Forgot your password?
typodupeerror
Software Technology

Forensic Investigator Outlines BitTorrent Detection Technology 193

Posted by timothy
from the vee-simply-attach-ziss-collar-to-each-bit dept.
NewYorkCountryLawyer writes "In one of the many BitTorrent download cases brought by pornographic film makers, the plaintiff — faced with a motion to quash brought by a "John Doe" defendant — has filed its opposition papers. Interestingly, these included a declaration by its 'forensic investigator' (PDF), employed by a German company, IPP, Limited, in which he makes claims about what his technology detects, and about how BitTorrent works, and attaches, as an exhibit, a 'functional description' of his IPTracker software (PDF)."
This discussion has been archived. No new comments can be posted.

Forensic Investigator Outlines BitTorrent Detection Technology

Comments Filter:
  • Track me (Score:2, Funny)

    by Anonymous Coward
    Posted from 127.0.0.1
  • by Anonymous Coward on Saturday July 07, 2012 @03:38PM (#40577467)

    Wouldn't that mean that it is subject to the GPL since it is derived from a GPL based product? So, let's see the source.

  • I2P/Freenet (Score:5, Insightful)

    by nurb432 (527695) on Saturday July 07, 2012 @03:41PM (#40577493) Homepage Journal

    Try tracking us there.

    Good luck.

    • Re:I2P/Freenet (Score:5, Informative)

      by girlintraining (1395911) on Saturday July 07, 2012 @03:53PM (#40577603)

      Try tracking us there.

      Encrypt all you want. Traffic analysis still screws you every time. The network tries to keep latencies low, so it forwards whatever it receives onto the next hop as soon as it gets it. If you're monitoring the source and the destination, then when it gets decrypted at the destination, you can correlate that with the traversal time through the 'black box' of Tor, Freenet, or whatever... and viola, you know who sent it, when, and what it was.

      This is a known problem. It's discussed at length on EFF's website. If your connections are made in bulk, at regular intervals, instead of interactively, then it's a lot harder to do traffic analysis if all the other nodes exhibit the same behavior. But as long as you're trying to be anonymous by simply using a series of proxies that are set to store-and-forward... you're still screwed.

      • Re:I2P/Freenet (Score:5, Informative)

        by nurb432 (527695) on Saturday July 07, 2012 @04:00PM (#40577665) Homepage Journal

        Read up on how Freenet works and you will see its not just about data encryption. Due to how it routes, and that data chunks are scattered about It also hides the source and requestors to the point that even if you are on the same LAN and sniffing packets directly you wont know for sure. Sure you can be caught using it which could be a legal problem for you depending on where you live, but they wont know if you are doing the requesting of file parts or you are just passing requests along.

        I2P i believe has something similar in place but i'm still learning how their stuff works.

        • Re: (Score:3, Insightful)

          It's still just extra obfusciation. You can't hide the fact that data leaves and arrives at certain times, and each node forwards data as it receives it... if you can monitor the traffic, you can derive from that who's talking to who, whether you know what the traffic is or not. And somewhere, either at the source, or the destination, is a decrypted copy. Since the US government already monitors all traffic that occurs domestically, this kind of analysis is already practical and being used right now.

          Don't

          • by PopeRatzo (965947) on Saturday July 07, 2012 @04:49PM (#40577933) Homepage Journal

            Since the US government already monitors all traffic that occurs domestically

            I saw someone on Facebook complaining about the government tracking them online.

            • by murdocj (543661)

              What's even worse is the government is tracking sales of tin foil so they know who has their hats ready.

          • Re:I2P/Freenet (Score:5, Interesting)

            by Znork (31774) on Saturday July 07, 2012 @05:04PM (#40578041)

            Which is why some p2p software, such as WASTE, has modes where it will always load links wether or not there is real traffic.

            If the arms race goes on, we'll end up with a constantly saturated internet with only random connections sending apparent random data, leaving any actual signal indistinguishable and drowned out by the massive amounts of random noise.

            • by Registered Coward v2 (447531) on Saturday July 07, 2012 @09:54PM (#40579425)

              Which is why some p2p software, such as WASTE, has modes where it will always load links wether or not there is real traffic.

