Educause Security Discussion mailing list archives
Re: RIAA timestamps off
From: "Sweeny, Jonny" <jsweeny () IU EDU>
Date: Mon, 1 Oct 2007 13:03:51 -0400
Jordan, we've been evaluating the same predicament. In the past we've chosen option #2. We'd just prefer that the timestamps be accurate ;) because:

* the flow analysis is very time-consuming for us as well, and
* it is not our responsibility to correct someone's timestamps that are off.

I'll agree with what many folks have said since my initial post last Tuesday: In most cases, if we look through NetFlow data and connection (vpn, dhcp, dialup) logs, we are able to identify the user responsible for the traffic that the RIAA timestamp meant to identify. However, if the timestamp was during a time when no one was using that IP address, we just bounce the notice back with an explanation that their timestamp is off.

Unlike some Universities, we do not examine the computers or search for the files so I cannot say anything regarding how many were truly guilty (though we do not have many file counter-notices when flows do 'confirm' that we've ID'd the right user).

--
~Jonny Sweeny, GSEC, GCWN, GCIH, SSP-CNSA
Incident Response Manager, Lead Security Analyst
Office of the VP for Information Technology, Indiana University
PGP key & S/MIME cert: https://itso.iu.edu/Jonny_Sweeny
jsweeny () iu edu p(812)855-4194 f(812)856-1011

-----Original Message-----
From: Jordan Wiens [mailto:numatrix () UFL EDU]
Sent: Monday, October 01, 2007 11:11
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] RIAA timestamps off

We have had multiple cases where students contested the claim and flow-analysis backed up that they were not participating in the P2P traffic identified in the complaint. Not a high percentage, mind you, but some.

Unfortunately, verifying complaints through flow analysis is time-consuming and tedious. So our two options are:

1) Verify each complaint, requiring much more work by the security team, in cases where the complaint /doesn't/ line up based on flow-data, do we expand our search to try to find and correct the time-stamp on the complaint?

2) Waste the student and judicial affairs time by rounding up everybody and sending them through the process, hoping the innocent ones actually contest it and then we can exonerate them. This is not ideal.

--
Jordan Wiens, CISSP
UF Network Security Engineer
(352)392-2061

On Sep 30, 2007, at 9:31 AM, Ken Connelly wrote:

I will echo Rick's sentiments and experiences. I, too, have been dealing with these since day one. We have never had a student dispute the copyright infringement complaint other than a case or two where the student registered another's computer for them. In those cases, we redirected the complaint to the true owner and had no further dispute.

- ken

Rick Coloccia wrote:

We got 14 these past two weeks. Very frustrating, since we use a packet shaper and an Audible Magic box to minimize this kind of traffic. (All 14 were for encrypted protocols...)

In every single case, the student admits, "Yes I use limewire/ares/etc" and "Yes I have that song" so while the timestamps may well be off we don't think that's a significant issue with regard to these takedown notices. Our students admit to the file sharing (but most claim they don't know that the same program that lets them get the song re-shares it to the world), they get their stern warning, and life goes on.

I realize that there are technical differences between "making available" and someone "actually downloading" the song via a p2p program, but with my students the difference isn't truly significant. We bring students in, teach them the highlights of the dmca, insist they uninstall any p2p software, explain how the takedown notice affects them as a Geneseo student (If we receive a second takedown notice on their behalf, they'll meet the Dean of Students who will likely start a process that can only end in suspension or expulsion) and send them on their way. It works for us.

I'm not taking the side of the riaa, just sharing my experiences having done this for years now, since the very first one...

-Rick

Valdis Kletnieks wrote:

On Sat, 29 Sep 2007 06:50:42 EDT, David Taylor said:

I'm wondering if they are just going by the name of the file without even verifying the contents of the file.

One has to wonder if this isn't a Beavis-and-Butthead routine, where one group hired by the RIAA to seed file sharing networks with bogus and corrupt versions of files has managed to plonk a suspiciously named file onto somebody's hard drive, and then the *other* group hired by the RIAA to find violators has found said file... It would fit in with the level of forensic rigor we've seen in the past...
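
Added example (not part of the original thread, and not any poster's own tooling): a minimal Python sketch of the triage discussed above, matching a complaint's IP, port and timestamp against DHCP lease and flow records and bouncing the notice when no one held the address. The record layouts, the skew parameter, the outcome labels and all sample data are constructed assumptions; times are assumed to be normalized to UTC.

```python
from datetime import datetime, timedelta, timezone

def ts(s):
    """Parse 'YYYY-MM-DD HH:MM:SS' as a UTC-aware datetime."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)

# Constructed sample records (hypothetical layout): (ip, user, lease_start, lease_end)
LEASES = [
    ("10.1.2.3", "alice", ts("2007-09-25 08:00:00"), ts("2007-09-25 12:00:00")),
    ("10.1.2.3", "bob",   ts("2007-09-25 14:00:00"), ts("2007-09-25 20:00:00")),
]
# Constructed flow summaries: (src_ip, src_port, first_seen, last_seen)
FLOWS = [
    ("10.1.2.3", 6346, ts("2007-09-25 15:10:00"), ts("2007-09-25 15:40:00")),
]

def overlaps(a_start, a_end, b_start, b_end):
    """True when two closed time intervals intersect."""
    return a_start <= b_end and b_start <= a_end

def lease_holders(ip, start, end):
    """Users who held `ip` at any point in the window [start, end]."""
    return {u for (lip, u, s, e) in LEASES if lip == ip and overlaps(s, e, start, end)}

def flow_seen(ip, port, start, end):
    """Whether any flow from ip:port was active during the window."""
    return any(fip == ip and fport == port and overlaps(s, e, start, end)
               for (fip, fport, s, e) in FLOWS)

def triage(ip, port, when, skew=timedelta(0)):
    """Classify a complaint. `skew` widens the window to allow for an
    inaccurate complaint timestamp; a wide window can span two lease
    holders, which is reported as ambiguous rather than guessed at."""
    start, end = when - skew, when + skew
    users = lease_holders(ip, start, end)
    if not users:
        return ("bounce", None)            # nobody held the IP: timestamp is off
    if len(users) > 1:
        return ("ambiguous", sorted(users))
    user = next(iter(users))
    if flow_seen(ip, port, start, end):
        return ("confirmed", user)         # lease and flow data agree
    return ("unverified", user)            # lease matches, flows do not

if __name__ == "__main__":
    print(triage("10.1.2.3", 6346, ts("2007-09-25 15:20:00")))
    print(triage("10.1.2.3", 6346, ts("2007-09-25 13:00:00")))
    print(triage("10.1.2.3", 6346, ts("2007-09-25 13:00:00"), timedelta(hours=2)))
```

The third call shows the cost of compensating for a bad timestamp: a two-hour tolerance straddles two different lease holders, so the result can no longer name a single user.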