How To Frame a Printer For Copyright Infringement

An anonymous reader writes "Have you ever wondered what it takes to get 'caught' for copyright infringement on the Internet? Surprisingly, actual infringement is not required. The New York Times reports that researchers from the computer science department at the University of Washington have just released a study that examines how enforcement agencies monitor P2P networks and what it takes to receive a complaint today. Without downloading or sharing a single file, their study attracted more than 400 copyright infringement complaints. Even more disturbing is their discovery that illegal P2P participation can be easily spoofed; the researchers managed to frame innocent desktop machines and even several university printers, all of which received bogus complaints."
  • Re:PC LOAD MUSIC (Score:2, Informative)

    by conteXXt ( 249905 ) on Thursday June 05, 2008 @02:57PM (#23672149)
    it's an old printer error message

    PC (Paper Cartridge) Load LETTER

    (out of letter sized paper)
  • by Hyppy ( 74366 ) on Thursday June 05, 2008 @03:02PM (#23672209)
    Somewhat offtopic, but related to your post. The EFF maintains a mailing list for technologists who would be willing to assist as witnesses or in other ways for cases such as this. When an attorney needs an expert witness for, say, a defense case against the RIAA, the EFF happily forwards it to this list. http://www.eff.org/about/opportunities/volunteer [eff.org]
  • Re:Too flimsy (Score:3, Informative)

    by Anonymous Coward on Thursday June 05, 2008 @03:19PM (#23672439)
    Did you miss the part where any malicious client can send an alternate client IP address to a tracker which supports the appropriate protocol extensions; the tracker will then report that IP address as participating in the swarm?

    Also, consider this: As commonly compressed, each reported peer takes up essentially 6 bytes; 4 for the IPv4 address, 2 for the port, because the less data the trackers have to push out during a scrape, the better.

    That gives a two-third chance that any corruption (undetected by the embarrassingly small IP checksum) of any single byte in that packet would falsely implicate an IP address.

    Look at how often your client gets bad data owing to something corrupting it on the way or faulty network gear; corruption that BT itself detects through piecewise SHA-1 hashing.

    But the scrape is not protected against this, and given the number of automated requests issued, it's highly likely that many innocent IP addresses have been targeted (and indeed, ask around; all the anecdotal evidence strongly supports that hypothesis).

    Further, this is solid evidence that the same enforcement companies providing data used for RIAA and MPAA lawsuits have a methodology which is not only flawed, but falls far short of what might be considered due diligence; they are believing the responses of servers which could very well detect that these are so-called "Judas nodes", and deliberately provide responses seeded with bogus requests... ...or servers set up by other monitoring organisations as malicious trackers, which are, amongst other things, deliberately reporting non-existent clients to attempt to frustrate their malicious torrents.

    Even worse if they're believing peer exchange or DHT inserts. This is actually pretty damning evidence against their reliability.

    It also contains easily enough information for just about anyone with enough resources (for example, The Pirate Bay) to identify with a high probability all of the IP addresses currently used by reporting agencies. And block them, and maybe even tell us what they are, because the agencies are rapidly running out of blocks (especially if they're going to launch synfloods from them and risk getting their transit cut off).

    Thanks, guys. Nice work there. I hope one of you springs for the printer's bail bonds. :-)
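The 6-byte compact peer record from the comment above, worked through as an added example (not part of the original comment). It encodes three constructed peers, corrupts each byte position in turn, and counts how often the parsed record names a different IP address; the port byte order (big-endian) is the usual compact-format convention.

```python
import ipaddress
import struct

# Constructed sample peers (documentation address ranges), not data from the study.
SAMPLE_PEERS = [("192.0.2.10", 6881), ("198.51.100.7", 51413), ("203.0.113.99", 6889)]


def pack_compact_peers(peers):
    """Encode peers as 6 bytes each: 4-byte IPv4 address + 2-byte big-endian port."""
    return b"".join(
        ipaddress.IPv4Address(ip).packed + struct.pack("!H", port) for ip, port in peers
    )


def parse_compact_peers(blob):
    """Decode a compact peer list. Only the total length can be validated."""
    if len(blob) % 6:
        raise ValueError("compact peer list length must be a multiple of 6")
    peers = []
    for off in range(0, len(blob), 6):
        addr, port = struct.unpack_from("!4sH", blob, off)
        peers.append((str(ipaddress.IPv4Address(addr)), port))
    return peers


def single_byte_corruption_effects(blob, flip_mask=0x01):
    """Corrupt each byte position in turn and count what the parsed record becomes."""
    original = parse_compact_peers(blob)
    wrong_ip = wrong_port_only = 0
    for i in range(len(blob)):
        mutated = bytearray(blob)
        mutated[i] ^= flip_mask                       # any non-zero mask changes the byte
        parsed = parse_compact_peers(bytes(mutated))  # still parses without error
        record = i // 6
        if parsed[record][0] != original[record][0]:
            wrong_ip += 1                             # a different host is now named
        else:
            wrong_port_only += 1
    return wrong_ip, wrong_port_only


if __name__ == "__main__":
    blob = pack_compact_peers(SAMPLE_PEERS)
    wrong_ip, wrong_port = single_byte_corruption_effects(blob)
    print(f"{len(blob)} bytes: {wrong_ip} corruptions name another IP, "
          f"{wrong_port} only change the port")
```

Every corrupted list still parses cleanly, because the format carries no per-record integrity check that a consumer of the list could verify.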
  • Re:Too flimsy (Score:1, Informative)

    by Anonymous Coward on Thursday June 05, 2008 @03:20PM (#23672457)
    Connecting to the tracker does not violate any laws, period. Actually downloading or uploading might.

    What this exposes is that the *IAA are basing their take down letters on you simply connecting to a tracker. They are not doing any investigation to see if you ARE file sharing, just assuming you are and sending letters, lawsuits, etc.
  • Re:Sweet! (Score:3, Informative)

    by despe666 ( 802244 ) on Thursday June 05, 2008 @03:22PM (#23672493)
    Ding ding ding! You figured it out. I'm guessing these guys will be very busy being expert witnesses in upcoming trials.
  • Re:Too flimsy (Score:3, Informative)

    by assassinator42 ( 844848 ) on Thursday June 05, 2008 @03:45PM (#23672859)
    The IP spoofing described in this paper wouldn't allow for that. It involves telling a tracker another IP address to use instead of the one you're connecting from. Thus he couldn't actually download the illegal content.
    The article does talk about mistaken identification based on a shorter DHCP timeout than tracker timeout, which might be closer to what you're talking about. That could be extended by manually setting your IP address to one authenticated by someone else. This is especially possible in a dorm setting where you're on the same LAN. Just copy the MAC and IP addresses of someone who's already authenticated but has since disconnected.
  • Re:PC LOAD MUSIC (Score:4, Informative)

    by Anonymous Coward on Thursday June 05, 2008 @03:45PM (#23672867)
    From God^H^H^HWikipedia:

    The term was popularized by the comedy cult film Office Space. Michael Bolton (David Herman), one of the three main characters, reads the error message from the LCD status display on a fax machine, after which he asks, "'PC Load Letter'? What the fuck does that mean?"
  • by beegle ( 9689 ) on Thursday June 05, 2008 @04:09PM (#23673271) Homepage
    At a previous job, I had to spend some time processing the DMCA notices. They were obviously auto-generated, and it was pretty common for them to just not make sense. IP address but no timestamp (very handy for dynamic address ranges), indecipherable protocol in the url (really. When even Google's no help, you need to at least provide a -hint-.), etc. When I'd respond with simple questions, it would take them weeks to respond. Meanwhile, they expected people to jump on their requests within hours.
  • by guacamole ( 24270 ) on Thursday June 05, 2008 @04:14PM (#23673367)
    I used to work as a sysadmin in academia and we used to get such false infringement notices on a regular basis. Here is a typical story. Some professor, let's call him Smith, puts some tar and zip files on his webpage or on his ftp site, which naturally has a URL like ftp:somehost.edu/pub/users/smith/bundle.zip [somehost.edu]

    Eventually we get emails from some trade association: "We are asking you in good faith to remove the material that infringes on our IP rights. The site in question is such and such and it contains a copy of a Nintendo game "Mr. Smith's Day Out"" or some other nonsense like that. I found those amusing.
  • by Anonymous Coward on Thursday June 05, 2008 @04:23PM (#23673543)

    This study shows for a FACT that false positives are occurring and occurring ALL THE TIME.


    Well, this study showed that false positives can occur and can be made to occur, but it doesn't say anything about how often they do occur. I know the folks who process these complaints at my school, and the false positive rate is a little less than 3%.
  • Re:Sweet! (Score:3, Informative)

    by xappax ( 876447 ) on Thursday June 05, 2008 @05:03PM (#23674201)
    From the report:

    based on the inconclusive nature of the current monitoring methods, we find that it is possible for a malicious user (or buggy software) to implicate (frame) seemingly any network endpoint in the sharing of copyrighted materials
    (emphasis added)
  • by jonbryce ( 703250 ) on Thursday June 05, 2008 @06:02PM (#23675073) Homepage
    You have A4 paper in my tray. The computer has asked me to print on Letter sized paper. Please could you insert some Letter sized paper in the tray. (or fix MS Word to use A4 as the default paper size)
  • Re:Sweet! (Score:3, Informative)

    by complete loony ( 663508 ) <Jeremy@Lakeman.gmail@com> on Thursday June 05, 2008 @07:58PM (#23676469)
    http://wiki.theory.org/BitTorrentSpecification#Tracker_Request_Parameters [theory.org]

    # ip: Optional. The true IP address of the client machine, in dotted quad format or rfc3513 defined hexed IPv6 address. Notes: In general this parameter is not necessary as the address of the client can be determined from the IP address from which the HTTP request came. The parameter is only needed in the case where the IP address that the request came in on is not the IP address of the client. This happens if the client is communicating to the tracker through a proxy (or a transparent web proxy/cache.) It also is necessary when both the client and the tracker are on the same local side of a NAT gateway. The reason for this is that otherwise the tracker would give out the internal (RFC1918) address of the client, which is not routeable. Therefore the client must explicitly state its (external, routeable) IP address to be given out to external peers. Various trackers treat this parameter differently. Some only honor it only if the IP address that the request came in on is in RFC1918 space. Others honor it unconditionally, while others ignore it completely. In case of IPv6 address (e.g.: 2001:db8:1:2::100) it indicates only that client can communicate via IPv6.
    Depending on the tracker, you may be able to impersonate anyone at all.
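The three tracker behaviours listed in the quoted specification text (ignore the `ip` parameter, honor it only for RFC1918 sources, honor it unconditionally), modelled from the tracker's side as an added example; it is not code from the post or from any tracker. The policy labels, function names and announce records are hypothetical and constructed for illustration.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def recorded_address(source_ip, claimed_ip, policy):
    """Return the address a tracker would list for this announce.

    source_ip  -- address the HTTP request arrived from
    claimed_ip -- value of the optional `ip` parameter, or None
    policy     -- 'ignore', 'rfc1918_only' or 'unconditional' (hypothetical labels)
    """
    source = ipaddress.ip_address(source_ip)
    if claimed_ip is None or policy == "ignore":
        return str(source)
    try:
        claimed = ipaddress.ip_address(claimed_ip)
    except ValueError:
        return str(source)               # malformed claim: fall back to the socket address
    if policy == "unconditional":
        return str(claimed)
    if policy == "rfc1918_only":
        behind_nat = any(source in net for net in RFC1918)
        return str(claimed) if behind_nat else str(source)
    raise ValueError(f"unknown policy: {policy}")


def unverified_listings(announces, policy):
    """List (source, recorded) pairs where the tracker lists an address it never saw."""
    out = []
    for source_ip, claimed_ip in announces:
        recorded = recorded_address(source_ip, claimed_ip, policy)
        if recorded != str(ipaddress.ip_address(source_ip)):
            out.append((source_ip, recorded))
    return out


# Constructed announces (documentation and private ranges): (request source, `ip` parameter)
ANNOUNCES = [
    ("203.0.113.5", None),               # ordinary client
    ("192.168.1.20", "198.51.100.20"),   # client on the tracker's LAN stating its external address
    ("203.0.113.5", "198.51.100.77"),    # public client naming a host that is not itself
    ("203.0.113.9", "not-an-address"),   # malformed value
]
```

Under the unconditional policy two of the four listings are addresses the tracker never exchanged a packet with, which is why a peer list alone says nothing about what the listed host actually did.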
  • Re:Sweet! (Score:5, Informative)

    by mysidia ( 191772 ) on Thursday June 05, 2008 @08:37PM (#23676801)

    Sorry, I have to debunk the theory that it is only technically possible to spoof a source address on your local subnet, it's just not true.

    First of all, you can send people in your local subnet messages with any fake outside source IP you want, and there are various techniques to convince your local subnet's router to send _you_ the response traffic instead of the rightful recipient, so you can have full socket connectivity in both directions.

    (I.E. ICMP redirect packets sent to the default gateway, static routes, etc)

    Also, there are methods to spoof source IPs outside your subnet, even when sending to destinations outside your subnet, unless your provider is specifically using techniques to block spoofed traffic (which possibly, some are now).

    If you can guess the right sequence numbers and port numbers (very hard), then you can even inject data into someone else's live TCP connection, or just force that connection to close (by sending a RST)

    Use of technologies such as SSL or TLS protect against sending unauthorized commands or allowing corrupt data to be transmitted, but don't protect against a third party forcibly closing the connection.

    Spoofing outside the subnet is just extremely difficult, and fairly improbable for targets utilizing modern TCP stacks -- but theoretically possible; IRC networks used to have problems with script kiddies generating spoofed clone floods.

    (This tactic was thwarted by taking advantage of the fact that spoofed users could effectively SEND spoofed traffic but not RECEIVE messages, so a CAPTCHA-style feature called "nospoof" was introduced into the connection process.)

    Receiving traffic in both directions over a spoofed connection is also possible, but hard, I.E. requires hijacking the legitimate equipment's IP, and fooling network equipment into sending traffic to the wrong place (the spoofer's computer).

    I'm not saying it's easy, safe, invisible, non-destructive, or you won't easily get caught, but I must say that such spoofing is 100% possible.

  • Re:Sweet! (Score:2, Informative)

    by mysidia ( 191772 ) on Thursday June 05, 2008 @09:08PM (#23677047)

    Actually no, they all use VLSM (Variable Length subnet masks), it is quite rare that you have direct IP communication with your neighbor.

    VLSM alone isn't enough; your PC still needs a valid subnet mask, which can't be 255.255.255.255, and you _do_ still need to have (indirect) IP connectivity with your neighbors' IPs, to share files, or chat, for instance.

    The ISP either NATs you, gives you a /30 (1 IP, 1 network id, 1 broadcast address), or utilizes equipment that does something more creative to conserve IPs.

    On an old cable network, there is a faint possibility you have Layer 2 physical connectivity (or fall within the same broadcast domain) with your neighbor.

    But it is more likely that the subnet you see is merely an illusion created by your provider's equipment. The other "local subnet" ips are actually ip addresses bound to the ISP equipment, I.E. Your ARP traffic received only by the ISP device. And for any IP you request an ARP binding for, the ISP equipment responds with the MAC address of your default gateway, and only the ISP equipment sees any of your Layer 2 (broadcast) messages.

  • Re:Sweet! (Score:3, Informative)

    by Vancorps ( 746090 ) on Friday June 06, 2008 @12:19AM (#23678449)

    Yes, we agree exactly. Indirect IP connectivity is through the ISP's router and not a direct connection to your neighbor. Some cable providers don't do this well as you say, they are in the same broadcast domain with their immediate neighbor but there are never very many customers on a single pop.

    A good number of ISPs use transparent proxies as you describe as well which further makes direct connection difficult. Of course most of the transparent proxies only function with HTTP traffic so anything with a different protocol bypasses the proxy and goes straight out but still has to go through a router before it hits another customer.