              If the arms race goes on, we'll end up with a constantly saturated internet with only random connections sending apparent random data, leaving any actual signal indistinguishable and drowned out by the massive amounts of random noise.

              It's called /.

          • by AmiMoJo (196126)

            Not true. Such analysis is foiled by the fact that each note re-encrypts each packet and bundles bunches of them together. Even if there are no other packets available at the time the node can simply add junk data to pad things out. You see some packets go, each one possibly a bundle of more than one that but there is no way for you to tell, and see a different and uncorrelated load go out.

            Tor already does this.

        • by hairyfeet (841228)

          The problem with freenet is it has yet to be tested in the courts and the way i had it explained to me you could possibly be looking at SERIOUS TIME depending on what state you are in and how fucked up their laws are.

          Let me explain: if i hand you a wall safe and tell you to deliver it for me and the cops stop you and they find dope and kiddie porn in it from what i was told it doesn't matter if you didn't have the combination because they can STILL get you for delivery. By that same token if they are hunti

          • by Cederic (9623)

            I think that same issue could apply in the UK, with added nastiness: Not only could you be prosecuted for having on your system, and/or producing/disseminating it, but you could also be thrown in prison for failing to decrypt any parts of it that are encrypted.

            Oddly that latter part is the more serious concern, as it's quite hard to prove that an encrypted blob is of whatever form, so it would be tough for the prosecution to demonstrate that you did indeed have nastiness on your system.

            Anyway, wouldn't th

      • Re:I2P/Freenet (Score:5, Informative)

        by lister king of smeg (2481612) on Saturday July 07, 2012 @04:08PM (#40577727)

        that is why there is garlic routing. garlic routing is a modification of onion routing used by tor, what it does is bundle packets together so as to make traffic analysis useless. it does have greater latency but should not be a problem unless you are streaming

      • by f3rret (1776822)

        Try tracking us there.

        Encrypt all you want. Traffic analysis still screws you every time. The network tries to keep latencies low, so it forwards whatever it receives onto the next hop as soon as it gets it. If you're monitoring the source and the destination, then when it gets decrypted at the destination, you can correlate that with the traversal time through the 'black box' of Tor, Freenet, or whatever... and viola, you know who sent it, when, and what it was.

        This is a known problem. It's discussed at length on EFF's website. If your connections are made in bulk, at regular intervals, instead of interactively, then it's a lot harder to do traffic analysis if all the other nodes exhibit the same behavior. But as long as you're trying to be anonymous by simply using a series of proxies that are set to store-and-forward... you're still screwed.

        TOR (and the rest of the darknets, I guess, I haven't tried them) really isn't intended for secure communication, it is intended for anonymous communication. In your example both destination and source of the messages are known which means that any hope of anonymity was lost from the start.

        If you want secure communication then you need a extra encryption like a public key based algorithm or something like that.

    • by Idbar (1034346) on Saturday July 07, 2012 @04:25PM (#40577805)
      Hey! They have the technology now. They can write a GUI interface using visual basic to track your IPs!
  • GUID (Score:3, Interesting)

    by Anonymous Coward on Saturday July 07, 2012 @03:44PM (#40577541)

    It is not possible that an allocated GUID is allocated to another user again.

    I would look into this. As it is written it sounds, at least, misleading. Even if it is true this GUID thing for all P2P protocols (which I sincerely doubt), I would say that it should be spoofable directly or indirectly (compromising the machine if public key cryptography is used).

    • Re:GUID (Score:5, Informative)

      by Jahava (946858) on Saturday July 07, 2012 @04:26PM (#40577811)

      It is not possible that an allocated GUID is allocated to another user again.

      I would look into this. As it is written it sounds, at least, misleading. Even if it is true this GUID thing for all P2P protocols (which I sincerely doubt), I would say that it should be spoofable directly or indirectly (compromising the machine if public key cryptography is used).

      He is technically correct, assuming that the act of "GUID allocation" involves the correct use of a valid GUID generation algorithm by the software in question. That said, as you noted, it's remarkably easy to spoof such a GUID (in this case). His statement implies that a GUID positively identifies a user, which it does not, and is thus a misleading statement.

