DrunkenBlog

Deconstructing Maui X-Stream

Not too long ago I received a letter from a William P. Kealy of Stuart & Branigin, LLP which you can see to the right, but for readability I've copied the contents into the text below:

"Re: drunkenblog.com

Dear Mr. Bell,

Stuart & Branigin represents Maui X-Stream, Inc. (MXS)

On Thursday, April 14, you phoned me. You refused to disclose your business address.

MXS customers report that you have contacted them. Those customers attribute to you statements about MXS and its products that are false. Speaking untruths to a third party is slander. A slanderer is liable for damages resulting from the slander. MXS's investigation to date gives MXS cause to believe that slanders by you have caused MXS to lose sales. MXS has authorized me to investigate legal action against you for those damages.

Please provide me immediately a list of MXS customers contacted by you and the dates on which the contacts occurred. Please also supply me the name of your counsel.

Very truly yours,

William P. Kealy"

It often takes me awhile to get stuff at the addy in my WHOIS, but I get it eventually just because of occassions like this. We'll get to my specific response to it in a bit, but for now let's just say one benefit to a video blog is that rude gestures don't translate in quite the same way via text.

Now, you may be curious as to why a company named Maui X-Stream (MXS) has a problem with me to the point where they're essentially telling me they're trying to figure out how to sue me, they happen to be the company that birthed CherryOS upon the world. CherryOS is the PowerPC emulator specifically geared for running Mac OS X on Windows machines, and detailing the claims regarding it by it's creator -- along with the CEO -- would take an entire chapter by itself.

If you'll recall, awhile back I wrote The Pits in CherryOS, and several follow-ups, detailing and explaining the evidence that CherryOS was really code from the open-sourced PowerPC emulator PearPC, along with infringing code from numerous other open-sourced projects.

Readers, I can tell you that I have never contacted an MXS customer that I'm remotely aware of, especially before I got this letter. It's completely bogus, but oh yes I've been digging, and the problems seemed to have arised when they realized just how deeply I and others were going. In this post, we'll go through exactly what I have done in the last while regarding Maui X-Stream, along with:

• Their legal threats against those finding the evidence, and why DrunkenBlog had to get a lawyer.

• The evidence of infringing GPL and LGPL programs within their VX30 products. Programs like XviD, LAME, Media Player Classic, phpAdsNew, and more.

• How the evidence was gathered, and how you can verify it for yourself.

• My three hour chat with Arben Kryeziu regarding VX30, CherryOS, the evidence of infringing code in their other commercial product called VX30, and a whole bunch of other goofy behavior.

• Much, much more.

This isn't a Mac, Linux or Windows thing. This is an OSS thing, along with a liberal sprinkling of 'what the hell were they thinking'. Open Source is becoming increasingly important across all platforms and all types of software, and chances are the computer allowing you to read this has some floating around inside it.

When people often give their all to create the software we work on, play on, and more and more frequently practically live on, the fruits of those efforts should be respected and -- if it comes to it -- protected. This isn't zealotry, it is just becoming fundamental.

Because the length and scope of this post demands it, this is the first post on the site with anchored chapter-thingies for when you need to find your way back:

1. A quick primer of licenses and copyrights

2. The licenses we'll be specifically dealing with

3. Laying out VX30

4. The cost and customers of VX30

5. A note regarding Maui Online

6. The VX30 patents

7. Getting to know Mr. Kartes

8. The evidence in VX30

9. The XviD code

10. The Media Player Classic code

11. The LAME code

12. The SHOUTcast code

13. The CFileDropListCtrl code

14. The JPEG code

15. More weird leftovers

16. VX30 Ad-Stats and phpAdsNew

17. Finding the code in VX30

18. A Cease and Desist

19. Verify for yourself, with mirrors

20. My representation

21. Questioning playerless-streaming.org

22. Arben and Crystal Kryeziu

23. Making friends

24. My 3 hour chat with Arben

25. Jim Kartes needs a blankey

26. Pinging Arben

27. The Comsdev connection

28. Do not taunt Happy Khalid Farooq

29. That PowerPC Emulator

30. They can penetrate our borders, but they cannot reach Baghdad

31. PDFConv and PDF2HTML

32. Recent events

33. Wrapping up

Recently, I read an article about Maui X-Stream and CherryOS that quoted someone from Wired as saying:

"If the code similarities are borne out, it is unlikely PearPC's developers could sue Maui X-Stream for a cut of any profits since open-source codes are protected more by an honor system than any legal basis, says Wired.com senior writer Leander Kahney"

After I finished beating my head against my desk, I realized it's probably a really good idea to touch on this and assume Leander was just horribly misquoted. 'Open-source codes' are protected by copyright, and with the way things are starting to go in this country, if forced to choose between being caught with a van full of pirated DVDs or heroin you'd actually have to pause and think about it. Basically, copyright law is pretty damn solid and pretty damn scary, depending on which side of it you happen to be on.

Software source code is actually registered at the copyright as a 'literary work'. The same thing that stops Will Smith from dropping in a Marvin Gaye loop into one of his tracks without licensing the music stops someone from dropping open-source software (OSS) into their proprietary app without acquiring a separate license from the author if they don't want to abide by the terms the copyrighted code has been released under.

By just dropping someone's music into one's own, or trivially modifying it, you create a derivative work which is generally fine if you keep it to yourself -- fair use -- but which you can't distribute unless you're given express permission by the copyright owner. Which brings us to a key point: by distributing one's code under an OSS license, one does not give up one's copyright even if the code is free (as in beer) to use.

It's actually entirely possible to go to an author of OSS code and request to use the software under a different license, although if it is released under something like the GPL they can't take it back. They are the owners of the copyright after all, and if they've released it as OSS software and a company comes along and pays them to be able to use it commercially, they can if the owner of the copyright is cool with that. In practice, this can be difficult with larger projects as they may well have large amounts of people from all over the world contributing code, who all own the copyrights to the code they've contributed to.

To go back to the quote, if the author(s) is having his copyrights infringed upon, they can very well choose to go after whoever is doing it legally. When OSS infringement occurs -- and it does -- it rarely makes it to the courts for a variety of reasons, but chief among them is the sheer expense.

The various lobbying groups have done a pretty good job of making something as simple as copyright infringement a federal offense -- criminal -- but only once the 'damages' pass a certain threshold. The FBI and various prosecutors have a habit of looking into whatever someone like Adobe or Apple want, but they aren't exactly great defenders of OSS. A major problem here is that the various OSS projects aren't selling anything, which means it generally falls straight into the civil category, which means no one is going to be picking up the case on the taxpayer's tab, which means it's going to be on your tab.

An individual's copyright is legally valid, but these types of suits are rarely within the means of an individual. IBM would not be pumping out reams of code into Linux and other OSS endeavors without knowing the license was sound and they'd have recourse to stop a competitor from infringing, but a corporation would have to be remarkably stupid to get into that with IBM or AOL or Apple.

Most infringement occurs on the edges, with smaller apps done by those without the knowledge or resources to take on such a large endeavor, and because the edges are where the shadows are.

There are a lot of different OSS licenses, but we'll be specifically mentioning two a bit later, so it's worth giving them a cursory overlook to tell you what you need to know if they're greek to you.

• The GNU GPL
  Also known as the 'General Public License', the GPL is easily the most popular open-source-software (OSS) license on the planet. What you need to know is that if you take OSS code and modify it but only use it for yourself or internally in your organization you're fine (for your own use).

  However, when you modify the code, you're creating a derivative work from it, and if you distribute it in any way you then have to make available the modified source code in its entirety. If you've incorporated it into another application, it's now a derivative work, and its source code must be published too.

• The GNU LGPL
  
  Also known as the Lesser General Public License, the LGPL was primarily intended for software libraries, and the L used to actually stand for 'library'. It's a more complex license than the full-on GPL, but if followed correctly it can be much more liberal.

  Under the LGPL, there are still requirements that have to be met:

  • You're required to give notice that the software is being used, and is covered by the LGPL

  • You must supply a copy of the LGPL

  • If you display copyright notices anywhere, you must also declare the LGPL's copyright notice with t hem.

  • If the LGPL source code has been modified in any way, that code needs to be given when requested and people have to be notified that things were changed and when.

  • A user has to be able to modify the LGPL code at will. What this means is if an application is dynamically linking to, say, the LAME library to encode/decode MP3s, you can substitute a new LAME library and it changes how the original app acts. You don't have to distribute the code you wrote under the LGPL then.

    However, if you have statically linked to the LGPL code, or incorporated it it into your app, the requirement to allow a user to modify the code/library (and your app, because it's a derived work) is still there, which means you're required to give them the source to the LGPL, the object files so they can mix things around, and to allow the user to reverse-engineer your app to make it work how they'd like.

  If you're confused about the LGPL, don't worry, just about everyone is, and even I probably have something wrong regarding it in my head. Lawyers do earn their pay.

There are licenses which are even more liberal -- like the BSD license -- which allow one to include someone's code in just about anything in any way you see fit, but even the BSD license requires you to keep the copyrights intact and to state in your app that you're using BSD code, as does the LGPL.

For the purposes of this article, this is what you have to keep in mind:

• Open-source code is tied to and protected by copyright.

• The copyright is tied to the specific license that the code is released under for use, and it's terms. If you don't agree, or abide by the terms, you can't use the code.

• While there are many OSS licenses, they all have different terms that may or may not be compatible with each other and you can't mix and match incompatible licenses. This is why you can't throw GPL-licensed code directly into Firefox without the express permission of the author, even though they are both open-source.

It's entirely possible to sell an open-sourced product, which is why you can walk into many stores and pick up a copy of a Linux distribution. There's nothing wrong with it, as the GPL and many other licenses allow for it, so that's not where the problem is.

Which brings us to Maui X-Stream's VX30, in which we'll detail some very, very big problems.

The VX30 suite of products, distributed by Maui X-Stream and also 'created' by Arben Kryeziu (Arben is the programmer who claimed to have created CherryOS from scratch in four months), is basically a proprietary streaming video solution for websites all centered around their 'VX30 codec'. From their marketing materials:

"X30 is a disruptive new codec in video technology. VX30 has a unique patent-pending compression algorithm which allows for higher compression of Video Files with reduced artifacts. X30 files can be viewed from any server platform much like a jpeg file. Encoding VX30 files is a very simple 1 - 2 - 3 process that generates files for every download speed."

The VX30 suite combines a few separate products in different combinations:

• VX30 Encoder
  Used for converting a variety of media formats into the 'VX30 format' for streaming via VX30 Live.

• VX30 Live
  
  Video streaming software which one installs on their own server to stream VX30-encoded content to clients, or to a set of VX30 B-Cast relays.

• Java Client
  
  VX30 bills itself as a 'playerless streaming solution', and this is where the java client comes in. It's not as impressive as it sounds, and basically just means the video is displayed via a java applet within your browser window.

• VX30 B-Cast
  
  VX30 B-Cast is software that works in conjunction with the VX30 Encoder, and basically allows one to setup a series of relay machines for serving streaming video, rather than having it all run off of one server.

• VX30 Ad-Stats
  
  VX30 Ad-Stats is a 'hosted' solution by MXS which provides for advertising and gathering tracking data for your streaming video. When someone views content on your server, the java player sends session and other data back to MXS's servers. You can then login to to MXS's Ad-Stats server and view the statistics and upload content, among other things.

They've also promised 'VX30 Ad-Magic' for embedding video in advertising and 'VX30 Zentu', a forthcoming video conferencing and messaging tool that they claim will include file and desktop sharing. None of those are shipping. They were also hyping 'video emails' for awhile in their press releases, but that seems to have been put on the backburner.

One of the first things you were struck with by Maui X-Stream's other product was just how cheap it was compared to other software serving a similar role. If you'll recall, CherryOS went from $50 to $99 to $14.95 before it was pulled from the market (Yes, it was that bizarre). VX30 is not cheap.

If we look at their price sheet, the various VX30 solutions start at $799 and work their way up to $10,000 USD. This is without their VX30 B-Cast software, which is a complementary add-on and retails between $2,500 and $10,000 depending on how many client connections you need. If you're buying this stuff, you have some coin in your pockets, and people have bought this stuff.

