Framing Computers Under the DMCA

Researchers from the University of Washington have demonstrated how lousy the MPAA/RIAA/etc. tactics are by successfully framing printers on their network. These printers, which can’t download anything, received nine takedown notices:

The researchers rigged the software agents to implicate three laserjet printers, which were then accused in takedown letters by the M.P.A.A. of downloading copies of “Iron Man” and the latest Indiana Jones film.

Research, including the paper, here.

Posted on June 9, 2008 at 6:47 AM30 Comments


Clive Robinson June 9, 2008 7:20 AM

So the MPAA/RIAA/etc cannot do better thatn a “half a***” job, not realy surprising when you look at DRM or any other of their control systems…

But they will unfortunatly not give up as it is their way of life to accuse others of theft but excuse their own members of other activities which are legaly questionable.

Sejanus June 9, 2008 7:43 AM

Good job 😉 Respect. I don’t know much about USA, etc., but in my country (Lithuania) that copyright enforcement agency acts like yet another racket gang. It is hated even by people who are strongly against piracy or copyright violations

Tanuki June 9, 2008 8:55 AM

Now, I just wonder how long it’ll be before the MPAA/RIAA start trying to issue takedown-notices against the owner(s) of IP-address ??

Seth June 9, 2008 9:08 AM

Too bad they didn’t have an old Epson 9-pin printer they could have implicated. Laser printers are at least computers.

Next, I suppose, it’s time to get the takedown notices sent to and to get the RIAA and MPAA to start sending notices to each other.

I wonder what happens the next time the RIAA sues somebody and this paper is introduced by the defense.

Sejanus June 9, 2008 9:08 AM

The link Johannes posted is about this:

In May 2008, MediaDefender was publicly accused of being the source of a distributed-denial-of-service attack on Revision3. Jim Louderback, Revision3 CEO charged that these attacks violated the Economic Espionage Act and the Computer Fraud and Abuse Act. As of May 2008, the Federal Bureau of Investigations was investigating the incident.

It’s amazing how people who claim to be “good guys” can act.

Pascal Juergens June 9, 2008 9:31 AM

Just a sidenote: it’s nine DMCA notices to printers. “Over 400” is a figure from the NYT article and refers to all of the letters that they got. See page 3 of the paper for details.

Al June 9, 2008 9:38 AM

I wonder what would happen if someone ‘framed’ IP numbers belonging to the RIAA. Would the RIAA send itself a takedown notice?



Glenn June 9, 2008 9:41 AM

It’s too bad they just make a joke out of it with that “wanted” picture at the top of their page. I havn’t even paid attention to the EFF since they started that sort of thing–it’s impossible to take people seriously who try to grab attention using a picture of Barney in handcuffs, like a cheap tabloid.

Carlo Graziani June 9, 2008 10:02 AM

MPAA: Tell me your IP address RIGHT NOW, you copyright-violating evildoer!


MPAA: Right! We’re off to the courthouse to teach you a lesson! You’ll rue the day you stole from us!


MPAA: Evildoer! You hacked our firewall!! You tricked us into serving papers on ourselves!!! The judge was not amused. But we’ve beefed up our firewall, and vengeance will be ours. What was that IP address again?


MPAA: That’s right! Here it comes, buster! To the courthouse!!

[…Iterate ad infinitum. Modeled on the events described at

Sparky June 9, 2008 10:23 AM

Maybe something will change when they start suing some highly places people, like members of parliament, or maybe their own board of directors. I doubt the names and addresses are screened by anyone sufficiently intelligent to catch it in time.

Sparky June 9, 2008 10:24 AM

Maybe something will change when they start suing some highly placed people, like members of parliament, or maybe their own board of directors. I doubt the names and addresses are screened by anyone sufficiently intelligent to catch it in time.

Although I’d think that would also constitute computer fraud.

a. June 9, 2008 11:56 AM

And once they find out the huge amount of downloads at, they’ll sue the owner of that IP address….

Pete June 9, 2008 12:27 PM

They do seem to be quite restrictive in who they sue: if you take a look at who they send their settlement proposals etc to, they pick the people with little means to defend themselves in court. Of course – any sane person would. Pick out the weakest in the herd, avoid the ones that look like they can defend themselves.

Alpha Prime June 9, 2008 12:45 PM

I’m wondering… there are penalties for frivolous lawsuits. If someone hid their encrypted files by using the names of current films and popular songs in order to test ‘security by obscurity’, then got sued for making the materials available, could they not counter sue to recover costs and damages?

After all, these files would only be useful to the P2P user, or group, that had the key and their presence on the net as something other than ‘states-secrets.gpg’ would be an application of security by obscurity.

Davi Ottenheimer June 9, 2008 1:31 PM

“…University of Washington have demonstrated how lousy the MPAA/RIAA/etc. tactics are…”

I think a term like unfair or lazy might be a better way to describe the tactics.

