MD - Hello.
AT - Yes?
MD - Hi, this is Ben Grodsky (AT: Hello), MediaDefender.
AT - Alright, Mike McCartney, Brad Bartram and Jim Dommers
MD - Hi there, guys.
AT - Howdy, good; how are we doin'?
MD - Alright.
AT - Alright, uhm..
MD - I'm sorry, go ahead.
AT - Well, have you guys had an opportunity to kinda look to see where this may have, uhm, may have stemmed from?
MD - Yeah, it seems, I mean, from our telephone call yesterday it seems that, ah, we all pretty much came to the conclusion that it probably was, ah, caught in the email transmission, because the, ah, attacker, I guess let's just call the Swedish IP the attacker, umm, knew the login and the IP address and port, umm, but they weren't able to get in, because we had changed the password on our end, you know, following our normal security protocol, ahm, when we're making secure transactions like these, on the first login we'll change the password. So..
AT - Right.
MD - Obviously, well, not obviously, but it seems that, ah, the most likely scenario is that at some point that, you know, was, ahm, intercepted, you know, just because it's probably, it was going through the public internet and there wasn't any sort of encryption key used to, ahm, protect the data and email.
AT - But what kind of, well we use RSA on our end. Uhm, so I mean we have RSA authentication through our Exchange-server, uhm, to get (MD: ok) into our stuff.
MD - Right. (AT: And all our...) But then, but then, but then it's going from your mail-server to our mail-server, that it's going through all the routers and hubs on the way and we don't have, we didn't make any kind of, ah, you know, key between our servers to make sure that the Internet (AT: and it....) would, would, would, ah, only be viewable by people with that key.
AT - Right, no, I understand that, we could certainly add PGP-encryption or some other email-encryption so that it's encrypted in transit, but I guess what I'm saying is that how comfortable are you guys that your email-server is free of, uh, other eyes?
MD - I'm not sure what you mean, our email-server isn't free of other eyes. I mean there is nothing to say that this email was intercepted on our end as opposed to it being intercepted on your end.
AT - (AT2: True...) That is true. I mean, obviously somebody...
AT2 - The question is, are you comfortable that it was not intercepted on your end....
AT - I mean, I know it can get grabbed, I mean theoretically, hypothetically it can get grabbed anywhere along the way as it transmits through routers and different protocols from our end to your end, but I guess we're asking: are you comfortable that you guys don't have anybody in your email-server?
MD - Oh yeah, yeah, we checked out our email-server and our email-server itself has not been compromised. I'm sorry I didn't (AT2: and then that...) I didn't think that was your question.
AT - Ok, yeah, that I guess I wasn't clear, I just, I mean you guys know as well as we know that you guys are a major target of hackers.
MD - Right, no, we're a major target of hackers, and then, you know, you guys are part of the government, the government is always a major target of hackers and people trying to sneak around for information. So I mean both of us are, are, are pretty big targets.
AT - Yeah, yeah, absolutely. And that's why I guess, you know, and obviously the content of this operation that we're doing is extremely sensitive and that's why, you know, we're, we take very extra caution and security measures when we're talking about access to any of these secure inside-networks that we're dealing with, so we just need, you know, let's make sure that we add whatever security and functionality we need to, so not only our data-communications and protocols are secure and maybe we should wrap 'em in a VPN-Tunnel, uhm, public private key for the data that is transmitted between us but also for our email-communications, uhm, making sure that, you know, we can talk to each other through email using, uhm, you know, another layer of communication so that, you know, nobody can understand or read what the hell we're talking about with each other.
MD - (long silence) Yeah. Yeah, I mean, we can certainly, uhm, set up a PGP-key for the email, uhm, as far as the doing the VPN-Tunnel or something like that, uhm, you know, I can look into that with Jay when he comes back on Tuesday.
AT - OK. Uhm, I don't wanna slow down performance either, I mean, if that's gonna really dog our communication link between each other.
MD - You know, I think that really right now what we could do if you wanted, is, as we discussed yesterday, we could change the port that we're doing things on your server.
AT - We're already in the process of that.
MD - OK, so we can do that, we can change the login, obviously the password, you know, if you guys need to know what password we're using we could just communicate that by phone, and I think the email isn't really an issue as long as we don't really say anything particularly sensitive in the emails.