I haven't compiled a detailed list of who uses VX30, but we know on their website MXS touts customer testimonial quotes by Hugh Porter of BM&M and James Lowe of Realty Sight. OEM Parts Express, a machine parts manufacturer in China, also had a quote up and has a VX30 on their front page. If we look at their 'showcase', we see several other customers:

• Boarding School Review
• CITY cosmetics
• Lanai Luxury Homes
• Africast TV
• Maui Online

Chances are if you've heard of any of those companies it would be CITY cosmetics, but you've probably heard of the Hollywood Foreign Press Association, which used VX30 for the 62nd annual Golden Globe Awards:

You can click the above link to see Arben in his glory, or this one for more standard fare, but here's the pertinent text:

The simplicity and ease of use of VX30(TM) technology is evident in the single-man operation it will take to capture, automatically encode and post the Golden Globes video to the HFPA Website. Arben Kryeziu, developer of the software, will man the computer station himself.

And:

Backstage goes blacktie. l-r: Erkki Kanto, IT director for the Hollywood Foreign Press Association (HFPA); Max Cipicca, HFPA web designer; and Arben Kryeziu, inventor of the VX30(TM) encoding software, don blacktie during production of the 62nd Annual Golden Globe Awards.

And yes, you can actually go to the Golden Globe Awards website and view clips 'Powered by VX30' throughout 2005.

Another example of a large customer of theirs is GEICO, a very large insurance company known for its commercials with a cute little Gecko running around which uses VX30 for its Video Library. [added 2005.05.11]

While to my knowledge I've never contacted an MXS customer (more on that later) I don't think there'd really be anything wrong with doing so and asking some questions. In fact, I'd be surprised if journalists didn't.

In the listing of the 'showcase' clients I mentioned above on MXS's website, Maui Online is notable because, well, Maui Online is located and owned by:

Paradise Television Network, Inc.
1024 Front Street
Lahaina, HI 96761
(808) 661-5065

You've probably never heard of the Paradise Television Network, as it's a station which broadcasts tourist stuff about Maui straight to the TVs in some of the island's hotels. Paradise Television is notable because Maui X-Stream, whose president is Jim Kartes, is also a subsidiary of Paradise Television.

Basically, through Paradise Television, Jim Kartes has his fingers in a whole bunch of pies, but tracking down what is and isn't a subsidiary, and is and isn't owned by Jim Kartes can get a bit odd.

As an example, we know he also owns Maui Giclee, a company specializing in large-format fine art printing. Jim also owns an art gallery, with some 600 works on display, which appears to be a division of Maui Giclee focused on wholesale and retail for artists to sell the prints they've had made. Of course, the wholesale gallery is actually called Image Station Art and has its own separate site. I know who designed, or is redesigning, Maui Giclee's website, but Jim Kartes and Arben have their fingers in a ton of different 'ventures'. I.E., Image Station Art's website was designed by Bump Networks, which is a company owned by Arben and his wife (Which I suspect(ed) is another subsidiary of MXS), and which we'll be talking about later.

I've been compiling listings of anyone connected to them, but the various relationships just get strange as we'll see in a little bit.

If you glanced through the press release linked above, you'd have seen this text:

X30(TM) is ranked by http://www.playerless-streaming.org as the best playerless streaming solution on the market today. The software employs a patent-pending technology which allows for higher compression of video files. The dramatic reduction in file size results in significant cost savings on bandwidth usage. VX30(TM) instantly broadcasts TV-quality images over the Internet at 30 frames per second.

Playerless-streaming.org is something we'll come back to, but it's hard to miss the bit about the patent-pending technology in VX30. Well, the patent applications mentioned are online (there are four). They're one hell of an amusing read, and I couldn't do them justice by breaking them down here, but I'd encourage you to give them a once over.

If you did give them a once over, you might notice a few things:

• The 'inventor' is listed as Arben Kryeziu

• The address for 'correspondence' is a P.O. Box for "SCHWEGMAN, LUNDBERG, WOESSNER & KLUTH, P.A."

• The 'assignee name' for the oldest application (Feb, 2003) is Paradise Television, but the others are under Maui X-Stream

• On two of the patent applications, Maui X-Stream is misspelled as Maui X-tream. This has zero correlation to anything that I'm aware of, it just makes me laugh. After the 100+ hours I've spent on these people I needed it, so as an aside to whoever screwed up, thanks.

The fact that Arben Kryeziu is associated here with both Paradise Television and Maui X-Stream is one example of what I meant by how confusing it can be to tell just how some of these business relationships are intertwined, and it'll only get worse as we get on, but for now let's focus on "SCHWEGMAN, LUNDBERG, WOESSNER & KLUTH, P.A." (SLWK).

You may have noticed that SLWK has a Minnesota address, that they're intellectual property attorneys, and that they're a different group of lawyers than MXS has sending me noticed that they're investigating ways they can sue me (Bill Kealey of Stuart and Branigin, which are in Lafayette and Indianapolis, Indiana).

Setting aside that it's a bit unusual, you might be confused as to why, if Jim Kartes' companies are located on islands in Hawaii, his lawyers are in Minnesota and Indiana. For that we need to take a quick look at Jim Kartes and his background.

The background of Jim Kartes, that can be found online anyways, is pretty much written by, well, himself:

Jim started his career in 1960 working for local television news in Minneapolis, and then Indianapolis. He later worked as a news and documentary cameraman for CBS News in New York. He traveled the world filming special assignments for CBS Reports and 60-minutes.

In 1974, Jim and his wife Nancy, started Kartes Video Communications, (KVC) primarily to produce television commercials and corporate communications. In 1977, Jim set up a home video division, to produce, manufacture and market home video cassette programming. KVC specialized in producing and marketing how-to videos and a large library of classic movies branded as Video Film Classics, which they sold through a network of distributors to over 150,000 retailers.

Time magazine stated Jim was the Henry Ford of home video. Jim pioneered the marketing of home video and indeed some major studios still use his marketing plan. Jim later sold this company and moved to Hawaii to retire. Being a restless sort, he started a small television channel that later became the Paradise Television Network and now Maui X-Stream. Jim has worked in the television industries for 45 years.

Jim Kartes in Minnesota is pretty much a blank slate, and it's something I've been very careful about (and would urge you to be as well) as while there is info for a Jim Kartes in MN around, it's for someone involved with building and zoning, and it doesn't seem to jive up with his background.

Since he says he worked for a local television news station in MN, someone with more resources (I.E., a larger long distance budget and some time) should be able to figure this out if they were so inclined, as well as his work with CBS News and 60-minutes. The last two are pretty big feathers in one's cap, and the fact that they're so vague just makes my eyebrow go up a bit, although I did find a small bit about CBS News which we'll get to in a moment.

Kartes Video Communications was an easier thing to bite into, and it's amusing to get a glimpse of some of their product ('Garbage Pail Kids' and 'The Art of Meeting Men' next to 'A Charlie Brown Thanksgiving'). It seems to have been founded in the mid-1980s (1984-86), and at one point was located at 7225 Woodland Drive in Indianapolis, Indiana, which would explain why an Indianapolis IP attorney represents Maui X-Stream now.

While I didn't look into the 60-minutes or CBS News stuff that hard, I got really curious about the fact that Time magazine apparently stated 'Jim was the Henry Ford of home video', and dug into that a bit. Time Magazine has all of their archives online that I can tell (going back to 1923), and some pretty powerful advanced search capabilities. I was unable to find a mention of a "Kartes", let alone a "Jim Kartes", but "rocket pack" pulls up articles going back to 1944, and searching for "Henry Ford" brings up articles going back to the 1920s. Searching for "Henry Ford" and "home video" together brings up nada, as does searching for "Henry Ford" and "video".

Now, I'm not saying Time Magazine didn't say what Jim Kartes said they said, only that if they did they've made their quote very difficult to find and it's probably worth following up on.

If we dig really, really deep (which is scarier, that I found this or that someone had a page about it?) we also come away with a site explaining what one sees before one watched a video put out by Kartes' company:

We start out with a field of stars coming toward us (all of them, some going diagonally), and at the same time, 9 K's, all of which are the company's logo come toward us forming part 1 of the background of the closing sequence, which appears to be a field of diagonal lines. Another set of 9 K's, all of which are the outlines of the first 9 K's, come into the picture the opposite direction of the first 9 K's.

Then the real logo along with the company name with a lighthouse next to it and the words "A Scripps Howard Company" under it all fall onto the background. The lighthouse light next to "A Scripps Howard Company" turns on, and the word "Presents" falls into the background.

Some research tells us that the lighthouse was the logo of "United Media", but I was a little more interested in the whole Scripps Howard angle, as Scripps is a name that's been around for awhile in all sorts of areas, primarily media. As it turns out, the Scripps Group purchased Kartes Video in 1985, but it's unknown how long Jim Kartes stuck around. One could reasonably assume this is where Jim got the cash to move himself out to Hawaii and start buying up TV stations and Printing companies, but here is where things turn really, really weird.

Apparently, James T. Kartes and Nancy Kartes were part of a contract case that is -- and I shite you not -- in a book [PDF] and was actually used as an example in the Loyola Law School of Los Angeles's curriculum [HTML Handout, and PDF] when they got to contract law back in 2002.

The suit itself isn't very important, it's an appeal from 1995, but there are some interesting nuggets in it:

• We learn that by 1984, James T. Kartes and Nancy Kartes were only part-owners in Kartes Video Communications. It's unknown whether they ever the full owners of the company, or if they had previously sold part of their stake in the company.

• We learn that at some point, the Kartes sold their interest in their company to Saffron Associates and not the Scripps Group.

I wasn't able to find a whole lot about Saffron Associates, although there appears to have been a Saffron that went belly up in a nasty way judging by some court papers found online. Considering the suit involving the Kartes involved a company named Saffron in the around-about same time period...

When exactly Jim loaded up the truck and moved to Hawaii is unclear, although we know his printing company -- Maui Giclee -- was originally called Bishop Stress Press but changed its name when Jim purchased it in 1999.

Little else is known about Jim Kartes in Hawaii, although it would appear he's pro-republican and really likes to give money to those running for city counsel [$1,000 in one case and 'at least' $7,000 in another]. He also appears to have a serious thing for seeing an airport runway extended in Maui.

Rich Schmelzer, who apparently knew and worked with Jim Kartes, gives some interesting insights into how Paradise Television Network (PTN) was purchased and works, by detailing the models he used for the stations he started (Which were modeled on PTN). Rich also says Jim was a cameraman for Walter Cronkite at CBS, which is amusing for some reason.

From his statements, it would appear that Rich was the person who got Jim all hot and bothered to get their TV content online, which led to Maui Online.

It would also appear (Based on timeline, and Arben's upcoming comments) the need for streaming on Maui Online is what led to VX30 being 'invented' in the first place, and will be our segue back to VX30, and the code within it.

Ryan Thoryk (aka EventHorizon), a Unix and Network Specialist in Illinois, is the one who put all of the hard work into peeking around the original VX30 binaries, and pulled out the evidence. And then dumping the memory and looking for infringing code... and finding it again. And then looking for it in later versions, and finding the copyright strings and such removed, but the code still there.

We'll go into detail regarding how the evidence was gathered -- along with how to duplicate yourself -- in just a little bit. Suffice to say the below was put together very carefully and again, can be reproduced by yourself if you so choose.

It's also worth noting that while the below is a lot, it's not everything, just some of the really fun stuff. Also, many bits of code are reproducible in more than one application. For example, XviD copyright strings are found in both the VX30 Live application as well as the VX30 Encoder application. Some of the evidence is extremely obvious, in others I had to do some hunting to see exactly where it came from, but it's all verifiable.

XviD is project whose goal is to produce an open-source cross-platform MPEG4-compliant video codec. It's used by many, many applications on many, many platforms. Inside the VX30 Live application, we find:

If we look in the older, 2004 version we can also find things like:

And, just as an example, the same XviD copyright string, GNU notification and version as was found in the 2005 version:

I sent a ping to Michael Militzer of the XviD project, asking both about the evidence and to get his general thoughts on the matter, and received this response (2005.14.05):

Well, we're not finished investigating the VX30 product. What I can say is that we have not given MXS any special license on XviD code. Also, preliminary analysis of the VX30 binaries have revealed XviD-specific strings. So we can confirm Ryan Thoryk's findings as we've indecently found the same strings than he did.

