
MediaDefenderPhonecall-

By: a guest on Sep 16th, 2007  |  syntax: None  |  size: 19.77 KB  |  hits: 847  |  expires: Never
Transcript for MediaDefender.Phonecall-MDD

Certainly not error-free. :)

----
MD - Hello.

AT - Yes?

MD - Hi, this is Ben Grodsky(?), MediaDefender.

AT - Alright, Mike McCartney, Bret Bartrum(?) and Jim Dummers(?).

MD - Hi there, guys.

AT - How are we doin'?

MD - Alright.

AT - Alright, uhm..

MD - I'm sorry, go ahead.

AT - Well, have you guys had an opportunity to kinda look to see where this may have, uhm, may have stemmed from?

MD - Yeah, it seems, I mean, from our telephone call yesterday it seems that, ah, we all pretty much came to the conclusion that it probably was, ah, caught in the email transmission, because the, ah, attacker, I guess we should call the Swedish IP the attacker, knew the login and the IP address and port, but they weren't able to get in, because we had changed the password on our end, you know, following our normal security protocol, ahm, when we're making secure transactions like these, on the first login we'll change the password. So..

AT - Right.

MD - Obviously, well, not obviously, but it seems that, ah, the most likely scenario is that at some point that, you know, was, ahm, intercepted, you know, just because there's probably, it was going through the public internet and there wasn't any sort of encryption key used to, ahm, protect the data and that email.

AT - But what kind of, what you guys are saying, on our end, uhm, so, I mean, we have RSA authentication through our Exchange server, uhm, to get into our stuff.

MD - Right. But then it's going from your mail server to our mail server, it's going through all the routers and hubs on the way and we don't have, we didn't make any kind of, ah, you know, key between our servers to make sure that the internet(?) would, would, ah, would only be viewable by people with that key.

AT - Right, no, I understand that, we could certainly add PGP encryption or some other email encryption so that it's encrypted in transit, but what I'm saying is that how comfortable are you guys that your email server is free of other eyes?

MD - I'm not sure what you mean, our email server isn't free of other eyes. There is nothing to say that this email was intercepted on our end as opposed to it being intercepted on your end.

AT - That is true. I mean, obviously...

AT2 - Are you comfortable that it was not intercepted on your ....

AT - I mean, (?), theoretically, hypothetically it could be grabbed anywhere along the way as it transmits through routers and different protocols from my end to your end, but I guess we're asking: are you comfortable that you guys don't have anybody in your email server?

MD - Oh yeah, yeah, we checked out our email server and our email server itself is not compromised. I think that was your question.

AT - Ok, yeah, I guess that wasn't clear, I just, I mean you guys know as well as we know that you guys are a major target of hackers.

MD - Right, yeah, we are a major target of hackers, and, you know, you guys are part of the government and the government is always a major target of hackers and people trying to sneak around for information. So I mean both of us are pretty big targets.

AT - Yeah, yeah, absolutely. And that's why I guess, you know, and obviously the content of this operation that we're doing is extremely sensitive and that's why, you know, we're, we take very extra caution and security measures when we're talking about any of these secure inside networks that we're dealing with, so we just need, you know, let's make sure that we add whatever security and functionality we need to, so not only our data communications and protocols are secure and maybe we should wrap 'em in a PPN tunnel, uhm, public private key for the data that is transmitted between us but also for our email communications, uhm, making sure that, you know, we can talk to each other through email using, uhm, another layer of communication so that, you know, nobody can understand or read what the hell we're talking about with each other.

MD - (long silence) Yeah. Yeah, I mean, we can certainly, uhm, set up a PGP key for the email, uhm, as far as the using of a PPN tunnel or something like that, uhm, you know, I can look into that with Jay when he comes back on Tuesday.

AT - OK. Uhm, I don't wanna slow down performance either, I mean, if that's gonna really dog our communication link between each other.

MD - You know, I think that really right now what we could do if you wanted, is, as we discussed yesterday, we could change the port, that we're doing things on your server

AT - (?) a process of that.

