External IP in Shell Script

I saw a tip from @linuxalive about obtaining the apparent public IP address from the current machine. In a blog post last month, Racker Hacker wrote about his frustration viewing the HTML returned by the service DynDNS offers at checkip.dyndns.org. He created a site at icanhazip.com that echoes only the IP in the server response. (A commenter on that post mentioned whatismyip.org for the same result.)

With these HTTP services, it's possible to include the result in shell scripts or programs that do something useful. Here are two examples using Wget and cURL:

wget -O - -q icanhazip.com
curl whatismyip.org

On a system without HTTP-aware apps, it's possible to get the same result with nc (Netcat):

H=icanhazip.com
printf 'GET / HTTP/1.0\r\nHost: %s\r\n\r\n' "$H" | nc "$H" 80

Of course, you'll see the HTTP response headers using the last method. To show only the IP address, pipe it through grep:

grep -o -E '^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$'

Surely that was more than you wanted to know. ;)

Somewhat Less Unacceptable

As all my loyal readers (both of you) know, I've been struggling with fraudulent copyright infringement and a response from my ISP that was entirely unacceptable. It appears that my service ticket (#2773177) was updated this afternoon by Speakeasy Network Security Department to replace the text I quoted previously with this:

Thank you for your attention to this issue.

Please be aware that Speakeasy Terms of Service does indicate that copyright violation reports must be acknowledged and appropriate action taken. This means, essentially, that the complaining party no longer has reason to complain, e.g. that the copyright violation no longer exists.

We do note that since your response, no further complaint has been received on this issue. If you have further questions, please do not hesitate to ask.

This doesn't make any sense to me. I already understood that "notices received by Speakeasy indicating any activity suspected to infringe upon third party intellectual property rights will be re-routed to the primary account holder on file, accompanied by a request to verify and possibly cease and desist" (MSA §4.1). This reasoning assumes that the complaint was not a fabrication; it does not address false claims. I assert that all of the claims made by VPA were erroneous, whether they were maliciously crafted or the result of a bug in their IP harvesting software.

At the risk of turning this issue into a rambling rant, I must express how disturbing it is that Speakeasy deleted their previous response. Having a written record of communication is precisely why I avoid chatting on the phone for anything important.

I probably shouldn't have spent so much time on this issue. I felt compelled to defend myself, and I hope this information will be useful to others in a similar situation. My general rule is to keep a low profile, rather than draw attention -- maintain a minimal attack surface, if you will. These last three blog posts are pretty much the antithesis of that objective.

Entirely Unacceptable

This is an update to the post yesterday about the fraudulent copyright infringement letters I received from VPA. Guess what I received in my e-mail this morning -- three more alerts forwarded by Speakeasy! I've included the content of one of the auto-generated e-mails from VPA:

Dear Sir or Madam:

This notice is intended solely for the primary Speakeasy internet service account holder. Someone using this account has engaged in illegal copying or distribution (downloading or uploading) of pornographic movies. This notice may contain the titles of those movies, and therefore may contain text that is offensive to some readers.

Video Protection Alliance Services, LLC ('We') represent and are agents for the following copyright owner(s) FILMCO PRODUCTIONS INC.. FILMCO PRODUCTIONS INC. are the exclusive owners of copyrights for the videos and/or other content listed below.

Evidence:
Infringement Source: BitTorrent
Infringement Timestamp: 2009-06-21 05:26:37 PST
Infringers IP Address: 64.81.35._
Infringers Port: 65433
Infringement Title: Lactating Lesbians
Infringement Filename: Lactating Lesbians.mpg
Infringement Hash: 0cffcb49197115f689a5f6c0bd892be5c75d03a7
Infringement Size: 150628388 Bytes

The information in this notification is accurate. We have a good faith belief that use of the material in the manner complained of herein is not authorized by the copyright owner, its agent, or by operation of law. We swear under penalty of perjury, that we are authorized to act on behalf of FILMCO PRODUCTIONS INC..

This unauthorized copying and/or distribution infringes the copyrights of FILMCO PRODUCTIONS INC. under the U.S. Copyright Act, 17 U.S.C. 106. By engaging in this infringement, you may face significant liability for monetary damages, the rights owners' attorneys fees, court costs for this infringement.

You and everyone using this computer must immediately and permanently cease and desist the unauthorized copying and/or distribution (including, but not limited to, downloading, uploading, file sharing, file 'swapping' or other similar activities) of the videos and/or other content owned by FILMCO PRODUCTIONS INC., including, but is not limited to, the copyrighted material listed above.

FILMCO PRODUCTIONS INC. is prepared to pursue every available remedy including damages, recovery of attorney's fees, costs and any and all other claims that may be available to it in a lawsuit filed against you.

While FILMCO PRODUCTIONS INC. is entitled to monetary damages, attorneys' fees and court costs from the infringing party under 17 U.S.C. 504, FILMCO PRODUCTIONS INC. believes that it may be beneficial to settle this matter without the need of costly and time-consuming litigation. We have been authorized to offer a reasonable settlement to resolve the infringement of the works listed above. To access this settlement offer, please follow the directions below.

Settlement Offer:

To access your settlement offer please copy and paste the address below into a browser and follow the instructions:
https://www.videoprotectionalliance.com/?n_id=XX-000000
Password: *******

Regards,
Bonnie Gadsby
Copyright Enforcement Agent

Video Protection Alliance Services, LLC
PO Box 322
Cream Ridge, NJ 08514-0322
United States
+1-866-251-2631

Obviously, their evidence is utterly unconvincing. (Sorry, couldn't help myself -- that pun was just hanging there.) I also received a response from Speakeasy, thus the title of this blog post.

Thank you for your detailed work on deconstructing the torrent protocol as well as some of the analysis of the enforcement process used.

We are indicating to you that received complaints, and that complaints need to cease in order to be compliant with Speakeasy Terms of Service.

This can be accomplished in a variety of ways, and we are not in a position to recommend one solution over another. If the solution used is to work out with the legitimate rights holder an amenable solution, then their contact information was included in the original 22 complaints we sent.

So, if I understand correctly, I need to prevent an organization from creating fraudulent complaints. That is not possible, and it's an unacceptable request. I've been a Speakeasy customer for more than three years, and I recall having a more customer-friendly relationship before they were purchased by Best Buy.

I also received a Google Alert this morning because "Video Protection Alliance" was mentioned in a blog post on TorrentFreak about the business of copyright infringement settlements. It turns out that VPA is another Nexicon franchise, along with GetAmnesty. It's not clear to me if Nexicon is using David Kurzman for his connections to the porn industry, or if he and Sam Schreiber have a new business model.

At this point, I believe the only solution is to cancel my business account with Speakeasy and shop for another provider. I might take this opportunity to get rid of my POTS phone too. Although I never enabled comments on this installation of MachBlog, I would appreciate your feedback: joseph at lamoree dot com. Thanks.

Copyright Infringement Settlement Offers

A few days ago I started receiving e-mails (22 in all) from my ISP, Speakeasy, warning of a possible violation of their Terms of Service policies. Included with their abuse template was an e-mail they had received from Video Protection Alliance. The gist of VPA's claim is that my IP address has participated in sharing copyrighted material using BitTorrent -- specifically, pornographic movies distributed by the companies with whom VPA has signed collection contracts. Within the body of VPA's rather threatening e-mail is a URL and password that would display the details of a settlement. I didn't even consider opening the link because a) I'm certain that their claim is bogus, b) I'm sure they consider viewing the settlement as an admission of guilt, and c) I don't want to trigger a follow-up event in their system.

However, before I could ignore the threat, I had to make certain that my network hadn't been subverted or compromised. I have two wireless access points on my network (one for 802.11b, one for 802.11n), both of which are secured with WPA2-PSK. It's possible the WiFi has been hacked, but not likely. I connected an Ethernet tap on the line between my firewall and my DSL modem. From a monitoring station listening to traffic on the public side of my network, I started a packet capture using Wireshark. I didn't see anything unusual (like, say, 3 Mbps of BitTorrent traffic). ;) I looked at the RRD graphs on the firewall to see if there had been any historic peaks that I couldn't explain. Finally, I installed Snort and BASE on my monitoring station to detect any funny business.

So that I could prove that BitTorrent activity would actually be logged if it came from my network, I fired up Transmission and downloaded a Fedora 11 Live CD. That caused copious data to scroll down the screen. I wasn't entirely convinced that a BitTorrent client couldn't be operating in a covert mode, so I decided to do a bit of reading on the BitTorrent protocol. My goal was to be able to read the bencoded data within a metainfo file (.torrent file) and spy on communication between a client and the tracker. I found a Java library called Snark that proved to be a good starting point. I read through their source code line-by-line to see how they parsed the metadata file. I also studied a blog post on the topic at Code Commit by Daniel Spiewak.

I wrote three little command-line Java applications: a .torrent file parser that just displays the metadata, a utility that connects to the announce URL and pulls down a list of peers, and a utility that connects to the "scrape" URL of the tracker to get stats on a particular info_hash. Using the information included in the e-mails sent by VPA, I scrounged the net for the source BitTorrent files. Remarkably, I found all 22 of them. I opened each of the .torrent files and dumped the metadata to the console. Then I ran a fake announce connection on each tracker to collect a list of all the peers. I was hoping I'd find something obvious, like VPA running their own bogus tracker. Instead, I found an amusing way to cause BitTorrent traffic to start pouring on to my network. Of course, their packets went nowhere, but it was interesting to see the cause and effect.
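The parsing steps described above (reading the bencoded metainfo, deriving the info_hash carried in announce and scrape requests, and unpacking a tracker's peer list) can be sketched in Python. This is an added example, not the author's Java code; the sample metainfo, the tracker.example URL, the addresses, and the assumption that the tracker replies in the compact peer format are all constructed for illustration.

```python
import hashlib
import socket
import struct

def bdecode(data, i=0):
    """Decode one bencoded value at data[i]; return (value, next_index)."""
    c = data[i:i + 1]
    if c == b"i":                          # integer: i<digits>e
        end = data.index(b"e", i)
        return int(data[i + 1:end]), end + 1
    if c in (b"l", b"d"):                  # list l...e, dictionary d<key><value>...e
        i, items = i + 1, []
        while data[i:i + 1] != b"e":       # truncated input falls through to ValueError
            item, i = bdecode(data, i)
            items.append(item)
        return (items if c == b"l" else dict(zip(items[::2], items[1::2]))), i + 1
    if c.isdigit():                        # byte string: <length>:<bytes>
        colon = data.index(b":", i)
        end = colon + 1 + int(data[i:colon])
        if end > len(data):
            raise ValueError("string runs past end of input")
        return data[colon + 1:end], end
    raise ValueError(f"bad bencode at offset {i}")

def info_hash(torrent):
    """SHA-1 of the raw bencoded 'info' value, the id sent in announce and scrape."""
    if torrent[:1] != b"d":
        raise ValueError("metainfo is not a dictionary")
    i = 1
    while torrent[i:i + 1] != b"e":
        key, start = bdecode(torrent, i)   # key ends where its value starts
        _, i = bdecode(torrent, start)
        if key == b"info":
            return hashlib.sha1(torrent[start:i]).hexdigest()
    raise ValueError("no info dictionary")

def compact_peers(blob):
    """Split a compact peer string (4-byte IPv4 + 2-byte big-endian port) into pairs."""
    if len(blob) % 6:
        raise ValueError("compact peer list is not a multiple of 6 bytes")
    return [(socket.inet_ntoa(blob[n:n + 4]), struct.unpack("!H", blob[n + 4:n + 6])[0])
            for n in range(0, len(blob), 6)]

# Constructed sample data (not from the page): a one-file metainfo and a tracker reply.
INFO = b"d6:lengthi5e4:name8:test.bin12:piece lengthi16384e6:pieces20:" + b"\x00" * 20 + b"e"
TORRENT = b"d8:announce31:http://tracker.example/announce4:info" + INFO + b"e"
REPLY = (b"d8:intervali1800e5:peers12:"
         + bytes([192, 0, 2, 10, 0x1A, 0xE1, 198, 51, 100, 7, 0xC8, 0xD5]) + b"e")
```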

At this point, I have a set of tools for doing more research, if needed. I've added three Java files to Subversion, if you'd like to take a look: Decoder, TrackerPeerList, and TrackerScraper. I now have a more complete understanding of the BitTorrent protocol; however, I also learned that there are a whole mess of extensions and enhancements that add layers of complexity (peer exchange, distributed hash tables, and protocol encryption, just to mention a few). I have yet to hear from Speakeasy, although I would imagine they cannot legally be straightforward and say "Yes, we know it's a scam. Just ignore it." I'll update the blog as I get more information. Congratulations for reading this far. :)