GROKLAW
When you want to know more...
Another Lawyer Would Like to Pick Your Brain, Please
Friday, December 29 2006 @ 05:17 PM EST

Another lawyer would like to pick your brain. Ray Beckerman, the attorney for Marie Lindor in UMG v. Lindor, would like to make sure he understands a tech issue, and he'd like your input on it. He's had input from other tech sites as well, but folks there told him to ask Groklaw, and so he is. You'll need to read some reports in order to help, and he includes links to them in his request.

I think you can sum up his viewpoint on the overview like this: the music industry is targeting end users, who are simple folk who lack the resources and sophistication to defend themselves adequately, even when they are innocent, and thus important legal issues are being decided on an uneven playing field. He's trying to do something about that, so we don't end up with lop-sided case law. This isn't at all about condoning copyright infringement. You all know where I stand on that. But he raises a real issue.

When you find yourself on an uneven field, one weapon that can help is to use what you have skillfully, as in David and Goliath. What he knows you have is technical expertise, and he'd appreciate it very much if you'd share that knowledge with him here, so he can prepare for an upcoming deposition. He asks for questions to ask an expert witness for the other side, but in addition, if you can point out flaws in the MediaSentry's investigations methods and/or Dr. Jacobson's materials, I think he'll be able to figure out the right questions from that.

Here's his request:

***********************

As many of you may already know, the courts of the Netherlands and of Canada have rejected the "investigations" conducted by the RIAA's "investigator", Tom Mizzone of MediaSentry. See, e.g. BMG v. Doe and Foundation v. UPC Nederland, based largely on the type of reasoning set forth in the independent experts' report of Prof. Sips and Dr. Pouwelse of the Parallel and Distributed Systems research group of Delft University. Their report critiqued the "overly simplistic" nature of MediaSentry's work, in that it had omitted a number of procedures which would have been thought necessary to a sound online 'p2p filesharing piracy' investigation.

It should therefore come as no surprise that in the United States, more particularly in UMG v. Lindor, in Brooklyn federal court, the RIAA is trying to prevent disclosure of the "instructions", "parameters", and "processes" of MediaSentry's investigation. In fact, at the oral argument of its protective order motion, the RIAA took the positions that (a) MediaSentry and its investigators are not experts at all; (b) MediaSentry will not testify as to any copyright infringement, but will merely testify as to what it did, and (c) the only witness who will actually be testifying that there was a copyright infringement will be a Dr. Doug Jacobson of Iowa State University, the founder and co-owner of Palisade Systems, Inc., who supposedly will connect the dots based on what MediaSentry will testify that it did.

They have submitted the following materials from Dr. Jacobson: an April 2006 boilerplate report, a December 19th declaration in support of a motion, and a 26-page, single spaced, curriculum vitae, which goes into such detail as identifying some of Dr. Jacobson's students.

Ms. Lindor has noticed Dr. Jacobson's deposition and requested documents from him; the deposition is presently scheduled for February.

We are the attorneys for Ms. Lindor, the defendant in this lawsuit, a middle-aged Brooklyn woman who works as a home health aide, and -- believe it or not -- has never even used a computer in her life, much less been an "online distributor". In view of the great pool of technical talent out there among Groklaw's readers, we thought it appropriate to reach out to the technical community through the good offices of Groklaw to vet Dr. Jacobson's "report" and "declaration" and his voluminous curriculum vitae, and request input as to appropriate questions to put to this expert witness.


  


Another Lawyer Would Like to Pick Your Brain, Please | 819 comments
Errors and Corrections
Authored by: gbl on Friday, December 29 2006 @ 05:37 PM EST
If any.


---
If you love some code, set it free.


Off Topic
Authored by: gbl on Friday, December 29 2006 @ 05:38 PM EST
Anything interesting happening?


---
If you love some code, set it free.


Another Lawyer Would Like to Pick Your Brain, Please
Authored by: tknarr on Friday, December 29 2006 @ 05:47 PM EST

My immediate thought is that MediaSentry's instructions processes and procedures are the majority of "what they did". If MediaSentry's going to testify at trial about what they did, then isn't what they did exactly what's supposed to be handed over during discovery so the defense can prepare for cross-examination? I'm not a lawyer, but isn't what the RIAA's claiming here "We're going to have them testify about what results they got, but we're asking to not let the defense look at how they got those results."? I don't think that'd fly in any court in any other area, would it? Tech aside, the RIAA's position should be attackable based on bog-standard law and rules.


Another Lawyer Would Like to Pick Your Brain, Please
Authored by: pointym5 on Friday, December 29 2006 @ 05:52 PM EST
It'd be awfully helpful to at least summarize the situation of the case. The linked page is hard to digest, to say the least. If the defendant has "never used a computer", then somebody must have had a computer somewhere such that the case could make it this far. In other words, I think it'd be pretty unlikely that the RIAA could push a case this far against a defendant who was not in any way associated with a computer connected to the Internet. Thus, at least, how is the defendant associated with the computer or computers identified as instrumental in the alleged misdeeds?


Another Lawyer Would Like to Pick Your Brain, Please
Authored by: gbl on Friday, December 29 2006 @ 05:54 PM EST
Two obvious problems with the expert evidence are the screen shots, which can be trivially faked, and the person actually operating the computer.

The second is the more interesting. No matter who bought the computer, where the computer is located or who pays the internet connection bills, unless there is evidence that the accused actually performed the alleged actions then I would have thought that the case was fatally flawed.

With a Windows PC, it is entirely possible that the computer was under the control of a third party. Unless this can be demonstrated to be impossible there is no knowing who had access to the PC.

---
If you love some code, set it free.


I think it is very stupid for Mr. Beckerman to seek help on a public forum
Authored by: Anonymous on Friday, December 29 2006 @ 05:54 PM EST
Just a thought.


Another Lawyer Would Like to Pick Your Brain, Please
Authored by: tknarr on Friday, December 29 2006 @ 05:59 PM EST

OK, tech hat on. The first thing I notice is that he's using screenshots and logs provided by MediaSentry. Given a text editor and Photoshop I can make screenshots and logs that'll show any file you want being downloaded from any IP address you want, including addresses like 987.654.321.0 that can't physically exist. I can make the electronic forms so absolutely accurate that there's no way for the good Doctor to tell they were faked just from the logs and screenshots themselves. It probably wouldn't take me more than an afternoon to do it by hand, and if I'm going to do it for a living I'll spend a few weeks writing some scripts and programs to do it automatically. It's maybe a half-hour's work to write a small Perl script that'll take the IP address, hostname and such obtained from checking the target user's info from Verizon and edit a logfile template to make it appear that that IP address downloaded the files I want to show it downloaded. Heck, it's the same kind of script I use routinely to do things like take a template .profile and customize it for a specific username when creating a new user. So the first thing you want to do is look at chain of custody: how were the logs and screenshots handled from the point where they were recorded to the point where they were handed over to the good Doctor for analysis. If MediaSentry can't show at every step how they were secured against tampering, how can they prove the logs and screenshots weren't in fact tampered with? I'm sure one of the Perl geeks around can, given a sample logfile, give you a Perl script that'll edit the logfile on-the-fly in front of the court to produce a log showing that the judge was sharing the file from his office machine. Extra points for having the Perl geek write the script in front of the judge, to drive home just how trivial it is. :)

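As an added illustration of the point tknarr makes above (this is example code written for this page, not anything MediaSentry, Dr. Jacobson or the poster produced): a log is a text file, so a template filled in with a chosen name and address is indistinguishable from a "real" one, and the only thing that can later reveal an edit is a digest or keyed tag recorded at capture time by someone other than the party whose case depends on the log. The log layout, the user name, the addresses and the key below are all constructed for illustration.

```python
import hashlib
import hmac
import re

# Constructed sample log. The layout is invented for this example; the real
# MediaSentry log format is not reproduced on the page.
TEMPLATE_LOG = (
    "2004-08-07 22:13:05 UTC user={user} ip={ip} proto=FastTrack "
    'file="track01.mp3" bytes=4194304 status=complete\n'
    "2004-08-07 22:13:41 UTC user={user} ip={ip} proto=FastTrack "
    'file="track02.mp3" bytes=3932160 status=complete\n'
)

IPV4 = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")


def forge_log(template: str, user: str, ip: str) -> str:
    """Fill the template with whatever identity the forger wants it to show.
    Nothing validates the address: 987.654.321.0 is accepted as readily as a
    real one, because a text file has no notion of a valid address."""
    return template.format(user=user, ip=ip)


def retarget_log(log: str, new_ip: str) -> str:
    """Rewrite every IPv4-looking token in an existing log, the way a
    template-editing script would after pulling a subscriber's address out
    of an ISP response."""
    return IPV4.sub(new_ip, log)


def seal(log: str, key: bytes) -> str:
    """Keyed digest computed at capture time. Only a holder of `key` can
    produce a matching tag, so an edited log fails verification."""
    return hmac.new(key, log.encode("utf-8"), hashlib.sha256).hexdigest()


def verify(log: str, tag: str, key: bytes) -> bool:
    """Constant-time comparison against the tag recorded at capture."""
    return hmac.compare_digest(seal(log, key), tag)


def demonstrate() -> dict:
    """Forge a log, seal it, edit it, and show that only the seal notices."""
    # Assumption: the key lives with an independent custodian, not with the
    # collecting party.
    key = b"custodian-key-held-off-the-collection-box"
    captured = forge_log(TEMPLATE_LOG, "example_user", "203.0.113.7")
    tag = seal(captured, key)
    edited = retarget_log(captured, "198.51.100.9")
    impossible = retarget_log(captured, "987.654.321.0")
    return {
        "captured_ok": verify(captured, tag, key),
        "edited_ok": verify(edited, tag, key),
        "impossible_ok": verify(impossible, tag, key),
        "edited_ip_present": "198.51.100.9" in edited and "203.0.113.7" not in edited,
    }


if __name__ == "__main__":
    print(demonstrate())
```

The seal only carries weight if the key (or at least a plain hash of the file) is recorded at capture and held by someone who did not collect the evidence; a party that both gathers the logs and holds the key can re-seal whatever it edits. That is why the chain-of-custody question, not the hash, is what the deposition has to pin down.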

One thing that caught my eye
Authored by: jmc on Friday, December 29 2006 @ 05:59 PM EST

One thing that caught my eye in the declaration was the statement (paragraph 5)

Based on how IP addresses are defined, it is not difficult to determine whether a computer was connected to the internet via a wireless router

This, of course, is complete rubbish. He ought to be challenged on that point.


Another Lawyer Would Like to Pick Your Brain, Please
Authored by: Anonymous on Friday, December 29 2006 @ 06:20 PM EST
Mankind has built an earth-wide 'computer' consisting of some 600 million 'nodes', nominally belonging to individuals, and interconnected by this Internet thing.

Very few people, perhaps no-one, understands how it all works. 600 million people, with mutually-incompatible agendas, represents significant complexity. Most of the time it sort-of works, but (like sailing in the North Atlantic) sometimes storms blow up and change the rules without warning.

Now, the 'complaint' is that some sequence of 0's and 1's (in this case representing a song), have been transferred from one part of this 600-million-element computer to another part of it, without the permission of someone who needed to give permission.

So, a few questions to ask might be

  • Do you know how the Internet is supposed to work? Please explain how it works.
  • Do you know that on the date in question it was working in the way it is supposed to work? What is your evidence for this?
  • What makes you think that the individual from whose part the 0's and 1's were sucked was in control of the process of allowing them to be so taken?

It is likely that a 'defence' expert witness could be found to disagree with the explanations.

Isn't the Kazaa case already settled?
Authored by: Anonymous on Friday, December 29 2006 @ 06:20 PM EST
I thought Sharman Networks already paid 100 billion USD to settle the case. Is this an attempt to double-charge?


Another Lawyer Would Like to Pick Your Brain, Please
Authored by: Anonymous on Friday, December 29 2006 @ 06:26 PM EST
... on the data from the hard drive I reviewed, that this hard drive was not the same hard drive that was used to share copyrighted sound recordings as shown by the MediaSentry materials.
So where did the hard drive of the suspect machine go? Perhaps they have the wrong machine? the wrong person? Are they changing the charges to obstruction of justice? Was the apartment searched for the "other hard drive"?

And, good Dr., when you were in college, did you not borrow albums from fellow students and record them on tape? Did you not share your record collection with others? (he did go to ISU and there is hearsay album-sharing evidence available)

Or is this another case of if we say it loud and long enough, it will come true and we will win?

Happy New Year Everyone
wb


Another Lawyer Would Like to Pick Your Brain, Please
Authored by: Anonymous on Friday, December 29 2006 @ 06:31 PM EST
I am not a computer expert, much less an MS Windows expert, but it is my understanding that all MS computers are configured with a public file that is open to the internet.

It is also my understanding that MS computers are notoriously buggy, with most MS computers which are connected to the internet and not protected with a firewall compromised in about 30 minutes.

It is also my understanding that there exist bot networks which consist of thousands of computers used to send untraceable e-mail, commonly called spam.

If the above is true then is it not as likely that the poor lady has a compromised computer that is being used to forward untraceable mp3 files as it is that her son, who does not live with her, downloaded copyrighted music?

From another point, I thought that it was improper for the suer to demand someone surrender their HD to them so that the suer could examine the HD and/or place whatever the suer deems appropriate on the HD. If this is what happened, it seems to me there is just as high a probability that the suer is dishonest as it is that the lady's son is.


Some questions for the defence
Authored by: Anonymous on Friday, December 29 2006 @ 06:31 PM EST
I agree that if Jacobson is going to testify as to the procedures that MediaSentry used, they should have to provide you with that information during discovery.

However, there are some inconsistencies here with Ms. Lindor that should probably be put to bed in order to form a proper defense.

First of all, if the defendant has never owned nor operated a computer, how is it that Verizon Internet Services can identify her as the subscriber of record? Is this a case of missing identity? Why would someone without a computer subscribe to an internet connection? When looking at this, I would request specifics from Verizon - exactly when the DHCP lease was granted, and when it was released. I would confirm that the internet connection was DSL (I don't think Verizon has any other subscription info), and if so, they may be able to identify the physical loop that was connected. Some more technical folks here can address that.

The second thing I would look at is the Kazaa user name they provide - jrlindor. Do the initials JR mean anything of substance to the defendant? Siblings, Parents, Cousins, etc. Ruling all of them out may serve to put a bit of doubt on linking the user to the defendant.


624 files, how many are fakes?
Authored by: Kilz on Friday, December 29 2006 @ 06:32 PM EST
Looking at the "April 2006 boilerplate report", in #18 it states that the IP address shared 624 files, "most of them are copyrighted music files". But the MediaSentry system log and download log shows them only downloading 11 files. Exactly how did they tell the files were copyrighted songs? It is a known fact that Kazaa is flooded with fake music files, http://news.bbc.co.uk/2/hi/technology/2962475.stm . How does MediaSentry know the 624 songs are not fakes if they didn't download them?


Fake screenshots probably not? Faulty screenshots - possibly?
Authored by: Anonymous on Friday, December 29 2006 @ 06:36 PM EST
I see that there are a number of comments already that maybe the screenshots are faked.

While anything is possible, I think it very unlikely, and in any case virtually impossible to prove, that the screenshots were faked. The RIAA presumably has a witness who will make a sworn declaration that the screenshots accurately represent what they saw on screen. I assume that witness will not tell lies. And more importantly, I assume that the court will not think that witness is telling lies, unless the witness contradicts himself in some fundamental way.

So for the sake of this discussion, while it is theoretically possible to fake screenshots, I think it best to assume the screenshots are genuine representations of what was displayed on the screens in question.

However, there is a more fundamental question:

How could anybody know whether what was displayed on the screen by the Media Sentry software accurately represented what was happening on the Internet??

Everybody knows that nearly all software has many bugs.

Everybody who has used a computer has encountered situations where a computer displayed inaccurate or incorrect information as a result of a bug.

The only way to determine whether the Media Sentry software was likely to have displayed correct or incorrect information is for experts to examine the software (both source code and testing of it in a live environment), and to testify as to their opinion on whether the Media Sentry software accurately collects and displays the information that it is supposed to.

If the plaintiff has an expert who will testify as to the accuracy of the Media Sentry software, the defendant's expert should have access to the same underlying information for assessing the accuracy of the Media Sentry software.

If the plaintiff does not have an expert who will testify as to the accuracy of the Media Sentry software, then how does anybody (including the court) know whether the Media Sentry software is accurate? For all we know, it could be displaying screens of random errors. It would seem to me blatantly unfair to simply assume the Media Sentry software perfectly does what one side claims it does with no supporting evidence.

As to this deposition, I would ask the RIAA's expert these questions:

Q1: So you came to your conclusions by examining the screenshots and other data from Media Sentry?

Expected Answer: Yes

Q2: Would you have come to different conclusions if the Media Sentry displayed different information, for example a different IP number?

Expected Answer: Yes

Q3: Did you personally verify that the data, such as IP numbers, that Media Sentry supplied were accurate?

Expected Answer: No [if he says Yes to this one - this opens a whole new line of questioning], but I verified that their procedures of what they did would produce accurate results.

Q4: Is it your understanding that the process that Media Sentry used, and the data that they generated, such as IP addresses, came from a computer program?

Expected Answer: Yes [if he says no - ask him how come there are screenshots?? Eventually he must conclude data on the computer screen comes from a program]

Q5: Have you ever experienced bugs, problems, incorrect output from computer programs?

Expected Answer: Yes

Q6: Is it possible that the data from Media Sentry, such as IP addresses, which came as output from Media Sentry's process, may contain errors, for example because of computer program bugs?

Expected Answer: At this point, he will either say yes, or start explaining why it's unlikely. Get him to answer whether it is _possible_.


Quatermass
IANAL IMHO etc.


In order to prove copyright infringement
Authored by: Anonymous on Friday, December 29 2006 @ 06:38 PM EST
Seems to me the RIAA has to prove several things:

1) defendant knowingly offered files for public download

2) said files are in fact copyrighted by the RIAA or groups which they represent

3) somebody somewhere downloaded one or more of the files, in their entirety, from defendant's computer (the way I understand it, with most filesharing, only a small portion of a file is downloaded from each peer.) Would downloading 1 second's worth of music still constitute infringement? What about 10 seconds? Where is the limit drawn?

4) supposed downloaders were not authorised to download said files *

5) downloaders still have possession of copies of these files (else if they just listened and deleted them, how does this differ from the defendant inviting them to her house to listen to a CD, or indeed, lending the CD to a friend?)

6) downloaders listened to the files as music. For example, if I download a music file, and instead of listening to it as music, I simply look at a hex dump of the file, am I still in breach of copyright?


* Part 4 is particularly interesting to me. I own various music on old vinyl records, and since I don't currently have a record player, I will occasionally download a playable copy to listen to. Am I infringing copyright when I do so? I could equally well buy a new record player and listen to the same music that way.


Another Lawyer Would Like to Pick Your Brain, Please
Authored by: Anonymous on Friday, December 29 2006 @ 06:46 PM EST
She claims to never even have used a computer, which could be true.

However, they continue to refer to the Defendant's ISP, internet account, and computer.

The Defendant's name is Marie Lindor.

Verizon identifies Marie Lindor as the subscriber of an IP address on the internet.

The hard drive of the Defendant's computer was mirrored in the process of collecting evidence, and was found to have 700 music clips that were in a folder to be shared with other internet users.

The KaZaA account referred to was jrlindor@KaZaA.

Who is jrlindor? An alternate name that she uses? A relative?

First, I would say that mirroring a hard drive is collecting information very far beyond any possible discovery request.

Second, I can't believe that they made her pay for the hard drives so they could mirror her computer.

Third, the Plaintiff is claiming that the files were in a directory made available for sharing. Can they prove that any of the files were actually copied by other KaZaA users?

Fourth, they are claiming that she was distributing music. Even if another KaZaA user copies music from her shared folder, who is really making the illegal copy? The one who owns the copy, or the one who copied it?

Fifth (don't throw rocks at me), people being caught on an unlevel playing field can still be guilty.


False Assertions about HDD
Authored by: Anonymous on Friday, December 29 2006 @ 06:46 PM EST
I would go after him about the Hard Drive pretty thoroughly. He says "The correct hard drive would have shown" and "This is not the same hard drive used to share..."

He is basically stating that the hard drive that he looked at is the wrong hard drive.

However, the only proof that he has that this is the wrong hard drive is that it must be the wrong hard drive because it doesn't prove his case.

More appropriately, the state of the hard drive - with very few files or information on it - more supports the defendant's claims.

I really think it's quite funny actually - he's basically saying "The hard drive didn't have the evidence I was looking for, so it must have been the wrong hard drive".

Translation: "The grooves in the barrel of the 9mm pistol recovered from the defendant did not match those of the bullet recovered from the deceased. Therefore, it is our conclusion that the wrong 9mm pistol was recovered from the defendant"


Another Lawyer Would Like to Pick Your Brain, Please
Authored by: zip1 on Friday, December 29 2006 @ 06:57 PM EST
"MediaSentry and its investigators are not experts at all";
Then why is the evidence they collected being allowed to be used?

To tell the truth, what they have collected sounds like some kind of forensic evidence. If it's not, should it not be considered third-party hearsay and not be allowed?

I don't think any court would allow the results of any DNA test that I performed in any court room. If they are allowed to present such evidence, then the people's methods and procedures must be allowed to be reviewed and challenged.

If they did not document their methods of obtaining this evidence in a forensic manner, the example of how such evidence can be faked should be presented. This should cast a large doubt on the authenticity of their evidence.

When it comes to electronic evidence, the methods used to obtain it are very critical to its authenticity. If they're not willing to stand behind their methods for their collection of evidence, then I would attack this by showing what the proper standards for collecting electronic evidence are. If they are not willing to show those methods, then all of the evidence they are presenting is not valid. Especially in showing how such evidence can be faked.

You also need to know their procedures, methods and instructions, to ensure their alleged evidence was collected in a legal manner, by duplicating in test cases the attempt to obtain the same information they are claiming. If they don't, there will be a way to have all such evidence removed from the case, since the defendant won't have any way to verify the authenticity of the evidence.

With no evidence, then no case.

They are not a government organization, so they can't hide behind the veil of protecting their methods of collecting the evidence to protect future investigations. In fact, some of the possible methods used may actually not be legal for a private investigator to use.

The HP scandal is an example of what some of these private investigators may do, and the people who gave them instructions.


Another Lawyer Would Like to Pick Your Brain, Please
Authored by: nuthead on Friday, December 29 2006 @ 07:08 PM EST
I notice in the boilerplate report that he never ties the Kazaa account to the defendant's computer, it just simply says "a computer". Only the user ID remotely connects the two. That's THIN. Further, he only attests to the IP addresses being registered to the defendant by the ISP and not any other evidence to actually prove it was the defendant and not someone logged in using her credentials. There's no definite tie between those three items (the Kazaa account, the IP and the PC). It's very circumstantial and should be pretty easily picked apart. It's like saying a car was involved in a hit and run; there was a car on the road at the time that was the same unique colour as the defendant's, therefore it was the defendant's car that did the hit and run.


Another Lawyer Would Like to Pick Your Brain, Please
Authored by: Cringa on Friday, December 29 2006 @ 07:09 PM EST
Long time enjoyer of Groklaw, first time responder. But this time I just had to share.

Having read the declaration I do find it odd how he can make the claim that the PC was on a wireless connection. This really made me chuckle, as IP addresses that are assigned to a PC are usually of the default 192.169.***.*** variety tied to the MAC address (hard address on the internet card). This in turn is usually NAT'd to the MAC address of the router, which in turn is then tied to the Verizon address of the subscriber.

With that thought... if it was a wireless router the question that begs to be answered is... "was the wireless access point secured?" And even if it was secured thru WEP or password, anyone with a laptop and a sniffer can usually crack the authentication as long as they are within range.

Next up, even if it wasn't a wireless router, and someone already mentioned this... how do we know that the music on the machine wasn't there legitimately and the PC was in fact acting as a drone (hijacked)?

Next point, I have un-installed KaZaa from my kids' PC and the uninstall process still leaves indication of its presence... so the question is how do you know that the Kazaa was a full install? (dlls, registry settings, file count etc). If it wasn't a full install or wasn't completely removed in the process, what evidence is the Dr. offering that it was installed and working?

Point - raise of hands, how many of you have clicked on a link only to be inundated with popups etc? I had to rebuild a few machines because of PCs being hijacked by spyware from someone downloading the 'Ask Jeeves' tool bar extension for IE5. Hijacking on Windows PCs happens to the best of us and there are times when the only result is to rebuild to correct the issue (Sony rootkit anyone?)

One last item to chew on - my kids were told to not install Kazaa and they were told to not use it because it is illegal to file share music... but unbeknownst to me they had installed it and didn't use it. But lo and behold, Kazaa had been inadvertently set up to use our PC as a file share device and in the middle of the night the PC was being re-activated to the net after being put to sleep... yep, someone had liked my kids' iTunes or ripped music and was accessing it.

Another item of interest, how does one make the assessment, based on a hdd showing little use, that it isn't the original? If the person hardly uses that PC... then the less amount of fragmented files will show... if he is basing this decision on his experience then I would ask him the number of times he has looked at minimal use PCs. Has he done a comparative analysis so he has a baseline based on usage, hdd size etc to make this a valid decision?

Well, good luck to you and your client!


IP Hijacking
Authored by: Anonymous on Friday, December 29 2006 @ 07:11 PM EST
As in the static case, two devices cannot effectively function if they are directly connected to the Internet simultaneously with the same IP address.
While this is true, a possible defense would be to point out that there is a technique called IP hijacking. Basically, an attacker performs some kind of denial of service attack on the victim computer, effectively knocking them off the network. The attacker then spoofs his/her IP and MAC addresses to be the same as the victim computer's IP and MAC addresses. The router, not knowing that the victim computer is no longer able to access the network, sends all packets to the attacker's computer which now looks just like the victim's computer. This technique allows a person wishing to commit a crime to easily frame someone else for their illegal activity. This is also why most criminal computer crime cases are so difficult to prosecute. Not only do they have to prove that the person sitting at the computer is the person that committed the crime, they also have to prove that the IP address was actually assigned to that computer.


Another Lawyer Would Like to Pick Your Brain, Please
Authored by: Anonymous on Friday, December 29 2006 @ 07:13 PM EST
How do we get in contact with Ray on questions for Dr J? Will he provide an email address?


Statement (5) in Jacobson Declaration
Authored by: Anonymous on Friday, December 29 2006 @ 07:16 PM EST
In statement 5, Jacobson claims that "Defendant's computer had a public Internet Protocol ("IP") address and was not connected to the internet via a wireless router. I base this on the data mentioned above, as well as on the registry entries recovered and the fact that there was no internal IP address here".

This statement is extremely thin IMHO:

a) He claims in (6) that he doesn't have the "right" hard drive, so how does he know what is in the registry of the "right" hard drive and how it assigns IP. He doesn't.

b) Even if he did have the right hard drive, I assume the police didn't confiscate the computer right away and someone might have removed the router and reconfigured the PC before the police took it. Just because it is set up to go directly to the internet and not through a router does not mean it was doing that at the time of the alleged misused downloads. He cannot possibly say with certainty that the system, at the time of the offense, was configured the way he says the "wrong" hard drive indicates it is now.

c) Since he cannot prove that the machine was directly connected and it wasn't router connected (using NAT and port forwarding).

Verizon Internet Services might be able to show what MAC addresses were used in the DHCP requests. If they happen to be the same as the computer's, that doesn't prove anything (since most routers can "spoof" MAC addresses for valid reasons), but if they're different (or change) that indicates that equipment changed, router used etc.


And even if it was directly attached to the internet, without a firewall, that just means it is almost a certainty that someone had hacked into the machine (trojan, hacker etc) since statistically that happens very fast.



[ Reply to This | # ]

chain of custody
Authored by: Anonymous on Friday, December 29 2006 @ 07:32 PM EST
You might not be able to accuse them of falsifying data - but it seems like
you can make them prove that there was not an opportunity for someone else to
do so between the time the image was taken and when it was shown to you.

[ Reply to This | # ]

  • chain of custody - Authored by: Anonymous on Friday, December 29 2006 @ 07:40 PM EST
Hacked
Authored by: Anonymous on Friday, December 29 2006 @ 07:34 PM EST
I have looked over this stuff, but not very deeply. But, as part owner of a
small ISP that has just spent a few days cleaning up phishing scams placed in
accounts of users with weak passwords, let me suggest you get someone to look at
the hard drive for the possibility of viruses and scripts that could have been
placed there without the owner's knowledge. The attacks these days to 'own'
machines are relentless. Law enforcement really needs to step up to the plate on
this issue. They seem oblivious to how much crime is going on, or just don't
care. :( Of course, if it is profitable to go after it, as in the case of the
RIAA......

[ Reply to This | # ]

My List of Questions
Authored by: Anonymous on Friday, December 29 2006 @ 07:35 PM EST
He didn't even look at the songs / files themselves

11 songs were downloaded, and he is testifying that of the 624 songs, most are protected by copyright???

a) Check if the "Copyright" applies to the songs title or the music therein.

b) If the copyright applies to the title, then this suit may not be filed correctly.

c) If the copyright applies to the music, then how does he know what was in those files???

How does he know that the files were audio and music files? Again, by the filename? Just because a file ends in MP3, doesn't mean it is an audio file.

Did MediaSentry even keep the 11 songs (files) they downloaded? Was a secure chain of custody kept? The expert even says in Point 14 that he didn't even *look* at the 11 songs (files). As such, how can he possibly testify that even these 11 songs are infringing copyright, or that these were the songs that actually were downloaded?

Fake Songs

The RIAA was in the practice of distributing fake song files with obvious blemishes. How do we know that she wasn't redistributing the freely distributed fakes?

Isn't there a rule in law that Company A can't sue Company C for using Company B's services, if a contract exists between Company A and Company B allowing Company B to do what it is doing?

Professional Licensing

This expert is not a Professional Engineer, and does not belong to a professional regulating body (like Doctors, Lawyers, Accountants, and Engineers). In Canada, a P.Eng. is held to a code of conduct when involved in legal proceedings. Computer science professors aren't.

Technical Correctness

This individual isn't offering entirely correct testimony. He is quoting truisms from the manuals that say how this technology is supposed to work. He is not actually saying how it can work. As such, he misses key details. Like two computers can share the same IP address and function on the network. This function has been exploited many ways:

1. Two computers sitting behind a firewall.

2. Fail-over clustering. When one computer goes down, the other continues with the same IP address as if nothing happened.

3. Industrial networks. Two computers co-exist at the same IP address. They just aren't both active simultaneously. This can be done deliberately for technical reasons, however it is also a big source of DHCP problems. Industrial networks tend to operate computers separated for long periods of time. If one gets disconnected, another can reuse the IP address of the former. In certain conditions, the former can decide it likes its old IP address, and when it is reconnected reuse it. The problem happens when both computers simultaneously use the same IP address. In DHCP, this problem happens so often that there are special protocols and notifiers to notify the system administrator of this. Did anyone check to see if these protocols were triggered in this case? The situation in industrial networks is analogous to home networking, as in home networks many people leave their computers off much of the time.

4. Deliberate Spoofing:

a) Network monitoring (for engineering purposes)

b) Network attacks

5. This guy is simply wrong. Two computers can function on a network with the same IP address. Back in 95, I did this to someone's server for 6 months. The network didn't fail. (It did generate a pile of IP errors, but that was another story.) I think he is forgetting:

a) Not all communication requires correct IP addresses (ex: NetBEUI or IPX protocol stacks)

b) If I want to be an ass, I won't use the IP address given by the cable company. In fact, I should steal someone else's IP address, so the DHCP tables can't identify my computer. Sometimes, this will work and I get my internet connection. If it doesn't, I randomly pick another IP address and try again. If two computers are using a duplicate IP address the default behaviours are:

i) DHCP client bugs off

ii) Newest computer using that IP address bugs off

iii) Oldest computer using that IP address bugs off

Any way you look at it, the result is non-obvious.

c) If I want to be a really annoying hacker, I monitor the network for existing IP pair, MAC address combos. When the computer switches off, I set my computer to reuse the same addresses. The DHCP server never knows any different. No one even knows what I am up to until the RIAA goes and knocks on my neighbour's house!

MAC Addresses

Did anyone get the MAC addresses of the computers involved in these connections? If they don't match, it is extremely likely someone was spoofing the IP address. If the MAC address is available, it is still possible that some hacker faked both the TCP/IP address, and the MAC address simultaneously. If this was a good hacker, they would do this. Then you could ghost a PC to someone else's cable connection and the authorities could never trace it back to you.

Could the MAC address of the cable modem (I am assuming this is a cable connection) be changed? If so, what is to stop someone from spoofing the MAC address with the hardware shipped from Verizon, as is? If not, what is to stop someone from changing the MAC address on some other piece of hardware?

The MediaSentry info may not have the MAC address, but the Verizon info should have it.

Kazaa as a Background service

Does Kazaa operate as a background service? Is it possible that the person using the computer might not know if it is running? If this is the case, what would stop someone from remotely controlling the computer and using it as a drone in file sharing activity?

Could some person at a past point have set up Kazaa on the computer, and this was unknown to the person charged?

Also ask if the expert can distinguish between Kazaa and Kazaa Lite, and if so, how? Can he accurately identify even which program was used to share the data?

Possibly Related Historical Failure

You might want to look up the router failure that caused them to start encrypting (checksum) routing tables. The story goes into how in the early days of the internet, a router on the west coast decided it was actually the router on the east coast. It triggered a massive internet failure. The result was that routers received encrypted (checksum) routing tables, that were periodically checked to ensure validity. Thus if a router failed, it could not cause a cascade failure to the entire Internet.

I bring the router failure up, because it is an historic and well documented example of duplicate IP addresses.

Known Hackers

Did anyone check to see if any known hackers were operating from the cable company's system? Specifically, with a company the size of Verizon, one would have to assume that multiple customers were doing misdeeds simultaneously, many times a day. Verizon might even have numbers on this, like complaint rates, e-mail spam rates, suspected zombie computers, etc.

[ Reply to This | # ]

Points
Authored by: div_2n on Friday, December 29 2006 @ 07:38 PM EST
Background on Kazaa

*When someone installs Kazaa, it creates a shared folder that begins sharing files in that folder

*If someone's computer is set to start Kazaa automatically when their computer is turned on, those files are being shared without further interaction on the user's part

*If someone unwittingly stores files of their own creation and usage in that folder, it can be shared without them being aware. See:

http://www.hpl.hp.com/news/2002/apr-jun/kazaa.html

http://www.pcworld.com/article/id,101726-page,1/article.html

Discussion on Security

*If someone operates a wireless network without encryption, it is trivial for a cracker (common media terminology is hacker) to grab personal information "out of the air" and go to great lengths to hide their own identity and use that of people legitimately using the wireless network. This includes cloning MAC addresses of wireless cards, creating email addresses and/or P2P accounts using names found in unencrypted communications.

*Even if someone uses wireless encryption, it is not guaranteed that someone can't compromise the network. This is especially true if WEP 64 bit is used and somewhat true if WEP 128 bit is used. Other encryption schemes such as WPA and WPA2 are better, but not a panacea.

*Microsoft Windows operating systems are notoriously susceptible to all flavors of malware which could allow a cracker to either "funnel" data through an innocent person's computer without their knowledge (including music) or even be able to steal logins and passwords to various accounts. This could include a Kazaa account that might have been created (but never used).

*While not as likely as other possibilities, it is not impossible for a cracker to steal the login and password to a high speed account such as DSL. Many providers allow the possibility to login with one account to multiple places. So in the case of someone that rarely uses their DSL and shuts their computer and/or network off at night, a cracker could login as them and use their account for illegal activity. Bellsouth is an example of one company that allows this in many (if not all) of their DSL markets. Further, in the case of Bellsouth, if someone were to obtain the email address of the account holder, the password could likely be derived from the phone number corresponding to the account. Verizon may or may not have similar practices.

Background on TCP/IP forensics

*If an ISP keeps accurate logs, it is possible to determine what account was using an IP address. It is not guaranteed that someone could determine for certain what device was actually using the account at the time. MAC addresses can be cloned. Passwords can be stolen. Wireless networks can be hacked. Computers can be remotely controlled without the owner's knowledge.

*It is impossible to be 100% certain what computer is performing any action behind a common home router due to all of the above issues. Furthermore, it is also completely impossible to determine who is actually using the computer at the time due to the above issues.

Bottom Line

If the question really is "Was Ms. Lindor guilty of sharing files based on the evidence at hand?" then from a technological perspective, there is no way any expert on the planet can assert the answer with complete confidence. There is an intrinsic level of uncertainty that cannot be reconciled technologically. Period. End of discussion.

If the question becomes "Is an internet account holder liable for activity that is conducted using that account carried out in a manner so clandestine that it is outside the technical ability of the account holder to detect and/or prevent?" then that opens up a legal discussion I am completely unqualified to cover.

Questions to ask the other side

1) How can you be certain exactly what computer was performing the file sharing services of the IP address in question?

2) How can you be certain that an authorized computer using that account was not compromised by a cracker/hacker that was then performing the sharing?

3) Is it possible that an authorized computer had Kazaa installed on it but never actively used where the files being shared were placed there by the owner of legitimate content who used legal means of "ripping" their music off for personal use?

4) How can you be certain that the screen shots you have were not tampered with in any way?

5) How can you be certain that the home network of the internet account in question was not compromised and being used without permission?

I sincerely hope this information helps.

[ Reply to This | # ]

Kiddy Porn Monitor
Authored by: Anonymous on Friday, December 29 2006 @ 07:39 PM EST
Dr Doug Jacobson's prior experience:
One of my graduate students, under my supervision and guidance, developed a system that monitors peer-to-peer networks and other forms of file sharing for child pornography.

These things tend to work by scanning p2p chunks for something that looks like a JPEG file and then matching the colors against some "typical porn" color dictionary. I'd be very interested to know how he thinks this can determine the ages of the actors involved when even a human looking at the picture can't get a reliable estimate.

I know that pornography now requires registration in the USA (can't have amateurs doing it for fun and bringing down profit margins) so maybe there is a watermark that can distinguish between registered and unregistered photographs.

After a bit of a google search, I found this: http://judiciary.senate.gov/testimony.cfm?id=902&wit_id=2564 where he explains the mechanisms behind Palisade products and it would seem that they only monitor the network for queries that seem related to child pornography which is then presumed to be a reliable estimate of how much is actually out there.

I also note his comment:

You don’t have to look for pornography on peer-to-peer networks; it will find you. There are no effective controls regarding content provided on a peer-to-peer network, the only information you are given is a file name. A good example of this problem hit home this spring when I was teaching my information warfare class. To give students an opportunity to study the security problems associated with peer-to-peer networks, I set up a peer-to-peer node. I searched for a file that I had created and placed on the peer-to-peer network. I received several matches to my search request, but when I downloaded and viewed the files, they contained embedded links to pornography sites.

This seems like blatant scare-mongering given that the problem of spam has crept into every communications medium (even the telephone) so the same scare-factor should apply to email, web browsing, usenet news, irc, and the list goes on.

Both of the above are examples of half-truths that Doug Jacobson uses to make his testimony sound more impressive than it really is. Quite likely there will be other similar weak points in his arguments.

Anyhow, the above link is worth a read if you want to see where this guy is coming from.

Digging around a bit more, this turned up: http://deseretnews.com/dn/view/0,1249,510053167,00.html, which contains yet another half-truth:

Pornography is just one of several problems with P2P technology Hatch's committee has been examining as it weighs how and whether to regulate it. Other problems have included embedded "Trojan horse" commands in some files that have led some people to inadvertently give others access to their tax returns, medical files, e-mail and other data.

Of course, trojan horse files are a problem for email, ftp, www and everything else. They have always been a problem and it is a general issue for system security (don't give the standard desktop user a pathway to root access for example, like Win95, WinXP-home and Ubuntu-Linux all do). Bashing peer-to-peer will not protect us against the trojan horse.

[ Reply to This | # ]

A Groklaw observation
Authored by: Anonymous on Friday, December 29 2006 @ 07:40 PM EST
The 'expert' testimony put up by SCO was not always of the highest quality. For
instance, the evidence of Marc Rochkind was lame even though he has excellent
Unix experience.

Dr. Jacobson seems to have good credentials but that doesn't mean his evidence
is unassailable.

He admits that the hard drive he examined had nothing to do with any file
sharing. Does he contend that it is a fake? What about the dates on the files?
(In other words, is there any evidence that someone formatted the hard drive
and re-installed the system?) Is it the same hard drive that came with the
computer? Is there evidence that there was ever another hard drive installed in
the computer? What evidence does he have that this particular computer was
involved in file sharing? He does not mention a MAC address. He doesn't think
there was a wireless router involved but he can't connect the hard drive he was
given with the file sharing. Is he supposing that there must have been another
computer?

When I worked for Her Majesty I was responsible for a lot of equipment that was
connected to Bell Canada landlines. For very important circuits, there were
little red caps on the punch block connections. Other than that, things might
get a little wild and wooly. I bet they have no proof that the consumer's line
was the only one with access to that telco circuit. I will also bet that the
telco punch blocks are located in places that aren't particularly secure.
Another question would be about who in the telco has access to user IDs and
passwords. The original installer would have such access and I'll bet the
customer never changed their password. In other words, just because there was
no wireless connection doesn't mean there was no other connection. Just because
the customer had the user ID and password doesn't mean that no one else had
access to it.

Depending on the telco involved, the record keeping might be somewhat spotty and
therefore not very good evidence.

[ Reply to This | # ]

possible questions
Authored by: rsmith on Friday, December 29 2006 @ 07:50 PM EST
Things you should ask your client:

If she doesn't have a computer, who in her house does? Children, tenants?

Is there a DSL connection to her house? [modem is slow for file sharing]

If so, does the DSL router have wireless capability?

[If true, then someone else could be using the DSL connection without her
knowledge; wireless access points can be easily cracked if the access point is
not well configured to keep out unauthorized access. And that requires quite a
lot of knowledge]

Is the connection shared with others?

Some things you could ask the "experts":

Did the investigation yield IP (internet protocol) addresses? If so, what
is/are the address(es)?

[You need an IP address to trace a computer]

If so, specify how was this linked to the defendant?

[First, they'd have to find the ISP (internet service provider). (You'd have to
check that the IP addresses in question really belong to the ISP they thought it
belonged to.) Then they'd have to ask the ISP which customer was using the IP
address in question at the time. (Most ISPs dynamically allocate IP addresses, so
the IP address of a computer can change over time.)]

How were records from the ISP obtained?

[Were the records obtained legally? (do you need a warrant for that?)]

Can you prove that it is her computer?

Can you prove that the computer in question wasn't a zombie? (i.e. taken over by
another without the user's knowledge or consent)

Can you prove that the files you found in the shared files folder actually
contained copyrighted material, and especially that it contained the material
implied by the filename?

[According to the testimony from the TU Delft experts, 50--90% of the files on
KaZaa are not what they pretend to be.]

Did you download the files? If so, how can you prove that they actually came
from the computer allegedly owned by defendant?

[The protocol used by KaZaa (fasttrack) can and will download from several
sources if possible. See the Wikipedia article:
http://en.wikipedia.org/wiki/FastTrack]

Can you prove that the files in the shared files folder on what is alleged to be
defendant's computer were actually downloaded (from that computer) by anyone?

If so, provide specifics on the alleged copyright violations. What copyrighted
content was downloaded from the computer in question at which dates and times?

[If the copyrighted content was never downloaded from the machine in question,
then the plaintiffs have suffered no injury.]

Can you prove that the computer in question was switched on and connected to the
internet when the alleged copyright violations took place?

---
Intellectual Property is an oxymoron.

[ Reply to This | # ]
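
The multi-source point above (FastTrack pulling one file from several peers) is worth seeing in numbers. The following is an added example, not code from the original page, from KaZaA/FastTrack, or from any party to the case. The download record is constructed, and its layout (piece index, source IP, bytes received) is an assumption, not the format of any real client log. It shows what a per-piece record allows you to say about "we downloaded the song from IP X": which pieces each peer supplied, whether any single peer supplied all of them, and what share of the bytes came from the IP in question.

```python
"""Per-source attribution for a multi-source (swarm) download.

Added example; the record below is constructed and its field layout is an
assumption.  Nothing here is the format of a real KaZaA/FastTrack log.
"""
from collections import defaultdict

# Constructed download record: (piece index, source IP, bytes received).
DOWNLOAD_RECORD = [
    (0, "192.0.2.10", 65536),
    (1, "192.0.2.10", 65536),
    (2, "198.51.100.7", 65536),
    (3, "192.0.2.10", 65536),
    (4, "203.0.113.99", 65536),
    (5, "198.51.100.7", 65536),
    (6, "192.0.2.10", 65536),
    (7, "192.0.2.10", 12345),   # last, short piece
]
TOTAL_PIECES = 8


def pieces_by_source(record):
    """Map each source IP to the set of piece indices it supplied."""
    sources = defaultdict(set)
    for index, ip, _ in record:
        sources[ip].add(index)
    return dict(sources)


def sole_source(record, total_pieces):
    """Return the one IP that supplied every piece, or None when the file
    was assembled from more than one peer (the usual FastTrack case)."""
    for ip, pieces in pieces_by_source(record).items():
        if pieces == set(range(total_pieces)):
            return ip
    return None


def share_from(record, ip):
    """Fraction of the received bytes that came from `ip` (0.0 to 1.0)."""
    total = sum(n for _, _, n in record)
    mine = sum(n for _, src, n in record if src == ip)
    return mine / total if total else 0.0


def missing_pieces(record, total_pieces):
    """Pieces no source supplied; non-empty means the file was never
    completely retrieved, so nobody could have listened to it in full."""
    have = {i for i, _, _ in record}
    return sorted(set(range(total_pieces)) - have)


if __name__ == "__main__":
    for ip, pieces in sorted(pieces_by_source(DOWNLOAD_RECORD).items()):
        print(ip, sorted(pieces), f"{share_from(DOWNLOAD_RECORD, ip):.0%}")
    print("sole source:", sole_source(DOWNLOAD_RECORD, TOTAL_PIECES))
    print("missing:", missing_pieces(DOWNLOAD_RECORD, TOTAL_PIECES))
```

With the constructed record, no single peer supplied the whole file, so the question "which computer did you download the song from?" has no single answer; the IP in question accounts for a little under 60% of the bytes, and the remaining pieces came from two other peers.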

One Possible Chain of Evidence (and ways to counter it)
Authored by: CondorDes on Friday, December 29 2006 @ 07:52 PM EST
Standard disclaimer: I'm not a lawyer, I'm a geek. My
thoughts on the subject may or may not be correct, or
worth anything.

But here are my general thoughts. I'll try to look more
specifically at the documents a bit later.

In order to prove their case, it seems to me they would
have to establish a strong chain of evidence. That chain
might look something like this:

First, they might show that one or more copyrighted songs
were made available for download.

Second, they might present evidence linking the song to
the IP address of the computer that shared it (that is,
the computer that made it available for distribution).
Others have already explored the potential weaknesses
here, so I'll leave it at that.

They must map this IP address to an Internet Service
Provider (ISP). This can be done fairly reliably using
the ARIN database. (see http://www.arin.net)

Once they know which ISP is involved, they might show that
the file-sharer's IP address was in use by a specific
account at the ISP, *at the time the file-sharing took
place*. This usually involves asking the ISP to share
that information (much like asking a phone company for the
call log of a particular phone number). Time is important
here, because an IP address may be used by many different
customers.

ISPs usually maintain one big pool of IP addresses, which
they give out at random to customers when they connect to
the Internet. When a customer disconnects (e.g. shuts
down his/her computer for the night), that IP is now free,
and can be assigned to another customer. The ISP usually
maintains a log describing which customers were using
which IP addresses, and when.

In the simple case, the customer has one computer which is
directly connected to the Internet. The IP address would
then identify that specific computer. But perhaps the
customer has multiple computers in the house, and is
sharing his/her Internet connection. The IP address would
also be shared by all of those computers. Internet
traffic to/from that IP address could be for any of them,
and there's no way to tell after the fact which computer
it's actually for.

So now let's assume the opposition has linked the
file-sharing to an IP address, and the IP address to a
specific account at an ISP.

Finally--and IMHO this is the hard part--they might show
that the defendant was the person using the computer that
held the IP address in question. Aside from all the
real-life doubts that may be raised (Perhaps the account
holder was on vacation at the time, and had a friend
house-sit?), there is also the issue of which computer was
responsible.

If the customer had more than one computer on the
Internet, he or she most likely has a router that is
responsible for sharing the connection amongst all the
computers.

Maybe it's a wireless router. If it's a wireless router,
is it properly secured using WEP or WPA? If not, it's
possible for John Doe to come by and use the Internet
through the customer's wireless. The traffic to/from John
Doe's wireless laptop will pass through the customer's
Internet connection, so it will all use the customer's IP
address.

Can the opposition demonstrate this *didn't* happen? If
the customer has an open wireless network, how can the
opposition show that the copyrighted song was shared from
one of the customer's computers, and not from J. Random
Wireless User's? (I'm not aware of any conclusive way to
demonstrate this after the fact. I suppose it would be
possible to show circumstantial evidence -- such as the
presence of file-sharing software and the song in question
on the customer's computer, but just because it's there
doesn't mean it was used.)

[ Reply to This | # ]

Another Lawyer Would Like to Pick Your Brain, Please
Authored by: mashmorgan on Friday, December 29 2006 @ 07:55 PM EST
Case falls apart on the first point Para 12.

Each computer has a unique address like a postal system, i.e. send a mail to a
company and therefore all users in that company are defendants.

In my capacity as a forensic investigator, we would demolish the case on that
that argument alone. They cannot prove it.

Glad UK courts would not allow this stuff to go further than a rebuttal report
which the authorities (the CPS/Police in my case) would drop.

It's pathetic to be honest.

[ Reply to This | # ]

Another Lawyer Would Like to Pick Your Brain, Please
Authored by: Anonymous on Friday, December 29 2006 @ 08:01 PM EST
Haven't read anything but the intro yet, but this stuff comes to mind.

1. From the introduction one is startled to read the following:

----------------- "--[The Defendant] has never even used a computer in her
life, much less been an "online distributor." -------

This is a fact that UMG can not technically contradict against Defendant's
declaration. This immediately makes others in her household suspect. Since it
may be a crime, they can take the fifth and make it impossible for UMG to prove
that the Defendant did anything with her computer. Might she be civilly liable,
after notice, as the owner of the computer, maybe. The important thing here is
not to provide evidence against yourself. Make the plaintiff prove it if they
can.

Some questions in this area for Media Sentry:

- On the first date of your tests, who was online during your first
procedure?

- On the second procedure? Third? etc? {all the answers should be
I don't know.}

- Is it not true that your procedures can't determine who is
online?

- On the second day of your tests who was on during the first procedure?
.......

.................Continue with the same line of questioning so that for every day
and every procedure they say "I Don't know" and "the user can't
be determined." Spend a lot of time establishing this and it diminishes
the value of what they have determined.

Demonstration: One can also attempt a demonstration if you are sure how things
will operate. At deposition or in the courtroom have computers A and B both
connected to the internet. Have the plaintiff on A monitor computer B and
conduct suspect activity. Show the limits of Plaintiffs procedures in that it
can not tell who is on the computer.

[ Reply to This | # ]

Jacobson's Comments on Wifi and Hard Disks (or is it images?)
Authored by: yorkshireman on Friday, December 29 2006 @ 08:04 PM EST
Two things strike me as being very odd about Jacobson's 19 Dec declaration.


1) Wifi
=======
He makes a statement that "the defendant's computer .... was not connected
to the Internet via a wireless router".

This statement is either made based on information that we haven't seen on
Groklaw or it is simply untrue. I have a DSL connection at home which goes into
a wired router/firewall and then the wired router is connected to a second
wireless router/firewall which protects the computers on the inside.

It would be impossible for someone on the Internet to know what happens on the
inside of my network without (illegally) breaking through the outer firewall.

The lawyer should explore this point in detail and particularly why Jacobson
felt it necessary to include it in the first place. It seems to me an admission
that their case is weakened (or lost) if a wireless connection is involved.

This is presumably because many users setup wireless connections with no
security or WEP security which can be cracked easily.


2) The Hard Drive (or is it image?)

Mr Jacobson's statements regarding the hard drive are confusing - perhaps
deliberately? He is either saying that someone deleted the incriminating data
in a way which MediaSentry's imaging software was unable to detect - or he is
agreeing that the defendant is not guilty.

Perhaps he is obliquely accusing MediaSentry of incompetence in imaging the
disk. MediaSentry could have used forensic disk imaging software that would
have told Jacobson everything that the original disk would have. If they chose
not to use it then it is their fault.

Of course the defendant's Windows computer could have been infected by a Trojan
and remotely used to share the files via Kazaa also. This could be difficult to
detect for an inexperienced computer user.

For the sake of argument, (even if) the logs prove the Internet connection was
used to share these files. I can't see any evidence that they know which
computer was used (wired or wireless and with/without the defendants
permission). Let alone who the user was.


Any more info on the case would be useful to help form a technical opinion.
IANAL.

[ Reply to This | # ]

Another Lawyer Would Like to Pick Your Brain, Please
Authored by: Anonymous on Friday, December 29 2006 @ 08:05 PM EST
What been observe (other people already catch it)
IP address and deposition from Verizon is not enough
to claim that the defendant's computer (physically) was
operated on 8/72004 between 6:12:45 AM EDT
and 7:08:30 AM EDT.

The expert build only one part of the chain:

WWW -> KaZaA -> IP

The missing link is IP -> Defendent's computer.
As usual the foggy/doubt part been skiped in expert deposition. That where
defence should take a carefull look.

Yes, Verizon tell that IP 141.155.57.198 were assign to
Defendant. But that is not enough.

!!! The fake is possible through MAC address.
The routers/cable_modem (device throug which Internet connection made) can be
re-porgram to a different MAC address.

I am sure that the MAC address from the defendant's cable modem has been abused by
somebody. Remember, the MAC address is printed on the package box of the cable modem.
Anybody can pick it up and use it.
Verizon doesn't care unless a collision happens (the same MAC from two different
physical locations). Because the defence claims that the person almost never used the
computer, that is possible.

The abuse scheme is easy. Pick a trashed box. Get info about the defendant's MAC
address and Internet operator. Re-program the MAC address and go ahead.
Verizon will see that the defendant surfs the Internet when actually the defendant is
innocent.

That version is supported by the expert deposition (see paragraph 6). The expert confirms
that the hard drive is not the same as the one used for illegal sharing of the copyrighted
content.

I suggest the following strategy:
- Pull up the questions about the MAC address and lead to the conclusion that Verizon's
testimony is not enough to claim that the defendant's computer was used (faking is
possible because a MAC address can be re-programmed). If the expert refuses to
confirm this, search in Google: you will find precise instructions for any operating
system.
- Pull up the expert's opinion about the hard drive in support of the previous statement.

Additional discovery:
- Pull the log from Verizon about how frequently (in their records) the defendant used the
computer. It is also possible that after the computer was collected by police somebody
still abused the MAC address. In this case Verizon's records will show that the abuse
happened even after the defendant was physically unable to do it.
- Ask Verizon to provide a log with specific details of the connection. Usually it is
impossible to identify the region/city/street where the request came from.

[ Reply to This | # ]

Another Lawyer Would Like to Pick Your Brain, Please
Authored by: Anonymous on Friday, December 29 2006 @ 08:05 PM EST
Hard to say anything definitive. The paper of Prof. Sips and Dr. Pouwelse is
self-explanatory.

Probable questions are stated there.

0. [As was noted by others] How can you guarantee that the provided screen shot is
authentic?

1. [By the paper] How did you ensure that the identified file name wasn't fake?

2. [By the paper] How did you ensure that the IP address wasn't hijacked? Wasn't
faked? Can the ISP testify to the IP address's validity?

3. [From my head] How can you ensure that works found on the client's hard drive
were not legally acquired? A broken CD, a rip from a friend's CD, etc. may lead to
mp3s w/o any identifiable source. Files on P2P networks use checksums for
validation. OMG, the checksums by themselves may not be properly validated: even a
little alteration to the file (e.g. correction of the artist name) leads to a
different checksum. Does the checksum of the files match the checksum of the
files found on the P2P network? (If one cannot prove that somebody actually
downloaded the file in question, one cannot claim that the "distribution"
right was infringed).

4. [From my head/paper] How did you verify that somebody actually downloaded
the works in question from the client's computer? How can you test that the works in
question came from the client's hard drive? Were the works actually available
from the client's computer, not just some file names??

[ Gosh. We are talking about convicting a person. How can one rely on unreliable evidence
for that sake??? You U.S. people really surprise me. ]

IOW I can hardly add anything to the list of what the guys already have put on
paper. The Internet is P2P by its nature; applications like Kazaa are just an
advancement of such a model.

Summary:

An IP address may not be equated to a unique identifier, due to all the technical
obstacles a normal Internet connection has to work around (NAT, firewalls, proxies,
etc.). Add here the now-practised address hijacking, zombie proxies, etc., and there is
no definitive means to identify the person behind an IP address. (E.g. the classical
SYN-flood attack
http://www.iss.net/security_center/advice/Exploits/TCP/SYN_flood/default.htm
uses precisely the fact that an IP address may not be properly validated. The
attack may be fended off only by the attacked hosts themselves, and only passively.
A host cannot actually detect that it is under attack.) The paper covers that.

Filenames as seen on P2P networks like Kazaa are not definitive. (I myself was
on the receiving end of the problem: knoppix.iso often turns out to be some random
pr0n somebody tries to download from a corporate computer under a fake name.) There
is no guarantee whatsoever that a file with a particular name actually contains the
copyrighted material in question. The paper explains that.

A checksum, which is often used as an alternative to file names for download
identification, may be faked. Both MD5 and RC4 were proven to be susceptible to
easy (~ linear time) attacks (IOW a file of the same size but with different
content).
RC4: http://en.wikipedia.org/wiki/RC4#Fluhrer.2C_Mantin_and_Shamir_attack
MD5: http://en.wikipedia.org/wiki/MD5CRK
Shortly: even widely used checksum algorithms cannot be taken for granted when
comparing a copyrighted work to a file found on a P2P network. And the paper mentions
that.

P.S. I have programmed networks. I have programmed Unices. I know many architectures and
have studied many system designs. I know some P2P (mostly BitTorrent, eDonkey,
Gnutella) technologies. (Kazaa uses FastTrack. I can try to dig up tech info on
it too, but the network is largely undocumented, by all means a proprietary one.)
If you have concrete questions, try contacting me directly at thephilipsNO@SPAMgmail.com (NO SPAM
removed). I'm a techie, not the best legal conversation
partner, but still. I am not a genius, but an engineer. If I can help, I would
gladly do so. Especially while on Xmas vacation ;)

[ Reply to This | # ]
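Taking the point made in the post above about a small tag edit changing a checksum: the added example below is not part of the thread, and is not anything MediaSentry or the plaintiff's expert used. It hashes an MP3's audio payload with the ID3 tags stripped off, so two copies that differ only in the artist name still compare equal even though their whole-file MD5 and SHA-256 differ. The ID3 layouts used are the published ones (ID3v2 header: "ID3", two version bytes, one flag byte, four-byte syncsafe size; ID3v1: a 128-byte trailer beginning "TAG"); the sample "audio" bytes and tag contents are constructed.

```python
"""Compare two MP3 files by audio payload rather than by whole-file hash.

Added example, not from the original Groklaw thread. Sample bytes are constructed.
"""
import hashlib


def _syncsafe_to_int(b: bytes) -> int:
    # ID3v2 sizes use 7 bits per byte so no size byte can look like an MPEG sync marker.
    return (b[0] << 21) | (b[1] << 14) | (b[2] << 7) | b[3]


def _int_to_syncsafe(n: int) -> bytes:
    return bytes(((n >> shift) & 0x7F) for shift in (21, 14, 7, 0))


def strip_id3(data: bytes) -> bytes:
    """Return the bytes between an optional ID3v2 block and an optional ID3v1 trailer."""
    start = 0
    if data[:3] == b"ID3" and len(data) >= 10:
        flags = data[5]
        size = _syncsafe_to_int(data[6:10])   # tag size excludes the 10-byte header
        start = 10 + size
        if flags & 0x10:                      # ID3v2.4 footer flag: 10 more bytes follow the tag
            start += 10
    end = len(data)
    if end - start >= 128 and data[end - 128:end - 125] == b"TAG":
        end -= 128                            # ID3v1 trailer is always the last 128 bytes
    return data[start:end]


def file_hashes(data: bytes) -> dict:
    """Whole-file hashes, the kind recorded for an evidence file."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def content_hashes(data: bytes) -> dict:
    """Hashes of the audio payload only, ignoring editable tag metadata."""
    return file_hashes(strip_id3(data))


def same_audio(a: bytes, b: bytes) -> bool:
    return content_hashes(a) == content_hashes(b)


def make_id3v2(payload: bytes) -> bytes:
    # Minimal ID3v2.3 header; the frame body is opaque to strip_id3, which only needs the size.
    return b"ID3" + bytes([3, 0, 0]) + _int_to_syncsafe(len(payload)) + payload


def make_id3v1(title: str, artist: str) -> bytes:
    tag = (b"TAG" + title.encode("latin-1").ljust(30, b"\0")
           + artist.encode("latin-1").ljust(30, b"\0"))
    return tag.ljust(128, b"\0")


# Constructed sample: a fake MPEG frame header followed by filler "audio", wrapped in tags.
# RETAGGED differs from ORIGINAL only in the artist field of the ID3v1 trailer.
AUDIO = b"\xff\xfb\x90\x00" + bytes(range(256)) * 4
_FRAME = b"TIT2\x00\x00\x00\x06\x00\x00\x00Song1"
ORIGINAL = make_id3v2(_FRAME) + AUDIO + make_id3v1("Song1", "Artst")
RETAGGED = make_id3v2(_FRAME) + AUDIO + make_id3v1("Song1", "Artist")

if __name__ == "__main__":
    print("whole-file md5 equal:", file_hashes(ORIGINAL)["md5"] == file_hashes(RETAGGED)["md5"])
    print("audio payload equal: ", same_audio(ORIGINAL, RETAGGED))
```

A whole-file hash mismatch between the investigator's download and a file on the examined drive therefore does not show that the recordings differ; the payload hash is the thing to compare first. One caveat the post does not raise: FastTrack's own file identifier (UUHash) covers only portions of a file, so a match on that identifier is weaker evidence still than a full-payload match.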

Some Questions to think about
Authored by: Anonymous on Friday, December 29 2006 @ 08:05 PM EST
How did MediaSentry get this information on the P2P network? I.e. sit in the
background and sniff out traffic based on P2P, or would it install itself
on any PC connected to the Internet that was not secure? Like a virus?

In the description of TCP/IP Dr J has no comment about email spoofing or IP
spoofing, which is highlighted by the fact, as stated by Dr J, that the hard drive
sample given was not the one that was using Kazaa. It is very easy to phish
email accounts and passwords from users and even send infected emails, without you
even knowing, to your email list. Dr J should know about this as the owner of a
security networking company. Basically he can say it went to this IP address;
however, he can not prove it was this computer or the person in question!

Dr J also stated that a wireless network was not involved. How can he back that
up? NATing in routers is one way you can create your own shared network at home
for many. The ISP has you listed as only one user or destination / source address;
however, the router knows there are many behind it that are connected. So it is
not that clear cut. Does your client have a router or WiFi? Or does Ms Lindor
have a Bluetooth or WiFi laptop turned on? These can be hacked and accessed by a
third person through Ms Lindor's PC.

What security does Ms Lindor have on this PC, if any? If there is none, what
trojans were on this HD? Dr J has had a look at this HD; however, he did not say
he did a forensic test, he only spoke about it. He is making all the right noises;
however, there seems to be little action to prove this was done. It would appear
he only looked for Kazaa installation files and share locations. Very basic
search! Based on the fact that he has very little time, as he is doing book reviews,
committees and teaching, he has spent very little time (lack of technical info)
in proving what he is saying other than using his heavy CV to back himself. I.e.
what tools did Dr J use to come to the conclusion this HD was not the one used
in the great file sharing scam?

What type of music was downloaded? Dr J stated header files are sent. Is this the type
of music Ms Lindor listens to? If it's Pink, I would doubt a middle-aged woman
would be listening to it. My parents are middle-aged and they like the 50s and 60s
music: Elvis, Beatles, Everly Brothers, Platters, Diana Ross etc. etc. Do they
match what was downloaded?

Dr J can not prove by MediaSentry data that Ms Lindor was the person at the PC.
They are pointing in that direction. Yes Officer, the robber ran that way.
However, Dr J even stated the HD given was not the one used to download files. Sorry,
wrong machine. Your Honor, I have an IP address though! Is that all you got?

[ Reply to This | # ]

Some questions and observations that spring to my mind
Authored by: cybervegan on Friday, December 29 2006 @ 08:10 PM EST
About the defendant's internet connection:

How did the defendant's computer connect to the internet? Cable modem? DSL
modem? Dialup modem?

Does the ISP log any identifying information such as the MAC address if the
connection is cable or dsl?

If so, do they match those in the defendant's computer?

Was another computer's MAC address ever associated with the defendant's
account?

Did the defendant's computer have more than one network device - wireless or
wired?

If so, was "internet connection sharing" enabled?

If wireless, was the network secured with WEP?

If wired, was there another computer on the defendant's premises to which this
one could have been networked and sharing its internet connection?


About the defendant's computer:

Has a "friendly neighbour" or relative ever offered to help her out
with her computer? May they have tampered with its configuration to allow them
to attach to the internet through it without her knowledge?

Can the investigators prove that the defendant's computer was not infected with
a backdoor trojan or rootkit that could have allowed a cracker to remotely use
her computer without her knowledge?

If the hard disk image doesn't contain any of the files the investigators
allegedly downloaded, did they in fact find the disk that they downloaded them
from? Was this disk ever in the possession of the defendant?

---

They must be able to prove every link in the chain:

That the files were downloaded by the investigators.
The IP address of the computer to which they were downloaded.
A disk image of this computer, with the files on it.
The connection details of this computer - IP address, means of connection,
configuration or log files to support this.
Log files of the TCP/IP conversation between the defendant's computer and this
computer.
The IP address of the computer from whence they were downloaded.
That the IP address was assigned to the defendant's account.
That the defendant's computer was attached to the internet via this account at
the time the evidence was gathered.
That the files downloaded were found on the defendant's computer (even if they
had been deleted).
That the defendant's computer actually had a kazaa-family p2p program installed
on it.
That the files were located in a folder that was or had been shared by the
sharing program.
That the files were put into the shared folder by the defendant.
That the defendant knew that putting the files into the shared folder was likely
to lead to them being illegally downloaded.

To summarise:
files downloaded including MD5 and SHA hashes
disk image of investigator's machine after downloading files, including MD5 and
SHA hashes
investigator's MAC address
investigator's IP address
DHCP server logs or IP configuration details from investigator's PC
investigator's ISP logs showing that they had a connection at the time
defendant's ISP's DHCP server logs, including time, IP and MAC address
defendant's computer's MAC address
sharing software installed on defendant's PC
image file of defendant's computer hard disk, incl MD5 and SHA hashes, showing
that the files were present, the hashes match, and were in a shared directory,
and that a sharing program was installed

That would be a reasonable start, but is not all-inclusive.

DHCP servers invariably keep details of the nodes (network cards) that they dole
out addresses to.

MD5 and SHA hashes show whether or not files have been tampered with or were
different.

The downloaded files and the files from the defendant's computer should be
played to the court to prove that they are what the prosecutors say they are.

I wouldn't consider myself an expert, but that's how i'd go about it, and then
i'd look for more holes in my reasoning, and go over it again.

regards,
-cybervegan

---
Software source code is a bit like underwear - you only want to show it off in
public if it's clean and tidy. Refusal could be due to embarrassment or shame...

[ Reply to This | # ]

Occam's Razor
Authored by: Anonymous on Friday, December 29 2006 @ 08:13 PM EST
If I understand all of this correctly, the simplest explanation is that her
computer got taken over by somebody who turned it into a music server, and
eventually she decided that the computer was acting funny/running slow/crashing
too often, and had it fixed. In the process of fixing it, the hard drive was
wiped by the fixer, leading to the drive with very little on it (just what she
put on it since the fix).

If this is the true situation, what is her liability for the stuff put on her
machine without her knowledge or consent? Under current law, I think the answer
is, zero. A decision otherwise would make life very expensive for a lot of
clueless PC users. It might be a net positive change, but it would certainly be
a huge change from the current situation.

MSS2

[ Reply to This | # ]

Thoughts on the Declaration
Authored by: CondorDes on Friday, December 29 2006 @ 08:27 PM EST

5. Based upon my review of the foregoing materials, as well as on my education and experience, it is my opinion and belief that the defendant's computer had a public Internet Protocol ("IP") address and was not connected to the Internet via a wireless router.

But he does not say which IP address, or whether that IP address matched the one found by MediaSentry. Indeed, he doesn't link the computer he examined with the infringing computer discovered by MediaSentry at all.

I base this on the data mentioned above, as well as on the registry entries recovered from the computer and the fact that there was no internal IP address here.

What techniques did he use to recover the computer's IP? Can he demonstrate that the lack of an internal IP address conclusively indicates the computer was not used behind a router? Can he present the logs on which his statement was based? How can he be sure the logs are comprehensive? Perhaps the computer failed to log its IP.

Based on how IP addresses are assigned, it is not difficult to determine whether a computer was connected to the Internet via a wireless router. This computer was not.

This is, at best, a half-truth. It is possible to distinguish between public and private IP addresses, which can determine whether a computer was behind any type of router (wired or wireless) with high probability. (See RFC 1918.)

However, most wired and wireless routers use the same scheme for assigning IP addresses. Also, wireless routers often do not distinguish between computers that are plugged in via Ethernet and computers connected via wireless. (On some, but not all, wireless routers, it is possible to tell the router to make the distinction, but this is not the default.)

Most wired and wireless routers in their default configuration (for example, Linksys and D-Link routers, both of which I have personal experience with) assign IP addresses in the 192.168.x.x range. The Linksys router at work assigns these addresses without regard to whether I am connected via wireless or via Ethernet cable. I could, for example, plug in via Ethernet, and receive the IP address 192.168.1.104. But when I come in tomorrow and connect via wireless, it's quite possible I will be assigned the same IP address.

6. ... this hard drive was not the same hard drive that was used to share copyrighted sound recordings as shown by the MediaSentry materials.

That's like taking fingerprints off of some random Honda Accord and trying to use them to show the defendant drove the getaway car (which was a Jeep Cherokee).

The hard drive that was provided and that I inspected, showed little usage at all, as evidenced by the lack of user created files and e-mails, and did not reveal the evidence noted above, which I believe the correct hard drive would certainly have shown.

So there was no evidence whatsoever that the computer he examined was used for copyright infringement. He assumes the drive he examined was not "the correct hard drive", but (a) how can he demonstrate that it's not, and (b) if it wasn't the right drive, why did he examine it in the first place?

7. The hard drive that was provided did contain the resume of Gustave Lindor, Jr., and that document indicates that he was living and working in Brooklyn, New York during the dates that the copyrighted music was being shared.

That seems awfully circumstantial to me. If anything, given the aforementioned lack of evidence, isn't that an argument for his innocence?

[ Reply to This | # ]

important: The hard disk
Authored by: rsmith on Friday, December 29 2006 @ 08:29 PM EST
Dr. Jacobsen's report contains something that might sink the plaintiff's case.

He states that the hard disk (or image; his declaration is ambivalent here) that
he received from the defendant's computer doesn't contain the Kazaa software or
copyrighted files.

His conclusion that he therefore wasn't given the correct hard drive (image?) is
the tail wagging the dog. It's an assertion without any evidence whatsoever.

---
Intellectual Property is an oxymoron.

[ Reply to This | # ]

Another Lawyer Would Like to Pick Your Brain, Please
Authored by: Anonymous on Friday, December 29 2006 @ 08:33 PM EST
How can any expert, anywhere in the world, reasonably claim that they can
associate an IP address with a specific user of a P-2-P network? IP Addresses
can be spoofed. It would be necessary to show that the IP address is tied to a
specific MAC address of a Network Card or port of a firewall, switch or router
owned by the defendant. Even then a MAC address can be spoofed. It would be easy
to use a packet sniffer to obtain the IP address and MAC address. The user name
could be made up by someone who knows her referentially. If I was on a jury and
you asked me to determine whether Miss Lindor was guilty of using a P-2-P
network just because an IP address was associated to an account owned by Miss
Lindor I would find her not guilty. Even given that copyrighted files were
present on her computer and it appears that she had a P-2-P software application
installed and that software was offering files, how can you prove to me as a
jurist that she knowingly or should have known that this violation was taking
place? If my nephew comes to my home and uses illegal drugs in the bathroom does
that make me guilty of a crime? Yes it is my responsibility to supervise him as
a minor but I can't prevent him from illegal activities.

I read in one of the documents that the computer was owned by another, now
deceased person. Is it possible that the former owner was sharing files and left
this software on the computer? Assuming that it was someone else who was using
the computer in her home, how could I find her guilty when she apparently does
not even know how to use a computer? In the testimony of the two technical
experts they conclude that the methods used by the investigating company were
neither scientific nor discrete. One last observation, I am curious if there is
a body of case law wherein a court has found that the act of offering files over
a file sharing network constitutes a legal offense or do you have to show that
files were actually downloaded?

Finally, the R.I.A.A. appears to be using this and other cases to make examples
of people. This is tantamount to creating enough fear of criminal prosecution to
prevent file sharing activities. Asking someone to pay $750.00 per song in
penalty is ludicrous. The nominal value of a song these days is generally 99
cents. How can the R.I.A.A. and the music companies claim that this is a fair
and reasonable penalty without "proving" the actual loss?

[ Reply to This | # ]

Have the DSL line traced
Authored by: rsmith on Friday, December 29 2006 @ 08:37 PM EST
Ask the plaintiff if they can prove that the IP traffic linked to the
defendant's account was actually transmitted over the telephone line running
to the defendant's house.

Because it might be another Verizon customer using defendant's loginname and
password. If she wasn't using the computer, she'd never know.

---
Intellectual Property is an oxymoron.

[ Reply to This | # ]

Another Lawyer Would Like to Pick Your Brain, Please
Authored by: Anonymous on Friday, December 29 2006 @ 09:02 PM EST
Just a couple of quick observations about the curriculum vitae: there are no
refereed-journal articles pertaining to computer forensics, which implies he is
not a recognized expert in that specialty; also, there is nothing I noticed in
the entire CV that indicates any detailed knowledge of the specific P2P
programs, or investigative programs, that allegedly are involved. Of course, the
CV is so verbose I certainly may have missed the needle in the haystack.

A background check of his overall character might be useful. For example, has he
ever been accused by his students of sexual harassment, grades for a fee, etc.?
Are there ex-wives, and what do they have to say about him?

Also, it would be interesting to poke into the finances of his entrepreneurial
activities. For example, have there been discussions about future consulting
work contingent on the outcome of this lawsuit?

[ Reply to This | # ]

    Timestamp accuracy
    Authored by: Anonymous on Friday, December 29 2006 @ 09:03 PM EST
    In my opinion the key flaw in their argument is the procedure used to establish
    the IP address and identity of the computer and its user.

    This process has to have the following attributes:

    1. The information needed to establish the sequence of events must originate
    with different people/organisations (ISP, MediaSentry, cable company, etc.)

    2. The data used to establish copyright infringement must involve a sequence of
    events, each at a different time (connection, assignment of IP address,
    down/upload of file, disconnection, de/re-allocation of IP address, etc.)

    The differing data sources in (1) will have provided timestamped logs purporting
    to show those events in (2) which are then presented in such a way that they
    match at particular times (as in this computer had that IP address when file x
    was downloaded from it). Unless they can also provide a way to attest to the
    accuracy of the timestamps in their logs no such link can be applied.

    They must either have synchronised their differing systems to each other or,
    more likely, to a known accuracy data source (as in an ntp server). In which
    case they should both be able to provide their ntp synchronisation logs as
    backup to their evidence. If not how does one know the times are accurate, or
    sequence of the events exists?

    In my experience large ISPs and companies in general have a quite cavalier
    attitude to time accuracy on their systems. I've seen servers which were minutes
    out, and hours out is not unusual, also sometimes with an incorrect timezone to
    confuse things even more.

    That's something to watch out for when comparing logs -- different timezones
    because systems were in different locations. It's best to insist everything is
    converted to GMT.

    Hope this is helpful.

    [ Reply to This | # ]
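Several comments above ask for the same checks from different angles: the MAC-address comment wants to know whether the same MAC ever showed up from two places, cybervegan's evidence list asks for the ISP's DHCP logs with time, IP and MAC, CondorDes notes that an RFC 1918 address is what a machine behind a router would record, and the timestamp comment insists every log be converted to GMT before events are lined up. The added Python below is not from the thread and is not Verizon's or MediaSentry's real log format; the lease-log layout, interface names, MAC addresses and lease times are constructed. It converts the EDT time quoted in the thread to UTC, finds which MAC and access interface held the quoted IP at that moment (with a tolerance for unsynchronised clocks), flags the same MAC leased on two different interfaces at overlapping times, and classifies an address recovered from the examined machine.

```python
"""Correlate an ISP lease log with a P2P observation time.

Added example, not from the original Groklaw thread. The lease-log format,
interface names, MACs and times below are constructed (the public IP and the
EDT time are the ones quoted in the thread).
"""
import ipaddress
from datetime import datetime, timedelta, timezone

EDT = timezone(timedelta(hours=-4))   # US Eastern Daylight Time, in force in August 2004

# Constructed sample, fields: lease-start lease-end mac ip access-interface (UTC, "Z").
SAMPLE_LEASES = """\
2004-08-07T04:00:00Z 2004-08-07T16:00:00Z 00:11:22:33:44:55 141.155.57.198 cmts1/0/1
2004-08-07T09:30:00Z 2004-08-07T13:30:00Z 00:11:22:33:44:55 141.155.57.210 cmts7/2/3
2004-08-07T08:00:00Z 2004-08-07T20:00:00Z 00:aa:bb:cc:dd:ee 141.155.57.199 cmts1/0/2
"""


def parse_leases(text: str) -> list:
    leases = []
    for line in text.splitlines():
        if not line.strip():
            continue
        start, end, mac, ip, iface = line.split()
        leases.append({
            "start": datetime.fromisoformat(start.replace("Z", "+00:00")),
            "end": datetime.fromisoformat(end.replace("Z", "+00:00")),
            "mac": mac.lower(), "ip": ip, "iface": iface,
        })
    return leases


def local_to_utc(stamp: str, tz=EDT) -> datetime:
    """Parse a time written in a local zone (e.g. an EDT screenshot time) and return UTC."""
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S").replace(tzinfo=tz).astimezone(timezone.utc)


def holders_of(leases: list, ip: str, at_utc: datetime, skew=timedelta(minutes=5)) -> list:
    """Every (mac, iface) that held `ip` at `at_utc`, widened by `skew` for clock drift."""
    return [(l["mac"], l["iface"]) for l in leases
            if l["ip"] == ip and l["start"] - skew <= at_utc <= l["end"] + skew]


def mac_collisions(leases: list) -> list:
    """Same MAC leased on two different access interfaces with overlapping lease times."""
    hits = []
    for i, a in enumerate(leases):
        for b in leases[i + 1:]:
            if (a["mac"] == b["mac"] and a["iface"] != b["iface"]
                    and a["start"] < b["end"] and b["start"] < a["end"]):
                hits.append((a["mac"], a["iface"], b["iface"]))
    return hits


RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def address_class(addr: str) -> str:
    """Classify an address recovered from the examined machine (e.g. its registry)."""
    a = ipaddress.ip_address(addr)
    if any(a in n for n in RFC1918):
        return "rfc1918-private"   # what a machine behind a NAT router would record
    if a.is_link_local:
        return "link-local"        # e.g. Windows APIPA 169.254.x.x: no DHCP answer at all
    return "public"


if __name__ == "__main__":
    leases = parse_leases(SAMPLE_LEASES)
    seen = local_to_utc("2004-08-07 06:12:45")   # the EDT time quoted in the thread
    print("observed (UTC):", seen.isoformat())
    print("holders of 141.155.57.198:", holders_of(leases, "141.155.57.198", seen))
    print("MAC collisions:", mac_collisions(leases))
    print("192.168.1.104 is", address_class("192.168.1.104"))
```

Two things a practitioner would insist on when running this against real logs: the skew tolerance has to come from the sources' own NTP records rather than be guessed, and a non-empty collision list is only an indicator; a lease log alone cannot say which of the two locations was the legitimate subscriber.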

    tongue in cheek
    Authored by: Anonymous on Friday, December 29 2006 @ 09:03 PM EST
    (think the above comment is rather astute wrt computer taken over - there's
    no reason that a hijacker couldn't read her name from other files and create a
    kazaa account based on her name)

    but, (ducking)

    qualifications

    2) What distinguishes your company as a "high-tech" computer security

    company as opposed to other computer security companies?

    IV - does Palisade have anything to do with your D&D experience?

    from the declaration:

    Did they give you a USB thumb drive to inspect?

    [ Reply to This | # ]

    Another Lawyer Would Like to Pick Your Brain, Please
    Authored by: Witness on Friday, December 29 2006 @ 09:16 PM EST
    It would seem to me that the music industry, in an effort to preserve an ageing
    market paradigm, has in effect been using a form of blackmail or
    "protection" scheme. While technically it may all be legal to
    frighten people into paying up for "crimes" they did not commit, I
    feel the music industry's actions should be carefully examined under both
    Federal and State RICO laws. Certainly a pattern of gross misapplication of
    lawsuits can be easily discerned.


    ---
    Witness

    [ Reply to This | # ]

    My Only Q: Are you sure you're a witness for the prosecution?
    Authored by: Anonymous on Friday, December 29 2006 @ 09:23 PM EST

    Dr. Jacobson's declaration states:

    ... this hard drive was not the same hard drive that was used to share the copyrighted sound recordings ...

    Thus the RIAA's expert appears to be challenging the chain of evidence presented by MediaSentry: the evidence provided to him does not support their analysis.

    The remaining questions are along the lines of:

    • Did you witness the collection of the evidence?
    • Are the results provided by MediaSentry consistent with the evidence found on hard drive which you examined?
    • Is it possible to conceal the trace evidence you expected to find?
    • What technical skills would be required to conceal this evidence?

    [ Reply to This | # ]

    Conclusions
    Authored by: webster on Friday, December 29 2006 @ 09:24 PM EST
    Jacobson's Declaration

    One can have a lot of fun with his $5 million in grants. Ask how much
    went into his pocket. Ask him how much of his business relies on the perception
    or reality of sending copyrighted material over the Internet.

    His tone and diction are negative. He talks about peer to peer as something
    negative, that is, sending improper, unpermitted copyrighted files over the net.
    Actually there is far more legal peer to peer, such as email, chat, data, voice
    and other legitimate content. He threw porn in, but much of that is legal. An
    estimate of total content, illegal content, legal copyrighted content, and
    illegal copyrighted content might help diminish his claims. You can't ask this
    stuff unless you know the answers.

    From Jacobson's conclusions:

    15) The materials can not disclose who was using the computer?? The materials
    will not disclose whether the sites granted permission to download the
    copyrighted material? The materials will not disclose whether the purported
    permission was legitimate or not? The materials will not disclose whether or
    not the copyright notice was on the site or not? The copyright notice itself
    that is in the downloaded material does not say itself whether it is legitimate
    to download the particular copy or not? Kazaa is just a tool that downloads
    files? It has no copyright sensor?

    16) Screenshots could mean several things depending on what stage of the search
    and download process is involved. Also files can be deleted and never used.
    The expert can bring this out. The expert can also establish that anyone can
    use the Kazaa user ID with just the password. So one or many different people
    may have done the downloading.

    17) He concludes that MediaSentry downloaded 11 songs. From where? Is this
    relevant? Where did they come from? Did they have permission? Was permission
    noted on the site?

    19) He concludes that for a while copyrighted songs were offered for
    distribution. How were they offered? What action did the user take to offer
    them? {None, it was involuntary and probably ignorant.} Have the expert
    explain how this works for you. He can give your client an innocent and
    unknowing explanation.

    20) He says above that 624 songs were "offered for distribution."
    Here he concludes they "were being distributed." Make him retract, or
    explain and retract, to impeach these conclusions. Have him explain what a
    subscriber is. Have him explain an Internet address. Have him explain that anyone
    can use the computer, subscription, and Internet address other than Ms Lindor.

    21) He concludes the computer distributed material. Have him explain how that
    happened without any intervention by the Defendant or anyone else. Have him
    describe the "ignorant distributor."

    22) He concludes music on the computer was downloaded from other computers on
    the Internet. Did the other computers pay? Did the other computers pay for the
    right to make a gift? Can people make a gift of iTunes tunes? How is an
    ignorant person to know the difference?

    In general you can't mess with the expert. But get him to be your witness for
    the simple stuff suggested above. Look for bias, money and plaintiff's or law
    enforcement tendencies in the past and who fills his wallet. He has also
    provided a wealth of background of his writings and experience. Contradictions
    and puffery, if any, could effectively impeach him.

    ---
    webster

    [ Reply to This | # ]

    Comments from Holland
    Authored by: Joris on Friday, December 29 2006 @ 09:25 PM EST
    From the Dutch case, this is something that weighed pretty heavily on the decision of the Dutch court:

    Mr. Millin also testified that his company provided a service called MediaDecoy which distributes bogus or inoperative files over the internet. People downloading these files think incorrectly that they are music files. The files are made to look like real music files, but they are inoperative. When he was asked whether he could tell whether any of the files allegedly copied from the alleged infringers were MediaDecoy files, Mr. Millin stated that he had not listened to any of the files copied from the alleged infringers and that listening to the files was not work that his firm was contracted to do (…). There is, thus, no evidence before the Court as to whether or not the files offered for uploading are infringed files of the plaintiffs.

    In other words there is no way to determine from log files whether it is actual music you downloaded or just decoys. You have to listen to the files to determine whether these are really the copyrighted materials.

    This is from the expert's testimony:

    I will testify that, based on the MediaSentry Userlog, the music found on the Defendant's computer was downloaded from other users on the Internet.

    I wonder what is in that Userlog because how does he know these are not "decoy" files ? Did someone listen to all the songs ? Does the Userlog show all 624 files being downloaded ?

    Another thing the expert states:

    Distributing files first requires that the user must put the file into a shared folder.

    Maybe Kazaa changed since I last used it but back then you automatically shared everything you are downloading. So distributing files also starts by downloading, the user does not have to put the file in the shared folder, Kazaa places it there automatically.

    There is another little pearl in the Dutch case, although probably not appropriate in an American court:

    [...] it has been established that Brein employed the services of MediaSentry, a third party, when gathering IP addresses, thus Brein failed to meet the conditions under which gathering IP addresses is lawful, according to the CBP. The Preliminary Injunction Court also considered the fact that MediaSentry is an American company and that the United States of America could not be considered to be a country that has an appropriate protection level for personal data. Furthermore, MediaSentry – by means of the software it employs - investigates the contents of the IP addresses’ ‘shared folders’, and these ‘shared folders’ can also include files that do not infringe on the rights of third parties, or files which are of a private nature.


    Am I missing something?
    Authored by: Anonymous on Friday, December 29 2006 @ 09:26 PM EST
    In the expert report, point #14, Dr. Jacobson does not list the files downloaded
    by MediaSentry amongst the articles he examined.

    In the Motion to Compel, they say the hard drive is the wrong hard drive.

    Do they actually have any evidence that any hard drive was used to download any
    actual copyrighted files? How can they argue it was the wrong hard drive
    without any evidence that anyone had files?


    Another Lawyer Would Like to Pick Your Brain, Please
    Authored by: Anonymous on Friday, December 29 2006 @ 09:33 PM EST
    Sorry, a bit long.

    As the RIAA is using the court system instead of cricket
    bats to perform basic thuggery, it is my belief that the
    court system should be putting those abusing the system
    behind bars and this should not be needed.

    Looking at the documents I can't see any documents telling
    me how the source documents are obtained. So the following
    is speculation.

    Assume we have two sorts of source documents:
    1) Screen shots are of some application that is taking
    packets off the wire and then attempting to work out what
    is going on.
    2) Document from an ISP provider stating that the IP
    address was being routed to a particular account.

    Prof. Sips and Dr. Pouwelse pretty much summed it up. To
    put it another way: Dr. Jacobson may be one bright cookie,
    but:

    1) Is he being honest, is he independent? As has been
    pointed out, screen shots are easy to create.
    2) Did he make a fundamental mistake in understanding how
    the protocol works?
    3) Is his code correct?

    Surely the court would require that enough information be
    provided so your experts can come to some conclusion.

    Two courts have said "you can't get past here"; one would
    have to be surprised if things go further.

    But let's assume that he can prove he is honest and
    independent, you get hold of his methods and they look
    good, you get the code, get an independent expert and
    your expert's conclusion is that the code looks good. How
    can things go wrong for the good doctor?

    I assume his system downloads a file from the P2P network,
    records the IP address of the sender and then he finds out
    where the packet is routed using ICMP. The service
    provider then associates the IP address with an account
    and bingo someone ends up in court.

    I think it is safe to assume that bright people that are
    fed up with the RIAA have put some effort into file
    sharing without getting caught.

    1) Have any of the computers along the way been
    compromised?

    You need to find the actual route taken by the packets.
    That I would think is a valid discovery question.

    The best way to cover your tracks is to be part of the
    route and lie about how the packets are routed. That is,
    the computer doing the sharing is in the route list
    discovered by the good doctor, but the basic protocols used
    to discover routes have been compromised (the packets
    have to get to the compromised computer and be returned,
    but the story in between can be completely bogus).
    When the computer doing the sharing is asked about routing
    it returns a story instead of the desired info. As the
    ICMP protocol is standard, this is a trivial program to
    write if you have access to the TCP/IP stack.

    To put it another way, the truth can be hidden by any hop
    along the way; to prove they have the right final
    destination they need to prove no hop has been
    compromised, including the victim's (see my introduction)
    service provider.

    One has to assume that the service provider logs show that
    the packets arrived at the service provider. You have to
    get the logs to make sure.

    2) What has the good doctor done to prove that the routing
    tables of all the computers along the way have not been
    compromised?

    To compromise the ARP table entries all you need is the
    desire and access to the network segment that you desire
    to compromise. Once again if this happens on any of the
    computers in the route the info the good doctor has is
    rubbish.

    Does the good doctor have the ARP table entries from the
    service provider? If they don't have that, then all the
    service provider can say for sure is that this account and
    this password were given this IP address.

    You need to get hold of the logs so your expert can look
    at them and come to some conclusion as to why the info can
    be wrong.

    As I point out in another post, it is trivial to change
    your MAC address. So having the MAC address of the final
    machine doesn't prove that someone who wanted to share
    without the RIAA's knowledge isn't involved.

    3) "Account names and passwords" and ARP tables can be
    compromised?

    If you're sure of your ground, time to go after the service
    provider. Perhaps they will fight the RIAA a little harder
    if the path of least resistance is to fight their thuggery.

    i) How are they sure that the user in question is the
    right user for that IP address?

    ii) What has the service provider done to prevent ARP
    table corruption?

    iii) What makes them so sure their computers haven't been
    compromised?

    The last one will make any network provider squirm; there
    is no right answer.

    4) The user's computer wasn't being used as a zombie.

    Let's assume what's on the hard disk is the one they asked
    for and that the ISP has a secure network.

    You need to get the OS version and patch level. You then
    need a declaration from an expert that details how to turn
    that OS version into a zombie and how to cover his/her
    tracks so the good doctor sees nothing.

    Ask the good doctor why he assumed the victim was sharing
    files instead of assuming that the machine was being used
    as a relay by someone else. His answer will give you the
    material needed by your expert to make a fool of him.

    5) Now we come to points 5 and 6 of the December 19th
    declaration.

    Point 5 says that this hard disk is from a computer that
    is connected to the network (I will come back to that)
    and point 6 says this is not the hard disk we are after.

    If point 6 is correct then point 5 is just wasted words.

    Ask the good doctor why he made point 5 if this is not the
    hard disk he is after.

    Back to point 5.

    As he is claiming this is not the disk he is after, point 5
    is wasted words; however, I'd be interested in why he came
    to that conclusion. As the packet can be routed through a
    wireless link with no knowledge of the sender/receiver, I'd
    be interested as to how he came to that conclusion.

    In summary, what has been provided:

    A declaration that states "I am a very clever person and I,
    as the very clever person, think this." I would have thought
    the court needed a little more; when you get the little
    more you will have what you need to shoot him down, because
    there are many ways for someone to hide their file sharing
    from the likes of the good Dr Jacobson.

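    The post above asks what a service provider has done to detect ARP table corruption, and whether an address's binding was stable while the evidence was being gathered. The block below is an added example written for this page, not code from the poster or from any party to the case. It runs the checks an ARP monitor such as arpwatch performs (a binding that flips to a new MAC, one MAC answering for several addresses) over constructed ARP-table snapshots, and reports whether an address had a single stable owner across a time window. Every address, MAC and timestamp in it is made up for illustration.

```python
"""Check the stability of IP-to-MAC bindings across ARP table snapshots.

Added example, not from the page. SNAPSHOTS is constructed: (snapshot time,
IP address, MAC address) as an operator might dump them from an access
router's ARP table at fixed intervals.
"""
from collections import defaultdict
from datetime import datetime

SNAPSHOTS = [
    ("2006-12-19T10:00:00", "10.0.0.5", "00:11:22:33:44:55"),
    ("2006-12-19T10:00:00", "10.0.0.6", "00:11:22:33:44:66"),
    ("2006-12-19T10:05:00", "10.0.0.5", "00:11:22:33:44:55"),
    ("2006-12-19T10:05:00", "10.0.0.6", "00:11:22:33:44:66"),
    # At 10:10 the binding for 10.0.0.5 flips to a new MAC, and the MAC
    # previously seen only on 10.0.0.6 now also answers for 10.0.0.7.
    ("2006-12-19T10:10:00", "10.0.0.5", "aa:bb:cc:dd:ee:ff"),
    ("2006-12-19T10:10:00", "10.0.0.6", "00:11:22:33:44:66"),
    ("2006-12-19T10:10:00", "10.0.0.7", "00:11:22:33:44:66"),
]


def _parse(records):
    """Normalise to (datetime, ip, lower-case mac), oldest first."""
    return sorted((datetime.fromisoformat(t), ip, mac.lower()) for t, ip, mac in records)


def binding_changes(records):
    """(time, ip, old_mac, new_mac) for every IP whose MAC differs from the
    previous snapshot; arpwatch reports this as a 'changed ethernet address'."""
    last = {}
    changes = []
    for t, ip, mac in _parse(records):
        if ip in last and last[ip] != mac:
            changes.append((t.isoformat(), ip, last[ip], mac))
        last[ip] = mac
    return changes


def shared_macs(records):
    """{mac: sorted ips} for any MAC bound to more than one IP in one snapshot."""
    per_snapshot = defaultdict(set)
    for t, ip, mac in _parse(records):
        per_snapshot[(t, mac)].add(ip)
    out = {}
    for (_, mac), ips in per_snapshot.items():
        if len(ips) > 1:
            out.setdefault(mac, set()).update(ips)
    return {mac: sorted(ips) for mac, ips in out.items()}


def stable_binding(records, ip, start, end):
    """The single MAC observed for `ip` in every snapshot from start to end
    (inclusive), or None if the IP was unseen or bound to more than one MAC
    in that window. A None here means the IP-to-host link is not proven."""
    t0, t1 = datetime.fromisoformat(start), datetime.fromisoformat(end)
    macs = {mac for t, i, mac in _parse(records) if i == ip and t0 <= t <= t1}
    return macs.pop() if len(macs) == 1 else None


if __name__ == "__main__":
    for change in binding_changes(SNAPSHOTS):
        print("binding changed:", change)
    print("MACs claiming several IPs:", shared_macs(SNAPSHOTS))
    print("10.0.0.5 owner 10:00-10:05:",
          stable_binding(SNAPSHOTS, "10.0.0.5", "2006-12-19T10:00:00", "2006-12-19T10:05:00"))
    print("10.0.0.5 owner 10:00-10:10:",
          stable_binding(SNAPSHOTS, "10.0.0.5", "2006-12-19T10:00:00", "2006-12-19T10:10:00"))
```

    The checks deliberately stop at "was the binding stable?"; a flip can be a legitimate hardware replacement just as well as a spoofed reply, so the output is a list of intervals that need an explanation, not a finding.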

    DSL can be hacked
    Authored by: Anonymous on Friday, December 29 2006 @ 09:43 PM EST
    Apparently (according to what I have just Googled) you can see the traffic of people connected to the same DSLAM as you.

    "Key point: DSL typically uses ATM, a layer-2 cell-switching fabric. The DSL provider typically providers no Internet services, a layer-3 service. Instead, it connects you to an ISP of your choice. The layer-2 ATM service is vulnerable to being hacked. Also, you will see traffic such as broadcasts from your layer-2 neighbors." link

    Here's a link to a guy who says he's hacked his neighbors' dsl. hacker In particular, the hacker says he was able to obtain and use the user ID and unencrypted passwords of another user.

    Given that criminal file sharers might be expected to hide their tracks and given that the directions for hacking dsl are easily googled, it would seem that the RIAA should have to make better efforts to prove that the internet traffic did indeed come from the accused person's premises.


    Another Lawyer Would Like to Pick Your Brain, Please
    Authored by: philc on Friday, December 29 2006 @ 09:47 PM EST
    I am curious. How do you know that the files in question actually contain
    copyrighted material? How do you know it's not a performance by a different group
    that has a different owner? A lot of groups record the same material. They
    license the sheet music and interpret it themselves; their performance can be
    copyrighted.

    Have they proven that they own the copyright to the material in question? Just
    because it's in their catalog doesn't mean they own it. Have they proven that it
    is an authentic copy of their material?

    How do you know the material in question is your copyrighted material?

    How do you know that your victim has not paid you for a license to that work? Is
    your record keeping accurate enough to assert that? For example if I buy a CD
    from a music store and rip it so I can listen on my computer is that the same as
    sharing? Do you have a record that I bought that CD?

    How do you know I didn't pay for that material from a different source and just
    duplicated the material by sharing?

    It is very hard to prove that an individual did a particular thing with a
    computer. Computers just don't track the information carefully enough.

    How do you know that your victim and not someone else made the copy?

    Actually, do you know that the material is actually on the victim's computer as
    the result of the sharing? Some visitor can download to a memory stick and walk
    away with the downloaded copy.

    Paying an ISP for an internet connection doesn't mean you know who is using it.
    If you have a Wireless setup anyone within range can use your connection. Even
    if you don't have wireless, anyone in your household both residents and guests
    can access the computer.

    If you have a laptop that you use on multiple networks and maybe share with
    friends it is even more difficult to pin down who did what to the system.

    People break into computers and take over operation. These Bots can do pretty
    much whatever the controller of the bot wants. How do you know that the system
    was not compromised at the time of the download?

    How do you prove that people that buy software online from your partners are using
    what they bought? How many years do you maintain records?


    There is a matter of fairness. Sharing is part of our culture. We are taught
    from an early age that sharing is good. You can buy a song for $1.00 at a RIAA
    partner on-line store. You can "share" a $1.00USD song and it's worth 5
    years in federal prison, a criminal record and a $750.00-100,000.00 fine. You steal
    the CD from a store and it's shoplifting.

    You can listen to the song for free on the radio at no risk. You can load your
    1.00USD song into your MP3 player and loan the player to a friend. However, if
    you copy the song for your friend you are a federal criminal that hasn't been
    caught yet.

    How do you avoid becoming a victim of the RIAA? It's not easy. If you have a
    computer connected to the internet make sure it is very secure. You may go to
    Linux for added security. Use strong passwords and don't ever let anyone use it.
    Second, don't have music around that you can't prove ownership of. Never have
    music on a computer. It's just too dangerous.

    I don't personally buy and download music or video because over time I lose my
    receipts and I can't prove that I bought it. I don't buy music from music stores
    for much the same reasons. Just because I have a CD doesn't mean I have a license
    to listen to it. I have some 30 years of purchased records and many old CDs for
    which I have lost the purchase receipts. That doesn't even count the music that has
    been given to me over the years. There is no hope of proving that a 5 year old
    downloaded song is paid for.

    When the RIAA and MPAA give up this piracy campaign I may start buying music and
    video again. When I feel it is safe to do so.

    In the meantime there are concerts, movies, theater, radio, tv, rented DVDs and
    the music and video collection at the public library. I am well entertained.


    Another Lawyer Would Like to Pick Your Brain, Please
    Authored by: Anonymous on Friday, December 29 2006 @ 09:50 PM EST
    Everything rests upon the Verizon records. Can Verizon prove that the records
    are accurate?

    Questions to ask:

    Has Verizon's billing & IP recording software ever had errors in it? (The
    answer is yes: there has not yet been software written without bugs.)

    Has Verizon ever charged customers based on records that could have been
    incorrect? (The answer is yes. If you have records that are not provably
    correct, and you charge people...)

    Could the Verizon records regarding this be incorrect?

    Has RIAA proved the correctness of the records? (Ans - No, since they haven't
    investigated the Verizon recording software.)

    (What's the level of proof required? Balance of probabilities or beyond
    reasonable doubt?)

    Ask for a copy of the billing and IP recording software, both binaries and
    source code, and test data, to verify it. (It's unreasonable to convict someone
    on evidence that they lack tools to challenge.) Ask for evidence that it is
    exactly this version of the software that was in use. You are looking for
    matching MD5 checksum fingerprints, verified by an independent expert to be
    sure.

    Repeat this with the software RIAA use.

    Now submit both software for testing and bug checking. Your expert may be able
    to find bugs.

    Is a Verizon record alone enough to prove that the defendant had a computer
    connected? (Ans: No. You require some non-reproducible item introduced by RIAA
    onto a computer, to be present when the computer is later independently
    examined.)

    Ask him how you would be able to prove irrefutably that a file had originated
    on the defendant's computer. (To do this you would need to uniquely identify a
    computer - GUID might be good enough - and the file would need to be
    watermarked, in a non-reproducible way, with this information. This is not the
    case here.) Ask whether the files are uniquely identified, and if so, how. (Ans:
    [Check this] Kazaa does not uniquely identify files.)

    Given that there is doubt that the defendant had a computer attached to the
    internet, and given that the file is not uniquely identified, is there some
    doubt that the file originated on the defendant's computer?

    These questions should introduce reasonable doubt.



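    Two passages in this thread turn on the difference between a name and the bytes behind it: the comment quoting the Dutch decision notes that a file list cannot show whether a "song" was a MediaDecoy file without examining its content, and the post above asks for checksum fingerprints to prove which software version was actually in use. The block below is an added example, not code from the page, the posters or any party to the case. It fingerprints content with hashlib, classifies each collected item against a manifest as a match, a mismatch (same name, different bytes) or unlisted, and checks a binary against a recorded checksum. The file names, contents and the recorded checksum are all constructed.

```python
"""Identify files by content digest rather than by name or version label.

Added example, not from the page. REFERENCE, COLLECTED and the recorded
checksum are constructed; no real track or program binary is involved.
"""
import hashlib


def fingerprint(data: bytes, algo: str = "sha256") -> str:
    """Hex digest of `data`; `algo` is any name hashlib accepts (md5, sha1, sha256)."""
    return hashlib.new(algo, data).hexdigest()


def classify_by_content(files, manifest, algo="sha256"):
    """files: {name: bytes} as collected; manifest: {name: expected digest}.

    Returns {name: 'match' | 'mismatch' | 'unlisted'}. A 'mismatch' means the
    name is on the manifest but the bytes are not the referenced content (a
    decoy, a different recording, a truncated download); the name alone
    proves nothing about what the file is.
    """
    result = {}
    for name, data in files.items():
        expected = manifest.get(name)
        if expected is None:
            result[name] = "unlisted"
        elif fingerprint(data, algo) == expected:
            result[name] = "match"
        else:
            result[name] = "mismatch"
    return result


# Constructed reference content for two track names; the manifest is what a
# rights holder would have to supply to say "this digest is our recording".
REFERENCE = {
    "track01.mp3": b"constructed reference audio bytes for track 1",
    "track02.mp3": b"constructed reference audio bytes for track 2",
}
MANIFEST = {name: fingerprint(data) for name, data in REFERENCE.items()}

# What was actually collected: a genuine copy, a decoy carrying a listed
# name with different bytes, and a file nobody has a reference for.
COLLECTED = {
    "track01.mp3": REFERENCE["track01.mp3"],
    "track02.mp3": b"constructed decoy: the name matches, the content does not",
    "track03.mp3": b"constructed unknown file",
}

# Constructed stand-in for the checksum recorded for the software build said
# to have been in use; MD5 is used only because that is what was recorded.
RECORDED_BUILD_MD5 = fingerprint(b"constructed program binary v1", "md5")


def build_matches_record(binary: bytes) -> bool:
    """True iff `binary` has exactly the checksum recorded for the claimed version."""
    return fingerprint(binary, "md5") == RECORDED_BUILD_MD5


if __name__ == "__main__":
    for name, verdict in classify_by_content(COLLECTED, MANIFEST).items():
        print(f"{name}: {verdict}")
    print("v1 binary matches record:", build_matches_record(b"constructed program binary v1"))
    print("v2 binary matches record:", build_matches_record(b"constructed program binary v2"))
```

    Matching a checksum shows the bytes are the ones that were recorded, nothing more; for new records SHA-256 is the sensible choice, since MD5 collisions can be constructed deliberately, but an existing MD5 fingerprint is still what has to be compared against when that is all the record holds.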

    I really don't get it.
    Authored by: Icicle Spider on Friday, December 29 2006 @ 10:06 PM EST
    Dr. Jacobson in his deposition concludes:
    The hard drive that was provided and that I inspected, showed little usage at all, as evidenced by the lack of user created files and e-mails, and did not reveal the evidence noted above, which I believe the correct hard drive would certainly have shown.
    Case closed, no?


    Random thoughts
    Authored by: sk43 on Friday, December 29 2006 @ 10:07 PM EST
    Just for fun, I'll poke at the curriculum vitae, since that is likely a bit
    unfamiliar to most readers here.

    His curriculum vitae is 26 pages long, which means it is padded with fluff, even
    without reading it. Such fluff is not necessarily bad - I know some extremely
    distinguished people who do the same - but it means one must trim away the fluff
    to find the true merits of the person.

    He has spent his entire academic career (undergraduate to Associate professor)
    at one institution. In my experience this type of total "inbreeding"
    is unusual, and when it occurs, it is detrimental both to the individual and to
    the institution. Not always bad, but it raises a "red flag".

    He appears to be very successful at raising funding (~$5 million). I would like
    to be responsible for as little as he is.

    What is his connection to "MS & ME non-thesis degree Graduate
    Students"? I can't recall ever seeing such a list on a CV before. Fluff.

    He is first author or primary co-author of only 5 refereed publications, the
    last of which appeared 16 years ago. Ouch!!! I have postdocs with more
    substantial credentials.

    In his declaration, he states "I also have an appointment with the Iowa
    State University police department, where I aid in computer forensics". OK,
    this appointment is with the ISU Campus Patrol. He says nothing about what he
    has accomplished in this position. It's worth asking about.

    His expertise is in networking. Nevertheless, on p. 4 of his deposition, he
    offers an opinion about data recovered from a hard drive. Furthermore he states
    "A forensic inspection of a computer hard drive ...". What is his
    expertise and/or experience in forensic inspection of computer hard drives?


    No evidence on HD...
    Authored by: Willu on Friday, December 29 2006 @ 10:19 PM EST
    Hi,

    Like some others here, I think that arguing the "not 100% certain"
    parts is tricky. The fact that it is possible to fake screenshots doesn't make
    such fakery likely - especially when someone will testify that they weren't
    faked. I still think you should push on a) finding out as much about
    MediaSentry as possible, and b) get an admission that it isn't 100% foolproof.
    (e.g. Can the witness guarantee that MediaSentry has no bugs? Are they even
    willing to quantify how many bugs it might have and the severity of those bugs?)
    I just don't think they're likely to help you too much.

    I'm also going to assume your client is innocent, and that she's not trying to
    cover things up.

    The Verizon logs show that the person logged in had a particular IP. Some
    ISPs assign IPs by ID/password, and some by physical line - you need to check
    what Verizon was using in that area. Is there any evidence that the
    infringement wasn't some third party with a stolen ISP password? i.e. The logs
    may have tied the infringement to the Verizon account. Can they tie it back to
    a particular phone line (for DSL), or cable segment (for cable modem)? If
    not, how can they tie it back to a particular computer? If you have someone
    else's DSL/Cable password, is it possible to log in as them and so obtain a
    dynamic IP address as them without using a router or even being in the same
    building? (Note, this behaviour would knock your client's connection out while
    her account is being borrowed, but if she didn't use her connection she wouldn't
    notice.) Does Verizon have any log of the modem ID (not sure about this, but
    there may be one, and if it is different from your client's modem then you've
    shown it was someone borrowing the account).

    The HD being 'clean' is interesting. This suggests that either the Verizon
    account was being 'borrowed' and a different computer used, or that the computer
    was re-formatted after use. So one question is: was there evidence that the
    drive was re-formatted after the sharing took place? Or the inverse question -
    was there evidence that the drive had NOT been re-formatted since the file
    sharing took place? (or can you find such evidence or testify that it wasn't.)
    I'm going to assume that someone can testify that it was your client's actual
    HD. If the drive hadn't been re-formatted, then the Verizon account must have
    been stolen/borrowed, or the logs were otherwise incorrect. If the drive had
    been re-formatted since the alleged infringement then things are trickier for
    your client - you're now in the position of trying to prove a negative. You
    could fall back on the 'my machine was hacked and I re-formatted it to clean it
    up' defence. That is a good question to ask the security expert: "If a
    machine is hacked, is re-formatting and re-installing a common way of recovering
    the machine?".

    If another computer had been used, then all your client is guilty of is having
    her password stolen. How responsible she is for behaviour that took place with
    a stolen (or lent) password is a legal question I'm not qualified to answer.

    It is also a little strange that the Kazaa account was for jrlindor and the
    defendant is M Lindor. Does that bit of evidence point at a family member...
    say a son who brought over his computer, unplugged his mom's and plugged his own
    in? Although Gustave doesn't begin with j either. Are there multiple Lindors
    in the area? Is it possible that Verizon got their logs confused?

    Assuming that jrlindor was someone not related to Marie, are there any logs
    from Kazaa showing what IP addresses jrlindor logged in from apart from ones
    linked to Marie? Where do they lead? Does UMG have any MediaSentry logs of
    jrlindor sharing files from an address that doesn't point to Marie? (i.e. if
    you can track down jrlindor then you have a way to show mlindor innocent.) Does
    Kazaa have any contact information for jrlindor? Where does that lead?

    Be well,

    Will :-}


    Another Lawyer Would Like to Pick Your Brain, Please
    Authored by: Anonymous on Friday, December 29 2006 @ 10:41 PM EST
    1. Logs are only useful to the person who owns (or manages) the hardware that
    created the logs. No administrator can do anything but guess
    about logs that didn't come from their machine. This is because the activity
    displayed in a log (or not displayed in a log) is highly subject to the device
    making the log in the first place; as an analog: who can say what happened on a
    particular day just by looking at a single page in someone's diary?

    2. IP Addresses aren't as unique as the affidavit suggests. For example, there
    are literally millions of hosts having addresses in the
    192.168/16 range- a range of addresses where there only could be 65,535 possible
    hosts. I guarantee there is overlap. Apple computer corp. used a set of
    addresses already used on the Internet for the longest time and simply resorted
    to address translation to delay renumbering. It's better to say two hosts can't
    talk to each other if they have the same IP address, which
    I'm sure you'll agree isn't the same thing at all.

    3. There is nothing about an IP address that says what kind of equipment the IP
    address was assigned to. An IP address has a lot more in common with a
    name tag on a person at a party than it does with a
    street address on someone's home. IP addresses move, and
    change, and get swapped all the time. Moreover, the name tag doesn't say
    anything about what color shirt someone is wearing.

    4. Hard drives do not get cleaned. Almost every single hard drive has a feature
    called SMART which is a counter that says how many revolutions the disk has
    before it is likely to fail. This is the only effective way of determining
    conclusively if a disk had data on it or not (using the disk
    itself) - but doesn't appear to now.

    5. Experts don't say they are. The only person who should testify is Verizon,
    and all they can state (certainly) is that her account was used to do this
    downloading. Nobody else can state this except Verizon, and
    nobody can state any better with any certainty.


    Lamblaw
    Authored by: Anonymous on Friday, December 29 2006 @ 10:55 PM EST
    He might try asking Lewis A. Mettler who is a lawyer and knows quite a bit about
    computers and such.


    IP address spoofing
    Authored by: Bill The Cat on Friday, December 29 2006 @ 11:50 PM EST
    I own a web site that gets attacks all the time and they almost all indicate
    they are from a European country. The giveaway is that the referrer and the
    URL added script indicate that everything is in Russia. I started performing
    traceroutes whenever an IP came in to see where it really was and, whenever
    possible, I tried to capture the MAC address of the network card of the
    originating host (not really usable to determine location). The bottom line is
    that IP address spoofing is common and popular. How is it being proven that the
    IP address logged was actually on the computer being identified?

    Hard Drive recovery is a very specialized field and there are specialists that
    do only this kind of work. If I wanted forensic evidence regarding a hard drive
    and contents/previous contents and recovery methods, I would contact DriveSavers
    or some similar professional to perform independent 3rd party analysis. The
    companies that do this kind of work are Very Good at what they do.

    In today's environment of hacking, spoofing and computer crimes, I wouldn't
    accept that what appears to be obvious is really the truth without first doing
    additional work. Just because a drive appears to be empty and a network address
    appears to be used doesn't mean it is necessarily so. The drive could be well
    used and the IP address may be a phoney.


    ---
    Bill The Cat


    Another Lawyer Would Like to Pick Your Brain, Please
    Authored by: hAckz0r on Saturday, December 30 2006 @ 12:07 AM EST
    Mr Jacobson states that there are just two ways to allocate an IP address; however, that leaves out yet another layer of complexity which can easily be exploited by anyone who wants to keep their true identity a secret. Hint: anyone sharing on p2p that does not want to be caught might do this! One can use an easily obtainable utility to change their own network card's Ethernet/MAC address to some other person's unique value (e.g. Ms Lindor) that is configured for that ISP's subnet, and then when the local DHCP server assigns the IP address the DHCP logs will show not the hacker logging on but the person whose address is being exploited. If Ms Lindor is not logged on at the time this will work, and if she was rarely logged in then the probability of the hacker being successful is greatly improved. All the hacker needs is to snoop the network, record the Ethernet addresses seen for a while, and then use one that is currently not online, and he will be assigned that person's IP address.

    Another thing not mentioned by Mr Jacobson is that the IP address assigned is very likely to be different each time Ms Lindor were to log in to the network. DHCP has a timeout where the address is merely “leased” for a while and the address can actually change from time to time. This means the network logs can show her logging in at one point and the program can show the IP address being used to share copyrighted materials, but unless they can prove that the DHCP lease had not expired in that interim then they have no case. The lease can last just hours, or weeks. Someone else could have been reassigned that same address at a later point. Why does this happen? Because the ISPs do not want you running servers on your home computer like a business, and if they make your IP address keep changing out from under you then connections for downloading things go to somewhere else, and you wind up paying more money for a business class “fixed/static IP address”. This kind of policy can significantly increase the ISP's profit margin if they can force you to pay for keeping the same address. Ask the ISP how they do it; this could be important!

    If Ms Lindor left her machine online for any period of time, or even left it turned on, then it was likely connected to the Internet even if she were not using it. If she did not have the automatic updates for OS patches turned on then she was most likely running with several bots installed on her machine with other people controlling it from afar. Many hackers seek out machines to install file sharing programs with the intent of doing copyright infringement, and the owner will never know other than the disk making noise or the network or computer seeming slow. I have heard that when installing a brand new Windows XP OS from the CD it will take up to several hours of patch downloads and several reboots to complete their installations; however, the average time for the machine to be taken by a hacker is in the statistical order of only five or so minutes! By the time you are patched your machine is already toast. If she did not have a firewall enabled then other people were likely using her machine for their own purposes. BTW – Kazaa is not the only application that uses the FastTrack p2p protocol. Once a hacker has your machine it's easy to remotely install a non-Kazaa p2p server application and run it using a back door without the owner knowing it.

    Kazaa/FastTrack uses encryption over the Internet. The best that Mr Jacobson could do is to see that connections were made to and from an IP address or get a listing of the contents. He cannot tell what data flowed between two other nodes on the network. Only if Dr Jacobson downloaded copyrighted materials (yes, actually breaking the law) and checked the files' MD5 or SHA-1 values of the downloaded materials against a database for copyrighted materials is there proof that someone's machine had that data available, but whose? Again, addresses can change. If the files were not physically found on the disk drive then they still need proof that they were on that machine sometime before. If you erase files on a Windows system the data does not disappear so quickly and can still be recovered by any competent computer forensic expert. If the disk was wiped with a military grade utility then you can prove that statistically by looking at the empty space on the disk. If they did not do any of that then they did not do their homework and still have no case. They still need proof, not conjecture or hypotheses.

    I could go on, but I have rambled enough and its getting late. Feel free to contact me off line if you would like more discussion on any of this, or have any other questions I can help with.

    ---
    DRM - As a "solution", it solves the wrong problem; as a technology it's technically infeasible.

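    hAckz0r's point about lease expiry is a question a log analyst can actually answer once the DHCP server's own events are in hand: which client, if any, held the address at the moment the observation was made. The block below is an added example, not the poster's code nor any ISP's software. It assumes a simplified, constructed CSV event format (time, ACK or RELEASE, IP, MAC, lease seconds) rather than any real server's log syntax, rebuilds lease intervals from grants, renewals, releases and reassignments, and returns the holder at a given time or None when no lease was in force. Whether the MAC in a lease record is genuinely the subscriber's hardware is the separate question the post's first paragraph raises; this code only answers "who held the lease".

```python
"""Which client held a dynamic IP address at a given moment, from DHCP events.

Added example, not from the page. EVENTS is a constructed log in a simple
CSV shape (time,event,ip,mac,lease_seconds); real servers log in their own
formats and a real analysis would parse those instead.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

EVENTS = """\
2006-12-19T08:00:00,ACK,10.0.0.5,00:11:22:33:44:55,3600
2006-12-19T08:30:00,RELEASE,10.0.0.5,00:11:22:33:44:55,0
2006-12-19T10:00:00,ACK,10.0.0.5,aa:bb:cc:dd:ee:ff,3600
2006-12-19T10:30:00,ACK,10.0.0.5,aa:bb:cc:dd:ee:ff,3600
2006-12-19T12:00:00,ACK,10.0.0.5,00:11:22:33:44:55,3600
"""


@dataclass
class Lease:
    ip: str
    mac: str
    start: datetime
    end: datetime  # exclusive; shortened by a release or an early reassignment


def parse_leases(text: str) -> List[Lease]:
    """Rebuild lease intervals from ACK (grant/renewal) and RELEASE events."""
    events = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, kind, ip, mac, secs = line.split(",")
        events.append((datetime.fromisoformat(ts), kind, ip, mac.lower(), int(secs)))
    events.sort(key=lambda e: e[0])

    leases: List[Lease] = []
    current: Dict[str, int] = {}  # ip -> index of the lease most recently granted for it
    for ts, kind, ip, mac, secs in events:
        idx = current.get(ip)
        cur = leases[idx] if idx is not None else None
        if kind == "ACK":
            if cur is not None and cur.mac == mac and cur.end >= ts:
                cur.end = ts + timedelta(seconds=secs)  # renewal by the same client extends
            else:
                if cur is not None and cur.end > ts:
                    cur.end = ts  # server handed the address to someone else early
                leases.append(Lease(ip, mac, ts, ts + timedelta(seconds=secs)))
                current[ip] = len(leases) - 1
        elif kind == "RELEASE" and cur is not None and cur.mac == mac and cur.end > ts:
            cur.end = ts  # client gave the address back before expiry
    return leases


def holder_at(leases: List[Lease], ip: str, when: str) -> Optional[Lease]:
    """The lease in force for `ip` at ISO time `when`, or None if the address
    was unleased (expired or released) or, defensively, if the records overlap."""
    t = datetime.fromisoformat(when)
    hits = [l for l in leases if l.ip == ip and l.start <= t < l.end]
    return hits[0] if len(hits) == 1 else None


if __name__ == "__main__":
    leases = parse_leases(EVENTS)
    for l in leases:
        print(f"{l.ip} -> {l.mac} from {l.start.isoformat()} until {l.end.isoformat()}")
    for when in ("2006-12-19T08:15:00", "2006-12-19T09:30:00",
                 "2006-12-19T11:15:00", "2006-12-19T11:45:00"):
        hit = holder_at(leases, "10.0.0.5", when)
        print(when, "->", hit.mac if hit else "no lease in force")
```

    The 11:15 and 11:45 lookups are the two sides of the poster's point: the 10:30 renewal carries the second client's lease to 11:30, so an observation at 11:15 is covered, while one at 11:45 falls in a gap that no subscriber record explains.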

    Another Lawyer Would Like to Pick Your Brain, Please
    Authored by: Anonymous on Saturday, December 30 2006 @ 01:08 AM EST
    Document 114. Paragraph 5 contradicts Paragraph 6.

    He's attempting to use information (registry entries) from the hard drive in
    Paragraph 5 to prove the computer was directly internet connected. In Paragraph
    6, he says it's not the same hard drive that shared files.


    Another Lawyer Would Like to Pick Your Brain, Please
    Authored by: rjh on Saturday, December 30 2006 @ 01:34 AM EST
    Not a lawyer, but it seems that discovery would be less than thorough without
    requesting and receiving the source code for MediaSentry and any other software
    that has been relied upon to gather "evidence" for the RIAA's
    investigation.

    I've read that some jurisdictions throw out DUI charges if there is a request
    for breathalyzer source code, because the manufacturers consider it a trade
    secret and won't provide it. This case might offer a similar offensive defence
    opportunity.

    ---
    Stop the car! My head just blew out the window!

    [ Reply to This | # ]

    The good Dr. is not an expert
    Authored by: Anonymous on Saturday, December 30 2006 @ 02:39 AM EST
    This is my opinion, based upon thirty years in the telecommunication industry,
    including participation in the IETF, NIST, ANSI/ ISO/IEC, CCITT, ACM and IEEE.

    While the good Dr. may know something about Computer and or Network
    Security, he is not qualified to testify in this area for the reason listed
    below.

    First, he is not a Professional Engineer!

    Second he has no association with the IEEE and or ABET.

    Third, he is not an electrical or electronic engineer.

    Fourth, he is not a communications engineer or telecommunications engineer,
    and has no record of design, testing, or deployment of any telecommunications
    systems or equipment.

    Fifth, no employment history in the telecommunications industry or
    telecommunications equipment / services provider.

    His reliance on an IP address is simply bad science at best, or intentional
    fraud at worst. He has made statements not supportable by science or
    practice.

    Sixth, no mention of work with NSA, DOD, or NIST.

    I haven't found a single article published by the good Dr. in the following
    association journals IEEE, ITU, IEC, ISO, ANSI, NIST.

    As best as I can ascertain, the good Dr. has never been involved at either the
    national or the international level in any telecommunications standard setting
    activity.

    My very first question of the good Dr. would be, "Dr. -----, would you please
    explain your formal and informal telecommunication training and
    experience?"

    My second question would be, "Dr. ----, can you tell if and when you became
    a member of the IEEE?"

    My third question would be, "Dr. ----, can you tell what work experience you
    have in telecommunication equipment / services?"

    Then I would move to have the good Dr.'s evidence struck from the record as he is
    not qualified to testify in this area.

    One last comment ---

    This is to PJ --- I'm reluctant to describe the science and details of what is
    wrong with the good Dr.'s evidence, as this can be used as a how-to manual
    for those who don't "need to know"! Is there an email address where we can
    send report outlines, and how much time before reports need to be
    submitted?

    [ Reply to This | # ]

    Another Lawyer Would Like to Pick Your Brain, Please
    Authored by: Wesley_Parish on Saturday, December 30 2006 @ 03:52 AM EST

    Firstly, I don't have any brains, so picking them is likely to be not a very fruitful exercise.

    Secondly, there are some very strict guidelines in the average Law of Evidence that I strongly suspect the RIAA is blithely trampling under foot.

    Thirdly, insofar as we can talk about a science of law, we connect the practice of law to the practice of the natural sciences, and they are nothing if not strict in their requirements of reproducibility in experiments and data gathering, so that they can be reproduced. Indeed, insofar as computer science is a natural science, it also abides by those strict requirements of reproducibility. Your local friendly philosopher of science should be more informative in that respect.

    Thus, if the RIAA is refusing to divulge its methods of acquiring data,

    It should therefore come as no surprise that in the United States, more particularly in UMG v. Lindor, in Brooklyn federal court, the RIAA is trying to prevent disclosure of the "instructions", "parameters", and "processes" of MediaSentry's investigation.
    my natural assumption is that the RIAA is attempting to gain legal acquiescence in the RIAA's public contempt of court.

    Precisely why this contempt of court should be tolerated by judge and jury, I am at a loss to imagine.

    Have fun!

    ---
    finagement: The Vampire's veins and Pacific torturers stretching back through his own season. Well, cutting like a child on one of these states of view, I duck

    [ Reply to This | # ]

    Tick tock timers!
    Authored by: Peter Baker on Saturday, December 30 2006 @ 04:40 AM EST
    Actually, having worked on sync issues across large networks, another thought
    just struck me (ouch :-).

    Three conditions MUST be met before the log of the IP address has any value:

    1. Verizon's servers must use time synchronisation (an absolute /must/ to follow
    an event chain, usually done with NTP which also calibrates the system clock).
    The problem is that (AFAIK) (x)ntp doesn't produce a continuous log unless
    specifically set up to do so (it normally only logs on bootup) so even if (x)ntp
    is running it may be hard to prove that it was running at the time the logs were
    obtained other than by getting a statement of server build and bootup/service
    configuration. That would not PROVE time was accurate but make the assumption
    that it was accurate more acceptable.

    2. The home computer must also use some form of time sync. However, few Windows
    home users know the possibility even exists (and/or how to use it), in Linux
    distros I've seen NTP setups appear (now using the 'pool.ntp.org' NTP server
    approach as a way to distribute load). How accurate was the system time? Did
    anyone check when gathering evidence?

    3. The DHCP lease was valid at the time the IP address was logged. If it
    wasn't, the lease had expired and one cannot assure the machine was actually
    online at the time. In effect, the IP address would not be conclusive, and the
    end user identification by means of IP address would thus be impaired.

    However, caveat: if you have a home system log of at least 3 different IP
    addresses that match Verizon's record you can work out with a degree of
    certainty how accurate the logs are. But not just from a single instance, and
    it would merely reduce the uncertainty, not remove it altogether.


    ---

    = PB =

    "Only a man can suffer ignorance and smile" - Sting
    (Englishman in New York)

    [ Reply to This | # ]
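
Added example (my code, not the poster's and not anything from the case): the three conditions above turned into a check an analyst could run against an ISP lease log, widening the observation by the clock uncertainty and refusing to attribute an address when the lease had expired or changed hands inside that window. All addresses, accounts and timestamps are constructed.

```python
"""Attribute an observed IP address to an account from a lease log, honouring
clock uncertainty and lease validity. Added example for the comment above; the
lease log, accounts, addresses and observation time are all constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Lease:
    ip: str
    account: str
    start: datetime  # lease start, UTC
    end: datetime    # lease expiry or release, UTC; the lease covers [start, end)


def parse_lease_log(text: str) -> list:
    """Parse a constructed CSV lease log: ip, account, start, end (ISO 8601 with offset)."""
    leases = []
    for line in text.strip().splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ip, account, start, end = (field.strip() for field in line.split(","))
        leases.append(Lease(ip, account,
                            datetime.fromisoformat(start).astimezone(timezone.utc),
                            datetime.fromisoformat(end).astimezone(timezone.utc)))
    return leases


def attribute_ip(leases, ip, observed, clock_uncertainty=timedelta(0)):
    """Decide whether the log ties one observation of `ip` at `observed` to one account.

    Neither the observer's nor the ISP's clock is assumed synchronised (conditions
    1 and 2), so the observation is widened to [observed - u, observed + u].
    Returns (verdict, sorted account names):
      'conclusive' - one account's lease(s) cover the whole window
      'ambiguous'  - leases of more than one account overlap the window, or the
                     covering lease(s) do not span all of it
      'no_lease'   - no lease for the address was valid anywhere in the window
                     (condition 3: lease expired, machine need not have been online)
    """
    lo, hi = observed - clock_uncertainty, observed + clock_uncertainty
    overlapping = sorted((l for l in leases if l.ip == ip and l.start <= hi and l.end > lo),
                         key=lambda l: l.start)
    accounts = sorted({l.account for l in overlapping})
    if not overlapping:
        return "no_lease", accounts
    if len(accounts) == 1:
        covered_until = lo
        for lease in overlapping:
            if lease.start > covered_until:
                break  # gap in coverage inside the window
            covered_until = max(covered_until, lease.end)
        if covered_until > hi:
            return "conclusive", accounts
    return "ambiguous", accounts


# Constructed ISP lease log (documentation-range addresses, made-up accounts):
# the same address passes from acct-A to acct-B at 10:10 UTC.
LEASE_LOG = """
# ip, account, start, end
192.0.2.17, acct-A, 2004-08-07T04:00:00+00:00, 2004-08-07T10:10:00+00:00
192.0.2.17, acct-B, 2004-08-07T10:10:00+00:00, 2004-08-07T18:00:00+00:00
192.0.2.18, acct-C, 2004-08-07T00:00:00+00:00, 2004-08-08T00:00:00+00:00
"""

# Constructed observation: an investigator's log says 192.0.2.17 offered files
# at 10:12:45 UTC, under three minutes after the address changed hands.
OBSERVED = datetime(2004, 8, 7, 10, 12, 45, tzinfo=timezone.utc)


def demo() -> dict:
    leases = parse_lease_log(LEASE_LOG)
    return {
        "clocks assumed exact": attribute_ip(leases, "192.0.2.17", OBSERVED),
        "5 min clock uncertainty": attribute_ip(leases, "192.0.2.17", OBSERVED,
                                                timedelta(minutes=5)),
        "observed after lease expiry": attribute_ip(leases, "192.0.2.17",
                                                    OBSERVED + timedelta(hours=10)),
    }


if __name__ == "__main__":
    for case, (verdict, accounts) in demo().items():
        print(f"{case}: {verdict} {accounts}")
```

With the clocks assumed exact the log names one account; allow five minutes of skew and the same observation fits two accounts, which is the poster's point that a single instance reduces uncertainty but does not remove it.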

    Non Technical Summary
    Authored by: davcefai on Saturday, December 30 2006 @ 06:02 AM EST
    Looking at this case as something to be presented to a mostly non-technical
    committee I would first summarise the case along these lines:

    1. The RIAA claim that the defendant illegally shared copyrighted files to which
    they hold the copyright.

    2. The RIAA have not identified the files in question or demonstrated that they
    do own the copyright.

    3. The only possibly significant evidence presented is in the form of logs from
    MediaSentry.

    4. The RIAA have refused to present evidence regarding the method used to
    generate these logs.

    5. No evidence to show that the files were indeed present on the defendant's
    computer has been presented. On the other hand the plaintiff's expert witness
    has categorically stated that he found no infringing files on the Hard Disc he
    was requested to examine.


    Frankly I think that this is enough to blow the case out of the water without
    confusing the judge!

    [ Reply to This | # ]

    Was this the only machine that the IP add. was assigned to?
    Authored by: Anonymous on Saturday, December 30 2006 @ 06:07 AM EST
    The lightly used machine and the wrong HDD give us the answer. NO: when the
    lease for a machine expires the router will assign the IP to another. Will there
    be a record of the IP on the first machine? YES. Does that prove anything? NO.

    [ Reply to This | # ]

    Someone might have mentioned - but a true story is this... It all depends on what is, is...!
    Authored by: Anonymous on Saturday, December 30 2006 @ 06:32 AM EST
    What is... COMPUTER SECURITY anyway?  All questions of guilt on a computer can be looked at from this point of view.

    ----  Someone above might have mentioned something like what is written below, so if so this might be redundant, but a true story is this...

    Here is a story of a friend of mine that is an extreme techie that for free fixes other friends Windows computers all the time...

    One day when I was hanging out at this fellow's house, this other friend of his brings by his computer and says that it is very slow and that he leaves it on all the time online (Cable or DSL) and that he comes home from work and sometimes finds that it is rebooted (all by itself).

    Upon examination of the computer a Trojan and other files were found deep in the system in areas that the average computer user NEVER goes to (not the Documents or Music folder).  There was a backdoor put in and the computer was being used as a server for video files... the name of the computer on this backdoor network (if you will) was "video_(profanity redacted due to PJ's policy on bad language)".  The innocent user was clueless.

    I have seen the same situation at a relative I know of where their kids computer was being used in a similar way!

    With the security of Windows, and the fact that computer security is an oxymoron (see:

    Are yo u aware of experts say that computer security is an oxymoron (here is who says this)?

     Authored by: Anonymous on Friday, July 28 2006 @ 08:40 AM EDT)

     ...one can only conclude that any system can be taken hostage and the RIAA's methods of accusing folks of doing something do not take into account that even if certain files exist on a computer, or are identified as being shared, the question remains if the actual computer owner or user of ANY COMPUTER CONNECTED TO THE INTERNET AT ALL can be found to be guilty beyond a shadow of a doubt of illegal copyright sharing activity, as it is not beyond the reality of computer science imaginations to see where it can be easily proven in a courtroom demonstration, in front of a jury or a judge, that a trojan remote control program could easily, without the user or computer owner's knowledge, set up a computer on any internet sharing network that you can also imagine (and there is more than one) and the average computer user on a high speed connection (or even dial up, as a long time ago I once tracked a remote control session being created live, by someone else on the internet that I did not know, on a computer over a dial up connection where a RAM drive was created in RAM and the idea was that this "cracker" would most likely then run programs remotely to do other stuff on this computer, all from those files that were created on the new drive)... anyway, the moral of the story is this: NO WAY would any user be able to know this was happening and in fact there is a good chance that the anti virus software and any intrusion detection software that an average user would be using would not have a clue that the computer is set up in such a way, and the person (or computer) that is controlling the other computer from afar could, if they wanted to be a real joker, then remove all traces of the trojan on the host system and just leave it set up to do its thing in the sharing mode to whoever they wanted it to share with (again without any way to detect or know of the fact that the system had at one time been controlled from afar by a remote user that did not have the computer owner's permission to be using that computer)!

    In the case described... then why is this person not innocent until proven guilty... and the RIAA cannot ever prove that the WINDOWS system was NOT a Trojan invaded computer and that the user or owner NEVER knew it, it just cannot be proven.

    The CIA can not even be confident with any computer hooked to the internet that it can not be compromised!
    Read this and the following comments in the string that are important as well:
    I read an article about the CIA & we have done the same for years too.
    Authored by: Anonymous on Tuesday, August 22 2006 @ 01:23 PM EDT

    With all this in mind... if you had someone who was an expert in computer security on the stand (for any operating system that exists) you really cannot "BEYOND a SHADOW OF A DOUBT" for the average user's system that is hooked up via DSL or Cable high speed internet, say that the system was not compromised and that the system was not at one time controlled from another computer somewhere else on the internet.  And without being in the room and witnessing that actual person setting up the computer for illegal file sharing, also keeping in mind that even  WITH such a witness (that would have to be there 100% of the time to also testify that in the next minute that the person felt guilty and ceased the activity), that you can't prove the level of guilt that the RIAA is charging the average user of...!  Just ask the CIA if a computer connected to the internet can be secured!  Or ask the NSA!  As if the CIA could protect a system they would see no need to have 2 networks running (one inside that is not connected to the internet, and one that can be connected to the internet)!

    I have not read one article by any security expert that says that any computer system can be secured 100%.   If such a computer system were able to be secured then Microsoft would have bought them up as the higher bidder and you would be seeing non-stop Microsoft ads on every available media outlet to buy ad time on (including bill boards) proclaiming that this level of security is for sale.  

    DRM and other such content security schemes even are not 100% -  so look for the lowest common denominator, and ask yourself if "beyond the shadow of a doubt, or even based on some circumstance situation," can a court prove guilt - without risking the chance that the penalty is being applied to someone who is truly innocent.      The state of the art regarding DNA of computer science and security just is one big gray area... and according to the REAL computer experts - it looks to remain a gray area for the rest of time, period.

    Also read this:  
    Are yo u ready for your patent AUDIT? & that security salesperson who sold security with EULA?
    Authored by: Anonymous on Wednesday, August 23 2006 @ 08:19 AM EDT
    Read all the comments and following comments to understand this as well...!

    [ Reply to This | # ]

    Another Lawyer Would Like to Pick Your Brain, Please
    Authored by: ausage on Saturday, December 30 2006 @ 06:38 AM EST
    First a note about BMG vs Doe in Canada.

    The subpoena request by the music industry requiring 5 ISPs to identify the names and addresses of 29 John / Jane Does was denied for the most part because the only evidence presented, the affidavit of the president of MediaSentry, was classified as hearsay since he did not have any personal first hand knowledge, but rather reported what his employees did. Secondly, the ISPs and the court also doubted the accuracy of the information that could be retrieved from the IP address assignment log files several months after the alleged infringements. I believe that both of these items are relevant to the Lindor case.

    I have the following observations about Dr Jacobson's reports.

    Dr Jacobson's curriculum vitae could be very important. It appears to be very bloated and filled with a great deal of inconsequential detail. It is the first time that I have ever seen an academic curriculum vitae listing the work of students. Looking through the list of "Honors and Awards", none of them are recognizable, and many are questionable (Phi Kappa Phi as an award ??). There is so much trivial data in the document (technical presentations to the Lions Club ??) that it is hard to separate the wheat from the chaff.

    If I were one of the Nazgul and wished to challenge his credibility, I would use this to rattle his cage, referencing papers written by others and forcing him to admit that was not his work, why is he taking credit for papers submitted and never published, why is he inflating himself.. what is he trying to hide.. etc.

    OTOH, I have no doubt that Dr Jacobson does possess some technical expertise and perhaps that can be used to support the Lindor case. From his resume, I get the impression that he needs to make himself more important than he knows he is and if he can be led into believing that this is a case of mistaken IP identity, he may provide the expert testimony to back that conclusion up. Especially after his Dec 19th forensic report.

    In his first affidavit, Dr Jacobson provided what could be called a good simplification for the layman of IP address assignment. I suggest that during the deposition, you stipulate that Ms Lindor's internet account with Verizon was either dial-up or DSL with dynamic address assignment, as the case may be, and then concentrate on the information that is missing from his report.

    What is important in a case of mistaken IP address identity is how the internet address is assigned and how and where the assignment is recorded.

    1) How does Verizon in Brooklyn (location is important as this can vary from one neighborhood to another) assign IP addresses? Is the IP address assigned to a circuit identifier (telephone line), to a MAC (hardware ethernet card) address, or simply to a user account?

    2) How much information about the address assignment does Verizon store in their log files, and is it on the same equipment that assigned the address, or is the information transferred from one piece of equipment to another?

    3) How long is the raw information stored? Is it summarized and stored for longer periods? How accurate is this process?

    4) How accurate is the information in the log files (raw and processed)? Has anyone ever done any analysis for this? Ask him to comment on the quotes from the Canadian ISPs in BMG vs Doe, where they stated that they were uncertain if the information was available and that it would be difficult to obtain and were unsure of the accuracy. Both Rogers and Sympatico are ISPs similar in size to Verizon (i.e. hundreds of thousands of subscribers).

    5) Suggest the possibility that Ms Lindor's account was hijacked by an unknown third party and ask him to list ways that this could happen, given that it is an account that is rarely used. Could someone use her userid and password? Would it be possible to spoof a router? Could someone install a trojan to forward traffic through her computer? What happens if two separate computers use the same userid at the same time? (Many ISPs do NOT detect this condition, i.e. Cogeco and Sympatico in Canada.)

    6) Ask him how an expert would detect if a little used IP address identity was stolen. Did anyone examine this possibility seriously for the Lindor case? Does Verizon have the information to identify if the IP address assigned was actually routed to Ms Lindor's residence? Was this information examined at any time?

    Under the heading "Descriptions of Technologies Involved" he provides a description in layman's terms of the technologies involved. Although his descriptions are quite lengthy, they oversimplify, sometimes misrepresent the truth, and leave out many important details.

    7) What kind of records and logs does Verizon maintain about IP address assignments? How are they generated? By what program running on what equipment? How are they kept? How long are they kept? What information exactly do they contain? How does he know this?

    8) Given the time span between the Media Sentry discovery of the alleged copyright infringement and the request to Verizon to identify her, were the raw data logs available, or was the information Verizon provided based on some form of summary of the raw data? Is the raw data still available for analysis? How does he know this?

    9) In many cable and DSL systems it is often possible to have multiple computers connect to the system, each obtaining a different IP address, simultaneously. (I have personally observed this with Cogeco Cable and Sympatico.ca DSL in Canada.) Is this possible with Ms Lindor's ISP? How does he know this?

    10) Are there any records indicating that Ms Lindor's account was ever used by multiple computers (different MAC addresses, circuit ids, multiple concurrent IP address assignments, etc.)? Was a search done for such records? If not, why not? How does he know this?

    11) Can he testify to the accuracy of the information contained in Verizon's subpoena response?

    12) Does he know how Verizon matched the IP address to the user account? What log files were used? Were they raw or processed data? What data did they contain? The equipment and programs that created them?

    13) Can he describe how a user's computer connects to the internet in Ms. Lindor's location? What equipment is used? Which piece of equipment assigns the IP address? Where is the log record created? If it is not on the same piece of equipment, how does the information get there? How many pieces of equipment are located between the user's computer and the location where the logs are kept?

    14) Is it possible for another person to connect to the Verizon network at Ms Lindor's location using the account assigned to her? What security measures does Verizon have to prevent this from happening?

    15) If, as stated on Groklaw, it is true that the Verizon account was cancelled in July 2004 and the alleged infringement occurred in Aug 2004, how is it that the account was still in use? Is it possible or even likely that some third party (a Verizon employee or contractor) "converted" -- in a legal sense -- the account for their own illicit activities? If this happened, as an expert how would this be detected?

    16) Has anyone examined the records of use of this account -- hours connected and bandwidth consumption -- to determine if the account was hijacked? Would this be possible?

    17) Since the account was cancelled, is it possible that Verizon made a mistake tracing the IP address back to this account? What information would be necessary to detect this? Does that information exist? Has it been checked?

    18) Given that Ms Lindor had an internet account that was basically unused, was this not an ideal account for some third party to "convert" [used in legal sense] to their own use for illicit purposes?

    19) Given that Ms Lindor has submitted her hard drive to examination with the result that no evidence of infringing music files or P2P file sharing software was found, is paragraph 22 of his April 12th declaration, "I will testify that, based on the MediaSentry UserLog, the music found on the Defendant's computer was downloaded from other user on the Internet", incorrect?

    20) Given the previous question, is paragraph 21 of his April 12th declaration, "I will testify based on all the information provided that the computer that had the IP address 141.155.57.198 on 8/7/2004 at 6:12:45 AM EDT was registered to the Defendant and that the said computer was used to distribute copyrighted music" also incorrect?

    21) Does he have first hand, personal knowledge that the information provided by Verizon is correct?

    22) Has he had any communication with the person at Verizon who signed the subpoena response to determine if that person has first hand, personal knowledge of the accuracy of the information it contained?

    23) Does he have first hand, personal knowledge that the information provided by Media Sentry is correct?

    24) Is he aware that courts in Canada and the Netherlands have rejected the investigations of MediaSentry for use as evidence?

    25) Is he aware of the "Independent Experts Reports" of Prof. Sips and Dr. Prowse critiquing the methodology of Media Sentry's "investigative" work? Would not such a report be relevant to his testimony?

    26) Has he had any communication with the individuals who did the investigative work for MediaSentry to verify the accuracy of the information provided to him?

    27) Is it true that the only information he has from personal, first hand experience is that the hard drive from Ms Lindor's computer shows no evidence at all of infringing files or P2P file sharing programs?

    28) Since the facts as he has personally determined contradict his April declaration, does that not mean that the information he based the April declaration on must be flawed, incorrect or incomplete?

    29) Is not the most probable explanation of the facts that some third party used Ms Lindor's account from an unknown location using an unknown computer and that Ms Lindor is innocent of all the allegations against her?

    [ Reply to This | # ]

    Another Lawyer Would Like to Pick Your Brain, Please
    Authored by: Anonymous on Saturday, December 30 2006 @ 06:40 AM EST
    AC

    Waiting for the world to change...

    [ Reply to This | # ]

    Another Lawyer Who sounds like Rumpole For The Defence
    Authored by: talldad on Saturday, December 30 2006 @ 07:36 AM EST
    This man sounds like he could serve it up like IBM's lawyers to SCO - the RIAA
    may wish they had never commenced the action! :-)


    ---
    John Angelico
    Down Under fan &
    OS/2 SIG Co-Ordinator

    [ Reply to This | # ]

    Something missing
    Authored by: Anonymous on Saturday, December 30 2006 @ 07:45 AM EST
    There's something missing here.

    According to the Affidavit and Expert Report (which does
    not contain item (i), Disk drive from defendant's computer)
    he states (item 21):

    I will testify, based on all the information provided that
    the computer that had the IP address of 141.155.57.198 on
    8/7/2004 at 6:12:45 AM EDT was registered to the Defendant
    and that the said computer was used to distribute
    copyrighted music

    So the Plaintiffs have already accepted that it was Marie
    Lindor's computer that was used.

    But then in the Declaration he says that the hard drive
    supplied was not the one that was used.

    So unless Marie Lindor has more than one computer or
    changed her computer or hard drive since 8/7/2004 then this
    would appear to prove that something is wrong with their
    data collection from Media Sentry as the expert witness is
    saying in one report that he's prepared to testify that it
    was Marie Lindor's computer and then in another states
    that it wasn't her computer.

    Tim.

    [ Reply to This | # ]

    "April 2006 boilerplate report"
    Authored by: Simon G Best on Saturday, December 30 2006 @ 08:06 AM EST

    I've just read the "April 2006 boilerplate report" (though I didn't bother reading the CV appendix). There are some things I'd like to say. This is pretty rough, though, as I haven't really spent time digesting it.

    • On page 2, in the item numbered 12, there's the following paragraph:-

      Information is transported through the Internet in small chunks called packets. Each packet traverses the Internet and is reassembled by the destination machine. Each packet contains both the source and destination IP addresses. The source address is analogous to the return address on a letter and the destination IP address is analogous to the send to address on a letter.

      Some questions that came to my mind were:-

      • Can the sender give a fake source address?
      • If the sender gave a fake source address (meaning it would have really come from somewhere else, of course), could the recipient know?
      • How could it know?
      • Could it know where it really came from?
      • If so, how?
    • Also on page 2, in item 12, is the following:-

      Every computer or network device directly connected to the Internet must have a unique IP address. ...

      (Emphasis mine.) Computers (and the like) can be indirectly connected to the internet. For example, my PC is sitting behind a router that does Network Address Translation (NAT). So, my PC is not connected directly to the internet, but indirectly via my router. My router gets assigned an IP address by my ISP, but my PC has its own, private IP address assigned by me (and there are many other things out there with the same IP address). Indirect connectivity may be significant.

    • Page 3, in item 13:-

      This case involves illegal file distribution using peer-to-peer networks. Peer-to-peer networks are a method used to distribute files from a user's computer to other users on the internet. They can also be used to obtain files from other users. Peer-to-peer networks are often used to distribute copyrighted material like songs and movies. In addition, peer-to-peer networks are also used to distribute other file including pornography, child pornography, computer virus, and data files. A more detailed explanation of peer-to-peer network is included below.

      Well, that's just shocking. It's an ignorant, tabloid 'definition' of peer-to-peer networking. It reminds me of dihydrogen monoxide (DHMO).

      Firstly, as I understand it, 'peer-to-peer' is a kind of network topology. It's not specifically to do with so-called 'file-sharing'. The internet itself is an example of a peer-to-peer networked net. Unless I've got it horribly wrong (which I doubt), this is surely really basic stuff for a computer network expert - isn't it?

      Secondly, he's playing word association games - "pornography, child pornography, computer virus, and data files." (Oh, no! Not "data files"!) It's just like DHMO - water made to sound really scary and dangerous, as if it's a chemical that really ought to be banned (or, at least, very tightly regulated). He's parading his bias - blatantly.

      Thirdly, even when it comes to "copyrighted material like songs and movies", that doesn't mean there's any copyright infringement going on. After all, the copyright holders might have given permission for such distribution and redistribution. It might even be the copyright holders themselves who are doing the sharing! (Wasn't there a story recently about the BBC becoming a file-sharer?) Just look at the use of BitTorrent for (legally) distributing software (such as Linux-based operating systems). He's clearly trying to play on others' ignorance. Despicable.

    • Again on page 3, in item 13:-

      ... The users of the peer-to-peer network often think they are anonymous when they distribute files. In reality, they can be identified using the IP address. The IP address of the computer offering the files for distribution can be captured by a user during a search or a file transfer. That IP address can be associated with an organization such as, an ISP, business, college or university which can identify the user by the IP address.

      Firstly, users cannot directly be "identified using the IP address", as it's computers (and the like) that have IP addresses, not users. Users can move from computer to computer, but the computers' IP addresses stay where they are. Different users can use the same computer, without the IP address changing. More information would be needed than just an IP address.

      Secondly, there's also the issue of indirect connections of various kinds. As well as such things as routers that do NAT, there are things called 'proxies' on the internet. There are various kinds of proxies, and the like, for various things - including user anonymity. Add to that the question of fake source IP addresses, and it gets interesting.

    • On page 4, still in item 13:-

      With the decentralized peer-to-peer network, every computer that is part of the network has its own list of files that are offered for distribution, and each computer is connected to a small number of other computers (neighbors). Each neighbor is connected to a small number of computers and so on. When a user wishes to search for a file, a request is sent to each neighbor and each neighbor sends the request to the next neighbor and so on. If a computer gets the request and has a match, it will send a message back to the requester telling them it has the file(s) and providing them with information about the file(s).

      Note that this is going from neighbor to neighbor, not directly from one end to the other. Each 'hop' along that journey involves directly connected neighbors communicating with each other over the internet. The IP packets don't go all the way from one end to the other, but only from one neighbor to a directly connected neighbor. So, the source and destination IP addresses in those packets will only be for directly connected neighbors, not the two nodes at the ends of the whole thing. That gives plenty of opportunities for shenanigans - who knows what the intermediate nodes are really doing?

    • Still on page 4, and still in item 13:-

      Distributing files first requires that the user must put the file into a shared folder. Information about the files within these shared folders is uploaded to the index server and can be downloaded by other users of the KaZaA network. This is analogous to putting a list of copyrighted music you have available in a public place and telling everyone they are welcome to stop by your house and pick up a copy of the song.

      And here's what I wrote in my quick notes:-

      Pedantically correct, perhaps, but it's clearly making it sound illegal. After all, in the analogy, the user may well have the copyright holders' permission to do this, and may, of course, actually be the copyright holder.

      The point of that is that this 'expert' is again trying to associate peer-to-peer, file-sharing networks with illegal activities. It seems to be quite a theme he's got going in this report. Again, I refer to BitTorrent as a good example of why this is a misleading way to describe this technology.

    • On page 6, in item 18, he says:-

      ... IP address 141.155.57.198 offered 624 audio and music files, most of them are copyrighted music files, for distribution using the KaZaA program on 8/7/2004 starting at or around 6:12:45 AM EDT through at least 7:08:30 AM EDT.

      even though, in the preceding item, item 17, he says that MediaSentry only downloaded "11 songs". "11" is not "most" of "624". Without downloading the other 613 things, how could MediaSentry know what they were, or whether or not they were "copyrighted"?

    • Again on page 7, item 16 says the "KaZaA user id" is "jrlindor@KaZaA", while item 20 says that "Verizon Internet Services identifies Marie Lindor as the subscriber of record for the IP address 141.155.57.198 on 8/7/2004 at 6:15:34 AM EDT." Is "jr" short for "Marie"? How reliable are Verizon's records? Who else might have had access to Marie Lindor's account?

    Anyway, that's sort of my first impressions response to that report.

    ---
    NO SOFTWARE PATENTS - AT ALL!

    [ Reply to This | # ]
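The neighbor-to-neighbor search quoted above, as an added example that is not part of the original post or of the expert report it discusses: a small Python model of query flooding over a constructed five-node topology (node names, addresses and file lists are invented). It logs every message as it would appear on the wire, so the hop-by-hop claim can be checked directly rather than argued.

```python
"""Hop-by-hop query flooding over a small decentralized peer network.

Added illustration, not code from the Groklaw thread or from the expert
report it discusses. The topology and addresses are constructed. It
models the neighbor-to-neighbor search quoted from item 13 of the report
and records every message as it would appear on the wire, so the reader
can check the comment's point: each packet carries only the addresses of
two directly connected neighbors, never both ends of the search.
"""
from collections import deque

# Constructed topology: node -> (IP address, neighbor nodes, files offered).
NETWORK = {
    "A": ("10.0.0.1", ["B"], []),
    "B": ("10.0.0.2", ["A", "C", "D"], []),
    "C": ("10.0.0.3", ["B"], ["song.mp3"]),
    "D": ("10.0.0.4", ["B", "E"], []),
    "E": ("10.0.0.5", ["D"], ["song.mp3"]),
}


def flood_search(network, origin, filename, ttl=7):
    """Flood a query for `filename` outward from `origin`.

    Returns (hits, wire_log). `hits` lists (node_with_file, reply_path)
    where reply_path runs from the responder back to the origin.
    `wire_log` lists (src_ip, dst_ip, kind) for every message sent,
    which is what a capture on the individual links would show.
    """
    wire_log = []
    hits = []
    seen = {origin}
    queue = deque([(origin, [origin], ttl)])
    while queue:
        node, path, hops_left = queue.popleft()
        ip, neighbors, files = network[node]
        if node != origin and filename in files:
            reply_path = list(reversed(path))
            hits.append((node, reply_path))
            # The reply retraces the query path one neighbor at a time.
            for src, dst in zip(reply_path, reply_path[1:]):
                wire_log.append((network[src][0], network[dst][0], "reply"))
        if hops_left == 0:
            continue  # TTL exhausted: this node does not forward further
        for nbr in neighbors:
            if nbr in seen:
                continue  # simple duplicate suppression
            seen.add(nbr)
            wire_log.append((ip, network[nbr][0], "query"))
            queue.append((nbr, path + [nbr], hops_left - 1))
    return hits, wire_log


def ip_pairs(wire_log):
    """Set of (src_ip, dst_ip) pairs that ever appeared together in one message."""
    return {(src, dst) for src, dst, _ in wire_log}


def all_between_neighbors(network, wire_log):
    """True if every logged message travelled between directly connected nodes."""
    by_ip = {ip: name for name, (ip, _, _) in network.items()}
    for src, dst, _ in wire_log:
        if by_ip[dst] not in network[by_ip[src]][1]:
            return False
    return True


if __name__ == "__main__":
    hits, log = flood_search(NETWORK, "A", "song.mp3")
    for node, path in hits:
        print(f"{node} has the file; reply path {' -> '.join(path)}")
    for src, dst, kind in log:
        print(f"{kind:5} {src} -> {dst}")
    print("origin and responder ever in one packet:",
          ("10.0.0.1", "10.0.0.3") in ip_pairs(log))
```

Run it and every (src, dst) pair in the log is a directly connected pair; the origin's address and a responder's address never share a packet. One caveat the report's own wording supplies: it says the address can be captured "during a search or a file transfer", and the transfer, once a responder has been chosen, is normally a direct connection between the two end hosts. The hop-by-hop argument therefore applies to search traffic, not to an address captured on a completed download.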

    MAC addresses
    Authored by: PeteS on Saturday, December 30 2006 @ 08:13 AM EST
    I design hardware for a living, although I've written a lot of code at all levels (direct hardware control to application) in my time.

    The MAC address of any device on a given network must be unique (for anything using an ARP based protocol, anyway), but what most don't know is how that number originally gets assigned and how it gets used.

    When a manufacturer wants to supply devices with MACS and MAC addresses (more properly known as an OUI), it gets a range of numbers from IEEE (previous link goes there) and assigns one of the numbers to each device.

    So far, so good.

    Now, that number is usually stored in a small EEPROM (if anyone desires a link to a typical MAC device datasheet, then ask, and I'll even throw in a typical design schematic), but even if the MAC loads this number, it is still ludicrously easy to tell the controller to use a different one. [Details on how to do this are easily available - again, if details are desired, ask]

    After all the writings here on how to sniff a valid MAC and wait until it gets switched off, it is a very simple matter to make any machine appear to be something it isn't.

    True story: When developing a next-gen video-on-demand system, we had to assign MAC addresses internally - we never hit the outside networks, so we simply re-used a few we had; 4 or 5 used on literally hundreds of pieces of equipment, which led to some interesting issues when we 'forgot' one and left it on a piece of running equipment and tried to assign it ;)

    In mass manufacturing, we don't assign MACs until the unit is completely tested, so a known single MAC is used at the initial tests. The reason is the MAC is a large part of the cost of the hardware to be shipped; we aren't going to assign one to a defective piece of equipment.

    Anyway - my point is that as it is so incredibly easy to change the MAC address on virtually any MAC device via software, it's not a reliable source of identifying a specific computer.

    Some companies use the onboard NIC information to tie a single computer licence for their design tools to that computer (amongst some other things), which gets really interesting when you have to change the NIC - I have seen some acquaintances spoof (by reloading) the MAC on a new card to get their tools operational until they could get a new key from the tool company involved; in two cases I personally know of this was their only option as the companies had gone out of business, so these skills are hardly ground breaking.

    PeteS

    ---
    Only the truly mediocre are always at their best

    [ Reply to This | # ]
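What an examiner can actually read out of a MAC address, as an added example that is not part of the post above: a Python decoder that splits off the manufacturer block (OUI) and reads the administration bits of the first octet. The OUI table is a constructed stand-in for the IEEE registry the post refers to, with placeholder vendor names; a real check looks the prefix up in the published registry.

```python
"""Decode a MAC address: manufacturer block (OUI) and administration bits.

Added example, not from the thread. The OUI table is a constructed
stand-in for the IEEE registry the post refers to. It shows what an
examiner can and cannot read from a MAC: the first three octets name the
block a manufacturer was assigned, and bit 1 of the first octet (the
"locally administered" bit) marks an address chosen by software rather
than assigned from a block. Since software can set any value, a clear
bit proves nothing; a set bit is merely a hint that the address was
chosen rather than burned in.
"""
import re

# Constructed sample of vendor blocks (placeholders, not real registry rows).
OUI_TABLE = {
    "00:11:22": "ExampleNet Corp (constructed)",
    "00:33:44": "Sample Devices Ltd (constructed)",
}


def parse_mac(text):
    """Return the six octets of a MAC written as aa:bb:cc:dd:ee:ff,
    aa-bb-cc-dd-ee-ff, aabb.ccdd.eeff or aabbccddeeff."""
    digits = re.sub(r"[:\-.]", "", text.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a MAC address: {text!r}")
    return bytes.fromhex(digits)


def is_valid_mac(text):
    """True if `text` parses as a MAC in one of the accepted notations."""
    try:
        parse_mac(text)
        return True
    except ValueError:
        return False


def describe_mac(text, oui_table=OUI_TABLE):
    """Break a MAC into the fields an investigator would look at."""
    octets = parse_mac(text)
    oui = ":".join(f"{b:02x}" for b in octets[:3])
    first = octets[0]
    return {
        "mac": ":".join(f"{b:02x}" for b in octets),
        "oui": oui,
        "vendor": oui_table.get(oui),            # None if the block is unknown
        "locally_administered": bool(first & 0x02),
        "multicast": bool(first & 0x01),
        "broadcast": octets == b"\xff" * 6,
    }


def assignment_note(desc):
    """One-line reading of a describe_mac() result."""
    if desc["broadcast"]:
        return "broadcast address, not a host"
    if desc["multicast"]:
        return "group address, not a host"
    if desc["locally_administered"]:
        return "locally administered: value set by software, no vendor block"
    if desc["vendor"]:
        return f"universal: block assigned to {desc['vendor']}"
    return "universal: block not in the table used here"


if __name__ == "__main__":
    for sample in ("00:11:22:33:44:55", "02-11-22-33-44-55", "0033.4455.6677", "ff:ff:ff:ff:ff:ff"):
        d = describe_mac(sample)
        print(f"{d['mac']}  oui={d['oui']}  {assignment_note(d)}")
```

The `assignment_note` wording is deliberately weak for the universal case: a vendor match only says which block the value came from, not which physical card is using it, which is the post's point.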

    Looking up
    Authored by: Neurophys on Saturday, December 30 2006 @ 08:19 AM EST
    Reading through this case, I get more and more puzzled. Why do the RIAA go after a
    lady who doesn't know anything about computers and where they suspect 11 illegally
    downloaded files?
    They must know they have a weak case. They are not stupid people, so there must
    be something very important for them in this case. Did they expect the lady to
    be a pushover? Do they try to get support for the notion that the house owner
    may be liable?


    Pål

    [ Reply to This | # ]

    • Looking up - Authored by: Anonymous on Saturday, December 30 2006 @ 08:55 AM EST
      • Looking up - Authored by: Anonymous on Sunday, December 31 2006 @ 01:53 PM EST
    • Looking up - Authored by: Anonymous on Saturday, December 30 2006 @ 10:11 AM EST
    Another Lawyer Would Like to Pick Your Brain, Please
    Authored by: julian on Saturday, December 30 2006 @ 08:38 AM EST
    Occasionally when I use a Windows computer and I use "Network
    Neighborhood" I find computers listed there that I know to have been off
    line for months.

    Most of us have also seen a web page that is supposed to be different than what
    we are seeing.

    So did Media Sentry allow for caching of data. Is the computer they think they
    see on line just in some cache? How about the data, did it come from the
    computer or a cache?

    This could make timestamps inaccurate also.

    ---
    John Julian

    [ Reply to This | # ]

    Another Lawyer Would Like to Pick Your Brain, Please
    Authored by: Anonymous on Saturday, December 30 2006 @ 09:16 AM EST
    If the RIAA are trying to prove she was a distributor then, given the ease of
    compromising a Windows box (and the likelihood of a fairly non-tech user not
    having proper AV protection), I think they should also be proving it was done
    manually by someone actually sitting at the PC and not by some remotely
    controlled trojan.

    [ Reply to This | # ]

    MAC Cloning
    Authored by: jcaveman on Saturday, December 30 2006 @ 09:29 AM EST
    Almost every home router, wireless or otherwise, allows the arbitrary cloning of
    MAC addresses. They actually need to be able to do this because many ISPs will
    only allow the cable/DSL modem to sync with the MAC address of the machine the
    connection was originally installed on. As a result it is possible to have the
    router appear to have the same MAC as a PC behind the router/firewall, or any
    other PC for that matter.

    [ Reply to This | # ]

    Looking up
    Authored by: Neurophys on Saturday, December 30 2006 @ 10:05 AM EST
    Why didn't they attack a guy with one zillion up and downloads? Must be almost a
    certain win, at least if they find P2P-programs and music files on the disc(s).
    There must be some kind of strategy behind this.

    Pål

    [ Reply to This | # ]

    Possible line of questioning
    Authored by: KurtVon on Saturday, December 30 2006 @ 10:07 AM EST
    You say the hard drive image you were provided with showed that it was connected
    directly to the internet. Correct?

    And because of this, you claim no other computer could have been connected
    to the defendant's IP address. Correct?

    You also say that the evidence provided by MediaSentry and Verizon points to
    this computer as the one sharing files. Correct?

    You want to confiscate another hard drive in a different computer, based solely
    on the fact that it was in the same city at some point.

    So how do you reconcile your claim that the computer you examined must be the
    computer that was sharing files and the computer you are asking for could be the
    correct one instead?

    At this point he must either claim the defendants are colluding to destroy
    evidence, or he must admit that he may be wrong about which computer was the one
    involved. I'm assuming he goes for the former (which is the only response that
    doesn't destroy his testimony).

    Did you collect the evidence provided by MediaSentry? Did you have anything to
    do with the authorship of MediaSentry? In your experience, have you ever used a
    complex software program that had no bugs? Do you know how Verizon collects and
    stores its user data? How much information do you estimate that database would
    hold? Do you know how the information they provided was computed? In your
    experience, have you used a very large database that contained no erroneous
    records, and whose access was not subject to human or machine error?

    Does the hard drive, by itself, indicate any evidence of collusion to destroy
    evidence beyond the lack of use?

    Given that the defendant admits she does not know how to use a computer, how
    much usage would you expect to see on the hard drive?

    So your accusation of criminal activity is based not on anything you have
    directly observed, but your trust of third party analysis of third party
    software combined with information supplied by a fourth party, any of which
    containing even one single error would result in a false accusation?

    Why would you trust this more than your own analysis of the hard drive?

    [ Reply to This | # ]

    • Screen shots - Authored by: Anonymous on Saturday, December 30 2006 @ 10:12 AM EST
    Another Lawyer Would Like to Pick Your Brain, Please
    Authored by: Anonymous on Saturday, December 30 2006 @ 11:04 AM EST
    In reading "Description of Technologies Involved - The Internet and
    Addressing", there is an oversimplification that each computer has a unique
    IP address. The missing piece is that they are temporally unique (i.e., no
    other machine has that address at that time). The author does identify this a
    few paragraphs later, though.

    Other possible directions:

    - what about the MAC address of the Lindor computer. Without actually
    temporally matching the IP address to the MAC address, the claim that it was
    assigned to the Lindor computer becomes a my-word-against-yours argument.
    - ask if IP addresses and MAC addresses can be forged. Using the zip code
    analogy, can envelopes be stolen out of your mailbox? (i.e., identity theft
    analogy?)
    - was the Lindor system on cable modem, DSL or dial-up? If the latter, 58
    minutes to download 11 songs may be a tight squeeze (look at the file sizes),
    especially since they were also busy identifying that many of the 624 files were
    copyrighted. That's a lot of work to do if it wasn't automated. If it was
    automated, take a look at their methods. If it involves hashing, ask them to
    explain collisions.
    - If it was dial-up, the IP address assignment argument may be moot.
    - how did MediaSentry identify that most of 624 audio files were copyrighted
    without downloading them in that 56 minute window?
    - the good doctor can only offer opinion based on the data presented to him.
    This may or may not be the point of attack. We need to know how the data was
    collected and how the evidence was preserved between collection and presentation
    to Dr. Jacobson.
    - what is a MediaSentry Trace?
    - Verizon can vouch for the security/accuracy of their logs? (Who handles them?
    How are they gathered? Who has access to them prior to archiving? Are they
    digitally signed at some point?)
    - Uh, certificate of registration? With whom, for what?
    - MediaSentry is authorized to gather evidence by/for whom?
    - 16-22 looks a lot like hearsay. He can only testify to that based on what
    MediaSentry has "told" (given to) him. Doesn't "speech"
    also include printed text?

    [ Reply to This | # ]
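The "temporally unique" point in the post above, together with the times quoted elsewhere in the thread (sharing observed from 6:12:45 AM EDT, the Verizon identification at 6:15:34 AM EDT), as an added example that is not part of any post: a Python correlation of an observed address and time against lease records. The address and observation times are the ones quoted in the thread; the subscriber labels and lease boundaries are constructed and carry no information about the real case.

```python
"""Who held an IP address at a given moment, according to lease records.

Added example; neither the thread's nor any ISP's code. The lease log
below is constructed sample data (the address and the observation times
are the ones quoted in the thread; the subscriber labels and lease
boundaries are invented). It shows why a single "who had the address at
time T" lookup can mislead: the binding is temporary, the observation
window may straddle a lease boundary, and a few minutes of clock
disagreement between observer and ISP can move T across that boundary.
"""
from datetime import datetime, timedelta, timezone

EDT = timezone(timedelta(hours=-4), "EDT")


def parse_edt(text):
    """'YYYY-MM-DD HH:MM:SS' in US Eastern Daylight Time -> aware datetime."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S").replace(tzinfo=EDT)


IP = "141.155.57.198"

# Constructed lease records: (ip, subscriber, lease_start, lease_end).
LEASES = [
    (IP, "subscriber-A", parse_edt("2004-08-07 02:00:00"), parse_edt("2004-08-07 06:14:30")),
    (IP, "subscriber-B", parse_edt("2004-08-07 06:14:30"), parse_edt("2004-08-07 10:00:00")),
    ("141.155.57.199", "subscriber-C", parse_edt("2004-08-07 00:00:00"), parse_edt("2004-08-08 00:00:00")),
]


def holders_during(leases, ip, start, end):
    """Subscribers whose lease on `ip` overlaps the interval [start, end].

    A lease is treated as half-open: it covers lease_start up to but not
    including lease_end, so a boundary instant belongs to one lease only.
    """
    return {sub for lip, sub, ls, le in leases
            if lip == ip and ls <= end and le > start}


def holder_at(leases, ip, t, skew_minutes=0):
    """Subscribers who could have held `ip` at instant t, allowing the
    observer's clock and the ISP's clock to differ by up to skew_minutes."""
    skew = timedelta(minutes=skew_minutes)
    return holders_during(leases, ip, t - skew, t + skew)


def correlate(leases, ip, observed_start, observed_end, lookup_time, skew_minutes):
    """Summarise the three questions an examiner should ask separately."""
    return {
        "holder_at_lookup_time": holder_at(leases, ip, lookup_time),
        "holder_with_clock_skew": holder_at(leases, ip, lookup_time, skew_minutes),
        "holders_over_observation": holders_during(leases, ip, observed_start, observed_end),
    }


if __name__ == "__main__":
    summary = correlate(LEASES, IP,
                        parse_edt("2004-08-07 06:12:45"), parse_edt("2004-08-07 07:08:30"),
                        parse_edt("2004-08-07 06:15:34"), skew_minutes=3)
    for question, answer in summary.items():
        print(f"{question}: {sorted(answer) or 'nobody'}")
```

With the constructed boundary placed between the two quoted times, the instant lookup names one subscriber, the same lookup with a three-minute clock tolerance names two, and the full observation window names two. Which of these the ISP actually answered is exactly the question the post's "temporally matching" remark raises.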

    If it's Canada I can tell you from my own experience
    Authored by: Anonymous on Saturday, December 30 2006 @ 11:23 AM EST
    that as soon as they label a witness NOT an expert his testimony is lessened and
    in fact it might even become called hearsay (did I spell that right?)
    And in my example, because I had at one point done some time in jail, they swore
    me in as an expert witness of a person in jail (weird) and as I wouldn't say what
    they wanted, just the truth, they then labeled me a hostile witness. Wasn't very
    fun and I didn't care, I would not lie. And I hardly think a mere 8 months in
    jail could have me be called an expert. Which says a lot for Media Sentry having
    the term "non expert".
    You could easily get a true expert in to not only dispute their evidence but in
    fact, because you are a witness, make the non-expert look even less usable.
    Note I am not a lawyer; this was just some thoughts and some opinions as well as
    an example of expert versus non-expert in a Canadian court of law.

    [ Reply to This | # ]

    What happened last night?
    Authored by: Anonymous on Saturday, December 30 2006 @ 11:45 AM EST
    I responded to this article with a few ideas. I thought of a couple more
    possibilities this morning, and when I came back to update my post, it has
    disappeared. Did I violate blog rules or something?

    confused, dadgervais

    [ Reply to This | # ]

    Same DSL/Cable Modem != same computer
    Authored by: UncleJosh on Saturday, December 30 2006 @ 12:02 PM EST
    I'm JR Lindor staying with my relative Marie. I log on to her computer, look at the
    PPPoE setup, and copy the userid/password information onto a sheet of paper. I go to
    my laptop and put her PPPoE information in my laptop's PPPoE setup. I unplug the
    ethernet cable from her computer and plug it into mine. Voila.

    That's with PPPoE. I have gone to my cousin's and brother's homes to visit,
    unplugged their computer, plugged in my laptop and used their broadband
    internet connection.

    As the subject says just because the ISP at the other end of the wire says that
    Marie Lindor owned that IP address at that time does not mean that Marie
    Lindor's computer was hooked to the internet at that time.

    Wireless or wired routers using NAT are not the only way to share a high speed
    internet connection, particularly one in a home which is idle most of the time.
    Unplugging ethernet cables is clumsier, but it certainly works.

    [ Reply to This | # ]

    Time for blockmediasentry.org?
    Authored by: rsmith on Saturday, December 30 2006 @ 12:02 PM EST
    Maybe we should start a collaborative effort to collect the IP addresses of
    mediasentry's computers, so that every p2p user can adapt their firewalls.

    Just a thought. :-)


    ---
    Intellectual Property is an oxymoron.

    [ Reply to This | # ]

    Got it!
    Authored by: sk43 on Saturday, December 30 2006 @ 12:12 PM EST
    The hardest part of his resume to counter is his appearance in front of a US
    Senate Judiciary committee. You need to hire Fyodor, from insecure.org, as an
    expert. He has a picture on his website of the President visiting the National
    Security Agency, and prominently displayed behind the President is Fyodor's
    "nmap" program. A president and the NSA trump a Senate committee any
    day.

    [ Reply to This | # ]

    Radar and other technology
    Authored by: cjames on Saturday, December 30 2006 @ 12:19 PM EST
    The RIAA's "equipment" is nothing more than hocus pocus until its
    validity is either 1) Attested to by an expert; or 2) The technology becomes
    established, widely accepted science and is accepted generally by courts.

    Isn't this all well established by legal precedent set back in the 1950's and
    1960's with police radars? Police couldn't use radars until/unless they either
    brought an expert on a case-by-case basis, or the technology became widely
    accepted as valid. And in the latter case, the police still have to show that
    their equipment meets industry standards for accuracy.

    The same is true for a host of other technologies: Lie detector tests, "red
    light cameras," various forensic techniques such as mass spectrometers and
    gas chromatographs, and so forth. You can't just jump in with some new gizmo
    and convict someone, unless you have an expert willing to attest to the
    results.

    If MediaSentry aren't willing to testify as experts, and nobody else is willing
    to testify as an expert that what MediaSentry did has any validity, then they
    shouldn't be testifying at all.

    And if they do testify as experts, the easy way to hit them is with controlled
    experiments. It's very easy to claim, "We did thus-and-such, and this is a
    valid way to prove the defendant guilty." But did they ever do a blind
    test, for example have 50 users download data, and 50 users who don't, and show
    that they can reliably identify, with 100% accuracy, the correct 50 violators?

    I'll bet they've never tried this. Most computer programmers don't understand
    scientific methodology.

    Craig

    [ Reply to This | # ]

    Does anyone know the exact network configuration?
    Authored by: Anonymous on Saturday, December 30 2006 @ 12:26 PM EST
    I am trying to understand exactly how this network is laid out. Specifically,
    can someone answer the following questions, please, please, please?

    a) Verizon appears to sell modems with built in wireless or wired routing
    capability. Do they sell plain modems, or only modems with built-in routers?
    Was Lindor using a plain modem, a combined modem/wireless unit, or a combined
    modem/wired line unit?

    b) Does Verizon (for Lindor) use PPPoE? use DSL?

    c) Can I login from anywhere in the U.S. inside Verizon's network, and reuse
    Lindor's user ID? i.e. does Verizon essentially support traveling user IDs? (A
    traveling user ID permits the user to move to different phone lines. The user
    ID is used to identify the customer, not the telephone line.)

    d) Can Verizon link the user ID to a physical telephone circuit? (Circuit ID?)

    e) Can the Circuit ID be tied to a MAC address? DSL modem unit?

    f) Can the TCP/IP address be tied to anything physical? like the circuit ID, the
    MAC address, DSL modem unit, etc.? Can the TCP/IP address be tied to a region
    (like a state, city or street)? What region can the TCP/IP address be tied to?

    g) Given f, where is the modem and did anyone examine it?

    [ Reply to This | # ]

    Get some info from the Provider
    Authored by: rsmith on Saturday, December 30 2006 @ 12:34 PM EST
    Why didn't the provider terminate the account when asked to do so?

    In the period since her husband died, at which times was the account active?

    At what dates and times was Mrs. Lindor's account furnished with a new IP
    address? How long did those address leases last?

    Was there any traffic logged?

    Can the provider prove that the connection to its network made from Mrs.
    Lindor's account actually came from her house?

    ---
    Intellectual Property is an oxymoron.

    [ Reply to This | # ]

    Generic Computer "evidence" issues
    Authored by: mlwmohawk on Saturday, December 30 2006 @ 12:50 PM EST
    This whole thing about going to users' computers bothers me for a number of
    reasons, especially when they are Windows computers.

    (1) Every computer has security exploits, there is no way you can ever be sure
    that the supposed actions a computer makes are not done by some 3rd party using
    an exploit.

    (2) Wireless networking is practically impossible for a novice to setup securely
    and get working. Thus, any accusation made against a computer by IP address
    can't be taken seriously because a hacker in close proximity can piggyback on
    someone else's wireless router.

    (3) The records an ISP provides are not "evidence grade," i.e. there
    is no proven accuracy. They are not tracking every packet and there is no
    facility to prove that any one packet came from any one location. It all
    "should" work that way, but doesn't always. That's why there is tech
    support. If someone hacked their cable modem or DSL router, it is possible to
    use someone else's IP address if they are not on.

    (4) Most computers are configured as "single user," especially
    Windows, so there is no proof that a guest or unknown third party did not commit
    said crime outside the control or knowledge of the accused.

    (5) The BIG issue is that NO ONE fully understands the inner workings of a
    modern P.C. The best expert can still be surprised by a behavior or a security
    violation. Because of this, NO ONE should be held responsible for what a
    computer is said to have done. It isn't like a dog or anything, where you can
    control the animal. It is a device that accepts commands and instructions from
    3rd parties all the time without the knowledge of the owner. M$ has admitted
    this in Windows.

    [ Reply to This | # ]

    Another Lawyer Would Like to Pick Your Brain, Please
    Authored by: kberrien on Saturday, December 30 2006 @ 12:52 PM EST
    This research company hired by the RIAA used an internet connection in order to
    'inspect' the infringer. Just as the RIAA subpoenas ISPs for connection
    information of the 'infringers', it might be helpful to seek the ISP records
    for the research company. Depending on what information is logged at their ISP,
    there might be some useful information to be gained regarding their actual
    activity online. Also, the logs of the investigator's firewall if detailed
    enough, would have a full record of the investigation. And given they are
    involved in forensics, they SHOULD be logging everything!

    Lacking any records from their ISP, or their firewall how can we say the
    investigation ever happened?

    Taking a note from the FLA breathalyser cases, call for the source code of any
    utilities used by the investigators, and review its accuracy. Perhaps they
    will refuse as the FLA breathalyser company has...

    [ Reply to This | # ]

    Forensic analysis
    Authored by: rsmith on Saturday, December 30 2006 @ 01:11 PM EST
    You should have the computer in Mrs. Lindor's house analyzed by an independent
    expert.

    He could indirectly check if the computer was used during the relevant period
    through file access and modification times.

    He could also check if your client is honest: check if the Kazaa software and
    music or other files are present or have been erased.

    ---
    Intellectual Property is an oxymoron.

    [ Reply to This | # ]
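The "file access and modification times" check suggested above, as an added example that is not part of the post: a Python routine that walks a directory tree and lists every file whose access or modification time falls inside a window of interest. It builds its own constructed tree in a temporary directory with known timestamps, so it runs offline; against a real image you would point `files_touched_between` at the mounted (read-only) tree instead.

```python
"""Which files on a disk were touched inside a period of interest?

Added example, not from the thread. It builds a small constructed file
tree in a temporary directory with known modification and access times,
then walks it and lists every file whose mtime or atime falls in the
window, which is the kind of check the post suggests for "was the
computer used during the relevant period". Caveats an examiner would
note: access-time updates are frequently disabled (noatime/relatime), the
machine's clock may have been wrong, and timestamps can be altered, so a
quiet window supports a claim of non-use rather than proving it.
"""
import os
import tempfile
from datetime import datetime, timedelta, timezone

EDT = timezone(timedelta(hours=-4), "EDT")


def parse_edt(text):
    """'YYYY-MM-DD HH:MM:SS' in US Eastern Daylight Time -> aware datetime."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S").replace(tzinfo=EDT)


# Constructed sample tree: relative path -> timestamp used for both atime and mtime.
SAMPLE_TREE = {
    "Documents/notes.txt": "2004-08-07 06:30:00",
    "music/track.mp3": "2004-08-07 07:00:00",
    "old.txt": "2003-12-01 12:00:00",
    "later.txt": "2004-09-01 09:00:00",
}


def build_sample_tree(root, tree=SAMPLE_TREE):
    """Create the constructed files under `root` with the given timestamps."""
    for rel, stamp in tree.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("constructed sample content\n")
        ts = parse_edt(stamp).timestamp()
        os.utime(path, (ts, ts))  # (atime, mtime); ctime cannot be set this way
    return root


def files_touched_between(root, start, end):
    """Sorted (relative_path, matched_fields) for files whose atime or mtime
    lies within [start, end]. Directories themselves are not reported."""
    lo, hi = start.timestamp(), end.timestamp()
    results = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.stat(full)
            fields = tuple(f for f, val in (("atime", st.st_atime), ("mtime", st.st_mtime))
                           if lo <= val <= hi)
            if fields:
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                results.append((rel, fields))
    return sorted(results)


def demo_scan():
    """Build the constructed tree and scan the morning window quoted in the thread."""
    root = build_sample_tree(tempfile.mkdtemp())
    return files_touched_between(root,
                                 parse_edt("2004-08-07 06:00:00"),
                                 parse_edt("2004-08-07 08:00:00"))


if __name__ == "__main__":
    for rel, fields in demo_scan():
        print(f"{rel}: {', '.join(fields)} in window")
```

A real examination would work from a hash-verified image mounted read-only, so that the scan itself cannot update access times, and would record the machine's BIOS clock offset before interpreting any of the values.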

    • I wouldn't - Authored by: Anonymous on Sunday, December 31 2006 @ 09:22 AM EST
    Methodology / disclosure of methods
    Authored by: PeteS on Saturday, December 30 2006 @ 01:36 PM EST
    On the subject where RIAA is attempting to prevent disclosure on the methods,
    techniques etc., that were used by Media Sentry - this is insane.

    All investigations have to use some method[s] to show that they are in fact
    *valid* investigations.

    Withholding the methodology used means that the techniques cannot be checked or
    tested, nor subject to opposing expert witness review. Haven't we been seeing
    this type of conduct in SCOX v. World already?

    My plain argument would be that if the methodology is withheld, then any
    evidence gleaned from it should be struck *as I would not have an opportunity to
    challenge that evidence*.

    I could come up with a study that shows virtually anything I want, depending on
    the methods used for measurement. Another way to look at it is that the method
    used determines what results may be valid, and which are not. Not knowing the
    method blinds me to what results I may rely on.

    Now I am no lawyer, merely an engineer, but it certainly sounds equitable to me
    that 'no methodology, no evidence' might be requested.

    PeteS


    ---
    Only the truly mediocre are always at their best

    [ Reply to This | # ]

    I've managed software developers for years, here are some suggestions...
    Authored by: Anonymous on Saturday, December 30 2006 @ 02:10 PM EST
    I've been involved in formal large-scale systems development, implementation and
    operation for over 20 years, as a programmer, analyst, designer, project leader,
    and custom software shop manager.

    Here are some of my potential technical questions:

    Do you know who (company, individuals, who managed the project, etc) wrote the
    programs used by MediaSentry?

    Have you ever participated in a commercial software development project which
    resulted in the implementation of or commercialization of a major software
    system? What role did you play in that development? Did you ever play a
    Quality Assurance management role in large-scale systems software development?

    Do you know what underlying OS the MediaSentry software is deployed on? Is that
    the same OS and version used for development?

    Do you know what OS-level fixes or patches were applied to the development
    machines? The operational machines? Was there a written plan for controlling OS
    patch management? Was the plan adhered to at all times? How do you know that?

    Do you know what OS-level errors existed in the development environment you have
    testified about that were (or should have been known) known to the development
    team or management but for which no manufacturer-provided fix was available?

    Do you know what OS-level errors existed in the environment you have testified
    was used for which manufacturer-supplied fixes were available but were not
    applied to the hardware at the time it was in use for the MediaSentry
    development project?

    [Same questions for the development tool set, and database systems tool set(s)
    if relevant.]

    Do you know what QA/QC standards were in place during the development, testing
    and implementation of MediaSentry?

    Do you know if there was a written set of QA/QC standards in place for guidance
    of the QA team? Have you reviewed those standards?

    Have you ever written and implemented a set of QA/QC standards used by a
    commercial development team? How well did it work? In other words, was that
    QA/QC team you managed successful in their work so as to provide bug-free
    software tools to management or the customers?

    Do you know who was in charge of testing MediaSentry software during
    development? What are their professional qualifications for managing Quality
    Assurance? Who else was on that part of the development team?

    Can you identify the testing methodologies they used to assure the software
    worked properly in all circumstances?

    Do you know what software development tools were used in the development of
    MediaSentry tools? Are you aware of written development standards adopted by
    the development team? Can you judge whether or not these standards were adhered
    to by all developers during the projects?

    Do you know if development programmers were allowed to participate in the QA/QC
    testing, or was QA/QC handled separately by an independent team?

    What level of initial coding errors are thought to occur routinely in the
    environment you have testified was used in the development of MediaSentry?

    What level of program errors would be expected in a deployed (implemented)
    system developed in this environment given the QA/QC procedures in place during
    development and implementation?

    How is data gathered by MediaSentry stored?

    Does the team using MediaSentry have a written set of standards for managing
    data created by the MediaSentry tool?

    Does the data management standard in place meet the minimum requirements of the
    vendor of the tools being used for data management? [in other words, if they're
    using Oracle, do they adhere to Oracle DBA standards?] Are staff managing data
    certified by the vendor? Do they follow the written data management standards?
    How do you know that?

    Are changes to data generated and tracked by the system tracked as to date-time
    stamp, the before-and-after condition of the data, the user-id of the individual
    who changed the data, the tool used to change the data, etc?

    Is it possible for an authorized user of the system to use tools not built into
    MediaSentry to view the data generated and tracked by MediaSentry? Here I'm
    suggesting that many systems can be touched by ODBC-capable tools like MS Access
    or Excel, and data can be hacked by authorized users through these kinds of
    back-door tools...is this possible for MediaSentry data stores? Why not? [this
    set of questions addresses the chain-of-control in the computer.]

    How is the source code for MediaSentry managed? How is it protected? How are
    code changes propagated into production?

    Do they maintain a standard set of Development, Testing and Production systems?
    Do programmers and other software team members have access to the production
    code base? Why would you allow coders to change production code in an
    uncontrolled manner?

    How is the process of changing the production code base controlled? Is code
    migrated from the development environment to the testing environment in a
    controlled manner? Does the QA/QC team have access to the code itself or just to
    the system generated from the source code? How is that access controlled?

    When a new release is generated from the production source code base, who does
    this? How is this process controlled and recorded?

    There are more of these kinds of questions, but where I'm going here is that
    without this kind of control of systems development, the system wouldn't be
    qualified to track money, or health care records, or anything like evidence to
    be used in real court cases.

    These are some of the issues I deal with on a daily basis. I don't see much
    real, commercial software development in this guy's resume.

    As an academic, his relationship with the real world of software development
    seems real scant. I doubt that there is a ton of major software development in
    the mainly rural area he lives in.

    These are the kinds of questions asked about our own systems, which support
    folks who have to take people into criminal court. Obviously, I had a great
    learning experience thinking about ways to improve our systems environment's
    defensibility.

    Hope this helps. I'll be happy to discuss this at length if you want. PJ, you
    have my email address if you need me. Best of luck to the legal team!

    JR

    [ Reply to This | # ]
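The change-tracking questions in the comment above (date-time stamp, before-and-after value, user id, tool used) can be made concrete with a small audit-trail model. The following is an added example, not code from the original page or from MediaSentry: each change record is chained to the hash of the previous record, so an edit made "around" the application through an ODBC-style tool is detectable, because the stored hash of the altered record no longer matches its content. The case identifiers, user names and IP address in `demo()` are constructed sample data.

```python
import hashlib
import json

GENESIS = "0" * 64  # prev_hash of the first entry


class AuditTrail:
    """Append-only log of data changes, hash-chained entry to entry."""

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(entry):
        # Hash every field except the stored hash itself, in a canonical order.
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, timestamp, user_id, tool, record_id, field, before, after):
        entry = {
            "seq": len(self.entries),
            "timestamp": timestamp,
            "user_id": user_id,
            "tool": tool,
            "record_id": record_id,
            "field": field,
            "before": before,
            "after": after,
            "prev_hash": self.entries[-1]["entry_hash"] if self.entries else GENESIS,
        }
        entry["entry_hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry["entry_hash"]

    def verify(self):
        """Return -1 if the chain is intact, else the index of the first bad entry."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            if entry["prev_hash"] != prev or self._digest(entry) != entry["entry_hash"]:
                return i
            prev = entry["entry_hash"]
        return -1


def demo():
    # Constructed sample data; the identifiers are hypothetical.
    trail = AuditTrail()
    trail.record("2004-08-07T06:12:45-04:00", "analyst1", "collector",
                 "case-42", "ip_address", None, "192.0.2.10")
    trail.record("2004-08-07T06:20:00-04:00", "analyst1", "collector",
                 "case-42", "share_count", 0, 700)
    trail.record("2004-08-08T09:00:00-04:00", "dba2", "review-console",
                 "case-42", "share_count", 700, 698)
    clean = trail.verify()
    # Simulate a back-door edit that rewrites a stored value in place,
    # bypassing the application: the chain now breaks at entry 1.
    trail.entries[1]["after"] = 1200
    return clean, trail.verify()


if __name__ == "__main__":
    print(demo())
```

The chain only proves that the log was not altered after the fact; it says nothing about whether the values were right when first written, which is why the comment's questions about QA/QC on the collection tool still stand.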

    Strange timestamps
    Authored by: BsAtHome on Saturday, December 30 2006 @ 02:54 PM EST
    Compare this:
    • at 18: The sharing started at or around 8/7/2004 6:12:45 AM EDT through at least 7:08:30 AM EDT
    • at 20: Verizon identifies the defendant at 8/7/2004 at 6:15:34 AM EDT as the assigned recipient of the IP address.
    There is a near 3 minute discrepancy between the start of sharing and the assignment. That means that either the clocks are wrong while measuring, or that the IP address tracked did not belong to the defendant at the time.
    One would expect the IP address to be assigned before the sharing starts. Otherwise, you cannot connect to the internet at all. I.e. if the timestamps are correct, then the defendant cannot be the one who has been sharing at all.
    If the clocks are off, then this is very sloppy work because any network tech will tell you that time synchronisation is of paramount importance. The whole world is and has been using NTP for many years (see RFC958 from 1985). Basically, if your clock is not correct within a small fraction of a second, then you are at a near impossible task tracking events on the internet correctly (unless you are the only one using it).
    Even if the expert will testify that he believes that the IP address was assigned to the defendant, it would be nothing less than speculation. The timestamps are normally authoritative of what happened.

    ---
    SCOop of the day

    [ Reply to This | # ]
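The comparison in the comment above (sharing observed from 6:12:45 AM EDT, address assigned at 6:15:34 AM EDT) can be checked mechanically. This is an added example, not part of the original post: it parses timestamps in the format the filings use, normalises them to UTC so records from different sources can be compared, and reports both the gap and the minimum clock skew one side would need for the two records to be reconcilable. The assumption that "EDT"/"EST" mean US Eastern time is mine, not stated in the filings.

```python
from datetime import datetime, timedelta, timezone

# Assumption (not from the filings): zone suffixes are US Eastern time.
ZONES = {
    "EDT": timezone(timedelta(hours=-4)),
    "EST": timezone(timedelta(hours=-5)),
    "UTC": timezone.utc,
}


def parse_stamp(text):
    """Parse '8/7/2004 6:12:45 AM EDT' into a timezone-aware datetime."""
    *body, zone = text.split()
    naive = datetime.strptime(" ".join(body), "%m/%d/%Y %I:%M:%S %p")
    return naive.replace(tzinfo=ZONES[zone])


def check_lease(sharing_start, lease_start, tolerance_s=1.0):
    """Compare the observed start of sharing with the ISP's assignment time.

    gap_seconds > 0 means the address was logged as assigned AFTER sharing
    was observed from it, which is impossible if both clocks are right.
    tolerance_s is the clock error we are willing to excuse (NTP-synced
    hosts are typically well under a second apart).
    """
    s0 = parse_stamp(sharing_start)
    l0 = parse_stamp(lease_start)
    gap = (l0 - s0).total_seconds()
    return {
        "gap_seconds": gap,
        "verdict": "inconsistent" if gap > tolerance_s else "consistent",
        # Skew one of the two clocks must have had for the records to agree.
        "min_skew_seconds": max(0.0, gap),
    }


if __name__ == "__main__":
    print(check_lease("8/7/2004 6:12:45 AM EDT", "8/7/2004 6:15:34 AM EDT"))
```

Run against the page's two timestamps the gap is 169 seconds, far beyond what NTP-synchronised clocks would produce; a deposition question that follows from this is which host stamped each record and how its clock was disciplined.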

    Distractions
    Authored by: Anonymous on Saturday, December 30 2006 @ 03:23 PM EST
    There's a lot of inflated distracting irrelevant (but interesting) waffle here
    about NAT | DHCP | wireless | cable modems | etc. Courts prefer facts.
    1: stuff moves on the internet between public IP addresses;
    2: Plaintiff has knowledge of a public address from which the
    alleged infringement took place;
    3: Plaintiff has information from an ISP linking the public address
    to the defendant;

    Plaintiff's next step is to
    a) specify which physical device used that address at the time of
    the alleged infringement;
    b) specify the geographic location of that device at the time
    (hint: this may not be easy, and defence has no obligation to show how)
    c) nail these to the defendant.

    This ignores the questions of the alleged infringing content, which was
    i. not found on the defendant's HD, and no evidence offered as to erasure;
    ii. not identified with specificity, ie. was the file named eg.
    Madonna_For_the_first_time.mp3 really a soundfile of that material, or
    one of the dummy files thrown into the mix by **AA spooks, or
    some other perfectly legitimate file of defendant's renamed for
    a personal bizarre purpose.

    When I download dodgy stuff the first thing I do is rename it,
    and put it somewhere away from the download|shared folder.
    OT ob: it irks me how iTunes always keeps everything so neatly
    organised and labelled ...

    [ Reply to This | # ]

    Another Lawyer Would Like to Pick Your Brain, Please
    Authored by: Anonymous on Saturday, December 30 2006 @ 03:29 PM EST
    Since there are so many fake files on the fasttrack network, what I'd do is take
    the list of songs alleged to have been shared and put it into another client
    utilizing the fasttrack protocol. (I'd use giFT)
    Download the songlist and see how many were real and how many were fakes. If
    there are file hashes as well as filenames then you could pick the same file and
    see what it was...

    [ Reply to This | # ]

    Zune?
    Authored by: Ninthwave on Saturday, December 30 2006 @ 03:41 PM EST
    How does the industry letting Microsoft Zune share files fit in with these
    lawsuits? Is Zune not using a monopoly in two industries to limit consumer
    choice?

    ---
    I was, I am, I will be.

    [ Reply to This | # ]

    Another Lawyer Would Like to Pick Your Brain, Please
    Authored by: Anonymous on Saturday, December 30 2006 @ 05:39 PM EST
    I would firstly ignore the advice about IP and MAC spoofing. MAC addresses are
    barely relevant to this issue (they're used by computers attached to the same
    network to talk to each other, not across networks like the internet).

    IP spoofing/hijack is a. difficult at the best of times, b. generally an attack
    against a person not the IP holder. Difficult to describe, but usually it's
    about masquerading as a specific IP to a victim: unless you can show the
    investigators were being victimised by an IP hoaxer, routing tables alone would
    mean a very limited range of people (Verizon, or a nearby subscriber) would be
    the only ones who could perpetrate such a job.

    A few things seem to be worth concentrating on. First - the hard drive mismatch.
    That seems to really indicate the computer that they analysed wasn't the one
    that was used to share the files. Given the 'lindor' kazaa username, it seems
    fairly improbable to me that it was a computer unconnected with Mrs. Lindor, I'm
    afraid. You ought to be able to figure out what that other computer was.

    Second, are Verizon sure about the IP being hers? The kazaa username again
    suggests strongly it is, so this possibly isn't that strong a line of thinking.
    I would think it's worth checking, though: especially ask how they can be
    confident about the timestamps on the logs, I suppose.

    Lastly, could there have been a security issue with her cable modem? Many of
    them come with default passwords, and if you know the make/model of the modem
    you can gain admin access. It's possible someone could set up port forwarding,
    which would (from the outside) look a lot like an IP hijack. Did the
    investigators fingerprint the remote operating system at all, or do any other
    kind of analysis at the time? There could be other data there which makes it
    further unlikely that Mrs. Lindor's computer was the one in use - modem hijack
    would be an obvious way of casting doubt on it being something in Mrs Lindor's
    control.

    Personally, though, I would be looking at Gustave - "jr lindor" is a
    bit too close to home for it to be chance, and while their technical case isn't
    watertight by any means, it's still pretty reasonable.

    [ Reply to This | # ]

    A few comments ...
    Authored by: Anonymous on Saturday, December 30 2006 @ 05:55 PM EST
    Hi all. After tracking Groklaw since all the SCOX mess started, I'm posting a
    first comment and hope I'll help :-)

    I tried to look through the linked site but I don't have the time to look
    through all the documents and those I thought relevant did not contain any data I
    could use for analysis (or not enough). I am basing this comment on the few things
    mentioned and on prior comments by other users.

    1. The report from Dr. Jacobson is I fear accurate from the little data I've
    seen. I'd need more data about organisation of the Verizon service and details
    of Ms. Lindor's connection. Based on prior comments: If an integrated wireless
    router/dsl modem device was used by Ms. Lindor, there is a probability that the
    default configuration leaves the wireless part open for anybody within reach to
    connect to internet. I have many times connected to the internet by
    "using" such open devices. It is very common in urban areas that you
    only need a wireless device (laptop with wifi card f.e.) and with a bit of luck
    you can connect to the internet using somebody else's paid connection UNDER HIS
    IP. This is not traceable further than the original subscriber, as the devices lack
    the logging capabilities. This is not even detectable by the ISP, as they only
    see the front end MAC registered by the router/modem and the router provides
    internal DHCP and NAT.

    2. The HD examination looks suspicious. As was pointed out in previous comments,
    if the data does not match, and there is no evidence of tampering then you have
    the wrong person (HD). Dr. Jacobson concludes that the HD examined is different
    to the HD content observed by MediaSentry.

    3. The methods used by MediaSentry are one critical part in the defense. As
    stated in prior comments, it is imperative that they can prove their own
    accuracy and reliability. Also you should be able to cross examine their methods
    by an independent expert. As any programmer will tell you, the computer does
    always what you tell it to do and NOT what you WANT it to do. Thus they (or your
    expert) should prove their methods used are accurate.

    4. That no Kazaa installation/remnants were found on the HD is irrelevant, there
    is plenty of 3rd party software using the same protocol that can be used and can
    be cleaned without trace.

    5. Kazaa creates hashes of files that are unique for each file, so they can be
    identified for more convenient downloading (resume or split downloads). Now
    MediaSentry should have these hashes recorded in their logs (I guess. If they
    don't they are grossly incompetent). It should be possible to create hashes with
    same function from all the files on the HD and compare them. If no match is
    found, you have a solid ground for one part.

    [ Reply to This | # ]
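Point 5 above proposes hashing every file on the seized drive and comparing against the hashes in the investigator's log. The block below is an added example, not code from the page or from any party to the case, and it generalises the idea: it builds a content-hash inventory of a directory tree and classifies each logged entry as a content match (same bytes, whatever the file is now called), a name-only match (same filename, different bytes: a fake or a renamed unrelated file) or absent. It uses SHA-1 as a stand-in; KaZaA's own hash was a different algorithm (UUHash), so a real comparison would have to reproduce whatever function the log actually used. The files and log entries in `demo()` are constructed.

```python
import hashlib
import os
import tempfile


def hash_file(path, algo="sha1", chunk=1 << 16):
    """Stream a file through the chosen digest; stand-in for KaZaA's UUHash."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def inventory(root, algo="sha1"):
    """Map content hash -> list of paths for every regular file under root."""
    index = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            index.setdefault(hash_file(path, algo), []).append(path)
    return index


def compare(logged, index):
    """logged: list of (filename, hash) as an investigator's log would record them.

    Returns three buckets: content_match (bytes present, possibly renamed),
    name_only (same filename but different bytes), absent (neither).
    """
    by_name = {os.path.basename(p): h for h, paths in index.items() for p in paths}
    result = {"content_match": [], "name_only": [], "absent": []}
    for name, digest in logged:
        if digest in index:
            result["content_match"].append((name, index[digest]))
        elif name in by_name:
            result["name_only"].append((name, by_name[name]))
        else:
            result["absent"].append(name)
    return result


def demo():
    # Constructed sample drive contents and a constructed log; not real evidence.
    with tempfile.TemporaryDirectory() as root:
        def put(name, data):
            with open(os.path.join(root, name), "wb") as f:
                f.write(data)

        put("song_a.mp3", b"A" * 4096)                     # logged and present
        put("holiday_photos.bin", b"B" * 4096)             # logged song_b, renamed
        put("song_c.mp3", b"not what the name says")       # right name, wrong bytes
        logged = [
            ("song_a.mp3", hashlib.sha1(b"A" * 4096).hexdigest()),
            ("song_b.mp3", hashlib.sha1(b"B" * 4096).hexdigest()),
            ("song_c.mp3", hashlib.sha1(b"the real song c").hexdigest()),
            ("song_d.mp3", hashlib.sha1(b"never present").hexdigest()),
        ]
        result = compare(logged, inventory(root))
        return {k: len(v) for k, v in result.items()}


if __name__ == "__main__":
    print(demo())
```

The inventory should be taken from a write-blocked image rather than the live drive, and the empty "absent" case proves nothing on its own: it is consistent with both the wrong drive and a wiped one, which is exactly the dispute in the expert's report.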

    Another Lawyer Would Like to Pick Your Brain, Please
    Authored by: Anonymous on Saturday, December 30 2006 @ 06:56 PM EST
    I read Dr. Jacobson's reports and it looks to me like the technical information
    is *solid*, and that a copyright infringement probably took place. What isn't
    clear at all is whether the *defendant* is the person who performed the alleged
    copyright infringement.

    As to the specific request, for questions to pose during the deposition of the
    witness, I don't have the expertise to do that. And I'm not sure that's a viable
    strategy in this case, given the level of technical detail in the evidence
    presented by the plaintiff. I would focus on defending the *client* on the basis
    of the *law*, rather than trying to attack what I think is solid evidence.

    [ Reply to This | # ]

    non-smoking hard drive
    Authored by: tz on Saturday, December 30 2006 @ 07:30 PM EST
    It appears that the hard drive neither contains Kazaa, the downloaded files, nor
    traces (old fragments, registry entries, etc.) of said files.

    All they seem to have proven is someone using her account ID or MAC address
    (assuming Verizon properly records such things) had a computer with a Kazaa
    program and folder which Media Sentry could pull files from.

    But the hard drive is the key - their expert says he can't find any evidence of
    Kazaa on the drive.

    I've had my credit card number used to charge things I've not bought. I have no
    idea how it was obtained, but what is happening would be analogous to someone
    using such a fake credit card to buy a gun which was then used to shoot a
    person, and of course I have to be the shooter because my credit card number
    appears on the transaction for the gun.

    I think they have solved cloned cell phones, and some similar things, but it
    wouldn't be that hard to hijack an account or connection.

    There are at least 5 open access points my computers can see in my apartment
    building. I could use any of those without the owner's knowledge (and some of
    the protected ones are using WEP which could be cracked by next morning, if that
    long).

    If they found a hard drive or iPod or something with the files MediaSentry
    found, it would be one thing. Instead they have an account registered to
    someone who has never used a computer, and the hard drive indicates it never had
    the files in question on it.

    As far as methods, I assume MediaSentry uses Kazaa to pull files from various IP
    addresses, then after verifying they are copyrighted, goes after the ISP to get
    the account information, then relies on others to go the rest of the way. But
    an IP address and account is only a pointer. It doesn't indicate what is at the
    far end. That would need to be the actual computer, and they have not found
    that computer.

    (Note that really, really, expensive hard drive analysis can find deeper traces
    in the very slight magnetic variations - cryptographers are generally the only
    ones concerned with such methods, and it would require millions to test which I
    don't think the RIAA would spend).

    [ Reply to This | # ]

    Major Issues
    Authored by: The Mad Hatter r on Saturday, December 30 2006 @ 07:34 PM EST


    I spent most of the day thinking about this after reading all the files:

    1) The RIAA is trying to hide something by not letting the MediaSentry contract
    or instructions be shown. Possibly MediaSentry is being paid a bonus for every
    "file sharer" sued, if so it is in their interest to find as many file
    sharers as possible. This could lead to criminal actions on the part of
    MediaSentry - possibly the RIAA has just realized this and does not want to be
    held accountable for flawed directions? I don't know, but when someone wants to
    hide something there's generally something wrong, so I suspect that this
    information could kill the case.

    2) MediaSentry is using unknown hardware and software in their efforts for the
    RIAA. We have no reason to trust the hardware and software. Both hardware and
    software bugs are common. Unless the software and hardware has been inspected by
    competent outside staff we have no assurance that it is operating correctly.

    3) The RIAA expert has testified that the hard drive in question was not used
    for file sharing. This is very interesting. The expert does not seem to have the
    knowledge to be declared an expert in these matters. In fact the wording of the
    report makes it seem that the expert is a hired gun - who will say whatever
    he/she is paid to say. Note the continued harping on "this is not the
    correct hard drive as I cannot find the infringing files which have to be
    here", and the fact that he does not allow for the fact that the correct
    computer could have shared this address with the Lindor computer, possibly due
    to an address reassignment by the ISP, or other unknown factors is interesting.

    4) MediaSentry is not an expert? In that case why did the RIAA hire them? If
    they are not an expert in what they are doing their evidence should be stricken
    - they obviously do not have the knowledge to have developed the evidence.

    5) Where is the list of files that were shared/downloaded? This is exceptionally
    important - what if the file sharer that was detected was sharing 10 gigs of
    files, and the computer only had a 5 gig hard drive? What if the sharer
    specialized on Lois and Brahm, and the Lindor have no small children?

    Hope this helps.

    ---
    Wayne

    http://urbanterrorist.blogspot.com/

    [ Reply to This | # ]

    Did anyone look at the location of the IP Address?
    Authored by: Anonymous on Saturday, December 30 2006 @ 07:40 PM EST
    I'm not sure if this helps or it hurts. It appears that the ip address
    corresponds to a location in Manhattan that has about 2000 addresses, of which
    about 500 are set up in a dynamic pool.

    This would correspond to a fairly small number of customers. Does anyone have
    any idea where these customers might be located? vs the location of Mrs.
    Lindor?

    http://www.trustedsource.org/query.php?q=141.155.57.198

    Google Earth helps in looking up the provided longitude and latitude of 40.75 N,
    73.997 W.

    You can also type at the command line:

    tracert 141.155.57.198

    This will tell you how close you are to Mrs. Lindor's old IP address, in terms
    of network separation.

    [ Reply to This | # ]

    Another Lawyer Would Like to Pick Your Brain, Please
    Authored by: Ray Beckerman on Saturday, December 30 2006 @ 10:02 PM EST
    Just want to thank all of you who have given us the benefit of your thinking.
    Lots of good ideas for us to explore.

    [ Reply to This | # ]

    Another Lawyer Would Like to Pick Your Brain, Please
    Authored by: Anonymous on Saturday, December 30 2006 @ 10:33 PM EST
    > and -- believe it or not -- has never even used a
    > computer in her life

    In the absolute terms in which it is stated (never...
    any...) I personally don't believe it. A judge/jury will
    find it hard to believe it too.
    If I was Ms. Lindor's attorney, I'd be less worried with
    trying to refute the expert witness' testimony, and more
    worried about anything in the computer's hd that might
    indicate that she has indeed used it, at least once, since
    it was bought. Or proof/testimony that she has used some
    other computer in the past.
    IANAL, does the law require evidence in direct
    rebuttal to a defendant's testimony to be disclosed by the
    plaintiff's attorney, or can he/she pull a 'Perry Mason'
    (*) and surprise the defense?

    (*) Admittedly, not the best analogy, since PM was usually
    a defense lawyer.

    [ Reply to This | # ]

    Another Lawyer Would Like to Pick Your Brain, Please
    Authored by: Anonymous on Saturday, December 30 2006 @ 11:14 PM EST
    I would add a few things.

    As Sips and Pouwelse have said, pollution and lying are very common P2P
    behaviors. I will elaborate a bit on why this is important. The only evidence
    MediaSentry appears to have is that a file-search turned up a file with a name
    of a copyrighted work. There have been numerous instances in the past where
    people have had innocuous files with suspicious-sounding names and been sued.

    In 2001 someone got into trouble over a file named "Harry Potter Book
    Report". See about halfway down:
    http://www.pacificresearch.org/pub/ecp/2003/epolicy02-07.html

    There are a number of issues (some related):

    1) How has MediaCenter determined the file infringes ANYTHING, much less the
    particular item in the complaint? They do not download the whole file.

    2) Do they sue just because a file shows up in the listing? Many people use
    'upload blocking' tools, to prevent their computer from uploading content. The
    content will show up when others search, but no distribution is possible. (E.g.
    Bob has an upload blocker. Alice searches. Alice sees files on Bob's computer.
    Alice can try to download from Bob, but will never get anything.) Reasons for
    this are all variants on freeloading: Bob wants to get things from the P2P
    network without contributing to it.

    3) Even if they DO download the file and they DO know it is infringing, there
    are serious questions about backtracking by IP address. It only gets to a
    particular computer. The computer may have been compromised. People who run
    illegal downloading sites oftentimes do not operate them legitimately. By which
    I mean they don't run them on equipment they own, with utility accounts in their
    name. They will often find existing poorly-secured machines that have high
    availability and bandwidth, take them over remotely, then use them to warehouse
    files. Any machine identified will need to be forensically examined for evidence
    of such skulduggery.
    Furthermore it is very common for personal computers to be used by more than
    one person, but this is probably familiar territory.

    4) Even assuming that the owner of the machine is the user of (say) Kazaa, AND
    that MediaCenter downloaded the file to examine it, this STILL does not prove
    that particular PC ever uploaded the file to *anyone else*.
    You're the attorney, but I feel qualified as an armchair attorney at least :)
    and I must point out that MediaCenter is the recording industry's agent. If
    they invite Bob to give him a copy of a file owned by them, and he does -- they
    cannot then sue him for copyright infringement, for they authorized it. If a
    store hires someone to tell me that it's OK for me to take something without
    paying for it, then tried to sue me for conversion, I can think of three or four
    good reasons they cannot sue me for *that act*. You probably can too, so I
    won't elaborate.
    You may be able to argue that instead they need to show that either 1) Bob
    uploaded the file to someone who was NOT an agent of the copyright owners, or 2)
    Bob's mere possession of the file is itself a copyright violation. (Personally,
    I feel that downloading is simply the act of RECEIVING an illegal copy someone
    ELSE made (as part of an offer on the UPLOADER's part to give copies to anyone
    who wants one, not because of a request the DOWNLOADER made), making downloading
    (only) not direct infringement.)

    5) Factual inaccuracy in "April 2006 boilerplate report" items 15 and
    16(first items under Conclusions): Even if all 700 files actually exist, and
    are what they appear to be, the fact a KaZaA search turned them up does NOT --
    in ANY WAY -- prove where those files came from. KaZaA is NOT the only P2P
    network, and there ARE legitimate ways the defendant could have come by those
    files (she could have created them herself). How was it determined the files
    were downloaded at all, much less from KaZaa?

    6) The statements about not finding KaZaa on the hard drive he examined is very
    strange. He appears to be claiming the machine was wiped before it was turned
    over (that is, the defendant or someone else tried to destroy the evidence). I
    interpret this as possible evidence of innocence, but lacking more details am
    unable to come to any conclusion. I would want to know:
    A) He said the hard drive was very sparse, due to "lack of user created
    files", but he found files reference on Gustave Lindor, Jr. How many 'user
    created files' would indicate the machine had been used? What was he looking
    for, which he did not find?
    B) In what context was the name of Gustave Lindor, Jr. found? "that
    document indicates he was living and working ..." -- "that
    document?" What document? You want to see that document. Was it personal
    correspondence Mr. Lindor wrote and sent to the owner of the machine? Was it
    (say) a document in progress (which tends to indicate he owned it)?
    C) Did he conclude it was a new hard drive, or one which used to contain data
    but had been erased? It is well known erased data can often be partially
    recovered, and indeed securely deleting (meaning, making unrecoverable) things
    is very difficult. How did he arrive at this determination?
    D) There is a discrepancy. MediaSentry's data indicates the machine had KaZaa
    installed? Then why does the machine itself contain no trace of it? How does
    he reconcile this apparent contradiction, and more importantly how did he
    exclude other potential explanations -- specifically the possibility
    MediaCenter's data might be unreliable?
    E) He apparently concludes the provided hard drive is a phony hard drive,
    because he concluded the hard drive had been barely used. This implies he
    believes the hard drive was purchased brand new, and Windows installed on it,
    and this hard drive was then turned over instead of the real hard drive.
    There are other signs of usage. If different programs were installed on
    different dates over a period of some time, this would imply the machine was
    used. What was installed, and when? Under Windows XP, the system event log
    contains dated logging information for things the system finds important. If
    this log contains entries over a lengthy period of time, this is a sign that
    hard drive was in fact used. Was this log examined? If so, what was found? If
    not, why not? (Its location is Control Panel - Administrative Tools - Event
    Viewer)

    7) You have claimed in the Groklaw article that "Ms. Lindor, the defendant
    in this law suit, a middle-aged Brooklyn woman who works as a home health aide,
    and -- believe it or not -- has never even used a computer in her life, much
    less been an "online distributor".
    This is very confusing, because it would appear the RIAA's expert has
    forensically examined SOME hard drive. Yet if someone "has never even used
    a computer", they certainly don't own one. Where did he get the hard
    drive? What did he examine? Something doesn't add up.
    If she has never even used a computer, how did she get fingered? My
    understanding of the RIAA's process is they find an IP address which they think
    shares files, then subpoena the subscriber info from the ISP.
    How did the ISP come to conclude that someone who doesn't own a computer has
    internet access? I see only a reference to Verizon's response, not the response
    itself. I can only speculate. Is Verizon's database polluted? Did they make a
    typographical error in their response? Was the account in her name, for a
    computer in her home but owned by someone else? Has Ms. Lindor been the victim
    of identity theft?
    IP addresses do not remain constant, they change over time as customers come
    and go, and for many reasons. Who used that IP before and after the defendant?
    How many times did that IP change hands around the time plaintiffs charge the
    infringement occurred?
    You will probably need to speak to Verizon. The RIAA's expert likely cannot
    answer these questions. But he CAN answer what makes him so sure the defendant
    is the right person, given she likely doesn't own a computer and can't even
    operate one.

    8) How is MediaSentry's evidence generated? Screenshots are trivial to
    falsify. Is there a chain of custody? Has their software been audited to
    ensure it isn't fraudulently manufacturing evidence? Has their software been
    audited to ensure it does not accidentally misrepresent material facts? Are the
    images produced cryptographically signed? (In short, cryptographic signatures
    are a sort of tamper-proof seal; a block of data generated so that, if the data
    is altered, it won't match the signature -- and the signature cannot be
    falsified without a secret key.) Do they still have the downloads they claim
    the defendant transmitted to them? (Whether it's a complete or a partial
    download, they should still have it for examination.)

    [ Reply to This | # ]
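Point 8 above asks whether the captured images are cryptographically sealed so that later alteration is detectable. The following is an added example, not code from the original page or from MediaSentry: it writes a manifest of SHA-256 digests for the captured files together with capture metadata, then authenticates the manifest with HMAC-SHA256 under a secret key. HMAC is used here as a symmetric stand-in for a digital signature (the standard library has no public-key signing); the tamper-evidence property is the same, with the difference that a public-key signature could be verified by the defence without access to the key. The file contents, operator name and key in `demo()` are constructed.

```python
import hashlib
import hmac
import json
import os
import tempfile


def sha256_file(path, chunk=1 << 16):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def seal(paths, key, captured_at, operator):
    """Return (manifest_bytes, tag): digests of each file plus capture metadata,
    with an HMAC over the canonical manifest so neither can be edited silently."""
    manifest = {
        "captured_at": captured_at,
        "operator": operator,
        "files": {os.path.basename(p): sha256_file(p) for p in paths},
    }
    body = json.dumps(manifest, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return body, tag


def verify(body, tag, key, paths):
    """Return (ok, problems). Checks the manifest's MAC first, then every file."""
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return False, ["manifest"]
    manifest = json.loads(body)
    present = {os.path.basename(p): p for p in paths}
    problems = []
    for name, digest in manifest["files"].items():
        if name not in present or sha256_file(present[name]) != digest:
            problems.append(name)
    return not problems, problems


def demo():
    key = b"constructed-demo-key-keep-secret"  # hypothetical key
    with tempfile.TemporaryDirectory() as d:
        shot = os.path.join(d, "capture.png")
        partial = os.path.join(d, "download.partial")
        with open(shot, "wb") as f:
            f.write(b"\x89PNG constructed screenshot bytes")
        with open(partial, "wb") as f:
            f.write(b"constructed partial download")
        body, tag = seal([shot, partial], key, "2004-08-07T06:12:45-04:00", "ms-operator-7")
        intact = verify(body, tag, key, [shot, partial])
        # Someone touches the screenshot after capture: file check fails.
        with open(shot, "ab") as f:
            f.write(b"x")
        edited_file = verify(body, tag, key, [shot, partial])
        # Someone rewrites the metadata without the key: MAC check fails.
        forged_body = body.replace(b"ms-operator-7", b"ms-operator-9")
        forged_manifest = verify(forged_body, tag, key, [shot, partial])
    return intact, edited_file, forged_manifest


if __name__ == "__main__":
    print(demo())
```

A seal of this kind only helps if the key (or signing key) was held outside the collection software and the tag was recorded at capture time; a seal applied later merely proves the evidence has not changed since it was sealed.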

    Another Lawyer Would Like to Pick Your Brain, Please
    Authored by: Anonymous on Sunday, December 31 2006 @ 12:13 AM EST
    Lots of stuff covered above, but some more points I'd bring up. I'll mostly
    stick to things I didn't see posted earlier when I skimmed through.

    In his earlier, April 12, testimony, he claims two computer security patents.
    I've looked at them, and am not impressed. In combination with the other
    fluffing he's done on his background, it certainly makes it seem to me like he's
    a puffer-fish for hire rather than an actual expert, especially when combined
    with the (largely pointed out) deficiencies in his descriptions of the actual
    technology involved.
    Patent #6,044,402 is registered to the university, with his name included. This
    is an insanely trivial and obvious patent that appears to cover a remotely
    administered packet filter (which has only been around since the late 60's, if
    not earlier).
    The other appears to be #5,548,649 and is another insanely trivial,
    prior-arted-to-death, never-should-have-been-granted one. This one just looks
    like the same thing any VPN concentrator does. This is another trivial BSD/UNIX
    hack that was around in the 70's, if not earlier.
    He mentions a third, but does not give a patent number. Searching on
    combinations of names given is not showing anything. As for clarification on
    this one.

    Important addition to this is his claim to be a "Certified Forensics
    Computer Examiner". I found a certification with this title at
    http://www.iacis.info/iacisv2/pages/training.php
    Based on a quick look over, this seems like an incredibly basic certification.
    It requires only a two week course with no prior computer experience. Judging
    by the statements on that webpage, this certification is essentially worthless.
    A notable example, from their recertification requirements page:
    "For example, a proficiency test may consist of a Linux disk, in which you
    are asked to look for images. You do not need to be an expert in Linux to work
    this case. If you can image the disk successfully, identify it is some form of
    Linux OS, and maybe even retrieve some images from the disk, then you have
    successfully passed the test. Failing would be simply look at the disk in DOS
    and determined there was nothing of apparent evidentiary value."
    It could be worth comparing this certification to the GIAC Certified Forensics
    Analyst certification.
    I do notice that his CV lists no other certifications at all.

    As an aside, I've looked briefly over the Palisade Systems products pages. I'll
    state upfront that I work for a network security company that might be
    considered a competitor, so my opinion is biased here, but I wasn't very
    impressed. Any network security product that _requires_ Windows machines to
    function (for the management, in this case) probably shouldn't pass the sniff
    test.

    Something I don't recall seeing mentioned in the comments, his description of
    Peer-to-Peer protocols is decidedly deficient. He doesn't seem to recognize
    that http and ftp (among others) are peer-to-peer.

    On to his "Conclusions" section.

    15) How is he testifying to procedures used by MediaSentry? Nothing listed in
    the "Materials Considered" section addresses their procedures. Given
    just this testimony, he can have no knowledge of them. How can he testify to
    them?

    20) This has been pointed out, but needs reinforcing. How is he testifying that
    the sharing occurred before the IP address was assigned? This directly
    contradicts his own testimony about what is required to connect a computer to
    the internet.

    On to his CV.

    It's interesting how many introductory classes he's teaching given the length of
    time he's been a professor at this university. No idea how this compares to
    others, but it caught my eye.

    Some of his grant descriptions are a bit vague, saying things like "7
    companies". Would be interesting to find out if any of his grant funds had
    RIAA/MPAA ties.

    I find it interesting that none of his journal publications has anything to do
    with security. Two are on mosquito monitoring, of all things, and one is a
    student paper about a cheap ski jump timer (I call it a stopwatch myself, but
    that wouldn't be a paper).

    Even his "Proceeding" publications show nothing past 2004 except a few
    "submitted" that apparently haven't seen actual publication. Most of
    the earlier ones seem to be about teaching rather than computer security per se,
    which is probably fine for a teaching professor, but isn't going to help his
    computer forensics credentials any. Oddly enough, it looks like the
    publications are getting steadily _less_ technical as time goes by. It appears
    the bulk of his technical work was early '90s or prior.

    His "Technical Presentations" section seems to have the most computer
    related security listings, but several of those are presentations to political
    groups and the like (2005 Midwest Election Officials Conference, for instance),
    and politicians are hardly known for their technical acumen.

    Patents mentioned above.

    Under "Other", he includes attending three-day conferences. Is this
    the kind of thing people normally put on their CVs?

    This guy is definitely no Bruce Schneier. If you can get an actual computer
    security expert in, he'll probably get torn to shreds. He does seem to have
    some decent technical grounding, but I'm less sure of his security experience.
    How he's supposed to evaluate MediaSentry's forensics with so little information
    is beyond me.

    Unfortunately, what there is from him so far is simply too vague. Aside from
    the blatant self-contradictions (not the right hard drive, no evidence, timing,
    methods) he hasn't said much of anything relevant. I would recommend getting in
    touch with a real expert, like Bruce Schneier. Assuming you don't have the
    funding for his time, he may be able to suggest someone expert who's interested
    enough in this kind of case to work cheap or pro bono. Then let the expert tear
    apart the second-hand hearsay. At the least, post again here when the testimony
    is available, and there's plenty who'll be willing to go over it.

    [ Reply to This | # ]

    • CV spelunking - Authored by: Anonymous on Tuesday, January 09 2007 @ 06:56 PM EST
    Another Lawyer Would Like to Pick Your Brain, Please
    Authored by: Anonymous on Sunday, December 31 2006 @ 01:15 AM EST
    for those that didn't read, he's a certified forensic guy, and at least
    professionally appears to have patented (and supervised another project)
    specializing in p2p detection.

    concur that it appears as though they want the actual hd or maybe it's common to
    cya for forensic guys by saying they need it...unknown. to have anything less
    than the actual thing and a solid chain would seem more of a Wish than evidence.
    this needs to be All About media sentry's investigative process...but then
    again we already knew that, and the good doctor appears to be available to make
    representations on behalf of their methods. with Zero legal background, even I
    can ask how that does not absolutely entitle Mr. Beckerman to discovery on
    it--either that, or anything resultant from their process gets tossed, no?

    also appears as though they are also concluding that some other person was
    living and working in NY during the period _according_to_a_resume_ found on the
    image. well, of course that must be factual--it's on a resume. okay,
    tech-tech-tech, i know.

    if i have the pdfs straight, the professor is reporting that there were 700
    songs on the box (all downloaded), 624 of which were "being
    distributed" & 11 of which were downloaded from 6:12:45 AM to 7:08:30
    AM eastern 8/7/04.

    o anyone who can comment on whether this is even physically possible by whatever
    bandwidth connection means ms. lindor uses? so that's what 53:45 or 3225 sec,
    and 624 songs => ~5.2 sec/song? or do kazaa transfers happen as some
    parallel, distributed thing? actually 624 upped + 11 downed gives ~5.1 sec.

    o not technical/rather legal, but what does "being distributed"
    mean--is being on the list as available the same as "being
    distributed" no technical help for Mr. Beckerman, just my personal
    question... the pdfs say a tuple with song hash and ip address are in the
    central server which is queried for availability. perhaps that's what he
    means--the hashes and an ip are upped and thus "being distributed"?
    Either way, that's legal stuff and I need to bow-out.

    o okay, another question--can all that hashing even be completed in about an
    hour on a box of the specifications which ms. lindor has? 700 songs hashed in
    an hour? i assume that the 'client' has to perform the hashing (because it
    could not be otherwise?)

    o some (unclear) reliance on system and user.dat (and da0) is used to
    establish/confirm the alleged activity--anyone knowledgeable wrt kazaa operation
    can comment? question: is it possible that something might appear in any of
    these files that the user has never used or might have no knowledge of? (A:
    duh).

    o the pdfs mention a string in the resume information and a permutation of the
    same string as an id in the kazaa stuff; might this string also correspond to
    the box name on the os image? and could this box name be viewed by the
    botmaster controlling the machine? rhetorical, however true, and
    retracted...but leading to question: did the good doctor look for, find, or
    otherwise consider existence of other malware on the image under review? if
    so... follow-up: is it conceivably technically Possible that any and all
    alleged illegal activity could occur without ms. lindor doing anything except
    leaving her machine run? (A: duh). i guess the other side's answer is simply
    to boot the image with a network connection and monitor attempts to establish
    outbound connections--presumably Mr. Beckerman has access to this image and
    might verify whether or not this is the case in deciding if this avenue is of
    use to him.

    concur that address uniqueness/assignment looks weakest in his report, but
    you'll need your ducks lined-up along the lines of what arker posts. report
    contents might be boilerplate he's been using for years (and even maybe 6 or 7
    years ago it would have looked more solid).

    also agree wrt faulty screenies and i note that the good dr. is part EE. imo,
    anyone prepared to represent authenticity wrt any s/w used by media sentry needs
    to address Dr. Thompson's Turing acceptance address:
    http://cm.bell-labs.com/who/ken/trust.html
    one bonus question for the EE in dr. jacobsen is "how many places might
    this apply in either Any machine of media sentry or in ms. lindor's
    machine?"

    google tells me that mr. beckerman knows far more than i do about media sentry,
    but the word "heuristics", i mean c'mon!



    [ Reply to This | # ]

    Another Lawyer Would Like to Pick Your Brain, Please
    Authored by: Anonymous on Sunday, December 31 2006 @ 01:25 AM EST
    To add to the comments of Teacher about Network Address Translation (NAT),
    reference the program that allows a computer connected to the internet to be used
    as a router.
    On a Windows XP machine, go to <Start><Control Panel><Network
    Connections><Share a Network Connection>. NAT built in. Did the Ph.D.
    think to check for this setup on the operating system? Did the computer have a
    second ethernet connection? Can this program be used via a USB port?

    For a Linux machine (unlikely for Ms. Lindor), see the program ipmasq.
    Available on the Ubuntu repositories. The description says
    -------------------------------------------------
    securely initializes IP Masquerade forwarding/firewalling
    This package contains scripts to initialize IP Masquerade for use as a
    firewall. IP Masquerade is a feature of Linux that allows an entire network
    of computers to be connected to another network (usually the Internet) with
    only one network address on the other network. IP Masquerade is often
    referred to as NAT (Network Address Translation) on other platforms.
    By default, this package configures the system as a basic forwarding
    firewall, with IP spoofing and stuffed routing protection. The firewall
    will allow hosts behind the firewall to get to the Internet, but not allow
    connections from the Internet to reach the hosts behind the firewall.
    However, ipmasq now features a very flexible framework where you can
    override any of the predefined rules if you so choose. It also allows you
    to control if the rules are reinterpreted when pppd brings a link up or down.
    This package should be installed on the firewall host and not on the
    hosts behind the firewall.
    IP Masquerade requires the kernel to be compiled with masquerading support
    (please see documentation for specific kernel options required).
    ---------------------------------------------------
    A program such as this for Linux is very likely to have been ported to one of
    the BSD varieties and may have originated in the Unix community.

    How did the professor rule out the existence of one of the many ways the IP
    could have been spoofed or faked?
    I see this as a case of "The car ran the red light but no one saw who was
    driving so we will charge the registered owner." I also find the existence
    of a Gustave Lindor, Jr. resume on the machine somewhat suspicious.
    MSNTHRP
    BS/MS Electrical Engineering

    [ Reply to This | # ]

    Important: type of connection (ISP), computer, network equipment
    Authored by: ikocher on Sunday, December 31 2006 @ 02:05 AM EST
    Connection service (ISP):
    What kind of internet service does Ms Lindor have?

    If it is a cable modem service, riaa will be assuming that _nobody_ in the cable
    modem network modified their modem to use credentials of Ms Lindor, something
    that is not correct to think. Modifying a cable modem unit is against the
    contract with the provider, but it is not voodoo to do it. Reasons: spy (sniff)
    the network, because the docsis system the cable modem network uses, bases its
    security and authentication on the MAC address of the modem, not the one in the
    ethernet side of it, but the one in the docsis (cable) side.

    If the service is any type of xDSL, there are no MACs to get. In this kind of
    service, it is pretty difficult for someone else to steal your service without
    the customer noticing it. It also implies heavy modification to cables on posts,
    etc.

    If the service is dial-up, the phone number from where it was called can be
    faked. Take a look at Vonage. There is a way using that service, and also
    applies to other providers, to "fake" from where the call comes. One
    can do this even with "simple" and open software such as the Asterisk PBX.

    Now, in case the service is a type of PPP or something, then the PPP
    credentials might be a strong point for riaa, because those can't easily be
    stolen. The PPP protocol uses challenge-response for authentication, so the password
    doesn't go onto the wire. PPPoverEthernet is a sort of popular service, and can
    be used with cable modem and xDSL. PPP (basic) is the one probably used for
    dial-up, as there are other protocols for dial-up: SLIP, aol, etc. Now if she
    handled the user/password too easily ... her fault!

    I'm not from the us, so I don't know about isp there.

    Can help more if you post a little bit more on the type of connection.


    Networking equipment:
    Also, if she has one of those wireless routers, in default configuration... no
    security, etc... anyone around (100 meters at least, but maybe more using the
    right antenna) her home could have used it and she wouldn't have noticed it. There is
    a whole problem on this, legal/moral/etc. I think some city in the US outlaws
    having an open system this way, don't remember now which and when exactly.


    Computer(s):
    Also, some posts have mentioned how easy it is to control a windows machine
    remotely, without the user ever knowing it happened. If this is the case, then
    this would have been used by the attacker for other purposes, or maybe even to
    make this case. Ever heard about botnets? just google it!
    Maybe an attacker wanted some song, and used one of the machines in his botnet
    to do the 'job'... maybe more obscure... but I doubt it was for that. Also
    botnets 'controllers' are for hire, you choose the 'job' and it gets done.

    Also, did she ever receive a friend with some computer and connect it to her
    home network? Maybe the attack started there, without either of them knowing it.
    I have seen networks collapsing due to this, just one "external"
    computer connected to the local network, and it performed the attacks, while the
    network was fully protected from the outside... sad.

    Is her computer a laptop? Has she used it somewhere outside her home?


    Now... all the above assuming she _owns_ a computer, but you said she _does_not_
    ?!?!?! Well if that is the case, how is there an ISP involved in all this? Why
    would Ms Lindor have an internet service without a computer? For her
    refrigerator??? Don't think so. Does she pay for the service but she didn't
    'have it at home'? What for? Did she know? If not, this is a credit card
    fraud or some other type of fraud.
    Some years ago, my credit card was charged by an ISP in the US, and I didn't
    live there... cool. The charge was easily removed, but someone tried it.



    Ivan

    [ Reply to This | # ]

    IP Addresses and routers and fishy stories
    Authored by: Anonymous on Sunday, December 31 2006 @ 02:14 AM EST
    He talks about how the computer had a public IP address and how it means it
    wasn't connected to a router.

    How does he know it wasn't connected to a router in the past and had a public
    IP address only when the image was turned over?

    In both cases, the system would be pulling (most likely) IP addresses via DHCP.
    No "tampering" with the registry would have been necessary, just the
    removal of the router.

    [ Reply to This | # ]
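The point made in the comment above, that the address on the image only reflects DHCP at the moment it was last running, is something an examiner can actually test rather than argue about. On NT-family Windows (the thread mentions XP) the DHCP client records its current lease per interface under HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{GUID}, with DhcpIPAddress as a string and LeaseObtainedTime / LeaseTerminatesTime as REG_DWORD seconds since 1970-01-01 UTC. The script below is an added example, not something from the thread, the expert's report or MediaSentry: it parses a .reg export of that key and classifies the two timestamps quoted from the report (6:12:45 and 7:08:30 AM Eastern, 8/7/04) against the recorded lease. The registry export, interface GUIDs, addresses and lease times are constructed for the example.

```python
"""Cross-check alleged observation times against the DHCP lease a Windows
client recorded in its registry.

Added example for this thread; the registry export, interface GUIDs,
addresses and lease times below are constructed, not evidence from the case.
Layout assumed: NT-family Windows (2000/XP), where the DHCP client stores
per-interface values under
HKLM\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Interfaces\\{GUID}
with LeaseObtainedTime / LeaseTerminatesTime as REG_DWORD seconds since
1970-01-01 UTC.
"""
import re
from datetime import datetime, timedelta, timezone

EDT = timezone(timedelta(hours=-4))  # US Eastern Daylight Time, as in the report

# The window quoted from the report in the thread: 8/7/04, 6:12:45 to 7:08:30 AM Eastern.
ALLEGED_START = datetime(2004, 8, 7, 6, 12, 45, tzinfo=EDT)
ALLEGED_END = datetime(2004, 8, 7, 7, 8, 30, tzinfo=EDT)

# Constructed lease: obtained 06:40:00 EDT on 2004-08-07, valid for 24 hours,
# i.e. it starts inside the alleged window, the situation the thread argues about.
_OBTAINED = int(datetime(2004, 8, 7, 6, 40, 0, tzinfo=EDT).timestamp())
_EXPIRES = _OBTAINED + 24 * 3600

SAMPLE_REG = f"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Interfaces\\{{11111111-2222-3333-4444-555555555555}}]
"EnableDHCP"=dword:00000001
"DhcpIPAddress"="192.0.2.17"
"DhcpServer"="192.0.2.1"
"LeaseObtainedTime"=dword:{_OBTAINED:08x}
"LeaseTerminatesTime"=dword:{_EXPIRES:08x}

[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Interfaces\\{{aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}}]
"EnableDHCP"=dword:00000000
"IPAddress"=hex(7):31,00,39,00,32,00,2e,00,31,00,36,00,38,00,2e,00,30,00,2e,00,32,00,00,00,00,00
"""

_KEY_RE = re.compile(r"^\[(.+)\]\s*$")
_VAL_RE = re.compile(r'^"([^"]+)"=(.*)$')


def parse_reg(text):
    """Return {key_path: {value_name: raw_value}} from a .reg export."""
    keys, current = {}, None
    for line in text.splitlines():
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = _VAL_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = m.group(2)
    return keys


def _dword(raw):
    if not raw.startswith("dword:"):
        raise ValueError("not a REG_DWORD: %r" % raw)
    return int(raw[len("dword:"):], 16)


def dhcp_leases(text):
    """Return [(guid, ip, obtained_utc, expires_utc)] for DHCP-enabled interfaces."""
    out = []
    for key, vals in parse_reg(text).items():
        if "\\Tcpip\\Parameters\\Interfaces\\{" not in key:
            continue
        if _dword(vals.get("EnableDHCP", "dword:0")) != 1:
            continue  # static configuration: no lease to check
        ip = vals["DhcpIPAddress"].strip('"')
        obtained = datetime.fromtimestamp(_dword(vals["LeaseObtainedTime"]), timezone.utc)
        expires = datetime.fromtimestamp(_dword(vals["LeaseTerminatesTime"]), timezone.utc)
        out.append((key.rsplit("\\", 1)[1], ip, obtained, expires))
    return out


def lease_covers(alleged, obtained, expires):
    """Classify an alleged timestamp against the recorded lease window.

    'before lease obtained' means the stored lease does not vouch for the
    address at that time.  It does NOT prove the host lacked the address then:
    the registry keeps only the lease current when the machine last ran, so
    earlier leases (and earlier addresses) are simply not recorded here."""
    if alleged < obtained:
        return "before lease obtained"
    if alleged > expires:
        return "after lease expired"
    return "inside lease"


def check_alleged(text, alleged):
    """[(ip, verdict)] for every DHCP interface in the export."""
    return [(ip, lease_covers(alleged, ob, ex)) for _, ip, ob, ex in dhcp_leases(text)]


if __name__ == "__main__":
    for when in (ALLEGED_START, ALLEGED_END):
        for ip, verdict in check_alleged(SAMPLE_REG, when):
            print(ip, "at", when.isoformat(), "->", verdict)
```

Run against a real export (regedit's File > Export of the Interfaces key from the imaged SYSTEM hive), the script answers only the narrow question "does the lease the machine recorded cover the alleged time?". A "before" verdict is the contradiction raised earlier in the thread; the ISP's own DHCP or RADIUS logs, not the client registry, are what can say who held the address before that lease.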

    Ask for network logs of the transfered files
    Authored by: ikocher on Sunday, December 31 2006 @ 03:53 AM EST
    Ask for network logs of media sentry's internal network while downloading the
    files. If they used a kazaa client, and from there they infer the IPs and file
    contents, I think that is not very strong. They only trust _that_ program. So
    what about bugs, trojans, etc?

    If they have a network sniffing (tcpdump does it) of all the packets, headers
    and payload, of the actual transfers of those files, that is rock solid for
    riaa; but if they don't have it, they only have what the kazaa client showed
    them, let's say, made them believe. A network sniff of the local network is much
    more solid, and will show clearly the ip address of all computers involved in
    the transfers, showing if it was only Lindor alleged one, or more.

    The log will have the contents of the files, so if those files had a copyrighted
    material, it will be there, solid. If not, again, is what the kazaa client
    shows, only that.

    These 'experts' should have done that. A video can't help, but a log I think is
    more solid. It is always easily fakeable, at the end is only a text file,
    pretty easy to setup, but at least can show that they did their work, not a guy
    looking at the kazaa client now claiming to be an 'expert'.

    This is part of the methods used to get those screenshots and blah-blah.

    From the logs, an expert can check if at least they are valid or real logs. The
    content of the files verified.


    Also, it might be used to identify the alleged Lindor computer, due to
    fingerprinting of the packets, so riaa can make a stronger case, identifying the
    alleged computer.


    It seems these logs don't exist at all. Happy case riaa!


    Ivan

    [ Reply to This | # ]

    Another Lawyer Would Like to Pick Your Brain, Please
    Authored by: bloggsie on Sunday, December 31 2006 @ 04:04 AM EST
    My academically unqualified opinion after 35 years in the computer business is that the use of Internet Addresses and Network Interface Card MAC numbers is only rather poor circumstantial evidence at best.

    In order to produce 'smoking gun' level of evidence imho that the 'enforcers' would have to:-

    1. Covertly install a root-kit which:-
      • Locates the executable which is doing the deed.
      • Accurately records the time and logs the traffic, and the ports used, to an external recording server.
      • Hashes the files in the directory which is being shared. Reports the file names and their hashes to the external server.
      • Monitors the IP traffic for a fair while to see if the machine is receiving orders remotely from a botnet, or a human, taskmaster.
      • Positively identifies the disk the shared files are being stored on. Disks do have the manufacturer's model and serial numbers embedded in the firmware.
      • Reports all these details to the recording server.
    2. Get a search warrant to seize the disk while the copyright infringer is busy at the computer. Take a photograph of Mr. or Ms. X so they can be properly identified subsequently.
    3. Make a certified copy of the disk, and give it back to its owner.
    4. Analyse the copy to demonstrate to the court that it is identical in every respect - including the serial number and the hashes - to the disk discovered by the root-kit.
    5. Play a selection of the copyright music off the disk to the Court.
    6. Say to the Court: "We have proven beyond all doubt that the computer being operated by X was sharing copyright material. We seek $UVW,XYZ.00 in damages from X for losses incurred due to X's activities".
    7. Demonstrate that $UVW,XYZ.00 is a realistic estimation of actual losses.
    IMHO, Anything less does not provide 'smoking gun' proof, and if any society wants to stop copyright infringement using P2P filesharing, then it has to prescribe that the above procedure, or something very similar, is both legal and adhered to before seeking convictions. It would be sensible to have different penalties for private people sharing material and commercial entities generating revenue streams at copyright holders expense.

    [ Reply to This | # ]
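Steps 3 and 4 of the list above (make a certified copy, show the court it is identical) and the file hashing in step 1 are the parts of that procedure an examiner can actually mechanise, so here is an added example of how that is done; it is not bloggsie's code nor anything used in the case. The script builds a SHA-256 manifest of an acquired tree, copies it, verifies the copy against the manifest, then alters one byte and deletes one file in the copy to show what verification reports. The files are constructed in a temporary directory so it runs offline. One caveat that the thread itself raises about logs applies here too: the manifest is only a text file, so it proves nothing about when it was made or by whom unless it is generated in front of a witness, or signed and time-stamped, at acquisition.

```python
"""Hash manifest for acquired evidence and verification of a working copy.

Added example for this thread, not the procedure of anyone in the case.
The files are constructed in a temporary directory so the script runs offline.
"""
import hashlib
import os
import shutil
import tempfile

CHUNK = 1 << 20  # hash in 1 MiB pieces so large images do not need to fit in RAM


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Return {relative_path: sha256} for every regular file under root.

    Paths are stored with forward slashes so a manifest written on one OS
    verifies on another; directory order is sorted so output is reproducible."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def write_manifest(manifest, path):
    """sha256sum-compatible format: '<hex>  <relative path>' per line."""
    with open(path, "w", encoding="utf-8") as f:
        for rel in sorted(manifest):
            f.write("%s  %s\n" % (manifest[rel], rel))


def read_manifest(path):
    manifest = {}
    with open(path, encoding="utf-8") as f:
        for line in f:
            line = line.rstrip("\n")
            if line:
                digest, rel = line.split("  ", 1)
                manifest[rel] = digest
    return manifest


def verify_copy(copy_root, manifest):
    """Compare a copy against the manifest.

    Returns (ok, problems).  A copy is accepted only if every listed file is
    present with the recorded digest and nothing has been added; 'modified:',
    'missing:' and 'extra:' entries say which condition failed."""
    actual = build_manifest(copy_root)
    problems = []
    for rel, digest in sorted(manifest.items()):
        if rel not in actual:
            problems.append("missing: " + rel)
        elif actual[rel] != digest:
            problems.append("modified: " + rel)
    for rel in sorted(set(actual) - set(manifest)):
        problems.append("extra: " + rel)
    return (not problems, problems)


def demo():
    """Construct a small tree, hash it, copy it, verify, then tamper and re-verify."""
    work = tempfile.mkdtemp(prefix="manifest-demo-")
    try:
        src = os.path.join(work, "acquired")
        os.makedirs(os.path.join(src, "shared"))
        # Constructed stand-ins for files found on an acquired image.
        with open(os.path.join(src, "shared", "track01.mp3"), "wb") as f:
            f.write(b"\xff\xfb\x90\x00" + b"A" * 4096)
        with open(os.path.join(src, "shared", "track02.mp3"), "wb") as f:
            f.write(b"\xff\xfb\x90\x00" + b"B" * 2048)
        with open(os.path.join(src, "notes.txt"), "wb") as f:
            f.write(b"constructed sample\n")

        manifest_path = os.path.join(work, "acquired.sha256")
        write_manifest(build_manifest(src), manifest_path)
        loaded = read_manifest(manifest_path)  # what a second examiner would receive

        copy = os.path.join(work, "working-copy")
        shutil.copytree(src, copy)
        clean = verify_copy(copy, loaded)

        # Flip one byte and drop one file in the copy, then verify again.
        with open(os.path.join(copy, "shared", "track02.mp3"), "r+b") as f:
            f.seek(100)
            f.write(b"C")
        os.remove(os.path.join(copy, "notes.txt"))
        tampered = verify_copy(copy, loaded)
        return clean, tampered, len(loaded)
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    clean, tampered, n = demo()
    print("files in manifest:", n)
    print("clean copy verifies:", clean)
    print("tampered copy verifies:", tampered)
```

The same manifest format is what `sha256sum -c acquired.sha256` consumes, so the other side can re-check the copy with a stock tool rather than trusting the examiner's software.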

    Physical security
    Authored by: Anonymous on Sunday, December 31 2006 @ 05:06 AM EST
    An area that no-one seems to have addressed is physical security of the connection. Since the ISP is a telephone company, we have assumed that the connection is either DSL or dialup. This seems valid, although DOCSIS (cable) is still possible. Since Groklegians tend to be techies, the focus has been on technological areas. However, simple, old-fashioned wiretapping needs to be checked out.

    1. Has anyone investigated the security of the physical connection between Verizon and Mrs Lindor's MPoE, including the MPoE itself? This should be in the plaintiff's case, unless this essential step was (a)overlooked or (b)exculpatory.

    We know that Mr Lindor, the owner of the computer in question, passed away, leaving Mrs Lindor to take care of his useless (to her) PC and its ISP connection, among all the other things a newly minted widow has to take care of. Was the PC normally left on or off, during Mr Lindor's life and later?

    Was Mr Lindor's death lingering or sudden? If it were lingering, it would have given ample opportunity for someone to make (ahem) illicit access to the Verizon wiring, to use Mr Lindor's account for some other purpose. As long as Mr Lindor wasn't using his PC, an intruder would have little chance of detection. After Mr Lindor died, detection likelihood became nil.

    During the time Mr Lindor owned the PC, did he in fact use it much? What sort of things did he use it for? Was this usage consistent with the low usage found on the disk image?

    Could Mr Lindor, himself, have been a music 'collector'? If Mr Lindor had downloaded some music, with or without knowledge that it was being made available for sharing, the dynamics would seem to change. Depending on who held the Verizon account at the time, Mrs Lindor might not be liable for the actions of her dead husband, after his death. The actions would be the downloading, leaving the PC turned on and connected to the ISP.

    ---
    --Bill P, not a lawyer. Question the answers, especially if I give some.

    [ Reply to This | # ]

    Another couple of things to check
    Authored by: PeteS on Sunday, December 31 2006 @ 07:13 AM EST
    I was musing on the 'never used a computer in her life' phrase and this comes
    up:

    It is possible others in the local apartments / homes *knew* this and registered
    a Verizon account in your client's name - ID theft is quite common and would be
    a very slick way of avoiding attention (at least for a while) in this sort of
    case.

    This also would account for the reason the hard drive has no traces of Kazaa,
    files etc., for the simple reason it was *not* the computer used in the alleged
    maldeeds.

    This would require questioning of the Verizon accounts and technical people, but
    it certainly might be a line to follow up:

    Q: Does the hard disk that was examined have any evidence of the violations?
    A: (Expect NO)

    Q: Was the hard disk the only one in the computer?
    A: (Expect YES)

    Q: Where is your physical evidence this computer was used to commit the alleged
    violations?
    A: (Should make the expert squirm a bit)

    Q: Have you, or have you required, the ISP to be questioned on the full account
    details of the defendant?
    A: (Probably NO)

    I am sure you can think of more questions.

    Now methodology.

    There have been threads in the past on the futility of trying to erase data
    completely from hard disks. Indeed, even a defrag doesn't get rid of latent
    traces.

    So (not necessarily in this order):

    Q: What tests were performed to extract the data from the hard disk?
    A: [I would expect a detailed answer of scanning and recovery here. If not, then
    perhaps it was sent to a professional data recovery house. If neither, then they
    are grossly negligent]

    Q: Please explain your qualifications in Computer Forensics in detail (courses
    attended, time, qualifications obtained)

    Q: Did you personally gather the information in this case?
    A: [NO, the boilerplate says he will testify as to what other people's data
    mean]

    A bottom line on that, incidentally, is to get non-expert testimony admitted as
    expert testimony by the artifice of using an expert to testify it - not sure the
    Judge will let that one fly, but that's up to you to introduce of course :)

    PeteS


    ---
    Only the truly mediocre are always at their best

    [ Reply to This | # ]

    Mac Address identification. / Reformatted HDD?
    Authored by: Anonymous on Sunday, December 31 2006 @ 08:11 AM EST
    MAC ADDRESS Did they verify the IP to MAC address of the device using the IP?

    Was the MAC address verified against the hardware installed in the computer?

    From DUX Computer Digest - MAC Address

    Q. What is an Ethernet MAC address?

    A. MAC = Media Access Control. Each and every Ethernet device interface to the network media (e.g., network adapter, port on a hub) has a unique MAC address, which is "burned" into the hardware when it is manufactured. MAC addresses uniquely identify each node in a network at the Media Access Control layer, the lowest network layer, the one that directly interfaces with the media, such as the actual wires in a twisted-pair Ethernet. In modern Ethernets the MAC address consists of six bytes which are usually displayed in hexadecimal; e.g.,

    00-0A-CC-32-F0-FD

    The first three bytes (e.g., 00-0A-CC) are the manufacturer's code and can be used to identify the manufacturer. The last three are the unique station ID or serial number for the interface. One can determine the MAC address of an operating Network Interface Card (NIC or network adapter) in Windows 9X/Me with Start, Run, enter winipcfg, and select the adapter. In Windows NT, 2000, and XP it can be determined by opening a DOS Window/Prompt (Start, Programs, Accessories...) and typing:

    C:>ipconfig /all

    The MAC address/station ID may be printed on the NIC.

    Many broadband routers can clone a NIC MAC address. That is, make the Wide Area Network (WAN) Ethernet interface going to a cable or DSL MODEM look like a NIC in a PC. This is useful in that many MODEMs marry themselves to a specific MAC address when they are first installed and it can be rather difficult to get them to marry themselves to a new MAC address. The WAN port MAC address on some routers can be manually changed (e.g., the SMC7004ABR).

    It is possible to change/override the MAC address with Windows, etc.

    A vendor/Ethernet MAC address lookup service is available online,
    or go straight to the source: http://standards.ieee.org/regauth/oui/index.shtml

    This BASIC NETWORKING INFORMATION would identify the Hardware Manufacturer of the DEVICE (Computer Network Interface Card or Router) that was attached to the CABLE or DSL modem. YES THE INFORMATION CAN BE SPOOFED. Assuming the technical level of the average user this information would be unknown to most of them and therefore unlikely to be manipulated.

    I use this information frequently at work to locate machines on the network (sometimes the computer name in the records does not match the name configured in the machine). The MAC address is also used to turn on the machines remotely using WOL (Wake-On-Lan) in order to perform administration duties on the equipment without having to physically visit the location to turn on the machine.

    Cable modems.

    The Cable providers here in Canada only allow Registered Devices to attach to the network. This is also done by Wireless Internet Providers (Wireless to the customer premise), it's the same modem. At least one cable provider tries to charge their customers for EACH pc that attempts to connect through the modem.

    The most common method to circumvent this restriction is to install a router and configure the router to spoof the MAC address of the registered P.C.

    This is necessary even if you only want to install a router as a firewall for a single computer!

    DSL.

    The DSL service in the town I live in is provided through the local Telco. There are AT LEAST 3 "ISPs" and at least one of them has customers on 2 different backend resellers. The resellers contract DSL through the local telco and reroute the customers to the ISP's network.

    ALL OF THE TRAFFIC starts at the telco!

    You CAN and I HAVE logged in to my account belonging to one provider in order to test the access of a customer of A DIFFERENT ISP AT A DIFFERENT LOCATION! The access is authenticated based on the username and password. The system doesn't give a damn where I am.

    I usually use this method to identify a customer account that has been disabled because the bill has not been paid in a timely manner.

    A login ID - MIGHT NOT - accurately identify the originating source.

    HDD FORMAT SERIAL NUMBER

    Dos drives used to encode the current date into a digital serial number assigned to the disk when it was formatted. This was done on Floppy disks as well as hard disk drives.

    Can it be determined when the drive that WAS being examined was formatted?

    If it was formatted any length of time before the alleged violations then it is likely what it appears to be and WAS NOT the machine identified by the original investigation.

    Anonymous GrokLurker Since Week ONE. R.A.G.

    [ Reply to This | # ]
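The comment above describes the OUI/station-ID split and notes that the address can be spoofed. The script below is an added example (mine, not the commenter's and not from any tool in the case) of the checks an examiner would actually run on the `ipconfig /all` output the comment describes: it pulls each adapter's Physical Address out of a constructed transcript, splits it into OUI and station ID, looks the OUI up in a table, and tests the two flag bits in the first octet: the individual/group bit (a group address is never a valid station address) and the universal/local bit, which is set when the address was locally administered, i.e. assigned by software rather than burned into the card. The transcript and the OUI table are constructed for the example; a real check resolves the OUI against the IEEE registry the comment links to. The caveat cuts one way only: a set local bit is a strong hint of software assignment, but a clear one proves nothing, because a spoofing tool can copy any vendor-looking address.

```python
"""Extract and sanity-check MAC addresses from an `ipconfig /all` transcript.

Added example for this thread, not from the comment above or the case file.
The transcript and the OUI table are constructed; a real check resolves the
OUI against the IEEE registry (http://standards.ieee.org/regauth/oui/).
"""
import re

# Constructed transcript in the Windows XP `ipconfig /all` layout.
# The second adapter carries a locally administered address on purpose.
SAMPLE_IPCONFIG = """
Windows IP Configuration

        Host Name . . . . . . . . . . . . : example-pc
        IP Routing Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection:

        Description . . . . . . . . . . . : PCI Fast Ethernet NIC
        Physical Address. . . . . . . . . : 00-0A-CC-32-F0-FD
        Dhcp Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.0.2.17

Ethernet adapter Local Area Connection 2:

        Description . . . . . . . . . . . : Loopback Adapter
        Physical Address. . . . . . . . . : 02-00-4C-4F-4F-50
        Dhcp Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 192.168.0.2
"""

# Constructed OUI table (first three octets, upper-case hex, no separators).
OUI_TABLE = {"000ACC": "Example NIC Vendor"}

_ADAPTER_RE = re.compile(r"^(\S.*):$")
_FIELD_RE = re.compile(r"^\s+([A-Za-z][A-Za-z0-9 \-]*?)[ .]*: ?(.*)$")
_MAC_RE = re.compile(r"^([0-9A-Fa-f]{2})(?:[-:]([0-9A-Fa-f]{2})){5}$")


def parse_ipconfig(text):
    """Return {adapter_name: {field: value}} from `ipconfig /all` output."""
    adapters, current = {}, None
    for line in text.splitlines():
        m = _ADAPTER_RE.match(line)
        if m:
            current = m.group(1)
            adapters[current] = {}
            continue
        m = _FIELD_RE.match(line)
        if m and current is not None:
            adapters[current][m.group(1).strip()] = m.group(2).strip()
    return adapters


def analyze_mac(mac, oui_table=OUI_TABLE):
    """Split a MAC into OUI / station ID and decode the two flag bits."""
    mac = mac.strip()
    if not _MAC_RE.match(mac):
        raise ValueError("malformed MAC address: %r" % mac)
    octets = [int(x, 16) for x in re.split(r"[-:]", mac)]
    oui = "".join("%02X" % o for o in octets[:3])
    return {
        "mac": "-".join("%02X" % o for o in octets),
        "oui": oui,
        "station_id": "".join("%02X" % o for o in octets[3:]),
        "vendor": oui_table.get(oui),
        # I/G bit (0x01): multicast/broadcast; never a single station's address.
        "group_address": bool(octets[0] & 0x01),
        # U/L bit (0x02): locally administered, i.e. set by software/config.
        "locally_administered": bool(octets[0] & 0x02),
    }


def audit_adapters(text, oui_table=OUI_TABLE):
    """Analyze every adapter in the transcript and attach examiner's notes."""
    findings = {}
    for name, fields in parse_ipconfig(text).items():
        mac = fields.get("Physical Address")
        if not mac:
            continue
        info = analyze_mac(mac, oui_table)
        notes = []
        if info["group_address"]:
            notes.append("group bit set: not a valid unicast station address")
        if info["locally_administered"]:
            notes.append("locally administered: likely software-assigned")
        elif info["vendor"] is None:
            notes.append("OUI not in table: resolve against IEEE registry")
        info["notes"] = notes
        findings[name] = info
    return findings


if __name__ == "__main__":
    for name, info in audit_adapters(SAMPLE_IPCONFIG).items():
        print(name, info["mac"], "OUI", info["oui"], info["vendor"], info["notes"])
```

Note that the parser rejects the address exactly as it appears in the quoted DUX article ("FO" with a letter O), which is the kind of transcription slip that should be caught before a MAC from a report is compared with one from a seized card.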

    OUT OF THE BOX
    Authored by: tyche on Sunday, December 31 2006 @ 10:41 AM EST
    Just out of curiosity, I did a Google search for Media Sentry. Below is the Google link, followed by some interesting views on the services and integrity of the company (actually spelled MediaSentry, come to find out) that may lead to other interesting questions this attorney might like to pursue.

    Original Google link that I used
    This is the original link that I used (http://www.google.com/search?q=media+sentry&ie=utf-8&oe=utf-8&rls=com.ubuntu:en-US:official&client=firefox-a). Your mileage may differ on actually clicking on it, which is why I also placed it in plain text. Better would be for you to just go to Google and enter "media sentry" (without the quotes).

    Wikipedia entry for MediaSentry
    Wikipedia has an entry for MediaSentry with some generalized background on their "methods and procedures" (my GOSH, this is beginning to sound like TSCOG, isn't it?). This site also mentions the UMG v. Lindor case, and has various references at the bottom including a link to the litigation documents and others of useful note for those interested in this case.

    "Recording Industry vs The People" blog-spot
    I found this to be an interesting site, full of potential. The creation of Ty Rogers and Ray Beckerman (Hm, that name sounds familiar), who practice law at Vandenberg & Feliu, LLP., in New York City. The particular article listed is the "Deposition of Media Sentry representative in BMG v. Doe explaining Media Sentry 'investigative' technique". It would appear that somebody is doing their homework. :-)

    Slyck News link
    This link is included simply to show that there are various opinion pieces on the net regarding MediaSentry. It would appear that opinions run AGAINST veracity of MediaSentry's results.

    This is NOT meant to be a definitive examination of all the material available on the web - simply an alternative direction to look for further resources, and to see what other questions may have been raised concerning MediaSentry's and RIAA's "methods and concepts".

    Craig
    Tyche

    ---
    "The Truth shall Make Ye Fret"
    "TRUTH", Terry Pratchett

    [ Reply to This | # ]

    Another Lawyer Would Like to Pick Your Brain, Please
    Authored by: pauljhamm on Sunday, December 31 2006 @ 11:45 AM EST
    Verizon Internet service hardware

    Initially Verizon supplied a Westel DSL bridge sometimes referred to as a DSL or
    Broadband modem. This device acted as a bridge between the incoming DSL signal
    over RJ-11 (phone cable) to RJ-45 (Ethernet cable) and required PPPOE wrapper to
    generate Internet access. The PPPOE wrapper functionality was supplied by a
    Verizon software utility that installed on a Windows OS PC. Other PPPOE wrapper
    utilities were available, most notably RASPPPOE, a much lighter weight utility
    that was not supported by Verizon.

    Later Verizon began supplying a more sophisticated connection product in the form
    of a Westel DSL router firewall. This device removed the need for a PPPOE
    utility installed on the PC. The current product supplies connection, routing,
    forwarding, firewall, NAT, DHCP, DNS, NTP and I believe proxy utilities. All
    functions are configurable through a web based utility.

    Verizon is now offering FIOS (Fiber Optic) connections. The Internet connection
    is supplied with a FIOS to RJ-45 bridge (a big grey box attached to the side of
    the house) and a D-Link DI-624 wired/wireless router/switch. The DI-624
    supplies similar services to the Westel DSL router firewall above.

    The connection via Westel DSL router firewall would preclude external (WLAN)
    observation of the workings of the LAN (internal network) making any statements
    about the internal topology moot. Connecting a device such as the DI-624
    between the Westel DSL router firewall and the PC is trivial. The DI-624 and
    many other similar devices supply both wired and wireless connections. These
    devices are commonly used in home networks to share Internet connections. These
    devices are easily attainable and inexpensive. Such a device could also be
    connected between the older Westel DSL bridge and PC to supply security and
    connection sharing.

    In the older DSL bridge configuration, installation of the PPPOE utility
    software onto a PC would not be unusual. Indeed you would expect this to be the
    norm. The initial connection is often made by a service technician or by the
    end user to verify connectivity using the provider's utilities. Once function of
    the connection is verified, insertion of a dedicated router/firewall between
    the DSL bridge and the PC would be accomplished and the utility software on the
    PC would simply not be used. Leaving the software utilities on the PC is easily
    argued. It supplies a backup in the case of hardware failure. It supplies a
    second connection ability for testing, when the provider breaks something.

    I am personally familiar with all 3 of the above supplied Verizon products. I
    was an early adopter of DSL in my area and had the Westel DSL bridge connected
    to a GNULinux machine which acted as the router/firewall for several years. Two
    of my brothers currently have Verizon supplied DSL that use the Westel DSL
    router/firewall. One Brother uses a DI-624, functioning as a switch, between
    the Westel and his 2 computers, one wired the second wireless. The second
    Brother uses a similar setup but I am not sure which brand of device he
    currently uses. I have recently upgraded my DSL to FIOS, though I still use my
    GNULinux machine for routing and security. The Verizon supplied DI-624
    functions purely as a switch.

    Interestingly the FIOS installer used a wireless laptop and connected to a
    neighbor's wireless connection to complete the final hookup of my new FIOS
    connection. The installer stated that he does this all the time and never has a
    problem finding a connection. I don't believe I will comment on the legality of
    the phone company, or its agents, stealing Internet access.

    Just another PJ

    [ Reply to This | # ]

    Another Lawyer Would Like to Pick Your Brain, Please
    Authored by: Anonymous on Sunday, December 31 2006 @ 12:24 PM EST
    These lawsuits seem to be about 'intimidation'. In civil cases, the judge (or jury) is asked to decide 'on the balance of probabilities' who is most likely to be right. So, the question is, 'by what right did the RIAA obtain their evidence' ?
    • Why did the ISP tell them anything ? I believe that in the UK, ISP logs are only searchable by police with a search warrant; you only get search warrants in criminal cases, not civil ones.
    • Why did the RIAA get a hard disk ? My hard disk may contain items confidential to me or to my employer. Again, I would only feel the need to give it up if presented with a search warrant in respect of a criminal case. I would do my best to give my hard disk to my employer, and tell him to duke it out with whoever wanted it.

      And if they don't have the right to get the evidence, then surely they do not have the evidence ?

      [ Reply to This | # ]

    Another Lawyer Would Like to Pick Your Brain, Please
    Authored by: Anonymous on Sunday, December 31 2006 @ 01:59 PM EST
    A; some analysis from me that I was going to post on the linked Blog before I
    realised that it requires registration.

    The statement "two devices cannot effectively function if they are directly
    connected to the internet with the same IP address" is both misleading and
    wrong.

    a) misleading.

    Whilst it is true that normally a single address is not shared by multiple
    devices, a very common form of connection to the internet is via a "Network
    Address Translation" system. This multiplexes multiple devices onto the
    same system.

    b) wrong

    There exists special software, e.g. ettercap, which allows a system to identify
    the IP address of another system and send its own traffic with that IP address.
    This software requires no modification of the original system and can be
    applied to any system which is directly connected to the internet provided that
    the "clone" system is on the same network segment as the original one.


    B; a comment;

    It's almost impossible for me to read through the entire set of comments here.
    I can probably make several hundred comments myself. I'd really appreciate if
    you could put the document up for analysis with a more suitable interface.
    Please look at http://gplv3.fsf.org/comments/gplv3-draft-2.html for an example
    that you can probably copy.

    Also, personally, I'm not willing to contribute large amounts of work on
    Groklaw. The reason for this is that the comments on Groklaw are not under a
    consistent single copyleft license so other lawyers with a similar problem would
    not be able to simply copy them and use them in their work. If you put up an
    interface as I discussed before, please put comments under the GFDL license or
    something similar. Others who want a different license could still use Groklaw.

    [ Reply to This | # ]

    Some legal ammunition?
    Authored by: Anonymous on Sunday, December 31 2006 @ 02:29 PM EST
    Below is an example of a lawsuit ( U2/Negativland ) in which the people who
    did the song:
    -were personally bothered by the legal approach of the suit
    -weren't even informed by the "powers" what was going on
    -did the same "illegal thing themselves"

    "Negativland's next project was the infamous U2 record with samples from
    "America's Top 40" host Casey Kasem. In 1991, Negativland released a
    single with the title "U2" displayed in very large type on the front
    of the packaging, and "Negativland" in a smaller typeface. An image of
    the Lockheed U-2 spy plane was also on the single cover...

    U2's label Island Records sued Negativland claiming that the "U2"
    violated trademark law, and the song itself violated copyright law. Island
    Records also contended that the single was an attempt to deliberately confuse U2
    fans, then awaiting Achtung Baby...

    ...In June, 1992, R.U. Sirius, publisher of the magazine Mondo 2000 came up with
    an interesting idea. Publicists from U2 had contacted him regarding the
    possibility of interviewing Dave Evans (aka "The Edge") hoping to
    promote U2's impending multi-million dollar Zoo TV Tour, which featured found
    sounds and live sampling from mass media outlets (things for which Negativland
    had been known for some time). Sirius, unbeknownst to the Edge, decided to have
    his friends Joyce and Hosler of Negativland conduct the interview. Joyce and
    Hosler, fresh from Island's lawsuit, peppered the Edge with questions regarding
    his ideas about the use of sampling in their new tour, and the legality of using
    copyrighted material without permission. Midway through the interview, Joyce and
    Hosler revealed their identities as members of Negativland. An embarrassed Edge
    reported that U2 were bothered by the sledgehammer legal approach Island Records
    took in their lawsuit, and furthermore that much of the legal wrangling took
    place without U2's knowledge: "by the time we (U2) realized what was going
    on it was kinda too late, and we actually did approach the record company on
    your (Negativland's) behalf and said, 'Look, c'mon, this is just, this is very
    heavy...'" Island Records reported to Negativland that U2 never authorised
    samples of their material; Evans response was, "that's complete bollocks,
    there's like, there's at least six records out there that are direct samples
    from our stuff."[2]


    from: http://en.wikipedia.org/wiki/Negativeland

    My thought: might it be of use to subpoena the artists who did some of the records
    in question, and get it in the legal record how they feel about what the record
    companies are doing.


    [ Reply to This | # ]

    Conflict of Interest
    Authored by: Anonymous on Sunday, December 31 2006 @ 03:26 PM EST
    A lot of people questioned the validity of evidence. I suggest what they are
    really concerned about is the blatant conflict of interest here. MediaSentry is
    under a tremendous amount of financial pressure to provide evidence that will
    convict people of file sharing. I would point this out to the court. The
    details of why the evidence is suspect are important but perhaps what is more
    important is the presence of a conflict of interest. It is human nature to
    change facts for financial gain.

    [ Reply to This | # ]

    How to get the pdf files
    Authored by: archimerged on Sunday, December 31 2006 @ 05:49 PM EST
    I've read (or at least looked at) most of the PDF's in the case. They were hard
    to access because of the frames around the PDF display, which doesn't work on my
    setup anyway. (Firefox takes forever to load the page, then the pdf gets
    downloaded to /tmp/ and opened in my pdf reader). So I did this:

    1. saved http://info.riaalawsuits.us/documents.htm
    2. Prepared a list of URLs for this case from the html file:

    # split the HTML on '<' and '>' so each anchor lands on its own line, keep the
    # Lindor links, and strip the a href="..." wrapper to leave bare URLs
    tr '<' '\n' < documents.htm | grep '^a href=' | grep lindor | tr '>' '\n' \
      | grep '^a href=' | sed 's/^a href="//; s/"$//' > umg_lindor_URLS.txt

    This produced a file of 114 lines with one URL per line, like so:

    http://www.ilrweb.com/viewILRPDF.asp?filename=umg_lindor_firstamendedanswer
    http://www.ilrweb.com/viewILRPDF.asp?filename=umg_lindor_060412expertwitnessreportplaintiff
    http://www.ilrweb.com/viewILRPDF.asp?filename=umg_lindor_060425judgetrager

    3. Downloaded all of those URLs with wget:

    cat umg_lindor_URLS.txt | xargs wget

    4. Extract the actual pdf URLs and fetch them with wget:

    grep IFRAME *.asp* | sed 's|^[^"]*"|http://www.ilrweb.com|;
    s/".*$//' | xargs wget

    Of course I looked at the results of the pipeline before actually running it
    with xargs wget. The first few lines of output were

    http://www.ilrweb.com/ILRPDFs/umg_lindor_060412expertwitnessreportplaintiff.pdf
    http://www.ilrweb.com/ILRPDFs/umg_lindor_060425judgetrager.pdf
    http://www.ilrweb.com/ILRPDFs/umg_lindor_060502response.pdf

    (In a different order because the shell expands *.asp* in alphabetical order,
    not in the order found in documents.htm).

    5. Opened the directory containing the pdf's with firefox file:///home/....
    Then clicking on a pdf (which has the correct date beside the link because wget
    sets the file date to match the server date upon download) opens it quite
    quickly in my pdf reader.

    I realize that ilrweb wants everyone to be aware of their
    contribution by framing the pdf's, but it slows down access
    to them so much as to prevent access unless you avoid the frame.

    [ Reply to This | # ]

    UMG should have treated Ms. Lindor just as they treated Verizon.
    Authored by: archimerged on Sunday, December 31 2006 @ 06:07 PM EST
    It is fairly obvious that UMG should not have sued Ms. Lindor but should have
    continued discovery under the same John Doe case they used to obtain her name
    from Verizon. They should have subpoenaed computers which might have been used
    with her Verizon internet account and the names of anyone who might have used
    it, and details of her computer and network equipment. Then it would have
    become obvious who they should be suing.

    But they don't seem to be interested in justice, only settlements without trial.
    They didn't want to have to go to the expense of actually examining her
    computer without first trying to get her to settle.

    [ Reply to This | # ]

    How about a summary and/or follow on questions
    Authored by: Anonymous on Sunday, December 31 2006 @ 09:27 PM EST
    I was just wondering whether it would be useful for Mr Beckerman to summarise
    his understanding of the comments made so far and/or to ask more clarifying
    questions as appropriate (providing they don't of course compromise legal
    strategy to be used in court.) I would've thought it very important that any
    discrepancies/problems with the prosecution's case be clearly and unambiguously
    understood before the deposition and supporting links/evidence found, so as to
    maximise the value that might be had from it, and to strengthen the defense's
    case going forward. In particular, demonstrably false assertions (like the one
    that a PC that uses a public IP address necessarily must be directly connected
    to the internet and can not be through a router) I would've thought need the
    facts and counterexamples proving them documenting, either for use during the
    deposition, or for use during trial? Or would this not be useful at this point?
    (IANAL IMHO etc.)

    ByteJuggler

    [ Reply to This | # ]

    Questions for the good Doctor
    Authored by: Anonymous on Monday, January 01 2007 @ 01:23 AM EST
    The only thing going for the persecution at this time is that they have a
    Verizon user account associated with a Kazaa share at a particular point in
    time. Is there any other evidence which can link the defendant to the file
    sharing?

    Her computer gives no evidence and even though the Doctor says that the disk
    image showed evidence of a routeable IP address he does not assert that it is
    the same IP address as did the file sharing. I would therefore guess that it is
    not, but I might ask.

    Actually it might be very interesting if the IP address from the registry WAS
    the same especially if it was obtained at about the time in question. As there
    is no evidence of the software or the data, if the IP address is the same and
    was obtained at about that time it is evidence that the machine has not been
    rebuilt since then to destroy incriminating evidence.

    I'd also like to know what limitations there are preventing anyone in the world
    from connecting to Verizon using her userID and password (which could be
    obtained any number of ways) and being assigned that IP address.

    I'd like to know if the screenshots or logs indicated the full directory path to
    the shared files (e.g. c:kazaapublic or d:bigshare or something.) If it was
    on the C: drive assuming a windows machine of course then it would have to be on
    the primary disk and if other evidence shows that the primary disk in the
    defendant's machine is the same one it has always been that is good evidence
    that hers was not the machine used.

    Q. How many different locations could someone using this user's credentials
    connect to the Verizon service from?

    Q. Is there any information in the Verizon logs to indicate an origin for the
    connection made using the defendant's credentials on that occasion? e.g. dial-up
    might show a phone number, ADSL or cable might indicate an exchange or DSLAM or
    particular cable loop.

    Q. How could you differentiate between the defendant connecting to Verizon and
    someone else who might be using her userID and password?

    Q. Is it not possible for someone to alter the IP address that their computer
    announces to the network and even the MAC address to effectively take over
    someone else's idle internet connection? (A. yes it is!)

    Q. Does the MediaSentry information indicate the full path to the shared file
    directory on the machine at IP address 141.155.57.198? If so on which disk does
    it reside?

    I would basically be trying to establish what exactly they have in all the
    MediaSentry stuff and the hard drive image.

    [ Reply to This | # ]

    Not spoofing, but packet forwarding
    Authored by: Anonymous on Monday, January 01 2007 @ 01:23 PM EST
    Ok, let's assume that Ms. Lindor is telling the truth, and that MediaSentry's
    report is accurate. There is another way that this could all be true.

    Packet forwarding on Ms. Lindor's computer.

    Let's say that Ms. Lindor is not knowledgeable about computers (this doesn't
    have to be true, as I know people who even were running linux servers who got
    owned at one point, but for simplicity let's assume that Ms. Lindor is an
    average end user).

    What happens is that a reasonably skilled person takes over control of Ms.
    Lindor's computer and uses that to share files. Actually the files are never on
    Ms. Lindor's machine, rather her machine is the gateway for the files to be
    shared (similar to NAT). This isn't complex, in fact it's trivial. Sometimes
    the Network administrators get upset when I reroute open ports to different
    protocols or when I have to create a new path between machines to show that
    there is a problem with packets going one way or another. In other words, as
    part of my work, I do this regularly on machines that I have the legal authority
    to do so to.

    This is a common use of "zombie" machines in my opinion, to create a
    black hole for the tracing the packets back. It's also common to remove traces
    after the fact.

    But heck what do I know?

    [ Reply to This | # ]

    • Good Point - Authored by: Anonymous on Tuesday, January 02 2007 @ 04:02 AM EST
    Just some comments.
    Authored by: Anonymous on Monday, January 01 2007 @ 02:28 PM EST
    The good dr.
    1: Uses the word "Users" where the word "Node" should be
    used.
    2: While not checking the content of the file he will refer to the hash;
    Google for "hash collision" to rebut this.

    For somebody with so many projects and side jobs I can't believe he found time
    to go deep into any subject.

    If he really knows so much about the internet, he will also know how easily info can be
    spoofed or misinterpreted.
    I did not find a word on this in his "boilerplate report"

    /Arthur

    [ Reply to This | # ]

    We seem to have missed something here!!!
    Authored by: ausage on Monday, January 01 2007 @ 06:47 PM EST

    I just realized that we seem to have forgotten something important here. We know the RIAA is prone to submit hearsay evidence and testimony. The red flag for me is that in neither of Dr Jacobson's Expert Reports does he give any indication of the methodologies, procedures or tests he used to examine the evidence.

    I believe he should be asked:

    1. When examining the media sentry logs, did you do all the work yourself, or did you have an assistant?
    2. Exactly what work did you do, and what did your assistant do?
    3. Who was your assistant?
    4. What methodologies did you use to test the veracity of the Media Sentry Logs?
    5. Why did you use these methodologies?
    6. What tests did you apply?
    7. Were the logs on paper or in machine readable format?
    8. If machine readable, what systems and programs were used to analyze them?
    9. What Operating System was the "infringing" system using? [an expert could determine this from the raw packet logs].
    10. Did you examine the hard drive from Ms Lindor by yourself, or did you have an assistant?
    11. Exactly what work did you do, and what did your assistant do?
    12. Who was your assistant?
    13. What methodologies, procedures and tests did you use?
    14. Why did you use these methods and procedures?
    15. Did you use a system to examine the hard drive at the raw sector level?
    16. Did you mount the hard drive into a special forensic computer for examination?
    17. What was the apparent age of the hard drive (based on date formatted, file timestamps, etc.)?
    18. What was the public IP address you discovered in the registry?
    19. When was it assigned?

    I know that if I was submitting an expert report into what could very well become a precedent setting legal case, I would want all of these questions and more answered. And I believe the lawyers that hired me would want that too.

    Just the same as a judge sets out his reasoning in a judicial ruling, an expert should explain the analysis and reasoning that his conclusions are based on.

    [ Reply to This | # ]

    This case is important to all of us !
    Authored by: Rollyk on Tuesday, January 02 2007 @ 12:20 AM EST
    We need a case like this to go to court. True public scrutiny is essential,
    because as most everyone here knows the plaintiff's case, a "SLAP"
    suit of the worst kind, is blatantly weak.
    To start, buy a wireless router, set it up without following the instructions,
    get it working, and note that anyone within 50 metres can access it. Many of us
    here have done this.
    RIAA has a lot of money to lose here, they won't give up easily, and, true, this
    defendant is a weak example. Perhaps if "Grouch" were sued it would
    make more sense.
    To: R. Beckerman, buy a wireless router ($60) and try this.


    ---
    pay now, or pay later, there's no free lunch.

    [ Reply to This | # ]

    similar case here in germany
    Authored by: jlueters on Tuesday, January 02 2007 @ 07:08 AM EST
    hi,
    I am working in Germany and being a public certified expert, we (me and a
    lawyer) were just dealing with a similar case here. The other side came up with
    an expertise as well.

    Our experience:
    1. Weak legal side. The other side could not prove that they are legitimated to
    run the case. They had no uninterrupted legal chain, which would have allowed
    them to run the case. That's why they have lost.

    2. Technical
    2.1. Ip addresses:
    In order to identify a person or a computer on a dynamic line, the time is
    absolutely critical; if you are 2 hours off it's a totally different user. This
    raises the issue whether the timezones in question are alike. Esp. you can ask
    if the system used to record the traffic has been on the right time zone during
    recording and how they can prove that now.

    2.2 Software

    You should ask if the recording software has been certified by an independent
    test laboratory to make sure that the program really does what it promises.

    You should ask if the expert has inspected the source code of the software and
    can assure its correctness.

    You should certainly (by means of your own investigation) see if the logging
    software violates the GPL. To our experience that might likely be the case.


    You can ask if the expert can assure that the computer in question _has not_ been
    a part of a bot network during that time.

    Regards
    Jürgen




    [ Reply to This | # ]
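    As an added illustration of point 2.1 above (example code, not part of Jürgen's comment): a small Python lookup against a constructed ISP lease log shows how the same zone-less timestamp resolves to different subscribers depending on what time zone the recording machine was on. The lease records, the address and the account names are all made up for the example.

```python
"""Added example, not from the Groklaw comment: the recording clock's time zone
decides which subscriber a dynamic IP address is attributed to. The lease
records, the address and the account names are constructed sample data; LEASES
stands in for an ISP's RADIUS/DHCP assignment log, assumed to be kept in UTC."""
from datetime import datetime, timedelta, timezone

# Constructed lease history for one dynamic address: (ip, account, start, end), UTC.
# Intervals are half-open: the address belongs to a lease from `start` up to, but
# not including, `end`, so a boundary instant goes to the later lease.
LEASES = [
    ("198.51.100.7", "account-A", "2006-03-01T02:00:00", "2006-03-01T03:30:00"),
    ("198.51.100.7", "account-B", "2006-03-01T03:30:00", "2006-03-01T06:00:00"),
    ("198.51.100.7", "account-C", "2006-03-01T06:00:00", "2006-03-01T09:00:00"),
]


def _utc(ts):
    """Parse a lease-log timestamp, which is known to be UTC."""
    return datetime.fromisoformat(ts).replace(tzinfo=timezone.utc)


def subscriber_at(ip, observed, leases=LEASES):
    """Account holding `ip` at the zone-aware instant `observed`, or None."""
    if observed.tzinfo is None:
        raise ValueError("observation time must carry a time zone")
    t = observed.astimezone(timezone.utc)
    for lease_ip, account, start, end in leases:
        if lease_ip == ip and _utc(start) <= t < _utc(end):
            return account
    return None


def attribute(ip, naive_timestamp, assumed_zone, leases=LEASES):
    """Interpret a zone-less timestamp from the monitoring log under an assumed
    zone (what the recorder's clock was presumably set to), then look it up."""
    observed = datetime.fromisoformat(naive_timestamp).replace(tzinfo=assumed_zone)
    return subscriber_at(ip, observed, leases)


def candidates(ip, naive_timestamp, offsets_hours, leases=LEASES):
    """Set of accounts the same timestamp resolves to across plausible clock
    offsets. More than one member means the attribution is ambiguous."""
    return {attribute(ip, naive_timestamp, timezone(timedelta(hours=h)), leases)
            for h in offsets_hours}


if __name__ == "__main__":
    seen = "2006-03-01T00:00:00"  # as written in a constructed monitoring log, no zone
    for hours in (-5, -3, 0):
        zone = timezone(timedelta(hours=hours))
        print(f"recorder clock at UTC{hours:+d}: {attribute('198.51.100.7', seen, zone)}")
    print("ambiguous across -5/-3:", len(candidates("198.51.100.7", seen, (-5, -3))) > 1)
```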

    Another Lawyer Would Like to Pick Your Brain, Please
    Authored by: KnightRampant on Tuesday, January 02 2007 @ 08:56 AM EST
    I work for a living and therefore do not have time to compile a 20 page
    Curriculum vitae, but I have worked on networks at a variety of companies. IP
    Addresses have always struck me as a very poor way of establishing Identity.
    The simple fact is that given access to any router between the Media Sentry
    system and the Lindor system, I could make it seem that any arbitrary
    service was running on the Lindor system. Redirecting traffic from a few ports
    for an IP address is trivial and common. The actual service could be running
    anywhere on the internet. If I were a malicious person wanting to host such a
    service and blame someone else, I would certainly think of using an address from
    the dynamically assigned pool of a major ISP like Verizon, since it is unlikely
    to have any real services running on the ports I borrow. Now I know routers
    where such a redirection of traffic could be accomplished are supposed to be
    locked down with very limited access, but the fact remains that such a
    redirection could take place and the RIAA would presumably have to address this
    possibility as part of their burden of proof. I would think they would need
    either a traffic capture from Verizon taken directly from the Lindor link, or a
    configuration dump from every router in the possible communications path from
    the Media Sentry System to the Lindor home.

    [ Reply to This | # ]

    Editable Logs
    Authored by: hamstring on Tuesday, January 02 2007 @ 11:13 AM EST
    I work in IT, and have some experience with the governments own internal rules
    of engagement. Some of these should be common sense, but seem to be ignored in
    your case. Mostly, I deal with auditing systems, but these same rules pertain
    to other types of logging as well.

    RULE 1: Logs that can be modified in any way are not usable. This includes
    images and text files. The only admissible evidence would be binary logs, which
    require extraction tools. This prevents any tampering. Part of the auditing system
    is a kernel module which will audit and send alerts if anything attempts to
    tamper with either the kernel module or the binary logs.

    TEXT LOGS
    ---------
    Here is an example of why this is necessary: Simple Unix shell scripting.

    #!/bin/sh
    # Writes one "is downloading files" line for every host 10.1.1.1 through 10.1.1.254
    LOG="/tmp/log.txt"
    I=1
    while [ $I -le 254 ] ; do
    echo "IP: 10.1.1.$I is downloading files" >>$LOG
    I=$((I + 1))   # POSIX arithmetic; the backtick form `$I + 1` tried to run "1 + 1" as a command
    done
    #---end---

    This script will create a log which lists all addresses from 10.1.1.1 through
    10.1.1.254 and flags each with my message "is downloading files".

    To change this, I simply do this.

    cat /tmp/log.txt | sed -e s/10.1/213.1/g >>/tmp/newlog.txt
    #---end

    Now I have a new log which changed all the "10.1" entries to be
    "213.1" entries. This new log will keep all the suffix IP numbers, so
    my new list contains all IP addresses 213.1.1.1 through 213.1.1.254.

    Please note that this is a rudimentary example, and that much more complex
    changes can be made, allowing me to make any entry I want look however I want.

    IMAGES
    ------
    Images may not be as simple to bulk change, but any graphic program allowing
    "copy" and "paste" as well as text input will be able to
    modify an image. Time to make modifications will be based on the user's
    abilities with the graphics program being used.


    CONTROLLED SYSTEMS:
    -------------------
    In order to "prove" a user did anything, systems must be trusted and
    audited. For this reason, we use special software and rule sets on all audited
    systems, as well as deny uncontrolled access to any network (especially the
    internet).

    There are countless exploits for computer operating systems which allow for
    remote control of the system without user knowledge. Simply search for
    "root kit", "back door", or "trojan" on any
    reputable anti-virus/anti-spyware company web site to get an idea of how many
    exploits exist.

    SPOOFING
    --------

    Last thing I will mention is IP spoofing. A simple explanation of this is that
    spoofing allows someone to appear as if they are using an IP address which they
    are not actually using.

    Software must be built with spoofing detection built in. Sniffing network
    traffic from an external network (3rd party snooping) may not be able to detect
    spoofing. There are several reasons for a failure in detection. What is
    important, it "can" fail, which means that burden of proof may not be
    met.

    ---
    * Necessity is the mother of invention. Microsoft is
    * result of greed

    [ Reply to This | # ]
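    As an added illustration of the TEXT LOGS and CONTROLLED SYSTEMS points above (example code, not from hamstring's post): the sed-style edit leaves a plain log that passes every format check a reader could apply, while a hash-chained version of the same log, a standard tamper-evidence technique assumed here rather than anything the post proposes, points at the first altered entry. The addresses and log lines are constructed.

```python
"""Added example, not from the Groklaw post: the bulk edit the post describes
leaves a plain text log indistinguishable from a genuine one, while a
hash-chained log reveals the first altered entry. Addresses and lines are
constructed sample data; the hash chain is a standard tamper-evidence technique
added here for illustration."""
import hashlib

GENESIS = "0" * 64  # fixed, public starting link of the chain (assumption)


def make_plain_log(prefix="10.1.1", hosts=254):
    """Reproduce the post's shell loop: one 'is downloading files' line per host."""
    return [f"IP: {prefix}.{i} is downloading files" for i in range(1, hosts + 1)]


def edit_log(lines, old="10.1", new="213.1"):
    """The post's `sed -e s/10.1/213.1/g` as a literal replacement on every line
    (sed's pattern is a regex where '.' matches any character; literal is enough here)."""
    return [line.replace(old, new) for line in lines]


def looks_genuine(lines):
    """All a reader of a plain text log can check: every line has the expected
    shape. It returns True for the edited log as well, which is the post's point."""
    return all(line.startswith("IP: ") and line.endswith(" is downloading files")
               for line in lines)


def _link(prev_digest, line):
    """Digest covering this line and, through prev_digest, every earlier line."""
    return hashlib.sha256(f"{prev_digest}\n{line}".encode()).hexdigest()


def chain_log(lines):
    """Append to each entry a digest that depends on all entries before it."""
    prev, out = GENESIS, []
    for line in lines:
        digest = _link(prev, line)
        out.append(f"{line} | {digest}")
        prev = digest
    return out


def verify_chain(chained):
    """Return (ok, index): ok is False at the first entry whose stored digest no
    longer matches its text plus the previous link; index is -1 when all verify."""
    prev = GENESIS
    for idx, entry in enumerate(chained):
        line, sep, digest = entry.rpartition(" | ")
        if not sep or digest != _link(prev, line):
            return False, idx
        prev = digest
    return True, -1


def final_link(chained):
    """The last digest. Anchoring it somewhere the log writer cannot later change
    (printed, WORM media, a third party) is what stops someone who can rewrite the
    whole file from simply recomputing the chain after editing."""
    return chained[-1].rpartition(" | ")[2] if chained else GENESIS


if __name__ == "__main__":
    plain = make_plain_log()
    print("edited plain log still looks genuine:", looks_genuine(edit_log(plain)))
    chained = chain_log(plain)
    print("untouched chain verifies:", verify_chain(chained))
    print("after bulk sed-style edit:", verify_chain(edit_log(chained)))
    chained[4] = chained[4].replace("10.1", "213.1")
    print("after editing one entry:", verify_chain(chained))
```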

    What is necessary to win this case?
    Authored by: Anonymous on Tuesday, January 02 2007 @ 02:45 PM EST
    I have read the responses and they all seem to address the technical
    circumstances where an account or address can possibly be hijacked or spoofed.
    Also they address the lack of a custody of the information etc.

    The problem as I see it is that this is not a criminal suit. It is civil, and
    the plaintiff does not have to establish the circumstances of the case beyond a
    shadow of a doubt. The plaintiff only has to show by the lesser standard of
    preponderance of the evidence that the defendant has committed the acts alleged.
    Therefore a plausible explanation to counter the accusations is necessary.

    1. The denial of actual downloading is supported by the disk not having any of
    the material present, IF AND ONLY IF the disk can be verified to not have been
    cleaned up or modified after it supposedly had been used to download infringing
    material.

    2. Some of the explanation can be fleshed out by demonstrating how a non
    computer literate person can be set up to appear to have done these actions by a
    third party. But to be plausible the alternative explanation would include some
    evidence of the third party at work.

    3. How can the Defense show evidence of a third party acting on this computer?

    4. The Plaintiff only has to show the normal activities for a person to download
    the material. That is usually going to be accepted as what happened unless the
    defense shows a plausible alternate to the Judge or Jury.

    5. Who was actually driving the keyboard at the time of the download is a
    defense.

    6. Whether or not the download actually occurred is another
    defense. This defense is fairly strong if the disk in ITEM #1 is verified to be
    the disk in place when the violation supposedly occurred.

    7. Otherwise an all out attack on the credibility of the RIAA and Media Sentry
    is probably a good defense. The motivation of the RIAA is suspect and there are
    judicial rulings (in other countries) concerning the type of evidence which Media
    Sentry attempts to provide. Getting the Media Sentry Evidence thrown out based
    on the prior court rulings AND having the evidence examined by a true forensic
    expert with professional...not academic.....credentials is essential to the
    case. Even if the judge does not rule that the evidence is excluded, there is
    foundation laid to attack the evidence at trial and let the jury decide if the
    evidence is faulty.

    8. Any so-called "expert" who would list his students non-published
    CLASS WORK as part of his cv is suspect as is someone who would list the local
    campus police as a reference for forensic work concerning computers. It would
    probably involve reading e-mails to see who was drinking beer in the dorm or
    some such nonsense. The "expert" probably can be made to seem quite
    pompous if his cv is any indication.

    [ Reply to This | # ]

    routers or dial in.
    Authored by: Anonymous on Tuesday, January 02 2007 @ 09:12 PM EST
    1- every time you dial in or reset your router or lease expires (less than 24
    hours), you get a different ip address from the isp (like aol).

    2- The router provides a totally different address to the users computer and the
    isp can only see the isp provided address.

    ie isp provides 244.123.124.1, your computer 192.168.10.1,
    your 2nd computer 192.168.10.2 from the router.

    3- the isp can only see the cable modem / router and can not see any of the
    other computers.

    4- since the isp can only see the router and can not see the other computers,
    the isp can not know whether they have a wired or wireless router. It's
    impossible to know if the person has a wireless router.

    [ Reply to This | # ]

    isp routers
    Authored by: Anonymous on Tuesday, January 02 2007 @ 09:24 PM EST
    As messages pass from router to router, the routers can and do alter the message
    header mask which shows where the message came from depending on the router
    protocol. ie. One company sending messages through another company's router
    without the routing company actually using the message (flying within a cloud).
    Get a copy of a router manual for a router an isp would use, not your simple
    $100 router but your $50,000 router, notice it's over 1000 pages of text and
    options. Foundry

    It possible for an ISP router to perform almost anything which could make the
    message appear to be from one location when it really came from another.
    Vlans. see isp maskerading.

    [ Reply to This | # ]

    Another Lawyer Would Like to Pick Your Brain, Please
    Authored by: Anonymous on Tuesday, January 02 2007 @ 09:56 PM EST
    (I am not a lawyer - worse - I'm an EE)

    Not sure without reading everything if this has been pointed out:
    The MAC address is definitely not an absolute fingerprint.
    I've had network cards that this number could be set to whatever value the user
    wanted using a simple utility from the network interface card vendor.

    I did see where it was pointed out that this can also be done via the router.
    My Netgear WGT634U has that ability. It basically makes the router look like
    the computer to the upstream DHCP server that assigns the IP address to the
    connection. On my side of the router, I can set my local IP addresses to
    whatever I want. I am basically setting up my own local network. That doesn't
    prevent a program (like windows) from reading my MAC address from my PC and
    passing it out via the connection.

    The wireless connections can be spoofed. I've been told by some fairly
    knowledgeable folks at work that your wireless connection can be broken into
    even if it is set up correctly. You just have to be able to monitor the traffic
    for a long enough period of time. That is probably the reason that the lack of
    a wireless router was specified.

    If I download something off the web that turns out to have been copyrighted
    material, the copyright violator should be the one who originally created the
    copy. How am I to know that the material I just downloaded was copyrighted
    unless it was indicated to me somehow in advance? Ever read Wikipedia? There
    is a >lot< of copyrighted material within it. Am I in violation of
    copyrights because I downloaded and read this material? Even if it wasn't
    indicated to me in advance that it was copyrighted material? What if I link to
    it via my website? Does where the data is physically stored for redistribution
    really matter? It's not on my drive, but I'm still providing its location?
    That's not really different to my providing local storage.
    If the original owner downloaded the file electronically, what dictates
    ownership of that file? If he copies it to a CD, is that a new copy? Or is it
    just fair usage? If he gives that CD to a friend, is it him or his friend that
    is in violation of the copyright? How do you prove damages?
    What if the CD was just on loan? Is that fair usage?
    There really isn't much of a difference between an electronic copy and a
    physical one like that CD. How do you prove intent?

    And there should have been criminal charges brought against SONY for that
    rootkit. I'm pretty sure if I wrote something like that and released it, I'd be
    in prison by now. They should have also been required to provide everyone who
    purchased the CDs with that rootkit with a replacement copy without the rootkit
    installed as well as a mechanism for removal of the rootkit.

    If the lady didn't do the filesharing, then maybe a relative did it. Does that
    make the lady culpable? Couldn't that be extended back to the internet service
    provider as well? They need to prosecute the individual that committed the
    crime, not the person/entity that unknowingly provided the connection.

    Was the lady given notice that she had copyrighted material being distributed
    from her system? And was she given some fair period of time to remove it?

    [ Reply to This | # ]

    Numbers don't match
    Authored by: Anonymous on Wednesday, January 03 2007 @ 10:27 AM EST
    In the "Affidavit and Expert Report" from Dr. Jacobson, in his
    conclusions, he has the following two items, and the numbers don't match:

    16) I will testify that Mediasentry found over 700 files shared on a computer
    using the KaZaA file sharing program based on the screenshots. The KaZaA user ID
    is jrlindor@KaZaA.

    18)I will testify that the information from Mediasentry (SystemLog, UserLog,
    UserLog (compressed), and the Download logs) indicates that the computer with IP
    address 141.155.57.198 offered 624 audio and music files, most of them are
    copyrighted music files, for distribution using the KaZaA program on 8/7/2004
    starting at or around 6:12:45 AM EDT through at least 7:08:30 AM EDT.

    Are the two computers mentioned in items 16 & 18 purported to be the same
    computer? If so, why the difference in the number of files (624 vs. 700)? And
    why no mention of the IP address in item 16?

    Other things to ask Dr. Jacobson:

    Was he present or does he have direct knowledge of the actual physical methods
    employed by Mediasentry in gathering their screenshots and various log files?
    Was a network packet trace taken at the time that the other Mediasentry
    information was gathered?

    If his answer to the 2 questions above is "No", then how could he
    possibly be assured that the screenshots and logs from Mediasentry had anything
    to do with computers actually connected to the internet? Anyone can set up a
    router locally without connecting it to the internet and configure any IP
    subnets and address ranges that they wish, and then run programs that would make
    screen shots and log files appear to incriminate anyone's IP address that they
    wish.

    Another one, item number 19 says in part:

    "during which time the 624 files were being distributed"

    While the wording in item 18 says "offered for distribution".

    During the time period in question, is there any proof that any files other than
    the 11 files downloaded by Mediasentry were actually distributed to (downloaded
    by) anyone else? If he is lying about the number of files actually being
    distributed rather than being offered for distribution, then all of the rest of
    his testimony can be construed by the judge and/or jury as lies as well, and you
    should ask the judge to include that in his instructions to the jury.

    [ Reply to This | # ]

    Another Lawyer Would Like to Pick Your Brain, Please
    Authored by: Anonymous on Thursday, January 04 2007 @ 08:42 AM EST
    In addition to the issues of IP assignment, spoofing, and Network Address
    Translation, another potential question arises in the following case:
    1. The defendant has a dynamically assigned 'public' IP address
    2. She is using a router which translates IP requests and responses to private
    IP addresses (termed Network Address Translation)
    3. She has a wireless access point in the private address space (WiFi point)
    4. She, or the vendor of the equipment, has left the access point in open access
    mode (this is often the 'out-of-the-box' configuration)
    5. A third party has connected to her access point using a WiFi connection
    6. The third party has used P2P software...

    This is NOT an unlikely scenario and I'm sure some research will turn up similar
    cases.

    [ Reply to This | # ]
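The NAT point made in the "routers or dial in" comment above, and the open-access-point scenario in the comment just above this, as an added Python example (not code from the thread or from any party to the case): a toy port-overloading NAT showing that an ISP-side log records only the router's public address whether the traffic came from the wired PC, the second PC, or a wireless guest. The 244.123.124.1 and 192.168.10.x addresses are the thread's own; the guest host, the remote peer, and all port numbers are constructed.

```python
from itertools import count

# Addresses used in the thread (ISP side and router side); ports are constructed
PUBLIC_IP = "244.123.124.1"
WIRED_PC = "192.168.10.1"
SECOND_PC = "192.168.10.2"
WIFI_GUEST = "192.168.10.50"   # constructed: third party on an open access point
PEER = ("203.0.113.9", 1214)   # constructed remote P2P peer (documentation range)


class NatRouter:
    """Minimal port-overloading NAT: many private (ip, port) pairs, one public IP."""

    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self._ports = count(first_port)
        self.fwd = {}   # (private_ip, private_port) -> public port
        self.rev = {}   # public port -> (private_ip, private_port)

    def outbound(self, src, dst):
        """Rewrite an outgoing packet's source; return it as the ISP would see it."""
        if src not in self.fwd:
            port = next(self._ports)
            self.fwd[src] = port
            self.rev[port] = src
        return (self.public_ip, self.fwd[src]), dst

    def inbound(self, dst):
        """Map a reply addressed to (public_ip, port) back to the private host."""
        if dst[0] != self.public_ip:
            return None
        return self.rev.get(dst[1])


def isp_log_view(router, flows):
    """Source IPs an upstream (ISP-side) log records for the given private flows."""
    return {router.outbound(src, dst)[0][0] for src, dst in flows}


def hosts_behind(router):
    """Private hosts that shared the public IP; an ISP log cannot tell them apart."""
    return sorted({ip for ip, _ in router.fwd})


FLOWS = [((WIRED_PC, 3001), PEER), ((SECOND_PC, 3002), PEER),
         ((WIFI_GUEST, 3003), PEER)]

if __name__ == "__main__":
    r = NatRouter(PUBLIC_IP)
    print("ISP log sees:", isp_log_view(r, FLOWS))            # only 244.123.124.1
    print("hosts behind it:", hosts_behind(r))
    print("reply to port 40002 reaches:", r.inbound((PUBLIC_IP, 40002)))
```

The translation table that ties public port 40002 back to the guest lives only in the router's memory, which is why the thread's posters say an ISP-side record of the public address alone cannot say which machine, or whose, generated the traffic.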

    Another Lawyer Would Like to Pick Your Brain, Please
    Authored by: nick2000 on Thursday, January 04 2007 @ 04:14 PM EST
    After reading the linked documents, I would like to know:

    #1 how did they determine the IP address of the host? Did they install a client
    and "sniff" what IP they were talking to? How do they know this was
    the target IP and not some gateway? There is a statement that it could not be
    the address of a router. How could they possibly know?

    #2 How is the MediaSentry information legally reliable? What was the chain of
    custody of that information? Can this Mediasentry information be considered
    valid instead of just hearsay? That does not look like legally tenable PROOF.
    There could be a mistake or it could have been altered.

    #3 They state that NO PROOF was found on the defendant's PC, therefore, they
    claim it's the wrong hard disk yet the hard disk was in use at the time? That
    cannot be right. So, it's the defendant's burden to prove that they do not have
    another hard disk? I do not see any proof that this is the wrong hard disk,
    only speculation.

    #4 Now, Ms Lindon has never used a computer, but yet she has an Internet
    account? Also there was obviously a computer since they searched it. Does this
    account belong to somebody else? Did this Lindon Jr live in the house and do
    this and they simply targeted the owner of the account instead of the person
    who was actually sharing the files?

    [ Reply to This | # ]

    Another Lawyer Would Like to Pick Your Brain, Please
    Authored by: Anonymous on Friday, January 05 2007 @ 02:57 AM EST
    Another angle... One that the RIAA will not like at all.

    Based on the fact that everything could be forged on the Internet, it will be time to
    check if MediaSentry has good hygiene.

    1) They ask you for a copy of your hard disk... Fine... Ask them for a copy of the
    hard disk used by MediaSentry...

    Have this checked for Trojans, rootkits, etc...


    [ Reply to This | # ]

    Another Lawyer Would Like to Pick Your Brain, Please
    Authored by: Anonymous on Saturday, January 06 2007 @ 03:12 PM EST
    I think UMC is going to go broke suing its potential customer base. Would a
    customer buy a product from a company that sues them? I wouldn't!

    Anyone with a windows PC can be and more than likely is being controlled by a
    third party.
    There is so much malware out there that the average computer user is clueless as
    to how to secure their PC and most of them just do not care as long as the PC
    does what they want it to.
    Then there are the DSL routers that people set up according to the instructions
    leaving them wide open to spoofing or someone getting on the net for free.
    There are too many ways to get to the net and only a few people committing the
    crime.

    So my advice to the end user is to get smart and secure your PC. Would you leave
    a loaded gun around for a 4 year old to play with? That is pretty much what you're
    doing to your bank accounts and so forth if you do not secure your PC.

    And my advice to UMC is for them to stop suing their customer base!

    Draq Wraith

    [ Reply to This | # ]

    Groklaw © Copyright 2003-2013 Pamela Jones.
    All trademarks and copyrights on this page are owned by their respective owners.
    Comments are owned by the individual posters.

    PJ's articles are licensed under a Creative Commons License. ( Details )