[LINK] Leaked Media Defender e-mails reveal ... lots

Roger Clarke Roger.Clarke at xamax.com.au
Tue Sep 18 17:05:51 AEST 2007


[Is it *only* because I'm preparing a seminar that Google iniquities 
are everywhere this week?]

["MediaDefender employee Jay Mairs forwarded all of his company 
e-mails to a Gmail account"]

[And BTW, the article is a great read.]


>Subject: Leaked Media Defender e-mails reveal secret government 
>project [SEC=UNOFFICIAL]
>Date: Tue, 18 Sep 2007 16:41:28 +1000
>From: <Russell.CLARKE at Dest.gov.au>
>To: <Roger.Clarke at xamax.com.au>
>
>
>http://arstechnica.com/news.ars/post/20070916-leaked-media-defender-e-mails-reveal-secret-government-project.html
>
>Leaked Media Defender e-mails reveal secret government project
>By Ryan Paul | Published: September 16, 2007 - 10:01PM CT
>
>Peer-to-peer (P2P) poisoning company MediaDefender suffered an
>embarrassing leak this weekend, when almost 700MB of internal company
>e-mail was distributed on the Internet via BitTorrent. The e-mails
>reveal many aspects of MediaDefender's elaborate P2P disruption
>strategies, illuminate previously undisclosed details about the MiiVi
>scandal, and bring to light details regarding MediaDefender's
>collaboration with the New York Attorney General's office on a secret
>law enforcement project. We have been reviewing the data for days and
>will have multiple reports on the topic.
>
>MediaDefender specializes in file-sharing mitigation: practices that
>disrupt and deter infringing uses of P2P file-sharing networks. Music
>labels and movie studios pay the company millions of dollars to
>temporarily impede the propagation of new releases in order to compel
>consumers to pursue legitimate commercial distribution channels.
>MediaDefender accomplishes this task by using its array of 2,000 servers
>and a 9GBps dedicated connection to propagate fake files and launch
>denial of service attacks against distributors.
>
>The e-mail was leaked to the public by a group that calls itself
>MediaDefender-Defenders. In a text file distributed with the mail, the
>group explains how the e-mails were obtained and why they are being
>distributed. Apparently, MediaDefender employee Jay Mairs forwarded all
>of his company e-mails to a Gmail account, which was eventually
>infiltrated. "By releasing these e-mails we hope to secure the privacy
>and personal integrity of all peer-to-peer users," writes the group
>behind the disclosure. "So here it is; we hope this is enough to create
>a viable defense to the tactics used by these companies."
>
>It's not surprising that MediaDefender was targeted in this manner. The
>company was accused of using shady tactics earlier this year when
>BitTorrent community site TorrentFreak revealed that the anti-piracy
>company was surreptitiously operating a video upload service called
>MiiVi that offered high speed downloads of copyright-protected content.
>Critics accused MediaDefender of using the site to perpetrate an
>entrapment scheme, an allegation that the company has vigorously denied.
>MediaDefender founder Randy Saaf personally assured Ars that MiiVi was
>an internal project that was never intended for public use. Back in July
>when we covered the MiiVi scandal, we knew Saaf's story didn't quite add
>up, and now the general public has evidence that blows holes in Saaf's
>claims.
>
>The MediaDefender e-mails leaked this weekend confirm beyond doubt that
>the company intentionally attempted to draw traffic to MiiVi while
>obscuring its own affiliation with the site. The e-mails also show that
>MediaDefender immediately began to recreate the site under a different
>name and corporate identity soon after the original plan was exposed.
>
>The rise of MiiVi
>Shortly after the public launch of MiiVi in June, developer Ben Grodsky
>e-mailed Saaf and his colleagues to inform them that the site was
>beginning to receive traffic. "We have some success! 12 people have
>signed up on [the] page. 7 have installed [the] app," wrote Grodsky.
>"This is from about 3,000 uniques from limewire redirects." Grodsky sent
>another user count status update a week later revealing that the site
>had drawn 19,000 unique visitors from LimeWire redirects. He also
>informed Saaf that his team was "working on putting Google Analytics all
>over MiiVi" in order to "better track what people are doing on the
>site."
>
>MediaDefender went to great lengths to obscure its affiliation with
>MiiVi. "I don't want MediaDefender anywhere in your e-mail replies to
>people contacting Miivi," Saaf instructed company employees. "Make sure
>MediaDefender can not be seen in any of the hidden email data crap that
