Degban's last set of listings on Chilling Effects is dated February 5, 2012. There are 80 DMCA takedown notices from them on that date. That is a rather sudden dropoff. Chilling Effects regularly receives a copy of DMCA complaints filed with Google and so the database has listings (none in the last month from Degban) up to March 5.
One example of a DMCA takedown notice that lists the copyright holder as Wasteland Inc. is for a TorrentHound listing for "Tony Hawk's American Wasteland" which is an Xbox 360 video game. The copyright holder is clearly not Wasteland Inc. nor any of the other Phoenix Group holdings.
Wasteland Inc. is run by Colin and Angie Rowntree. Colin posted a comment on Dave Gorman's website, which I am re-posting here"
Colin Rowntree said...
One of my colleagues sent me the link to this post as a heads up and I am pretty baffled by the entire thing. We do have Degban handle our DMCAs, but only for torrents and fileshare sites, and on those only videos with a duration of longer than 5 minutes. They do a very good job on this for a very very reasonable monthly fee, so all of this pretty much comes out of the blue at me.
Something seems to have gone terribly wrong somewhere as we don't touch the tubes (we have lots of affiliates uploading our clips to those) and certainly not photos on blogs or Flickr featuring artistic photography (yours is very nice, btw, Dave!).
I'm checking in with Ella at Degban to see what may have happened here and will report back on this asap. Dave: please do feel free to contact me about this mess. Happy to try to assist in any way possible. rowntree2007 @ gmail.com
Stand by for news on this,
CEO, Wasteland, Inc
March 5, 2012 8:26 PM
I would tend to believe Mr. Rowntree about this issue. Wasteland would have no interest or advantage in sending bogus DMCA takedowns to any site that just had the word "wasteland", another keyword related to their films, or most likely a combination of keywords. The Tony Hawk video game points to an algorithm that has false positives that are not vetted. I imagine that Gorman's Flickr post reached a threshold where comments ended up including multiple, Degban selected, keywords. Considering that Wasteland's copyright interests should only be limited to actual video files containing entire films or portions thereof, Degban's algorithm is atrocious. They should suffer the penalties applicable for filing false DMCA takedown requests.
The following is from an article in the Adult Video News (AVN) that appeared yesterday:
Late Monday, AVN sent Degban, which is located in London, an email requesting further details on the alleged breach. This comment was waiting in the inbox this morning:
"On February 29th, our SMTP server was accessed by an outsider through a password phishing scam," the company said. "The intruder then used our SMTP server to report legitimate content as piracy, using our own Take-Down notice templates. This was done to reduce our credibility with hosting companies. Degban, however, employs digital signature for all emails, except for those that do not accept it. A part of the attack failed, as only those who processed the fake emails, without digital signature, were affected. Since the attack, we have changed all passwords, and implemented an extra layer of security to ensure our SMTP server is only accessible through trusted devices, much like Facebook does.
"As the attack rested solely on an human error, it does not seem to have been initiated by any known 'hacktivists,' but rather by a disgruntled file-locker owner or pirate. Our system is set up so that the STMP is actually separate from the Degban core; the service provided to our clients is run and developed by Degban. We have set up our system so that any security breach cannot penetrate to the core. Obviously, we regret that this particular event occurred, and where the protective layers were lacking, we have already implemented extra security.
"In terms of damages, only those whose files cannot be retrieved have been affected. We are still contacting hosts, attempting to get their content reinstated. Clients, employees and the rest of the public are unaffected on a technical level. For any clients that experienced downtime during their service, we will refund them the service fees for that time."
Well, it's conceivable that bogus DMCA notices were sent because of a hacker. After all, that is the excuse that Techdirt commenters use when they are caught with kiddie porn (/s). Why shouldn't we believe Degban at their word?