MD - OK, so we can do that, we can change the login, obviously the password, you know, if you guys need to know what password we're using we could just communicate that by phone, and I think the email isn't really an issue as long as we don't really say anything particularly sensitive in the emails.

AT - Right.

MD - You know, and, we're pretty available by phone, so, if you guys are comfortable with just communicating with us by phone and anything that's really really sensitive we could just communicate in this fashion. I know it's a little bit cumbersome...

AT - Yeah, it can be sometimes, I mean, email's so easy, and (background mumbling) yeah, I mean, this is obviously a very sensitive investigation, as you know, and we, I'm just nervous now going back through old emails and we knowing we didn't really say too much in our earlier communications but if anybody was successful sniffing out communication between each other over the last month, I mean, that obviously could (?) that you guys were helping the state of New York and the Attorney General's office in a child porn investigation of global scale, based on some of the child porn keyword-list text files we attached and sent back and forth to each other, some of the results that you guys have sent in, the preliminary results of the keyword crawling...

MD - Yeah, yeah, but, you know, (?) by the same token obviously people are always aware that child porn is a, is something that they need to be, you know, not transmitting in the first place. So anyone transmitting is, per se, infringing on the wha, committing crimes.

AT - And as such they go through extra ways to try make and find out what law enforcement is doing so they can avoid being caught.

MD - Right. One thing to keep in mind, is, you know, peer-to-peer networks are global and for this particular initiative we have decided, just from a technical standpoint on our end, we have just decided to use a particular peer-to-peer network, we could always switch to a different peer-to-peer network if that became an issue in the future, but, you know, we are still seeing that there would be a good amount of data coming through to you, so I don't think this is going to have the effect of, you know, somehow squashing all the data that you would even be able to collect from us.

AT - No, I don't think so either. I think that the peer-to-peer network as a whole is a target-rich environment, but I also know through 15 years of doing this, is that if a pedophile is in the peer-to-peer network, he's in newsgroups, he's on websites, he's in chatrooms, he's everywhere else, I mean, they're not generally isolated to one technology and they also go to great lengths to try to proxy and cover themselves and, you know, view hacker blogs and logs, looking for what law enforcement's doing and it wouldn't be outside the realm of a hacker group, many of which we've taken down in the past, big organized crime groups of pedophiles, to pay hackers for information about what law enforcement is doing.

MD - Yeah.

AT - And then, that's all, I'm not saying that this particular small little piece of a global child porn investigation is compromised, we will get lots and lots of bad guys in this, I'm convinced, and I don't have any concern of that.

MD - Ok.

AT - (?) all scheme of being able to keep, you know, what we do in law enforcement a secret and protected as special we can, so that we can continue to be successful.

MD - Right.

AT - So, ok, uhm, more thought on exactly what we're going to institute as far as communication protocols here

AT2 - Yeah, at this point, what I've done is, I've changed the port for access on that, I haven't opened it up yet, so what I want to do is, I'd like to set up a password authentication initially, give you guys a chance(?) of a public key authentication mechanism on that.

MD - So, ok, you've already changed the port and you're gonna set up, you already have or you are about to set up authentication for the password?

AT2 - No, I've already set up a new username and password (?) that you can use for general access to the server itself, and what I'd like to do is probably (?) disable password authentication on that server altogether and exclusively reserve it for the public key.

MD - Ok, so you're gonna disable password authentication and enable a public key

AT2 - Yeah.

MD - Ok.

AT2 - And, ah, from there we can we can communicate so we (?)

AT - Here's the problem, a potential problem, and again, from the law enforcement perspective: The intelligence information that you guys are gathering, that's being sent to our systems and then our evidence collection process here, it needs to be able to stand up in court, and in order for us, I think, to do that from a legal standpoint, we have to be able to get on a stand and say that the data that we get from you, is, pristine, it's validated, it's verified, there's no chance that, or there's a very limited chance that the data that came from you to us, was in any way compromised, edited, modified, or goofed with, so that the information that we get from you, that we rely upon, we can go out and connect to the IP machine, the IPs and the machines in New York that have the contraband files that we're pulling down, are all wrapped together in one nice little bundle,

MD - That part has not been compromised in any way, I mean, the communication between our offices in Santa Monica and datacenters in Los Angeles and Alsagundo(?) have not been compromised in any way and all those communications to New York, to your offices, are secured. The only part, that was in any way compromised was the email communications about these things. But...

