Thursday, March 01, 2007

Deposition of RIAA's Expert Available Online

The transcript of the deposition of the RIAA's expert, Dr. Doug Jacobson of Iowa State University, taken in UMG v. Lindor on February 23, 2007, is now available online:

Transcript of February 23, 2007, Deposition of RIAA Expert Witness, Dr. Doug Jacobson, in UMG v. Lindor (Condensed format) (pdf)

ASCII text version of transcript

Deposition Exhibits:

Exhibit 1 (Press Release)*
Exhibit 2 (Press Release 4/21/04)*
Exhibit 3 (Article 4/19/04)*
Exhibit 4 (Article 4/21/04)*
Exhibit 5 (Article 3/3/04)*
Exhibit 6 ("DownloadData" text file from MediaSentry)*
Exhibit 7 ("Kazaa Overlay" Study by Ross, Kumar, and Liang)*
Exhibit 8 (Diagram LAN router NAT)*
Exhibit 9 (Pollution in P2P File Sharing Systems" Study by Ross, Kumar, Liang, and Xi)*
Exhibit 10 ("SystemLog" text file from MediaSentry)*
Exhibit 11 ("UserLog" text file from MediaSentry)*
Exhibit 12 (Screenshot from MediaSentry)*
Exhibit 13 ("Traceroute" text file from MediaSentry)*
Exhibit 14 ("UserLog (Compressed)" text file from MediaSentry)*
Exhibit 15 (Unsigned undated October 25, 2006, draft report)*
Exhibit 16 (April 7, 2006, report)*
Exhibit 17 (Handwritten notes, page DJ0067)*
Exhibit 18 (Handwritten notes on form)*
Exhibit 19 (November 17, 2004, Letter of Patrick M. Flahterty, "Designated Agent")*
Exhibit 20 (Resume)*
Exhibit 21 (Page from Encase web site)*
Jacobson 2003 Senate Testimony (Used for Questioning but not marked as exhibit)*

* Document published online at Internet Law & Regulation

Commentary & discussion:
boing boing
Daily Irrelevant
Privacy Digest
Tech Republic
McGrew Security

The above donation button links to a PayPal account established by Marie Lindor's family for people who may wish to make financial contributions to Ms. Lindor's legal defense in UMG v. Lindor. Contributions are not tax deductible.

Keywords: digital copyright online download upload peer to peer p2p file sharing filesharing music movies indie label freeculture creative commons pop/rock artists riaa independent mp3 cd favorite songs


Alter_Fritz said...

so what do I as a layman get from this deposition?

1) this by RIAA designated expert is just a "wannebe engineer" without any formal qualification to hold a title of Engineer.

2) he has no knowledge with regards to many things or can't recall if he had in the past

3) even though he has a higher education then me, his english vocabulary is as limited as mine (I needed to look up too what (to) inculpated and/or exculpate means)*

4) Although his vocabulary seems to be limited, it seems he likes to answer simple yes or no questions in lenghty details to obfuscate the plain answer

5) in all those ~20000 cases from RIAA so far their expert has never seen a judge before!

6) New York is not Denver! ;-)

7) even in his profession as an "HDD-expert" outside of the RIAA framework, this guy NEVER EVER testified in front of a judge or a jury. (I like to refer to him from now on as the "Trial-virgin")

8) Trial-virgin did not use the latest software from the IMO leading forensic software manufacturer that is available. His knowledge in doing this kind of work might be very limited since he did not even has analysed more then half a dozend HDD's

9) He knows effectively nothing personly about the actual "catching" of alledged copyright infringers. His whole analysis and declarations are more or less therefore based on hearsay information from the third party MediaSentry.

10) While he did use that forensic examination software with which he found NO evidence of any filsharing at all, he did NOT created ANY kind of report with that software at all!

11) on page 116 in his answer line 6 to the question line 3 he did not tell here the truth or he did not tell the truth back in front of this comitee back some years when he described that he put up a file on a p2pnetwork and while searching for it back, he found pornography under the filename he searched for. So in my layman understanding one of those 2 must be a lie or a madeup of a story if you like to call it with such limited english vocabulary like mine or his ;-)

12) He still don't know anything about anything in connection with the association of an IP address to an subscriber on the ISP part or on MediaSentry's part in the "investigation" he will testify about at trial.

13) He knows about Solitaire and has a believing about the functionality of that program.

and last (but probably not the least of this "expert")

14) he states that a professional in the field of computer forensics would agree with him that it is OK how he conducted his forensic examination without ANY record keeping of what the examination software produced while he used it! (and EnCase is extremely powerfull in record creation if I understand the companies sales information and adverts corectly)


Ray, please correct me if any of the above stated inpressions I got from reading this transcript would differ from impressions I would have got if I could have watched that deposition in person.

Ray Beckerman said...

Dear alter_fritz,
Remember (1) the RIAA reads this blog and (2) the case is still ongoing. So I can't engage in a 2-way dialogue with you about details.
All I can say is that the deposition is basically the same in the transcript as it was in person, and it corroborates the fact that the RIAA has no case.

Igor said...

What's the point of all the foundation objections? Can they be used later on?

It seems weird that he would say: "The computer whose IP address who has been identified as belonging to Marie Lindor made copyrighted material available through peer-to-peer software -- made the material available through peer-to-peer software."
Since it's more likely that multiple computers share an IP these days rather than just one. This seems like perfect fodder to cross this guy on in a trial.

