DanielRoth.net

MediaDefender's main stalking grounds are the destinations that help people find and download movies and music for free. Sites such as the Pirate Bay and networks like Lime Wire rely on peer-to-peer, or P2P, software, which allows users to connect with one another and easily share files. MediaDefender monitors this traffic and employs a handful of tricks to sabotage it, including planting booby-trapped versions of songs and films to frustrate downloaders. When the company's tactics work, someone trying to download a pirated copy of Spider-Man 3 might find the process interminable, or someone grabbing Knocked Up might discover it's nothing but static. Other MediaDefender programs interfere with the process pirates use to upload authentic copies. When Ethan hacked into the company, at the end of 2006, MediaDefender was finishing an exceptional year: Its revenue had more than doubled, to $15.8 million, and profit margins were hovering at about 50 percent.

Ethan and I had first started talking over an untraceable prepaid phone that he carried with him. He eventually agrees to speak in person, as long as I protect his identity. (Ethan is a pseudonym.) We meet after school, in a bookstore that he says is near his house. He hands me a flash drive containing documents that I was later able to independently verify as internal, unpublished information belonging to MediaDefender. He also pulls out a well-creased sheet of paper bearing my name, the first five digits of my Social Security number, a few pictures of me, and addresses going back 10 years. "I had to check," he says. Then he asks me about another Roth he has been researching; it turns out to be my brother. "I was just starting to dig in to him," he says. "There's a lot there." Ethan is a handsome kid, with broad shoulders and a preppy style, and is unfailingly polite, cleaning up the table after I buy him a coffee and patiently walking me through the intricate details of Microsoft security procedures.

Ethan explains to me that the Christmastime break-in didn't proceed very far. While logged into MediaDefender on one computer, he chatted on another with some hacker friends to see if they knew anything about the firm. But the conversation quickly shifted to other exploits the group wanted to pull off on that cold evening—cell-phone hacks, fake pizza deliveries, denial-of-service attacks—and Ethan moved on.

In the spring, however, he decided to explore the company again. Over the next few months, Ethan says, he figured out how to read MediaDefender's email, listen to its phone calls, and access just about any of the company's computers he wanted to browse. He uncovered the salaries of the top engineers as well as names and contact information kept by C.E.O. and co-founder Randy Saaf (with notations of who in the videogame industry is an "asshole" and which venture capitalists didn't come through with financing). Ethan also figured out how the firm's pirate-fighting software works. He passed on his expertise to a fellow hacker, who broke into one of MediaDefender's servers and commandeered it so that it could be used for denial-of-service attacks.

Ethan continued to log in to MediaDefender about twice a week throughout the summer of 2007. Usually, he'd head down to the basement office after his S.A.T. prep classes. After a while, his friends grew tired of hearing about his stunts inside Monkey Defenders, as he began to call the company. And eventually, he himself got bored. So in September, he decided to give the entire thing up, but not before he and a few fellow hackers pulled a prank: They grabbed a half-year's worth of internal emails and published them on the same file-sharing sites prowled by MediaDefender. A comment posted with the messages read, "By releasing these emails we hope to secure the privacy and personal integrity of all peer-to-peer users. The emails contains [sic] information about the various tactics and technical solutions for tracking P2P users, and disrupt P2P services.... We hope this is enough to create a viable defense to the tactics used by these companies." It was signed MediaDefender-Defenders.

A few days later, Ethan and his friends put more material online. One file contained the source code for MediaDefender's antipiracy system. Another demonstrated just how deep inside the company they had gone. This file featured a tense 30-minute phone call between employees of MediaDefender and the New York State attorney general's office discussing an investigation into child porn that the firm was assisting with. (MediaDefender refused to comment for this story.) The phone call makes clear that the hackers had left a few footprints while prowling MediaDefender's computers. The government officials had detected someone trying to access one of its servers, and the hacker seemed to know all the right log-in information. "How comfortable are you guys that your email server is free of, uh, other eyes?" an investigator with the attorney general asked during the call.

"Oh, yeah, yeah, we've checked out our email server, and our email server itself has not been compromised," the MediaDefender executive said.

But, of course, it had.

"In the beginning, I had no motivation against Monkey Defenders," Ethan tells me. "It wasn't like, 'I want to hack those bastards.' But then I found something, and the good nature in me said, These guys are not right. I'm going to destroy them."

