Summary

Current Situation

  • The MPAA sent a letter to 25 university presidents about the availability of the "MPAA University Toolkit" and offering a conference call to discuss "how we can work more collaboratively and successfully." The letter is linked from the Washington Post article below.
  • The toolkit has two open-source network monitoring applications: ntop and snort. It is built on a bootable Ubuntu Linux CD. This toolkit does not provide any capabilities we don't already have and is not particularly suited to the scale and security requirements of our network.
  • CNS has a bandwidth management plan in place that discourages large amounts of data sharing from the residence halls. The methods used do not depend on the protocol or content of the traffic, merely the volume.
  • CNS engineers participated in the Educause "Workshop on Requirements for Technological Control of Illegal File Sharing on College and University Networks" which took place on 19-20 April 2007. The report from this group is available at http://connect.educause.edu/library/abstract/WorkshoponRequiremen/45209.
  • The university has procedures in place to meet our requirements under the DMCA.

Possible Future Changes/Issues

  • Any scheme to restrict the use of P2P file sharing is likely to be part of a technological "arms race" where development of P2P software and P2P detection/remediation change at a rapid pace. This is particularly true for products intended specifically to identify P2P software and/or infringing content.
  • How deeply do we want to inspect the data contents of network traffic?
    • Can we really tell if the work is infringing?
    • Does this create a reasonable expectation for users that other content (malware, porn, etc.) will be filtered?
  • Technological alternatives
    • Filter - deny traffic that "looks like" P2P.
    • Disrupt - forge packets to reset connections that "look like" P2P.
    • Notify - notify users that traffic patterns that "look like" P2P have been seen on their connection. This would not necessarily be considered an AUP violation, but a security notification. Notification of other traffic patterns indicating possible security problems could also be provided.

Background Information

The Toolkit

Claims from the Overview and Comments.

Here are some claims made in the Overview document and some comments. These comments are partly based on David Taylor's analysis.

  • Each network protocol such as BitTorrent or FTP has a unique signature.
  • The program cannot distinguish between legal and illegal activity and does not identify the titles of the files being passed across the network.
  • The University Toolkit is a free software application to analyze the traffic on campus local networks
    • DT: It didn't cost me a thing to download.
  • Creates a simple graphical report on the extent of file sharing occurring within the campus network
    • DT: not just file sharing!
  • The University toolkit does not identify infringements
    • DT: This is true
  • No privacy issues - the content of traffic is never examined or displayed
    • DT: This is not true. There are a lot of privacy issues with this and I'll show you why later
  • It does not communicate results to the MPA
    • DT: This will take some time to verify. The sensor will check in for an update for a newer version. Doesn't that mean the MPAA now has the IP address of the toolkit sensor?! More on this later as well!
  • It is offered for free to all universities on CD and as a download on UniversityToolkit.com.
    • DT: This is true
  • Requires minimal effort from IT staff.
    • DT: This isn't entirely true. The work that has to be done for this to be effective (for their purposes) is great.
  • Access to NTop and Snort data for detailed analysis.
    • DT: From a web-based console that has no authentication and lets you view it from anywhere in the world. Yes, this is true!

Details of the Contents

This section is just some notes on the specific content and structure of the kit and is probably not of general interest.

  • ntop
  • Snort
    • Custom configuration
      • "Bleeding edge P2P rules"
  • Bootable XUbuntu Linux - Ubuntu (Xubuntu, if you really care) Feisty Fawn, or 7.04
  • Squashfs -
  • xubuntu
  • "Peerwatch"
  • Apache
    • Port 8180
    • No userid or password required to view the primary report application
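    • Password required to change some configuration options.

# Download the toolkit ISO
wget http://universitytoolkit.org/peerwatch-1.2-RC5.iso

# Mount the ISO read-only through a loop device
mount -o ro,loop peerwatch-1.2-RC5.iso /mnt/removable

# Unpack the initrd
# (run this in a work directory)
gunzip -c /mnt/removable/casper/initrd.gz | cpio -i --make-directories

# Unpack the squashfs root filesystem from the mounted ISO, then unmount
unsquashfs /mnt/removable/casper/filesystem.squashfs
umount /mnt/removable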

$ diff -rq --exclude=ubuntu xubuntu-7.04-desktop-i386 peerwatch-1.2-RC5
Files xubuntu-7.04-desktop-i386/casper/filesystem.manifest and peerwatch-1.2-RC5/casper/filesystem.manifest differ
Files xubuntu-7.04-desktop-i386/casper/filesystem.manifest-desktop and peerwatch-1.2-RC5/casper/filesystem.manifest-desktop differ
Only in peerwatch-1.2-RC5/casper: filesystem.manifest-desktope
Files xubuntu-7.04-desktop-i386/casper/filesystem.squashfs and peerwatch-1.2-RC5/casper/filesystem.squashfs differ
Files xubuntu-7.04-desktop-i386/isolinux/boot.cat and peerwatch-1.2-RC5/isolinux/boot.cat differ
Files xubuntu-7.04-desktop-i386/isolinux/isolinux.bin and peerwatch-1.2-RC5/isolinux/isolinux.bin differ
Files xubuntu-7.04-desktop-i386/md5sum.txt and peerwatch-1.2-RC5/md5sum.txt differ
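
The diff above only says that the two filesystem.manifest files differ. The following added example (not part of the original notes) lists which packages the toolkit image added, removed or changed relative to the stock image. It assumes each manifest line has the form "package version"; the function name manifest_diff and the sample manifests are constructed for illustration.

```shell
#!/bin/sh
# Added example: package-level comparison of two casper filesystem.manifest files.
# Assumption: every manifest line is "<package> <version>", whitespace separated.

# manifest_diff STOCK_MANIFEST KIT_MANIFEST
# Prints one sorted line per difference:
#   ADDED   <pkg> <version>          only in the kit image
#   CHANGED <pkg> <old> -> <new>     version differs between images
#   REMOVED <pkg> <version>          only in the stock image
manifest_diff() {
    stock=$1
    kit=$2
    {
        # Tag each line with its origin so an empty file cannot confuse awk.
        sed 's/^/B /' "$stock"
        sed 's/^/C /' "$kit"
    } | awk '
        NF < 3    { next }                       # skip blank or malformed lines
        $1 == "B" { base[$2] = $3; next }        # stock image package
        $1 == "C" {                              # kit image package
            seen[$2] = 1
            if (!($2 in base))       print "ADDED", $2, $3
            else if (base[$2] != $3) print "CHANGED", $2, base[$2], "->", $3
        }
        END { for (p in base) if (!(p in seen)) print "REMOVED", p, base[p] }
    ' | LC_ALL=C sort
}

# Constructed sample manifests (package versions are placeholders, not the
# real contents of either ISO).
demo() {
    tmp=$(mktemp -d) || return 1
    printf '%s\n' 'adduser 1.0-example' 'gimp 2.2-example' \
        'libc6 2.5-example' > "$tmp/stock.manifest"
    printf '%s\n' 'adduser 1.0-example' 'libc6 2.5-example-kit1' \
        'snort 1.0-example' 'ntop 1.0-example' \
        'apache2 1.0-example' > "$tmp/kit.manifest"
    manifest_diff "$tmp/stock.manifest" "$tmp/kit.manifest"
    rm -rf "$tmp"
}

demo
```

Against the real images, the two arguments would be xubuntu-7.04-desktop-i386/casper/filesystem.manifest and peerwatch-1.2-RC5/casper/filesystem.manifest. The ADDED lines are the packages to review for listening services.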

Current Technical Activities

This is a summary of current technical practices related to P2P file sharing.

  • CNS monitors daily traffic volume for users in our residence halls and restricts the available bandwidth to connections that exceed a daily limit for as long as they exceed that limit.
  • Eric participated in the Educause "Workshop on Requirements for Technological Control of Illegal File Sharing on College and University Networks" which took place on 19-20 April 2007. The report from this group is available at http://connect.educause.edu/library/abstract/WorkshoponRequiremen/45209. This is the workshop referenced in the "Draft talking Points on the P2P Sections" by Mark Luker.

Alternatives

  • Audible Magic
    • Vendor's claim: "The CopySense Appliance is the only solution that can identify and block illegal sharing of copyrighted files while allowing other legitimate P2P uses to continue."
    • Copyright owners register their works with the vendor who determines a "fingerprint" for each work. The contents of P2P file transfers are examined for this fingerprint.
    • EFF: Audible Magic - No Silver Bullet for P2P Infringement - also links to Audible Magic's reply and the EFF's reply to that.
  • Red Lambda Integrity
  • packet forgery