Oklahoma Security Expert Attacks RIAA Claims
NewYorkCountryLawyer writes "A group of Oklahoma University students has made a motion to vacate the ex parte order the RIAA had obtained compelling the university to turn over their names and addresses. In support of their motion was the expert witness declaration (PDF) of a computer security and forensics expert who essentially attacked the entire premise of the RIAA's lawsuit, characterizing the declaration upon which the RIAA based its motion as 'factually erroneous' and 'misleading.' Among other things he pointed out that 'An individual cannot be uniquely identified by an IP address,' and that 'Many computers can be connected to the Internet with identical IP addresses as long as they remain behind control points.' The students are represented by the same Oklahoma lawyer who recently obtained an award for $68,000-plus in attorneys' fees against the RIAA in Capitol v. Foster."
Heard in an RIAA conference room ... (Score:5, Funny)
Re:Heard in an RIAA conference room ... (Score:5, Funny)
"Hey, didn't the whole slashdot community say the exact same thing [slashdot.org] last month?"
We could have at least gotten credit for it.
Re:Heard in an RIAA conference room ... (Score:5, Interesting)
And I got news for you, that was heard in an RIAA conference room.
Only thing, they're not good listeners, as you may have noticed already.
Re:Heard in an RIAA conference room ... (Score:5, Insightful)
I don't hold out any hopes that the MAFIAA will listen or even care. The aim here is to establish legal precedent in a court of law that says the MAFIAA, when they use spurious technical evidence to try to extort thousands of dollars from people, doesn't have a legal leg to stand on. It doesn't matter whether they agree or not. All that matters is that judges know the truth and that truth gets added to the patchwork quilt of established law that is legal precedence.
Sad thing is... (Score:4, Insightful)
Re:Sad thing is... (Score:5, Insightful)
I delight in seeing young people use the system to fight for their freedoms.
Re:Sad thing is... (Score:4, Informative)
Mmm.. I doubt it. I'd be surprised if most of the lawyers defending RIAA "victims" (for lack of a better word) are charging their full rates, considering they're mostly defending poor college students.
On the other hand RIAA lawyers aren't paid by the hour, and whether they win or lose their salary is the same (you think they're working for a percentage of a $10,000 settlement?)
They've created a climate of fear, which is all this has been about from the beginning. If they win a case the reward is a pittance to them, if they lose, well, they can afford it. Either way, considering the press it's still generating a lawsuit costs much less and is much more effective than a prime time television ad campaign. Unless there's some way to assign a penalty that really hurts or put a stop to their abuse of the legal system altogether they will continue to sue even if they lose almost every case.
Oh come on (Score:4, Insightful)
Re:Oh come on (Score:4, Funny)
I guess I'm only safe when my local Starbucks has had 4,294,967,296 unique wi-fi visitors and has to start over...
Re: (Score:3)
Just to give you the (raw) calculation: you would need
(IP + MAC + newspace + (2* blank space)) * available hosts in the subnet to get it in any readable format
(12+ 16 + 1 + 2) * 65534 bytes (the average subnet) would cost you 2MB of raw space.
It is possible and probable for a full-fledged server system for an ISP (and even they don't keep track of it longer than a number of
Re: (Score:2)
You're responding to folks that said "not all routers are NAT devices" by pointing out that SOME routers are NAT devices. So what?
Re:Oh come on (Score:5, Interesting)
Like a Red-light camera: they send the ticket to the owner of the car, not necessarily the driver. (Of course, in that case, the owner can simply prove it was not them, and provide the name of the driver, and the ticket will be re-assigned.)
I don't necessarily agree with this, but most ISPs have similar clauses in their TOS: You are responsible for whatever your equipment puts out/takes in over the network connection. I'm not sure what makes Starbucks (for instance) not liable if a wifi customer downloads kiddy porn, but a person who owns an open WAP gets their PCs confiscated by the cops. But I wish the 'immunity' applied to anyone.
Re:Oh come on (Score:4, Interesting)
Or, as in the case of Minneapolis' red-light cameras, the entire process is deemed unconstitutional because it presumes guilt rather than innocence.
Re: (Score:2, Offtopic)
*unless it was stolen.
Re: (Score:2)
It's reasonable to assume that, since it's YOUR car, YOU are the driver.
Just like, if YOUR specially autographed baseball bat was used to beat someone to death, it's reasonable for the cops to assume YOU did it. It's YOUR bat.
If you have evidence to the contrary (like you know who was really driving the car, or you lent your bat to a friend), then you can present it.
You can't accuse anyone of doing something illegal and prosecute them unless you can pr
Re: (Score:3, Insightful)
the driver (the guilty party) can't be identified
It's reasonable to assume that, since it's YOUR car, YOU are the driver.
Just like, if YOUR specially autographed baseball bat was used to beat someone to death, it's reasonable for the cops to assume YOU did it. It's YOUR bat.
If you have evidence to the contrary (like you know who was really driving the car, or you lent your bat to a friend), then you can present it.
You can't accuse anyone of doing something illegal and prosecute them u
Re: (Score:2)
So you've never had roommates, aren't married, and never left your keys anywhere for more than 30 minutes without direct supervision. Oh, and everyone KNOWS that you need the keys to steal a car. My best friend's wife had her car stolen while she was on vacation. She didn't even know it was gone until two weeks after it was stolen.
It's a reasonable assumption -- but it's just that, an assumption. It is not reasonable *proof*. In the cas
Re: (Score:2)
It is not in fact reasonable to automatically assume that the owner of an object is guilty of a crime committed with that object. All you have proof of is that something owned by a particular individual was used in the commission of a crime. You do not have proof that that individual was the guilty party.
Yo
Re: (Score:3, Interesting)
But that is enough for the police to arrest (or at LEAST question) you. It's enough to get you put on trial.
If the item is a common item (a Yellow #2 pencil), then there is loads of doubt. Was it MY Yellow #2 pencil, or one of the MILLIONS of others that are made each year? Even if it was mine, anyone could have taken one from by de
Re: (Score:2)
I think my daughter was driving it.
But I'm not sure. It may have been my son.
Or one of their friends.
They were moving that night and lots of different people used the car.
Car Person.
Lots of different people drive the same car in some circles.
Re: (Score:2)
Puh-leaze. Do you really think the cops would let you go if you told them that? Of course not.
Then why should they 'let you go' from paying the Traffic Fine?
Now, IF you had evidence that showed you were not guilty*... then that's a different story.
*like the name of person who actually drove the car/carried the gun that d
Re: (Score:2)
"Now, IF you had evidence that showed you were not guilty*... then that's a different story."
What you are describing is "guilty until proven innocent"
Re: (Score:2)
You try telling that to the cops when they show up to arrest you, and see what happens.
Hint: they'll still arrest you.
Re: (Score:2)
Father: "Okay, who ran a red light last Saturday at 11:30 pm?" Kid1: "not me" Kid2: "not me" Kid3: "not me" Father: "Sorry, officer, I don't know who was driving"
The situation gets even worse if you have a large extended family that allows each other to borrow vehicles. Either way, there is no way for law enforcement to know who was driving...
Re: (Score:2)
"Well, Sir, since it is Your car, it is Your responsibility. Will you pay by cash or check?"
Either way, there is no way for law enforcement to know who was driving...
But they know who the car is registered to. Who is responsible for the use of the car.
Re: (Score:2)
If they thought you guilty of a homicide (I mean, what else can they think- it's your gun!), they'd do more than 'come see you'. They'd burst in the door, guns drawn, throw you on the ground, and arrest you. If you can prove your alibi, then they'll let you go.
Just like, if your car is photo'd running a red light, they send the ticket to you, and if you can prove it was not you, they'll 'let you go'.
Re: (Score:2)
If the sensors in the road determine that a car has entered the intersection during a red light, it takes a picture. Then that picture is looked at, and obvious exceptions (Police cars, ambulances, fire engines, etc) are thrown out. Then the license plates are captured off the remaining photos, and the address of the car owner looked up. The ticket is printed, and mailed to that address.
If wishes were horses (Score:4, Interesting)
Re: (Score:2)
That's their theory. To the best of my knowledge, no court has ever bought it.
I'm curious who YOU would hold responsible for the traffic coming out of YOUR router, which is hooked to YOUR broadband line in YOUR house. The Tooth Fairy?
I'm not sure what makes Starbucks (for instance) not liable if a wifi customer downloads kiddy porn, but a person who owns an open WAP g
Re: (Score:2)
If an employee misuses their computer and network connection, is the employer responsible for the crimes of the employee? If someone breaks into one of your computers at work and uses them to commit a crime, are you responsible because the equipment is yours?
As much as the RIAA may wish it so, holding someone responsible for the crimes of another just isn't going
Re: (Score:2)
No. They are ACCUSING the person who pays for the internet service of (mis-)using that service to commit Copyright violations.
If the person who pays for the connection can show they are not the ones who did it, then the RIAA will move on to the real perpetrators. Otherwise, it's completely reasonable to hold the 'owner' responsible for damage done by his property.
If an employee misuses their computer and netwo
Re:Oh come on (Score:5, Interesting)
However, the truth is that the global network and the technologies behind it are pretty goddamn complex as well, and change more often than the average trial lawyer changes his boxers. Gross oversimplifications and prevarications regarding network technology, such as those pulled out of thin air by the RIAA's so-called "expert witness", have so far resulted in several severe miscarriages of justice. Unfortunately, while it is a necessity to have legal representation in a technical case, there seems to be no corresponding requirement that the legal beagles involved have a clue about technological underpinnings of said case. Given how successful the RIAA has been with the testimony of Mr. Linares, it's apparent that expert witnesses are of no help when the people making the legal decisions don't have the mental knowledge base to tell the wheat from the chaff.
Re: (Score:2)
That many routers happen to include a DHCP server does not mean that 'does DHCP' is one of the criteria that defines what a router is.
Re: (Score:2)
That ain't the case.
Re: (Score:2)
You just made my point for me. Most IP's in the world are given out by DHCP servers, but a router is not the same as a DHCP server.
Your dlink box is also an ADSL-modem. Doesn't mean that routers are ADSL-modems.
Your dlink box probably also has a 4-port switch. Doesn't mean that routers are switches.
Many consumer grade routers are also wireless network access points. Doesn't mean that routers are 802.11a/b/g APs.
Pretty much *all* consumer grade routers incl
What's taken so long? (Score:5, Informative)
I'm actually ashamed of this, BTW
OSU, not OU (Score:3, Informative)
TFA says the 11 students are at Oklahoma State University (OSU), not that Other University to the south (OU).
[ Yes, I am an alumni of OSU. ]
While we're nitpicking... (Score:4, Funny)
Are you an alumnUS? Or are you siamese twins?
heh (Score:2)
As a matter of curiosity... (Score:5, Interesting)
Re:As a matter of curiosity... (Score:5, Informative)
That's because it's not in the RIAA's playbook to pick on someone who can fight back.
The articles you're thinking of, by Harvard Law School profs, "Universities to RIAA: Take a Hike" [blogspot.com] and "Protect Harvard from the RIAA" [blogspot.com], urged Harvard and other universities to fight back if the RIAA were to come knocking.... but so far it hasn't come knocking at Harvard.
And don't hold your breath waiting for it to do so.
Re:As a matter of curiosity... (Score:5, Interesting)
Not to be pedantic but some of those 'good ol boys' probably went to Harvard as well, and so aren't inclined to embroil their Alma Mater in legal battles when there are so many other available targets.
Re: (Score:3, Interesting)
That they won't go after Harvard implies a lot. 1. They know Harvard will fight, and will win the fight 2. Why will Harvard win? Through sheer prowess of their legal expertise? No. Because Harvard has an angle, an unfair advantage like being owed a lot of "favors" from many judges? No. It's because Harvard is on the right side of this issue. I think the MAFIAA understands this. 3. But the MAFIAA does act as if they feel they are in the right, morally, if not legally. So they go on screeching abou
Just a motion (Score:2)
A little oversimplified... (Score:5, Interesting)
Yes, we all know this is true from a technical perspective. However, the RIAA is not as dumb as to ignore it. From the depositions in the Lindor case (posted earlier by NewYorkCountryLawyer) they are also relying on the fact that Kazaa (and workalikes) apparently include the local IP in the protocol. So if I'm behind my router, and my IP is 192.168.1.1, but my router's IP is 123.45.6.78, then the RIAA will see BOTH addresses and know whether there's some NATting going on with a pretty high degree of certainty. However, if Kazaa reports the local IP as 123.45.6.78 as well, then it's highly unlikely any more than a single computer is behind that IP.
Reading the report, the "expert" here appears to be completely ignorant of this fact.
Also, some of this is really atrocious. Early in the report it cites an example of someone downloading child pornography sitting in a car by "hacking" a wi-fi network. Only at the end of the report does it admit that the network was unsecured. If you connect to 'linksys' are you "hacking" that network? Would you use that term? No. No "hacking" (in any reasonable sense) is going on.
Is the "expert" a native English speaker? "Botnet, Trojan, and Back Door are example of malicious codes..." Aside from the grammatical atrocities, I have never heard of my fellow software engineers referring to software programs as "codes." A back-door is not a "code" or a program, nor are botnets. Bots are, Trojan (Horses) are, and they can open back doors. Precision, please?
Do look at the expert's biography page [f0rb1dd3n.com] on the site shilling his book. Plenty of asserted qualifications and certifications, although I don't see any formal degrees listed anywhere. It also asserts that "One final note Jayson was chosen as one of Time's persons of the year for 2006." (hint: so were you). The grammar in the bio is even worse than in the expert brief. Do a search for his name and you'll find precious little at all.
I'm not saying that the RIAA is doing due diligence; the Lindor briefs leave a lot in question (although less than most slashdotters would like). However, fighting back with equally specious and unresearched information doesn't seem to be a much better strategy.
Re: (Score:2, Interesting)
**For the RIAA to have sufficient evidence the internal IP would have to be accompanied by the actual MAC Address of the physical computer's NIC (this would also be the same for the externa
Re:A little oversimplified... (Score:5, Informative)
One thing, though, he could have mentioned - various IP spoofing methods. Imagine you are on a DHCP network (on campus, for example.) You ask for an IP and you will get it, and this will be logged: "00:f0:3e:45:33:66, authorized as belonging to John Doe, asked for an IP and got 10.0.15.213 for 6 hours". Nice. However what if you want to misrepresent yourself? An enterprising student can use ping and arp (if not some better tools) to find out what IP and MAC addresses are online, and once some of those computers go to class (or to sleep, for example,) take over the MAC address and ask for a new DHCP lease ... done, and you have a new shiny IP address, perfectly logged as belonging to John Doe whereas you are someone else entirely.
This would clearly demonstrate that the DHCP has no authentication beyond the MAC address, and that can be easily changed [nthelp.com] on many cards. Any judge, however technically illiterate, can understand that if you can get any identity by just asking then it's pointless to hold the identity owner responsible.
This text, as seen here [windowsecurity.com], would be relevant in the expert's refutation:
Unfortunately it's the very simplicity of DHCP that's actually the problem as far as security goes. No authentication or authorization takes place during an exchange between a DHCP server and DHCP client, so the server has no way of knowing if the client requesting the address is a legitimate client on the network, and the client has no way of knowing if the server that assigned the address is a legitimate DHCP server. The possibility of rogue clients and servers on your network can create all kinds of problems.
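A defensive check for the point made in the comment above, added here as an example and not part of the original thread: it reads a constructed DHCP lease log and flags any MAC address that later appears with a different hostname or switch port, then shows how that weakens an IP-and-time lookup. The log format, hostnames and port labels are assumptions; only the MAC, the IP and the 6-hour lease come from the comment.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import NamedTuple

# Constructed sample lease log, not taken from the page or any real network.
# Assumed columns: time, client MAC, leased IP, client-supplied hostname,
# and the switch port recorded by the DHCP relay (option 82 circuit ID).
SAMPLE_LOG = """\
2007-08-01T08:00:00 00:f0:3e:45:33:66 10.0.15.213 jdoe-laptop sw3/port14
2007-08-01T08:05:00 00:11:22:aa:bb:cc 10.0.15.40 lab-pc-07 sw1/port02
2007-08-01T14:00:00 00:f0:3e:45:33:66 10.0.15.213 jdoe-laptop sw3/port14
2007-08-01T23:30:00 00:f0:3e:45:33:66 10.0.15.213 DESKTOP-X sw5/port31
2007-08-02T08:10:00 00:11:22:aa:bb:cc 10.0.15.40 lab-pc-07 sw1/port02
"""

LEASE_TIME = timedelta(hours=6)  # lease length used in the comment above


class Lease(NamedTuple):
    when: datetime
    mac: str
    ip: str
    hostname: str
    port: str


def parse_leases(text):
    """Parse the assumed five-column format, skipping malformed lines."""
    leases = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue
        ts, mac, ip, hostname, port = fields
        leases.append(Lease(datetime.fromisoformat(ts), mac.lower(), ip, hostname, port))
    return sorted(leases)  # chronological: `when` is the first tuple field


def find_conflicts(leases):
    """Map each MAC to the ways later leases differ from its first lease."""
    first = {}
    findings = defaultdict(list)
    for lease in leases:
        base = first.setdefault(lease.mac, lease)
        for field in ("hostname", "port"):
            old, new = getattr(base, field), getattr(lease, field)
            if old != new:
                findings[lease.mac].append(
                    f"{lease.when.isoformat()} {field}: {old} -> {new}")
    return dict(findings)


def attribute(ip, when, leases, findings):
    """Return (lease, contested) for the lease covering ip at `when`, or None.

    contested is True when the lease's MAC was also seen with a different
    hostname or switch port, so the log alone cannot say which device
    (let alone which person) held the address.
    """
    covering = [l for l in leases
                if l.ip == ip and l.when <= when < l.when + LEASE_TIME]
    if not covering:
        return None
    return covering[-1], covering[-1].mac in findings  # latest lease in force


if __name__ == "__main__":
    leases = parse_leases(SAMPLE_LOG)
    findings = find_conflicts(leases)
    for mac, reasons in findings.items():
        print(mac, reasons)
    print(attribute("10.0.15.213", datetime(2007, 8, 1, 23, 45), leases, findings))
```

A MAC with no conflicts is still only uncontested, not proven: the hostname is client-supplied, so the switch port (or port-level authentication such as 802.1X) is the stronger corroboration.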
Re:A little oversimplified... (Score:5, Insightful)
Did you read the same brief I did? Because your quotes don't match with what is in the PDF file.
Here's what I see in the PDF: "An example of the dangers of open networks is the case of Walter Nowakoski. Nowakoski connected to unsecured home networks and used the bandwidth via unencrypted wireless networks to download child pornography. This is an example of criminals using networks of others to commit crimes so that the innocent are victims twice - once for the theft of their own network resource and then when they are wrongly accused for the illegal activity."
Not to be picky, but if you're going to comment on the man's grammar, at least have the courtesy to quote him correctly. He conjugates the verb correctly, saying "... are examples of malicious codes..."
Re: (Score:2)
"Exhibit 6: Sci-Tech November 23, 2003 article from CTA News Staff reporting a driver of a motor vehicle engaged in internet child pornography utilizing a laptop computer and Wi-Fi (wireless fidelity) card to crack into a computer in a nearby home."
The text you cite is, as I explained, separate at the end of the article.
You're correct, 'example' was my typo. My bad.
Re:A little oversimplified... (Score:4, Informative)
Ok, now tell me how hard it is to hack a WEP-enabled wireless network? It takes all of what, 90 seconds?
Re: (Score:2)
2. you'd need the disc on hand already (i keep a copy of it in my laptop bag for such occasions)
3/4. yes. there was a guide somewhere on doing this (packet injection and IV collection on the same laptop using backtrack 2), but google is failing me at the moment.
Re: (Score:2)
1) The only way that can be gotten is by the computer itself reporting it. What makes you think a computer couldn't just have changed that? I've never seen a cheap NAT-router that has ANY sort of enforcement on IPs, much less seen a user that'd turn it on.
2) Show me the consumer router that keeps logs after power off (if it keeps logs at all). I've again never seen it. Unless someone went out of their way to keep any sort of logs, the
Re: (Score:2)
If you look about half way down the page, there is a small light blue line that looks like part of the background. It is a hyperlink to a photo of him (I presume) (I think it's titled 'spot the geek'). Just from glancing at the rig he's got there, he looks like a pretty dedicated nerd!
Re: (Score:2, Informative)
Is the "expert" a native English speaker? "Botnet, Trojan, and Back Door are example of malicious codes..." Aside from the grammatical atrocities, I have never heard of my fellow software engineers referring to software programs as "codes." A back-door is not a "code" or a program, nor are botnets. Bots are, Trojan (Horses) are, and they can open back doors. Precision, please?
First, this is an ad hominem attack.
Second, it's not even a very good ad hominem attack. There are a lot of (native English speaking) people that use the plural form (i.e. "codes") instead of treating it as a mass noun (i.e. "code"). It seems to be more common among the older generations of programmers. (I personally think it should be a mass noun, but I'm just pointing out that a significant minority use the plural form. Sort of like "ketchup" vs "catsup".)
Re: (Score:2)
To give a
Re: (Score:2)
I don't see how not being a native English speaker would affect any of his reasoning, but I thought the declaration as a whole use
Lawyers and technology don't mix well.. (Score:2)
Universities have large IP blocks, and - for the most part - are in no danger of running out of IP addresses (negating the need - but not necessarily the use) of NAT technologies to get around this.
So while all of the assertions are true - there is still a reasonable (if not completely deterministic) chance that the IP addr
Re:Lawyers and technology don't mix well.. (Score:4, Insightful)
1) Where did you get the idea all universities have tons of IPs? Some do, some don't. Also, a class B might seem like a lot, but if you've got 50,000 students, 20,000 departmental computers and servers, and you dole the IPs out in subnets to different departments (so they aren't 100% utilized) you start feeling the crunch more than you might think. Where I work we've got two class Bs (as we were in on the Internet game fairly early) and network operations has already begun working on renumbering the network to try and reclaim unused IPs. We haven't had to implement NAT on any campus level (though there are tons of little ones that random people run) but it is not something out of the question. Take a larger university with less IP space, you'd have little choice.
2) NAT has other uses such as cloaking the activities of individual computers. You'll see places use NAT just for that, they don't want individual activity being traced based on IP. So they get a many-to-many NAT set up. You have say a couple hundred routable IPs with a couple thousand non-routable IPs behind them. The router picks out which public IP you get randomly, or round-robin, or whatever. Thus it ends up being impossible to figure out what is happening.
3) Who says the university runs the NAT? You telling me you don't think students stick routers in their dorms? You telling me that you don't think they do that, and turn on unsecured WiFi (especially since many universities have extremely poor or non existent WiFi)? I know for a fact they do, because we always have problems with this on our campus.
Re: (Score:2)
An IP/MAC address doesn't tell you who was operating a computer at the time. Bottom line. All it means is that at a particular time, a computer was in use. You can't even be for certain what computer, since MAC spoofing is fairly easy to anyone knowledgeable enough. Network accounts are meaningless, when a simple glance over a shoulder or 5 minutes of uninterrupted rummaging around a desk can allow me to
I hope he attacked his claims... (Score:2)
Reminds me of dolphins and sharks (Score:2)
By contrast, the defendants are starting to behave like dolphins, which individually will easily fall prey to sharks, but as a group may band together to rapidly ram the sharks in the gills or other sensitive organs until they break off, or eventually, due.
Give 'em another jab in the gills boys, and we'll see if the sharks wi
why hasn't a judge censured the RIAA for this? (Score:3, Insightful)
The law is not really in the RIAA's favor here.
The RIAA has shown a history of fraudulent lawsuits.
Why aren't people countersuing for malicious prosecution?
Re: (Score:2)
When I lived at home with my parents, at its peak there were 6 licensed drivers, and 3 cars. My parents borrowed each other's cars regularly, and us 'kids' borrowed their cars all the time too. While WE could probably deduce who was driving on a given day at a given time provided we received TIMELY notice:
1) Photo Enforcement Tickets were typically NOT timely.
2) It is not our responsibility to rat out our own family on violations that are frequently little more than thinly veiled
Re: (Score:2)
Holding the registered owner of the vehicle responsible for traffic infractions is efficient tax collection, but fundamentally unjust.
That's why, everywhere I've heard of, if you can show it was not you driving, they will go after the actual driver, and leave you alone.
Re: (Score:2)
Yes, a photo or two of the back of the vehicle. We don't actually have the ridiculous magical CSI tech that can reconstruct the driver's face by compositing the partial reflections in one side mirror with a partial reflection in the sunglasses of a nearby pedestrian. And god forbid you have tinted windows, or be driving at night...
That's why, everywhere I've heard of, if you can show it was not y
Re: (Score:2)
http://www.pedestrians.org/episodes/details31to60/episode31.htm [pedestrians.org]
http://www.mrtraffic.com/lacieneg.jpg [mrtraffic.com]
Those don't look like the backs of cars to me.
Okay, to be honest, most of the pix I found did indeed show the back of the vehicles. And in those cases, I agree with you. They should have to have a clear view of the driver to be admissible.
The only acceptable way to 'show it was not you driving' is to identify the driver for them.
Have you ever tried a sworn affid
Re: (Score:3, Interesting)
Red light cameras increase the accident rate as often as they decrease it. Also, the real dangerous drivers that actually run the middle of the red light and T-bone innocent drivers, aren't paying attention. Before red light cameras they weren't paying attention in a situation where their life was at stake, now they aren't paying attention in a situation where their life plus a $100 ticket is at stake. It isn't a deterrent to the real problem.
The people who actually get tic
Re: (Score:3, Interesting)
Or you can equip the intersection with a camera, but have i
Re: (Score:2)
Almost the same, except here, it's like when you reverse out of a driveway and onto a street, you change license plates. Drive to the end of the street and turn onto the main road and you change license plates to the same plates as everyone who drives out of your street.
Re: (Score:2)
You may wonder why a red light camera has a speed tolerance. That's because they double as speed traps too.
As an added bonus when you yack away on your cell phone while being photographed you get 100 Francs tucked on to the fine for good measures.
You can try to c