Re: How do you handle the P2P problem?

[Bruce Purcell <bpurcell () CSUHAYWARD EDU>]

Actually, you seem to have made an assumption here that isn't correct. I do
not work in our central IT department. I am involved in our campus security
project, I have been a network engineer, but I work as an administrator in a
department. And, our campus administration has not yet banned P2P on our
campus though I believe it should. One place that we agree is that I don't
believe that blocking P2P should be an IT decision, that isn't IT's place.
IT has the mission of supporting the business, not deciding how to run it.
It isn't IT comfort levels I'm concerned with when I recommend blocking P2P
protocols where possible, it is campus responsibility.

The fact is that by and large, popular P2P programs were built primarily to
share files illegally and that is how they are used. That doesn't mean that
everyone does that or that P2P is "bad" technology (in fact, I'm truly
impressed by how it works) or that the protocols are any more illegal than,
say FTP, but it is a wee bit difficult to overlook the current uses. Can
that be said about LAN-based file sharing, photocopier use or even
telephones? I haven't done any hard research, but I would venture to say
that photocopiers, telephones and even LAN-based file sharing were primarily
created for legal use and are primarily used that way (though many ISPs
block filesharing ports as a standard practice for security and other
reasons).

Clever people will find ways to share files anyway. I can FTP MP3s around
campus as easily as I can use P2P (and probably even pay a hefty fine if
caught) -- Microsoft has done me the favor of making it easy to turn my
workstation into an FTP server, but I wouldn't propose banning FTP in
general. There are just too many legitimate, legal uses of it to consider
blocking it because some people use it illegally. Once P2P shows that its
primary use is for legal filesharing, I'll change my stand on it.

I agree that sound policies are arrived at by discussion across the
university and I find the views expressed here very interesting and
informative. But, are we really going to say that P2P as currently used is
okay because telephones are okay? I prefer to think that we can decide to
block P2P on campus, legal though it may be, as a method of discouraging
illegal file sharing without having to shut down our switchboards as well to
discourage drug deals.

Bruce Purcell
Cal State Hayward

-----Original Message-----
From: Dan Updegrove [mailto:updegrove () MAIL UTEXAS EDU] 
Sent: Friday, November 14, 2003 5:27 AM
Subject: Re: How do you handle the P2P problem?


Bruce and colleagues,

Photocopy machines can be used in violation of copyright. Telephones can be
used to arrange drug deals. A judge has ruled that P2P technology is not,
per se, illegal.

That said, a campus administration could well decide to ban P2P. In my
opinion, such a decision should not be made by the IT organization acting
alone, but rather in a collaborative process with academic administration
and legal counsel. With all due respect, the comfort level of IT personnel
is not the dominant consideration in these issues.

If your goal is protecting your students from possible lawsuits or criminal
prosecution, what are you doing about the Network Neighborhood? Are you
preventing LAN-based file sharing? Four students were sued last spring for
facilitating LAN-based sharing at Michigan Tech, Princeton, and RPI.

These are difficult times and difficult issues. I believe it's imperative to
engage in discussion across the university to arrive at sound institutional
policies and protocols.

Regards,
Dan Updegrove


Quoting Bruce Purcell <bpurcell () CSUHAYWARD EDU>:

