declaration of bradley witteman“windows 10 update threshold 1” released november 12, 2015 could...
TRANSCRIPT
Page 1
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
J. Curtis Edmondson (CASB # 236105) Law Offices of J. Curtis Edmondson Venture Commerce Center 3699 NW John Olsen Place Hillsboro, OR 97124 Phone: 503-336-3749 Fax: 503-482-7418 Email: [email protected] Robert Robinson (CASB # 131461) Law Office of Robert S. Robinson 2400 Camino Ramon Ste 185 San Ramon, CA 94583 Phone: 925-830-2702 Fax: 925-830-2104 Email: [email protected] Attorneys for Defendant JOHN DOE IP address 76.126.99.126
IN THE UNITED STATES DISTRICT COURT FOR THE NORTHERN DISTRICT OF CALIFORNIA
MALIBU MEDIA, LLC, Plaintiff, vs. JOHN DOE subscriber assigned IP address 76.126.99.126, Defendant.
and related cross actions
) ) ) ) ) ) ) ) ) ) ) ) ) ) ) ) ) )
Case No.: 3:15-cv-04441-WHA DECLARATION OF EXPERT BRADLEY WITTEMAN IN SUPPORT OF THE OPPOSITION TO THE PLAINTIFF’S MOTIONS FOR TERMINATING SANCTIONS
Case 3:15-cv-04441-WHA Document 156-3 Filed 02/16/17 Page 1 of 20
Page 2
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
DECLARATION OF BRADLEY WITTEMAN
I, Bradley Witteman, declare the following facts to be true pursuant to 28 U.S.C. § 1746, on the date set forth beside my signature hereinbelow:
I am a designated expert in this dispute, my CV is included in my Expert Report dated
December 15, 2016. My background includes working for BitTorrent Inc. as well as other
Internet and digital media companies for more than 20 years. I have studied the output of the
NARS system and have found several flaws in their system. During my work I have become
very familiar with the various personal computer operating systems used on the Internet
including Windows, Linux and Macintosh computers.
1. In the motion for terminating sanctions plaintiff claims that defendant installed Windows
10 on December 10th, 2015. It is just as likely that Microsoft’s aggressive Windows 10
update policy in Windows 10 “Update Threshold 1” could be the cause. My detailed
analysis is attached as Exhibit A.
2. It is my opinion, from the test results files I was provided, that the deceased principal of
Computer Forensics LLC, Dave Kleiman, was the person who conducted the NARS
system test that produced the provided test results files, and not Patrick Paige. I describe
why this is my belief below in Exhibit B.
3. The testing dates are inconsistent with the file creation dates of the provided test results
files. I describe my findings in Exhibit C.
4. The Dave Kleiman system test in 2013 was not performed on the version of the NARS
system that was active during the complaint in 2015. My findings are below in Exhibit D.
I declare under penalty of perjury under the laws of the United States of America that the foregoing is true and correct and that this declaration was executed on February 16, 2017, in Vancouver, Washington.
Respectfully Submitted, By: ______________________ Declarant
Case 3:15-cv-04441-WHA Document 156-3 Filed 02/16/17 Page 2 of 20
Page 3
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
EXHIBIT A “Windows 10 Update Threshold 1” released November 12, 2015 could
be responsible for the December 10, 2015 upgrade of the Windows operating system on
defendant’s PC.
Case 3:15-cv-04441-WHA Document 156-3 Filed 02/16/17 Page 3 of 20
Page 4
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
1. Microsoft Aggressive Windows 10 Upgrade Policies
The Microsoft Windows operating system was upgraded to Windows 10 in July of 2015,
then updated with the public release of “Threshold 1” November 12, 2015.1 Microsoft offered
users a free upgrade to Windows 10 from Windows 7 and Windows 8. Between July and
November, the “Get Windows 10” application, changed its behavior multiple times. In mid-
November 2015, concurrent with the release of “Threshold 1,” Microsoft changed the opt-out
screen to only have the options to “Upgrade Now” or “Start Download, Upgrade Later” –
replacing the text and behavior of the “Do not upgrade” button with “Start Download, Upgrade
Later”.
