From lyger at attrition.org Sun Apr 2 12:15:37 2006
From: lyger at attrition.org (lyger)
Date: Sun, 2 Apr 2006 12:15:37 -0400 (EDT)
Subject: [attrition] postal: march of the assclowns
Message-ID:

http://attrition.org/postal/p0011.html

twin brothers from different mothers have a drink on me shock therapy (a moral imperative) well, anyway... so we're nosy since we just met luuuuuke kindly do the needful save the koembolas! conspiracy theory


From jericho at attrition.org Fri Apr 7 04:31:31 2006
From: jericho at attrition.org (security curmudgeon)
Date: Fri, 7 Apr 2006 04:31:31 -0400 (EDT)
Subject: [attrition] How the RIAA Litigation Process Works
Message-ID:

Wednesday, April 05, 2006
http://recordingindustryvspeople.blogspot.com/2006/04/how-riaa-litigation-process-works.html

How the RIAA Litigation Process Works

The RIAA lawsuits pit a small number of very large recording companies against individuals who have paid for an internet access account. On the plaintiff's end, the owners of the underlying copyrights in the musical compositions are not involved in the case; neither are many smaller record companies. As to the defendants, since no investigation is made to ascertain that the defendant is actually someone who engaged in peer to peer file sharing of copyrighted music without authorization, there are many defendants who have no idea why they are being sued and who did nothing even arguably violative of anyone's copyright. Defendants have included people who have never even used a computer, and many people who, although they have used a computer, have never engaged in any peer to peer file sharing. Sometimes the cases are misleadingly referred to as cases against 'downloaders'; in fact the RIAA knows nothing of any downloading when it commences suit, and in many instances no downloading ever took place. It is more accurate to refer to the cases as cases against persons who paid for internet access which the RIAA has reason to believe was used by some person -- possibly the defendant, possibly someone else -- to engage in peer to peer file sharing.

Ex parte discovery cases.

At the core of the RIAA lawsuit process is its initial lawsuit against a group of "John Does". Here is how it works:

A lawsuit is brought against a group of "John Does". The location of the lawsuit is where the corporate headquarters of the internet service provider (ISP) is located. All the RIAA knows about the people it is suing is that they are the people who paid for an internet access account for a particular dynamic IP address. The "John Does" may live -- and usually do live -- hundreds or thousands of miles away from the City where the lawsuit is pending, and are not even aware that they have been sued. The RIAA is aware that most of the defendants do not live in the state, and are not subject to the jurisdiction of the Court, but bring the case anyway. They are also aware that under the Federal Rules of Civil Procedure there is no basis for joining all these defendants in a single lawsuit, but do indeed join them in one case, sometimes as many as several hundred in a single "litigation".

The only "notice" the "John Does" get is a vague letter from their ISP, along with copies of an ex parte discovery order and a subpoena. They are not given copies of (i) the summons and complaint, (ii) the papers upon which the Court granted the ex parte discovery order, or (iii) the court rules needed to defend themselves. Most recipients of this "notice" do not even realize that it means that there is a lawsuit against them. None of the recipients of the "notice" have any idea what they are being sued for, or what basis the Court had for granting the ex parte discovery order and for allowing the RIAA to obtain a subpoena. They are told they have a few days, or maybe a week or two, to make a motion to quash the subpoena. But if they were to talk to a lawyer they could not give the lawyer an iota of information as to what the case is about, what the basis for the subpoena is, or any other details that would permit a lawyer to make an informed decision as to whether a motion to quash the subpoena could, or could not, be made. What is more, the lawyer would have to be admitted to practice in the jurisdiction in which the ex parte case is pending, in order to do anything at all. In other words, except for lawyers who are knowledgeable about the RIAA tactics, no lawyer could possibly have any suggestions that would enable "John Doe" to fight back. So "John Doe" of course defaults. Then the John Doe "case" may drag on for months or even years, with the RIAA being the only party that has lawyers in court to talk to the judges and other judicial personnel.

