Analysis of MediaSentry Wins Music-Download Suit

An anonymous reader writes "A Dartmouth professor's analysis of MediaSentry problems helped win a New Hampshire woman's RIAA music-download lawsuit. 'Since all of Plaintiffs' claims are based on the assumption that MediaSentry's software and computer configuration are trustworthy and free of errors, and this log clearly represents a failure of the MediaSentry software to perform the operation it claims to describe, the reliability and validity of the MediaSentry method should be questioned,' wrote professor Sergey Bratus in his report, dated May 30. 'In my opinion, these materials leave critical aspects of MediaSentry's evidence collection process undocumented. In my opinion, they express unwarranted assumptions regarding both software and network technologies involved, and attempt to create an illusion of evidence-supported certainty where it does not exist.'" The full report (PDF) is available online. It's worth noting that this victory was not the outcome of a court ruling; rather, a settlement was reached that did not require the defendant, Mavis Roy, to pay anything to the RIAA.

No computer, no crime!

[Geoffrey.landis]

Interesting, In this one, unlike the Misisippi case, apparently the person sued by the RIAA "said she didn't have a computer in the house at the time."

Whereas in the other case, the computer itself was not an issue.

Legalese shenanigans always a mess

[h00manist]

Well, so now either the RIAA starts arguments that it needs to gain access to the address where the IP is registered to search the computer before the case, or everyone starts arguing they never had a computer, or that they had an open wifi access point, or other legal hairsplitting on either side. I'm all for beating the riaa in court, but I'd prefer that it _somehow_ led to a debate of the copyright and patent laws themselves, like the Pirate Party winning a seat on the European Parliament [cnet.com], or a debate on proper amount of punitive damages [zdnet.com] the US law allows for, the RIAA reputation, etc. The Jammie Thomas-Rasset [google.com] case is being pretty helpful.

Re:Legalese shenanigans always a mess

[the_humeister]

The Jammie Thomas-Rasset [google.com] case is being pretty helpful.

It's helpful for everyone but Jammie Thomas-Rasset. Seriously, when you get a case brought upon you by the RIAA, you'd rather win and get on with your life rather than have to pay those bastards $1.9 million in installments until you die.

The Bands need to be asked..

[ImNotAtWork]

I would like to get the bands comments on whether they thought the Thomas-Rasset judgment was fair. The RIAA is apparently representing them and going after citizens for as much as the law allows.. even if it were 150K per song. Do these bands (other than Metallica who has chosen their side already when speaking to congress) really want to be associated with the financial ruin of people who might like their songs?

I will draw a correlation to Kathy Lee Gifford http://www1.american.edu/ted/kathylee.htm [american.edu] an

Re:

[Sabriel]

It's helpful for everyone but Jammie Thomas-Rasset. Seriously, when you get a case brought upon you by the RIAA, you'd rather win and get on with your life rather than have to pay those bastards $1.9 million in installments until you die.

Is the debt passed to her estate when she dies? I wouldn't want to "inherit" that...

Re:

[sabt-pestnu]

IANAL. Let's say that first, shall we?

Assuming she didn't declare bankruptcy, the estate would be reduced by the amount of the debt. If the estate could not cover the debt, it would be declared insolvent. Here's one answer [answers.com] with respect to credit card debt.

Beyond that, the reasonable extension is "the estate declares bankrupcy". Not even moths-in-the-wallet. Unless there was some contract specifically including the inheritors (as in the case of credit card debt on a joint account), I believe the debt is

Re:Legalese shenanigans always a mess

[Runaway1956]

I tend to agree with you. But, it is necessary to destroy the credibility that RIAA enjoys in court, as well as arguing the more fundamental aspects of "fair use" and "First sale", and more. I read the PDF, and it thoroughly destroys Media Sentry as a "forensics" tool, or even as a data gathering tool. More, the paper demonstrates that the people using Media Sentry to gather data don't even understand the data they are gathering, nor how to verify that data. In short, it makes idiots of everyone at RIAA, starting with the talking suits who brag their software up, right down to the "technicians" who are busting people on the web. Credibility and/or the lack thereof, means an awful lot in any court. When was the last time a judge took your word over that of a cop? This is the problem we have right now. RIAA presents itself in court as a freind of the court, and as an enforcer. It's all entirely improper, of course, but they currently get away with it.

