Re: HOB and DMCA

["Lovaas,Steven" <Steven.Lovaas () COLOSTATE EDU>]

We've had a lot of these, and we think we've figure out what's going on:

HBO's notice is based on detecting a particular address' presence in a cache - basically, a server publishes a list of 
addresses that will provide the desired content. When HBO sees their content on one of those lists, they grab all the 
addresses in the list. But the problem is, this is not a live list - it lives on the server for a certain length of 
time until an inactive address times out.

On our wired network, where addresses tend to be re-used by the same device over a long period of time, an HBO 
complaint based on this tactic usually captures something real. But when it's a wireless address (in our case, through 
our VPN), we cycle through the address pool fairly quickly. So by the time we get the complaint, a simple time stamp 
for when HBO saw the cache list no longer gives us enough information to track down the offender.

So the problem is not that HBO is giving us bogus information; it's that they're not giving us ENOUGH information. They 
give us an address that has been used *at some point in the past defined by the caching time*, without giving an 
indication of when the address was ACTUALLY used. So we can't really find the culprit.

And that's basically how we've been replying to them... Meanwhile, we're altering our policies to simply prevent 
bittorrent, etc. on our wireless/VPN. Legitimate users can use the wired network.

Steve


==============================================
Steven Lovaas, MSIA, CISSP
Network Security Manager
Academic Computing & Network Services
Colorado State University
970-297-3707
Steven.Lovaas () ColoState EDU
============================================
-----Original Message-----
From: Pace, Guy [mailto:gpace () CIS CTC EDU]
Sent: Monday, April 30, 2007 12:13 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] HOB and DMCA


We have had similar notices from HBO over the last month or so. Most have indicated activity more than 9 days and as 
long as 15 days old. My responses haven't bounced, but I did tell them that chances of finding anything of value from 
data that old was negligible. I have yet to see anything like a reply to email or returned phone call from any of the 
senders of these notices--not just from the HBO outfit. I wonder about the validity of these notices ... enough so that 
I'm tempted to recommend they be added to the spam filter.

Guy L. Pace, CISSP
Security Administrator
Center for Information Services (CIS)
3101 Northup Way, Suite 100
Bellevue, WA 98004
425-803-9724

gpace () cis ctc edu


-----Original Message-----
From: Bob Bayn [mailto:Bob.Bayn () USU EDU]
Sent: Monday, April 30, 2007 10:49 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] HOB and DMCA

> ----- Original Message -----
> From: Dick Jacobson <Dick.Jacobson () NDSU NODAK EDU>
>
> There is apparently discussion on the REN-ISAC list about invlaid DMCA

> notices from HBO.

I just reviewed our DMCA complaints.  We haven't been bothered by HBO much at all, but just got a complaint recently.  
It was sent 10 days after the alleged infringement and implicated our proxy server for which we don't keep logs that 
long.  The delivery headers of the complaint didn't look suspicious, and my reply didn't bounce.

Bob
Utah State University