There is a reason. Notice that Dave Gormans's photo was removed on February 17th, 12 days before the supposed hack occurred. There are technical inconsistencies in this explanation as well. An email can contain a digital signature whether or not the receiver makes the effort to confirm it's authenticity. Surely Flickr, and Yahoo in general, would confirm digital signatures from such a prolific source of DMCA takedown notices. All in all, this explanation comes across as someone using technical terms as a way to snow the non-technical reader. I am calling bullshit on this one. What I would like to know how Degban explains using what looks like a very simplistic algorithm that matches some subset of keywords. I would also like to know if the program can automatically send out DMCA notices without any human intervention.
I don't think you should dismiss new technology, or a new mixture of old technologies, as something that is just redundant and unnecessary because a previous technology seems to get the job done. I sometimes listen to MP3 recordings on a conveniently portable player and earbuds when I'm traveling or outside. Ambient noise in those circumstances generally mask any potential difference in quality between MP3 recordings and analog or high quality digital recordings. At home, I have a decent stereo system and can tell the difference between standard audio cds and DVD Audio or SACD recordings. I stand by that despite claims that it is just the remixing during remastering that is responsible for a perceived improvement in quality. I would only play MP3 recordings at home to learn of new music. Those two formats have not become popular enough to be widely adopted so I would welcome any high quality digital recording format that would be accepted generally enough to enable both old and new music to be mastered, or remastered, in that format. I am pointing out that differences in features that alternate technologies offer can make both or several technologies attractive to even just a single person. It will probably pass, that in the future, a single very high quality audio format we be useful for everyone when flash devices become dense enough to store thousands of songs in the highest quality format and high, end-user, bandwidth to the internet makes downloading or streaming requirements inconsequential.
DMARC is different than PGP:
DMARC offers a subset of what PGP offers but PGP requires adoption by and key distribution to all the people you want to communicate with securely. DMARC is, essentially, use in sending email of the Sender Policy Framework (SPF) and Domain Keys Identified Mail (DKIM). A critical point for DKIM and SPF is that an end-user receiving mail (and in some cases sending mail if the Mail Transfer Agent supports this) does not have to do anything for this to work, not even updating their email client. They can rely on their Mail Delivery Agent (MDA) to filter out spam and phishing emails, whether it be Yahoo mail, Gmail, or their own ISPs mail server. This is useful even if it only applies to email sent or hosted by just the current set of companies who have adopted DMARC. Ease of widespread implementation is an important feature. PGP has been available since 1991. I have used it since 1996, but is use is not widespread because too many people don't think it's worth the bother. PGP differs from DMARC in offering confidentiality, end-to-end integrity, authentication of both sender and receiver, and non-repudiation. DMARC is limited to verifying the senders IP address and the domain of the sender. This allows for filtering of a good percentage of spam or phishing emails. So, DMARC and PGP are different technologies with only some overlap in purpose. Both are useful.
Maybe News Channel 5 corrected it, but the article says "abate the concern" rather than abet.
I suspect that the "inspection" is similar to what happens at checkpoints set up to catch drunk drivers. In California, at least, those drunk driving checkpoints have to be set up so that a driver can see them and choose an alternate route, one that does not go through the checkpoint and does not cause a long detour. I take advantage of that rule, not that I ever drive drunk. I would like to know if VIPR checkpoints would also have to be avoidable in California, and other states with similar DUI checkpoint rules, as this would render the search for terrorists more than pointless (or is it less than pointless?).
This is the second article referenced by Techdirt dealing with VIPR stops on highways. In both cases the source article does not give enough details to tell whether the cars are actually searched, people are actually searched, and if searches ever take place without the permission of the driver. The authorities are undoubtedly looking (hoping?) for probable cause to do such a search. This bothers me enough, but it is not the wholesale dumping of 4th amendment protections that actual random searches entails.
This has been true since about 2001 and is applicable to drives that are larger than 15GB. It's all about density. There are no longer multiple paths possible for read/write heads on hard drives. The critical question is whether all sectors are being overwritten. The only software that guarantees this does it by triggering the ATA secure erase command, a command embedded in all hard disk controllers which are always integrated within the hard disk.
