RE: file hashes

From: Markham, Aaron \(NBC Universal\) <>
Date: Mon, 21 May 2007 10:57:13 -0700

Heh... we shouldn't presume to tell them how to network their protection
system... that shit has to be difficult... anyway, Jay, since the
"supply" numbers are typically pretty low per project - say 2-5k on
average - why can't you collect those file hashes?

Keep in mind that we're looking at doing some direct measurement on
countermeasures effectiveness such that we're monitoring particular
swarms and watching individual peers as they collect up to 100% of the
file and then drop off. We'll monitor these individuals across multiple
swarms if they happed to try to download more than one version of a
file. That way we can have a more accurate picture of effectiveness.
Just because 9 out 10 files where fake most of the time doesn't mean we
were effective. If 50% of the user population defeats us by downloading
multiple files at once then we have a problem... if this is only 10% of
the population then it's not so bad.

So, if we do this kind of analytics it would be good to know that in
swarms where it appears that many of the users are getting the full file
versus swarms where everyone seems to be very slow at getting the full
file that countermeasures were involved. The only way to know this if
Mediadefender can tell us if they've interdicted a particular swarm. If
we find swarms that you didn't interdict (or aren't currently
interdicting) then we'd feed that info back to you automatically.

-----Original Message-----
From: Skinner, Andrew (NBC Universal)
Sent: Monday, May 21, 2007 10:38 AM
To: Jay Mairs; Markham, Aaron (NBC Universal)
Subject: RE: file hashes

If logging can't be enabled on the countermeasure servers, how about
routing all those machines through an internal proxy and then tracking
the connections that way?

-----Original Message-----
From: Jay Mairs []
Sent: Thursday, May 17, 2007 10:32 AM
To: Markham, Aaron (NBC Universal)
Cc: Skinner, Andrew (NBC Universal)
Subject: RE: file hashes

We don't keep a history of individual file hashes/IP addresses in our
protection system because the computers in our protection system are
already pushed close to their limits. Any deep data collection (file
hashes, IP addresses, etc.) on our protection system would negatively
affect our protection effectiveness. Because of this problem, we
created a separate data collection system in order to collect more raw

The data feed files from our data collection system contain raw data for
supply and demand (including IP address) on the respective networks.
The data collection system only collects supply and demand, it is not
connected or related to our protection system in any way, so there is no
spoof, decoy, or interdiction data associated with the data feed files
for each network.

-----Original Message-----
From: Markham, Aaron (NBC Universal) []
Sent: Wednesday, May 16, 2007 1:49 PM
To: Jay Mairs
Cc: Skinner, Andrew (NBC Universal)
Subject: file hashes

Do you record the file hashes (for edonkey in particular) for every
swarm you interdict? Is that in the supply feed?
Received on Fri Sep 14 2007 - 10:55:54 BST

This archive was generated by hypermail 2.2.0 : Sun Sep 16 2007 - 22:19:46 BST