[NYTr] Get Out of Jail Free - Public Negligence in NY State

All the News That Doesn't Fit nytr at blythe-systems.com
Tue Sep 18 17:06:51 EDT 2007



Begin forwarded message:

Date: Tue, 18 Sep 2007 14:40:21 -0400
From: NY Transfer News <nyt at viola.tamara-b.org>
To: NYTr <nytr at blythe-systems.com>
Subject: Get Out of Jail Free - Public Negligence in NY State


Get out of jail free - public negligence in NY

by Peter Bell

Wow.  Anyone who's been involved in a range of NY State AG
investigations and who has a competent lawyer can probably get charges
dismissed.

The NY State AG's office and a company in California have set a new high
water mark for computer security exposure.  The company, called Media
Defender, is known primarily for helping the MPAA and RIAA prosecute
file traders.

The NY AG's office hired Media Defender to do some snooping, purportedly
to assist in prosecution of child pornography.

Hiring a company in the crosshairs of hackers with little else to do is
probably not the wisest of ideas.  Continuing to do business with them
after a system compromise of unknown origin has occurred is a worse
idea.

The net result?   This week close to 700M of Media Defender emails, a
Media Defender tracking database, and the grand prize, a 25 minute audio
recording from a conference call between the NY AG's office and Media
Defender are in circulation on the internet.

It's the grand prize because - unlike most computer security evidence -
it can be played for jurors and they can hear with their own ears what a
lousy fucking idea it is to hire a bottomfeeding company.  The audio
will acquit defendants.

The conference call was held to discuss a security breach.  The
conference call goes into a fair amount of operational detail about
internal security at the NY AG's office as well as a discussion of
evidence contamination in upcoming prosecutions.  The NY AG's people
sound like rocket scientists in comparison with their counterparts at
the "high tech" firm they've hired:

AG:  "What kind of [intrusion detection system] are you guys running?"

MD:  "Ah, I don't know. Let me look into that."

[...]

Media Defender's comms have been compromised for months at some level,
and any competent defense attorney is going to be able to get an
acquittal of any client whose prosecution relies on evidence furnished
by Media Defender going forward.

Once you've been popped this badly, there's no way to prove that you're
secure, ever again.  The AG even recognizes the risk in a question, not
understanding just how deep the damage already is:

   AT - Here's the problem, a potential problem, and again, from the
   law-enforcement-perspective: The intelligence information that you
   guys are gathering, that's being sent to our systems and then our
   evidence-collection-process here, it needs to be able to stand up in
   court, and in order for us, I think, to do that from a legal
   standpoint, we have to be able to get on a stand and say that the
   data that we get from you, is, pristine, it's validated, it's
   verified, there's no chance that, or there's a very limited chance
   that the data that came from you to us, was in any way compromised,
   edited, modified, or goofed with, so that the information that we
   get from you, that we rely upon, we can go out and connect to the
   IP-machine, the IPs and the machines in New York that have the
   contraband files that we're pulling down, are all wrapped together
   in one nice little bundle,

   MD - That part has not been compromised in any way, I mean, the
   communication between our offices in Santa Monica and datacenters
   in Los Angeles and Alsagundo(?) have not been compromised in any way
   and all those communications to New York, to your offices, are
   secured. The only part, that was in any way compromised was the
   email-communications about these things.

Quite obviously, Media Defender is lying through its teeth at this
point; they have no way of knowing the scale of the breach.  As of this
morning, they probably still have not finished coming to terms with the
scale and it will likely be months at a minimum before a Federal
prosecution is initiated.


[NY Transfer Editor's note: This appears to have occurred in August,
2007 -- so our sterling almost-squeaky-clean Governor Spitzer (with
only one fairly minor scandal so far, involving a staffer who had to
resign) was no longer the AG when this occurred. 

Here's a draft transcript of the entire call: (first URL no longer
works.)

http://pastebin.com/f5ae055cf  [No longer has transcript]

http://blogs.law.harvard.edu/zeroday/files/2007/09/transcript.txt 

The first URL above produces nothing except one line that
says:  "/home/pastebin/public_html/../posts/ needs to be a writable dir
to use file storage engine"  Perhaps the AG's office is responsible. 

