While the initial emails implied ES5 had an impressive workforce, it appeared that only three individuals ran the show. They were: Ras Kabir, President, “File Hoover”, lead programmer, and SharePro, forum administrator.
The EarthStation 5 client was a busy affair. Never-the-less, the plethora of options did not stop many people from giving this application a try. The client had many extra features not related to file-sharing, such as a dating service and audio/visual chat services.
ES5’s biggest claimed
attribute was its anonymity feature. This indeed seemed like a promising idea, considering the Recording Industry of Association of America (RIAA) was gearing up for its lawsuit campaign. According to ES5’s developers, this program was virtually immune from an RIAA lawsuit.
The ES5 program used several innovative features to hide or protect one’s IP (Internet Protocol) address from the music industry. If the RIAA happened to obtain your IP address and found evidence in your shared folder, it was then a matter of submitting your IP address to your Internet Service Provider. At the time, under the Digital Millennium Copyright Act (DMCA), the ISP would then have to give up the name of the corresponding IP address.
ES5 used SSL Encryption (Secure Socket Layer), which in theory would prevent the RIAA from monitoring one’s file-sharing activity. To prevent the RIAA from obtaining your IP address, ES5 would transfer files through a proxy server. In addition, the client would take advantage of a “gatling proxy” feature that would change proxy servers at a given interval. By transferring files through a proxy server, the RIAA or other suspicious eyes would see only the IP address of the server, not the individual sharing music.
According to Ras Kabir
, a Linux version was to be released in the latter part of 2003. This never came to fruition. You can read Michael Ingram’s in depth review of ES5 here
Kinks in the armor
The first signs of trouble began shortly after the client was released. Bizarre claims regarding the size of the network and its resourcefulness quickly began circulating in various P2P forums, especially Zeropaid.com. Zeropaid’s forums would set the stage for damaging evidence against ES5’s public image.
As stated earlier, many incredible rumors were heavily pressed on the Zeropaid forums. Ras Kabir, President of ES5 publicly stated
in an interview that ES5 had 15 million users – an amazing claim for such a young network.
Another claim made was that Zeropaid administrators were selling the IP addresses of its userbase to the RIAA. How did this claim come about?
Initially, the relationship between Zeropaid and ES5 was an amicable one. The two entered a business relationship where Zeropaid advertised ES5 banner ads and created a sub-forum for this network’s users.
While things seemed pleasant enough, the relationship turned sour. When Zeropaid created the ES5 sub-forum, it was flooded with outrageous network performance claims and bitter flame wars took place. In response, the advertising was dropped, effectively ending the relationship. When the relationship no longer functioned, the aforementioned accusations were made as a form of retaliation.
Ras was questioned about the rumor that Zeropaid was disclosing its member’s personal information in a subsequent interview
“I am aware of the facts relating to Zeropaid presented to us by one of our employees. Indeed, due to my duties with Earthstation 5, I have not had the time to personally peruse the information in great detail and therefore will not comment at this time.”
Both these heavily pressed rumors were never substantiated by ES5.
The third assertion ES5 made was that its traffic was untraceable. According the ES5 administration, one could use the ES5 software, say on a college campus, and its use would never be detected. However, this would prove untrue.
MesoCom is a software company that develops P2P Watchdog. P2P Watchdog is a tool for network administrators who wish to detect evasive protocols such as ES5. Although ES5 claimed it could not be detected, MesoCom’s research
found this to be untrue. As it turned out, ES5 has a unique signature that allows network administrators to identify and block this traffic.
While many eventually brushed these rumors aside, something much larger was brewing in the horizon.
A damaging blow came to ES5 on month later (October 3rd, 2003.) It was delivered by an individual named Random Nut. Random Nut was well known in the file-sharing world for being the original author of Kazaa Lite. His second great work was his discovery
of a “malicious code” hidden in the ES5 executable. According to Random Nut, the “malicious code” allowed remote deletion of any file.
There exists malicious code in ES5.exe's "Search Service" packet handler. By sending packet 0Ch, sub-function 07h to the "Search Service"'s IP:Port, a remote attacker could delete any file the user is sharing. If the remote attacker uses "filenames" with a relative path in them (eg. "..\..\..\WINDOWS\NOTEPAD.EXE"), the remote attacker could also delete files in eg. the windows and windows\system32 folders, or any other folder on the same partition as any of the shared folders. Since most users using Windows are in the Administrators group, a remote attacker could also delete the C:\BOOT.INI file which is a required boot file used by ntldr.
IMPORTANT: This is not a bug! They intentionally added this code to ES5.
EarthStation 5’s lead programmer “FileHoover” vehemently defended
his program and stated it was not a malicious code, rather an “automatic software update” function.
We at Earthstation 5 are not perfect, but we acknowledge that Shaun Garriok might be and thank him for helping us root out bugs.
The problem with the Earthstation 5 software that Shaun Garriok found truly exists; however, the sordid motives he attributes to Earthstation 5 are incorrect. The following functions were put into Earthstation 5 to allow automatic, remote upgrade of the Earthstation 5 software.
We are glad he found this bug and pointed it out. We completely removed the automatic software upgrade code because as it turns out automatic upgrade is no longer popular as it once was because it gives people an uneasy feeling and rightly so.
