 @ 07:40 PM EST |
The 'expert' testimony put up by SCO was not always of the highest quality. For
instance, the evidence of Marc Rochkind was lame even though he has excellent
Unix experience.
Dr. Jacobson seems to have good credentials but that doesn't mean his evidence
is unassailable.
He admits that the hard drive he examined had nothing to do with any file
sharing. Does he contend that it is a fake? What about the dates on the files?
(In other words, is there any evidence that someone formatted the hard drive
and re-installed the system?) Is it the same hard drive that came with the
computer? Is there evidence that there was ever another hard drive installed in
the computer? What evidence does he have that this particular computer was
involved in file sharing? He does not mention a MAC address. He doesn't think
there was a wireless router involved but he can't connect the hard drive he was
given with the file sharing. Is he supposing that there must have been another
computer?
When I worked for her majesty I was responsible for a lot of equipment that was
connected to Bell Canada landlines. For very important circuits, there were
little red caps on the punch block connections. Other than that, things might
get a little wild and wooly. I bet they have no proof that the consumer's line
was the only one with access to that telco circuit. I will also bet that the
telco punch blocks are located in places that aren't particularly secure.
Another question would be about who in the telco has access to user IDs and
passwords. The original installer would have such access and I'll bet the
customer never changed their password. In other words, just because there was
no wireless connection doesn't mean there was no other connection. Just because
the customer had the user ID and password doesn't mean that no one else had
access to it.
Depending on the telco involved, the record keeping might be somewhat spotty and
therefore not very good evidence.
|
|
Authored by: rsmith on Friday, December 29 2006 @ 07:50 PM EST |
Things you should ask your client:
If she doesn't have a computer, who in her house does? Children, tenants?
Is there a DSL connection to her house? [modem is slow for file sharing]
If so, does the DSL router have wireless capability?
[If true, then someone else could be using the DSL connection without her
knowledge; wireless access points can be easily cracked if the access point is
not well configured to keep out unauthorized access. And that requires quite a
lot of knowledge]
Is the connection shared with others?
Some things you could ask the "experts":
Did the investigation yield IP (internet protocol) addresses? If so, what
is/are the address(es)?
[You need an IP address to trace a computer]
If so, specify how was this linked to the defendant?
[First, they'd have to find the ISP (internet service provider). (You'd have to
check that the IP addresses in question really belong to the ISP they thought it
belonged to.) Then they'd have to ask the ISP which customer was using the IP
address in question at the time. (Most ISPs dynamically allocate IP addresses. So
the IP address of a computer can change over time.)]
How were records from the ISP obtained?
[Were the records obtained legally? (do you need a warrant for that?)]
Can you prove that it is her computer?
Can you prove that the computer in question wasn't a zombie? (i.e. taken over by
another without the user's knowledge or consent)
Can you prove that the files you found in the shared files folder actually
contained copyrighted material, and especially that it contained the material
implied by the filename?
[According to the testimony from the TU Delft experts, 50--90% of the files on
KaZaa are not what they pretend to be.]
Did you download the files? If so, how can you prove that they actually came
from the computer allegedly owned by defendant?
[The protocol used by KaZaa (fasttrack) can and will download from several
sources if possible. See the Wikipedia article:
http://en.wikipedia.org/wiki/FastTrack]
Can you prove that the files in the shared files folder on what is alleged to be
defendant's computer were actually downloaded (from that computer) by anyone?
If so, provide specifics on the alleged copyright violations. What copyrighted
content was downloaded from the computer in question at which dates and time?
[If the copyrighted content was never downloaded from the machine in question,
then the plaintiffs have suffered no injury.]
Can you prove that the computer in question was switched on and connected to the
internet when the alleged copyright violations took place?
---
Intellectual Property is an oxymoron.
|
|
Authored by: CondorDes on Friday, December 29 2006 @ 07:52 PM EST |
Standard disclaimer: I'm not a lawyer, I'm a geek. My
thoughts on the subject may or may not be correct, or
worth anything.
But here are my general thoughts. I'll try to look more
specifically at the documents a bit later.
In order to prove their case, it seems to me they would
have to establish a strong chain of evidence. That chain
might look something like this:
First, they might show that one or more copyrighted songs
were made available for download.
Second, they might present evidence linking the song to
the IP address of the computer that shared it (that is,
the computer that made it available for distribution).
Others have already explored the potential weaknesses
here, so I'll leave it at that.
They must map this IP address to an Internet Service
Provider (ISP). This can be done fairly reliably using
the ARIN database. (see http://www.arin.net)
Once they know which ISP is involved, they might show that
the file-sharer's IP address was in use by a specific
account at the ISP, *at the time the file-sharing took
place*. This usually involves asking the ISP to share
that information (much like asking a phone company for the
call log of a particular phone number). Time is important
here, because an IP address may be used by many different
customers.
ISPs usually maintain one big pool of IP addresses, which
they give out at random to customers when they connect to
the Internet. When a customer disconnects (e.g. shuts
down his/her computer for the night), that IP is now free,
and can be assigned to another customer. The ISP usually
maintains a log describing which customers were using
which IP addresses, and when.
In the simple case, the customer has one computer which is
directly connected to the Internet. The IP address would
then identify that specific computer. But perhaps the
customer has multiple computers in the house, and is
sharing his/her Internet connection. The IP address would
also be shared by all of those computers. Internet
traffic to/from that IP address could be for any of them,
and there's no way to tell after the fact which computer
it's actually for.
So now let's assume the opposition has linked the
file-sharing to an IP address, and the IP address to a
specific account at an ISP.
Finally--and IMHO this is the hard part--they might show
that the defendant was the person using the computer that
held the IP address in question. Aside from all the
real-life doubts that may be raised (Perhaps the account
holder was on vacation at the time, and had a friend
house-sit?), there is also the issue of which computer was
responsible.
If the customer had more than one computer on the
Internet, he or she most likely has a router that is
responsible for sharing the connection amongst all the
computers.
Maybe it's a wireless router. If it's a wireless router,
is it properly secured using WEP or WPA? If not, it's
possible for John Doe to come by and use the Internet
through the customer's wireless. The traffic to/from John
Doe's wireless laptop will pass through the customer's
Internet connection, so it will all use the customer's IP
address.
Can the opposition demonstrate this *didn't* happen? If
the customer has an open wireless network, how can the
opposition show that the copyrighted song was shared from
one of the customer's computers, and not from J. Random
Wireless User's? (I'm not aware of any conclusive way to
demonstrate this after the fact. I suppose it would be
possible to show circumstantial evidence -- such as the
presence of file-sharing software and the song in question
on the customer's computer, but just because it's there
doesn't mean it was used.)
Authored by: mashmorgan on Friday, December 29 2006 @ 07:55 PM EST
Case falls apart on the first point, Para 12.
Each computer has a unique address like a postal system. I.e. send a mail to a
company and therefore all users in that company are defendants.
In my capacity as a forensic investigator, we would demolish the case on that
argument alone. They cannot prove it.
Glad UK courts would not allow this stuff to go further than a rebuttal report
which the authorities (the CPS/Police in my case) would drop.
It's pathetic to be honest.
[ Reply to This | # ]
Authored by: Anonymous on Friday, December 29 2006 @ 08:01 PM EST
Haven't read anything but the intro yet, but this stuff comes to mind.
1. From the introduction one is startled to read the following:
"--[The Defendant] has never even used a computer in her
life, much less been an 'online distributor.'"
This is a fact that UMG can not technically contradict against Defendant's
declaration. This immediately makes others in her household suspect. Since it
may be a crime, they can take the fifth and make it impossible for UMG to prove
that the Defendant did anything with her computer. Might she be civilly liable,
after notice, as the owner of the computer, maybe. The important thing here is
not to provide evidence against yourself. Make the plaintiff prove it if they
can.
Some questions in this area for Media Sentry:
- On the first date of your tests, who was online during your first procedure?
- On the second procedure? Third? etc.? {All the answers should be "I don't know."}
- Is it not true that your procedures can't determine who is online?
- On the second day of your tests, who was on during the first procedure?
- ...
Continue with the same line of questioning so that for every day
and every procedure they say "I don't know" and "the user can't
be determined." Spend a lot of time establishing this and it diminishes
the value of what they have determined.
Demonstration: One can also attempt a demonstration if you are sure how things
will operate. At deposition or in the courtroom have computers A and B both
connected to the internet. Have the plaintiff on A monitor computer B and
conduct suspect activity. Show the limits of Plaintiffs procedures in that it
can not tell who is on the computer.
[ Reply to This | # ]
Authored by: yorkshireman on Friday, December 29 2006 @ 08:04 PM EST
Two things strike me as being very odd about Jackson's 19 Dec declaration.
1) Wifi
=======
He makes a statement that "the defendant's computer .... was not connected
to the Internet via a wireless router".
This statement is either made based on information that we haven't seen on
Groklaw or it is simply untrue. I have a DSL connection at home which goes into
a wired router/firewall and then the wired router is connected to a second
wireless router/firewall which protects the computers on the inside.
It would be impossible for someone on the Internet to know what happens on the
inside of my network without (illegally) breaking through the outer firewall.
The lawyer should explore this point in detail and particularly why Jackson
felt it necessary to include it in the first place. It seems to me an admission
that their case is weakened (or lost) if a wireless connection is involved.
This is presumably because many users set up wireless connections with no
security or WEP security which can be cracked easily.
2) The Hard Drive (or is it image?)
Mr Jackson's statements regarding the hard drive are confusing - perhaps
deliberately? He is either saying that someone deleted the incriminating data
in a way which Media Sentry's imaging software was unable to detect - or he is
agreeing that the defendant is not guilty.
Perhaps he is obliquely accusing MediaSentry of incompetence in imaging the
disk. Media Sentry could have used forensic disk imaging software that would
have told Jackson everything that the original disk would have. If they chose
not to use it then it is their fault.
Of course the defendant's Windows computer could have been infected by a Trojan
and remotely used to share the files via Kazaa also. This could be difficult to
detect for an inexperienced computer user.
For the sake of argument, (even if) the logs prove the Internet connection was
used to share these files. I can't see any evidence that they know which
computer was used (wired or wireless and with/without the defendant's
permission). Let alone who the user was.
Any more info on the case would be useful to help form a technical opinion.
IANAL.
[ Reply to This | # ]
Authored by: Anonymous on Friday, December 29 2006 @ 08:05 PM EST
What has been observed (other people have already caught it):
The IP address and deposition from Verizon are not enough
to claim that the defendant's computer (physically) was
operated on 8/7/2004 between 6:12:45 AM EDT
and 7:08:30 AM EDT.
The expert built only one part of the chain:
WWW -> KaZaA -> IP
The missing link is IP -> Defendant's computer.
As usual, the foggy/doubtful part has been skipped in the expert deposition. That
is where the defence should take a careful look.
Yes, Verizon says that IP 141.155.57.198 was assigned to the
Defendant. But that is not enough.
!!! Faking is possible through the MAC address.
The router/cable modem (the device through which the Internet connection is made)
can be re-programmed to a different MAC address.
I am sure that the MAC address from the defendant's cable modem has been abused by
somebody. Remember, the MAC address is printed on the package box of the cable modem.
Anybody can pick it up and use it.
Verizon doesn't care unless a collision happens (the same MAC from two different
physical locations). Because the defence claims that the person almost never uses
the computer, that is possible.
The abuse scheme is easy. Pick up a trashed box. Get info about the defendant's MAC
address and internet operator. Re-program the MAC address and go ahead.
Verizon will see the defendant surfing the Internet when actually the defendant is
innocent.
That version is supported by the expert deposition (see paragraph 6). The expert
confirms that the hard drive is not the same as the one used for illegally sharing
the copyrighted content.
I suggest the following strategy:
- Pull up the questions about the MAC address and lead to the conclusion that Verizon's
testimony is not enough to claim that the defendant's computer was used (faking is
possible because the MAC address can be re-programmed). If the expert refuses to
confirm, search in Google; you will find precise instructions for any operating
system.
- Pull up the expert opinion about the hard drive in support of the previous statement.
Additional discovery:
- Pull the log from Verizon about how frequently (in their records) the defendant uses
the computer. It is also possible that after the computer was collected by police
somebody still abuses the MAC address. In this case Verizon's records will show that
abuse happened even after the defendant was physically unable to do it.
- Ask Verizon to provide a log with specific details of the connection. Usually it is
impossible to identify the region/city/street where the request comes from.
[ Reply to This | # ]
Authored by: Anonymous on Friday, December 29 2006 @ 08:05 PM EST
Hard to say anything definitive. Paper of Prof. Sips and Dr. Pouwelse is
self-explanatory.
Probable questions are stated there.
0. [As was noted by others] How can you guarantee that the provided screen shot is
authentic?
1. [By the paper] How did you ensure that the identified file name wasn't fake?
2. [By the paper] How did you ensure that the IP address wasn't hijacked? Wasn't
faked? Can the ISP testify to the IP address validity?
3. [From my head] How can you ensure that works found on the client's hard drive
were not legally acquired? Broken CD, ripped from friend's CD, etc. may lead to
mp3s w/o any identifiable source. Files on P2P networks use checksums for
validation. OMG. The checksums by themselves may not be properly validated: even
a little alteration to the file (e.g. correction of artist name) leads to a
different checksum. Does the checksum of the files match the checksum of the
files found on the P2P network? (If one cannot prove that somebody actually
downloaded the file in question - one cannot claim that the "distribution"
right was infringed).
4. [From my head/paper] How did you verify that somebody actually downloaded
the works in question from the client's computer? How can you test that the works in
question came from the client's hard drive? Were the works actually available
from the client's computer - not just some file names??
[ Gosh. We are about convicting a person. How can one rely on unreliable evidence
for that sake??? You U.S. people really surprise me. ]
IOW I can hardly add anything to the list of what the guys already have put on
the paper. Internet is P2P by its nature - applications like Kazaa are just
advancement of such model.
Summary:
IP address may not be equated to a unique identifier - due to all the technical
obstacles a normal internet connection has to work around (NAT, firewalls, proxies,
etc). Add here the now-practiced address hijacking, zombie proxies, etc - there is
no definitive means to identify the person behind an IP address. (e.g. the classical
SYN-flood attack
http://www.iss.net/security_center/advice/Exploits/TCP/SYN_flood/default.htm
uses precisely the fact that an IP address may not be properly validated. The
attack may be fended off only by the attacked hosts themselves - and only passively.
The host cannot actually detect that it is under attack.) The paper covers that.
Filenames as seen on P2P networks like Kazaa are not definitive. (I myself was
on the receiving end of the problem: knoppix.iso often turns out to be some random
pr0n somebody tries to download from a corporate computer under a fake name.) There
is no guarantee whatsoever that a file with a particular name actually contains the
copyrighted material in question. The paper explains that.
A checksum, which is often used as an alternative to file names for download
identification, may be faked. Both MD5 and RC4 were proven to be susceptible to
easy (~ linear time) attack (iow file of the same size but with different
content).
RC4: http://en.wikipedia.org/wiki/RC4#Fluhrer.2C_Mantin_and_Shamir_attack
MD5: http://en.wikipedia.org/wiki/MD5CRK
In short: even widely used checksum algorithms cannot be taken for granted when
comparing a copyrighted work to a file found on a P2P network. And the paper mentions
that.
P.S. I programmed networks. I programmed Unices. I know many architectures and
studied many system designs. I know some P2P (mostly BitTorrent, eDonkey,
Gnutella) technologies. (Kazaa uses FastTrack. I can try to dig up tech info on
it too, but the network is largely undocumented - by all means a proprietary one).
If you have concrete questions - try contacting me directly at
thephilipsNO@SPAMgmail.com (NO SPAM removed). I'm a techie - not the best legal
conversation partner, but yet. I am not a genius - but an engineer. If I can help -
I would gladly do. Especially while on xmas vacations ;)
[ Reply to This | # ]
Authored by: Anonymous on Friday, December 29 2006 @ 08:05 PM EST
How did MediaSentry get this information on the P2P network? I.e. sit in the
background and sniff out traffic based on p2p, or would it install itself
on any PC connected to the internet that was not secure? Like a virus?
In the description of TCP/IP Dr J has no comment about email spoofing or IP
spoofing, which is highlighted by the fact, as stated by Dr J, that the hard drive
sample given was not the one that was using Kazaa. It is very easy to phish
email accounts and passwords from users and even send infected emails, without you
even knowing, to your email list. Dr J should know about this as an owner of a
security networking company. Basically he can say it went to this IP address;
however, he can not prove it was this computer or person in question!
Dr J also stated that a wireless network was not involved. How can he back that
up? NATing in routers is one way you can create your own shared network at home
for many. The ISP has you listed as only one user or destination / source address;
however, the router knows there are many behind it that are connected. So it is
not that clear cut. Does your client have a router or WiFi? Or does Ms Lindor
have a Bluetooth or WiFi laptop turned on? These can be hacked and accessed by a
third person through Ms Lindor's PC.
What security does Ms Lindor have on this PC, if any? If there is none, what
trojans were on this HD? Dr J has had a look at this HD; however, he did not say
he did a forensic test, only spoke about it. He is making all the right noises;
however, there seems to be little action to prove this was done. It would appear
he only looked for Kazaa installation files and share locations. Very basic
search! Based on the fact he has very little time as he is doing book reviews,
committees and teaching. He has spent very little time (lack of technical info)
in proving what he is saying other than using his heavy CV to back himself. I.e.
what tools did Dr J use to come to the conclusion this HD was not the one used
in the great file sharing scam?
What type of music is downloaded / Dr J stated header files are sent. Is this the
type of music Ms Lindor listens to? If it's Pink I would doubt a middle-aged woman
would be listening to it. My parents are middle aged and they like the 50s 60s
music. Elvis, Beatles, Everly Brothers, Platters, Diana Ross etc etc. Do they
match what was downloaded?
Dr J can not prove by MediaSentry data that Ms Lindor was the person at the PC.
They are pointing in that direction. Yes Officer, the robber ran that way.
However Dr J even stated the HD given was not the one used to download files. Sorry,
wrong machine. Your Honor, I have an IP address though! Is that all you got?
[ Reply to This | # ]
Authored by: cybervegan on Friday, December 29 2006 @ 08:10 PM EST
About the defendant's internet connection:
How did the defendant's computer connect to the internet? Cable modem? DSL
modem? Dialup modem?
Does the ISP log any identifying information such as the MAC address if the
connection is cable or dsl?
If so, do they match those in the defendant's computer?
Was another computer's MAC address ever associated with the defendant's
account?
Did the defendant's computer have more than one network device - wireless or
wired?
If so, was "internet connection sharing" enabled?
If wireless, was the network secured with WEP?
If wired, was there another computer on the defendant's premises to which this
one could have been networked and sharing its internet connection?
About the defendant's computer:
Has a "friendly neighbour" or relative ever offered to help her out
with her computer? May they have tampered with its configuration to allow them
to attach to the internet through it without her knowledge?
Can the investigators prove that the defendant's computer was not infected with
a backdoor trojan or rootkit that could have allowed a cracker to remotely use
her computer without her knowledge?
If the hard disk image doesn't contain any of the files the investigators
allegedly downloaded, did they in fact find the disk that they downloaded them
from? Was this disk ever in the possession of the defendant?
---
They must be able to prove every link in the chain:
That the files were downloaded by the investigators.
The IP address of the computer to which they were downloaded.
A disk image of this computer, with the files on it.
The connection details of this computer - IP address, means of connection,
configuration or log files to support this.
Log files of the TCP/IP conversation between the defendant's computer and this
computer.
The IP address of the computer from whence they were downloaded.
That the IP address was assigned to the defendant's account.
That the defendant's computer was attached to the internet via this account at
the time the evidence was gathered.
That the files downloaded were found on the defendant's computer (even if they
had been deleted).
That the defendant's computer actually had a kazaa-family p2p program installed
on it.
That the files were located in a folder that was or had been shared by the
sharing program.
That the files were put into the shared folder by the defendant.
That the defendant knew that putting the files into the shared folder was likely
to lead to them being illegally downloaded.
To summarise:
files downloaded including MD5 and SHA hashes
disk image of investigator's machine after downloading files, including MD5 and
SHA hashes
investigator's MAC address
investigator's IP address
DHCP server logs or IP configuration details from investigator's PC
investigator's ISP logs showing that they had a connection at the time
defendant's ISP's DHCP server logs, including time, IP and MAC address
defendant's computer's MAC address
sharing software installed on defendant's PC
image file of defendant's computer hard disk, incl MD5 and SHA hashes, showing
that the files were present, the hashes match, and were in a shared directory,
and that a sharing program was installed
That would be a reasonable start, but is not all-inclusive.
DHCP servers invariably keep details of the nodes (network cards) that they dole
out addresses to.
MD5 and SHA hashes show whether or not files have been tampered with or were
different.
The downloaded files and the files from the defendant's computer should be
played to the court to prove that they are what the prosecutors say they are.
I wouldn't consider myself an expert, but that's how I'd go about it, and then
I'd look for more holes in my reasoning, and go over it again.
regards,
-cybervegan
---
Software source code is a bit like underwear - you only want to show it off in
public if it's clean and tidy. Refusal could be due to embarrassment or shame...
[ Reply to This | # ]
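Two comments bear on hash comparison: the earlier remark that correcting an artist name changes a file's checksum, and the list above asking for MD5 and SHA hashes of the downloaded files and the disk image. This added example (not part of either comment) hashes a file whole and again with its ID3v1 and ID3v2 tags skipped, so a retagged copy can be told apart from different audio; the byte strings are constructed stand-ins, not real recordings, and the function names are hypothetical.

```python
import hashlib


def synchsafe(n: int) -> bytes:
    """Encode a tag size the way ID3v2 stores it: four bytes, 7 bits each."""
    return bytes((n >> s) & 0x7F for s in (21, 14, 7, 0))


def id3v2(artist: str) -> bytes:
    """Build a minimal ID3v2.3 tag holding one artist (TPE1) frame."""
    text = b"\x00" + artist.encode("latin-1")      # 0x00 = ISO-8859-1 text
    frame = b"TPE1" + len(text).to_bytes(4, "big") + b"\x00\x00" + text
    return b"ID3\x03\x00\x00" + synchsafe(len(frame)) + frame


def id3v1(artist: str) -> bytes:
    """Build the fixed 128-byte ID3v1 trailer."""
    def field(s: str, n: int) -> bytes:
        return s.encode("latin-1")[:n].ljust(n, b"\x00")
    return (b"TAG" + field("Sample Title", 30) + field(artist, 30)
            + field("", 30) + b"2006" + field("", 30) + b"\xff")


def audio_payload(data: bytes) -> bytes:
    """Return the bytes between a leading ID3v2 tag and a trailing ID3v1 tag."""
    start, end = 0, len(data)
    if len(data) >= 10 and data[:3] == b"ID3":
        size = (data[6] << 21) | (data[7] << 14) | (data[8] << 7) | data[9]
        footer = 10 if data[5] & 0x10 else 0       # optional ID3v2.4 footer
        start = min(10 + size + footer, end)
    if end - start >= 128 and data[end - 128:end - 125] == b"TAG":
        end -= 128
    return data[start:end]


def fingerprints(data: bytes) -> dict:
    """Whole-file MD5 and SHA-256, plus SHA-256 of the audio with tags skipped."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "audio_sha256": hashlib.sha256(audio_payload(data)).hexdigest(),
    }


def compare(a: bytes, b: bytes) -> str:
    """Classify how two files relate, from strongest match to none."""
    fa, fb = fingerprints(a), fingerprints(b)
    if fa["sha256"] == fb["sha256"]:
        return "identical file"
    if fa["audio_sha256"] == fb["audio_sha256"]:
        return "same audio, different tags"
    return "different audio"


# Constructed sample data: a stand-in for audio frames, not a real recording.
AUDIO = bytes(range(256)) * 64
DOWNLOADED = id3v2("Artst Name") + AUDIO + id3v1("Artst Name")
RETAGGED = id3v2("Artist Name") + AUDIO + id3v1("Artist Name")   # name corrected
OTHER = id3v2("Artst Name") + AUDIO[:-1] + b"\x00" + id3v1("Artst Name")

if __name__ == "__main__":
    for label, candidate in (("retagged copy", RETAGGED), ("other file", OTHER)):
        print(label, "->", compare(DOWNLOADED, candidate))
        print("  whole-file md5:", fingerprints(candidate)["md5"])
```

A whole-file match shows two copies are byte-identical; a tag-only difference shows the same audio under different metadata. Neither result says where a file came from or who put it there.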
Authored by: Anonymous on Friday, December 29 2006 @ 08:13 PM EST
If I understand all of this correctly, the simplest explanation is that her
computer got taken over by somebody who turned it into a music server, and
eventually she decided that the computer was acting funny/running slow/crashing
too often, and had it fixed. In the process of fixing it, the hard drive was
wiped by the fixer, leading to the drive with very little on it (just what she
put on it since the fix).
If this is the true situation, what is her liability for the stuff put on her
machine without her knowledge or consent? Under current law, I think the answer
is, zero. A decision otherwise would make life very expensive for a lot of
clueless PC users. It might be a net positive change, but it would certainly be
a huge change from the current situation.
MSS2
[ Reply to This | # ]
Authored by: CondorDes on Friday, December 29 2006 @ 08:27 PM EST
> 5. Based upon my review of the foregoing materials, as well as on my
> education and experience, it is my opinion and belief that the defendant's
> computer had a public Internet Protocol ("IP") address and was not connected
> to the Internet via a wireless router.
But he does not say which IP address, or whether that IP address matched the
one found by MediaSentry. Indeed, he doesn't link the computer he examined with
the infringing computer discovered by MediaSentry at all.
> I base this on the data mentioned above, as well as on the registry entries
> recovered from the computer and the fact that there was no internal IP address
> here.
What techniques did he use to recover the computer's IP? Can he demonstrate
that the lack of an internal IP address conclusively indicates the computer was
not used behind a router? Can he present the logs on which his statement was
based? How can he be sure the logs are comprehensive? Perhaps the computer
failed to log its IP.
> Based on how IP addresses are assigned, it is not difficult to determine
> whether a computer was connected to the Internet via a wireless router. This
> computer was not.
This is, at best, a half-truth. It is possible to distinguish between public
and private IP addresses, which can determine whether a computer was behind any
type of router (wired or wireless) with high probability. (See RFC 1918.)
However, most wired and wireless routers use the same scheme for assigning IP
addresses. Also, wireless routers often do not distinguish between computers
that are plugged in via Ethernet and computers connected via wireless. (On
some, but not all, wireless routers, it is possible to tell the router to make
the distinction, but this is not the default.)
Most wired and wireless routers in their default configuration (for example,
Linksys and D-Link routers, both of which I have personal experience with)
assign IP addresses in the 192.168.x.x range. The Linksys router at work
assigns these addresses without regard to whether I am connected via wireless
or via Ethernet cable. I could, for example, plug in via Ethernet, and receive
the IP address 192.168.1.104. But when I come in tomorrow and connect via
wireless, it's quite possible I will be assigned the same IP address.
> 6. ... this hard drive was not the same hard drive that was used to share
> copyrighted sound recordings as shown by the MediaSentry materials.
That's like taking fingerprints off of some random Honda Accord and trying to
use them to show the defendant drove the getaway car (which was a Jeep
Cherokee).
> The hard drive that was provided and that I inspected, showed little usage at
> all, as evidenced by the lack of user created files and e-mails, and did not
> reveal the evidence noted above, which I believe the correct hard drive would
> certainly have shown.
So there was no evidence whatsoever that the computer he examined was used for
copyright infringement. He assumes the drive he examined was not "the correct
hard drive", but (a) how can he demonstrate that it's not, and (b) if it wasn't
the right drive, why did he examine it in the first place?
> 7. The hard drive that was provided did contain the resume of Gustave Lindor,
> Jr., and that document indicates that he was living and working in Brooklyn,
> New York during the dates that the copyrighted music was being shared.
That seems awfully circumstantial to me. If anything, given the aforementioned
lack of evidence, isn't that an argument for his innocence?
[ Reply to This | # ]
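The RFC 1918 test referred to in the comment above, as an added example that is not part of the original comment: it separates private from other addresses and shows, over a constructed lease table from a hypothetical home router, that one private address can be held by wired and wireless clients alike. The MAC addresses and 198.51.100.23 (standing in for a publicly routable address) come from documentation ranges, and the function names are hypothetical.

```python
import ipaddress

# The three address blocks reserved for private networks by RFC 1918.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed lease table from a hypothetical home router:
# day, address handed out, client MAC, link the client used.
LEASES = """\
mon 192.168.1.104 00:00:5e:00:53:0a ethernet
tue 192.168.1.104 00:00:5e:00:53:0b wireless
tue 192.168.1.105 00:00:5e:00:53:0c wireless
wed 192.168.1.105 00:00:5e:00:53:0a ethernet
"""


def is_rfc1918(addr: str) -> bool:
    """True when the address lies in one of the RFC 1918 private blocks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def parse_leases(text: str) -> list:
    """Turn the whitespace-separated lease lines into dictionaries."""
    rows = []
    for line in text.splitlines():
        day, addr, mac, link = line.split()
        rows.append({"day": day, "addr": addr, "mac": mac, "link": link})
    return rows


def inference(addr: str, leases: list) -> dict:
    """What an address found on a machine supports, and nothing more."""
    holders = [r for r in leases if r["addr"] == addr]
    private = is_rfc1918(addr)
    return {
        "address": addr,
        "rfc1918": private,
        # A private address implies some NAT device in front of the machine.
        "behind_router_likely": private,
        # The address itself never encodes the link type; the router's own
        # records may, and here they show both kinds for the same address.
        "links_seen": sorted({r["link"] for r in holders}),
        "distinct_clients": len({r["mac"] for r in holders}),
    }


if __name__ == "__main__":
    table = parse_leases(LEASES)
    for address in ("192.168.1.104", "198.51.100.23"):
        print(inference(address, table))
```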
Authored by: rsmith on Friday, December 29 2006 @ 08:29 PM EST
Dr. Jacobson's report contains something that might sink the plaintiff's case.
He states that the harddisk (or image, his declaration is ambivalent here) that
he received from the defendant's computer doesn't contain the Kazaa software or
copyrighted files.
His conclusion that he therefore wasn't given the correct harddrive (image?) is
the tail wagging the dog. It's an assertion without any evidence whatsoever.
---
Intellectual Property is an oxymoron.
[ Reply to This | # ]
Authored by: Anonymous on Friday, December 29 2006 @ 08:33 PM EST
How can any expert, anywhere in the world, reasonably claim that they can
associate an IP address with a specific user of a P-2-P network? IP Addresses
can be spoofed. It would be necessary to show that the IP address is tied to a
specific MAC address of a Network Card or port of a firewall, switch or router
owned by the defendant. Even then a MAC address can be spoofed. It would be easy
to use a packet sniffer to obtain the IP address and MAC address. The user name
could be made up by someone who knows her referentially. If I was on a jury and
you asked me to determine whether Miss Lindor was guilty of using a P-2-P
network just because an IP address was associated to an account owned by Miss
Lindor I would find her not guilty. Even given that copyrighted files were
present on her computer and it appears that she had a P-2-P software application
installed and that software was offering files, how can you prove to me as a
jurist that she knowingly or should have known that this violation was taking
place? If my nephew comes to my home and uses illegal drugs in the bathroom does
that make me guilty of a crime? Yes it is my responsibility to supervise him as
a minor but I can't prevent him from illegal activities.
I read in one of the documents that the computer was owned by another, now
deceased person. Is it possible that the former owner was sharing files and left
this software on the computer? Assuming that it was someone else who was using
the computer in her home, how could I find her guilty when she apparently does
not even know how to use a computer? In the testimony of the two technical
experts they conclude that the methods used by the investigating company were
neither scientific nor discrete. One last observation, I am curious if there is
a body of case law wherein a court has found that the act of offering files over
a file sharing network constitutes a legal offense or do you have to show that
files were actually downloaded?
Finally, the R.I.A.A. appears to be using this and other cases to make examples
of people. This is tantamount to creating enough fear of criminal prosecution to
prevent file sharing activities. Asking someone to pay $750.00 per song in
penalty is ludicrous. The nominal value of a song these days is generally .99
cents. How can the R.I.A.A. and the music companies claim that this is a fair
and reasonable penalty without "proving" the actual loss?
[ Reply to This | # ]
Authored by: rsmith on Friday, December 29 2006 @ 08:37 PM EST
Ask the plaintiff if they can prove that the IP traffic linked to the
defendant's account was actually transmitted over the telephone line running
to the defendant's house.
Because it might be another Verizon customer using the defendant's login name and
password. If she wasn't using the computer, she'd never know.
---
Intellectual Property is an oxymoron.
[ Reply to This | # ]
Authored by: Anonymous on Friday, December 29 2006 @ 09:02 PM EST
Just a couple of quick observations about the curriculum vitae: there are no
refereed-journal articles pertaining to computer forensics, which implies he is
not a recognized expert in that specialty; also, there is nothing I noticed in
the entire CV that indicates any detailed knowledge of the specific P2P
programs, or investigative programs, that allegedly are involved. Of course, the
CV is so verbose I certainly may have missed the needle in the haystack.
A background check of his overall character might be useful. For example, has he
ever been accused by his students of sexual harassment, grades for a fee, etc.?
Are there ex-wives, and what do they have to say about him?
Also, it would be interesting to poke into the finances of his entrepreneurial
activities. For example, have there been discussions about future consulting
work contingent on the outcome of this lawsuit?
[ Reply to This | # ]
Authored by: Anonymous on Friday, December 29 2006 @ 09:03 PM EST
In my opinion the key flaw in their argument is the procedure used to establish
the IP address and identity of the computer and its user.
This process has to have the following attributes:
1. The information needed to establish the sequence of events must originate
with different people/organisations (ISP, MediaSentry, cable company, etc.)
2. The data used to establish copyright infringement must involve a sequence of
events, each at a different time (connection, assignment of IP address,
down/upload of file, disconnection, de/re-allocation of IP address, etc.)
The differing data sources in (1) will have provided timestamped logs purporting
to show those events in (2) which are then presented in such a way that they
match at particular times (as in this computer had that IP address when file x
was downloaded from it). Unless they can also provide a way to attest to the
accuracy of the timestamps in their logs no such link can be applied.
They must either have synchronised their differing systems to each other or,
more likely, to a known accuracy data source (as in an ntp server). In which
case they should both be able to provide their ntp synchronisation logs as
backup to their evidence. If not how does one know the times are accurate, or
sequence of the events exists?
In my experience large ISPs and companies in general have a quite cavalier
attitude to time accuracy on their systems. I've seen servers which were minutes
out, and hours out is not unusual, also sometimes with an incorrect timezone to
confuse things even more.
That's something to watch out for when comparing logs -- different timezones
because systems were in different locations. It's best to insist everything is
converted to GMT.
Hope this is helpful.
[ Reply to This | # ]
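The log correlation this comment asks about, as an added example that is not part of the original comment or any party's tooling: it converts each timestamp to UTC and lists every account that could have held an address once clock error is allowed for. The lease records, account names, addresses and times are constructed sample data, and the function names are hypothetical.

```python
from datetime import datetime, timedelta, timezone

# Constructed ISP lease log, already in UTC: start, end, address, account.
LEASE_LOG = """\
2006-03-01T08:00:00Z 2006-03-01T14:28:10Z 203.0.113.7 acct-1001
2006-03-01T14:30:00Z 2006-03-01T23:00:00Z 203.0.113.7 acct-2002
2006-03-01T09:00:00Z 2006-03-01T21:00:00Z 203.0.113.8 acct-3003
"""

# Constructed observation, as written in an investigator's local-time log.
OBSERVED = "2006-03-01 09:57:00"


def parse_utc(stamp: str) -> datetime:
    """Parse an ISO-style UTC stamp ending in Z into an aware datetime."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_leases(text: str) -> list:
    """Return (start, end, address, account) tuples from the lease log."""
    leases = []
    for line in text.splitlines():
        start, end, addr, account = line.split()
        leases.append((parse_utc(start), parse_utc(end), addr, account))
    return leases


def to_utc(local_stamp: str, utc_offset_hours: float) -> datetime:
    """Convert a local-time stamp to UTC, given the offset the logger used."""
    naive = datetime.strptime(local_stamp, "%Y-%m-%d %H:%M:%S")
    zone = timezone(timedelta(hours=utc_offset_hours))
    return naive.replace(tzinfo=zone).astimezone(timezone.utc)


def candidate_accounts(leases, addr, observed_utc, clock_error):
    """Accounts whose lease of addr overlaps observed_utc +/- clock_error."""
    lo, hi = observed_utc - clock_error, observed_utc + clock_error
    return sorted({account for start, end, a, account in leases
                   if a == addr and start <= hi and lo <= end})


def attribution(leases, addr, local_stamp, utc_offset_hours, clock_error):
    """Label the result: one account, several, or none at all."""
    accounts = candidate_accounts(
        leases, addr, to_utc(local_stamp, utc_offset_hours), clock_error)
    if not accounts:
        return ("no lease matches", accounts)
    if len(accounts) == 1:
        return ("single account", accounts)
    return ("ambiguous", accounts)


if __name__ == "__main__":
    leases = parse_leases(LEASE_LOG)
    cases = [(-5, timedelta(minutes=1)),    # logger on UTC-5, clocks within a minute
             (-4, timedelta(minutes=1)),    # same stamp read as UTC-4
             (-5, timedelta(minutes=30))]   # clocks unverified to half an hour
    for offset, error in cases:
        print(offset, error, attribution(leases, "203.0.113.7", OBSERVED, offset, error))
```

The same observation points to a different account when the timezone is misread, and to two accounts when the clocks cannot be shown to agree within the gap between leases.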
Authored by: Anonymous on Friday, December 29 2006 @ 09:03 PM EST
(think the above comment is rather astute wrt computer taken over - there's
no reason that a hijacker couldn't read her name from other files and create a
kazaa account based on her name)
but, (ducking)
qualifications
2) What distinguishes your company as a "high-tech" computer security
company as opposed to other computer security companies?
IV - does Palisade have anything to do with your D&D experience?
from the declaration:
Did they give you a USB thumb drive to inspect?
[ Reply to This | # ]
Authored by: Witness on Friday, December 29 2006 @ 09:16 PM EST
It would seem to me that the music industry, in an effort to preserve an ageing
market paradigm, has in effect been using a form of blackmail or
"protection" scheme. While technically it may all be legal to
frighten people into paying up for "crimes" they did not commit, I
feel the music industry's actions should be carefully examined under both
Federal and State RICO laws. Certainly a pattern of gross misapplication of
lawsuits can be easily discerned.
---
Witness
[ Reply to This | # ]
Authored by: Anonymous on Friday, December 29 2006 @ 09:23 PM EST
Dr. Jacobson's declaration states:
> ... this hard drive was not the same hard drive that was used to share the
> copyrighted sound recordings ...
Thus the RIAA's expert appears to be challenging the chain of evidence presented
by MediaSentry: the evidence provided to him does not support their analysis.
The remaining questions are along the lines of:
- Did you witness the collection of the evidence?
- Are the results provided by MediaSentry consistent with the evidence found on
hard drive which you examined?
- Is it possible to conceal the trace evidence you expected to find?
- What technical skills would be required to conceal this evidence?
[ Reply to This | # ]
Authored by: webster on Friday, December 29 2006 @ 09:24 PM EST
Jacobson's Declaration
One can have a lot of fun with his $5 million dollars in grants. Ask how much
went into his pocket. Ask him how much of his business relies on the perception
or reality of sending copyrighted material over the internet.
His tone and diction are negative. He talks about peer to peer as something
negative, that is sending improper unpermitted copyrighted files over the net.
Actually there is far more legal peer to peer such as email, chat, data, voice
and other legitimate content. He threw porn in but much of that is legal. An
estimate of total content, illegal content, legal copyrighted content, and
illegal copyrighted content might help diminish his claims. You can't ask this
stuff unless you know the answers.
From Jacobson's conclusions:
15) The materials can not disclose who was using the computer?? The materials
will not disclose whether the sights granted permission to download the
copyrighted material? The materials will not diclose whether the purported
permission was legitimate or not? The materials will not disclose whether or
not the copyright notice was on the site or not? The copyright notice itself
that is in the downloaded material does not say itself whether it is legitimate
to download the particular copy or not? Kazaa is just a tool that downloads
files? It has no copyright sensor?
16) Screenshots could mean several things depending what stage of the search
and download process is involved. Also files can be deleted and never used.
The expert can bring this out. The expert can also establish that anyone can
use the Kazaa user ID with just the password. So one or many different people
may have done the downloading.
17) He concludes that MediaSentry downloaded 11 songs. From where? Is this
relevant? Where did they come from? Did they have permission? Was permission
noted on the site?
19) He concludes that for a while copyrighted songs were offered for
distribution. How were they offered? What action did the user take to offer
them? {None, it was involuntary and probably ignorant.} Have the expert
explain how this works for you. He can give your client an innocent and
unknowing explanation.
20) He says above that 624 songs were "offered for distribution."
Here he concludes they "were being distributed." Make him retract, or
explain and retract, to impeach these conclusions. Have him explain what a
subscriber is. Have him explain internet address. Have him explain that anyone
can use the computer, subscription, and internet address other than Ms Lindor.
21) He concludes the computer distributed material. Have him explain how that
happened without any intervention by the Defendant or anyone else. Have him
describe the "ignorant distributor."
22) He concludes music on the computer was downloaded from other computers on
the internet. Did the other computers pay? Did the other computers pay for the
right to make a gift? Can people make a gift of itunes tunes? How is an
ignorant to know the difference?
In general you can't mess with the expert. But get him to be your witness for
the simple stuff suggested above. Look for bias, money and plaintiff's or law
enforcement tendencies in the past and who fills his wallet. He has also
provided a wealth of background of his writings and experience. Contradictions
and puffery if any could effectively impeach him.
---
webster
[ Reply to This | # ]
|
|
Authored by: Joris on Friday, December 29 2006 @ 09:25 PM EST |
From the Dutch case, this is something that weighed pretty heavily on the
decision of the Dutch court:
Mr. Millin also testified that his company provided a service called MediaDecoy
which distributes bogus or inoperative files over the internet. People
downloading these files think incorrectly that they are music files. The files
are made to look like real music files, but they are inoperative. When he was
asked whether he could tell whether any of the files allegedly copied from the
alleged infringers were MediaDecoy files, Mr. Millin stated that he had not
listened to any of the files copied from the alleged infringers and that
listening to the files was not work that his firm was contracted to do (…).
There is, thus, no evidence before the Court as to whether or not the files
offered for uploading are infringed files of the plaintiffs.
In other words there is no way to determine from log files whether it is actual
music you downloaded or just decoys. You have to listen to the files to
determine whether these are really the copyrighted materials.
This is from the expert's testimony:
I will testify that, based on the MediaSentry Userlog, the music found on the
Defendant's computer was downloaded from other users on the Internet.
I wonder what is in that Userlog because how does he know these are not "decoy"
files? Did someone listen to all the songs? Does the Userlog show all 624 files
being downloaded?
Another thing the expert states:
Distributing files first requires that the user must put the file into a shared
folder.
Maybe Kazaa changed since I last used it but back then you automatically shared
everything you are downloading. So distributing files also starts by
downloading, the user does not have to put the file in the shared folder, Kazaa
places it there automatically.
There is another little pearl in the Dutch case although probably not
appropriate in an American court:
[...] it has been established that Brein employed the services of MediaSentry,
a third party, when gathering IP addresses, thus Brein failed to meet the
conditions under which gathering IP addresses is lawful, according to the CBP.
The Preliminary Injunction Court also considered the fact that MediaSentry is
an American company and that the United States of America could not be
considered to be a country that has an appropriate protection level for
personal data. Furthermore, MediaSentry – by means of the software it employs -
investigates the contents of the IP addresses’ ‘shared folders’, and these
‘shared folders’ can also include files that do not infringe on the rights of
third parties, or files which are of a private nature.
[ Reply to This | # ]
|
|
Authored by: Anonymous on Friday, December 29 2006 @ 09:26 PM EST |
In the expert report, point #14, Dr. Jacobson does not list the files downloaded
by MediaSentry amongst the articles he examined.
In the Motion to Compel, they say the hard drive is the wrong hard drive.
Do they actually have any evidence that any hard drive was used to download any
actual copyrighted files? How can they argue it was the wrong hard drive
without any evidence that anyone had files?[ Reply to This | # ]
|
|
Authored by: Anonymous on Friday, December 29 2006 @ 09:33 PM EST |
Sorry a bit long.
As the RIAA is using the court system instead of cricket
bats to perform basic thuggery it is my belief that the
court system should be putting those abusing the system
behind bars and this should not be needed.
Looking at the documents I can't see any documents telling
me how the source documents are obtained. So the following
is speculation.
Assume we have two sorts of source documents
1) Screen shots are of some application that is taking
packets off the wire and then attempting to work out what
is going on.
2) Document from an ISP provider stating that the IP
address was being routed to a particular account.
Prof. Sips and Dr. Pouwelse pretty much summed it up. To
put it another way; Dr. Jacobson may be one bright cookie
but:
1) Is he being honest, is he independent? As has been
pointed out, screen shots are easy to create.
2) Did he make a fundamental mistake in understanding how
the protocol works?
3) Is his code correct?
Surely the court would require that enough information be
provided so your experts can come to some conclusion.
Two courts have said; you can't get past here; one would
have to be surprised if things go further.
But let's assume that he can prove he is honest,
independent, you get hold of his methods and they look
good, and you get the code, get an independent expert and
your expert's conclusion is the code looks good; how can
things go wrong for the good doctor?
I assume his system downloads a file from the P2P network,
records the IP address of the sender and then he finds out
where the packet is routed using ICMP. The service
provider then associates the IP address with an account
and bingo someone ends up in court.
I think it is safe to assume that bright people that are
fed up with the RIAA have put some effort into file
sharing without getting caught.
1) Have any of the computers along the way been
compromised?
You need to find the actual route taken by the packets.
That I would think is a valid discovery question.
The best way to cover your tracks is to be part of the
route and lie about how the packets are routed. That is
the computer doing the sharing is in the route list
discovered by the good doctor but the basic protocols used
to discover routes have been compromised. ( the packets
have to get to the compromised computer and be returned
but the story in between that can be completely bogus).
When the computer doing the sharing is asked about routing
it returns a story instead of the desired info. As the
ICMP protocol is standard this is a trivial program to
write if you have access to the TCP/IP stack.
To put it another way, the truth can be hidden by any hop
along the way, to prove they have the right final
destination they need to prove no hop has been
compromised, including the victim's (see my introduction)
service provider.
One has to assume that the service provider logs show that
the packets arrived at the service provider. You have to
get the logs to make sure.
2) What has the good doctor done to prove that the routing
tables of all the computers along the way have not been
compromised?
To compromise the ARP table entries all you need is the
desire and access to the network segment that you desire
to compromise. Once again if this happens on any of the
computers in the route the info the good doctor has is
rubbish.
Does the good doctor have the ARP table entries from the
service provider? If they don't have that then all the
service provider can say for sure is this account and this
password was given this IP address.
You need to get hold of the logs so your expert can look
at them and come to some conclusion as to why the info can
be wrong.
As I point out in another post, it is trivial to change
your MAC address. So having the MAC address of the final
machine doesn't prove that someone who wanted to share
without the RIAA's knowledge isn't involved.
3) "Account names and passwords" and ARP table can be
compromised?
If you're sure of your ground. Time to go after the service
provider. Perhaps they will fight the RIAA a little harder
if the path of least resistance is to fight their thuggery.
i) How are they sure that the user in question is the
right user for that IP address.
ii) What has the service provider done to prevent ARP
table corruption.
iii) What makes them so sure their computers haven't been
compromised?
The last one will make any network provider squirm, there
is no right answer.
4) The user's computer wasn't being used as a zombie.
Let's assume what's on the hard disk is the one they asked
for and that ISP has a secure network.
You need to get the OS version and patch level. You then
need a declaration from an expert that details how to turn
that OS version into a zombie and how to cover his/her
tracks so the good doctor sees nothing.
Ask the good doctor why he assumed the victim was sharing
files instead of assuming that the machine was being used
as a relay by someone else. His answer will give you the
material needed by your expert to make a fool of him.
5) Now we come to point 5 and 6 of the December 19th
declaration
Point 5 says that this hard disk is from a computer that
is connected to the network ( I will come back to that)
and point 6 says this is not the hard disk we are after.
If point 6 is correct then point 5 is just wasted words.
Ask the good doctor why he made point 5 if this is not the
hard disk he is after.
Back to point 5.
As he is claiming this is not the disk he is after point 5
is wasted words however I'd be interested in why he came to
that conclusion. As the packet can be routed through a
wireless link with no knowledge of the sender/receiver I'd
be interested as to how he came to that conclusion.
In summary what has been provided.
A declaration that states I am a very clever person and I,
as the very clever person think this. I would have thought
the court needed a little more; when you get the little
more you will have what you need to shoot him down because
there are many ways for someone to hide their file sharing
from the likes of good Dr Jacobson.
[ Reply to This | # ]
|
|
Authored by: Anonymous on Friday, December 29 2006 @ 09:43 PM EST |
Apparently (according to what I have just Googled) you can see the traffic of
people connected to the same DSLAM as you.
"Key point: DSL typically uses ATM, a layer-2 cell-switching fabric. The DSL
provider typically provides no Internet services, a layer-3 service. Instead,
it connects you to an ISP of your choice. The layer-2 ATM service is vulnerable
to being hacked. Also, you will see traffic such as broadcasts from your
layer-2 neighbors." link
Here's a link to a guy who says he's hacked his neighbors' dsl. hacker
In particular, the hacker says he was able to obtain and use the user ID and
unencrypted passwords of another user.
Given that criminal file sharers might be expected to hide their tracks and
given that the directions for hacking dsl are easily googled, it would seem
that the RIAA should have to make better efforts to prove that the internet
traffic did indeed come from the accused person's premises.
[ Reply to This | # ]
|
|
Authored by: philc on Friday, December 29 2006 @ 09:47 PM EST |
I am curious. How do you know that the files in question actually contain
copyrighted material? How do you know it's not a performance by a different group
that has a different owner? A lot of groups record the same material. They
license the sheet music and interpret it themselves; their performance can be
copyrighted.
Have they proven that they own the copyright to the material in question? Just
because it's in their catalog doesn't mean they own it. Have they proven that it
is an authentic copy of their material?
How do you know the material in question is your copyrighted material?
How do you know that your victim has not paid you for a license to that work? Is
your record keeping accurate enough to assert that? For example if I buy a CD
from a music store and rip it so I can listen on my computer is that the same as
sharing? Do you have a record that I bought that CD?
How do you know I didn't pay for that material from a different source and just
duplicated the material by sharing?
It is very hard to prove that an individual did a particular thing with a
computer. Computers just don't track the information carefully enough.
How do you know that your victim and not someone else made the copy?
Actually, do you know that the material is actually on the victim's computer as
the result of the sharing? Some visitor can download to a memory stick and walk
away with the downloaded copy.
Paying an ISP for an internet connection doesn't mean you know who is using it.
If you have a Wireless setup anyone within range can use your connection. Even
if you don't have wireless, anyone in your household both residents and guests
can access the computer.
If you have a laptop that you use on multiple networks and maybe share with
friends it is even more difficult to pin down who did what to the system.
People break into computers and take over operation. These Bots can do pretty
much whatever the controller of the bot wants. How do you know that the system
was not compromised at the time of the download?
How do you prove that people that buy software online from your partners are using
what they bought? How many years do to maintain records?
There is a matter of fairness. Sharing is part of our culture. We are taught
from an early age that sharing is good. You can buy a song for $1.00 at a RIAA
partner on-line store. You can "share" a $1.00USD song and it's worth 5
years in federal prison, a criminal record and $750.00-100,000.00 fine. You steal
the CD from a store and it's shoplifting.
You can listen to the song for free on the radio at no risk. You can load your
1.00USD song into your MP3 player and loan the player to a friend. However, if
you copy the song for your friend you are a federal criminal that hasn't been
caught yet.
How do you avoid becoming a victim of the RIAA? It's not easy. If you have a
computer connected to the internet make sure it is very secure. You may go to
Linux for added security. Use strong passwords and don't ever let anyone use it.
Second, don't have music around that you can't prove ownership to. Never have
music on a computer. It's just too dangerous.
I don't personally buy and download music or video because over time I lose my
receipts and I can't prove that I bought it. I don't buy music from music stores
for much the same reasons. Just because I have a CD doesn't mean I have license
to listen to it. I have some 30 years of purchased records and many old CDs that
I have lost the purchase receipts. That doesn't even count the music that has
been given to me over the years. There is no hope of proving that a 5 year old
downloaded song is paid for.
When the RIAA and MPAA give up this piracy campaign I may start buying music and
video again. When I feel it is safe to do so.
In the meantime there are concerts, movies, theater, radio, tv, rented DVDs and
the music and video collection at the public library. I am well entertained. [ Reply to This | # ]
|
- Well put - Authored by: Anonymous on Saturday, December 30 2006 @ 01:13 AM EST
|
Authored by: Anonymous on Friday, December 29 2006 @ 09:50 PM EST |
Everything rests upon the Verizon records. Can Verizon prove that the records
are accurate?
Questions to ask:
Has Verizon billing & IP recording software ever had errors in it? (The
answer is yes: there has not yet been software written without bugs.)
Has Verizon ever charged customers based on records that could have been
incorrect? (The answer is Yes. If you have records that are not provably
correct, and you charge people...)
Could the Verizon records regarding this be incorrect?
Has RIAA proved the correctness of the records? (Ans - No, since they haven't
investigated the Verizon recording software.)
(What's the level of proof required? Balance of probabilities or beyond
reasonable doubt?)
Ask for a copy of the billing and IP recording software, both binaries and
source code, and test data, to verify it. (It's unreasonable to convict someone
on evidence that they lack tools to challenge.) Ask for evidence that it is
exactly this version of the software that was in use. You are looking for
matching MD5 checksum fingerprints, verified by an independent expert to be
sure.
Repeat this with the software RIAA use.
Now submit both software for testing and bug checking. Your expert may be able
to find bugs.
Is a Verizon record alone, enough to prove that the defendant had a computer
connected? (Ans: No. You require some non-reproducible item introduced by RIAA
onto a computer, to be present when the computer is later independently
examined.)
Ask him how you would be able to prove irrefutably, that a file had originated
on the defendant's computer. (To do this you would need to uniquely identify a
computer - GUID might be good enough - and the file would need to be
watermarked, in a non-reproducible way, with this information. This is not the
case here.) Ask whether the files are uniquely identified, if so, how. (Ans:
[Check this] Kazaa does not uniquely identify file.)
Given that there is doubt that the defendant had a computer attached to the
internet, and given that the file is not uniquely identified, is there some
doubt that the file originated on the defendant's computer?
These questions should introduce reasonable doubt.
[ Reply to This | # ]
|
|
Authored by: Icicle Spider on Friday, December 29 2006 @ 10:06 PM EST |
Dr. Jacobson in his disposition concludes:
The hard drive that was
provided and that I inspected, showed little usage at all, as evidenced by the
lack of user created files and e-mails, and did not reveal the evidence noted
above, which I believe the correct hard drive would certainly have
shown.
Case closed, no?[ Reply to This | # ]
|
|
Authored by: sk43 on Friday, December 29 2006 @ 10:07 PM EST |
Just for fun, I'll poke at the curriculum vitae, since that is likely a bit
unfamiliar to most readers here.
His curriculum vitae is 26 pages long, which means it is padded with fluff, even
without reading it. Such fluff is not necessarily bad - I know some extremely
distinguished people who do the same - but it means one must trim away the fluff
to find the true merits of the person.
He has spent his entire academic career (undergraduate to Associate professor)
at one institution. In my experience this type of total "inbreeding"
is unusual, and when it occurs, it is detrimental both to the individual and to
the institution. Not always bad, but it raises a "red flag".
He appears to be very successful at raising funding (~$5 million). I would like
to be responsible for as little as he is.
What is his connection to "MS & ME non-thesis degree Graduate
Students"? I can't recall ever seeing such a list on a CV before. Fluff.
He is first author or primary co-author of only 5 refereed publications, the
last of which appeared 16 years ago. Ouch!!! I have postdocs with more
substantial credentials.
In his declaration, he states "I also have an appointment with the Iowa
State University police department, where I aid in computer forensics". OK,
this appointment is with the ISU Campus Patrol. He says nothing about what he
has accomplished in this position. It's worth asking about.
His expertise is in networking. Nevertheless, on p. 4 of his deposition, he
offers an opinion about data recovered from a hard drive. Furthermore he states
"A forensic inspection of a computer hard drive ...". What is his
expertise and/or experience in forensic inspection of computer hard drives?[ Reply to This | # ]
|
- Good point - Authored by: Anonymous on Friday, December 29 2006 @ 11:03 PM EST
- Random thoughts - Authored by: Anonymous on Saturday, December 30 2006 @ 11:23 AM EST
|
Authored by: Willu on Friday, December 29 2006 @ 10:19 PM EST |
Hi,
Like some others here, I think that arguing the "not 100% certain"
parts is tricky. The fact that it is possible to fake screenshots doesn't make
such fakery likely - especially when someone will testify that they weren't
faked. I still think you should push on a) finding out as much about
MediaSentry as possible, and b) get an admission that it isn't 100% foolproof.
(e.g. Can the witness guarantee that media sentry has no bugs? Are they even
willing to quantify how many bugs it might have and the severity of those bugs?)
I just don't think they're likely to help you too much.
I'm also going to assume your client is innocent, and that she's not trying to
cover things up.
The Verizon logs show that the person logged in had a particular IP. Some
ISPs assign IPs by ID/password, and some by physical line - you need to check
what Verizon was using in that area. Is there any evidence that the
infringement wasn't some third party with a stolen ISP password? i.e. The logs
may have tied the infringement to the Verizon account. Can they tie it back to
a particular phone line (for DSL), or cable segment (for cable modem)? If
not, how can they tie it back to a particular computer? If you have someone
else's DSL/Cable password, is it possible to log in as them and so obtain a
dynamic IP address as them without using a router or even being in the same
building? (Note, this behaviour would knock your client's connection out while
her account is being borrowed, but if she didn't use her connection she wouldn't
notice.) Does Verizon have any log of the modem ID (not sure about this, but
there may be one, and if it is different from your client's modem then you've
shown it was someone borrowing the account).
The HD being 'clean' is interesting. This suggests that either the Verizon
account was being 'borrowed' and a different computer used, or that the computer
was re-formatted after use. So one question is: was there evidence that the
drive was re-formatted after the sharing took place? Or the inverse question -
was there evidence that the drive had NOT been re-formatted since the file
sharing took place? (or can you find such evidence or testify that it wasn't.)
I'm going to assume that someone can testify that it was your client's actual
HD. If the drive hadn't been re-formatted, then the Verizon account must have
been stolen/borrowed, or the logs were otherwise incorrect. If the drive had
been re-formatted since the alleged infringement then things are trickier for
your client - you're now in the position of trying to prove a negative. You
could fall back on the 'my machine was hacked and I re-formatted it to clean it
up' defence. That is a good question to ask the security expert: "If a
machine is hacked, is re-formatting and re-installing a common way of recovering
the machine?".
If another computer had been used, then all your client is guilty of is having
her password stolen. How responsible she is for behaviour that took place with
a stolen (or lent) password is a legal question I'm not qualified to answer.
It is also a little strange that the Kazaa account was for jrlindor and the
defendant is M Lindor. Does that bit of evidence point at a family member...
say a son who brought over his computer, unplugged his mom's and plugged his own
in? Although Gustave doesn't begin with j either. Are there multiple Lindors
in the area? Is it possible that Verizon got their logs confused?
Assuming that jrlindor was someone not related to Marie, are there any logs
from Kazaa showing what IP addresses jrlindor logged in from apart from ones
linked to Marie? Where do they lead? Does UMG have any MediaSentry logs of
jrlindor sharing files from an address that doesn't point to Marie? (i.e. if
you can track down jrlindor then you have a way to show mlindor innocent.) Does
Kazaa have any contact information for jrlindor? Where does that lead?
Be well,
Will :-}
[ Reply to This | # ]
|
|
Authored by: Anonymous on Friday, December 29 2006 @ 10:41 PM EST |
1. Logs are only useful to the person who owns (or manages) the hardware that
created the logs. No administrator can do anything but guess about logs that
didn't come from their machine. This is because the activity displayed in a log
(or not displayed in a log) is highly subject to the device making the log in
the first place; as an analog: who can say what happened on a particular day
just by looking at a single page in someone's diary?
2. IP Addresses aren't as unique as the affidavit suggests. For example, there
are literally millions of hosts having addresses in the 192.168/16 range- a
range of addresses where there only could be 65,535 possible hosts. I guarantee
there is overlap. Apple computer corp. used a set of addresses already used on
the Internet for the longest time and simply resorted to address translation to
delay renumbering. It's better to say two hosts can't talk to each other if
they have the same IP address, which I'm sure you'll agree isn't the same thing
at all.
3. There is nothing about an IP address that says what kind of equipment the IP
address was assigned to. An IP address has a lot more in common with a name tag
on a person at a party than it does with a street address on someone's home. IP
addresses move, and change, and get swapped all the time. Moreover, the name
tag doesn't say anything about what color shirt someone is wearing.
4. Hard drives do not get cleaned. Almost every single hard drive has a feature
called SMART which is a counter that says how many revolutions the disk has
before it is likely to fail. This is the only effective way of determining
conclusively if a disk had data on it or not (using the disk itself)- but
doesn't appear to now.
5. Experts don't say they are. The only person who should testify is Verizon,
and all they can state (certainly) is that her account was used to do this
downloading. Nobody else can state this except Verizon, and nobody can state
any better with any certainty.
[ Reply to This | # ]
|
|
Authored by: Anonymous on Friday, December 29 2006 @ 10:55 PM EST |
He might try asking Lewis A. Mettler who is a lawyer and knows quite a bit about
computers and such.[ Reply to This | # ]
|
|
Authored by: Bill The Cat on Friday, December 29 2006 @ 11:50 PM EST |
I own a web site that gets attacks all the time and they almost all indicate
they are from a European country. The give away is that the referrer and the
URL added script indicate that everything is in Russia. I started performing
traceroutes whenever an IP came in to see where it really was and, whenever
possible, I tried to capture the MAC address of the network card of the
originating host (not really usable to determine location). The bottom line is
that IP address spoofing is common and popular. How is it being proven that the
IP address logged was actually on the computer being identified?
Hard Drive recovery is a very specialized field and there are specialists that
do only this kind of work. If I wanted forensic evidence regarding a hard drive
and contents/previous contents and recovery methods, I would contact DriveSavers
or some similar professional to perform independent 3rd party analysis. The
companies that do this kind of work are Very Good at what they do.
In today's environment of hacking, spoofing and computer crimes, I wouldn't
accept that what appears to be obvious is really the truth without first doing
additional work. Just because a drive appears to be empty and a network address
appears to be used doesn't mean it is necessarily so. The drive could be well
used and the IP address may be a phoney.
---
Bill The Cat[ Reply to This | # ]
|
|
Authored by: hAckz0r on Saturday, December 30 2006 @ 12:07 AM EST |
Mr Jacobson states that there are just two ways to allocate an IP address,
however that leaves out yet another layer of complexity which can easily be
exploited by anyone who wants to keep their true identity a secret. Hint: anyone
sharing on p2p that does not want to be caught might do this! One can use an
easily obtainable utility to change their own network card's Ethernet/MAC
address to some other person's unique value (e.g. Ms Lindor) that is configured
for that ISP's subnet, and then when the local DHCP server assigns the IP
address the DHCP logs will show not the hacker logging on but that person whose
address is being exploited. If Ms Lindor is not logged on at the time this will
work, and if she was rarely logged in then the probability of the hacker being
successful is greatly improved. All the hacker needs is to snoop the network,
record the Ethernet addresses seen for a while and then use one that is
currently not on line and he will be assigned that person's IP address.
Another thing not mentioned by Mr Jacobson is that the IP address assigned is
very likely to be different each time Ms Lindor were to login to the network.
DHCP has a timeout where the address is merely “leased” for a while and the
address can actually change from time to time. This means the network logs can
show her logging in at one point and the program can show the IP address being
used to share copyrighted materials, but unless they can prove that the DHCP
lease had not expired in that interim then they have no case. The lease can
last just hours, or weeks. Someone else could have been reassigned that same
address at a later point. Why does this happen? Because the ISPs do not want
you running servers on your home computer like a business, and if they make
your IP address keep changing out from under you then connections for
downloading things go to somewhere else, and you wind up paying more money for
a business class “fixed/static IP address”. This kind of policy can
significantly increase the ISP's profit margin if they can force you to pay for
keeping the same address. Ask the ISP how they do it, this could be important!
If Ms Lindor left her machine online for any period of time, or even left it
turned on, then it was likely connected to the Internet even if she were not
using it. If she did not have the automatic updates for OS patches turned on
then she was most likely running with several BOTs installed on her machine
with other people controlling it from afar. Many hackers seek out machines to
install file sharing programs with the intent of doing copyright infringement,
and the owner will never know other than the disk making noise of the network
or computer seeming slow. I have heard that when installing a brand new Windows
XP OS from the CD it will take up to several hours of patch downloads and
several reboots to complete their installations, however the average time for
the machine to be taken by a hacker is in the statistical order of only five or
so minutes! By the time you are patched your machine is already toast. If she
did not have a firewall enabled then other people were likely using her machine
for their own purposes. BTW – Kazaa is not the only application that uses the
FastTrack p2p protocol. Once a hacker has your machine it's easy to remotely
install a non-Kazaa p2p server application and run it using a back door without
the owner knowing it.
Kazaa/FastTrack uses encryption over the Internet. The best that Mr
Jacobson could do is to see that connections were made to and from an IP
address or get a listing of the contents. He can not tell what data flowed
between two other nodes on the network. Only if Dr Jacobson downloaded
copyrighted materials (yes actually breaking the law) and checked the files' MD5
or SHA-1 values of the downloaded materials against a database for copyrighted
materials then there is proof that someone's machine had that data available, but
whose? Again, addresses can change. If the files were not physically found on
the disk drive then they still need proof that they were on that machine
sometime before. If you erase files on a Windows system the data does not
disappear so quickly and can still be recovered by any competent computer
forensic expert. If the Disk was wiped with a military grade utility then you
can prove that statistically by looking at the empty space on the disk. If they
did not do any of that then they did not do their homework and still have no
case. They still need proof, not conjecture or hypotheses.
I could go on,
but I have rambled enough and it's getting late. Feel free to contact me off line
if you would like more discussion on any of this, or have any other questions I
can help with.
---
DRM - As a "solution", it solves the wrong
problem; As a technology it's technically infeasible.
|
|
Authored by: Anonymous on Saturday, December 30 2006 @ 01:08 AM EST |
Document 114. Paragraph 5 contradicts Paragraph 6.
He's attempting to use information (registry entries) from the hard drive in
Paragraph 5 to prove the computer was directly internet connected. In Paragraph
6, he says it's not the same hard drive that shared files.
|
|
Authored by: rjh on Saturday, December 30 2006 @ 01:34 AM EST |
Not a lawyer, but it seems that discovery would be less than thorough without
requesting and receiving the source code for MediaSentry and any other software
that has been relied upon to gather "evidence" for the RIAA's
investigation.
I've read that some jurisdictions throw out DUI charges if there is a request
for breathalyzer source code, because the manufacturers consider it a trade
secret and won't provide it. This case might offer a similar offensive defence
opportunity.
---
Stop the car! My head just blew out the window!
|
|
Authored by: Anonymous on Saturday, December 30 2006 @ 02:39 AM EST |
This is my opinion, based upon thirty years in the telecommunication industry,
including participation in the IETF, NIST, ANSI/ ISO/IEC, CCITT, ACM and IEEE.
While the good Dr. may know something about Computer and or Network
Security, he is not qualified to testify in this area for the reasons listed
below.
First, he is not a Professional Engineer!
Second he has no association with the IEEE and or ABET.
Third, he is not an electrical or electronic engineer.
Fourth, he is not a communications engineer or telecommunications engineer,
or any record of design, testing, or deployment of any telecommunications
systems or equipment.
Fifth, no employment history in the telecommunications industry or
telecommunications equipment / services provider.
His reliance on an IP address is simply bad science at best, or intentional
fraud at worst. He has made statements not supportable by science or
practice.
Six, no mention of work with NSA, DOD, or NIST.
I haven't found a single article published by the good Dr. in the following
association journals: IEEE, ITU, IEC, ISO, ANSI, NIST.
As best as I can ascertain, the good Dr. has never been involved at either the
national or the international level in any telecommunications standard setting
activity.
My very first question of the good Dr. would be, "Dr. -----, would you please
explain your formal and informal telecommunication training and
experience?"
My second question would be, "Dr. ----, can you tell if and when you
became a member of the IEEE?"
My third question would be, "Dr. ----, can you tell what work experience
you have in telecommunication equipment / services?"
Then I would, to have the good Dr.'s evidence struck from the record as he is
not qualified to testify in this area.
One last comment ---
This is to PJ --- I'm reluctant to describe the science and details of what is
wrong with the good Dr.'s evidence, as this can be used as a how-to manual
for those who don't "need to know"! Is there an email address where
we can send report outlines and how much time before reports need to be
submitted?
|
|
Authored by: Wesley_Parish on Saturday, December 30 2006 @ 03:52 AM EST |
Firstly, I don't have any brains, so picking them is likely to be not a very
fruitful exercise.
Secondly, there are some very strict guidelines in
the average Law of Evidence that I strongly suspect the RIAA is blithely
trampling under foot.
Thirdly, insofar as we can talk about a science
of law, we connect the practice of law to the practice of the natural
sciences, and they are nothing if not strict in their requirements of
reproducibility in experiments and data gathering, so that they can be
reproduced. Indeed, insofar as computer science is a natural science, it
also abides by those strict requirements of reproducibility. Your local
friendly philosopher of science should be more informative in that
respect.
Thus, if the RIAA is refusing to divulge its methods of
acquiring data,
It should therefore come as no surprise that in the
United States, more particularly in UMG v. Lindor, in Brooklyn federal court,
the RIAA is trying to prevent disclosure of the "instructions", "parameters",
and "processes" of MediaSentry's investigation.
my natural
assumption is that the RIAA is attempting to gain legal acquiescence in the
RIAA's public contempt of court.
Precisely why this contempt of court
should be tolerated by judge and jury, I am at a loss to imagine.
Have fun!
---
finagement: The Vampire's veins and Pacific torturers
stretching back through his own season. Well, cutting like a child on one of
these states of view, I duck
|
|
Authored by: Peter Baker on Saturday, December 30 2006 @ 04:40 AM EST |
Actually, having worked on sync issues across large networks, another thought
just struck me (ouch :-).
Three conditions MUST be met before the log of the IP address has any value:
1. Verizon's servers must use time synchronisation (an absolute /must/ to follow
an event chain, usually done with NTP which also calibrates the system clock).
The problem is that (AFAIK) (x)ntp doesn't produce a continuous log unless
specifically set up to do so (it normally only logs on bootup) so even if (x)ntp
is running it may be hard to prove that it was running at the time the logs were
obtained other than by getting a statement of server build and bootup/service
configuration. That would not PROVE time was accurate but make the assumption
that it was accurate more acceptable.
2. The home computer must also use some form of time sync. However, few Windows
home users know the possibility even exists (and/or how to use it), in Linux
distros I've seen NTP setups appear (now using the 'pool.ntp.org' NTP server
approach as a way to distribute load). How accurate was the system time? Did
anyone check when gathering evidence?
3. The DHCP lease was valid at the time the IP address was logged. If it
wasn't, the lease had expired and one cannot assure the machine was actually
online at the time. In effect, the IP address would not be conclusive, and the
end user identification by means of IP address would thus be impaired.
However, caveat: if you have a home system log of at least 3 different IP
addresses that match Verizon's record you can work out with a degree of
certainty how accurate the logs are. But not just from a single instance, and
it would merely reduce the uncertainty, not remove it altogether.
---
= PB =
"Only a man can suffer ignorance and smile" - Sting
(Englishman in New York)
|
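Added example (not part of the comment above or of any party's tooling): one way to test whether a logged (IP address, time) pair maps to exactly one subscriber once clock error and lease boundaries are taken into account, and to estimate clock offset from three or more matched events as the caveat suggests. The record layout, subscriber labels, addresses and timestamps are constructed assumptions, not Verizon's or MediaSentry's formats.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median


@dataclass(frozen=True)
class Lease:
    ip: str
    subscriber: str      # constructed label, not a real account id
    start: datetime      # lease granted, per the ISP's log clock
    end: datetime        # lease expired or released


def covers(intervals, lo, hi):
    """True if the union of (start, end) intervals covers [lo, hi] with no gap."""
    reach = lo
    for start, end in sorted(intervals):
        if start > reach:
            return False              # nobody held the address for part of the window
        reach = max(reach, end)
        if reach >= hi:
            return True
    return False


def attribute(ip, observed_at, leases, max_clock_error):
    """Classify an observation as single-subscriber, ambiguous or unassigned.

    max_clock_error is the combined worst-case error of the observer's clock
    and the ISP's logging clock, so the real event time lies somewhere in
    [observed_at - error, observed_at + error].
    """
    lo = observed_at - max_clock_error
    hi = observed_at + max_clock_error
    hits = [l for l in leases if l.ip == ip and l.start <= hi and l.end >= lo]
    if not hits:
        return "unassigned", []
    subscribers = sorted({l.subscriber for l in hits})
    gap_free = covers([(l.start, l.end) for l in hits], lo, hi)
    if len(subscribers) == 1 and gap_free:
        return "single-subscriber", subscribers
    # More than one holder in the window, or part of the window has no lease.
    return "ambiguous", subscribers


def estimate_offset(pairs, minimum=3):
    """Estimate (ISP clock - home clock) from matched lease events.

    pairs holds (home_log_time, isp_log_time) for the same event. Returns the
    median offset and the worst deviation from it; fewer than `minimum`
    matches is rejected because one coincidence says nothing about drift.
    """
    if len(pairs) < minimum:
        raise ValueError("need at least %d matched events" % minimum)
    offsets = [(isp - home).total_seconds() for home, isp in pairs]
    mid = median(offsets)
    spread = max(abs(o - mid) for o in offsets)
    return timedelta(seconds=mid), timedelta(seconds=spread)


# Constructed sample data (documentation address range, invented times).
D = datetime(2024, 1, 10)
SAMPLE_LEASES = [
    Lease("192.0.2.10", "sub-A", D - timedelta(hours=6), D + timedelta(hours=6)),
    Lease("192.0.2.10", "sub-B", D + timedelta(hours=6, minutes=5),
          D + timedelta(hours=18, minutes=5)),
    Lease("192.0.2.10", "sub-B", D + timedelta(hours=18, minutes=5),
          D + timedelta(hours=30, minutes=5)),          # renewal by the same holder
    Lease("192.0.2.11", "sub-C", D, D + timedelta(hours=24)),
]
SAMPLE_PAIRS = [
    (D + timedelta(hours=1), D + timedelta(hours=1, seconds=40)),
    (D + timedelta(hours=9), D + timedelta(hours=9, seconds=45)),
    (D + timedelta(hours=20), D + timedelta(hours=20, seconds=50)),
]


def demo():
    """Run the constructed observations and return their verdicts."""
    five = timedelta(minutes=5)
    times = [D + timedelta(hours=6, minutes=3),    # straddles a handover
             D + timedelta(hours=12),              # well inside one lease
             D + timedelta(hours=18, minutes=5)]   # at a renewal by sub-B
    return [attribute("192.0.2.10", t, SAMPLE_LEASES, five)[0] for t in times]


if __name__ == "__main__":
    print(demo())
    print(estimate_offset(SAMPLE_PAIRS))
```

The width of the error window decides the outcome near a handover, which is why the accuracy of both clocks has to be established before a lease record is read as an identification.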
|
Authored by: davcefai on Saturday, December 30 2006 @ 06:02 AM EST |
Looking at this case as something to be presented to a mostly non-technical
committee I would first summarise the case along these lines:
1. The RIAA claim that the defendant illegally shared copyrighted files to which
they hold the copyright.
2. The RIAA have not identified the files in question or demonstrated that they
do own the copyright.
3. The only possibly significant evidence presented is in the form of logs from
MediaSentry.
4. The RIAA have refused to present evidence regarding the method used to
generate these logs.
5. No evidence to show that the files were indeed present on the defendant's
computer has been presented. On the other hand the plaintiff's expert witness
has categorically stated that he found no infringing files on the Hard Disc he
was requested to examine.
Frankly I think that this is enough to blow the case out of the water without
confusing the judge!
|
|
Authored by: Anonymous on Saturday, December 30 2006 @ 06:07 AM EST |
The lightly used machine and the wrong HDD give us the answer. NO, when the
lease for a machine expires the router will assign the IP to another. Will there
be a record of the IP on the first machine? YES. Does that prove anything? NO.
|
|
Authored by: Anonymous on Saturday, December 30 2006 @ 06:32 AM EST |
What is... COMPUTER SECURITY anyway? All questions of guilt on a
computer can be looked at from this point of view.
---- Someone above, might have mentioned something like what is written below,
so if so this might be redundant- but a true story is this...
Here is a story of a friend of mine that is an extreme techie that for free
fixes other friends' Windows computers all the time...
One day when I was hanging out at this fellow's house, and this other friend of
his brings by his computer and says that it is very slow and that he leaves it
on all the time on line (Cable or DSL) and that he comes home from work and
sometimes finds that it is rebooted (all by itself).
Upon examination of the computer a Trojan and other files were found deep in
the system in areas that the average computer user NEVER goes to (not the
Documents or Music folder). There was a backdoor put in and the computer was
being used as a server for video files... the name of the computer on this
backdoor network (if you will) was "video_(profanity redacted due to PJ's
policy on bad language)".
The innocent user was clueless.
I have seen the same situation at a relative I know of where their kid's
computer was being used in a similar way!
With the security of Windows, and the fact that computer security is an
oxymoron (see:
Are you aware of experts say that computer security is an oxymoron (here is
who says this)?
Authored by: Anonymous on Friday, July 28 2006 @ 08:40 AM EDT)
...one can only conclude that any system can be taken hostage and the RIAA's
methods of accusing folks of doing something does not take under account that
even if certain files exist on a computer, or are identified as being shared,
the question remains if the actual computer owner or user of ANY COMPUTER
CONNECTED TO THE INTERNET AT ALL can be found to be guilty beyond a shadow of
a doubt of illegal copyright sharing activity as it is not beyond the reality
of computer science imaginations to see where it can be easily proven in a
courtroom demonstration, in front of a jury or a judge, that a trojan remote
control program could easily, without the user or computer owner's knowledge,
set up a computer on any internet sharing network that you can also imagine
(and there is more than one) and the average computer user on a high speed
connection (or even dial up as a long time ago I once tracked a remote control
session being created live, by someone else on the internet that I did not
know, on a computer over a dial up connection where a RAM drive was created in
RAM and the idea was that this "cracker" would most likely then run programs
remotely to do other stuff on this computer, all from those files that were
created on the new drive)... anyway, the moral of the story is this, NO WAY
would any user be able to know this was happening and in fact there is a good
chance that the anti virus software and any intrusion detection software that
an average user would be using, would not have a clue that the computer is set
up in such a way, and the person (or computer) that is controlling the other
computer from afar could, if they wanted to be a real joker, then remove all
traces of the trojan on the host system and just leave it set up to do its
thing in the sharing mode to whoever that they wanted it to share with (again
without any way to detect or know of the fact that the system had at one time
been controlled from afar by a remote user that did not have the computer
owner's permission to be using that computer)!
In the case described... then why is this person not innocent until proven
guilty... and the RIAA can not ever prove that the WINDOWS system was NOT a
Trojan invaded computer and that the user or owner NEVER knew it, it just can
not be proven.
The CIA can not even be confident with any computer hooked to the internet
that it can not be compromised!
Read this and the following comments in the string that are important as well:
I read an article about the CIA & we have done the same for years too.
Authored by: Anonymous on Tuesday, August 22 2006 @ 01:23 PM EDT
With all this in mind... if you had someone who was an expert in computer
security on the stand (for any operating system that exists) you really can
not "BEYOND a SHADOW OF A DOUBT" for the average user's system that is hooked
up via DSL or Cable high speed internet, say that the system was not
compromised and that the system was not at one time controlled from another
computer somewhere else on the internet.
And without being in the room and witnessing that actual person setting up
the computer for illegal file sharing, also keeping in mind that even WITH
such a witness (that would have to be there 100% of the time to also testify
that in the next minute that the person felt guilty and ceased the activity),
that you can't prove the level of guilt that the RIAA is charging the average
user of...! Just ask the CIA if a computer connected to the internet can be
secured!
Or ask the NSA! As if the CIA could protect a system they would see no need
to have 2 networks running (one inside that is not connected to the internet,
and one that can be connected to the internet)!
I have not read one article by any security expert that says that any
computer system can be secured 100%. If such a computer system were able to
be secured then Microsoft would have bought them up as the higher bidder and
you would be seeing non-stop Microsoft ads on every available media outlet to
buy ad time on (including bill boards) proclaiming that this level of security
is for sale.
DRM and other such content security schemes even are not 100% - so look for
the lowest common denominator, and ask yourself if "beyond the shadow of a
doubt, or even based on some circumstance situation," can a court prove guilt
- without risking the chance that the penalty is being applied to someone who
is truly innocent. The state of the art regarding DNA of computer science and
security just is one big gray area... and according to the REAL computer
experts - it looks to remain a gray area for the rest of time, period.
Also read this:
Are you ready for your patent AUDIT? & that security salesperson who sold
security with EULA?
Authored by: Anonymous on Wednesday, August 23 2006 @ 08:19 AM EDT
Read all the comments and following comments to understand this as well...!
|
|
Authored by: ausage on Saturday, December 30 2006 @ 06:38 AM EST |
First a note about BMG vs Doe in Canada.
The subpoena request by the music industry requiring 5 ISP's to identify the
names and addresses of 29 John / Jane Does was denied for the most part
because the only evidence presented, the affidavit of the president of
MediaSentry, was classified as hearsay since he did not have any personal
first hand knowledge, but rather reported what his employees did. Secondly,
the ISP's and the court also doubted the accuracy of the information that
could be retrieved from the ip address assignment log files several months
after the alleged infringements. I believe that both of these items are
relevant to the Lindor case.
I have the following observations about Dr Jacobson's reports.
Dr Jacobson's curriculum vitae could be very important. It appears to be very
bloated and filled with a great deal of inconsequential detail. It is the
first time that I have ever seen an academic curriculum vitae listing the work
of students. Looking through the list of "Honors and Awards", none of them are
recognizable, and many are questionable (Phi Kappa Phi as an award ??). There
is so much trivial data in the document (technical presentations to the Lions
Club ??) that it is hard to separate the wheat from the chaff.
If I were one of the Nazgul and wished to challenge his credibility, I would
use this to rattle his cage, referencing papers written by others and forcing
him to admit that was not his work, why is he taking credit for papers
submitted and never published, why is he inflating himself.. what is he trying
to hide.. etc.
OTOH, I have no doubt that Dr Jacobson does possess some technical expertise
and perhaps that can be used to support the Lindor case. From his resume, I
get the impression that he needs to make himself more important than he knows
he is and if he can be led into believing that this is a case of mistaken ip
identity, he may provide the expert testimony to back that conclusion up.
Especially after his Dec 19th forensic report.
In his first affidavit, Dr Jacobson provided what could be called a good
simplification for the layman of ip address assignment. I suggest that during
the deposition, to stipulate that Ms Lindor's internet account with Verizon
was either dial-up or DSL with dynamic address assignment, as the case may be,
and then concentrate on the information that is missing from his report.
What is important in a case of mistaken IP address identity is how the
internet address is assigned and how and where the assignment is recorded.
1) How does Verizon in Brooklyn (location is important as this can vary from
one neighborhood to another) assign IP addresses? Is the IP address assigned
to a circuit identifier (telephone line), to a MAC (hardware ethernet card)
address, or simply to a user account?
2) How much information about the address assignment does Verizon store in
their log files and is it on the same equipment that assigned the address, or
is the information transferred from one piece of equipment to another?
3) How long is the raw information stored? Is it summarized and stored for
longer periods? How accurate is this process?
4) How accurate is the information in the log files (raw and processed?) Has
anyone ever done any analysis for this? Ask him to comment on the quotes from
the Canadian ISP's in BMG vs Doe, where they stated that they were uncertain
if the information was available and that it would be difficult to obtain and
were unsure of the accuracy. Both Rogers and Sympatico are ISP's similar in
size to Verizon (i.e. hundreds of thousands of subscribers).
5) Suggest the possibility that Ms Lindor's account was hi-jacked by an
unknown third party and ask him to list ways that this could happen, given
that it is an account that is rarely used. Could someone use her userid and
password? Would it be possible to spoof a router? Could someone install a
trojan to forward traffic through her computer? What happens if two separate
computers use the same userid at the same time? (Many ISP's do NOT detect
this condition. i.e. Cogeco and Sympatico in Canada)
6) Ask him how would an expert detect if a little used ip address identity
was stolen. Did anyone examine this possibility seriously for the Lindor
case? Does Verizon have the information to identify if the IP address
assigned was actually routed to Ms Lindor's residence? Was this information
examined at any time?
Under the heading "Descriptions of Technologies Involved" he provides a
description in layman's terms of the technologies involved. Although his
descriptions are quite lengthy, they oversimplify, sometimes misrepresent the
truth, and leave out many important details.
7) What kind of records and logs does Verizon maintain about IP address
assignments? How are they generated? By what program running on what
equipment? How are they kept? How long are they kept? What information
exactly do they contain? How does he know this?
8) Given the time span between the Media Sentry discovery of the alleged
copyright infringement and the request to Verizon to identify her, were the
raw data logs available, or was the information Verizon provided based on
some form of summary of the raw data? Is the raw data still available for
analysis? How does he know this?
9) In many cable and DSL systems it is often possible to have multiple
computers connect to the system, each obtaining a different IP address,
simultaneously. (I have personally observed this with Cogeco Cable and
Sympatico.ca DSL in Canada). Is this possible with Ms Lindor's ISP? How does
he know this?
10) Are there any records indicating that Ms Lindor's account was ever used
by multiple computers (different MAC addresses, circuit id's, multiple
concurrent IP address assignments, etc.)? Was a search done for such records?
If not, why not? How does he know this?
11) Can he testify to the accuracy of the information contained in Verizon's
subpoena response?
12) Does he know how Verizon matched the ip address to the user account? What
log files were used? Were they raw or processed data? What data they
contained? The equipment and programs that created them?
13) Can he describe how a user's computer connects to the internet in Ms.
Lindor's location? What equipment is used? Which piece of equipment assigns
the ip address? Where is the log record created? If it is not on the same
piece of equipment how does the information get there? How many pieces of
equipment are located between the user's computer and the location where the
logs are kept?
14) Is it possible for another person to connect to the Verizon network at Ms
Lindor's location using the account assigned to her? What security measures
does Verizon have to prevent this from happening?
15) If as stated on Groklaw it is true that the Verizon account was cancelled
in July 2004 and the alleged infringement occurred in Aug 2004, how is it
that the account was still in use? Is it possible or even likely that some
third party (a Verizon employee or contractor) "converted" -- in a legal
sense -- the account for their own illicit activities? If this happened, as
an expert how would this be detected?
16) Has anyone examined the records of use of this account -- hours connected
and bandwidth consumption -- to determine if the account was hi-jacked? Would
this be possible?
17) Since the account was cancelled is it possible that Verizon made a
mistake tracing the IP address back to this account? What information would
be necessary to detect this? Does that information exist? Has it been
checked?
18) Given that Ms Lindor had an internet account that was basically unused,
was this not an ideal account for some third party to "convert" [used in
legal sense] to their own use for illicit purposes?
19) Given that Ms Lindor has submitted her hard drive to examination with the
result that no evidence of infringing music files or P2P file sharing
software was found, is paragraph 22 of his April 12th declaration, "I will
testify that, based on the MediaSentry UserLog, the music found on the
Defendant's computer was downloaded from other user on the Internet",
incorrect?
20) Given the previous question, is paragraph 21 of his April 12th
declaration, "I will testify based on all the information provided that the
computer that had the IP address 141.155.57.198 on 8/7/2004 at 6:12:45 AM EDT
was registered to the Defendant and that the said computer was used to
distribute copyrighted music" also incorrect?
21) Does he have first hand, personal knowledge that the information provided
by Verizon is correct?
22) Has he had any communication with the person at Verizon who signed the
subpoena response to determine if that person has first hand, personal
knowledge of the accuracy of the information it contained?
23) Does he have first hand, personal knowledge that the information provided
by Media Sentry is correct?
24) Is he aware that courts in Canada and the Netherlands have rejected the
investigations of MediaSentry for use as evidence?
25) Is he aware of the "Independent Experts Reports" of Prof. Sips and Dr.
Pouwelse critiquing the methodology of Media Sentry's "investigative" work?
Would not such a report be relevant to his testimony?
26) Has he had any communication with the individuals who did the
investigative work for MediaSentry to verify the accuracy of the information
provided to him?
27) Is it true that the only information he has from personal, first hand
experience is that the hard drive from Ms Lindor's computer shows no evidence
at all of infringing files or P2P file sharing programs?
28) Since the facts as he had personally determined, contradict his April
declaration, does that not mean that the information he based the April
declaration on must be flawed, incorrect or incomplete?
29) Is not the most probable explanation of the facts that some third party
used Ms Lindor's account from an unknown location using an unknown computer
and that Ms Lindor is innocent of all the allegations against her?
|
|
Authored by: Anonymous on Saturday, December 30 2006 @ 06:40 AM EST |
AC
Waiting for the world the change...
|
|
Authored by: talldad on Saturday, December 30 2006 @ 07:36 AM EST |
This man sounds like he could serve it up like IBM's lawyers to SCO - the RIAA
may wish they had never commenced the action! :-)
---
John Angelico
Down Under fan &
OS/2 SIG Co-Ordinator
|
|
Authored by: Anonymous on Saturday, December 30 2006 @ 07:45 AM EST |
There's something missing here.
According to the Affidavit and Expert Report (which does
not contain item (i) Disk drive from defendant's computer)
he states (item 21)
I will testify, based on all the information provided that
the computer that had the IP address of 141.155.57.198 on
8/7/2004 at 6:12:45 AM EDT was registered to the Defendant
and that the said computer was used to distribute
copyrighted music
So the Plaintiffs have already accepted that it was Marie
Lindor's computer that was used.
But then in the Declaration he says that the harddrive
supplied was not the one that was used.
So unless Marie Lindor has more than one computer or
changed her computer or harddrive since 8/7/2004 then this
would appear to prove that something is wrong with their
data collection from Media Sentry as the expert witness is
saying in one report that he's prepared to testify that it
was Marie Lindor's computer and then in another states
that it wasn't her computer.
Tim.
|
- Something missing - Authored by: Anonymous on Saturday, December 30 2006 @ 08:58 AM EST
|
Authored by: Simon G Best on Saturday, December 30 2006 @ 08:06 AM EST |
I've just read the "April 2006 boilerplate report" (though I didn't bother
reading the CV appendix). There are some things I'd like to say. This is
pretty rough, though, as I haven't really spent time digesting
it.
On page 2, in the item numbered 12, there's the following
paragraph:-
Information is transported through the Internet
in small chunks called packets. Each packet traverses the Internet and is
reassembled by the destination machine. Each packet contains both the source
and destination IP addresses. The source address is analogous to the return
address on a letter and the destination IP address is analogous to the send to
address on a letter.
Some questions that came to my mind were:-
- Can the sender give a fake source address?
- If the sender gave a fake source address (meaning it would have really come
from somewhere else, of course), could the recipient know?
- How could it know?
- Could it know where it really came from?
- If so, how?
Also on page 2, in item 12, is the
following:-
Every computer or network device
directly connected to the Internet must have a unique IP address.
...
(Emphasis mine.) Computers (and the like) can be
indirectly connected to the internet. For example, my PC is sitting
behind a router that does Network Address Translation (NAT). So, my PC is
not connected directly to the internet, but
indirectly via my router. My router gets assigned an IP address by my
ISP, but my PC has its own, private IP address assigned by me (and there are
many other things out there with the same IP address). Indirect connectivity
may be significant.
Page 3, in item
13:-
This case involves illegal file distribution using
peer-to-peer networks. Peer-to-peer networks are a method used to distribute
files from a user's computer to other users on the internet. They can also be
used to obtain files from other users. Peer-to-peer networks are often used to
distribute copyrighted material like songs and movies. In addition,
peer-to-peer networks are also used to distribute other file including
pornography, child pornography, computer virus, and data files. A more detailed
explanation of peer-to-peer network is included
below.
Well, that's just shocking. It's an ignorant,
tabloid 'definition' of peer-to-peer networking. It reminds me of dihydrogen
monoxide (DHMO).
Firstly, as I understand it, 'peer-to-peer' is a kind
of network topology. It's not specifically to do with so-called
'file-sharing'. The internet itself is an example of a peer-to-peer networked
net. Unless I've got it horribly wrong (which I doubt), this is surely
really basic stuff for a computer network expert - isn't
it?
Secondly, he's playing word association games - "pornography, child
pornography, computer virus, and data files." (Oh, no! Not "data
files"!) It's just like DHMO - water made to
sound really scary and dangerous, as if it's a chemical that really ought to be
banned (or, at least, very tightly regulated). He's parading his bias
- blatantly.
Thirdly, even when it comes to "copyrighted material like
songs and movies", that doesn't mean there's any copyright infringement going
on. After all, the copyright holders might have given permission for such
distribution and redistribution. It might even be the copyright holders
themselves who are doing the sharing! (Wasn't there a story recently about the
BBC becoming a file-sharer?) Just look at the use of BitTorrent for
(legally) distributing software (such as Linux-based operating
systems). He's clearly trying to play on others' ignorance.
Despicable.
Again on page 3, in item
13:-
... The users of the peer-to-peer network often think
they are anonymous when they distribute files. In reality, they can be
identified using the IP address. The IP address of the computer offering the
files for distribution can be captured by a user during a search or a file
transfer. That IP address can be associated with an organization such as, an
ISP, business, college or university which can identify the user by the IP
address.
Firstly, users cannot directly be
"identified using the IP address", as it's computers (and the like) that have IP
addresses, not users. Users can move from computer to computer, but
the computers' IP addresses stay where they are. Different users can use the
same computer, without the IP address changing. More information would be
needed than just an IP address.
Secondly, there's also the issue of
indirect connections of various kinds. As well as such things as
routers that do NAT, there are things called 'proxies' on the internet. There
are various kinds of proxies, and the like, for various things - including user
anonymity. Add to that the question of fake source IP addresses, and it gets
interesting.
On page 4, still in item
13:-
With the decentralized peer-to-peer network, every
computer that is part of the network has its own list of files that are offered
for distribution, and each computer is connected to a small number of other
computers (neighbors). Each neighbor is connected to a small number of
computers and so on. When a user wishes to search for a file, a request is sent
to each neighbor and each neighbor sends the request to the next neighbor and so
on. If a computer gets the request and has a match, it will send a message back
to the requester telling them it has the file(s) and providing them with
information about the file(s).
Note that this is going from
neighbor to neighbor, not directly from one end to the other. Each
'hop' along that journey involves directly connected neighbors communicating
with each other over the internet. The IP packets don't go all the way from one
end to the other, but only from one neighbor to a directly connected neighbor.
So, the source and destination IP addresses in those packets will only be for
directly connected neighbors, not the two nodes at the ends of the
whole thing. That gives plenty of opportunities for shenanigans - who knows
what the intermediate nodes are really
doing?
Still on page 4, and still in item
13:-
Distributing files first requires that the user must
put the file into a shared folder. Information about the files within these
shared folders is uploaded to the index server and can be downloaded by other
users of the KaZaA network. This is analogous to putting a list of copyrighted
music you have available in a public place and telling everyone they are welcome
to stop by your house and pick up a copy of the song.
And
here's what I wrote in my quick notes:-
Pedantically
correct, perhaps, but it's clearly making it sound illegal. After all, in the
analogy, the user may well have the copyright holders' permission to do this,
and may, of course, actually be the copyright holder.
The
point of that is that this 'expert' is again trying to associate peer-to-peer,
file-sharing networks with illegal activities. It seems to be quite a theme
he's got going in this report. Again, I refer to BitTorrent as a good example
of why this is a misleading way to describe this technology.
On
page 6, in item 18, he says:-
... IP address 141.155.57.198
offered 624 audio and music files, most of them are copyrighted music files, for
distribution using the KaZaA program on 8/7/2004 starting at or around 6:12:45
AM EDT through at least 7:08:30 AM EDT.
even though, in the
preceding item, item 17, he says that MediaSentry only downloaded "11 songs".
"11" is not "most" of "624". Without downloading the other 613 things, how
could MediaSentry know what they were, or whether or not they were
"copyrighted"?
Again on page 7, item 16 says the "KaZaA user
id" is "jrlindor@KaZaA", while item 20 says that "Verizon Internet Services
identifies Marie Lindor as the subscriber of record for the IP address
141.155.57.198 on 8/7/2004 at 6:15:34 AM EDT." Is "jr" short for "Marie"? How
reliable are Verizon's records? Who else might have had access to Marie
Lindor's account?
Anyway, that's sort of my first impressions
response to that report.
--- NO SOFTWARE PATENTS - AT ALL! [ Reply to This | # ]
|
|
Authored by: PeteS on Saturday, December 30 2006 @ 08:13 AM EST |
I design hardware for a living, although I've written a lot of code at
all levels (direct hardware control to application) in my time.
The MAC
address of any device on a given network must be unique (for anything using an
ARP based protocol, anyway), but what most don't know is how that number
originally gets assigned and how it gets used.
When a manufacturer wants to
supply devices with MACS and MAC addresses (more properly known as an OUI), it gets a
range of numbers from IEEE (previous link goes there) and assigns one of the
numbers to each device.
So far, so good.
Now, that number is usually
stored in a small EEPROM (if anyone desires a link to a typical MAC device
datasheet, then ask, and I'll even throw in a typical design schematic),
but even if the MAC loads this number, it is still ludicrously easy to
tell the controller to use a different one. [Details on how to do this are
easily available - again, if details are desired, ask]
After all the
writings here on how to sniff a valid MAC and wait until it gets switched off,
it is a very simple matter to make any machine appear to be
something it isn't.
True story: When developing a next-gen video-on-demand
system, we had to assign MAC addresses internally - we never hit the outside
networks, so we simply re-used a few we had; 4 or 5 used on literally hundreds
of pieces of equipment, which led to some interesting issues when we 'forgot'
one and left it on a piece of running equipment and tried to assign it ;)
In
mass manufacturing, we don't assign MACs until the unit is completely tested, so
a known single MAC is used at the initial tests. The reason is the MAC is a
large part of the cost of the hardware to be shipped; we aren't going to assign
one to a defective piece of equipment.
Anyway - my point is that as it is so
incredibly easy to change the MAC address on virtually any MAC device
via software, it's not a reliable source of identifying a specific
computer.
Some companies use the onboard NIC information to tie a single
computer licence for their design tools to that computer (amongst some other
things), which gets really interesting when you have to change the NIC - I have
seen some acquaintances spoof (by reloading) the MAC on a new card to get their
tools operational until they could get a new key from the tool company involved;
in two cases I personally know of this was their only option as the companies
had gone out of business, so these skills are hardly ground
breaking.
PeteS
--- Only the truly mediocre are always at their
best [ Reply to This | # ]
|
|
Authored by: Neurophys on Saturday, December 30 2006 @ 08:19 AM EST |
Reading through this case, I get more and more puzzled. Why does RIAA go after a
lady who doesn't know anything about computers and where they suspect 11 illegally
downloaded files?
They must know they have a weak case. They are not stupid people so there must
be something very important for them in this case. Did they expect the lady to
be a pushover? Do they try to get support for the notion that the house owner
may be liable?
Pål[ Reply to This | # ]
|
- Looking up - Authored by: Anonymous on Saturday, December 30 2006 @ 08:55 AM EST
- Looking up - Authored by: Anonymous on Sunday, December 31 2006 @ 01:53 PM EST
- Looking up - Authored by: Anonymous on Saturday, December 30 2006 @ 10:11 AM EST
|
Authored by: julian on Saturday, December 30 2006 @ 08:38 AM EST |
Occasionally when I use a Windows computer and I use "Network
Neighborhood" I find computers listed there that I know to have been off
line for months.
Most of us have also seen a web page that is supposed to be different than what
we are seeing.
So did Media Sentry allow for caching of data? Is the computer they think they
see on line just in some cache? How about the data, did it come from the
computer or a cache?
This could make timestamps inaccurate also.
---
John Julian[ Reply to This | # ]
|
|
Authored by: Anonymous on Saturday, December 30 2006 @ 09:16 AM EST |
If the RIAA are trying to prove she was a distributor then given the ease of
compromising a Windows box (and the likelihood of a fairly non-tech user not
having proper AV protection) think they should also be proving it was done
manually by someone actually sitting at the PC and not by some remotely
controlled trojan.[ Reply to This | # ]
|
|
Authored by: jcaveman on Saturday, December 30 2006 @ 09:29 AM EST |
Almost every home router, wireless or otherwise, allows the arbitrary cloning of
MAC addresses. They actually need to be able to do this because many ISPs will
only allow the cable/DSL modem to sync with the MAC address of the machine the
connection was originally installed on. As a result it is possible to have the
router appear to have the same MAC as a PC behind the router/firewall, or any
other PC for that matter.[ Reply to This | # ]
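The two comments above on MAC assignment and cloning, turned into a check a network operator could run over switch or DHCP observations (an added example, not part of either post; the observation format, port names and MAC values are constructed). It reads the IEEE locally-administered bit and flags one MAC seen on two ports at nearly the same time; a cloned factory address passes the first check, and neither check ties a MAC to one physical machine.

```python
import re
from collections import defaultdict

# Constructed observations: (seconds since start, switch port, MAC as logged).
OBSERVATIONS = [
    (0,    "gi0/1", "00:11:22:33:44:55"),
    (10,   "gi0/2", "02:00:5e:10:00:01"),   # locally-administered bit set
    (20,   "gi0/3", "0011.2233.4466"),
    (30,   "gi0/7", "00-11-22-33-44-55"),   # same MAC as gi0/1, 30 s later
    (4000, "gi0/4", "00:11:22:33:44:66"),   # same MAC as gi0/3, much later
]

def parse_mac(text):
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff or aabb.ccdd.eeff; return 6 bytes."""
    digits = re.sub(r"[:\-.]", "", text.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a MAC address: {text!r}")
    return bytes.fromhex(digits)

def fmt(mac):
    """Canonical lower-case colon form, so differently written MACs compare equal."""
    return ":".join(f"{b:02x}" for b in mac)

def describe(mac):
    """Split out the IEEE-assigned prefix and the two flag bits of the first octet."""
    return {
        "oui": fmt(mac[:3]),                       # block assigned to a manufacturer
        "locally_administered": bool(mac[0] & 0x02),  # set: not a factory address
        "multicast": bool(mac[0] & 0x01),
    }

def locally_administered(observations):
    """MACs whose U/L bit says the address was set in software."""
    found = set()
    for _, _, text in observations:
        mac = parse_mac(text)
        if describe(mac)["locally_administered"]:
            found.add(fmt(mac))
    return sorted(found)

def find_conflicts(observations, window_s=300):
    """Map each MAC seen on two different ports within window_s seconds to those ports."""
    by_mac = defaultdict(list)
    for t, port, text in observations:
        by_mac[parse_mac(text)].append((t, port))
    conflicts = {}
    for mac, seen in by_mac.items():
        seen.sort()
        ports = set()
        for i, (t1, p1) in enumerate(seen):
            for t2, p2 in seen[i + 1:]:
                if t2 - t1 > window_s:
                    break                      # later sightings are even further away
                if p1 != p2:
                    ports.update((p1, p2))
        if ports:
            conflicts[fmt(mac)] = sorted(ports)
    return conflicts

if __name__ == "__main__":
    print("software-set addresses:", locally_administered(OBSERVATIONS))
    print("same MAC on two ports :", find_conflicts(OBSERVATIONS))
```

The sighting of the `...44:66` address on a second port more than an hour later is not flagged: a device that moved and a second device reusing the address look identical in such a log.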
|
|
Authored by: Neurophys on Saturday, December 30 2006 @ 10:05 AM EST |
Why didn't they attack a guy with one zillion up and downloads? Must be almost a
certain win, at least if they find P2P-programs and music files on the disc(s).
There must be some kind of strategy behind this.
Pål[ Reply to This | # ]
|
|
Authored by: KurtVon on Saturday, December 30 2006 @ 10:07 AM EST |
You say the hard drive image you were provided with showed that it was connected
directly to the internet. Correct?
And because of this, you claim no other computer could have been connected
to the defendant's IP address. Correct?
You also say that the evidence provided by MediaSentry and Verizon points to
this computer as the one sharing files. Correct?
You want to confiscate another hard drive in a different computer, based solely
on the fact that it was in the same city at some point.
So how do you reconcile your claim that the computer you examined must be the
computer that was sharing files and the computer you are asking for could be the
correct one instead?
At this point he must either claim the defendants are colluding to destroy
evidence, or he must admit that he may be wrong about which computer was the one
involved. I'm assuming he goes for the former (which is the only response that
doesn't destroy his testimony).
Did you collect the evidence provided by MediaSentry? Did you have anything to
do with the authorship of MediaSentry? In your experience, have you ever used a
complex software program that had no bugs? Do you know how Verizon collects and
stores its user data? How much information do you estimate that database would
hold? Do you know how the information they provided was computed? In your
experience, have you used a very large database that contained no erroneous
records, and whose access was not subject to human or machine error?
Does the hard drive, by itself, indicate any evidence of collusion to destroy
evidence beyond the lack of use?
Given that the defendant admits she does not know how to use a computer, how
much usage would you expect to see on the hard drive?
So your accusation of criminal activity is based not on anything you have
directly observed, but your trust of third party analysis of third party
software combined with information supplied by a fourth party, any of which
containing even one single error would result in a false accusation?
Why would you trust this more than your own analysis of the hard drive?
[ Reply to This | # ]
|
- Screen shots - Authored by: Anonymous on Saturday, December 30 2006 @ 10:12 AM EST
|
Authored by: Anonymous on Saturday, December 30 2006 @ 11:04 AM EST |
In reading "Description of Technologies Involved - The Internet and
Addressing", there is an oversimplification that each computer has a unique
IP address. The missing piece is that they are temporally unique (i.e., no
other machine has that address at that time). The author does identify this a
few paragraphs later though.
Other possible directions:
- what about the MAC address of the Lindor computer. Without actually
temporally matching the IP address to the MAC address, the claim that it was
assigned to the Lindor computer becomes a my-word-against-yours argument.
- ask if IP addresses and MAC addresses can be forged. Using the zip code
analogy, can envelopes be stolen out of your mailbox? (i.e., identity theft
analogy?)
- was the Lindor system on cable modem, DSL or dial-up? If the latter, 58
minutes to download 11 songs may be a tight squeeze (look at the file sizes),
especially since they were also busy identifying that many of the 624 files were
copyrighted. That's a lot of work to do if it wasn't automated. If it was
automated, take a look at their methods. If it involves hashing, ask them to
explain collisions.
- If it was dial-up, the IP address assignment argument may be moot.
- how did MediaSentry identify that most of 624 audio files were copyrighted
without downloading them in that 56 minute window?
- the good doctor can only offer opinion based on the data presented to him.
This may or may not be the point of attack. We need to know how the data was
collected and how the evidence was preserved between collection and presentation
to Dr. Jacobson.
- what is a MediaSentry Trace?
- Verizon can vouch for the security/accuracy of their logs? (Who handles them?
How are they gathered? Who has access to them prior to archiving? Are they
digitally signed at some point?)
- Uh, certificate of registration? With whom, for what?
- MediaSentry is authorized to gather evidence by/for whom?
- 16-22 looks a lot like hearsay. He can only testify to that based on what
MediaSentry has "told" (given to) him. Doesn't "speech"
also include printed text?
[ Reply to This | # ]
|
|
Authored by: Anonymous on Saturday, December 30 2006 @ 11:23 AM EST |
that as soon as they label a witness NOT an expert his testimony is lessened and
in fact it might even become called harasy (did I spell that right?)
And in my example because I had at one point done some time in jail they swore
me in as an expert witness of a person in jail ( weird) and as I wouldn't say what
they wanted just the truth they then labeled me a hostile witness. Wasn't very
fun and I didn't care I would not lie. And I hardly think a mere 8 months in
jail could have me be called an expert. Which says a lot for media sentry having
the term "non expert"
you could easily get a true expert in to not only dispute their evidence but in
fact because you are witness make the non expert look even less usable.
note I am not a lawyer this was just some thoughts and some opinions as well as
an example of expert versus non expert in a Canadian court of law.
[ Reply to This | # ]
|
|
Authored by: Anonymous on Saturday, December 30 2006 @ 11:45 AM EST |
I responded to this article with a few ideas. I thought of a couple more
possibilities this morning, and when I came back to update my post, it has
disappeared. Did I violate blog rules or something?
confused, dadgervais[ Reply to This | # ]
|
|
Authored by: UncleJosh on Saturday, December 30 2006 @ 12:02 PM EST |
I'm JR Lindor staying with my relative Marie. I log on her computer look at the
PPPoE setup, copy the userid/password information onto a sheet of paper. I go to
my laptop, I put her PPPoE information in my laptop PPPoE setup. I plug the
ethernet cable out of her computer and into mine. Voila.
That's with PPPoE. I have gone to my cousin's and brother's homes to visit,
plugged out their computer and plugged in my laptop and used their broadband
internet connection.
As the subject says just because the ISP at the other end of the wire says that
Marie Lindor owned that IP address at that time does not mean that Marie
Lindor's computer was hooked to the internet at that time.
Wireless or wired routers using NAT are not the only way to share a high speed
internet connection, particularly one in a home which is idle most of the time.
Unplugging ethernet cables is clumsier, but it certainly works.[ Reply to This | # ]
|
|
Authored by: rsmith on Saturday, December 30 2006 @ 12:02 PM EST |
Maybe we should start a collaborative effort to collect the IP addresses of
MediaSentry's computers, so that every p2p user can adapt their firewalls.
Just a thought. :-)
---
Intellectual Property is an oxymoron.[ Reply to This | # ]
|
|
Authored by: sk43 on Saturday, December 30 2006 @ 12:12 PM EST |
The hardest part of his resume to counter is his appearance in front of a US
Senate Judiciary committee. You need to hire Fyodor, from insecure.org, as an
expert. He has a picture on his website of the President visiting the National
Security Agency, and prominently displayed behind the President is Fyodor's
"nmap" program. A president and the NSA trump a Senate committee any
day.[ Reply to This | # ]
|
|
Authored by: cjames on Saturday, December 30 2006 @ 12:19 PM EST |
The RIAA's "equipment" is nothing more than hocus pocus until its
validity is either 1) Attested to by an expert; or 2) The technology becomes
established, widely accepted science and is accepted generally by courts.
Isn't this all well established by legal precedent set back in the 1950's and
1960's with police radars? Police couldn't use radars until/unless they either
brought an expert on a case-by-case basis, or the technology became widely
accepted as valid. And in the latter case, the police still have to show that
their equipment meets industry standards for accuracy.
The same is true for a host of other technologies: Lie detector tests, "red
light cameras," various forensic techniques such as mass spectrometers and
gas chromatographs, and so forth. You can't just jump in with some new gizmo
and convict someone, unless you have an expert willing to attest to the
results.
If MediaSentry aren't willing to testify as experts, and nobody else is willing
to testify as an expert that what MediaSentry did has any validity, then they
shouldn't be testifying at all.
And if they do testify as experts, the easy way to hit them is with controlled
experiments. It's very easy to claim, "We did thus-and-such, and this is a
valid way to prove the defendant guilty." But did they ever do a blind
test, for example have 50 users download data, and 50 users who don't, and show
that they can reliably identify, with 100% accuracy, the correct 50 violators?
I'll bet they've never tried this. Most computer programmers don't understand
scientific methodology.
Craig[ Reply to This | # ]
|
|
Authored by: Anonymous on Saturday, December 30 2006 @ 12:26 PM EST |
I am trying to understand exactly how this network is laid out. Specifically,
can someone answer the following questions, please, please, please?
a) Verizon appears to sell modems with built in wireless or wired routing
capability. Do they sell plain modems, or only modems with built-in routers?
Was Lindor using a plain modem, a combined modem/wireless unit, or a combined
modem/wired line unit?
b) Does Verizon (for Lindor) use PPPoE? use DSL?
c) Can I login from anywhere in the U.S. inside Verizon's network, and reuse
Lindor's user ID? ie Does Verizon essentially support traveling user IDs? (A
traveling user ID permits the user to move to different phone lines. The user
ID is used to identify the customer, not the telephone line.)
d) Can Verizon link the user ID to a physical telephone circuit? (Circuit ID?)
e) Can the Circuit ID be tied to a MAC address? DSL modem unit?
f) Can the TCP/IP address be tied to anything physical? like the circuit ID, the
MAC address, DSL modem unit, etc.? Can the TCP/IP address be tied to a region
(like a state, city or street)? What region can the TCP/IP address be tied to?
g) Given f, where is the modem and did anyone examine it?
[ Reply to This | # ]
|
|
Authored by: rsmith on Saturday, December 30 2006 @ 12:34 PM EST |
Why didn't the provider terminate the account when asked to do so?
In the period since her husband died, at which times was the account active?
At what dates and times was Mrs. Lindor's account furnished with a new IP
address? How long did those address leases last?
Was there any traffic logged?
Can the provider prove that the connection to its network made from Mrs.
Lindor's account actually came from her house?
---
Intellectual Property is an oxymoron.[ Reply to This | # ]
|
|
Authored by: mlwmohawk on Saturday, December 30 2006 @ 12:50 PM EST |
This whole thing about going to user's computers bothers me for a number of
reasons, especially when they are Windows computers.
(1) Every computer has security exploits, there is no way you can ever be sure
that the supposed actions a computer makes are not done by some 3rd party using
an exploit.
(2) Wireless networking is practically impossible for a novice to set up securely
and get working. Thus, any accusation made against a computer by IP address
can't be taken seriously because a hacker in close proximity can piggy back on
someone else's wireless router.
(3) The records an ISP provides are not "evidence grade," i.e. there
is no proved accuracy. They are not tracking every packet and there is no
facility to prove that any one packet came from any one location. It all
"should" work that way, but doesn't always. That's why there is tech
support. If someone hacked their cable modem or dsl router, it is possible to
use someone else's IP address if they are not on.
(4) Most computers are configured as "single user," especially
windows, there is no proof that a guest or unknown third party did not commit
said crime outside the control or knowledge of the accused.
(5) The BIG issue is that NO ONE fully understands the inner workings of a
modern P.C. The best expert can still be surprised by a behavior or a security
violation. Because of this, NO ONE should be held responsible for what a
computer is said to have done. It isn't like a dog or anything, where you can
control the animal. It is a device that accepts commands and instructions from
3rd parties all the time without the knowledge of the owner. M$ has admitted
this in Windows.
[ Reply to This | # ]
|
|
Authored by: kberrien on Saturday, December 30 2006 @ 12:52 PM EST |
This research company hired by the RIAA used an internet connection in order to
'inspect' the infringer. Just as the RIAA subpoenas ISPs for connection
information of the 'infringers', it might be helpful to seek the ISP records
for the research company. Depending on what information is logged at their ISP,
there might be some useful information to be gained regarding their actual
activity online. Also, the logs of the investigator's firewall if detailed
enough, would have a full record of the investigation. And given they are
involved in forensics, they SHOULD be logging everything!
Lacking any records from their ISP, or their firewall how can we say the
investigation ever happened?
Taking a note from the FLA breathalyser cases, call for the source code of any
utilities used by the investigators, and review its accuracy. Perhaps they
will refuse as the FLA breathalyser company has...[ Reply to This | # ]
|
|
Authored by: rsmith on Saturday, December 30 2006 @ 01:11 PM EST |
You should have the computer in Mrs. Lindor's house analyzed by an independent
expert.
He could indirectly check if the computer was used during the relevant period
through file access and modification times.
He could also check if your client is honest; Check if the Kazaa software and
music- or other files are present or if they have been erased.
---
Intellectual Property is an oxymoron.[ Reply to This | # ]
|
- I wouldn't - Authored by: Anonymous on Sunday, December 31 2006 @ 09:22 AM EST
|
Authored by: PeteS on Saturday, December 30 2006 @ 01:36 PM EST |
On the subject where RIAA is attempting to prevent disclosure on the methods,
techniques etc., that were used by Media Sentry - this is insane.
All investigations have to use some method[s] to show that they are in fact
*valid* investigations.
Withholding the methodology used means that the techniques can not be checked or
tested, nor subject to opposing expert witness review. Haven't we been seeing
this type of conduct in SCOX v. World already?
My plain argument would be that if the methodology is withheld, then any
evidence gleaned from it should be struck *as I would not have an opportunity to
challenge that evidence*.
I could come up with a study that shows virtually anything I want, depending on
the methods used for measurement. Another way to look at it is that the method
used determines what results may be valid, and which are not. Not knowing the
method blinds me to what results I may rely on.
Now I am no lawyer, merely an engineer, but it certainly sounds equitable to me
that 'no methodology , no evidence' might be requested.
PeteS
---
Only the truly mediocre are always at their best[ Reply to This | # ]
|
|
Authored by: Anonymous on Saturday, December 30 2006 @ 02:10 PM EST |
I've been involved in formal large-scale systems development, implementation and
operation for over 20 years, as a programmer, analyst, designer, project leader,
and custom software shop manager.
Here are some of my potential technical questions:
Do you know who (company, individuals, who managed the project, etc) wrote the
programs used by MediaSentry?
Have you ever participated in a commercial software development project which
resulted in the implementation of or commercialization of a major software
system? What role did you play in that development? Did you ever play a
Quality Assurance management role in large-scale systems software development?
Do you know what underlying OS the MediaSentry software is deployed on? Is that
the same OS and version used for development?
Do you know what OS-level fixes or patches were applied to the development
machines? The operational machines? Was there a written plan for controlling OS
patch management? Was the plan adhered to at all times? How do you know that?
Do you know what OS-level errors existed in the development environment you have
testified about that were known (or should have been known) to the development
team or management but for which no manufacturer-provided fix was available?
Do you know what OS-level errors existed in the environment you have testified
was used for which manufacturer-supplied fixes were available but were not
applied to the hardware at the time it was in use for the MediaSentry
development project?
[Same questions for the development tool set, and database systems tool set(s)
if relevant.]
Do you know what QA/QC standards were in place during the development, testing
and implementation of MediaSentry?
Do you know if there was a written set of QA/QC standards in place for guidance
of the QA team? Have you reviewed those standards?
Have you ever written and implemented a set of QA/QC standards used by a
commercial development team? How well did it work? In other words, was that
QA/QC team you managed successful in their work so as to provide bug-free
software tools to management or the customers?
Do you know who was in charge of testing MediaSentry software during
development? What are their professional qualifications for managing Quality
Assurance? Who else was on that part of the development team?
Can you identify the testing methodologies they used to assure the software
worked properly in all circumstances?
Do you know what software development tools were used in the development of
MediaSentry tools? Are you aware of written development standards adopted by
the development team? Can you judge whether or not these standards were adhered
to by all developers during the projects?
Do you know if development programmers were allowed to participate in the QA/QC
testing, or was QA/QC handled separately by an independent team?
What level of initial coding errors are thought to occur routinely in the
environment you have testified was used in the development of MediaSentry?
What level of program errors would be expected in a deployed (implemented)
system developed in this environment given the QA/QC procedures in place during
development and implementation?
How is data gathered by MediaSentry stored?
Does the team using MediaSentry have a written set of standards for managing
data created by the MediaSentry tool?
Does the data management standard in place meet the minimum requirements of the
vendor of the tools being used for data management? [in other words, if they're
using Oracle, do they adhere to Oracle DBA standards?] Are staff managing data
certified by the vendor? Do they follow the written data management standards?
How do you know that?
Are changes to data generated and tracked by the system tracked as to date-time
stamp, the before-and-after condition of the data, the user-id of the individual
who changed the data, the tool used to change the data, etc?
Is it possible for an authorized user of the system to use tools not built into
MediaSentry to view the data generated and tracked by MediaSentry? Here I'm
suggesting that many systems can be touched by ODBC-capable tools like MS Access
or Excel, and data can be hacked by authorized users through these kinds of
back-door tools...is this possible for MediaSentry data stores? Why not? [this
set of questions addresses the chain-of-control in the computer.]
How is the source code for MediaSentry managed? How is it protected? How are
code changes propagated into production?
Do they maintain a standard set of Development, Testing and Production systems?
Do programmers and other software team members have access to the production
code base? Why would you allow coders to change production code in an
uncontrolled manner?
How is the process of changing the production code base controlled? Is code
migrated from the development environment to the testing environment in a
controlled manner? Does the QA/QC team have access to the code itself or just to
the system generated from the source code? How is that access controlled?
When a new release is generated from the production source code base, who does
this? How is this process controlled and recorded?
There are more of these kinds of questions, but where I'm going here is that
without this kind of control of systems development, the system wouldn't be
qualified to track money, or health care records, or anything like evidence to
be used in real court cases.
These are some of the issues I deal with on a daily basis. I don't see much
real, commercial software development in this guy's resume.
As an academic, his relationship with the real world of software development
seems real scant. I doubt that there is a ton of major software development in
the mainly rural area he lives in.
These are the kinds of questions asked about our own systems, which support
folks who have to take people into criminal court. Obviously, I had a great
learning experience thinking about ways to improve our systems environment's
defensibility.
Hope this helps. I'll be happy to discuss this at length if you want. PJ, you
have my email address if you need me. Best of luck to the legal team!
JR
[ Reply to This | # ]
|
|
Authored by: BsAtHome on Saturday, December 30 2006 @ 02:54 PM EST |
Compare this:
- at 18: The sharing started at or around 8/7/2004 6:12:45 AM EDT through at least 7:08:30 AM EDT
- at 20: Verizon identifies the defendant at 8/7/2004 at 6:15:34 AM EDT as the assigned recipient of the IP address.
There is a near 3 minute discrepancy between the start of
sharing and the assignment. That means that either the clocks are wrong while
measuring, or that the IP address tracked did not belong to the defendant at the
time.
One would expect the IP address to be assigned before the
sharing starts. Otherwise, you cannot connect to the internet at all. I.e. if
the timestamps are correct, then the defendant cannot be the one who has been
sharing at all.
If the clocks are off, then this is very sloppy work
because any network tech will tell you that time synchronisation is of paramount
importance. The whole world is and has been using NTP for many years (see RFC958 from 1985).
Basically, if your clock is not correct within a small fraction of a second,
then you are at a near impossible task tracking events on the internet correctly
(unless you are the only one using it).
Even if the expert will testify that
he believes that the IP address was assigned to the defendant, it would
be nothing less than speculation. The timestamps are normally authoritative of
what happened.
--- SCOop of the day [ Reply to This | # ]
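The check this comment describes can be made mechanical. The following is an added example, not part of the original comment or of any report in the case: it computes how far the two clocks must disagree for the observation window to fit inside a lease, and shows which lease holders become candidates once that much clock error is allowed. It reads 6:15:34 as a lease start, as the comment does; `subscriber-A`, its lease times and the two error bounds are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

EDT = timezone(timedelta(hours=-4))  # the report's timestamps are given in EDT
ZERO = timedelta(0)
NTP_ERR = timedelta(seconds=1)       # assumed bound for an NTP-disciplined clock
LOOSE_ERR = timedelta(minutes=2)     # assumed bound for an unsynchronised clock


def ts(text):
    """Parse 'M/D/YYYY H:MM:SS AM' into a timezone-aware datetime."""
    return datetime.strptime(text, "%m/%d/%Y %I:%M:%S %p").replace(tzinfo=EDT)


# Times quoted in the comment (report items 18 and 20).
OBS_START = ts("8/7/2004 6:12:45 AM")
OBS_END = ts("8/7/2004 7:08:30 AM")
ASSIGNED = ts("8/7/2004 6:15:34 AM")

# Constructed lease table for the address: (subscriber, start, end).
# Only the 6:15:34 start is from the page; subscriber-A and its times are
# invented to show what a full ISP lease history would add.
LEASES = [
    ("subscriber-A", ts("8/7/2004 5:40:10 AM"), ts("8/7/2004 6:15:30 AM")),
    ("subscriber-B", ASSIGNED, None),  # None: lease still open
]


def required_skew(obs_start, obs_end, lease_start, lease_end):
    """Smallest offset d, added to the observer's clock, that places the whole
    observation window inside the lease. None if no offset can do it."""
    lo = lease_start - obs_start                               # need d >= lo
    hi = None if lease_end is None else lease_end - obs_end    # need d <= hi
    if hi is not None and lo > hi:
        return None                  # the lease is shorter than the window
    if lo > ZERO:
        return lo
    if hi is not None and hi < ZERO:
        return hi
    return ZERO


def classify(skew, observer_err, isp_err):
    """Judge a required skew against the worst-case error of both clocks."""
    if skew is None:
        return "impossible"
    if skew == ZERO:
        return "consistent"
    if abs(skew) <= observer_err + isp_err:
        return "needs-skew"
    return "inconsistent"


def holders_at(instant, leases, tolerance):
    """Subscribers whose lease could contain `instant` if the observer's and
    the ISP's clocks differ by at most `tolerance`."""
    names = []
    for name, start, end in leases:
        if instant + tolerance < start:
            continue
        if end is not None and instant - tolerance > end:
            continue
        names.append(name)
    return names


if __name__ == "__main__":
    skew = required_skew(OBS_START, OBS_END, ASSIGNED, None)
    print("clock disagreement needed:", skew)
    for err in (NTP_ERR, LOOSE_ERR):
        print(err, classify(skew, err, err),
              holders_at(OBS_START, LEASES, 2 * err))
```

With synchronised clocks the start of the window cannot fall inside the 6:15:34 lease; allowing enough clock error to make it fit also makes the previous lease holder a candidate for the same instant.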
|
|
Authored by: Anonymous on Saturday, December 30 2006 @ 03:23 PM EST |
There's a lot of inflated distracting irrelevant (but interesting) waffle here
about NAT | DHCP | wireless | cable modems | etc. Courts prefer facts.
1: stuff moves on the internet between public IP addresses;
2: Plaintiff has knowledge of a public address from which the
alleged infringement took place;
3: Plaintiff has information from an ISP linking the public address
to the defendant;
Plaintiff's next step is to
a) specify which physical device used that address at the time of
the alleged infringement;
b) specify the geographic location of that device at the time
(hint: this may not be easy, and defence has no obligation to show how)
c) nail these to the defendant.
This ignores the questions of the alleged infringing content, which was
i. not found on the defendant's HD, and no evidence offered as to erasure;
ii. not identified with specificity, ie. was the file named eg.
Madonna_For_the_first_time.mp3 really a soundfile of that material, or
one of the dummy files thrown into the mix by **AA spooks, or
some other perfectly legitimate file of defendant's renamed for
a personal bizarre purpose.
When I download dodgy stuff the first thing I do is rename it,
and put it somewhere away from the download|shared folder.
OT ob: it irks me how iTunes always keeps everything so neatly
organised and labelled ...[ Reply to This | # ]
|
|
Authored by: Anonymous on Saturday, December 30 2006 @ 03:29 PM EST |
Since there are so many fake files on the fasttrack network, what I'd do is take
the list of songs alleged to have been shared and put it into another client
utilizing the fasttrack protocol. (I'd use giFT)
Download the songlist and see how many were real and how many were fakes. If
there are file hashes as well as filenames then you could pick the same file and
see what it was...
[ Reply to This | # ]
|
|
Authored by: Ninthwave on Saturday, December 30 2006 @ 03:41 PM EST |
How does the industry letting Microsoft Zune share files fit in with these
lawsuits? Is Zune not using a monopoly in two industries to limit consumer
choice?
---
I was, I am, I will be.[ Reply to This | # ]
|
|
Authored by: Anonymous on Saturday, December 30 2006 @ 05:39 PM EST |
I would firstly ignore the advice about IP and MAC spoofing. MAC addresses are
barely relevant to this issue (they're used by computers attached to the same
network to talk to each other, not across networks like the internet).
IP spoofing/hijack is a. difficult at the best of times, b. generally an attack
against a person not the IP holder. Difficult to describe, but usually it's
about masquerading as a specific IP to a victim: unless you can show the
investigators were being victimised by an IP hoaxer, routing tables alone would
mean a very limited range of people (Verizon, or a nearby subscriber) would be
the only ones who could perpetrate such a job.
A few things seem to be worth concentrating on. First - the hard drive mismatch.
That seems to really indicate the computer that they analysed wasn't the one
that was used to share the files. Given the 'lindor' kazaa username, it seems
fairly improbable to me that it was a computer unconnected with Mrs. Lindor, I'm
afraid. You ought to be able to figure out what that other computer was.
Second, are Verizon sure about the IP being hers? The kazaa username again
suggests strongly it is, so this possibly isn't that strong a line of thinking.
I would think it's worth checking, though: especially ask how they can be
confident about the timestamps on the logs, I suppose.
Lastly, could there have been a security issue with her cable modem? Many of
them come with default passwords, and if you know the make/model of the modem
you can gain admin access. It's possible someone could set up port forwarding,
which would (from the outside) look a lot like an IP hijack. Did the
investigators fingerprint the remote operating system at all, or do any other
kind of analysis at the time? There could be other data there which makes it
further unlikely that Mrs. Lindor's computer was the one in use - modem hijack
would be an obvious way of casting doubt on it being something in Mrs Lindor's
control.
Personally, though, I would be looking at Gustave - "jr lindor" is a
bit too close to home for it to be chance, and while their technical case isn't
watertight by any means, it's still pretty reasonable.[ Reply to This | # ]
|
|
Authored by: Anonymous on Saturday, December 30 2006 @ 05:55 PM EST |
Hi all. After tracking Groklaw since all the SCOX mess started, I'm posting a
first comment and hope I'll help :-)
I tried to look through the linked site but I don't have the time to look
through all the documents and those I thought relevant did not contain any data I
could use for analysis (or not enough). I am basing this comment on the few things
mentioned and on prior comments by other users.
1. The report from Dr. Jacobson is I fear accurate from the little data I've
seen. I'd need more data about organisation of the Verizon service and details
of Ms. Lindor's connection. Based on prior comments: If an integrated wireless
router/dsl modem device was used by Ms. Lindor, there is a probability that the
default configuration leaves the wireless part open for anybody within reach to
connect to internet. I have many times connected to the internet by
"using" such open devices. It is very common in urban areas that you
only need a wireless device (laptop with wifi card f.e.) and with a bit of luck
you can connect to the internet using somebody else's paid connection UNDER HIS
IP. This is not traceable further than the original subscriber; the devices lack
the logging capabilities. This is not even detectable by the ISP, as they only
see the front end MAC registered by the router/modem and the router provides
internal DHCP and NAT.
2. The HD examination looks suspicious. As was pointed out in previous comments,
if the data does not match, and there is no evidence of tampering then you have
the wrong person (HD). Dr. Jacobson concludes that the HD examined is different
to the HD content observed by MediaSentry.
3. The methods used by MediaSentry are one critical part in the defense. As
stated in prior comments, it is imperative that they can prove their own
accuracy and reliability. Also you should be able to cross examine their methods
by an independent expert. As any programmer will tell you, the computer does
always what you tell it to do and NOT what you WANT it to do. Thus they (or your
expert) should prove their methods used are accurate.
4. That no Kazaa installation/remnants were found on the HD is irrelevant, there
is plenty of 3rd party software using the same protocol that can be used and can
be cleaned without trace.
5. Kazaa creates hashes of files that are unique for each file, so they can be
identified for more convenient downloading (resume or split downloads). Now
MediaSentry should have these hashes recorded in their logs (I guess. If they
don't they are grossly incompetent). It should be possible to create hashes with
same function from all the files on the HD and compare them. If no match is
found, you have a solid ground for one part.[ Reply to This | # ]
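The comparison proposed in item 5 of the comment above, together with the points made earlier in the thread about renamed files and fake files, can be sketched as follows. This is an added example, not part of the original comment and not any party's tooling: it uses SHA-256 as a stand-in because a real comparison has to use the same hash function as the investigator's logs, and every file name and content below is constructed.

```python
import hashlib
import os
import tempfile


def file_digest(path, chunk=1 << 20):
    """Stream a file through SHA-256 (stand-in for the network's own hash)."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def index_tree(root):
    """Index every file under root by content digest and by lower-cased name."""
    by_digest, by_name = {}, {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(folder, name)
            rel = os.path.relpath(path, root)
            by_digest.setdefault(file_digest(path), []).append(rel)
            by_name.setdefault(name.lower(), []).append(rel)
    return by_digest, by_name


def compare(logged, root):
    """Classify each logged (name, digest) pair against the files under root.

    match      same content found under the logged name
    renamed    same content found, but under a different name
    name-only  a file with that name exists, content differs
    absent     neither the name nor the content was found
    """
    by_digest, by_name = index_tree(root)
    verdicts = {}
    for name, digest in logged:
        hits = by_digest.get(digest, [])
        if any(os.path.basename(p).lower() == name.lower() for p in hits):
            verdicts[name] = "match"
        elif hits:
            verdicts[name] = "renamed"
        elif name.lower() in by_name:
            verdicts[name] = "name-only"
        else:
            verdicts[name] = "absent"
    return verdicts


def _write(path, data):
    with open(path, "wb") as fh:
        fh.write(data)


def demo():
    """Constructed data: four logged entries checked against a small tree."""
    contents = {n: ("constructed audio %d " % n).encode() * 1000
                for n in (1, 2, 3, 4)}
    logged = [("track_%d.mp3" % n, hashlib.sha256(contents[n]).hexdigest())
              for n in (1, 2, 3, 4)]
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "shared"))
        os.makedirs(os.path.join(root, "misc"))
        _write(os.path.join(root, "shared", "track_1.mp3"), contents[1])
        # Same bytes as logged track 2, renamed and moved out of the shared folder.
        _write(os.path.join(root, "misc", "holiday.dat"), contents[2])
        # Same name as logged track 3, different bytes (a decoy or unrelated file).
        _write(os.path.join(root, "shared", "track_3.mp3"), b"decoy " * 500)
        _write(os.path.join(root, "misc", "notes.txt"), b"unrelated")
        return compare(logged, root)


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, verdict)
```

Matching on content rather than file name is what separates a renamed copy from a file that merely carries a suspicious name.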
|
|
Authored by: Anonymous on Saturday, December 30 2006 @ 06:56 PM EST |
I read Dr. Jacobson's reports and it looks to me like the technical information
is *solid*, and that a copyright infringement probably took place. What isn't
clear at all is whether the *defendant* is the person who performed the alleged
copyright infringement.
As to the specific request, for questions to pose during the deposition of the
witness, I don't have the expertise to do that. And I'm not sure that's a viable
strategy in this case, given the level of technical detail in the evidence
presented by the plaintiff. I would focus on defending the *client* on the basis
of the *law*, rather than trying to attack what I think is solid evidence.[ Reply to This | # ]
|
|
Authored by: tz on Saturday, December 30 2006 @ 07:30 PM EST |
It appears that the hard drive neither contains Kazaa, the downloaded files, nor
traces (old fragments, registry entries, etc.) of said files.
All they seem to have proven is someone using her account ID or MAC address
(assuming Verizon properly records such things) had a computer with a Kazaa
program and folder which Media Sentry could pull files from.
But the hard drive is the key - their expert says he can't find any evidence of
Kazaa on the drive.
I've had my credit card number used to charge things I've not bought. I have no
idea how it was obtained, but what is happening would be analogous to someone
using such a fake credit card to buy a gun which was then used to shoot a
person, and of course I have to be the shooter because my credit card number
appears on the transaction for the gun.
I think they have solved cloned cell phones, and some similar things, but it
wouldn't be that hard to hijack an account or connection.
There are at least 5 open access points my computers can see in my apartment
building. I could use any of those without the owner's knowledge (and some of
the protected ones are using WEP which could be cracked by next morning, if that
long).
If they found a hard drive or iPod or something with the files MediaSentry
found, it would be one thing. Instead they have an account registered to
someone who has never used a computer, and the hard drive indicates it never had
the files in question on it.
As far as methods, I assume MediaSentry uses Kazaa to pull files from various IP
addresses, then after verifying they are copyrighted, goes after the ISP to get
the account information, then relies on others to go the rest of the way. But
an IP address and account is only a pointer. It doesn't indicate what is at the
far end. That would need to be the actual computer, and they have not found
that computer.
(Note that really, really, expensive hard drive analysis can find deeper traces
in the very slight magnetic variations - cryptographers are generally the only
ones concerned with such methods, and it would require millions to test which I
don't think the RIAA would spend).
[ Reply to This | # ]
|
|
Authored by: The Mad Hatter r on Saturday, December 30 2006 @ 07:34 PM EST |
I spent most of the day thinking about this after reading all the files:
1) The RIAA is trying to hide something by not letting the MediaSentry contract
or instructions be shown. Possibly MediaSentry is being paid a bonus for every
"file sharer" sued, if so it is in their interest to find as many file
sharers as possible. This could lead to criminal actions on the part of
MediaSentry - possibly the RIAA has just realized this and does not want to be
held accountable for flawed directions? I don't know, but when someone wants to
hide something there's generally something wrong, so I suspect that this
information could kill the case.
2) MediaSentry is using unknown hardware and software in their efforts for the
RIAA. We have no reason to trust the hardware and software. Both hardware and
software bugs are common. Unless the software and hardware has been inspected by
competent outside staff we have no assurance that it is operating correctly.
3) The RIAA expert has testified that the hard drive in question was not used
for file sharing. This is very interesting. The expert does not seem to have the
knowledge to be declared an expert in these matters. In fact the wording of the
report makes it seem that the expert is a hired gun - who will say whatever
he/she is paid to say. Note the continued harping on "this is not the
correct hard drive as I cannot find the infringing files which have to be
here", and the fact that he does not allow for the fact that the correct
computer could have shared this address with the Lindor computer, possibly due
to an address reassignment by the ISP, or other unknown factors is interesting.
4) MediaSentry is not an expert? In that case why did the RIAA hire them? If
they are not an expert in what they are doing their evidence should be stricken
- they obviously do not have the knowledge to have developed the evidence.
5) Where is the list of files that were shared/downloaded? This is exceptionally
important - what if the file sharer that was detected was sharing 10 gigs of
files, and the computer only had a 5 gig hard drive? What if the sharer
specialized on Lois and Brahm, and the Lindors have no small children?
Hope this helps.
---
Wayne
http://urbanterrorist.blogspot.com/
[ Reply to This | # ]
|
|
Authored by: Anonymous on Saturday, December 30 2006 @ 07:40 PM EST |
I'm not sure if this helps or it hurts. It appears that the ip address
corresponds to a location in Manhattan that has about 2000 addresses, of which
about 500 are set up in a dynamic pool.
This would correspond to a fairly small number of customers. Does anyone have
any idea where these customers might be located? vs the location of Mrs.
Lindor?
http://www.trustedsource.org/query.php?q=141.155.57.198
Google Earth helps in looking up the provided longitude and latitude of 40.75 N,
73.997 W.
You can also type at the command line:
tracert 141.155.57.198
This will tell you how close you are to Mrs. Lindor's old IP address, in terms
of network separation.
[ Reply to This | # ]
|
|
Authored by: Ray Beckerman on Saturday, December 30 2006 @ 10:02 PM EST |
Just want to thank all of you who have given us the benefit of your thinking.
Lots of good ideas for us to explore.[ Reply to This | # ]
|
- billing - Authored by: grouch on Sunday, December 31 2006 @ 01:11 AM EST
|
Authored by: Anonymous on Saturday, December 30 2006 @ 10:33 PM EST |
> and -- believe it or not -- has never even used a
> computer in her life
In the absolute terms in which it is stated (never...
any...) I personally don't believe it. A judge/jury will
find it hard to believe it too.
If I was Ms. Lindor's attorney, I'd be less worried with
trying to refute the expert witness' testimony, and more
worried about anything in the computer's hd that might
indicate that she has indeed used it, at least once, since
it was bought. Or proof/testimony that she has used some
other computer in the past.
IANAL, does the law require evidence in direct
rebuttal to a defendant's testimony to be disclosed by the
plaintiff's attorney, or can he/she pull a 'Perry Mason'
(*) and surprise the defense?
(*) Admittedly, not the best analogy, since PM was usually
a defense lawyer.[ Reply to This | # ]
|
|
Authored by: Anonymous on Saturday, December 30 2006 @ 11:14 PM EST |
I would add a few things.
As Sips and Pouwelse have said, pollution and lying are very common P2P
behaviors. I will elaborate a bit on why this is important. The only evidence
MediaSentry appears to have is that a file-search turned up a file with a name
of a copyrighted work. There have been numerous instances in the past where
people have had innocuous files with suspicious-sounding names and been sued.
In 2001 someone got into trouble over a file named "Harry Potter Book
Report". See about halfway down:
http://www.pacificresearch.org/pub/ecp/2003/epolicy02-07.html
There are a number of issues (some related):
1) How has MediaCenter determined the file infringes ANYTHING, much less the
particular item in the complaint? They do not download the whole file.
2) Do they sue just because a file shows up in the listing? Many people use
'upload blocking' tools, to prevent their computer from uploading content. The
content will show up when others search, but no distribution is possible. (E.g.
Bob has an upload blocker. Alice searches. Alice sees files on Bob's computer.
Alice can try to download from Bob, but will never get anything.) Reasons for
this are all variants on freeloading: Bob wants to get things from the P2P
network without contributing to it.
3) Even if they DO download the file and they DO know it is infringing, there
are serious questions about backtracking by IP address. It only gets to a
particular computer. The computer may have been compromised. People who run
illegal downloading sites oftentimes do not operate them legitimately. By which
I mean they don't run them on equipment they own, with utility accounts in their
name. They will often find existing poorly-secured machines that have high
availability and bandwidth, take them over remotely, then use them to warehouse
files. Any machine identified will need to be forensically examined for evidence
of such skulduggery.
Furthermore it is very common for personal computers to be used by more than
one person, but this is probably familiar territory.
4) Even assuming that the owner of the machine is the user of (say) Kazaa, AND
that MediaCenter downloaded the file to examine it, this STILL does not prove
that particular PC ever uploaded the file to *anyone else*.
You're the attorney, but I feel qualified as an armchair attorney at least :)
and I must point out that MediaCenter is the recording industry's agent. If
they invite Bob to give him a copy of a file owned by them, and he does -- they
cannot then sue him for copyright infringement, for they authorized it. If a
store hires someone to tell me that it's OK for me to take something without
paying for it, then tried to sue me for conversion, I can think of three or four
good reasons they cannot sue me for *that act*. You probably can too, so I
won't elaborate.
You may be able to argue that instead they need to show that either 1) Bob
uploaded the file to someone who was NOT an agent of the copyright owners, or 2)
Bob's mere possession of the file is itself a copyright violation. (Personally,
I feel that downloading is simply the act of RECEIVING an illegal copy someone
ELSE made (as part of an offer on the UPLOADER's part to give copies to anyone
who wants one, not because of a request the DOWNLOADER made), making downloading
(only) not direct infringement.)
5) Factual inaccuracy in "April 2006 boilerplate report" items 15 and
16(first items under Conclusions): Even if all 700 files actually exist, and
are what they appear to be, the fact a KaZaA search turned them up does NOT --
in ANY WAY -- prove where those files came from. KaZaA is NOT the only P2P
network, and there ARE legitimate ways the defendant could have come by those
files (she could have created them herself). How was it determined the files
were downloaded at all, much less from KaZaa?
6) The statements about not finding KaZaa on the hard drive he examined is very
strange. He appears to be claiming the machine was wiped before it was turned
over (that is, the defendant or someone else tried to destroy the evidence). I
interpret this as possible evidence of innocence, but lacking more details am
unable to come to any conclusion. I would want to know:
A) He said the hard drive was very sparse, due to "lack of user created
files", but he found files reference on Gustave Lindor, Jr. How many 'user
created files' would indicate the machine had been used? What was he looking
for, which he did not find?
B) In what context was the name of Gustave Lindor, Jr. found? "that
document indicates he was living and working ..." -- "that
document?" What document? You want to see that document. Was it personal
correspondence Mr. Lindor wrote and sent to the owner of the machine? Was it
(say) a document in progress (which tends to indicate he owned it)?
C) Did he conclude it was a new hard drive, or one which used to contain data
but had been erased? It is well known erased data can often be partially
recovered, and indeed securely deleting (meaning, making unrecoverable) things
is very difficult. How did he arrive at this determination?
D) There is a discrepancy. MediaSentry's data indicates the machine had KaZaa
installed? Then why does the machine itself contain no trace of it? How does
he reconcile this apparent contradiction, and more importantly how did he
exclude other potential explanations -- specifically the possibility
MediaCenter's data might be unreliable?
E) He apparently concludes the provided hard drive is a phony hard drive,
because he concluded the hard drive had been barely used. This implies he
believes the hard drive was purchased brand new, and Windows installed on it,
and this hard drive was then turned over instead of the real hard drive.
There are other signs of usage. If different programs were installed on
different dates over a period of some time, this would imply the machine was
used. What was installed, and when? Under Windows XP, the system event log
contains dated logging information for things the system finds important. If
this log contains entries over a lengthy period of time, this is a sign that
hard drive was in fact used. Was this log examined? If so, what was found? If
not, why not? (Its location is Control Panel - Administrative Tools - Event
Viewer)
7) You have claimed in the Groklaw article that "Ms. Lindor, the defendant
in this law suit, a middle-aged Brooklyn woman who works as a home health aide,
and -- believe it or not -- has never even used a computer in her life, much
less been an "online distributor".
This is very confusing, because it would appear the RIAA's expert has
forensically examined SOME hard drive. Yet if someone "has never even used
a computer", they certainly don't own one. Where did he get the hard
drive? What did he examine? Something doesn't add up.
If she has never even used a computer, how did she get fingered? My
understanding of the RIAA's process is they find an IP address which they think
shares files, then subpoena the subscriber info from the ISP.
How did the ISP come to conclude that someone who doesn't own a computer has
internet access? I see only a reference to Verizon's response, not the response
itself. I can only speculate. Is Verizon's database polluted? Did they make a
typographical error in their response? Was the account in her name, for a
computer in her home but owned by someone else? Has Ms. Lindor been the victim
of identity theft?
IP addresses do not remain constant, they change over time as customers come
and go, and for many reasons. Who used that IP before and after the defendant?
How many times did that IP change hands around the time plaintiffs charge the
infringement occurred?
You will probably need to speak to Verizon. The RIAA's expert likely cannot
answer these questions. But he CAN answer what makes him so sure the defendant
is the right person, given she likely doesn't own a computer and can't even
operate one.
8) How is MediaSentry's evidence generated? Screenshots are trivial to
falsify. Is there a chain of custody? Has their software been audited to
ensure it isn't fraudulently manufacturing evidence? Has their software been
audited to ensure it does not accidentally misrepresent material facts? Are the
images produced cryptographically signed? (In short, cryptographic signatures
are a sort of tamper-proof seal; a block of data generated so that, if the data
is altered, it won't match the signature -- and the signature cannot be
falsified without a secret key.) Do they still have the downloads they claim
the defendant transmitted to them? (Whether it's a complete or a partial
download, they should still have it for examination.)[ Reply to This | # ]
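Item 8 of the comment above asks whether the captured evidence carries a tamper-evident seal and a chain of custody. The following is an added example, not part of the original comment and not a description of MediaSentry's software: it seals a capture log by chaining an HMAC-SHA256 tag through each record, so that editing, removing or reordering an entry is detected. HMAC is a keyed MAC used here in place of a public-key signature; the key, record fields and addresses are constructed.

```python
import hashlib
import hmac
import json

GENESIS = b"\x00" * 32                                # starting value for the chain
KEY = b"constructed demo key, not a real secret"      # held by the evidence custodian


def _tag(key, prev_tag, record):
    """HMAC over the previous tag plus a canonical encoding of the record."""
    body = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, prev_tag + body, hashlib.sha256).digest()


def seal(records, key):
    """Return the records with a chained tag attached to each one."""
    sealed, prev = [], GENESIS
    for rec in records:
        prev = _tag(key, prev, rec)
        sealed.append({"record": rec, "tag": prev.hex()})
    return sealed


def first_bad_entry(sealed, key, final_tag=None):
    """Index of the first entry that fails verification, or None if all pass.

    If final_tag (the last tag, recorded somewhere else at capture time) is
    given, entries trimmed from the end are reported as index len(sealed).
    """
    prev = GENESIS
    for i, entry in enumerate(sealed):
        expected = _tag(key, prev, entry["record"])
        if not hmac.compare_digest(expected.hex(), entry["tag"]):
            return i
        prev = expected
    if final_tag is not None and not hmac.compare_digest(prev.hex(), final_tag):
        return len(sealed)
    return None


def sample_log():
    """Constructed capture log: each record binds a time, a peer address and
    the SHA-256 of the bytes actually received."""
    captures = [
        ("2004-08-07T06:12:45-04:00", "203.0.113.7", b"constructed bytes, file 1"),
        ("2004-08-07T06:30:02-04:00", "203.0.113.7", b"constructed bytes, file 2"),
        ("2004-08-07T07:08:30-04:00", "203.0.113.7", b"constructed bytes, file 3"),
    ]
    return [
        {"seen_at": when, "peer_ip": ip,
         "payload_sha256": hashlib.sha256(data).hexdigest()}
        for when, ip, data in captures
    ]


if __name__ == "__main__":
    log = seal(sample_log(), KEY)
    print("untouched log:", first_bad_entry(log, KEY))
    log[1]["record"]["peer_ip"] = "198.51.100.9"      # simulate an edit
    print("after edit:", first_bad_entry(log, KEY))
```

A chain like this only shows that the log was not altered after sealing; it says nothing about whether the software recorded the right thing in the first place, which is the separate audit question the comment raises.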
|
|
Authored by: Anonymous on Sunday, December 31 2006 @ 12:13 AM EST |
Lots of stuff covered above, but some more points I'd bring up. I'll mostly
stick to things I didn't see posted earlier when I skimmed through.
In his earlier, April 12, testimony, he claims two computer security patents.
I've looked at them, and am not impressed. In combination with the other
fluffing he's done on his background, it certainly makes it seem to me like he's
a puffer-fish for hire rather than an actual expert, especially when combined
with the (largely pointed out) deficiencies in his descriptions of the actual
technology involved.
Patent #6,044,402 is registered to the university, with his name included. This
is an insanely trivial and obvious patent that appears to cover a remotely
administered packet filter (which has only been around since the late 60's, if
not earlier).
The other appears to be #5,548,649 and is another insanely trivial,
prior-arted-to-death, never-should-have-been-granted one. This one just looks
like the same thing any VPN concentrator does. This is another trivial BSD/UNIX
hack that was around in the 70's, if not earlier.
He mentions a third, but does not give a patent number. Searching on
combinations of names given is not showing anything. Ask for clarification on
this one.
Important addition to this is his claim to be a "Certified Forensics
Computer Examiner". I found a certification with this title at
http://www.iacis.info/iacisv2/pages/training.php
Based on a quick look over, this seems like an incredibly basic certification.
It requires only a two week course with no prior computer experience. Judging
by the statements on that webpage, this certification is essentially worthless.
A notable example, from their recertification requirements page:
"For example, a proficiency test may consist of a Linux disk, in which you
are asked to look for images. You do not need to be an expert in Linux to work
this case. If you can image the disk successfully, identify it is some form of
Linux OS, and maybe even retrieve some images from the disk, then you have
successfully passed the test. Failing would be simply look at the disk in DOS
and determined there was nothing of apparent evidentiary value."
It could be worth comparing this certification to the GIAC Certified Forensics
Analyst certification.
I do notice that his CV lists no other certifications at all.
As an aside, I've looked briefly over the Palisade Systems products pages. I'll
state upfront that I work for a network security company that might be
considered a competitor, so my opinion is biased here, but I wasn't very
impressed. Any network security product that _requires_ Windows machines to
function (for the management, in this case) probably shouldn't pass the sniff
test.
Something I don't recall seeing mentioned in the comments, his description of
Peer-to-Peer protocols is decidedly deficient. He doesn't seem to recognize
that http and ftp (among others) are peer-to-peer.
On to his "Conclusions" section.
15) How is he testifying to procedures used by MediaSentry? Nothing listed in
the "Materials Considered" section addresses their procedures. Given
just this testimony, he can have no knowledge of them. How can he testify to
them?
20) This has been pointed out, but needs reinforcing. How is he testifying that
the sharing occurred before the IP address was assigned? This directly
contradicts his own testimony about what is required to connect a computer to
the internet.
On to his CV.
It's interesting how many introductory classes he's teaching given the length of
time he's been a professor at this university. No idea how this compares to
others, but it caught my eye.
Some of his grant descriptions are a bit vague, saying things like "7
companies". Would be interesting to find out if any of his grant funds had
RIAA/MPAA ties.
I find it interesting that none of his journal publications has anything to do
with security. Two are on mosquito monitoring, of all things, and one is a
student paper about a cheap ski jump timer (I call it a stopwatch myself, but
that wouldn't be a paper).
Even his "Proceeding" publications show nothing past 2004 except a few
"submitted" that apparently haven't seen actual publication. Most of
the earlier ones seem to be about teaching rather than computer security per se,
which is probably fine for a teaching professor, but isn't going to help his
computer forensics credentials any. Oddly enough, it looks like the
publications are getting steadily _less_ technical as time goes by. It appears
the bulk of his technical work was early '90s or prior.
His "Technical Presentations" section seems to have the most computer
related security listings, but several of those are presentations to political
groups and the like (2005 Midwest Election officials Conference, for instance),
and politicians are hardly known for their technical acumen.
Patents mentioned above.
Under "Other", he includes attending three-day conferences. Is this
the kind of thing people normally put on their CVs?
This guy is definitely no Bruce Schneier. If you can get an actual computer
security expert in, he'll probably get torn to shreds. He does seem to have
some decent technical grounding, but I'm less sure of his security experience.
How he's supposed to evaluate MediaSentry's forensics with so little information
is beyond me.
Unfortunately, what there is from him so far is simply too vague. Aside from
the blatant self-contradictions (not the right hard drive, no evidence, timing,
methods) he hasn't said much of anything relevant. I would recommend getting in
touch with a real expert, like Bruce Schneier. Assuming you don't have the
funding for his time, he may be able to suggest someone expert who's interested
enough in this kind of case to work cheap or pro-bono. Then let the expert tear
apart the second-hand hearsay. At the least, post again here when the testimony
is available, and there's plenty who'll be willing to go over it.[ Reply to This | # ]
|
- CV spelunking - Authored by: Anonymous on Tuesday, January 09 2007 @ 06:56 PM EST
|
Authored by: Anonymous on Sunday, December 31 2006 @ 01:15 AM EST |
for those that didn't read, he's a certified forensic guy, and at least
professionally appears to have patented (and supervised another project)
specializing in p2p detection.
concur that it appears as though they want the actual hd or maybe it's common to
cya for forensic guys by saying they need it...unknown. to have anything less
than the actual thing and a solid chain would seem more of a Wish than evidence.
this needs to be All About media sentry's investigative process...but then
again we already knew that, and the good doctor appears to be available to make
representations on behalf of their methods. with Zero legal background, even I
can ask how that does not absolutely entitle Mr. Beckerman to discovery on
it--either that, or anything resultant from their process gets tossed, no?
also appears as though they are also concluding that some other person was
living and working in NY during the period _according_to_a_resume_ found on the
image. well, of course that must be factual--it's on a resume. okay,
tech-tech-tech, i know.
if i have the pdfs straight, the professor is reporting that there were 700
songs on the box (all downloaded), 624 of which were "being
distributed" & 11 of which were downloaded from 6:12:45 AM to 7:08:30
AM eastern 8/7/04.
o anyone who can comment on whether this is even physically possible by whatever
bandwidth connection means ms. lindor uses? so that's what 53:45 or 3225 sec,
and 624 songs => ~5.2 sec/song? or do kazaa transfers happen as some
parallel, distributed thing? actually 624 upped + 11 downed gives ~5.1 sec.
o not technical/rather legal, but what does "being distributed"
mean--is being on the list as available the same as "being
distributed" no technical help for Mr. Beckerman, just my personal
question... the pdfs say a tuple with song hash and ip address are in the
central server which is queried for availability. perhaps that's what he
means--the hashes and an ip are upped and thus "being distributed"?
Either way, that's legal stuff and I need to bow-out.
o okay, another question--can all that hashing even be completed in about an
hour on a box of the specifications which ms. lindor has? 700 songs hashed in
an hour? i assume that the 'client' has to perform the hashing (because it
could not be otherwise?)
o some (unclear) reliance on system and user.dat (and da0) is used to
establish/confirm the alleged activity--anyone knowledgeable wrt kazaa operation
can comment? question: is it possible that something might appear in any of
these files that the user has never used or might have no knowledge of? (A:
duh).
o the pdfs mention a string in the resume information and a permutation of the
same string as an id in the kazaa stuff; might this string also correspond to
the box name on the os image? and could this box name be viewed by the
botmaster controlling the machine? rhetorical, however true, and
retracted...but leading to question: did the good doctor look for, find, or
otherwise consider existence of other malware on the image under review? if
so... follow-up: is it conceivably technically Possible that any and all
alleged illegal activity could occur without ms. lindor doing anything except
leaving her machine run? (A: duh). i guess the other side's answer is simply
to boot the image with a network connection and monitor attempts to establish
outbound connections--presumably Mr. Beckerman has access to this image and
might verify whether or not this is the case in deciding if this avenue is of
use to him.
concur that address uniqueness/assignment looks weakest in his report, but
you'll need your ducks lined-up along the lines of what arker posts. report
contents might be boilerplate he's been using for years (and even maybe 6 or 7
years ago it would have looked more solid).
also agree wrt faulty screenies and i note that the good dr. is part EE. imo,
anyone prepared to represent authenticity wrt any s/w used by media sentry needs
to address Dr. Thompson's Turing acceptance address:
http://cm.bell-labs.com/who/ken/trust.html
one bonus question for the EE in dr. jacobson is "how many places might
this apply in either Any machine of media sentry or in ms. lindor's
machine?"
google tells me that mr. beckerman knows far more than i do about media sentry,
but the word "heuristics", i mean c'mon!
[ Reply to This | # ]
|
|
Authored by: Anonymous on Sunday, December 31 2006 @ 01:25 AM EST |
To add to the comments of Teacher about Network Address Translation (NAT),
reference the program to allow a computer connected to the internet to be used
as a router.
On a Windows XP machine, go to <Start><Control Panel><Network
Connections><Share a Network Connection>. NAT builtin. Did the Ph.D.
think to check for this setup on the operating system? Did the computer have a
second ethernet connection? Can this program be used via a USB port?
For a Linux machine (unlikely for Ms. Lindor), see the program ipmasq.
Available on the Ubuntu repositories. The description says
-------------------------------------------------
securely initializes IP Masquerade forwarding/firewalling
This package contains scripts to initialize IP Masquerade for use as a
firewall. IP Masquerade is a feature of Linux that allows an entire network
of computers to be connected to another network (usually the Internet) with
only one network address on the other network. IP Masquerade is often
referred to as NAT (Network Address Translation) on other platforms.
By default, this package configures the system as a basic forwarding
firewall, with IP spoofing and stuffed routing protection. The firewall
will allow hosts behind the firewall to get to the Internet, but not allow
connections from the Internet to reach the hosts behind the firewall.
However, ipmasq now features a very flexible framework where you can
override any of the predefined rules if you so choose. It also allows you
to control if the rules are reinterpreted when pppd brings a link up or down.
This package should be installed on the firewall host and not on the
hosts behind the firewall.
IP Masquerade requires the kernel to be compiled with masquerading support
(please see documentation for specific kernel options required).
---------------------------------------------------
A program such as this for Linux is very likely to have been ported to one of
the BSD varieties and may have originated in the Unix community.
How did the professor rule out the existence of one of the many ways the IP
could have been spoofed or faked?
I see this as a case of "The car ran the red light but no one saw who was
driving so we will charge the registered owner." I also find the existence
of a Gustave Lindor, Jr. resume on the machine somewhat suspicious.
MSNTHRP
BS/MS Electrical Engineering
[ Reply to This | # ]
|
|
Authored by: ikocher on Sunday, December 31 2006 @ 02:05 AM EST |
Connection service (ISP):
What kind of internet service does Ms Lindor have?
If it is a cable modem service, riaa will be assuming that _nobody_ in the cable
modem network modified their modem to use credentials of Ms Lindor, something
that is not correct to think. Modifying a cable modem unit is against the
contract with the provider, but it is not voodoo to do it. Reasons: spy (sniff)
the network, because the docsis system the cable modem network uses bases its
security and authentication on the MAC address of the modem, not the one in the
ethernet side of it, but the one in the docsis (cable) side.
If the service is any type of xDSL, there are no MACs to get. In this kind of
service, it is pretty difficult for someone else to steal your service, and the
customer not noticing it. Also, implies heavy modification to cables in posts,
etc.
If the service is dial-up, the phone number from where it was called can be
faked. Take a look at Vonage. There is a way using that service, and also
applies to other providers, to "fake" from where the call comes. One
can do this even with "simple" and open software as Asterisk PBX.
Now, in case the service is a type of ppp over something, then the ppp
credentials might be a strong point for riaa, because those can't easily be
stolen. PPP protocol uses challenge-response for authentication, so the password
doesn't go into the wire. PPPoverEthernet is a sort of popular service, and can
be used with cable modem and xDSL. PPP (basic) is the one probably used for
dial-up, as there are other protocols for dial-up: SLIP, aol, etc. Now if she
handled the user/password too easy ... her fault!
I'm not from the us, so I don't know about isp there.
Can help more if you post a little bit more on the type of connection.
Networking equipment:
Also, if she has one of those wireless routers, in default configuration... no
security, etc... anyone around (100meter at least, but maybe more using the
right antenna) her home could have used it and she didn't notice it. There is
a whole problem on this, legal/moral/etc. I think some city in the US outlawed
having an open system this way, don't remember now which and when exactly.
Computer(s):
Also, some posts have mentioned how easy it is to control a windows machine
remotely, without the user ever knowing it happened. If this is the case, then
this would have been used by the attacker for other purposes, or maybe even to
make this case. Ever heard about botnets? just google it!
Maybe an attacker wanted some song, and used one of the machines in his botnet
to do the 'job'... maybe more obscure... but I doubt it was for that. Also
botnets 'controllers' are for hire, you choose the 'job' and it gets done.
Also, did she ever receive a friend with some computer and connected it to her
home network? Maybe the attack started there, without both of them knowing it.
I have seen networks collapsing due to this, just one "external"
computer connected to the local network, and it performed the attacks, while the
network was fully protected from the outside... sad.
Is her computer a laptop? Has she used it somewhere outside her home?
Now... all the above assuming she _owns_ a computer, but you said she _does_not_
?!?!?! Well if that is the case, how is there an ISP related in all this? What
for Ms Lindor would have an internet service without computer? For her
refrigerator??? Don't think so. Does she pay for the service but she didn't
'have it at home'? What for? Did she know? If not, this is a credit card
fraud or some other type of fraud.
Some years ago, my credit card was charged by an ISP in the US, and I didn't
live there... cool. The charge was easily removed, but someone tried it.
Ivan
[ Reply to This | # ]
|
|
Authored by: Anonymous on Sunday, December 31 2006 @ 02:14 AM EST |
He talks about how the computer had a public IP address and how it means it
wasn't connected to a router.
How does he know if it wasn't connected to a router in the past and had a public
IP address when the Image was turned over?
In both cases, the system would be pulling (most likely) ip addresses via DHCP.
No "tampering" with the registry would have been necessary, just the
removal of the router.
[ Reply to This | # ]
|
|
Authored by: ikocher on Sunday, December 31 2006 @ 03:53 AM EST |
Ask for network logs of media sentry internal network while downloading the
files. If they used a kazaa client, and from there they infer the IPs and files
content, I think that is not very strong. They only trust _that_ program. So
what with bugs, trojans, etc?
If they have a network sniffing (tcpdump does it) of all the packets, headers
and payload, of the actual transfers of those files, that is rock solid for
riaa; but if they don't have it, they only have what the kazaa client showed
them, let's say made them believe. A network sniff of the local network is much
more solid, and will show clearly the ip address of all computers involved in
the transfers, showing if it was only Lindor alleged one, or more.
The log will have the contents of the files, so if those files had a copyrighted
material, it will be there, solid. If not, again, is what the kazaa client
shows, only that.
These 'experts' should have done that. A video can't help, but a log I think is
more solid. It is always easily fakeable, at the end is only a text file,
pretty easy to setup, but at least can show that they did their work, not a guy
looking at the kazaa client now claiming to be an 'expert'.
This is part of the methods used to get those screenshots and blah-blah.
From the logs, an expert can check if at least they are valid or real logs. The
content of the files verified.
Also, it might be used to identify the alleged Lindor computer, due to
fingerprinting of the packets, so riaa can make a stronger case, identifying the
alleged computer.
It seems these logs don't exist at all. Happy case riaa!
Ivan
[ Reply to This | # ]
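The per-address accounting that the comment above says a packet capture would allow, as an added example (not part of the original comment and not any party's actual tooling): it parses a classic pcap file, totals TCP payload bytes per sending address, and hashes the capture so later alteration is detectable. The capture bytes, documentation-range IP addresses and port numbers are constructed for the illustration.

```python
import hashlib
import socket
import struct
from collections import defaultdict

PCAP_MAGIC = 0xA1B2C3D4      # classic pcap magic number
LINKTYPE_ETHERNET = 1


def _frame(src_ip, dst_ip, sport, dport, payload):
    """Build one constructed Ethernet/IPv4/TCP frame (checksums left at zero)."""
    eth = bytes.fromhex("020000000001" "020000000002" "0800")
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
    return eth + ip + tcp + payload


def build_sample_capture():
    """Constructed capture: host 192.0.2.10 receives data from two peers."""
    packets = [
        (1000, _frame("198.51.100.7", "192.0.2.10", 2001, 40000, b"A" * 300)),
        (1001, _frame("192.0.2.10", "198.51.100.7", 40000, 2001, b"")),
        (1002, _frame("203.0.113.9", "192.0.2.10", 2001, 40001, b"B" * 500)),
        (1003, _frame("198.51.100.7", "192.0.2.10", 2001, 40000, b"C" * 200)),
    ]
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for ts, frame in packets:
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return out


def read_pcap(data):
    """Yield (timestamp, frame_bytes) from classic pcap bytes, either byte order."""
    if len(data) < 24:
        raise ValueError("truncated pcap global header")
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC:
        order = "<"
    elif magic == 0xD4C3B2A1:
        order = ">"
    else:
        raise ValueError("not a classic pcap file")
    if struct.unpack(order + "I", data[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled here")
    pos = 24
    while pos + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig = struct.unpack(order + "IIII", data[pos:pos + 16])
        pos += 16
        frame = data[pos:pos + incl_len]
        if len(frame) < incl_len:
            raise ValueError("truncated packet record")
        pos += incl_len
        yield ts_sec + ts_usec / 1e6, frame


def tcp_payload_by_flow(data):
    """Sum TCP payload bytes per (src_ip, src_port, dst_ip, dst_port)."""
    flows = defaultdict(int)
    for _ts, frame in read_pcap(data):
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                      # not IPv4 over Ethernet
        ihl = (frame[14] & 0x0F) * 4
        if frame[14] >> 4 != 4 or ihl < 20 or frame[23] != 6:
            continue                      # malformed header or not TCP
        tcp = 14 + ihl
        if len(frame) < tcp + 20:
            continue                      # TCP header cut off
        total_len = struct.unpack("!H", frame[16:18])[0]
        sport, dport = struct.unpack("!HH", frame[tcp:tcp + 4])
        data_off = (frame[tcp + 12] >> 4) * 4
        src = socket.inet_ntoa(frame[26:30])
        dst = socket.inet_ntoa(frame[30:34])
        flows[(src, sport, dst, dport)] += max(total_len - ihl - data_off, 0)
    return dict(flows)


def senders_to(data, local_ip):
    """Payload bytes each remote address sent to the capturing host."""
    totals = defaultdict(int)
    for (src, _sp, dst, _dp), nbytes in tcp_payload_by_flow(data).items():
        if dst == local_ip:
            totals[src] += nbytes
    return dict(totals)


def capture_digest(data):
    """SHA-256 of the raw capture, to be recorded when the capture is taken."""
    return hashlib.sha256(data).hexdigest()


if __name__ == "__main__":
    capture = build_sample_capture()
    print("sha256 of capture:", capture_digest(capture))
    for peer, nbytes in sorted(senders_to(capture, "192.0.2.10").items()):
        print(f"{peer} sent {nbytes} payload bytes")
```

Changing a single payload byte leaves the per-address totals unchanged but changes the digest, which is why the hash has to be recorded at capture time.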
|
|
Authored by: bloggsie on Sunday, December 31 2006 @ 04:04 AM EST |
My academically unqualified opinion after 35 years in the computer business is
that the use of Internet Addresses and Network Interface Card MAC numbers is
only rather poor circumstantial evidence at best.
In order to produce 'smoking gun' level of evidence imho the 'enforcers' would
have to:-
- Covertly install a root-kit which:-
  - Locates the executable which is doing the deed.
  - Accurately records the time and logs the traffic, and the ports used, to an
    external recording server.
  - Hashes the files in the directory which is being shared. Reports the file
    names and their hashes to the external server.
  - Monitors the IP traffic for a fair while to see if the machine is receiving
    orders remotely from a botnet, or a human, taskmaster.
  - Positively identifies the disk the shared files are being stored on. Disks
    do have manufacturers model and serial numbers embedded in the firmware.
  - Reports all these details to the recording server.
- Get a search warrant to seize the disk while the copyright infringer is busy
  at the computer. Take a photograph of Mr. or Ms. X so they can be properly
  identified subsequently.
- Make a certified copy of the disk, and give it back to its owner.
- Analyse the copy to demonstrate to the court that it is identical in every
  respect - including the serial number and the hashes - to the disk discovered
  by the root-kit.
- Play a selection of the copyright music off the disk to the Court.
- Say to the Court: "We have proven beyond all doubt that the computer being
  operated by X was sharing copyright material. We seek $UVW,XYZ.00 in damages
  from X for losses incurred due to X's activities".
- Demonstrate that $UVW,XYZ.00 is a realistic estimation of actual losses.
IMHO, Anything less does not provide 'smoking gun' proof, and if any society
wants to stop copyright infringement using P2P filesharing, then it has to
prescribe that the above procedure, or something very similar, is both legal
and adhered to before seeking convictions. It would be sensible to have
different penalties for private people sharing material and commercial entities
generating revenue streams at copyright holders expense.
[ Reply to This | # ]
|
|
Authored by: Anonymous on Sunday, December 31 2006 @ 05:06 AM EST |
An area that no-one seems to have addressed is physical security of the
connection. Since the ISP is a telephone company, we have assumed that the
connection is either DSL or dialup. This seems valid, although DOCSIS (cable)
is still possible. Since Groklegians tend to be techies, the focus has been on
technological areas. However, simple, old-fashioned wiretapping needs to be
checked out.
1. Has anyone investigated the security of the physical connection between
Verizon and Mrs Lindor's MPoE, including the MPoE itself? This should be in the
plaintiff's case, unless this essential step was (a)overlooked or
(b)exculpatory.
We know that Mr Lindor, the owner of the computer in question, passed away,
leaving Mrs Lindor to take care of his useless (to her) PC and its ISP
connection, among all the other things a newly minted widow has to take care
of. Was the PC normally left on or off, during Mr Lindor's life and later?
Was Mr Lindor's death lingering or sudden? If it were lingering, it would have
given ample opportunity for someone to make (ahem) illicit access to the
Verizon wiring, to use Mr Lindor's account for some other purpose. As long as
Mr Lindor wasn't using his PC, an intruder would have little chance of
detection. After Mr Lindor died, detection likelihood became nil.
During the time Mr Lindor owned the PC, did he in fact use it much? What sort
of things did he use it for? Was this usage consistent with the low usage found
on the disk image?
Could Mr Lindor, himself, have been a music 'collector'? If Mr Lindor had
downloaded some music, with or without knowledge that it was being made
available for sharing, the dynamics would seem to change. Depending on who held
the Verizon account at the time, Mrs Lindor might not be liable for the actions
of her dead husband, after his death. The actions would be the downloading,
leaving the PC turned on and connected to the ISP.
---
--Bill P, not a lawyer. Question the answers, especially if I give some.
[ Reply to This | # ]
|
|
Authored by: PeteS on Sunday, December 31 2006 @ 07:13 AM EST |
I was musing on the 'never used a computer in her life' phrase and this comes
up:
It is possible others in the local apartments / homes *knew* this and registered
a Verizon account in your client's name - ID theft is quite common and would be
a very slick way of avoiding attention (at least for a while) in this sort of
case.
This also would account for the reason the hard drive has no traces of Kazaa,
files etc., for the simple reason it was *not* the computer used in the alleged
maldeeds.
This would require questioning of the Verizon accounts and technical people, but
it certainly might be a line to follow up:
Q: Does the hard disk that was examined have any evidence of the violations?
A: (Expect NO)
Q: Was the hard disk the only one in the computer?
A: (Expect YES)
Q: Where is your physical evidence this computer was used to commit the alleged
violations?
A: (Should make the expert squirm a bit)
Q: Have you, or have you required, the ISP to be questioned on the full account
details of the defendant?
A: (Probably NO)
I am sure you can think of more questions.
Now methodology.
There have been threads in the past on the futility of trying to erase data
completely from hard disks. Indeed, even a defrag doesn't get rid of latent
traces.
So (not necessarily in this order):
Q: What tests were performed to extract the data from the hard disk?
A: [I would expect a detailed answer of scanning and recovery here. If not, then
perhaps it was sent to a professional data recovery house. If neither, then they
are grossly negligent]
Q: Please explain your qualifications in Computer Forensics in detail (courses
attended, time, qualifications obtained)
Q: Did you personally gather the information in this case?
A: [NO, the boilerplate says he will testify as to what other people's data
mean]
A bottom line on that, incidentally, is to get non-expert testimony admitted as
expert testimony by the artifice of using an expert to testify it - not sure the
Judge will let that one fly, but that's up to you to introduce of course :)
PeteS
---
Only the truly mediocre are always at their best[ Reply to This | # ]
|
|
Authored by: Anonymous on Sunday, December 31 2006 @ 08:11 AM EST |
MAC ADDRESS
Did they verify the IP to MAC address of the device using the IP?
Was the MAC address verified against the hardware installed in the computer?
From DUX Computer Digest - MAC Address
Q. What is an Ethernet MAC address?
A. MAC = Media Access Control. Each and every Ethernet device interface to the
network media (e.g., network adapter, port on a hub) has a unique MAC address,
which is "burned" into the hardware when it is manufactured. MAC addresses
uniquely identify each node in a network at the Media Access Control layer, the
lowest network layer, the one that directly interfaces with the media, such as
the actual wires in a twisted-pair Ethernet. In modern Ethernets the MAC
address consists of six bytes which are usually displayed in hexadecimal; e.g.,
00-0A-CC-32-F0-FD
The first three bytes (e.g., 00-0A-CC) are the manufacturer's code and can be
used to identify the manufacturer. The last three are the unique station ID or
serial number for the interface. One can determine the MAC address of an
operating Network Interface Card (NIC or network adapter) in Windows 9X/Me with
Start, Run, enter winipcfg, and select the adapter. In Windows NT, 2000, and XP
it can be determined by opening a DOS Window/Prompt (Start, Programs,
Accessories...) and typing:
C:\>ipconfig /all
The MAC address/station ID may be printed on the NIC.
Many broadband routers can clone a NIC MAC address. That is, make the Wide Area
Network (WAN) Ethernet interface going to a cable or DSL MODEM look like a NIC
in a PC. This is useful in that many MODEMs marry themselves to a specific MAC
address when they are first installed and it can be rather difficult to get
them to marry themselves to a new MAC address. The WAN port MAC address on some
routers can be manually changed (e.g., the SMC7004ABR).
It is possible to change/override the MAC address with Windows, etc.
A vendor/Ethernet MAC address lookup service is available at
or go straight to the source
http://standards.ieee.org/regauth/oui/index.shtml
This BASIC NETWORKING INFORMATION would identify the Hardware Manufacturer of
the DEVICE (Computer Network Interface Card or Router) that was attached to the
CABLE or DSL modem. YES THE INFORMATION CAN BE SPOOFED. Assuming the technical
level of the average user this information would be unknown to most of them and
therefore unlikely to be manipulated.
I use this information frequently at work to locate machines on the network,
(some times the computer name in the records do not match the name configured
in the machine). The mac address is also used to turn on the machines remotely
using WOL (Wake-On-Lan) in order to perform administration duties on the
equipment without having to physically visit the location to turn on the
machine.
Cable modems.
The Cable providers here in Canada only allow Registered Devices to attach to
the network. This is also done by Wireless Internet Providers (Wireless to the
customer premise), it's the same modem. At least one cable provider tries to
charge their customers for EACH pc that attempts to connect through the modem.
The most common method to circumvent this restriction is to install a router
and configure the router to spoof the MAC address of the registered P.C.
This is necessary even if you only want to install a router as a firewall for a
single computer!
DSL.
The DSL service in the town I live in is provided through the local Telco.
there are AT LEAST 3 "ISPs" and at least one of them has customers on 2
different backend resellers. The resellers contract DSL through the local telco
and reroute the customers to the ISPs network.
ALL OF THE TRAFFIC starts at the telco!
You CAN and I HAVE logged in to my account belonging to one provider in order
to test the access of a customer of A DIFFERENT ISP AT A DIFFERENT LOCATION!
The access is authenticated based on the username and password. The system
doesn't give a damn where I am.
I usually use this method to identify a customer account that has been disabled
because the bill has not been paid in a timely manner.
A login ID - MIGHT NOT - accurately identify the originating source.
HDD FORMAT SERIAL NUMBER
Dos drives used to encode the current date into a digital serial number
assigned to the disk when it was formatted. This was done on Floppy disks as
well as hard disk drives.
Can it be determined when the drive that WAS being examined was formatted?
If it was formatted any length of time before the alleged violations then it is
likely what it appears to be and WAS NOT the machine identified by the original
investigation.
Anonymous
GrokLurker Since Week ONE. R.A.G.
[ Reply to This | # ]
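The MAC checks the comment above asks about, as an added example (not part of the original comment or the quoted digest): it parses an address in the common notations, splits it into manufacturer prefix and station ID, decodes the IEEE group and locally-administered flag bits of the first byte, and compares an address seen on the wire with an adapter's address. Function names and finding labels are hypothetical; the addresses are sample values.

```python
import re

# Six hex pairs with one consistent separator, or three dotted groups of four.
_PAIRS = re.compile(r"[0-9A-Fa-f]{2}([-:])[0-9A-Fa-f]{2}(\1[0-9A-Fa-f]{2}){4}")
_DOTTED = re.compile(r"[0-9A-Fa-f]{4}(\.[0-9A-Fa-f]{4}){2}")


def parse_mac(text):
    """Return the six address bytes from 00-0A-.., 00:0a:.. or 000a.cc32.f0fd."""
    s = text.strip()
    if not (_PAIRS.fullmatch(s) or _DOTTED.fullmatch(s)):
        raise ValueError(f"not a MAC address: {text!r}")
    return bytes.fromhex(re.sub(r"[-:.]", "", s))


def describe(mac):
    """Split a parsed MAC into manufacturer prefix and station ID, with flag bits."""
    return {
        "oui": mac[:3].hex("-").upper(),              # manufacturer's code
        "station": mac[3:].hex("-").upper(),          # per-interface serial
        "group_address": bool(mac[0] & 0x01),         # I/G bit: multicast/broadcast
        "locally_administered": bool(mac[0] & 0x02),  # U/L bit: not factory-assigned
    }


def compare(observed_text, adapter_text):
    """Findings when a MAC seen on the wire is checked against an adapter's MAC."""
    observed, adapter = parse_mac(observed_text), parse_mac(adapter_text)
    findings = []
    if observed == adapter:
        # Consistent with this adapter, but a router cloning the address matches too.
        findings.append("match")
    elif observed[:3] == adapter[:3]:
        findings.append("same-manufacturer-different-station")
    else:
        findings.append("different-manufacturer")
    if observed[0] & 0x02:
        findings.append("observed-locally-administered")
    if observed[0] & 0x01:
        findings.append("observed-not-a-station-address")
    return findings


if __name__ == "__main__":
    adapter = "00-0A-CC-32-F0-FD"     # sample adapter address
    for seen in ("00:0a:cc:32:f0:fd", "000a.cc00.0001", "02:11:22:33:44:55"):
        print(seen, describe(parse_mac(seen)), compare(seen, adapter))
```

A match only shows the address is consistent with the adapter, and a mismatch only shows some other interface faced the modem; neither says who was using it.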
|
|
Authored by: tyche on Sunday, December 31 2006 @ 10:41 AM EST |
Just out of curiosity, I did a Google search for Media Sentry. Below is the
Google link, followed by some interesting views on the services and integrity of
the company (actually spelled MediaSentry, come to find out) that may lead to
other interesting questions this attorney might like to pursue.
Original Google link that I used
This is the original link that I used
(http://www.google.com/search?q=media+sentry&ie=utf-8&oe=utf-8&rls=com.ubuntu:en-US:official&client=firefox-a).
Your mileage may differ on actually clicking on it, which is why I also placed
it in plain text. Better would be for you to just go to Google and enter "media
sentry" (without the quotes).
Wikipedia entry for MediaSentry
Wikipedia has an entry for MediaSentry with some generalized background on
their "methods and procedures" (my GOSH, this is beginning to sound like TSCOG,
isn't it?). This site also mentions the UMG v. Lindor case, and has various
references at the bottom including a link to the litigation documents and
others of useful note for those interested in this case.
"Recording Industry vs The People" blog-spot
I found this to be an interesting site, full of potential. The creation of Ty
Rogers and Ray Beckerman (Hm, that name sounds familiar), who practice law at
Vandenberg & Feliu, LLP., in New York City. The particular article listed is
the "Deposition of Media Sentry representative in BMG v. Doe explaining Media
Sentry 'investigative' technique". It would appear that somebody is doing their
homework. :-)
Slyck News link
This link is included simply to show that there are various opinion pieces on
the net regarding MediaSentry. It would appear that opinions run AGAINST
veracity of MediaSentry's results.
This is NOT meant to be a definitive examination of all the material available
on the web - simply an alternative direction to look for further resources, and
to see what other questions may have been raised concerning MediaSentry's and
RIAA's "methods and concepts".
Craig
Tyche
---
"The Truth shall Make Ye Fret"
"TRUTH", Terry Pratchett
[ Reply to This | # ]
|
|
Authored by: pauljhamm on Sunday, December 31 2006 @ 11:45 AM EST |
Verizon Internet service hardware
Initially Verizon supplied a Westel DSL bridge sometimes referred to as a DSL or
Broadband modem. This device acted as a bridge between the incoming DSL signal
over RJ-11 (phone cable) to RJ-45 (Ethernet cable) and required PPPOE wrapper to
generate Internet access. The PPPOE wrapper functionality was supplied by a
Verizon software utility that installed on a Windows OS PC. Other PPPOE wrapper
utilities were available, most notably RASPPPOE, a much lighter weight utility
that was not supported by Verizon.
Later Verizon began supplying a more sophisticated connection product in the form
of a Westel DSL router firewall. This device removed the need for a PPPOE
utility installed on the PC. The current product supplies connection, routing,
forwarding, firewall, NAT, DHCP, DNS, NTP and I believe proxy utilities. All
functions are configurable through a web based utility.
Verizon is now offering FIOS (Fiber Optic) connections. The Internet connection
is supplied with a FIOS to RJ-45 bridge (a big grey box attached to the side of
the house) and a D-Link DI-624 wired/wireless router/switch. The DI-624
supplies similar services to the Westel DSL router firewall above.
The connection via Westel DSL router firewall would preclude external (WLAN)
observation of the workings of the LAN (internal network) making any statements
about the internal topology moot. Connecting a device such as the DI-624
between the Westel DSL router firewall and the PC is trivial. The DI-624 and
many other similar devices supply both wired and wireless connections. These
devices are commonly used in home networks to share Internet connections. These
devices are easily attainable and inexpensive. Such a device could also be
connected between the older Westel DSL bridge and PC to supply security and
connection sharing.
In the older DSL bridge configuration, installation of the PPPOE utility
software onto a PC would not be unusual. Indeed you would expect this to be the
norm. The initial connection is often made by a service technician or by the
end user to verify connectivity using the provider's utilities. Once function of
the connection is verified, insertion of a dedicated router/firewall between
the DSL bridge and the PC would be accomplished and the utility software on the
PC would simply not be used. Leaving the software utilities on the PC is easily
argued. It supplies a backup in the case of hardware failure. It supplies a
second connection ability for testing, when the provider breaks something.
I am personally familiar with all 3 of the above supplied Verizon products. I
was an early adopter of DSL in my area and had the Westel DSL bridge connected
to a GNULinux machine which acted as the router/firewall for several years. Two
of my brothers currently have Verizon supplied DSL that use the Westel DSL
router/firewall. One Brother uses a DI-624, functioning as a switch, between
the Westel and his 2 computers, one wired the second wireless. The second
Brother uses a similar setup but I am not sure which brand of device he
currently uses. I have recently upgraded my DSL to FIOS, though I still use my
GNULinux machine for routing and security. The Verizon supplied DI-624
functions purely as a switch.
Interestingly the FIOS installer used a wireless laptop and connected to a
neighbor's wireless connection to complete the final hookup of my new FIOS
connection. The installer stated that he does this all the time and never has a
problem finding a connection. I don't believe I will comment on the legality of
the phone company, or its agents, stealing Internet access.
Just another PJ
[ Reply to This | # ]
|
|
Authored by: Anonymous on Sunday, December 31 2006 @ 12:24 PM EST |
These lawsuits seem to be about 'intimidation'. In civil cases, the judge (or
jury) is asked to decide 'on the balance of probabilities' who is most likely to
be right. So, the question is, 'by what right did the RIAA obtain their
evidence' ?
|
|
Authored by: Anonymous on Sunday, December 31 2006 @ 01:59 PM EST |
A; some analysis from me that I was going to post on the linked Blog before I
realised that it requires registration.
The statement "two devices cannot effectively function if they are directly
connected to the internet with the same IP address" is both misleading and
wrong.
a) misleading.
Whilst it is true that normally a single address is not shared by multiple
devices, a very common form of connection to the internet is via a "Network
Address Translation" system. This multiplexes multiple devices onto the
same system.
b) wrong
There exists special software, e.g. ettercap, which allows a system to identify
the IP address of another system and send its own traffic with that IP address.
This software requires no modification of the original system and can be
applied to any system which is directly connected to the internet provided that
the "clone" system is on the same network segment as the original one.
B; a comment;
It's almost impossible for me to read through the entire set of comments here.
I can probably make several hundred comments myself. I'd really appreciate if
you could put the document up for analysis with a more suitable interface.
Please look at http://gplv3.fsf.org/comments/gplv3-draft-2.html for an example
that you can probably copy.
Also, personally, I'm not willing to contribute large amounts of work on
Groklaw. The reason for this is that the comments on Groklaw are not under a
consistent single copyleft license so other lawyers with a similar problem would
not be able to simply copy them and use them in their work. If you put up an
interface as I discussed before, please put comments under the GFDL license or
something similar. Others who want a different license could still use Groklaw.
[ Reply to This | # ]
|
|
Authored by: Anonymous on Sunday, December 31 2006 @ 02:29 PM EST |
Below is an example of a lawsuit ( U2/Negativland ) in which the people who
did the song:
-were personally bothered by the legal approach of the suit
-weren't even informed by the "powers" what was going on
-did the same "illegal thing themselves"
"Negativland's next project was the infamous U2 record with samples from
"America's Top 40" host Casey Kasem. In 1991, Negativland released a
single with the title "U2" displayed in very large type on the front
of the packaging, and "Negativland" in a smaller typeface. An image of
the Lockheed U-2 spy plane was also on the single cover...
U2's label Island Records sued Negativland claiming that the "U2"
violated trademark law, and the song itself violated copyright law. Island
Records also contended that the single was an attempt to deliberately confuse U2
fans, then awaiting Achtung Baby...
...In June, 1992, R.U. Sirius, publisher of the magazine Mondo 2000 came up with
an interesting idea. Publicists from U2 had contacted him regarding the
possibility of interviewing Dave Evans (aka "The Edge") hoping to
promote U2's impending multi-million dollar Zoo TV Tour, which featured found
sounds and live sampling from mass media outlets (things for which Negativland
had been known for some time). Sirius, unbeknownst to the Edge, decided to have
his friends Joyce and Hosler of Negativland conduct the interview. Joyce and
Hosler, fresh from Island's lawsuit, peppered the Edge with questions regarding
his ideas about the use of sampling in their new tour, and the legality of using
copyrighted material without permission. Midway through the interview, Joyce and
Hosler revealed their identities as members of Negativland. An embarrassed Edge
reported that U2 were bothered by the sledgehammer legal approach Island Records
took in their lawsuit, and furthermore that much of the legal wrangling took
place without U2's knowledge: "by the time we (U2) realized what was going
on it was kinda too late, and we actually did approach the record company on
your (Negativland's) behalf and said, 'Look, c'mon, this is just, this is very
heavy...'" Island Records reported to Negativland that U2 never authorised
samples of their material; Evans response was, "that's complete bollocks,
there's like, there's at least six records out there that are direct samples
from our stuff."[2]
from :http://en.wikipedia.org/wiki/Negativeland
My thought: might it be of use to subpoena the artists who did some of the records
in question, and get it in the legal record how they feel about what the record
companies are doing?
[ Reply to This | # ]
|
|
Authored by: Anonymous on Sunday, December 31 2006 @ 03:26 PM EST |
A lot of people questioned the validity of evidence. I suggest what they are
really concerned about is the blatant conflict of interest here. MediaSentry is
under a tremendous amount of financial pressure to provide evidence that will
convict people of file sharing. I would point this out to the court. The
details of why the evidence is suspect are important but perhaps what is more
important is the presence of a conflict of interest. It is human nature to
change facts for financial gain.
[ Reply to This | # ]
|
|
Authored by: archimerged on Sunday, December 31 2006 @ 05:49 PM EST |
I've read (or at least looked at) most of the PDF's in the case. They were hard
to access because of the frames around the PDF display, which doesn't work on my
setup anyway. (Firefox takes forever to load the page, then the pdf gets
downloaded to /tmp/ and opened in my pdf reader). So I did this:
1. saved http://info.riaalawsuits.us/documents.htm
2. Prepared a list of URLs for this case from the html file:
cat documents.htm | tr '<' '\n' | grep "^a href=" | grep lindor | tr '>' '\n' | grep "^a href=" | sed 's/^a href="//; s/"$//' > umg_lindor_URLS.txt
This produced a file of 114 lines with one URL per line, like so:
http://www.ilrweb.com/viewILRPDF.asp?filename=umg_lindor_firstamendedanswer
http://www.ilrweb.com/viewILRPDF.asp?filename=umg_lindor_060412expertwitnessreportplaintiff
http://www.ilrweb.com/viewILRPDF.asp?filename=umg_lindor_060425judgetrager
3. Downloaded all of those URLs with wget:
cat umg_lindor_URLS.txt | xargs wget
4. Extract the actual pdf URLs and fetch them with wget:
grep IFRAME *.asp* | sed 's|^[^"]*"|http://www.ilrweb.com|; s/".*$//' | xargs wget
Of course I looked at the results of the pipeline before actually running it
with xargs wget. The first few lines of output were
http://www.ilrweb.com/ILRPDFs/umg_lindor_060412expertwitnessreportplaintiff.pdf
http://www.ilrweb.com/ILRPDFs/umg_lindor_060425judgetrager.pdf
http://www.ilrweb.com/ILRPDFs/umg_lindor_060502response.pdf
(In a different order because the shell expands *.asp* in alphabetical order,
not in the order found in documents.htm).
5. Opened the directory containing the pdf's with firefox file:///home/....
Then clicking on a pdf (which has the correct date beside the link because wget
sets the file date to match the server date upon download) opens it quite
quickly in my pdf reader.
I realize that ilrweb wants everyone to be aware of their
contribution by framing the pdf's, but it slows down access
to them so much as to prevent access unless you avoid the frame.
[ Reply to This | # ]
|
|
Authored by: archimerged on Sunday, December 31 2006 @ 06:07 PM EST |
It is fairly obvious that UMG should not have sued Ms. Lindor but should have
continued discovery under the same John Doe case they used to obtain her name
from Verizon. They should have subpoenaed computers which might have been used
with her Verizon internet account and the names of anyone who might have used
it, and details of her computer and network equipment. Then it would have
become obvious who they should be suing.
But they don't seem to be interested in justice, only settlements without trial.
They didn't want to have to go to the expense of actually examining her
computer without first trying to get her to settle.
[ Reply to This | # ]
|
|
Authored by: Anonymous on Sunday, December 31 2006 @ 09:27 PM EST |
I was just wondering whether it would be useful for Mr Beckerman to summarise
his understanding of the comments made so far and/or to ask more clarifying
questions as appropriate (providing they don't of course compromise legal
strategy to be used in court.) I would've thought it very important that any
discrepancies/problems with the prosecution's case be clearly and unambiguously
understood before the deposition and supporting links/evidence found, so as to
maximise the value that might be had from it, and to strengthen the defense's
case going forward. In particular, demonstrably false assertions (like the one
that a PC that uses a public IP address necessarily must be directly connected
to the internet and can not be through a router) I would've thought need the
facts and counterexamples proving them documenting, either for use during the
deposition, or for use during trial? Or would this not be useful at this point?
(IANAL IMHO etc.)
ByteJuggler
[ Reply to This | # ]
|
|
Authored by: Anonymous on Monday, January 01 2007 @ 01:23 AM EST |
The only thing going for the persecution at this time is that they have a
Verizon user account associated with a Kazaa share at a particular point in
time. Is there any other evidence which can link the defendant to the file
sharing?
Her computer gives no evidence and even though the Doctor says that the disk
image showed evidence of a routeable IP address he does not assert that it is
the same IP address as did the file sharing. I would therefore guess that it is
not, but I might ask.
Actually it might be very interesting if the IP address from the registry WAS
the same especially if it was obtained at about the time in question. As there
is no evidence of the software or the data, if the IP address is the same and
was obtained at about that time it is evidence that the machine has not been
rebuilt since then to destroy incriminating evidence.
I'd also like to know what limitations there are preventing anyone in the world
from connecting to Verizon using her userID and password (which could be
obtained any number of ways) and being assigned that IP address.
I'd like to know if the screenshots or logs indicated the full directory path to
the shared files (e.g. c:kazaapublic or d:bigshare or something.) If it was
on the C: drive assuming a windows machine of course then it would have to be on
the primary disk and if other evidence shows that the primary disk in the
defendant's machine is the same one it has always been that is good evidence
that hers was not the machine used.
Q. How many different locations could someone using this user's credentials
connect to the Verizon service from?
Q. Is there any information in the Verizon logs to indicate an origin for the
connection made using the defendant's credentials on that occasion? e.g. dial-up
might show a phone number, ADSL or cable might indicate an exchange or DSLAM or
particular cable loop.
Q. How could you differentiate between the defendant connecting to Verizon and
someone else who might be using her userID and password?
Q. Is it not possible for someone to alter the IP address that their computer
announces to the network and even the MAC address to effectively take over
someone else's idle internet connection? (A. yes it is!)
Q. Does the MediaSentry information indicate the full path to the shared file
directory on the machine at IP address 141.155.57.198? If so on which disk does
it reside?
I would basically be trying to establish what exactly they have in all the
MediaSentry stuff and the hard drive image.[ Reply to This | # ]
|
|
Authored by: Anonymous on Monday, January 01 2007 @ 01:23 PM EST |
Ok, let's assume that Ms. Lindor is telling the truth, and that MediaSentry's
report is accurate. There is another way that this could all be true.
Packet forwarding on Ms. Lindor's computer.
Let's say that Ms. Lindor is not knowledgeable about computers (this doesn't
have to be true, as I know people who even were running linux servers who got
owned at one point, but for simplicity let's assume that Ms. Lindor is an
average end user).
What happens is that a reasonably skilled person takes over control of Ms.
Lindor's computer and uses that to share files. Actually the files are never on
Ms. Lindor's machine, rather her machine is the gateway for the files to be
shared (similar to NAT). This isn't complex, in fact it's trivial. Sometimes
the Network administrators get upset when I reroute open ports to different
protocols or when I have to create a new path between machines to show that
there is a problem with packets going one way or another. In other words, as
part of my work, I do this regularly on machines that I have the legal authority
to do so to.
This is common use of "zombie" machines in my opinion, to create a
black hole for tracing the packets back. It's also common to remove traces
after the fact.
But heck what do I know? [ Reply to This | # ]
|
- Good Point - Authored by: Anonymous on Tuesday, January 02 2007 @ 04:02 AM EST
|
Authored by: Anonymous on Monday, January 01 2007 @ 02:28 PM EST |
The good dr.
1: Uses the word "Users" where the word "Node" should be
used.
2: While not checking the content of the file he will refer to the hash;
Google for "hash collision" to rebut this.
For somebody with so many projects and side jobs I can't believe he found time
to go deep into any subject.
If he really knows so much about internet, he will also know how easily info can be
spoofed or misinterpreted.
I did not find a word on this in his "boilerplate report"
/Arthur
[ Reply to This | # ]
|
|
Authored by: ausage on Monday, January 01 2007 @ 06:47 PM EST |
I just realized that we seem to have forgotten something important here. We
know the RIAA is prone to submit hearsay evidence and testimony. The red flag
for me is that in neither of Dr Jacobson's Expert Reports does he give any
indication of the methodologies, procedures or tests he used to examine the
evidence.
I believe he should be asked:
- When examining the media sentry logs, did you do all the work yourself, or
did you have an assistant?
- Exactly what work did you do, and what did your assistant do?
- Who was your assistant?
- What methodologies did you use to test the veracity of the Media Sentry Logs?
- Why did you use these methodologies?
- What tests did you apply?
- Were the logs on paper or in machine readable format?
- If machine readable what systems and programs were used to analyze them?
- What Operating System was the "infringing" system using? [an expert could
determine this from the raw packet logs].
- Did you examine the hard drive from Ms Lindor by yourself, or did you have an
assistant?
- Exactly what work did you do, and what did your assistant do?
- Who was your assistant?
- What methodologies, procedures and tests did you use?
- Why did you use these methods and procedures?
- Did you use a system to examine the hard drive at the raw sector level?
- Did you mount the hard drive into a special forensic computer for examination?
- What was the apparent age of the hard drive (based on date formatted, file
timestamps, etc.)?
- What was the public IP address you discovered in the registry?
- When was it assigned?
I know that if I was submitting an expert report into what could very well
become a precedent setting legal case, I would want all of these questions and
more answered. And I believe the lawyers that hired me would want that too.
Just the same as a judge sets out his reasoning in a judicial ruling, an expert
should explain the analysis and reasoning that his conclusions are based on.
[ Reply to This | # ]
|
|
Authored by: Rollyk on Tuesday, January 02 2007 @ 12:20 AM EST |
We need a case like this to go to court. True public scrutiny is essential,
because as most everyone here knows the plaintiff's case, a "SLAPP"
suit of the worst kind, is blatantly weak.
To start, buy a wireless router, set it up without following the instructions,
get it working, and note that anyone within 50 metres can access it. Many of us
here have done this.
RIAA has a lot of money to lose here, they won't give up easily, and, true, this
defendant is a weak example. Perhaps if "Grouch" were sued it would
make more sense.
To: R. Beckerman, buy a wireless router ($60) and try this.
---
pay now, or pay later, there's no free lunch.[ Reply to This | # ]
|
|
Authored by: jlueters on Tuesday, January 02 2007 @ 07:08 AM EST |
hi,
I am working in Germany and being a public certified expert, we (me and a
lawyer) were just dealing with a similar case here. The other side came up with
an expertise as well.
Our experience:
1. Weak legal side. The other side could not prove that they are legitimated to
run the case. They had no uninterrupted legal chain, which would have allowed
them to run the case. That's why they have lost.
2. Technical
2.1. IP addresses:
In order to identify a person or a computer on a dynamic line, the time is
absolutely critical, if you are 2 hours off it's a totally different user. This
raises the issue whether the timezones in question are alike. Esp. you can ask
if the system used to record the traffic has been on the right time zone during
recording and how they can prove that now.
2.2 Software
You should ask if the recording software has been certified by an independent
test laboratory to make sure that the program really does what it promises.
You should ask if the expert has inspected the source code of the software and
can assure the correctness.
You should certainly (by means of an own investigation) see if the logging
software violates the GPL. To our experience that might likely be the case.
You can ask if the expert can assure that the computer in question _has not_ been
a part of a bot network during that time.
Regards
Jürgen
[ Reply to This | # ]
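The time-zone point in 2.1 above can be checked mechanically: the same zone-less log timestamp maps to different subscribers depending on which UTC offset the recording system was really using. This is an added example, not part of the original comment; the lease history, subscriber labels, address (documentation range), timestamp and the helper names `to_utc`, `attribute` and `sensitivity` are all constructed.

```python
from datetime import datetime, timedelta, timezone

FMT = "%Y-%m-%d %H:%M:%S"


def _utc(s):
    """Parse a timestamp that is already known to be UTC."""
    return datetime.strptime(s, FMT).replace(tzinfo=timezone.utc)


# Constructed ISP lease history for one dynamically assigned address.
# Each entry: (subscriber label, lease start UTC, lease end UTC).
LEASES = {
    "203.0.113.25": [
        ("subscriber-A", _utc("2007-01-02 04:00:00"), _utc("2007-01-02 09:00:00")),
        ("subscriber-B", _utc("2007-01-02 09:05:00"), _utc("2007-01-02 12:00:00")),
        ("subscriber-C", _utc("2007-01-02 12:05:00"), _utc("2007-01-02 18:00:00")),
    ]
}

IP = "203.0.113.25"
OBSERVED = "2007-01-02 06:12:45"  # constructed, zone-less, as written in a log


def to_utc(local_str, utc_offset_hours):
    """Interpret a zone-less log timestamp as local time at the given offset."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    local = datetime.strptime(local_str, FMT).replace(tzinfo=tz)
    return local.astimezone(timezone.utc)


def attribute(ip, when_utc):
    """Return (subscriber, margin_seconds) for the lease covering when_utc.

    margin_seconds is the distance to the nearest lease boundary, i.e. how
    much clock error the attribution tolerates before it points at someone
    else. Returns (None, 0) if no lease covers the instant.
    """
    for who, start, end in LEASES.get(ip, []):
        if start <= when_utc < end:
            margin = min(when_utc - start, end - when_utc).total_seconds()
            return who, int(margin)
    return None, 0


def sensitivity(ip, local_str, offsets):
    """Map each candidate UTC offset to the subscriber it would implicate."""
    return {off: attribute(ip, to_utc(local_str, off))[0] for off in offsets}


if __name__ == "__main__":
    who, margin = attribute(IP, to_utc(OBSERVED, -4))
    print("claimed offset UTC-4:", who, "margin", margin, "seconds")
    # -5: daylight-saving mistake; -6 and -2: two hours off either way;
    # 0: recorder actually logging in UTC; -7: recorder in another zone.
    for off, name in sensitivity(IP, OBSERVED, [-5, -6, -2, 0, -7]).items():
        print("offset %+d h -> %s" % (off, name))
```

The margin value is the question to put to the witness in concrete form: the attribution only holds if the recorder's clock and zone are proven correct to within that many seconds.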
|
|
Authored by: KnightRampant on Tuesday, January 02 2007 @ 08:56 AM EST |
I work for a living and therefore do not have time to compile a 20 page
Curriculum vitae, but I have worked on networks at a variety of companies. IP
Addresses have always struck me as a very poor way of establishing Identity.
The simple fact is that given access to any router between the Media Sentry
system and the Lindor system, I could make it seem that any arbitrary
service was running on the Lindor system. Redirecting traffic from a few ports
for an IP address is trivial and common. The actual service could be running
anywhere on the internet. If I were a malicious person wanting to host such a
service and blame someone else, I would certainly think of using an address from
the dynamically assigned pool of a major ISP like Verizon, since it is unlikely
to have any real services running on the ports I borrow. Now I know routers
where such a redirection of traffic could be accomplished are supposed to be
locked down with very limited access, but the fact remains that such a
redirection could take place and the RIAA would presumably have to address this
possibility as part of their burden of proof. I would think they would need
either a traffic capture from Verizon taken directly from the Lindor link, or a
configuration dump from every router in the possible communications path from
the Media Sentry System to the Lindor home.[ Reply to This | # ]
|
|
Authored by: hamstring on Tuesday, January 02 2007 @ 11:13 AM EST |
I work in IT, and have some experience with the government's own internal rules
of engagement. Some of these should be common sense, but seem to be ignored in
your case. Mostly, I deal with auditing systems, but these same rules pertain
to other types of logging as well.
RULE 1: Logs that can be modified in any way are not usable. This includes
images and text files. The only admissible evidence would be binary logs, which
require extraction tools. This prevents any tampering. Part of auditing system
is a kernel module which will audit and send alerts if anything attempts to
tamper with either the kernel module or the binary logs.
TEXT LOGS
---------
Here is an example of why this is necessary: Simple Unix shell scripting.
#!/bin/sh
# Write one made-up log line per address 10.1.1.1 through 10.1.1.254.
LOG="/tmp/log.txt"
I=1
while [ $I -le 254 ] ; do
echo "IP: 10.1.1.$I is downloading files" >>$LOG
# expr does the arithmetic; the bare `$I + 1` would try to run "1" as a command
I=`expr $I + 1`
done
#---end---
This script will create a log which lists all addresses from 10.1.1.1 through
10.1.1.254 and flags each with my message "is downloading files".
To change this, I simply do this.
cat /tmp/log.txt | sed -e 's/10\.1/213.1/g' >>/tmp/newlog.txt
#---end
Now I have a new log which changed all the "10.1" entries to be
"213.1" entries. This new log will keep all the suffix IP numbers, so
my new list contains all IP addresses 213.1.1.1 through 213.1.1.254.
Please note that this is a rudimentary example, and that much more complex
changes can be made, allowing me to make any entry I want look however I want.
IMAGES
------
Images may not be as simple to bulk change, but any graphic program allowing
"copy" and "paste" as well as text input will be able to
modify an image. Time to make modifications will be based on the user's
abilities with the graphics program being used.
CONTROLLED SYSTEMS:
-------------------
In order to "prove" a user did anything, systems must be trusted and
audited. For this reason, we use special software and rule sets on all audited
systems, as well as deny uncontrolled access to any network (especially the
internet).
There are countless exploits for computer operating systems which allow for
remote control of the system without user knowledge. Simply search for
"root kit", "back door", or "trojan" on any
reputable anti-virus/anti-spyware company web site to get an idea of how many
exploits exist.
SPOOFING
--------
Last thing I will mention is IP spoofing. A simple explanation of this is that
spoofing allows someone to appear as if they are using an IP address which they
are not actually using.
Software must be built with spoofing detection built in. Sniffing network
traffic from an external network (3rd party snooping) may not be able to detect
spoofing. There are several reasons for a failure in detection. What is
important, it "can" fail, which means that burden of proof may not be
met.
---
* Necessity is the mother of invention. Microsoft is
* result of greed[ Reply to This | # ]
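One way to make a plain text log tamper-evident, so that an edit like the sed substitution above is detected, is to chain a keyed hash over the records. This is an added example, not part of the original comment and not the kernel audit module it mentions; the key, the function names and the sample lines (modelled on the script above) are constructed.

```python
import hashlib
import hmac

GENESIS = b"\x00" * 32  # fixed starting value for the chain


def _tag(key, prev_tag, line):
    # Each tag covers the previous tag as well as the line, so a record
    # cannot be edited, reordered or dropped without breaking the chain.
    return hmac.new(key, prev_tag + line.encode("utf-8"), hashlib.sha256).digest()


def seal(lines, key):
    """Return [(line, tag_hex)] with every tag chained to the one before."""
    records, prev = [], GENESIS
    for line in lines:
        prev = _tag(key, prev, line)
        records.append((line, prev.hex()))
    return records


def verify(records, key, expected_head=None):
    """Return -1 if intact, else the index of the first record that fails.

    expected_head is the last tag, kept somewhere the log writer cannot
    reach; without it, cutting records off the end goes unnoticed. A
    mismatch against it is reported as index len(records).
    """
    prev = GENESIS
    for i, (line, tag_hex) in enumerate(records):
        expected = _tag(key, prev, line)
        if not hmac.compare_digest(expected.hex(), tag_hex):
            return i
        prev = expected
    if expected_head is not None and not hmac.compare_digest(prev.hex(), expected_head):
        return len(records)
    return -1


# Constructed demo data: the key is held by the verifier, not stored with
# the log, so someone editing the file cannot recompute valid tags.
KEY = b"constructed-demo-key"
LINES = ["IP: 10.1.1.%d is downloading files" % i for i in range(1, 255)]


def demo():
    sealed = seal(LINES, KEY)
    head = sealed[-1][1]
    # Same bulk substitution as the sed command in the comment above.
    bulk_edit = [(line.replace("10.1", "213.1"), tag) for line, tag in sealed]
    one_edit = list(sealed)
    one_edit[99] = ("IP: 192.0.2.7 is downloading files", sealed[99][1])
    dropped = sealed[:50] + sealed[51:]
    truncated = sealed[:100]
    return {
        "intact": verify(sealed, KEY, head),
        "bulk_edit": verify(bulk_edit, KEY, head),
        "one_edit": verify(one_edit, KEY, head),
        "dropped": verify(dropped, KEY, head),
        "truncated_no_head": verify(truncated, KEY),
        "truncated_with_head": verify(truncated, KEY, head),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The chain only shows that records were not changed after sealing; it says nothing about whether the lines were true when written, which is the separate point the comment makes about trusted and audited systems.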
|
|
Authored by: Anonymous on Tuesday, January 02 2007 @ 02:45 PM EST |
I have read the responses and they all seem to address the technical
circumstances where an account or address can possibly be hijacked or spoofed.
Also they address the lack of a custody of the information etc.
The problem as I see it is that this is not a criminal suit. It is civil, and
the plaintiff does not have to establish the circumstances of the case beyond a
shadow of a doubt. The plaintiff only has to show by the lesser standard of
preponderance of the evidence that the defendant has committed the acts alleged.
Therefore a plausible explanation to counter the accusations is necessary.
1. The denial of actual downloading is supported by the disk not having any of
the material present, IF AND ONLY IF the disk can be verified to not have been
cleaned up or modified after it supposedly had been used to download infringing
material.
2. Some of the explanation can be fleshed out by demonstrating how a non
computer literate person can be set up to appear to have done these actions by a
third party. But to be plausible the alternative explanation would include some
evidence of the third party at work.
3. How can the Defense show evidence of a third party acting on this computer?
4. The Plaintiff only has to show the normal activities for a person to download
the material. That is usually going to be accepted as what happened unless the
defense shows a plausible alternate to the Judge or Jury.
5. Who was actually driving the keyboard at the time of the download is a
defense.
6. Whether or not the download actually occurred is another
defense. This defense is fairly strong if the disk in ITEM #1 is verified to be
the disk in place when the violation supposedly occurred.
7. Otherwise an all out attack on the credibility of the RIAA and Media Sentry
is probably a good defense. The motivation of the RIAA is suspect and there are
judicial rulings (in other countries) concerning the type of evidence which Media
Sentry attempts to provide. Getting the Media Sentry Evidence thrown out based
on the prior court rulings AND having the evidence examined by a true forensic
expert with professional...not academic.....credentials is essential to the
case. Even if the judge does not rule that the evidence is excluded, there is
foundation laid to attack the evidence at trial and let the jury decide if the
evidence is faulty.
8. Any so-called "expert" who would list his students' non-published
CLASS WORK as part of his cv is suspect as is someone who would list the local
campus police as a reference for forensic work concerning computers. It would
probably involve reading e-mails to see who was drinking beer in the dorm or
some such nonsense. The "expert" probably can be made to seem quite
pompous if his cv is any indication.
[ Reply to This | # ]
|
|
Authored by: Anonymous on Tuesday, January 02 2007 @ 09:12 PM EST |
1- every time you dial in or reset your router or lease expires (< than 24
hours), you get a different ip address from the isp (like aol).
2- The router provides a totally different address to the user's computer and the
isp can only see the isp provided address.
ie isp provides 244.123.124.1, your computer 192.168.10.1,
your 2nd computer 192.168.10.2 from the router.
3- the isp can only see the cable modem / router and can not see any of the
other computers.
4- since the isp can only see the router and can not see the other computers,
the isp can not know whether they have a wired or wireless router. It's
impossible to know if the person has a wireless router.[ Reply to This | # ]
|
|
Authored by: Anonymous on Tuesday, January 02 2007 @ 09:24 PM EST |
As messages pass from router to router, the routers can and do alter the message
header mask which shows where the message came from depending on the router
protocol. ie. One company sending messages through another company's router
without the routing company actually using the message (flying within a cloud).
Get a copy of a router manual for a router an isp would use, not your simple
$100 router but your $50,000 router, notice it's over a 1000 pages of text and
options. Foundry
It is possible for an ISP router to perform almost anything which could make the
message appear to be from one location when it really came from another.
Vlans. see isp masquerading.
[ Reply to This | # ]
|
|
Authored by: Anonymous on Tuesday, January 02 2007 @ 09:56 PM EST |
(I am not a lawyer - worse - I'm an EE)
Not sure without reading everything if this has been pointed out:
The MAC address is definitely not an absolute fingerprint.
I've had network cards that this number could be set to whatever value the user
wanted using a simple utility from the network interface card vendor.
I did see where it was pointed out that this can also be done via the router.
My Netgear WGT634U has that ability. It basically makes the router look like
the computer to the upstream DHCP server that assigns the IP address to the
connection. On my side of the router, I can set my local IP addresses to
whatever I want. I am basically setting up my own local network. That doesn't
prevent a program (like windows) from reading my MAC address from my PC and
passing it out via the connection.
The wireless connections can be spoofed. I've been told by some fairly
knowledgeable folks at work that your wireless connection can be broken into
even if it is setup correctly. You just have to be able to monitor the traffic
for a long enough period of time. That is probably the reason that the lack of
a wireless router was specified.
If I download something off the web that turns out to have been copyrighted
material, the copyright violator should be the one who originally created the
copy. How am I to know that the material I just downloaded was copyrighted
unless it was indicated to me somehow in advance? Ever read Wikipedia? There
is a >lot< of copyrighted material within it. Am I in violation of
copyrights because I downloaded and read this material? Even if it wasn't
indicated to me in advance that it was copyrighted material? What if I link to
it via my website? Does where the data is physically stored for redistribution
really matter? It's not on my drive, but I'm still providing its location?
That's not really different to my providing local storage.
If the original owner downloaded the file electronically, what dictates
ownership of that file? If he copies it to a CD, is that a new copy? Or is it
just fair usage? If he gives that CD to a friend, is it him or his friend that
is in violation of the copyright? How do you prove damages?
What if the CD was just on loan? Is that fair usage?
There really isn't much of a difference between an electronic copy and a
physical one like that CD. How do you prove intent?
And there should have been criminal charges brought against SONY for that
rootkit. I'm pretty sure if I wrote something like that and released it, I'd be
in prison by now. They should have also been required to provide everyone who
purchased the CD's with that rootkit with a replacement copy without the rootkit
installed as well as a mechanism for removal of the rootkit.
If the lady didn't do the filesharing, then maybe a relative did it. Does that
make the lady culpable? Couldn't that be extended back to the internet service
provider as well? They need to prosecute the individual that committed the
crime, not the person/entity that unknowingly provided the connection.
Was the lady given notice that she had copyrighted material being distributed
from her system? And was she given some fair period of time to remove it?
[ Reply to This | # ]
|
|
Authored by: Anonymous on Wednesday, January 03 2007 @ 10:27 AM EST |
In the "Affidavit and Expert Report" from Dr. Jacobson, in his
conclusions, he has the following two items, and the numbers don't match:
16)I will testify that Mediasentry found over 700 files shared on a computer
using the KaZaA file sharing program based on the screenshots. The KaZaA user ID
is jrlindor@KaZaA.
18)I will testify that the information from Mediasentry (SystemLog, UserLog,
UserLog (compressed), and the Download logs)indicates that the computer with IP
address 141.155.57.198 offered 624 audio and music files, most of them are
copyrighted music files, for distribution using the KaZaA program on 8/7/2004
starting at or around 6:12:45 AM EDT through at least 7:08:30 AM EDT.
Are the two computers mentioned in items 16 & 18 purported to be the same
computer? If so, why the difference in the number of files (624 vs. 700)? And
why no mention of the IP address in item 16?
Other things to ask Dr. Jacobson:
Was he present or does he have direct knowledge of the actual physical methods
employed by Mediasentry in gathering their screenshots and various log files?
Was a network packet trace taken at the time that the other Mediasentry
information was gathered?
If his answers to the 2 questions above are "No", then how could he
possibly be assured that the screenshots and logs from Mediasentry had anything
to do with computers actually connected to the internet? Anyone can set up a
router locally without connecting it to the internet and configure any IP
subnets and address ranges that they wish, and then run programs that would make
screen shots and log files appear to incriminate anyone's IP address that they
wish.
Another one, item number 19 says in part:
"during which time the 624 files were being distributed"
While the wording in item 18 says "offered for distribution".
During the time period in question, is there any proof that any files other than
the 11 files downloaded by Mediasentry were actually distributed to (downloaded
by) anyone else? If he is lying about the number of files actually being
distributed rather than being offered for distribution, then all of the rest of
his testimony can be construed by the judge and/or jury as lies as well, and you
should ask the judge to include that in his instructions to the jury.[ Reply to This | # ]
|
|
Authored by: Anonymous on Thursday, January 04 2007 @ 08:42 AM EST |
In addition to the issues of IP assignment, spoofing, and Network Address
Translation, another potential question arises in the following case;
1. The defendant has a dynamically assigned 'public' IP address
2. She is using a router which translates IP requests and responses to private
IP addresses (termed Network Address Translation)
3. She has a wireless access point in the private address space (WiFi point)
4. She, or the vendor of the equipment, has left the access point in open access
mode (this is often the 'out-of-the-box' configuration)
5. A third party has connected to her access point using a WiFi connection
6. The third party has used P2P software...
This is NOT an unlikely scenario and I'm sure some research will turn up similar
cases.[ Reply to This | # ]
|
|
Authored by: nick2000 on Thursday, January 04 2007 @ 04:14 PM EST |
After reading the linked documents, I would like to know:
#1 how did they determine the IP address of the host? Did they install a client
and "sniff" what IP they were talking to? How do they know this was
the target IP and not some gateway? There is a statement that it could not be
the address of a router. How could they possibly know?
#2 How is the MediaSentry information legally reliable? What was the chain of
custody of that information? Can this Mediasentry information be considered
valid instead of just hearsay? That does not look like legally tenable PROOF.
There could be a mistake or it could have been altered.
#3 They state that NO PROOF was found on the defendant's PC, therefore, they
claim it's the wrong hard disk yet the hard disk was in use at the time? That
cannot be right. So, it's the defendant's burden to prove that they do not have
another hard disk? I do not see any proof that this is the wrong hard disk,
only speculation.
#4 Now, Ms Lindor has never used a computer, but yet she has an Internet
account? Also there was obviously a computer since they searched it. Does this
account belong to somebody else? Did this Lindor Jr live in the house and do
this and they simply targeted the owner of the account instead of the person
who was actually sharing the files?
[ Reply to This | # ]
|
|
Authored by: Anonymous on Friday, January 05 2007 @ 02:57 AM EST |
Another angle... One that the RIAA will not like at all.
Based on the fact that everything could be forged on the Internet, it will be time to
check if MediaSentry has good hygiene.
1) They ask you for a copy of your HardDisk... Fine... Ask them for a copy of the
HardDisk used by MediaSentry...
Have this checked for Trojans, Root kits, etc...
[ Reply to This | # ]
|
|
Authored by: Anonymous on Saturday, January 06 2007 @ 03:12 PM EST |
I think UMC is going to go broke suing its potential customer base. Would a
customer buy a product from a company that sues them? I wouldn't!
Anyone with a windows PC can be and more than likely is being controlled by a
third party.
There is so much malware out there that the average computer user is clueless as
to how to secure their PC and most of them just do not care as long as the PC
does what they want it to.
Then there are the DSL routers that people set up according to the instructions
leaving them wide open to spoofing or someone getting on the net for free.
There are too many ways to get to the net and only a few people committing the
crime.
So my advice to the end user is to get smart and secure your PC. Would you leave
a loaded gun around for a 4 year old to play with? That is pretty much what you're
doing to your bank accounts and so forth if you do not secure your PC.
And my advice to UMC is for them to stop suing their customer base!
Draq Wraith[ Reply to This | # ]
|
|