And so he set out to do just that: a teenager, operating on a dated computer, taking on—when his schedule allowed—one of the entertainment world's best technological defenses against downloading. The U.S. movie industry estimates that it loses more than $2 billion a year to file sharers; the record industry, another $3.7 billion. "Piracy," intoned Dan Glickman, the head of the Motion Picture Association of America trade group, to Congress in late 2006, "is the greatest obstacle the film industry currently faces." Instead of figuring out whether there is a way to make online distribution work—to profit from downloading—the industry has obsessed for years with battling it. Yet it took only a few months for Ethan to expose just how quixotic that fight has become.
                     
--
 From: Randy Saaf
Sent: Wednesday, April 11, 2007 9:24 p.m.
To: [various MediaDefender employees]
Subject: Fw: .edu filtering
                     
Team Universal is curiouse [sic] if we have any historical data over the last 3 months that show whether .edu IP addresses on p2p have gone down. They want to see if their lawsuits are getting students to stop using p2p (take a moment to laugh to yourself). Let me know if anyone has any ideas.

When Saaf co-founded MediaDefender in 2000, Napster was at the height of its popularity. The file-sharing service was wildly popular on college campuses, where students used speedy broadband lines to amass huge music collections. The Recording Industry Association of America, the music-business trade group, considered Napster to be its No. 1 problem. Saaf thought he had a way to contain it. He invited Cary Sherman, then an R.I.A.A. executive and now its president, to drop by the startup's cramped Claremont, California, offices. As soon as Sherman walked in, he heard a yet-to-be-released Madonna track blaring from a set of speakers. "He was shocked," says Ron Paxson, one of the company's co-founders. "We showed him how we could block it from getting out onto the internet."

Over the next few years, the firm grew as downloading flourished and terrified entertainment execs turned to it for help. The content-wants-to-be-free chant of the internet generation began reverberating in the nightmares of music moguls—and then of executives further and further up the entertainment industry food chain. As broadband speeds increased and data storage got cheaper, it became easier and faster for anyone with a passing interest in pop culture to trade larger files like TV shows, movies, and software.

The technology for trading them also kept improving. When the record industry shut down Napster in 2001, a drove of oddly named services took its place: Ares, eDonkey, Grokster, Kazaa. In 2002, a lone programmer working at a table in his dining room invented BitTorrent, a technology that made file sharing even faster and more efficient. Within a few years of its creation, BitTorrent activity accounted for nearly 20 percent of all internet traffic. Between 2002 and 2006, the file-trading audience nearly doubled, with an average of more than 9 million people sharing files at any given time, according to BigChampagne, a company that monitors P2P traffic. The firm estimates that more than 1 billion songs are traded each month, a number that has more or less remained constant as the trading of feature films and TV shows has exploded.

Yet it has been difficult to quantify the damage supposedly wreaked by downloading. In mid-2007, economists Felix Oberholzer-Gee, from Harvard, and Koleman Strumpf, from the University of Kansas, published the results of their study analyzing the effect of file sharing on retail music sales in the U.S. They found no correlation between the two. "While downloads occur on a vast scale," they wrote, "most users are likely individuals who in the absence of file sharing would not have bought the music they downloaded." Another study published around the same time, however, found there was, in fact, a positive impact on retail sales, at least in Canada: University of London researchers Birgitte Andersen and Marion Frenz reported that the more people downloaded songs from P2P networks, the more CDs they bought. "Roughly half of all P2P tracks were downloaded because individuals wanted to hear songs before buying them or because they wanted to avoid purchasing the whole bundle of songs on the associated CDs, and roughly one-quarter were downloaded because they were not available for purchase."

Still, the entertainment industry believes it knows a bad guy when it sees one and has reacted to file sharing exactly as a character in one of its thrillers or shoot-'em-up games would: with a full-frontal, guns-a-blazing assault. For the past few years, the R.I.A.A. has employed MediaDefender's competitor, MediaSentry, to trace people uploading music so that the trade group can sue them. The R.I.A.A. and the M.P.A.A. have worked to get government on their side: In 2007, the organizations lobbied to water down a California bill designed to crack down on pretexting—the practice of using false pretenses to get personal information about someone. The M.P.A.A. argued that laws against pretexting would cripple its antipiracy efforts by imperiling "certain long-employed techniques to obtain information." In November, the groups lobbied the House of Representatives in support of a bill to make federal funding for universities partially contingent on how effectively they rid their campuses of file sharing.