> While all of this may be true, it seems that it is picking nits just a 
> bit. Having installed P2P clients such as Kazaa (just to see what they 
> do, of course), I didn't see a high percentage of legal files being 
> shared. Knowing that and doing nothing seems to me to be worse than 
> making an effort to stop illegal activity -- we are still responsible 
> for our networks and there are ethical issues here as well as legal. I 
> don't think any single university has a clientele as large as a major 
> ISP, it just isn't as difficult to take some sort of action.
>
> I would not be comfortable going to court and pointing out P2P in 
> itself is legal, therefore we allowed it to continue without checking 
> it. And, while we are the student's ISP, I also wouldn't want the DMCA 
> subpoenaing my logs to track someone down as ISPs have had -- I feel 
> funny helping in the investigation of my clientele, particularly when 
> it may be something that I could have prevented.
>
> Bruce Purcell
> Cal State Hayward
>
> -----Original Message-----
> From: Dan Updegrove [mailto:updegrove () MAIL UTEXAS EDU]
> Sent: Thursday, November 13, 2003 7:39 AM
> Subject: Re: How do you handle the P2P problem?
>
>
> Colleagues,
>
> I'm not an attorney, but I think we need to challenge some of the 
> assumptions in these posts:
>
> * "Illegal peer-to-peer file sharing" is a problematic concept. In May 
> 2003 a federal judge ruled that P2P software was not illegal, although 
> some uses of it may be. This suggests to me the only way to detect 
> *illegal* P2P file sharing is to sniff the content itself, which most 
> campuses are loathe to do.
>
> * The notion that a *campus* could face legal liability for P2P 
> traffic appears to me to violate the basic premises of the Digital 
> Millennium Copyright Act (DMCA), which provides a "safe harbor" for 
> Internet Service Providers, including campuses providing network 
> services to non-employees.
>
> This is not to suggest that use of P2P software on campus is harmless. 
> Rather I think we need to understand that P2P traffic, per se, is not 
> illegal. The fact that a campus administration chooses to ban P2P -- 
> which it might do to manage its bandwidth or to discourage illegal 
> behavior -- should not, in my view, expose it to legal liability for 
> student use. Faculty and staff use is another matter, as is the case 
> of an institution that does not abide by the DMCA regs protecting the 
> safe harbor.
>
> Regards,
> Dan Updegrove
>
> At 06:42 AM 11/13/2003, Peter Charbonneau wrote:
> > We are a fully switched Cisco campus.  We have been using CiscoWorks 
> > to locate people (CampusManager); given that polling takes place 
> > every 2 hours, this is not a good solution for mobility.  We have 
> > created a "home-grown" Perl and PHP poller that polls all 350 
> > switches every 15 minutes; we use the dynamic arp cache in the core 
> > 6509's to map MAC to IP address - voila - instant locator.
> >
> > We also use Snort.  WE DO get quite a number of false positives; 
> > however, I have NEVER seen false positives for the P2P users.  If you 
> > turn on the P2P rules, I think you will find the IPs of the 
> > violators.
> >
> > Out legal counsel has told us that if we ban P2P, and anything 
> > "slips" through, then we are liable AS A CAMPUS.
> >
> > HTH,
> >
> > PeteC
> >
> > *************************************************************************
> > Peter Charbonneau                       Williams College
> > Sr. Network and Systems Administrator   Office for Information Technology
> > Jesup Hall Room 112                     22 Lab Campus Drive
> > (413) 597-3408 (Phone)                  Williamstown, MA 01267
> > (413) 597-4103 (Fax)                    Peter.Charbonneau () williams edu
> > *********************************************************************
> > **
> > **
> >
> > -----Original Message-----
> > From: The EDUCAUSE Security Discussion Group Listserv 
> > [mailto:SECURITY () LISTSERV EDUCAUSE EDU]On Behalf Of Clyde Hoadley
> > Sent: Wednesday, November 12, 2003 1:54 PM
> > To: SECURITY () LISTSERV EDUCAUSE EDU
> > Subject: [SECURITY] How do you handle the P2P problem?
> >
> >
> > I'm looking for simple and low cost solutions to some difficult 
> > problems.
> >
> > How do you accurately detect illegal peer-to-peer file sharing 
> > activity?
> >
> > How do you accurately identify and locate a user who is engaging in 
> > illegal peer-to-peer file sharing?
> >
> > Metro State does have some problems with illegal peer-to-peer file 
> > sharing however, we are solely a commuter campus.  We do not have 
> > dormitories etc... to support.  So, our P2P problem probably isn't as 
> > big as some other institutions P2P problems.
> >
> > Most of our network uses DHCP addresses.  We are not using MAC 
> > address authorization at this time.  We have a single Internet 
> > gateway.  We are doing Ingress filtering - permitting incoming 
> > connections for specific port/protocols to specific hosts.  We do 
> > limited Egress filtering - permitting almost any outgoing connection.  
> > We also have SNORT watching the gateway traffic but have most of the 
> > rules turned off due to the high volume of false positives.  We could 
> > deny high port to high port connections but that would also stop a 
> > lot of very legitimate traffic.
> >
> > We have not received any subpoenas but we do occasionally receive an 
> > Email notice of Copyright infringement.  How are the rest of you 
> > dealing with the illegal peer-to-peer file sharing problem?
> >
> > --
> > Clyde Hoadley
> > Security & Disaster Recovery Coordinator
> > Division of Information Technology
> > Metropolitan State College of Denver
> > hoadleyc () mscd edu
> > http://clem.mscd.edu/~hoadleyc/
> > (303) 556-5074
> >
> > **********
>
> VP  for Information Technology          Phone (512) 232-9610
> The University of Texas at Austin       Fax (512) 232-9607
> FAC 248 (Mail code: G9800)              d.updegrove () its utexas edu
> P.O. Box 7407
http://wnt.utexas.edu/~danu/
> Austin, TX 78713-7407
>
> **********

**********
Participation and subscription information for this EDUCAUSE Discussion
Group discussion list can be found at http://www.educause.edu/cg/.

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.