However, the VX30 binary is packed and hard to analyze. So far, we can't really tell how much of XviD's code is actually included in the VX30 product and for which purpose it is used.

You'll want to make particular notice of his noting that the VX30 is 'packed' and hard to analyze, as that will come up again when we get to how the evidence was gathered.

Media Player Classic, which is light-weight open source media player for Windows. It supports QuickTime, RealVideo, subtitles, real-time zoom, etc. It's pretty feature-rich, and licensed under the GPL.

The above screenshot is a listing of the CLI options for Media Player Classic. Amusingly enough, those same options, or switches, are found verbatim within the VX30 Live application:

The below is amusing because the VX30 Live app contains a reference to the MPC web server and the MPCSESSIONID, both of which are referenced in this block of Media Player Classic code.

Things get even more amusing when we take a look at an MPC window next to a window from the VX30 Encoder application using a resource editor/viewer. The screenshot below shows the 'subtitles' windows for both applications, with the VX30 Encoder window on the right.

The below screenshot shows the 'playback' options for both applications, with the VX30 Encoder window on the right.

I contacted the author of Media Player Classic, Gabest, to see if there was any way they had granted MXS a special license to use their code, and received (2005.05.08):

To answer your question first, no, I can't remember giving any special license to them. I'm sending you that email and also another about a different product too, they might be helpful to you with your article.

The "different product" he mentioned is KMPlayer, which is a Windows-based movie player that's very popular in Korea and China which allegedly contains Media Player Classic code. It's distributed compiled as freeware, but the source is not and purportedly will not be made available which, if it contains GPL code, would be a violation. As of this article, I haven't yet thoroughly investigated the claims in this, as I wanted to keep myself somewhat on-track, but someone probably should...

To go a little further, the below screenshot is a fascinating example of a really weird string that shows up in the 2005 VX30 Live app:

We know we're looking for something involving "Must kill opener thread" within a specific function called "CloseMedia" within a file named CMainFrame. Again, if we look at Gabest's GPL'd mplayerc code, we can see it there plain as day. Actually, a bunch of the strings and such from the screenshot can be found in that file...

LAME is an LGPL-licensed MP3 encoder, known for it's high quality. For decoding, LAME also includes mpglib from the mpg123 project.

In the packed (we'll get to what this means) 2005 version of the VX30 Live application, we find:

If we look into the older unpacked 2004 version, we find some even more amusing things:

If the screenshot above, you can see that like with XviD, they're kind enough to tell us exactly version of LAME was used. In the screenshot below, they've actually left the website of LAME in their app...

In fact, there are so many LAME strings (basically it's complete set of input options, encoding, etc.) that I'm just going to link to some of the shots here:

• Lame 01
• Lame 02
• Lame 03
• Lame 04
• Lame 05
• Lame 06
• Lame 07
• Lame 08
• Lame 09
• Lame 10
• Lame 11
• Lame 12

In the older 2004 version, there's another oddity, namely that mpg123 shows up along with at least one of of its libraries:

It's unclear to me exactly how and where say, mpg123 is being used or why it's referenced, but as I mentioned before it is included with LAME for decoding.

I talked to Gabriel Bouvigne of the LAME project, to ask whether or not the LAME project had granted MXS any type of special license to include the LAME code in their proprietary app, who responded thusly:

Lame is LGPL, so it is easy to comply with the license, even in a commercial product. It seems that this company did not comply with the LGPL license. However, right now I do not really know what to think about it, considering the strange business practice that seems to be used by this company.

We (the Lame project) had a few cases of LGPL violations in the past that we managed to solve, but we never encountered such a strange case.

Lame is LGPL in order to be usable in commercial products, that is a "strategic" choice. However, I personally understand that people might want to use the GPL license, and I think that this should be respected by complying with the license terms.

I haven't contacted the mpg123 group to see whether or not they granted MXS a license...

SHOUTcast is an app/protocol designed for streaming -- as far as I'm aware it's geared towards streaming mp3 frames via the shoutcast protocol. If you would, take a look at the screenshot found in the 2005 VX30 Live application:

There are a few strings of note:

• "Icy-MetaData" This is part of the SHOUTcast meta-data protocol, or what one would get if one was streaming an MP3 from a ShoutCast-compatible source but wanted extra information, such as song titles and other such things. There's a wealth of information on how the protocol is broken down.

• "icy-metaint"
  This is the interval at which the ShoutCast stream source will be sending the meta data we explained above.

• "User-Agent: shoutcastsource"
  This is probably the most important giveaway in terms of just what code they're using. There are different implementations of ShoutCast servers and clients, shoutcastsource is a specific implementation put up by Gabest, who we know from Media Player Classic.

FileDropListCtrl is a class that was written to improve multiple-selection and drag-and-drop in Windows dialog boxes, which is why it was amusing to see this come up in the VX30 Live app:

If we download the source to this control and take a peek we see:

// Jan 2000, Stuart Carter, stuart.carter@hotmail.com
//
// You're free to use, modify and distribute this code as long as credit is given..."

You can find this code on a ton of websites, all with the copyright intact, but somehow I think just leaving the copyright notice within the app itself isn't exactly what Stuart Carter had in mind.

Everyone has heard of JPEG, which is one of the reasons why the below is so amusing:

Thomas G. Lane is the author of libjpeg, which is put out via the Independent JPEG Group. I downloaded and checked out their licensing, which is remarkably liberal -- similar in some aspects to the LGPL and BSD license:

From the top of their README:

1. We don't promise that this software works. (But if you find any bugs, please let us know!)

2. You can use this software for whatever you want. You don't have to pay us.

3. You may not pretend that you wrote this software. If you use it in a program, you must acknowledge somewhere in your documentation that you've used the IJG code.

It was worth checking out the legalese, which clarified things a bit:

Permission is hereby granted to use, copy, modify, and distribute this software (or portions thereof) for any purpose, without fee, subject to these conditions:

(1) If any part of the source code for this software is distributed, then this README file must be included, with this copyright and no-warranty notice unaltered; and any additions, deletions, or changes to the original files must be clearly indicated in accompanying documentation.

(2) If only executable code is distributed, then the accompanying documentation must state that "this software is based in part on the work of the Independent JPEG Group".

(3) Permission for use of this software is granted only if the user accepts full responsibility for any undesirable consequences; the authors accept NO LIABILITY for damages of any kind.

I sent off a ping to Tom Lane, but haven't yet heard back, but this is where we have to start being really careful. We know that code, and the copyright strings, are showing up within the VX30 app but we don't know exactly how they got there or how they're being used.

The Inflate/Deflate copyright strings are another example of both strange things we can find within the VX30 Live app, and how careful one needs to be regarding some of the code one might come across toiling around in the XV30 executables:

Inflate and Deflate are a compression and decompression route written by Mark Adler and Jean-loup Gailley and as distributed within Zlib. You may have heard Mark and Jean-loup's names before; Jean-loup is the primary author and maintainer of the gzip software, and Mark did the decompression routines for both gzip and Unzip and wrote the original Zip app.

Zlib is very popular -- people like Sun have adopted it for Java .jar files to improve their file sizes -- but its license is extremely liberal. I contacted Mark Adler to clarify their license for Zlib, which basically states it's entirely fine to include it within a commercial app without credit or any other such thing.

If we want to switch back to the 'weird' side of the fence, another example of would be the 'Paco' reference found within the older 2004 VX30 Encoder:

If you start drilling down through paco.net, we end up back at 'Oops!', a 'high-performance proxy server' which comes out of Russia. We simply don't know how or why some of this stuff is in there without more investigation, and there is a lot of weird stuff in there.

Basically, while some of this stuff is obvious, when we get to how you can look for evidence yourself, and verify what has been shown, do be careful.

Earlier I mentioned VX30 Ad-Stats as being one part of the suite you can buy, and Maui X-Stream describes it thusly:

VX30 Ad-Stats is an invaluable reporting tool that allows you to collect data on your video's presentation on the web. The Ad-Stats Server collects a wide array of data from the number of times your video is displayed all the way down to the types of screen resolutions on your client's computer.

The problem is that the developer of the OSS software phpAdsNew advertising server has claimed that VX30 Ad-Stats basically is his software. phpAdsNew allows for client access of inventory (clips, ads, etc.) statistics, along with a variety of methods for getting that information.

phpAdsNew is very popular -- probably the most popular open-source advertising server around, and while you may not have heard the name I'm pretty sure you've seen it on various sites.

An interesting aspect about phpAdsNew is that it will even accept data over XML-RPC or javascript, so one can contact it not from a local website but remotely. This may take the form of another server, standalone software on someone's desktop, or perhaps a java client in someone's browser.

At first blush, the claim of infringing code within VX30 Ad-Stats certainly looks as though it bears investigating. The features offered by both are in... remarkable alignment... unfortunately MXS removed both the VX30 User Guide and the online demo of the product from their website while I was trying to look into it. Well, not removed as such, it's just that the links go nowhere.

However, I was able to get my hands on the Ad-Stats User Manual -- which contains many screenshots of the application -- and compare it with the User Guide for phpAdsNew. You can actually download the User Manual from a place on their website which isn't linked which -- if you'd like to verify what I'm about to show you -- I'd probably recommend you do sooner rather than later. The User and Admin guides for phpAdsNew are easily downloadable.

• If we look at Page 9 of the Ad-Stats manual and Page 12 of the phpAdsNew user guide, we see the UI for how both systems display clips. It would appear some options have just been moved around in the Ad-Stats system.

• If we look at Page 14 of the Ad-Stats manual and Page 23 of the phpAdsNew user guide we see can compare the UI for modifying the 'banner' properties of a phpAdsNew site versus modifying the 'clip' properties within VX30 Ad-Stats.

• If we look at Page 17 of the Ad-Stats manual and Page 34 and 35 of the phpAdsNew administrator guide we see identical settings for the respective databases. Same order, same UI. Even the same icons.

• If we look at Page 18 of the Ad-Stats manual and Page 52 of the phpAdsNew administrator guide we see see identical administrative settings. Not just "language" or very similar things, but highly-specific conventions like "log hourly priority calculations".

Like I said, it certainly bears investigating. phpAdsNew 2 has two main developers, Niels Leenheer and Matteo Becatti, with help from others. For the purposes of this, I talked to Niels Leenheer who had a whole slew of interesting things to say:

phpAdsNew has a very distinct user interface that I would recognize everywhere. Although it was modified in VX30, the manual contains several screenshots that clearly reveals the origins of VX30 Adstats.

[On page 17] Note the 'Use database compatibility mode'... That is something that I personally 'invented' to make phpAdsNew compatible with different CMS systems. There is absolutely no reason why a separately developed system would have this option. It's phpAdsNew specific.

[On page 18] Apart from the identical screenshots, once again there is something phpAdsNew specific: 'priority calculations' were created by me and Matteo Beccati. There is no reason why a separately developed system would have this option.

Also on page 18 of the Adstats manual you'll find a screenshot of the Administrator settings. It contains a Prompt for newly released development versions". This option was added on the 10th of September 2003 to the CVS of phpAdsNew by Matteo Becatti. The first release in which this option was available was 2.0, released on 29th of September 2003.

The reason this option was added, was that we expected to release some development builds in the nearby future. These versions are highly unstable and only for people who want to latest of the latest and not for regular users of phpAdsNew. In order to prevent these regular users to be disturbed by 'update notifications' for these development builds we added this option. Only people who enabled this option would receive notifications for development builds.

So once again an option very specific to phpAdsNew. But if you think a bit further you'll probably start to wonder something else. Why would a closed source, proprietary product, release development builds? Would the normal release notification not be enough? This feature is only useful in an open-source environment where the development builds are publicly available.

