IFPI Employee Describes P2P Sabotage Activities

Maxwell'sSilverLART writes "From The Reg: Matt Warne, an employee of the international version of the RIAA, admitted that he helped the organization spread garbage and random noise on the P2P networks. Apparently, they used multiple DSL connections to present the appearance of separate users, disguising the origins of the files. His group has stopped, but he claims several of the big record companies are still doing it themselves. And here I thought all of their garbage came on CD."

Just block 'em at the firewall.

[Anonymous Coward]

Here is a list of P2P Unfriendly IP's you can block.

OverPeer:65.174.255.255
OverPeer:65.160.0.0-65. 160.127.255
Ranger:216.122.0.0-216.122.255.255
R anger:204.92.244.0-204.92.244.255
MediaForce:65.1 92.0.0-65.192.0.255
MediaForce:65.223.0.0-65.223. 255.255
MediaForce:4.43.96.0-4.43.96.255
MediaDe fender:66.79.0.0-66.79.255.255
RIAA:208.225.90.0- 208.225.90.255
RIAA:12.150.191.0-12.150.191.255
MPAA:63.199.57.96-63.199.57.128
MPAA:64.166.187.1 28-64.166.187.192
MPAA:198.70.114.0-198.70.114.25 5
MPAA:209.67.0.0-209.67.255.255
NetPD:207.155.1 28.0-207.155.255.255
NetPD:128.241.0.0-128.241.25 5.255
UnknownC&DCop:64.106.170.128-64.106.170.192
BayTSP:209.204.128.0-209.204.191.255
Vidius:207 .155.128.0-207.155.255.255
GAIN(spyware):64.94.89 .0-64.94.89.255
GAINCME(spyware):66.35.247.0-66.3 5.247.255
GAINCME(spyware):66.35.229.0-66.35.229. 255
MediaDefender:64.225.292.0-64.225.292.127
RI AA:208.192.0.0-208.192.255.255
Xupiter.com:63.236 .32.50
Xupiter.com(mirror):63.208.235.30

I get dozens of hits to each IPchains rule everyday when I am using P2P.

Re:Just block 'em at the firewall.

[DrPsycho]

MediaDefender:64.225.292.0-64.225.292.127

Um. 292?

I presume that's a typographical error, but you might want to double check those numbers... especially with the hordes of people incorporating them into their IPChains/IPTables rulesets right now. :^)

Re:Just block 'em at the firewall.

[don_carnage]

How can I verify its legitimacy?

nslookup

Re:Just block 'em at the firewall.

[Anonymous Coward]

I got the list from http://www.shareaza.com 's security forums. Shareaza is a modern Gnutella client with integrated security features. I do not personally use the built in firewalling stuff though. I wrote Iptables rules to block them all. If you would like to verify the authenticity you can just use a tool like Sam Spade for your windows box. Although you will have to be warned that several of the above listed IP's are listed as belonging to some holding compay or another. I would not know where to begin in writing a tool to automate this, but if you have the skills than by all means please do so:) In the mean time you can just read shareaza's forum.

Re:EULA?

[zipoff]

I really don't understand how the parent is modded up to +5.

The RIAA/MPAA/xxAA could just write their own client that connects to the network. They are not bound under any EULA, as it is their software.

As the companies releasing P2P lean towards, there is no owner of the network, and as such, there is no EULA to enforce for the network.

Re:YES!!. Virus also, i think.

[meringuoid]

No matter what you put in, you get a file back instantly, some of which are some kind of pornbots or something, and i have had a few where they are a virus, i believe. It seems to change the names of its files on the fly. Its kinda neat, in a way, i wonder who it is.

The dummy results always come from the same few machins; they say they're running Gnucleus, and I believe it - access to the source code helps if you mean to screw with Gnutella in this way.

The .exe files in the !!_YEEHAA_!! zip files probably hijack Internet Explorer - going by what comes out of running 'strings' on them, they also add a whole lot of porno bookmarks - venusseek.com in particular. This is just a guess as I'm not planning to actually run this thing on Windows :-) The images and mpgs just show an ad for some porno site.

The .vbs viruses... they seem to have come from Columbia. A look at the source of one of them reveals

rem "Plan Colombia" virus v1.0
rem by Sand Ja9e Gr0w (www.colombia.com)

rem Dedicated to all the people that want to be hackers or crackers, in Colombia
rem This program is also a protest act against the violence and corruption that Colombia lives...
rem I always wanting that all this finishes, I have said...

rem Santa fe de Bogotá 2000/09
rem I dedicate to all you the song "GoodBye" of Andreas Bochelli

It relies on user stupidity and Windows' habit of hiding file extensions. Instead of 'virus.mp3.vbs' the user sees 'virus.mp3' and thinking all is well doubleclicks to play it. VB script promptly scans the whole hard disk and creates a copy of itself under the name of every MP3 it finds. That's why you tend to get double results - maybe Quadrophenia.mp3 and Quadrophenia.mp3.vbs from the same user. It also seems to redirect IE's start page to a FortuneCity site, and has a bunch of other stuff going on related to script kiddie life and Colombian politics.

Compared to this sort of malevolence, a Coral song that craps out after five seconds and continues in silence is positively benign.

What I want to know, though, is why I keep getting back 'Free Bird' by Lynyrd Skynyrd no matter what I search for?

Re:This reminds me..

[theLOUDroom]

I use limewire and I've noticed the same thing. Here's what I do about it:

1. Start Limewire and let it get connected.
2. Search one something weird like "frobittzly."
3. Open up the settings and add any computer that replies to my list of blocked ips.
4. Repeat the two steps above until I get no search results for things which shouldn't exist.
5. Use Limewire as usual.

Re:Yeah

[questionlp]

Not when using Constant Bitrate (CBR) MP3 encoding, or Average Bitrate (ABR) encoding with a forced minimum bitrate level. Both ABR, without a forced minimum bitrate, and Variable Bitrate (VBR) should be able to encode silence at the lowest possible bitrate for MP3 (16 or 32kbps I think).

So a one minute 128kbps MP3 file will still soak up 1MB of space after compression.

Re:Just block 'em at the firewall.

[Anonymous Coward]

Hold on there a minute little buddy.

Everyone might want to look at those ranges a little closer.

> MediaForce:65.223.0.0-65.223.255.255

That is a whole class B

PeerGuardian has this list too.

[antdude]

Here [methlabs.org]. Good program to block these IP addresses and will work for any Windows P2P clients. :)

Re:Yawn... MD5 Checksums

[anewsome]

Anyone who thinks checksums for encoded music files would work has no idea what they are talking about. A checksum for two music files, ripped and encoded by different people would only work if both files were ripped, without error and encoded with the same identical encoder with the same exact options, id3 tags and all. Anything less would produce two files with different checksums. You could encode the same file at the same rate with the same encoder, options and everything else. 1 character different in an id3 tag and you have a different checksum.

Fuzzy checksums would detect this but now we are getting off track. This supposed checksum database would have literally hundreds or thousands of valid checksums for each ripped file.

So,.. yawn. Learn what you are talking about before posting.

--Aaron