Also, was he coached? It seem really odd that to this question:

"Q. Hypothetically, had you discovered KaZaA software and song files or remnants of KaZaA software or song files resembling those that had appeared in a screen shot, would that have tended to support a finding that she had downloaded or uploaded copyrighted files?"

He answered:
"That would have supported a claim that that computer was used to make files available."

"Make files available?" Seems like borrowed language.

Also, where can we find this traffic capture log that Jacobson used to determine that the private/public IP as he claims was the same.

I would also request a sample log where they are not the same just as proof that what Jacobson said is actually true (and maybe try to duplicate it)...I work in networking and that doesn't quite jive...though I don't know the specifics of how Kazaa works.

Also, if he testifies she owns two computers and no router, does she physically unplug each one from the internet when she wants to use another one?

In a trial, wouldn't RIAA have to call someone from Verizon to authenticate the document with the IP address?

Igor said...

One other deposition question: What does IPV6 have to do with this? IP addresses in the form are not IPV6.

Scott Ferguson said...

I'll leave the deep analysis to the rest of the community, but a couple things jumped out at me:

Dr. Johnson asserted that you could identify a router by its internal IP address beginning 192.168.nnn.nnn . It is true that this is the a router's default setting. However, any modern router can be easily configured to change the internal IP address to something else. In fact, when I set up a home network years ago, a friend who is an administrator at a local college told me to change this IP address so that it could not be identified by a hacker as a router.

Likewise, most modern routers for home use have a "MAC address spoofing" configuration, enabling multiple computers or other devices on the router to appear as if they have a single MAC address on the network. This feature is intended to circumvent the single-device requirement that some high speed internet providers used to have.

Dr Johnson's lack of professional certification is a BIG strike against his testimony. In my opinion, he should not be calling himself a software engineer.

He seems to have a strong interest in computer security, but it also seems to me that when it comes to forensics, he is out of his depth.

jaded said...

There are some aspects of Dr Jacobson's testimony that I find confusing and troubling.

A computer has no knowledge of public vs private IP addresses. Whether it received its IP address from a local DHCP server, a remote DHCP server or it was hard-wired, all it knows is that that is the IP address to use to communicate with others. If the computer is on a private network behind a firewall, it is likely that it will be using one of the designated private IP addresses. This doesn't have to be the case, however - the network administrator can use ANY IP range they want to on the private side (even ones that potentially conflict with other publicly used IP ranges) as the address never leaves the private network . In the case at hand, there is nothing to preclude me from setting up a firewall DHCP server to assign internal addresses in the 141.155.57.XXX range which could easily result in a computer behind that firewall having an address of Confusing? Yes. Doable? Yes. All that is important is that that computer be able to communicate with that firewall (i.e., NAT device). They can use WHATEVER IP address they want to as long as the right subnet mask is used and the address of the NAT Gateway/Firewall is known.

Regarding the existence of the same IP address in the registry as was in the Kazaa packet: all that one can say is that, on the day the hard drive was taken out of the computer, that was the IP address that it had been assigned by the DHCP server it queried. It says nothing about the configuration on the date that the alleged infringement occurred as that is information that I don't believe the registry keeps (i.e., all previous IP addressess assigned to the computer for any designated time period). This is essentially a log that OS's simply don't need or keep. There is no way of telling WHAT the configuration was on the day that MediaSentry made a screen-capture of whatever they did. That information would have long disappeared from the registry through daily use and possible network reconfiguration.

I've not used Kazaa, so I can't say for sure, but in a configuration where Kazaa is running on a computer behind a firewall, there is no purpose served for the Kazaa app to send out the local IP address. What it needs to send out is the IP address to get back to that computer (which in the case of a firewalled computer is the IP address of the network device functioning as the firewall). There is also a port address that is sent out in addition to the IP address. This information allows the firewall to be configured to forward a packet addressed to that port to the right computer on the private network (port forwarding). There are only two ways an app running on a computer behind a firewall can know what the firewall device IP address is: having it be manually entered into configuration data for that app or have the app send a msg to a know web address that will return the IP address of that private network. I know that on other P2P software that I have seen, one must manually enter the IP address that you want inbound traffic to use (it isn't dynamically determined).

Ray Beckerman said...

Good comments.

I will be posting links to the exhibits, too.

Igor said...

Actually jaded, the computer may have some information about past IP addresses in the event log under the category of DHCP (at least XP pro does). It would list the times it failed to renew or there was a problem with the network and list the IP addresses.

Ray Beckerman said...

There's something wrong with I'm having trouble making changes to posts. As soon as it gets straightened out I'll have the links to the exhibits posted.

Meanwhile, the exhibits are available online. Just follow this format:

Go here for exhibit 1: JacobsonEx1

Just change the exhibit number for any other exhibit.

Igor said...

Is the packet log (exhibit 6) edited? It looks like some of the text in the log was altered.

For example:
[MediaSentry IP Address] and [MediaSentry Username] appear instead of the actual Address and user name. This shows that the log has been altered and that it's really easy for them to alter it (since it's a text file after all).

Also this log is's much easier to append to the bottom of a log file than to the top (programatically speaking)...this tells me they cut and pasted to get the log into the shape it's in which means there's an original out there somewhere (with possibly more information). (And the fact that the spacing is irregular between entries means a human did this and not a script).

Also this is just them getting a file list from user jrlindor not actually downloading any songs (no cable or dsl connection can upload files that fast and I doubt kazaa sends this much information in each packet with the file). So the question is, is there any proof they actually downloaded the in can they produce the files they downloaded?

Also, I haven't read up much on how Kazaa works, but the fact that the supernode is different in many of the packets seems suspicious.

