[LINK] technical question: security alert

Kim Holburn kim at holburn.net
Fri Mar 6 21:47:02 AEDT 2009


On 2009/Mar/06, at 12:08 AM, Tom Koltai wrote:
>> Assuming you weren't using bittorrent then (and anyway from the fact
>> that it was logged rather than passed through) it's most likely that
>> mediasentry were responding to a previous inhabitant of that IP
>> address.  I don't know what they do exactly but possibilities spring
>> to mind:  maybe examining what torrents were being accessed by the
>> client or possibly offering a fake media file for download or even
>> surveying data for their clients about what is the most popular
>> download (it's very useful data).
>>
>
> Therefore Kim, I think you might be proposing that MediaDefender is
> possibly stepping through the IP ranges
> looking for live ports with which to further operate from as in
> http://www.dailybits.com/media-defender-attacks-revision3-with-a-ddos/

I can't really say from a single log entry from a single IP address.
I'd have to see a subnet log for that although it definitely is
possible.

> and had Jan's computer responded positively - then her bandwidth would
> now be used without her permission to interrogate other Torrent users.

While this is possible, it seems to me more likely that they were
actually responding to someone else albeit belatedly.  Many home users
now use a hardware router/firewall and externally initiated packets
don't easily get through unless someone has turned on port
forwarding.  The firewalls allow responses through though.  Too little
data to tell.  It'd be nice to get more.  Anyone have that range in
their logs?

MediaSentry ABOV-T694-209-249-45-0-24 (NET-209-249-45-0-1)
    209.249.45.0 - 209.249.45.255

It's still possible that they are crawling the bittorrent networks to
gather data on downloaders.  Also that they are running scans for
bittorrent users.  As I recall they have network connections with huge
bandwidth so they could DoS p2p users if they wanted to.

> In this way - mediadefender can continue interdiction activities without
> being identified by ip blacklists - even though by doing so they are in
> clear breach of the US Wiretap Act and are in effect stealing bandwidth
> from innocent users without offers of compensation.
> That's surprising - I actually thought they had stopped doing that sort
> of stuff.

Yeah, after they were caught out I thought they'd lost their contract
but I assume they will continue to do what they were set up to do one
way or another.

> (I just thought I would translate your (it's very useful data) comment.)

I was actually thinking of something like this:
http://torrentfreak.com/top-10-most-pirated-movies-and-tv-shows-2007-080101/

There was a company I forget which (ah yes "Big Champagne") that was
briefed by the US media companies to find out what people were
pirating so as to determine what was popular.
http://www.wired.com/entertainment/hollywood/news/2007/12/YE_best_of_p2p

Of course MediaSentry is in a different area so it is just as likely
to be somewhat more along the lines of your suggestion.  Maybe
creating a database of bittorrent users and what they are doing.

It could also herald some kind of push to litigate in Australia which
is a worrying thought.  We don't have protections like the Bill of
Rights although that doesn't seem to have done the US much good just
lately.

Also some of the things they were doing and certainly planning were
illegal in the US.  If they are extending their net to other countries
who knows what laws they may break.

-- 
Kim Holburn
IT Network & Security Consultant
Ph: +39 06 855 4294  M: +39 3494957443
mailto:kim at holburn.net  aim://kimholburn
skype://kholburn - PGP Public Key on request