Transcript for MediaDefender.Phonecall-MDD
Certainly not error-free. :)
----
MD - Hello.
AT - Yes?
MD - Hi, this is Ben Grodsky(?), MediaDefender.
AT - Alright, Mike McCartney, Bret Bartrum(?) and Jim Dummers(?).
MD - Hi there, guys.
AT - How are we doin'?
MD - Alright.
AT - Alright, uhm..
MD - I'm sorry, go ahead.
AT - Well, have you guys had an opportunity to kinda look to see where this may have, uhm, may have stemmed from?
MD - Yeah, it seems, I mean, from our telephone call yesterday it seems that, ah, we all pretty much came to the conclusion that it probably was, ah, caught
in the email transmission, because the, ah, attacker, I guess we should call the Swedish IP the attacker, knew the login and the IP address and port, but they
weren't able to get in, because we had changed the password on our end, you know, following our normal security protocol, ahm, when we're making secure
transactions like these, on the first login we'll change the password. So..
AT - Right.
MD - Obviously, well, not obviously, but it seems that, ah, the most likely scenario is that at some point that, you know, was, ahm, intercepted, you know,
just because there's probably, it was going through the public internet and there wasn't any sort of encryption key used to, ahm, protect the data and that
email.
AT - But what kind of, what you guys are saying, on our end, uhm, so, I mean, we have RSA authentication through our Exchange-server, uhm, to get into our
stuff.
MD - Right. But then it's going from your mail-server to our mail-server, it's going through all the routers and hubs on the way and we don't have, we didn't
make any kind of, ah, you know, key between our servers to make sure that the internet(?) would, would, ah, would only be viewable by people with that key.
AT - Right, no, I understand that, we could certainly add PGP-encryption or some other email-encryption so that it's encrypted in transit, but what I'm
saying is that how comfortable are you guys that your email-server is free of other eyes?
MD - I'm not sure what you mean, our email-server isn't free of other eyes. There is nothing to say that this email was intercepted on our end as opposed to
it being intercepted on your end.
AT - That is true. I mean, obviously...
AT2 - Are you comfortable that it was not intercepted on your ....
AT - I mean, (?), theoretically, hypothetically it could be grabbed anywhere along the way as it transmits through routers and different protocols from my
end to your end, but I guess we're asking: are you comfortable that you guys don't have anybody in your email-server?
MD - Oh yeah, yeah, we checked out our email-server and our email-server itself is not compromised. I think that was your question.
AT - Ok, yeah, I guess that wasn't clear, I just, I mean you guys know as well as we know that you guys are a major target of hackers.
MD - Right, yeah, we are a major target of hackers, and, you know, you guys are part of the government and the government is always a major target of hackers
and people trying to sneak around for information. So I mean both of us are pretty big targets.
AT - Yeah, yeah, absolutely. And that's why I guess, you know, and obviously the content of this operation that we're doing is extremely sensitive and that's
why, you know, we're, we take very extra caution and security measures when we're talking about any of these secure inside-networks that we're dealing with,
so we just need, you know, let's make sure that we add whatever security and functionality we need to, so not only our data-communications and protocols are
secure and maybe we should wrap'em in a PPN-Tunnel, uhm, public private key for the data that is transmitted between us but also for our
email-communications, uhm, making sure that, you know, we can talk to each other through email using, uhm, another layer of communication so that, you know,
nobody can understand or read what the hell we're talking about with each other.
MD - (long silence) Yeah. Yeah, I mean, we can certainly, uhm, setup a PGP-key for the email, uhm, as far as the using of a PPN-Tunnel or something like
that, uhm, you know, I can look into that with Jay when he comes back on Tuesday.
AT - OK. Uhm, I don't wanna slow down performance either, I mean, if that's gonna really dog our communication link between each other.
MD - You know, I think that really right now what we could do if you wanted, is, as we discussed yesterday, we could change the port, that we're doing things
on your server
AT - (?) a process of that.
MD - OK, so we can do that, we can change the login, obviously the password, you know, if you guys need to know what password we're using we could just
communicate that by phone, and I think the email isn't really an issue as long as we don't really say anything particularly sensitive in the emails.
