Slashdot Mirror

← Back to Stories (view on slashdot.org)

How To Frame a Printer For Copyright Infringement

Posted by timothy on from the point-the-finger-point-it-well dept.

An anonymous reader writes "Have you ever wondered what it takes to get 'caught' for copyright infringement on the Internet? Surprisingly, actual infringement is not required. The New York Times reports that researchers from the computer science department at the University of Washington have just released a study that examines how enforcement agencies monitor P2P networks and what it takes to receive a complaint today. Without downloading or sharing a single file, their study attracted more than 400 copyright infringement complaints. Even more disturbing is their discovery that illegal P2P participation can be easily spoofed; the researchers managed to frame innocent desktop machines and even several university printers, all of which received bogus complaints."

23 of 325 comments (clear)

  1. If the right people get framed... by the_womble · · Score: 4, Interesting

    ....it might change things. Legislators in the US and EU, for example.

  2. Re:Glad it's in a reputable media source by TheRedSeven · · Score: 5, Interesting

    Yes, but will this sort of study ever make it to trial in any shape or form that is likely to put the kibosh on the MAFIAAs strongarm tactics?

    Unless the little guys can pony up the cash to get these guys as expert witnesses, the MAFIAA will simply commission their own, contradictory study in order to discredit this one.

    I hope at some point (and some point SOON) we get a critical mass of people and evidence against the big industry players so that they'll stop this crap. I don't think it'll happen though--there's just too many dollars at stake for them to give up.

  3. Re:Glad it's in a reputable media source by PhreakOfTime · · Score: 4, Interesting

    The other favored method these days seems to be sending out non-sensical Cease and Desist Letters claiming all sorts of things, including copyright infringement, and CRIMINAL charges because someone has a domain that you want.

    Caton Commercial engages in this, and seems to find this practice acceptable.

  4. Re:Sweet! by McFly69 · · Score: 5, Interesting

    1. Download movies 2. Pin it on RIAA's website IP address (76.74.24.143) 3. Let the cops arrest RIAA 4. Peace and Quiet 5. Profit! But seriously... if you can spoof using any IP address (Printer, Website, etc), then everyone can claim it was not them downloading anything and there is not sure way to prove it. Just food for Thought.

    --



    NO! NO! Please don't mod me, I'm too young to die a troll. *click* Oh the pain, the pain...
  5. Re:Too flimsy...not really by Fallen+Kell · · Score: 5, Interesting

    Yes, anyone in IT understands these issues. But the fact remains that no one in IT is being listened to when they are calling this same information proof of infringement. This study is to show that their "proof" which is being used in these same cases is as worthless as all the IT people have said it was from the beginning, and that the checks the **AA investigators are using to confirm that they are not accusing the wrong people are as worthless as well in terms of verifying/screening false positives. This study shows for a FACT that false positives are occurring and occurring ALL THE TIME.

    --
    We were all warned a long time ago that MS products sucked, remember the Magic 8 Ball said, "Outlook not so good"
  6. Re:As I said by davburns · · Score: 2, Interesting

    Good catch. One missing 'n' makes a lot of difference. I *did* preview. And spell-checked. A grammar checker would not have helped.

    Oh, well. Have fun.

  7. has the mafiaa ever fought an IT guy? by TheGratefulNet · · Score: 3, Interesting

    I have not read about this - has anyone heard any anecdotes on this subject?

    I'm curious if the 'industry monitoring groups' have ever sent a C/D letter to a clueful sysadmin? we know that most laymen will simply cave in when they receive the 'fact' that their IP address was somehow connected to 'bad traffic'; but I wonder if anyone who knows networking ever called their bluff and really had a court case where he asked for MORE info than simply IP addrs. it would seem that if you can defend yourself in IP networking theory that they really have no firm case on you, especially if you run an 'open wireless AP' and that, itself, could create enough doubt as to who the real 'infringer' really is. they might be able to say its your network but they can't prove its YOU. it could be spyware that somehow got installed on your system. spyware does do 'strange things' as well all know and its not outside the realm of possibility that some virus is connecting to trackers while sitting inside your network. is that really your fault? should you be called 'an infringer' for that?

    so I'm really curious if there are any examples of a tech-strong defendant really calling their bluff and demaning fine-grained specific evidence while at court or at some plea bargaining procedure.

