
Based off some Netflow data, we think that a lot of our students are using products like BTGuard which will tunnel the traffic over HTTPS from an anonymous IP in Canada. Very difficult to track, but it usually doesn't get logged back to our IP space.

Tim Cappalli, Network Engineer
LTS | Brandeis University
x67149 | (617) 701-7149
cappalli@brandeis.edu

Comments

That's interesting. Does it set up a tunnel for each connection or does it all pass over one tunnel? In other words, do you end up seeing hundreds of https connections due to the obscene number of connections that bittorrent uses? Or is it just a few connections that "tunnel" the traffic back to the anonymous IP then break it up?

On 10/22/2013 11:27 AM, Tim Cappalli wrote:
> Based off some Netflow data, we think that a lot our students are using
> products like BTGuard which will tunnel the traffic over HTTPS from an
> anonymous IP in Canada. Very difficult to track, but it usually doesn't
> get logged back to our IP space.
>
> Tim Cappalli, Network Engineer
> LTS | Brandeis University
> x67149 | (617) 701-7149
> cappalli@brandeis.edu

It appears to use multiple sessions to the proxy server. I misspoke earlier about HTTPS. It uses TCP port 1025. I created an account and attempted to download a legitimate Linux ISO from an MIT mirror. See below:

Tim Cappalli, Network Engineer
LTS | Brandeis University
x67149 | (617) 701-7149
cappalli@brandeis.edu

I totally concur with Michael. The whole point of DMCA is so that it is not our liability just like conversations on the phone are not the phone companies' responsibility. We just play the role of the messenger. We don't play any role in actively trying to detect it. Besides, given all the encrypted tunneling going on, it is almost impossible anyways. Note: We will send multiple offenders to the Dean for a reminder on lawful practice and college policy. And technically speaking, not all P2P is illegal.

Tim

The problem we were having is I believe our subnets were being targeted. At one point 2 years ago, we were getting 50-100 notices per week before we started blocking it with our Bluecoat Packetshaper. Just the time it took to identify the students then get all the info over to the Dean's Office or Judicial Affairs was terrible. Then on top of that, there was the backlash from the students who were getting sent there.

Eventually, the traffic got past the Packetshaper but the Tipping Point has been excellent since we installed it. I haven't received any formal complaints about us blocking torrents. Every now and then we have to whitelist or work around gaming downloads, but it hasn't been unmanageable. If the students were using VPN or proxies to get past the IPS then the DMCA notices wouldn't come back to us. We cap bandwidth per student so I'm more concerned about the notices than the actual traffic on our network.

I will look into the safe harbor status so thanks for bringing that up guys. Do you think simply blocking P2P would jeopardize that?

On 10/22/2013 5:38 PM, Tim Tyler wrote:
> I totally concur with Michael. The whole point of DMCA is so that it is
> not our liability just like conversations on the phone are not the phone
> companies responsibility. We just play the role of the messenger. We
> don't play any role in actively trying to detect it. Besides, given all
> the encrypted tunneling going on, it is almost impossible anyways. Note:
> We will send multiple offenders to the Dean for a reminder on lawful
> practice and college policy. And technically speaking, not all P2P is
> illegal.
> Tim

Tim and Michael are correct. At CMU, we have been specifically advised by our attorneys not to implement anything that would give us any information on the infringing payloads. We can implement solutions based on IP header information, traffic and protocols but nothing that would notify us of the infringing content. Once we are notified, we are legally obligated to do something about it. Given that not all P2P is illegal, we aren't inclined to outright block the protocols. With the tunneling options now available, it becomes a losing battle in the cat and mouse game to try and segregate legitimate/illegal traffic anyway.

To deal with the current complaints, we simply wrote a system that monitors our DMCA registered agent email account, parses the legitimate emails for the IP/date/time and correlates that data with our NAC solution. The offense gets logged and automatically emails the user. A second offense gets automatically sent to our Office of Student Rights and Responsibilities as well where they call the student into their office and the student gets slapped with a hefty fine. The illegal activities usually stop there. A third and subsequent offenses are the same as the second offense but the fine is bigger yet and they face potential dismissal from the university. It took time to develop the solution but it has made our lives much better not having to manually process every complaint. We do still have to deal with the idiots who send the complaints to our abuse account instead of our DMCA account but that is a simple forward of the email to the correct account.

Our attorneys are very careful to make sure we do not jeopardize our safe-harbor status. It was also one of our attorneys who got the pre-litigation letters to stop because the company sending the letters were not licensed private investigators in the State of Michigan so they were, in fact, violating the law trying to take legal action against our students who were violating the copyright laws.

Mark...

Mark Strandskov
Associate Director - Networks
Central Michigan University
Office of Information Technology
100 Telecom Drive, 007F Woldt LL
Mount Pleasant MI 48859

On 10/22/13 5:38 PM, "Tim Tyler" wrote:
>I totally concur with Michael. The whole point of DMCA is so that it is
>not our liability just like conversations on the phone are not the phone
>companies responsibility. We just play the role of the messenger. We
>don't play any role in actively trying to detect it. Besides, given all
>the encrypted tunneling going on, it is almost impossible anyways. Note:
>We will send multiple offenders to the Dean for a reminder on lawful
>practice and college policy. And technically speaking, not all P2P is
>illegal.
>Tim

Thanks for the info. It's very helpful. How many notices do you get in a month since you don't block it? Does this script also quarantine or remove them from the network? I just read over the safe-harbor status FAQ and there was a section in there that once the DMCA tells you content is illegally being shared that you have to remove it immediately. Or am I interpreting this wrong?

On 10/23/2013 10:10 AM, Strandskov, Mark D. wrote:
> Tim and Michael are correct. At CMU, we have been specifically advised by
> our attorneys not to implement anything that would give us any information
> on the infringing payloads. We can implement solutions based on IP header
> information, traffic and protocols but nothing that would notify us of the
> infringing content. Once we are notified, we are legally obligated to do
> something about it. Given that not all P2P is illegal, we aren't inclined
> to outright block the protocols. With the tunneling options now
> available, it becomes a losing battle in the cat and mouse game to try and
> segregate legitimate/illegal traffic anyway.
>
> To deal with the current complaints, we simply wrote a system that
> monitors our DMCA registered agent email account, parses the legitimate
> emails for the IP/date/time and correlates that data with our NAC
> solution. The offense gets logged and automatically emails the user. A
> second offense gets automatically sent to our Office of Student Rights and
> Responsibilities as well where they call the student into their office and
> the student gets slapped with a hefty fine. The illegal activities
> usually stop there. A third and subsequent offenses are the same as the
> second offense but the fine is bigger yet and they face potential
> dismissal from the university. It took time to develop the solution but
> it has made our lives much better not having to manually process every
> complaint. We do still have to deal with the idiots who send the
> complaints to our abuse account instead of our DMCA account but that is a
> simple forward of the email to the correct account.
>
> Our attorneys are very careful to make sure we do not jeopardize our
> safe-harbor status. It was also one of our attorneys who got the
> pre-litigation letters to stop because the company sending the letters
> were not licensed private investigators in the State of Michigan so they
> were, in fact, violating the law trying to take legal action against our
> students who were violating the copyright laws.
>
> Mark...
>
> Mark Strandskov
> Associate Director - Networks
> Central Michigan University
> Office of Information Technology
> 100 Telecom Drive, 007F Woldt LL
> Mount Pleasant MI 48859
>
> On 10/22/13 5:38 PM, "Tim Tyler" wrote:
>
>> I totally concur with Michael. The whole point of DMCA is so that it is
>> not our liability just like conversations on the phone are not the phone
>> companies responsibility. We just play the role of the messenger. We
>> don't play any role in actively trying to detect it. Besides, given all
>> the encrypted tunneling going on, it is almost impossible anyways. Note:
>> We will send multiple offenders to the Dean for a reminder on lawful
>> practice and college policy. And technically speaking, not all P2P is
>> illegal.
>> Tim

We received 4 so far in this month, 73 in September, 17 in August, 1 in July. We are at 225 for the year. We have 27,000 students to put this in perspective. Last year, we were at 398 through October (430 for the 2012 year). I think we rolled the system into production in the mid-late spring of 2012. This is again down from 871 in 2011 before we implemented the system and 2024, our peak in 2010.

Now I need to clearly state that I am not an attorney and am not giving any legal advice. Legal wants to make sure we are clear on this. :-)

We have discussed shutting off the service from the first incident; however, we don't currently. Legal has vetted our policy as it is. With the current system, we immediately notify the user and they are informed to immediately take action and remove the infringing content. We are hesitant to just block the user from the beginning because we have had documented cases where the complaints were wrong. (e.g. Dates and times corresponded to when there was no one using that address at that stated date and time.) There are also some legal grey areas where the companies hired to gather this information and send the complaints are authorized to download the material. They typically look for who is advertising a copyrighted piece of work and then sending the notice to the service provider. Since they are authorized by the copyright owners, if they download the material, it is not illegal and there is no way they can prove that a non-authorized individual did, in fact, download the copyrighted material off that individual's system. The users are merely advertising the copyrighted material.

It also states in Subsection 512(c) of the Digital Millennium Copyright Act, a "service provider has designated an agent to receive notifications of claimed infringement by providing contact information to the Copyright Office." We have done that. Under the notice and takedown procedure, "a copyright owner submits a notification under penalty of perjury, including a list of specified elements, to the service provider's designated agent. Failure to comply substantially with the statutory requirements means that the notification will not be considered in determining the requisite level of knowledge by the service provider." So should I ignore any complaints (which are unfortunately significant) because they are not following the statutory requirements and sending to the wrong email account? No. Also, like I indicated before, the copyright owners haven't necessarily followed the law in the past with their pre-litigation notices. Our attorneys are ok with our safe harbor status given our current policy and procedures. Again, anyone can claim copyright infringement and while they "submit the notification under penalty of perjury," they are simply sending a take down notice. Given we have documented cases where we could prove that there was no one on the network at those given times, our attorneys feel we are complying with the law with our current policy. We also have no way to validate or verify whether a user has complied unless we don't receive further complaints. Doing so would then alert us to copyright infringement activity on our network which we would then be legally obligated to do something about it and our safe harbor status would be in jeopardy. It is like the song "There's a hole in the bucket."

I know that when this first came out our attorneys along with their other higher ed cohorts, did analyze the law extensively and it was from this that we came up with our current policy. It was only recently that we were able to automatically process the complaints in a very timely fashion. In 2010, I received as many as 150 in one day, usually sent on Friday afternoons for some reason. Now, if I were to receive that many complaints in a day, they would be fully processed in a matter of seconds.

Again, I think the most important thing is for you to make sure your legal department or institutional attorneys believe you are following the law to maintain your safe harbor status. They are the ones who ultimately know your circumstances and can give you the best legal advice.

I hope this helps from my non-legal viewpoint.

Mark...

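
The notice-handling flow described in the two posts above (parse the IP and date/time from a notice, correlate with NAC sessions, escalate on repeat offenses, and hold back complaints that match no session), sketched as an added example; it is not CMU's system and not part of the thread. The notice field labels, addresses, user names, session records and action names are constructed assumptions.

```python
import re
from collections import Counter
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network
# Constructed data: campus range (documentation prefix) and NAC sessions in UTC.
CAMPUS_NET = ip_network("198.51.100.0/24")
NAC_SESSIONS = [  # (ip, user, session start, session end)
    ("198.51.100.23", "student_a", "2013-10-20T01:00:00Z", "2013-10-20T09:30:00Z"),
    ("198.51.100.23", "student_b", "2013-10-20T18:00:00Z", "2013-10-21T02:00:00Z"),
]
# Constructed notice bodies; the field labels are an assumed format.
SAMPLE_NOTICES = [
    "IP Address: 198.51.100.23\nTimestamp: 2013-10-20T03:15:00Z\n",
    "IP Address: 198.51.100.23\nTimestamp: 2013-10-19T23:45:00-04:00\n",  # 03:45 UTC
    "IP Address: 198.51.100.23\nTimestamp: 2013-10-20T12:00:00Z\n",  # nobody online
    "IP Address: 203.0.113.9\nTimestamp: 2013-10-20T03:15:00Z\n",  # not our space
    "IP Address: 198.51.100.23\nTimestamp: 2013-10-20 19:00:00\n",  # no time zone
]
IP_RE = re.compile(r"^[ \t]*IP Address:[ \t]*(\S+)", re.I | re.M)
TS_RE = re.compile(r"^[ \t]*Timestamp:[ \t]*(.+?)[ \t]*$", re.I | re.M)

def parse_utc(value):
    """Parse an ISO 8601 timestamp to UTC; a time without a zone is rejected."""
    dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if dt.tzinfo is None:
        raise ValueError("timestamp has no time zone")
    return dt.astimezone(timezone.utc)

def parse_notice(body):
    """Return (ip, utc_time), or None if a field is missing, malformed or off-campus."""
    ip_m, ts_m = IP_RE.search(body), TS_RE.search(body)
    try:
        ip, when = ip_address(ip_m.group(1)), parse_utc(ts_m.group(1))
    except (AttributeError, ValueError):  # AttributeError: a field did not match
        return None
    return (ip, when) if ip in CAMPUS_NET else None

def find_user(ip, when):
    """Who held this address at that instant, per the NAC log; None if nobody."""
    for s_ip, user, start, end in NAC_SESSIONS:
        if ip_address(s_ip) == ip and parse_utc(start) <= when <= parse_utc(end):
            return user
    return None

def process(notices):
    """Return one (action, user) per notice, escalating on repeat offenses."""
    offenses, results = Counter(), []
    for body in notices:
        parsed = parse_notice(body)
        user = find_user(*parsed) if parsed else None
        if parsed is None:
            results.append(("reject_invalid", None))
        elif user is None:  # complaint matches no session: do not auto-penalise
            results.append(("manual_review_no_session", None))
        else:
            offenses[user] += 1
            action = "email_user" if offenses[user] == 1 else "email_user_and_refer"
            results.append((action, user))
    return results
```

The second sample matches student_a only because its -04:00 timestamp is normalised to UTC before the lookup; compared as local time it would fall outside every session.
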
That was very helpful. Thanks for taking the time to write that up. Now that we're getting these notices we're probably going to have to reevaluate our game plan.

On 10/23/2013 11:50 AM, Strandskov, Mark D. wrote:
> We received 4 so far in this month, 73 in September, 17 in August, 1 in
> July. We are at 225 for the year. We have 27,000 students to put this
> in perspective. Last year, we were at 398 through October (430 for the
> 2012 year). I think we rolled the system into production in the mid-late
> spring of 2012. This is again down from 871 in 2011 before we implemented
> the system and 2024, our peak in 2010.
>
> Now I need to clearly state that I am not an attorney and am not giving
> any legal advice. Legal wants to make sure we are clear on this. :-)
>
> We have discussed shutting off the service from the first incident
> however, we don't currently. Legal has vetted our policy as it is. With
> the current system, we immediately notify the user and they are informed
> to immediately take action and remove the infringing content. We are
> hesitant to just block the user from the beginning because we have had
> documented cases where the complaints were wrong. (e.g. Dates and times
> corresponded to when there was no one using that address at that stated
> date and time.) There is also some legal grey areas where the companies
> hired to gather this information and send the complaints are authorized to
> download the material. They typically look for who is advertising a
> copyrighted piece of work and then sending the notice to the service
> provider. Since they are authorized by the copyright owners, if they
> download the material, it is not illegal and there is no way they can
> prove that a non-authorized individual did, in fact, download the
> copyrighted material off that individual's system. The user's are merely
> advertising the copyrighted material.
>
> It also states in Subsection 512(c) of the Digital Millennium Copyright
> Act, a "service provider has designated an agent to receive notifications
> of claimed infringement by providing contact information to the Copyright
> Office." We have done that. Under the notice and takedown procedure, "a
> copyright owner submits a notification under penalty of perjury, including
> a list of specified elements, to the service provider's designated agent.
> Failure to comply substantially with the statutory requirements means that
> the notification will not be considered in determining the requisite level
> of knowledge by the service provider." So should I ignore any complaints
> (which are unfortunately significant) because they are not following the
> statutory requirements and sending to the wrong email account? No. Also,
> like I indicated before, the copyright owners haven't necessarily followed
> the law in the past with their pre-litigation notices. Our attorneys are
> ok with our safe harbor status given our current policy and procedures.
> Again, anyone can claim copyright infringement and while they "submit the
> notification under penalty of perjury," they are simply sending a take
> down notice. Given we have documented cases where we could prove that
> there was no one on the network at those given times, our attorneys feel
> we are complying with the law with our current policy. We also have no
> way to validate or verify whether a user has complied unless we don't
> receive further complaints. Doing so, would then alert us to copyright
> infringement activity on our network which we would then be legally
> obligated to do something about it and our safe harbor status would be in
> jeopardy. It is like the song "There's a hole in the bucket."
>
> I know that when this first came out our attorneys along with their other
> higher ed cohorts, did analyze the law extensively and it was from this
> that we came up with our current policy. It was only recently that we
> were able to automatically process the complaints in a very timely
> fashion. In 2010, I received as many as 150 in one day, usually sent on
> Friday afternoons for some reason. Now, if I were to receive that many
> complaints in a day, they fully processed in a matter of seconds.
>
> Again, I think the most important thing is for you to make sure your legal
> department or institutional attorneys believe you are following the law to
> maintain your safe harbor status. They are the ones who ultimately know
> your circumstances and can give you the best legal advice.
>
> I hope this helps from my non-legal viewpoint.
>
> Mark...