TorrentFreak

• Enigmax & Ernesto
• September 15, 2007
• 286
• email,
  leak,
  mediadefender
• Print

When TorrentFreak reported that Media Defender (MD) was behind the video site MiiVi, they cast doubt on us. Now, in what is surely the biggest BitTorrent leak ever, nearly 700mb of MD’s emails have gone public. When MD’s Randy Saaf found out we rumbled MiiVi he said, “This is really fucked.” This is too, but much more so.

When we reported in July that an Anti-Piracy Gang Launches their own Video Download Site to Trap People and that the company was called Media Defender and, as anyone who aims to be a credible news resource would, we checked and double checked our sources. We said, with some confidence:

Media Defender, a notorious anti piracy gang working for the MPAA, RIAA and several independent media production companies, just launched their very own video upload service called “miivi.com”. The sole purpose of the site is to trap people into uploading copyrighted material, and bust them for doing so.

However, in comments made to Ars technica, Media Defender’s Randy Saaf chose to rubbish our claims, calling it an ‘accidentally un-secured internal project’.

From the emails we cannot be sure that it’s an entrapment site or that it is related to the MPAA (perhaps it’s a legit a P2P video client?), but it does look suspicious.

Unfortunately for Media Defender – a company dedicated to mitigating the effects of internet leaks – they can do nothing about being the subject of the biggest BitTorrent leak of all time. Over 700mb of their own internal emails, dating back over 6 months have been leaked to the internet in what will be a devastating blow to the company. Many are very recent, having September 2007 dates and the majority involve the most senior people in the company. Apparently this is not the first time that a MediaDefender email leaked onto the Internet.

According to the .nfo file posted with the Mbox file the emails were obtained by a group called “MediaDefender-Defenders”. It states: “By releasing these emails we hope to secure the privacy and personal integrity of all peer-to-peer users. The emails contains information about the various tactics and technical solutions for tracking p2p users, and disrupt p2p services,” and “A special thanks to Jay Maris, for circumventing there entire email-security by forwarding all your emails to your gmail account”

Note: The mbox formatted file is circulating publicly on BitTorrent, completely unedited. However, for publication here we have removed the username and password logins for Media Defender’s servers, and replaced them with asterisks and avoided publishing emails of a personal nature, e.g pay negotiations etc. We believe that the emails are the real deal and all the info posted here serves the public interest.

At first we couldn’t believe that it was real, but after we scanned through the e-mails it became clear that it was indeed the real deal. Hundreds of IPs and logins to their servers, lists of their decoy/entrapment trackers, decoy strategies, the effectiveness of their fake torrents (in many cases with a breakdown of success, title specific), high and low priority sites, .torrent watchlists, information on their monitoring of competitors, pictures of their weekend trips and even the anti-piracy strategy for dealing with The Simpsons Movie leak:

# REMINDER: “The Simpson’s Movie” premieres this Friday (to Torrents).

* Decoy files are available in torrents MDfile server.
* Use Public Trackers for pre-Leak releases.
* Create two new trackers for this project.
o Ebert to inform Torrents of these new machines.
* Send a list of 5 release names from each torrent team member to Ebert.
* REMEMBER to input torrent file into interdiction if a real Leak is available this weekend.

It’s impossible to sum up all the juicy details in one post as the amount of information is staggering, so as much as we’d like to tell you about the custom Media Defender software (called ProxyMaster) included in the leak, we’ll focus mainly on the MiiVi case.

Let’s start off with their response to our story about MiiVi.com.

From: Ben Grodsky
Sent: Tue 03-Jul-07 20:19
To: MIIVI; Randy Saaf; Octavio Herrera; Steve Lyons
Subject: MiiVi got Dugg

Looks like the domain transfer has screwed us over:

http://torrentfreak.com/anti-piracy-gang-launches-their-own

-video-download-site-to-trap-people/

http://digg.com/users/AcePup/news/dugg

-Ben

And the response from Randy Saaf himself.