2
1 https://en.wikipedia.org/wiki/Windows_10_version_history 2 https://twitter.com/BradChacos/status/675122217940860928
Case 3:15-cv-04441-WHA Document 156-3 Filed 02/16/17 Page 4 of 20
Page 5
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
From an article in Computerworld covering the Get Windows 10 application’s behavior3:
"Over Thanksgiving weekend I started getting reports that the Windows Update 'AllowOSUpgrade' setting was getting flipped back on on a number of peoples' PCs, and it keeps re-setting itself at least once a day if they switch it back off," said Josh Mayfield creator of GWX… "This is new behavior, and it does leave your PC vulnerable to unwanted Windows 10 upgrade behavior”. ...“Mayfield released GWX Control Panel 1.6 on Nov. 24 then began hearing from users that their PCs were being switched from a "do-not-upgrade-to-Windows-10" status to a "do-upgrade" state, often multiple times daily.”4
Then in early December 2015, press coverage noted the increased pressure to upgrade
and how difficult it was for users to opt out of being automatically updated to Windows 10:
“For users updating their systems to an upgraded version of Windows should be good news, but the tactics used by the technology giant are the same used by spammers ie. tricking users into a situation where they are forced to agree with something against their will...”5 “Microsoft is rolling out software changes which are making it increasingly difficult for mainstream users to avoid upgrading to Windows 10...”6
2. Windows.old Directory is Automatically Deleted After 30 days
In late 2015 I myself found my Windows 7 machine which was set to NOT upgrade
because of the age of the processor, low amount of RAM and underpowered video graphics card,
was upgraded to Windows 10 overnight. After the upgrade to Windows 10, a new folder named
Windows.old is created which includes the user’s items from the previous operating system.
After 30 days, the Windows.old folder was automatically deleted by Windows 10. I was
3 http://www.computerworld.com/article/3012278/microsoft-windows/microsoft-sets-stage-for-massive-windows-10-upgrade-strategy.html as of 10/29/2016 4 http://www.computerworld.com/article/3012278/microsoft-windows/microsoft-sets-stage-for-massive-windows-10-upgrade-strategy.html as of 10/29/2016 5 https://www.hackread.com/microsoft-adopts-spam-trick-to-upgrade-to-win-10/ 6 http://www.forbes.com/sites/gordonkelly/2015/12/16/why-microsoft-said-windows-10-upgrades-cannot-be-stopped/#5b6eafb74fdf
Case 3:15-cv-04441-WHA Document 156-3 Filed 02/16/17 Page 5 of 20
Page 6
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
fortunate to not have any critical files on that machine, as many users reported losing data when
the Windows.old directory was automatically cleaned up by Windows after 30 days.
“there were files on my desktop from the previous version of windows. I did not realize that windows 10 would delete those files after 30 days. Is there any way to recover the windows.old files that were automatically deleted after the 30 day period?”7
The plaintiff has asserted that the defendant was responsible for upgrading to Windows
10 and deleting the Windows.old directory, when in fact, this could have been the unexpected
result of the aggressive Microsoft upgrade process detailed above.
7 https://answers.microsoft.com/en-us/windows/forum/windows_10-update/recover-files-from-windowsold-after-auto-delete-30/fbf8d003-7ad7-4d66-a891-1f27bd1ae3b7
Case 3:15-cv-04441-WHA Document 156-3 Filed 02/16/17 Page 6 of 20
Page 7
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
EXHIBIT B
From the records I was provided I believe the deceased principal of Computer Forensics LLC,
Dave Kleiman, was the person who conducted the tests, and not Patrick Paige.
Case 3:15-cv-04441-WHA Document 156-3 Filed 02/16/17 Page 7 of 20
Page 8
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
From Mr. Paige’s Report,
“Prior to October 2015, IPP used an infringement detection system from Excipio. I tested this infringement detection system. After performing the test, I concluded that the infringement detection system works. Specifically, the system accurately records the IP address of a person using BitTorrent to transmit data to Excipio’s computer servers.”8
However, based upon the test result files produced, Mr. Paige was not the individual who
planned, coordinated, conducted, nor documented the test. I believe Dave Kleiman, Patrick
Paige’s partner in “ComputerForensicsLLC,” conducted the test of the APMCLLC/Excipio/IPP
NARS system for ComputerForensicsLLC, not Patrick Paige for the following reasons:
1. The ZIP File Provided Includes Mr. Kleiman’s Name in the Filename.
The file with the captures of test files uploaded is named DAVEKLEIMAN_1448134.ZIP
8 SIGNED NCA70 FINAL Expert Report.pdf page 2
Case 3:15-cv-04441-WHA Document 156-3 Filed 02/16/17 Page 8 of 20
Page 9
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
Dave Kleiman was the one who compressed the .zip file containing the upload receipts of
sending the test files to their rented virtual servers.
3. Four Text Files Recorded Dave Kleiman as the Examiner
In the .zip file, DAVEKLEIMAN_1448134.ZIP, the files that accompany the upload logs are
each signed “Examiner: Dave Kleiman.”
58.158/50.63.58.158-EXOCannibalismFootage2012.ad1.txt
176.61/50.63.176.61-2012nudestcamp.ad1.txt
Case 3:15-cv-04441-WHA Document 156-3 Filed 02/16/17 Page 9 of 20
Page 10
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
184.230/50.63.184.230-alienhumanprobing.ad1.txt
188.154/50.63.188.154-Classichowtosex.ad1.txt
Mr. Kleiman was the one who was preparing and documenting the test.
