MediaDefender leaked emails and utorrent (long, and vague)

[Aim Here]

I haven't found a bug in utorrent - I use another torrent client (for your marketing droids, that's because I'm a non-Windows user, and I'd prefer to use open source software where possible).

However, MediaDefender have found a bug, but obviously they're not going to post it here, since they actively exploit it to disrupt the operation of torrents, as revealed by their internal emails which were leaked to the net just a day or two ago.

Their emails make numerous references to interdiction, which is apparently the practice of swarming an uploader with connections so that the file is effectively undownloadable. However, from the emails, MediaDefender also seem to prefer it when the downloaders use utorrent, so you seem to be doing something wrong, compared to other clients. Here's the most relevant mails, so that you can maybe work out what they're talking about:

Changes to your 'bt.ban_ratio' field did slow them down:

Subject: RE: utorrent

From: Tabish Hasan <tabish@mediadefender.com>

To: qa <qa@mediadefender.com>

Cc: torrents <torrents@mediadefender.com>

After more in-depth analysis...we've determined that the new version

DOES affect our interdiction in a negative way. They've added a new

"bt.ban_ratio" field that takes into consideration how many good pieces

a client has uploaded. On the older version, they would just kick any

peer that uploaded bad data 5+ times.

This post gives some more explanation about the bad ratio field:

http://forum.utorrent.com/viewtopic.php?pid=249190#p249190

We still see a lot of hash_check fails...but now the only peers getting

banned are ours. This also affects MediaSentry's interdicted torrents.

They are no longer effective on the newest version either.

-TH

________________________________

From: Tabish Hasan

Sent: Monday, May 07, 2007 6:45 PM

To: Randy Saaf; qa

Subject: RE: utorrent

Sure.

We've tested this newest version (1.7 beta) before...but apparently

there was a new build released yesterday (build 1703)...so we'll check

that tomorrow morning against torrents in our interdiction system.

-TH

________________________________

From: Randy Saaf

Sent: Monday, May 07, 2007 6:42 PM

To: qa

Subject: utorrent

Can you test the new version of utorrent to see if it affects us?

They have been looking for exploits in utorrent dna, but the emails don't say if they found any

Subject: Re: utorrent

From: Randy Saaf <randy@mediadefender.com>

To: Daniel Lee <dlee@mediadefender.com>,

Ben Grodsky <grodsky@mediadefender.com>,

Ty Heath <heath@mediadefender.com>

Cc: Ben Ebert <ben@mediadefender.com>, Benny Mao <bmao@mediadefender.com>,

Jay Mairs <jay@mediadefender.com>

Ty

Are there any new exploits with this utorrent dna junk?

R

----- Original Message -----

From: Daniel Lee

To: Ben Grodsky; qa

Cc: Ben Ebert; Benny Mao

Sent: Fri Aug 10 16:18:28 2007

Subject: RE: utorrent

The Bittorrent client is almost identical to uTorrent 1.7. Both our interdiction as

+well as MediaSentry's still works on Bittorrent 6.0. We were having some problems

+getting our interdiction to show up on our local machines, but with Ty's help we

+figured out that the problem was due to port conflict and firewall issues.

The only difference between uTorrent and Bittorrent was that the Bittorrent client

+came with an additional app called "Bittorrent DNA" (Delivery Network Accelerator),

+which acts as a local proxy. Overall, we saw similar speeds/performance on both

+clients.

________________________________

Something you guys did in 1.7 seems to have slowed them down a bit - that might clue you in to what the bug was

Subject: RE: UMG Interdiction results - Ne-Yo

From: Tabish Hasan <tabish@mediadefender.com>

To: Ty Heath <heath@mediadefender.com>

Cc: Ivan Kwok <ivan@mediadefender.com>, Ben Ebert <ben@mediadefender.com>,

Randy Saaf <randy@mediadefender.com>,

Jay Mairs <jay@mediadefender.com>,

Ben Grodsky <grodsky@mediadefender.com>,

qateam <qateam@mediadefender.com>

So you're saying the release of the new version (1.7) has an effect on

our effectiveness on the old version (1.6.1)? (All our testing was done

on the old version)

________________________________

From: Ty Heath

Sent: Thursday, May 17, 2007 6:23 PM

To: Tabish Hasan

Cc: Ivan Kwok; Ben Ebert; Randy Saaf; Jay Mairs; Ben Grodsky; qateam

Subject: Re: UMG Interdiction results - Ne-Yo

The new version of utorrent will hurt interdiction. I am working on a

patch to help alleviate that. But it has a very serious impact, even if

testing with an older version.

