MPAA University 'Toolkit' Raises Privacy Concerns

The Motion Picture Association of America is urging some of the nation's largest universities to deploy custom software designed to pinpoint students who may be using the schools' networks to illegally download pirated movies. A closer look at the MPAA's software, however, raises some serious privacy and security concerns for both the entertainment industry and the schools that choose to deploy the technology.

On Oct. 24, MPAA sent a letter to the presidents of 25 universities that the association has identified as top locations for the downloading of pirated movies over online file-sharing networks. In the letter, the group said it "has developed the University Toolkit, an application which can produce a report that is strictly internal and therefore confidential to illustrate the level of file sharing on [your school's] network. In addition, we will send a hard copy in the near future to your university's Chief Information Officer."

Security Fix downloaded the University Toolkit and studied it, with the help of David Taylor, a senior information security specialist with the University of Pennsylvania in Philadelphia. (Taylor's school was not among those that received the letter.)

What we found was that depending on how a university's network is set up, installing and using the MPAA tool in its default configuration could expose to the entire Internet all of the traffic flowing across the school's network.

First, an explanation of what the toolkit is and how it works. The University Toolkit is essentially an operating system (Xubuntu) that you can boot up from a CD-ROM. The package bundles some powerful, open-source network monitoring tools, including "Snort," which captures detailed information about all traffic flowing across a network, as well as "ntop," a tool used to take data feeds from tools like Snort and display the data in more user-friendly graphics and charts.

The MPAA overview of the toolkit stresses that the software does not communicate any information about a university's network back to the association. But in its current configuration, the very first thing the toolkit does once it is fired up is phone home to the MPAA's servers and check for a new version of the software. So, right away, the MPAA knows the Internet address of every computer that is running the software.

The MPAA also claims that using the tool on a university network presents "no privacy issues -- the content of traffic is never examined or displayed." That statement, however, is misleading.

Here's why: The toolkit sets up an Apache Web server on the user's machine. It also automatically configures all of the data and graphs gathered about activity on the local network to be displayed on a Web page, complete with ntop-generated graphics showing not only bandwidth usage generated by each user on the network, but also the Internet address of every Web site each user has visited.

Unless a school using the tool has firewalls on the borders of its network designed to block unsolicited Internet traffic -- and a great many universities do not -- that Web server is going to be visible and accessible by anyone with a Web browser. But wait, you say: Wouldn't someone need to know the domain name or Internet address of the Web server that's running the toolkit? Yes. However, anyone familiar enough with the file-naming convention used by the toolkit could use Google to search for the server.

But surely there are ways a network administrator might keep this information from being available to the entire Web, right? Yes. The toolkit allows an administrator to require a username and password for access to the Web server. The problem is that the person responsible for running the toolkit is never prompted to create a username and password. What's more, while Apache includes a feature that can record when an outsider views the site, that logging is turned off by default in the MPAA's University Toolkit.
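As an added illustration (not code from this post or from the toolkit), the following Python checks an Apache configuration for the three weak defaults described above: no access logging, no username/password requirement on the monitoring pages, and a listener bound to every interface. The two configurations inside it are constructed for the example and only mirror the behaviour the post describes; they are not the toolkit's actual files, and the directive scan is deliberately simple (no Include handling or per-directory overrides).

```python
"""Audit an Apache config for the weak defaults the post describes.

Constructed example: the two configs below are written for this
illustration and are not the toolkit's actual Apache files.
"""

# Constructed: mirrors the defaults described in the post (no auth,
# access log commented out, listening on every interface).
WEAK_CONF = """\
Listen 80
DocumentRoot /var/www/ntop
#CustomLog /var/log/apache2/access.log combined
<Directory /var/www/ntop>
    Options Indexes
</Directory>
"""

# Constructed: the same site with the three defaults corrected.
HARDENED_CONF = """\
Listen 127.0.0.1:80
DocumentRoot /var/www/ntop
CustomLog /var/log/apache2/access.log combined
<Directory /var/www/ntop>
    AuthType Basic
    AuthName "Network monitor"
    AuthUserFile /etc/apache2/.htpasswd
    Require valid-user
</Directory>
"""

# Host parts of a Listen directive that mean "every interface".
ALL_INTERFACES = {"", "0.0.0.0", "*", "[::]"}


def active_directives(conf):
    """Yield (name, args) for each directive, skipping comments and section tags."""
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("<"):
            continue
        parts = line.split(None, 1)
        yield parts[0], (parts[1] if len(parts) > 1 else "")


def audit(conf):
    """Return a list of findings; an empty list means none of the weak defaults is present."""
    seen = {}
    for name, args in active_directives(conf):
        seen.setdefault(name, []).append(args)

    findings = []
    if "CustomLog" not in seen and "TransferLog" not in seen:
        findings.append("no access log: visits to the monitoring pages leave no record")
    # 'Require all granted' opens access; only user/group/valid-user rules count as auth.
    auth_rules = [a for a in seen.get("Require", []) if not a.startswith("all granted")]
    if not auth_rules:
        findings.append("no Require rule: anyone who can reach the server can read the data")
    for args in seen.get("Listen", []):
        # "Listen 80" has no host part; "Listen 127.0.0.1:80" is bound to loopback only
        host = args.rsplit(":", 1)[0] if ":" in args else ""
        if host in ALL_INTERFACES:
            findings.append(f"Listen {args}: bound to every interface, not just localhost")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit(conf) or ["no findings"])
```

Run against the two constructed configs, the weak one produces three findings and the hardened one none; pointing it at a real httpd.conf shows how far a monitoring box's web front end is from the minimum of authentication, logging and a loopback-only listener.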

On the surface at least, it was beginning to seem like the MPAA was asking universities to install a black box tool that would allow anyone to wiretap their networks, all the while hiding the tracks of those listening in on the network. So I put a few questions to the MPAA about its toolkit.

Craig Winter, the MPAA's deputy director for Internet enforcement, said the toolkit was in the "beta" phase. Winter said the MPAA and the developer of the software -- Fairfax, Va.-based Mantech International Corp. -- plan to release another version of the software within "a few weeks."

When asked about the phone-home update feature of the toolkit, Winter said the MPAA ultimately decided to include the update mechanism so that it could ship a new version when developers had fixed what he said was a "bug" in the ntop software. According to Winter, once the portion of the ntop program that counts the ones and zeros representing how much bandwidth a given connection has used gets to four gigabytes, it resets, starting the counter back at zero again.

Winter emphasized several times that the toolkit was not designed to determine whether someone is infringing on copyrights. "It can tell you how much traffic is going back and forth on BitTorrent [a popular file-sharing service], but it can't see what's in those files or what the names of those files are, and it doesn't communicate anything back to the Internet."

He added that the MPAA would consider making it mandatory for administrators of the toolkit to set a username and password for the Web server, and that future versions of the software may also ask users if they want to check for updates rather than phoning home automatically each time the toolkit is booted up.

"It's certainly not a tool intended for us to come and inspect [university networks] without permission," Winter said. "We wanted to make this as easy to use as possible, to accommodate system administrators who might want to go back to their dorm and monitor it remotely."

Unfortunately, even with a firewall keeping non-university students from accessing the toolkit's Web server, any student on the network armed with the Internet address of the Web server could view all of the traffic on his or her segment of the network, said Penn's Dave Taylor.

The MPAA's letter campaign and the release of this software package come as Congress is considering a higher-education funding bill that would place new anti-piracy obligations on universities that participate in federal financial aid programs. Included in that massive bill, which was approved by the House Education and Labor Committee last week, are provisions that would require the very same 25 universities that received the MPAA letter to develop technology-based approaches to keep students from downloading infringing content.

It's not clear how many -- if any -- universities are currently using the MPAA's toolkit. The MPAA itself says it doesn't know how many have deployed it. Doug Pearson, a technical director of the Research and Education Networking - Information Sharing and Analysis Center (REN-ISAC), said he is not aware of any schools that have installed the toolkit, but that many were still poking and prodding it.

"There are a lot of people trying to figure out exactly what all the thing does and what risks it might present to a network that it's placed on," Pearson said.

Steve Worona, director of policy and networking programs at EDUCAUSE, a nonprofit association that promotes the use of information technology in higher learning, said he'd like to think that "no university network administrator in their right mind would install this toolkit on their networks." But he said some campus IT personnel may fail to dig too deeply into what the device actually does before installing it.

Reached by cell phone on Thanksgiving eve, Worona said he hadn't had time to investigate the toolkit, but that if Taylor's report was accurate then the MPAA's toolkit conjures up memories of the Sony rootkit fiasco. In that saga, Sony got in trouble with privacy and security advocates after it shipped hidden anti-piracy software with a number of music CDs, software that not only destabilized PCs running it but also opened them up to a host of Internet security threats.

"The important thing about the Sony rootkit wasn't the details about what a rootkit was or why it ended up being put into those CDs, but rather what the intention was versus what the CDs really did," Worona said. "The MPAA appears to be asking university administrators to run something which could expose sensitive, private data and in the process leave the campus subject to privacy complaints by virtue of student data being exposed."

If you know of any universities that are using the MPAA toolkit, please post in the comments. We'll also watch to see if and when MPAA updates the software and whether the update addresses the privacy and security issues raised here.

Update, 10:56 a.m. ET, Nov. 27: A previous version of this blog post incorrectly stated that anti-piracy provisions in a higher-education funding bill approved by the House Education and Labor Committee would cut public funding for schools that did not implement policies and technological measures to combat online copyright infringement. A committee staffer contacted Security Fix to clarify that the "bill would not strip financial aid away from a college if students continue to illegally download on campus, and does not make the development of these plans a part of the colleges' program participation agreement with the Education Department."

By Brian Krebs  |  November 23, 2007; 6:30 AM ET
Categories: From the Bunker, Piracy, U.S. Government

Comments

"illegally download pirated movies"

I thought the legal issue was the uploading of pirated movies (one and the same if you're using Bit Torrents, I suppose) but very different if you're using other P2P software and not actually sharing the files you're downloading.

db

Posted by: David Bradley | November 23, 2007 6:43 AM

Thank god we've got the Democrats in power in congress! They'll never kowtow to Hollywood or to private equity firms! They're for the little guy who lives in Manhattan, or Malibu.

Posted by: Robert | November 23, 2007 7:33 AM

David Bradley:

It is illegal to share copyrighted material without proper authorization, period. However they seem to mainly go after those that are making it available for download.

Posted by: D | November 23, 2007 8:04 AM

The MPAA itself says it doesn't know how many have deployed it.

...

But in its current configuration, the very first thing the toolkit does once it is fired up is phone home to the MPAA's servers and check for a new version of the software.

???

Yah, we can trust them to not log, and identify, the ips and schools from which their software phones home. They have the purest of intentions, I'm sure.

Posted by: Still Anonymous | November 23, 2007 10:50 AM

"It is illegal to share copyrighted material without proper authorization, period."

No, it's not. Downloading is not legally sharing. Under U.S. law, it is only illegal to offer for download, no matter how many groups try to convince you otherwise. There has not been a single court case or conviction for downloading, they have all been for making it available to others.

Posted by: Saint | November 23, 2007 11:23 AM

Saint:

Yes, it is.

http://www.us-cert.gov/cas/tips/ST05-004.html

I 'said' it is true they normally chase the ones that make the copyrighted content available for download but just because you can't find a court case about it doesn't mean it isn't illegal.

Posted by: D | November 23, 2007 11:28 AM

David Bradley...with respect...with your insight logically applied to this issue...the entire internet is illegal thus making all links to any information anywhere on the internet subject to prosecution unless there are ads on the page.

The perceived issue here is that the larger entity is hemming and hawing to MAKE the internet a marketplace which it is not. To have the MPAA and the RIAA force information that makes it to the public domain subject to copyright laws is as ludicrous as the DMCA itself. We are drowning ourselves in laws and rules and regulations that should have been determined beforehand. This is becoming a ridiculous joke with the punchline leaning towards the RIAA and MPAA once again.

Posted by: Yummykind | November 23, 2007 11:57 AM

This is all baloney anyway, the MPAA needs to grow up and get with the times. Technology has evolved, their old business models can't work in today's world. They need to come up with new ways to make the sky-high amounts of money they were making before, charging $20 or more a CD that cost < $1 to make and maybe just as much to ship. Most other fields have realized they need to change their business models and are in the process of doing so, taking advantage of the web's capabilities and the intelligence of those who commit their lives to it, apparently the MPAA wants to time travel back to the late 1980's and early 1990's when they had 100% control. That time has passed. It's 2007 now, the collective people are smarter than the few corporations.

Posted by: Kevin | November 23, 2007 11:57 AM

I also believe the US CERT was only formed in 2003 as an afterthought...it is still new and is part of the Dept of Homeland Security which was supposed to protect us from Terrorism and yet is merely instituting for laws and regulations inside of its own borders...if your ideologies fall in line with the constitution then the Dept of Homeland Security making rules about how you should use the internet once information is posted there becomes bunk. Cert, among other things tells you to 'beware' of things...well...of things like your entire computer (Your browser, all office product therein and anything used to connect to the internet)...like a fear creating parent per se...catering to the ignorant who would rather have the government tell them what to do rather than educate themselves on the matter then proceed forward.

There's one problem. Colleges aren't cable providers, RIAA has no authority to obtain the subpoenas nor does the MPAA. If the schools were hosting the infringing content, the labels would be able to wield the DMCA sledgehammer and easily obtain the names of the students sharing the content. And if the schools were cable operators as defined by the CCPA, they would be forced to turn over identifying data, just as the likes of Comcast, Verizon, Cox, and AT&T are. But it appears that neither law applies to colleges and universities when it comes to students sharing music over KaZaA. Unless Congress sees fit to change the law, the RIAA may be stuck between a rock and a hard place on this issue.

I personally find it odd that our Government is spending quite a bit of energy changing laws and rules to stop dance parties and your ability to listen to music and watch movies to the point of this life becoming a really bad adaptation of Footloose....the movie. I can cite a movie reference here without linking to it can't I?

Posted by: Yummykind | November 23, 2007 12:12 PM

Some folks seem to be reacting to the name of the sponsor instead of the tools. The reality is most programmers are very bad at security and defaults, so many software programs have insecure installations. Yes, many programmers seem to assume a firewall or something else will provide security, so they don't. Even P2P programmers make the same mistakes with insecure default settings. Most of the software programs in the MPAA University Toolkit are open-source tools already used by many university network administrators, and have the same insecure defaults whether installed on their own or as part of a packaged toolkit.

Posted by: sdonelan | November 23, 2007 12:31 PM

mudkips, we liek them

Posted by: anon | November 23, 2007 1:17 PM

Kinda funny that they chose to use an open source OS and program/programs to do this with.

Posted by: DOUGman | November 23, 2007 2:00 PM

DOUGman writes:
"Kinda funny that they chose to use an open source OS and program/programs to do this with."

Also kinda funny that I can't find an offer of source code for their modified version anywhere. This in itself is a serious GPL violation - ironic that the copyright police themselves have no desire to respect the copyrights of others.

Posted by: Eric | November 23, 2007 3:00 PM

This software might be illegal in Germany:

http://www.theregister.co.uk/2007/08/13/german_anti-hacker_law/

However, the picture of the students on the website clearly shows that it will only be used for legitimate reasons. lol.

Posted by: darko | November 23, 2007 4:21 PM

Ironic is it not, that such an icon of proprietary claims on what is termed «intellectual property» as the MPAA would choose to use a toolkit based on Xubuntu, which is freely available and can be freely modified under a GPL license. I note that on the «Get Xubuntu» page, the following notice appears : «Unfortunately, unlike the other Ubuntu derivatives, Xubuntu does not yet have free cds available for shipping due to lack of funding.» But perhaps the MPAA will donate some small proportion of the funds they have spent on the «University toolkit» to enable Xubuntu CDs to be sent free of charge to those who need them....

Henri

Posted by: mhenriday | November 23, 2007 5:10 PM

Taosecurity downloaded and analyzed the toolkit. Pretty interesting.

http://taosecurity.blogspot.com/2007/11/examining-mpaa-university-toolkit.html

Posted by: David Taylor | November 23, 2007 5:55 PM

I really dislike it that so many systems, be it open source or closed source, fire up different network daemons without asking admins what to do.

Everything should be disabled (network, daemons) at boot and only started if the user chooses to start it.

Posted by: me | November 23, 2007 6:05 PM

This is why Linux must be destroyed, litigated out of existence!
http://fakesteveballmer.blogspot.com

Posted by: steve ballmer | November 24, 2007 7:37 PM

Some info for Ubuntu (and, I suspect, Debian) users:

If you want to inspect the toolkit with a little more finesse than actually booting a system off it (and assuming you don't have squashfs directly available in your kernel), then do the following as root:

wget http://universitytoolkit.org/peerwatch-1.2-RC5.iso
mount -o ro,loop peerwatch-1.2-RC5.iso /mnt
unsquashfs /mnt/casper/filesystem.squashfs
umount /mnt

This leaves you with the unpacked filesystem in ./squashfs-root. You'll need about 560MB for the initial image, and then about 1.5GB for the unpacked filesystem content.

If you don't have unsquashfs, then:

apt-get install squashfs-tools

Posted by: antibozo | November 25, 2007 12:09 AM

A few followup comments:

Bk> What we found was that depending on how a university's network is set up, installing and using the MPAA tool in its default configuration could expose to the entire Internet all of the traffic flowing across the school's network.

Possible, but that sort of statement is true of nearly any monitoring system someone sets up.

In practice, the only traffic this system will see a priori is traffic to the system itself, until a network admin gets involved and configures a span port to deliver a profile (or full feed) of the campus's core or border traffic. At that point, you know this system is not being set up by just one random bozo (i.e. more than one bozo, and possibly a non-bozo, are involved). This makes it a bit less likely that someone will just boot up a box that is both completely exposed and seeing any useful traffic.

There's no need for this system to be publicly exposed at all to operate. Anyone who's set up a few high-bandwidth snort boxes will know to simply feed the traffic to a monitor-only interface and keep the primary interface on a private LAN.

Bk> However, anyone familiar enough with the file-naming convention used by the toolkit could use Google to search for the server.

Google isn't magic. It doesn't just *know* about everything out there--someone has to point to it for it to crawl its way over there. Even if Google were speculatively crawling random IPs, it would have to be pretty aggressive to find the web servers on this thing (there are two, but neither runs on port 80).

Your point is valid, however, in that the system is easily discovered with, say, nmap, since those two web servers on odd ports amount to a pretty clear signature.

D> It is illegal to share copyrighted material without proper authorization, period.

Isn't that a tautology?

Yummykind> I also believe the US CERT was only formed in 2003 as an after thought

I don't know what your intended point is, but US-CERT is an entirely benevolent organization dedicated to providing security resources to the rest of the government and to the general public. It is really a spin-off of the Carnegie-Mellon CERT that existed, basically, since the Morris worm.

Eric> Also kinda funny that I can't find an offer of source code for their modified version anywhere. This in itself is a serious GPL violation

I don't believe they have modified anything GPL. They've customized snort and ntop, and customized Xubuntu slightly. All of the customizations are clearly visible. The key tweak is that they have /etc/skel/.bashrc run their python startup app in /usr/local/sbin/peerwatch.py, which gathers some config info from the user and fires up snort, Tomcat, and ntop.

The only binary content I've found is the contents of the peerwatch Tomcat webapp's Java classes. Source is easily reconstructed from that, and those classes do very little; I'm not even sure why it isn't all JSP. In any case, it's their own code, not under GPL.

As for the toolkit itself, it's really just a poor-man's basic IDS with traffic profiling--any decent network engineer should already have something superior set up. A few points of irony:

- The kernel includes the non-free nvidia driver. Not sure if that's a license violation but it's kind of funny.

- The Tomcat webapp has both SQL injection and XSS vulnerabilities. I don't see any way to do anything harmful with them, but it doesn't bode well.

- The administrative password--prompted for during setup, and later used to shut down, restart, or "purge" the system--is written in unsalted MD5 digest form to, of all places, the peerwatch webapp's directory, where it is exposed to whoever can talk to the system. Unless the password is particularly strong, John the Ripper (for example) should be able to find it in reasonable time. I imagine offending students who run across one of these systems might appreciate the ability to "purge". I also hope the network engineers don't reuse the enable password for this. (!)

Posted by: antibozo | November 25, 2007 5:12 AM
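The unsalted MD5 point in the comment above, worked through as an added Python example (not code from the commenter, the post or the toolkit): a bare MD5 digest of a password can be matched against a table computed once from a wordlist, whereas a salted, iterated hash (PBKDF2-HMAC-SHA256 here, an assumption about what a hardened version would use rather than anything the toolkit does) defeats that table and gives two users with the same password different stored values. The wordlist and the sample password are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed wordlist standing in for the dictionary a cracking tool would carry.
WORDLIST = ["password", "letmein", "monitor", "peerwatch", "snort123"]
ITERATIONS = 100_000  # PBKDF2 work factor; the cost an attacker pays per guess


def unsalted_md5(password):
    """The weak storage form described in the comment: bare MD5 hex digest, no salt."""
    return hashlib.md5(password.encode()).hexdigest()


def md5_table(wordlist=WORDLIST):
    """digest -> word map, built once and reusable against every unsalted digest ever seen."""
    return {unsalted_md5(w): w for w in wordlist}


def lookup_unsalted(digest, table=None):
    """Dictionary hit for an unsalted digest, or None when the word is not in the table."""
    return (table or md5_table()).get(digest)


def salted_pbkdf2(password, salt=None):
    """Salted, iterated hash (PBKDF2-HMAC-SHA256), stored as 'salt_hex$digest_hex'."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"


def verify_pbkdf2(password, stored):
    """Recompute under the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$")
    recomputed = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), ITERATIONS
    )
    return hmac.compare_digest(recomputed.hex(), digest_hex)


def lookup_salted(stored, table=None):
    """The precomputed table is useless against a salted digest: nothing in it can match,
    so every guess has to be recomputed under this record's own salt at full cost."""
    return (table or md5_table()).get(stored.split("$")[1])


if __name__ == "__main__":
    pw = "monitor"  # constructed weak admin password
    print("unsalted MD5, table lookup:", lookup_unsalted(unsalted_md5(pw)))  # monitor
    print("salted PBKDF2, table lookup:", lookup_salted(salted_pbkdf2(pw)))  # None
    print("two users, same password, unsalted digests equal:",
          unsalted_md5(pw) == unsalted_md5(pw))
    print("two users, same password, salted records equal:",
          salted_pbkdf2(pw) == salted_pbkdf2(pw))
```

The defensive takeaway is the one the comment implies: a password file that stores a bare MD5 digest is only as safe as the password is obscure, because the table in md5_table is built once and tried against every such file; a per-record salt plus an iterated hash removes the precomputation and makes each guess cost ITERATIONS hash operations.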

I would also like to point out that there are many of us out here that actually do purchase our audio/video media legally. P2P is not only for downloading illegal material. It is still a powerful and highly used tool for sharing thoughts, ideas, and open-source, GNU licensed software. It is a powerful distribution tool, and if greedy jackhineys like the folk at the MPAA and RIAA would realize this and adapt their business model to match the changing times they might happen to actually profit if the changes offered a better value to the masses.

Well that was my two cents that is all. Thanks

Posted by: NoBodyIsSafe | November 25, 2007 6:12 AM

Antibozo:

You've not quite got the grasp of the GPL. Even if they don't modify packages they must still make an offer of the full source to people they distribute GPL'd software to.

It's not permissible to simply point at the upstream providers.

This is a subtle point that most people miss, so they have broken the GPL and as such do not have a license to distribute this version of Xubuntu. And because of that they are now infringing copyright and should be sued. Maybe the gpl-violations guy will get onto it?

It really does smack of do as we say not as we do.

Hopefully it can be proved that their infringement was willful and they'll have to pay $150,000 damages for "making available". :o)

Posted by: Phil | November 25, 2007 6:35 AM

Phil> It's not permissible to simply point at the upstream providers.

Of course it is permissible. The Xubuntu distribution itself is not some kind of magic GPL box; it is a collection of free software, some of it under GPL, some of it under Apache license, etc. GPL requires you to make source available (not necessarily distribute along with binaries) for things you have modified, not for everything else you happen to put on your CD image unmolested, and having received already under GPL.

GPLv2 (note option 'c'):
"3. You may copy and distribute the Program (or a work based on it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you also do one of the following:

"a) Accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or,

"b) Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or,

"c) Accompany it with the information you received as to the offer to distribute corresponding source code. (This alternative is allowed only for noncommercial distribution and only if you received the program in object code or executable form with such an offer, in accord with Subsection b above.)"

Posted by: antibozo | November 25, 2007 7:26 AM

we should Torrent their "University Toolkit"

Posted by: daniel a | November 25, 2007 7:46 AM

Anyone notice there's an "MPAA_University_Toolkit_Admin_Guide.pdf" but also a (hidden(ish)) MPAA_University_Toolkit_Administrators_Guide.pdf as well
Both different sizes

Posted by: Bob | November 25, 2007 10:09 AM

"It can tell you how much traffic is going back and forth on BitTorrent [a popular file-sharing service], but it can't see what's in those files or what the names of those files are, and it doesn't communicate anything back to the Internet."

So it will tell the MPAA how many people are updating their World of Warcraft accounts? WoW uses BitTorrent for its patching system. Heck they use it to download HD Videos from their sites sometimes. I can't wait to see the lawsuits when a new patch is released.

Many Linux distros use it to get their images out there. Many Legal activities happen on BitTorrent as well.

The whole idea that P2P is something automatically illegal is insulting.

Posted by: JB | November 25, 2007 1:08 PM

This is like some Cheech and Chong movie.

The cops all standing round the box poking it...
[head cop] Go on larry kick it...get some info outta it.
larry kicks it....the box fizzles.

Posted by: airtonix | November 25, 2007 2:37 PM

JB> The whole idea that P2P is something automatically illegal is insulting.

Yes, it would be, if the toolkit made any such assertion. The 2-page overview document on the toolkit site says:

"The University Toolkit software is distributed for free to university technical staff via CD or as a download from UniversityToolkit.com. It is designed to be user friendly and require as little time as possible to run and collect meaningful information. The program cannot distinguish between legal and illegal activity and does not identify the titles of the files being passed across the network."

I have no more love for the MPAA than the next guy, but all they're doing here is trying to put something into the hands of the few network engineers who are too incompetent to figure out for themselves where the bandwidth is being sucked down. Believe it or not, people who have nothing to do with the MPAA or RIAA have reasons to want to curb peer-to-peer activity where feasible, because cumulatively it accounts for a very large slice of peering bandwidth. A tool like this can also help identify systems that are participating in botnets or infected with worms.

No doubt the MPAA represents some greedy little misers. That doesn't mean there's anything wrong, in principle, with this toolkit. It could be a great deal cleverer, but if you bother to download and inspect it I think you'll find there's nothing so invasive or horrible about it. Almost every capability it has is provided by free software you can readily install yourself by firing up Xubuntu and doing a few apt-get commands; the rest of what they've provided is a pedestrian web interface to generate overview graphs. A decent engineer could have put this disc together in about two man-weeks and done a better job. I find it hard to be offended by such mediocrity. Those offended by the MPAA's past injustices can amuse themselves speculating as to how much Mantech charged the MPAA for this thing.

Posted by: antibozo | November 25, 2007 2:39 PM

Since there is a Bill in Congress that the MPAA is pushing that will take away funding for Universities that don't use 'technical deterrents' this could be a serious problem. The MPAA wants Universities to basically stop all 'file sharing' for the most part. A blanketed hammer on pretty much all P2P applications. There are legitimate uses for P2P. This technology is even being used for new ways to download movie content to subscribers for vudu.com. Of course the Universities that have stopped all these applications are getting less notices. They are also curbing the very future of technology, in my opinion. And do you think they are targeting Universities because that is where the real problem is? I don't think so. I think that is where they can get the most attention.

I'm sure everyone remembers MediaDefender. Well, they have some leaked emails that made it into the public domain that show EDU IP addresses to be a very low count. If this is true then where is the MPAA getting their numbers from?

Open up Google and search for this:

site:mediadefender-defenders.com intitle:edu.ips

You will find the percentages to be 2.5% and lower. Wow, this is such a huge number, huh? I think there are less Students sharing files (this is a number of IP addresses found on P2P networks and not necessarily that they are illegal file sharers) than what they think. Are the entire 2.5% breaking the law? Perhaps the numbers are actually way lower in reality.

Posted by: Anonymous Coward | November 25, 2007 5:00 PM

Anonymous Coward> The MPAA wants Universities to basically stop all 'file sharing' for the most part.

Not that I would defend the MPAA, but let's be fair--employing technical measures to detect copyright infringement does not at all equate to banning legitimate file sharing or taking away anyone's rights. If I'm managing a network and 2.5% of the users are consuming 75% of the bandwidth, I'm certainly going to make an effort to identify as much illicit traffic as I can, within reason, and shut it down. It's harming the other users and possibly attracting law enforcement to my network. And I can speak from experience in providing security to a high-bandwidth network to say that, while it's practically impossible to use technical measures to *stop* illicit peer-to-peer traffic, it's not at all difficult to *detect* and *deter* a lot of it, and even identify many of the particular media files being shared. Combined with a reasonable acceptable use policy, such techniques could benefit university networks as a whole. What's more, the same instrumentation can detect many forms of malware, thus protecting the rest of us as well. Any sensible network engineers are already doing this; requiring universities to employ competent network staff doesn't sound like a bad thing from a network manager's point of view. Effectively it will add some priority to security funding.

Anonymous Coward> [MediaDefender] have some leaked emails that made it into the public domain that show EDU IP addresses to be a very low count.

Surely you realize that, thanks to NAT, IP addresses do not correlate with individuals. This is one reason the MPAA would want to facilitate measures that could be deployed behind NAT devices where individual systems could be identified.

Posted by: antibozo | November 25, 2007 6:25 PM | Report abuse

SCANDAL!!!!

Posted by: Sandro | November 25, 2007 8:03 PM | Report abuse

Perhaps I'm wrong, but an important point seems to be missing from this discussion. Is it appropriate to hold Universities responsible for policing and enforcing copyright infringements? Universities have always been about a free exchange of ideas and information; forcing them to in essence become a branch of law enforcement could stifle one of the few venues where open communication and independent thought are still celebrated and encouraged.

Considering the fact that many institutions are already strapped for cash, is it appropriate to force them to police and protect the fiduciary interests of independent private businesses?

Bittorrent is being used not only to exchange "illegal" content, but also as a vehicle for legitimate content, such as research data. Perhaps the focus should be on placing the responsibility where it belongs, with the Torrent services. If there were some sort of validation system in place in order to register files for sharing, then at least the most blatant transgressors could be blocked. After all, if they cannot list the "illegal" files then no one could download them.

It is unfortunate that the MPAA and RIAA did not embrace this technology when it first emerged. If, instead of fighting it, they had viewed it as a new venue, an opportunity to add to their distribution network, all this posturing and chest beating might have been avoided and they would have been richer for it.

Posted by: cav | November 25, 2007 9:52 PM | Report abuse

cav> Universities have always been about a free exchange of ideas and information; forcing them to in essence become a branch of law enforcement could stifle one of the few venues where open communication and independent thought are still celebrated and encouraged.

I'm confused--are you suggesting that copyright infringement is an act of free speech? Is sharing protected content some new kind of performance art?

Most universities of any size actually have a campus law enforcement branch. Nonetheless, the talk so far hasn't been about forcing universities to participate in law enforcement in the manner you seem to be thinking of. Deterring infringing behavior doesn't mean arresting anyone or notifying the MPAA or BSA or FBI; it means throttling it, or taking the offending system off the network, to name a couple of simple measures at the network manager's disposal.

cav> is it appropriate to force them to police and protect the fiduciary interests of independent private businesses?

It is appropriate to expect people to have some idea what's going on on their networks, and if it's illegal, take *some* action to deter it. If a student burned thousands of copies of copyright-protected DVDs and ran ads in the campus newspaper (another communication medium) offering them in exchange for copies of other protected DVDs, wouldn't you expect the newspaper editors to cancel the ads? Would you prefer that the FBI come and arrest him? If the FBI never found out, would that make it "okay"?

cav> Perhaps, the focus should be on placing the responsibility where it belongs, with the Torrent services.

I don't think you realize how BitTorrent (which is only one of the protocols under discussion) works. There is no centralized Torrent service to make responsible. Anyone can seed a torrent, and any IRC channel or jabber "chat room" works as a rendezvous medium. Ban instant messaging? I thought free speech is important...

cav> If there were some sort of validation system in place in order to register files for sharing, then at least the most blatant transgressors could be blocked.

Even if that were technically feasible, who gets to moderate? I thought free speech is important...

cav> It is unfortunate that the MPAA and RIAA did not embrace this technology when it first emerged.

I fully agree that the MPAA and RIAA are blithering idiots with an unhealthy addiction to the status quo. And people love to trot out this sort of reasoning in these discussions. By all means, if you feel that the film distribution industry has failed to adapt to changes in technology, vote with your wallet and stop purchasing their wares--don't go to the movies, and don't buy or rent DVDs. Note that making this choice does not automatically entitle you to enjoy their wares for free. Similarly, if you don't like Wal-Mart, don't shop there, but if you shoplift as a form of protest you're still accountable to the law no matter how vile and reprehensible the Wal-Mart corporation might be. Hell, there are enough people on the theft-as-protest bandwagon to form a *major* lobby to push legislation forcing the MPAA and RIAA to get with the times--too bad so many of them are sitting on their butts watching stolen movies.

Posted by: antibozo | November 25, 2007 11:02 PM | Report abuse

Well IANAL but hopefully this story will get enough buzz that the FSF becomes aware of it and will look at it for possible GPL violations by the MPAA. I understand that the Sony rootkit software made illegal use of GPL'd software.

As for the MPAA and RIAA, the time for them to move on to a new business model is long overdue.


Posted by: Soviet Canuckistani | November 26, 2007 12:48 AM | Report abuse

antibozo:

"employing technical measures to detect copyright infringement does not at all equate to banning legitimate file sharing or taking away anyone's rights. If I'm managing a network and 2.5% of the users are consuming 75% of the bandwidth, I'm certainly going to make an effort to identify as much illicit traffic as I can, within reason, and shut it down."

So you are saying that since blocking P2P will also help improve the network performance for Universities that it is okay for Congress to pass a bill for this? Shouldn't network management of bandwidth be up to the people who run the networks? You don't have any data that these 2.5% of users are using a certain amount of bandwidth. It is all just speculation.

The point I was trying to make is that the MPAA is telling Congress one thing when reality says a different thing. The numbers are not as high as they say they are.

"The MPAA estimates that about 44% of the movie industry's domestic losses to piracy -- over $500 million annually -- are attributed to college students illegally sharing files over peer-to-peer networks"

How do they equate 44% of losses to 2.5% of the P2P file sharers? It is obvious these numbers are way off.

Posted by: Anonymous Coward | November 26, 2007 6:48 AM | Report abuse

Anonymous Coward> So you are saying that since blocking P2P will also help improve the network performance for Universities that it is okay for Congress to pass a bill for this?

Go back and read what I wrote. I'm saying that *deterring* p2p will improve universities' network performance, and also (not therefore) that it is reasonable and even desirable for federal funding to come with requirements on basic network security, which includes having instrumentation to have at least some clue as to what is going on on your network.

Anonymous Coward> Shouldn't network management of bandwidth be up to the people who run the networks?

If we are going to subsidize university networks with Federal funding, there should be minimal standards on security. Imagine if universities had to accredit their systems under FISMA... the requirements discussed above are a cakewalk and should already be in place--again, because the same measures are useful against malware of all kinds.

Anonymous Coward> The numbers are not as high as they say they are.

Again, read what I wrote. The numbers you quoted are for IP addresses, not individuals. A single IP address may represent hundreds of individuals. In other words, statistics on IP addresses tell us nothing about how many individuals are participating in p2p networks.

I don't doubt that the MPAA inflates their estimates, but you are being just as disingenuous with yours.

Posted by: antibozo | November 26, 2007 7:12 AM | Report abuse
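antibozo's point above, that addresses seen from outside a NAT gateway do not map one-to-one to hosts, can be checked against a network's own translation logs. The following is an added example, not code from the original post or from the MPAA toolkit: it joins constructed external swarm observations to a constructed NAT translation log (the field layout and the five-minute mapping lifetime are assumptions) and counts public addresses against the internal hosts they resolve to.

```python
"""Public-IP counts versus hosts behind NAT (added example, constructed data)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed NAT translation log from a campus edge device. The format
# (timestamp inside_ip:port -> outside_ip:port) is an assumption, not the
# output of any particular product.
NAT_LOG = """\
2007-11-25T14:00:01 10.20.1.15:51234 -> 198.51.100.7:40001
2007-11-25T14:00:03 10.20.1.22:49877 -> 198.51.100.7:40002
2007-11-25T14:00:05 10.20.3.101:60123 -> 198.51.100.7:40003
2007-11-25T14:00:09 10.20.1.15:51235 -> 198.51.100.7:40004
2007-11-25T14:00:12 10.20.7.8:33333 -> 198.51.100.8:41000
2007-11-25T14:00:20 10.20.9.40:44444 -> 198.51.100.8:41001
"""

# Constructed observations as an outside monitor of a P2P swarm would record
# them: only the public address and port are visible from the Internet.
EXTERNAL_OBSERVATIONS = """\
2007-11-25T14:00:02 198.51.100.7:40001
2007-11-25T14:00:04 198.51.100.7:40002
2007-11-25T14:00:06 198.51.100.7:40003
2007-11-25T14:00:13 198.51.100.8:41000
2007-11-25T14:00:21 198.51.100.8:41001
2007-11-25T14:00:30 203.0.113.9:5555
"""


def parse_nat_log(text):
    """Index translations by (outside_ip, outside_port) -> [(created, inside_ip)]."""
    table = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_s, inside, _arrow, outside = line.split()
        inside_ip = inside.rsplit(":", 1)[0]
        out_ip, out_port = outside.rsplit(":", 1)
        table[(out_ip, int(out_port))].append(
            (datetime.fromisoformat(ts_s), inside_ip))
    return table


def parse_observations(text):
    """Return [(timestamp, public_ip, public_port)] from the outside view."""
    obs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_s, addr = line.split()
        ip, port = addr.rsplit(":", 1)
        obs.append((datetime.fromisoformat(ts_s), ip, int(port)))
    return obs


def attribute(observations, nat_table, ttl=timedelta(minutes=5)):
    """Resolve each external observation to an internal host via the NAT log.

    A translation is treated as live for `ttl` after it was logged (assumed
    lifetime; real devices also log teardown, which would tighten this).
    Returns how many distinct public IPs were seen, how many distinct
    internal hosts they resolve to, and how many observations could not be
    attributed at all (no translation record).
    """
    public_ips, internal_hosts, unattributed = set(), set(), 0
    for ts, ip, port in observations:
        public_ips.add(ip)
        match = None
        for created, inside_ip in nat_table.get((ip, port), []):
            if created <= ts <= created + ttl:
                match = inside_ip
        if match is None:
            unattributed += 1
        else:
            internal_hosts.add(match)
    return {"public_ips": len(public_ips),
            "internal_hosts": len(internal_hosts),
            "unattributed": unattributed}


def summarize():
    """Run the constructed data through the join: 3 public IPs, 5 hosts."""
    return attribute(parse_observations(EXTERNAL_OBSERVATIONS),
                     parse_nat_log(NAT_LOG))


if __name__ == "__main__":
    print(summarize())
```

The unattributed observation shows the other side of the coin: without a translation record for that address and time, the outside view cannot be tied to any host at all.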

Posted by: anonymous | November 26, 2007 7:19 AM | Report abuse

Correction:

antibozo> I'm saying that *deterring* p2p will improve universities' network performance,

Should read "I'm saying that *deterring* illicit p2p..."

Oh, and also:

Anonymous Coward> You don't have any data that these 2.5% of users are using a certain amount of bandwidth. It is all just speculation.

I didn't claim anyone was using a certain amount of bandwidth. But I can tell you from experience that a small percentage of p2p users can chew up an impressive percentage of bandwidth, which should be obvious if you bother to think about it.

Posted by: antibozo | November 26, 2007 7:23 AM | Report abuse

anonymous> Just read this.

Why don't you reciprocate and read the previous comments before posting? That link was posted here over two days ago. And it's not very insightful, actually. Okay, so they're not masterful at writing snort rules. Big surprise.

Posted by: antibozo | November 26, 2007 7:27 AM | Report abuse

kudos, antibozo. You seem to be a patient and careful reasoner.

Back in the 80s and 90s I was a university professor and one of those guys who helped build the underlying nets on campus. I did a lot of "velvet ropes" security. The idea wasn't to prevent activity, really, it was to raise awareness and help students do the 'right thing'. Doom was the p2p of my day - kids playing would launch broadcast storms that would kill the poor secretaries trying to print.

My job, then, was to try to architect the net into proper segments and do some simple filtering, so the kids could do what they wanted to do without destroying the workplace of others, and to help them to understand what was going on, so they could take reasonable steps (like waiting until 5PM to start the LAN party if it overlapped with others workspace.)

Plus ça change, plus c'est la même chose. The two percent that uses 80% of the bandwidth, well... if this were my job now I'd probably architect some services to balance out the p2p traffic a bit, perhaps rate limit generally but put some local proxies/seeds in place, to control the supply side. Probably also try to encourage local discussion and debate on file sharing mechanisms, if not to moderate the demand side to at least raise awareness in the students -- as antibozo notes, perhaps to get them off their butts instead of watching downloaded movies; recall that 'copyright' is a relatively modern phenomenon, perhaps 400 years old (Shakespeare had no copyright!) and perhaps legal/moral/creative mores are ripe for change.

The real shame here is that the toolkit exists in the first place -- not because it is invasive, but because it is so clumsy. Do network engineers really not know snort and ntop? (Do network engineers not know cflowd?) Are university networks really so hard to understand that they can't be managed well?

Posted by: woody weaver | November 26, 2007 10:40 AM | Report abuse

OMG. Great work Bk as always. But can't someone please put these ??AA people out of our misery?

Posted by: Rick | November 26, 2007 12:17 PM | Report abuse

It is not much of a stretch to foresee this creating the largest FERPA (Family Educational Rights and Privacy Act -- also known as the Buckley Amendment) violation in US history. FERPA specifies that:

"Institutions may not disclose information about students nor permit inspection of their records without written permission, unless such action is covered by certain exceptions permitted in the Act."

More information about the Act may be found at http://www.ed.gov/policy/gen/guid/fpco/ferpa/index.html

Hopefully universities won't allow their students to be victimized by what appears to be a trojan horse.

Universities with suitable Acceptable Use policies can simply throttle or block peer to peer traffic, without violating their students' privacy rights. While there is no presumption of a right to freely download, there is a right to privacy.

Posted by: Craig Herberg | November 26, 2007 1:26 PM | Report abuse

Craig Herberg> It is not much of a stretch to foresee this creating the largest FERPA (Family Educational Rights and Privacy Act -- also known as the Buckley Amendment) violation in US history... While there is no presumption of a right to freely download, there is a right to privacy.

That depends on what you mean by "privacy"--privacy from the MPAA or privacy from university staff or privacy from other students--and the university's AUP, which itself may constitute written permission. In any case, FERPA is about educational records, and it's a much bigger stretch to try to make that encompass network traffic, especially the traffic in question here, which may not even be correlatable with individuals, let alone students (as opposed to faculty).

Craig Herberg> Universities with suitable Acceptable Use policies can simply throttle or block peer to peer traffic, without violating their students' privacy rights.

Not, generally, without actually *looking* at it, which is all this toolkit does.

I really don't understand all the hype about this thing. If university network staff fired up stock Xubuntu and downloaded and installed, say, snort + acid with no external access control, you'd have something with the same potential risk for compromise of assumed network privacy, and it wouldn't involve the MPAA at all. Yet I don't see everyone decrying the dangers of snort + acid; it seems the only reason this particular case garners so much attention is because it's the MPAA and therefore must be evil in intent, and must be a trojan horse, and not simply the MPAA's preemptive due diligence for the moment when in court or Congress someone asks them, "What have you done to assist educational institutions in identifying infringing behavior?"

Posted by: antibozo | November 26, 2007 1:46 PM | Report abuse

antibozo> ...and not simply the MPAA's preemptive due diligence for the moment when in court or Congress someone asks them, "What have you done to assist educational institutions in identifying infringing behavior?"

An MPAA spokesperson has said that the Toolkit doesn't detect infringement. So then you need to define infringing behaviour. P2P traffic does not define infringing behaviour.

I'm not sure what the motives of the MPAA are with this apparently harmless Toolkit, but I do know one thing, I don't trust them!
I'm confident that the MPAA aren't doing this as a charity to education to help with network congestion, or to boost education in the country. Nope, my bet is that any institution that uses this toolkit will regret it. Ordinary people doing ordinary things that cause no harm will get burned.
I believe they're not doing this for the benefit of the majority but are doing this for themselves.

antibozo, I'm not having a dig at you; in fact I agree with a lot of what you have said, but as innocent as the toolkit might be according to you, I think we still need to question the motives of the MPAA/RIAA and others.
IMO, we shouldn't be so concerned about security, privacy, network monitoring or GPL violations; we should be concerned as to what these organisations are up to and what effect this will have on our children's educational future.

Posted by: Fungyo | November 27, 2007 8:59 AM | Report abuse

The purpose of the toolkit is to educate university network operators who may not already be aware of how much bandwidth widespread P2P traffic uses. I imagine the ultimate goal would be to enlist their help in curbing the most egregious users and cutting back on the supply side of the copyright violations. I think the target audience for this tool is pretty small, as most operators who have an interest in this information are likely to have at least comparable tools. But it's their money, and they can spend it how they wish.

Posted by: kawaru | November 27, 2007 12:07 PM | Report abuse

The MPAA has no business policing networks of universities period!

It's irrelevant what the toolkit does. The MPAA should not be controlling anything outside of their own corporate offices. They are a corporation... not a government agency.

Anyone even considering that they should be setting public policy or controlling public interests is not realizing this.


Posted by: j | November 27, 2007 3:29 PM | Report abuse

I'm curious what percentage of the population pirates movies. What if it's over 50%? In a democracy wouldn't this mean that popular opinion is pro movie piracy? Wouldn't it also mean that a law preventing piracy is therefore anti-democratic? Shouldn't this particular law then be relaxed or eliminated as the people have spoken?

Why don't we all hold a vote and let the people decide what is right in this case?
It is the people that are being prosecuted because of a corporate agenda, and this is undemocratic.

Posted by: Fango | November 27, 2007 3:38 PM | Report abuse

This is definitely fishy but there are some legitimate concerns here. I can reasonably assume that the RIAA would have had the entire thing designed to finger illegal downloaders by sniffing the packets but the MPAA has been more reserved and mature in its stance, in my opinion.
They are losing money to freeloaders. They can't demand the universities do this but they can suggest it as a way to avoid future lawsuits. IP rights are very important to these people. Just be happy this isn't completely like the rootkit (close to it but still, this appears to be in beta and they are at least announcing it unlike SONY).

Now if only we could get them to lower the price of Blu-Ray and HD-DVD.

Posted by: Rob | November 27, 2007 3:46 PM | Report abuse

Fungyo> P2P traffic does not define infringing behaviour.

I believe I said the same thing a number of times above. That's why I used the phrase "assist... in detecting". You need to be able to look at the p2p traffic before you can identify which of it is infringing.

Fungyo> I believe they're not doing this for the benefit of the majority but are doing this for themselves.

I agree. That doesn't mean *what* they are doing is particularly harmful. Overall, the fact that they released an inspectable ISO with no obfuscation, rather than a Windows zip executable installer for a win32 binary, is pretty clear indication to me that they are showing a modicum of good faith.

Fungyo> I think we still need to question the motives of the MPAA/RIAA and others.

Of course. But we also need to apply Occam's razor, and not overhype elaborate explanations when simpler ones will suffice.

kawaru> I think the target audience for this tool is pretty small,

That's why I think it's really a due diligence token for the sake of legislation more than anything else. Being offered at no charge, it endeavors to blunt argument in Congress that requiring universities to implement technical deterrents to illicit file sharing would require large amounts of additional funding.

Fango> Why don't we all hold a vote and let the people decide what is right in this case?

See my comments above. You don't just get to "have a vote"; first you need to get Congress to pass a bill calling for a referendum. To do this requires lobbying. If you feel that there's something wrong with the status quo, you're free to say so, and if there are as many people involved in illicit p2p file sharing as the MPAA thinks there are, they are vastly outnumbered.

It's a stretch to think you could significantly modify copyright law, though, as the U.S. is party to international agreements governing a lot of it. But it's possible that a big enough lobby could roll back parts of the DMCA and require entertainment distributors to offer fair pricing on alternative distribution methods, and offer some form of purchasable amnesty for prior infringement, and put explicit curbs on what information distributors can seek from ISPs and other service providers, et al.

Rob> Just be happy this isn't completely like the rootkit (close to it but still, this appears to be in beta and they are at least announcing it unlike SONY).

I don't see how this is even remotely similar to Sony's rootkit. Sony's rootkit installed itself on your system without telling you, hid certain files and processes, and was embedded in mass-marketed media. This toolkit is software offered for free download to a small population of potential users, which you can fully inspect, and which can operate without any installation. Where's the similarity? Well, I'll grant you that they're both software, both include GPL software, and both come from media corporations.

Posted by: antibozo | November 27, 2007 4:42 PM | Report abuse

Does the RIAA use this themselves on their network? How about the MPAA? Do they modify a default or two?

This, antibozo, is the similarity - how much damage did the rootkit do internally at Sony?

Not much I'll bet. Why is that?

Posted by: GTexas | November 27, 2007 4:59 PM | Report abuse

GTexas> Does the RIAA use this themselves on their network? How about the MPAA?

There are no reports that the RIAA has anything to do with this. As for the MPAA, why would they? Do you think it's likely that MPAA staff are responsible for significant illicit sharing of content over p2p networks?

Do you understand what this thing is? It's a bootable CD with free network monitoring and intrusion detection software installed. You can boot a system off it and watch what's going on on your network. It's mediocre in execution and, like any intrusion detection or monitoring system, needs to be deployed carefully and correctly.

I imagine the MPAA doesn't have a very large network nor a very fast Internet connection, so they may not have a network intrusion detection system of any kind. Universities, on the other hand, all *should* have one. Many of them are peered at speeds in excess of 10Gb/s to both I1 and I2, and host thousands of Windows systems with decentralized administration.

GTexas> This, antibozo, is the similarity - how much damage did the rootkit do internally at Sony? Not much I'll bet. Why is that?

I have no idea what you're trying to say. I can respond to the statements you make, but not your intended point, because it's opaque to me.

How much damage did the rootkit do internally to Sony's bottom line and technical organization? How about the little software company that wrote it for them? You are aware that Sony settled the major class action suit on that to the tune (ha ha) of $7.50 per claim, aren't you?

In contrast, how much damage of any kind has the MPAA toolkit done to anyone? How much potential damage could it do? How does it present greater risk than independent installations of snort, or acid, or ntop, or Cisco Secure IDS, or McAfee IntruShield, or ISS RealSecure, or NetScreen IDP, or rrdtool, or any number of other network monitoring and IDS solutions that have been available for years?

And what does this have to do with the Sony rootkit, again?

Posted by: antibozo | November 27, 2007 5:29 PM | Report abuse

This is easily defeated. Students can just refuse to install the software on their machines.

Posted by: OmegaWolf747 | November 27, 2007 7:12 PM | Report abuse

OmegaWolf747:

Did you read the article? It isn't a tool that students install. They would have no choice but to be monitored by this toolkit if it were on the network.

Posted by: Coward | November 28, 2007 10:04 AM | Report abuse

hai gaise

Posted by: anon | November 28, 2007 10:59 AM | Report abuse

Phil>> It's not permissible to simply point at the upstream providers.

AntiBozo> Of course it is permissible. The Xubuntu distribution itself is not some kind of magic GPL box; it is a collection of free software, some of it under GPL, some of it under Apache license, etc. GPL requires you to make source available (not necessarily distribute along with binaries) for things you have modified, not for everything else you happen to put on your CD image unmolested, and having received already under GPL.

GPLv2 (note option 'c'):
...
...
-----------------------------
Option 3c of GPL v2.0 only applies if the distribution is noncommercial. There is a preponderance of precedent that activities undertaken by a non-profit organization funded by for-profit organizations which directly benefit from those activities are considered "commercial activities" by U.S. courts.

Since the MPAA distribution of GPL software is not non-commercial, even if unmodified, it is not eligible for the 3c) exemption. The MPAA are required to provide the source code themselves, it is not sufficient to point to the upstream provider.

Posted by: saulgoode | November 28, 2007 12:27 PM | Report abuse

antibozo> Not that I would defend the MPAA...

From your posts, that's exactly what you are doing. The very least you can do is be honest enough to admit it.

Posted by: Not_An_MPAA_Lacky | November 28, 2007 1:12 PM | Report abuse

saulgoode> Since the MPAA distribution of GPL software is not non-commercial, even if unmodified, it is not eligible for the 3c) exemption.

Even if your analysis that this is "commercial" is correct (I'm not convinced), pursuing them on this would be pure vindictiveness. I could point to any number of other clearly commercial cases of GPL repackaging (vendor firmware for routers, LOM interfaces, etc.) that nobody cares one whit about. So the question remains for me--why the high horses in this case? I mean, do we *need* MPAA to provide yet another mirror of the source for the GPL packages in xubuntu? Not enough mirrors for you?

antibozo> Not that I would defend the MPAA...

Not_An_MPAA_Lacky> From your posts, that's exactly what your are doing.

Not really. I'm objecting to the biased manner in which this software is being regarded; it isn't fundamentally any different from a lot of other things in widespread use, and it's inconsistent for people to be so up-in-arms about it.

The conspiracy theories about how the MPAA would update the distribution to do their legal investigation for them seem totally absurd to me. Why would they do that in such an easily detected and transparent way? They would almost certainly run afoul of wiretap and privacy laws; does no one remember what happened to HP last year?

If the MPAA wanted to bypass the law to identify copyright infringers, the subtle way for them to do it would be to hire some of the botnet operators in Eastern Europe to distribute code to all the zombies that would identify content and individuals... for example. Who knows? Maybe they financed the Storm worm...

Getting back to consensual reality--all of the major NIDSes already include p2p detection signatures. And people regularly download unsigned software and update their systems in an insecure way, while a lot of free software distributions have historically insecure repository practices. We don't know the distro maintainers--why do we trust, for example, CentOS? I say all this as a major user of free software--I'm writing this on an Ubuntu box right now.

Snort itself has had remote arbitrary code execution vulnerabilities in the past, and I fully expect others will show up in the future. This is the *real* threat, and the reason that someone who offers something like this *should* have an automated update process. Operation of any NIDS has to be done with extreme care--a compromised NIDS of any kind is a privacy nightmare. So would we really prefer that the system didn't try to phone home to check for updates? As I mentioned before, I already found XSS and SQL injection vulnerabilities in their JSP code, after looking at it for about 10 minutes.

So you can toss out snide accusations that I'm dishonest. Or you could aim a little higher and explain to me why this toolkit is such an important threat to privacy in the vast landscape of intrusion detection and network monitoring, rather than a little gambit by the MPAA to improve the posture of the legislation they're pushing.

Posted by: antibozo | November 28, 2007 2:54 PM | Report abuse

Posted by: antibozo> Even if your analysis that this is "commercial" is correct (I'm not convinced), pursuing them on this would be pure vindictiveness.
------------
What you term vindictiveness are the license terms of the copyright. It is the "price" demanded by the copyright holders and, just as I should not copy motion pictures without properly paying those copyright holders their price, the MPAA should not distribute GPL software without "paying the price".
------------
Posted by: antibozo> I could point to any number of other clearly commercial cases of GPL repackaging (vendor firmware for routers, LOM interfaces, etc.) that nobody cares one whit about.
------------
It is my opinion that the "unmodified, non-commercial" clause was included so that GPL software could be shared amongst friends or handed out in a truly non-commercial manner. GNU/Linux distributions are expected to provide the source.

ALL commercial Linux distributions are expected to make available the full source code. MEPIS was notified of their non-compliance when they merely pointed to the Debian repositories for all their unmodified code. All of the *buntu flavors provide source repos: although doing this is part and parcel of their Philosophy, it is also a firm requirement because the for-profit Canonical Corporation has funded the Ubuntu Foundation trust and benefits from the trust's "non-commercial" activity.

I have no more legal expectation of the MPAA than that they abide by the same rules as all of the other GNU/Linux distributions. I do not expect any great lawsuits (none that reach the courts, anyway) but I do expect that the MPAA will be called upon to come into compliance with the copyright licenses of the media they are distributing.

If you know of some violations of the General Public License taking place, perhaps you should contact the copyright holders and let them know -- if you don't feel it is your duty to police the copyright infringements of others' works, I would find that a fully understandable position (nudge, nudge. wink, wink). Of course, the copyright holder always has the option whether or not to take legal action. In the commercial world, such decisions are based upon a cost/benefit analysis; I imagine the same is true for Free Software -- though the benefit is not measured in dollars.

Posted by: Anonymous | November 28, 2007 4:06 PM | Report abuse

I think the students of America should file a class action suit against the MPAA for violation of their civil rights, laws concerning the right to privacy, and violation of the constitutional principle that you are innocent till proven guilty. Even if you do not use this software, a lot of student staff work for the colleges. If that student is using that software in a university office where sensitive data is being handled, the right of privacy is inherently violated automatically. Most colleges do not separate public network traffic and network traffic carrying sensitive student college data. I guess colleges will now be prone to more lawsuits for invasion of privacy because of the MPAA. This will drive up college costs even more. The MPAA aka Ebenezer Scrooge aka Gestapo has to be stopped. I no longer purchase media or go to movies. Most of it is garbage anyway. I will just write my own tunes and play them on my own guitar. Boycott the MPAA.

Posted by: rico giove | November 28, 2007 5:20 PM | Report abuse

Clearly, only antibozo and a small number of responders even understand what this software is or perhaps even read the article or even did any real follow-up on the products. Sheesh. We already have the capabilities of this toolkit and it's all open source.

I can fully understand why they would want to distribute a live-CD or installer that doesn't require setting up Snort, BASE, MySQL, and all the dependencies to get it up and running correctly and quickly. It's the difference between getting someone to try it or not -- and they believe this makes it easy enough to try.

Yes, it's to raise the awareness of how much bandwidth is being consumed by p2p traffic. So? I suppose they hope that if you have a policy against it you might enforce it now that you see it (wholesale, infringing or not) or at least rate-limit it. Which is basically a win-win for them and the network. A compromise really.

Don't be so freaking naive, people. If they wanted to track this thing they could do something as simple as place a logo on an install webpage that points a URI back to a site they can monitor.

Privacy rights? Yeah, we'll see what you think when everyone gets your SSN and account information because someone accidentally shared out their root drive or some other storage location.

What, you think ONLY the students are running p2p? You don't think interns, student workers, and staff run this stuff on business computers?

Got news for you...EDU IPs? Some educational institutions are on State backbones. Those IPs you see may appear to be one agency but really be the NAT for an EDU's firewall. Yes, your tax dollars are paying to handle complaints, increase bandwidth, and remedy security incidents.

The p2p often violates firewalls by generating outgoing connections that let outside IPs return communications. Your State government can be serving up child porn. Even if it isn't stored within the network, the fact that internal nodes pass on the search requests and respond with where to go to get it means your government systems may be facilitating the distribution of child porn as well as infringements and legitimate traffic.

At any rate, all they've done is pre-package something and tried to dumb-it-down enough to get them to try it hoping they'll be in shock at how much of their bandwidth is 24x7 file sharing --which, from experience, does happen to typically be all from a few internal sources.

I don't even figure the MPAA into this really...it's about the product really, and if anyone really is suspicious they can just put a sniffer in front of it to see if it sends anything out or allows any unauthorized remote access...even safer, firewall it and check the hit counts.

But, as was said...those tools are already out there and most places already implement them.

Privacy? Hah. There are a lot more steps to just knowing a p2p signature and IP to place it to an individual. I have yet to see a signature that can decode the p2p to determine what files are actually being transferred.

In short --too late, I know. :-) What one does with their broadband connection and how they interpret that TOS is up to them. I see no reason a network admin shouldn't know where the bandwidth is going and I see nothing inherently evil about this distro.

So what's the big deal? Already have the capabilities, already use them... Meh.

Posted by: netadmin | November 28, 2007 10:18 PM
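The "firewall it and check the hit counts" check from the comment above, worked through as an added example (not code from the article or from any commenter): it summarises iptables LOG lines for new outbound connections from the sensor host and separates expected destinations from internal and external ones. The sensor address, campus ranges, expected services and every log line are constructed for the example.

```python
"""Egress audit for a network monitoring appliance, from firewall logs.

Added example (not code from the article or from any commenter). Assumed
setup: the toolkit box sits behind an iptables rule such as
  -A FORWARD -s 10.20.30.40 -m conntrack --ctstate NEW -j LOG --log-prefix "EGRESS "
so each EGRESS line is one new outbound connection the sensor opened.
Every address, port and log line below is constructed for the example.
"""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

SENSOR_IP = "10.20.30.40"  # assumed address of the toolkit box

# Destinations a Snort/ntop live CD has a reason to reach (assumed values).
EXPECTED = {
    ("10.20.0.53", 53, "UDP"): "campus DNS",
    ("10.20.0.123", 123, "UDP"): "campus NTP",
}
CAMPUS_NETS = [ip_network("10.20.0.0/16")]  # assumed campus address space

# The fields of an iptables LOG line that matter here; the rest is skipped.
LOG_RE = re.compile(
    r"EGRESS .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\S+)"
    r"(?: SPT=\d+ DPT=(?P<dpt>\d+))?"
)


def parse_log_line(line):
    """Return (src, dst, dport, proto), or None for a line that is not EGRESS."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    dport = int(m.group("dpt")) if m.group("dpt") else 0  # ICMP has no port
    return m.group("src"), m.group("dst"), dport, m.group("proto")


def count_egress(lines, sensor_ip=SENSOR_IP):
    """Hit count per (dst, dport, proto) for connections the sensor opened."""
    hits = Counter()
    for line in lines:
        rec = parse_log_line(line)
        if rec is None or rec[0] != sensor_ip:
            continue  # unrelated log line, or traffic from some other host
        hits[rec[1:]] += 1
    return hits


def classify(dst, dport, proto):
    """'expected', 'internal' or 'external'; external is what phoning home looks like."""
    if (dst, dport, proto) in EXPECTED:
        return "expected"
    if any(ip_address(dst) in net for net in CAMPUS_NETS):
        return "internal"
    return "external"


def egress_report(lines, sensor_ip=SENSOR_IP):
    """Rows ordered so the busiest unexpected destinations come first."""
    rows = [
        {"dst": dst, "dport": dport, "proto": proto, "hits": n,
         "class": classify(dst, dport, proto)}
        for (dst, dport, proto), n in count_egress(lines, sensor_ip).items()
    ]
    order = {"external": 0, "internal": 1, "expected": 2}
    rows.sort(key=lambda r: (order[r["class"]], -r["hits"], r["dst"]))
    return rows


# Constructed sample of what /var/log/kern.log might hold after a day.
SAMPLE_LOG = [
    "Nov 28 22:10:01 fw kernel: EGRESS IN=eth1 OUT=eth0 SRC=10.20.30.40 DST=10.20.0.53 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=UDP SPT=45001 DPT=53 LEN=40",
    "Nov 28 22:10:02 fw kernel: EGRESS IN=eth1 OUT=eth0 SRC=10.20.30.40 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=50123 DPT=443 WINDOW=5840 RES=0x00 SYN URGP=0",
    "Nov 28 22:10:05 fw kernel: EGRESS IN=eth1 OUT=eth0 SRC=10.20.30.40 DST=10.20.0.123 LEN=76 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=UDP SPT=123 DPT=123 LEN=56",
    "Nov 28 22:11:40 fw kernel: EGRESS IN=eth1 OUT=eth0 SRC=10.20.30.40 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4 DF PROTO=TCP SPT=50124 DPT=443 WINDOW=5840 RES=0x00 SYN URGP=0",
    "Nov 28 22:12:00 fw kernel: EGRESS IN=eth1 OUT=eth0 SRC=10.20.30.40 DST=10.20.5.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=5 DF PROTO=TCP SPT=50125 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0",
    "Nov 28 22:12:30 fw kernel: EGRESS IN=eth1 OUT=eth0 SRC=10.20.30.40 DST=10.20.0.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=6 DF PROTO=ICMP TYPE=8 CODE=0 ID=700 SEQ=1",
    "Nov 28 22:13:00 fw kernel: EGRESS IN=eth1 OUT=eth0 SRC=10.20.30.40 DST=10.20.0.53 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=7 DF PROTO=UDP SPT=45002 DPT=53 LEN=40",
    "Nov 28 22:14:00 fw kernel: EGRESS IN=eth1 OUT=eth0 SRC=10.20.30.40 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=8 DF PROTO=TCP SPT=50126 DPT=443 WINDOW=5840 RES=0x00 SYN URGP=0",
    "Nov 28 22:14:10 fw kernel: EGRESS IN=eth1 OUT=eth0 SRC=10.20.30.41 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=9 DF PROTO=TCP SPT=40000 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0",
    "Nov 28 22:15:00 fw kernel: INPUT-DROP IN=eth0 OUT= SRC=198.51.100.9 DST=10.20.30.40 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=10 PROTO=TCP SPT=6000 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0",
]

if __name__ == "__main__":
    for r in egress_report(SAMPLE_LOG):
        print(f"{r['class']:<9}{r['hits']:>4}  {r['proto']} {r['dst']}:{r['dport']}")
```

Any row classed "external" is a destination the appliance had no stated reason to contact and is the first thing to chase down.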

antibozo, just wanted to say thanks for attempting to clear up the FUD and misconceptions of various posters, especially in light of a somewhat disappointing (and FUD-tinged) article from Krebs. Just wanting to let you know your comments are *much* appreciated.

Posted by: LonerVamp | November 29, 2007 9:59 AM

Antibozo:

Section 3(c) of the GPL is irrelevant here, for a couple of reasons:

1) The ISO isn't provided with a written offer for source. 3(c) clearly states that it has to accompany the software.
2) Xubuntu is distributed by Canonical under 3(a), not 3(b). As a result, 3(c) can only apply if a third party made an offer under 3(b) - and if they did that, it can't be satisfied by them pointing at the main Ubuntu mirrors.

Posted by: Matthew Garrett | November 30, 2007 2:46 AM

Matthew Garrett> Section 3(c) of the GPL is irrelevant here

Let's assume for the sake of argument that you and the anonymous poster above are correct, and the MPAA should be distributing source with the toolkit. As I asked earlier: what difference does it make? Do we need yet another mirror of the source for the GPL packages on Xubuntu?

I could understand caring about it if there were modifications without source, but not over yet another copy of the same binaries you can get sources for off any existing Ubuntu mirror.

Ideally, the MPAA will drop a source ISO or written offer out on their site, resolving the issue, but I truly do not understand why anyone would care, other than out of resentment toward the MPAA.

Posted by: antibozo | November 30, 2007 10:57 AM

antibozo:

The GPL is about ensuring that whoever obtains a piece of covered software can obtain the source code. I agree that it's unlikely that Canonical will suddenly vanish and all the existing sources of Ubuntu source will disappear, but if that did happen then there'd be a problem. I don't want people to download binary versions of my code and end up with no way of obtaining the source. That's why I released it under the GPL.

As for why I care - firstly, it's not just the MPAA. I've been involved in more than one case of GPLed code being distributed without source being provided. Secondly, it's easy enough to sympathise with some guy in a bedroom failing to understand GPL obligations. A well-funded organisation with a history of enforcing copyrights in a heavy-handed manner and a large number of well-trained IP lawyers on hand? Ignorance really isn't an excuse. They ought to know better.

Posted by: Matthew Garrett | November 30, 2007 1:18 PM

Matthew Garrett> I agree that it's unlikely that Canonical will suddenly vanish and all the existing sources of Ubuntu source will disappear, but if that did happen then there'd be a problem.

"If it did happen?" How is it even remotely possible for that to happen in the real world? Can you describe any plausible scenario where it would become the least bit difficult to acquire Ubuntu sources?

I'm asking in earnest here, still: why does it matter? If the answer is "because the MPAA is hypocritical about copyrights," I won't dispute that, but I still don't see why it matters, legally, practically, or in any other way. If the MPAA sues some college student for sharing pre-release film DVDs, do you think the judge would consider this as mitigation? If the FSF sued the MPAA over it and won, would damages be awarded, or would the MPAA simply be compelled to add source ISOs to the web site?

Posted by: antibozo | November 30, 2007 1:43 PM

Hey, maybe they even did it deliberately as a taunt--see how it feels? I wouldn't put it past them. In the overlap between GPL defenders and film copyright infringers (there is plenty of hypocrisy to go around), they might even score a point or two.

Posted by: antibozo | November 30, 2007 1:51 PM

Who keeps the stats on illegal downloading? I recently heard the music industry crying over the decrease in CD sales (caused by the illegal copying of CDs). I travel by air and can assure you that I am the only person in the US that listens to CDs when traveling. I doubt people listen at home either.

As far as the students, they may download and listen or watch, but it is a limited selection that gets watched or listened to twice. Assuming huge media sales if downloading is prevented is just plain stupid, it won't happen. Students don't have money.

Once out of college, no one has the time, they just buy or rent.

A friend had a business many years ago renting scratchy used records for a dollar. He was put out of business by you-know-who. Records sales were declining so it was his fault, folks were making bootleg tapes and then cassettes. The real facts were people wanted to listen to obscure music and sometimes make a few tapes, they had little interest in spending the time editing tapes made from scratchy records. His only customers were the poor college students.

The movie and music industry are not supported by students and never have been. I buy all my DVDs, watch them once and put them away, most movies are not that good. Books get re-read many times. Audio books get much, much more play than music in my car, but I am not a student any longer.

Someone needs to invent a web crawler that you program and your favorite Blogs, podcast, audio book or news website are read/played to you over FM while you drive. Hook up using satellite or VZ wireless card. That would be awesome. You couldn't wait to drive to work and get stuck in traffic.

Posted by: Bud | November 30, 2007 2:48 PM

Antibozo:

No, in this case I don't think there's any especially practical way that it would happen. In other cases it could (and in one or two, it has), which is why it's in the license. However, it's not just about the lack of source provision - it's also the lack of information provided. There are going to be people downloading this with no idea that they can request the source code to large parts of it (and while I think Ubuntu has done a great deal to increase awareness of Linux, I don't think anyone can claim that everybody in the technology industry has heard of it), which /is/ something I care about. That's why I think it matters from a philosophical point of view.

Legally it matters because the license is the only thing granting the right to redistribute the software, and so failing to follow the license means that it's being redistributed without permission. The DMCA provides for statutory damages of between $750 and $30,000 for infringement, which can be raised to $150,000 if it can be demonstrated that the infringement was wilful (a possibility, given that I emailed the contact address a week ago and source still hasn't been made available, despite the website being updated).

I've no real sympathy for people caught downloading movies, though I tend to believe that the damages being sought are overlarge and the generic "Peer to peer software is bad" message is damaging. I dislike it when people infringe my copyright, and I do my best to get the situation rectified. In this case, compliance is trivial - boot the CD, then run:

for x in $(dpkg -l | awk '/^ii/ {print $2}'); do apt-get --download-only source "$x"; done

and stick all the files on an FTP site or just burn them to an ISO. They don't even need to do it until someone asks for the source code, as long as they make the offer in the first place. When it's that easy, there's absolutely no excuse.

There are several thousand copyright holders, and they're all entitled to damages. In the worst case, the potential liability is hundreds of millions of dollars plus the PR hit and loss of credibility. From the MPAA's point of view, I think that's a pretty strong argument that it matters.

Posted by: Matthew Garrett | November 30, 2007 2:59 PM

I just want to know when the MPAA and RIAA will respect the license I pay for when I scratch my DVD or CD. Why should I have to buy the rights all over again? I have bought the same music over and over on 8-tracks, cassettes, LPs and CDs and never once have I been offered to pay only for the media replacement. Each time I have to buy the license all over again. If the MPAA and RIAA want the public to respect the value of a license, then they must respect the value of it themselves, by offering a broken-media replacement plan.

To those who are saying it's a copyright infringement to download, what if the downloader has already bought the product and is downloading it to replace what was lost on scratched media? If you paid for it, you own it in perpetuity, and that should not be limited by the life of the media.

Posted by: earl, jr | November 30, 2007 11:24 PM

earl, jr> I have bought the same music over and over on 8-tracks, cassettes, LPs and CDs and never once have I been offered to pay only for the media replacement. Each time I have to buy the license all over again.

Obviously, the music itself is not all you're getting with each format change. Presumably you find CD audio of higher quality than 8-track.

earl, jr> To those who are saying it's a copyright infringement to download, what if the downloader has already bought the product and is downloading it to replace what was lost on scratched media?

You certainly have the right to make backup copies of media, at least those you don't need to circumvent cryptographic protection to copy. For audio, a lot of us don't use original media for playback at all--we rip to MP3 and play that back on a compact device. There is a growing industry supplying music in purely electronic format, where media don't exist to get scratched, and the entire library of purchased tracks may be downloaded legally (by you) as many times as you like.

Whether downloading a replacement copy in the case of damaged original media would be legal under current copyright law I can't say, but I have the pretty strong feeling that someone doing so is not at high risk of getting sued over it. Surely you realize that the vast majority of content downloadable via NNTP or p2p networks is not being provided for media protection purposes.

Posted by: antibozo | December 1, 2007 9:56 PM

This software has now been taken offline, as it was in violation of the GPL. Screw you MPAA.

Posted by: User29939882 | December 3, 2007 9:02 PM

Yeah, they are saying the reason it has no security measures whatsoever is that it's a beta. Yeah, huh, sounds more like when it phones home they are hoping none of the network admins bothered to set up a login and password on the site so they would have free access to all data running across that network. The MPAA and even the RIAA assume that if you use BitTorrent you're committing piracy. Hell, to them there is no black and white BitTorrent usage; it's all black, illegal.

Posted by: Arb | December 3, 2007 9:58 PM

Matthew> 2) Xubuntu is distributed by Canonical under 3(a), not 3(b).

Do the Xubuntu CDs (live or alternate) really have the source on them?

Posted by: PaulM | December 4, 2007 12:20 AM

"MPAA Forced To Take Down University Toolkit"
http://yro.slashdot.org/yro/07/12/04/015229.shtml

Posted by: Ben Gay | December 4, 2007 12:43 AM

As for BitTorrent being a tool of illegal file sharing, I use BitTorrent on a regular basis. I have *NEVER* used it in violation of anyone's copyright.

A decent amount to download ISOs of Linux and other free OSes, a decent amount to download large media files that are made available by their original creators (Star Trek: The New Voyages, for one.)

Posted by: Anonymous Freak | December 4, 2007 1:07 AM

Yes, taken down for refusing to provide the source code. Wonder what else is wrong in antibozo's FUD soliloquies?

Posted by: mikelotus | December 4, 2007 2:27 AM

mikelotus> yes taken down for refusing to provide the source code.

There is, so far, no statement as to why it was taken down, only Matthew Garrett's claim of coincidence. It is also possible that they acted in view of the vulnerabilities and flaws I and others have reported, or a combination of these factors. Maybe we'll find out the truth, if we're patient.

mikelotus> wonder what else is wrong in antibozo's FUD soliloquies?

I would love to know what I've said that you consider FUD. Please elaborate.

Posted by: antibozo | December 4, 2007 3:01 AM

I took a look at the web site for the toolkit. It seems to me that inspecting the packets in this manner puts any university using it in a position of losing their safe harbor status. In this case, ignorance can be bliss.

Posted by: Jimmy | December 4, 2007 10:19 AM

The part of this that I find most amusing is that the MPAA assumes that many (if any) of these large Universities "identified as top locations for the downloading of pirated movies" need anyone's help in analyzing their own network traffic. The University of Pennsylvania is hardly the only university with security, IT and CS experts/professors more than capable of configuring _existing_ open-source software.

Who did they think would jump at this 'exciting' tool... small liberal-arts colleges? This program had 'FAIL' written all over it even without violating the GPL.

Posted by: Rob | December 4, 2007 10:49 AM

When I was an admin at a university back in 2000 we had so much bandwidth usage by file sharers that it was making the sending of mere text emails take longer than dialup. Having the ability to throttle or shut off file sharers is necessary. Universities have no obligation to provide you with the capability to share files via BitTorrent or any other p2p software. That is not a right, that is a desire. A university's network belongs to the university, not to the students.

It appears that some of you sanctimonious freeloaders have forgotten (if you ever knew in the first place) that services are costly and provided to enhance learning. Once you go out into the real world, you will expect to be paid for your labor, so why is it 'evil' for another to expect this as well?

Posted by: Anonymous | December 4, 2007 10:58 AM

Hmm, I wonder if this is a scary scheme? Perhaps they want to get sued, go to court, *lose*, and thereby set a precedent.....

Posted by: eb | December 4, 2007 2:00 PM

The University Toolkit was taken down for copyright violations.
See http://yro.slashdot.org/article.pl?sid=07/12/04/015229

Posted by: noone | December 4, 2007 2:03 PM

Rob> The part of this that I find most amusing is that the MPAA assumes that many (if any) of these large Universities "identified as top locations for the downloading of pirated movies" need anyone's help in analyzing their own network traffic.

Seems logical to me. If they didn't need help, they would have curbed the activity on their own.

Posted by: antibozo | December 4, 2007 2:23 PM

antibozo doesn't grok the GPL. Pointing upstream doesn't meet the requirements because upstream has an obligation for a set number of years to provide the source. If you distribute at the end of their obligation, or if they update their software, then the source to what you provided isn't available. The legal obligation is on you, not them, to provide the source for the binaries that you distribute, unless you contract with them to fulfill your obligation. Besides which, they failed to provide the written offer (which is a violation in and of itself.) As to why people might care more about this instance, people tend to get upset about hypocrisy. However, if you are aware of GPL violations I'd like to challenge you to do the right thing and make the violations public.

Posted by: george | December 4, 2007 4:07 PM

george> antibozo doesn't grok the GPL.

IANAL, but as I noted earlier (for those who don't bother to read), my interpretation in this case is based on the 3(c) exemption; we don't know specifically how the MPAA acquired xubuntu so it's hard to say whether they received it under 3(b). I allow, however, that if it is a commercial release (an assessment I'm not convinced of) it would be a technical violation of the license. As for whether they made a written offer, I don't know that anyone has fully inspected the toolkit and its associated documentation to establish that it was never made.

The point I've stressed, however, (again, if you'd bother to read) is that it doesn't actually matter. I actually distribute some of my own code under the GPL. I chose the GPL for this to protect my code against being made proprietary in a closed form. I *don't* *care* if someone redistributes my unmodified binaries; it's an area of GPLv2 that I have no personal interest in.

If you can show what actual harm is done by the MPAA's redistribution of unmodified GPL binaries, I'd be interested. As Matthew Garrett noted earlier, it's possible they could be liable for statutory damages in such a case, but I've yet to hear of such a thing happening with GPL software. Indeed if you look at a related license, the Artistic License, things aren't looking so hot. The first actual legal test of the GPL in the U.S. was only recently begun, and the outcome is uncertain. You might want to review the following for context:

http://techdirt.com/articles/20070921/145609.shtml
http://lawandlifesiliconvalley.blogspot.com/2007/08/new-open-source-legal-decision-jacobsen.html

george> However, if you are aware of GPL violations I'd like to challenge you to do the right thing and make the violations public.

As I've stated, I don't care about binary redistribution of my own code, and I don't consider it my duty to report such to the world where I might find it. Where I know of *modification* and redistribution in violation, I do take time to report it; recently, for example, I reported a case to the BusyBox people--guess what: I never got any response from them.

Related to this, it's interesting how many people report how useful BitTorrent is for legitimate distribution of Linux. Let's look at that for a second--if someone tosses me a torrent URL for Ubuntu in an IM chat, how am I supposed to go from there to retrieving the source? Isn't every use of BitTorrent to distribute GPL binaries in fact a technical violation of the GPL, unless it comes with a parallel torrent URL for a source ISO? And why should we care? Where is the harm?

Posted by: antibozo | December 4, 2007 4:40 PM

"D" misspoke, "It is illegal to share copyrighted material without proper authorization, period." This is blatantly untrue. There are many exceptions loosely grouped under the heading of "fair use".

Posted by: george | December 4, 2007 6:00 PM

George, yup. I wasn't really talking about fair use, just trying to make a point that downloading copyrighted material without proper permission is not legal. For instance, if I get on LimeWire and download one of Madonna's songs I would be breaking the law. At least as far as I understand it.

Posted by: D | December 4, 2007 8:55 PM

D> just trying to make a point that downloading copyrighted material without proper permission is not legal.

Again, it's a tautology--true by definition. By default, copying rights on copyrighted works are reserved to the copyright holder, with specific exceptions granted by law for fair use, media protection, etc., so there is simply no way for your statement to be false--that's exactly what the word "copyright" means. For example, fair use exceptions constitute "proper permission" or "proper authorization", as does a license statement from the copyright holder authorizing unlimited distribution.

IOW, you're not saying anything that isn't already implicit in the word "copyright".

Posted by: antibozo | December 4, 2007 9:33 PM

antibozo> If you can show what actual harm is done by the MPAA's redistribution of unmodified GPL binaries, I'd be interested.
------------------------------
The price of the GPL is to provide the source code when you distribute binaries. You agree to pay a price, the distribution of source code, in exchange for being able to freely distribute the binaries to the general public. You are effectively taking money away from the producer (money they could have made selling the software) when you refuse to uphold your end of the bargain.

So you're saying that if a single entity such as one file-sharer refuses to uphold their end of the bargain and prevents the MPAA member company from making money on the movie, that there is no actual harm from this action. Oh, oops, I meant the GPL producer instead of the MPAA member, silly me. ;-)

The MPAA has made the GPL's argument for it: by allowing one guy to violate a license you encourage thousands of others to do the same, and eventually producers lose money. Licenses are only as strong as the respect people have for them.

Posted by: webgiant | December 5, 2007 1:11 AM

webgiant> You are effectively taking money away from the producer (money they could have made selling the software) when you refuse to uphold your end of the bargain.

Note that I've asked repeatedly for someone to show *actual* harm, and the replies have all attempted to show *theoretical* harm--maybe the word "actual" is just passing people by.

But I'm still game, even for theoretical harm--please explain how the MPAA not providing source downloads could financially affect the subset of copyright holders invested in Xubuntu who are distributing under the GPL. Where, specifically, do you think money is being exchanged, and where is this exchange impeded by the MPAA's non-compliance, even theoretically?

The rest of your post is, I'm afraid, opaque to me. What bargain did the file-sharer make, with whom? How was the MPAA member company making money from the file-sharer, and how does the GPL producer fit in? Please explicate.

Posted by: antibozo | December 5, 2007 2:16 AM

Ars Technica has some follow-up indicating that, according to a quoted MPAA officer, the company did take the software down in response to Garrett's notification of copyright infringement. There is more of interest:

http://arstechnica.com/news.ars/post/20071204-mpaas-university-toolkit-hit-with-dmca-takedown-notice-after-gpl-violation.html

Posted by: antibozo | December 5, 2007 2:20 AM

Antibozo> IANAL, but as I noted earlier (for those who don't bother to read), my interpretation in this case is based on the 3(c) exemption; we don't know specifically how the MPAA acquired xubuntu so it's hard to say whether they received it under 3(b). I allow, however, that if it is a commercial release (an assessment I'm not convinced of) it would be a technical violation of the license.

Perhaps you would consider the following in assessing whether the MPAA's distro qualifies as a "commercial release":

The MPAA is indeed categorized as a non-profit organization; however, they are funded to the tune of about $550,000,000 PER YEAR by the four major film studios. The MPAA, by their own admission, CONTRACTED a third party to produce their GNU/Linux distribution (this contract would presumably entail some exchange of commodities directly correlating to a monetary value). Furthermore, the film studios which fund the MPAA would directly benefit if the MPAA's distro resulted in a reduction of "piracy" taking place through peer-to-peer networking.

You might wish to investigate precedents in U.S. case law such as commercial fishing being prevented by Alaskan regulations to employ a "proxy" non-profit organization to seed fishing grounds. Alternatively, you could just apply common sense and realize that every corporation in the world would create "non-profit associations" to promote their products, and thus bypass all tax, anti-trust, or environmental regulations which might otherwise hinder them.

Could you provide some basis for your skepticism that the MPAA's distro was anything but a "commercial" endeavor?

Posted by: saulgoode | December 5, 2007 4:02 PM

saulgoode> Could you provide some basis for your skepticism that the MPAA's distro was anything but a "commercial" endeavor?

1. The fact that there is no direct commercial gain to the MPAA from distribution of the product. Theoretical gain to the MPAA from this product relies on the university admins being able to correctly identify and throttle illicit sharing of films, using the product, *perhaps* eventually resulting in indirect profit to the film distributors from increased sales, who *might* then choose to increase funding to the MPAA. That's a pretty long stretch, even for indirect commercial gain.

2. The fact that the product's release is targeted at universities, which are typically regarded as non-commercial enterprises.

I think the analogies with commercial fishing, etc. are a red herring (ha ha). Companies for profit can still make non-commercial software releases; it's ultimately irrelevant that the MPAA is funded by commercial enterprises. The question is the product's intended purpose, its method of release, and how it may benefit the MPAA, if I understand correctly.

Curious: do you think Knoppix is a commercial release? How about Helix?

Posted by: antibozo | December 5, 2007 5:32 PM

Antibozo> I think the analogies with commercial fishing, etc. are a red herring (ha ha). Companies for profit can still make non-commercial software releases; it's ultimately irrelevant that the MPAA is funded by commercial enterprises.

It is relevant if those commercial enterprises benefit from the otherwise non-commercial endeavor (it wasn't intended as an analogy, but as an actual case precedent).

And for what it's worth, I feel that neither Knoppix nor Helix should qualify as non-commercial distributions. Whether the benefit is from direct CD/DVD sales, website advertising, or T-shirts and coffee mugs, as soon as you engage in revenue generating activities which benefit from the distribution, you can no longer be considered non-commercial.

Posted by: saulgoode | December 6, 2007 9:48 PM

saulgoode> it wasn't intended as an analogy, but as an actual case precedent

Again, IANAL, but I don't see how Alaskan fisheries regulations can be considered a precedent for interpretation of the GPL. Even if it were legally relevant to copyrights, it's backwards. It sounds like you're talking about a case where the commercial organization fired up a non-profit for the purpose of skirting regulation, and courts didn't allow it on principle. But I don't think anyone could argue the MPAA was created *for the purpose* of releasing GPL code in a non-commercial context.

saulgoode> as soon as you engage in revenue generating activities which benefit from the distribution,

I think your constraints basically define "non-commercial" out of existence. Even if there were no such thing as a Knoppix t-shirt or mug, Klaus Knopper would still get residual positive reputation from preparing the distribution, which would factor into his income, and this is the case no matter how altruistic the act. Perhaps you can describe a context for someone to release what you would consider "non-commercial software". Is there a real example you can think of?

Back to the case at hand, if you want to disqualify the university toolkit distribution on commercial grounds, I think the burden is really on you to show that the MPAA incontrovertibly stands to garner revenue from the distribution. Some argue, after all, that film revenues would decline if p2p were eliminated.

Posted by: antibozo | December 7, 2007 2:46 AM

Well, to everyone arguing about the GPL and how it factors in, please note that the University Toolkit has been taken offline by the MPAA since they received a DMCA-takedown notice from Matthew Garrett, one of the Ubuntu developers.

Posted by: Mackenzie | December 7, 2007 1:18 PM

Mackenzie, you really should bother to take a look at previous comments before posting something pathologically redundant.

Posted by: antibozo | December 7, 2007 2:18 PM

I like a lot of the "back and forth" on the comments. It's been very insightful.

I didn't manage to read every one of them yet, but one thing I noticed in the half of them I did get through (so far) is people wondering *why* the MPAA would release this type of tool.

One of the defenses that several universities have used when the RIAA has tried to pressure them for information, is that they only have an IP address related to the supposed infringement (which isn't sufficiently determinant information for providing an identity of the user at many universities) and that the university cannot be held responsible for "creating evidence" for the RIAA to determine the owner of the IP address at the time of infringement.

An example of this would be if there are two students sharing a single IP address in a dorm room. Because that IP isn't sufficient to determine the identity of the user, the school cannot be forced to reveal the identity of the user(s). The school also cannot be forced into a situation where they have to perform forensics on both of the suspect machines in order to "create" evidence that would allow them to identify the offender.

Depending on the configuration of this tool and what information is being logged to the snort database, it is conceivable that any information stored in the sensor could be subpoenaed by one of these organizations (RIAA, MPAA, BSA, etc.) as a way of retrieving additional information that they could then try to use as justification (to a court) to force the universities to surrender the name(s) of students, as well as potentially giving the organization "cause" to request that the students' machines be surrendered in order to have the forensics performed by a third party that the RIAA, et al. have hired for this purpose.

but that's just my 2 cents

Posted by: CJ | December 7, 2007 5:12 PM | Report abuse

Antibozo> Again, IANAL, but I don't see how Alaskan fisheries regulations can be considered a precedent for interpretation of the GPL. Even if it were legally relevant to copyrights, it's backwards.

It is "legally relevant" against the defense that since the MPAA is a non-profit organization, any of its activities should be considered non-commercial. It may not conclusively define the case, but it does offer some insight which is, IMO, significant.

> It sounds like you're talking about a case where the commercial organization fired up a non-profit for the purpose of skirting regulation, and courts didn't allow it on principle. But I don't think anyone could argue the MPAA was created *for the purpose* of releasing GPL code in a non-commercial context.

Of course it was not specifically created for the purpose of distributing GNU/Linux; nonetheless, it was founded as a trade association for the purpose of furthering the interests of the motion picture industry.

> I think your constraints basically define "non-commercial" out of existence.

Perhaps my interpretation is more limiting than you would like, but it still leaves room for free exchange of GPLed software under Section 3c if no monetary benefit is garnered. I would agree with you that, with my interpretation, even releasing under a trademarked "distro" would be disqualified from 3c's exemption (trademarks inherently have value).

It should be realized that the GPL pre-dates Linux (even version 2.0 came six months before Linus's Usenet announcement) and, for that matter, what have come to be called "distros". It is indeed my opinion that the vast majority of distros should not be considered "non-commercial" -- i.e., they engage in commercial enterprise to some degree. Maybe not enough to be profitable or even marginally offset their expenses, yet still enough to disqualify them from being considered non-commercial distribution. If you peruse the GPL FAQs, it should be fairly apparent that its authors are employing the term "non-commercially" in reference to users sharing the unmodified code they receive from distributors.

If I am right, why is this a problem? Provide the source code! That's it. That's what the GPL is about. You are already providing the binaries, what's so hard about offering the source as well?

> Back to the case at hand, if you want to disqualify the university toolkit distribution on commercial grounds, I think the burden is really on you to show that the MPAA incontrovertibly stands to garner revenue from the distribution.

Hopefully I have established my interpretation of "commercial distribution" with regard to GPL 2.0; and even if I am wrong, I need not provide any incontrovertible association between MPAA revenues and their University distro because they did not even fulfill the GPL requirements for NON-commercial distribution. There was no notice on their download site either pointing upstream at Xubuntu or offering a snail mail copy at cost. In short, they made no attempt to comply with the (very generous) licenses of the media they were distributing.

Posted by: saulgoode | December 7, 2007 8:15 PM | Report abuse


saulgoode> It is "legally relevant" against the defense that since the MPAA is a non-profit organization, any of its activities should be considered non-commercial.

That defense wasn't being employed here. The observation being made was that the university toolkit appears to be a noncommercial release, at least to some of us, regardless of the status of the MPAA as a for-profit or non-profit organization. I believe that, the way most people view the term "noncommercial", for-profit organizations *can* release noncommercial software. Consider, for example, Oracle's OCFS2 release. And it isn't even clear that the "noncommercial" wording in the GPL applies to the release--it may apply to the intended use by the recipients of the release. It's really a fairly glaring flaw in GPLv2 that the meaning of "noncommercial distribution" isn't spelled out, IMHO.

I think that the rest of your response goes away from the question of whether the 3c exemption applies and back into well-worn territory. Again, I don't see where there is actual harm, and I don't see how it's anything other than vindictive pedantry to insist that the MPAA distribute the GPL sources, even though I agree that, in all probability, they should, if only to cover their own butts against cringeworthily pedantic lawsuits that wouldn't deter them in the slightest and might end up serving instead as undermining precedent for GPL cases.

Posted by: antibozo | December 17, 2007 12:12 AM | Report abuse


antibozo requested an instance of actual harm from distributors of binaries pointing to upstream source repositories.

Xubuntu creates binary from sources - provides both

antibozo distributes binary unchanged - points upstream to obtain sources

reaper obtains binary from antibozo wants sources

Xubuntu has no obligation to provide sources to reaper as they didn't distribute any binary to reaper.

antibozo has seemingly obligated Xubuntu to provide bandwidth and hosting resources to provide source materials to someone with whom they do not have any connection and to whom they provide no binaries. This is an actual monetary cost to provide bandwidth and hosting resources.

Regarding unavailability of sources. It isn't very likely Xubuntu sources would disappear from the web. The non-Xubuntu packages are more of a problem, however. Someone stated an included package was an old version 2.3.3 (IIRC). Once that package rolls past the 3 year mark, there is no obligation for the original source to be available to anyone. If the binaries antibozo distributed can't be recreated from source (because antibozo deferred the responsibility to someone else upstream), then the requirements of the GPL aren't being met then either.

Multiple possibilities occur with ISO distributions like MPAA posted.

1. Executables from 3rd party may be security risks. Provide source for vetting.

2. It doesn't work on XYZ computer because it was built on ABC model. I need the source to fix the problem (not recognizing LAN chip).

3. Someone pulled from CVS or SVN and that source is no longer 'available' because the snapshot available via the web only gives the current (daily) snapshot tarball and there is no direct CVS access.

4. Someone pointed to the original source repository where they obtained the source and it is no longer there, and the distributor of the executable doesn't have it either because they relied upon the original source to remain available.

5. Someone created source of their own, built an executable, distributed it and then misplaced their source, or their one drive containing it dies.

6. When source is requested by one of the few which might do so, it needs to be the actual source used to create whatever was distributed, not what repository A has available now vs. what distributor B grabbed from that location when patch xx was not rolled into the source.

It boils down to:

If someone distributes a binary, they should have the exact sources the binary was built from available for distribution upon request.

Posted by: reaper | January 13, 2008 4:19 PM | Report abuse

© 2010 The Washington Post Company