Not sure what you mean by lousy, but there is an economic angle to these tactics that make them fairly efficient (not lousy) for the attackers. They are able to spew frivolous and bogus litigation at little cost to themselves.

floodgate June 9, 2008 1:34 PM

we need more studies like this.

many, many more. i’m thinking tens of thousands, all running simultaneously.

if one study can generate 400 spurious takedown notices, imagine a massively networked effort designed to generate millions of worthless takedown notices a month…

Davi Ottenheimer June 9, 2008 1:36 PM

“Maybe something will change when they start suing some highly placed people, like members of parliament, or maybe their own board of directors.”

Actually, I was thinking the opposite. The more rabbit holes they are forced to run down the higher their cost of follow-up and even litigation will run.

A massively scaled “framing” campaign widely spread across the general population could drag down even the most efficient MPAA/RIAA war engines.

Pardon the comparison to common history and warfare, but this has been a typical tactic to defeat conventional armies that try to occupy and control civilian populations. Once they lose the ability to ID guerrillas/resistance an army faces conflict with a general body that they usually lack the resources to control.

Clive Robinson June 9, 2008 1:48 PM

There is one area of “attack” or “detection” against the likes of the MPAA/RIAA/etc that has not been mentioned.

Like a lot of organisations attempting to monitor the Internet for what they regard as “significant activity” they are resource constrained by amongst other things cost.

The side effect of this is the “efficient use” of resources is effectivly mandated. Which usually means using one computer to do many many tasks or computers. Often this is by the use of VM type software and faking multiple IP addresses etc.

The most comon place to see this is in Honey Nets where one machine pretends to be many. I fully expect these monitoring organisations to employe the same technology to hide their activities.

Unfortunatly it has a fatal flaw if you know how to exploit it and unlike Honey Nets these machines are active which means they can be “decloaked pasivly” it is just a mater of finding a workable method…

The fatal flaw is that the computer hardware only has a single hardware clock to which all of the computers actions are tied, including all the virtual machines and multiple network cards with multiple IP addresses.

There is an existing atack known as “Timestamp enumeration” whereby you can detect which VMs and multiple IP addresses are all using the same hardware clock.

Unfortunatly it uses the frequency delta of the hardware clock after it has effectivly been devided down by the base operating system so it can take an apreciable amount of time to establish that two VMs or IP addressess are using the same hardware clock (the greater the drift rate or frequency delta the faster the detection).

However the upside is that it uses very little in the way of resources to detect the timestamp delta so many many VMs and IP addressess can be checked in parallel by a single computer.

A little while ago a friend and I tested out “timestamp enumeration” against a number of software development networks and found that the real number of computers and the number of VMs running on each could be reliably determined by the use of simple techneiques that although active used packets spread out over a sufficiently large time period that the IDSs did not pick up on it. We then borowed a network and installed a typical honey net set up and low and behold it was easily detected without having to run anything that would have been treated as anything other than a fairly sedate slow scan.

So if you use the method described in the paper to get a list of “suspect” machines you can then fairly easily make the appropriate requests to assertain the corelation on timestamp deltas. It is very likley that any two matching timestamp deltas on systems pretending to be different are almost gaurented to be ones you want to qavoid having any contact with.

Further if you are acting as the refrence for the p2p network you can monitor all the time stamps of requesting computers again detecting comonality of timestamp deltas would be suspicious.

So the hard part determining the best method of implementation, then having detected the likley candidates what do you do with them?

The thought occurs to me that you could take a leaf out of the honey net project and make your own virtual “tar pit” to send them to…

IronGeek June 9, 2008 5:18 PM

@Seth wrote “Laser printers are at least computers.”

Right, you can change their display message with a PCL job, upload a hacked
firmware, have physical access to their disk, attack their unpatched base OS
(VxWorks, NetBSD), sniff the password and send rsh commands, or use them to
nmap the RIAA and the MPAA. Countermeasures are on

Mark Simon June 9, 2008 5:26 PM

The take down notices sound more like spam, not legitimate DMCA take-down notices that are entitled to legal effect.

Since no infringing material existed, the notices could not have identified,as required by 17 U.S.C. 512(c)(3), “material that is claimed to be infringing or to be the subject of infringing activity and that is to be removed or access to which is to be disabled, and information reasonably sufficient to permit the service provider to locate the material.”

It appears the researchers did not give any consideration to whether the take-down notices were entitled to any legal effect.

In any event, legal recourse exists against parties who cause unwarranted take-down notices to issue. See 17 USC 512(f).

Tim June 9, 2008 5:32 PM

A simple tarpit is all that’s necessary to attract the RIAA/MPAA’s attention. I did it, just for kicks, about 4-5 years ago – a simple page listing various keywords in random order, some words made into links – using apache rewrites such that anything under the same directory just re-invoked the same script with yet another random output. (Hint: put a few delay/sleep commands in the script!) There were no “filez” stored anywhere, just links to URLs ending in .mp3, .m4a, .mpg, .torrent etc…. all of which had mime-type text/html and a few months later, the ISP phoned me… 😉

Stupid litigious yanks.

Alan June 10, 2008 3:29 PM

They do seem to be quite restrictive in who they sue

Ok then, frame the senators’ mothers, aunts, uncles, cousins… Or better yet, their mothers-in-law. That should do it.

Leave a comment


Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via

Sidebar photo of Bruce Schneier by Joe MacInnis.