RIAA investigators unaware of IP spoofing or BGP hijacking?

By gbc3 at 4:45 pm on February 26, 2008

Slashdot reports that an assistant professor at Delft University of Technology in the Netherlands calls a recent investigation by the RIAA "borderline incompetent". The investigation accused the defendants of distributing copyrighted material over Kazaa. To obtain the distributor's IP address, the investigators used techniques that have not been tested or accepted in the scientific community, and whose rate of error has not been checked.

The prosecutor made many erroneous and misleading statements about why their evidence was solid. To catch whoever is distributing copyrighted material, they would search for or observe file transfers to capture the distributor's IP address, and then investigate the owner of that IP address. However, this approach fails to check the validity of the IP address being investigated. If IP spoofing and BGP hijacking (http://en.wikipedia.org/wiki/IP_hijacking) were present, the defendant could be falsely accused.

Preventing yourself from becoming a victim of this type of attack would seem hard from a security standpoint: you would have to belong to a specific address space that would be illegal for other networks to broadcast ownership of. However, I think the more important thing to address is for those leading investigations of possible piracy of copyrighted material to ensure that there is no tampering with address space and to ensure the validity of who is responsible.

The assistant professor at Delft suggests that, to decrease the rate of false positives from this attack, the following precautions should be taken:

  • Establish that a specific file can be downloaded from a certain computer. File sharing applications often talk to numerous other computers at once. Sufficient hygiene precautions should be taken by blocking traffic from all possible other computers.
  • Investigate if the computer is possibly hijacked or the internet connection is shared with others. Check if a computer is cracked, for instance running an open proxy or hacked Microsoft Internet connection sharing application. A measurement is needed to establish if there is no significant difference in traceroute timings, SYN responses and Kazaa protocol rendezvous times.
  • Track the computer for several days, if it does not go offline for reliable IP-address translation by the ISP.
  • Establish that no IP address spoofing, BGP hijacking or other tampering with IP addresses has taken place.
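
One way to approach the last precaution, as an added example that is not from the original post or the professor's report: given an archive of BGP announcements, check which origin AS the most specific covering prefix had at the moment the IP address was observed. The `Route` record, the status labels and the sample history (documentation prefixes and AS numbers) are assumptions constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Route:
    prefix: str     # announced prefix, e.g. "203.0.113.0/24"
    origin_as: int  # AS that originated the announcement
    start: int      # first seen, Unix seconds
    end: int        # withdrawn, Unix seconds (exclusive)

# Constructed sample history; documentation prefixes and AS numbers only.
SAMPLE = [
    Route("203.0.113.0/24", 64496, 0, 10_000),        # the ISP named in the claim
    Route("203.0.113.128/25", 64511, 5_000, 6_000),   # short-lived more-specific from another AS
    Route("198.51.100.0/24", 64496, 0, 10_000),
    Route("198.51.100.0/24", 64500, 2_000, 3_000),    # same prefix, second origin
]

def check_attribution(routes, ip, when, expected_as):
    """Does routing history support 'ip was reachable via expected_as at when'?"""
    addr = ipaddress.ip_address(ip)
    covering = []
    for r in routes:
        net = ipaddress.ip_network(r.prefix)
        if r.start <= when < r.end and addr in net:
            covering.append((net.prefixlen, r.origin_as))
    if not covering:
        return "unrouted"            # nobody announced the address at that time
    # Routers forward on the longest matching prefix, so only it decides.
    longest = max(plen for plen, _ in covering)
    origins = {asn for plen, asn in covering if plen == longest}
    if origins == {expected_as}:
        return "consistent"
    if expected_as in origins:
        return "multiple-origins"    # expected AS plus another claimed the prefix
    return "foreign-origin"          # best match came from a different AS

if __name__ == "__main__":
    cases = [("203.0.113.200", 4_000), ("203.0.113.200", 5_500),
             ("198.51.100.7", 2_500), ("192.0.2.1", 100)]
    for ip, when in cases:
        print(ip, when, check_attribution(SAMPLE, ip, when, 64496))
```

Any result other than `consistent` means the routing data alone does not tie the address to the named ISP at that time, so the observation needs corroboration before it is attributed to a subscriber.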

1 Comment

  • 1
    Comment by zaxim

    March 3, 2008 @ 11:22 pm

    I think it’s pretty clear that IPs are an unreliable way to try and prove that the defendant engaged in file sharing. For example the dead grandma that got named in a lawsuit by the RIAA? Come on guys, seriously….

    http://www.afterdawn.com/news/archive/6038.cfm