AT - Right.
MD - You know, and, we're pretty available by phone, so, if you guys are comfortable with just communicating with us by phone and anything that's really really
sensitive we could just communicate in this fashion. I know it's a little bit cumbersome...
AT - Yeah, it can be sometimes, I mean, email's so easy, and (background mumbling) yeah, I mean, this is obviously a very sensitive investigation, as you
know, and we, I'm just nervous now going back through old emails and we knowing we didn't really say too much in our earlier communications but if anybody
was successful sniffing out communication between each other over the last month, I mean, that obviously could (?) that you guys were helping the state of
New York and the Attorney General's office in a childporn-investigation of global scale, based on some of the childporn-keyword-list-textfiles we attached
and sent back and forth to each other, some of the results that you guys have sent in, the preliminary results of the keyword-crawling...
MD - Yeah, yeah, but, you know, (?) by the same token obviously people are always aware that childporn is a, is something that they need to be, you know, not
transmitting in the first place. So anyone transmitting is, per se, infringing on the wha, committing crimes.
AT - And as such they go through extra ways to try make and find out what law enforcement is doing so they can avoid being caught.
MD - Right. One thing to keep in mind, is, you know, Peer-to-Peer-networks are global and for this particular initiative we have decided, just from a
technical standpoint on our end, we have just decided to use a particular Peer-to-Peer-network, we could always switch to a different Peer-to-Peer-network if
that became an issue in the future, but, you know, we are still seeing that there would be a good amount of data coming through to you, so I don't think
this is going to have the effect of, you know, somehow squashing all the data that you would even be able to collect from us.
AT - No, I don't think so either. I think that the Peer-to-Peer-network as a whole is a target-rich environment, but I also know through 15 years of doing
this, is that if a pedophile is in the Peer-to-Peer-network, he's in newsgroups, he's on websites, he's in chatrooms, he's everywhere else, I mean, they're
not generally isolated to one technology and they also go to great lengths to try to proxy and cover themselves and, you know, view hacker-blogs and logs,
looking for what law enforcement's doing and it wouldn't be outside the realm of a hacker-group, many of which we've taken down in the past, big organized
crime-groups of pedophiles, to pay hackers for information about what law enforcement is doing.
MD - Yeah.
AT - And then, that's all, I'm not saying that this particular small little piece of a global childporn investigation is compromised, we will get lots and
lots of bad guys in this, I'm convinced, and I don't have any concern of that.
MD - Ok.
AT - (?) all scheme of being able to keep, you know, what we do in law enforcement a secret and protected as special we can, so that we can continue to being
successful.
MD - Right.
AT - So, ok, uhm, more thought on exactly what we're going to institute as far as communication-protocols here
AT2 - Yeah, at this point, what I've done is, I've changed the port for access on that, I haven't opened it up yet, so what I want to do is, I'd like to setup
a password authentication initially, give you guys a chance(?) of a public key authentication mechanism on that.
MD - So, ok, you've already changed the port and you're gonna setup, you already have or you are about to setup authentication for the password?
AT2 - No, I've already setup a new username and password (?) that you can use for general access to the server itself, and what I'd like to do is probably
(?) disable password authentication on that server all together and exclusively reserve it for the public key.
MD - Ok, so you're gonna disable password authentication and enable a public key
AT2 - Yeah.
MD - Ok.
AT2 - And, ah, from there we can we can communicate so we (?)
AT - Here's the problem, a potential problem, and again, from the law-enforcement-perspective: The intelligence information that you guys are gathering,
that's being sent to our systems and then our evidence-collection-process here, it needs to be able to stand up in court, and in order for us, I think, to do
that from a legal standpoint, we have to be able to get on a stand and say that the data that we get from you, is, pristine, it's validated, it's verified,
there's no chance that, or there's a very limited chance that the data that came from you to us, was in any way compromised, edited, modified, or goofed
with, so that the information that we get from you, that we rely upon, we can go out and connect to the IP-machine, the IPs and the machines in New York that
have the contraband files that we're pulling down, are all wrapped together in one nice little bundle,
MD - That part has not been compromised in any way, I mean, the communication between our offices in Santa Monica and datacenters in Los Angeles and
Alsagundo(?) have not been compromised in any way and all those communications to New York, to your offices, are secured. The only part, that was in any way
compromised was the email-communications about these things. But...