Re:

[TapeCutter]

"When was the last time a judge took your word over that of a cop?"

1979 - But that was only because I was bullshitting and the cop honestly answered the question "Was I wearing sunglasses?" with "I don't recall".

Re:

[Wowsers]

Interesting, In this one, unlike the Mississippi case, apparently the person sued by the RIAA "said she didn't have a computer in the house at the time."

Ah ha, so she had a radio and not a computer? The RIAA will sue anyone for listening to music "for free"!

Re:

[Hurricane78]

Wait for the MediaSentry ProtectionSquad to invade the house and plant a computer in there. Some tiny laptop.

And wait for the following lawsuit needing a professor, before it comes clear that the laptop was built after the start of the original lawsuit. ;)

Re:

[sabt-pestnu]

Don't be silly. There are plenty of un-wiped laptops on Ebay!

Re:

[fishbowl]

>Corporate banks have more weight than record companies.

In matters of copyright infringement, banks and record companies enjoy equal protection even though they have different risks.

In matters of theft, banks and record companies enjoy equal protection even though they have different risks.

Theft and Copyright Infringement are protected by different laws. Banks and record companies are protected by the same laws.

Of course a settlement was reached

[RichMan]

Do you think the RIAA wants to get a Judge to rule on that evidence?

What would happen to the other cases/business model if media sentry's data collection was ruled not a secure chain of evidence path?

Cockroaches fear the light.

Re:

[Brian Gordon]

Well the defendant didn't have to accept the settlement. Not that I blame her; the legal battling hasn't exactly worked out for Thomas.

Re:

[rhizome]

Not that I blame her; the legal battling hasn't exactly worked out for Thomas.

Bit of a generalization don't you think, based on one piece of data?

Re:

[Brian Gordon]

Like someone staring down the barrel of a multi-million-dollar judgment cares..

Re:

[e9th]

It depends on the judge. I remember a case where a judge ruled that data that was "stored" only in volatile RAM, no matter how short the time, and never never making it to any backing store, was "stored data" and had to be retained. Think routers. The case didn't depend on that ruling, but it goes to show how that where technology is concerned, judges can make foolish decisions.

Re:

[Hurricane78]

Well, I would certainly counter-sue. With a ton of charges, including being a mafia, Internet terrorism, and being an enemy of the state. Something will stick. :D

Me?

[arizwebfoot]

that did not require the defendant, Mavis Roy, to pay anything to the RIAA

Sometimes, life is good and all is right in the heavens.

Fighting fire with dynamite

[TitusC3v5]

Is there any chance that MediaSentry's practices are a violation of some provision within the DMCA?

Re:

[bertoelcon]

I would like to think that it might have some loophole somewhere that its running around, but it may be blatantly breaking the DMCA and none have challenged it.

It kinda seems a cop speeding to pull someone over, the cop is breaking the law by speeding, but has a duty to fulfill in catching someone else.

Re:

[The Angry Mick]

It kinda seems a cop speeding to pull someone over, the cop is breaking the law by speeding, but has a duty to fulfill in catching someone else.

A cop is lawful representative appointed by a governing authority. MediaSentry is a corporation; unelected, unregulated, and, in quite a few states, banned from operation. It should have no enforcement capabilities at all.