AMD FanBoi said...

Even if Kazaa had been discovered on Ms. Lindor's computer, that is not evidence that anyone ever went on-line with it, which is a necessary component of any downloading, uploading, distribution, sharing, or anything else with *that* particular computer.

And this guy has clearly been either deposed before, or coached on how to respond to deposition questions.

By the way, just how is a computer "registered" to an IP address? And how is it "registered" to an account, and how is it "registered" to Marie Lindor? A hundred computers, at different times, can all use the same IP address. They just can't use them all at once. This term "registered" is *not* a normal term used in computer operations to my knowledge, and its usage here seems to imply that somehow one computer, and one computer only, is literally handcuffed to this IP address, and can be proven to be that computer afterwards. That's garbage. He's asked you to define several words, Ray. Next time ask him to define "registered". That's got to be different than "has used this IP address," which would be more accurate. And don't let him throw out the term "computer registry" in defense of using the word "registered". A Windows computer's "registry" has nothing to do with registering anything. It's simply a synonym for a simple database of settings and values that programs can set (store) and access (retrieve) later. We're not "registering" guns here, or anything.

One thing that's very curious here is how Audible Magic can detect and block a transfer of copyrighted material in its database. In order to determine that an entire song is in the file, as opposed to a fake file that may contain the same 30 second or shorter snipped looped (repeated) again and again to reach the proper length of the real song, I would think it would have to read the entire file. Yet this file is being transmitted from one computer to the other only once in the process. Does AM buffer the entire song and determine it it's in its database, or just look at a few seconds that would give false positives? This isn't explained. In a P2P system, in order to read and buffer the entire song, it would have to interpose itself between the sender and receiver, and hold that entire song until it verified its status, then pass it along. A P2P system user, expecting their downloads to start immediately and take from minutes to hours, would certainly not put up with such delays, so how can AM actually detect and block transfers?

Btw, how is this guy such an expert on Kazaa if he didn't use it extensively himself first? He says he researched Kazaa along the way. Since all use of Kazaa is illegal by fiat of the RIAA, is this guy an infringer too?

Also, since Media Sentry has already told him this "registered" computer is guilty, isn't there an obvious bias to believe evidence simply has to be there somewhere?

On page 83 (or 85, both numbers are present) you totally have the guy. He said: "coupoled with the information compiled by defendant's ISP to demonstrate the defendant's internet account and computer were used to download and upload copyrighted music..." This implies that IP address and computer are irrevocably bound (handcuffed) to each other. THIS IS NOT TRUE, and he cannot prove otherwise. Any number of computers could have been linked to that IP address, with none of them belonging to the defendant. You clearly have pointed that out a couple pages later. This guy has been making unwarranted conclusions and claiming them as immutable facts.

Then on page 88 (or 91) he maintains that the detected computer had to be "in the presence of the defendant." He can say there was a computer at the end of an IP address that led somewhere. But how can he claim that the defendant was actually present at the time detected? Obviously he can't, although he claims he can. Unless he was peeping on her...

On page 95 this Engineering professor is now an expert in probability and statistics. He states, with no facts that I can see to support it, that "there is a high probability that songs were actually uploaded from that computer." He know this how? He's not even found the proper computer to examine, but knows with high probability that it happened. Guys like this drive me nuts.

I see in page 96 you finally start questioning this issue of the computer itself being "registered".

Regarding his contention that IP addresses "prove" no wireless router was in use on this computer, you need to ask him what addresses would appear for a computer placed in a router's "DMZ". That exposes a computer to the Internet much more than computer behind a router, and are often done by users when they can't get their computer to connect otherwise. He might be claiming that a "Gateway Address" was missing that is necessary for being behind a router, but I'm not seeing that here.

Hs spends time several places claiming that he looked at things himself, used them to arrive at his conclusions, but because he didn't document them afterwards no one else is able to review them. The discussion of the computer registry falls into this category, among other things.

Interesting on page 115 (119) they tell you that they don't have the registry entries, and that you should "produce them yourself" from your own image of the hard drive. Unless you can follow what the expert did keystroke for keystroke, it is very possible – even likely – that you won't get the same results he did. In fact, if you don't have his same exact expertise in going through this, you are not likely to be able to reproduce his results since his is an Engineer with a PhD in the computer technology area, and you are a lawyer.

Btw, MAC addresses are changeable, often easily. Routers offer this ability so that they can be transparently inserted into the network chain. This was to defeat ISPs who tried to tie their service to a single computer by it's MAC address. By changing the router's MAC address to mimic that of the expected device, many devices could appear to have that single MAC address.

Around page 126 he claims that he can determine if a wireless (or wired, I presume) router was used based on the IP address the computer is using. HOWEVER, what was on the computer hard drive the day it was imaged for examination bears no relationship to how the computer was connected the day (night) Media Sentry claims to have discovered it. Months, or even years, passed since then.

On page 138 (142) there's a reference to IPV6. That's Internet Protocol Version 6. Hey! We're still using IPV4, and were using IPV4 back in 2004. IPV6 is a whole different kind of bestie, and if he's talking about IPV6 then he's not talking about these packets.

zi said...

a couple of facts:

1) Prof. Jacobson has no professional accreditation as an engineer

2) whatever forensics techniques he used, he did not follow proper procedure as per Guidance Software's website flowchart. He did not document his findings.

3) when asked how he was certain that the IP address purported to have belonged to Ms Lindor indicated that it was not a wireless router, Jacobson was unable to give an answer that made any technical sense.

