Educause Security Discussion mailing list archives
Re: How do you handle the P2P problem?
From: Tracy Mitrano <tbm3 () CORNELL EDU>
Date: Fri, 14 Nov 2003 09:27:26 -0500
Hear, hear, Dan! Just by way of chatting: After the session on copyright at EDUCAUSE, two representatives from the RIAA *enthusiastically* inquired about that old saw "monitoring our network for their content." Here was their latest point: so long as campuses are embarking on IPTV operations -- bringing cable content to residence halls on data networks -- and "monitor" the content in terms of "not providing pornography" then why don't we start monitoring our networks for such violative material as child pornography and their copyrights? I failed to see the one-to-one relationship between the two -- cable content and proactive monitoring for content -- (not to mention the problems imbedded in a line of reasoning that collapses child pornography and copyright infringement), but perhaps folks on this list would like to discuss it. We then moved the conversation to a recognition of the difference in the missions of our respective corporations, and I believe for the first time we came to a genuine understanding: we agreed to disagree but at least saw where each other was coming from on that point. They want to protect their investments and we want to protect the integrity of the academic enterprise. I was also impressed to note that Mr. Sherman did not press the point about monitoring campus networks for content at the general session the next day, and even said something to the effect of "respecting campus culture and traditions." Lord help us, maybe we -- content holders and higher education -- are getting somewhere? Tracy At 07:27 AM 11/14/2003 -0600, you wrote:
Bruce and colleagues, Photocopy machines can be used in violation of copyright. Telephones can be used to arrange drug deals. A judge has ruled that P2P technology is not, per se, illegal. That said, a campus administration could well decide to ban P2P. In my opinion, such a decision should not be made by the IT organization acting alone, but rather in a collaborative process with academic administration and legal counsel. With all due respect, the comfort level of IT personnel is not the dominant consideration in these issues. If your goal is protecting your students from possible lawsuits or criminal prosecution, what are you doing about the Network Neighborhood? Are you preventing LAN-based file sharing? Four students were sued last spring for facilitating LAN-based sharing at Michigan Tech, Princeton, and RPI. These are difficult times and difficult issues. I believe it's imperative to engage in discussion across the university to arrive at sound institutional policies and protocols. Regards, Dan Updegrove Quoting Bruce Purcell <bpurcell () CSUHAYWARD EDU>: > While all of this may be true, it seems that it is picking nits just a bit. > Having installed P2P clients such as Kazaa (just to see what they do, of > course), I didn't see a high percentage of legal files being shared. Knowing > that and doing nothing seems to me to be worse than making an effort to stop > illegal activity -- we are still responsible for our networks and there are > ethical issues here as well as legal. I don't think any single university > has a clientele as large as a major ISP, it just isn't as difficult to take > some sort of action. > > I would not be comfortable going to court and pointing out P2P in itself is > legal, therefore we allowed it to continue without checking it. And, while > we are the student's ISP, I also wouldn't want the DMCA subpoenaing my logs > to track someone down as ISPs have had -- I feel funny helping in the > investigation of my clientele, particularly when it may be something that I > could have prevented. > > Bruce Purcell > Cal State Hayward > > -----Original Message----- > From: Dan Updegrove [mailto:updegrove () MAIL UTEXAS EDU] > Sent: Thursday, November 13, 2003 7:39 AM > Subject: Re: How do you handle the P2P problem? > > > Colleagues, > > I'm not an attorney, but I think we need to challenge some of the > assumptions in these posts: > > * "Illegal peer-to-peer file sharing" is a problematic concept. In May 2003 > a federal judge ruled that P2P software was not illegal, although some uses > of it may be. This suggests to me the only way to detect *illegal* P2P file > sharing is to sniff the content itself, which most campuses are loathe to > do. > > * The notion that a *campus* could face legal liability for P2P traffic > appears to me to violate the basic premises of the Digital Millennium > Copyright Act (DMCA), which provides a "safe harbor" for Internet Service > Providers, including campuses providing network services to non-employees. > > This is not to suggest that use of P2P software on campus is harmless. > Rather I think