That was yummy, but I was curious about the 'priority calculations', and why Niels was so sure that these were specific to phpAdsNew. Once again, Niels didn't disappoint:

The hourly priority calculations were created to be able to reliably deliver a preset number of banners for a particular client on one day. What the algorithm does is globally check how many banner were delivered so far, how many of those were for that particular client and how many banner are we expected to deliver in the remaining hours. Based on this data it can make predictions about how the delivery of particular banners should be prioritized in order to come as close as possible to the preset number.

As you can imagine this is quite a complicated algorithm and unfortunately it took some time to get this working properly. In order so fine-tune this algorithm we needed user-feedback. If the option 'log hourly priority calculations' is turned on, phpAdsNew would store the data used in the calculation, which the user could send to us in case something went wrong. Based on this data we could debug the algorithm and improve accuracy.

The algorithm is now stable, but his option was never taken out of phpAdsNew. There is simply no reason why a separately developed application would have the same option. It is very specific to phpAdsNew, so the only conclusion I can make is that VX30 Adstats is based on phpAdsNew.

And the 'database compatibility mode'?

The 'database compatibility' mode is also something specific to phpAdsNew. This option was added to ensure compatibility with phpNuke and phpBB when phpAdsNew is called through a PHP API called 'local mode invocation'. The problem here was that phpNuke would open the database, execute some queries and hand over control to phpAdsNew. phpAdsNew would reuse the existing database connection, switch databases, execute some queries and hand back control to phpNuke.

When phpNuke tried to execute some more queries things went wrong, because phpNuke expected that the database connection was still in the state it was before phpAdsNew was called. The 'database compatiblity' mode leaves the database connection in exactly the same state at the expense of some performance. Once again, this option was created to solve a problem specific to phpAdsNew.

There are other similarities:

• The config file is called 'config.inc.php' in both cases.
• You can see the same icons in the screenshots. These icons were created by me personally based on the XP icon theme.

At around this point, Niels was seriously making my day when it came to VX30 Ad-Stats. However, it's good to remember that Maui X-Stream is using this for a very different task (letting people upload clips instead of banner advertising -- although they do have an advertising product on the way as we mentioned before, called AdMagic).

Neil went on to state some of the differences between the two:

• The UI has been changes 'somewhat'

• The statistics interface has been rewritten

• Much functionality seems to be removed

All in all, I do not believe VX30 Adstats is a clone of phpAdsNew. There simply changed too many things to call it a clone. But is it derived from phpAdsNew? Definitely, without any doubt.

Now, please pay special note to Niels' assertion that the "statistics interface has been rewritten", as here is where things get really, really interesting.

Niels wasn't aware of this, but as it turns out Maui X-Stream likes to make a lot of use of outsourcing, often through an online service called "ELance Online" where their username is mxs808.

With a system like Elance, if one has some work they want done, they put up the details and let programmers and companies bid on the job, or vice versa. While you have to create an account to see specifics of any project, you can see a listing of the software projects, who was awarded them, etc. by clicking the username above.

A project named "Adstats Software Development" stuck out at me, for two reasons:

• The project was about adding statistics to AdStats

• The project was awarded to a company named 'bnetworks', which is based in the Ukraine with a contact named Alex Germek.

Besides the fact that we've probably found exactly where the statistics interface got rewritten, there is this weird bnetworks connection. If you look closely enough at some of the source to VX30 you can find some weird references that might tie back to the Ukraine... I'm not kidding.

It's also important to separate out bnetworks from Bump Networks, which is a company owned by Arben (of CherryOS fame) and his wife Crystal. It gets even weirder when you realize Bump Networks also uses Elance, and all of their work has been for Maui X-Stream or Paradise Network, which is the TV station I went so into in great detail before. An example might be MXS's need for a "interface design for our video GUI".

As we'll see later, someone could have a field day going through the details of some of these, but there's another oddity here. The bio on MXS's web-page at one point claimed the company was started by both Arben and Jim Kartes, and since Arben's name is all over the BumpNetworks WHOIS info, it's a little strange that Bump Networks, MXS and Paradise Networks are all selling to each other...

I will say a journalist would be will within his rights to comb through some of their projects that seem a little hmmmm and ask those who didn't get the bid exactly what they were about... However, I told you you could reproduce this evidence, but to do that we first need to explain how the evidence was gathered.

If you'll recall, much of the evidence from The Pits in CherryOS centered around blatant and obvious strings let in binary.

If you'll also recall, strings are the equivalent of english sentences... a computer executes binary code (ones and zeros) to run, but if you want to display an error dialog the text is stored as a string. If you want that dialog to not be generic, you have to store graphics and such inside the executable.

It isn't difficult to take say, the PearPC .exe and the CherryOS .exe and then drop them into the same folder and run a program which compares one against the other looking for matches. And if you'll recall, Maui X-Stream got tripped up because of this: both from the specific examples I gave, and the fact that they'd given an early version to Wired magazine who promptly handed it off to senior systems engineer at the University of Wisconsin, who then confirmed that there was indeed PearPC code in CherryOS.

Now, Maui X-Stream's response to the claims of infringing code within their products was "That is simply not true. They know not what they speak...", and the world's response was incredulity, both at Jim Kartes's response and The Mac Observer's display of watch-dog journalism.

The problem was that Maui X-Stream realized it had a problem. The 'obfuscation' that took place to hide the origins of their project were fairly laughable by any measure). It was way, way too easy for people to figure out exactly where and how they were infringing, and after awhile the "he-said-she-said" gambit falls very flat when the other person is holding up actual evidence.

The solution: Pack the code in the executable.

'Packing' the code of an application can take a variety of forms depending on the specific way it's done, but the idea is basically the same: the executable is 'scrambled', and when it is loaded there is code in the executable whose job is to unscramble the code as it is loaded into memory so it can be run.

I was able to confirm that Jim Kartes registered EXECryptor in July of 2004 from Soft Complete. Snippets loaded into memory showed that it is indeed the method they're using to pack their code.

Now, there's nothing necessarily wrong with scrambling one's binary, and many companies look to it as a way to slow down crackers from hacking their software for serials or reverse engineering. Unfortunately, while it is often possible to 'unpack' software, for these purposes EXECryptor is pretty good at what it does and it took awhile to get a way around it.

With CherryOS, MXS didn't start packing their software right away, and people had a nice fat (although older) executable to compare against, although it didn't take long for them to realize that if they have other's copyright strings within their binary they should probably figure out a way for those to not show up if they're going to claim the rest of the world are idiots.

Hence, CherryOS became 'packed' and finding any new evidence in the new executables became very difficult.

You may recall MXS promising -- and then posting -- proof that CherryOS and PearPC did not share any code. This 'proof' was in the form of a screenshot comparing the PearPC executable with the 'packed' CherryOS executable using a tool called UltraCompare.

After what we've just gone through, you should have an idea of just how silly it is to compare a packed executable against a normal one and declare it proves there is no shared code, but it got sillier. After just a little while, the screenshot and proof disappeared from the CherryOS website.

UltraCompare is made by IDM Computer Solutions, Inc., also known for their UltraEdit text editor. UltraEdit has one hell of a name on Windows. If you're a Mac user, think of this as Windows's BBEdit. They have a name and reputation, and I'd have been remiss if I didn't contact them regarding it. I talked to the President of IDM, Ian D. Mead, who had this to say in an email on (2005.04.15):

I did send a message to MXS Inc regarding there use of both the Professional Version of UltraCompare, and boxed images without permission. I indicated that I found no registration for the product in their names, or the company name and as such was not happy about them show captures to promote their cause.

They did then remove the articles. They asked what it would take to get things right so they could use it. After I responded with several points regarding not just registration, but also integrity of the tests and doing apples for apples comparisons I received no further communications.

I felt it very inappropriate to use unlicensed software for what they were doing.

While this was amusing to no end, when it came to VX30 MXS had learned a bit and now everything they put out now has been 'packed', which means the evidence gathered above was put together through three methods:

1. An older, unpacked build of VX30 Encoder from 2004 which was passed on. Testing this for code is as easy as loading it up with HEX Editor, as we'll see.

2. Memory dumping, which involves running a 2005 build of VX30 and then dumping that processes' memory out to disk.

3. Using an application to 'unpack' the 2005 build of VX30 with incriminating strings, and then loading that up with a HEX editor.

Because the 'memory dump' part of the equation may be a bit confusing, what you basically do is take a minimal system (just to cross the i's and dot the t's) and run the VX30 executables, which causes the code to be unscrambled and loaded into memory for whatever you're accessing in the app. You then identify the process it is running in, and write out the memory from RAM to the hard drive as a large file. Within that memory dump, you can then look for what you're trying to find.

One thing that might crop into your brain is that if you are dumping out the computer's RAM, what's to keep you from knowing the file you've created isn't 'contaminated' with running code from other apps? If you were just dumping out the RAM, there might be something to that, however:

• When dumping the memory to disk, you aren't dumping all of the RAM contents to disk. Rather you are grabbing the unique ID (PID) of the process you want to dump to disk and telling the debugger to only grab that.

• If you don't have Media Player Classic, XviD, LAME, etc. running, let alone installed on your system, there's simply no reason why their copyright notices should be loaded into RAM.

• You allow for something weird going on with one person's system by independently verifying the results on several systems by several different people.

However, memory dumping isn't really ideal. It's slow, and the files can end up being very large, and if something hasn't been loaded into RAM it can't be then dumped out to the file. As an example, if you run the application and there is a specific string in a dialog, but that isn't loaded into RAM, it won't be dumped out as it wasn't in RAM in the first place. Also, if you have a memory-limited system, you just never know what will be swapped out to disk, etc.

The preferred method, which we'll get to shortly, involves pointing another app towards the VX30 executables and letting it unpack them. This doesn't take very long, and you end up with an executable that has been unpacked and can be loaded into your HEX editor to find the strings and such I showed above.

However, all three methods work just fine, but again, the 'unpacking' method is preferred.

There's a small problem when it comes to the evidence, in that MXS does pay attention to what is being said on the forums and the various websites. As we saw with CherryOS as evidence is posted MXS's apps have a tendency to be 'updated for bug fixes which they choose not to disclose', but the evidence that can be found in the previous builds isn't there in the later builds.

Such is the case with the VX30 software. All of the evidence was found via the downloadable demos (with the exception of the unpacked build from 2004 which was passed on) from MXS's site, however if you just go and download it now it won't contain much of the strings mentioned above.

However, things got more complicated when Ryan Thoryk (the guy who did the hard work of finding the strings in CherryOS and VX30) received a Cease and Desist from our friend Bill Kealey at Stuart and Branigin. You can download the PDF of the Cease and Desist, but this screenshot will also do:

If you think linking to a screenshot and calling it copyright infringement is a bit ludicrous, you should see Jim Kartes' original emails to Ryan. Still, it's nice to know how seriously they take copyright infringement.

What's a little more interesting about the timing of Ryan's Cease and Desist -- when we get to my 'chat' with Arben in here in a little bit, along with my short exchange with Jim, you'll see what I mean.

Still, we have a very real problem here. There's fairly clear evidence of infringement, however the only place to get it was being served with a Cease and Desist... And as we know, the current demos they have on their site have had many of the incriminating 'strings' removed.

We've been down this road before, with he-said she-said, it's time for that to stop. Screenshots aren't going to cut it this time, and I'd much prefer a journalist asking why they're able to find XviD strings within a XV30 executable than asking about a screenshot here.

I have not only verified the evidence we went through myself, I've had several others verify they can reproduce it also, like Patrick Scott, a technical manager for a very large Dulles-based ISP, or Adam Iser of the AdiumX project. I'm so confident that there is infringing code within the XV30 projects that I've moved them here.

If you have a Windows machine -- and the inclination -- I've asked Ryan to create some short tutorials on how to find the evidence for yourself using the techniques we talked about before:

• Page one Instructions for downloading the builds and performing a memory dump, as well as how to then look for the evidence. You'll want 'the previous version'.

• Page two (preferred)
  Instructions for downloading the builds and 'unpacking' the code, as well how to look for the evidence. As above, you'll want to be using 'the previous version'.

• Full .tar.gz (208 MB)
  This is for creating your own mirrors, and includes the analysis pages above, along with the screenshots and binaries. Please use a mirror to the right if at all possible.