Also, Ivan's source collector is having trouble getting banned from a

lot of trackers. So many torrents don't have any sources for me to

interdict.

Ty

On May 17, 2007, at 6:15 PM, Tabish Hasan wrote:

Ty,

Here are our interdiction results for the Ne-Yo UMG album. There's 2

days of testing....one from yesterday (before your patch) and one from

today. Seems like the patch helped a little bit, but not enough.

Yesterday 14 out 17 interdicted torrents completed w/in 2 hours and

today, there were 9 out of 17. So it still seems our interdiction is

really weak. Most of the times our IPs are just not getting into the

swarm, and sometimes even when our IPs get in, it doesn't stop the DL.

However, whatever their problems are, they seem to have worked them out

Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for

domain of dlee@mediadefender.com designates 65.120.42.14 as permitted

sender) smtp.mail=dlee@mediadefender.com

Subject: RE: utorrent

From: Daniel Lee <dlee@mediadefender.com>

To: Randy Saaf <randy@mediadefender.com>, qa <qa@mediadefender.com>,

torrents <torrents@mediadefender.com>

Cc: Ty Heath <heath@mediadefender.com>, Jay Mairs <jay@mediadefender.com>

Yep, we checked yesterday and interdiction still works on the latest

version.

________________________________

From: Randy Saaf

Sent: Friday, September 07, 2007 2:25 PM

To: qa; torrents

Cc: Ty Heath; Jay Mairs

Subject: utorrent

Dan:

There is a new version of utorrent out. Can you see if interdiction

still works?

R

Here is one where they discuss trying to get a record company executive to test their decoys with utorrent, apparently because downloading using utorrent, as opposed to other clients, makes their interdiction more effective.

Subject: Re: umgi

From: Ben Ebert <ben@mediadefender.com>

To: Randy Saaf <randy@mediadefender.com>,

Tabish Hasan <tabish@mediadefender.com>,

Ben Grodsky <grodsky@mediadefender.com>,

Jay Mairs <jay@mediadefender.com>

Cc: qateam <qateam@mediadefender.com>

Piratebay, mininove, etc. Will depend entirely on interdiction. Tabish let's start

+a download test on those sites since interdiction should be on and see what it

+looks like in 2 hours.

--------------------------

Sent from my BlackBerry Wireless Handheld

----- Original Message -----

From: Randy Saaf

To: Ben Ebert; Tabish Hasan; Ben Grodsky; Jay Mairs

Cc: qateam

Sent: Wed Jun 27 09:34:36 2007

Subject: Re: umgi

We can wait a couple hours if you think it will get better. What is your diagnosis?

What about pirate bay and other notables missing?

----- Original Message -----

From: Ben Ebert

To: Randy Saaf; Tabish Hasan; Ben Grodsky; Jay Mairs

Cc: qateam

Sent: Wed Jun 27 09:23:42 2007

Subject: Re: umgi

Neil is asking for this now, let's give him amy winehouse on the sites I listed

+below. We need to make sure they are usiny utorrent since our decoys are not as

+strong as they could be. If you can influence the methodology have them download

+the top 15 with a short time frame like 2 hours.

--------------------------

Here's them saying that whatever they do with utorrent, it's worth showing off to prospective customers

Subject: Re: Torrent Protection

From: Randy Saaf <randy@mediadefender.com>

To: Neil Saxby <nsaxby@mediadefender.com>,

Ben Grodsky <grodsky@mediadefender.com>,

torrents <torrents@mediadefender.com>

Cc: Octavio Herrera <octavio@mediadefender.com>

Neil:

Do you think you can get the germans to test this using uTorrent? I think that our interdiction on uTorrent

+is the most impressive display of our technology right now.

R

----- Original Message -----

From: Neil Saxby

To: Ben Grodsky; torrents

Cc: Octavio Herrera

Sent: Tue Jun 26 03:20:51 2007

Subject: FW: Torrent Protection

FYI, please see below.

Any projects you can recommend for the Germans to have a look at? A list of the sites we protect on would

+also be helpful.

Many thanks,

Neil

And, here MediaDefender complains because their customers were checking their effectiveness using Azureus as well as utorrent. These righteous upstanding upholders of copyright law know how to be a bunch of sneasky tricksters when they want to be...

Subject: RE: FOX Download Report 07.02.07

From: Randy Saaf <randy@mediadefender.com>

To: Ben Ebert <ben@mediadefender.com>, qa <qa@mediadefender.com>,

torrents <torrents@mediadefender.com>

Keep us informed if they keep doing this. We have flagged it with Fox

as a testing error we disagree with.

