Educause Security Discussion mailing list archives

Re: DMCA and NAT


From: "Everett, Alex D" <alex.everett () UNC EDU>
Date: Wed, 30 Nov 2011 15:57:09 +0000

Michael:

Here is an article from our student paper. I would not take it as gospel, but it is probably a good estimate.
http://www.dailytarheel.com/index.php/article/2011/09/illegal_files_0914

Also, our students are not undergoing NAT.

Sincerely,

Alex Everett
University of North Carolina

On Nov 30, 2011, at 10:39 AM, SCHALIP, MICHAEL wrote:

Has anyone gone as far as trying to calculate the “cost per incident” of having to respond to something like this?  
While it’s almost always *possible* to track something like this down to a 95% certainty, (given enough time and FTE 
funding to HAVE someone do this!?)……what is it costing our institutions to respond to these kinds of things??  Even if 
it only takes 1-2 hours to come up with this 95% certainty – what is that 1-2 hours costing us over the course of a 
year?  Surely someone has already calculated this….??

M

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of hall, 
rand
Sent: Wednesday, November 30, 2011 8:10 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] DMCA and NAT

Kevin,

We generate copious NAT logs off our firewall (Cisco ASA) and compress the crap out of them nightly. Doable.

When we get a takedown notice we decompress the log for the day in question and grep the IP/port combo. By and 
large, the time is right on target (well within a minute). That log file entry goes in the evidence pile. [The only 
requests we've had trouble with are ARES requests from RIAA. I've repeatedly offered to work with them to figure out 
why they're broken. Crickets.]

We look at our NAC (Impulse) records to see who owned the internal address at that time. We grab a pretty screenshot 
and add it to the evidence pile.

If the address is from an internal wireless (Meraki) pool we look for layer 7 evidence of P2P use. If we see any we 
grab a pretty screenshot and add it to the evidence pile.

If the identified machine is currently on the network we'll look for live evidence of P2P traffic on our bandwidth 
shaper (Procera).  If we see any we grab a pretty screenshot and add it to the evidence pile.

Once the evidence is compiled we forward the takedown notice and evidence to the student. In our cover letter we are 
charitable and suggest that, perhaps, they don't realize that they are sharing the file and ask them to disable access 
to the file. We offer to further explain, to assist in disabling access, and to accept that they actually have 
copyright holder's permission to share the file. We ask them to help the college maintain its online reputation.


Rand

Rand P. Hall
Director, Network Services                 askIT!
Merrimack College
978-837-3532
rand.hall () merrimack edu


On Tue, Nov 29, 2011 at 10:42 AM, Kevin Halgren <kevin.halgren () washburn edu> wrote:
Looking at the current discussion on DMCA notices, I was wondering how those of you using NAT handle associating a DMCA 
notice with a particular client system.  This continues to be a challenge for us.

Kevin



--
This message has been scanned for viruses and
dangerous content by MailScanner<http://www.mailscanner.info/>, and is
believed to be clean.

Sincerely,

Alex Everett, CISSP, CCNA
Information Security Office
University of North Carolina at Chapel Hill
919.445.9393
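The NAT-log lookup described in the thread (search a day's firewall log for the public IP/port in a takedown notice), as an added example that is not part of the original messages or anyone's production tooling. It goes one step beyond a plain grep by pairing translation build and teardown events, so a public port reused by a different internal host later in the day is not misattributed. Assumptions: Cisco ASA syslog messages 305011/305012 with a `Mon DD YYYY HH:MM:SS` timestamp prefix; the log lines, host name `fw1` and all addresses are constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in ASA 305011 (Built) / 305012 (Teardown) format.
SAMPLE_LOG = """\
Nov 29 2011 09:14:02 fw1 : %ASA-6-305011: Built dynamic TCP translation from inside:10.20.30.41/51514 to outside:198.51.100.7/40112
Nov 29 2011 09:20:45 fw1 : %ASA-6-305012: Teardown dynamic TCP translation from inside:10.20.30.41/51514 to outside:198.51.100.7/40112 duration 0:06:43
Nov 29 2011 14:02:10 fw1 : %ASA-6-305011: Built dynamic TCP translation from inside:10.20.31.77/6881 to outside:198.51.100.7/40112
Nov 29 2011 14:02:11 fw1 : %ASA-6-305011: Built dynamic UDP translation from inside:10.20.30.41/5353 to outside:198.51.100.7/40113
"""

XLATE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d{4} \d\d:\d\d:\d\d) .*%ASA-6-(?P<id>305011|305012): "
    r"(?:Built|Teardown) dynamic (?P<proto>TCP|UDP) translation from "
    r"\S+?:(?P<in_ip>[\d.]+)/(?P<in_port>\d+) to "
    r"\S+?:(?P<out_ip>[\d.]+)/(?P<out_port>\d+)")

def sessions(lines):
    """Pair Built/Teardown events into (key, start, end) translation intervals."""
    still_open, done = {}, []
    for line in lines:
        m = XLATE.match(line)
        if not m:
            continue  # unrelated syslog message
        ts = datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S")
        key = (m["proto"], m["in_ip"], m["in_port"], m["out_ip"], m["out_port"])
        if m["id"] == "305011":
            still_open[key] = ts
        elif key in still_open:
            done.append((key, still_open.pop(key), ts))
    # No teardown in this log: translation was still active at end of file.
    done += [(key, start, None) for key, start in still_open.items()]
    return done

def who_had(lines, out_ip, out_port, when, skew=timedelta(minutes=1)):
    """Internal (ip, port, proto) holding out_ip:out_port at `when`, +/- clock skew."""
    hits = []
    for (proto, in_ip, in_port, o_ip, o_port), start, end in sessions(lines):
        if (o_ip, int(o_port)) != (out_ip, out_port):
            continue
        if start - skew <= when and (end is None or when <= end + skew):
            hits.append((in_ip, int(in_port), proto))
    return hits

if __name__ == "__main__":
    notice_time = datetime(2011, 11, 29, 9, 18, 0)  # constructed notice timestamp
    print(who_had(SAMPLE_LOG.splitlines(), "198.51.100.7", 40112, notice_time))
```

The notice timestamp must be converted to the firewall's log time zone before the lookup; an empty result or more than one hit means the notice cannot be attributed from the NAT log alone.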