"This is not Napster," says Harvey Weinstein, the movie mogul who heads the Weinstein Co., a MediaDefender client. "Online piracy has got to be stopped. The biggest spear in the neck of the pirates will be (a) being vigilant, (b) prosecuting, and (c) in a way, making fun of them, finding a way to say, 'That's not cool—that's anything but cool.' If you had people who the young people respect in this industry—Brad Pitt, George Clooney, Shia LaBeouf—if these guys did public service announcements that said, 'Don't steal, stealing's not cool,' I think you can go a long way toward stopping this." Weinstein says that if Democrats maintain control of Congress and gain the White House, he'll flex whatever political muscle he has acquired by being a major donor to achieve one thing: "Tougher, more stringent piracy laws." Does he see any use for P2P systems? "No."

Certainly, the few attempts that entertainment companies have made to accommodate downloaders have come across as halfhearted and have turned out dismally. Five major movie studios—Sony, MGM, Paramount, Warner Bros., and Universal—sank $150 million into a cumbersome film-downloading service called Movielink, rolled out in 2002. In August, they unloaded the unit to Blockbuster for $6.6 million, after concluding that few consumers had the patience to master a technology that didn't match the ease or quality of that being offered by the pirates. NBC and News Corp. are optimistic about Hulu, a site that offers new and archived TV fare, but the shows contain unskippable ads and can't be downloaded, a disadvantage in this era of DVRs and iPods. All this comes after years of the music industry's blundering around for solutions. "The music companies were put on earth to make the video companies seem like visionaries," says Michael Gartenberg, research director of analysis firm JupiterResearch.

So the entertainment business lives by the motto "If you can't join them, beat them." As with all wars, of course, escalation most benefits the arms merchants. In 2005, the music portal ArtistDirect purchased MediaDefender for $42.5 million, making Saaf and his remaining co-founder, Octavio Herrera, multimillionaires at age 29. To retain the two men, ArtistDirect paid them an additional $525,000 each and gave them easy-to-hit bonuses that would keep their income at about $700,000 a year each. And the clients continued to come, even though those inside MediaDefender could see they were losing ground.

--
From: Jonathan Perez [MediaDefender]
Sent: Friday, June 22, 2007 6:33 p.m.
To: [various MediaDefender employees]
Subject: Sicko Torrents Results 6/22
                     
Attached are today's internal testing results for Sicko. Our overall effectiveness did improve. However, we still have no presence on Pirate bay which is a site they are likely watching as it was mentioned in the AdAge article they referenced.

>From: Ethan Noble [Weinstein Co.]
>Sent: Friday, June 15, 2007 10:41 a.m.
>To: [various Weinstein employees]
>Subject: Re: Piracy—this is a real problem
>
>This is AdAge's main story today and
>they talk about ThePirateBay.org
>having [Michael Moore's Sicko] so I
>did a quick search and there are a
>couple of copies of the film on there
>right now. MAYBE and HOPEFULLY
>those are our guy's 'fake' versions…

 
Before Ethan started toying with MediaDefender, the company's biggest problem was a tall 29-year-old Swede named Peter Sunde. He and two partners run the most popular file-sharing site, the Pirate Bay. It draws about 25 million unique visitors every month; dozens of new movies, games, and TV shows pop up each hour. The R.I.A.A.'s international counterpart refers to the site as the "international engine of illegal file sharing." The Pirate Bay doesn't host any of the actual content; it just lists it and supplies the BitTorrent files that let people connect with each other in order to share their libraries.

Sunde lives in a tranquil suburb of Malmö, Sweden, once the country's shipbuilding capital. Today, he's dressed in jeans and a sweatshirt embroidered with a mushroom from the videogame Super Mario Bros. He opens the MacBook Pro in his living room and starts reading a recent email from an attorney representing Prince and the Village People: " 'The owners of the Pirate Bay willfully and unlawfully exploit and misappropriate both Prince's and the Village People's intellectual property and infringe on their rights of publicity,' blah, blah, blah. 'Regardless of Pirate Bay's wishful thinking and erroneous public-relations position on its website that U.S. intellectual property laws are inapplicable,' blah, blah, blah, 'the Swedish government may not be able to protect you.'