The law was amended in 1994 to get rid of the expectation of privacy clause because it had been ruled that the police had no expectation of privacy while on duty. There are three states with similar laws making it illegal to record a conversation with the police; Illinois, Massachusetts, and Maryland. In all the cases, a sound recorder was used, surreptitiously, to record either an arrest or discussion with the police. No one has yet been convicted under the amended law of eavesdropping on the police. Previous charges were used to plea bargain down to a reduced charge. There are currently 3 cases that are ongoing: Michael Allison, Christopher Drew, and Tiawanda Moore, with Christopher Drew's case being the oldest, his arrest dating from December, 2009. The most disturbing case is the one dealing with Moore however.
"The ACLU of Illinois is also challenging the law. But in January, U.S. District Court Judge Suzanne B. Conlon ruled against the organization. Conlon wrote that the First Amendment does not protect citizens who record the police. The ACLU has appealed and expects to participate in oral arguments before the U.S. Court of Appeals for the 7th Circuit sometime in the fall."
"n a hearing last December, Cook County Assistant State Attorney Jeff Allen invoked homeland security, arguing that Drew's recording could have picked up police discussing anti-terrorism tactics. Drew's case was suspended after he was diagnosed with lung cancer earlier this year."
The IP address is indeed evidence, but how the plaintiff acquires it is important. There are two general ways in which the IP address can be shown as invalid evidence in the course of proving infringement by a particular person. The IP address can be spoofed in certain situations or someone else has used your IP address to infringe and you shouldn't be liable for that use.
The easiest way to spoof the IP in a P2P context can occur when the plaintiff uses the indirect detection method and simply queries the tracker as to what IPs are acting as peers. There is an option which allows specifying your IP address separately from the source IP address in the packet used to talk to the tracker. This allows someone to introduce any arbitrary IP address into the list of peer IPs kept by the tracker. Effectively, this means someone can frame you. Not all P2P software running on trackers is configured to allow this option. In fact, the, often cited, 2008 study done at the University of Washington indicated that only 5% of the BitTorrent trackers allowed this option. However, because of the existence of this option, plaintiffs should be restricted to using a direct method of detection for acquiring IPs to include in their lawsuits. The direct method monitors IPs address belonging to peers that are part of a swarm. This means that the IP address in question is actively involved in downloading/uploading the infringing content. It is still possible to spoof an IP address in this scenario but this is now much harder and not possible in the most typical situation. This typical situation is where you gain access to the internet with an account from an ISP. Here, you can spoof the source IP in any packet you send, but you will not be receiving packets with that IP address in the destination. Additionally, ISPs filter outgoing packets with source IPs not in the ISP's range.
Another possibility for spoofing is when the owner of the tracker falsely injects an IP address to act as a peer. This reinforces the idea that only direct detection method should be allowed. One where the plaintiff has to monitor the ongoing traffic involved in a swarm. Also, it should go without saying that the plaintiff should not control the tracker and, for other reasons, should not be the initial seed, or act as a seed, period.
My understanding is that courts aren't requiring the method of collecting IPs be detailed by the plaintiff. They should, even at the initial stage of filing a lawsuit.
Others using your IP address to infringe:
There are many different situations where multiple computers can use the same IP or multiple people can use the same computer. How can one tell who the infringing party is? The plaintiff should be required to collect information in addition to a source IP address that can help to identify the actual infringer. Information in the HTTP header can be used to fingerprint the computer involved. In my mind, this is still not conclusive evidence, but should be enough to initiate a lawsuit.
The crux of the problem is that these are civil suits, not criminal complaints. There has been no forensics done on the computer associated with the alleged IP address. It would be too expensive for the plaintiff to acquire enough convincing evidence to convict if they are going after hundreds or thousands of infringers. On the other hand it is also too expensive for a defendant to defend themselves and any option to settle rather than fight because of the expense leads to extortion.