AT - Right. *someone's knee bumps a table*
MD - You know, and, we're pretty available by phone, so, if guys are comfortable with just communicating with us by phone then anything that's really really sensitive we could just communicate in this fashion. I know it's a little bit cumbersome...
AT - Yeah, it can be sometimes, I mean, email's so easy, and that's why it's (AT2: whatever it takes to get this done...) yeah, I mean, this is obviously a very sensitive investigation, as you know, and we, I'm just nervous now going back through old emails and we knowing we didn't really say too much in our earlier communications but if anybody was successful sniffing our communication between each other over the last month, I mean, that obviously couldn't know that you guys were helping the state of New York and the Attorney General's office in a child porn-investigation of global scale, based on some of the child porn-keyword-list-text files we attached and sent back and forth to each other, some of the results that you guys have sent in, the preliminary results of the keyword-crawling...
MD - Yeah, yeah, but, you know, I mean by the same token obviously people are always aware that child porn is a, is something that they need to be, you know, not transmitting in the first place. So anyone transmitting is, per se, infringing on the wha, committing crimes.
AT - And as such they go through extra lengths to try make and find out what law enforcement is doing so they can avoid being caught.
MD - Right. Yup, yup, you know, one thing to keep in mind, is, that you know, Peer-to-Peer-networks are global and for this particular initiative we have decided, just from a technical standpoint on our end, we have just decided to use a particular Peer-to-Peer-network, we could always switch to a different Peer-to-Peer-network if that became an issue in the future, but, you know, we are still seeing, ummm, that there would be a good amount of data coming through to you, so I don't think that this is going to have the effect of, you know, somehow quashing all the data that you would even be able to collect from us.
AT - No, I don't think so either. I think that the Peer-to-Peer-network as a whole is a target-rich environment, but I also know through 15 years of doing this, is that if a pedophile is in the Peer-to-Peer-network, he's in newsgroups, he's on websites, he's in chat rooms, he's everywhere else, I mean, they're not generally isolated to one technology and they also go to great lengths to try to proxy and cover themselves and, you know, view hacker-blogs and logs, looking for what law enforcement's doing and it wouldn't be outside the realm of a hacker-group, many of which we've taken down in the past, big organized crime-groups of pedophiles, to pay hackers for information about what law enforcement is doing.
MD - Yeah.
AT - And then, that's all, I'm not saying that this particular small little piece of a global child porn investigation is compromised, we will get lots and lots of bad guys in this, I'm convinced, and I don't have any concern of that.
MD - Alright, uh.
AT - All scheme of being able to keep, you know, what we do in law enforcement a secret and protected as best we can, so we that can continue to being successful. (AT2: thank you....)
MD - Right.
AT - So, ok, uhm, more thoughts on exactly what we're going to institute as far as communication-protocols here?
AT2 - Yeah, at this point, what I've done is uh, I've changed the port for access on that, I haven't opened it up yet, so what I want to do is, I'd like to (AT: tell him it's ok to go ahead...) set up a password authentication initially, give you guys a chance to have a public key (AT: right..) authentication mechanism on that.
MD - Ok, so you've already changed the port and you're gonna set up, you already have or you are about to set up authentication for the password?
AT2 - No, I've already set up a new username and password (AT: right...) that you can use for general access to the server itself, (MD: OK) and what I'd like to do is next probably hour or two, disable password authentication on that server all together and exclusively reserve it to this public key.
MD - Ok, so you're gonna disable password authentication and enable a public key.
AT2 - Yeah.
MD - Ok.
AT2 - And, ah, from there we can we can communicate until we come up with a little bit more of permanent more little feature or something, yeah
AT - Here's the problem, a potential problem, and again, from the law-enforcement-perspective: The intelligence information that you guys are gathering, that's being sent to our systems and then our evidence-collection-process here, we need to be able, it needs to be able to stand up in court, and in order for us, I think, to do that from a legal standpoint, we have to be able to get on a stand and say that the data that we get from you, is, pristine, it's validated, it's verified, there's no chance that, or there's a very limited chance that the data that came from you to us, was in any way compromised, edited, modified, or goofed with, so that the information that we get from you, that we rely upon, we can go out and connect to the IP-machine, the IPs and the machines in New York that have the contraband files that we're pulling down, are all wrapped together in one nice little bundle, and...
