Educause Security Discussion mailing list archives

Re: RIAA timestamps off


From: "Sweeny, Jonny" <jsweeny () IU EDU>
Date: Mon, 1 Oct 2007 13:03:51 -0400

Jordan, we've been evaluating the same predicament.  In the past we've
chosen option #2.  We'd just prefer that the timestamps be accurate ;)
because:

* the flow analysis is very time-consuming for us as well, and
* it is not our responsibility to correct someone's timestamps that are
off.

I'll agree with what many folks have said since my initial post last
Tuesday: In most cases, if we look through NetFlow data and connection
(VPN, DHCP, dialup) logs, we are able to identify the user responsible for
the traffic that the RIAA timestamp meant to identify. However, if the
timestamp was during a time when no one was using that IP address, we
just bounce the notice back with an explanation that their timestamp is
off.

Unlike some Universities, we do not examine the computers or search for
the files so I cannot say anything regarding how many were truly guilty
(though we do not have many file counter-notices when flows do 'confirm'
that we've ID'd the right user).

--
~Jonny Sweeny, GSEC, GCWN, GCIH, SSP-CNSA
Incident Response Manager, Lead Security Analyst
Office of the VP for Information Technology, Indiana University
PGP key & S/MIME cert: https://itso.iu.edu/Jonny_Sweeny
jsweeny () iu edu  p(812)855-4194  f(812)856-1011
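The procedure Jonny describes above (and that Jordan describes in the quoted message below) is a log correlation: take the (IP, timestamp) pair from the notice, find the DHCP/VPN lease that covered that address at that instant, then check the flow records for traffic from that address to the named peer within some clock-skew window. The script below is an added example, not a tool used at either university; the lease and flow records are constructed sample data, the time-zone table is a minimal assumption, and the 30-minute skew window is an arbitrary choice. It returns one of three verdicts: "no_assignment" (nobody held the address, so the notice is bounced as a bad timestamp), "unconfirmed" (someone held the address but no matching flow was seen), or "identified".

```python
"""Correlate a copyright notice's (IP, timestamp) against DHCP lease and
flow records.  Added example with constructed data; the log layouts and
helper names are assumptions, not any campus system's format."""
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address

# Constructed DHCP/VPN lease records: (ip, mac, username, start, end), UTC.
LEASES = [
    ("10.20.30.40", "00:11:22:33:44:55", "jdoe",
     "2007-09-29T08:00:00+00:00", "2007-09-29T12:00:00+00:00"),
    ("10.20.30.40", "66:77:88:99:aa:bb", "asmith",
     "2007-09-29T14:00:00+00:00", "2007-09-29T20:00:00+00:00"),
    ("10.20.30.41", "cc:dd:ee:ff:00:11", "bjones",
     "2007-09-29T00:00:00+00:00", "2007-09-30T00:00:00+00:00"),
]

# Constructed flow records: (start, src_ip, dst_ip, dst_port, bytes).
FLOWS = [
    ("2007-09-29T09:15:00+00:00", "10.20.30.40", "203.0.113.7", 6346, 4_200_000),
    ("2007-09-29T09:40:00+00:00", "10.20.30.40", "198.51.100.9", 443, 12_000),
    ("2007-09-29T15:05:00+00:00", "10.20.30.40", "203.0.113.7", 6346, 900_000),
]

# Assumed zone table for the abbreviations notices typically carry.  An
# unknown zone raises KeyError on purpose: guessing the offset is exactly
# the mistake that turns a good notice into a wrong user.
TZ_OFFSETS = {"UTC": 0, "GMT": 0, "EDT": -4, "EST": -5, "PDT": -7, "PST": -8}

SKEW = timedelta(minutes=30)  # tolerance for the notice's clock being off


def _iso(text):
    """Parse an ISO-8601 string with offset into an aware datetime."""
    return datetime.fromisoformat(text)


def parse_complaint_time(text):
    """Parse 'YYYY-MM-DD HH:MM:SS ZONE' from a notice into a UTC datetime."""
    stamp, zone = text.rsplit(" ", 1)
    naive = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
    local = naive.replace(tzinfo=timezone(timedelta(hours=TZ_OFFSETS[zone])))
    return local.astimezone(timezone.utc)


def find_lease(ip, when):
    """Return the lease that held `ip` at `when`, or None if nobody did."""
    for lease_ip, mac, user, start, end in LEASES:
        if lease_ip == ip and _iso(start) <= when < _iso(end):
            return {"mac": mac, "user": user, "start": start, "end": end}
    return None


def matching_flows(ip, peer, when, skew=SKEW):
    """Flows from `ip` to `peer` whose start lies within `skew` of `when`."""
    return [f for f in FLOWS
            if f[1] == ip and f[2] == peer and abs(_iso(f[0]) - when) <= skew]


def triage(complaint):
    """Decide what to do with one notice: bounce, hold, or identify."""
    ip = str(ip_address(complaint["ip"]))       # reject malformed addresses early
    when = parse_complaint_time(complaint["timestamp"])
    lease = find_lease(ip, when)
    if lease is None:
        # Address was unassigned at that instant: send it back as a bad timestamp.
        return {"verdict": "no_assignment", "utc": when.isoformat()}
    flows = matching_flows(ip, complaint["peer"], when)
    if not flows:
        return {"verdict": "unconfirmed", "user": lease["user"], "utc": when.isoformat()}
    return {"verdict": "identified", "user": lease["user"], "mac": lease["mac"],
            "flows": len(flows), "utc": when.isoformat()}


if __name__ == "__main__":
    # Constructed notices; the second falls in the gap between two leases.
    for notice in [
        {"ip": "10.20.30.40", "timestamp": "2007-09-29 05:30:00 EDT", "peer": "203.0.113.7"},
        {"ip": "10.20.30.40", "timestamp": "2007-09-29 09:30:00 EDT", "peer": "203.0.113.7"},
        {"ip": "10.20.30.40", "timestamp": "2007-09-29 05:30:00 EDT", "peer": "192.0.2.1"},
    ]:
        print(notice["timestamp"], "->", triage(notice))
```

The zone conversion is the step most worth getting right: the same "05:30 EDT" read as UTC lands four hours earlier, before the first lease starts, and would be bounced as "no assignment" when in fact there was a user. Keeping a hard failure on unknown zone abbreviations, and recording the UTC instant actually used in the verdict, makes that kind of error visible when a notice is later contested.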


-----Original Message-----
From: Jordan Wiens [mailto:numatrix () UFL EDU] 
Sent: Monday, October 01, 2007 11:11
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] RIAA timestamps off

We have had multiple cases where students contested the claim and
flow-analysis backed up that they were not participating in the P2P
traffic identified in the complaint.  Not a high percentage, mind
you, but some.

Unfortunately, verifying complaints through flow analysis is
time-consuming and tedious.  So our two options are:

1) Verify each complaint, requiring much more work by the security
team; in cases where the complaint /doesn't/ line up based on
flow-data, do we expand our search to try to find and correct the
time-stamp on the complaint?
2) Waste the student and judicial affairs time by rounding up
everybody and sending them through the process, hoping the innocent
ones actually contest it and then we can exonerate them.

This is not ideal.

--
Jordan Wiens, CISSP
UF Network Security Engineer
(352)392-2061


On Sep 30, 2007, at 9:31 AM, Ken Connelly wrote:

I will echo Rick's sentiments and experiences.  I, too, have been  
dealing with these since day one.  We have never had a student  
dispute the copyright infringement complaint other than a case or  
two where the student registered another's computer for them.  In  
those cases, we redirected the complaint to the true owner and had  
no further dispute.

- ken

Rick Coloccia wrote:
We got 14 these past two weeks.  Very frustrating, since we use a  
packet shaper and an Audible Magic box to minimize this kind of  
traffic.  (All 14 were for encrypted protocols...) In every single  
case, the student admits, "Yes I use limewire/ares/etc" and "Yes I  
have that song" so while the timestamps may well be off we don't  
think that's a significant issue with regard to these takedown  
notices.  Our students admit to the file sharing (but most claim  
they don't know that the same program that lets them get the song  
re-shares it to the world), they get their stern warning, and life  
goes on.  I realize that there are technical differences between  
"making available" and someone "actually downloading" the song via  
a p2p program, but with my students the difference isn't truly  
significant.  We bring students in, teach them the highlights of  
the dmca, insist they uninstall any p2p software, explain how the  
takedown notice affects them as a Geneseo student (If we receive a  
second takedown notice on their behalf, they'll meet the Dean of  
Students who will likely start a process that can only end in  
suspension or expulsion) and send them on their way.  It works for  
us.
I'm not taking the side of the riaa, just sharing my experiences  
having done this for years now, since the very first one...

-Rick

Valdis Kletnieks wrote:
On Sat, 29 Sep 2007 06:50:42 EDT, David Taylor said:

I'm wondering if they are just going by the name of the file
without even verifying the contents of the file.

One has to wonder if this isn't a Beavis-and-Butthead routine,
where one group hired by the RIAA to seed file sharing networks with
bogus and corrupt versions of files has managed to plonk a
suspiciously named file onto somebody's hard drive, and then the
*other* group hired by the RIAA to find violators has found said
file...

It would fit in with the level of forensic rigor we've seen in
the past...
