How To Frame a Printer For Copyright Infringement
An anonymous reader writes "Have you ever wondered what it takes to get 'caught' for copyright infringement on the Internet? Surprisingly, actual infringement is not required. The New York Times reports that researchers from the computer science department at the University of Washington have just released a study that examines how enforcement agencies monitor P2P networks and what it takes to receive a complaint today. Without downloading or sharing a single file, their study attracted more than 400 copyright infringement complaints. Even more disturbing is their discovery that illegal P2P participation can be easily spoofed; the researchers managed to frame innocent desktop machines and even several university printers, all of which received bogus complaints."
Re:PC LOAD MUSIC (Score:2, Informative)
PC (Paper Cartridge) Load LETTER
(out of letter sized paper)
Re:Too flimsy (Score:3, Informative)
Also, consider this: As commonly compressed, each reported peer takes up essentially 6 bytes; 4 for the IPv4 address, 2 for the port, because the less data the trackers have to push out during a scrape, the better.
That gives a two-thirds chance that any corruption (undetected by the embarrassingly small IP checksum) of any single byte in that packet would falsely implicate an IP address.
Look at how often your client gets bad data owing to something corrupting it on the way or faulty network gear; corruption that BT itself detects through piecewise SHA-1 hashing.
But the scrape is not protected against this, and given the number of automated requests issued, it's highly likely that many innocent IP addresses have been targeted (and indeed, ask around; all the anecdotal evidence strongly supports that hypothesis).
Further, this is solid evidence that the same enforcement companies providing data used for RIAA and MPAA lawsuits have a methodology which is not only flawed, but falls far short of what might be considered due diligence; they are believing the responses of servers which could very well detect that these are so-called "Judas nodes", and deliberately provide responses seeded with bogus requests...
Even worse if they're believing peer exchange or DHT inserts. This is actually pretty damning evidence against their reliability.
It also contains easily enough information for just about anyone with enough resources (for example, The Pirate Bay) to identify with a high probability all of the IP addresses currently used by reporting agencies. And block them, and maybe even tell us what they are, because the agencies are rapidly running out of blocks (especially if they're going to launch synfloods from them and risk getting their transit cut off).
Thanks, guys. Nice work there. I hope one of you springs for the printer's bail bonds.
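To make the "6 bytes per peer" point and the two-thirds figure concrete, here is an added example (written for this page, not code from the study or from any tracker or client) that decodes the compact peer-list format, corrupts one byte at a time, and counts how many of those corruptions name an address that was never in the list. The peer addresses are constructed from documentation ranges.

```python
import struct
from typing import Iterator, List, Tuple

Peer = Tuple[str, int]

# Constructed sample peers (TEST-NET ranges, not real hosts). They are chosen so
# that no single bit flip turns one listed IP into another listed IP.
SAMPLE_PEERS: List[Peer] = [
    ("192.0.2.10", 6881),
    ("198.51.100.20", 51413),
    ("203.0.113.30", 6889),
]


def parse_compact_peers(blob: bytes) -> List[Peer]:
    """Decode a compact peer list: 6 bytes per peer, 4-byte IPv4 + 2-byte big-endian port."""
    if len(blob) % 6:
        raise ValueError("compact peer list length must be a multiple of 6")
    peers = []
    for off in range(0, len(blob), 6):
        ip = ".".join(str(b) for b in blob[off:off + 4])
        (port,) = struct.unpack("!H", blob[off + 4:off + 6])
        peers.append((ip, port))
    return peers


def encode_compact_peers(peers: List[Peer]) -> bytes:
    """Inverse of parse_compact_peers: pack each (ip, port) into 6 bytes."""
    out = bytearray()
    for ip, port in peers:
        out += bytes(int(octet) for octet in ip.split("."))
        out += struct.pack("!H", port)
    return bytes(out)


def single_byte_corruptions(blob: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (position, mutated_blob) with the low bit of one byte flipped each time."""
    for pos in range(len(blob)):
        mutated = bytearray(blob)
        mutated[pos] ^= 0x01
        yield pos, bytes(mutated)


def implicated_fraction(peers: List[Peer]) -> float:
    """Fraction of single-byte corruptions that produce an IP absent from the original list.

    Nothing in the compact format lets the receiver notice this: the bytes still parse
    as a perfectly well-formed peer entry, just for a different host.
    """
    blob = encode_compact_peers(peers)
    original_ips = {ip for ip, _ in peers}
    hits = sum(
        any(ip not in original_ips for ip, _ in parse_compact_peers(mutated))
        for _, mutated in single_byte_corruptions(blob)
    )
    return hits / len(blob)
```

Port-byte corruptions leave the IP intact, so only the 4 IP bytes out of every 6 (two-thirds of the positions) point the complaint at a different host.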
Re:Too flimsy (Score:1, Informative)
What this exposes is that the *IAA are basing their takedown letters on you simply connecting to a tracker. They are not doing any investigation to see if you ARE file sharing, just assuming you are and sending letters, lawsuits, etc.
Re:Too flimsy (Score:3, Informative)
The article does talk about mistaken identification based on a shorter DHCP timeout than tracker timeout, which might be closer to what you're talking about. That could be extended by manually setting your IP address to one authenticated by someone else. This is especially possible in a dorm setting where you're on the same LAN. Just copy the MAC and IP addresses of someone who's already authenticated but has since disconnected.
Re:PC LOAD MUSIC (Score:4, Informative)
The term was popularized by the comedy cult film Office Space. Michael Bolton (David Herman), one of the three main characters, reads the error message from the LCD status display on a fax machine, after which he asks, "'PC Load Letter'? What the fuck does that mean?"
I have been getting these five years ago (Score:4, Informative)
Eventually we get emails from some trade association: "We are asking you in good faith to remove the material that infringes on our IP rights. The site in question is such and such and it contains a copy of a Nintendo game 'Mr. Smith's Day Out'" or some other nonsense like that. I found those amusing.
Re:Too flimsy...not really (Score:1, Informative)
Well, this study showed that false positives can occur and can be made to occur, but it doesn't say anything about how often they do occur. I know the folks who process these complaints at my school, and the false positive rate is a little less than 3%.
Re:Sweet! (Score:3, Informative)
based on the inconclusive nature of the current monitoring methods, we find that it is possible for a malicious user (or buggy software) to implicate (frame) seemingly any network endpoint in the sharing of copyrighted materials
(emphasis added)
Re:Sweet! (Score:5, Informative)
Sorry, I have to debunk the theory that it is only technically possible to spoof a source address on your local subnet; it's just not true.
First of all, you can send people in your local subnet messages with any fake outside source IP you want, and there are various techniques to convince your local subnet's router to send _you_ the response traffic instead of the rightful recipient, so you can have full socket connectivity in both directions.
(i.e. ICMP redirect packets sent to the default gateway, static routes, etc.)
Also, there are methods to spoof source IPs outside your subnet, even when sending to destinations outside your subnet, unless your provider is specifically using techniques to block spoofed traffic (which possibly, some are now).
If you can guess the right sequence numbers and port numbers (very hard), then you can even inject data into someone else's live TCP connection, or just force that connection to close (by sending a RST).
Use of technologies such as SSL or TLS protects against sending unauthorized commands or allowing corrupt data to be transmitted, but doesn't protect against a third party forcibly closing the connection.
Spoofing outside the subnet is just extremely difficult, and fairly improbable for targets utilizing modern TCP stacks -- but theoretically possible; IRC networks used to have problems with script kiddies generating spoofed clone floods.
(This tactic was thwarted by taking advantage of the fact that spoofed users could effectively SEND spoofed traffic but not RECEIVE messages, so a CAPTCHA-style feature called "nospoof" was introduced into the connection process.)
Receiving traffic in both directions over a spoofed connection is also possible, but hard, i.e. it requires hijacking the legitimate equipment's IP, and fooling network equipment into sending traffic to the wrong place (the spoofer's computer).
I'm not saying it's easy, safe, invisible, non-destructive, or you won't easily get caught, but I must say that such spoofing is 100% possible.
Re:Sweet! (Score:2, Informative)
Actually no, they all use VLSM (variable-length subnet masks); it is quite rare that you have direct IP communication with your neighbor.
VLSM alone isn't enough; your PC still needs a valid subnet mask, which can't be 255.255.255.255, and you _do_ still need to have (indirect) IP connectivity with your neighbors' IPs, to share files, or chat, for instance.
The ISP either NATs you, gives you a /30 (1 IP, 1 network id, 1 broadcast address), or utilizes equipment that does something more creative to conserve IPs.
On an old cable network, there is a faint possibility you have Layer 2 physical connectivity (or fall within the same broadcast domain) with your neighbor.
But it is more likely that the subnet you see is merely an illusion created by your provider's equipment. The other "local subnet" IPs are actually IP addresses bound to the ISP equipment, i.e. your ARP traffic is received only by the ISP device. And for any IP you request an ARP binding for, the ISP equipment responds with the MAC address of your default gateway, and only the ISP equipment sees any of your Layer 2 (broadcast) messages.
Re:Sweet! (Score:3, Informative)
Yes, we agree exactly. Indirect IP connectivity is through the ISP's router and not a direct connection to your neighbor. Some cable providers don't do this well, as you say; they are in the same broadcast domain with their immediate neighbor, but there are never very many customers on a single pop.
A good number of ISPs use transparent proxies as you describe as well which further makes direct connection difficult. Of course most of the transparent proxies only function with HTTP traffic so anything with a different protocol bypasses the proxy and goes straight out but still has to go through a router before it hits another customer.