AT - We are not exactly sure, exactly, where this breakdown was, as of yet, right?

MD - Right. And you might not ever know. I mean, all we can say for sure, MediaDefender's mail server has not been hacked or compromised, and you guys are basically reporting the same on your side. So, then there's just the public internet between.

AT - Yeah, yeah, I mean, what kind of IDS are you guys running?

MD - Ah, I don't know. Let me look into that.

AT - Because, you know, when was the last update, when was the last time you guys checked any alerts, I mean, I have our people already working on it on our end. We're looking that our mail and our mail server is all encrypted. Our entire authentication process is RSA. But you're right if plain text comes from us to you

MD - Hello, are you guys still on the call?

AT - Are you there?

MD - Yeah I'm here, can you hear me? - Can you hear me? - Are you on a cell phone? - Should we try restarting the phone call? - Is it possible for you to call from a landline?

AT - Can you hear on what they're doing? Yeah are you there?

MD - Yeah I'm here. - Can you hear me? - Hey bladder_mike, can you hear me?

AT - Yeah we can hear you, can you hear us?

MD - Yeah occasionally. - Hello?

AT - How about now?

MD - Now I can hear you. Now it's totally silent, I don't hear anything.

AT - Are there any connections or something, check your processor.

MD - I can hear a little bit of the chatter between you guys, but I can't make out anything that you're saying.

AT - Here's the deal, can you hear me now?

MD - Yes.

AT - Problem of it is, we're on a VoIP connection, a VoIP phone.

MD - All I got was you guys were on a VoIP phone.

AT - Right and I think at this moment, your application is calling your machine back in California and it's chewing up our bandwidth.

MD - Got it. Ok. At least now I understand what the phone situation is. Now I understand a little better the limitations of VoIP.

AT - Yeah it's eh, we're only on a cable right now, we've got two T1's coming in, once they are in we should be able to turn spend bandwidth on a little better. Is it better now?

MD - Yeah. It's better. Well, it was for a moment.

AT - How about now, it's probably going to be better now.

MD - Yeah I can.. Yeah.

AT - We'll talk about, we'll keep our e-mail content to a dull roar.

MD - Yeah.

AT - We'll talk by phone unless we can share some PGP keys for email and if you can check on your end again. Just, I'm checking on my end too, I'm not accusing you guys. But I think we need to, under the sensitivity of this thing, we both need to make sure that both of our systems are secure on both ends. Both our mail servers and our networks to make sure that, you know, whoever saw that email didn't see it on either of our mail servers or on the inside of either of our networks.

MD - Right.

AT - You know, if somebody got access to the mail server, they might have got access to other machines on the network. And the argument goes that, you know, even though the data that has been sent from us to you in a secure fashion is secure, if there's somebody sniffing around on your network or on our network it's not secure on either end. Before it gets into the tunnel.

MD - Okay.

AT - So, em, I think we're good. Some public private key authentication, right and set a password, right, so that we've got a whitelist of IPs that are going to be only allowed access.

MD - Yeah we already (sent) you that whitelist

AT - Exactly, so we'll go from there. Then, going forward, how much more testing do you guys need to do, and can we set up a *beep* early next week when we can, can go over exactly what this thing is doing.

MD - Yeah, we can go over things as soon as you like next week. Tuesday, Wednesday, whenever you'd want. We're basically done testing, we deployed, I guess yesterday or the day before, to your system.

AT - Right.

MD - So at this point, you know, it's just, if you want to review how the data is appearing on your end, there is one thing that Brad has brought up yesterday as far as making the actual media files more easily viewable and more easily connecting them to the database.

AT - Yes exactly we're going to need to do that.

