How To Frame a Printer For Copyright Infringement
An anonymous reader writes "Have you ever wondered what it takes to get 'caught' for copyright infringement on the Internet? Surprisingly, actual infringement is not required. The New York Times reports that researchers from the computer science department at the University of Washington have just released a study that examines how enforcement agencies monitor P2P networks and what it takes to receive a complaint today. Without downloading or sharing a single file, their study attracted more than 400 copyright infringement complaints. Even more disturbing is their discovery that illegal P2P participation can be easily spoofed; the researchers managed to frame innocent desktop machines and even several university printers, all of which received bogus complaints."
If the right people get framed... (Score:5, Interesting)
Re:Glad it's in a reputable media source (Score:5, Interesting)
Unless the little guys can pony up the cash to get these guys as expert witnesses, the MAFIAA will simply commission their own, contradictory study in order to discredit this one.
I hope at some point (and some point SOON) we get a critical mass of people and evidence against the big industry players so that they'll stop this crap. I don't think it'll happen though--there's just too many dollars at stake for them to give up.
Re:Glad it's in a reputable media source (Score:5, Interesting)
The other favored method these days seems to be sending out nonsensical Cease and Desist [demystify.info] Letters claiming all sorts of things, including copyright infringement, and CRIMINAL charges because someone has a domain that you want.
Caton Commercial [willcounty...tcourt.com] engages in this, and seems to find this practice acceptable.
Re:Sweet! (Score:5, Interesting)
Re:Too flimsy...not really (Score:5, Interesting)
Re:As I said (Score:3, Interesting)
Good catch. One missing 'n' makes a lot of difference. I *did* preview. And spell-checked. A grammar checker would not have helped.
Oh, well. Have fun.
has the mafiaa ever fought an IT guy? (Score:4, Interesting)
I'm curious if the 'industry monitoring groups' have ever sent a C/D letter to a clueful sysadmin? we know that most laymen will simply cave in when they receive the 'fact' that their IP address was somehow connected to 'bad traffic'; but I wonder if anyone who knows networking ever called their bluff and really had a court case where he asked for MORE info than simply IP addrs. it would seem that if you can defend yourself in IP networking theory that they really have no firm case on you, especially if you run an 'open wireless AP' and that, itself, could create enough doubt as to who the real 'infringer' really is. they might be able to say it's your network but they can't prove it's YOU. it could be spyware that somehow got installed on your system. spyware does do 'strange things' as we all know and it's not outside the realm of possibility that some virus is connecting to trackers while sitting inside your network. is that really your fault? should you be called 'an infringer' for that?
so I'm really curious if there are any examples of a tech-strong defendant really calling their bluff and demanding fine-grained specific evidence while at court or at some plea bargaining procedure.
The New Way To Evade Detection (Score:3, Interesting)
2: Set your NATting wireless router to mimic that printer's MAC address.
3: Insert your NATting router between the printer and the LAN and steal its IP address.
4: Connect to router and fileshare to your heart's content.
5: Watch printer be arrested for your piracy.
6: PROFIT!
Re:Big surprise! (Score:3, Interesting)
Re:Big surprise! (Score:3, Interesting)
As much as the "copyright police" may like to pretend that they're law enforcement (complete with little .jpg images of copper badges [websheriff.com]--lol), they are not the police. Copyright infringement is a civil charge. As such, the content industries should not get any special treatment when it comes to these cases. If it can be shown that the content industry's methods of obtaining evidence are fundamentally flawed, it calls into question if the DMCA takedown notices and C&D letters are truly filed with good faith as to the validity of their contents. Without those, none of their lawsuits could go forth because they would not be able to request ISPs to release account records.
If I as an individual can't sue random individuals on spurious grounds and demand legal-ransom (err.. "settlement"), why should the industries be able to?
-Grym
Re:Sweet! (Score:3, Interesting)
I don't think you can spoof any IP address. I think you'd still need to be on the same subnet/domain in order for routing to work.
You can spoof your neighbor, but you can't spoof something in a different network range.
At least, I don't think you could spoof an arbitrary IP address.
Cheers
Re:Big surprise! (Score:3, Interesting)
It's not illegal to destroy your own property when you're done with it. Say, to tear up old, out-of-date travel guide books about Spain. It's your property, you can do what you want with it. It's not even illegal to do so on public property. I could do that and throw out the pieces in a public park, for instance.
However, if you try to do that in a public library, some old(er) ladies will have a fit...
When I was in college, I took several old travel guides to the library and started shredding out pages in the main reading area. Several people noticed and, I assume, told the staff. They approached me quickly and freaked out, telling me to stop. I said, "It's OK. They're my books. No harm to your books at all." And they responded by demanding that I leave, which I quickly did.
