
Forensic Investigator Outlines BitTorrent Detection Technology

NewYorkCountryLawyer writes "In one of the many BitTorrent download cases brought by pornographic film makers, the plaintiff — faced with a motion to quash brought by a "John Doe" defendant — has filed its opposition papers. Interestingly, these included a declaration by its 'forensic investigator' (PDF), employed by a German company, IPP, Limited, in which he makes claims about what his technology detects, and about how BitTorrent works, and attaches, as an exhibit, a 'functional description' of his IPTracker software (PDF)."

  1. Re:IPTracker Based on Shareaza 2.4.0.0 by JoshuaZ · · Score: 5, Informative

    My understanding is that one is only required to give the source if one is distributing the product to other people. As long as the individual keeps the software for themselves, there's no requirement to make the source available.

  2. I2P/Freenet by nurb432 · · Score: 5, Insightful

    Try tracking us there.

    Good luck.

    --
    ---- Booth was a patriot ----
    1. Re:I2P/Freenet by girlintraining · · Score: 4, Informative

      Try tracking us there.

      Encrypt all you want. Traffic analysis still screws you every time. The network tries to keep latencies low, so it forwards whatever it receives onto the next hop as soon as it gets it. If you're monitoring the source and the destination, then when it gets decrypted at the destination, you can correlate that with the traversal time through the 'black box' of Tor, Freenet, or whatever... and voilà, you know who sent it, when, and what it was.

      This is a known problem. It's discussed at length on EFF's website. If your connections are made in bulk, at regular intervals, instead of interactively, then it's a lot harder to do traffic analysis if all the other nodes exhibit the same behavior. But as long as you're trying to be anonymous by simply using a series of proxies that are set to store-and-forward... you're still screwed.

      --
      #fuckbeta #iamslashdot #dicemustdie
    2. Re:I2P/Freenet by nurb432 · · Score: 5, Informative

      Read up on how Freenet works and you will see it's not just about data encryption. Due to how it routes, and the fact that data chunks are scattered about, it also hides the source and requestors to the point that even if you are on the same LAN and sniffing packets directly you won't know for sure. Sure, you can be caught using it, which could be a legal problem for you depending on where you live, but they won't know if you are doing the requesting of file parts or you are just passing requests along.

      I2P, I believe, has something similar in place, but I'm still learning how their stuff works.

      --
      ---- Booth was a patriot ----
    3. Re:I2P/Freenet by lister+king+of+smeg · · Score: 5, Informative

      That is why there is garlic routing. Garlic routing is a modification of the onion routing used by Tor; what it does is bundle packets together so as to make traffic analysis useless. It does have greater latency, but that should not be a problem unless you are streaming.

      --
      ---Saying gnome 3 is better than windows 8 not so much a compliment as it is damning with light praise.
    4. Re:I2P/Freenet by Idbar · · Score: 4, Funny

      Hey! They have the technology now. They can write a GUI interface using visual basic to track your IPs!

    5. Re:I2P/Freenet by PopeRatzo · · Score: 4, Funny

      Since the US government already monitors all traffic that occurs domestically

      I saw someone on Facebook complaining about the government tracking them online.

      --
      You are welcome on my lawn.
    6. Re:I2P/Freenet by Znork · · Score: 5, Interesting

      Which is why some p2p software, such as WASTE, has modes where it will always load links whether or not there is real traffic.

      If the arms race goes on, we'll end up with a constantly saturated internet with only random connections sending apparently random data, leaving any actual signal indistinguishable and drowned out by the massive amounts of random noise.

    7. Re:I2P/Freenet by EllisDees · · Score: 4, Interesting

      No, it really, really isn't. You apparently don't know the first thing about freenet, yet feel that you somehow know enough to spout off about it. If I insert a file into freenet, it is split into many parts and distributed randomly to other freenet nodes. When someone requests that content, there is a reasonable chance that they won't get even one chunk of data from my computer. Monitoring all of the traffic between nodes buys you almost exactly nothing.

      --
      -- Give me ambiguity or give me something else!
    8. Re:I2P/Freenet by Registered+Coward+v2 · · Score: 4, Funny

      Which is why some p2p software, such as WASTE, has modes where it will always load links whether or not there is real traffic.

      If the arms race goes on, we'll end up with a constantly saturated internet with only random connections sending apparently random data, leaving any actual signal indistinguishable and drowned out by the massive amounts of random noise.

      It's called /.

      --
      I'm a consultant - I convert gibberish into cash-flow.
  3. Read their software specs by Anonymous Coward · · Score: 5, Interesting

    I've read their software specs. Seems they have a typo:

    The data can only be decoded and used by the responsible lawyer, only his software contains the deciphering method and this one one in this case also secret (called "public") key.

    Seems that one at least is a typo. At least I *hope* that's a typo.

    ... it is not possible that an allocated GUID is allocated to another user again.

    Same could be said about MACs, and cell phone ID numbers. No one ever clones those!!!

    So it seems, by their reasoning, if you go on a P2P network and clone someone else's GUID, well, then I guess the other party must be guilty, no?

    Seems that even if you use Bittorrent or similar to only download Linux distros or even WoW patches, someone can just clone that and use it and then they will just send the innocent the bill?

  4. Re:private trackers solved this long ago by nurb432 · · Score: 5, Insightful

    Only takes one person to sell out an entire private tracker.

    --
    ---- Booth was a patriot ----
  5. Does The IPP Company Exist? by andersh · · Score: 4, Interesting

    Does this so-called "IPP" company in fact exist at all? I've had a cursory glance on Google, but didn't find much of interest.

    German companies are not called Limited or Ltd. if they are indeed "governed by German law", as claimed in the court declaration. Under German law it should be called "IPP GmbH". I would normally assume a "Ltd." company was based in the UK, on one of their islands or somewhere far away from Europe in general.

    IPP seems to be a fairly common name in the German business register (Unternehmensregister), but none of them seem to be the company in question? Does anyone out there have further information?

  6. Re:GUID by Jahava · · Score: 4, Informative

    It is not possible that an allocated GUID is allocated to another user again.

    I would look into this. As it is written it sounds, at least, misleading. Even if this GUID thing is true for all P2P protocols (which I sincerely doubt), I would say that it should be spoofable directly or indirectly (compromising the machine if public key cryptography is used).

    He is technically correct, assuming that the act of "GUID allocation" involves the correct use of a valid GUID generation algorithm by the software in question. That said, as you noted, it's remarkably easy to spoof such a GUID (in this case). His statement implies that a GUID positively identifies a user, which it does not, and is thus a misleading statement.

  7. Re:Well by j00r0m4nc3r · · Score: 5, Insightful

    the private copyright cops have no reason to lie or cheat

    Sure they do. Since this is really just an elaborate extortion racket, the more IPs they deliver to their clients, the more they get paid. Their clients just file a bunch of John Doe lawsuits and hope for settlements. The more IPs they have, the more possible settlements -- false positives be damned.

  8. Plausible Deniability... by Jahava · · Score: 4, Interesting

    So in all of these cases, as a technical person, I can't help but wonder how they're connecting an IP address to positive evidence of a specific person's deliberate action. There are countless plausible scenarios where a person can own a number (IP address) involved in a crime and yet not themselves be aware of or involved in said crime. Some examples are:

    • The defendant has (or had) an open WiFi access point at the time. The crime was committed by someone who used that connection.
    • The defendant has (or had) a secure WiFi access point with bad credentials at the time. The crime was committed by someone who guessed those credentials.
    • The defendant has (or had) a secure WiFi access point with secure credentials. The crime was committed by someone who obtained those credentials (overheard them, password reuse, friend-of-a-friend, etc.).
    • One of the defendant's computers is (or was) infected by malware at the time, and the malware performed the crime on behalf of someone else.
    • The defendant's IP address was spoofed by an employee at the defendant's ISP who was the actual party committing the crime.
    • The defendant was tricked into executing commands resulting in the crime on their system without knowing what those commands were doing (jerk tech-support guy, etc.).
    • The defendant's system performed the crime without the defendant's knowledge during routine execution of third-party content (Flash, Javascript) laced with malicious code.
    • A friend or associate of the defendant performed the crime using the defendant's systems without the defendant's knowledge or permission.

    In all of these scenarios, the crime could have been committed without any knowledge of the defendant. In some of these scenarios, the defendant has little-to-no chance to detect or thwart the crime. How does any lawyer convince any judge or jury that the person on trial committed a crime in light of this?

    From a defensive point of view, what is the minimum number of compromises that one should run in their own network to provide themselves with sufficient plausible deniability from this type of thing?

    • Can you prove I didn't have an open WiFi enabled at the time, or that my password was bad? What if I reset my router's logs daily?
    • Can you prove I didn't have malware? What if I sold a computer recently - it must have been infected, since all of the ones you confiscated aren't - and wiped the disk prior?
    • Can you prove someone didn't use my computer without my permission? What if I didn't have a password on it and frequently left it lying around work?

    Furthermore, from an activist's point of view, imagine someone built a malware variant that monitored browser usage (Google, Facebook, etc.) for movie names and automatically downloaded the movie titles that were mentioned to a secret directory. I've now got a piece of malware that automatically, without any user knowledge or intervention, downloads illegal files that the user is interested in. What if the malware downloads new movie releases instead, by monitoring public release knowledge bases for titles? Is being infected by such malware enough for innocence? If enough people are thusly infected, would the entire concept of using IP subpoenas for prosecution fall apart?

    Just food for thought. I'd really like to know how someone can be held criminally liable unless the prosecution caught them using the illegal file or captured an attributable confession.

  9. Re:IPTracker Based on Shareaza 2.4.0.0 by Mashiki · · Score: 5, Insightful

    I dunno about that. If something is GPL'd and being used in the courts to prosecute me, hell, even if it's closed source I want to see the source so I can tell whether or not it's tampered with.

    We already do this with other forms of evidence gathering tools, it should be the same with data gathering tools.

    --
    Om, nomnomnom...
  10. Re:Track me by Lumpy · · Score: 4, Funny

    Only the old farts....

    00:00:00:00:00:00 is where the hip anons lurk.

    --
    Do not look at laser with remaining good eye.
  11. Re:Well by Grumbleduke · · Score: 4, Informative

    Indeed. My understanding of the situation (having followed some of these cases etc., including attending court hearings) is that the tech companies get paid by the IP. Most other parties involved (the copyright owner, the legal team, the holding company that brings the case) get either a percentage of net profit, or a fixed fee. As such, it's in the tech groups' interests to provide as many IPs as they can, as cheaply as possible.

    This is why they have been known to cut corners (such as just scraping a list of IPs from a tracker, rather than checking that any given IP is actually sharing the file at the particular time), or spend too much time actually looking into the technology. Interestingly, an "expert witness" in a recent English case noted that he "did not have [the software he was testifying with regard to] installed on his computer, and did not concern himself with how it worked".

    In the ACSLaw leaked emails, one thing that was noted was that around 1 in 4 IP addresses that had been identified as infringing weren't even assigned by the ISP at the time when the alleged infringement occurred. That statistic, to me, suggests that something pretty screwed up is going on with the data gathering.
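    As an added example (not from this thread, and not IPP's or any investigator's code), here is the cross-check a defence expert would run over an investigator's hit list against the ISP's lease records: any hit for which no subscriber held that IP at that instant falls into the "1 in 4" category above. The hits, leases and subscriber names are constructed; the mix of a CET-logged hit list with a UTC-logged lease table is assumed, to show how dropping the timezone turns an unassigned IP into a false attribution.

    ```python
    from collections import namedtuple
    from datetime import datetime, timedelta, timezone

    # Constructed sample data, not from the case: an investigator's hit list
    # (logged in CET, as a German operator might) and an ISP's DHCP lease
    # table (logged in UTC). Comparing the two without their zones is a
    # classic way to attribute an IP to the wrong subscriber, or to nobody.
    CET = timezone(timedelta(hours=1))
    Hit = namedtuple("Hit", "ip seen_at")                   # tracker claims ip was sharing at seen_at
    Lease = namedtuple("Lease", "ip subscriber start end")  # ip held by subscriber during [start, end)

    def cet(*ymdhm): return datetime(*ymdhm, tzinfo=CET)
    def utc(*ymdhm): return datetime(*ymdhm, tzinfo=timezone.utc)

    HITS = [
        Hit("203.0.113.10", cet(2012, 3, 1, 22, 15)),
        Hit("203.0.113.11", cet(2012, 3, 1, 22, 40)),   # = 21:40 UTC: lease below starts at 22:00 UTC
        Hit("203.0.113.12", cet(2012, 3, 2, 2, 5)),     # = 01:05 UTC: inside lease C
        Hit("203.0.113.13", cet(2012, 3, 1, 23, 0)),    # no lease record at all
    ]
    LEASES = [
        Lease("203.0.113.10", "subscriber-A", utc(2012, 3, 1, 18, 0), utc(2012, 3, 2, 6, 0)),
        Lease("203.0.113.11", "subscriber-B", utc(2012, 3, 1, 22, 0), utc(2012, 3, 1, 23, 0)),
        Lease("203.0.113.12", "subscriber-C", utc(2012, 3, 2, 1, 0), utc(2012, 3, 2, 9, 0)),
    ]

    def covering_lease(hit, leases):
        """Return the lease that held hit.ip at hit.seen_at, or None.
        Both timestamps are timezone-aware, so Python compares them as
        absolute instants regardless of the zone each side logged in."""
        for lease in leases:
            if lease.ip == hit.ip and lease.start <= hit.seen_at < lease.end:
                return lease
        return None

    def attribute_hits(hits, leases):
        """Split hits into {ip: subscriber} for covered hits and a list of
        hits no subscriber held at that moment (unusable as evidence)."""
        attributed, unassigned = {}, []
        for hit in hits:
            lease = covering_lease(hit, leases)
            if lease is None:
                unassigned.append(hit)
            else:
                attributed[hit.ip] = lease.subscriber
        return attributed, unassigned
    ```

    With the constructed data, half the hits are unassigned; hit 203.0.113.11 is the interesting one, because a naive comparison of the bare clock values (22:40 against 22:00 to 23:00) would have pinned it on subscriber-B.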

  12. Re:IPTracker Based on Shareaza 2.4.0.0 by Anonymous Coward · · Score: 4, Funny

    Coca-Cola made me sick. Let's see the recipe! Come on...