Kinks turn to cracks
After these incidents, the ES5 world was that of general calm. Although its public image was greatly tarnished, ES5’s forum was busy and its population seemed content – for the time being.
In February 2004, the Washington Post investigated
the anonymity of ES5. Not only did they question this, they actually traveled to Jenin in the West Bank to look for ES5’s headquarters. The result?
After speaking with the marketing director of Paltel, the telephone company of the Palestinian territories, it was discovered that no voice or Internet services was ever provided to a company named ES5. In addition, the Washington Post spoke with the Palestinian Information Technology Association about ES5’s whereabouts.
"I've never heard of the company, and I should have heard of it," said Yahya Salqan, general secretary of the Palestinian Information Technology Association. He said he sent e-mails to the 75 members of his association asking if any knew of Earth Station V, and "nobody had."
In addition, none of the locals knew or heard about any company named ES5. The name “Ras Kabir” drew little more than laughter, as the name means “big head” in Arabic.
At this time, ES5 was a very isolated company. The consistent outrageous claims and building distrust, coupled by the bombardment of various P2P forums, placed this company at odds with virtually every file-sharing community. Other than ES5’s own forums, support for this network was on a rapid decline.
Just when things could not seem to get any more bizarre on the ES5 front, they did. ES5’s reputation was further damaged by its integration of giFT. While this alone does not mean much, it questioned the claims of its vast resourcefulness. If ES5 was such a good file-sharing network, why would one need giFT? In addition, when someone uses giFT to access FastTrack or Gnutella, they are no longer protected by the anonymity or protection that ES5 provided.
As ES5 began to slowly fade, news began circulating that ex-felon Stephen Cohen was now involved with this P2P network. On January 3, 2004, Ras Kabir released
a statement that ES5 was hiring Stephen Michael Cohen.
Let me make something very clear. We offered Mr. Cohen an executive job with our company. He initially turned us down, however after several telephone calls, he finally gave in and agreed to help us in the capacity of a consultant. We now have Mr. Cohen permission to disclose his identity.
Stephen Cohen was known for hijacking the domain “Sex.com.” When the 9th circuit court levied a $65 million judgment against Stephen, he skipped out of the United States and reportedly ended up in Tijuana Mexico. Already an ex-felon for bankruptcy fraud and impersonating a lawyer, Stephen Cohen is now a fugitive from United States law.
"It now appears that Cohen simply picked up the phone, asked for and was granted the Sex.com domain name immediately," Kremen said. "This was at a time when the queue for domain names was over four weeks. VeriSign made no attempt to verify Stephen Cohen's connection to Sex.com."
Kremen has since settled with VeriSign
Things finally came to a head in April 2004. After the Random Nut incident occurred, anti-ES5 sentiment began to grow rapidly. In addition, many of the promised features never came to fruition. It became apparent that a new version would never be released, nor would any of the streaming audio/video features be repaired. The lack of any progress on the ES5 project added fuel to the growing fire of discontent.
To quell the growing rebellion within the ES5 forums, it had long been suspected the forum administrator, SharePro, had been clamping down on any criticisms regarding ES5. Initially, the changes were subtle; however over time more individuals began to notice postings were being deleted at an accelerated pace.
Eventually, all statements that expressed disapproval of ES5 were eliminated from the forums. In addition, there was a growing opposition of SharePro’s handling of ES5's public relations. At this time, SharePro had assembled a small core of individuals that would “spam” and incite flame wars on other file-sharing sites when the ES5 client was condemned.
When the criticism heated up, forum members who spoke out against ES5 were banned – including many senor members who had been loyal since the beginning. In addition, an entire years worth of posts belonging to an individual who spoke against ES5 was reported to have been deleted.
In the last few desperate months that SharePro had authority on the ES5 forums, news began to circulate that several user passwords were compromised. Apparently, SharePro had given out several passwords of users that heavily criticized ES5 – or those who had repeatedly called SharePro a liar. Those in possession of the user passwords could then alter the corresponding user’s posts to reflect the will of the ES5 administration.
The lack of upgrades, the degradation of the forums, the non-functioning ES5 radio and other features rapidly facilitated ES5’s demise. At this point, most of the veteran forum members departed to form their own P2P forum
, leaving the ES5 landscape barren.
These bizarre events simply pushed ES5 into further isolation. By mid-2004, the client had not been updated for a substantial period of time. SharePro/FileHoover had since departed the ES5 forums.
It is not known how long Stephen Cohen was at the helm of ES5, or whether “Ras Kabir” was an actual person, or simply his front. Interestingly, his consulting job over time seemed to migrate to outright ownership. Read this interesting thread on Dionysians.org
regarding other bizarre occurrences within the ES5 organization. As one of his final acts at the helm of ES5, this message was posted to their forums on January 24, 2005:
After spending hours and hours with the programmers, I have decided to SCRAP the ES5 software and start all over again. This board in the meantime will remain open to everyone.
Anyone interested in a SUPER NOVA type thing? Anyone else have any good opinions on what we should do? Who wants to help?
While many questions will most likely remain unanswered, what is known is that EarthStation 5 is no more. Its forums have been discontinued, the client is no longer available for download, and the homepage, save for the occasional P2P news update, remains unchanged. Perhaps offering the most intriguing episode of file-sharing history, ES5 came roaring into the P2P world. When it was all over, it was like it never happened.