    --

    --
    "It is now safe to switch off your computer."
  8. The New Way To Evade Detection by Nom+du+Keyboard · · Score: 2, Interesting

    1: Find a network printer assigned an IP address.
    2: Set your NATting wireless router to mimic that printer's MAC address.
    3: Insert your NATting router between the printer and the LAN and steal its IP address.
    4: Connect to router and fileshare to your heart's content.
    5: Watch printer be arrested for your piracy.
    6: PROFIT!

    --
    "It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
  9. Re:Big surprise! by Sneftel · · Score: 2, Interesting

    If I go outside every night wearing overalls covered in blood stains, dig holes in my front yard, and bury body sized bundles wrapped in garbage bags every night for a couple of weeks, I'll probably be investigated for murder. Investigated, sure. They'll cordon off your yard, bring in body-sniffing dogs, dig everything up, search your garbage bags, find nothing, and conclude that you were just fucking with them. They would do this, rather than immediately strapping you to the electric chair, because "first degree hacking up of people into little bits" is a criminal matter, not a civil one, and circumstantial evidence is not sufficient for a criminal conviction. It's not "beyond a reasonable doubt". In the civil arena, though, the standards are much looser. The evidence that the **AA collected, and used to send threatening notices, are the beginning and the end of the investigation. They are the full extent of the evidence presented in court, and up until now that's often been good enough for the court to find in their favor. IOW, if you can get a takedown notice sent to your printer, you can get a thousands-of-real-money-dollars legal judgment levied against some random guy you don't like. That's what's a surprise. (Or not.)
    --
    The opinions stated herein do not necessarily represent those of anybody at all. Deal with it.
  10. Re:Big surprise! by Grym · · Score: 2, Interesting

    If I go outside every night wearing overalls covered in blood stains, dig holes in my front yard, and bury body sized bundles wrapped in garbage bags every night for a couple of weeks, I'll probably be investigated for murder. If I build a large enclosure in my backyard, and fill it with heating lamps which use a prodigious amount of electricity and generate a lot of heat, and I sit on my front porch smoking a leafy substance wrapped in paper, I'll probably be investigated for running a grow-op. If I show up at school carrying a fake, but real-looking machine gun, it will probably draw the attention of the authorities.

    In fact, isn't it a crime to try to fool the police into thinking you're committing a crime? Usually it gets a disorderly conduct charge or something like that.

    As much as the "copyright police" may like to pretend that they're law enforcement (complete with little .jpg images of copper badges--lol), they are not the police. Copyright infringement is a civil charge. As such, the content industries should not get any special treatment when it comes to these cases. If it can be shown that the content industry's methods of obtaining evidence is fundamentally flawed, it calls into question if the DMCA takedown notices and C&D letters are truly filed with good faith as to the validity of their contents. Without those, none of their lawsuits could go forth because they would not be able to request ISPs to release account records.

    If I as an individual can't sue random individuals on spurious grounds and demand legal-ransom (err.. "settlement"), why should the industries be able to?

    -Grym

  11. Re:Sweet! by gstoddart · · Score: 2, Interesting

    But seriously... if you can spoof using any IP address

    I don't think you can spoof any IP address. I think you'd still need to be on the same subnet/domain in order for routing to work.

    You can spoof your neighbor, but you can't spoof something in a different network range.

    At least, I don't think you could spoof an arbitrary IP address.

