An anti-piracy company cited as the sender of a DMCA notice targeting an entirely legal copy of Ubuntu says that its notice sending system was spoofed. The notice was reportedly sent via Comcast to warn a Reddit user that he'd breached copyright law, but the explanation from OpSec Security only raises even more questions as to how something like this could possibly happen.

Yesterday we reported that Reddit user NateNate60 had received a DMCA notice, apparently from Comcast, declaring that he’d breached copyright law by downloading and sharing a legal copy of Ubuntu.

“We have received a notification by a copyright owner, or its authorized agent, reporting an alleged infringement of one or more copyrighted works made on or over your Xfinity Internet service,” the posted notice reads.

“The copyright owner has identified the IP address associated with your Xfinity Internet account at the time as the source of the infringing works,” it continues, adding that NateNate60 should search all of his devices connected to his network and delete the files mentioned in the complaint.

According to the Xfinity notice, the sender was OpSec Security, so to find out more we contacted the anti-piracy company for an explanation. That came in late last night and, while it provides some answers, it also raises even more questions.

OpSec: Our Anti-Piracy System Was “Spoofed”
In a response from OpSec Marketing Communications Manager Amanda Hershey, the company explained that the notice was malicious and was sent to damage its reputation.

“OpSec Security’s DCMA [sic] notice sending program was spoofed on Wednesday, May 26, 2021 by unknown parties across multiple streaming platforms,” Hershey explains.

“The content in question all appears to be Ubuntu Linux ISO. We have incontrovertible evidence that proves these DMCA notices were not perpetrated by or originated with OpSec Security.”

Why OpSec references “multiple streaming platforms” is unclear. People do not ‘stream’ Ubuntu packages, they download them – in this case via torrents distributed by Ubuntu’s own tracker. And while OpSec says it has “incontrovertible evidence” that shows the DMCA notices were not sent by the company, it has yet to reveal details in public.

“OpSec’s enforcement efforts are occasionally spoofed by a third party in an attempt to damage OpSec’s reputation. These attempts are easily identifiable, and easily disproven,” the company explains.

While the security company says that third parties are “spoofing” its system, it does not explain how that was possible. And, at least in this case, the bad DMCA notice was apparently not “easily identifiable”, since it clearly managed to cause confusion. So how did this happen?

Inside Information Acquired?
In our initial report we noted that it’s not impossible for someone to fake a DMCA notice. In this case, however, it is difficult to reconcile events on the ground with the statement from OpSec, because a notice this targeted would require a certain amount of information that is more difficult to acquire.

Firstly, NateNate60 says he did download the content in question after obtaining a torrent directly from Ubuntu’s own tracker. That would, of course, expose his IP address both to the tracker and everyone else sharing the content. However, in order to send the DMCA notice via email (whether that was from Comcast or a spoofed email address purporting to be Comcast), anyone obtaining NateNate60’s IP address would necessarily need his email address too.

This raises the question of how that email address was obtained. OpSec Security wouldn’t ordinarily have it, and neither would the alleged malicious party, but Comcast clearly would. That’s how DMCA notices sent to ISPs work. The sender doesn’t know the contact details of the alleged infringer, so they ask someone who does to forward the notice, in this case Comcast.

So, if we take OpSec’s statement at face value, at least in theory a third party could’ve tricked Comcast into sending the notice after “spoofing” OpSec’s “notice sending program”. This raises more questions.

If these allegedly malicious efforts to undermine OpSec’s reputation are “easily identifiable, and easily disproven”, how was Comcast not put on alert? And if this has happened before as the company claims, why hasn’t the loophole been closed?

In any case, the allegedly malicious third party would also need to know how to contact Comcast in a convincing manner, in order to masquerade as OpSec. It’s not easy to determine how that could be achieved without knowing how OpSec usually communicates with Comcast. This could be explained if OpSec’s system had been hacked or illegally accessed in some way, but the company does not use that terminology, instead going with the term “spoofed”, i.e. imitated, not compromised.

Furthermore, even if we adopt the scenario that Comcast didn’t send the email and it was a spoofed fake, how did the sender a) discover NateNate60’s IP address, b) learn the exact time he downloaded the torrent, and c) manage to match that IP address to his email address? It sounds like a lot of effort simply to tarnish OpSec’s name, especially since there was no guarantee that NateNate60 would ever publish the notice online.

Both OpSec and Canonical Say They Are Taking Action
While OpSec’s statement is helpful to an extent, it clearly raises even more questions. We have put these questions to the security company and will publish an update when it responds. In the meantime, OpSec says the matter is now being escalated.

“We are notifying the appropriate authorities about this incident,” OpSec says.

Ubuntu owner Canonical says it has launched its own investigation.