Ray Beckerman said...

OK Folks. got fixed. The links to deposition exhibits are now in there.

Anonymous said...

ray, computers are stupid. they don't understand if there are s p a c e s in URLs that are not masked like in Alter_Fritz with an _ for example
the first 9 exhibit links you made show that problem of unmasked spaces and therefore give error if user does not remove the spaces by hand in the URl.

Alter Fritz ;-)

Michael B said...

As a computer expert myself, my impression of this expert is that he did not answer impartially.

To conjecture, I would say they feared committing to an answer because a follow-up expert could either destroy his logic (quite easily because he was asserting things in the report not substantiated by any evidence shown) or he would have to fess up and admit his client has no actual case.

Alter_Fritz said...

maybe i didn't understand the lines correctly, but i read that the times stated in EX10 are the times between the downlaods. so how do you download for example an allegedly copyrighted complete mp3 file owned by plaintiffs in 42 seconds form only 1 computer back in 2004?
seems to me MediaSentry did NOT made sure to download only from 1 computer data?

StephenH said...

It Odvious that Richard Gabriel admits what was admitted by Gary Millian. His answers, many of them questions objected to, odviously admit that IP addresses and times don't prove indentity. The arguements about Routers, Wirless Devices, Decoy Files, etc are valid. I think he may be afraid of the judge ruling that spy bots could become useless, or possibly the defendant could win this case.

I am a computer Science major, and many of my professors, including the one who teaches Client / Server Programming, admit the real facts that IP Addresses do not prove one's identity.

I personally beleive that using Spy Bots should be stopped, and REAL FORENSIC EVIDENCE be used to determine if one is guilty. I personally think that they need to dust the keyboard for fingerprints, and see if there were any hairs by the computer and run them for DNA testing to prove who was in front of the computer in question.

I would only make CONTRIBUTORY liability for financial reasons a factor if the following occur:

* The person alleged is the Spouse or Doemstic Partner of the person paying the bills, or vice versa. This follows the law of marriage.

* The parents of a child accused of infringement could be held financially liable, if the state they are in holds parents liable for the actions of minor children.

In other cases, I beleive liability should follow the USER, not the internet connection, similar to how rental cars work in regard to accidents.

The cases below DO NOT PROVE MARRIAGE OR OR JOINT LIABILITY FOR INFRINGEMENT, and therefore should follow the user:

* NAT Translation

* Using a friends computer

* Computers with more than one user

* Anyonymus Strangers on Open Wireless

* Users Behind a Proxy Server

* Using a connection in a public or semi-private enviornment that is temporary use, such as:

- Connecting to a connection from a friend or co-workers house

- Using a docking port or wireless network in a classroom, airport, library, coffee shop, hotel, motel, conference room, school, or other place where no fee is charged.

Alter_Fritz said...

OK, I know you americans have a "strange" way to label dates. while we germans do it day/month/year, you do it differently.
Me now wonders. couldn't the reason that "Trial-virgin" did not find any KazaA traces simply be that they mixed up day and month and simply get totally wrong infos from the ISP?

The -oviously to obfuscate the MediaSentry IP (EX13) manipulated exhibit 10- shows the time in the form 8/7/2004 while exhibit 19 the ISP answer uses the form 2004-08-07. Maybe a misunderstanding what is month and what is date? Oviously "engineer's" handwritten exhibit 18 suffers the same error.
Maybe just some miscommunication, but why for example does the ISP has no records for alledged eight (8) other IP adresses/times then!

Ray Beckerman said...

1. igor, the "foundation" objections were totally bogus and just a waste of time... there is no basis for making those objections... either he doesn't know much about litigation, or he was being a wise guy... you be the judge...

2. there were a lot more interesting things about the answers than the 14 alter_fritz is pointing out....

3. scott, yes he is out of his depth...

4. jaded, just some you found confusing and troubling? i found hundreds...

5. igor please elaborate on how you can tell the packet log is edited?

Igor said...

The reason I say the packet log seems edited is:
a) anywhere it says "[MediaSentry IP Address]" it should be some number and anywhere it says "[MediaSentry Username]" it should actually be a username (like jrlindor except it would be the one they used.) If they were using any packet capture program (like tcpdump or more likely one for windows like windump) it would not edit those two things (or any other things). Instead it would report them either to the file they specified or to screen. I would find out which program they used for that so we can test it and see how it reports. Either way, unless they modified the source code of some packet dumper to automatically edit out those two fields in the packet they would have had to do post processing to edit this out. My guess is they have a post processing script that goes through the packet log to remove those two fields.

b) A raw packet log (from my limited experience with them) is no where near that formatted or pretty. You need a program like Ethereal to actually view and export the packets like that (or you could probably write a script to do it too, depending on how their capture program writes out the packets).

c) By default no packet capture program captures just Kazaa packets. It would capture all the packets unless they used and defined a filter to filter out all other traffic. Or they could have post processed all of the other packets out. If you can, you should request the original tcpdump/packetdump file and have someone take a look at it. Also if you can, request to find out program they used for that, what filter, what post processing tools?