we need to understand that P2P traffic, per se, is not > illegal. The fact that a campus administration chooses to ban P2P -- which > it might do to manage its bandwidth or to discourage illegal behavior -- > should not, in my view, expose it to legal liability for student use. > Faculty and staff use is another matter, as is the case of an institution > that does not abide by the DMCA regs protecting the safe harbor. > > Regards, > Dan Updegrove > > At 06:42 AM 11/13/2003, Peter Charbonneau wrote: > >We are a fully switched Cisco campus. We have been using CiscoWorks to > >locate people (CampusManager); given that polling takes place every 2 > >hours, this is not a good solution for mobility. We have created a > >"home-grown" Perl and PHP poller that polls all 350 switches every 15 > >minutes; we use the dynamic arp cache in the core 6509's to map MAC to > >IP address - voila - instant locator. > > > >We also use Snort. WE DO get quite a number of false positives; > >however, I have NEVER seen false positives for the P2P users. If you > >turn on the P2P rules, I think you will find the IPs of the violators. > > > >Out legal counsel has told us that if we ban P2P, and anything "slips" > >through, then we are liable AS A CAMPUS. > > > >HTH, > > > >PeteC > > > >************************************************************************* > >Peter Charbonneau Williams College > >Sr. Network and Systems Administrator Office for Information Technology > >Jesup Hall Room 112 22 Lab Campus Drive > >(413) 597-3408 (Phone) Williamstown, MA 01267 > >(413) 597-4103 (Fax) Peter.Charbonneau () williams edu > >*********************************************************************** > >** > > > >-----Original Message----- > >From: The EDUCAUSE Security Discussion Group Listserv > >[mailto:SECURITY () LISTSERV EDUCAUSE EDU]On Behalf Of Clyde Hoadley > >Sent: Wednesday, November 12, 2003 1:54 PM > >To: SECURITY () LISTSERV EDUCAUSE EDU > >Subject: [SECURITY] How do you handle the P2P problem? > > > > > >I'm looking for simple and low cost solutions to some difficult > >problems. > > > >How do you accurately detect illegal peer-to-peer file sharing > >activity? > > > >How do you accurately identify and locate a user who is engaging in > >illegal peer-to-peer file sharing? > > > >Metro State does have some problems with illegal peer-to-peer file > >sharing however, we are solely a commuter campus. We do not have > >dormitories etc... to support. So, our P2P problem probably isn't as > >big as some other institutions P2P problems. > > > >Most of our network uses DHCP addresses. We are not using MAC address > >authorization at this time. We have a single Internet gateway. We are > >doing Ingress filtering - permitting incoming connections for specific > >port/protocols to specific hosts. We do limited Egress filtering - > >permitting almost any outgoing connection. We also have SNORT watching > >the gateway traffic but have most of the rules turned off due to the > >high volume of false positives. We could deny high port to high port > >connections but that would also stop a lot of very legitimate traffic. > > > >We have not received any subpoenas but we do occasionally receive an > >Email notice of Copyright infringement. How are the rest of you > >dealing with the illegal peer-to-peer file sharing problem? > > > >-- > >Clyde Hoadley > >Security & Disaster Recovery Coordinator > >Division of Information Technology > >Metropolitan State College of Denver > >hoadleyc () mscd edu > >http://clem.mscd.edu/~hoadleyc/ > >(303) 556-5074 > > > >********** > > VP for Information Technology Phone (512) 232-9610 > The University of Texas at Austin Fax (512) 232-9607 > FAC 248 (Mail code: G9800) d.updegrove () its utexas edu > P.O. Box 7407 http://wnt.utexas.edu/~danu/ > Austin, TX 78713-7407 > > ********** ********** Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
********** Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
Current thread:
- Re: How do you handle the P2P problem?, (continued)
- Re: How do you handle the P2P problem? Mark Poepping (Nov 13)
- Re: How do you handle the P2P problem? Bradford B. Saul (Nov 13)
- Re: How do you handle the P2P problem? Dan Updegrove (Nov 13)
- Re: How do you handle the P2P problem? Bob Kalal (Nov 13)
- Re: How do you handle the P2P problem? Bruhn, Mark S. (Nov 13)
- Re: How do you handle the P2P problem? Bob Kalal (Nov 13)
- Re: How do you handle the P2P problem? Wada, Kent (Nov 13)
- Re: How do you handle the P2P problem? Bob Kalal (Nov 13)
- Re: How do you handle the P2P problem? Bruce Purcell (Nov 13)
- Re: How do you handle the P2P problem? Dan Updegrove (Nov 14)
- Re: How do you handle the P2P problem? Tracy Mitrano (Nov 14)
- Re: How do you handle the P2P problem? Bruce Purcell (Nov 14)
- Re: How do you handle the P2P problem? Willis Marti (Nov 15)