    Cheers
    --
    Lost at C:>. Found at C.
  12. Re:Big surprise! by TheRedSeven · · Score: 2, Interesting

    A better analogy (and a bit of a 'social experiment' I actually did once out of boredom):
    It's not illegal to destroy your own property when you're done with it. Say, to tear up old, out-of-date travel guide books about Spain. It's your property, you can do what you want with it. It's not even illegal to do so on public property. I could do that and throw out the pieces in a public park, for instance.

    However, if you try to do that in a public library, some old(er) ladies will have a fit...

    When I was in college, I took several old travel guides to the library and started shredding out pages in the main reading area. Several people noticed and, I assume, told the staff. They approached me quickly and freaked out, telling me to stop. I said, "It's OK. They're my books. No harm to your books at all." And they responded by demanding that I leave, which I quickly did.

    The point? Even if you're not committing any sort of crime, the appearance of doing so is likely to get you under close scrutiny. In the RIAA's case in this instance, they gave out Take Down Notices. In the situation given, they are ridiculous because no downloads had occurred. However, without actually filing suit against the authors of the study, this is just analogous to 'higher scrutiny'.

    If I had been actually destroying the public library's books, I would have not only been a bad citizen, but also in violation of some misdemeanor vandalism charges most likely. If the authors of the study had been actually illegally downloading copyrighted materials (over against not downloading anything, downloading materials under fair use, etc etc), they would have been making themselves liable for civil suit(s), and the RIAA would likely have gone after them with a lawsuit.

    The big difference is that the RIAA seems to be blanketing everyone who is mistreating the books in any way, shape, or form, rather than looking for people who are actually destroying actual library books. It's the throw-it-all-against-the-wall-and-see-what-sticks approach to filing suit. And it's about the least responsible way to do it (if not the least effective).

  13. Re:Too flimsy by Sloppy · · Score: 2, Interesting

    If you're connected to the tracker, odds are about 99,999,999,999 to 1 that you're uploading or downloading -- or at least trying to.

    Not anymore. Thanks to this paper, people are going to connect just to inject noise into the system.

    --
    As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
  14. Re:Too flimsy by SBacks · · Score: 2, Interesting

    True, pirates don't connect to a tracker to observe, but the point being made is that an entity that was only observing (not doing anything illegal or warranting a takedown notice) is being pinned as a pirate. First off, I totally agree with what you're saying. Someone who was totally innocent got accused of doing something wrong, and that shouldn't happen.

    However, this is what court cases are for. They determine if you were actually doing something illegal, or if you were just an innocent bystander.

    Actually getting arrested/sued doesn't require a massive amount of evidence, nor should we really expect that. Imagine a warehouse full of drug dealers dealing their drugs. You're there, but neither selling nor buying drugs, just watching it all. If the place gets raided, you certainly wouldn't be shocked if you were arrested along with everyone else.
  15. You're on to something there by Weaselmancer · · Score: 4, Interesting

    Apparently since a DDOS is a legal move in this game (if you'll recall the MediaDefender fiasco recently), maybe we could use this technique and flood P2P space with false positives.

    I'll bet once every single judge in the USA gets a "Cease and Desist" letter they'll eventually see that the RIAA's tactics aren't valid.

    --
    Weaselmancer
    rediculous.
  16. Re:Too flimsy by Necreia · · Score: 2, Interesting

    Imagine a warehouse full of drug dealers dealing their drugs. You're there, but neither selling nor buying drugs, just watching it all. If the place gets raided, you certainly wouldn't be shocked if you were arrested along with everyone else. Now imagine this same situation where you're not even home that day, and you get arrested. That's what's happening with these printers. They weren't connected to the tracker, but they got dinged because that IP was spoofed.
  17. Re:Too flimsy by tribaal · · Score: 2, Interesting

    If you're connected to the tracker, odds are about 99,999,999,999 to 1 that you're uploading or downloading -- or at least trying to. So all that tracker operators have to do, is include a few "legal" files (indie music, linux iso) to download/upload. There would be a valid reason to connect to that tracker, so without content inspection, there's no way of if it is legal or not.
  18. They won't be fazed... by Stanislav_J · · Score: 1, Interesting

    I think the way the **AAs would counter the argument would be the analogy: suppose there is a raid on the local whorehouse, and you are there, and you claim that you weren't actually doing anything illegal, but just "hanging around" or "doing research" or "visiting a friend." The odds are infinitely against that being the case, and while we acknowledge that there is a CHANCE you were actually innocent, if you hang out there you should not be surprised if you get swept up in the dragnet.

