Educause Security Discussion mailing list archives

Re: DMCA and NAT


From: "SCHALIP, MICHAEL" <mschalip () CNM EDU>
Date: Wed, 30 Nov 2011 07:42:07 -0700

Having gone through this exact sort of thing at both a higher ed institution *and* a fed R&D lab - you are exactly 
right.  Even having source and destination usually isn't enough.....you pretty much have to catch someone with "hands 
on the keyboard" to satisfy any kind of legal test.  Can you satisfy an "internal policy"?.....that depends on how well 
you write the policy, and how far someone is willing to stretch/enforce that policy.  What about the defense claim of a 
"compromised account"?, (whether real or contrived?).....or the "accidental click"?......or "my computer had malware, 
but I cleaned it up now"?  I've heard all of these - and seen them both succeed and fail as "defense".....

Tough nut to crack.....

M

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of John 
Kaftan
Sent: Wednesday, November 30, 2011 5:58 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] DMCA and NAT

We are blocking P2P as best as we can with our UTM firewall and opening it up for special requests.  I get about 1 
request per year.  So far every distro that uses P2P also has a unicast option.  It is just slower but it works.  

We get very few RIAA complaints (1-2 per year).  So far they have only been warnings.  When we do get them it just says 
the source address, time and port.  I do not believe that is not enough information to prove guilt.  I really need 
source and destination.  With the differences in system time I cannot say for sure that an individual downloaded or 
uploaded content with just source and port number.  Those of you who are using your logs to do this do you feel 
comfortable accusing someone without having all of the info?  Is it not possible that more than one machine could be 
using the same port at the same time, one legal and one illegal?  Accusing one of our "customers" of stealing and 
putting them through the legal consequences is a serious thing.  I'm not willing to do that without time, source IP, 
destination IP, source port, destination port.  

Even then how do I know someone has not spoofed a MAC address and posed as someone else on the network?  We use a MAC 
auth NAC to identify individuals.
Anyone who knows anything about networking could use Wireshark to grab a MAC address from a broadcast packet.  Later 
they could spoof their MAC to make themselves look like someone else.

The only way I can think of to absolutely prove an individual's guilt would be to force them to use 802.1x.  I've seen 
that horror movie.



John Kaftan
IT Infrastructure Manager
Utica College
315.792.3102



-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Brian 
Helman
Sent: Tuesday, November 29, 2011 3:35 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] DMCA and NAT

We are not blocking P2P, but I am throttling it way back.  I used to get ~2 notices a day from the RIAA/MPAA, but those 
stopped about 6-7 months ago.  I don't think it's because of my rate-shaping though.  Maybe I'm just doing a better job 
sending their emails to the junk folder?

I have told my ISP and the RIAA and the MPAA that, if they give me more information (e.g. the address of the system that 
located the offending computer on-campus), that I will gladly track down the offender and shut them down .. (insert 
cricket noise here).  I don't have the manpower to pore through logs.

Having said that, we are going to implement a 1:1 NAT pool in the next few weeks.  I'll then know who had a specific 
public address at any given time.

-Brian

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Daniel 
Bennett
Sent: Tuesday, November 29, 2011 11:53 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] DMCA and NAT

We had a very large number of DMCA/RIAA notices a few years back at the end of a Spring semester.  The decision was 
made to make a best effort attempt to block P2P traffic and we have gone years without a DMCA notice from the RIAA.  We 
decided that the abuse of P2P traffic at our university far outweighed the good uses.


________________________________________
From: The EDUCAUSE Security Constituent Group Listserv [SECURITY () LISTSERV EDUCAUSE EDU] on behalf of Bulanda, Dave G 
[DGBulanda () INDIANATECH EDU]
Sent: Tuesday, November 29, 2011 11:43 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] DMCA and NAT

Kevin,

The way that I handle the DMCA and NAT issue is that I run syslog of my border firewall in a somewhat "INSANE" level.

Match Outside address to inside address - Take the inside address and match via NAC system and DHCP logs to client 
machine.

Then I send notice to student/StudentLife Office and suspend network access.

Dave

David Bulanda
Network Services Manager
dgbulanda () indianatech edu
Indiana Tech



-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Kevin 
Halgren
Sent: Tuesday, November 29, 2011 10:43 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] DMCA and NAT

Looking at the current discussion on DMCA notices, I was wondering how those of you using NAT handle associating a DMCA 
notice with a particular client system.  This continues to be a challenge for us.

Kevin

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
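
The correlation Dave Bulanda describes (outside address to inside address, then inside address to client via DHCP), together with John Kaftan's concern about port reuse and clock differences, worked through as an added example that is not part of any message in this thread. The log layout, addresses, MACs and the 120-second skew window are constructed assumptions.

```python
from datetime import datetime, timedelta

def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

# Constructed sample records (not from the thread), using documentation ranges.
# NAT translation: (start, end, inside_ip, public_ip, public_port, dst_ip, dst_port)
NAT_LOG = [
    (ts("2011-11-29 10:00:00"), ts("2011-11-29 10:00:30"), "10.1.1.20", "192.0.2.10", 40001, "198.51.100.7", 6881),
    (ts("2011-11-29 10:01:00"), ts("2011-11-29 10:05:00"), "10.1.2.33", "192.0.2.10", 40001, "203.0.113.9", 443),
    (ts("2011-11-29 10:00:00"), ts("2011-11-29 10:09:00"), "10.1.3.44", "192.0.2.10", 40002, "203.0.113.9", 80),
]
# DHCP lease: (start, end, inside_ip, mac)
DHCP_LEASES = [
    (ts("2011-11-29 08:00:00"), ts("2011-11-29 16:00:00"), "10.1.1.20", "00:00:5e:00:53:01"),
    (ts("2011-11-29 09:30:00"), ts("2011-11-29 17:30:00"), "10.1.2.33", "00:00:5e:00:53:02"),
    (ts("2011-11-29 08:00:00"), ts("2011-11-29 16:00:00"), "10.1.3.44", "00:00:5e:00:53:03"),
]

def lease_mac(inside_ip, when):
    """MAC holding inside_ip at `when`, or None if no lease covers it."""
    for start, end, ip, mac in DHCP_LEASES:
        if ip == inside_ip and start <= when <= end:
            return mac
    return None

def candidates(public_ip, public_port, when, dst=None, skew_seconds=120):
    """All (inside_ip, mac) pairs consistent with a notice.

    dst is an optional (dst_ip, dst_port) tuple. skew_seconds widens the match
    window to allow for clock differences between the reporter and the firewall.
    """
    skew = timedelta(seconds=skew_seconds)
    found = set()
    for start, end, inside, pub_ip, pub_port, dst_ip, dst_port in NAT_LOG:
        if (pub_ip, pub_port) != (public_ip, public_port):
            continue
        if when < start - skew or when > end + skew:
            continue  # translation was not live near the reported time
        if dst is not None and dst != (dst_ip, dst_port):
            continue  # full 5-tuple available: destination must match too
        found.add((inside, lease_mac(inside, start)))
    return sorted(found)

def verdict(matches):
    """Only a single candidate supports acting on the notice."""
    return {0: "no match", 1: "unique"}.get(len(matches), "ambiguous")
```

With only public address, port and time, the reused port 40001 yields two candidates inside the skew window; adding the destination address and port narrows it to one.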

