Re: P2P Software

[Tracy Mitrano <tbm3 () CORNELL EDU>]

Hi Tom and others,

I am curious: do you consider this activity "monitoring" the network for
content and do you have any IT policies regarding "monitoring?"

Thanks,

Tracy

At 01:47 PM 2/27/2003 -0500, you wrote:
> KaZaa is currently the most popular Peer-To-Peer (P2P) software.
>
> I have figured out how to scan for KaZaa users currently on-line.  The
> scanner is a relatively simple perl script.  The script tries to retrieve
> the ".files" directory page from KaZaa running on the target machine.  KaZaa
> is just an "http" server which stores the file list in a page called
> ".files".  The scanner only indicates whether the target machine is using
> KaZaa or not.  Retrieving the actual file list (and determining if there is
> copyrighted material) will be much harder.
>
> Here's why:
>
> Although KaZaa is just an "http" server it uses some tricks, including
> encryption to prevent any client such as Internet Explorer from reading the
> files and downloading.  When a client requests the file list from KaZaa,
> KaZaa responds with an error 403 (permission denied), but it keeps the
> connection open.  The client responds immediately with another request and
> then it gets the files page.  The original error 403 from the KaZaa (server)
> contains a code which the requesting KaZaa (client) must transform into
> another code when it requests the second time.
>
> Because only KaZaa clients know how to translate that code (currently), only
> KaZaa can be used as a client.  There is no way to request the files of a
> particular IP address in KaZaa.  I believe that is by design.  This prevents
> you from checking if your IPs are sharing files on KaZaa.
>
> The fact that a server responds with a 403 error and not with a 404 (file
> not found) distinguishes KaZaa servers from machines not running KaZaa.
> That is the nature of scanning for KaZaa users.  You start by scanning for
> machines with open port 1214 (the default KaZaa port).  You then request the
> page ".files" from that port and check the return code.  To be completely
> inclusive you would have to do that for every open port since the default
> port for KaZaa can be changed.
>
> Again, you never actually got the ".files" file so you don't know what files
> (if any) are being shared.  You only know that the machine is running KaZaa.
> If you do manage to get the file list you would still need to determine if
> the material is copyrighted.
>
> Blocking the default KaZaa port (1214) on your campus would probably stop
> KaZaa usage.  However, there are other P2P network apps just waiting to take
> its place.
>
> That's what I know so far.  Hope it helps.
>
> Tom Conley
> Network Security
> Ohio University
> conleyt () ohio edu
>
>
>
>
>
>
> -----Original Message-----
> From: The EDUCAUSE Security Discussion Group Listserv
> [mailto:SECURITY () LISTSERV EDUCAUSE EDU]On Behalf Of Piscitello, Frank
> Sent: Thursday, February 27, 2003 11:23 AM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: [SECURITY] P2P Software
>
>
> Is anybody out there using any type of software to find copyrighted
> materials on their campus network other than just firewall/ids logs?
>
> -Frank
>
> ------------------------------------------------------------------
> Frank J. Piscitello, Jr.
> Information Security Manager
> Office of Information Security
> Networking & Telecommunications
> West Chester University of PA
> West Chester, PA 19383
> Phone: 610-436-3192
>
> There are only 10 types of people in the world:  Those who understand binary
> and those who don't.
>
> **********
> Participation and subscription information for this EDUCAUSE Discussion
> Group discussion list can be found at http://www.educause.edu/memdir/cg/.
>
> **********
> Participation and subscription information for this EDUCAUSE Discussion
> Group discussion list can be found at http://www.educause.edu/memdir/cg/.

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/memdir/cg/.