d) When you write out a file using most (all that I know) programs/programming languages the most recent entry is always at the bottom. This is done because it's much easier to write to the bottom of the file than to the top (like easier to add pages to the end of the book than the front b/c then you'll have to renumber the pages). It's not too hard to append to top but it would take extra code to do it and most likely done in post processing. (Notice how in the download log the time stamps are increasing while in Exhibit 6 the timestamps are not in any particular sequence...this implies someone collating them to put similar items together).
e) The spacing between packets is not uniform. Sometimes there are more blank lines than in others. A computer would be consistent.
--On a separate note
a) Exhibit 10 log is cut off, is there an original somewhere?
b) I can write a script that generates that log, I think you should request the packet capture during the download. That will show every single packet from the files they claim they downloaded. Otherwise what proof is a file that says "download complete" if you can't even examine the program. A packet log of the file can still be faked but it's much, much harder since you could write code to reconstruct the file from the packets (likewise, you could probably write code to deconstruct the file into packets but I doubt at this exact point the RIAA has that, also they'd need the original file for that). If I were a lawyer though (hopefully one day I will be), I would argue that without a packet dump of the download and the downloaded file there is nothing showing they actually downloaded.
c)What exactly does compressed mean in Exhibit 14? Do they mean condensed? How was it condensed, what software did they use?

d)alter_fritz made an excellent point about the download speed. Both comcast and Verizon have limited upload speeds. For instance my home connection can upload 45k/s. I've heard Verizon can do 128k/s up (not sure if it's kilobytes or kilobits...bits would obviously be slower). If you can, ask Verizon what the upload speed in kilobytes was for your client was. But doing some quick math: Next - Butter Love.mp3 was downloaded in 42 seconds (compared to Clipse... which was downloaded in 18 minutes?) It's file size is 3,539,453 bytes. So 3,539,453/42 is 84,272.7 bytes. Which is just over 82kilobytes/second. That's really fast for a cheap consumer internet DSL connection...I really doubt it was that fast. Better example is Marriah and Boyz songs downloaded in zero time.

The problem with that log is it doesn't have start times so you assume the download started when the previous one finished though I bet they started much earlier (which is why you need the packet dump I mentioned earlier). I'm thinking the first line of 10 6:12 timestamps is when the download starts or is requested (which means it actually took about an hour to download them all together and they were going simultaneously). Then again, the file list was request at 6:12 (exhibit 11) so maybe the downloads started at the times the first packet is asked for in exhibit 6. (This again brings us to the question of what does 6 show? and who edited it).

I think I've rambled a little to much on these (IMO worthless) logs and I have 1 last question..what does the number 6190165 stand for? It's appended to every file name in the header of the logs. Can you find out what it means (probably not important but its too big to be an id number, or if it is have they really found 6 million unique people?) and Can you request the original text files and not the pdfs?

Anonymous said...

Some expert you have there, even nontechnical people could read it and see the way he dodged the questions or twisted them.

You know what he's saying is BS. He contradicted himself on so many occasions, not small slipups. And how does an "expert" not see a judge before now?

No documentation. Yikes.

Anonymous said...

a million computers can all be assigned the same IP address at the same time with the same ISP. the packets might not route properly, but it can happen.

I used to own a range of IP's reserved just for me by my ISP. I found other people using my IP's all the time. when they used my ips, it conflicted with my computer use... they'd get some of the packets until the mac address updated on the ISP's router / gateway. the only thing I could do is complain, because they can't force someone to change an IP.

I used to scan the available IP's for my ISP to see which ones were free, in case I needed an extra one, even though it might be assigned to someone else.

take any network, wired or wireless, dchp or static, and you can have multiple customers assigned and using the same ip at different houses / buildings. all the packets would get routed to the machine/router whose mac address was last updated in the caches.

Anonymous said...

You might want to check out this product before you even think anyone could tell anything about something being a router or being routed. I’m not saying they used it, but it says a great deal about his understanding of everything that one might do to “rout” the internet to other devices, and how likely it would be for anything to be able to pick up the router designed to get around such limitations as ISP’s have been known to arbitrarily concoct (like need a separate account for every computer – why I used it at my home for years until our cable company finally stopped being moronic and let us use the internet account for the whole house and the cable modem was mac-tied). While they don't make it anymore, and Symantec killed what was left of them, it was the popular solution prior to internet sharing being built into everything. We used it all the time back with NT4 and win9x. As it shared a computers internet to the rest of the network through any workstation\server, all the ISP ever saw was that computer - but every computer behind it was being routed through it. Only way to get internal DSL modems to be routable back when they wanted to sell IP’s instead of letting you rout. And most servers today are more then capable of routing, as is "windows internet sharing" - it's routing. I'd seriously question this mans understanding of what all of us techs do in the field - and that includes all our friends and families homes. Homes have the same issues as any small office that wants to have more then one person on the internet at a time.

In the end I'd just have a hard time believing him if I ran into him in the field and he tried to blow some of that thinking my way. I'd just go "dude, you really don't get this stuff very well" and go finish what I was working on.

Anonymous said...

Noticed this section about someone using the conection while they visited...

Pg 89

A. The scenario you laid out. If the
21 ISP allowed multiple IP addresses, then it would
22 have associated an IP address with that particular
23 device.

What multiple IP addresses? My Uncle unplugs my mother and plugs in his laptop every time he visits. Thy aren’t both on at once. I know several other houses that operate that way – especially a couple people I know who are still stuck on dial up – one gets on, then another. They all use the same account. My sister did that, and there where three computers connection over the course of the day.

By now I'd def. be telling him he's just way too funny and ought to go study some more.

booker said...

Dr. Jacobson ("DJ" to save typing) relies on the match between "KaZaa payload IP address" (aka "KaZaa IP") and "source IP address" (aka Verizon-assigned address) for several of his conclusions. Here are some things that would be interesting to look into:

(1) How do the two IP addresses differ under different network configurations? Can DJ specify the circumstances where the addresses would match, and where they wouldn't. Can he demonstrate that the addresses match under the network configuration he claims Ms. Lindor has, only under that configuration?