Case 3:15-cv-04441-WHA Document 156-3 Filed 02/16/17 Page 10 of 20
Page 11
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
4. Dave Kleiman Rented the GoDaddy Servers with his Credit Card
Mr. Kleiman produced GoDaddy Receipts in his name with his credit card information for the
rental of the virtual servers used for the test.
Mr. Kleiman was the one planning and setting up the test environment.
Case 3:15-cv-04441-WHA Document 156-3 Filed 02/16/17 Page 11 of 20
Page 12
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
5. Mr. Kleiman is Directing The Test in the Included E-mail Conversation
Dave Kleiman is the one conducting the test and leading the communication with apmcllc’s Ben
<[email protected]> in the email exchange from the file “IPP Communication.pdf”.
February 25th
February 26th
Case 3:15-cv-04441-WHA Document 156-3 Filed 02/16/17 Page 12 of 20
Page 13
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
February 26th, #2
February 26th, #3
Mr. Kleiman is the one coordinating and conducting the test of the system. In fact in the
entire produced e-mail conversation, Mr. Patrick Paige does not say anything at all – he is simply
a carbon copy recipient of the e-mail thread – which appears to be in direct conflict with his
Case 3:15-cv-04441-WHA Document 156-3 Filed 02/16/17 Page 13 of 20
Page 14
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
statement that he ”tested this infringement detection system. After performing the test, I
concluded that the infringement detection system works.”
Case 3:15-cv-04441-WHA Document 156-3 Filed 02/16/17 Page 14 of 20
Page 15
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
Exhibit C
APMCLLC/Excipio/IPP NARS System testing dates are
inconsistent with the file creation dates of the provided test results files.
Case 3:15-cv-04441-WHA Document 156-3 Filed 02/16/17 Page 15 of 20
Page 16
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
The files provided for the test have dates that don’t make any sense, calling into question
the timing of the test.
1. PCAPs are Dated Before the End of the Test
The PCAPs provided do not cover the day recorded in the e-mail conversation above –
ending a full day before Mr. Kleiman and Ben at APMCLLC/Excipio/IPP are coordinating the
download of the fourth file. The conversation above ends on February 26th at 12:57pm EST,
however, the PCAPs provided are all dated February 25th as you can see in this image:
2. The Test Was in February of 2013, however, the majority of files are dated August 2014
The test was being set up and run by Mr. Kleiman starting in February, 2013 and
completing February 26th as noted in the e-mail thread above, however, the files in the folder
have dates long after the end of the test (Note: February 2017 dates are when I was provided this
data and uncompressed the .zip files).
Case 3:15-cv-04441-WHA Document 156-3 Filed 02/16/17 Page 16 of 20
Page 17
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
Case 3:15-cv-04441-WHA Document 156-3 Filed 02/16/17 Page 17 of 20
Page 18
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
3. The Encase File “CFLLC Pcap Log Files.L01” is Dated Aug 22, 2014
The file “CFLLC Pcap Log Files.L01” is dated Aug 22, 2014 – more than a full year after
the test completed. I would expect that the Encase file that is showing the recording of the test
would be written at the conclusion of the test, in late February or early March, 2013 – not 16
months later in August of 2014.
Case 3:15-cv-04441-WHA Document 156-3 Filed 02/16/17 Page 18 of 20
Page 19
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
EXHIBIT D
The Dave Kleiman NARS System test was not performed on the version of
the NARS system that was active during the complaint.
Case 3:15-cv-04441-WHA Document 156-3 Filed 02/16/17 Page 19 of 20
Page 20
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
1. The Dave Kleiman Test was of a Different Version of the NARS System Than Was in Use During the Complaint
The test, if conducted in February 2013, was not testing the version of the NARS system
in use during the complaint. From Mr. Patzer’s Deposition October 13, 2016:
“Q. Okay, For example, when was the last time you had to recompile the code? Would guess about a year, last year.”9 Which indicates that the code running the APMCLLC/Excipio/IPP NARS system was updated at least once in 2015. “Q. In 2014 do you recall how may times you had to recompile the code? A. I don't know. A few times. If there were improvements on the code, we did a lot of improvements to get more performance out of the software.”
The testing of the system should have been conducted on the version of the system that
was in operation during the period of the complaint not 4 or 5, or more, iterations removed from
the version that was in operation during the period of the complaint.
9 3:15-cv-0441-WHA – Deposition of Michael Patzer – 13 October, 2016, page 85 line 3
Case 3:15-cv-04441-WHA Document 156-3 Filed 02/16/17 Page 20 of 20