One foot outside the law?

A few weeks ago, maybe even months, a summons was sent
to a court to find out who was using an IP address at a certain time,
all according to the IPRED law that has hit the nation of Sweden.
All in all, this was not too bad and seemed OK.

According to the Anti Piracy Bureau in Sweden, the server was
packed with pretty much every Swedish audiobook ever released, and
this was shared with the public, and so they acted on behalf of their
employers. Now, this is all well and good, but some new facts
have come to light. You see, if I set up a server that is totally
free to use, so that anyone could log into it without any password
verification, and then fill it with whatever copyrighted material I
can find, the APB can, and probably will, go over the server and then
drag me into court. However, if the server has any form of password
protection, a new problem rears itself and stares you in the face. Let me explain:

If the server was password protected, it was not made public to the
general populace. Hence, the subpoena is faulty in its initial phrasing.
Ok, so, you can rephrase that.

If the server was password protected, you need permission from
the server owner to log on. In other words he, or someone he appointed,
has given you your own personal login details.

If the Anti Piracy Bureau did not have their own password and user,
they either A: used an informer who had a password, who then sent
logs, screenshots and downloaded files to the Anti Piracy Bureau.
I want you to know that ANYONE who has the slightest interest
in computers can write a log that makes it look like someone downloaded
whatever file from wherever, be it a log or a screenshot.
Let me demonstrate.

Look at this image:
[Image: proof]

Now, before someone decides to find that torrent tracker, let me tell you this: A short lookup
will tell you that there is none there. What in reality is there is http://www.aftonbladet.se

You want more “proof”? Ok, how about a real FTP log? This log is what I actually did:

Status:    Ansluter till 192.168.1.103:21…
Status:    Anslutningen etablerad, väntar på välkomstmeddelande…
Svar:    220 ProFTPD 1.3.1 Server (Debian) [::ffff:192.168.1.103]
Kommando:    USER zutgorak
Svar:    331 Password required for zutgorak
Kommando:    PASS ******
Svar:    230 User zutgorak logged in
Kommando:    SYST
Svar:    215 UNIX Type: L8
Kommando:    FEAT
Svar:    211-Features:
Svar:     MDTM
Svar:     REST STREAM
Svar:     SIZE
Svar:    211 End
Status:    Ansluten
Status:    Hämtar kataloglistning…
Kommando:    PWD
Svar:    257 “/home/zutgorak” is the current directory
Kommando:    TYPE I
Svar:    200 Type set to I
Kommando:    PORT 192,168,1,100,13,44
Svar:    200 PORT command successful
Kommando:    LIST
Svar:    150 Opening ASCII mode data connection for file list
Svar:    226 Transfer complete
Status:    Kataloglistningen lyckades
Status:    Hämtar kataloglistning…
Kommando:    CWD haven
Svar:    250 CWD command successful
Kommando:    PWD
Svar:    257 “/home/zutgorak/haven” is the current directory
Kommando:    PORT 192,168,1,100,13,47
Svar:    200 PORT command successful
Kommando:    LIST
Svar:    150 Opening ASCII mode data connection for file list
Svar:    226 Transfer complete
Status:    Beräknar serverns tidzonsskillnad…
Kommando:    MDTM blogs.html
Svar:    213 20090515222120
Status:    Tidszonsskillnader: Servern: 0 sekunder. Lokalt: 7200 sekunder. Skillnad: 7200 sekunder.
Status:    Kataloglistningen lyckades
Status:    Ansluter till 192.168.1.103:21…
Status:    Anslutningen etablerad, väntar på välkomstmeddelande…
Svar:    220 ProFTPD 1.3.1 Server (Debian) [::ffff:192.168.1.103]
Kommando:    USER zutgorak
Svar:    331 Password required for zutgorak
Kommando:    PASS ******
Svar:    230 User zutgorak logged in
Status:    Ansluten
Status:    Påbörjar hämtning av /home/zutgorak/haven/blogs.html
Kommando:    CWD /home/zutgorak/haven
Svar:    250 CWD command successful
Kommando:    PWD
Svar:    257 “/home/zutgorak/haven” is the current directory
Kommando:    TYPE I
Svar:    200 Type set to I
Kommando:    PORT 192,168,1,100,13,52
Svar:    200 PORT command successful
Kommando:    RETR blogs.html
Svar:    150 Opening BINARY mode data connection for blogs.html (6350 bytes)
Svar:    226 Transfer complete
Status:    Filöverföringen lyckades

Now, this is in Swedish, but still, it's easy to understand if you read FTP logs on a fairly regular basis.
Let's change this a little. Note that I use the same “movie” again in this log just to keep it consistent:

Status:    Ansluter till 192.168.1.103:21…
Status:    Anslutningen etablerad, väntar på välkomstmeddelande…
Svar:    220 ProFTPD 1.3.1 Server (Debian) [::ffff:192.168.1.103]
Kommando:    USER zutgorak
Svar:    331 Password required for zutgorak
Kommando:    PASS ******
Svar:    230 User zutgorak logged in
Kommando:    SYST
Svar:    215 UNIX Type: L8
Kommando:    FEAT
Svar:    211-Features:
Svar:     MDTM
Svar:     REST STREAM
Svar:     SIZE
Svar:    211 End
Status:    Ansluten
Status:    Hämtar kataloglistning…
Kommando:    PWD
Svar:    257 “/home/zutgorak” is the current directory
Kommando:    TYPE I
Svar:    200 Type set to I
Kommando:    PORT 192,168,1,100,13,44
Svar:    200 PORT command successful
Kommando:    LIST
Svar:    150 Opening ASCII mode data connection for file list
Svar:    226 Transfer complete
Status:    Kataloglistningen lyckades
Status:    Hämtar kataloglistning…
Kommando:    CWD moviez
Svar:    250 CWD command successful
Kommando:    PWD
Svar:    257 “/home/zutgorak/moviez” is the current directory
Kommando:    PORT 192,168,1,100,13,47
Svar:    200 PORT command successful
Kommando:    LIST
Svar:    150 Opening ASCII mode data connection for file list
Svar:    226 Transfer complete
Status:    Beräknar serverns tidzonsskillnad…
Kommando:    MDTM moviez
Svar:    213 20090515222120
Status:    Tidszonsskillnader: Servern: 0 sekunder. Lokalt: 7200 sekunder. Skillnad: 7200 sekunder.
Status:    Kataloglistningen lyckades
Status:    Ansluter till 192.168.1.103:21…
Status:    Anslutningen etablerad, väntar på välkomstmeddelande…
Svar:    220 ProFTPD 1.3.1 Server (Debian) [::ffff:192.168.1.103]
Kommando:    USER zutgorak
Svar:    331 Password required for zutgorak
Kommando:    PASS ******
Svar:    230 User zutgorak logged in
Status:    Ansluten
Status:    Påbörjar hämtning av /home/zutgorak/moviez/Tropic Thunder [2008 DVD5 Retail].iso
Kommando:    CWD /home/zutgorak/moviez
Svar:    250 CWD command successful
Kommando:    PWD
Svar:    257 “/home/zutgorak/haven” is the current directory
Kommando:    TYPE I
Svar:    200 Type set to I
Kommando:    PORT 192,168,1,100,13,52
Svar:    200 PORT command successful
Kommando:    RETR Tropic Thunder [2008 DVD5 Retail].iso
Svar:    150 Opening BINARY mode data connection for Tropic Thunder [2008 DVD5 Retail].iso (41237278 kilobytes)
Svar:    226 Transfer complete
Status:    Filöverföringen lyckades
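
Added example, not part of the original post: the edited log above still contradicts itself in two places, and a short Python check finds both. The function name, the sample excerpts (copied from the two logs above) and the rule that transfer sizes are reported in bytes (taken from the genuine log) are assumptions of this example; a log that was edited consistently passes these checks.

```python
import re

CWD_RE = re.compile(r'^Kommando:\s+CWD (/.*)$')   # absolute-path CWD only
REPLY_RE = re.compile(r'^Svar:\s+(\d{3})[ -](.*)$')
PWD_RE = re.compile(r'^["“](.+?)["”]')            # 257 text, straight or curly quotes
SIZE_RE = re.compile(r'^Opening \w+ mode data connection for .+ \((\d+) (\w+)\)$')

# Excerpts copied from the two logs on this page (genuine first, edited second).
GENUINE = """\
Kommando:    CWD /home/zutgorak/haven
Svar:    250 CWD command successful
Kommando:    PWD
Svar:    257 “/home/zutgorak/haven” is the current directory
Kommando:    RETR blogs.html
Svar:    150 Opening BINARY mode data connection for blogs.html (6350 bytes)
"""
EDITED = """\
Kommando:    CWD /home/zutgorak/moviez
Svar:    250 CWD command successful
Kommando:    PWD
Svar:    257 “/home/zutgorak/haven” is the current directory
Kommando:    RETR Tropic Thunder [2008 DVD5 Retail].iso
Svar:    150 Opening BINARY mode data connection for Tropic Thunder [2008 DVD5 Retail].iso (41237278 kilobytes)
"""

def find_inconsistencies(log_text):
    """Return (line_number, message) pairs where the log contradicts itself."""
    findings = []
    pending = expected = None   # CWD awaiting its reply / directory a PWD must report
    for n, line in enumerate(log_text.splitlines(), 1):
        line = line.strip()
        cwd = CWD_RE.match(line)
        if cwd:
            pending, expected = cwd.group(1).rstrip("/") or "/", None
            continue
        reply = REPLY_RE.match(line)
        if not reply:
            continue
        code, text = reply.groups()
        if pending is not None:              # first reply after CWD: accepted or not?
            expected, pending = (pending if code == "250" else None), None
        elif code == "257" and expected is not None:
            m = PWD_RE.match(text)
            if m and m.group(1) != expected:
                findings.append((n, f"PWD reports {m.group(1)} after CWD {expected}"))
            expected = None
        elif code == "150":
            m = SIZE_RE.match(text)
            if m and m.group(2) != "bytes":  # assumption: unit seen in the genuine log
                findings.append((n, f"size given in {m.group(2)}, not bytes"))
    return findings
```
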

[Image: Henrik Pontén]

What can we deduce from this, then? Well, we can
deduce that digital evidence is way too easy to
manipulate, and in my opinion should not be
valid in a court of law.
Back on track, don't let me wander off now 🙂

What they could have done, and this could be
a possibility if the server owner was sloppy
and careless enough not to set a maximum number of
erroneous tries to log on, is just brute force
their way in using dictionaries and random keys.
It takes a while, a looong while, but hey, with
multiple computers trying, you reduce the time
needed.

So, let's sum up a little: either they paid someone to get digital evidence
which, as I have shown you, is very easy to counterfeit, or they broke
into the server. Now, breaking into a server is also breaking the law.

Here is a little kicker. Henrik Pontén, the lawyer for
the Swedish APB, denies any allegations regarding
illegal methods of obtaining evidence, but refuses to
state how the actual gathering of proof has been conducted.
This in itself is really suspicious in my book but hey, I am not
a lawyer, so I am not really sure what to say about this.

[Image: André Rickardsson]

However, when this case became known to the public,
a complaint was made stating that APB had hacked
their way into the system, and the complaint was filed
by André Rickardsson, a former cybercrime
investigator for the Swedish security police.

Henrik Pontén responded that those accusations were
groundless, but of course refused to make official
how the evidence had been gathered.

Now, in an addition to the summons, from the 8th of
May, it is confirmed that the server in question was,
in fact, password protected, lending more credibility
to Rickardsson's accusations. The same information
came from another addition from the Internet Service
Provider “Ephone”, who had the server owner as a customer.

How far can a company go to gather evidence for their
own cause? Have companies overstepped the law repeatedly in gathering evidence in the matter of filesharing?

Well, I think so, but so far, this is only speculation on my part and not hard facts.

Everyone is entitled to their own opinions and by Pete, you should be allowed to voice
them as long as they are not aimed to intentionally hurt anyone.

I will be following this case a little, with great interest though.