"I was reading this yesterday, and I started laughing so hard," Sunde says, swiveling in his chair. "They're going to reach our company? We're not even a company." The partners run the site more as a hobby: There is no registered trademark and minimal overhead. The Pirate Bay is basically just the domain name and a website. Sunde then reads me the reply he is about to post. "For fuck's sake," it begins, "get your facts straight," and becomes more insulting from there.

Sunde is a bit of a philosopher when it comes to what his site does. As he sees it, the Pirate Bay is simply delivering a service to consumers, giving them the entertainment they want when they want it. He motions to the home theater he has rigged up: "Just look at this. I have my own cinema. When I watch a movie, I'd rather be here with a blanket and a girlfriend than at the cinema with a lot of people that are annoying. And that has nothing to do with file sharing. The technology is here for us, so why shouldn't we do it?" As far as Sunde is concerned, Hollywood should stop attacking him and start listening. According to him, consumers don't care about how Hollywood wants to schedule its releases—movie theaters first, then pay-per-view, and so on. They want the content when and where it's convenient and comfortable. Is that so hard to understand?

Sweden is a file sharer's heaven. Its laws protect internet service providers from being sued for what passes through their networks, which gives them little incentive to turn downloaders over to groups like the R.I.A.A. or the M.P.A.A. The country is one of the most wired in the world, with high-speed-internet penetration as high as 75 percent in some areas and an average broadband speed that's nearly five times faster than that of the U.S. And as a rule, Swedish authorities have never been that interested in going after a bunch of websites that didn't seem to be doing anyone any real harm.

Nonetheless, Hollywood tried lobbying Sweden to do something about the Pirate Bay. In May 2006, partly at the prodding of the M.P.A.A., 52 Swedish police barged into multiple locations, including the Stockholm offices of the I.S.P. run by Sunde's partners, Gottfrid Svartholm and Fredrik Neij. Police confiscated 186 pieces of computer equipment and hauled in Svartholm and Neij for questioning. Sunde, who was at home in Malmö, learned about the raid from an email. He quickly downloaded the entire site to his home computer—source code, images, everything—finishing just as the last server was shut down in Stockholm. Three days later, he had the site back up and running, and soon thousands of supporters were turning up at pro-Pirate Bay rallies throughout the country. (The Swedish police have yet to bring charges, though the lead investigator promised in the fall to do so by the end of January—nearly two years after the raid, a delay highly unusual in Sweden.)

Sunde could handle the cops—one of the country's top attorneys immediately signed on to defend the Pirate Bayers. MediaDefender and the rest of the antipiracy firms presented a trickier problem. Even as police officers were preparing their blitz, the Pirate Bay guys were trying to figure out who was already attacking them online. Users complained in message boards and chat rooms that certain files failed to download fully and some that did were pure garbage. Sunde and his partners eventually traced some of the files back to a few hundred IP addresses—the series of numbers assigned to any device connected to the internet in order to identify it.

First, Sunde started blocking IP addresses from servers that appeared to host fake or corrupted files—MediaDefender had thousands of such computers hidden in server farms around the world—and then he blocked all the IP addresses originating from MediaDefender's headquarters. If MediaDefender wanted to search to see whether a client's files were accessible through the Pirate Bay, well, they'd just have to do it from home. Finally, Sunde started messing with his enemy: When MediaDefender tried to upload a torrent—the vital file that coordinates the download process—to the Pirate Bay, MediaDefender would get a notice that there had been a database error, requiring it to start the process over again. As far as the folks at MediaDefender could tell, the problem was with the Pirate Bay and not with the fact that its IP addresses had been detected. It would spend the rest of the day trying and trying to complete the upload. Sunde had managed to turn one of MediaDefender's tricks back on itself.

  But for Saaf and Herrera, the Pirate Bay was just one of many problems. The two men had always been technically savvy, but now they were vastly outnumbered by the swarm of pirates and programmers collaborating to improve file-sharing technology. MediaDefender's IP addresses were exposed so quickly that the company was forced to buy new banks of numbers each month; at one point it considered using its employees' home connections to get fresh IP numbers. MediaDefender's year-over-year cost of doing business jumped 28 percent in the first quarter of 2007. Even worse, its parent company was dealing with the fallout from an S.E.C. inquiry into its accounting practices. To placate the government, ArtistDirect had restated its earnings, which triggered a clause that put into default the $46 million in debt the company had taken out to pay for MediaDefender.