This is really fucked.
Let’s pull miivi offline.

Apparently our reports about MiiVi made them really paranoid. They are worried that reporters will apply for jobs just to find out more about their secret project.

From Ben Grodsky, Media Defender

Subject: care in interviewing

Given all the recent Digg, SlashDot and derivative online articles about MD, be careful what you say in job interviews. Specifically, I’m concerned about giving any information BEYOND what’s already on the mediadefender.com website. I’m worried about someone interviewing for a position just for the purpose of getting more info to post online. For example, if anyone asks anything about MiiVi, just reiterate what Randy has said online (it was an internal video project that we probably should have password protected; we were in no way directed to, or working with, the MPAA on that project; NO part of the project was a honeypot designed to trap downloaders).

Seemingly every last detail of the MiiVi preparations are laid bare for all to see, such as these attempts to deal with some unexpected content. Interestingly, if MiiVi was only an internal operation, where on earth did this content come from?:

From Ben Grodsky, Media Defender

Dylan,

I wouldn’t normally e-mail you directly about MiiVi stuff, because a lot of what I say about this is total crap (so keep that in mind) and Jay filters the crap from the important stuff for you. Is there a way to add this hash/title to the porn filter explicitly?

hash=30755326A4E4B28E678BFF8CB2AF5FC4A4FBF710&i=3 (the title is Celebrity deathmatch: Korn vs slipknot and the exact URL is http://129.47.9.160/zonie/media.php?hash=30755326A)

I just flagged it as Other Terms of Use violation. It’s a warthog (or maybe it’s a big bushy dog, I can’t tell) having sex with a woman and NOT a Korn vs. Slipknot mash-up video.

If this is a big deal, don’t worry about it for now.

And, If MiiVi was an internal project only, how does that sit with these attempts to generate lots of traffic?

Dylan,

Another thing we can do to increase Google and other search engine traffic is to get more link-ins. At the next MiiVi meeting, I’m going to ask Randy for permission to incentivize people to link-in a MiiVi video on their MySpace. Colin is already doing this and it helps the word-of-mouth spread, even if the link-ins are nominal. I’m not sure what we could do in the link-in regard early on, but getting the cumulative ~1000+ MySpace friends of MediaDefender employees to see MiiVi link-ins can’t hurt….

Colin — start coming up with a list the list of keywords and descriptors for hidden metadata entries, per Dylan’s e-mail below.

Thanks,
Ben

One can only speculate what the MiiVi client might’ve been capable of, should it have gotten off the ground:

From: Ben Grodsky
To: Jay Mairs
Cc: Randy Saaf
Sent: Wed Jun 20 23:36:54 2007
Subject: miivi emule spoof

Jay,

Do you think it would break a lot and take more time than its worth for the MiiVi application/installer also to act like Serge’s Proxy client and spoof on eMule?

-Ben

Just about every aspect of the company’s operations on every file sharing network is revealed in the emails, including their fake eDonkey server and Soulseek activities, not to mention payroll issues and discussions about what to eat for lunch.

Of course, Mr Saaf was always very keen to distance MediaDefender from MiiVi, as this email shows:

From: Randy Saaf
Sent: Wed 6/13/2007 12:54 AM
To: Colin Keller
Cc: Ben Grodsky; Steve Lyons; Jay Mairs
Subject: miivi emails

Colin:

Set up your email so that you always reply with a ckeller@miivi.com, dmca@miivi.com, or an info@miivi.com address respectively. I don’t want MediaDefender anywhere in your email replies to people contacting Miivi. Steve and Ben can help you set up your email for this. Make sure MediaDefender can not be seen in any of the hidden email data crap that smart people can look in.

I am setting up ckeller@miivi.com to forward to ckeller@mediadefender.com.

R

They made up fake company (MiiVi Inc.), edited their own Wikipedia entries and hosted Miivi on IPs that couldn’t be traced back to MediaDefender.