What we are witnessing is a private industry adopting a vigilante approach to law enforcement, simply because it doesn't like what the law a

One thing to remember

[techno-vampire]

This is an out-of-court settlement, not a ruling by a judge. It doesn't set a precedent to be used in later cases. I'd almost bet money that as soon as the RIAA's landsharks found out what the professor's report said, they fell all over themselves offering a settlement to make sure it never came up in court. That means that they can continue to use the same type of "evidence" in other cases and hope the defendant caves.

Re:One thing to remember

[Xest]

It also means the word needs to be spread on this so that everyone can challenge the RIAA in the same way forcing them to either accept complete defeat or allow it to be tried in court and er, end up being forced into accepting defeat.

I've always wondered why this sort of defence hasn't been tested before. Effectively all MedaSentry are providing is a screenshot and/or text files showing that their IP was being used for downloading copyright material. Of course, generating such a screenshot in photoshop that is impossible to tell apart from an authentic screenshot is trivial, similarly any old joe can knock together a text file that suggests such and such an IP was downloading some data at a certain time.

Hell you don't even have to do that, you could create an offline network setup to mimic the IPs involved in the first place.

This is the problem I have with computer crime cases in general, and in fact, even computer forensics. Even if you confiscate a PC and do DNA analysis on the keyboard to see if person x is the guy who use this computer to commit crime y can you ever reall prove someone didn't just plug a different keyboard in the computer to commit the crime?

There's a need to catch criminals who use computers for sure, but I'm concerned in computer crime cases the level of evidence required is so rediculously weak, and so easily rigged or faked compared to normal crimes that if it continues I wouldn't be suprised if we end up with a plethora of wrongful convictions coming to light over the next few decades. Of course, companies like MediaSentry are only degrading the level of "evidence" that is apparently acceptable too - if we can't really, truly prove people guilty in many computer crime cases from forensic analysis when you have access to the physical machine what kind of joke is it if you're going on an IP address and nothing more?

I hope eventually as judges and politicians become more IT literate this trend reverses, if it doesn't then it's going to be a sad future for justice as the level of evidence becomes ever weaker yet the use of electronic devices and hence the amount of electronic crimes increases. We're going to end up with a lot of innocent people in jail.

Spy sappin' my MediaSentry

[The Mu]

You have a point; records can be falsified. But you always have to have some faith in the evidence. If the DNA lab says that the victim's blood was found on your clothing, you can't just cry out "the records were falsified" without good reason to believe so.

In this case, there's no reason a company like MediaSentry (even being the dicks that they are) would bully a poor woman arbitrarily. The focus of the lawyer was (rightly) to show that the MediaSentry records were not tampered with in bad faith, but w

Re:

[TheRaven64]

If the DNA lab says that the victim's blood was found on your clothing, you can't just cry out "the records were falsified" without good reason to believe so.

Actually, you can. It is the responsibility of the forensic expert to demonstrate that there is a proper evidence chain and that every piece of software and hardware employed is approved for use in gathering evidence and can be held to the required standard. This is part of the reason why computer forensics evidence is expensive to obtain. Every step of the procedure has to be documented. MediaSentry didn't do this, they just ran a proprietary, unreviewed, uncertified, program and said 'look, magic 8-ba

Re:

[sam0737]

The bar for civil case is much lower than criminal case. For civil case it is base on balance of probability.

Photoshop? Fake internal network? If that's the case it's simply equal to providing fake testimonial and evidence...everyone are supposes to not doing that because they have sworn-in, right? I mean, the professor is challenging about the accuracy of the evidence, not that they are created-out-of-nothing intentionally. These two are very different.

Re:One thing to rememberCALLING NYCLawyer

[Nom du Keyboard]

they fell all over themselves offering a settlement to make sure it never came up in court.

Well it's out in the wild now. Can New York County Lawyer's blog broadcasting this to the world be far behind?

Too bad this didn't get out a week earlier to help Jamie Thomas.

Who in their right mind would pirate these songs?