(2) How does KaZaa identify and report the computer IP address? Does this change from version to version of KaZaa software? Has DJ verified that KaZaa correctly identifies and reports the computer address under various network configurations? Can DJ verify that the KaZaa client in this case correctly identified and reported the computer address?

(3) DJ states that the "X-KaZaa-IP:" address reported by MediaSentry is the computer IP address extracted from the KaZaa payload. How did he determine that? Has he verified that MediaSentry correctly reports the computer address under various network configurations, specifically the one he claims Ms. Lindor has.

Michael B said...

I've had some time to digest this deposition since it was posted. Since then, my impression of this expert has become even more negative.

Even though I am uncertified in my field, I cannot imagine a time or place where I could be convinced to testify that the evidence plaintiffs present in this case clearly establish that defendant has violated plaintiff's intellectual property rights.

For Jacobson to call himself an expert and state under oath that the evidence supports the claim is mind boggling. I have to chalk it up to incompetence, because the alternative is just too troubling to even consider.

Ray, is it even necessary for defendant to bring in their own expert to rebut his testimony?

Going by my years of experience watching Law & Order, I would think the court can be moved to dismiss simply because of the way he conducts himself (e.g. decidedly non-expert, evasive, oblivious to scientific method, etc.) in the deposition.

Michael B said...

I'd like to address some questions raised in the comments as well:

"Also, if he testifies she owns two computers and no router, does she physically unplug each one from the internet when she wants to use another one?"

There's an endless amount of customization that can be done here. Multiple computers can use one IP address. One computer can use multiple IP addresses. Computers can SHARE a single IP address. One computer can act as a router for another computer. You could have computer A route for one set of IPs, computer B for a different set of IPs.

You simply cannot rely on IP addresses when you're looking from the outside in to tell you anything.

"In a trial, wouldn't RIAA have to call someone from Verizon to authenticate the document with the IP address?"

This is not reliable either.

When I worked at an ISP, my first job, we got law enforcement subpoenas probably once a month. They'd come in by fax. My boss did not want to bother the sys admin with these inquiries since they didn't earn us any money and his time was expensive, so he'd hand them to me, a spare tech support staff member. The subpoenas would list an IP address and a date. An approximate time if we were lucky.

When our software handed out IP addresses, it would record log entries that looked like this:

USERNAME has been assigned IP address 123.456.789.123 on DATE/TIME.

USERNAME has released IP address 123.456.789.123 on DATE/TIME.

There would be millions of lines like these across several hundred log files. What made this even worse to deal with was that for various obnoxious technical reasons, there would occasionally be no "release" record, and every so often if conditions were right, an IP address that was already in use would get re-assigned to someone else (chaos would ensue, most people solved the problem by rebooting, without being aware of what exactly was wrong).

Finding which account was using an IP address on a given date and time was a tedious, frustrating task. I'd be looking at multiple accounts for a single date/time window with no real way of telling them apart. If law enforcement was off by even a few seconds in the provided timestamp, we could theoretically identify the wrong person, and the odds only get worse if you go by minutes or hours. Sometimes the assign/release records would appear in different log files. Sometimes the logging software cut off the last few entries of a file it was rotating due to technical race conditions.

I could have also made legitimate mistakes. I did my best because I understood how serious it was, and I expressed reservations to my boss about my answers. I have no idea what he ultimately told law enforcement.

I don't imagine this process being better in a larger ISP like Verizon. It might be much worse.

Anonymous said...

I have not read all the exhibits, nor an expert, but here are 2 good questions:

1) Looking at the logs, can someone verify that the file size, song length and Quality (Bit Rate) match up.

2) If the RIAA really downloaded the music files from the defendant’s computer, if asked, they should be able to verify the type of MP3 encoder used and Bit Rate type.?

Here are some:

Constant Bit Rate Encoding
Average Bit Rate Encoding
Variable Bit Rate Encoding


Constant Bit Rate Encoding

Constant bit rate encoding is the standard method used by most encoders. With CBR encoding, the same number of bits are added to each frame of the audio data regardless if there is silence or a wailing guitar solo. This method is good to use if you need to predict the size of the encoded file. It is simply calculated by whatever bit rate you have chosen to encode with multiplied by the length of the song.

Average Bit Rate Encoding

Average bit rate encoding (ABR) lets you choose an average bit rate and the encoder adds bits where necessary.

Variable Bit Rate Encoding

Variable bit rate encoding (VBR) is a method that seeks to keep the quality of the sound file high throughout the encoding process. Software with this technology makes a decision when to add bits to the file if the stereo separation is ever too far apart, producing a much clearer sound. The end file size will vary after encoding depending on what decisions the software has made. Simple parts of songs, including moments of silence, will not need the same amount of bits as more difficult parts and VBR encoding is able to make an intelligent decision regarding where the bits are needed most. Use this method in encoding if you want the best quality possible and are not real concerned about the file size (usually pretty close to that of regular CBR encoding, sometimes smaller) .

Anonymous said...

I think that the first defense to verify that the *music file* in question actually contains the copyrighted music. Has this been done or at least attempted?

The data seen in the logs are mostly from the header of the MP3 file. Anyone can modify it or spoof it. Here is the MP3 header format.
Simple. There are also thousands of MP3 header writer tools out there any dummy can use.

If you can’t prove that the alleged copyright *music file* in question actually contains the copyrighted music, excluding header info, then you have no case.

