Slashdot Mirror

← Back to Stories (view on slashdot.org)

Oklahoma Security Expert Attacks RIAA Claims

Posted by kdawson on from the resting-on-shifting-sands dept.

NewYorkCountryLawyer writes "A group of Oklahoma University students has made a motion to vacate the ex parte order the RIAA had obtained compelling the university to turn over their names and addresses. In support of their motion was the expert witness declaration (PDF) of a computer security and forensics expert who essentially attacked the entire premise of the RIAA's lawsuit, characterizing the declaration upon which the RIAA based its motion as 'factually erroneous' and 'misleading.' Among other things he pointed out that 'An individual cannot be uniquely identified by an IP address,' and that 'Many computers can be connected to the Internet with identical IP addresses as long as they remain behind control points.' The students are represented by the same Oklahoma lawyer who recently obtained a award for $68,000-plus in attorneys fees against the RIAA in Capitol v. Foster."

13 of 280 comments (clear)

  1. What's taken so long? by willow · · Score: 5, Informative

    I'm wondering why it's taken other lawyers so long to realize the RIAA is ripe for fleecing with their undefendable suits. Surely the lawyer vs. lawyer guys would have figured out by now that the RIAA, with so much $$$, is ripe for plucking...

    I'm actually ashamed of this, BTW :)

    --
    Moderation in everything, including moderation.
  2. OSU, not OU by epmos · · Score: 3, Informative

    Nitpick:
    TFA says the 11 students are at Oklahoma State University (OSU), not that Other University to the south (OU).

    [ Yes, I am an alumni of OSU. ]

  3. Many computers, one IP address. by Farfnagel · · Score: 0, Informative
    I can have as many as 40 computers running on my very basic home network. They will each and every one have the same IP address.

    As usual, the RIAA is full of shit.

  4. Re:Oh come on by NewYorkCountryLawyer · · Score: 5, Informative

    The problem seems to be growing the awareness of these basic facts among the judiciary: cases like this can only help in that regard, I'd think. Those of the legal mind are fond of informing laymen that the law is complex and ever-changing and that only one who is properly trained could possibly comprehend its intricacies. I personally believe that the law is often more complex than it needs to be (and that is certainly no accident) but, okay, I'll buy that argument. As an engineer I cheerfully admit that the law is an arcane mystery, and I would certainly never set foot in court without proper representation. However, the truth is that the global network and the technologies behind it are pretty goddamn complex as well, and change more often than the average trial lawyer changes his boxers. Gross oversimplifications and prevarifications regarding network technology, such as those pulled out of thin air by the RIAA's so-called "expert witness", have so far resulted in several severe miscarriages of justice. Unfortunately, while it is a necessity to have legal representation in a technical case, there seems to be no corresponding requirement that the legal beagles involved have a clue about technological underpinnings of said case. Given how successful the RIAA has been with the testimony of Mr. Linares, it's apparent that expert witnesses are of no help when the people making the legal decisions don't have the mental knowledge base to tell the wheat from the chaff. The Linares dribble -- like the Whitehead dribble which preceded it -- "succeeded" only because it was used only in ex parte cases, where there was no opposition. Now that opposition is starting to form, and now that judges are starting to reject even the ex parte motions, awareness may be growing among members of the judiciary.
    --
    Ray Beckerman +5 Insightful
  5. Re:A little oversimplified... by tftp · · Score: 4, Informative
    Indeed, I read his deposition and basically all he does is state that you are anonymous behind a NAT. I am sure the logs do not indicate that 192.168.1.250 is the offender. There must be something more tangible. The expert probably just refuted literal RIAA's statements, ignoring the context (I haven't seen the logs so can't say for sure.)

    One thing, though, he could have mentioned - various IP spoofing methods. Imagine you are on a DHCP network (on campus, for example.) You ask for an IP and you will get it, and this will be logged: "00:f0:3e:45:33:66, authorized as belonging to John Doe, asked for an IP and got 10.0.15.213 for 6 hours". Nice. However what if you want to misrepresent yourself? An enterprising student can use ping and arp (if not some better tools) to find out what IP and MAC addresses are online, and once some of those computers go to class (or to sleep, for example,) take over the MAC address and ask for a new DHCP lease ... done, and you have a new shiny IP address, perfectly logged as belonging to John Doe whereas you are someone else entirely.

    This would clearly demonstrate that the DHCP has no authentication beyond the MAC address, and that can be easily changed on many cards. Any judge, however technically illiterate, can understand that if you can get any identity by just asking then it's pointless to hold the identity owner responsible.