The problem with your analogy is that it assumes that everyone knows that P2P protocols are only used to download files illegally. There are a lot of cases where files are offered for legal distribution using P2P protocols. If legal downloading exists and the copyright owners themselves make the file available for downloading it's not just a question of whether it is entrapment or not. There is a real question as to whether downloading is illegal at all in this scenario. This is quite different from your bait car scenario.
It is not clear at all from your first link that CEG is setting up honeypots. Their statement about operations is ambiguous. They could just be participating in a swarm and not setting up a tracker or acting as the initial seed. Do you have any other information that clearly shows they are setting up honeypots like GuardaLey?
Re: I wish I could commit crimes, just give money back when caught and have idiots defend me
Google not only had to pay back the money they received from the ads they had to pay the estimated gross revenue made by the Canadian pharmacies from sales to customers in the US. I don't know how those two numbers compare but it is certainly a penalty.
The solution for fake drugs and pharmacies that hide their illegal activity should not be on Google as their is a simple solution already in place. You can call a number to confirm the legitimacy of a pharmacy either in Canada or the U.S.. That should be a required step for anyone to buy drugs on-line. Even if you don't have a prescription you would be crazy not to make sure your source was reliable.
I am not saying I agree with U.S. law which bans ordering legitimate drugs from Canada, even with a prescription. I don't! Google was clearly aware and taking a risk in continuing to accept ads. Were they being altruistic in enabling U.S. citizens to easily find cheaper alternatives to buying expensive prescription drugs in the U.S. or were they being greedy, gambling that the U.S. would not initiate a case while they were making lots of money from Adwords from Canadian pharmacies?
"Since 2010, after Google became aware of the investigation, it has required that all Canadian online pharmacy advertisers be certified by the Canadian International Pharmacy Association and has specified that they can advertise only to Canadian customers."
"Until early 2010, Google required that all online pharmacies be verified by PharmacyChecker.com, which says it checks the credentials of online pharmacies. But many of the rogue pharmacies that advertised on Google during that period never applied to PharmacyChecker.com, according to Gabriel Levitt, vice president of the verification site."
My impression from this is that Google is being penalized for allowing such ads before February 2010 and that they were rather lax about checking. What surprises me the most is that Google doesn't appear to be fighting this judgement, in particular the high amount, very hard. $500 million is not chump change even for them. Instead, they seem to be trying to minimize publicity about it
Please don't read into my comment any support for the administration's pursuit of this case. I am just pointing out that Google was not exercising due diligence in accepting ads before February 2010.
Re: Re: pedantic observation - convoluted but accurate
This is not convoluted at all. I will spell it out for you.
When an IQ test is first constructed, some representative sample of the population takes that test. The median score from that test is assigned an IQ value of 100. The distribution of scores from that test should have a normal distribution (bell curve) with a standard deviation of 15. If the actual distribution didn't match this, the test would be changed so that the result would show this distribution. Revisions of any particular test are re-normalized to match this distribution and thus take into account the Flynn effect.
Any particular person's IQ score is found by taking their score on that particular IQ test and calculating where that score would place them on the above distribution. The standard deviation of 15 means that 95% of all IQ scores fall within 70-130 (2 standard deviations from either side of 100)
Your comment assumes that IQ scores are a "ratio IQ" based on William Stern's method. This was used for children and gives a kind of mental age. This type of test was replaced, starting about 1950, with a test that results in a score reflecting distribution (as described above) rather than mental age. This type of test wasn't useful for adults who have always been given intelligence tests where the score represents a statistical distribution of intelligence rather than a ratio of mental age.
I don't think a tech would have asked you to reset the router configuration. It would be correct for him to ask you to reset (i.e reboot) the router. This would clear the routing table and, in particular, the arp table. I am guessing there was a miscommunication about what your router's reset button did. Then again, I have a habit of underestimating people's stupidity. Since the button was recessed, (done commonly for making the configuration reset harder) the tech guy is confused and you should complain to the ISP.