>smart people can look in." Grodsky and Saaf also began discussing new
>ways to drive traffic to the MiiVi site. "If we want more users, Dylan's
>eDonkey messages would get us a lot of Europeans that are a little bit
>older crowd," Grodsky wrote. "I would like it if our pictures were
>indexed with goggle [sic]. We need to get as much search traffic as we
>can," Saaf replied.
>
>Developer Dylan Douglas also suggested some Google ranking improvement
>strategies. "We should come up with a bunch of keywords and a
>description for the hidden metadata entries to increase traffic,"
>Douglas told the MiiVi developers.
>
>In late June, Grodsky began considering ways to leverage the MiiVi
>client application infrastructure. "Do you think it would break a lot
>and take more time than its [sic] worth for the MiiVi
>application/installer also to act like Serge's Proxy client and spoof on
>eMule?" Grodsky asked Saaf. "We don't want to do this at this time,"
>Saaf replied. "Good idea, but we don't want to give it a spyware
>stigma."
>
>The disclosure
>Chaos ensued at the company when TorrentFreak disclosed MediaDefender's
>affiliation with MiiVi in early July. "Looks like the domain transfer
>screwed us over," Grodsky wrote in an e-mail which also contained a link
>to TorrentFreak's article. "What needs to happen?! Do you want the
>server pulled?" he asked Saaf. "This is really fucked," Saaf replied.
>"Let's pull miivi offline." Shortly after the server was shut down
>completely, Grodsky sent a follow-up e-mail noting that the story was
>beginning to spread. He dutifully requested "damage control"
>instructions from Saaf and discontinued the LimeWire redirect campaign.
>
>MediaDefender's damage control program went into full swing shortly
>after that. When Douglas pointed out that information about MiiVi had
>been added to the MediaDefender Wikipedia page, Saaf decided that he
>wanted it taken down. "Can you please do what you can to eliminate the
>entry? Let me know if you have any success," Saaf wrote. "I will attempt
>to get all references to miivi removed from wiki," developer Ben Ebert
>replied. "We'll see if I can get rid of it."
>
>After a statement Saaf sent to Digital Daily was included in a blog
>entry, Saaf sent an e-mail to a handful of MediaDefender employees
>asking if it would be a good idea to post it to the Digg.com news site.
>He also suggested possibly having MediaDefender employees post comments.
>Referring to the Digg community, MediaDefender co-founder Octavio
>Herrera replied, "They aren't going to believe you."
>
>MediaDefender developers also discussed ways to downplay the story or
>spin it to dull the impact. "If the major news outlets aren't interested
>in the story, I would take that as an indication that the VAST majority
>of people don't give a shit about this story," Mairs wrote. "However, if
>they do think it's worth writing about, we definitely want to get our
>side of the story in the mainstream media, so I think Randy's plan of
>going to the big tech media outlets is a good one. So far the story has
>only been on techie, geek web sites where everybody already hates us. If
>the story stays on these sites, we should let it die."
>
>Saaf sent Mairs a private reply in response, expressing his personal
>opinion about the media backlash surrounding the spyware allegations.
>"Truth is I don't give a crap about most of this shit," Saaf wrote.
>
>The resurrection
>Despite the serious failure of MiiVi, MediaDefender decided to try
>again. "Looks like we'll just have to take 2-3 weeks of downtime and do
>some cosmetic work and relaunch," wrote MediaDefender employee Ty Heath
>in an e-mail to the MiiVi development team. "Plus creating another DBA
>(or better yet incorporating under a new name), getting a new domain,
>getting another Verisign certificate, getting a new IP range, etc.,"
>Grodsky replied. In an e-mail titled "MiiVi redux," Grodsky asks Saaf if
>he wanted to "do the incorporating from scratch idea for the MiiVi
>replacement" instead of the doing-business-as arrangement used for
>MiiVi. "If so," wrote Grodsky, "I have no idea what the turn-around is
>on creating a complete corporate entity and we would need a name for the
>new corp."
>
>Grodsky's first step was establishing a new mailing address using a mail
>service in Las Vegas. "I called the place (www.maillinkplus.com) and
>verified the name(s) on the box and the name(s) that receive the mail
>can be different from the name of the company that's paying by check.
>They also e-mail nightly if there's mail and someone on their staff
>inputs the FROM address on the envelope to a database that will show us