    And they might also counter the "but there are legitimate uses for p2p" argument with the same scenario. Maybe the madame of the whorehouse also occasionally sells a jar of her homemade chicken soup to someone, but we know 99% of the visitors to that house are seeking to satisfy a different kind of appetite.

    (Don't think all of this is farfetched -- after all, most prostitution busts do not rely on any actual proof that money was exchanged or that services were rendered -- the actual passing of bills or manipulation of body parts is rarely observed, but merely inferred. If you are driving at 3 am in a known prostitution area, and you are caught with a known prostitute in your car, you WILL be busted, and the judge will laugh off any "innocent" defense.)

    --
    "Every great cause begins as a movement, becomes a business, and eventually degenerates into a racket." -- Eric Hoffer
  19. A New Plan by camperdave · · Score: 2, Interesting
    1. Install embedded processor and storage in printer
    2. Download stuff
    3. If RIAA come a'knocking, point to the printer
    4. Watch them go away embarrased
    5. Retrieve downloads from the printer
    6. Profit
    --
    When our name is on the back of your car, we're behind you all the way!
  20. Re:Is this safe? by jd · · Score: 3, Interesting

    British Nuclear Fuels Limited used to do that all the time, during lawsuits over dangerous levels of contamination in the environment.

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
  21. Why waste time on a printer? by Anonymous Coward · · Score: 1, Interesting
    I work in IT at a large state university. We have a zero-tolerance policy for P2P infractions in the workplace: if you get caught once, you are fired. I'd find it most amusing to implicate the IP of the workstation of the Provost that passed that resolution, just to see the wheels of injustice grind on that problem.

    Alternately, the workstations belonging to: student conduct, university legal affairs, or even our DMCA copyright officer all seem interesting targets to get this *AA blackmail scam exposed for what it really is.

  22. Blame everyone! by Bones3D_mac · · Score: 3, Interesting

    How difficult would it be to coordinate a spoofing system like this that is gradually directed at every used IP across the internet? If it's shown that the *entire* internet is somehow participating in acts of copyright infringement from every IP address across the board, maybe someone might actually begin questioning the current system used to identify those illegally download copyrighted material.

    Think of it... the most respected and powerful people in every community simultaneously getting bogus cease and desist letters. (Lawyers, judges, politicians, etc...) I'd be inclined to think *something* just might happen after that.

    --


    8==8 Bones 8==8
  23. Re:Sweet! by Vancorps · · Score: 2, Interesting

    Sorry, at some point when it's so extraordinarily difficult to do you just accept that it's impossible. Sending source-routed packets out is very difficult these days unless you have an old school ISP like an AT&T or a business pipe.

    Most of the problems of the 90s were indeed solved and much of the issues you describe went the way of the dodo then. At this point is so easy to secure against these types of attacks that any ISP would be negligent not too.

    Also most of your techniques involved compromised routers, once you have a router compromised anything is possible so the whole discussion is moot.

    Still, OSPF on the inside an BGP on the outside all use authentication if done properly so much of what you describe is exceedingly difficult to the point where it's not worth mentioning. Two-way traffic is pretty much impossible without compromising other systems first as as you said.

    It's like physical security, it's never 100% safe, but at a certain point you accept that it's not going ot be compromised. This behavior shouldn't prevent you from doing due diligence in the future to maintain security since it is a process but your focus is on other attack vectors.