      • by julesh (229690)

        He is technically correct, assuming that the act of "GUID allocation" involves the correct use of a valid GUID generation algorithm by the software in question.

        The 'random' method is a valid GUID generation algorithm, defined by the relevant RFCs. It basically consists of picking random bits, and packing them with an indicator that the GUID was generated randomly. It is entirely possible (although extremely unlikely in absence of failures in the random number generation algorithm) for two identical GUIDs to be produced.

  • by Anonymous Coward on Saturday July 07, 2012 @03:45PM (#40577547)

    I've read their software specs. Seems they have some typo,

    The data can only be decoded and used by the responsible lawyer, only his software contains the deciphering method and this one one in this case also secret (called "public") key.

    Seems at least that one typo. At least I *hope* that's a typo.

    ... it is not possible that an allocated GUID is allocated to another user again.

    Same could be said about MACs, and cell phone ID numbers. No one ever clones those!!!

    So it seems, by their reasoning, if you go on a P2P network and clone someone else's GUID, well, then I guess the other party must be guilty, no?

    Seems that even if you use Bittorrent or similar to only download Linux distros or even WoW patches, someone can just clone that and use it and then they will just send the innocent the bill?

    • My GUID seems to be faulty, an I borrow yours for a bit?

    • by julesh (229690)

      No, I don't think it is a typo. The author doesn't understand public key cryptography, which is startling as the system appears to rely on it as its guarantee of the validity of the evidence chain.

      The document contains a number of dubious claims of the effects of its cryptography, including the notion that a key embedded in the software and used for signing the evidence as it is discovered is a secret key, and that the process of signing cannot be replicated without using the software because only the soft

  • Reading the description, his application claims to get a screenshot of the "offending" computer.

    How? I can't imagine that any of these P2P applications include such functionality.

    • by girlintraining (1395911) on Saturday July 07, 2012 @03:57PM (#40577639)

      How? I can't imagine that any of these P2P applications include such functionality.

      They don't. This guy might be a programmer, but he's got bricks for brains when it comes to proper terminology.

      • I get the impression english isn't his first language, so some errors of terminology are forgivable.
      • "They don't. This guy might be a programmer, but he's got bricks for brains when it comes to proper terminology."

        That's not what the description said. They capture a screenshot of the MONITORING computer, which is displaying data that is presumably evidence.

        That's why it goes on to say that data that is not relevant to a particular infringement is blocked from the screenshot.

  • "3.1 Protection of data privacy and data security: The rack-servers are stored in a room which is locked and protected with most current security mechanisms." But it doesn't go into what those"current security mechanisms" are. My guess is that it's in a locked closet in someone's apartment with a chihuahua sitting in front of the door.
    • They also have an RSA key, which is super secure at 4096-bit...except they include the raw key in a compiled library with the software. Gee, let's see how long it takes me to find this key with my trusty decompiler and a good CS education.

  • by nuckfuts (690967) on Saturday July 07, 2012 @04:02PM (#40577679)

    TFA states that BitTorrent uses "the so-called BiTH" hash alogorithm. Basically, his software doesn't look at filenames, it compares hash values to determine if a downloaded file is infringing.

    Perhaps a defence would be to argue that a hash collision had occurred.

    • Re: (Score:2, Insightful)

      by Anonymous Coward

      Doubtful. It doesn't fly in normal court and it won't fly here.

  • by andersh (229403) on Saturday July 07, 2012 @04:17PM (#40577767)

    Does this so-called "IPP" company in fact exist at all? I've had a cursory glance on Google, but didn't find much of interest.

    German companies are not called Limited or Ltd. if they are indeed "governed by German law", as claimed in the court declaration. Under German law it should be called "IPP GmbH". I would normally assume a "Ltd." company was based in the UK, on one of their islands or somewhere far away from Europe in general.

    IPP seems to be a fairly common name in the German business register (Unternehmensregister), but none of them seem to be the company in question? Does anyone out there have further information?

