Re: Fwd: Question about DMCA "stuff"

[Mark Poepping <poepping () CMU EDU>]

This situation seems a lot like vandalism to me: somebody defaces, an
authority cleans up - sooner or later you want to stop the defacing -
generally you try to detect the behavior to get them to stop...

 

A few ideas - that I'm sure others will refine or debunk.

 

These first three methods presume that you know how this file is being
'published' (e.g. ftp), and it's not a service that is 'supposed to be'
running on the machine (e.g. an ftp server).  Generally kiosk machines aren't
expected to be providing any kind of inbound service for the internet.

 . Vulnerability or 'service' scanners (e.g. nessus):

use a service detection tool (vulnerability scanner) to poll the machine and
notify you when the service reappears.

 . Network service enforcement (e.g. firewall):

insert some middlebox functionality to prevent inbound connections [of this
type].  This is most often done with router filters or a NAT/firewall box.

 . Network service audit (e.g. argus or netflow)

'track' the service traffic, watch for "bad kind" and raise an alarm when it
occurs.  You don't need to track IP addresses or content, but instead track
services and most likely discover when the problem reappears (before DMCA
notification) and pinpoint the times when it comes back (giving the library
folks something to watch out for).

 

A fourth idea is to use a tool with IDS capability (e.g. snort or argus) to
look for the specific file name (or signature), probably on the specific path
in question, so you can know when the file had been acquired.  This doesn't
work if you have an encrypted path (e.g. ssl), and it would provide slightly
less accuracy for correlation.

 

The first three methods require that you understand the Internet service
profiles for the terminals, i.e. how they're used (probably not difficult) and
all four methods require that you have an effective control point for
discovering (or implementing) the traffic policy (sometimes not so easy,
depending on administrative and network management boundaries).

 

I understand that Cornell uses Cisco NetFlow for its usage-based billing, and
this is exactly the same data that would enable you to implement the third
method.

 

Links:

Nessus:            www.nessus.org <http://www.nessus.org/> 

NetFlow:           www.cisco.com/warp/public/732/Tech/nmp/netflow/index.shtml

                        www.sflow.org <http://www.sflow.org/> 

Argus:               www.qosient.com/argus

Snort:               www.snort.org <http://www.snort.org/> 

 

Mark.

 

 

-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Tracy Mitrano
Sent: Tuesday, November 04, 2003 10:18 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Fwd: Question about DMCA "stuff"

 

Peter, 

Cornell -- university counsel and judicial administration, not IT -- has set
three intentional violations as the magic number for repeat offender.

Recently we received a third notice, same machine, same file, from a public
computer in one of our (contract colleges) libraries.  Do any of you guys have
similar situations?  Any creative fixes out their about public (mandated)
terminals?

Thanks,

Tracy

At 08:58 AM 11/4/2003 -0600, you wrote:



Peter,

I recommend engaging your college legal counsel asap. The DMCA requires
service termination on "repeat" infringement. Although colleges and
universities appear to differ on what number constitutes "repeat" -- two?
three? -- certainly it's not one.

Regards,
Dan

P.S. I am not an attorney.

At 07:42 AM 11/4/2003, you wrote:



I know that this is SLIGHTLY off topic, but ...

We were sent this this morning concerning one of our students that was
using Direct Connect for file-sharing.  This is the first message I
have received that is not a cease and desist order for removing the
offending material - it an account termination request.  I thought that
all we had to so was have the user stop file-sharing OR have them stop
sharing the offending material.  Comments?

I am NOT questioning the legality or illegality of file-sharing and
don't want to start a discussion about that.  Is this company,
MediaSentry, over the edge?

P

Begin forwarded message:




We are writing this letter on behalf of New Line Cinema, a division
of Time Warner Entertainment Company, L.P. ("New Line").

As you may know, New Line is the holder of rights under copyright,
including exclusive distribution rights, in and to the motion
picture(s) listed above.

No one is authorized to perform, exhibit, reproduce, transmit, or
otherwise distribute the above-mentioned work(s) without the express
written permission of
New Line, which permission New Line has not granted to 137.165.x.y
(obfuscated).

We have received information that an individual has utilized the
above-referenced IP address at the noted date and time to offer
downloads of the
above-mentioned work through a "peer-to-peer" service.

The attached documentation specifies the location on your network
where the infringement occurred, the number of repeat violations
recorded at this specific
location, as well as any available identifying information.

The distribution of unauthorized copies of copyrighted motion
pictures constitutes copyright infringement under the Copyright Act,
Title 17 United States
Code Section 106(3).  This conduct may also violate the laws of other
countries, international law, and/or treaty obligations.

Since you own this IP address, we request that you immediately do the
following:

1) Disable access to the individual who has engaged in the conduct
described above; and
2) Terminate any and all accounts that this individual has through
you.

On behalf of New Line, owner of the exclusive rights to the
copyrighted material at issue in this notice, we hereby state,
pursuant to the Digital
Millennium Copyright Act, Title 17 United States Code Section 512,
that we have a good faith belief that use of the material in the
manner complained of is
not authorized by New Line, its respective agents, or the law.

Also pursuant to the Digital Millennium Copyright Act, we hereby
state that we believe the information in this notification is
accurate, and, under penalty
of perjury, that MediaSentry is authorized to act on behalf of the
owner of the exclusive rights being infringed as set forth in this
notification.

Please contact us at the above listed address or by replying to this
email should you have any questions.

We appreciate your assistance and thank you for your cooperation in
this matter.  In your future correspondence with us, please refer to
Case ID XXYYZZ (obfuscated).

Your prompt response is requested.



PeteC

Peter Charbonneau
Sr. Network and Systems Administrator
Williams College
(413) 597-3408 (desk)
(413) 822-2922 (cell)

**********
Participation and subscription information for this EDUCAUSE Discussion
Group discussion list can be found at http://www.educause.edu/cg/.



VP  for Information Technology          Phone (512) 232-9610
The University of Texas at Austin       Fax (512) 232-9607
FAC 248 (Mail code: G9800)              d.updegrove () its utexas edu
P.O. Box 7407                                   http://wnt.utexas.edu/~danu/
Austin, TX 78713-7407

**********
Participation and subscription information for this EDUCAUSE Discussion Group
discussion list can be found at http://www.educause.edu/cg/.

********** Participation and subscription information for this EDUCAUSE
Discussion Group discussion list can be found at http://www.educause.edu/cg/.

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.