>when we login who we got mail from and then we can pick to have those
>article [sic] forwarded to us per item," wrote Grodsky. "Worst case
>scenario paranoia craziness, does anyone have objections with this mail
>box place being the foundation for all the materials that would have to
>do with the to-be-named MiiVi?"
>
>One point that came up during MiiVi resurrection planning was the
>potential value of the traffic generated by the negative publicity. "We
>are leaning toward dumping the URL and just re-launching with a new URL?
>Are we being too hasty because you can't buy 1,000,000 pages linking to
>you in Google returns." Michael Potts, who works for MediaDefender
>parent company ARTISTDirect, suggested putting a link to the new site on
>a page at the MiiVi domain so that the new site benefits from MiiVi's
>high Google rank.
>
>After an extensive naming discussion, MediaDefender finally decided to
>bring back MiiVi under the name Viide. In an e-mail to Potts, Grodsky
>wrote, "When you get a chance, we would love you to start taking a look
>at www.viide.com. That is the current home of our MiiVi site. We have
>totally locked-down the site, while we improve the look and feel from
>[what] the blogosphere saw."
>
>The next step was purging Viide of all references to MiiVi before the
>official launch. "I'm not sure if you guys are planning on going live
>with the Viide domain name... but in case you are... you might want to
>remove all references of Miivi on the homepage of viide.com before it
>gets Googled or someone public comes across it," wrote former
>MediaDefender developer Tabish Hasan in an e-mail sent to the MiiVi
>development team. Development on Viide was ongoing in the most recent
>e-mails included in the leaked collection.
>
>Providing data for use by law enforcement agencies
>In the collection of leaked e-mails, there are several discussions with
>representatives of the New York Attorney General's office, including
>intelligence analyst Bradley J. Bartram and senior special investigator
>Michael G. McCartney. MediaDefender is in the process of devising a
>system that will enable the Attorney General's office to remotely access
>MediaDefender's data about P2P users. In an e-mail that McCartney sent
>to Mairs last month, the investigator explained that the matter was
>"being overseen by the highest members of [the] agency" and was
>considered somewhat urgent.
>
>Although the full scope of the project cannot be extrapolated from the
>e-mails, the information available indicates that MediaDefender intends
>to provide the Attorney General's office with information about users
>accessing pornographic content. Other kinds of information could be
>involved as well. The e-mails clearly indicate that the data provided by
>MediaDefender was intended to be used for law enforcement purposes. In
>an e-mail to Mairs, Bartram says that the system must be specifically
>designed "to satisfy the legal and evidentiary requirements" before use.
>
>
>"On your end, the peer-to-peer crawler will be identifying files
>matching the established search criteria from various hosts," wrote
>Bartram. "This data will then be collected, filtered for New York
>resident ip addresses (to the accuracy limits imposed by geo-query
>tech). The data will then be transferred to us where; on our end, a
>separate piece of software will use that data to connect into the
>network and download the file from a host and store it on our servers
>for evidence retention and further analysis."
>
>It is not clear whether or not the project with the Attorney General's
>Office has any connection with the MiiVi project. At this time, we have
>not uncovered any substantial evidence to indicate that such a
>connection exists.
>
>Some evidence in the e-mails indicates that the system devised by
>MediaDefender in collaboration with the Attorney General's Office was
>targeted by a hacker. "[A]n ip from, what appears to be sweden,
>connected to the server using your username, made two failed password
>entries and then disconnected 4 seconds after the initial connection,"
>Bartram informed MediaDefender. "Considering the nature of the
>information being collected, I would like to restrict access as much as
>possible." McCartney followed up soon after with an e-mail to Grodsky
>and Mairs. "Is this one of your engineers? Because if not, this is very
>disturbing! Who ever [sic] this was obviously had the non standard port
>as well as your user name to attempt these logins," wrote McCartney.
>"This leads me to believe that your system is compromised and/or our
>communications were either sniffed or accessed providing this fella with