The 2nd URL works and has the draft transcript as of 17:01 on Sept 18.
Who knows for how long... -NYTr]


Transcript for MediaDefender.Phonecall-MDD

Certainly not error-free. :)

----
MD - Hello.

AT - Yes?

MD - Hi, this is Ben Grodsky(?), MediaDefender.

AT - Alright, Mike McCartney, Bret Bartrum(?) and Jim Dummers(?).

MD - Hi there, guys.

AT - How are we doin'?

MD - Alright.

AT - Alright, uhm..

MD - I'm sorry, go ahead.

AT - Well, have you guys had an opportunity to kinda look to see where
this may have, uhm, may have stem from?

MD - Yeah, it seems, I mean, from our telephone call yesterday it seems
that, ah, we all pretty much came to the conclusion that it probably
was, ah, caught in the email transmission, because the, ah, attacker, I
guess we should call the Swedish IP the attacker, knew the login and
the IP address and port, but they weren't able to get in, because we had
changed the password on our end, you know, following our normal
security protocol, ahm, when we're making secure transactions like
these, on the first login we'll change the password. So..

AT - Right.

MD - Obviously, well, not obviously, but it seems that, ah, the most
likely scenario is that at some point that, you know, was, ahm,
intercepted, you know, just because there's probably, it was going
through the public internet and there wasn't any sort of encryption key
used to, ahm, protect the data and that email.

AT - But what kind of, what you guys are saying, on our end, uhm, so, I
mean, we have RSA authentication through our Exchange-server, uhm, to
get into our stuff.

MD - Right. But then it's going from your mail-server to our
mail-server, it's going through all the routers and hubs on the way and
we don't have, we didn't make any kind of, ah, you know, key between
our servers to make sure that the internet(?) would, would, ah, would
only be viewable by people with that key.

AT - Right, no, I understand that, we could certainly add PGP-encryption
or some other email-encryption so that it's encrypted in transit, but
what I'm saying is that how comfortable are you guys that your
email-server is free of other eyes?

MD - I'm not sure what you mean, our email-server isn't free of other
eyes. There is nothing to say that this email was intercepted on our end
as opposed to it being intercepted on your end.

AT - That is true. I mean, obviously...

AT2 - Are you comfortable that it was not intercepted on your ....

AT - I mean, (?), theoretically, hypothetically it could be grabbed
anywhere along the way as it transmits through routers and different
protocols from my end to your end, but I guess we're asking: are you
comfortable that you guys don't have anybody in your email-server?

MD - Oh yeah, yeah, we checked out our email-server and our email-server
itself is not compromised. I think that was your question.

AT - Ok, yeah, I guess that wasn't clear, I just, I mean you guys know
as well as we know that you guys are a major target of hackers.

MD - Right, yeah, we are a major target of hackers, and, you know, you
guys are part of the government and the government is always a major
target of hackers and people trying to sneak around for information. So
I mean both of us are pretty big targets.

AT - Yeah, yeah, absolutely. And that's why I guess, you know, and
obviously the content of this operation that we're doing is extremely
sensitive and that's why, you know, we're, we take very extra caution
and security measures when we're talking about any of these secure
inside-networks that we're dealing with, so we just need, you know,
let's make sure that we add whatever security and functionality we need
to, so not only our data-communications and protocols are secure and
maybe we should wrap'em in a PPN-Tunnel, uhm, public private key for
the data that is transmitted between us but also for our
email-communications, uhm, making sure that, you know, we can talk to
each other through email using, uhm, another layer of communication so
that, you know, nobody can understand or read what the hell we're
talking about with each other.

MD - (long silence) Yeah. Yeah, I mean, we can certainly, uhm, setup a
PGP-key for the email, uhm, as far as the using of a PPN-Tunnel or
something like that, uhm, you know, I can look into that with Jay when
he comes back on Tuesday.

AT - OK. Uhm, I don't wanna slow down performance either, I mean, if
that's gonna really dog our communication link between each other.

MD - You know, I think that really right now what we could do if you
wanted, is, as we discussed yesterday, we could change the port, that
we're doing things on your server

AT - (?) a process of that.