-----Original Message-----

From: Ben Ebert

Sent: Wednesday, July 11, 2007 11:37 AM

To: Randy Saaf; qa; torrents

Subject: RE: FOX Download Report 07.02.07

Having them use different clients seems to have backfired, they counted

the same torrents from the same site with different clients as fails.

However, it did show that interdiction is working, a file that they

downloaded in 3 hours with Azureus took 80 hours in uTorrent.

I know this is all short on technical details, but even if it doesn't help you fix whatever this exploit is, at least you know there some sort of a problem.

[Switeck]

My guess is they're talking about µTorrent using default settings.

...or at least without an ipfilter.dat blocklist that contains the majority of hostiles used on those torrents.

Another thing to watch out for is they may be feeding Peer Exchange LOTS of fake ip addresses for peers and seeds. One REALLY nasty thing they could do with fake ip addresses is supply ip addresses of known pinging virus-infected nodes on the internet that will see a connection attempt to them as an "invitation" to auto-infect the connecting ip. Or it could just cause the virus-infected nodes to try to reconnect later...and pass on the ip that tried to connect to them to other virus-infected nodes as well, acting as a Distributed Denial of Service attack.

Even if they don't give out bad ips with Peer Exchange, they could "stack the deck" using Peer Exchange and *ONLY* report other poisoner seed/peer ips. I've heard they're ALREADY doing this to try to isolate each good peer/seed from each other.

Funny thing is, even "good" torrents with a very high churn rate ALREADY have this problem due to firewall and time-delay issues -- the tracker gets a list of every ip that's connected to it in the last day, and gives out those ips typically in random lots of up to 50 at a time (to prevent overloads). Many if not most of the ips are firewalled, and cannot connect to each other. And the unfirewalled peers and seeds seldom stick around for long because not only can they download alot faster, they have "innumerable" firewalled peers to upload to -- so they exceed a 1:1 ratio reasonably fast too so long as they have a decent upload rate. So of the 50 ips the tracker is handing out, 30+ are firewalled (and cannot connect to each other), 10+ are no longer connected (having finished downloading and stopped the torrent), and 5 or fewer are unfirewalled.

Another possible exploit the poisoners are using against µTorrent...I've seen numerous times where µTorrent cannot hold onto TCP ip-to-ip connections. I'd connect to a seed or peer, be downloading and/or uploading to them, and lose connection often within 5-10 minutes. Then it might be minutes (longer on torrents with LOTS of dead connections as mentioned above!) before I reestablish a link to them. ...then 5-10 minutes later, they'd disconnect again! It doesn't help that I'm on ComCast ISP, and the problem may be injected RST packets as mentioned in other threads (on ComCast messing with BitTorrent.) The torrents I am trying to download are in no way being messed with by MediaDefender, BayTSP, or other poisoners. Those torrents seldom have more than 20 ips total as far as the tracker is concerned, of which typically half or less ever connect, of them typically half are firewalled and I must wait for them to connect to me as incoming connections.

The THING to do is to get some more µTorrent + other BitTorrent client testing done on interdicted torrents. (Preferably legal ones -- and yes, they ARE interdicting even legal ones too!) With µTorrent logging all kinds of traffic in logger to a text file and maybe even wireshark as well, we can probably determine if the interdiction is also doing any kind of disconnect attempts like ComCast is doing.

[system]

the tracker gets a list of every ip that's connected to it in the last day, and gives out those ips typically in random lots of up to 50 at a time (to prevent overloads). Many if not most of the ips are firewalled, and cannot connect to each other.

Not sure where that info is from.

All tbsource based trackers use a "connectable" test by default, and this query for returning peers:

"SELECT $fields FROM peers WHERE torrent = $torrentid AND connectable = 'yes' $limit"

They only return the peers who at least seem connectable (have the port open).

They also drop peers who announce with a "stopped" event, or peers who have not announced within a set timeout period.

Other tracker sources might not use a "connectable" test, but they should at least use a timeout for dead peers.

No peer should be in the announce returns for a full day unless they are announcing regularly throughout the day (not even the bitcomet versions that don't send stopped events).

[Switeck]

Maybe so, but on numerous torrents I get...6+ ips out of 10 are unconnectible.

[ICleolion]

Nice to see the bt.ban_ratio that a few of us came up with in IRC pissed em off a bit

[amc1]

Next UT version should have further improvements related to banning bad peers. As well as an appropriate changelog message.

[funchords]

The tracker that I use most (which is XBT-based) has the option for the connection test but the administrator turned it off to keep the load down.

About a third of my peers are firewalled.