    • Re: (Score:3, Informative)

      by eruza (2679307)

      Found their website for you: IPP International Unternehmensgesellschaft [ippint.de]

      • Thanks, after looking it up in the business register I see it's formally "IPP Int UG" (i.e. haftungsbeschränkt or almost the equiv. of Ltd/LLC).

        In other words this is the "light version" or less serious company form, founded with €1 in capital, i.e. not a very serious business [in my and the bank's opinion].

  • Truth be told, the private copyright cops have no reason to lie or cheat. What they are doing is quite easy and straightforward. All they have to do is hit a major torrent site like TPB, click a tracker with their hacked version of an open source bittorrent client, and save all the IP addresses in the swarm. The rest is just meaningless fluff that costs stupendous sums of money. The IP addresses they record are by PREPONDERANCE OF EVIDENCE (meaning at least a 51% chance) guilty of infringement. 51% cha

    • Re:Well (Score:5, Insightful)

      by j00r0m4nc3r (959816) on Saturday July 07, 2012 @04:39PM (#40577869)
      the private copyright cops have no reason to lie or cheat

      Sure they do. Since this is really just an elaborate extortion racket, the more IPs they deliver to their clients, the more they get paid. Their clients just file a bunch of John Doe lawsuits and hope for settlements. The more IPs they have, the more possible settlements -- false positives be damned.
      • Re:Well (Score:5, Informative)

        by Grumbleduke (789126) on Saturday July 07, 2012 @05:00PM (#40578015) Journal

        Indeed. My understanding of the situation (having followed some of these cases etc., including attending court hearings) is that the tech companies get paid by the IP. Most other parties involved (the copyright owner, the legal team, the holding company that brings the case) get either a percentage of net profit, or a fixed fee. As such, it's in the tech. groups interests to provide as many IPs as they can, as cheaply as possible.

        This is why they have been known to cut corners (such as just scraping a list of IPs from a tracker, rather than checking that any given IP is actually sharing the file at the particular time), or spend too much time actually looking into the technology. Interestingly, an "expert witness" in a recent English case noted that he"did not have [the software he was testifying with regard to] installed on his computer, and did not concern himself with how it worked").

        In the ACSLaw leaked emails, one thing that was noted was that around 1 in 4 IP addresses that had been identified as infringing weren't even assigned by the ISP at the time when the alleged infringement occurred. That statistic, to me, suggests that something is pretty screwed up is going on with data gathering.

        • by julesh (229690)

          Suggests ACS were just scraping IPs from the tracker without validating they actually had the data. Trackers often have large proportions of stale addresses.

      • This assumes that false positives are costless. They aren't. Think: attorney's fees.

        • This assumes that false positives are costless. They aren't. Think: attorney's fees.

          Then obviously the only solution to this problem is to make all attorney's free of charge. We have a large population of convicts that instead of stamping license plates, we can force them to be free attorney's to pay for their crimes, and they already have experience in the courtroom!

    • "The IP addresses they record are by PREPONDERANCE OF EVIDENCE (meaning at least a 51% chance) guilty of infringement. 51% chance is a pretty darn low threshold to reach, and we know that millions of people occasionally pirate, so legally it's an open and shut case."

      Not true. Since the courts have ruled that an IP address does not identify an individual -- and in some cases not even a household -- then your 51% gets cut down to more like 25% or possibly even less.

  • To guarantee the immutability of the data, IP, date and time is signed with a private 4096 bit RSA key. The RSA key is included internally in the IPTRACKER program using a precompiled library and cannot be read or used elsewhere.

    Challenge accepted. Now where do I pirate IPTRACKER from?

    • by julesh (229690)

      From their truecrypt-encrypted hard disk on a single machine in a secure location. Internet-connected, of course, but one presumes it's firewalled. Still, you may get lucky trying to exploit bugs in their network handling code when they randomly connect to your machine to see if it has data they're looking for. They don't sound competent from their description of how the system works.