AT - We are not exactly sure, exactly, where this breakdown was, as of yet, right?
MD - Right. And you might not ever know. I mean, all we can say for sure, MediaDefender's mailserver has not been hacked or compromised, and you guys are
basically reporting the same on your side. So, then there's just the public internet between.
AT - Yeah, yeah, I mean, what kind of IDS are you guys running?
MD - Ah, I don't know. Let me look into that.
AT - Because, you know, when was the last update, when was the last time you guys checked any alerts, I mean, I have our people already working on it on our
end. We're looking that our mail and our mailserver is all encrypted. Our entire authentication process is RSA. But you're right if plain text comes from us
to you
MD - Hello, are you guys still on the call?
AT - Are you there?
MD - Yeah I'm here, can you hear me? - Can you hear me? - Are you on a cell phone? - Should we try restarting the phone call? - Is it possible for you to
call from a landline?
AT - Can you hear on what they're doing? Yeah are you there?
MD - Yeah I'm here. - Can you hear me? - Hey bladder_mike, can you hear me?
AT - Yeah we can hear you, can you hear us?
MD - Yeah occasionally. - Hello?
AT - How about now?
MD - Now I can hear you. Now it's totally silent I don't hear anything.
AT - Are there any connections or something, check your processor.
MD - I can hear a little bit of the chatter between you guys, but I can't make out anything that you're saying.
AT - Here's the deal can you hear me now?
MD - Yes.
AT - Problem of it is, we're on a VoIP connection, a VoIP phone.
MD - All I got was you guys were on a voip phone.
AT - Right and I think at this moment, your application is calling your machine back in California and it's chewing up our bandwidth.
MD - Got it. Ok. At least now I understand what the phone situation is. Now I understand a little better the limitations of voip.
AT - Yeah it's eh, we're only on a cable right now, we've got two T1's coming in, once they are in we should be able to turn spend bandwidth on a little
better. Is it better now?
MD - Yeah. It's better. Well, it was for a moment.
AT - How about now, it's probably going to be better now.
MD - Yeah I can.. Yeah.
AT - We'll talk about, we'll keep our e-mail content to a dull roar.
MD - Yeah.
AT - We'll talk by phone unless we can share some PGP-keys for email and if you can check on your end again. Just, I'm checking on my end too, I'm not
accusing you guys. But I think we need to, under the sensitivity of this thing, we both need to make sure that both of our systems are secure on both ends.
Both our mail servers and our networks to make sure that, you know, whoever saw that email didn't see it on either of our mail servers or on the inside of
either of our networks.
MD - Right.
AT - You know, if somebody got access to the mailserver, they might have got access to other machines on the network. And the argument goes that, you know,
even though the data that has been sent from us to you in a secure fashion is secure, if there's somebody sniffing around on your network or on our network
it's not secure on either end. Before it gets into the tunnel.
MD - Okay.
AT - So, em, I think we're good. Some public private key authentication, right and set a password, right, so that we've got a whitelist of IPs that are going
to be only allowed access.
MD - Yeah we already (sent) you that whitelist
AT - Exactly, so we'll go from there. Then, going forward, how much more testing do you guys need to do, and can we set up a *beep* early next week when we
can, can go over exactly what this thing is doing.
MD - Yeah, we can go over things as soon as you like next week. Tuesday, Wednesday, whenever you'd want. We're basically done testing, we deployed, I guess
yesterday or the day before, to your system.
AT - Right.
MD - So at this point, you know, it's just, if you want to review how the data is appearing on your end, there is one thing that Brad has brought up
yesterday as far as making the actual mediafiles more easily viewable and more easily connecting them to the database.
AT - Yes exactly we're going to need to do that.