If you download the full .tar.gz to create your own mirror, you'll find the two evidence pages at /xv30/analysis.html and /xv30/analysis2.html, which, because they reference some folders of images, do require directory indexes to be turned on for full viewing.

Now, I take copyright very seriously. And as we saw earlier in this post, open source software is entirely based on copyright. I think it is very important, even if the law on it is often entirely out of whack for the new world.

I wouldn't be doing the above if I didn't think it was necessary or that I wasn't in the right. Of course, there's a problem when it comes to civil lawsuits. As a lawyer pal in Indianapolis said recently to me:

If someone really wants to, they can make things difficult. If something's totally baseless, it can be a sanctionable violation of the Rules of Procedure and professional ethics (believe it or not, lawyers have rather high standards that we're supposed to follow).

As they told us in law school, someone can sue you for *anything*. One of my profs used the example of suing someone for having a greener lawn. You can file the suit, but there are several ways of getting it thrown out. But since our system is adversarial, it's up to you (or your lawyer) to move the court to do so.

Courts don't do stuff like that themselves (unlike the roman-based "inquisitorial" system wherein the court is actively involved in questioning--trust me, our system is better).

Basically, it doesn't matter if someone does or doesn't have a leg to stand on. They could sue Ryan just because his server was faster than theirs, and he'd have to deal with it.

Now, if we'll recall the letter sent to me by Bill Kealey, claiming that for all intents and purposes they were trying to figure out how to sue me:

MXS customers report that you have contacted them. Those customers attribute to you statements about MXS and its products that are false. Speaking untruths to a third party is slander.

A slanderer is liable for damages resulting from the slander. MXS's investigation to date gives MXS cause to believe that slanders by you have caused MXS to lose sales. MXS has authorized me to investigate legal action against you for those damages.

Please provide me immediately a list of MXS customers contacted by you and the dates on which the contacts occurred. Please also supply me the name of your counsel.

We'll get to the whole slanderer and customers part in a moment, but basically they're going to do what they're going to do and I'll have to deal with it. However, I'll have help. I'll be represented in these matters by:

Yano Rubinstein, of:
Rubinstein Law Group
100 Pine Street
20th Floor
San Francisco, CA 94111
tel: 415.277.1900
fax: 415.651.9853

You may recall the name, as Yano answered a few questions for the site regarding someone else he was representing back in April, although he recently wrapped that up. The name of their firm is changing from Summers Rubinstein, but it's still the same IP lawyer, and Yano is still the man.

It's a big deal that he's doing this, and let's just say if I was forced to pay the full cost of his services we'd be talking indentured servitude. If there is a guy to send your love to for helping out, it's him. MXS is going to do what they feel they have to do, but one way or another -- with some help from some friends -- it'll work out as it should.

If you took the time to glance through the press release linked way above, you'd see this text:

VX30(TM) is ranked by http://www.playerless-streaming.org as the best playerless streaming solution on the market today. The software employs a patent-pending technology which allows for higher compression of video files. The dramatic reduction in file size results in significant cost savings on bandwidth usage. VX30(TM) instantly broadcasts TV-quality images over the Internet at 30 frames per second.

As you can imagine, playerless-streaming.org made my radar in a really big way. What made me especially curious was:

• It's a very bare-bones site, basically consisting of a few reviews and a google ad.

• As far as I can tell, it's only linked to from the VX30 press releases and one other 'streaming media consortium' that was black box enough that it made me a bit suspicious...

• Of the reviews that were there, they were extremely favorable of VX30 and 'MediaFrame' yet basically made the others sound like dogfood. Basically, if you used anything but MediaFrame or VX30 you were an idiot.

Obviously the above isn't damning smoking-gun stuff, but it did make me curious, and I'm not alone. Judging by my inbox, many people were suspicious of this site so it warranted some digging. I was hoping to rule out that they had any connection to MXS in any way, but then things started to get really weird again.

A WHOIS lookup shows:

David Watson
Org: David Watson
Westbourne Studios
242 Acklam Rd.
Postal Code: W105JJ
Country: GB
Phone: +044.2073119034
info@playerless-streaming.org

The problem with that address is that there's no suite number, and Westbourne Studios is basically filled with little studio spaces, most of which are listed. There's one floor which doesn't list its tenants, but all the rest were there... something about it was tripping off my spidey-sense, but I'll admit I'd been down the rabbit hole with these guys for awhile.

It just seemed strange, so I mapped the number to see where it was located, which was when it got stranger. It could be valid, and if it existed it would be in the same round-about area of London as Westbourne Studios, but it didn't seem to really exist. I enlisted a few UK readers (note to brain: get more Hawaiian readers) to call the number and see who picked up, just in case the bits on the web were outdated somehow. Nothing doing -- the number wasn't really valid, it just "could" be real.

It's understandable when one has fuzzed WHOIS info, but it's a little strange for a website being referenced as an authoritative voice on the subject -- in the same press release as the Golden Globes -- to be a black box. Even I get what's sent to my WHOIS info eventually.

It was worth sending off an email, basically to check if the email was valid and ask if I could ask some questions. I did get a reply, but it was from a David Willis as the author, not a David Watson, which was fine as it had 'David' in the sig. And, if someone is going to fuzz their WHOIS info, it's understandable that whatever was causing him to fuzz in the first place might cause him to fuzz the last name.

Where it got weird was that I got the same message again, also from 'David Willis' and tagged with 'David', but with the .sig of a "Joseph Denne, Technical Director of Airlock" tacked onto the very end. I also noticed that both replies came from theairlock.com, even though the return path was back towards playerless-streaming.org.

Now, the problem here is that the theairlock.com is an ad agency, Airlock Limited, are the ones who created MediaFrame, the java-based streaming video solution which was reviewed at playerless-streaming.org. They're also known for their viral marketing campaigns.

They open-sourced MediaFrame late in 2004 in an effort to keep it relevant and get improvements into it. It didn't help that playerless-streaming.org links to some statistics on theairlock as though it's an independent entity.

My questions became pretty simple:

1. Who is "David Watson"?
2. Who is "David Willis"?
3. What is the story behind the site, and why is (theoretically) the technical director behind theairlock.com involved with this behind the scenes in any way, considering their own product is being reviewed?
4. Why is the address and phone of the WHOIS bogus?
5. What's going on? None of this is adding up, and I'd really like to tie this off in some way for my story.

I got another response from 'David' on April 13, 2005:

I love conspiracy theories! Playerless streaming is a site designed to promote the playerless, specific Java based, technologies on the market today. It was originally setup by the technical director at Airlock as an impartial promotional device for some technology that company developed. Now their technology was spun off and became MediaFrame (mediaframe.org) a year or so ago and the playerless-streaming.org site was handed over to myself at the same time. I work in the city, but dabble in technology and am affiliated with the MediaFrame project, but I do try to keep the site as impartial as possible.

Regarding MXS: I've read a lot about the company and their practices recently (all negative) and have been asking around the industry for information regarding their playerless application. it turns out that it is just as big a fraud as CheeryOS. It's simply a wrapper for mpeg-1 and Ogg, which uses open source components from several sources. We're going to be exposing this in some form as soon as I have all of the facts down. Please note that our original review was written without any of this information; simply on the strength of video playback.

You can speak to the mediaframe boys via the site. Airlock's technical director (they moved offices an age ago) can be reached here: joseph@theairlock.com

Please keep me up to date with your progress and it's important to me that we have as many of the facts as possible.

David

My questions to that became pretty simple:

1. If you're now 'independent', why is the email you just sent me going out from theairlock.com's servers with a return-path to info@playerless-streaming.org?

2. Are you David Willis, David Watson, and how are you connected to theairlock.com?

3. Why did I originally receive a duplicate message -- a minutes apart -- with the .sig of Joseph Denne, the technical director of theairlock?

4. Does or has playerless-streaming.org had a relationship with MXS or VX30?

I never received a reply. Perhaps it's the tinfoil hat, but they're still very valid questions to me and think it would be worthwhile for someone to follow up on.

I was always a little bit fascinated by how Arben Kryeziu sorta dropped off the map when it came to CherryOS. Early on, Arben was really the face of the whole deal, but then it was almost as though Arben was pulled; all the quotes you'd read everywhere were from Jim Kartes.

Honestly, there's not a whole lot out there about Arben and what is there can sometimes be conflicting. To give an example, the 'about us' page of MXS says:

Jim Kartes is the president of Maui-X Stream. He and Arben Kryesiu started the company in the winter of 2003.

However, if we look at an older Wired article, it says:

Kryeziu, a native of former Yugoslavia who grew up in Germany, said he developed the software initially on his own, but was persuaded to release it as a product by his boss at Maui X-Stream, Jim Kartes.

Kryeziu said he settled in Hawaii after meeting his wife on vacation. There, he found a job with Maui X-Stream developing a streaming video player.

Did he get a job at Maui X-Stream (looks at ELance), or did he start MXS with Jim? I was trying to figure out these things, and then got interested in Arben's wife and how she was related. We know from this article that she's a web developer (there's a picture of her 'reviewing' VX30), and from other places we know she's been involved with some MXS ventures like Maui Online.

We also know that she was originally Crystal Johnson, and graduated from High School in Maui in 1995. Strangely enough, from that school we can also gather that she's Episcopalian, which is only useful for the home-trivia version of DrunkenBlog which will be out sometime next month. If you'll notice on the high school site, Crystal Johnson links to crystalkai.com which has had it's content down, but not before I made sure to make a mirror:

You aren't missing a whole lot, just some pictures of their porsche and a funny video of Arben running around trying to paraglide. Oh, and a picture or two of Arben and Crystal at Halloween as Mystique and some sort of Porno Santa. I was fine with all the bikini pictures, but seeing Arben with painted nipples was starting to round the horn.

Sometime within the last few years she dropped the Johnson and turned into Crystal Kryeziu. We can glean a few other things, like the fact that she works at Bump Networks and her personal email is crystalkai@yahoo.com. Bump Networks starts to get weird again, as we saw above with their ELance profile -- there appear to be some real incestuous business relationships going on here.

As an example, Bump Network's really big profile client is "Fresh Island Fish, Inc.". As it turns out, the owner is Bruce Johnson, or Crystal Kryeziu's father. If the whole 'Johnson' thing is too tenuous of a link for you, well, I saw the company party photos.

Another of their clients is Image Station Art, which if you'll recall is owned by Jim Kartes. And another of their clients is Maui Style, run by Michael Cummings who it turns out is a very good friend of Arben's, and are responsible for the CherryOS hot shorts.

I know, I had the same reaction the first time I saw them, but it's to illustrate a point. Almost everything these people do seems to be connected in strange ways, and sometimes really strange ways.

Whenever I'd wonder if I needed to take off the tinfoil hat, I'd remember the hot shorts. Not only because I'd never have believed it if someone had told me, but what it says about where their head was -- and expectations -- regarding CherryOS.

By this point, I'd amassed piles of things for my story, and figured I should talk to someone over at MXS before just going with it. This was problematic, in that from what I'd heard from journalist pals, MXS had a habit of just not wanting to answer specific questions about evidence.

There's an old interviewing trick that says if you want to know what's really going on, talk to as many people as you can without them knowing you're talking to the others, then look for the discrepancies. The discrepancies are almost always where you'll find the interesting bits.

So, I started gathering names of people associated with MXS, employees, and then widening the circle out to friends, and was just going to start pinging them to see what shook loose. As it turned out, a series of events made that pretty much unnecessary.

I mentioned we had Crystal's personal email from her site, which is an @yahoo.com address. A quick look at the profile showed she had Yahoo messenger, and that she was also online on 04/11/05. Now, this didn't chat didn't go well, and basically consisted of "Who are you?" followed by her pressing the ignore button.

Fairly understandable, but I followed up with an email anyways, basically saying "I'm writing a story regarding... I can understand why you wouldn't want to talk, and while I'm not out to hassle you and can understand why you wouldn't want to talk, it's really not in your best interest." And really, at this point, I don't think it is in their best interest to clam up and not just say what's going on, but that's how it goes.

It didn't take her very long to respond:

I'm not sure what "story" you're writing. But I suggest it's "in your best interest" to talk with our attorneys if you have something to say. Let me know if you'd like their contact information.