MD - OK, so we can do that, we can change the login, obviously the
password, you know, if you guys need to know what password we're using
we could just communicate that by phone, and I think the email isn't
really an issue as long as we don't really say anything particularly
sensitive in the emails.

AT - Right.

MD - You know, and, we're pretty available by phone, so, if guys are
comfortable with just communicating with us by phone and anything that's
really really sensitive we could just communicate in this fashion. I
know it's a little bit cumbersome...

AT - Yeah, it can be sometimes, I mean, email's so easy, and (background
mumbling) yeah, I mean, this is obviously a very sensitive
investigation, as you know, and we, I'm just nervous now going back
through old emails and we knowing we didn't really say too much in
our earlier communications but if anybody was successful sniffing out
communication between each other over the last month, I mean, that
obviously could (?) that you guys were helping the state of New York
and the Attorney General's office in a childporn-investigation of
global scale, based on some of the childporn-keyword-list-textfiles we
attached and sent back and forth to each other, some of the results
that you guys have sent in, the preliminary results of the
keyword-crawling...

MD - Yeah, yeah, but, you know, (?) by the same token obviously people
are always aware that childporn is a, is something that they need to
be, you know, not transmitting in the first place. So anyone
transmitting is, per se, infringing on the wha, committing crimes.

AT - And as such they go through extra ways to try make and find out
what law enforcement is doing so they can avoid being caught.

MD - Right. One thing to keep in mind, is, you know,
Peer-to-Peer-networks are global and for this particular initiative we
have decided, just from a technical standpoint on our end, we have just
decided to use a particular Peer-to-Peer-network, we could always
switch to a different Peer-to-Peer-network if that became an issue in
the future, but, you know, we are still seeing that there would be a
good amount of data coming through to you, so I don't think this is
going to have the effect of, you know, somehow squashing all the data
that you would even be able to collect from us.

AT - No, I don't think so either. I think that the Peer-to-Peer-network
as a whole is a target-rich environment, but I also know through 15
years of doing this, is that if a pedophile is in the
Peer-to-Peer-network, he's in newsgroups, he's on websites, he's in
chatrooms, he's everywhere else, I mean, they're not generally isolated
to one technology and they also go to great lengths to try to proxy and
cover themselves and, you know, view hacker-blogs and logs, looking for
what law enforcement's doing and it wouldn't be outside the realm of a
hacker-group, many of which we've taken down in the past, big organized
crime-groups of pedophiles, to pay hackers for information about what
law enforcement is doing.

MD - Yeah.

AT - And then, that's all, I'm not saying that this particular small
little piece of a global childporn investigation is compromised, we will
get lots and lots of bad guys in this, I'm convinced, and I don't have
any concern of that.

MD - Ok.

AT - (?) all scheme of being able to keep, you know, what we do in law
enforcement a secret and protected as special we can, so that we can
continue being successful.

MD - Right.

AT - So, ok, uhm, more thought on exactly what we're going institute as
far as communication-protocols here

AT2 - Yeah, at this point, what I've done is, I've changed the port for
access on that, I haven't opened it up yet, so what I want to do is, I'd
like to setup a password authentication initially, give you guys a
chance(?) of a public key authentication mechanism on that.

MD - So, ok, you've already changed the port and you're gonna setup, you
already have or you are about to setup authentication for the password?

AT2 - No, I've already setup a new username and password (?) that you
can use for general access to the server itself, and what I'd like to
do is probably (?) disable password authentication on that server all
together and exclusively reserve it for the public key.

MD - Ok, so you're gonna disable password authentication and enable a
public key

AT2 - Yeah.

MD - Ok.

AT2 - And, ah, from there we can we can communicate so we (?)

AT - Here's the problem, a potential problem, and again, from the
law-enforcement-perspective: The intelligence information that you guys
are gathering, that's being sent to our systems and then our
evidence-collection-process here, it needs to be able to stand up in
court, and in order for us, I think, to do that from a legal
standpoint, we have to be able to get on a stand and say that the data
that we get from you, is, pristine, it's validated, it's verified,
there's no chance that, or there's a very limited chance that the data
that came from you to us, was in any way compromised, edited, modified,
or goofed with, so that the information that we get from you, that we
rely upon, we can go out and connect to the IP-machine, the IPs and the
machines in New York that have the contraband files that we're pulling
down, are all wrapped together in one nice little bundle,

MD - That part has not been compromised in any way, I mean, the
communication between our offices in Santa Monica and datacenters in Los
Angeles and Alsagundo(?) have not been compromised in any way and all
those communications to New York, to your offices, are secured. The
only part, that was in any way compromised was the email-communications
about these things. But...

