Educause Security Discussion mailing list archives

Re: P2P Software


From: Tom Conley <conleyt () OHIO EDU>
Date: Thu, 27 Feb 2003 16:22:19 -0500

Tracy et al,

In practice, we do not monitor traffic or content unless it is related to a
network security issue or abuse incident.  In such matters we defer to Legal
Affairs or Campus Police.  We do collect and store log files necessary to
monitor the health and security of the network.  To quote our policy:

"The university considers any violation of acceptable use principles or
guidelines to be a serious offense and reserves the right to test and
monitor security, and copy and examine any files or information resident on
university systems allegedly related to unacceptable use. "

We handle numerous "complaints" related to copyright infringement over P2P
networks.  However, besides the copyright issue, I believe that there is
also a security issue related to the P2P networks because of the large
volume of users and the nature of the applications.  I think it's important
to understand how they work and their scope, and be ready to respond if an
incident such as a virus starts spreading through a P2P network.

Tom



-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU]On Behalf Of Tracy Mitrano
Sent: Thursday, February 27, 2003 2:50 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] P2P Software


Hi Tom and others,

I am curious: do you consider this activity "monitoring" the network for
content and do you have any IT policies regarding "monitoring?"

Thanks,

Tracy

At 01:47 PM 2/27/2003 -0500, you wrote:
KaZaa is currently the most popular Peer-To-Peer (P2P) software.

I have figured out how to scan for KaZaa users currently on-line.  The
scanner is a relatively simple perl script.  The script tries to retrieve
the ".files" directory page from KaZaa running on the target machine.
KaZaa is just an "http" server which stores the file list in a page called
".files".  The scanner only indicates whether the target machine is using
KaZaa or not.  Retrieving the actual file list (and determining if there is
copyrighted material) will be much harder.

Here's why:

Although KaZaa is just an "http" server it uses some tricks, including
encryption to prevent any client such as Internet Explorer from reading the
files and downloading.  When a client requests the file list from KaZaa,
KaZaa responds with an error 403 (permission denied), but it keeps the
connection open.  The client responds immediately with another request and
then it gets the files page.  The original error 403 from the KaZaa
(server) contains a code which the requesting KaZaa (client) must transform
into another code when it requests the second time.

Because only KaZaa clients know how to translate that code (currently),
only KaZaa can be used as a client.  There is no way to request the files
of a particular IP address in KaZaa.  I believe that is by design.  This
prevents you from checking if your IPs are sharing files on KaZaa.

The fact that a server responds with a 403 error and not with a 404 (file
not found) distinguishes KaZaa servers from machines not running KaZaa.
That is the nature of scanning for KaZaa users.  You start by scanning for
machines with open port 1214 (the default KaZaa port).  You then request
the page ".files" from that port and check the return code.  To be completely
inclusive you would have to do that for every open port since the default
port for KaZaa can be changed.

Again, you never actually got the ".files" file so you don't know what
files (if any) are being shared.  You only know that the machine is running
KaZaa.
If you do manage to get the file list you would still need to determine if
the material is copyrighted.

Blocking the default KaZaa port (1214) on your campus would probably stop
KaZaa usage.  However, there are other P2P network apps just waiting to
take its place.

That's what I know so far.  Hope it helps.

Tom Conley
Network Security
Ohio University
conleyt () ohio edu
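
The status-code check described in the message above, sketched in Python as an added example; it is not part of the original post and is not Tom Conley's Perl script. The request line `GET /.files HTTP/1.0`, the verdict labels and the function names are assumptions made for illustration, and the sample replies are constructed.

```python
import socket

KAZAA_DEFAULT_PORT = 1214                   # default port named in the post
REQUEST = b"GET /.files HTTP/1.0\r\n\r\n"   # assumed request form for ".files"

def classify(reply: bytes) -> str:
    """Apply the post's 403-versus-404 heuristic to the first reply bytes."""
    parts = reply.split(b"\r\n", 1)[0].split()
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/"):
        return "not-http"
    code = parts[1].decode("ascii", "replace")
    if code == "403":
        # Servers that forbid dotfiles also answer 403, so this is a lead
        # to confirm with the machine's owner, not proof.
        return "kazaa-likely"
    if code == "404":
        return "http-not-kazaa"
    return "http-other-" + code

def probe(host: str, port: int = KAZAA_DEFAULT_PORT, timeout: float = 3.0) -> str:
    """Send one request to a host on your own network and classify the reply."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "closed-or-filtered"
    with sock:
        try:
            sock.sendall(REQUEST)
            reply = sock.recv(256)   # the status line is all the check needs
        except OSError:
            return "open-no-reply"
    return classify(reply)

# Constructed replies (not captured traffic) to exercise the classifier offline.
SAMPLES = {
    "forbidden": b"HTTP/1.0 403 Forbidden\r\n\r\n",
    "missing": b"HTTP/1.1 404 Not Found\r\nContent-Length: 0\r\n\r\n",
    "ssh-banner": b"SSH-2.0-example\r\n",
    "silent": b"",
}

def classify_samples() -> dict:
    return {name: classify(raw) for name, raw in SAMPLES.items()}

if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name:12} {verdict}")
```
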






-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU]On Behalf Of Piscitello, Frank
Sent: Thursday, February 27, 2003 11:23 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] P2P Software


Is anybody out there using any type of software to find copyrighted
materials on their campus network other than just firewall/ids logs?

-Frank

------------------------------------------------------------------
Frank J. Piscitello, Jr.
Information Security Manager
Office of Information Security
Networking & Telecommunications
West Chester University of PA
West Chester, PA 19383
Phone: 610-436-3192

There are only 10 types of people in the world:  Those who understand
binary and those who don't.

**********
Participation and subscription information for this EDUCAUSE Discussion
Group discussion list can be found at http://www.educause.edu/memdir/cg/.