Now see, that's just not very friendly, but I was actually perfectly game to talk to their lawyers at this point. After all, I'm just writing a story, and MXS had thrown around some legal threats and there are some fairly valid questions that could be thrown their attorney's way. And truth be told, no one really knew who exactly MXS's attorney's were.

Bill Kealey was mentioned on a few of MXS's legal notices on their site, but I hadn't been able to get my hands on some of the cease and desists that were floating about. My response was "Actually, I would, thank you" :)", which did little to thaw Crystal's unease but did get me a response 15 minutes later:

They have requested you register your information here:

http://www.mxsinc.com/pages.php?cid=MDE0MTAy&PHPSESSID=97a0e9e2791d48fde18c2c44f2ef2826

And they will get back to you at their discretion.

It was already 6:20pm in Indiana where MXS's lawyers are, so she's got one hell of a direct line. Still, this was just starting to get weird again, and I'd pretty much given Crystal up as a lost cause, and was just going to throw a few questions towards whomever their lawyer was. So my reply was: "If you really want to go that route, surely you can give me the *name* of your 'lawyers'?"

No response, so I gave it up as a lost avenue and would just send Bill Kealey a quick email asking if he represented MXS... However, about 5 minutes later, Arben dropped in.

Arben Kryeziu messaged me on Yahoo using the name 'benardoh', and wasn't too happy that I'd talked to Crystal, saying she was completely unrelated to Maui X-Stream, CherryOS, as was Bump Networks.

This conversation took place between 6:23 PM and 9:28 PM on 04/11/2005, and for reasons which will be apparent later I am linking the entire file here online: time-stamps, typos, warts, and all. If you have a few minutes it's probably worth a read, as while we'll summarize the chat in a moment you'll be missing out on my getting annoyed and asking Arben if he's high.

• Arben claims Crystal is the owner of Bump Networks, and that while they did work for Maui X-Stream, they moved their offices and 'split' with MXS on the 1st of April.

• Arben really, really doesn't want Crystal's name to be in the story.

• He claims a company named Comsdev worked on CherryOS, and that they didn't do the work as promised. To hear him tell it, Comsdev took their money and never gave them the source, only the actual builds of CherryOS.

• Arben claims that because Comsdev never gave them the source, he and Jim are unable to know whether or not there is OSS code within CherryOS.

• He claims Bump Networks started CherryOS, and then Maui X-Stream came in and paid a bunch more money to finish and improve it.

• Arben says he never actually gave ComsDev any source code, just a project script of what they wanted (A PowerPC emulator with xyz capabilities).

• When asked about VX30, Arben claims it was developed for 2.5 years, and that he'll give me the source if I'd like to verify it.

• He says that VX30 came about because they needed a playerless system for mauionline.com, and that the encoder took two years to develop.

• When asked to let me see the source, just to validate that there was no OSS code within it... Well, you can guess how this goes. "Jim Kartes owns the source, and would sue me if I..."

• When asked whether there is anyone else's code within VX30, Arben claims they had two other companies working on 'new functionalities for the encoder', and that he's been looking into whether there may be OSS code since "last wednesday".

• When asked why -- if he's split from MXS -- he's looking into issues in code Jim Kartes owns, Arben claims he's under pressure from Jim Kartes to figure out whether there may be other's code in their products, otherwise he'll have lawyers on his neck.

• Arben says Crystal was always the owner of Bump Networks, but "I did ask her to join forces and maybe we could do video-streaming and web-services, as a combined package. But that didn't work out." [I still don't understand this]

• When asked if anyone else's code would be showing up in the VX30 products -- outside of the two companies who were working on the encoder -- Arben says "Not from any code that I created in VX30".

• When asked why, if he had outsourced the entire project to others, he had claimed he had coded it from scratch himself (In four months, if you'll recall), Arben says it was all marketing, and not his idea.

• Arben, when asked how they are going to deliver an OSS project on May 1st -- as promised -- when they don't even have the source code to CherryOS, he says they'll be 'starting' an OSS project, and that he is writing the C++ GUI for it and will go on to 'help' on the project as a developer.

• Arben claims Jim Kartes will chop his head if he doesn't deliver an OSS CherryOS by May 1st.

• When asked why, if he's not working for Jim Kartes anymore, he has to create an entire OSS PowerPC emulator from scratch in a few weeks, Arben says it's another obligation he's required to finish up in order to not have obligations to MXS.

• Arben claims that as allegations of infringement starting coming out, Arben would pass them onto Comsdev, who would say they weren't true and everything was fine, and that they are responsible for the builds starting to become 'packed' and evidence disappearing. He says that while he responsible for the project, he was 'not in control'.

• He says he never actually tried to verify any of the evidence himself, not even what could be verified without the source code. When asked if he could still do it now, he says "I should. Specially now, [but] too scared of the outcome".

• When asked if Comsdev will give the same story when I talk to them, Arben says they're not in contact anymore, "for a very good reason", and as such as no idea what they'll say.

• When asked for the names of the two companies who 'worked on the encoder', Arben says one of them no longer exists and that if "what people are saying is true, I can have the name of the other company."

• When told he can check for the evidence for himself, Arben says "I don't have the sources for that SDK." He says it's the "Same [ASCII expletive] problem [as CherryOS].

• When asked if that means he doesn't have the source for VX30, he says "No, not for the complete application." and then "Not for the SDK that is effected", and then goes on to say that yes he has all of the source... He then says he did a search of all the source, and could find no OSS code.

• I send Arben the link to Ryan's site, and mention that it's probably only a matter of time before instructions go up somewhere detailing how others can found the evidence in VX30...

• Arben says he thinks what the community is after is an apology. Somewhere, something small and precious inside me dies.

• I show Arben a screenshot at Ryan's site of XviD, and then get to explain to Arben how a memory dump works, and then tell him I'll be "Working on this for the next few days" and if something comes to mind that he'd like to add, please do send me an email.

• Arben asks me for the specific section where some of the code is found, and I get to explain that I don't have the source. Arben goes on to say he has two separate SDKs that are connected; one set of source files for VX30 that he uses, and another set that the company working on the encoder uses...

• I get to hang out while Arben "tries to find the strings in the other source right now.", but to be honest what he says he's doing doesn't make a whole lot of sense to me.

• Arben -- and I swear to Gawd -- asks me what he should do if it turns out there is OSS code in the "SDK" the outsourcers are using... Asking what actions would be correct. Basically, Arben has just become VP of fantasy-land and was trying to get me ride the damn magic tea cups.

• I ask Arben to send me an email so I'd have his contact information, which (honestly) was one of the reasons why I wanted his email. I'll admit I also wanted to check the headers a bit...

• Arben tells me again he'll check the other SDKs for infringement and he'll let me know if he finds anything, and then goes on to ask, if he does happen to find it, "how will it effect the software".

• I mention that this story won't go away now, etc. and Arben mentions that they've had clients calling them about various things.

• I ask Arben what email address I should be looking for the email from, and am told arben@kryeziu.com, which I then get.

• Arben says he'll be in touch with me, either to tell me he was able to find the code or not, and reminds me to "not play any story games". I reiterate that the entire chat will be included... We're about to wrap up again.

• This doesn't happen, as Arben starts talking about Daniel Foesch, a PearPC developer, and a phone call that took place that ended up with John at MXS essentially telling Daniel to go get a lawyer.

• Arben then says the reason that CherryOS was put on hold was because he'd "walked out of the office, saying he hadn't been included in any decisions". He mentions the "license" CherryOS was supposed to be released under as one of those decisions, and the strangeness of having the "GNU logo" on the CherryOS website (this was when it was announced it would be open source) when they'd be using their own proprietary license.

• When asked if he's really expected to have an open-source PowerPC emulator up by May 1st, Arben says if he doesn't, he'll have to deal with legal action from Jim Kartes as "Jim has the money to put him anywhere."

• I mention that at least Arben has the porsche. Arben says the porsche is actually Jim Kartes's, and he just lets Arben drive it as his salary increase.

• Last, Arben lets me know -- because we're not playing games with each other -- that "the last update to the VX30 Encoder was posted just today, changing some things in the container output because they'd had problems with the Microsoft Java VM." He says he's telling me so I won't think he's playing games.

• Arben says he'll research "today and tomorrow" on the evidences posted, and then write me an official email stating what he sees.

You know, I went into the conversation with Arben with a salt mine, and was sitting outside it the entire time, but I really was trying to give him the benefit of the doubt and to see whether he'd follow up. That didn't happen.

I waited two days for Arben to follow up with me regarding his search for code in VX30 and CherryOS, and never heard back. I had a bit of a problem though; Arben had attributed words and actions to Jim Kartes that -- at least in a fair world -- he should be given a chance to respond to.

I'd gotten his contact information while I was compiling that sort of thing earlier, and sent him a short message explaining who I was, the story I was writing, and that I'd had a long conversation with Arben who'd told me he'd split from MXS (among other things) and I wanted to see if he was interested in setting up a time to talk so I could also have his version of events.

His response on 04/13/2005 was just this side of disturbing:

Dear Mr. Bell. Your facts are total off base. Arben denies he ever talked with you. Arben is still with Maui X stream. It has also come to our attention that you are calling our clients and customers and slandering us. This matter is now being turned over to our Attorneys. Do an interview with someone who refers to himself as drunkenbatman indeed.

Now, all of what he said was pretty much expected. I didn't really expect him to want to sit down and have a chat, but I wanted to be able to say I'd offered. What really, really threw me was the whole "calling their clients and customers and slandering them" bit.

Now, this was amusing in a sad way for three reasons:

• Unless their 'client' was playerless-streaming.org, which would be highly interesting, I hadn't really contacted any company regarding what I was working on except for say, the fine folks at IDM who make UltraCompare and UltraEdit.

• At the time Jim was saying this, I hadn't picked up the phone once in relation to MXS. Not to a friend, not to a client of MXS, not even to a lawyer. I just don't like phones, and for the type of stuff I was digging on, it just didn't add up.

• I got to see that Jim uses Microsoft Entourage for his emailing needs, and it's nice to know one thing has panned out; they really do like Macs. Actually, so do the people at playerless-streaming.org.

I shot back a quick email, mentioning that I had enough things regarding the chat that I wasn't worried about them trying to say it wasn't real, asked for their attorney's names, who I was alleged to have called and how I slandered their company. I hadn't heard back, so six hours later I emailed Jim again, basically asking for the same things I'd asked the first go-around.

I'll admit it, at this point I was starting to get severely, severely pissed and Mr. Kartes was doing a damn fine job of making this personal. Throughout going through this company I'd been annoyed, frustrated, amused and even bemused, but this was the first time I was just plain pissed.

It's one thing to lie about what you're doing, lying about me, for whatever reason, just isn't fucking cool. It was on.

One thing Jim said was that Arben was denying he'd ever talked to me, and that needed to be followed up on, so a little later that day I saw 'benardoh' come online and pinged him. The conversation was short, and to the point:

2:17:57 PM drunkenbatman: Arben, do you have a moment?

2:20:31 PM benardoh: not after I actually took time and read all your articles, very clever writer .. I am officaly working for MXS now, and will deliver a opensource CherryOS on the 1st of May, I researched the VX30 product line and compared it with ryans comparison, I was not able to save my dump, but as far as I got I was not able to find any of your findings as true. Do not write me or contact me any further, as I saw in your stories your methods are pretty clear to me.

2:21:09 PM drunkenbatman: Sure, that's completely fine -- I won't contact you after this

2:21:15 PM drunkenbatman: And you are going to deny we talked?

2:22:10 PM benardoh: Mr, I just received the last emails you are sending out, and I am pretty clear what your mission is. That won't work with me. Have a nice Day.

Again, these are the types of statements that make my head hurt. Arben was unable to save the memory dump, but "as far as he got" he wasn't able to show any of the findings as true. Somehow I think readers will have better luck, but still, the whole Arben possibly trying to deny he'd talk to me was wiggling around in the back of my head.

Just for the record, here is how I know it was Arben (besides the obvious):

• I love AdiumX, and am glad I have it as my chat client, but anyone seriously involved with it knows its current archive format is sort of a crusty HTML-thing that'll get improved at some point. The time involved to create fake AdiumX logs for these chats would be insane, and of course those can be passed on.

