Two days later a recorded phone conversation between a New-York attorney and Media Defender discussing the security of the Media Defender email server. The question that should have been asked at this point was why they were not able to fix the leak that they thought was only affecting the email server.

There are no details on how the conversation was recorded but apparently one of the parties used VOIP. Today, four days later, the source code of software that was used to trap and decoy users was released on the Internet. This software was said to be used to spread those fake files on the p2p networks.

Media Defender Defenders, that is the name of the group making all those releases, promised to release more information in the coming days. I think we are in for some interesting days to come.

FileWarper is a German freeware which is fortunately not difficulty to use. I took the liberty and translated all buttons and explanations into English. You need to configure the tool once and keep it running in the background. Let me explain the various settings, don’t worry, it is not much.

You can add new folders that you want to observe by clicking on the button Hinzufügen. Just browse to a folder that you want to add and select Wählen to add it. The default dir where the files are moved is C:\Program Files\FileWarper\data\ – you probably want to change that dir to another one, just click and enter another dir.

The program checks every 10 seconds if new files are found in the observed directories. You can change that figure easily. The * entry means that all files that are in that folder are moved to another directory and the *.dat excludes files with the .dat extension from being moved.

It is possible to move only *.jpg for instance or *.mp3 or add more extensions that should be excluded.

Logistep uses a software called File Sharing Monitor that targets E-Donkey and Gnutella users. Here is how it works:

• The software connects to a p2p server and requests a filename recording all IP addresses that offer that name
• They request to download the file and if the download is permitted record the following information into a database
• Filename, file size, IP of the distributor, P2P protocol, P2P application, the time and the username
• When this is inserted the application does a automatic whois and is able to send an infringement letter to the ISP

I think it is interesting to note that this is almost an automatic process which leads to some questions. How do they know which archive has the correct size and is actually their product and not a broken archive ? Is not it only possible to know the exact file size if they downloaded it at least once to verify that is is indeed their product ?

Let us assume that they are not stupid and that they filter out every file below a certain size to prevent that users who do share mods or patches get sued. Let us further assume that a file that is labeled a certain way (with group tags) and shared among many users is the right program. Does this mean that the user that they are suing is responsible ? They will always sue the account holder which could or could not be the person who shared the files.

What possible solutions can I think of that make the Logistep file monitor useless ? Please note that this is hypothetic, I’m not advising anyone to actually use the methods listed below.

• don’t share files
• share only files with no plausible filename (3dpd)
• use encryption to share the files
• use vpns like Relakks
  to share them
• switch to Usenet
• buy the game ;)

Can you think of anything else left to say ?

According to heise online only the houses of users with more than 500 files in their share have been raided. About 14 gigabytes of data was saved in logfiles during the two month observation. About 800.000 file transfers have been logged as well. Rumors that emerged at the slyck forums point to dark-force-elite.org 85.25.134.173:4661 as the server which has been logged and probably is still logged.