[Sirusjr]

The article states that she was sued for downloading 218 songs from Lionel Ritchie, Jay-Z, the Ruff Ryders and other artists. Talk about music that no person in their right mind would bother pirating. I guess as long as I stick to downloading heavy metal, J-pop, Movie soundtracks, and other things I won't have to worry about a suit.

Re:

[Anonymous Coward]

I guess as long as I stick to downloading heavy metal, J-pop, Movie soundtracks, and other things I won't have to worry about a suit.

.. or friends ..

(tiptoes away quietly)

Re:

[Sirusjr]

What the hell is wrong with you? Do you seriously choose your music based on popularity? The important thing is that you are enjoying what you listen to.

Re:

[91degrees]

Talk about music that no person in their right mind would bother pirating.

Why not? I mean if you have taste that means that you enjoy music by these people, then it makes a lot of sense to download them. Or are you passing judgemtn on someone because their music tastes happen to be different from your own?

Rate

[Anonymous Coward]

Holy shit, 100$/hour for writing that, 200$/hour for being in court!

RoyMNH0977 post

[Windrip]

Re: traceroute logs:

It is apparent from the log that the operation has failed for the MediaSentry software, as the log shows neither the addresses nor names of the intermediary hosts nor realistic timings of packet round-trips between them and the MediaSentry computer. The fact that this standard operation has failed suggests flaws, or "bugs", in either the MediaSentry software, or in its system or network congurations, or both.

Karma for the post of this log. That should provide a few minutes of fun. I can only image what Dr. Bratus thought when he saw it.

Re:

[MojoRilla]

I did a bunch of searching and couldn't find the actual traceroute, so I don't totally understand what was bad about it.

However, it is not at all surprising that the trace failed. Routing ICMP (which is the protocol traceroute uses) isn't required, and is a security concern.

And, given this was for evidence, Media Sentry should have used a tool like tcptraceroute [wikipedia.org].

Re:

[whoever57]

However, it is not at all surprising that the trace failed. Routing ICMP (which is the protocol traceroute uses) isn't required, and is a security concern.

Uh, NO! The normal implementation of traceroute uses UDP.

Re:

[TheRaven64]

Routing ICMP (which is the protocol traceroute uses) isn't required, and is a security concern

You are confusing traceroute with ping. A typical traceroute implementation sends a UDP packet with a time to live of 1 to a host. It then gets a 'TTL exceeded' error reply from a host one hop away and resends the packet with a TTL of 2. Eventually, it gets a reply from the destination address, and stops. You can do the same with TCP ACK packets, which helps for some firewalls configured by idiots which drop all UDP packets, but I don't know of any consumer-grade equipment which does this by default.

Re:

[TheRaven64]

And, when I say ACK, I mean SYN. Not awake yet today...

Re:

[MojoRilla]

traceroute sometimes uses UDP, but always uses ICMP. Read up on traceroute [wikipedia.org]. While it gets kicked off with a UDP packet (although sometimes it uses a ICMP ECHO instead), the error packets that return come back via ICMP, which is often not routed for security reasons. tcptraceroute does use SYN packets instead, and should have been used in this case.

Bad PR?

[missileman]

Maybe the RIAA don't want the PR?

I don't think it would look good for them winning a settlement of *quick maths*.. 214 songs by $80000 equals 17.4 million dollars so soon after the Jamie Thomas-Rassett verdict.

court

[benicillin]

they wont be bringing suit in that court again...

Finally!

[rahvin112]

The professor brings up the clear point I advocated in the first question to slashdot. There is no evidence whatsoever that Mediasentry had atomic calibrated clock information and the ISP did as well. All this evidence is based on a time stamp that could be anything, not to mention the role of Timezones. Without calibrated times at both the ISP and MediaSentry there is no validity to the evidence.

Re:

[TheRaven64]

Depends on the ISP. Mine doesn't reassign IP addresses very often; I've had the same one for two years no. If they get an IP address and a timestamp synchronised to the nearest year then it's sufficiently valid.