Innocent File-Sharers Could Appear Guilty?
daveo0331 writes "New Scientist has an article about what could be a promising defense strategy for people targeted by the RIAA. Basically, anyone on the Gnutella network can frame other users by making it look like someone is hosting RIAA music, even though they're not. Therefore, the RIAA's "evidence" against file sharers is theoretically unreliable and wouldn't stand as good a chance of holding up in court. No mention of whether this has anything to do with the RIAA's eagerness to settle the lawsuits out of court. The article is based on a research paper (PDF link, HTML version) posted anonymously to a web hosting service in Australia."
can you say those 2 words in the same sentence?
Je t'aime Stéphanie
How about an entire computer shared to the internet, like this crazy guy did...
A number of people say they were wrongly accused by the RIAA, or that their children swapped music without their knowledge. The RIAA dropped one suit, against retired Boston teacher Sarah Ward, 66, when it was discovered she couldn't be sharing songs on pirate service Kazaa because she uses an incompatible Apple computer.
Thanks to google, here's the HTML version of the PDF.
Sure, karma whoring, but who wants to load a PDF? At least I didn't post a MS Word version of it!
-ted
Can't they just sue you because you helped transmit the files by being part of the network? Plus they are only prosecuting people that use kazaa right now.
That dropped suit is referenced in the paper.
I think most people will either be scared into settling, or not have enough money to pay for litigation and court costs. Although it's nice that there is a way around the RIAA's mass suing, how often will this technique really be used...
Will this really stop them from doing anything? Like the poster said, they like to settle out of court, and they'll probably pull something like "Well, you should've been more protected against this kind of identity theft. Give us $10,000 in amnesty, and we'll go catch the _real_ thief."
- Sherman
How many of the people being sued by the RIAA actually use Gnutella? I would bet few to none. The vast majority are getting nabbed for Kazaa and other more popular, less geeky p2p clients.
When using a modem, or even Cable/DSL one is typically dynamically assigned an address. Many times these can change. It was stated in numerous articles that the RIAA found IP addresses for people, then subpoenaed ISPs for the users using those addresses.
Either due to ISP incomprehension, or RIAA non-specific requests, they most likely received a lot of information based on who was using that address after subpoena, not during copyright infringement.
Shawn's Tech Articles
help 'guilty' filesharers appear innocent.
the most mysterious thing you'll see today
Just leave America. I'm so lucky that I don't have to. The Recording Industry Association where I live doesn't scare me in the slightest!
Just because they've pointed out theoretical weaknesses in P2P apps doesn't necessarily raise a "reasonable doubt" about any defendant's activities. Is there any evidence that these vulnerabilities are actually being exploited out there? If not, I don't think this would hold much weight in court...
Oh yeah, and IANAL.
Stop by my site where I write about ERP systems & more
I was wondering if this kind of Gnutella spoofing (Gnoofing? Spootella?) could be used by the RIAA to DOS Gnutella networks by gumming it up with unreliable information?
I also wonder if this technique could be used to trick the RIAA into subpoenaing itself?
Not that I would ever suggest doing such a thing.
AC
While it's interesting that apparently Gnutella can in theory be spoofed, I can't believe that this could form much of a legal defense since the spoofs are specific to Gnutella, so this has nothing to do with the vast majority of p2p usage.
Enable 3D printed prosthetics!
This is no "strategy", it's a cop-out. If people are sharing files, and they *really* believe they should be allowed to do so, they should fight on the merits of their position, and live or die on said merits. To cook up a tenuous argument that someone might have framed you, is a tacit admission that the arguments people have mostly been using to justify file-sharing are worthless, and that file-sharing itself is indefensible. Show some backbone, people.
If I was ever brought in on copyright infringement charges and there was evidence, I'd feel more secure arguing that I didn't know I was doing anything wrong, not that the evidence was suspect (someone spoofed my clipart search into one for metallica, changed my IP address, hop count, etc. resulting in 10 gigs of copyrighted files on my computer which I somehow didn't notice/delete).
Occam's Razor will cut off the weasel's tail!
Someone write a lightweight gnutella client that "frames" everyone within reach on the network. This way, the RIAA will have no clue....
Furthermore, a worm/trojan could be released that secretly installs a Gnutella client and ACTUALLY downloads some tunes. Would ignorance be an excuse, when suddenly every computer in the world is filesharing? Tell you what, if I did fileshare copyrighted material, I would put up a fight.
Someone already sort of asked this but they are modded at 0 and thus might not get heard that easily. I was wondering if anyone had a breakdown of just what P2P networking the RIAA is targeting. If you read the headlines all you would think is that this is between the RIAA and Kazaa. I remember recently when we all joked about the actual Kazaa names people were using and how many "kazaalite" users there would be.
So what's the deal? Any WinMX, EDonkey, Bittorrent users being attacked in this recent spat of 700 cases by the RIAA. Or is it just those Kazaa users?
If you wanna get rich, you know that payback is a bitch
BitTorrent has many legitimate uses. In fact, I'm using it right now....legitimately.
No more Micro$oft bashing from me. It's like bashing at the Special Olympics.
i suggest that all /.'ers make it look like we're sharing contraband, then counter sue the RIAA when they sue us. sound like a plan? who's with me!
Perhaps he's referring to the "Your All Gay" website.
Or, more likely, he's just an idiot.
Contact Me (got tired of viruses emailing me).
Make sure EFF and other lawyers see this stuff!!!
At least in the ways described in the document. They're describing potential attacks that just don't seem like they'd be worthwhile to pull off. A jury would be silly to use this as the reason to let file sharers off the hook, unless their only concern is getting the file sharers off the hook, regardless of whether they're guilty.
That's the thing about innocence until proof of guilt. One has to show evidence that the presumed innocent logically has to be guilty. Not that they COULD be guilty. Not that they might as well be guilty. Not if they have the tools that would allow them to be guilty. Not even if the prosecution can't find anyone else that they think might be guilty.
It's things like these that can make harassing people a real bummer for a litigious group in the long run. Still - fear and respectful loathing may still "work" in the short term. But again, that short-term respect and fear will die down if cases are ruled against them.
Ryan Fenton
But I am also very much against anything that perverts justice, obfuscates the truth, and in general destroys respect for the law.
This one is ridiculous, because 99% of the people who say "no, it wasn't me, someone set me up" based upon this will be perjuring themselves.
Quite honestly, isn't that the claim that most criminals make?
I, for one, if set up, would have a different answer: "I never installed Kazaa or other P2P software, nor did I pay the Kazaa fee." Come to think of it, that would be my defense if accused of stealing cable channels too: "I never bought one of those cable-selection-hiding filters; indeed, I never bought cable TV."
Come off it, people. Stop trying to make a case for yourself why maybe it perhaps isn't so bad, and perverting your consciences.
Correct Horse Battery Staple: 72 bits of entropy. Enter "Correct H" into google. When it generates the phrase, that's
ignorant troll alert
Either you're trolling, or you don't understand the post you're replying to. Gtk-Gnutella does have an option to "force" your local IP to something other than what your box detects it as. In fact, here's a screenshot of where this setting is in Gtk-Gnutella. Please get a clue before you post.
But he notes that there are other ways to incriminate an innocent party: "Most Windows users will run any old attachment you send them, so if you want to implicate someone you can just send them a Trojan."
Is that a low blow, or is it just me? I mean, seriously, I used to use Windows before I became a convert to FreeBSD. I don't recall ever opening a trojan or any other executable file from anyone, whether I knew them or not.
And the muscular cyborg German dudes dance with sexy French Canadians
Let us Mac users have our fun by playing dumb.
It's been working for years!!!
Mwaaaahahahahaha!
Dude, if I had you as a parent, I'd watch your back. How is your lesson any better than a thug breaking a gambler's legs for not paying on time? I hope you don't own any guns... you just may become a statistic.
today is spelling optional day.
No, he is not going to learn a lesson about the moral implications of file-sharing. He's just going to learn to hate you for something, I'm assuming, he worked to buy himself. You fucking dolt.
The RIAA has an amazing similarity to OJ Simpson. Still in search of 'The Real Filesharers'
That is a seriously fucking harsh cop.
Maybe his blankie was run over by a speeding car or something....
Anyway, this guy's problem is that he must be upset that people are stealing money from Yanni or that ET guy.
See topic.
So to punish your son for downloading music, which really doesn't have any value anyway, you destroyed a computer worth over 1000 dollars of your son's money? What would you do if he simply shoplifted the cd's, cut off his hands? Would you have destroyed his car for speeding?
I suppose you've never copied a video tape, or a CD, or a cassette, or recorded something off the radio or TV.
I don't get why people treat downloading music as worse than stealing the CD. It's not even close to being like physically stealing, you're not depriving anyone of their property.
You're probably just a troll anyway, no sane person would do that.
Am I the only one who is dumbfounded that, not only did someone register "yourallgay.com", but that they even made their own flash cartoon showcasing their complete lack of comprehension of the English language?
"Most Windows users will run any old attachment you send them . . ."
BURN! Hee hee.
hmmm, let's see. I've used P2P apps to:
*Remotely administer files on a computer
*Access files on my PC while at class
*Back up data
*Acquire legal distributions of applications
*Acquire legal distributions of media
*Acquire quick information about a song or artist
*Communicate and (legally) share files between friends and co-workers
seems like legitimate uses to me.
T Money
World Domination with a plastic spoon since 1984
The article points out how p2p query and response packets can be forged, owing to the routing used by p2p systems. But when a download starts, it's between one peer and another (hence "P2P" or peer-to-peer). Downloads are invariably over TCP for reliability. So if the music industry downloads a song from you--well, you gave it to them over a specific IP that is not masked by the p2p query routing. One might object that the people being sued by the RIAA are not actually sharing files, and that there are simply bogus query response packets being sent by mischievous hackers. But surely the music industry actually downloads the shared file, and makes sure it's copyrighted material. (If they don't, then all we'd have to do is share /dev/random as "madonna.mp3" or some such.) So, if the music industry is downloading a file from a known IP, how does a spoofed search packet make for reasonable doubt? There's been one recent account of the wrong person being sued. This appears to be clerical error when the RIAA requested the identity of a certain IP--It's all but certain that after that little snafu (much touted by anti-RIAA folks), the RIAA corrected their mistake and went after the right person, this time making sure the secretary typed the right IP number on the subpoena.
The only situation where the 'spoof share' defense raised in the paper might be plausible is if the person sharing the music had their machine hacked. That is, if their IP was being used as a reflector to bounce a TCP stream off of another person.
Usually only hackers (well, script kiddies too) use reflectors and TCP proxies to help mask their trail. But you'd think that if someone were good enough to use open proxies/reflectors (even if they're just script kiddies), they *at least* know enough to not use Kazaa/Gnutella, and instead use IRC, XDCC, BitTorrent, and other technologies that the RIAA has not cracked into (yet?). To make an analogy: Gnutella/Kazaa are like Walmart. Everyone can come in and, after some delay and trouble, finally find what they're looking for. But even script kiddies who know about IRC are like the mafia types who stop the delivery truck behind the Walmart, and make off with what they want. Look, if you're really into XDCC and/or IRC transfers, you can get whatever you want. You probably have a few FTP upload sites (perhaps some temporarily 'volunteered' by viruses and worms) to trade files. There's no need to rub shoulders with the masses in Kazaa and not find what you're looking for.
It's an interesting paper, but the contribution amounts to saying "Well, if you're accused of violating copyright by the RIAA, perhaps you can claim your computer was hacked by someone else. Yea... that's it 'I was hacked and didn't share those files myself.'".
That's an interesting defense. Perhaps it will work on a judge or two. BUT remember this: Usually when you make a defense, you have an affirmative burden to meet. You have to support your defense with evidence.... So if you claim you were hacked, you'll have to prove it.
So, your computer better have been hacked by someone, *for real*, or else you'll be in trouble with the court. Downloading mp3s and getting caught is one thing. Perpetrating a fraud on the court or manufacturing evidence is another.
First, as some have mentioned previously, all of the RIAA legal actions required that the ISPs map date + IP correctly to the right user. This has been shown to be problematic, as a number of Mac users have been caught up in the lawsuits.
The RIAA cannot expect the ISPs to provide 100% infallible information. This alone is a bigger threat than the attacks mentioned.
On to the paper. You can find it via google.
For the duration of these items I'm going to assume that the networks in question are either FastTrack/KaZaa or Gnutella. These appear to be the networks currently targeted by the RIAA.
Scenario 1: Modifying Search Requests and Search Results in Transit
This is a non starter, as the RIAA have mentioned before regarding their tactics that they rely on MD5 check sums of files that are downloaded from the peer. Simply modifying search results or requests will not incriminate anyone given the method the RIAA is using.
Scenario 2: Spoofing the Originator of Search Results and Search Requests
This falls into the same problem as #1. This will not get someone targeted by the RIAA.
Scenario 3: Renaming a Contraband File to Match Incoming Search Requests
This is a bit more troubling, as the MD5 sums would match the contraband, however, the title may be something completely innocuous - "Slashdot Comment Archive" for example.
I find it unlikely that the RIAA would target someone based on MD5's alone. Their tactics appear to use a search to identify potential infringing uploaders, and then a download to confirm contraband via MD5 sum.
If this is the case, then the search for contraband would likely miss this type of file, as it would be renamed to something else (also popular) but unrelated to contraband content.
This does remain a viable risk and potentially exploitable entrapment attack.
Scenario 4: Impersonating Another GP2P User
This is another non starter in the same lines as #1 and #2. The RIAA is not using randomly selected user GUID's to identify infringers.
Scenario 5: Tricking an Innocent User Into Downloading Contraband from an Authority
This is a very implausible attack. The RIAA is using custom software to track the network, and does not appear to be uploading the files they are downloading for evidence, as would normally be the case with a standard Kazaa/Morpheus client.
The chances of downloading a contraband file from the RIAA crawlers seem nil, regardless of how spoofed search results could direct them in this fashion.
In short, there is a potential for abuse, but the methods used by the RIAA prevent a number of these from working effectively. They search keywords and titles, and then confirm contraband with MD5 checksums of the uploaded content.
This is very hard to spoof without actually deploying the contraband on a peer with malicious intent. You are still liable if someone puts contraband on your client!
The biggest danger is still the ISP's inability to properly account for times and dates for each user associated to each IP address. This will continue to target innocent individuals, although the RIAA does appear to drop cases that are blatantly without merit.
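The two-stage process the comment above describes (keyword search over relayed results to find candidates, then a direct download and MD5 comparison to confirm), modelled as an added Python example; this is not code from the paper, the commenter or any RIAA tool, and the peers, IP addresses and file contents are all constructed. It walks through the commenter's scenarios 1-3 and the /dev/random-style decoy from an earlier comment.

```python
from __future__ import annotations
import hashlib
from dataclasses import dataclass, field

def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

# Constructed sample content. To the verifier, "contraband" is only a set of
# known hashes; the bytes below are a stand-in, not a real recording.
CONTRABAND_BYTES = b"constructed stand-in for a copyrighted recording"
KNOWN_CONTRABAND = {md5_hex(CONTRABAND_BYTES)}

@dataclass
class Peer:
    """What a host actually serves over a direct TCP connection."""
    ip: str
    files: dict = field(default_factory=dict)  # filename -> bytes served

@dataclass
class SearchHit:
    """A relayed search result. Both fields pass through other nodes and can
    be altered or fabricated in transit, so neither is trusted on its own."""
    claimed_ip: str
    filename: str

def stage1_search(hits: list[SearchHit], keyword: str) -> list[SearchHit]:
    """Keyword search over relayed results: identifies candidates only."""
    return [h for h in hits if keyword.lower() in h.filename.lower()]

def stage2_verify(hit: SearchHit, network: dict[str, Peer]) -> str:
    """Connect directly to the claimed IP, fetch the named file and hash the
    bytes that actually arrived. Only this step can implicate a host."""
    peer = network.get(hit.claimed_ip)
    if peer is None:
        return "unreachable"      # forged or stale IP: nobody answers there
    data = peer.files.get(hit.filename)
    if data is None:
        return "not served"       # host exists but never offered this file
    if md5_hex(data) in KNOWN_CONTRABAND:
        return "confirmed"        # bytes from this IP match a known hash
    return "hash mismatch"        # right name, wrong content (junk/decoy)

def investigate(hits: list[SearchHit], network: dict[str, Peer],
                keyword: str) -> dict[tuple[str, str], str]:
    """Run both stages; only a 'confirmed' verdict ties content to an IP."""
    return {(h.claimed_ip, h.filename): stage2_verify(h, network)
            for h in stage1_search(hits, keyword)}

# --- constructed network: what each host really serves --------------------
NETWORK = {
    "10.0.0.1": Peer("10.0.0.1", {"vacation.jpg": b"a holiday photo"}),     # innocent
    "10.0.0.2": Peer("10.0.0.2", {"Band - Song.mp3": CONTRABAND_BYTES}),    # real sharer
    "10.0.0.3": Peer("10.0.0.3", {"Band - Song.mp3": b"\x00" * 32}),        # junk under a hot name
    "10.0.0.4": Peer("10.0.0.4", {"Slashdot Comment Archive": CONTRABAND_BYTES}),  # scenario 3
}

# --- constructed relayed search results as a crawler would receive them ---
HITS = [
    SearchHit("10.0.0.1", "Band - Song.mp3"),  # scenario 1/2: forged hit naming an innocent IP
    SearchHit("10.0.0.9", "Band - Song.mp3"),  # hit for an IP where no such host answers
    SearchHit("10.0.0.2", "Band - Song.mp3"),  # genuine hit, genuine content
    SearchHit("10.0.0.3", "Band - Song.mp3"),  # genuine hit, decoy content
    SearchHit("10.0.0.4", "Slashdot Comment Archive"),  # scenario 3: keyword search never sees it
]

if __name__ == "__main__":
    for key, verdict in investigate(HITS, NETWORK, "band").items():
        print(key, "->", verdict)
```

Only 10.0.0.2 is confirmed by the keyword search for "band"; the renamed file on 10.0.0.4 is confirmed only if the investigator happens to search for its innocuous title, which is the gap the commenter flags in scenario 3.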
On the edonkey net, information about who has what files is collected and managed by edonkey servers. Since the server protocol is open, anyone could write a server that deliberately misinforms clients about the location of RIAA files.
I'm not sure how this works, but if your son bought the laptop then it belongs to him, so your destroying it without his consent may well have been illegal. Illegal !
I think you'd better hand over your laptop/PC to him along with a hammer or other suitable destructive device so that he can teach you a lesson.
Yes... apparently that's what happened.
I'm a little dumbfounded myself.
There's something that's bothered me about these lawsuits since the beginning: what proof does the RIAA have that a given person shared a file? They're simply using logs of their software. But how is this being verified? A log, after all, is just a text file; I can make one now that says Lars Ulrich was sharing my copyrighted works.
Not to mention they're also relying on the DHCP logs of the sharer's ISP. These were designed to aid admins, not to be 100% accurate. And, even if we assume that the RIAA's and the ISP's logs are accurate, most people these days have multiple machines on their home networks and often wireless access points. How could one possibly prove that the internet account holder did the sharing and not a neighbor sneaking on via wireless or a friend who stopped by with a laptop or a roommate?
IANAL, but I don't see how any of these cases could possibly stand up in court, with or without security holes.
The "law" is no longer about the "truth", but who can spin the best "half-truths" (read: lies). And the best "lawyers" (read: liars) cost $$$, so in short, he with the most money gets "justice" (read: their way). So anything the "little guy" (read: not much $$$) can win is to come up with a nice "open-source" "half-truth", of which this seems to be. That and all that framing stuff others mentioned ;)
"1984" was meant to be a warning, not a guidebook. You hear that Kim Jong-il!? BushCo?!
YHBT. HTH. HAND.
It really makes no difference if these arguments can be used as a defense or not. THESE ARE NOT CRIMINAL CASES. There is NO JURY.
Basically, you can go before a Federal Judge and try to convince him you shouldn't pay $150,000 per song, or you can settle with the RIAA for ~$2000. To do the former, you'll need to hire a lawyer and be out more than $2000 anyway.
That's why it's so scary. These aren't criminal cases. Hardly anyone even goes to court to try and make a case at all.
"We shall show mercy, but we shall not ask for it" -- Winston Churchill
To publish something that relies on reverse engineering puts you open to charges under the DMCA. Reverse engineering PD software is easy (you have the source). Reverse engineering a closed source program isn't exactly impossible, look at Kazaa-lite, for example. However there are other PD clients to more popular networks such as eMule for ed2k (no disassembly required).
So you can still say that the RIAA's IP address is sharing movies and the MPAA's IP address is sharing MP3s for other networks.
About a year ago. There wasn't any punishment I'm aware of, but the network people didn't like the fact that they got quite a lot of those mails (big university, and obviously many people sharing).
If this is a defense strategy, the RIAA could turn it around into an attack strategy.
They could insist that now they need to confiscate all your computer equipment as evidence to confirm or deny the probable crime they detected, because the network 'evidence' is no longer trustworthy. This may sound unlikely from a legal perspective, but they've shown they have the power to make unlikely things happen (e.g. DMCA), and the arrogance to stomp on their potential customers. Instead of just getting a lawsuit delivered to you, you'd get a visit from enforcement officials to remove your equipment, along with a nice invitation to visit the courts in a year or two's time, at which point you may or may not get your gear back.
Not to mention that most home wireless networks are still running on their out-of-the-box (read no security) settings. How many people may have their IP hacked for filesharing through their wireless router?
Even the best security settings on most 802.11b boxes are hackable, often in 24 hours or less.
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
What we need is someone to write a virus that installs itself on Windows machines and honeypots the various common p2p protocols and gives results that the RIAA hate, like a few titles of Britney, Metallica, etc.
So when your IP address changes and you're still listed as a valid source, they get scanned and nailed with the legal mess.
That will put an end to this crap when they start suing innocent people in massive quantities.
Downloading mp3s of music that you do not own is illegal. I taught my son a lesson by destroying his iBook. The lesson is that if you work hard and save your money to buy something, once you break the law with it, it will be taken away. By the time he saves enough to buy another laptop (which will be around two years based on his after-school pay check) he will have learned that he was doing something bad and won't do it again.
So it's pretty obvious that you are a troll but you do inadvertently raise a good point about authoritarianism.
Destroying your son's personal property was an immature act. He knows it was a childish thing to do, and it caused him to lose respect for you as an authority figure and role model. You have eroded your ability to make moral judgments that he will respect.
If your child does not respect you, he will not listen to you. Because of the power you wield he will simply give the appearance of respect and obedience, but in reality will go behind your back and do whatever he wants. This is the behavior you are reinforcing. Why would he do any differently?
So in a way you are like the RIAA. The RIAA is destroying any respect the public had for it by suing its own customers for large damages, much like you destroyed your son's iBook. Now even if they had a valid moral position (e.g. sharing music is stealing from artists) people are disinclined to believe it, regardless of its veracity. Music sharing will go on - just behind the RIAA's back.
You and the RIAA both need to act like adults here and build trust by acting maturely. Then maybe you both will get the respect you desire.
That post was so trollish, Russ wants to prosecute you for copyright violations.
(If you don't understand my post, go here: http://cgi.ebay.com/ws/eBayISAPI.dll?ViewItem&item=2953758022&category=1206)
"No beer until you finish your tequila!" -Leela's Dad
Yea, someone send him a new iBook, lol. Poor kid has a troll for a parent. OK, my old man uses my computer and has downloaded mp3s a few times. I don't keep them, I just delete them. So should I take a hammer to my dad's fully restored 79 commrow for downloading an mp3? Sure it's not a computer, but it's the same concept. Well of course not, I simply told him not to use Kazaa 'cause the RIAA is on crack right now and suing the world. BTW, smashing the iBook was really stupid. You could have simply restricted his account so it couldn't download files, but I guess you're not that smart.
Second, on networks that allow search by signature - the searcher provides a signature so it is easy to fake a hit.
Lastly, are they really downloading? Unless they have downloaded from a peer that hosts the file (i.e., relaying networks can't be so targeted) they can't be certain that they have the copyrighted material.
See my journal, I write things there
Yes the RIAA has to make a good case for who they prosecute, but I think in order to use "someone could have framed me" as a defense, they'd have to provide a motive for why this person would have wanted to frame them.
In civil cases (for damages) I *think* judgement is by preponderance of the evidence, which means this will probably not be a good defense at all. A lot of things in court are decided on which cannot be proven 100%.
"he drew his sword Ringil that glittered like ice... and he wounded Morgoth with seven wounds..."
from your sig:
Micro$oft bashing and complex sarcasm yields "Karma: Bad". Guess I'm a Flame Baiting Troll
Writing Microsoft with a $ exposes you as a basement-dwelling 16-year-old having the first opinion of his life that doesn't involve his nappie. THAT's why your karma is bad.
Don't give up though.
The same weakness in Gnutella could be used by RIAA to simply make it impossible for people to find any of their copyrighted material. They could answer every search for their material with bogus locations of where it is located resulting in nobody being able to find where valid files are actually located.
Wasn't one of the features of freenet that you didn't know where things came from because nodes lied to each other about who has what? Also, things are cached all over the place when they're popular.
In Gnutella, don't you connect directly to the person who has your file after you find it? If so, I don't think merely *searching* for a file will provide for damages! And in order to actually connect the sender must know your IP address... but I guess that's between you and the sender at that point.
"he drew his sword Ringil that glittered like ice... and he wounded Morgoth with seven wounds..."
One of the obvious ways to scale up Gnutella was caching of search results. This would mean that even without framing there could be responses which are already irrelevant because the IP address was since reassigned, which could potentially produce the same effect. Without actually successfully starting the download, there is no way to know if the response is correct. Additionally, the original Gnutella protocol does not provide checksums, so even a correct response could point to the wrong file.
http://www.gnu.org/philosophy/words-to-avoid.html
How did they verify that she had a Mac??
;-).
The first thing I'd do if I got one of these letters is go out and buy the cheapest and crappiest old Mac that I could find and set it up with all my ISP details.
Would the ISP logs be able to verify that the mac you have now wasn't the machine you used previously??
Just a thought.
PS: If the server logs do differentiate between machines (Like MAC addresses for ethernet cards) then what if you used the same modem, somehow
That'll help to provide reasonable doubt! No... no, wait... these are civil cases, not criminal. There's no burden of proof, no assumption of innocence, no "reasonable doubt" defence.
All that the RIAA has to do is to show that the balance of probability is that the person on the other side of the courtroom is who the RIAA say they are and did what the RIAA say they did. Now, really, how probable is it that Kazaa users (which is who they are targeting) are likely to be the target of a malicious prank that's only been claimed (anonymously, and not yet independently verified) to be theoretically possible on Gnutella?
Sorry for the nasty little wake-up call, but civil cases aren't like Twelve Angry Men. If you're relying on this as a defence, I'd suggest changing your story to "a wizard did it", because that's a more probable explanation.
If you were blocking sigs, you wouldn't have to read this.
That's your first 'old joke' I've seen that made me laugh out loud. Thanks!
This is a digital world. Evidence is easy to fake and destroy. Picture a scenario where I download a BO (back orifice) client to my machine. Then it's up to the attorney to prove that someone didn't use that BO client to download things, first to my computer and then FTP:ing them to their own.
Does everything include nothing?
I doubt it.
"I taught my son a lesson by destroying his iBook."
Just so you know, you're raising a rebel.
"In any event, no one here has anymore right to judge my parenting skills than I do."
Perhaps not. But when everybody tells you what an idiotic parent you are being, I'd advise you listen. You don't have to agree, but seriously, listen.
"Derp de derp."
So, if someone spots you speeding, they are allowed to smash up your car?
"Downloading mp3 of music that you do not own is illegal. I taught my son a lesson by destroying his iBook. The lesson is that if you work hard and save your money to buy something, once you break the law with it, it will be taken away. By the time he saves enough to buy another laptop (which will be around two years based on his after school pay check) he will have learned that he was doing something bad and wont do it again."
Oh wow. I had no idea Dr. Laura visited Slashdot!
"Oh wow. I had no idea Dr. Laura visited Slashdot!"
Oh wow. I had no idea anybody that listened to Dr. Laura visits Slashdot!
"Derp de derp."
"Oh wow. I had no idea anybody that listened to Dr. Laura"
Oh wow. I had no idea that anybody listend to dr lara.
Ok i'm no computer expert, but that was interesting. I clicked on his link and it appeared that an attempt was made to telnet into my computer. When I clicked on the link in the lower left corner of my browser it said telnet://67.37.26.90:1234.
I do not think he succeeded in telneting in or doing anything else but I am not totally sure. I use Red Hat 9 Linux and the security settings for the iptables firewall are set to reject incoming telnet connections but to allow outgoing connections. I quickly typed ps -A to see what processes were running and did not see telnet listed. I also looked in a security log but did not see anything about a port 23 connection (not that I have much experience reading security logs or know what to look for). So did something get through? I have installed all the latest security patches.
I then went to the hackerwatch.org web page and had it scan all my ports and it said they were invisible. Does that mean that nothing was being shared or was open? I hope not. It was an interesting demonstration anyway about how easily an ordinary innocent computer user could be implicated! With telnet access I assume a cracker could have downloaded whatever music he wanted and the innocent person would look like he or she had done it.
Can some more knowledgeable person better explain what all happened or was supposed to have happened? I recognize the telnet command, the class A IP address, but what is the 1234? Was he mainly trying to telnet in? Was an attempt made to do anything else? I do not know much about hacking or security. I am still just learning about such things.
How could the RIAA prove someone is sharing? Do they show up in court with a printout with my IP number on it? I can make a printout of every IP number I can think of.
"So to punish your son for downloading music, which really doesn't have any value anyway, you destroyed a computer worth over 1000 dollars of your son's money?"
Sounds like some of that infamous RIAA math to me.
"Derp de derp."
How can they even show any evidence for which files actually exist on your hard drive? Kazaa and other P2P applications limit the number of returned results a user can retrieve for a query. Wouldn't they at least need a screen capture of a listing of all the files they claim are in violation? They couldn't just argue that since Kazaa told them Slashdot_Troll@Kazaa.com was online sharing 1,000,000 files that they were offering any music files among them. I can't think of any way they could enumerate the music files that any given user has without using an illegally modified client, which would be a violation of the DMCA. Would they just try random searches of file names for a given user? Or would they need to do something more sinister like misusing the IP address to actually gain access to the person's system. Does anyone know what kind of evidence they use to scare people into settling?
But I loved the comment at the end of the New Scientist article: "....Most Windows users will run any old attachment you send them, so if you want to implicate someone you can just send them a Trojan." Says it all really; just have a ready-to-install Trojan on your machine as a get-out-of-jail-free card.
I like either PDF or HTML. PDF is platform independent and viewers are available for various operating systems. I use Red Hat Linux 9 as my main operating system and PDF files work perfectly well with it. The Linux version of the Mozilla browser automatically calls xpdf and displays the file for me. It works well with Windows, Linux and probably Macs too. My only slight criticism of PDF is that on a slow dial-up connection some PDF files take about a minute or so to download.
I do agree that posting an MS Word file would not be good. For one thing, MS Word files sometimes have macro viruses in them. I do not know if that can happen with PDF or not.
> I taught my son a lesson by destroying his iBook.
You're an idiot, but the -1, Troll already says that. At least donate it to charity or something useful.
If you are using any version of Windows NT, it is not always wise to open untrusted telnet links. By default Windows will send the NTLM hash of the logged-in user to the remote server, which could be audited to recover the password in usually less than a day.
http://www.mtv.com/news/articles/1479466/20031001/ll_cool_j.jhtml?headlines=true
This is a short article on the recent Senate hearing on P2P.
"Chuck D wasn't about to let online freedoms be curbed. "P2P to me means power to the people," he said. "I trust the consumer more than I trust the people at the helm of these [record] companies."
mlMac connects to the Kazaa and eDonkey networks on OSX.
Darl McBride
You can't judge a book by the way it wears its hair.
Let's see the bigger picture:
The RIAA can successfully sue almost every single Internet user in the US, whether they are really guilty or not. They are in a position to threaten and settle with millions of citizens. This could be you if you're a US resident.
When the Law says everyone is guilty, it's time to change the law. If breathing was illegal and one company held the rights to breathing, should people just comply / settle / asphyxiate ?
IMHO this situation just shows that it's more than time to change the whole Intellectual Property principle to something that actually works.
So let's see the RIAA crucify every single P2P user whether they're guilty or not. Altogether now - "I'm Spartacus!"
So you can make it appear that someone is sharing something they're not.
Unless the RIAA actually tries to download it from that person -- then they'll know if it's spoofed or not.
Kazaa Lite is merely Kazaa minus the spyware installers and a hex-edited binary repackaged with an installer; absolutely no RE involved, all the buttons still work (except the button text is now missing). These are just kiddies, not assembler nerds.
Why doesn't Kazaa just mod their program to make it appear that every user is sharing RIAA files? Then the RIAA would never be able to figure out who is actually sharing them.
© 2004 The SCO Group, Inc. All Rights Reserved.
Last time I got a letter from the **AA, I checked it out and they had downloaded the entire file from me before sending the letter. Simply masking the searches won't help anything; they download the file directly from you.
This paper is weak, at best.
RIAA isn't suing unless it actually connects and downloads at least enough of the file to determine it. Merely saying you have a file doesn't mean you have successfully shared it.
Also, the reason for setting the IP is that you may have your router/firewall port forwarding
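Added example (mine, not code from the paper, from any client, or from any poster above) showing why the "they'll know if it's spoofed" and "they download the file directly from you" posts are right. In Gnutella 0.4 a QueryHit carries the responder's IP and port as plain payload fields; the sender fills them in itself and the hit is relayed back hop by hop, so the address in the hit is a claim, not something the receiver observed. The code builds a hit pointing at an arbitrary third party, parses it the way a client would, and then shows the only two things an investigator can actually check: whether the advertised address is the peer the message arrived from, and the direct-download request that would have to succeed against that address. Field layout follows the 0.4 protocol description; the assumed values (10.0.0.5, 6346, file names) are constructed.

```python
import socket
import struct
import uuid

QUERY_HIT = 0x81  # payload descriptor byte for a Gnutella 0.4 QueryHit


def build_query_hit(advertised_ip, advertised_port, files, speed=56):
    """Build a Gnutella 0.4 QueryHit (23-byte header + payload).

    The responder writes whatever IP and port it likes into the payload;
    nothing in the protocol ties those fields to the socket the hit is
    actually sent on, so a forged hit can point at a third party.
    files: list of (file_index, file_size, file_name).
    """
    payload = struct.pack("<BH", len(files), advertised_port)   # hit count, port (LE)
    payload += socket.inet_aton(advertised_ip)                  # IP in network byte order
    payload += struct.pack("<I", speed)                         # claimed speed, kbit/s
    for index, size, name in files:
        # each result: index, size, NUL-terminated name, plus a second NUL
        payload += struct.pack("<II", index, size) + name.encode() + b"\x00\x00"
    payload += uuid.uuid4().bytes                               # 16-byte servent id
    header = uuid.uuid4().bytes + struct.pack("<BBBI", QUERY_HIT, 7, 0, len(payload))
    return header + payload


def parse_query_hit(msg):
    """Parse a QueryHit descriptor into a dict; ValueError on malformed input."""
    if len(msg) < 23:
        raise ValueError("short descriptor header")
    kind, ttl, hops, plen = struct.unpack("<BBBI", msg[16:23])
    if kind != QUERY_HIT:
        raise ValueError("not a QueryHit")
    payload = msg[23:23 + plen]
    if len(payload) != plen or plen < 11 + 16:
        raise ValueError("truncated payload")
    nhits, port = struct.unpack("<BH", payload[:3])
    ip = socket.inet_ntoa(payload[3:7])
    speed = struct.unpack("<I", payload[7:11])[0]
    files, pos = [], 11
    for _ in range(nhits):
        index, size = struct.unpack("<II", payload[pos:pos + 8])
        pos += 8
        end = payload.index(b"\x00", pos)
        files.append((index, size, payload[pos:end].decode(errors="replace")))
        pos = end + 2          # skip the name terminator and the extra NUL
    return {"ip": ip, "port": port, "speed": speed, "hops": hops,
            "files": files, "servent_id": payload[-16:]}


def advertised_matches_sender(msg, observed_peer_ip):
    """True only if the advertised IP is the address the hit was actually read from.

    False means the hit was relayed (normal in Gnutella) or the sender lied;
    either way the address is a claim, not evidence.  Only a successful
    direct download from that address settles it.
    """
    return parse_query_hit(msg)["ip"] == observed_peer_ip


def download_request(hit, which):
    """Request a client sends to the advertised host to fetch one listed file."""
    index, _size, name = hit["files"][which]
    return (f"GET /get/{index}/{name}/ HTTP/1.0\r\n"
            "Connection: Keep-Alive\r\nRange: bytes=0-\r\n\r\n")


if __name__ == "__main__":
    # constructed: a hit that names an innocent third party as the source
    forged = build_query_hit("10.0.0.5", 6346, [(1, 3_000_000, "metallica-unforgiven.mp3")])
    hit = parse_query_hit(forged)
    print("advertised source:", hit["ip"], hit["port"], hit["files"])
    print("came from the advertised host?", advertised_matches_sender(forged, "192.0.2.7"))
    print(download_request(hit, 0))
```

A logger that records only what the hit says has nothing; a logger that records the TCP peer it received the hit from has the relaying neighbour, not the origin. The download request is the step that produces usable evidence, and it is also the step that fails when the advertised host never had the file.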
The lesson is that if you work hard and save your money to buy something, once you break the law with it, it will be taken away.
This message brought to you by the Department of Justice and the Department of Homeland Security.
In any event, no one here has anymore right to judge my parenting skills than I do.
Yet you post on a public board, albeit anonymously. Wonderful.
Just remember, karma isn't just a modpoint, and she has a penchant for nice juicy asses.
Mod Karma -1: I sed bad wurds. If I cep my mouf shut, I wud be at riyses.
I didn't know I had Kazaa on my machine. A hacker must have put it there and used my machine for file sharing. Prove it was me and not a hacker. I run Windows.
I mean, really, it's windows. I could find plenty of windows machines out there to hijack and use for file sharing if I wanted to. Any script kiddie could. How improbable is the defense? Well, given Microsoft's security record, I think it's plausible enough that the RIAA couldn't stand up to it. Just my own thoughts, though.
It's different in that a gambler not paying his money on time has not broken a law, he merely has a debt. It's different in that destroying a possession of someone is quite, quite different to inflicting a crippling injury. It's different in that the man posting is the parent of the child, and has a duty to bring his child up morally and ethically, and is carrying out actions to do so, rather than in an attempt to scare someone into giving him money.
It's different in so many fundamental and critical ways that I hope *you* don't own any guns. Your twisted view of reality, and strange analogies could well turn you into a statistic.
I can't believe the parent got modded up
When I was a child, if I used a toy for something it shouldn't have been used for (example, firing a spud gun at other kids) my mother would take it away and BIN it, just like this man did to his son's iBook. It seemed harsh at the time, but I cannot deny that it was also fair.
How do you know? All evidence seems to be contrary to your belief. There's been more inventions and works of art coming from places/periods/individuals without any "IP" protection than the opposite. In fact, I dare you to mention a dozen inventors who got rich on their own inventions because of "IP protection".
What happens is often either of:
1: The creator works for a company, and gets nothing himself, and the company or company owner gets both the fame and the money (like Alexander G. Bell). This doesn't spur the creator to produce or disclose new creations.
2: The creator is already rich and able to fight for his "IP rights", making a fortune. In that case he's probably spent more time fighting than creating, but more important, he's become rich and has little incentive to continue creating.
What makes a creative person continue to create, then? Recognition is a good incentive. Being able to freely discuss with peers is another important factor, which both improves the end result, cuts down on time and expenses, and gives a true synergy effect, where people boost each other's work. Not being bound up in bureaucracy (like spending all your time with lawyers and courts) is also a plus.
Someone like W. A. Mozart created more than 70 symphonies, opera and concertos before he was 35. Without "IP protection". I bet had he lived in the US today, he would have produced less than a handful, while making big corporations and lawyers rich.
Regards,
--
*Art
Obviously this is a very harsh punishment, however it is also very effective. There are no costs to society for jailed thieves, and levels of robbery and similar crimes are almost ZERO in countries which employ such punishments.
It is not something I wish to see in my country, but your post appears to write it off as instantly wrong, but it's a very subjective area. Is the loss of hands to thieves really worth the incredible cost to society of thievery and robbery? I say it's not a clear cut issue.
Depending on how the RIAA is getting their lists, the article is at best fallacious and at worst deceptive.
Supposedly the RIAA is going after people who've been sharing more than a thousand titles. It is highly unlikely the RIAA would've gotten this information by sniffing the network or by putting out queries; it would just be too impractical. Gnutella hosts will very often put a list of what they're sharing up in the form of a web page, and if the RIAA were reading the page, they'd be retrieving it directly from the user's verifiable IP.
Similarly, other networks have the option to "browse this person's list". From what I understand none of these networks route the results of such requests through any sort of indirection; the data is also transferred via a direct connection to the "offender's" machine.
Any form of evidence can be fabricated. In determining whether a piece of evidence is admissible, a judge looks for a proper foundation. One of the necessary elements is a finding that a reasonable jury could find that the evidence is what its proponent says it is. This is referred to as "authenticating" the evidence.
A proper authentication might only require some testimony from an investigator showing how they got the ip address, and how they connected the ip address to the user. If they got it by monitoring Gnutella file requests, you could argue that that carries the same risks as hearsay. It is unreliable because it is not a message coming directly from the accused's computer. But it still would probably go to the jury.
You would have to hope that a jury would not find for the evil RIAA... but they will NOT be told what the penalty is, because that isn't relevant to determining the facts. The liability for copyright violation is specifically defined by statute, so the jury doesn't need to know that to determine whether a copyright violation occurred.
(I am a 3rd year law student)
I was under the impression that freenet did something like that.
Forgive me, but I have no idea what point you're trying to make. Could you restate?
Enable 3D printed prosthetics!
What would happen if there existed a piece of malicious code (virus, worm) whose sole purpose was to install an automated gnutella client? What if this client "logged in" and uploaded/downloaded files at random intervals (so as not to flood the network)?
The user would see no adverse effects and would not be aware that his/her machine was a fully qualified "file sharing" host. The internet would be populated with gnutella "mirrors" that automatically store and forward files. And, the RIAA would have a very difficult time proving in a civil court that the user was intentionally downloading their music files. Any defendant could simply claim that their machine was compromised by the malicious code and that the file sharing traffic observed by the RIAA was created by that code. If the code was successful in propagating itself, its existence would be reported by the media and the average user would be aware of its existence. Of course, a user could still download files with a real gnutella client, perhaps even from himself! It would seem to me that this hypothetical code would give anyone a plausible benefit of the doubt in a civil court and the RIAA wouldn't be able to sue anybody.
Or are actually innocent.
Someone already brought up the preponderance of evidence "guilty" qualifier of civil case.
But there's also the nice little fact about self-incrimination: you have no 5th Amendment protection in civil court. So unless you're innocent, you'd have to be willing to add perjury (an actual crime) in defense of a civil complaint (which should be ridiculous... but almost seems appropriate since the civil courts are being used as a corporate 20 lashes).
Listen to a bunch of whiny little brats on slashdot for parenting advice ? bwahahahaha ... that's a good one.
I taught my son a lesson by destroying his iBook...By the time he saves enough to buy another laptop
Note to your son: save your money to move out instead.
P.S. Don't grow up to be a troll
What we should do, then, is modify the Gnutella client to automatically send lots of spoofed requests. Then my legal defense isn't just theoretical.
Heck, lets go further, and use the spoofing when we actually retrieve files. If I can spoof someone else's address, and have that person forward the file to me, I'd be pretty safe on requests.
I'm still screwed if they request a file from me, though. So what I'll do is, whenever someone asks me for a file, if I don't have it I'll go get it, and just forward it to them. That way they won't be able to tell what files I actually have.
I still might be liable just for forwarding, if I know about it. So I'll use an encryption protocol that keeps me from knowing what's on my own machine. I'll base the key on the filename, so anybody with the name can find the file and decrypt it, but since I just have the files I would have to randomly try keys to figure out what they are.
And I'll wrap the whole thing in a bunch of free-speech-for-chinese-dissidents rhetoric so I have a legitimate noninfringing use.
Oh, wait. I just described Freenet.
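Added example (mine, not Freenet's code and not from any poster above) of the one step in that post that is a real design rather than a joke: deriving both the lookup key and the encryption key from the file's name, so a node can store and serve a blob without being able to say what it is, while anyone who knows the name can find and decrypt it. The construction here is a sketch (two SHA-256 derivations and a SHA-256 counter keystream standing in for a real cipher); Freenet's actual keyed-by-name keys are built differently. The last function shows the caveat the poster skipped past: the node operator does not have to "randomly try keys", only guess names, so a file stored under a guessable name is not hidden from whoever holds the blob.

```python
import hashlib
import os


def derive_keys(name):
    """Routing key (what the store is indexed by) and content key, both from the name."""
    routing = hashlib.sha256(b"routing:" + name.encode()).digest()
    content = hashlib.sha256(b"content:" + name.encode()).digest()
    return routing, content


def keystream(key, nonce, length):
    """Toy counter-mode keystream from SHA-256; a stand-in for a real cipher."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def insert(store, name, data):
    """Encrypt under the name-derived key and file the blob under the routing key."""
    routing, content = derive_keys(name)
    nonce = os.urandom(16)
    store[routing] = nonce + _xor(data, keystream(content, nonce, len(data)))
    return routing


def fetch(store, name):
    """Anyone who knows the name can locate and decrypt; None if not stored."""
    routing, content = derive_keys(name)
    blob = store.get(routing)
    if blob is None:
        return None
    nonce, body = blob[:16], blob[16:]
    return _xor(body, keystream(content, nonce, len(body)))


def guess_contents(store, candidate_names):
    """What the node operator can learn about what they hold: exactly the
    names they can guess.  A dictionary of popular track names is enough."""
    found = {}
    for name in candidate_names:
        routing, _ = derive_keys(name)
        if routing in store:
            found[name] = fetch(store, name)
    return found


if __name__ == "__main__":
    node = {}                                  # constructed: one node's datastore
    insert(node, "metallica-unforgiven.mp3", b"ID3\x03\x00... constructed bytes")
    print("stored under opaque key:", list(node)[0].hex()[:16], "...")
    print("guessed:", guess_contents(node, ["britney.mp3", "metallica-unforgiven.mp3"]))
```

The "I can't know what's on my own machine" argument therefore only holds for names nobody has bothered to guess; a node holding files under well-known names can be shown to be holding them by the same people it was meant to hide them from.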
I'm not familiar with American law, but surely the issue of copyright is that it is illegal only to DUPLICATE copyrighted work...?
Here's what I'm getting at. If the RIAA search through P2P networks and find you have copyrighted files available for download, they must still prove that you knowingly duplicated them illegally. Right?
On the other hand, if someone downloads a copyright file from your computer, then the crime is theirs, not yours.
Furthermore, assuming you are caught downloading copyrighted files. Would it be a reasonable defence that you weren't aware the material was copyrighted? Normally, copyrighted stuff comes with all sorts of labels and warnings etc, and on P2P networks, these warnings are non-existent. Could you build a defence on grounds that, without the copyright warning, you assumed the material was public domain, pushing blame back to the last guy who did the copying and who failed to attach the copyright warning.
cheers,
f.
Here's an example of precedent, only it was with kiddie pr0n ... not MP3s.
The poster doesn't understand the burden of proof. In most civil cases, the burden of proof is that the plaintiff (RIAA) has to prove their case by a "preponderance of the evidence". What this really means is that they have to show that their claim is more likely to be true than not.
It isn't the much more difficult "beyond a reasonable doubt" burden of proof in criminal cases.
So, in one of these RIAA cases, a defendant's lawyer can argue that the defendant could have been the victim of this sort of hacking, but it's up to the trier of fact to decide whether or not this was actually likely to occur. And frankly, RIAA could get an expert witness to testify that while this loophole may exist, there isn't any likelihood that it was ever exploited prior to, say, today when this story was posted on /.
Even in a criminal case, the jury would not have to come to the conclusion that the possibility of this sort of hacking creates a reasonable doubt preventing the jury from issuing a guilty verdict.
It's a defense, and it'll help, but don't expect it to be the magic pill that will throw RIAA cases out of court.
144l. ph34r my 133t l3g4l 5k1lz!
Not keeping the records for when the feds come looking for a terrorist may be in violation of that stupid act.. and invite criminal charges against the ISP for destroying evidence.
---- Booth was a patriot ----
...find out which accounts on filesharing systems are really RIAA spies, we could frame them for sharing illegal files.
Eternal vigilance only works if you look in every direction.
I'm surprised nobody considered this before. If the RIAA is hunting you down for FILENAMES, then who knows. I could take a 3 meg text file full of 1's and 0's and name it metallica-unforgiven.mp3, and get sued. I say they have to download every file, and listen to it. Lets see how many lawsuits they have then.
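Added example (mine, not from any poster or from any RIAA tool) of the check that post is asking for: deciding from the bytes, not the name, whether a file is actually MPEG audio. An MP3 either starts with an ID3v2 tag ("ID3", version, flags, a 4-byte syncsafe length) followed by an audio frame, or starts with the frame directly; a frame header begins with 11 sync bits and has version, layer, bitrate and sample-rate fields whose reserved values never appear in real audio. The sample inputs are constructed: a real-looking frame header, an ID3 tag in front of one, and a file of ASCII ones and zeros named like a song.

```python
def _syncsafe(b4):
    """ID3v2 sizes use 7 bits per byte so the value never contains 0xFF."""
    return (b4[0] << 21) | (b4[1] << 14) | (b4[2] << 7) | b4[3]


def _valid_frame_header(h):
    """True if h starts an MPEG audio frame with no reserved field values."""
    if len(h) < 4 or h[0] != 0xFF or (h[1] & 0xE0) != 0xE0:   # 11 sync bits
        return False
    version = (h[1] >> 3) & 0x3        # 01 is reserved
    layer = (h[1] >> 1) & 0x3          # 00 is reserved
    bitrate = h[2] >> 4                # 1111 is bad; 0000 ("free") is rejected here too
    samplerate = (h[2] >> 2) & 0x3     # 11 is reserved
    return version != 1 and layer != 0 and bitrate not in (0, 15) and samplerate != 3


def looks_like_mp3(data):
    """Skip an ID3v2 tag if present, then require a sane frame header."""
    pos = 0
    if data[:3] == b"ID3" and len(data) >= 10:
        pos = 10 + _syncsafe(data[6:10])
        if data[5] & 0x10:             # footer flag: another 10 bytes after the tag
            pos += 10
    return _valid_frame_header(data[pos:pos + 4])


def classify(samples):
    """Map each (name, bytes) to whether the content, not the name, is MP3."""
    return {name: looks_like_mp3(data) for name, data in samples}


# constructed samples: a bare frame header, a tagged frame, and a fake
FRAME = b"\xff\xfb\x90\x00" + b"\x00" * 32            # MPEG-1 Layer III, 128 kbps, 44.1 kHz
TAGGED = b"ID3\x03\x00\x00" + b"\x00\x00\x00\x05" + b"\x00" * 5 + FRAME
FAKE = b"01" * 1500                                    # text named like a song

if __name__ == "__main__":
    for name, ok in classify([("real.mp3", FRAME), ("tagged.mp3", TAGGED),
                              ("metallica-unforgiven.mp3", FAKE)]).items():
        print(f"{name}: {'MPEG audio' if ok else 'not audio'}")
```

This is a header check, not proof of which recording the file is; it separates the renamed text file from real audio, and a listing alone separates nothing.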
I'd be mending some fences, my AC friend.
You were 80% angel, 10% demon. The rest was hard to explain. - Over The Rhine
"Math in a song is good."-Linford
http://www.iss.net/security_center/advice/Intrusions/2000905/default.htm
The UFSDF was setup to help fight the RIAA
smile, it makes everyone else wonder what you're up to
In the article posted, the author stated that ALL of the major P2P clients out in the wild are susceptible to one or more of the attacks he listed. He only used Gnutella as an example since apparently the protocol is open, hence easier to sift through the code and provide specific examples of vulnerable code. According to the author though, Kazaa, iMesh, etc. are all open to attacks like these.
"Hell hath no fury like a woman scorned for SEGA. ..."
Here is a good strategy: Install an access point at your house if you don't already have one. Then claim that people other than your family have access to your connection and it could have been them that downloaded the material. There is a shadow of a doubt.
Khurram Khan
Really, a lot of it depends on whether or not the parent purchased the original iBook, but beyond that:
Actually "destroying" the iBook is an extreme measure. Confiscating it, perhaps selling it, would be more productive. Destruction is indicating a certain amount of unstable anger coming from the part of the parent.
Now, if the kid paid for the ibook himself, as the parent semi-indicates:
By the time he saves enough to buy another laptop
Now if you've destroyed the iBook that the kid bought himself, you've destroyed the property of another person. I don't know how property laws work in the states (I know there are some legal niggles about ownership if you are under a certain age), but this is still basically an act of vandalism. Even if the laptop were a gift it would still fall in the this category.
It seemed harsh at the time, but I cannot deny that it was also fair.
How about if I see you riding your bike late without proper reflectors, or a helmet. In some places that's illegal too... should that give me the right to dismantle your bicycle... should it give a parent that right?
How about your car. I know you've been speeding with it. Rather than taking away your keys, I'm going to drop a match in your gas-filled engine. How does that sound? Not very fair either... even if I were your parent.
(no, I'm not going to do the above but) hasty actions taken based on "anger-impulses" are rarely fair. Destructive tendencies run parallel to these actions: why destroy when you can remove, or disable? This is a case of venting one's own idiocy and frustration, not fair in the least. The parent who wrote the initial comment should probably seek some counselling.
I'm sure some of the jailbait vids also have jailbait music :p
Kjella
Live today, because you never know what tomorrow brings
of a math class where we studied Venn diagrams briefly: A intersects B, C encircles A and B, D intersects C and so on. It is endless. With the internet, just when someone says "gotcha" someone else says "no, I got you". This situation with the recording industry only shows what the internet should not be used for: sticking it to some person on the (web) street because someone else needs to make a house payment or is just plain greedy.
I eat my grapes at room temperature, cuz the cold ones hurt my teeth
There is no P2P service in which files pass through nodes. The bandwidth cost would be prohibitive. If user A sends a file to user C, what advantage is it to send through user B, apart from eating his b/w?
Not only A->B->C, but more like A->B->C->D->E.... and you don't know where the chain starts nor ends. Since there's no central server, no specific node is overloaded (well, IMO the entire network is overloaded, but that's another story).
But yeah, it sucks for bandwidth. I got 256 kbit upstream; imagine that a 10 node request average (i.e. I'm node 1 on some requests, node 10 on others) will have an average of 25.6 kbit/s each. Welcome to modem land. Throw in the inefficiencies of the system, even slower.
But yes, Freenet works. And since you "publish" files, not share them, you get the distributed download advantages of Bittorrent to offset some of the problem. It might not match Bittorrent speeds, but it does in fact work for quite large files. I know someone has dragged a Linux ISO through it just to prove that it can be done, though expect it to take a week....
Kjella
Live today, because you never know what tomorrow brings
[RIAA] Those ugly criminal filesharing programs are stealing the earnings of our poor, innocent artists who are just trying to make a living. [/RIAA]
If you want to try a mind twister, try realizing that RIAAs friends (their customers) are also their enemies (the pirates) and try to apply some "the enemy of my friend is also my enemy" logic.
Kjella
Live today, because you never know what tomorrow brings
Dude, you're a freaking psychopath. Destroying an iBook just because your son downloaded a couple of MP3s is just..... well, insane!
What next, you sellotape his mouth shut if he comes home drunk under-age?
"mp3 music is illegal"
Really? Even independent music that's intentionally up for download in order to get exposure? Or MP3s that are created by ripping the contents of one's legally purchased CDs to one's hard drive for the purposes of putting them into a larger playlist?
They used Gnutella because they needed to use a protocol that could be extracted without legal problems from the source code. Kazaa have already shown themselves to be litigious. Their code has been reverse engineered in the form of Kazaa Lite, but the authors wanted to use something that wouldn't open them up to problems under the DMCA (yes, ironic isn't it). ED2K would possibly have been a more popular protocol and also available through the public domain clients like eMule.
Once again I sit at my desk in Canada and read about this RIAA fiasco. It seems like in America someone is always looking for a fight, not a peaceful resolution. This only hurts society in the long run and creates division among the masses. Up here in the North we don't view our citizens as "the enemy". To view how Canada has managed to find a respectable solution to this issue click here. This is the official government decision.
:)
If anyone is interested we have lots of room up here. The winters are cold but the bandwidth is plentiful and cheap
I had an idea on how to turn the tables on the RIAA. I am just not sure how much time/money would go into my plan. Copyright a piece of music, anything will do, just record yourself wailing away on a guitar, keyboard, 5 gallon bucket, etc, then copyright it. Post it on Kazaa under a name like Britney Spears/Metallica, anything that will grab the RIAA's attention and other people's attention so it gets downloaded. Then when the RIAA downloads it to check it (MD5 sum or whatever they use) they just violated the DMCA! Now you can sue the RIAA for violating your copyright (you were going to sell your 5 gallon drum music for a bundle). Like I said, I am not really sure if this is plausible (I am not a lawyer, though I did get a 164 on the LSATs :)
To review:
Step 1: Copyright a piece of music
Step 3: Sue RIAA
Does KaZaA or Gnutella find the actual IP address the user is at, or simply the proxy IP they may be using?
What happens if they subpoena a proxy IP?
All someone has to do is run with a proxy of one of the 'high anonymity' found at this site, one of many, and really smooth people can probably create a chain of proxy servers to run through to hide their true IP.
...and that's the way the cookie crumbles.
hey Dad, what cha gonna do when that boy gets caught speeding in your car? More to the point, what are you gonna do when YOU get caught speeding? or running a red light? or feeding the parking meter past the time limit? Did you ever photocopy a magazine article? It's called copyright infringement, and it's illegal? Or instead of photocopying the magazine, maybe it just walked out of the library. That is called theft.
Does KaZaA or Gnutella find the actual IP address the user is at, or simply the proxy IP they may be using? What happens if they subpoena a proxy IP?
This is a good point. Right now the RIAA is only targeting US file sharers, and they do this by tracking the IP of the user they download the content from. If US filesharers used proxies in other countries, they would perform an end run around any potential RIAA threat.
The only problem is that proxies at least double the latency and bandwidth use for a given file transfer or query. This usually means that you either cut the download rate significantly, or use high bandwidth dedicated proxies to handle this increased traffic.
Some of the newer file sharing networks, like the one out of the Palestinian refugee camp (don't remember the name) do use proxies in foreign countries in addition to other cryptographic techniques to keep communication private.
>Reverse engineering PD software is easy (you have the source). How is it "reverse engineering" if you have the source?
Avoid Missing Ball for High Score
I got this PDF a few days back on the full-disclosure mailing list...
is slashdot really this slow these days???????
the riaa went after major filesharers. they aren't going to sue someone with 5 tracks of Britney. bottomline: fuggedaboudit.
If you have source code, reverse engineering is legal, but the idiots on the hill have forbidden us from doing this with binaries. Many issues are similar though.
I should qualify this by saying that I have been eking out a living trying to support a legacy app the size of the Linux kernel but with much poorer structure and documentation.
How much of the monies collected from these civil suits will actually make it back to the artists who actually did the works that have been infringed? I would say none; the logs and records the RIAA is keeping aren't specific enough to really make "amends" to the artists. This is no different than DirecTV suing whomever for the possibility of whomever "stealing" signal............... Posted as anonymous due to the fact that I am damn tired of keeping up with 37 passwords and user names and can't remember which one is for here.
Chopping off the hands is very effective in 3rd world countries. I'm not making a judgement about it, I'm just trying to demonstrate the extreme that this person went to.
I taught my son a lesson by destroying his iBook.
That's pretty screwed up. How would you like it if you got a speeding fine and your father destroyed your car? And instead of trashing the iBook, you could've put it to good use by donating it to someone else who could use it.
In any event, no one here has anymore right to judge my parenting skills than I do. I think I speak for the majority of Mac users by saying that we don't appreciate sarcasm and most of all being talked down to. good day.
Nice troll. I'm a Mac user and I'm glad you don't speak for me.
I don't doubt that the other protocols _could_ be vulnerable to this sort of spoofing. My point, though, was that since they actually did the analysis on a protocol that is used by only a fairly small percentage of file sharers, it probably can't form the basis of a legal defense of people getting subpoenaed by the RIAA.
I wouldn't call Kazaa-Lite reverse engineering; all they did is take the Kazaa binaries and strip out the adware and spyware, leaving the core of the application untouched.
Enable 3D printed prosthetics!