Educause Security Discussion mailing list archives
Re: RIAA timestamps off
From: "Scholz, Greg" <gscholz () KEENE EDU>
Date: Tue, 25 Sep 2007 13:31:13 -0400
I am curious how people are interpreting the "last found" date/time listed on the RIAA notices? I never read "file sharing occurred at".

It is my general suspicion that they troll the Internet looking for the advertisement of songs. Maybe they attempt to download them, maybe they don't. So UserX logs into LimeWire, song list is made public. 10 hrs later song list is still public but no one may be actually pulling the data. Technically it is the making of the infringing material available that is the "crime" so the user is "seen" and is sought by the RIAA. So this might account for timestamps off and still be a somewhat legitimate scenario.

Thoughts?

_________________________
Thank you,
Gregory R. Scholz
Director of Telecommunications
Information Technology Group
Keene State College
(603)358-2070
--Lead, follow, or get out of the way. (author unknown)

-----Original Message-----
From: Sweeny, Jonny [mailto:jsweeny () IU EDU]
Sent: Tuesday, September 25, 2007 11:50 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] RIAA timestamps off

Has anyone else had issues where the RIAA timestamps for DMCA notices are off? I don't know how many of you compare them with NetFlow data, but we've found that when we do, there are often inconsistencies -- the largest being 41 hours, but more often being 1-10 hours off. We use NTP, and are confident about our timestamps, logs and NetFlow data. The majority of our recent notices have been for VPN IP addresses (the turnaround time of that IP space is *very* short) so these errors could easily lead to misidentification.

We're assuming that the reason they're sending incorrect timestamps is that their detection system/application is using cached data.

One recent example for illustration: a connection ends at 16:56 UTC. Tons of traffic on port 37107 during that session. The RIAA alleges (under penalty of perjury) that file sharing occurred at 18:16. No one was using that IP address at that time. NetFlow data confirms that there was no traffic at 18:16.

Anyone else comparing allegations with NetFlow data? Anyone else seeing inconsistencies?

Thanks,
--
~Jonny Sweeny, GSEC, GCWN, GCIH, SSP-CNSA
Incident Response Manager, Lead Security Analyst
Office of the VP for Information Technology, Indiana University
PGP key & S/MIME cert: https://itso.iu.edu/Jonny_Sweeny
jsweeny () iu edu p(812)855-4194 f(812)856-1011
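The comparison described in the original message (a notice's alleged time checked against VPN lease and NetFlow records) can be sketched as follows. This is an added example, not part of the thread or any poster's tooling; the record layouts, user names, date and 192.0.2.10 address are constructed, and only port 37107 and the 16:56/18:16 UTC times come from the message.

```python
from datetime import datetime, timedelta, timezone

def ts(s):
    """Parse 'YYYY-MM-DD HH:MM' as a UTC timestamp."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M").replace(tzinfo=timezone.utc)

# Constructed sample data (documentation IP range, made-up users and date).
# VPN leases: (user, ip, start, end). Flows: (ip, local_port, first, last).
LEASES = [
    ("user_a", "192.0.2.10", ts("2007-09-20 14:02"), ts("2007-09-20 16:56")),
    ("user_b", "192.0.2.10", ts("2007-09-20 19:40"), ts("2007-09-20 21:05")),
]
FLOWS = [
    ("192.0.2.10", 37107, ts("2007-09-20 14:10"), ts("2007-09-20 16:56")),
    ("192.0.2.10", 443, ts("2007-09-20 19:45"), ts("2007-09-20 20:50")),
]

def gap(t, start, end):
    """Distance from t to the interval [start, end]; zero if t is inside."""
    if t < start:
        return start - t
    if t > end:
        return t - end
    return timedelta(0)

def check_notice(ip, port, alleged, leases=LEASES, flows=FLOWS):
    """Compare one notice (ip, port, alleged time) with leases and flows."""
    holder = next((u for u, i, s, e in leases
                   if i == ip and gap(alleged, s, e) == timedelta(0)), None)
    port_flows = [(gap(alleged, s, e), s, e) for i, p, s, e in flows
                  if i == ip and p == port]
    nearest = min(port_flows, default=None)
    offset = nearest[0] if nearest else None
    if holder and offset == timedelta(0):
        verdict = "consistent"
    elif holder:
        verdict = "lease_but_no_matching_traffic"
    else:
        verdict = "no_lease_at_alleged_time"
    # Who held the address during the nearest matching flow, if anyone.
    # This is a lead for manual review, not an identification.
    candidate = None
    if nearest and offset:
        candidate = next((u for u, i, s, e in leases
                          if i == ip and s <= nearest[1] and nearest[2] <= e), None)
    return {"verdict": verdict, "holder_at_alleged_time": holder,
            "offset_to_nearest_flow": offset, "candidate_from_nearest_flow": candidate}
```

With short-lived VPN leases, the third verdict is the one that matters: the user holding the address at the alleged time is not the user whose session produced the traffic on that port.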