  • by Jahava (946858) on Saturday July 07, 2012 @04:48PM (#40577929)

    So in all of these cases, as a technical person, I can't help but wonder how they're connecting an IP address to positive evidence of a specific person's deliberate action. There are countless plausible scenarios where a person can own a number (IP address) involved in a crime and yet not themselves be aware of or involved in said crime. Some examples are:

    • The defendant has (or had) an open WiFi access point at the time. The crime was committed by someone who used that connection.
    • The defendant has (or had) a secure WiFi access point with bad credentials at the time. The crime was committed by someone who guessed those credentials.
    • The defendant has (or had) a secure WiFi access point with secure credentials. The crime was committed by someone who obtained those credentials (overheard them, password reuse, friend-of-a-friend, etc.).
    • One of the defendant's computers is (or was) infected by malware at the time, and the malware performed the crime on behalf of someone else.
    • The defendant's IP address was spoofed by an employee at the defendant's ISP who was the actual party committing the crime.
    • The defendant was tricked into executing commands resulting in the crime on their system without knowing what those commands were doing (jerk tech-support guy, etc.).
    • The defendant's system performed the crime without the defendant's knowledge during routine execution of third-party content (Flash, Javascript) laced with malicious code.
    • A friend or associate of the defendant performed the crime using the defendant's systems without the defendant's knowledge or permission.

    In all of these scenarios, the crime could have been committed without any knowledge of the defendant. In some of these scenarios, the defendant has little-to-no chance to detect or thwart the crime. How does any lawyer convince any judge or jury that the person on trial committed a crime in light of this?

    From a defensive point of view, what is the minimum number of compromises that one should run in their own network to provide themselves with sufficient plausible deniability from this type of thing?

    • Can you prove I didn't have an open WiFi enabled at the time, or that my password was bad? What if I reset my router's logs daily?
    • Can you prove I didn't have malware? What if I sold a computer recently - it must have been infected, since all of the ones you confiscated aren't - and wiped the disk prior?
    • Can you prove someone didn't use my computer without my permission? What if I didn't have a password on it and frequently left it lying around work?

    Furthermore, from an activist's point of view, imagine someone built a malware variant that monitored browser usage (Google, Facebook, etc.) for movie names and automatically downloads movie titles that were mentioned to a secret directory? I've now got a piece of malware that automatically, without any user knowledge or intervention, downloads illegal files that that user is interested in. What if the malware downloads new movie releases instead by monitoring public release knowledge bases [wikipedia.org] for titles? Is being infected by such a malware enough for innocence? If enough people are thusly infected would the entire concept of using IP subpoenas for prosecution fall apart?

    Just food for thought. I'd really like to know how someone can be held criminally-liable unless the prosecution caught them using the illegal file or captured an attributable confession.

    • by Jahava (946858)

      As a quick follow-on regarding "preponderance of evidence" (and legal burdens of proof [wikipedia.org] in general) mentioned in another post: If I'm infected with a downloader malware, or if I have an open WiFi point, I could argue that this points to the likely scenario being that I didn't download anything illegally.

      In the case of downloader malware, if someone finds stolen art in my basement, and, upon further investigation, discovers that someone else has built a hidden tunnel into my basement and used that area to sto

    • by cdrguru (88047)

      So far my understanding of the sequence of events is:

      1. Find an IP address that is associated with uploading materials that are not public domain. Log this as an "event" with the date and time.
      2. File a lawsuit and use discovery for the lawsuit to get the owner of the IP address to disclose the account holder using the IP address at that date and time.
      3. Again using a discovery motion, have the account holder's computer(s) examined for pirated materials.
      4. If such pirated materials are found, lawsuit moves forward -
      • You are simply muddying the waters here, by getting the procedure wrong, and conflating several things that are actually quite separate.

        (A) First, the procedure. You have items (1) and (2) right, but it has almost never gotten to (3), and that will probably happen even less in the future. Why? Because the courts have finally realized (and so ruled) that an IP address does not identify an individual. You can't prosecute a neighborhood or a house or even a family. You can only prosecute individuals.

        (B)
        • by wrook (134116)

          Just want to chip in a bit with respect to "it is not a crime". A lot of people think that because it is illegal it is a crime. But there is an important distinction. In a crime, the *state* charges you, takes you to court, etc. Also you can go to jail. Civil infractions like copyright infringement are pursued by the party that was damaged, not the state. Your punishment, should you lose the court case, is financial -- You won't go to jail and you won't have a criminal record. This is also why it is

          • We are largely in agreement on this.

