FCC spanks Comcast for P2P blocking: no fine, full disclosure

The Federal Communications Commission has sanctioned Comcast for "secretly degrading peer-to-peer applications," as the agency put it today. The Commission has issued a decision arguing that its Internet Policy Statement gives it the power to regulate Internet network management, and that Comcast's management was unreasonable. The FCC's Order will require Comcast to "disclose the details of its discriminatory network management practices to the Commission," set up a compliance plan to fix the problem, and fully outline its new practices to the FCC and consumers by the end of this year.

At today's Open Commission hearing, FCC Wireline Bureau chief Dana Shaffer announced the division's conclusions. Comcast network management practices "discriminate against network management protocols rather than treating them equally," Shaffer said. The company has deployed network management technology that "selectively terminates" P2P connections. Shaffer called Comcast's practices "invasive," charging that the firm essentially prioritizes digital mail, not based on the address on the envelope, "but on the type of letter."

"Will the Internet evolve out in the open?" asked FCC Commissioner Michael Copps. "Or will network operators bring it under their control for their own purposes?" A majority of three agency Commissioners voted today for an Order that they hope will preserve openness: Copps, his fellow Democrat Jonathan Adelstein, and, most significantly, FCC Chair Kevin Martin, who continued Shaffer's mail metaphor in his public comments.

"Would anyone here actually be OK if the Post Office was opening your mail and deciding that they didn't want to bother delivering it and hiding that fact by sending it back to you stamped 'address unknown, return to sender'?" Martin asked the audience. "Or would anyone here be OK if someone sent them a First Class letter, and the Post Office decided that they would open it, and deciding that because the mail truck was full sometimes, they would make the determination that your letter could wait, and then they would hide that fact from you, the fact that they had read your letter and opened it, and that they decided to delay it?"

"Unfortunately, this was exactly the practice that Comcast was engaging in with their own subscribers' Internet traffic," Martin declared.

Two of the agency's five members dissented: Republicans Robert M. McDowell and Deborah Taylor Tate. Tate argued that the matter would be better resolved via private negotiations. McDowell contended that the FCC lacks the authority to enforce the issue, and that "the truth is that the FCC does not know what Comcast did or did not do."

The agency responded to complaints filed last year by Free Press and Public Knowledge, and to a petition from the Vuze Corporation, charging that Comcast has chronically interfered with P2P traffic. Through 2008 the Commission received well over 30,000 statements, comments, and studies on the matter. It also held two full hearings, at Harvard Law School and Stanford University.

Comcast sent Ars a response to Martin's comments even before he finished making his public statement at today's hearing. The cable giant said it was grateful that the agency's decision did not include a fine. "On the other hand, we are disappointed in the Commission's divided conclusion because we believe that our network management choices were reasonable, wholly consistent with the industry practices and that we did not block access to Web sites or online applications, including peer-to-peer applications," declared Comcast Senior Director Sena Fitzmaurice.

Comcast also warned that it is pondering its legal options. Many observers expect the ISP to take this ruling to court.

Further reading

The FCC's news release on its decision

Reactions to FCC’s Comcast decision come fast and furious

Hope, indignation, and outrage greeted the Federal Communications Commission's enactment of sanctions against Comcast for throttling P2P applications. Much of the response came before today's ruling, following FCC Chair Kevin Martin's disclosure last week of the impending decision.

A "historic test," complainant Free Press called the move. "If the commission decisively rules against Comcast, it will be a remarkable victory for organized people over organized money." Today's decision confirmed the advocacy group's hopes. "Defying every ounce of conventional wisdom in Washington, every-day people have taken on a major corporation and won an historic precedent for an open Internet."

Jay Monahan

Jay Monahan, General Counsel of Vuze, told Ars yesterday that when the hi-res video content company filed its net neutrality petition, he didn't expect the explosion of passionate support that followed. "When I saw the thousands of submissions to the Commission by consumers and the standing room only FCC field hearings that we attended and in some cases testified at, that part surprised me," Monahan confided in an interview. "That there were that many people paying this much attention to this."

The FCC's action may also be a global precedent. Ars asked Columbia law professor Tim Wu whether any other country has taken similar steps. It's a tricky call, he responded, because, unlike the United States, some countries have retained their common carrier powers over the Internet.

"However, in terms of enforcement, this is a first in the world as far as I know," Wu said.

Comcast and its allies

Meanwhile, Comcast, the recipient of today's punitive FCC Order, has been serving up a steady stream of clenched jaw rhetoric. "The Commission's order raises significant due process concerns and a variety of substantial legal questions," the company warned today. "We are considering all our legal options and are disappointed that the commission rejected our attempts to settle this issue without further delays."

The rest of the cable industry has resolutely stood by Comcast's side. On Tuesday, a senior VP of Time Warner cable met with the FCC, warning that "government intrusion into broadband providers' traffic management practices would have a chilling effect on investment and innovation." Four days earlier, the National Cable and Telecommunications Association sent the agency a chart of the network management practices of the nation's top colleges and universities. "If there is to be regulation, therefore, it must apply equally to all providers," NCTA's filing grimly advised.

But the undisguised outrage has come from the hardcore right, which views with horror the spectacle of Republican FCC Chair Martin delivering what it sees as the broadband equivalent of the Fairness Doctrine. The Wall Street Journal's editorial writers—who must surely sign a pact never to read the newspaper's excellent articles about telecommunications—lambasted Martin on Wednesday as a self-appointed "Master of the Media Universe," a chump for Moveon.org, and worse.

"Mr. Martin is also greasing the skids for a potential Barack Obama Administration to take an Internet industrial policy who knows where," the Journal warned. Ditto, declared House Republican Minority leader John Boehner, who the next day sent an angry letter to Martin, denouncing his efforts to "hijack the evolution of the Internet to everyone's detriment."

One senses in these frantic protests legitimate fears that Martin's move represents yet another sign that these are the End Days of the Reagan Era. It is very unlikely that the FCC's 42-year-old chief parties with the Free Press crowd. But with today's ruling, he has clearly sided not just with the FCC's "two Democrats," as the Journal bitterly calls them, but with a younger, technology-loving generation that sees government as an ally rather than The Problem.

Net neutrality isn't a slippery slope

In Ars' interview with Jay Monahan, the attorney bristled at the Wall Street Journal's insistence that "net neutrality is a slippery slope toward interventions of all kinds." It is the opposite, he insisted. "What Martin has proposed, and what the Commission is about to do, is exactly designed to protect innovation, and to protect competition," Monahan argued. "If net neutrality means anything, it means not that each of us is made equal in the marketplace, but that at least we have an equal set of rules that are transparent to all of us in order to compete."

Nobody, least of all Vuze, thinks this fight is over. Monahan says he fully expects Comcast to "appeal the Commission's order"—which means a lawsuit against the FCC, a Congressional counterattack, or both. Still, he sees today as a day to celebrate.

"We do view this as a first step," Monahan concluded. "A first step towards helping to build an open and free Internet. And we're grateful to the Commission for having the courage to adopt this order so that we can move forward and go back to our Palo Alto office and continue to compete in this marketplace."

40 million stolen credit cards later, DoJ charges 11 hackers

A group of hackers who perpetrated numerous credit card and personal identification thefts is being charged with crimes including conspiracy, computer intrusion, fraud, and identity theft. Altogether, this constitutes the largest hacking and identity theft case ever prosecuted by the Department of Justice.

Eleven perpetrators from around the world are being charged with the theft and illegal sale of credit card numbers and personal information stolen from retail stores like TJ Maxx, Office Max, Boston Market, Barnes & Noble, Sports Authority, Forever 21, DSW, and more. After obtaining the data, the perpetrators stored it in an encrypted format (a step that others could learn from) on servers in Eastern Europe and the US, then sold the data to customers in those countries. Credit card numbers were typically imprinted onto blank cards, then used to withdraw tens of thousands of dollars from ATMs.

One perpetrator, Albert Gonzalez, had previously been arrested by the Secret Service in 2003 for access device fraud. Gonzalez was acting as a confidential informant for the agency during the course of this most recent investigation, but was found out to be criminally involved with another case of stealing credit card data from the Dave & Buster's chain. Because of this, he faces a maximum penalty of life in prison if he is convicted of all charges.

Courts in various cities will hear the charges brought against this retail hacking ring. For example, a San Diego indictment against Hung-Ming Chiu and Zhi Zhi Wang, both of the People's Republic of China, and a person known only by the online nickname "Delpiero" (a real name and origin are unknown) charges the three with conspiracy to possess unauthorized access devices, trafficking in unauthorized access devices, trafficking in counterfeit access devices, possession of unauthorized access devices, aggravated identity theft, and aiding and abetting.

With the help of Sergey Pavlovich, of Belarus, and Dzmitry Burak and Sergey Storchak of Ukraine, these eight perpetrators are charged with operating an international stolen credit and debit card distribution ring, and selling these cards for personal gain. As an example, the indictment cites Yastremskiy alone as receiving over $11 million from these activities. Suvorov and Yastremskiy were charged in May with accompanying Gonzalez when hacking the Dave & Buster's chain.

"So far as we know, this is the single largest and most complex identity theft case ever charged in this country," said Attorney General Mukasey in the DoJ press release. "It highlights the efforts of the Justice Department to fight this pernicious crime and shows that, with the cooperation of our law enforcement partners around the world, we can identify, charge and apprehend even the most sophisticated international computer hackers." It also highlights the risk to consumers when retailers are lax with data they collect on consumers in the ordinary course of business.

Brazilian hackers stalk Twitter, try to wax the unwary

Social websites like Facebook and MySpace have attracted a great deal of attention as targets of opportunity for phishing scams, but they are scarcely the only two social networking sites. New information suggests that hackers have tuned in to the newfound popularity of microblogging, and are at the very least evaluating Twitter as a potential target.

In a blog post at Kaspersky Labs' Viruslist, Dmitry Bestuzhev describes the attack and how it functions. The Twitter profile itself was created specifically for the attack; the profile information is posted in Portuguese. There's nothing on the page but a link to a video promising hot girl action. Actually clicking on the file redirects the browser and instructs the user to download a new version of Adobe Flash that's supposedly required to watch the "film."

By this point, alarm bells should've been ringing if they haven't already gone off; end-users who install the fake Flash update end up with what Dmitry describes as 10 banker Trojans, all disguised as MP3 files. Based on information in the profile, the location of the web servers, and the e-mail the malware program sends, he believes this attack originated in Brazil—though it's virtually impossible to be 100 percent sure.

The actual payload is nothing new, and delivery requires little more than a web server and some Trojans. The threat, as is typical with phishing schemes, lies within the attack vector itself. The current structure of Twitter, according to Bestuzhev, leaves the service vulnerable to abuse. Unprotected Twitter profiles are indexed by Google, which could allow an infected profile to bounce to the top of a search index, and Twitter is currently vulnerable to an exploit that allows an attacker to force his victim to follow him on Twitter. The more followers attached to an infected page, the better the chances that the infection could spread. As the infection spreads, the profile's number of followers on Twitter rises, which increases the chance of infection…you get the idea.

Dmitry notes that this type of attack hasn't surfaced as a full-blown assault in the wild—at least not yet—but hackers are obviously taking a proactive approach to new delivery systems. Today's viability test can become next week's viral explosion, making it all the more important to patch flaws as they are discovered. As for Twitter itself, the very nature of the service could make it amenable to certain attack vectors. The best way to discover if an e-mail or website is genuine or not is to read it; the vast majority of phishing lures are written in lousy English, and a little context goes a long way towards classifying an e-mail. Twitter, by definition, is all about removing that context and cutting straight to the point in 140 characters or less.

There are still plenty of ways to tell a real Twitter user from a fake one, and the company has committed to patching the auto-follow vulnerability I mentioned earlier, so these loopholes will hopefully be closed before anyone manages to take advantage of them. Phishers, however, will probably follow the money trail, keen to present their wares to anyone they can convince to click in just one sentence or less.

2 IP addresses, 40 matches: Tufts tries to cut RIAA driftnet

One of the problems with the RIAA's lawsuit campaign is that it's heavily reliant on the assumption that tying an IP address to a person sitting at a PC at a particular time is a trivial matter. The reality is much messier, as a case involving 11 students at Tufts University in Massachusetts demonstrates. A vice president at the school has written to a federal judge, pointing out the difficulty of tying the 11 IP addresses logged by MediaSentry to specific MAC addresses (and users).

Under a March court order, Tufts (and other schools and ISPs in that particular district) are supposed to provide the court with a list of all possible matches when unable to determine the identity of the user sought by the RIAA to a "reasonable degree of technical certainty." The judge then reviews the list and makes a determination on how to proceed. In the case of Zomba Recording v. Does 1-11, Tufts argues that there are just too many possible users involved, which has implications for this particular RIAA fishing expedition.

While Tufts can tie three IP addresses to particular MAC addresses with reasonable certainty, two of the other IP addresses fingered by MediaSentry could have been used by as many as forty users during the time in question. "It is therefore difficult to conclude with any reasonable level of certainty that any one of those users was actually using the IP address in question at the relevant time," writes the university. "We believe, in these two instances, that it would be unfair to identify all possible individuals meeting the plaintiffs' criteria, given the low likelihood of identifying the guilty party."

Tufts keeps data on MAC addresses—all of which are registered to particular users—for a period of years. The IP addresses assigned to those MAC addresses via DHCP, however, are only kept for 10 days before being overwritten. The school also uses Address Resolution Protocol to grab entries from routers around the campus at various intervals, but as it only records the first and last times a particular user is assigned an IP address, it is an imprecise and incomplete record.
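The attribution gap the letter describes is easy to see in code. The following is an added illustration, not Tufts' tooling or anything from the court filing: it parses a constructed DHCP log (the line format, the IP, the MAC addresses and the timestamps are all made up), purges leases older than the 10-day retention window the article cites, and falls back to a coarse first-seen/last-seen record when the precise lease data is gone. Deriving that coarse record from the same leases is an assumption standing in for the periodic router ARP polls the article mentions; the point is only that a record which keeps the first and last time a user held an address cannot say who held it at any moment in between.

```python
"""Who held this IP at this time?  Attribution from DHCP leases vs. coarse ARP records.

Added example for the retention problem described above; not Tufts' code.
All log lines, addresses and times below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Lease:
    ip: str
    mac: str
    start: datetime
    end: datetime


@dataclass(frozen=True)
class Sighting:
    """Coarse record: only the first and last time a MAC was seen with an IP."""
    ip: str
    mac: str
    first_seen: datetime
    last_seen: datetime


# Constructed DHCP server log in a hypothetical format: time, message, key=value fields.
# One address is handed to three different hosts in a day, and back to the first host later.
SAMPLE_DHCP_LOG = """\
2008-03-01T08:00:00 DHCPACK ip=10.1.2.3 mac=00:11:22:33:44:01 lease=3600
2008-03-01T09:30:00 DHCPACK ip=10.1.2.3 mac=00:11:22:33:44:02 lease=3600
2008-03-01T11:00:00 DHCPACK ip=10.1.2.3 mac=00:11:22:33:44:03 lease=3600
2008-03-01T14:00:00 DHCPACK ip=10.1.2.3 mac=00:11:22:33:44:01 lease=3600
"""


def parse_dhcp_log(text):
    """Turn each DHCPACK line into a Lease with an explicit start and end."""
    leases = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, _msg, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        start = datetime.fromisoformat(ts)
        end = start + timedelta(seconds=int(kv["lease"]))
        leases.append(Lease(kv["ip"], kv["mac"], start, end))
    return leases


def first_last_sightings(leases):
    """Collapse leases into first-seen/last-seen per (ip, mac), as a coarse ARP record would.
    (Assumption: stands in for periodic router polls; it loses every gap in between.)"""
    seen = {}
    for lease in leases:
        key = (lease.ip, lease.mac)
        first, last = seen.get(key, (lease.start, lease.end))
        seen[key] = (min(first, lease.start), max(last, lease.end))
    return [Sighting(ip, mac, f, l) for (ip, mac), (f, l) in seen.items()]


def retained_leases(leases, now, retention_days=10):
    """Model a log that is overwritten after `retention_days` (the article cites 10)."""
    cutoff = now - timedelta(days=retention_days)
    return [lease for lease in leases if lease.end >= cutoff]


def candidates_from_leases(leases, ip, at):
    """Exact answer: MACs whose lease on `ip` covered the instant `at`."""
    return {l.mac for l in leases if l.ip == ip and l.start <= at < l.end}


def candidates_from_sightings(sightings, ip, at):
    """Coarse answer: every MAC whose first/last window on `ip` spans `at`."""
    return {s.mac for s in sightings if s.ip == ip and s.first_seen <= at <= s.last_seen}


def attribute(ip, at_iso, now_iso, dhcp_log=SAMPLE_DHCP_LOG, retention_days=10):
    """Return (source, candidate MACs) for who held `ip` at `at_iso`, when asked at `now_iso`.

    Falls back to the coarse record once the precise leases have aged out of retention."""
    at, now = datetime.fromisoformat(at_iso), datetime.fromisoformat(now_iso)
    leases = parse_dhcp_log(dhcp_log)
    sightings = first_last_sightings(leases)          # long-lived, coarse
    live = retained_leases(leases, now, retention_days)  # short-lived, precise
    exact = candidates_from_leases(live, ip, at)
    if exact:
        return "dhcp", exact
    return "arp-first-last", candidates_from_sightings(sightings, ip, at)


if __name__ == "__main__":
    # Same question asked 4 days after the fact, then 19 days after the fact.
    for now in ("2008-03-05T00:00:00", "2008-03-20T00:00:00"):
        source, macs = attribute("10.1.2.3", "2008-03-01T09:45:00", now)
        print(f"asked {now}: source={source} candidates={sorted(macs)}")
```

Asked within the retention window, the lease log names one MAC; asked after the leases have been overwritten, only the first/last record is left and the first host, which later got the same address back, becomes a candidate too. With a busy address pool and coarse polling, that is how two IP addresses end up with forty possible users.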

In other cases where a school is only able to narrow down the list of possible P2P users to a dorm room with two or more residents, the RIAA has typically sought to obtain the names of all possible infringers in an attempt to discover the identity of the P2P user in question. With 40 possible users for two IP addresses, such an approach is impractical. Moreover, there are privacy implications for the 38 or more innocent students involved. We asked the RIAA how it would handle the situation with the two Tufts IP addresses. "As we do in all of our cases when issues are presented, we will work with the school to determine the most reasonable course of action to prevent further abuse of its network," an RIAA spokesperson told Ars.

One way to solve this problem from the RIAA's perspective would be tighter record-keeping and network monitoring by the schools themselves. Tufts even admits that it could do a better job with data retention: "We recognize the inherent limitations of the network data retention system that we are currently using, and are actively looking at possible adjustments." The RIAA has joined the MPAA in pushing for legislation at the federal and state level that would require colleges to crack down on P2P use on campus, which would presumably involve longer retention times for network data. The recently passed College Opportunity and Affordability Act will require colleges to start working on formal piracy deterrence plans, and Big Content has also been lobbying states to pass more stringent antipiracy laws.

Further reading

Tufts University's letter to Judge Nancy Gertner (PDF). Found via Recording Industry vs The People.