Also, could someone point me to a document where the actual copyrighted music file was verified?

Stephen said...

No one knows what "inculpate" means -- it's a lawyer word. Why are people so antagonistic about higher education?

Anonymous said...

This guy wouldn't be allowed in court in Texas.

Computer forensics "expert witness" in Texas have to be licensed Private Investigators as well, and there are only about 12 of these people in Texas. The Professor wouldn't qualify--not even close, IMO.

I wonder if any of the Professor's "Rubber Stamp For Hire" reports have been used in any legal actions in Texas and if there use was legal?

Although it is obvious to all who have read the report, the Professor's appalling logic is too much to leave unmentioned. When faced with the fact that the hard drive does not contain the incriminating evidence he presupposed he would find he posits that it must not be the right hard drive, clearly indicating that all of his conclusions are based on the complete presumption of guilt of the defendant rather than any objective standard. It doesn't enter his mind (or at least his mouth or typing fingers) that the RIAA could be wrong and all of his conclusions reflect his total cognitive dissonance. He is a veritable "hanging judge" of an expert witness.

Imagine the Professor in a CSI lab:

"Professor, the DNA results are in. The bloodstains exclude the defendant and the news video shows her having lunch with the Pope at the time of the murder."

"Ah ha! Just as I suspected, you've brought me the wrong evidence! Now I'll go write my report indicating the defendant's guilt!"

--Well, he may not be that bad, but he certainly isn't in any way, shape or form objective.

Some may also have noticed that Mr. Beckerman clearly established via the Professor that the Media Sentry investigator clearly must testify as an "expert witness" because the techniques Media Sentry uses fall completely outside the scope of an ordinary user. (No ordinary user does packet dumps, etc.)

It is also especially interesting how long it took the RIAA to furnish the report considering the fact that it took only a few hours to make. I wonder how Mr. Gabriel justifies this delay, seeing as how his specific instructions to produce a "draft" report left him able to technically claim that the report was not finished, when in fact it actually was since there was no further research to do or analysis to be made.

Anonymous said...

Hi Ray, good to see you're getting into some of the meatier questions.

TBH, I really don't know why this Jacobson guy is even being called as a witness because he simply can't state anything with any kind of certainty. E.g.:

Q: If I gave you a piece of paper with the words "Marie Lindor was using Kazaa" written on it, would you say that Marie Lindor was using Kazaa?

A: Uh, based on the information provided to me, yes.

Seriously, sit down with all the crap that MediaSentry generated and a copy of Windows Networking For Complete Morons and in a few hours you could come up with roughly the same answers this guy did.

And the answers would still be as completely useless as Jacobson's.

Anonymous said...

Just thought up an example for explaining to a lay person (ie. the RIAA's expert) that an ip address doesn't equal a computer. If someone is found murdered on my front lawn, do the cops just arrest me and throw me in jail without any proof because it is my lawn so therefore I did the crime? That is almost the exact same thing as saying that illegal downloads coming from my ip address means that I am infringing.

Now for some general comments:
Whoever said that just because the software saw that it was possible to download the file doesn't mean that anyone had actually downloaded a copy is wrong. The Supreme court has ruled that even making copy written files available over p2p is infringement.

Igor is right about the censored logs and it is obviously done so people won't be able to block MediaSentry by ip or username, but I have to believe that they did turn over the unedited version (along with the raw dumps) of the logs to the defendants. If they didn't even I could knock that evidence out in a day.

It is great to see this transcript. I was starting to think that no one was ever going to win one of these lawsuits, in fact I was actually thinking of moving to a country with laws that make sense (unfortunately there isn't really anywhere to go). But seeing an "expert" get knocked out of orbit so completely by a lawyer who actually knows his stuff has restored my hope. Maybe once your done with this case you can keep the RIAA from extorting collage students.

virtualchoirboy said...

I've been reading through the comments and, like others here, question the download times. Igor was on the right track, but may have one point confused. Typically, speeds as reported by an ISP are in kiloBITS per second, not kiloBYTES (8 bits = 1 byte).

Using Igor's math of 84,272.7 bytes per second, that would mean that Ms. Lindor would have had to have an ISP upload rate of over 674kb/sec. I pay extra for a 3Mb/sec service and am capped at 512kb/sec upload. Either Ms. Lindor is paying for top tier DSL or there is a problem with the download.

Igor said...

Yeah, sorry at work we always deal with virtualchoirboy kilobytes/second and I don't spend a lot of time looking at exactly which units Internet providers use. As I said, 82kilobytes per second is awfully high for a commercial provider...I was judging it against speeds I record on my connection at home when uploading.

Ryan said...

Well above and beyond the points raised here there was one point that bothers me. The MediaSentry folks aren't going to testify as experts because Dr. Jacobson was the expert and he would be testifying. He even notes in exhibit 16 under conclusions paragraph 15 (I couldn’t find the link to the document handed to the court quickly but I believe it used the same language):

"I will testify to the procedures used and results obtained by MediaSentry coupled with the information supplied by Defendants ISP, to demonstrate the Defendant's Internet account and computer were used to download and upload Copyrighted music from the Internet using the KaZaA peer-to-peer network." (Emphasis mine)

However in the deposition he frequently states that he has no knowledge of the procedures used by MediaSentry. So nominally if I understand this the RIAA wants to enter evidence that no one will testify to the validity of. Specifically the procedure which has not (to the best of my knowledge) been approved by any US court. My actual knowledge of court rules etc being limited (although I’m well armed w/ hearsay and speculation :P) it seems a bit odd. I would expect that if no one will sit up there and even claim in any form of expert way that the evidence is valid, that would make it invalid by default? In another way if no expert can / will claim the procedures used are valid then they are at best rumor and hearsay and thus inadmissible with out even needing another expert to refute the validity. Then of course the RIAA would need to have a MediaSentry expert come in which of course they have already claimed they aren’t going to do, because if I understand it right that would give the Defense the right to see said procedures before hand and dispose the expert.