Saaf and Herrera couldn't afford to have the wheels come off their division, which accounted for two-thirds of ArtistDirect's revenue. Worried about the efficacy of its piracy countermeasures, executives sent flurries of emails about how to stage-manage product demonstrations. In one instance, Universal Music Group was in the middle of negotiating a contract renewal worth more than $3.5 million with MediaDefender and wanted to test how effective the firm's tactics were. MediaDefender tried to persuade Universal to use a downloading program called µTorrent, which had been prone to falling for MediaDefender's tricks. In a note to Universal, Saaf hailed µTorrent as "the most popular" in the industry. A month earlier, when µTorrent developers appeared to be fixing the hole that MediaDefender had exploited, one of Saaf's underlings sent out an email asking if MediaDefender's engineers had come up with a plan B. "Randy will ask you very soon, so I'm just trying to preempt a shitstorm," he says.

--
From: Jonathan Lee [MediaDefender]
Sent: Wednesday, July 4, 2007 9:26 a.m.
To: Octavio Herrera, Randy Saaf, Ben Grodsky, Jay Mairs
Subject: Fw: hahahha
                     
We have such a lovely fan base.
                        
----- Original Message -----
>From: David White
>Sent: Wednesday, July 4, 2007 6:04 a.m.
>To: sales@mediadefender.com
>Subject: hahahha
>HAHAHAHAHAHA Digg got your site
>killed, thats what you guys get for
>trying to entrap people. MUSIC AND
>VIDEOS BELONG TO THE PEOPLE!!!!!
>quit trying to trap people downloading
>and suing then [sic], MEDIA
>DEFENDER SUCKS […]
>HAHAHAHAHAHAHAHAHAHAHA
>HAHAH

At some point, MediaDefender's clients were going to notice that Saaf was getting schooled by a bunch of amateur coders and by "the douche," as Saaf referred to Sunde in an email. The solutions devised by Saaf and his programmers were invariably ferreted out by the file-sharing community. In early July, a user at Digg, a heavily trafficked social-bookmarking site, put up a link to an item showing that MediaDefender was behind a new online video site called MiiVi. Bloggers accused the company of running a honeypot to trap pirates who were uploading protected content. Saaf quickly pounded out an email to his senior staff: "This is really fucked," he wrote. "Let's pull MiiVi offline." Ethan says he was behind the leak that led to the Digg post, and of course, he kept up his forays until that weekend in mid-September when he decided to show off his work.

After the company's internal affairs were made public, Saaf and Herrera spent the next few weeks trying to reassure everyone in the entertainment business that their antipiracy efforts were still effective. At a digital music conference held in L.A.'s Roosevelt hotel in early October, the men walked the halls, collaring colleagues and clients to explain what had happened and how they intended to bounce back from the hack. One way was with cash: Within weeks, the company shelled out $600,000 in service credits and another $225,000 to pay for legal advice.

  Reading the purloined MediaDefender emails on the computer screen in his Malmö living room, Sunde realized there might be another method he could use to fight back against MediaDefender. The messages made it clear that Saaf and Herrera had put considerable energy into trying to degrade his work. Sunde called a lawyer to ask whether MediaDefender's actions were legal in Sweden. Then Sunde emailed the Swedish inspector who had raided the Pirate Bay's office—who else knew the operation better?—and informed the inspector that he wanted to bring charges against MediaDefender's clients: Sony, Universal, Atari, and others. Not only had they paid a company to break the Pirate Bay's terms of service—which forbid companies from tracking usage, logging IP addresses, or doing anything disruptive—but MediaDefender had created code specifically for hacking into the Pirate Bay's system. "As long as what you're doing is legal, why should you be attacked by someone using illegal methods?" asks Sunde. The Swedish police have yet to press charges.