AT - We are not exactly sure, exactly, where this breakdown was, as of
yet, right?

MD - Right. And you might not ever know. I mean, all we can say for
sure, MediaDefender's mailserver has not been hacked or compromised,
and you guys are basically reporting the same on your side. So, then
there's just the public internet between.

AT - Yeah, yeah, I mean, what kind of IDS are you guys running?

MD - Ah, I don't know. Let me look into that.

AT - Because, you know, when was the last update, when was the last time
you guys checked any alerts, I mean, I have our people already working
on it on our end. We're looking that our mail and our mailserver is all
encrypted. Our entire authentication process is RSA. But you're right
if plain text comes from us to you

MD - Hello, are you guys still on the call?

AT - Are you there?

MD - Yeah I'm here, can you hear me? - Can you hear me? - Are you on a
cell phone? - Should we try restarting the phone call? - Is it possible
for you to call from a landline?

AT - Can you hear on what they're doing? Yeah are you there?

MD - Yeah I'm here. - Can you hear me? - Hey bladder_mike, can you hear
me?

AT - Yeah we can hear you, can you hear us?

MD - Yeah occasionally. - Hello?

AT - How about now?

MD - Now I can hear you. Now it's totally silent I don't hear anything.

AT - Are there any connections or something, check your processor.

MD - I can hear a little bit of the chatter between you guys, but I
can't make out anything that you're saying.

AT - Here's the deal can you hear me now?

MD - Yes.

AT - Problem of it is, we're on a VoIP connection, a VoIP phone.

MD - All I got was you guys were on a voip phone.

AT - Right and I think at this moment, you're [sic] application is
calling you're machine back in California and it's chewing up our
bandwidth.

MD - Got it. Ok. At least now I understand what the phone situation is.
Now I understand a little better the limitations of voip.

AT - Yeah it's eh, we're only on a cable right now, we've got two T1's
coming in, once they are in we should be able to turn spend bandwidth
on a little better. Is it better now?

MD - Yeah. It's better. Well, it was for a moment.

AT - How about now, it's probably going to be better now.

MD - Yeah I can.. Yeah.

AT - We'll talk about, we'll keep our e-mail content to a dull roar.

MD - Yeah.

AT - We'll talk by phone unless we can share some PGP-keys for email and
if you can check on your end again. Just, I'm checking on my end too,
I'm not accusing you guys. But I think we need to, under the
sensitivity of this thing, we both need to make sure that both of our
systems are secure on both ends.

Both our mail servers and our networks to make sure that, you know,
whoever saw that email didn't see it on either of our mail servers or on
the inside of either of our networks.

MD - Right.

AT - You know, if somebody got access to the mailserver, they might have
got access to other machines on the network. And the argument goes that,
you know, even though the data that has been sent from us to you in a
secure fashion is secure, if there's somebody sniffing around on your
network or on our network it's not secure on either end. Before it gets
into the tunnel.

MD - Okay.

AT - So, em, I think we're good. Some public private key authentication,
right and set a password, right, so that we've got a whitelist of IPs
that are going to be only allowed access.

MD - Yeah we already (sent) you that whitelist

AT - Exactly, so we'll go from there. Then, going forward, how much more
testing do you guys need to do, and can we set up a *beep* early next
week when we can, can go over exactly  what this thing is doing.

MD - Yeah, we can go over things as soon as you like next week. Tuesday,
Wednesday, whenever you'd want. We're basically done testing, we
deployed, I guess yesterday or the day before, to your system.

AT - Right.

MD - So at this point, you know, it's just, if you want to review how
the data is appearing on your end, there is one thing that Brad has
brought up yesterday as far as making the actual mediafiles more easily
viewable and more easily connecting them to the database.

AT - Yes exactly we're going to need to do that.