Unless, this is being misreported by the media, a false positive rate is a percentage of all passengers screened and is independent of the rate of terrorists bringing weapons or explosives on board. There should be very very few true positives and unless they are an intentional test, the discovery will be publicized.
There is no legal definition for the terms "hacking" and "hacker". In fact, there is no agreed upon definition for hacking. I, as an aging software engineer, have my own preference, which corresponds closely to the original meaning of a skilled programmers actions. I have given up on that preference as I have recognized I cannot fight the direction that our language is going. Mike is using "hacking" in a very broad way. A way that reflects it's very general use nowadays. Yes, there is no reference to "hacking" in the court case, but that does not mean he is lying about the law.
None of Pulte's employees were members of LIUNA. LIUNA argued that the call and email campaign was part of their normal organizing efforts. That does not ring true and the appeals court pointed out that the sales office and 3 executives were the target and not potential union recruits. However, there should be a freedom of speech argument in allowing union members (500,000 of them) to voice their displeasure with a company seen as anti-union. The court is saying that collective campaign, organized by LIUNA, could be intended by them just as a form of harassment against Pulte. Since the form of harassment here affected Pulte's computers negatively, that is a (civil, at least here) violation of the CFAA. Even a slowdown of the computer or forced discarding of incoming email is considered damage.
The cease and desist letter from Pulte said, vaguely, that the calls and emails "prevented Pulte’s employees from doing their jobs". LIUNA, in fact, claimed in a court filing that they were not informed that their conduct was harmful to Pulte's computer systems. The appeals court did not argue that LIUNA was informed. Their argument was that knowledge of damage was the wrong standard to show intent. The appeals court said that the proper standard was just to show that LIUNA intended to cause damage. The case has been remanded to the District Court, so the question of intent is still to be decided.
It is possible that LIUNA intended to harass Pulte with a limited DOS attack. It is also possible that DOS wasn't their goal. You have to take a closer look at what was done.
LIUNA put out a call on their website to make calls to Pulte and to email them. They set up a pre-written letter which any member could click on and cause a separate email to be sent. LIUNA has 500,000 members. Even if all 500,000 sent an email this way, it would be hard to argue that that action was illegal. Such mass, topic oriented, email campaigns are done elsewhere, and should be protected under first amendment freedom of speech. Now, if a single person had caused hundreds, or thousands of emails to be sent, that would be a scenario accurately described as a DOS attack.
The use of an autodialer sounds suspicious. I do not know how it was used. It is possible that the autodialer was used similarly to the emails. The website could have allowed a member to click on a button that caused the autodialer to send a pre-recorded voice message to a Pulte phone number. That would not be much different than the email scenario and should also be protected under the first amendment. On the other hand, if the autodialer was programmed to just automatically, and continuously, call and leave messages, that would be a DOS attack.
An interesting aspect of this case is that even if this was a kind of DOS attack, the capabilities of the computer to resist such damage is taken into account. Pulte claims they had to "shut down their email in boxes". I am sure what really happens is that once the box is full new incoming emails are automatically discarded. What if the email in-boxes were capable of handling 200,000 messages, would there still be a case? Pulte claimed they could not send emails. That is most certainly wrong. I suspect they were being intentionally vague in describing that they could not respond to emails because it took too much time to filter through the spam or were automatically discarded. If they could still send emails, would there still be a case? finally, any email client or server created in the last decade (at least) is capable of filtering out some spam. The easiest thing to filter out are identical messages all coming from the same address. Most of the emails were from the LIUNA server via their website trigger. If Pulte could have easily filtered out all those emails, why didn't they and would there still be a case?
My suspicion is that both LIUNA and Pulte are harassing each other in anyway they can. The fact that Pulte is using the court system for a case that shouldn't really exist may be legal but is unethical.