• If you'll recall, some time into the 'chat' I asked Arben to send me an email. You can actually see that email, as raw source, which if you know what you're looking for is pretty informative. You'll want to pay particular note to "mbloom.com" in the headers, as that'll come up again.

• 'benardoh' is a pretty damn unique name, as a google will show. If you did google it, you'll find things like a listing of domain names for sale by a 'benardoh', and if you look closer at the WHOIS for those domains you'll see it's our Arben. This is what I did when Arben first messaged me, and why I ended up asking if it was him.

• We know I was contacting Crystal, as the information came from her site and well, matched up with the name of her site. Basically, if it was someone else besides Arben, they'd have to know who I was messaging, just happen to be around, and happy to know things that very few people had any clue about.

• These conversations took place on the 11th and the 13th, and on the 15th Ryan Thoryk got his cease and desist, referencing the exact things mentioned in the chat with Arben.

Basically, while they're going to say whatever they want to say, I think we're again at that crossroads where anyone with the critical thinking skills above the level of a toaster knows the deal.

If you'll recall, during our chat Arben started talking about Comsdev -- out of the blue -- and the fact that they'd worked on CherryOS. Now, while we have to take exactly what was said with a grain of salt, this wasn't too surprising.

Back in The Pits in CherryOS, it was noted that the time-stamps of the build were placing them somewhere across the globe, and 'Comsdev' showed up in the executable, along with some foreign names. And back in a Wired interview, Arben once stated that at one point at least, there had been PearPC code in CherryOS although he claimed 'some programmer' had done it:

Kryeziu said the inclusion of PearPC code was the fault of one of his programmers, who is no longer with the company. "I fired his ass," Kryeziu said.

Still, Arben had made some pretty strong claims about COMSDEV in our chat, and it was really only fair to contact COMSDEV (A Pakistani offshoring company) to give them a chance to respond. However, instead of going straight to COMSDEV I dug around for names associated with them, older employees, and talked to them first. As you'll see, I'm really glad I did.

I first contacted a Jahanzeb Farooq (Tippu), to confirm whether he'd worked at COMSDEV and whether he happened to know anything about CherryOS, who had this to say:

Hi, Yes I have been their employee. Yes sure, you can ask questions, but the 'allegation' thing is very strage to me. Please clear it to me, about which allegations you wrote.

I know about CherryOS. It was under develpment when I left the job, what questions you want to ask about it.

Also, I will like to know who gave you my email address.

Regards,

Jahanzeb Farooq (Tippu)
-----------------------------
M.Sc in Computer Sciences
Umeå University - Sweden
Bachelor in Computer Sciences
Hamdard University Karachi
-----------------------------

So that's cool, we at least have confirmation that COMSDEV was involved. I explained some of what Arben had said regarding COMSDEV, and passed along some links to my site regarding CherryOS, and received (04/13/2005):

I read your mail and the page you referred. All thing is very strange to me. I am sorry that I could not help you much regarding the true thing because I did not work on CherryOS. Ya, I know the developer who was working on it that time. If you like, I can forward your mail to him, or to head of Comsdev, they can tell you the exact thing.

Yeah, now we're starting to get somewhere. I asked Tippu to please forward on my mail to the developer who 'worked on CherryOS at the time', and also asked for his name (04/14/2005):

Yes, of course I know him. I know him because he used to sit in the same room as I. (There might be others working on CherryOS but I don't know them). Anyhow I have sent him a mail, as soon I get response, I will forward your mails to him.

Also, if you like, I can forward to the CEO of Comsdev. He can tell you the whole thing.

As you can imagine, I didn't really want things to get forwarded onto the CEO of COMSDEV just yet as -- as we mentioned above -- in a situation like this it's generally a good idea to talk to as many people as possible and see where things start clashing.

I was also talking to a Khurram Hanif, asking the same sorts of things, and received this reply (04/14/05):

I did work for Comsdev for some time. I was appointed as Asst. Project Manager but my responsibilitites was also revolving aroung coding and designing applications. I'll see what sort of help you need and what sort of questions you carry. Regards Khurram Hanif

After thanking him for the reply, I asked Khurram "I've glanced through your employment but have not yet gotten to matching up the dates, were you working at Comsdev while they worked on the CherryOS project?", to which he replied (04/14/2005):

Hi Michael Yes i was at Comsdev when there were a MUCH DISCUSSED project CherryOS. I read a lot of discussion on internet regarding this project. But i keep myself quit due to many reasons.

Well CherryOS is going to be Open Source next month(i'm not 100% sure about it :( ) and with that all discussion will be dead (which is not possible).
Regards
Khurram Hanif

When it comes to whether or not CherryOS would get open-sourced, Khurram seems to be wise and prescient indeed. I actually liked dealing with Khurram, he seemed like a pretty cool guy.

I talked to a few other ex-employees who were very helpful in letting me know I was going in the right direction as well as say, getting me the contact information I needed to ping some of these people.

Of course, one of them was going to end up contacting the CEO of COMSDEV eventually. I know if I was a programmer, and seeing the havoc going on about CherryOS around the web and I was starting to get contacted, I'd certainly want to pass the buck up as quickly as possible.

Which meant it was time to send a letter to the CEO.

Via email, I asked the CEO some very targeted questions, such as:

1. E-Lance records show you were the developer, and there were references to your companies name in the source. I've interviewed Arben Kryeziu, who claimed you developed CherryOS for them, and also said many other things:

2. That you were commissioned to create a PowerPC emulator for Windows, similar to PearPC, from scratch.

3. That you have never given him or the company the source code, and that when allegations of code infringement occurred, you were asked for an explanation by Arben and you said others' code was not included. Meanwhile, you provided him with versions of the application that had 'bug fixes' but also removed traces of evidence from the application, which he was unaware of.

4. I would simply like to get your side of the story before publication if you consider any of the above to not be truth.

His response was, if you'll pardon my opinion, just a little strange (04/14/2005):

Thanks for your email. This is Khalid, the CEO of COMSDEV. Before I can answer your query let me explain what COMSDEV is so that everything should be crystal clear in your mind while writing your story.

COMSDEV is an offshore software development company consisting of 25 to 30 developers. We offer wide variety of our services including Windows Application Development, Web Application Development, SEO and Graphics Designing. Our 60% to 70% of business came from Elance.com. So you can say that Elance plays a big role in our company. Our process starts by submitting proposals to customer's RFP documents/postings. We understand customer requirements and suggest our proposed solution with all possible pros and cons. Based upon our proposal, we may reach towards a service agreement. Usually 70% of our customers demands from us to sign their provided NDA (Non-Disclosure Agreement) in order to safeguard themselves. We respect our signed NDAs and try our best not to disclose any of our respected customer's information to the 3rd party without expressed and written permission from our customer. This is why our customer trusts us and continuously giving us more and more business.

COMSDEV has no products to claim. We are in fact seriously thinking about developing our own products but didn't yet finished anyone. So we have no part to play in Product Based Business.

Now you will have clear picture of COMSDEV's business model in your mind. In fact this is not a new model. Many US Companies are also doing very similar business.

As far as MXS is concerned, we have a great relationship with them through Elance and working on their different products (not launched yet). Like with many other companies, we have signed their NDA and are bounded not to disclose any of their product information. I have wrote to MXS to allow us to disclose some of the information regarding their future products to clear up the smoke but they didn't allowed us as disclosing their future product information is not a desirable thing for them (Off course!... many companies follow this strategy to hide their future products until unless they are finished with them).

Now at the last, lets talk about CherryOS. COMSDEV has no relationship with CherryOS. COMSDEV and COSDEV are very similar terms when being referred however there is a huge difference between them in meanings. We by no means violated GPL or any other License Agreement. We are selling our development services and getting reward against them.

I am sure now you will be clear about COMSDEV. We have no concerns whatever MXS is launching as their product but we are very much concerned what MXS is asking from us to develop and deliver.

Thanks,

M. Khalid Farooq
Chief Executive Officer
COMSDEV
http://www.comsdev.com.pk

I'm still not quite sure what he's referring to with the whole 'cosdev' versus 'comsdev' thing, I never mentioned it so I have no clue as to where it came from. The intro to offshoring 101 lecture was equally bizarre, but he possibly just didn't know who he was really talking to, which is understandable.

One thing that stuck out at me is that both the CEO and one of the developers have the same last name, 'Farooq', but unfortunately I'm ignorant enough about Pakistani culture. It could well just be the American equivalent of 'Johnson', and I'll leave it that way until I'm better informed.

I responded, saying:

• While I respect the fact that they may be under a non-disclosure agreement with MXS that would prevent them from commenting at all -- which I would understand -- stuff is going to go out anyways, like their name and the connections, and they're putting themselves in a compromising position.

• That I had a trail at ELance tying them to a 'PowerPC Emulator' they'd worked on for Bump Networks. From previous chapters, Bump Networks should sound familiar to you.

• I mentioned that I'd talked to former COMSDEV employees who had confirmed that they were at COMSDEV when the CherryOS project came in...

• I reiterated what Arben had said in his interview with me regarding COMSDEV

Lastly I said "Without more from you, what I am going to have to run with is what they said, plus the employees I've talked to, with you denying you ever worked on it and you can understand how readers will draw what may be strange conclusions."

As you can imagine, this didn't go well at all, but it wasn't really meant to (04/15/2005):

Hi Mr. drunkenbatman,

Today I contacted MXS regarding your So-Called Abren's Interview and found that there is nothing such happend at all. MXS simply replied to me "How this can be happend while COMSDEV has no relationship with CherryOS?"

Now its quite open to me that you are consistantly telling lies in order to get some point to make it ISSUE. This might be your business but please keep us away from this dirt.

As far as our former employees are concerned, I don't know to whome you have talked. However you may found thousands of ppl around that can claim as they were working in COMSDEV only to get famous by their names. This publicity might be helpful for them in their career.

You are open to publish whatever you want. However if you still feel that you need to be justice then first prove that the persons you are referring are employees of COMSDEV and then qoute any of their words.

Last thing to say, its strange to me as you are investigating a Violation of an Agreement while constantly insisting me to violate our own signed NDA (another Agreement). How you justify this by yourself? Looks like you don't care what an Agreement imposed to us or what are the ethics of a Business. You should rather be insisting MXS to give permission to COMSDEV to open up their relationship.

Thanks but unable to understand the meanings of "Peace",

Khalid

FYI, I often sign my emails with "Peace", just because I'm kinda Emo like that and apparently something got lost in the translation.

The rest of his email was just getting weird, and I can't imagine why he'd think the whole "Random people are claiming to be COMSDEV employees to be part of the story" thing would work; I'm just continually amazed at the holes these guys start digging for themselves.

I responded, saying:

• "[The interview with Arben] took place over 3 hours, and I have enough witnesses and evidence that even though Mr. Kartes may try to deny it because he doesn't like what Arben says, I'll post the interview, along with the evidence showing it to be real, and let the public decide."

• "I haven't lied to you in any way, but understand you are asking me not to contact you again. However, everything I've told you will be made public, and I'll take your emails as all you have to say on the subject until you are contacted by others."

• "Of course I'll be using their names and words in the story. Will I give them to you ahead of time? No, as there are now more employees all of which are stunned you would deny Comsdev worked on CherryOS. You certainly haven't explained why you worked on a PowerPC emulator for Maui X-Stream that was NOT CherryOS. It would be poor form to try to discredit your employees."

• "*sigh* Insulting me is not a way for a CEO to really behave, but it'll be interesting in the story.

  A non disclosure agreement requires you to not disclose information -- and I do respect that you're well within your rights to not talk and I won't contact you again -- however it does not require you to lie for your client. If Mr. Kartes has that in your agreement, you've signed a poor agreement indeed and eventually the evidence will cast its own shadow."

Oh yeah, that pretty much did it, and Khalid for all intents and purposes became my new favorite (04/15/2005):

Dear drunkenbatman,

Interesting to see increase in your list of COMSDEV employees. As I told you, it may go beyond 1000 because everyone will be looking forward to get his name inside the story :-) What is the validity of your interview which has been openly denied by MXS? Good Luck with your Story having fake interviews and fake employees.

