When it comes to Tor, BitTorrent is a pain in the arse. The idea of BitTorrent is to distribute the overhead of Internet downloading across a wide number of machines. Unfortunately a lot of the usage for it is illegal content, which makes Tor very attractive for hiding who does the downloading. This has two nasty side-effects: it swamps the Tor network with huge downloads and lays the Tor operator open to DMCA takedown notices. The latter of the two happened to me today, starting with the receipt of another Abuse-o-gram from Layered Technologies:
Ticket #CWY-14320-539
From: abuse@layeredtech.com
To: steve@bananasplit.info
Subject: Policy Enforcement of at 209.67.211.154 for Copyright
NOTES: REMOVE THE FOLLOWING:
———————————————-
Date Found: 22 Mar 2006 06:55:09 EST (GMT -0500)
Network: BTPeers
IP Address: 72.21.33.202
IP Port: 11111
Protocol: BitTorrent
UserName:
Content being offered:
———————————————-
Filename: Final Cut Pro HD.dmg.torrentFinal Cut Pro HD.dmg
Filesize: 1,648,247k
Dear Client,
This is a Policy Enforcement Notice that your server has violated our Acceptable Use Policy available at http://www.layeredtech.com/aup.shtml. Please refer to the attached complaints and/or logs of abuse. If you believe we have traced this issue to you erroneously, our staff will investigate the issue further.
IT IS YOUR RESPONSIBILITY TO REMOVE ALL DOMAINS, USERS, AND CONTENT CAUSING THIS ABUSE ISSUE AND TO INVESTIGATE ANY MISCONFIGURED, INFECTED, OR UNAUTHORIZED USE OF SOFTWARE.
PENDING YOUR REQUIRED REPLY WITH YOUR COMMENTS, QUESTIONS, OR ACTIONS TO RESOLVE THIS ISSUE, THE SERVER IS:
[] Monitored for Additional Violations
[] Accessed for Investigation, Cleaning, Hardening, or Securing
[x] Disconnected in: [x] 24-Hours [] 12-Hours [] 6-Hours [] 1-Hour [] 0-Hours
[] Required Reload Request with: [] New Client Required [] No Data Recovery [] Data Recovery Allowed at http://support.layeredtech.com under “Open a Ticket”
[] Hard Drives Seized for Investigation
[] Null-Routed
[] Port Shutdown
[] On 30-Day Probation
[] Reviewed for Possible Cancellation
[] Cancelled
FOR THE FOLLOWING REASONS:
[] Child Porn C Hosting, Distributing, or Linking to Pornography Involving a Person Under Legal Age
[x] Copyright L Hosting, Distributing, or Linking to Copyright Infringed Materials
[] Cracking H Brute Force Access of Secured Network Devices
[] DoS H Denial of Service Attack of Network Devices
[] Forgery M Faking an IP Address, Hostname, E-Mail Address, or Header
[] Fraud Site H Hosting or Linking to a Website Intended to Deceive the Public
[] Hacking H Circumventing Security Systems of Network Devices
[] HYIP Site M Hosting or Linking to a Website of High Yield Investment Program, Ponzi Scheme, or Pyramid Scheme
[] ID Theft H Hosting, Distributing, or Linking to Stolen Account Identification Information
[] Infection H Hosting, Distributing, or Linking to Exploits, Trojans, Viruses, or Worms
[] IRC Malicious M Malicious Use of Internet Relay Chat
[] IRC Unregistered L Internet Relay Chat Server not Registered with Layered Technologies
[] Phishing H Identity Theft by Email Under False Pretense
[] ROKSO Spamhaus C ROKSO Blacklisting of an IP at www.spamhaus.org for Malicious Activity
[] Scanning H Probing for Vulnerabilities of Network Devices
[] Shells H Hosting Accounts Primarily for Shell Access
[] Spam Cannon E Sending High Volume Spam (UCE or UBE)
[] Spam Email L Unsolicited Commercial Email (UCE) or Unsolicited Bulk Email (UBE)
[] Spam List M Hosting, Distributing, or Linking to Email Address Lists for Spam
[] Spam Proxy C Hosting an Open Proxy Server Used for Spam
[] Spam Relay C Hosting an Open Mail Relay Used for Spam
[] Spam Hijack C Distributing Spam Through a Third Party Server Vulnerability
[] Spam Site L A Site Advertised by Spam Email or Spam Web
[] Spam Ware H Hosting, Distributing, or Linking to Software Designed for Spamming
[] Spam Web L Unsolicited, Bulk, or Forged Site Advertisement in Web Logs, Forums, or Guestbooks
[] Terrorist Site C Hosting or Linking to a Site Advocating Terrorism
[] Toolz L Hosting, Distributing, or Linking to Cracking, DoS, Forgery, Infection, or Scanning Software or Instruction
[] Trademark L Hosting, Distributing, or Linking to Trade Mark Infringed Materials
[] Warez L Hosting, Distributing, or Linking to Crackz, Hackz, KeyGenz, Serialz, or Pirated Software
[] OTHER:
Thank you for your cooperation,
Layered Technologies Abuse Team
I like the way that Layered Technologies always include the original abuse complaint. Here it is:
Layered Technologies, Inc.
18816 Preston Road
Suite #100
Dallas, TX 75252 US
RE: Unauthorized Distribution of the following copyrighted computer program(s):
Apple Final Cut
Dear Layered Tech Abuse:
The Business Software Alliance (BSA) has determined that the connection listed below, which appears to be using an Internet account under your control, is using a BitTorrent network to offer unlicensed copies of copyrighted computer programs published by the BSA’s member companies.
Site Details:
———————————————-
Date Found: 22 Mar 2006 06:55:09 EST (GMT -0500)
Network: BTPeers
IP Address: 72.21.33.202
IP Port: 11111
Protocol: BitTorrent
UserName:
Content being offered:
———————————————-
Filename: Final Cut Pro HD.dmg.torrentFinal Cut Pro HD.dmg
Filesize: 1,648,247k
The above computer program(s) is/are being made available for copying, through downloading, at the above location without authorization from the copyright owner(s).
Based upon BSA’s representation of the copyright owners in anti-piracy matters, we have a good faith belief that none of the materials or activities listed above have been authorized by the rightholders, their agents, or the law. BSA represents that the information in this notification is accurate and states, under penalty of perjury, that it is authorized to act in this matter on behalf of the copyright owners listed above.
We are giving notice of these activities pursuant to Section 512 of Title 17 of the U.S. Code (as enacted by the ‘Online Copyright Infringement Liability Limitation Act’). We expect that you will take expeditious action to remove or disable access to the materials described above, and thereby prevent the illegal reproduction and distribution of pirated software via your company’s network. As you know, illegal on-line activities can result in 50 million people on the Internet accessing and downloading a copyrighted product worldwide without authorization – a highly damaging activity for the copyright holder.
We appreciate your cooperation in this matter. Please advise us regarding what actions you take.
Please include the following CaseID in any response you send: Case ID 93989436.
Yours sincerely,
John R. Wolfe
Director of Internet Enforcement
Business Software Alliance
1150 18th St NW Suite 700
Washington, DC 20036
URL: http://www.bsa.org
E-mail: copyright@bsa.org
Director of Internet Enforcement! Wow, you lucky man John, I bet that’s a cushy little number you have yourself there! You even have an org domain which strikes me as taking the piss when you undoubtedly represent a commercial organisation and command a fat salary.
I responded to this using the stock Tor dmca-takedown template:
Dear Layered Technologies:
Thank you for forwarding me the notice you received from The Business Software Alliance regarding “Final Cut Pro HD.dmg.torrentFinal Cut Pro HD.dmg”. I would like to assure you that, contrary to the assertions in the notice, 1) I am not hosting or making available the claimed infringing materials, and 2) you are already protected by the Digital Millennium Copyright Act’s (“DMCA”) safe harbor from any liability arising from this complaint. The notice is incorrect, probably based upon misunderstandings about law and about some of the software I run.
First, in terms of legal liability, this notice does not create any risk for you as a service provider. As you know, the DMCA creates four “safe harbors” for service providers to protect them from copyright liability for the acts of their users, when the ISPs fulfill certain requirements. (17 U.S.C. § 512) The DMCA’s requirements vary depending on the ISP’s role. You may be most familiar with the “notice and takedown” provisions of DMCA 512(c), but those apply only to content hosted on your servers, or to linking and caching activity. The “takedown notice” provisions do not apply when an ISP merely acts as a conduit. Instead, the “conduit” safe harbor of DMCA 512(a) has different and less burdensome requirements, as the D.C. Circuit Court of Appeals held in RIAA v. Verizon (see http://www.eff.org/legal/cases/RIAA_v_Verizon/opinion-20031219.pdf) and the Eighth Circuit Court of Appeals confirmed in RIAA v. Charter (see http://www.eff.org/IP/P2P/Charter/033802P.pdf).
Here, any content that came from or through my computers merely passed through your network, so DMCA 512(a) applies. Under DMCA 512(a), you are immune from money damages for copyright infringement claims if you maintain “a policy that provides for termination in appropriate circumstances of subscribers and account holders of the service provider’s system or network who are repeat infringers.” If you have and implement such a policy, you are free from fear of copyright damages, period.
As for what makes a reasonable policy, as the law says, it’s one that only terminates subscribers who are repeat infringers. A notice claiming infringement is not the same as a determination of infringement. The notification you received is not proof of any copyright infringement, and it certainly is not proof of the “repeat infringement” that is required under the law before you need to terminate my account. I have not infringed any copyrights and do not intend to do so. Therefore, you continue to be protected under the DMCA 512(a) safe harbor, without taking any further action.
You might be curious, though, about what did trigger the notice. The software that likely triggered the faulty notice is a program I run called Tor. Tor is network software that helps users to enhance their privacy, security, and safety online. It does not host or make available any content. Rather, it is part of a network of nodes on the Internet that simply pass packets among themselves before sending them to their destinations, just as any Internet host does. The difference is that Tor tunnels the connections such that no hop can learn both the source and destination of the packets, giving users protection from nefarious snooping on network traffic. Tor protects users against hazards such as harassment, spam, and identity theft. In fact, initial development of Tor, including deployment of a public-use Tor network, was a project of the U.S. Naval Research Laboratory, with funding from ONR and DARPA. (For more on Tor, see http://tor.eff.org/.) As an organization committed to protecting the privacy of its customers, I hope you’ll agree that this is a valuable technology.
Thank you for working with me on this matter. As a loyal subscriber, I appreciate your notifying me of this issue and hope that the complete protections of DMCA 512 put any concerns you may have at rest. If not, please contact me with any further questions.
Very truly yours,
Your customer,
Steven Crook
That’s a great template, but unfortunately Layered Technologies don’t really care about the legalities of the situation; they have an Acceptable Use Policy and I’m breaking it by allowing Tor to route BitTorrent traffic. Here is their response:
I understand fully what Tor is and how it operates. However, we consider use of Tor (or similar software) as not releasing you from our Acceptable Use Policy. While this specific copyright issue, which we are required to issue upon receipt, may not apply since you do not host or directly link to the claimed material(s), I must warn you that per our policies we hold you accountable for all activity occurring on or through our network. Example, if your use of Tor to hide source/destination information of packet headers were involved in a more serious incident such as child pornography, we would require you to either discontinue use of Tor or we would have to shutdown the server. Our policy does not permit Acceptable Use Policy violation on or through our network and does not allow alteration of headers of any packet, email, or other service connection. In short, if an abuse occurs such that tracking the origin is modified then you are held responsible. I am not saying at this time that you cannot use Tor, but you are responsible for any/all abuse which occurs on your server or passes through your server regardless. Therefore, it is your responsibility to install, write, or otherwise place software on your server that would prevent abusive issues from being trafficked through the server to a 3rd party.
I will close this specific copyright issue, but you have been warned regarding Tor and your obligations to prevent abusive packets from passing through your server.
Thanks,
Terry
Layered Technologies
Abuse Department Manager
NOC Engineer
ACCEPTABLE USE POLICY at http://www.layeredtech.com/aup.shtml
Nice letter, but Terry knows as well as I do that I cannot enforce Layered Technologies’ AUP whilst running a Tor server. There is no way to block Torrent traffic as it doesn’t have dedicated ports; anyone can configure their Torrent client to listen on any port they choose and there’s nothing I can do to block it.
Terry is being pretty sneaky with his reply. If he actually stated that I couldn’t run Tor, then he would be going against the statement that Layered Technologies made when I took out the service. I would of course then demand the return of my setup charges from them. Not an inconsiderable amount of money. By saying that I’m allowed to run Tor, but responsible for everything that passes through it, there isn’t much I can do. It’s simply a matter of time before it seriously breaches their AUP and then it will be my fault and the service will likely be terminated.
The fat lady is tuning up.
|There is no way to block Torrent traffic as it doesn’t have
|dedicated ports; anyone can configure their Torrent client to
|listen on any port they chose and there’s nothing I can do to
|block it.
Any Linux user can block it. We use this on our corporate firewall. It doesn’t help against encrypted protocols, porn sites and identity theft, of course.
# restore packet mark from connection mark, skip already marked packets
iptables -A PREROUTING -t mangle -j CONNMARK --restore-mark
iptables -A PREROUTING -t mangle -m mark ! --mark 0 -j ACCEPT
# mark p2p packets
iptables -A INPUT -t mangle -m ipp2p --ipp2p --bit -j MARK --set-mark 3
iptables -A OUTPUT -t mangle -m ipp2p --ipp2p --bit -j MARK --set-mark 3
iptables -A FORWARD -t mangle -m ipp2p --ipp2p --bit -j MARK --set-mark 3
# save packet mark to connection mark
iptables -A OUTPUT -t mangle -j CONNMARK --save-mark
# reject identified p2p connections
iptables -A INPUT -t filter -m mark --mark 3 -j REJECT
iptables -A OUTPUT -t filter -m mark --mark 3 -j REJECT
iptables -A FORWARD -t filter -m mark --mark 3 -j REJECT
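The point made in the comment above, that BitTorrent can be recognised by payload rather than by port and that encrypted traffic slips past such a filter, shown as an added example (not code from the post, the commenter or ipp2p). It is a simplified Python classifier; `classify`, `mark`, `rejected_ports` and all sample flows are constructed for illustration.

```python
# Added example: classify a flow by its first payload, not by its port.
# Simplified illustration; this is not ipp2p's actual rule set.

MARK_P2P = 3  # same mark value the iptables rules above use

# BitTorrent peer handshake: length byte 19, then the protocol string.
BT_HANDSHAKE = b"\x13BitTorrent protocol"


def classify(payload: bytes) -> str:
    """Label the first payload of a flow."""
    if payload.startswith(BT_HANDSHAKE):
        return "bittorrent-peer"
    request_line = payload.split(b"\r\n", 1)[0]
    if request_line.startswith(b"GET ") and b"info_hash=" in request_line:
        return "bittorrent-tracker"  # HTTP tracker announce
    return "unknown"


def mark(payload: bytes) -> int:
    """Return MARK_P2P for recognised BitTorrent payloads, else 0 (unmarked)."""
    return MARK_P2P if classify(payload).startswith("bittorrent") else 0


def rejected_ports(flows):
    """flows: iterable of (dst_port, first_payload); ports whose flow is marked."""
    return [port for port, payload in flows if mark(payload) == MARK_P2P]


# Constructed sample flows (not captured traffic).
# Handshake layout: prefix + 8 reserved bytes + 20-byte info hash + 20-byte peer id.
HANDSHAKE = BT_HANDSHAKE + bytes(8) + bytes(20) + b"-XX0000-" + bytes(12)
ANNOUNCE = b"GET /announce?info_hash=%00%01&port=11111 HTTP/1.1\r\nHost: tracker.example\r\n\r\n"
WEB = b"GET /index.html HTTP/1.1\r\nHost: www.example\r\n\r\n"
OPAQUE = bytes(range(0x80, 0xC4))  # stands in for an encrypted stream

SAMPLE_FLOWS = [
    (11111, HANDSHAKE),  # non-standard port, still caught
    (80, HANDSHAKE),     # client listening on a "web" port, still caught
    (8080, ANNOUNCE),    # tracker announce over HTTP
    (80, WEB),           # ordinary web request, left alone
    (6881, OPAQUE),      # conventional BitTorrent port, payload unreadable: missed
]

if __name__ == "__main__":
    for port, payload in SAMPLE_FLOWS:
        print(port, classify(payload), mark(payload))
```

The last sample flow is the gap the commenter concedes: once the payload is encrypted there is no signature left to match, whatever the port.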
Thanks, that’s neat. Unfortunately ipp2p doesn’t appear to be packaged for Debian at this time. I’ll ask around some contacts and see if there are any plans to do so. I’m reluctant to patch/compile it into my kernel as I don’t have physical access to the server. One slip up and I’ve trashed it. :)
So, what ended up happening? Do you still have Tor running? Do you have a fancy set of ExitPolicies?