Educause Security Discussion mailing list archives

Re: RIAA Moves Against College-Control of your Computers


From: "Dennis Meharchand, CEO Valt.x" <dennis () VALTX COM>
Date: Fri, 4 Apr 2003 12:00:25 -0500

What does the RIAA want?

Impenetrable Hardware Technology is available to secure campus owned
computers from having P2P applications such as KaZaa installed - see
Valt.X Instant Recovery sub-system at www.valtx.com/ir.pdf. All
unauthorized changes are automatically eliminated upon system reboot.

The RIAA can't expect network operators to control what students do with
their own computers - or do they?

Is there a defense fund?


Dennis Meharchand
CEO, Valt.X Technologies Inc.
Tel: 416-746-6669
Fax: 416-746-2774
http://www.valtx.com
email: dennis () valtx com


-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Bruhn, Mark S.
Sent: Friday, April 04, 2003 11:04 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] RIAA Moves Against College-Network Fileswapping

There is an implication here that P2P applications are illegal ("P2P or
other violation of copyright laws"), which isn't the case.  I assume
that's not what you meant.

Setting aside our policies and general interest in our resources being
used appropriately, is it true that if a student does something illegal
and we know about it, are we obligated to report that to law
enforcement?

We don't have a policy that specifically prohibits illicit drug use, but
we don't have people systematically searching through residence hall
rooms searching for drugs (at least we don't).  Do we not do this
because we are certain this isn't being done on our campuses?

--
Mark S. Bruhn, CISSP

Chief IT Security and Policy Officer
Interim Director, Research and Educational Networking Information
Sharing and Analysis Center (ren-isac () iu edu)

Office of the Vice President for Information Technology and CIO
Indiana University
812-855-0326

Incidents involving IU IT resources: it-incident () iu edu
Complaints/kudos about OVPIT/UITS services: itombuds () iu edu




-----Original Message-----
From: Ken Shaurette [mailto:Ken.Shaurette () OMNITECHCORP COM]
Sent: Friday, April 04, 2003 10:53 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] RIAA Moves Against College-Network Fileswapping


It is true that you should never have anything written in policy that
you cannot or do not intend to enforce even if only with awareness and
reminders that it breaks policy.  Having a policy and not consistently
enforcing it raises penalties of itself and is loosely identified in
Federal Sentencing Guidelines.

Not having policy does not protect against the lawsuit.  An
organization could still be shown negligent if they had P2P or other
violation of copyright laws occurring, were aware of it and did nothing
to stop or discourage.  The act in and of itself is illegal, promoting
(or not stopping) when made aware of the violation could be argued by a
good lawyer as participation in the act of committing the crime.  Could
it also be argued that you should know your network and this type of use
is very common so you should have a policy and enforcement measures to
discourage?

Your organization is providing the resources to commit the crime whether
you have policy against it or not.  Lending your car to a person you
know is planning to use it to rob a bank does not remove you from
liability of having participated in the commission of the robbery.

Definition of a jury:  12 men and women who are your peers and determine
who has the best lawyer.

Ken
Information Security Analyst and Security Solutions Manager
Omni Tech Corporation
(262) 523-3300 x486

        -----Original Message-----
        From: Bruhn, Mark S. [mailto:mbruhn () INDIANA EDU]
        Sent: Fri 4/4/2003 9:31 AM
        To: SECURITY () LISTSERV EDUCAUSE EDU
        Cc:
        Subject: Re: [SECURITY] RIAA Moves Against College-Network Fileswapping


        This supports the notion that policies shouldn't be written
        unless they are necessary for specific situations, and unless the
        organization has the means and desire to enforce them.  This is one of
        the reasons (though maybe not the most important) we don't have such a
        policy, and indeed this citation lends add'l credibility to how most of
        us operate in this area (reactive instead of proactive).
        M.

        --
        Mark S. Bruhn, CISSP

        Chief IT Security and Policy Officer
        Interim Director, Research and Educational Networking
        Information Sharing and Analysis Center (ren-isac () iu edu)

        Office of the Vice President for Information Technology and CIO
        Indiana University
        812-855-0326

        Incidents involving IU IT resources: it-incident () iu edu
        Complaints/kudos about OVPIT/UITS services: itombuds () iu edu


        -----Original Message-----
        From: Robert Myles [mailto:mylesr () OHSU EDU]
        Sent: Friday, April 04, 2003 10:23 AM
        To: SECURITY () LISTSERV EDUCAUSE EDU
        Subject: Re: [SECURITY] RIAA Moves Against College-Network Fileswapping


        There is precedence for the suit against the institution, case
        was settled for 1.5 million last year in the southwest against a company
        that had a policy against download of MP3's and P2P software, knew of a
        P2P server on their system that they did not get around to shutting
        down, and were found at fault for not following their own policy.
        Lawsuits always go for the deep pockets!!

        Robert Myles, CISSP
        Information Security Officer
        Oregon Health & Science University


        >>> tbm3 () CORNELL EDU 4/4/2003 4:44:03 AM >>>
        Great question, the answer of which may substantially depend on whether
        they followed DMCA registration and procedures.  Verizon did not, which is
        why RIAA subpoenaed them for user name.  If these schools follow "safe
        harbor" provisions of the DMCA, they should be immune from contributory
        copyright liability.  And even if they did not, there is language in the
        DMCA regarding ISPs which should go a long way towards protecting them.  But
        still, these are $64,000 questions, becoming more costly by the minute.

        Tracy

        At 06:30 AM 4/4/2003 -0600, you wrote:
        >Do you feel this excludes them from turning a law suit against the college
        >network operators next?  Especially if they feel a college hasn't done
        >enough to discourage the activity?
        >
        >Ken M. Shaurette, CISSP, CISA, CISM, IAM
        >Omni Tech Corporation, www.omnitechcorp.com
        >(262) 523-3304
        >
        >         -----Original Message-----
        >         From: Tracy Mitrano [mailto:tbm3 () CORNELL EDU]
        >         Sent: Thu 4/3/2003 9:06 PM
        >         To: SECURITY () LISTSERV EDUCAUSE EDU
        >         Cc:
        >         Subject: Re: [SECURITY] RIAA Moves Against College-Network Fileswapping
        >
        >
        >
        >         Please note, the action is not against network operators, but users,
        >         students.  Attached is the RIAA letter concerning this matter.  Tracy Mitrano
        >
        >
        >         At 08:56 PM 4/3/2003 -0500, you wrote:
        >         >For those of you that don't read slashdot -
        >         >
        >         >"The RIAA is taking action against college "Napster networks". It's suing
        >         >four network operators, two at Rensselaer Polytechnic Institute, one at
        >         >Princeton University, and one at Michigan Technological University."..
        >         >
        >         >http://yro.slashdot.org/yro/03/04/03/2312220.shtml?tid=141
        >         >
        >         >If you have lots of p2p traffic on your network you might want to touch
        >         >base with your general counsel, if you haven't already.
        >         >
        >         >Cheers -
        >         >
        >         >**********
        >         >Participation and subscription information for this EDUCAUSE Discussion
        >         >Group discussion list can be found at http://www.educause.edu/memdir/cg/.
        >