MD - That part has not been compromised in any way, I mean, the communication between our offices in Santa Monica and data centers in Los Angeles and El Segundo have not been compromised in any way and all those communications to New York, to your offices, are secured. The only part, that was in any way compromised was the email-communications about these things. But exactly...
AT - We are not exactly sure, exactly, where this breakdown was, as of yet, right?
MD - Right. And you might not ever know. I mean, all we can say for sure, MediaDefender's mail server has not been hacked or compromised, and you guys are basically reporting the same on your side. So, then there's just the public Internet between.
AT2 - I think, I think our communications need to be encrypted....
AT - Yeah, yeah, I mean, what kind of IDS are you guys running?
MD - Ah, I don't know, let me look into that.
AT - Because, you know, when was the last update, when was the last time you guys checked any alerts, I mean, I have our people already working on it on our end. Like I said, our mail and our mail server is all encrypted. Our entire authentication process is RSA. But you're right if plain text comes from us to you...
MD - Hello, are you guys still on the call?
AT - Are you there?
MD - Yeah I'm here, can you hear me? - Can you hear me? - Are you on a cell phone? - Should we try restarting the phone call? - Is it possible for you to call from a land line?
AT - Can you hear on what they're doing? Yeah are you there?
MD - Yeah I'm here. - Can you hear me? - Hey Brad or Mike, can you hear me?
AT - Yeah we can hear you, can you hear us?
MD - Yeah occasionally. - Hello?
AT - How about now?
MD - Now I can hear you. Now it's totally silent I don't hear anything.
AT - Are there any connections or something, check your processor.
MD - I can hear a little bit of the chatter between you guys, but I can't make out anything that you're saying.
AT - Alright, here's the deal, can you hear me now?
MD - Yes.
AT - Part of it is, we're on a VoIP connection, a VoIP phone. (MD: Ok...)
MD - All I got was you guys were on a VoIP phone.
AT - Right and I think at this moment, your application is calling your machine back in California and it's chewing up our bandwidth.
MD - Got it. Ok. At least now I understand what the phone situation is. Now I understand the limitations of VoIP better. (*laughs*)
AT - Yeah it's eh, we're only on a cable right now, we've got two T1s coming in, once they are in we should be able to spread our bandwidth out a little better. Is it better now?
MD - Yeah. It's better. Well, it was for a moment. (*chuckle*)
AT - How about now, it's probably going to be better now.
MD - Yeah I can (AT: Uhmm...) Yeah.
AT - We'll talk about, we'll keep our e-mail content to a dull roar.
MD - Yeah.
AT - We'll talk by phone unless we can share some PGP-keys for email and if you can check on your end again. Just, I'm checking on my end too, I'm not accusing you guys. But I think we need to, under the sensitivity of this thing, we both need to make sure that both of our systems are secure on both ends. Both our mail servers and our networks to make sure that, you know, whoever saw that email didn't see it on either of our mail servers or on the inside of either of our networks.
MD - Right.
AT - You know, if somebody got access to the mail server, they might have access to other machines on the network. And the argument goes that, you know, even though the data that has been sent from us to you in a secure fashion is secure, if there's somebody sniffing around on your network or on our network it's not secure on either end. Before it gets into the tunnel.
MD - Okay.
AT - So, em, I think we're good. Some.......... public private key authentication, right and set a password, so that we've, so we got a white list of IPs that are going to be only allowed access.
MD - Yeah, we already provided you that whitelist.
AT - Exactly, so we'll go from there. Now, going forward, how much more testing do you guys need to do, and can we set up a time early next week where we can, we can go over exactly what this thing is doing.
MD - Yeah, we can go over things as soon as you like next week. Tuesday, Wednesday, whenever you'd want. We're basically done testing, we deployed, I guess yesterday or the day before, to your system.
AT - Right.
MD - So at this point, you know, it's just, if you want to review how the data is appearing on your end, and then there is one thing that Brad has brought up yesterday as far as making the actual media files more easily viewable and more easily connecting them to the database.
