Guardaley | X-Art

X-Art/Malibu Media’s response to defendant’s motion to compel: technical analysis

A community member, who prefers not to reveal his name at this time, wrote this thorough analysis of a recent pseudo-technical missive from Malibu. I think it is very good and will help defense attorneys.

Sentence-by-sentence analysis of Nicoletti on IPP
Judge Frederick Kapala

On February 6 Paul Nicoletti filed a response to a defendant’s motion to compel (embedded below). The defendant in this case (Malibu Media v Hind, et al, INSD 12-cv-01117) demanded that Malibu hand over, among other things, the PCAP files that IPP collected. The section at III(A)(1), “The Nature of IPP’s Evidence” (starting at page 4), is possibly the most detailed description yet of precisely what IPP does — and what they have to hide. Here I go through it sentence by sentence, explaining the significance of each.

IPP establishes a direct TCP/IP connection with a computer that is distributing a “piece” of Plaintiff’s copyrighted work.

Nothing terribly controversial here. The use of the term “direct” is somewhat odd — the IPP servers most certainly do not have a direct physical connection to the defendant in question. On the networking front, assuming that Nicoletti isn’t just an attorney far out of his element making things up, we are apparently to conclude that IPP does not make use of proxies or VPNs. (This will be important later.) TCP/IP is mentioned only to lend the sentence a false air of technical gravitas.

Note that it is never mentioned precisely how IPP finds this computer…

The “piece” is a packet of data. The packet of data correlates to Plaintiff’s copyrighted work because it has a unique cryptographic hash value.

Here Nicoletti trips up. Yes, each BitTorrent piece is accompanied by a cryptographic hash (in traditional BitTorrent, these hashes are stored in the .torrent file). However, the only thing that can be checked is whether the downloaded piece matches what the .torrent file describes.

There is no way an investigator could say a priori that, because a piece matches its hash, it corresponds to a portion of an X-Art movie. In fact, downloading the entire torrent from the defendant and hashing it would not help either: the video file spread on BitTorrent would generally not be identical to the file sold by X-Art¹. This is why Tobias Fieser declared in 2012 — in what I can only assume was a poor attempt at a joke — that after the torrent was downloaded from a host he would sit down and watch the whole thing side by side with a copy of the movie provided courtesy of X-Art.
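To make concrete what a piece hash does and does not establish, here is an added example of my own (it is not from the original analysis and is not IPP’s or X-Art’s software). It builds the per-piece SHA-1 list that a .torrent carries in its pieces field and runs the check a client performs when a piece arrives from a peer. The file contents, the 16-byte piece length and the names piece_hashes, verify_piece and same_release are constructed for illustration; real torrents use piece lengths of 16 KiB and up.

```python
import hashlib
from typing import List

# Constructed piece length; real .torrent files use 16 KiB to several MiB per piece.
PIECE_LENGTH = 16


def piece_hashes(payload: bytes, piece_length: int = PIECE_LENGTH) -> List[bytes]:
    """Build the per-piece SHA-1 digests the way a .torrent's 'pieces' field is built:
    20 raw bytes per piece (binary; clients display them as hexadecimal, not 'alphanumeric')."""
    return [hashlib.sha1(payload[i:i + piece_length]).digest()
            for i in range(0, len(payload), piece_length)]


def verify_piece(index: int, data: bytes, pieces: List[bytes]) -> bool:
    """The check a client makes when a piece arrives: does it hash to the .torrent's entry
    for that index?  A match says the piece is what *the torrent* describes, nothing more."""
    return 0 <= index < len(pieces) and hashlib.sha1(data).digest() == pieces[index]


def same_release(file_a: bytes, file_b: bytes, piece_length: int = PIECE_LENGTH) -> bool:
    """Piece-hash lists of two files agree only when the files are byte-for-byte identical,
    so hashes from the swarm's copy cannot be matched against a differently encoded copy of
    the same movie (the footnote's exception, a torrent made from the exact file, is the
    identical case)."""
    return piece_hashes(file_a, piece_length) == piece_hashes(file_b, piece_length)


# Constructed stand-ins: the file as distributed by the rights holder, and the same content
# after a releaser re-encoded or re-muxed it (modelled here as a single changed byte).
ORIGINAL_FILE = b"frame0-frame1-frame2-frame3-frame4-frame5-frame6-"
SWARM_FILE = ORIGINAL_FILE.replace(b"frame3", b"frAme3")

# What the .torrent circulating in the swarm would carry in its 'pieces' field.
TORRENT_PIECES = piece_hashes(SWARM_FILE)


if __name__ == "__main__":
    received = SWARM_FILE[16:32]  # piece 1 as a peer would send it
    print("piece 1 matches .torrent:", verify_piece(1, received, TORRENT_PIECES))                # True
    print("piece 1 from the sold copy:", verify_piece(1, ORIGINAL_FILE[16:32], TORRENT_PIECES))  # False
    print("swarm copy identical to sold copy:", same_release(ORIGINAL_FILE, SWARM_FILE))         # False
    print("piece 1 hash (hex):", TORRENT_PIECES[1].hex())
```

The third print is the whole point: the swarm’s piece hashes verify the swarm’s file perfectly and still say nothing about the file X-Art sells, because one changed byte in one piece changes that piece’s digest.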

Again, Nicoletti uses big technical-sounding words to mask the fact that he has no idea what he’s saying. Spoiler alert: this will be a recurring theme going forward.

Cryptographic hash values act as digital fingerprints. They are long alpha-numeric codes.

They’re binary (hexadecimal when displayed), Nicoletti, not alphanumeric.

Via the algorithms governing the hash system, hash values are capable of being calculated with the type of mathematical certainty and precision as 2 plus 2 equals 4.

This is largely meaningless chest-pounding. He is trying to convince a non-technical audience that the existence of cryptographic hashes is incontrovertible (“mathematical”, even!) evidence of infringement. The argument does not hold water. In fact, there is no argument there, just rhetoric and fluff.

Next paragraph.

IPP servers are synchronized to both an atomic clock and GPS clock.

This just refers to NTP; Tobi Fieser has said so before. It means that their servers’ clocks can be considered somewhat accurate (in Fieser’s own words, to about 1/10 s). This is so the logs have the correct time. This is standard practice for pretty much every server in the world.

Now we finally get to the meat of the matter: the PCAP files. Nicoletti:

IPP logs transactions between its servers and a person distributing a piece of a copyrighted work on a log file. Each transaction is saved in what is called a PCAP. A PCAP is an electronic recording of the transaction. It is analogous to a video recording. The software that IPP uses to create PCAPs is called TCPDump. TCPDump is one of a handful of widely recognized forensically sound Packet Analyzers. It is an open source free software program.

A “PCAP”, i.e. packet capture, is not analogous to a video recording. It would be more like the results of a wiretap. (In fact, a packet capture is precisely that: a recording of every packet of internet traffic going in and out of a computer.) Regarding tcpdump (properly all lowercase), yes, it is a venerable piece of software whose reliability is beyond reproach, but there’s nothing “forensically sound” about it. Not sure what it being open source has to do with anything.

It turns out that Nicoletti’s exposition is also bad, so let’s skip ahead a bit…

PCAP files can be read by anyone with the equipment to read them. The information contained in them can also be converted to word documents. The PCAPs speak for themselves and conclusively establish that the infringing transaction occurred. IPP charges Plaintiff to produce PCAP files. At trial, Plaintiff intends to introduce one PCAP file for each copyrighted work as well as the log files associated with the Defendant. Put another way, Plaintiff does not intend to introduce the thousands of PCAP files that evidence each infringing transaction committed by Defendant. That evidence is contained in the log file which, as previously stated, is also simultaneously created and saved in the same way that the PCAPs are created. To be clear, Plaintiff will produce to Defendant everything that it intends to introduce at trial. And, Defendant can subpoena IPP to produce any other evidence that Defendant wants from IPP.

You might have noticed that IPP really, really doesn’t want the PCAP files published. Why? Let us back up and cover what we skipped to find out:

Each PCAP covering each transaction is stored on a WORM tape drive. So too is the MySQL database log file to which the PCAP correlates. WORM stands for “write once, read many.” IPP uses a WORM drive because it is impossible to modify data after it is written onto a WORM drive. In addition, it is impossible to delete any data, outside of destroying the tape drive itself. Additionally, within twenty-four hours of a PCAP file’s creation, a German government-issued time stamp is placed on the WORM drive.

Now the reason is laid bare. The “German government-issued time stamp” is a requirement under the German Digital Signature Act. (There is no corresponding requirement under US law.) I have to correct Nicoletti once more: the timestamps (formally, Qualifizierte Zeitstempel, “qualified timestamps”) are not issued by the German government but by approved private “certifiers”. The function of the timestamp is to certify that some file existed at a particular time (the time of submission to the certifier).

Given a file and its qualified timestamp (in reality, a digital signature), you can confirm that the file you have been given is the same one that was submitted to the timestamper at the listed time. The problem is this: you cannot modify the file at all, even innocuously, otherwise this timestamp confirmation process will fail.
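How that confirmation works, and why even an innocuous edit breaks it, is shown by the following added example (mine, not from the post and not any certifier’s software). The certifier signs the file’s digest together with the submission time; the relying party re-hashes the file it was handed and checks both the digest and the signature. One assumption is labelled in the code: the certifier’s signature is modelled by an HMAC under a key only the certifier holds so that the example runs with the standard library alone, whereas a real qualified timestamp uses an asymmetric signature in a standardised token format. The key, the sample capture record and the addresses in it (documentation ranges) are constructed.

```python
import hashlib
import hmac
from typing import NamedTuple


class TimestampToken(NamedTuple):
    """What the certifier hands back: the digest it saw, when it saw it, and its signature over both."""
    file_sha256: bytes
    issued_at: str      # time of submission to the certifier, ISO-8601
    signature: bytes


def _signed_payload(file_sha256: bytes, issued_at: str) -> bytes:
    return file_sha256 + b"|" + issued_at.encode()


def issue_timestamp(data: bytes, issued_at: str, certifier_key: bytes) -> TimestampToken:
    """Certifier side.  Assumption: an HMAC under a key only the certifier holds stands in for
    its asymmetric signature, so this runs offline with the standard library."""
    digest = hashlib.sha256(data).digest()
    signature = hmac.new(certifier_key, _signed_payload(digest, issued_at), hashlib.sha256).digest()
    return TimestampToken(digest, issued_at, signature)


def verify_timestamp(data: bytes, token: TimestampToken, certifier_key: bytes) -> bool:
    """Relying-party side: the signature must be the certifier's, and the file in hand must hash
    to exactly the digest that was signed.  Any change to the file, a redaction included, fails."""
    expected = hmac.new(certifier_key, _signed_payload(token.file_sha256, token.issued_at),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, token.signature):
        return False  # token altered, re-dated, or not from this certifier
    return hmac.compare_digest(hashlib.sha256(data).digest(), token.file_sha256)


# Constructed sample: a one-line capture record naming both endpoints, and a copy with the
# monitoring server's address masked out.  Both addresses come from documentation ranges.
CERTIFIER_KEY = b"constructed-certifier-secret"
CAPTURE = b"2012-05-01T10:00:00Z 203.0.113.7:51413 -> 198.51.100.9:6881 tcp 1234 bytes\n"
REDACTED = CAPTURE.replace(b"198.51.100.9", b"REDACTED")
TOKEN = issue_timestamp(CAPTURE, "2012-05-02T09:30:00Z", CERTIFIER_KEY)


if __name__ == "__main__":
    print("original verifies:", verify_timestamp(CAPTURE, TOKEN, CERTIFIER_KEY))   # True
    print("redacted verifies:", verify_timestamp(REDACTED, TOKEN, CERTIFIER_KEY))   # False
    re_dated = TOKEN._replace(issued_at="2012-05-10T00:00:00Z")                      # attempt to move the date
    print("re-dated token verifies:", verify_timestamp(CAPTURE, re_dated, CERTIFIER_KEY))  # False
```

Masking a single field is enough to make verification fail, which is exactly why a timestamped capture cannot be redacted and still be presented as the timestamped original.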

Why won’t they give up the PCAP files?

Note that they are willing to give up the logs, but not the PCAP files. This is because PCAP files contain everything. In particular, someone looking at the PCAP file (which IPP, because of the timestamp and WORM drive, would not be able to redact) would be able to ascertain the IP addresses used by IPP’s servers. This is of course something IPP would very much like to be secret, as if it were public infringers could simply block it. (The PCAP file might also reveal which BitTorrent trackers IPP is monitoring, another thing that would blow their cover.) The files would also detail how IPP goes about showing infringement — the sort of thing found in Delvan Neville’s famous analysis outing John Steele as sharkmp4.
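What a packet capture actually contains (the point made above about tcpdump and wiretaps) and why a capture taken on the monitoring host cannot help but reveal that host’s address can both be seen with the following added example. It is my own code, not the post’s and not any IPP tool: it writes a small libpcap file of the kind tcpdump produces, reads it back with a minimal parser, inventories every address that appears, recovers the one address present in every record, and flags records whose TCP payload begins with the BitTorrent peer-wire handshake. The addresses (documentation ranges), ports, timestamps and frames are constructed; only the classic little-endian pcap format with Ethernet link type and IPv4/TCP is handled.

```python
import struct
from ipaddress import IPv4Address
from typing import Dict, Iterable, List, NamedTuple, Tuple

PCAP_MAGIC = 0xA1B2C3D4                    # classic libpcap, microsecond timestamps
LINKTYPE_ETHERNET = 1
BT_HANDSHAKE = b"\x13BitTorrent protocol"  # fixed prefix of the peer-wire handshake


class Packet(NamedTuple):
    ts: float
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


def frame(src_ip: str, sport: int, dst_ip: str, dport: int, payload: bytes) -> bytes:
    """Constructed Ethernet/IPv4/TCP frame.  Checksums are left zero; the parser ignores them."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0, 64, 6, 0,
                     IPv4Address(src_ip).packed, IPv4Address(dst_ip).packed)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


def build_pcap(records: Iterable[Tuple[int, int, bytes]]) -> bytes:
    """Write a pcap file: 24-byte global header, then (ts_sec, ts_usec, incl_len, orig_len) + frame."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for ts_sec, ts_usec, data in records:
        out.append(struct.pack("<IIII", ts_sec, ts_usec, len(data), len(data)) + data)
    return b"".join(out)


def parse_pcap(blob: bytes) -> List[Packet]:
    """Read the file back.  Every record carries a timestamp and both endpoints' addresses, so a
    capture cannot be handed over without disclosing the capturing host's own address."""
    magic, _maj, _min, _tz, _sig, _snap, linktype = struct.unpack_from("<IHHiIII", blob, 0)
    if magic != PCAP_MAGIC or linktype != LINKTYPE_ETHERNET:
        raise ValueError("example handles classic little-endian pcap with Ethernet frames only")
    packets, off = [], 24
    while off + 16 <= len(blob):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from("<IIII", blob, off)
        data = blob[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(data) < 34 or data[12:14] != b"\x08\x00" or data[23] != 6:
            continue  # not IPv4 over Ethernet, or not TCP
        tcp = 14 + (data[14] & 0x0F) * 4
        if len(data) < tcp + 20:
            continue  # truncated TCP header
        src, dst = str(IPv4Address(data[26:30])), str(IPv4Address(data[30:34]))
        sport, dport = struct.unpack_from("!HH", data, tcp)
        payload = data[tcp + (data[tcp + 12] >> 4) * 4:]
        packets.append(Packet(ts_sec + ts_usec / 1e6, src, sport, dst, dport, payload))
    return packets


def endpoint_counts(packets: List[Packet]) -> Dict[str, int]:
    """How many records name each address as sender or receiver."""
    counts: Dict[str, int] = {}
    for p in packets:
        for ip in (p.src, p.dst):
            counts[ip] = counts.get(ip, 0) + 1
    return counts


def capture_host(packets: List[Packet]) -> List[str]:
    """Addresses present in every record.  A tcpdump capture taken on one machine names that
    machine in each record, so this recovers the monitoring server's own address."""
    if not packets:
        return []
    return sorted(set.intersection(*[{p.src, p.dst} for p in packets]))


def bittorrent_handshakes(packets: List[Packet]) -> List[Tuple[str, str]]:
    """(initiator, responder) pairs whose TCP payload starts with the peer-wire handshake."""
    return [(p.src, p.dst) for p in packets if p.payload.startswith(BT_HANDSHAKE)]


# Constructed capture: two peers talking to a monitoring host, all in documentation address ranges.
MONITOR, PEER_A, PEER_B = "198.51.100.9", "203.0.113.7", "203.0.113.88"
HANDSHAKE = BT_HANDSHAKE + b"\x00" * 8 + b"\x11" * 20 + b"-XX0000-" + b"p" * 12  # reserved, info_hash, peer_id
INTERESTED = b"\x00\x00\x00\x01\x02"  # a later, non-handshake peer-wire message
SAMPLE_PCAP = build_pcap([
    (1335866400, 0,      frame(PEER_A, 51413, MONITOR, 6881, HANDSHAKE)),
    (1335866400, 120000, frame(MONITOR, 6881, PEER_A, 51413, HANDSHAKE)),
    (1335866401, 0,      frame(PEER_A, 51413, MONITOR, 6881, INTERESTED)),
    (1335866405, 0,      frame(PEER_B, 40000, MONITOR, 6881, HANDSHAKE)),
])

if __name__ == "__main__":
    pkts = parse_pcap(SAMPLE_PCAP)
    print("records:", len(pkts))                    # 4
    print("endpoints:", endpoint_counts(pkts))
    print("capture host:", capture_host(pkts))      # ['198.51.100.9']
    print("handshakes:", bittorrent_handshakes(pkts))
```

The handshake check is deliberately shallow: it shows that two hosts spoke the BitTorrent protocol to each other, which is the easy part. Reassembling what was exchanged, or proving which file it belonged to, needs the piece-level work discussed earlier and is not something this parser attempts.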

IPP has so far given few details about its INTERNATIONAL IPTRACKER client and how it determines infringement; those that it has given sound technically questionable and legally unsound. The PCAP files would confirm this.

Nicoletti seems to say that he is willing to provide one PCAP file per claimed infringement at trial. This is complete BS and should not be accepted. Nor should the defendant settle in discovery for the thousands of PCAP entries that correspond to him. The only useful — the only meaningful — thing in this case is the entire WORM drive with its qualified timestamp (yes, all 3 terabytes of it). Any excerpt of the PCAP record can and will be selectively taken, redacted, modified, etc., in order to facilitate IPP’s continued unwillingness to describe their monitoring process transparently. The log files are worse: they record exactly what IPP wants them to (they are written to a database by the INTERNATIONAL IPTRACKER software itself) and provide zero transparency.

The next few pages are full of whining about how difficult it would be to provide the PCAP files, which I won’t reproduce here. I must note, however, one thing…

Further, IPP charges Plaintiff a fee to extract information from its servers. Therefore, in this one request alone, Plaintiff would have to spend several if not tens of thousands of dollars to produce this information.


Soapbox time: a message to Doe defenders

Nicoletti’s response contains several potential lessons for Doe defenders.

First, familiarity with the technical side is crucial. Don’t be like Paul Nicoletti, and don’t be fooled by Paul Nicoletti. At least know what a cryptographic hash is, how the BitTorrent protocol works, and so forth. Discovery isn’t of much use if you don’t understand what you’re getting. It is much more useful if you have advanced technical knowledge. A great deal of BitTorrent copyright trolling, X-Art’s included, is based on extremely shoddy and fundamentally unsound technicals, but to date no Doe defenders have been able to take plaintiffs to task for it — and now a body of BitTorrent-trolling caselaw has formed which is highly unfavorable to Does.

Second, aggressive discovery works. Even in cases like this when all it gets is a bunch of whining, it can still be useful.

A more serious closing thought

There is one small aside nestled inside the response that I would like to draw attention to:

The WORM tape drives used by IPP contain three terabytes of storage. […] IPP goes through several of these tape drives each week.

That some company is keeping data — indefinitely — on Internet users’ activity to the tune of more than a terabyte a day is a sobering thought and should trouble everybody.


¹ Careful readers may have noted that there is one way in which this hashing method could work, which is if X-Art made the torrent themselves. I think it is far more likely that Nicoletti has no idea what he’s talking about.



23 responses to ‘X-Art/Malibu Media’s response to defendant’s motion to compel: technical analysis’

  1. Good article and nice analysis. I agree that a copy of the Worm tape drive(s) corresponding to ALL the claimed incidents should be released to the Defense. As many of the Malibu Media/X-Art cases cover multiple dates, there are bound to be multiple tapes. Just because IPP never thought the tapes would ever get released is no excuse for not releasing them. This is simply the cheapest way to run an operation – and now it is coming back to haunt them.

    Funny & Sad: The defendants are required to supply Plaintiff with a complete copy of all system hard drives, and there have been no limitations on what they can search for or where Plaintiff can look in the systems (someone correct me if I’m wrong). The defense should be afforded that same chance to search the evidence (which Plaintiff claims it has) in a forensically sound copy. If IPP doesn’t like that possibility, they can easily change their evidence collection/PCAP recording to the specific case/IP address. Yes, I know that would be a royal pain for Troll Lipscomb, but I’m sure he already knew about the Federal Rules of Evidence – (Check out section “(3) Foreign Public Documents”)

    DTD 🙂

  2. To quote Shakespeare “something is rotten in the state of Denmark”. IPP is not a neutral third party as they would get a percentage of Plaintiff’s award. IPP is not a governmental body. Nothing they claim to be able to do, has been verified by governmental or academic or certified neutral party. IPP does not have a license to conduct investigative work in the US and is immune to US law.

    A 3.5T backup tape costs about $30. There is no conceivable way it would cost tens of thousands of dollars to make a duplicate tape. Alternatively, all of the PCAP files for all of the alleged pirated videos in this case, by this defendant, would likely fit on one DVD. So I’m scratching my head wondering why IPP can not extract all the PCAP files? If they can’t handle this, then they may not be computer literate. It is a leap of faith to assume IPP’s MySQL log files prove PCAP files exist. It is reasonable for defendant to request all relevant PCAP files.

    A reassembly of the PCAP files would allow recreation of the video and could be examined to see if Plaintiff has inserted anything indicating to viewer that the video is copyright protected. Possibly some of Malibu Media/X-Art videos appear similar to promotional trailers that a reasonable person would not think or know are copyright protected (not properly protecting material, bad security practices by Plaintiff).

    The Plaintiff’s attorney doth protest too much, trying to make material very easily obtained for discovery impossible. It is incredulous that the defendant is to make a drive image of all hard drives and all computers that could be one or more terabytes of data, while at the same time the Plaintiff can not make and provide a simple tape copy. I hope the Judge sees how ridiculous this is.

    The Plaintiff’s attorney’s description of defendant connecting directly to IPP servers sounds as if they have a honeypot. But it is difficult to make sense of what the attorney states because it seems he is trying to confuse the Judge with nonsense about terabytes and gigabytes.

    Assume for a minute that a video tape was made of a bank robbery. That tape could hold one terabyte or more of analog or digitized information and a duplicate would be made as evidence. However it seems plaintiff is not willing to show the equivalent of even one frame of the video, perhaps only a part of a pixel. So what does this prove? That perhaps one millionth of the video was pirated? There seems to be a leap of faith required to assume IPP is legit and has what they claim they have.

    Plaintiff’s lawyer claims sending DMCA notices to “Google” and this singular lawsuit proves Plaintiff enforces its copyright protection. No, this doesn’t prove it. “Google” is only one of many search engines. A DMCA notice to the ISP and a subsequent notice to the alleged pirate would likely be more effective in stopping distribution. At the same time, Plaintiff’s security is so incompetent that they do not even know or have records of who connects to their own servers and downloads their copyrighted material.

    Lacking a MAC address, Plaintiff does not know what router and/or computer was connected to the offending IP address. If a MAC address is manipulated, a third party could pirate the IP address assigned to the ISP subscriber and be the one who infringed. It is interesting that Plaintiff’s attorney admits “the MAC address can be easily altered and manipulated”.

    I don’t see how a Judge could allow the Plaintiff to claim they have evidence they will provide in the trial yet refuses to give to the defendant’s attorney in discovery.

  3. So I’m scratching my head wondering why IPP can not extract all the PCAP files? If they can’t handle this, then they may not be computer literate.

    I think this is the issue. When data is recorded onto a WORM drive given an authenticated time stamp, it is like a notarized copy of a document uploaded to PACER; it can’t be changed. If IPP is allowed to selectively extract PCAP files from the tape, the integrity of the data is no longer assured since the extracts can be tampered with in an undetectable way. So, if IPP wants to prove that anything is authentic they have to supply the entire WORM tape or a byte-by-byte copy of the entire tape. That is what checksums are all about; if the checksum is not identical then the copy is not either.

    You are correct that copying a tape is not such an expensive job in this day and age. It is not the cost of the tape nor the cost of the equipment to duplicate it that is the problem. I leave it to the reader to speculate on what the true motive might be for refusing to produce a true copy of the evidence.

    • In other words, “Your Honor, I’ve got a notarized document, but I won’t present it here. Instead, I copied a paragraph from it by hand. But no worries, I’m trustworthy.”

  4. My guess is they are using Amazon cloud for storage and will not write to tape till they need to. It is the Hotel California of data: you can put stuff in for cheap, but to get it out it costs a lot. Also, buying an LTO5 drive and tapes is costly if you don’t have them yet. You can say a lot of things that are not quite true (yet) if you are anywhere inconvenient to be checked up on. Say, in Germany.

    PS It is against German law to make a backup of data, as it violates their copyright law. However, most places ignore that in Germany. That was how it was explained to me in ’09

  5. I don’t think that is really an issue. If a defendant got a copy and modified the PCAP data then it would be very easy for IPP to compare the data to the original tape and see if it has been modified.

    I think the bigger problem is that PCAP data appears to be just a raw packet dump from the tcpdump network monitoring tool, which is not something that is easily read or interpreted. Also, I don’t think it’s very useful to really reconstruct a complete torrent download. It would be very easy to use the data to tell that a given host was exchanging packets with their server using the bittorrent protocol, but reconstructing the whole torrent download would be extremely difficult. You would have to be a serious expert in the bittorrent protocol to do that. Additionally, if the bittorrent client was using encryption they might not be able to even do that at all; in other words, all they might be able to tell is that the two computers are talking to each other using the bittorrent protocol.

  6. Everyone is missing something important. Unless the German company tapped the ISP’s line, the Pcap files just show packets between the defendant’s IP address and IPP’s machine. Before even looking at the files, tell me what port you connect to on my machine. I’ll look at the files later to determine if what you said you saw my machine do is present in the traces.

    • This. The only way IPP can have packet data is if they either intercepted it, which is a crime if you aren’t the NSA or GCHQ, or they were the sender/receiver and were running a honeypot. Seeing as copyright trolls aren’t spooks, they are running a honeypot. That is the only way they could have this data.

      Every filing I’ve ever read dances around this with technical mumbo jumbo that doesn’t actually mean anything…

      • That’s not true, and they don’t need a honeypot in order to do it. If they can find a torrent on tracker site for one of their movies then all they need to do is use a bittorrent client to connect to that torrent. Once connected, the bittorrent client will set up direct connections to anyone in the swarm that is exchanging packets. This activity can be logged very easily and doesn’t require any NSA level snooping or wire tapping.

        • This is the definition of a honeypot… They don’t need to be the initial seeder, just part of the swarm. Their client will send block requests, and clients who have those blocks will send them, with all client to client communication logged – in other words, a honey pot. Since most users are leeches, the fact that they never share back won’t really trigger any warnings to the sharing clients.

  7. Given the non-centralized nature of a swarm, how can they capture all the packets in a swarm unless they have a honeypot? And perhaps it would even be impossible if they had a honeypot as uploads and downloads could occur between IP addresses via internet without going through their server.

    One of the videos probably could be downloaded in 15 minutes, so all of the PCAPs should be on one tape (two at most). A WORM tape is write once, read many times. So there is no reason, they can not furnish an exact duplicate of the tape for around $30 each.

    Where there is smoke, there is fire. For the Plaintiff’s attorney to claim this costs tens of thousands of dollars is a whole bunch of smoke.

    I also wonder if the PCAPs might indicate whether IPP is hosting and seeding the movies?

    • They can’t get all transactions, period, and can’t get everyone’s IP within a swarm without some shenanigans. Eventually, once enough people have a complete copy, they may not receive any connections. However, if you are the seeder and the only person with a 100% copy, you can prevent everyone else in the swarm from having a complete copy, thus forcing them to connect to you at least once.

      Chances are, to maximize the number of IP addresses they captured – they were the original seeder in addition to it being a honeypot.

  8. If IPP is the former Guardley Ltd, they never hired a single person with a computer science degree, forensic background, etc. And the German Court found their technology/methods unreliable.

    If IPP can do as they or the Plaintiff’s attorney claim, and prove without a doubt that a film was copied via bittorrent, then why aren’t major players like Disney, Sony, MGM, etc. in the movie and record industry using them?

  9. Keep in mind that Collette testified to Judge Baylson that she was finding it more and more difficult to make a profit and competitors were going out of business because of piracy. About a month later she buys a $16 million mansion.

    What a wonderful opportunity for IPP to advertise their abilities. One would think they would provide the conclusive evidence free of charge with the expectation that every film producer would beat a path to their door. Why settle any of these cases for chump change when they can win every one? Yet they haven’t gone to a single full trial with a jury.

  10. The honeypot was admitted to in the 2011 cases. Also, even if they are joining a swarm, they are also seeding while leeching, so therefore honeypot. Not illegal, as neither is a cop dropping a wallet and busting you for picking it up, despite intention.

    • Might not be illegal but, an agent of Malibu Media distributing copyright material means it is no longer protected by copyright law.

  11. Take note everyone:

    Excipio’s Contact Info:

    Excipio GmbH
    Karlstrasse 49
    76133 Karlsruhe

    Phone.: +49 (721) 354 801 – 00
    Fax: +49 (721) 354 801 – 10

    IPP Job Posting: **Note: this posting has now been deleted, but I do have a copy of the .html page and source code.**

    Linux Administrator / Programmer, full time. Place of work: Karlsruhe, Baden
    IPP Int. / System planner and system analyst / Baden-Württemberg
    Please note that the application deadline has passed.

    All jobs for system planners and system analysts in Baden-Württemberg
    All jobs at IPP Int. in Baden-Württemberg

    IPP Int. is tailored to the needs of companies in the software and entertainment industries. The basis of our portfolio is our in-house developed software together with our global Internet infrastructure. We are the perfect partner for comprehensive protection of digital content of every kind. By combining various methods and techniques we achieve unprecedented coverage and comprehensive protection of software, films, music, images and texts. From downloads to illegal sales, our investigations cover every area. The effectiveness with which we operate and combine our products allows us to offer our services particularly cost-efficiently. Our offer: a future-proof position in a highly motivated team and an interesting field of work. Your task: server administration and script programming; MySQL database and VMware ESX Server. Your profile: you have extensive knowledge in the following areas: handling Linux operating systems; administration of MySQL databases; SQL; PC and network technology; script programming (if possible Perl). Optional knowledge: web programming (PHP, HTML); Windows programming languages (C++, VB). Required attachments: CV, references. Knowledge and skills: operating system LINUX; database MySQL; database SQL; PC technology

    Published on

    E-Mail <—— Guardaley sound familiar?

    +49 721 66800093

    Am Hubengut 8, D-76149 Karlsruhe, Baden, Deutschland

    Further information
    Jennifer Cindori

    How to apply
    by email

    Please note that the application deadline has passed.

    Jennifer Cindori: Linked In Profile

    Title: Assistant Guardaley

    Some sort of lookup site: Jennifer Cindori

    Notice the IPP Ug, and IPP int.


    I want my field day with this total lie, but I have to go to work tomorrow.

    I’ll start with Section II, “Factual Background”, Subsection A: “The data evidencing infringement is not capable of being manipulated by humans”. Hint: if you believe that, I have a bridge you might want to purchase, in Brooklyn, NY! Anybody can make up one or more CD-Rs or DVD-Rs with a bit pattern on it showing that Collete Field has been bit-torrenting illegal copies of her supposed favorite movie (probably “Total Recall”), but that doesn’t mean it ever actually happened anywhere except in my computer’s overly fertile imagination.

    And the longer that data stays only in IPP’s possession, the more likely it has been “scrubbed” to remove evidence implicating the guilty or adulterated with extra “facts” to implicate the innocent.