Ray Beckerman said...

michael b, "law and order" aside, there are many things we can do with this... it remains to be seen what we will do... if they're smart they'll just discontinue the case at this point before they get themselves into any more trouble.... dr. jacobson's testimony directly contradicts what he has previously said under oath and what richard gabriel has represented to the court....

anonymous, it was extremely improper for mr. gabriel to be withholding the undated unsigned october 25th report, and for dr. jacobson to be waiting to make sure it met with mr. gabriel's approval... jacobson is supposed to be the expert, not gabriel...

anonymous, glad this transcript restores your faith... by the way, i know of no instance of the riaa winning any fully contested case...

ryan, it's not so complicated as you think... the answer to the conundrum is simple... they're screwed...

Alter_Fritz said...

Ok, I know, me is definitely not the right guy to criticise anyones typos or syntax errors, but this one is just funny ;-)

Ryan wrote: "[...]the right to see said procedures before hand and dispose the expert."

I guess the RIAA-"experts" dispose* themself pretty well with what they do, No need to depose** them if the judges that have to rule are not computer illiterate and more like the "ipod-Judge"-Karas that is not technology ignorant


Igor said...

Was my post about edited logs clear to you?

Wanted to add one thing about the's clear its a pdf of a picture of the log not the text of it based on the fact that I can't select lines in it and the fact that there's a blackish background fill to the text (not sure where that would come from)

Ray Beckerman said...

Yes I did, igor.

Ryan said...

lol well I usually over think things so when I see something that looks too simple I think I must have missed something. Honestly though if I was spending as much money as the RIAA was I would at least find an expert who even if wrong at least sounded like he was on the up and up.

(and as for the disposed well I hate that, it looked wrong when I typed it and I couldn't figure out why at the time :P)

booloo said...

In reference to Igor's comments about the logs (in particular exhibit 6) being edited, I should point out that sanitizing logs is a fairly common practice in the security realm (e.g. when I need to provide logs to another site, I may intentionally obfuscate some of the information in the logs that isn't relevant or needs to be removed for privacy reasons).

In the case of MediaSentry, I suspect the reason they elected to elide their IP address(es) is because, if the addresses from which they survey the P2P landscape became known, their view of the world would likely change very, very quickly, and not to their advantage.

As for the format of the log, I assume that MediaSentry has their own customized software for generating said logs.

Igor said...

booloo may very well be right but from my slight familiarity with Rules of Evidence from college mock trial it seems like an altered log would not be admissible. After all if they edited the log in one way without telling anyone, who knows what other ways they modified the log. Hence the need for them to turn over unaltered originals. Who knows, maybe the left out "exculpating" packets :).

I would think the proper foundation would need to be laid for this before it's all the questions I asked about it earlier.

Plus if the plaintiff admits these documents under that Jacobson used to base his opinion on, then the defense can attack the documents to discredit Jacobson's opinion. If the documents are invalid so is his opinion based on them. If my memory serves correctly, rule 703 or something close to it says that this may be admitted regardless of that if it's reasonably relied upon by experts in the field and would help the jury reach an opinion about the expert's testimony. If it's an altered, fake or misleading log it can't be reasonably relied upon. But I'm not a lawyer just a wannabe so someone who knows more than me in this should explain this.

recordjackethistorian said...

ISP's frequently use MAC numbers to identify a particular customer's computer so that a MAX Id which I have given my ISP as belonging to my computer is attached to my account record and to the DHCP server which will then assign an address. This assumes several things,

1.) MAC addresses are unique (mostly they are),

2.)that they cannot easily be changed or that that knowledge is not pervasive. This dispenses with the need for a ID and password when you log into the ISP's network.

Now, should I be interested in hiding my identity on the internet (I AM NOT such a person!), and perhaps stealing a bit of someone else's bandwidth, I might take my router and change the change the MAC address from the hard wired one to that of another customer thereby hiding my identity and charging my bandwidth usage to another persons account.

There may be other obstacles I do not know about which ISPs use to prevent this type of criminal behavior, but this is a feasible way in which Marie Lindor's computer could be implicated in downloading copyright files to which she was not authorized. There is no way for Media Sentry to know if this was the case or not.

I do NOT recommend that any one try this, and I myself have never attempted this. Its simply a feasible explanation which accounts for everyone's story being correct as they told it.

There is little we know for sure about in life and even less we can be sure of on hte Internet!

a.k.a. RecirdJacketHistorian

Emils said...

Technically speaking, a DHCP lease (IP address being used by a particular computer) theoretically lasts:

a) the DHCP server policy expires the lease;
b) or some malfunction requires restart of either DHCP server or client computer.

However, even in the latter case, if the IP address is not explicitly released, the DHCP server may in some cases re-use the previous address, when the client comes online again.

Depending on the particular DHCP server software, it may well be also that recently-leased IP addresses are not being reused even after a release sent by client computer.

A decent computer forensic expertise should definitely study the ISP's DHCP server software, its configuration and typical operation. Even that may not be conclusive, but still it would be a step in the right direction.