The RIAA -- without notice to the defendants -- makes a motion for an "ex parte" order permitting immediate discovery. ("Ex parte" means that one side has communicated to the Court without the knowledge of the other parties to the suit. It is very rarely permitted, since the American system of justice is premised upon an open system in which, whenever one side wants to communicate with the Court, it has to give prior notice to the other side, so that they too will have an opportunity to be heard.) The "ex parte" order would give the RIAA permission to take "immediate discovery" -- before the defendants have been served or given notice -- which authorizes the issuance of subpoenas to the ISPs asking for the names and addresses and other information about their subscribers, which is information that would otherwise be confidential. In the United States the courts have been routinely granting these "ex parte" orders, it appears. (Not so in other countries. Both Canada and the Netherlands have found the RIAA's investigation too flimsy to warrant the invasion of subscriber privacy. Indeed the Netherlands court questioned the investigation's legality.)

Once the ex parte order is granted, the RIAA issues a subpoena to the ISP, and gets the subscriber's name and address. The RIAA then discontinues its "John Doe" "ex parte" case, and sues the defendant in his own name in the district where he or she lives.

Thus, at the core of the whole process are: (1) the mass lawsuit against a large number of "John Does"; (2) the "ex parte" order of discovery; and (3) the subpoenas demanding the names and addresses of the "John Does".

This process is currently under attack in 3 cases that are pending in Manhattan federal court: Atlantic v. Does 1-25 pending before Judge Swain, Motown v. Does 1-99 pending before Judge Buchwald, and Warner v. Does 1-149, pending before Judge Owen. A motion to vacate the ex parte discovery order is pending in Atlantic. Motions to vacate the ex parte discovery order, quash the subpoena, and sever and dismiss as to all John Does from 2 to the end, are pending in Motown and in Warner. In Atlantic v. Does, the "John Doe" who attacked the process is a resident of the Midwest. The "John Doe" who moved to vacate the ex parte discovery order in Motown v. Does 1-99 is from the South. In Warner v. Does 1-149, there are two moving parties. One is from the Southwest, the other from the Greater New York area. The motions in Atlantic and Motown have been fully briefed, and are awaiting decision. The motion in Warner was filed March 31st. The RIAA's opposition papers have not yet been served.

Settlement phase

After getting the name and address of the person who paid for the internet access account, they then send him or her a letter demanding a "settlement". Their settlement is usually for $3750, non-negotiable, and contains numerous one-sided and unusual provisions, such as a representation that peer to peer file sharing of copyrighted music is a copyright infringement (a representation that is far too broad; undoubtedly there are 'sharing' behaviors with digital files, as there are with CDs, that are not copyright infringements). Even certain innocuous provisions, worded in a way to make them obligations of the defendant but not the RIAA, are deemed 'non-negotiable'. At bottom, the settlement is cold comfort to the defendant, because it does not speak for the other potential plaintiffs -- the owners of the copyrighted work, or the other record companies not represented by the RIAA litigation fund.

Litigations against named defendants

If there is no settlement, the RIAA then commences suit against the named defendant in the district in which he or she resides. A boilerplate complaint is used which accuses the defendant of "downloading, distributing, and/or making available for distribution" a list of songs. There are actually 2 lists, a long list (exhibit B) and a short list (exhibit A). No details as to how, when, or where the alleged "infringement" took place. If the defendant defaults, plaintiffs apply for, and apparently usually obtain, a default judgement for $750 per Exhibit A song -- a number which is 757 times the 99-cent amount for which the license to the song could have been purchased.

There have been several challenges to the sufficiency of the boilerplate complaint, in the form of a motion to dismiss complaint, 2 in Texas, 1 in Minnesota, and a number in New York in which my firm has been involved. In Elektra v. Santangelo, in Westchester, the motion was denied. In Elektra v. Barker in Manhattan, Maverick v. Goldshteyn in Brooklyn, and Arista v. Greubel and Fonovisa v. Alverez in Dallas, Texas, the motions are pending. In Elektra v. Barker, amicus curiae briefs have been submitted by the Electronic Frontier Foundation, the Computer & Communications Industry Association, and the Internet Industry Association, in support of Ms. Barker's motion, and by the MPAA in opposition to it. Additionally the American Association of Publishers and the United States Department of Justice have indicated an interest in filing papers in opposition to the motion as well.

In cases where the sufficiency of the complaint is not being challenged, the RIAA serves a number of pretrial discovery requests, calling for examination of the hard drive and numerous other items, and discovery is being litigated.

In Priority Records v. Brittany Chan, a Michigan case, the litigation was brought against a 14 year old girl who allegedly engaged in file sharing when she was 13. The RIAA made a motion to have a guardian ad litem appointed so that their case might proceed against the minor, but the Judge rejected the motion because it did not ensure payment of the guardian ad litem's fees.


