View Full Version : Abuse Notice From Isp...



imported_dr_gibberish
07-18-2003, 01:22 AM
Came home this afternoon to a rather threatening message from my ISP (Comcast) stating that I had violated their acceptable use policy by allegedly trading something copyrighted on K-Lite. According to the message, the Business Software Alliance alleged that I was trading a copyrighted file over the network. Listed a file name, my K-Lite username, my WAN IP, and the alleged port. (1214 though I actually run K-Lite on another port?!)

My big question is, after using K-Lite for more than 6 months and keeping my machine on basically 24/7 with 8 upload slots, why is this happening to me now? Especially since K-Lite 2.4 now has the Peer Guardian list of blocked IPs (which includes the BSA) and I have checked "User's can't get a list of your shared files" which I thought would give me an added level of protection (though I'm aware PG list is not perfect.)

I should note a couple of other recent changes in my use:
1) I was on ATT which fully switched to Comcast at the beginning of this month.
2) I recently started using KaNAT (because I'm behind a router) which propagates my WAN IP rather than my LAN IP. I am concerned about this because I worry it has made me more "identifiable". Also, to use KaNAT you have to "uncheck" "Don't save local IP's in DAT files" in the K-Lite options menu. Could this have made me more vulnerable?

Does anyone who has been through this have suggestions about how to handle this with the ISP?
Anyone with more knowledge than I about K-Lite (or perhaps KaNAT) have suggestions about how to protect myself in the future?

I want to play nice and share but I can't lose my ISP over this....

imported_dr_gibberish
07-18-2003, 02:32 AM
Another thought...

Does anyone know what the reason for the "Disable port 1214" option is and whether this might be relevant to my problem (above)? I have K-Lite set to use an alternate port for incoming connections (you have to to use KaNAT) so should I check this?

MadDog-2000
07-18-2003, 03:41 AM
I can't help you out with your router problems but they might have spotted you the old fashioned way, just by searching for some copyright protected file and you came up as one source.


dr_gibberish Posted on 17 July 2003 - 20:32

According to the message, the Business Software Alliance alleged that I was trading a copyrighted file over the network. Listed a file name, my K-Lite username, my WAN IP, and the alleged port. (1214 though I actually run K-Lite on another port?!)

You mean they listed only one single file that was copyrighted or like a list of files? If they listed only one that probably means that they found you through a simple search but were not able to bring up the list of all your shared files, which is good and you know the new feature works.

Just because you are behind a router doesn't mean it's harder for them to track you down, nor does it make you any safer, at least in this case.


dr_gibberish Posted on 17 July 2003 - 19:22

Also, to use KaNAT you have to "uncheck" "Don't save local IP's in DAT files" in the K-Lite options menu. Could this have made me more vulnerable?

No, DAT files and IP numbers are not transferred to them, that information resides on your machine only but they are able to get your IP number without any problems.


dr_gibberish Posted on 17 July 2003 - 20:32

Does anyone know what the reason for the "Disable port 1214" option is and whether this might be relevant to my problem (above)?

Port 1214 (aka Kazaa's port) is disabled so no-one can scan your computer to see if you're using Kazaa K++.

Just because they scanned you, have your IP number and know that you are sharing a file they think is copyrighted doesn't mean you actually do. The file they found on your HD could be a fake or just some random file, renamed to something that looks copyrighted. The only way they can be 100% sure is if they download that file from you and see if it really is what it appears to be.

Anyway, I suggest you stay low for the next time and unshare your music or other copyrighted files. Just share programs (even warez if you like, since RIAA and MPAA have no jurisdiction over that), eBookz, movie trailers or something like that and get (and share) your music on minor networks like Blubster or Gnutella. Those networks are not monitored (or not as heavily) by the RIAA and MPAA. Try some alternatives, at least for music and movies. Try BitTorrent, you can download full CD albums and movies but there is no effective way of tracking you because of its structure and protocol.

damnit182
07-18-2003, 03:44 AM
Does Kazaa not work without KaNat? How many machines are connected to your router? I'm guessing your router uses NAT (network address translation)?

I think it wouldn't make much difference to the RIAA/similar whether they can see your WAN IP or your LAN IP, because they can trace it either way.

It seems to me that even though one specifies a different port for Kazaa to use, it only uses these in addition to 1214. I specified 6699 and 80 for incoming connections yet in Zonealarm it says K-Lite is listening to 1214,6699,80. BTW this is only in Kazaa Lite 2.0.2 so it may be different for later versions.

-Genesis-
07-21-2003, 02:55 PM
There is no way they can tell you the name of the file that you transferred unless they actually watched you doing it. They could have detected you using kazaa but that's it. Sounds like a joke to me, one of ure m8s maybe.

Ganthan
07-21-2003, 03:08 PM
Originally posted by Genesis-@21 July 2003 - 14:55
There is no way they can tell you the name of the file that you transferred unless they actually watched you doing it. They could have detected you using kazaa but that's it. Sounds like a joke to me, one of ure m8s maybe.
You are terribly misinformed and naive.

imported_dr_gibberish
07-22-2003, 06:59 PM
Thanks for all the responses, sorry for not getting back sooner but I wasn't aware the board was back up...

@Mad Dog-2000 - Appreciate all the advice. Yes it was one file. When you say warez is less of a problem - this was the Business Software Alliance targeting me. The alleged file was software not music or movies. Regardless, your advice is really appreciated and I have actually been exploring BitTorrent over the last few days (Though the problem seems to be it only works well for common, high demand files.) Another thing, how much of a problem do you think it is for me to download using K-Lite? (As opposed to sharing.) However, you feel pretty sure that using KaNAT did not increase my vulnerability?

@damnit182 - K-Lite works behind a router without KaNAT but it works much better with it. Without it you cannot access anyone else who is also behind a router that uses Network Address Translation (NAT). Since this includes a lot of broadband users, you are shut out from some of the fastest sources. For me, the program makes a big difference.

@Genesis - Definitely no joke. You only need to have seen the email. Went to every single one of my addresses, had every detail about me, my account, etc. (Things no one could have gotten simply by monitoring my traffic.)

No folks, this was serious and unfortunately is going to have the desired effect on my ability to share files with K-Lite. I really have no choice. It seems as if it's that or lose my broadband access... :(

Switeck
07-23-2003, 06:43 AM
UNLESS you check the do not use port 1214, Kazaa CAN still be detected by a port-scan of port 1214. This explains why the Cease and Desist notice reports Kazaa as running on port 1214.

Good thing it was only a warning, although it's useful info for others.

It seems if you have a real ip OR using KaNAT AND don't have port 1214 disabled that THEY can detect you. Whether they can detect you IF you disable port 1214 but still use KaNAT (with port-forwarding ONLY to the port KL++ is now using... not 1214 of course) then I do not know. If I had to guess, a "Kazaa detector" would scan ranges of ips looking for responses to its port 1214 messages. This should be TOTALLY BLOCKED if random nut's blocking of 1214 isn't just smoke-and-mirrors. And even if that wasn't 100% effective, your ROUTER could be set up to block incoming port 1214 traffic.

Unfortunately, RIAA/MPAA/BSA have tools just as powerful as WE do for use on Kazaa. They definitely have something much like Kazaa Search -- which allows them to do searches and link ips with shared files. Even K-Dat can link ips to shared files AND Kazaa names. I do not know if they can get someone's real WAN ip from it if they're behind a router but not using KaNAT -- they probably can, but it's more effort I bet.

And they may even have an automated way to LIST someone's shared files (if that person ALLOWS their shared files to be listed) -- which KL++ blocks easily. They may even be able to make a direct connection with a Kazaa machine and do a blanket "MP3" search just to it -- like they're that machine's supernode connection to the REST of Kazaa, which would return many matches even if browse host capabilities were disabled. (This 2nd type of file listing IMO crosses the vague line of 'just searching the network' to 'hacking computers' because while they're doing that they are intentionally depriving that computer of normal access to the search portion of the network. It's a man-in-the-middle hack attack.)

I imagine they're putting a significant load on the entire network with their specialized searches. They probably have ways to do more than 1 search simultaneously from a single ip, and definitely have 'server farms' with broad ip ranges devoted to them.

One thing is for certain, they are running way more than regular Kazaa and probably aren't running regular Kazaa at all. Being that they (most probably) HAVEN'T paid network licensing fees for their software to be allowed to connect to the network, they are hacking the network in that manner too! (Morpheus got booted off the network a long while back for not paying the fees.) But RIAA/MPAA/BSA probably feel copyright laws only apply to 'little people'.


I'm behind a router and use KaNAT only part of the time. Reason being -- if I use it constantly, too many people get my ip in their many download requests and I start getting hammered by their requests (which add up faster than I am uploading) for days/weeks/months. So I turn off KaNAT but leave on ip port-forwarding to 'drain off' the excessive requests. While not running KaNAT, previous connections to my computer that are firewalled can still connect because I have port-forwarding on -- but when I try to list their files the search fails even before it begins.

theprisoner
07-23-2003, 06:59 AM
Could a firewall prevent the port scan?

Switeck
07-23-2003, 01:33 PM
Originally posted by theprisoner@23 July 2003 - 01:59
Could a firewall prevent the port scan?
Only if it blocked scans coming in on port 1214 and the scans were only on that port.

Faethe
07-23-2003, 02:25 PM
If they send you an e-mail - comcast that is - go here

http://eff.org/share/

There is a link there to click if you get an e-mail - subpoena - etc. These are the people most heavily engaged in the fight against the RIAA.

Jesus this is scary shite.

imported_dr_gibberish
07-23-2003, 11:54 PM
@ Switeck Thanks for that incredibly detailed reply. I have to say it is reading a lot of your earlier posts that helped me figure out port forwarding and the whole need for KaNAT in the first place. Anyhow, that was very informative and especially the idea of using KaNAT intermittently which had not occurred to me before. How does that affect when you do a search? For example, if I search with it running and then turn it off when I'm done, I will lose access to those sources that are firewalled right? Also, I have of course now checked the "do not use 1214" box. Maybe I should have done that a while ago.... :(

@ Faethe Thanks for that link. I went to the site but have not had time to look through it yet. Maybe later this evening...

Switeck
07-24-2003, 04:49 AM
Originally posted by dr_gibberish@23 July 2003 - 18:54
@ Switeck Thanks for that incredibly detailed reply. I have to say it is reading a lot of your earlier posts that helped me figure out port forwarding and the whole need for KaNAT in the first place. Anyhow, that was very informative and especially the idea of using KaNAT intermittently which had not occurred to me before. How does that affect when you do a search? For example, if I search with it running and then turn it off when I'm done, I will lose access to those sources that are firewalled right? Also, I have of course now checked the "do not use 1214" box. Maybe I should have done that a while ago.... :(
And when I first started talking about router problems, I was called nuts.

While not using KaNAT, you lose all access to firewalled/router users. BUT because of port-forwarding even firewalled/router users who got your real internet ip earlier can still download from you (assuming your internet ip hasn't changed) -- you just can't message them or list their shared files. However any NEW people that try to download from you get your LAN ip in their DAT file so when you log off they won't still be hammering your connection.

If you can log/monitor traffic at your router level, you'll see these download requests even when not running Kazaa.
Your new searches will show many/most people as firewalled, so this is basically something to do only occasionally.


I've been trying to keep up with many of the "I've been busted" message threads here, which are typically by new posters but from what I've seen ALL are real. The sheer number of lurkers here (people with 0 or very few posts) is very high. But the more intelligent posters that claim to be nabbed by their ISP give out enough information for me to get some clues to the limitations of the tools that the RIAA is using. I think we should all assume that they can at LEAST do what we can using just K-Dat and Kazaa Search alone.

On BearShare, (on the Gnutella network) I've personally seen some of the scanners in action scanning my computer. (BearShare has excellent diagnostics and background monitoring.)

I'm reading on various p2p-related forums (KL++'s, Shareaza's, BearShare's, Zeropaid, Slashdot) for any info about what RIAA/MPAA/BSA is up to, but the most valuable info seems to be coming from Peer Guardian users.

imported_dr_gibberish
07-24-2003, 04:33 PM
Not to beat a dead topic here, Switeck, but your mentioning Peer Guardian returns me to the issue of why that didn't help in my case. I looked through the list of blocked IP's at one point and saw the BSA listed in there. (However I have to admit that I had already updated the file after being nabbed, so it may not have been in the IP list that came with K++ 2.40) Anyhow, why didn't it work? I assume it's because they are sophisticated enough to just go use other networks with other IP ranges or somehow change their IP range, no? But if it's that simple, what's the value of Peer Guardian at all????

hackattack142
07-24-2003, 08:34 PM
With peer guardian you really have to keep updated. Just today I think they added another 30 or so ip ranges. You have to almost update it everyday. And for anyone who hasn't heard, an update to peer guardian was released the 20th. I use the actual peer guardian program b/c that way I can see if I am being probed or not.

To get the latest update for peer guardian, click here (http://www.simply-click.org/uploadertest/guarding.p2p.update.asp) and read below if you have never updated the regular peer guardian program before.

You have to save the file as "Guarding.p2p" when the download save as window comes up and make sure you have the file type set to "All Types". Then it is just as simple as replacing the old Guarding.p2p file in the Peer Guardian folder and restarting the application.

Switeck
07-25-2003, 01:09 AM
Originally posted by dr_gibberish@24 July 2003 - 11:33
Not to beat a dead topic here, Switeck, but your mentioning Peer Guardian returns me to the issue of why that didn't help in my case. I looked through the list of blocked IP's at one point and saw the BSA listed in there. (However I have to admit that I had already updated the file after being nabbed, so it may not have been in the IP list that came with K++ 2.40) Anyhow, why didn't it work? I assume it's because they are sophisticated enough to just go use other networks with other IP ranges or somehow change their IP range, no? But if it's that simple, what's the value of Peer Guardian at all????
Peer Guardian's list can only block TCP traffic -- Kazaa non-firewalled (IE: router+KaNAT) connections also use UDP for SEARCH traffic. Therefore, there's no way for Peer Guardian to block that traffic.

Browse host searches (to list your files) create a direct connection between your computer and possible hostiles, but other searches may not. If they're running their searches in such a way that supernodes are doing the search requests locally for them, there's no direct TCP header link to their addresses. Your replies would go back to the supernodes which then forward the replies to them.

Kazaa Lite K++'s blocking method according to random nut has some UDP-blocking capabilities -- at least for sending from you to a hostile address. It may even sniff out search routes and not send if hostile ips are on the final destination. r.nut will have to elaborate further on this, because I only know a little in that regard.
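
The two limits described in the post above (a filter that inspects only TCP, and searches relayed through a supernode), plus the stale-list case raised in the thread, as an added example that is not part of the thread or of Peer Guardian's own code. The `label:first-last` list layout, the addresses (RFC 5737 documentation ranges) and the packet model are constructed assumptions.

```python
import ipaddress
from typing import NamedTuple, Optional

# Constructed list in an assumed "label:first-last" layout. Addresses are
# RFC 5737 documentation ranges, not real organisations.
SAMPLE_LIST = """\
# constructed sample
Example Monitor A:192.0.2.0-192.0.2.255
Example Monitor B:198.51.100.16-198.51.100.31
"""

class Packet(NamedTuple):
    proto: str    # "tcp" or "udp"
    src: str      # source address in the IP header (all a filter can see)
    origin: str   # who really issued the request (invisible to the filter)

def parse_ranges(text: str) -> list:
    """Return (label, first, last) tuples with the bounds as integers."""
    ranges = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        label, _, span = line.rpartition(":")   # labels may contain ':'
        first, _, last = span.partition("-")
        lo = int(ipaddress.IPv4Address(first.strip()))
        hi = int(ipaddress.IPv4Address(last.strip()))
        ranges.append((label, min(lo, hi), max(lo, hi)))
    return ranges

def match(ranges: list, addr: str) -> Optional[str]:
    """Return the label of the first range containing addr, else None."""
    n = int(ipaddress.IPv4Address(addr))
    for label, lo, hi in ranges:
        if lo <= n <= hi:
            return label
    return None

def decide(ranges: list, pkt: Packet, filtered=("tcp",)) -> str:
    """Model a filter that only inspects the listed protocols."""
    if pkt.proto not in filtered:
        return "pass: protocol not filtered"
    label = match(ranges, pkt.src)
    return f"drop: {label}" if label else "pass: source not listed"

# Constructed traffic: three paths from a listed origin, plus one address
# that falls outside the ranges in this copy of the list.
SAMPLE_TRAFFIC = [
    Packet("tcp", "192.0.2.10", "192.0.2.10"),        # direct browse-host
    Packet("udp", "192.0.2.10", "192.0.2.10"),        # direct UDP search
    Packet("tcp", "203.0.113.5", "192.0.2.10"),       # relayed by a supernode
    Packet("tcp", "198.51.100.40", "198.51.100.40"),  # range not in list yet
]

def run_sample() -> list:
    ranges = parse_ranges(SAMPLE_LIST)
    return [decide(ranges, p) for p in SAMPLE_TRAFFIC]

if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE_TRAFFIC, run_sample()):
        print(f"{pkt.proto} src={pkt.src} origin={pkt.origin} -> {verdict}")
```

Only the first packet is dropped: the filter decides on protocol and header source address, so the UDP search, the relayed search and the unlisted address all pass.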

ninjamonkey
07-25-2003, 03:33 AM
How would you lose your broadband internet? If you really had to, couldn't you get another broadband service?

imported_dr_gibberish
07-25-2003, 02:09 PM
Switeck - so that suggests that using KaNAT may in fact increase my vulnerability at some level? (Because it leaves me open to the UDP connections?) This is all somewhat academic at this point as I have now removed anything someone might allege to be copyrighted from my shared files.

Ninjamonkey - Yes I suppose I could get DSL, but cable is a monopoly and it's way faster and cheaper here than DSL would be. Besides which, we all know the hassles associated with having to switch ISPs...

tracydani
07-25-2003, 08:59 PM
Originally posted by MadDog-2000@18 July 2003 - 05:41
Try BitTorrent, you can download full CD albums and movies but there is no effective way of tracking you because of its structure and protocol.
The new bit torrent experimental client gives them all the info they need. It lists out in a nice neat column all the users you are connected to, their ip address, speed of connection and data transferred both ways.

TD

RealitY
07-25-2003, 10:37 PM
First 1214 is only blocked in the new version thanks to RN. In previous version even when using a different port Zone Alarm still showed "listening" on port 1214 by KaZaa.

Also as of recent I have noticed Super Nodes that ARE hostile IP's.

In addition I truly suggest everyone use a good fw and import the IP's from the PG Database in their fw, this provides much better protection and understanding of what is actually happening compared to PG. I personally use ZA 4.0 which can import xml files with the IP's.

Also if you get a letter read http://www.subpoenadefense.org/.

chalkmongoose
07-26-2003, 03:29 AM
According to the RIAA, which seems to have become quite powerful as of late, you can pay about 15K per song, or some bullsh*t like that. I do wonder though, if some prankster is behind a lot of these messages.
WRITE Comcast before doing anything else. Calls are difficult to maintain legal documents of. WRITE to Comcast, using certified mail so you have records of sending the document, and have its sending affirmed by a notary official or two. Also have him/her verify its context.
Ask Comcast ONLY if "they sent you a warning about file-sharing, and about sharing copyrighted files."
Do not ADMIT to sharing them at all. Do not say "the files I was sharing."
By doing these things, you can A) verify it was actually them, and B) avoid being made an ass of in court for admitting you share copyrighted materials.