AT - Yes exactly we're going to need to do that.
MD - Right, well the easiest thing for us to do, and, let me know what your thoughts are about this, how about if we prepend to the filenames, where they currently are just a hash in whatever extension the filename should be. How about we prepend to the filename, the real filename from our database?
AT - (*cough*) I mean, that's ok, I guess, at the end of the day what we're going to need to know is, other than the nuts and bolts of it exactly how, what data we're getting from you, what data we have on our end, what your application's doing on our end do with your data. To then go out and connect to the suspect IPs to pull down the suspect file. I need to be able to testify that in court so I'm going to have to go over that with one of you guys, or all of you. Almost line by line to say "Here's what happened, this is how we get it, this is the structure we get the data in, this is what the application is doing on your end, this is what it's trying to do, this is how it's making its connections."
MD - Yeah, all of that is really straightforward and Jake can go over all of that with you on Tuesday.
AT - Ok, that's easy. Then what we're gonna need to do is once we get the file
MD - Right
AT - We have to be able to link them back to the suspect IP along with all your metadata in your database that's associated with that IP. So we get an IP in New York that's got, according to you guys, a hundred and twenty-seven suspect files that you saw while you were crawling. We bluntly connect to them on our end using your application. It goes out, it connects, it pulls a file or multiple files presumably - hopefully. Gets all of the file or part of the file and it saves it out to our directory here on our evidence collection array. We then need to look at it - you know - computers are great but they can't tell me what is and what isn't child porn and illegal sex.
MD - Right
AT - So we need some sort of a viewer or review-viewer that could be web-based - that basically goes back - we can then make a selection whether or not it is or it is not child porn that gets entered into the database of being child porn or not child porn. And then the database is updated to reflect the fact that from this IP we got this picture, it is child porn. From these two IPs we got these two pictures, they are not child porn. From this IP we got these 4 pictures, 3 of them are child porn and one is not. So we can begin to make investigative decisions as to who we're gonna subpoena and who we're gonna make as a target and what evidence we have against this individual target.
MD - Ok.
AT - The thing we are working on that he maybe could give you some structure and template to but we don't know the structure of the data in your database for him to try to reverse-engineer those calls to the data in your database to put it into a viewer on our end. But he's done it before in other things so he could probably help you at least with the web-based HTML template and sort out how the structure seems to work and what we're doing and what we've done in other things and it's just a matter of, you know, working together on the back end data structure so that it's calling the right stuff and keeping track of the right stuff statistically.
MD - Ok.
AT - And what is not done -- same database structure that your data is coming to us in.
MD - Yeah.
AT - -- you could just browse it on a web browser on an internal network and look at the data across our internal network in the actual, you know, image files locally and do the review. So that it's nothing Internet-powered, it's all internal, to us here. Yes, we can deal with that next week, I think that will be good. So we are ready to go other than being able to view the images, make a determination at what is, what isn't child porn and then keeps statistical counts and records and entries as to what IPs are associated with those contraband files and what IPs and metadata are associated with the non-contraband files. You know, globally.
MD - Right.
AT - (*coffee mug set on table*) IP addresses and then hopefully we'll have a warm breathing body behind the keyboard of these IP addresses. But that's up to our ... that's our work.
MD - Yeah, that's on you guys.
AT - Yeah, I'm impressed. I think we'll, I think this will be very good. Alright, I'll tell Jay, we set it all, and why don't we plan something for Tuesday afternoon or something?
MD - Ok, Tuesday afternoon your time?
AT - -- and we can try to finalize basically what this app is doing and we can finalize the last little pieces, some sort of a viewer and Brad can work with you guys on the structure of the template, the front end application of that and you guys can help him with the back end and together, I don't think it would take more than a day or two to piece it together 'cause like I say a lot of it has already been sort of been done. Knowing your dataset, where all your stuff is in your database.
Cool!
MD - Alright, sounds very good. Alright, so we'll set up a call for Tuesday afternoon your time.
AT - Sounds like a plan. Thank you very much and have a good long weekend.
MD - Thanks a lot and have a good weekend yourselves. Bye.
---
Note: Thanks to MediaDefender-Defenders, #mediadefender-defenders and the people working on this, you know who you are.