MD - Right, well the easiest thing for us to do, and, let me know your thoughts about this, how about if we prepend to the filenames, where they are currently just hash in whatever the extension of the filename should be. How about we prepend to the filename, the real filename from our database?

AT - I mean, that's ok, I guess, at the end of the day what we're going to need to know is, other than the nuts and bolts of it exactly, what data we're getting from you, what data we have on our end, what your application's doing on our end do with your data. To then go out and connect to the suspect IPs to pull down the suspect file. I need to be able to testify that in court so I'm going to have to go over that with one of you guys, or all of you. Almost line by line to say "Here's what happened, this is how we get it, this is the structure we get the data in, this is what the application is doing on your end, this is what it's trying to do, this is how it's making its connections."

MD - Yeah, all of that is really straightforward and Jake can go over all of that with you on Tuesday.

AT - Ok, that's easy. Then what we're gonna need to do is once we get the file

MD - Right

AT - We have to be able to link them back to the suspect IP along with all your metadata in your database that's associated with that IP. So we get an IP in New York that's got, according to you guys, a hundred and twenty-seven suspect files that you saw while you were crawling. We (?) connect to them on our end using your application. It goes out, it connects, it pulls a file or multiple files presumably - hopefully. Gets all of the file or part of the file and it saves it out to our directory here on our evidence collection array. We then need to look at it - you know - computers are great but they can't tell me what is and what isn't child porn and illegal sex.

MD - Right

AT - So we need some sort of a viewer or review viewer that could be web-based - that basically goes back - we can then make a selection whether or not it is or it is not child porn that gets entered into the database of being child porn or not child porn. And then the database is updated to reflect the fact that from this IP we got this picture, it is child porn. From these two IPs we got these two pictures, they are not child porn. From this IP we got these 4 pictures, 3 of them are child porn and one is not. So we can begin to make investigative decisions as to who we're gonna subpoena and who we're gonna make as a target and what evidence we have against this individual target.

MD - Ok.

AT - The thing we are working on that he maybe could give you some structure and (?) but we don't know the structure of the data in your database for him to try to reverse-engineer those calls to the data in your database to put it into a viewer on our end. But he's done it before in other things so he could probably help you at least with the web-based HTML template and sort out how the structure seems to work and what we're doing and what we've done in other things and it's just a matter of, you know, working together on the backend data structure so that it's calling the right stuff and keeping track of the right stuff statistically.

MD - Ok.

AT - And what is not done -- same database structure that your data is coming to us in.

MD - Yeah.

AT - -- you could just browse it on a web browser on an internal network and look at the data across our internal network in the actual, you know, image files locally and do the review. So that it's nothing internet-powered, it's all internal, to us here. Yes, we can deal with that next week, I think that will be good. So we are ready to go other than being able to view the images, make a determination at the what is, what isn't child porn and then keep statistical counts and records and entries as to what IPs are associated with those contraband files and what IPs and metadata are associated with the non-contraband files. You know, globally.

MD - Right.

AT - (?) IP addresses and then hopefully we'll have a warm breathing body behind the keyboard of these IP addresses. But that's up to our ... that's our work.

MD - Yeah, that's on you guys.

AT - Yeah, I'm impressed. I think we'll, I think this will be very good. Alright, I'll tell Jay, we set it all, and why don't we plan something for Tuesday afternoon or something?

MD - Ok, Tuesday afternoon your time?

AT - -- and we can try to finalize basically what this app is doing and we can finalize the last little pieces, some sort of a viewer and Brad can work with you guys on the structure of the template, the frontend application of that and you guys can help him with the backend and together, I think we can put the data and the pieces together cause like I say a lot of it has already been sort of been done. Knowing your dataset, where all your stuff is in your database. Cool!

MD - Alright, sounds very good. Alright, so we'll set up a call for Tuesday afternoon your time.

AT - Sounds like a plan. Thank you very much and have a good long weekend.

MD - Thanks a lot and have a good weekend yourselves. Bye.

---

Note: Thanks to MediaDefender-Defenders, #mediadefender and the people working on this, you know who you are.