Slashdot Mirror


Oklahoma Security Expert Attacks RIAA Claims

NewYorkCountryLawyer writes "A group of Oklahoma University students has made a motion to vacate the ex parte order the RIAA had obtained compelling the university to turn over their names and addresses. In support of their motion was the expert witness declaration (PDF) of a computer security and forensics expert who essentially attacked the entire premise of the RIAA's lawsuit, characterizing the declaration upon which the RIAA based its motion as 'factually erroneous' and 'misleading.' Among other things he pointed out that 'An individual cannot be uniquely identified by an IP address,' and that 'Many computers can be connected to the Internet with identical IP addresses as long as they remain behind control points.' The students are represented by the same Oklahoma lawyer who recently obtained an award for $68,000-plus in attorney's fees against the RIAA in Capitol v. Foster."


  1. Heard in an RIAA conference room ... by ScrewMaster · · Score: 5, Funny

    "Oh SHIT ... not this guy again."

    --
    The higher the technology, the sharper that two-edged sword.
    1. Re:Heard in an RIAA conference room ... by Wavicle · · Score: 4, Funny

      Other thing heard in an RIAA conference room...

      "Hey, didn't the whole slashdot community say the exact same thing last month?"

      We could have at least gotten credit for it.

      --
      Education is a better safeguard of liberty than a standing army.
      Edward Everett (1794 - 1865)
    2. Re:Heard in an RIAA conference room ... by NewYorkCountryLawyer · · Score: 4, Interesting

      Other thing heard in an RIAA conference room... "Hey, didn't the whole slashdot community say the exact same thing [slashdot.org] last month?" We could have at least gotten credit for it.

      Indeed it has. And on more than one occasion.

      And I got news for you, that was heard in an RIAA conference room.

      Only thing, they're not good listeners, as you may have noticed already.
      --
      Ray Beckerman +5 Insightful
    3. Re:Heard in an RIAA conference room ... by morgan_greywolf · · Score: 5, Insightful

      And it's not just us, there have been many experts who've said the same. I think it's about time that someone like this guy offer expert testimony to those who have been victimized by the MAFIAA.

      I don't hold out any hopes that the MAFIAA will listen or even care. The aim here is to establish legal precedent in a court of law that says the MAFIAA, when they use spurious technical evidence to try to extort thousands of dollars from people, doesn't have a legal leg to stand on. It doesn't matter whether they agree or not. All that matters is that judges know the truth and that truth gets added to the patchwork quilt of established law that is legal precedence.

    4. Re:Heard in an RIAA conference room ... by RTofPA · · Score: 5, Funny

      Only thing, they're not good listeners, as you may have noticed already.
      Kinda ironic, considering they represent the music industry (supposedly). Or, maybe not, considering they (supposedly) represent the music industry, and anyone who willingly does that can't have good hearing.
  2. Sad thing is... by Hsensei · · Score: 4, Insightful

    No matter who comes out on top only the lawyers win. :/

    --
    ~
    1. Re:Sad thing is... by couchslug · · Score: 4, Insightful

      It is to be hoped that some of those students are going to BE lawyers one day, and all this lawyer hatin' conveniently ignores that many lawyers are idealists and work pro bono for good causes.

      I delight in seeing young people use the system to fight for their freedoms.

      --
      "This post is an artistic work of fiction and falsehood. Only a fool would take anything posted here as fact."
    2. Re:Sad thing is... by Anonymous Coward · · Score: 4, Informative

      No matter who comes out on top only the lawyers win. :/


      Mmm.. I doubt it. I'd be surprised if most of the lawyers defending RIAA "victims" (for lack of a better word) are charging their full rates, considering they're mostly defending poor college students.

      On the other hand RIAA lawyers aren't paid by the hour, and whether they win or lose their salary is the same (you think they're working for a percentage of a $10,000 settlement?)

      They've created a climate of fear, which is all this has been about from the beginning. If they win a case the reward is a pittance to them, if they lose, well, they can afford it. Either way, considering the press it's still generating a lawsuit costs much less and is much more effective than a prime time television ad campaign. Unless there's some way to assign a penalty that really hurts or put a stop to their abuse of the legal system altogether they will continue to sue even if they lose almost every case.

    3. Re:Sad thing is... by NewYorkCountryLawyer · · Score: 4, Insightful

      Countersuits are one way to deal with this. Though, I imagine most people just want to get everything over than enter another legal battle. Litigation is never a good solution to anything. It should always be a last resort. Unfortunately the RIAA doesn't see things that way.
      --
      Ray Beckerman +5 Insightful
  3. Oh come on by Token_Internet_Girl · · Score: 4, Insightful

    "Many computers can be connected to the Internet with identical IP addresses as long as they remain behind control points" Did the MAFIAA really think someone would overlook this point? Anyone with a class in Internet 101 knows that routers assign one IP address to represent whatever computers are attached to it. I'm glad they're having their asinine package of BS handed right back to them.

    --
    Sure baby, I'll give you my phone number...in Hex
    1. Re:Oh come on by fredklein · · Score: 4, Interesting

      I think the RIAAs point is that whoever runs that router (and, presumably, the network connection) is responsible for the traffic it passes.

      Like a Red-light camera: they send the ticket to the owner of the car, not necessarily the driver. (Of course, in that case, the owner can simply prove it was not them, and provide the name of the driver, and the ticket will be re-assigned.)

      I don't necessarily agree with this, but most ISP's have similar clauses in their TOS: You are responsible for whatever your equipment puts out/takes in over the network connection. I'm not sure what makes Starbucks (for instance) not liable if a wifi customer downloads kiddy porn, but a person who owns an open WAP gets their PCs confiscated by the cops. But I wish the 'immunity' applied to anyone.

    2. Re:Oh come on by ScrewMaster · · Score: 4, Interesting

      The problem seems to be growing the awareness of these basic facts among the judiciary: cases like this can only help in that regard, I'd think. Those of the legal mind are fond of informing laymen that the law is complex and ever-changing and that only one who is properly trained could possibly comprehend its intricacies. I personally believe that the law is often more complex than it needs to be (and that is certainly no accident) but, okay, I'll buy that argument. As an engineer I cheerfully admit that the law is an arcane mystery, and I would certainly never set foot in court without proper representation.

      However, the truth is that the global network and the technologies behind it are pretty goddamn complex as well, and change more often than the average trial lawyer changes his boxers. Gross oversimplifications and prevarications regarding network technology, such as those pulled out of thin air by the RIAA's so-called "expert witness", have so far resulted in several severe miscarriages of justice. Unfortunately, while it is a necessity to have legal representation in a technical case, there seems to be no corresponding requirement that the legal beagles involved have a clue about technological underpinnings of said case. Given how successful the RIAA has been with the testimony of Mr. Linares, it's apparent that expert witnesses are of no help when the people making the legal decisions don't have the mental knowledge base to tell the wheat from the chaff.

      --
      The higher the technology, the sharper that two-edged sword.
    3. Re:Oh come on by russ1337 · · Score: 3, Funny

      >>> There are a few routers out there that assign different IP addresses to different 'computers.'

      I guess I'm only safe when my local Starbucks has had 4,294,967,296 unique wi-fi visitors and has to start over...

    4. Re:Oh come on by NewYorkCountryLawyer · · Score: 5, Informative

      The problem seems to be growing the awareness of these basic facts among the judiciary: cases like this can only help in that regard, I'd think. Those of the legal mind are fond of informing laymen that the law is complex and ever-changing and that only one who is properly trained could possibly comprehend its intricacies. I personally believe that the law is often more complex than it needs to be (and that is certainly no accident) but, okay, I'll buy that argument. As an engineer I cheerfully admit that the law is an arcane mystery, and I would certainly never set foot in court without proper representation.

      However, the truth is that the global network and the technologies behind it are pretty goddamn complex as well, and change more often than the average trial lawyer changes his boxers. Gross oversimplifications and prevarications regarding network technology, such as those pulled out of thin air by the RIAA's so-called "expert witness", have so far resulted in several severe miscarriages of justice. Unfortunately, while it is a necessity to have legal representation in a technical case, there seems to be no corresponding requirement that the legal beagles involved have a clue about technological underpinnings of said case. Given how successful the RIAA has been with the testimony of Mr. Linares, it's apparent that expert witnesses are of no help when the people making the legal decisions don't have the mental knowledge base to tell the wheat from the chaff.

      The Linares dribble -- like the Whitehead dribble which preceded it -- "succeeded" only because it was used only in ex parte cases, where there was no opposition. Now that opposition is starting to form, and now that judges are starting to reject even the ex parte motions, awareness may be growing among members of the judiciary.
      --
      Ray Beckerman +5 Insightful
    5. Re:Oh come on by proverbialcow · · Score: 3, Interesting

      Like a Red-light camera: they send the ticket to the owner of the car, not necessarily the driver. (Of course, in that case, the owner can simply prove it was not them, and provide the name of the driver, and the ticket will be re-assigned.)

      Or, as in the case of Minneapolis' red-light cameras, the entire process is deemed unconstitutional because it presumes guilt rather than innocence.

      --
      The only surefire protection against Microsoft infections is abstinence. - The Onion
    6. Re:Oh come on by TooMuchToDo · · Score: 3, Insightful

      I've got a Cisco 2600 series router that begs to differ with you.

  4. What's taken so long? by willow · · Score: 5, Informative

    I'm wondering why it's taken other lawyers so long to realize the RIAA is ripe for fleecing with their undefendable suits. Surely the lawyer vs. lawyer guys would have figured out by now that the RIAA, with so much $$$, is ripe for plucking...

    I'm actually ashamed of this, BTW :)

    --
    Moderation in everything, including moderation.
  5. OSU, not OU by epmos · · Score: 3, Informative

    Nitpick:
    TFA says the 11 students are at Oklahoma State University (OSU), not that Other University to the south (OU).

    [ Yes, I am an alumni of OSU. ]

  6. As a matter of curiousity... by PhysicsPhil · · Score: 4, Interesting

    ...how big is the school in question? I've been wondering recently whether the RIAA has ever gone after schools with big legal programs. Have they been avoiding a fight with students who might have a large number of friends training to be lawyers? I have visions of some professor who gets sufficiently aggravated that he assigns his entire class to bury the RIAA in legal briefs.

    1. Re:As a matter of curiousity... by NewYorkCountryLawyer · · Score: 4, Informative

      You missed the one a week or two ago where they were about to start going after Harvard - and Harvard's response was, in effect, "get bent"?

      Not so. They've never gone after Harvard and probably never will.

      That's because it's not in the RIAA's playbook to pick on someone who can fight back.

      The articles you're thinking of, by Harvard Law School profs, "Universities to RIAA: Take a Hike" and "Protect Harvard from the RIAA", urged Harvard and other universities to fight back if the RIAA were to come knocking.... but so far it hasn't come knocking at Harvard.

      And don't hold your breath waiting for it to do so.
      --
      Ray Beckerman +5 Insightful
    2. Re:As a matter of curiousity... by BalanceOfJudgement · · Score: 4, Interesting

      Not so. They've never gone after Harvard and probably never will.

      That's because it's not in the RIAA's playbook to pick on someone who can fight back.


      Not to be pedantic but some of those 'good ol boys' probably went to Harvard as well, and so aren't inclined to embroil their Alma Mater in legal battles when there are so many other available targets.
      --

      We are the fire that lights our world.. and we are the fire that consumes it.
  7. A little oversimplified... by edashofy · · Score: 5, Interesting

    "Many computers can be connected to the Internet with identical IP addresses as long as they remain behind control points."

    Yes, we all know this is true from a technical perspective. However, the RIAA is not as dumb as to ignore it. From the depositions in the Lindor case (posted earlier by NewYorkCountryLawyer) they are also relying on the fact that Kazaa (and workalikes) apparently include the local IP in the protocol. So if I'm behind my router, and my IP is 192.168.1.1, but my router's IP is 123.45.6.78, then the RIAA will see BOTH addresses and know whether there's some NATting going on with a pretty high degree of certainty. However, if Kazaa reports the local IP as 123.45.6.78 as well, then it's highly unlikely any more than a single computer is behind that IP.

    Reading the report, the "expert" here appears to be completely ignorant of this fact.

    Also, some of this is really atrocious. Early in the report it cites an example of someone downloading child pornography sitting in a car by "hacking" a wi-fi network. Only at the end of the report does it admit that the network was unsecured. If you connect to 'linksys' are you "hacking" that network? Would you use that term? No. No "hacking" (in any reasonable sense) is going on.

    Is the "expert" a native English speaker? "Botnet, Trojan, and Back Door are example of malicious codes..." Aside from the grammatical atrocities, I have never heard of my fellow software engineers referring to software programs as "codes." A back-door is not a "code" or a program, nor are botnets. Bots are, Trojan (Horses) are, and they can open back doors. Precision, please?

    Do look at the expert's biography page on the site shilling his book. Plenty of asserted qualifications and certifications, although I don't see any formal degrees listed anywhere. It also asserts that "One final note Jayson was chosen as one of Time's persons of the year for 2006." (hint: so were you). The grammar in the bio is even worse than in the expert brief. Do a search for his name and you'll find precious little at all.

    I'm not saying that the RIAA is doing due diligence; the Lindor briefs leave a lot in question (although less than most slashdotters would like). However, fighting back with equally specious and unresearched information doesn't seem to be a much better strategy.
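
The comparison described in the comment above (client-reported local address against the source address a remote peer observes), as an added example that is not part of the original thread or of any investigator's tooling. The function names and sample pairs are hypothetical, and the reported address is a client-supplied value, so the result is only as reliable as the client that sent it.

```python
import ipaddress
from collections import defaultdict

# Blocks that never appear as a source address on the public Internet:
# RFC 1918 private space, RFC 6598 carrier-grade NAT space, link-local, loopback.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "100.64.0.0/10", "169.254.0.0/16", "127.0.0.0/8",
)]

# Constructed observations: (source address the remote peer saw,
# local address the client reported inside the protocol).
# The first two pairs use the addresses from the comment; the rest use
# documentation ranges.
SAMPLE = [
    ("123.45.6.78", "192.168.1.1"),
    ("123.45.6.78", "123.45.6.78"),
    ("203.0.113.9", "192.168.0.10"),
    ("203.0.113.9", "192.168.0.23"),
    ("203.0.113.9", "192.168.0.10"),
    ("198.51.100.7", "203.0.113.50"),
]


def is_non_routable(addr):
    """True if addr falls in a block that is not routed on the Internet."""
    return any(addr in net for net in NON_ROUTABLE)


def classify(observed, reported):
    """Say what one (observed, reported) pair does and does not establish."""
    try:
        obs = ipaddress.ip_address(observed)
        rep = ipaddress.ip_address(reported)
    except ValueError:
        return "unparseable"
    if is_non_routable(obs):
        return "bad-observation"   # a remote peer cannot see such a source
    if is_non_routable(rep):
        return "translated"        # the public address belongs to a gateway
    if rep == obs:
        return "untranslated"      # the reporting host held the public address
    return "mismatch"              # proxy, 1:1 NAT, multihoming or bad data


def inside_hosts(observations):
    """Map each public address to the distinct inside addresses seen behind it.

    The set size is only a lower bound on how many machines share the address.
    """
    behind = defaultdict(set)
    for observed, reported in observations:
        if classify(observed, reported) == "translated":
            behind[observed].add(reported)
    return dict(behind)


if __name__ == "__main__":
    for pair in SAMPLE:
        print(pair, classify(*pair))
    print(inside_hosts(SAMPLE))
```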

    1. Re:A little oversimplified... by tftp · · Score: 4, Informative
      Indeed, I read his deposition and basically all he does is state that you are anonymous behind a NAT. I am sure the logs do not indicate that 192.168.1.250 is the offender. There must be something more tangible. The expert probably just refuted literal RIAA's statements, ignoring the context (I haven't seen the logs so can't say for sure.)

      One thing, though, he could have mentioned - various IP spoofing methods. Imagine you are on a DHCP network (on campus, for example.) You ask for an IP and you will get it, and this will be logged: "00:f0:3e:45:33:66, authorized as belonging to John Doe, asked for an IP and got 10.0.15.213 for 6 hours". Nice. However what if you want to misrepresent yourself? An enterprising student can use ping and arp (if not some better tools) to find out what IP and MAC addresses are online, and once some of those computers go to class (or to sleep, for example,) take over the MAC address and ask for a new DHCP lease ... done, and you have a new shiny IP address, perfectly logged as belonging to John Doe whereas you are someone else entirely.

      This would clearly demonstrate that the DHCP has no authentication beyond the MAC address, and that can be easily changed on many cards. Any judge, however technically illiterate, can understand that if you can get any identity by just asking then it's pointless to hold the identity owner responsible.

      This text, as seen here, would be relevant in the expert's refutation:

      Unfortunately it's the very simplicity of DHCP that's actually the problem as far as security goes. No authentication or authorization takes place during an exchange between a DHCP server and DHCP client, so the server has no way of knowing if the client requesting the address is a legitimate client on the network, and the client has no way of knowing if the server that assigned the address is a legitimate DHCP server. The possibility of rogue clients and servers on your network can create all kinds of problems.
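
A check a network operator could run before attributing a DHCP lease to the person a MAC address is registered to, as an added example that is not part of the original thread. The log layout, field names and sample rows are constructed for illustration; the switch port is assumed to come from the relay agent's option 82 circuit ID and the hostname from the client's option 12, and a "consistent" grade still rests on client-supplied data.

```python
import csv
import io

# Constructed sample (not real logs): DHCP lease grants joined with what the
# relay agent and client supplied. "time" is minutes since midnight, "port" is
# the switch port from the relay agent's option 82 circuit ID, "hostname" is
# the client-supplied option 12 value.
SAMPLE_LOG = """\
time,mac,ip,port,hostname
480,00:f0:3e:45:33:66,10.0.15.213,bldgA-sw3/12,jdoe-laptop
540,00:11:22:aa:bb:cc,10.0.15.40,bldgA-sw3/14,msmith-pc
660,00:11:22:aa:bb:cc,10.0.15.40,library-sw2/03,msmith-pc
840,00:f0:3e:45:33:66,10.0.15.213,bldgA-sw3/12,jdoe-laptop
905,00:F0:3E:45:33:66,10.0.15.219,bldgC-sw1/07,DESKTOP-X
"""


def grade_leases(log_text):
    """Grade how well each lease supports attribution to the MAC's registrant.

    Returns a list of (time, mac, ip, grade) where grade is one of:
      "baseline"    first sighting of this MAC, nothing to compare against
      "consistent"  same port and hostname as the baseline
      "moved"       port changed, hostname unchanged (a roaming laptop fits)
      "conflict"    hostname changed: a different machine may be using the MAC
    """
    baseline = {}  # mac -> (port, hostname) from the first lease seen
    graded = []
    for row in csv.DictReader(io.StringIO(log_text)):
        mac = row["mac"].lower()  # MAC case varies between log sources
        port, host = row["port"], row["hostname"].lower()
        if mac not in baseline:
            baseline[mac] = (port, host)
            grade = "baseline"
        else:
            base_port, base_host = baseline[mac]
            if host != base_host:
                grade = "conflict"
            elif port != base_port:
                grade = "moved"
            else:
                grade = "consistent"
        graded.append((int(row["time"]), mac, row["ip"], grade))
    return graded


def leases_needing_corroboration(log_text):
    """Leases that should not be tied to the registrant on the MAC alone."""
    return [g for g in grade_leases(log_text) if g[3] == "conflict"]


if __name__ == "__main__":
    for entry in grade_leases(SAMPLE_LOG):
        print(*entry)
```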

    2. Re:A little oversimplified... by langelgjm · · Score: 4, Insightful

      Did you read the same brief I did? Because your quotes don't match with what is in the PDF file.

      Also, some of this is really atrocious. Early in the report it cites an example of someone downloading child pornography sitting in a car by "hacking" a wi-fi network. Only at the end of the report does it admit that the network was unsecured. If you connect to 'linksys' are you "hacking" that network? Would you use that term? No. No "hacking" (in any reasonable sense) is going on.

      Here's what I see in the PDF: "An example of the dangers of open networks is the case of Walter Nowakoski. Nowakoski connected to unsecured home networks and used the bandwidth via unencrypted wireless networks to download child pornography. This is an example of criminals using networks of others to commit crimes so that the innocent are victims twice - once for the theft of their own network resource and then when they are wrongly accused for the illegal activity."

      Is the "expert" a native English speaker? "Botnet, Trojan, and Back Door are example of malicious codes..." Aside from the grammatical atrocities, I have never heard of my fellow software engineers referring to software programs as "codes."

      Not to be picky, but if you're going to comment on the man's grammar, at least have the courtesy to quote him correctly. He conjugates the verb correctly, saying "... are examples of malicious codes..."

      --
      "Anyone who [rips a CD] is probably engaging in copyright infringement." - David O. Carson
    3. Re:A little oversimplified... by Dunbal · · Score: 3, Informative

      Early in the report it cites an example of someone downloading child pornography sitting in a car by "hacking" a wi-fi network. Only at the end of the report does it admit that the network was unsecured.

      Ok, now tell me how hard it is to hack a WEP-enabled wireless network? It takes all of what, 90 seconds?

      --
      Seven puppies were harmed during the making of this post.
  8. While we're nitpicking... by Ungrounded+Lightning · · Score: 3, Funny

    [ Yes, I am an alumni of OSU. ]

    Are you an alumnUS? Or are you siamese twins?

    --
    Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
  9. If wishes were horses by Kaseijin · · Score: 3, Interesting

    I think the RIAAs point is that whoever runs that router (and, presumably, the network connection) is responsible for the traffic it passes.

    That's their theory. To the best of my knowledge, no court has ever bought it.

    ...I don't necessarily agree with this, but most ISP's have similar clauses in their TOS: You are responsible for whatever your equipment puts out/takes in over the network connection.

    That's a contract between the ISP, the customer, and no one else.

    I'm not sure what makes Starbucks (for instance) not liable if a wifi customer downloads kiddy porn, but a person who owns an open WAP gets their PCs confiscated by the cops.

    The person is, reasonably, a suspect.
  10. why hasn't a judge censured the RIAA for this? by DragonTHC · · Score: 3, Insightful

    why aren't judges protecting the people?

    The law is not really in the RIAA's favor here.

    The RIAA has shown a history of fraudulent lawsuits.

    Why aren't people countersuing for malicious prosecution?

    --
    They're using their grammar skills there.
  11. Re:Lawyers and technology don't mix well.. by Sycraft-fu · · Score: 3, Insightful

    Ummm few things:

    1) Where did you get the idea all universities have tons of IPs? Some do, some don't. Also, a class B might seem like a lot, but if you've got 50,000 students, 20,000 departmental computers and servers, and you dole the IPs out in subnets to different departments (so they aren't 100% utilized) you start feeling the crunch more than you might think. Where I work we've got two class Bs (as we were in on the Internet game fairly early) and network operations has already begun working on renumbering the network to try and reclaim unused IPs. We haven't had to implement NAT on any campus level (though there are tons of little ones that random people run) but it is not something out of the question. Take a larger university with less IP space, you'd have little choice.

    2) NAT has other uses such as cloaking the activities of individual computers. You'll see places use NAT just for that, they don't want individual activity being traced based on IP. So they get a many-to-many NAT set up. You have say a couple hundred routable IPs with a couple thousand non-routable IPs behind them. The router picks out which public IP you get randomly, or round-robin, or whatever. Thus it ends up being impossible to figure out what is happening.

    3) Who says the university runs the NAT? You telling me you don't think students stick routers in their dorms? You telling me that you don't think they do that, and turn on unsecured WiFi (especially since many universities have extremely poor or non existent WiFi)? I know for a fact they do, because we always have problems with this on our campus.