MD - Right, well the easiest thing for us to do. and, let me know your thoughts about this, how about if we prepend to the filenames, where they are
currently just hash in whatever the extension of the filename should be. How about we prepend to the filename, the real filename from our database?
AT - I mean, that's ok, I guess, at the end of the day what we're going to need to know is, other than the nuts and bolts of it exactly, what data we're
getting from you, what data we have on our end, what your application's doing on our end do with your data. To then go out and connect to the suspect IPs to
pull down the suspect file. I need to be able to testify that in court so I'm going to have to go over that with one of you guys, or all of you. Almost line
by line to say "Here's what happened, this is how we get it, this is the structure we get the data in, this is what the application is doing on your end,
this is what it's trying to do, this is how it's making its connections."
MD - Yeah, all of that is really straightforward and Jake can go over all of that with you on Tuesday.
AT - Ok, that's easy. Then what we're gonna need to do is once we get the file
MD - Right
AT - We have to be able to link them back to the suspect IP along with all your metadata in your database that's associated with that IP. So we get an IP in
New York that's got, according to you guys, a hundred and twenty-seven suspect files that you saw while you were crawling. We (?) connect to them on our end
using your application. It goes out, it connects, it pulls a file or multiple files presumably - hopefully. Gets all of the file or part of the file and it
saves it out to our directory here on our evidence collection array. We then need to look at it - you know - computers are great but they can't tell me what
is and what isn't childporn and illegal sex.
MD - Right
AT - So we need some sort of a viewer or review-viewer that could be web-based - that basically goes back - we can then make a selection whether or not it is
or it is not childporn that gets entered into the database of being childporn or not childporn. And then the database is updated to reflect the fact that from
this IP we got this picture, it is childporn. From these two IPs we got these two pictures, they are not childporn. From this IP we got these 4 pictures, 3
of them are childporn and one is not. So we can begin to make investigative decisions as to who we're gonna subpoena and who we're gonna make as a target
and what evidence we have against this individual target.
MD - Ok.
AT - The thing we are working on that he maybe could give you some structure and (?) but we don't know the structure of the data in your database for him to
try to reverse-engineer those calls to the data in your database to put it into a viewer on our end. But he's done it before in other things so he could
probably help you at least with the web-based HTML template and sort out how the structure seems to work and what we're doing and what we've done in other
things and it's just a matter of, you know, working together on the backend data structure so that it's calling the right stuff and keeping track of the
right stuff statistically.
MD - Ok.
AT - And what is not done -- same database structure that your data is
coming to us in.
MD - Yeah.
AT - -- you could just browse it on a webbrowser on a internal network and look at the data across our internal network in the actual, you know, image files
locally and do the review. So that it's nothing internet-powered, it's all internal, to us here. Yes, we can deal with that next week, I think that will be
good. So we are ready to go other than being able to view the images, make a determination as to what is, what isn't childporn and then keep statistical
counts and records and entries as to what IPs are associated with those contraband files and what IPs and metadata are associated with the non-contraband
files. You know, globally.
MD - Right.
AT - (?) IP addresses and then hopefully we'll have a warm breathing body behind the keyboard of these IP addresses. But that's up to our ... that's our work.
MD - Yeah, that's on you guys.
AT - Yeah, I'm impressed. I think we'll, I think this will be very good. Alright, I'll tell Jay, we set it all, and why don't we plan something for Tuesday
afternoon or something?
MD - Ok, Tuesday afternoon your time?
AT - -- and we can try to finalize basically what this app is doing and we can finalize the last little pieces, some sort of a viewer and Brad can work with
you guys on the structure of the template, the frontend application of that and you guys can help him with the backend and together, I think we can put the
data and the pieces together cause like I say a lot of it has already sort of been done. Knowing your dataset, where all your stuff is in your database.
Cool!
MD - Alright, sounds very good. Alright, so we'll setup a call for Tuesday afternoon your time.
AT - Sounds like a plan. Thank you very much and have a good long weekend.
MD - Thanks a lot and have a good weekend yourselves. Bye.
---
Note: Thanks to MediaDefender-Defenders, #mediadefender and the people working on this, you know who you are.