Educause Security Discussion mailing list archives
Re: classifying P2P traffic - what about legit uses? Part Deux
From: Randy Marchany <marchany () VT EDU>
Date: Tue, 29 Jan 2008 17:37:22 -0500
A few more observations.....

1. There is no direct correlation between banning P2P traffic and reducing the number of DMCA violations that occur on your campus. I can violate the DMCA with HTTP, SSH, FTP. All that you can say is that no DMCA violators using P2P have been "caught" by the MPAA/RIAA. You can't claim you've eliminated DMCA violations. If the P2P block is at the campus border, you still have P2P within campus and you can still have DMCA violations. If you block P2P within campus, then I feel sorry for your net admins :-). It says nothing about the practice of downloading illegal copies of material. Solve this user awareness issue and illegal DMCA events drop dramatically.

2. Blocking/restricting P2P traffic because of performance issues is a legit concern. However, even the smallest schools can address this issue by doing things like rate limiting, charging the highest bandwidth users, etc. and not banning the technology outright. Remember that P2P isn't the only massive data transfer service on the net. In the days before P2P, it was WWW, FTP traffic. Do you block those services because they consume net bandwidth? Restrict access? How do you justify interfering with the normal course of business (I need my FTP, I need my P2P, I need my SSH, I need my HTTP) of your institution? Bandwidth limiting addresses a net performance problem that is "independent" of data transfer technologies such as P2P, FTP, HTTP, SSH, etc. and DMCA violations. Blocking one technology only shifts the burden to other transfer technologies. The real problem to be solved here is how to increase net bandwidth.

3. I'm part of our IT Security Office and have done security stuff for 16 years or so. One of the most difficult things to do is balance security needs with normal business operations of the University. One of the easiest errors a security type can make is to dictate a certain security course of action without examining its impact on the business process of the departments.

Years ago, a friend of mine got a Mac. I geeked over it and she patiently waited for me to finish and then calmly told me, "That's nice but as far as my job is concerned, the Mac is a stapler. It helps me do my REAL job." The message: IT is a tool that makes the business process more efficient. Now, when we come up with security directives, we try to measure their impact on the business process. If it's too restrictive, people will work around it and the end result is that we still have a security issue. Too restrictive works in the commercial and military world, not ours.

4. We need to figure out what the real problem is and then work to solve it. The real problem of "illegal" P2P traffic is copyright violations and the threat of sanction from RIAA/MPAA. Joel said it simply: "if it's against the law and you get caught, you are in trouble." Hammer that message to your user community and we start to solve this problem.

5. Remember that my original comments were on "legitimate" use of P2P. Find solutions that allow that to happen and don't take the easy way out by banning it. You only shift the problem to other transfer technologies. A number of schools leave it up to a vendor solution (IPS, etc.) to identify illegal P2P traffic. How does a vendor know what's illegal? Why would you trust them?

-r.