Leaked MediaDefender E-mails

This story is poised to become a bigger deal:

Peer-to-peer (P2P) poisoning company MediaDefender suffered an embarrassing leak this weekend, when almost 700MB of internal company e-mail was distributed on the Internet via BitTorrent. The e-mails reveal many aspects of MediaDefender's elaborate P2P disruption strategies, illuminate previously undisclosed details about the MiiVi scandal, and bring to light details regarding MediaDefender's collaboration with the New York Attorney General's office on a secret law enforcement project. We have been reviewing the data for days and will have multiple reports on the topic.

More info here.

And now, phone calls were leaked. Here's a teaser -- Ben Grodsky of Media Defender talking to the New York State Attorney General's office:

Ben Grodsky: "Yeah it seems...I mean, from our telephone call yesterday it seems that uhm... we all pretty much came to the conclusion that probably was ehm... caught in the email transmission because the attacker, I guess what you call, the Swedish IP, the attacker uhm... knew the login and the IP address and port uhm... but they weren't able to get in because we had changed the password on our end, you know, following our normal security protocols uhm... when we are making secure transactions like these on the first login we'll change the password so, obviously, well not obviously but, it seems that, most likely scenario is that, at some point that email was ehm... intercepted.

You know just because it is... probably it was going through the public Internet and there wasn't any sort of encryption key used to ehm... protect the data in that email."

Ben Grodsky: "...if you guys are comfortable just communicating with us by phone, anything that is really really sensitive we can just communicate in this fashion..."

Ben Grodsky: "OK [confused, taking notes]. So, you are gonna disable password authentication and enable public key?"

Ben Grodsky: "...that part has... has not been compromised in any way. I mean, the communications between our offices in Santa Monica and our data centers have not been compromised in any way and all those communications to NY, to your offices, are secured. The only part that was compromised was...was the email communications about these things."

Ben Grodsky: "...All we can say for sure Media Defender's mail server has not been hacked or compromised..."

[Answering to the question "What kind of IDS you guys are running?"]
Ben Grodsky: "Ehm...I don't know. Let me look into that."

EDITED TO ADD (9/20): Media Defender’s source code is now available on P2P networks. Actually, I’m feeling sorry for them.

Posted on September 18, 2007 at 12:03 PM • 32 Comments

Comments

guvn'r • September 18, 2007 12:33 PM

"MediaDefender accomplishes this task by using its array of 2,000 servers and a 9GBps dedicated connection to propagate fake files and launch denial of service attacks against distributors."

Is it legal to DOS distributors?

Or do we have the NY Attorney General's office doing business with and thus supporting a company engaged in illegal activities?

blahbob • September 18, 2007 12:41 PM

And really, what is the NY Attorney General's office doing *outsourcing* law enforcement to a private company? Where is the mainstream media in all of this? This *should* become a bigger deal.

Jay Levitt • September 18, 2007 12:48 PM

Fascinating. Someone posted a transcript of the phone call on one of those links. It doesn't give very much information at all, but one thing is very clear:

The MediaDefender person on that phone call knows absolutely nothing about computer security.

The AG is explaining how, if there's an intrusion, you don't know how far it's spread until you know exactly where the intrusion occurred. And how you need to encrypt all traffic going over the public Internet, but that that won't help if your machine is insecure. And how people can transmit files in different ways. He is spelling out basic technology in such detailed, layman-friendly exposition, it could be coming from a "Law and Order" script.

And MediaDefender just repeats their talking points:

- We don't know that it was our server that was compromised; it could have been your [the government's] server. You're big targets too.

- We changed the password, so we should be OK.

- We know for a fact that our server wasn't compromised.

Other than that, all MD does is parrot back key phrases the AG feeds them: PGP, password authentication, public key. And then they set up another meeting.

Raise your hand if you feel like you've *been* on a conference call like that.

Simon Willison • September 18, 2007 1:52 PM

I heard (from an unverified source) that the e-mail compromise was caused by one of MediaDefender's employees forwarding all of their corporate e-mail to a Gmail account, then using that Gmail address to signup for one of the torrent sites they were investigating and using that same Gmail password as the signup for the torrent site.

Echo Nolan • September 18, 2007 2:28 PM

Simon, I believe you (or your unverified source) are thinking of the third paragraph of mediadefender.mail.200612.200709.nfo, which I have reproduced below:


-={ MediaDefender-Defenders }=-

Date: 2007-09-15

MediaDefender-Defenders proudly presents 9 months worth of
internal MediaDefender emails

By releasing these emails we hope to secure the privacy and
personal integrity of all peer-to-peer users. The emails
contains information about the various tactics and technical
solutions for tracking p2p users, and disrupt p2p services.

A special thanks to Jay Maris, for circumventing there entire
email-security by forwarding all your emails to your gmail
account, and using the really highly secure password: blahbob


So here it is, we hope this is enough to create a viable
defense to the tactics used by these companies, also there
should be enough fuel to keep the p2p bloggers busy for
quite some time.

-={ MediaDefender-Defenders }=-

RijilV • September 18, 2007 2:55 PM

Media Defender also had data from their MySQL database of gnutella users/ips/filenames/servers posted. Over 10gigs uncompressed...

The media coverage has been pretty minimal on this. The torrents for all of this were out this past weekend. The WSJ ran a story online, but I haven't seen any other major news organization picking this up - and it even took till Tuesday for Bruce to run with it.

The emails are terrible - tons of attachments with payroll information, root logins in clear text, IP addresses for all of their servers, home phone numbers for just about everyone.

It looked to me that this was a fairly simple entry - one person forwarded all of his mail to Gmail, then proceeded to use the same password for his Gmail account everywhere else. Once someone gained access to the emails, it was trivial to compromise the rest of their system - from the phone call it's obvious MD isn't running IDS, the audio reveals it better than the transcript does - it's obvious the MD guy knows his pants are down.

The phone call recording is interesting though - in that the audio really makes me think it was recorded from a POTS line - you can hear the hum of the carrier in the background. Also, when the conversation goes from MD to the AGoNY, there is a few seconds' pause before the audio is picked up. 'Feels' like a physical device to me - possibly one that MD installed so as to have a record of the phone conversation.

DA • September 18, 2007 3:50 PM

I'm curious if the NY Attorney General's office knew the phone call was being recorded. I have a feeling it was MD that recorded the call (and then the attackers got access to that recording).

If they didn't know, I would imagine that would be illegal (depends on the state, I know, in this case NY & CA are involved).

The emails also imply that the efforts to curtail piracy are ineffective, and reveal insulting attitudes toward their customers.

Finally, it's understood that the company's employees' social security numbers (as well as payroll data) were present in email attachments.

With all due respect, Bruce, this story has been well publicized (WSJ, Slashdot, boingboing), I (and I imagine others here) am very curious if you have any commentary or analysis to add to the story.

Kadin2048 • September 18, 2007 4:15 PM

I think the phone call is the most interesting part of this.

The emails, there I believe that it could have just been some MediaDefender employee being boneheaded and forwarding everything to their GMail account.

But to get a tape of a phone conversation like that? Unless MD had a phone-taping device, and was really loose about the tapes (either physical tapes or computer files) -- which does not really match up with the kind of clueless-but-paranoid organization that would record phone conversations in the first place as executive CMA material -- I think there's somebody on the inside leaking this stuff. (And if it turns out that neither the AG nor MD taped the call, then someone bugged their phones as well; almost certainly an inside job.)

Can't wait to see whether MediaDefender tears itself apart in a "mole hunt" or what.

Tom A • September 18, 2007 6:51 PM

> I heard (from an unverified source) that the e-mail compromise was caused by one of MediaDefender's employees forwarding all of their corporate e-mail to a Gmail account, then using that Gmail address to signup for one of the torrent sites they were investigating and using that same Gmail password as the signup for the torrent site.

The implication being that the site operators use the username/password information from their signup database to test other likely targets like gmail, yahoo, etc? Who knows how many other accounts they have logged into that have not been shared with the world.

sty@sty.sty • September 18, 2007 10:49 PM

This response from the guy hosting the email database to a cease and desist letter from MD's lawyer at Sheppard Mullin amuses me.

---------
“Hello, Mr. Bob Gerber,” says Media Defender e-mail database representative Person Who Fakes His WHOIS Information:

First off, this e-mail may not be a complete statement of fact, fiction, and I fully reserve a right to change my mind if I feel like it.

Etc. Oh! Also, this e-mail addresses MD, not your law firm. I didn’t feel like digging through the database for an e-mail address, so here I am.

So! I’d like to make you aware of the following facts:

* You don’t have any jurisdiction in Norway.
* The server is located in Norway.
* I’m located in Norway.
* Norway is not the United States of America.

That appears to preclude you from pursuing anything but a pointless scenario of e-mailing me in the middle of the night.

However, fear not! The super-duper Server Admin From North may just yet save you. See, if you provide a server in the US, I can upload everything there and redirect the domains - then you can C&D that provider, and let the owner of the server put in another redirect. Soon, after about a couple hundred C&D’s, we’ll reach a state where any client (internet browser) will decide that it’s in a loop, and shut down.

You could also pay me a lot of money. That might help. That’d actually help immediately.

But as it stands, it appears that your legal grounds for throwing letters at me claiming this-or-that is shaky enough that you might want to relocate.

I look forward to your prompt reply. If no such reply is received within six hours, I consider this case null and void as I’m an impatient man.

Well, it’s already null and void, it’ll just get nuller and voider.

Best regards, PWFHWI

Neighborcat • September 18, 2007 11:06 PM

From the leaked emails...Ben Grodsky of Media Defender planning damage control:

"So far the story has only been on techie, geek web sites where everybody already hates us. If the story stays on these sites, we should let it die."

Hey! That's no way to talk about Bruce's site!

SudoNym • September 19, 2007 1:47 AM

“it’ll just get nuller and voider” Ha!

Re the phone conversation, I just assumed someone had packet-sniffed a VoIP call. (Or even traffic through an internal VoIP PBX, like the company I work for has: external calls all go out over a few POTS lines but someone who compromised the right switch could trivially log all of our pizza orders and midday conversations with our wives/husbands... they might even get something business-related, but I doubt it...)

simon says • September 19, 2007 8:59 AM

Mediadefender.com says, on their web site:

"...In addition to anti-piracy solutions, MediaDefender also offers a Leak Alert service."

I wonder if they subscribe to this "Leak Alert" service themselves. ROFL, clowns.

Jim Lippard • September 19, 2007 4:13 PM

The transcript of the phone call says that the MediaDefender end is using VoIP.

Ralph: There's no entrapment here unless MediaDefender is (a) acting as an agent of law enforcement to (b) induce people into doing something that they wouldn't have done at all without that inducement.

Law enforcement can run sting operations so long as they don't fall afoul of (b). Also note that entrapment is a *defense* to a criminal charge, not a crime in and of itself.

Terry Cloth • September 19, 2007 7:45 PM

On a tangent:

I wonder when some P2P users will wake up and see that the Media Defender (and anyone else's) poisoning is a matter of identification and authentication solvable with public-key cryptography.

As with so much of the Internet's data, the problem is sorting the signal from the noise.

So, some (large) number of people start distributing public keys, then signing messages sent over the P2P network. It will quickly become easy to sort the signal, from folks who sign and send the real thing, versus the noise from Media Defender and their ilk.

At that point the only thing MD can do is try a DoS, pumping enough into the network to drown out the authentic infringers, or try to develop a reputation by sending the real goods, then capitalizing on it by starting to send signed noise. I suspect their customers would not care for method B, and the users can defend against method A by dropping any unsigned traffic, or any signed by proven unreliable sources.

Obviously, you want to drop the noise ASAP, when you only have a slice of the data. Methods to authenticate signatures under those circumstances need study, but it's certainly doable.
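The filtering scheme sketched in the comment above, as an added example that is not part of the original post or of any real P2P client: each publisher signs, per chunk, the file name and the chunk's hash with an Ed25519 key, and the receiving peer drops anything unsigned, anything whose signature fails, anything from a key it has already marked unreliable, and any delivered bytes that do not match the signed hash. The announcement format, the file and chunk contents, and the reputation store are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Announcement stands in for what a peer publishes alongside a chunk: the
// file it claims to serve, the hash of that chunk, the publisher's public
// key, and a signature over the first two fields. Constructed format.
type Announcement struct {
	FileName  string
	ChunkHash string // hex SHA-256 of the chunk bytes
	Publisher ed25519.PublicKey
	Sig       []byte
}

// signedPayload is the byte string the signature covers. Signing per chunk
// lets a receiver holding only one slice of a file verify that slice.
func signedPayload(fileName, chunkHash string) []byte {
	return []byte(fileName + "\x00" + chunkHash)
}

// SignChunk produces an announcement for one chunk, signed by the publisher.
func SignChunk(priv ed25519.PrivateKey, fileName string, chunk []byte) Announcement {
	h := sha256.Sum256(chunk)
	a := Announcement{
		FileName:  fileName,
		ChunkHash: hex.EncodeToString(h[:]),
		Publisher: priv.Public().(ed25519.PublicKey),
	}
	a.Sig = ed25519.Sign(priv, signedPayload(a.FileName, a.ChunkHash))
	return a
}

// Verdict is what the receiving peer decides to do with an announcement.
type Verdict int

const (
	Accept            Verdict = iota
	DropUnsigned              // no key or signature attached: treat as noise
	DropBadSignature          // signature does not verify: forged or altered
	DropUnreliable            // signer previously caught publishing garbage
	DropChunkMismatch         // announcement verifies, delivered bytes differ
)

func (v Verdict) String() string {
	return [...]string{"accept", "drop-unsigned", "drop-bad-signature",
		"drop-unreliable", "drop-chunk-mismatch"}[v]
}

// Filter holds the receiver's local reputation state: keys it distrusts.
// A real client would persist this and might share it with peers.
type Filter struct {
	unreliable map[string]bool // hex-encoded public keys
}

func NewFilter() *Filter { return &Filter{unreliable: map[string]bool{}} }

// MarkUnreliable records a signer caught sending noise (the comment's
// "method B"), so its later announcements are dropped even if well signed.
func (f *Filter) MarkUnreliable(pub ed25519.PublicKey) {
	f.unreliable[hex.EncodeToString(pub)] = true
}

// Judge decides whether to keep an announcement and, once the chunk bytes
// have arrived (chunk != nil), whether they match what was signed.
func (f *Filter) Judge(a Announcement, chunk []byte) Verdict {
	if len(a.Publisher) != ed25519.PublicKeySize || len(a.Sig) != ed25519.SignatureSize {
		return DropUnsigned
	}
	if f.unreliable[hex.EncodeToString(a.Publisher)] {
		return DropUnreliable
	}
	if !ed25519.Verify(a.Publisher, signedPayload(a.FileName, a.ChunkHash), a.Sig) {
		return DropBadSignature
	}
	if chunk != nil {
		h := sha256.Sum256(chunk)
		if hex.EncodeToString(h[:]) != a.ChunkHash {
			return DropChunkMismatch
		}
	}
	return Accept
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	f := NewFilter()
	chunk := []byte("constructed chunk bytes")
	good := SignChunk(priv, "example.iso", chunk)
	fmt.Println("signed, intact:", f.Judge(good, chunk))
	fmt.Println("signed, altered bytes:", f.Judge(good, []byte("garbage")))
	unsigned := Announcement{FileName: "example.iso", ChunkHash: good.ChunkHash}
	fmt.Println("unsigned:", f.Judge(unsigned, chunk))
	f.MarkUnreliable(pub)
	fmt.Println("after signer marked unreliable:", f.Judge(good, chunk))
}
```

The check happens before any bytes are fetched, so unsigned announcements (the comment's "method A", flooding the network) cost the receiver only a signature verification, and a key that starts sending signed noise is cut off by one reputation entry rather than by re-checking every chunk. What the scheme does not do is bind a key to a human identity; it only lets receivers tell apart sources that have been consistent from sources that have not.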

Roger • September 19, 2007 7:46 PM

Bizarre that MediaDefender is allowed to keep child porn on their PCs. How do they know they won't attract pedophiles on their payroll? Gives them the perfect excuse. Are the police too dumb to do their own police work?

RijilV • September 19, 2007 10:13 PM

@Roger

You know, the transcript of the phone call is avail online...you could read it before making wild claims...

Media defender was to supply AGoNY with the means to download files from gnutella, as well as a system that located files containing some secret list of terms. In the phone call AGoNY goes to great length explaining how they need a system to view this material to make the determination if it is illegal or not. AGoNY mentions their file server, and talks about how their process doesn't involve using the Internet.

@Jim

I think you're mistaken about who is on VoIP. At one point AGoNY cuts out because Media Defender's application is 'calling home' or some such thing. While the typical VoIP nonsense ensues MD asks if AGoNY can call from a landline. When AGoNY restores the quality of their call, MD says "Now I understand a little better the limitations of voip."

It is unclear what type of connection MD is on, but given MD's reaction and statements it is unlikely MD is on a VoIP line.

And for everyone who is thinking 'entrapment' about the Miivi.com thing...Entrapment is for criminal cases where the Government is the 'entrapping' party. The RIAA would likely just sue the 'copyright infringers'.

references:
http://pastebin.com/f5ae055cf
https://secure.wikileaks.org/wiki/Talk:Mediadefender-phonecall.mp3

Chris • September 20, 2007 9:51 AM

This fiasco has to make MediaDefender's clients wonder just how well their money was spent. Even if we ignore the fact their lax security practices let this information get out in the first place -- they haven't been able to stop the spread of any of this on P2P networks. If you can't protect your own IP, how can you protect my $NEXT_BLOCKBUSTER_MOVIE or $SMASH_HIT_RECORD?

perianwyr • September 20, 2007 9:51 AM

One of the most significant advantages of private "law enforcement" is that entrapment is not possible.

X the Unknown • September 20, 2007 2:21 PM

"One of the most significant advantages of private "law enforcement" is that entrapment is not possible."

Of course, neither is resisting arrest, falsifying information to duly-appointed law-enforcement agents, etc.

Roger • September 20, 2007 9:30 PM

There is a rumor posted today that MediaDefender's actual Anti-P2P software itself has been leaked.

@RijilV : If their security is that slack, they really shouldn't have anything to do with regulating child porn. Leave that to the police and the feds.

Jim • September 21, 2007 12:44 PM

I don't know much about them (more than before, though). The site says:
"MediaDefender uses a range of non-invasive technological countermeasures employed on P2P networks to frustrate users’ attempts to steal/trade copyrighted content. We have a proven track record of adapting to challenges and successfully protecting our customers as new technologies and networks arise."

Don't mess with stuff you don't understand. I guess their understanding of security was limited. Stopping digital copying is like stopping the sunshine. The whole Internet is a big copying machine.

Bob • September 25, 2007 9:36 PM

@RijilV Look in the e-mails. They did stuff like get a video of a woman having sex with a pig and posted it on BitTorrent. Has the NY AG given them immunity for bestiality too?

They've been doing random DDOS attacks too. That's illegal too.

Thatstough • October 7, 2007 4:51 AM

Hey, this is really cute (quote from http://thepiratebay.org/blog/86 comments):

comment by:exiled_in_aeden

"After discussing this with a friend of mine who's both a law student and a pirate (isn't that the same?) I realized something very interesting.

The term "infrastructural sabotage" is very close to saying terrorism... and this, due to the fact that these local branches of multinational companies aren't allowed to do something like this without the go ahead from the main office, actually constitutes AN ACT OF WAR!

By willfully attacking a part of the Swedish infrastructure (the servers are located in Sweden so that makes it so), the country/countries have committed a crime against the Swedish crown and that equals an act of war.

amusing isn't it."

Do the right thing • October 21, 2007 6:23 PM

One of the most worrying parts of this whole affair is that major news networks like CNN, BBC et al are leaving this alone, while even worse, the authorities don't seem to be investigating MediaDefender despite a number of apparently illegal activities.

Why not?

I hope at least Grisoft make MD pay the maximum retail price + a hefty admin charge + legal fees for using unlicensed AV.


Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..