From jericho at attrition.org Fri Apr 7 16:39:54 2006
From: jericho at attrition.org (security curmudgeon)
Date: Fri, 7 Apr 2006 16:39:54 -0400 (EDT)
Subject: [attrition] Bad week for government officials..
Message-ID:

http://www.washingtonpost.com/wp-dyn/content/article/2006/04/04/AR2006040401973.html

The deputy press secretary for the Department of Homeland Security was arrested last night on charges that he used the Internet to seduce an undercover Florida sheriff's detective who he thought was a 14-year-old girl, the Polk County Sheriff's Office said. Brian J. Doyle, 55, was arrested at his Silver Spring home at 7:45 p.m. and charged with seven counts of using a computer to seduce a child and 16 counts of transmitting harmful materials to a minor, according to a sheriff's office statement.

[..]

http://www.gcn.com/online/vol1_no1/40341-1.html

A high-ranking Defense Department IT official has been arrested and indicted on child pornography charges. Charles Lynch, director of the Defense Information Systems Agency's Internet Protocol version 6 transition program, was arrested March 8 and indicted in the U.S. District Court for the Eastern District of Virginia the next day on one count of possessing child pornography.

[..]


From lyger at attrition.org Mon Apr 24 20:03:15 2006
From: lyger at attrition.org (lyger)
Date: Mon, 24 Apr 2006 20:03:15 -0400 (EDT)
Subject: [attrition] Book Review: Security Log Management
Message-ID:

http://attrition.org/~lyger/works/reviews/SLMreview.html

Security Log Management
Identifying Patterns in the Chaos
Multiple Authors - Amazon.com
ISBN: 1-59749-042-3
Syngress Publishing, Inc, Copyright 2006

I have to admit, this book wasn't entirely what I expected. For several chapters, I was introduced to more shell scripting, PHP scripting, and poorly printed screen shots than what I would generally expect from a book that at first appeared to have been directed towards security analysts instead of system administrators and web developers. However, despite its flaws, "Security Log Management" does have its merits during its middle chapters, which aren't based on excessive code snippets and blatant endorsements for Microsoft's Log Parser.

[...]


From lyger at attrition.org Tue Apr 25 17:02:47 2006
From: lyger at attrition.org (lyger)
Date: Tue, 25 Apr 2006 17:02:47 -0400 (EDT)
Subject: [attrition] Errata Update: Security Companies
Message-ID:

http://attrition.org/errata/irony.html

[06.04.25] - Computer Associates' Sanjay Kumar pleads guilty to fraud
[06.04.11] - Oracle accidentally discloses unpatched vulnerability to customer web site
[06.04.03] - Trend Micro data revealed due to virus
[06.03.29] - Fred Cohen endorses book plug spam from Chet Uber (SecurityPosture.com)
[06.03.16] - Norton security software updates blocks AOL users' internet access


From jericho at attrition.org Thu Apr 27 06:03:05 2006
From: jericho at attrition.org (security curmudgeon)
Date: Thu, 27 Apr 2006 06:03:05 -0400 (EDT)
Subject: [attrition] Piracy penalties WORSE than child porn under DMCA 2.0
Message-ID:

Courtesy of Infowarrior:

---------- Forwarded message ----------

Piracy worse than child pornography
http://www.theinquirer.net/?article=31256
By Nick Farrell: Wednesday 26 April 2006, 06:44

THE NEW look Digital Millennium Copyright Act (DMCA) seems to be giving the world an unusual moral code. Details of the upgraded act, which has the blessing of the music and film industry and the Bush administration, are now coming to light. It appears that the DMCA will have a maximum sentence of ten years inside for the crime of software and music piracy. It will also give the FBI the powers to wiretap suspected pirates.

Although sentencing varies in the US, the new law does send a very strange message as to what the government considers 'bad' in the 21st century. For example, assaulting a police officer will get you five years, downloading child porn will get you seven years, assaulting without a weapon will get you ten years and aggravated assault six years. So in other words, if you copy a Disney CD and sell it you will be in the same league as a paedophile who is distributing pictures of sexual attacks on children. If you copy Craig David's CD you get ten years, but if you punch him in the face and pummel him into a seven day coma you will only get six. You are more likely to get the respect of the prison population with your six year sentence as well.