Ben E:

Can you please do what you can to eliminate this entry? Let me know if you have any success.

R

From: Jay Mairs
Sent: Tue 7/3/2007 9:59 PM
To: Steve Lyons; Randy Saaf; Octavio Herrera
Cc: Ty Heath; Dylan Douglas; Ben Grodsky; Ivan Kwok (gmail)
Subject: Re: MiiVi got Dugg

Steve, please redirect miivi.com to point to an ip that’s not one of ours (random ip or whatever).

Dylan, if there’s nothing critical running on the miivi server, please shut the computer down. If there is something critical on there, please let us know ASAP.

MediaDefender took down MiiVi.com but it seems they aren’t ditching the project but instead looking for a new name because domain names are really important for internal projects:

From: Randy Saaf
Sent: Friday, July 13, 2007 4:44 PM
To: Jay Mairs; Colin Keller
Subject: FW: New miivi name.

Do you like vidber.com or bivvid.com or vidorama.com?
——————————————————-
Reply from: Colin Keller

Vidorama would be my first choice (though it is a bit 70′s, kind of like a bad video rental store). Vidber doesn’t spark much interest (kind of ends too abruptly), and bivvid I’m not really feeling.

Or maybe they’ll just change the domain name to something similar, and move things round a little?

Subject: MiiVi (currently on www.viide.com)
From: grodsky@mediadefender.com
Date: 23/07/2007 18:05
To: michael.potts@artistdirect.com

Michael,

When you get a chance, we would love you to start taking a look at www.viide.com. That is the current home of our MiiVi site. We have totally locked-down the site, while we improve the look and feel from the blogosphere saw. Accordingly, to access the site you will need to login using the following login/password *****/**** (we have also made a login/password for Bobby, in case you think we could use some help with our graphics :) — *****/*****).

Once you log on the site, surf over to www.viide.com/download.php to get our application. The website currently acts a GUI for the application. When we go live with the site for the general public, there will also be a java applet that also minimal/one-off type use of MiiVi (but this feature is inaccessible with the current locked-down version of the site).

From: tabish@mediadefender.com
Date: 27/07/2007 23:56
To: MIIVI@mediadefender.com

I’m not sure if you guys are planning on going live with the Viide domain name….but in case you are….you might want to remove all references of Miivi on the homepage of viide.com before it gets Googled or someone public comes across it. For example, at the bottom under terms of service and on the HTML Title where it says “MiiVi, Inc”, and probably the default image of the skyscrapers (which are the same as Miivi).

Also, the WHOIS information is still linked to MediaDefender, Inc.

-TH

Yes, they need to get on top of the WHOIS situation before someone sees it.

After the MiiVi incident, we later reported that Media Defender owned the p2p.net domain name. A little later, our claims were proven correct when they made the p2p.net domain link back to our own article, which it still does to this day. We took this as a compliment and this is what the guys had to say about it:

From: Ben Grodsky
To: Jay Mairs; Ben Ebert; Octavio Herrera
Sent: Fri Jul 13 12:18:02 2007
Subject: FW: p2p.net on digg and torrentfreak

this is too funny. torrentfreak accused us of buying p2p.net on ebay earlier this year. Randy found out and redirected it to that vary article on torrentfreak. now there’s an article about the redirected p2p.net!

We admit it, it was quite funny at the time and proved that even anti-piracy guys have a sense of humor but sadly, it’s doubtful that the comedy will extend through this latest episode, as it’s expected that thousands of file-sharers will dissect and disseminate their commercially sensitive data into every corner of internet.

For a business model that gets its life-blood from piracy, in a twisted way this leak is likely to help generate even more business and develop the market. Funny old world.

Update: MediaDefender Phone Call and Gnutella Tracking Database Leaked

When we reported in July that an Anti-Piracy Gang Launches their own Video Download Site to Trap People and that the company was called Media Defender and, as anyone who...