Educause Security Discussion mailing list archives

Re: HBO and DMCA, and peer2peer directory mining


From: "Lovaas,Steven" <Steven.Lovaas () COLOSTATE EDU>
Date: Mon, 30 Apr 2007 14:43:01 -0600

Jim,

Relying on cached directory information certainly doesn't seem like direct knowledge, since it's possible to put fake 
information in the directory. In fact, an investigative technique that has been used is to actually seed a directory 
with a bogus (or otherwise tagged) file that can be monitored for downloads and subsequent offerings. Given that 
tactic, there's no non-repudiation involved. In fact, given that *some* people eagerly use these applications for 
illegal purposes, it would be surprising if non-repudiation were even considered as a feature. But even more basically, 
with IPv4, there's no non-repudiation possible unless you're using some sort of crypto function to sign and/or encrypt 
the traffic. What's to keep someone outside your University from spoofing the address in the first place?

As for your campus judicial process (IANAL = I am not a lawyer), I would never want to instigate an action based solely 
on a complaint like this, without first seeking corroborating evidence through an internal IT investigative process. 
"Preponderance" of evidence suggests that you'd want confirmation (like your own traffic logs, system snapshots, etc).

Steve


==============================================
Steven Lovaas, MSIA, CISSP
Network Security Manager
Academic Computing & Network Services
Colorado State University
970-297-3707
Steven.Lovaas () ColoState EDU
============================================
-----Original Message-----
From: James Moore [mailto:jhmiso () RIT EDU]
Sent: Monday, April 30, 2007 1:57 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] HBO and DMCA, and peer2peer directory mining

This brings up an interesting policy (for our student judicial proceeding) and law issue (in terms of response), which is why I also included the Educause ICPL group.

If what HBO (and ???) is reading is directory information from peer to peer services, then what validity does that have 
to legal complaints?
Isn't this like hearsay (if not, please explain the differences -- HBO doesn't have direct knowledge, do they)? (Note: 
I am not an attorney, just a security professional interested in stating responses accurately).

Has anyone analyzed the directory protocols of peer to peer file sharing for elements of non-repudiation?

And from our campus judicial system perspective, we operate on the basis of preponderance of evidence.  Is this 
something that with a lack of non-repudiation, and issues with currency of data, that we have preponderance of evidence?

Jim

-----Original Message-----
From: Lovaas,Steven [mailto:Steven.Lovaas () COLOSTATE EDU]
Sent: Monday, April 30, 2007 2:28 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] HOB and DMCA

We've had a lot of these, and we think we've figured out what's going on:

HBO's notice is based on detecting a particular address' presence in a cache - basically, a server publishes a list of 
addresses that will provide the desired content. When HBO sees their content on one of those lists, they grab all the 
addresses in the list. But the problem is, this is not a live list - it lives on the server for a certain length of 
time until an inactive address times out.

On our wired network, where addresses tend to be re-used by the same device over a long period of time, an HBO 
complaint based on this tactic usually captures something real. But when it's a wireless address (in our case, through 
our VPN), we cycle through the address pool fairly quickly. So by the time we get the complaint, a simple time stamp 
for when HBO saw the cache list no longer gives us enough information to track down the offender.

So the problem is not that HBO is giving us bogus information; it's that they're not giving us ENOUGH information. They 
give us an address that has been used *at some point in the past defined by the caching time*, without giving an 
indication of when the address was ACTUALLY used. So we can't really find the culprit.

And that's basically how we've been replying to them... Meanwhile, we're altering our policies to simply prevent 
bittorrent, etc. on our wireless/VPN. Legitimate users can use the wired network.

Steve


==============================================
Steven Lovaas, MSIA, CISSP
Network Security Manager
Academic Computing & Network Services
Colorado State University
970-297-3707
Steven.Lovaas () ColoState EDU
============================================
-----Original Message-----
From: Pace, Guy [mailto:gpace () CIS CTC EDU]
Sent: Monday, April 30, 2007 12:13 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] HOB and DMCA


We have had similar notices from HBO over the last month or so. Most have indicated activity more than 9 days and as 
long as 15 days old. My responses haven't bounced, but I did tell them that chances of finding anything of value from 
data that old was negligible. I have yet to see anything like a reply to email or returned phone call from any of the 
senders of these notices--not just from the HBO outfit. I wonder about the validity of these notices ... enough so that 
I'm tempted to recommend they be added to the spam filter.

Guy L. Pace, CISSP
Security Administrator
Center for Information Services (CIS)
3101 Northup Way, Suite 100
Bellevue, WA 98004
425-803-9724

gpace () cis ctc edu


-----Original Message-----
From: Bob Bayn [mailto:Bob.Bayn () USU EDU]
Sent: Monday, April 30, 2007 10:49 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] HOB and DMCA

----- Original Message -----
From: Dick Jacobson <Dick.Jacobson () NDSU NODAK EDU>

There is apparently discussion on the REN-ISAC list about invalid DMCA notices from HBO.

I just reviewed our DMCA complaints.  We haven't been bothered by HBO much at all, but just got a complaint recently.  
It was sent 10 days after the alleged infringement and implicated our proxy server for which we don't keep logs that 
long.  The delivery headers of the complaint didn't look suspicious, and my reply didn't bounce.

Bob
Utah State University