>much of the relevant information to attempt access. As of now, all out
>side [sic] access has been disabled until we can figure this out
>further."
>
>It is possible that the individual who attempted to infiltrate the
>server is associated with the organization behind the MediaDefender
>e-mail leak. McCartney's concerns represent the only instance in the
>MediaDefender e-mails where anyone expresses suspicion that the messages
>are being intercepted and obtained by a third party.
>
>Universal Music Group contract
>One of the most informative documents included in the leaked e-mails is
>a draft of MediaDefender's confidential contract with Universal Music
>Group. The contract reveals exact details of MediaDefender's pricing
>structure and services and provides insight into which P2P networks the
>company is targeting. MediaDefender charges $4,000 for one month of
>protection for an album, and $2,000 for one month of protection for a
>track. Clients are also given access to MediaDefender's reports and
>statistical analysis. In the contract, the company claims that it "will
>perform Services against approximately twelve million" file-sharing
>users at any given time and will target the fifteen most popular P2P
>networks. Targeted networks include FastTrack, Gnutella, IRC, Usenet,
>DirectConnect, eDonkey, MP2P, Kademlia, Overnet, BitTorrent, SoulSeek,
>and Shareaza. The contract also provides detailed explanations of
>MediaDefender's efficacy testing practices.
>
>Other odds and ends
>There is simply too much information in the MediaDefender e-mails for us
>to cover in detail. We leave further analysis of the data as an exercise
>to the reader. We did encounter, however, a few other things worthy of
>note. There are detailed statistics that illuminate the efficacy of
>MediaDefender's file-sharing mitigation tactics and an extensive
>discussion of new techniques used by the company. The e-mails,
>unfortunately, also contain some highly sensitive financial information,
>including a spreadsheet with the salaries, Social Security numbers, and
>home addresses of individual MediaDefender software developers. There
>are also e-mails that discuss MediaDefender's competition intelligence
>activities, where they attempt to discover file-sharing mitigation
>tactics used by competitors like MediaSentry.
>
>The e-mails contain information about the personal life of MediaDefender
>employees as well. One particularly ironic example can be found in an
>e-mail sent by Mairs, the MediaDefender employee whose technical
>ineptitude was ultimately responsible for the leak. "I was out of the
>office yesterday because my son stuck something up his nose and I had to
>take him to urgent care. I guess we know where he gets his smarts from
>;)" The NBC Universal representative who received that e-mail replied
>sympathetically, "Haha. I hope it wasn't a crayon."
>
>Conclusion
>The cold war being waged between MediaDefender and P2P copyright
>infringers is rife with mutual deception, but one fact shines through
>all of the layers of obfuscation: MediaDefender consistently
>underestimates the ingenuity, resourcefulness, and dedication of its
>adversaries. In this case, it could cost the company everything.
>
>Internet users are beginning to demand a higher level of transparency
>and accountability from companies that operate within the Internet
>ecosystem. Companies like MediaDefender that rely on secrecy and
>discretion unintentionally invite scrutiny by attempting to hide.
>
>Although many of MediaDefender's innermost secrets have been laid bare
>by this leak, there are many aspects of the company that remain shrouded
>in mystery. The ultimate purpose of the MiiVi site, for instance, is
>still an enigma. In some ways, the information in these e-mails raises
>more questions about MiiVi than it answers. It is likely that many
>additional details about MediaDefender's operations will be disclosed to
>the public as new secrets are uncovered in the e-mails. The rate at
>which these e-mails propagate across the Internet may also stand as a
>testament to the difficulty of trying to stand between consumers and
>their torrents.
>
>

-- 
Roger Clarke                  http://www.anu.edu.au/people/Roger.Clarke/

Xamax Consultancy Pty Ltd      78 Sidaway St, Chapman ACT 2611 AUSTRALIA
                    Tel: +61 2 6288 1472, and 6288 6916
mailto:Roger.Clarke at xamax.com.au                http://www.xamax.com.au/

Visiting Professor in Info Science & Eng  Australian National University
Visiting Professor in the eCommerce Program      University of Hong Kong
Visiting Professor in the Cyberspace Law & Policy Centre      Uni of NSW