            But even if the statute allows "punitive damages", we still have the principle that the punishment should fit the crime.

            So... if the "damages" are $1, maybe a "reasonable" punitive measure would be to charge 10 times that: $10.

            Nowhere else in law are punitive damages set to such an outrageous multiplier of the actual damages. THAT is a crime.
    • Re: (Score:2, Interesting)

      by Anonymous Coward

      Heh, I wrote your hypothetical "malware" for myself as a useful piece of software. Checks the Rotten Tomatoes new on DVD RSS feed, discards anything with a rotten score, uses Torrentz search API to search for a variety of strings, prioritizes blu-ray rip over DVD rip, more seeds over less seeds, user "verified" torrents over non-verified torrents, tries to weed out common strings that denote non-English languages "ITA", uses release year to resolve ambiguities, and then feeds the magnet link into uTorrent v

    • by AmiMoJo (196126)

      From a defensive point of view, what is the minimum number of compromises that one should run in their own network to provide themselves with sufficient plausible deniability from this type of thing?

      Some ISPs provide this for the customers by giving them all secondary semi-open wifi networks. For example BT Broadband customers have their own private wifi network but the router also broadcasts a second BT OpenZone SSID that allows other BT subscribers to get internet access after logging in. Fon offers something similar. The deal is you provide free wifi to other subscribers in exchange of having use of the same service when you are out and about.

      Can you prove I didn't have malware? What if I sold a computer recently - it must have been infected, since all of the ones you confiscated aren't - and wiped the disk prior?

      Can they confiscate your computers? In the UK they can't

      • by Jahava (946858)

        From a defensive point of view, what is the minimum number of compromises that one should run in their own network to provide themselves with sufficient plausible deniability from this type of thing?

        Some ISPs provide this for the customers by giving them all secondary semi-open wifi networks. For example BT Broadband customers have their own private wifi network but the router also broadcasts a second BT OpenZone SSID that allows other BT subscribers to get internet access after logging in. Fon offers something similar. The deal is you provide free wifi to other subscribers in exchange of having use of the same service when you are out and about.

        Can you prove I didn't have malware? What if I sold a computer recently - it must have been infected, since all of the ones you confiscated aren't - and wiped the disk prior?

        Can they confiscate your computers? In the UK they can't because copyright infringement is a civil matter. They can ask to examine it and you can tell them to fuck off because the burden of proof is on them and you are not required to aid them in any way, other than sharing evidence you yourself intend to rely on.

        Well here's the thing - assuming that they can, through some judicial voodoo, examine all of your computers and other systems, how could they ever hope to prove that you didn't have malware on your system at the time the alleged crime occurred that has since been removed (by itself or by you)? The burden of solid proof just seems impossible to meet.

        • by AmiMoJo (196126)

          The burden of solid proof just seems impossible to meet.

          If it is a civil matter than they don't need solid proof, only "balance of probabilities" which is much easier to prove. Still way beyond what they can show though.

    • You forgot one:

      The defendant has (or had) a secure WiFi access point with secure credentials, but the password was cracked by someone using commonly available, easy to use open source security tools.

      In one case it took me 20 minutes to crack somebody's WPA2. And no, the passphrase was not a common dictionary word.
    • by gmhowell (26755)

      Enough people will be found guilty/infringing/whatever to scare many others into compliance. This is worse than contempt of cop or contempt of court. This is contempt of big business. You have meddled with the primal forces of nature. And you will atone. [youtube.com]

      What is written on silly old pieces of parchment and civics texts matters not a whit.

  • So all the user would need to do is introduce a commented-out line within the code of any downloaded file, in order to change the hash value, and essentially tell RIAA/MPAA to shove it.

    • That would completely break the torrent though. In practice if you do that, the torrent client will see that a portion of the modified file doesn't match the hash for that portion specified in the .torrent file and "repair" the file by re-downloading the "damaged" piece.

The clearest way into the Universe is through a forest wilderness. -- John Muir

Working...