The point? Even if you're not committing any sort of crime, the appearance of doing so is likely to get you under close scrutiny. In the RIAA's case in this instance, they gave out Take Down Notices. In the situation given, they are ridiculous because no downloads had occurred. However, without actually filing suit against the authors of the study, this is just analogous to 'higher scrutiny'.
If I had been actually destroying the public library's books, I would have not only been a bad citizen, but also in violation of some misdemeanor vandalism charges most likely. If the authors of the study had been actually illegally downloading copyrighted materials (over against not downloading anything, downloading materials under fair use, etc etc), they would have been making themselves liable for civil suit(s), and the RIAA would likely have gone after them with a lawsuit.
The big difference is that the RIAA seems to be blanketing everyone who is mistreating the books in any way, shape, or form, rather than looking for people who are actually destroying actual library books. It's the throw-it-all-against-the-wall-and-see-what-sticks approach to filing suit. And it's about the least responsible way to do it (if not the least effective).
Re:Too flimsy (Score:3, Interesting)
Not anymore. Thanks to this paper, people are going to connect just to inject noise into the system.
Re:Too flimsy (Score:2, Interesting)
However, this is what court cases are for. They determine if you were actually doing something illegal, or if you were just an innocent bystander.
Actually getting arrested/sued doesn't require a massive amount of evidence, nor should we really expect that. Imagine a warehouse full of drug dealers dealing their drugs. You're there, but neither selling nor buying drugs, just watching it all. If the place gets raided, you certainly wouldn't be shocked if you were arrested along with everyone else.
You're on to something there (Score:5, Interesting)
Apparently since a DDOS is a legal move in this game (if you'll recall the MediaDefender fiasco recently), [slashdot.org] maybe we could use this technique and flood P2P space with false positives.
I'll bet once every single judge in the USA gets a "Cease and Desist" letter they'll eventually see that the RIAA's tactics aren't valid.
Re:Too flimsy (Score:3, Interesting)
Re:Too flimsy (Score:2, Interesting)
They won't be fazed... (Score:2, Interesting)
I think the way the **AAs would counter the argument would be the analogy: suppose there is a raid on the local whorehouse, and you are there, and you claim that you weren't actually doing anything illegal, but just "hanging around" or "doing research" or "visiting a friend." The odds are infinitely against that being the case, and while we acknowledge that there is a CHANCE you were actually innocent, if you hang out there you should not be surprised if you get swept up in the dragnet.
And they might also counter the "but there are legitimate uses for p2p" argument with the same scenario. Maybe the madame of the whorehouse also occasionally sells a jar of her homemade chicken soup to someone, but we know 99% of the visitors to that house are seeking to satisfy a different kind of appetite.
(Don't think all of this is farfetched -- after all, most prostitution busts do not rely on any actual proof that money was exchanged or that services were rendered -- the actual passing of bills or manipulation of body parts is rarely observed, but merely inferred. If you are driving at 3 am in a known prostitution area, and you are caught with a known prostitute in your car, you WILL be busted, and the judge will laugh off any "innocent" defense.)
A New Plan (Score:3, Interesting)
Re:Is this safe? (Score:4, Interesting)
Why waste time on a printer? (Score:1, Interesting)
Alternately, the workstations belonging to: student conduct, university legal affairs, or even our DMCA copyright officer all seem interesting targets to get this *AA blackmail scam exposed for what it really is.
Blame everyone! (Score:4, Interesting)
Think of it... the most respected and powerful people in every community simultaneously getting bogus cease and desist letters. (Lawyers, judges, politicians, etc...) I'd be inclined to think *something* just might happen after that.
Re:Sweet! (Score:3, Interesting)
Sorry, at some point when it's so extraordinarily difficult to do you just accept that it's impossible. Sending source-routed packets out is very difficult these days unless you have an old school ISP like an AT&T or a business pipe.
Most of the problems of the 90s were indeed solved and many of the issues you describe went the way of the dodo then. At this point it's so easy to secure against these types of attacks that any ISP would be negligent not to.
Also most of your techniques involved compromised routers, once you have a router compromised anything is possible so the whole discussion is moot.
Still, OSPF on the inside and BGP on the outside all use authentication if done properly so much of what you describe is exceedingly difficult to the point where it's not worth mentioning. Two-way traffic is pretty much impossible without compromising other systems first, as you said.
It's like physical security, it's never 100% safe, but at a certain point you accept that it's not going to be compromised. This behavior shouldn't prevent you from doing due diligence in the future to maintain security since it is a process but your focus is on other attack vectors.