Of course, as with many a popular movie, the underdog always mounts a comeback. And recently, some other pirates have also chosen to fight instead of run. After the M.P.A.A. filed a lawsuit against several websites in 2006, the file-sharing portal TorrentSpy countersued for illegal wiretapping, saying the trade group had amassed evidence by hiring a hacker to obtain internal documents. (A judge dismissed the countersuit; TorrentSpy is considering an appeal.) And Sunde is heading up an initiative in the file-sharing community to develop a more secure, less traceable version of BitTorrent. The new protocol, tentatively called SecureP2P, got a boost through Ethan's work: Because programmers were able to view the blueprints for MediaDefender's technology, they will be able to design an even more effective countertechnology.
                     
--
From: Randy Saaf
Sent: Wednesday, May 2, 2007 1:11 p.m.
To: [various MediaDefender employees]
Subject: digg story on hd dvd crack
                     
Look how ape shit the digg community went over the hd dvd crack code post getting pulled from the site. http://digg.com/news/popular/24hours

People sure love their pirated movies

However Saaf and his crew intend to mount a comeback, it's clear that the war against downloading is escalating. "Hollywood is not burned out on silver-bullet technologies the way music is after years of defeat," says Eric Garland, C.E.O. of BigChampagne. "It's just 1999 for video, and the gold rush may be on now." In December, the ratings giant Nielsen announced its plans to enter the piracy-fighting business with a new service that would place traceable fingerprints on copyrighted media.

Perhaps, though, the entertainment business has it wrong. Downloaders aren't thieves; they're just rabid fans. But for the industry's perspective to change, it would have to trample long-held business practices. Hollywood would have to toss out its ability to stagger the opening of films across different media. It would also have to abandon technologies like the encryption used on HD-DVDs to prevent them from being copied or even played on certain machines. (A hacker cracked the encryption in January 2007.) And record labels would have to stop suing downloaders and continue to find other sources for revenue, like ringtones. But for the most part, the Weinsteins of the world see fighting as the only way forward.

"What should a police department do when it turns out there's been a burglary?" asks Rick Cotton, the general counsel of NBC Universal and the chairman of the U.S. Chamber of Commerce's Coalition Against Counterfeiting and Piracy. "Should the police department give up, close its doors, and say this is an impossible task? No. That's silly.

Still, a few months after the MediaDefender-Defenders played their prank, there was a sign that some in Hollywood might be shifting their thinking. A new independent movie called Jerome Bixby's The Man From Earth showed up on one of the file-sharing sites in November. The film's producers had no idea it had even been pirated; all they knew was that suddenly its popularity was skyrocketing. Their websites received 23,000 hits in less than two weeks, and the film's ranking among the most-searched-for movies on the internet movie-tracking site IMDB went from 11,235 to 15. Eric Wilkinson, the film's co-producer, wrote a fan letter to the site responsible for driving traffic to the pirated film: "Our independent movie had next to no advertising budget and very little going for it until somebody ripped one of the DVD screeners and put the movie online for all to download.... People like our movie and are talking about it, all thanks to piracy on the Net!" He requested that fans buy the DVD as well and added, "In the future, I will not complain about file sharing. you have helped put this little movie on the map!!!! When I make my next picture, I just may upload the movie on the Net myself!"
                     
When I try reaching Wilkinson, though, I'm told that the producer is not available. Instead, the movie's director, Richard Schenkman, returns the call. "Eric was clearly being sarcastic," Schenkman says about the offer to upload the film. "That's why he put in the exclamation points." I tell him his partner certainly sounded enthusiastic about file sharing. "Look, I have mixed feelings about this," Schenkman replies. "As a filmmaker, I love that people love the movie and have seen the movie. But as a person who literally has a hunk of his own life savings in the movie, I don't want to be ripped off by people illegally downloading the movie. Some of these downloaders want to believe they're fighting the man. But we're all just people who work for a living." He acknowledges, however, that DVD sales of the film increased after the leak, and that people have even been pledging money on a site the filmmaker set up to accept donations in markets where the DVD isn't for sale. "I'm not saying I have the answers," Schenkman says.
                     
Meanwhile, Ethan has moved on to other companies. He and his friends have a few targets in mind that don't happen to be in the entertainment industry. He told me he'd also like to quit the business altogether but hasn't been able to give up the rush it brings. No doubt, other kids are hunkering down over their keyboards to see if they can't replicate the MediaDefender-Defenders' work. And some pirate is finding new ways to disseminate the material. Eventually, Hollywood will no longer be able to continue fighting its enemies at the expense of its customers. If they can't beat them, they'll finally have to join them. That is, if they want to keep having customers.