Re: RIAA timestamps off

[Bob Bayn <Bob.Bayn () USU EDU>]

Most of our recent RIAA complaints have been against our wireless
address space and all have matched up with the connection logs
we have.  No identified students have protested their innocence
(other than to claim that they let someone else use their computer).
however, we only get a few DMCA complaints a week here.

Bob Bayn
IT Security Team
Utah State University


> Has anyone else had issues where the RIAA timestamps for DMCA notices
> are off?  I don't know how many of you compare them with NetFlow data,
> but we've found that when we do, there are often inconsistencies -- the
> largest being 41 hours, but more often being 1-10 hours off.  We use
> NTP, and are confident about our timestamps, logs and NetFlow data.  The
> majority of our recent notices have been for VPN IP addresses (the
> turnaround time of that IP space is *very* short) so these errors could
> easily lead to misidentification.  We're assuming that the reason
> they're sending incorrect timestamps because their detection
> system/application is using cached data.

> One recent example for illustration: a connection ends at 16:56 UTC.
> Tons of traffic on port 37107 during that session.  The RIAA alleges
> (under penalty of perjury) that file sharing occurred at 18:16.  No one
> was using that IP address at that time.  NetFlow data confirms that
> there was no traffic at 18:16.

> Anyone else comparing allegations with NetFlow data?

> Anyone else seeing inconsistencies?

> Thanks,

> --
> ~Jonny Sweeny, GSEC, GCWN, GCIH, SSP-CNSA
> Incident Response Manager, Lead Security Analyst
> Office of the VP for Information Technology, Indiana University
> PGP key & S/MIME cert: https://itso.iu.edu/Jonny_Sweeny
> jsweeny () iu edu  p(812)855-4194  f(812)856-1011