Nothing to explain regarding PowerPC Emulator Project Listing at Elance. Everyone can read it out that this wasn't about creating PowerPC Emulator at all.

Regarding your statement abt how should I behave, just want to say onething. I DON"T NEED YOUR CERTIFICATE TO BE CEO.

Thanks,

Khalid

I could pretty much imagine what was going to be happening behind the scenes, and figured it was only a matter of time before things got weird. If I were in his position, I'd be doing my best to figure out who I'd talked to, starting with those involved with CherryOS directly and trying to do some damage control.

I can imagine that MXS wasn't my biggest fan at this point either, as the same day Ryan is getting his cease and desist notice to take down his evidence, here I am asking around through another avenue. Ah, to be a fly on the wall.

And yeah, it didn't take long for some stories to start changing.

Since it's been mentioned a few times, it's really worth discussing that 'PowerPC Emulator at Elance' that's come up a few times, which you can also see via the below screenshot:

If you'll notice, this was a transaction between COMSDEV and Bump Networks; with the project being posted on June 2004 and COMSDEV being awarded the project on July of 2004... With CherryOS being 'released' (it was subsequently pulled) in October of 2004.

Or about four months, which those of you playing the trivia version at home will remember as being the amount of time Arben originally claimed it'd taken to write CherryOS. Of course, there were four other bidders, and it would probably be worth someone's while to contact them...

This should also clear up part of the chat with Arben for some, where I asked about 'the script'. If you'll recall, he claimed it was a translation error of sorts, that he meant it as a sort of project description.

COMSDEV has actually done quite a bit of work for MXS and Bump Networks. 'AdMagic' seems to have been canceled, however if we look back over the projects COMSDEV have worked on we can see mxs808 and Bump Networks have paid at least $45,000 to them over the last while.

Where it gets strange is that after the initial payment from Bump Networks for a 'PowerPC Emulator which already had a script', MXS starts paying them almost $15,000 for "Application Developments" and "Application Modification" in sealed deals. Probably the most intriguing aspect of this is just how closely it matches up to some of what Arben said in our chat; that Bump Networks started the project, and then MXS came in with the real financing.

Another interesting aspect is that as far as ELance goes, MXS and Bump Networks seem to make up at least two thirds of COMSDEV's income. I have a feeling that with some digging by someone, interesting bits would shake loose here.

From what I can tell, MXS and Paradise Networks have paid Bump Networks a little over $20,000 over the last year, while 'mxs808' has paid out almost $110,000 to various companies. It would appear that outsourcing wasn't some one-time thing, and is an integral part of their business model.

If you'll recall our pal Jahanzeb Farooq (Tippu), well, he came back a few days later and dropped this (04/18/2005):

Hi,

I am really very sorry that actually I misunderstood the name. I have been in contact with the developer, he has left Comsdev and working in another softwatre house. The name of PowerPC Emulator project that Comsdev was working on was OSChoice, and it was not a PowerPC Emulator software but a demonstration in the form of web application. The demonstration/ presentation teaches someone what a PowerPC Emulator really does as far as their architecture is concerned.

I am really sorry that I mixed the names CherryOS and OSChoice. As I left Comsdev long time, I forgot the name. Also it mixed in my mind because both are related to PowerPC emulator.

If you want to know more about OSChoice, the developer referred to Comsdev web site www.comsdev.com.pk or to contact CEO of Comsdev.

I am sorry that for the time being, I mislead your investigation.

Regards

Jahanzeb Farooq (Tippu)

Call me crazy, but I'm thinking to myself that the CEO of Comsdev has been talking to people, which as I mentioned is to be expected (Come on, you're thinking it too).

However, the OSChoice thing was pretty much out of nowhere and had me royally amused. It was just so backwards from everything else I was hearing... but fair enough. I had to follow up, which means I had to ask for who the specific developer was. Tippu told me it was 'Zeeshan' (a name you'll recognize from Comsdev feedback page on Elance), which made sense, and gave me an email.

When I mentioned to Tippu that others were saying the exact opposite of him, that CherryOS had indeed come into Comsdev, he told me he'd only worked at Comsdev for 4.5 months and didn't feel comfortable saying whether or not CherryOS was worked on them or not...

Which is fair, which meant it was time to talk to 'Zeeshan', so I asked him:

1. Is it true you claim Comsdev never worked on CherryOS or had any involvement?

2. Can you think of any reason why your name would have been found in the CherryOS source code?

I heard back fairly quickly (04/26/2005):

drunkenbatman, First of all plz tell me where u r going to post your story? (1) Yes!... when I was at Comsdev, I didn't worked on any project named Cherryos. Tippu refered me URLs where cherryos is quite a popular story and ppl are saying that its taken code from pearpc project. I infact hear this name pearpc first time in my life.

(2) Really? Did you find my name in the source code? Can you forward me that source code? Is that source code in Java?

regards,

zeeshan

Ah, the dangers of typos. I said 'source code', but I actually just meant CherryOS, which had to be explained, etc. I gave generalities, but not specifics, and received (04/28/05):

hello, its really strange. anyway, i worked at comsdev for almost 1 year and just resigned from few months earlier. i worked there on a web based presentation named OSChoice that was appeared to be for powerpc architecture students to understand how it works. i didn't see any development with the name of cherryos in my tenour there. anyhow you can directly talk to Khalid, the ceo of the company, and I am sure he will definitely tell you something useful for your story. plz let me know if you need his email address. zeeshan

This OSChoice thing was really starting to crack me up, and we'll see why in a moment. If you google on OSChoice, there's really only two things: oschoice.org and oschoice.com. OSChoice.org is -- by far -- the most likely of the two to have any bearing on this, so I pinged the author of the site, Walter Ian Kaye, who told me had never heard of any of this.

The problem, our friend Tippu has his website, and if you click around a bit you'll find:

Which gives us a few names, all of which worked at COMSDEV:

• Sarfraz Anwar
• Usman Hameed
• Umer Zeeshan
• Bilal Niaz
• Imran Anwar.

As it turns out, those names are pretty important. Umer Zeeshan should sound familiar, as he just got done telling us he'd never worked on anything called CherryOS. Unfortunately, if you look at the properties for the LicenseAgreement.doc for CherryOS, his name (along with COMSDEV) comes up twice. 'Imran' seems to fair the worst, showing up quite a bit, really.

And of course, I mentioned the other employees, and we'll stop back in and look at one of them now. If you'll recall, we'd been chatting with an ex-COMSDEV employee named Khurram Hanif who confirmed he was at COMSDEV when they worked on CherryOS, and I actually had a few more replies from him (04/15/2005):

Hey there Well i was just an employee at Comsdev and I had long discussions regarding CherryOS and its development with all the persons around it except Arben. I know a lot about it but i dont understand why you are taking so much interest. I think you should wait, everyone will come to know the REAL STORY after some days when CherryOS will go open source (if it goes). I cann't say anything regarding Comsdev or its CEO. If you have any questions just ask me and dont tell me the stories what Arben says to you or what Comsdev CEO says to you. Regards Khurram Hanif

I actually did end up waiting quite a bit (obviously), and you do have to admire the guy's candor. Out of all of them, Khurram is definitely my favorite of the bunch. I sent him:

"I would be most appreciative if you could answer my questions, I am just trying to bring some credibility to the situation. If you find yourself able to answer any of these questions, it would be immensely helpful:

1. Does CherryOS contain GPL, LGPL or otherwise copyrighted code such as PearPC?

2. Was Comsdev given code to use that was copyrighted, or asked to do so in working on CherryOS?"

Khurram replied back to me the next day (04/16/2005), saying:

Hello Michael I decided to tell the truth whatever its result would be. Yes! there was PearPc code in CherryOS and it was given to Comsdev by Arben. This is the whole story. Thats why i was saying CherryOS will never be open source. I request you to keep at least my refrence secrete. And tell this story to whole world. I think everyone already know this. Regards Khurram

You know, COMSDEV is going to say what they want, and Maui X-Stream is going to say what they want, and at this point I've given up having a clue as to what they'll say. I'll just let you make up your own mind as to how the names got into CherryOS, or how COMSDEV's name got into the CherryOS documentation.

Back when Maui X-Stream said they were going to open source CherryOS, I said how I thought it would go. As we'll get into in a moment, obviously I was wrong, but it's worth looking at something in the past that led me to those conclusions.

Awhile up I mentioned mbloom.com showing up in the headers of Arben's email being important. You see, Arben has been down this road at least once before and until recently you were able to download the source for an application called "PDFConv". Bump Network's name is tied to it as well around the web.

PDFConv was a utility to, well, convert PDFs; specifically into HTML. The problem is that it turned out PDFConv was using source from verypdf.com's PDF2HTML app which (surprisingly enough) converts PDFs into HTML. While verypdf.com charges for the current version of their product (version 1.6 at the moment) they make the older version (v1.2 at the moment) available under the GNU GPL license.

Some in the community got wind that PDFConv was using the code from PDF2HTML, and pressure started to build on them to yank or open source the product. The product was yanked, however it was eventually put up online again, this time with a twist: the source code for the application was put up along with it.

Ryan Thoryk (who we remember from the analysis.html pages above) came along about this time and heard the rumors. He ran a DIFF between the source of PDFConv and PDF2HTML (where you take two files, or sets of files, and compare them together so you can see what the differences are) and it became obvious Arben had simply stripped out the original copyright notices within verypdf.com's code and posted it as his own.

Ryan contacted verypdf.com to notify them of the GPL infringement, who then contacted Arben, and then the code was taken down straight quick. Basically, between PDFConv, CherryOS and now VX30, we aren't looking at isolated events.

It's been an interesting week when it comes to CherryOS:

• Brian's Brain mentions he talked to Jim Kartes at MXS who -- while showing his cordial nature yet again -- told Brian that Arben Kryeziu had left MXS and would be taking CherryOS with him as 'part of his departure settlement'. From what I've been able to gather, there's no word on the Porsche. Everyone is apparently told to email Arben at his kryeziu.com website.

• A reader, Larry David, passed along that he'd contacted Karol McGuire of Open Access Communications, Inc. who is apparently the PR firm for Maui X-Stream (Where the hell have these people been, and why aren't they talking to the media instead of Jim Kartes?) who passed on some similar information:

  By way of update on the CherryOS G4 emulation software: Arben Kryeziu, developer of CherryOS, is leaving Maui X-Stream (MXS, Inc.) to pursue other opportunities. CherryOS and all licensing rights to it have been transferred to Arben. For more information concerning future releases of the product, please contact him directly at arben@kryeziu.com.

• Arben's website (I can't tell you how annoying having to go to this again was) has a suitably bizarre blog post up where, among other things, he mentions he's decided that C-OS (CherryOS) is just not worth the hassle.

The obvious questions that come to mind is: If Arben left MXS and took the rights to CherryOS with him, who will be slinking away with the rights to VX30?

If you've gotten to the end, it wouldn't surprise me if you were right where I am mentally regarding Jim Kartes, Maui X-Stream, Arben Kryeziu, Bump Networks, CherryOS and VX30. Obviously, something has to break here.

There's an old Monty Python Parrot Sketch where a guy carries back a parrot he purchased 30 minutes earlier to make a complaint: The Parrot is dead. The shopkeeper protests vociferously, and an amusing exchange goes on and on between the two until eventually, out of excuses, the shopkeeper offers the man a slug for appeasement.

While I've never heard the voice of Arben Kryeziu or Jim Kartes, whenever I read anything attributed to them now it might as well be John Cleese and Michael Palin yapping about in my head. Which is distressing, because I really like John Cleese and Michael Palin.

I've gone about as deep into these guys as someone can go, and wrapping this up feels akin to crawling out of a sewer and looking for a shower. These guys are often very adept at getting out what they want to get out while trying to outrun the story, but there should be enough here for 50 stories. Write them, and they won't be able to outrun it.

special acknowledgment: Charles Darvy of PearPC was incredibly helpful in putting this together. From bringing things to my attention to helping compile contacts, he has my sincere thanks.