MD - Right, well the easiest thing for us to do, and, let me know your
thoughts about this, how about if we prepend to the filenames, where
they are currently just hash in whatever the extension of the filename
should be. How about we prepend to the filename, the real filename from
our database?

AT - I mean, that's ok, I guess, at the end of the day what we're going
to need to know is, other than the nuts and bolts of it exactly, what
data we're getting from you, what data we have on our end, what your
application's doing on our end do with your data. To then go out and
connect to the suspect IPs to pull down the suspect file. I need to be
able to testify that in court so I'm going to have to go over that with
one of you guys, or all of you. Almost line by line to say "Here's what
happened, this is how we get it, this is the structure we get the data
in, this is what the application is doing on your end, this is what
it's trying to do, this is how it's making its connections."

MD - Yeah, all of that is really straightforward and Jake can go over
all of that with you on Tuesday.

AT - Ok, that's easy. Then what we're gonna need to do is once we get
the file

MD - Right

AT - We have to be able to link them back to the suspect IP along with
all your metadata in your database that's associated with that IP. So
we get an IP in Ney [sic] York that's got, according to you guys, a
hundred and twenty-seven suspect files that you saw while you were
crawling. We (?) connect to them on our end using your application. It
goes out, it connects, it pulls a file or multiple files presumably -
hopefully. Gets all of the file or part of the file and it saves it out
to our directory here on our evidence collection array. We then need to
look at it - you know - computers are great but they can't tell me what
is and what isn't childporn and illegal sex.

MD - Right

AT - So we need some sort of a viewer or review-viewer that could be
web-based - that basically goes back - we can then make a selection
whether or not it is or it is not childporn that gets entered into the
database of being childporn or not childporn. And then the database is
updated to reflect the fact that from this IP we got this picture, it
is childporn. From these two IPs we got these two pictures, they are
not childporn. From this IP we got these 4 pictures, 3 of them are
childporn and one is not. So we can begin to make investigative
decisions as to who we're gonna subpoena and who we're gonna make as a
target and what evidence we have against this individual target.

MD - Ok.

AT - The thing we are working on that he maybe could give you some
structure and (?) but we don't know the structure of the data in your
database for him to try to reverse-engineer those calls to the data in
your database to put it into a viewer on our end. But he's done it
before in other things so he could probably help you at least with the
web-based HTML template and sort out how the structure seems to work
and what we're doing and what we've done in other things and it's just
a matter of, you know, working together on the backend data structure
so that it's calling the right stuff and keeping tracking the right
stuff statistically.

MD - Ok.

AT - And what is not done -- same database structure that your data is
coming to us in.

MD - Yeah.

AT - -- you could just browse it on a web browser on an internal network
and look at the data across our internal network in the actual, you
know, image files locally and do the review. So that it's nothing
internet-powered, it's all internal, to us here. Yes, we can deal with
that next week, I think that will be good. So we are ready to go other
than being able to view the images, make a determination at the what
is, what isn't childporn and then keeps statistical counts and records
and entries as to what IPs are associated with those contraband files
and what IPs and metadata are associated with the non-contraband files.
You know, globally.

MD - Right.

AT - (?) IP addresses and then hopefully we'll have a warm breathing body
behind the keyboard of these IP addresses. But that's up to our ...
that's our work.

MD - Yeah, that's on you guys.

AT - Yeah, I'm impressed. I think we'll, I think this will be very good.
Alright, I'll tell Jay, we set it all, and why don't we plan something
for Tuesday afternoon or something?

MD - Ok, Tuesday afternoon your time?

AT - -- and we can try to finalize basically what this app is doing and
we can finalize the last little pieces, some sort of a viewer and Brad
can work with you guys on the structure of the template, the frontend
application of that and you guys can help him with the backend and
together, I think we can put the data and the pieces together cause
like I say a lot of it has already been sort of been done. Knowing your
dataset, where all your stuff is in your database.

Cool!

MD - Alright, sounds very good. Alright, so we'll setup a call for
Tuesday afternoon your time.

AT - Sounds like a plan. Thank you very much and have a good long
weekend.

MD - Thanks a lot and have a good weekend yourselves. Bye.

---

Note: Thanks to MediaDefender-Defenders, #mediadefender and the people
working on this, you know who you are.