    This text, as seen here, would be relevant in the expert's refutation:

    Unfortunately it's the very simplicity of DHCP that's actually the problem as far as security goes. No authentication or authorization takes place during an exchange between a DHCP server and DCHP client, so the server has no way of knowing if the client requesting the address is a legitimate client on the network, and the client has no way of knowing if the server that assigned the address is a legitimate DHCP server. The possibility of rogue clients and servers on your network can create all kinds of problems.

  6. Re:As a matter of curiousity... by NewYorkCountryLawyer · · Score: 4, Informative

    You missed the one a week or two ago where they were about to start going after Harvard - and Harvard's response was, in effect, "get bent"? Not so. They've never gone after Harvard and probably never will.

    That's because it's not in the RIAA's playbook to pick on someone who can fight back.

    The articles you're thinking of, by Harvard Law School profs, "Universities to RIAA: Take a Hike" and "Protect Harvard from the RIAA", urged Harvard and other universities to fight back if the RIAA were to come knocking.... but so far it hasn't come knocking at Harvard.

    And don't hold your breath waiting for it to do so.
    --
    Ray Beckerman +5 Insightful
  7. Re:Sad thing is... by zippthorne · · Score: 2, Informative

    geez, this meme is almost a decade old. enough, already.

    --
    Can you be Even More Awesome?!
  8. Re:A little oversimplified... by Dunbal · · Score: 3, Informative

    Early in the report it cites an example of someone downloading child pornography sitting in a car by "hacking" a wi-fi network. Only at the end of the report does it admit that the network was unsecured.

          Ok, now tell me how hard it is to hack a WEP-enabled wireless network? It takes all of what, 90 seconds?

    --
    Seven puppies were harmed during the making of this post.
  9. Re:Sad thing is... by Anonymous Coward · · Score: 4, Informative

    No matter who comes out on top only the lawyers win. :/


    Mmm.. I doubt it. I'd be surprised if most of the lawyers defending RIAA "victims" (for lack of a better word) are charging their full rates, considering they're mostly defending poor college students.

    On the other hand RIAA lawyers aren't paid by the hour, and whether they win or lose their salary is the same (you think they're working for a percentage of a $10,000 settlement?)

    They've created a climate of fear, which is all this has been about from the beginning. If they win a case the reward is a pittance to them, if they lose, well, they can afford it. Either way, considering the press it's still generating a lawsuit costs much less and is much more effective than a prime time television ad campaign. Unless there's some way to assign a penalty that really hurts or put a stop to their abuse of the legal system altogether they will continue to sue even if they lose almost every case.

  10. Re:As a matter of curiousity... by i)ave · · Score: 2, Informative

    As some have pointed out, this legal attack involves students from Oklahoma State University, about 15,000-20,000 students. For the record, OSU does not have a school of law. The University of Oklahoma has a school of law, as does the University of Tulsa, and Oklahoma City Univesity. One wonders if the RIAA is focusing its efforts on big universities and the publicity they generate, but avoiding those universities that have a school of law (and the professors of law that accompany them) to avoid the scenario you mention.

    --Dave

    --
    -- I'd give my right arm to be ambidextrous
  11. Re:Oh come on by Buran · · Score: 2, Informative

    Wow, did you miss the point. You yourself admitted that the driver (the guilty party) can't be identified. You can't accuse anyone of doing something illegal and prosecute them unless you can prove beyond a reasonable doubt that the individual is guilty. And the accused has a right to face their accuser in court.

    --
    i am a soviet space shuttle
  12. Re:A little oversimplified... by mdmkolbe · · Score: 2, Informative

    Is the "expert" a native English speaker? "Botnet, Trojan, and Back Door are example of malicious codes..." Aside from the grammatical atrocities, I have never heard of my fellow software engineers referring to software programs as "codes." A back-door is not a "code" or a program, nor are botnets. Bots are, Trojan (Horses) are, and they can open back doors. Precision, please?

    First, this is an ad hominem attack.

    Second, it's not even a very good ad hominem attack. There are a lot of (native English speaking) people that use the plural form (i.e. "codes") instead of treating it as a mass noun (i.e. "code"). It seems to be more common among the older generations of programmers. (I personally think it should be a mass noun, but I'm just pointing out that a significant minority use the plural form. Sort of like "ketchup" vs "catsup".)

  13. Re:As a matter of curiousity... by okjeff · · Score: 2, Informative

    "The campus had a total enrollment of 20,834 students for the 2005-06 academic year, 18,909 of which were undergraduates." See: http://en.wikipedia.org/wiki/Oklahoma_State_Univer sity