MPAA College Toolkit Raises Privacy, Security Concerns
An anonymous reader writes "The Motion Picture Association of America last month sent letters to the presidents of 25 major universities (pdf), urging them to download and install a 'university toolkit' to help identify students who were downloading/sharing movie files. The Washington Post's Security Fix blog reports that any university that installs the software could be placing a virtual wiretap on their networks for the MPAA (and the rest of the world) to listen in on all of the school's traffic. From the story: 'The MPAA also claims that using the tool on a university network presents "no privacy issues — the content of traffic is never examined or displayed." That statement, however, is misleading. Here's why: The toolkit sets up an Apache Web server on the user's machine. It also automatically configures all of the data and graphs gathered about activity on the local network to be displayed on a Web page, complete with ntop-generated graphics showing not only bandwidth usage generated by each user on the network, but also the Internet address of every Web site each user has visited. Unless a school using the tool has firewalls on the borders of its network designed to block unsolicited Internet traffic — and a great many universities do not — that Web server is going to be visible and accessible by anyone with a Web browser.'"
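The exposure the story describes comes down to one question an administrator can answer on the box itself before relying on any border firewall: what addresses are the reporting web server and ntop bound to? The script below is an added example, not code from the toolkit or from the article. It assumes Apache on port 80 and ntop on its default port 3000 (the article names the software, not the ports), and it parses a constructed sample of `ss -ltn` output rather than a real capture.

```python
import re
from dataclasses import dataclass
from typing import List, Set

# Constructed sample of `ss -ltn` output from a hypothetical monitoring host.
# These lines are made up for this example; they are not captured from the toolkit.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:80           0.0.0.0:*
LISTEN  0       128     0.0.0.0:3000         0.0.0.0:*
LISTEN  0       128     127.0.0.1:3306       0.0.0.0:*
LISTEN  0       128     [::]:22              [::]:*
LISTEN  0       128     10.0.5.20:8080       0.0.0.0:*
"""

# Ports the reporting UI is assumed to live on: Apache on 80, ntop's default 3000.
# Assumption for the example; adjust to what the box actually runs.
WEB_UI_PORTS: Set[int] = {80, 3000}

# Bind addresses that mean "every interface", i.e. every network the host touches.
WILDCARD_ADDRS = {"0.0.0.0", "::", "*"}

# State, Recv-Q, Send-Q, then "addr:port"; addr may be bracketed IPv6.
LISTEN_RE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s")


@dataclass(frozen=True)
class Listener:
    addr: str
    port: int

    @property
    def wildcard(self) -> bool:
        return self.addr in WILDCARD_ADDRS


def parse_listeners(ss_output: str) -> List[Listener]:
    """Turn `ss -ltn` text into Listener records; IPv6 brackets are stripped."""
    found = []
    for line in ss_output.splitlines():
        m = LISTEN_RE.match(line)
        if not m:
            continue
        found.append(Listener(m.group(1).strip("[]"), int(m.group(2))))
    return found


def exposed_web_ui(ss_output: str, ui_ports: Set[int] = WEB_UI_PORTS) -> List[Listener]:
    """Reporting-UI listeners bound to all interfaces.

    Anything returned here answers on every network the host is attached to. If the
    host's upstream is an unfiltered campus border, that audience is the Internet.
    """
    return [l for l in parse_listeners(ss_output) if l.wildcard and l.port in ui_ports]


def report(ss_output: str) -> List[str]:
    """One human-readable finding per exposed listener."""
    return [
        f"{l.addr}:{l.port} is bound on every interface; bind it to 127.0.0.1 and "
        f"reach it over an SSH tunnel, or filter it at the border"
        for l in exposed_web_ui(ss_output)
    ]


if __name__ == "__main__":
    for finding in report(SAMPLE_SS_OUTPUT):
        print(finding)
```

In the sample, the MySQL socket on 127.0.0.1 and the 8080 service pinned to one campus address are not reported; only the two wildcard binds on the UI ports are. That is the condition under which "no firewall at the border" turns a local reporting page into a public one.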
nice social engineering
I don't see the universities listed anywhere in the article. Which ones are they? We need to know so we can write them letters.
This makes no sense. What are they going to accomplish by going after college kids, who really don't have that much disposable income? It seems counter-productive to me. You piss off a bunch of college kids, who can't afford to spend money on movies anyway, and who are going to earn money in the future, and will probably choose not to spend their money on movies, since the MPAA were being dicks. Not to mention the horrible invasion of privacy and security issues.
can we tag all zonk posts "the end is near! repent!" and move along like we do with all the homeless crazies brandishing tinfoil hats and shouting on the streetcorners?
Any university that installs that has a problem. University networks are constantly "played with" by students, so the IT department has to be on the ball. Any dumb enough to install this probably have had many student hacks already...
Nice. For those of you that didn't read TFA, the toolkit is basically Xubuntu, with some tools like Snort preinstalled.
c++;
Unless a school using the tool has firewalls on the borders of its network designed to block unsolicited Internet traffic -- and a great many universities do not -- that Web server is going to be visible and accessible by anyone with a Web browser.
Seriously - WTF? I've never worked in academia, but that just sounds stupid. Why would such a server be in a dmz?
Given that the aim of the toolkit is supposedly to
then how do they manage it without examining traffic? If the toolkit monitors BitTorrent (and other) ports then that would tell you who is using P2P, but not who is sharing movies. Maybe all that traffic is from students internally torrenting various Linux distros or their garage bands' MP3s.
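The distinction drawn above, between knowing who uses P2P and knowing who is sharing a film, can be made concrete with three tests of increasing strength on the same flows. This is an added example, not code from the toolkit or from the article. The info_hashes, the rights-holder watch list and the sample flows are all constructed; the only real structure used is the BitTorrent peer-wire handshake layout (19, "BitTorrent protocol", 8 reserved bytes, 20-byte info_hash, 20-byte peer_id).

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional

# Classic BitTorrent client ports; a port-only monitor keys on these.
BT_PORTS = range(6881, 6890)
BT_PSTR = b"BitTorrent protocol"
HANDSHAKE_LEN = 1 + len(BT_PSTR) + 8 + 20 + 20   # 68 bytes


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    payload: bytes          # first bytes the initiator sent


def make_handshake(info_hash: bytes, peer_id: bytes = b"-EX0001-000000000000") -> bytes:
    """Build a peer-wire handshake for the sample flows."""
    assert len(info_hash) == 20 and len(peer_id) == 20
    return bytes([len(BT_PSTR)]) + BT_PSTR + b"\x00" * 8 + info_hash + peer_id


def handshake_info_hash(payload: bytes) -> Optional[bytes]:
    """Return the info_hash if payload opens with a peer-wire handshake, else None."""
    if len(payload) < HANDSHAKE_LEN or payload[0] != len(BT_PSTR) or payload[1:20] != BT_PSTR:
        return None
    return payload[28:48]


# Constructed info_hashes standing in for two torrents. A real info_hash is the
# SHA-1 of the torrent's info dictionary; these are SHA-1s of labels.
LINUX_ISO_HASH = hashlib.sha1(b"constructed: xubuntu-desktop.iso").digest()
FILM_HASH = hashlib.sha1(b"constructed: some feature film").digest()

# What a rights holder would have to supply for a content match. Assumed here.
KNOWN_INFRINGING: Dict[bytes, str] = {FILM_HASH: "feature film (constructed)"}


def classify(flow: Flow, watchlist: Dict[bytes, str] = KNOWN_INFRINGING) -> Dict[str, object]:
    """Three progressively stronger tests on one flow."""
    ih = handshake_info_hash(flow.payload)
    return {
        "port_says_p2p": flow.dport in BT_PORTS,                 # uses a BitTorrent port
        "is_bittorrent": ih is not None,                         # actually speaks BitTorrent
        "matched_work": watchlist.get(ih) if ih else None,       # which watched work, if any
    }


def compare_methods(flows: List[Flow]) -> Dict[str, int]:
    """How many flows each method would flag."""
    results = [classify(f) for f in flows]
    return {
        "flagged_by_port": sum(bool(r["port_says_p2p"]) for r in results),
        "flagged_by_protocol": sum(bool(r["is_bittorrent"]) for r in results),
        "matched_known_work": sum(r["matched_work"] is not None for r in results),
    }


# Constructed sample flows using RFC 5737 documentation addresses.
SAMPLE_FLOWS = [
    # port 6881 but it is an SSH session: port heuristic false positive
    Flow("10.0.1.5", "203.0.113.9", 6881, b"SSH-2.0-OpenSSH_4.7\r\n" + b"\x00" * 60),
    # real BitTorrent on the classic port, sharing a Linux ISO: P2P, not infringement
    Flow("10.0.1.6", "198.51.100.7", 6881, make_handshake(LINUX_ISO_HASH)),
    # real BitTorrent on a non-standard port, sharing the watched film: port heuristic miss
    Flow("10.0.1.7", "192.0.2.4", 51413, make_handshake(FILM_HASH)),
    # ordinary TLS client hello: nothing to see
    Flow("10.0.1.8", "192.0.2.5", 443, b"\x16\x03\x01\x00\x00" + b"\x00" * 63),
]

if __name__ == "__main__":
    print(compare_methods(SAMPLE_FLOWS))
```

Of the four flows, the port rule flags two (one of them SSH) and misses the film on port 51413; only reading the handshake identifies BitTorrent, and only a lookup against a list of watched info_hashes says anything about what is shared. Each step up requires looking deeper into the traffic, which is exactly what the "content is never examined" claim denies doing.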
Thank goodness I never lived in University halls.
It just amazes me that no other large news organization has a reporter devoted to covering this stuff full time, as Krebs does. Hell, Krebs isn't even part of the paper; he's attached to the Web site. I guess that says it all. Keep up the great work Brian.
I wonder how much of the data collected will be burnt to disks and sent to Britain.
Pacifist paratroopers yell, "Ghandi!" when they jump.
They're about to become corporate serfs. Give them a four year break from corporate dominance, so they have that much more psychological trauma when they exit school, which will make them the perfect mentally broken spiritual voids who need to buy our products.
Thanks,
The NWO
Anti-Globalism
This toolkit in comparison to instead installing a filter system that the MPAA (the slashdot lame filter sees this as junk characters) would then maintain a database off site from the university ...
But students would find ways around the filter?
vs.
Their toolkit wrongly identifies students as illegal downloaders who actually aren't.
In other words, how is the toolkit going to verify an illegal download, or is it just passing all traffic to the Motion Picture spies?
Somehow this sounds more Hitlerian (tell on your family) than it supports education.
Just because the entertainment industry has found interest in attacking its customers, should the universities follow suit?
All this will be is another challenge for people to find work-arounds. Has any of this stuff actually ever worked? Has any attempt to stifle people downloading ever resulted in anything other than increased downloading? How many times has the RIAA for example, declared victory and "great strides"? Funny that a week or so after a record executive says the RIAA going after consumers was a mistake, the MPAA shows up to take up the gauntlet. And again, down the RIAA path of going after college students. We'll see how that works out for them.
it's all about control and flexing their legal muscles to intimidate the rest of the public into toeing the line. The MPAA is using this to gather more ammo in order to sue the people who are old enough to know what P2P is, who tend to use P2P apps to get music/movies/etc. on a regular basis, and who tend to have limited resources to fight back in court.
Ad astra per aspera (A rough road leads to the stars)
And they said open source wasn't viable for big corporations!
.... That schools that do not install this "tool" will get the lion's share of RIAA lawsuits?
This is my opinion. To make sure you don't steal it, it's covered by the DMCA.
... the hacker team MPAA for this great social engineering attack.
Everyone please remember to distribute those IP addresses of the kit downloaders so we can hit these colleges HARD!
install an anti-MAFIAA toolkit!
:D
1) Install a firewall that sniffs traffic
2) See if it's not bittorrent or bittorrent sites
3) if it is, BLOCK IT
4) Put the MPAA toolkit in a machine behind the firewall! Ta-da!
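The four steps above are a filtering policy, and the part that matters for the story is the ordering: the toolkit host has to be cut off from everyone except IT before the general "campus may talk out" rule, or students (who sit inside the perimeter) still reach the reporting page. The rule evaluator below is an added example, not code from the toolkit or the article. Every address, the admin subnet, the toolkit host, the UI ports and the BitTorrent port range are assumptions for the example; on a real border this logic would be expressed in iptables, nftables or the vendor's ACL syntax.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

IPNet = ipaddress.IPv4Network


@dataclass(frozen=True)
class Rule:
    action: str                        # "allow" or "deny"
    src: IPNet
    dst: IPNet
    dports: Optional[Tuple[int, int]]  # inclusive TCP port range, None = any port


def rule(action: str, src: str, dst: str,
         dports: Union[None, int, Tuple[int, int]] = None) -> Rule:
    """Convenience constructor: dports may be None, a single port, or an (lo, hi) tuple."""
    if isinstance(dports, int):
        dports = (dports, dports)
    return Rule(action, ipaddress.ip_network(src), ipaddress.ip_network(dst), dports)


def matches(r: Rule, src: str, dst: str, dport: int) -> bool:
    if ipaddress.ip_address(src) not in r.src or ipaddress.ip_address(dst) not in r.dst:
        return False
    return r.dports is None or r.dports[0] <= dport <= r.dports[1]


def evaluate(policy: List[Rule], src: str, dst: str, dport: int) -> str:
    """First-match semantics with an implicit final deny, as on most packet filters."""
    for r in policy:
        if matches(r, src, dst, dport):
            return r.action
    return "deny"   # anything unlisted, including all unsolicited inbound, is dropped


# Assumed topology for the example (RFC 1918 inside, RFC 5737 outside).
CAMPUS = "10.0.0.0/8"
ADMIN_NET = "10.0.5.0/24"        # where the IT staff workstations live
TOOLKIT_HOST = "10.0.5.20/32"    # the box running the toolkit
ANYWHERE = "0.0.0.0/0"
BT_CLASSIC = (6881, 6889)        # the port range step 2 keys on
UI_PORTS = (80, 3000)            # Apache and ntop's default; assumed

POLICY = [
    rule("allow", ADMIN_NET, TOOLKIT_HOST, 80),        # step 4: IT may see the Apache page
    rule("allow", ADMIN_NET, TOOLKIT_HOST, 3000),      # ...and the ntop UI
    rule("deny",  ANYWHERE,  TOOLKIT_HOST),            # everyone else, inside or out, is cut off
    rule("deny",  CAMPUS,    ANYWHERE, BT_CLASSIC),    # steps 2-3: block the classic BT ports
    rule("allow", CAMPUS,    ANYWHERE),                # other outbound traffic flows
    # unsolicited inbound falls through to evaluate()'s implicit deny
]


def decide(src: str, dst: str, dport: int) -> str:
    return evaluate(POLICY, src, dst, dport)


if __name__ == "__main__":
    for case in [("198.51.100.7", "10.0.5.20", 80), ("10.0.5.3", "10.0.5.20", 80),
                 ("10.0.1.5", "10.0.5.20", 80), ("10.0.1.5", "203.0.113.9", 6881),
                 ("10.0.1.5", "203.0.113.9", 51413)]:
        print(case, "->", decide(*case))
```

Note what the last case shows: a student client on port 51413 sails through step 2, because a port range only blocks clients that use the classic range. Step 4, by contrast, holds regardless of what the students do, as long as the deny for the toolkit host precedes the campus allow.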
Unless a school using the tool has firewalls on the borders of its network designed to block unsolicited Internet traffic -- and a great many universities do not -- that Web server is going to be visible and accessible by anyone with a Web browser.
Huh? Which Universities are incapable of setting up firewalls to block incoming traffic?
It disgusts me that open source software is being used for this... I'm glad the licenses are open, but there is no solution to prevent this kind of rape on open source to undermine privacy and freedom. I remember a slashdot article awhile ago about a new license that would forbid military use in smart bombs, etc. However, I doubt there is an airtight solution. Does anyone have any ideas?
I think it would be funny as all hell if a college student wrote a retrovirus that effectively performed search and destroy operations on this toolkit!
That's true. I spent the majority of my first week at college figuring out how the firewall worked and bypassing it so me and the other guys in my class could play Quake 3 and stuff :D :P Lots of fun.
Then I reconfigured the network boot process to not load up the (local) firewall so we could download new games to play; it also booted up a hell of a sight faster. I told the IT guys I'd messed with it and left it to them to fix.
College kids may be portrayed as dorky and drunken, but they're smart. And chances are CS students will find a way around this.
What's the value of information that you don't know?
Dear MPAA and RIAA:
You've noticed the number of students who think downloading movies and music via the internet is OK. Well, here's some news for you:
Vox populi, vox Dei.
The MPAA got the same people to write this "tool" as they get to write those super-realistic computer scenes in the movies!
ccalam - acoustic versions of new songs.
mpaaBuddy is an on-screen "intelligent software agent" created by the MPAA, and based upon Microsoft Agent technology. The goal of the program is to help users enrich their online movie experience as they discover digital movies together with the included "mpaaBuddy," which is an animated, purple Tom Cruise. Users can interact with Tom by asking him questions, get recommendations on new movies released by MPAA members, as well as be politely informed when unapproved websites are loaded.
Other features include, an integrated download tracker, movie-related themes, desktops, screen savers, and cute, animated emoticons, bearing a resemblance to top-selling actors. Also included is a desktop search utility that indexes a hard drive's contents in order to allow the user to easily perform searches.
While initial response to the program has been positive, a few early users complain that the program is buggy. "The program keeps changing my home page to a crappy MPAA home page," said one teenager who wished to remain anonymous out of fear of a MPAA-sponsored lawsuit. There have also been complaints of an increase in pop-up advertising.
Doctors destroy health, lawyers destroy justice, universities destroy knowledge, religion destroys spirituality
This is why they don't sue anyone at Harvard, they know in the long run that would create lawyers who dislike them.
but it is ok comrade.
thank God the internet isn't a human right.
If university said ok, but MPAA must bond them against financial losses from lawsuits etc, would MPAA do it?
Will they distribute the source code with it? Will they allow people to freely copy and modify that toolkit? I say, download it, get the tech department to modify it to their liking, and install it! That's what the open source spirit is all about, fixing broken software. I suggest they get fixing that privacy issue first...
Give Kashyyyk back to the Wookies
Also, the software developer is breaking the law. They haven't shipped the modified code they've made (e.g. ntop).
Every third story on slashdot seems to be a bunch of whining about the RIAA by people who just want to steal stuff. Please do us a favour and grow up, stop leeching, or just go the whole way and rename the site digg.com. This is getting boring now.
Does this tool put a lot of load on the network like what port scan and other Brute force hacking tools do?
Does it try to suck up network bandwidth?
You wonder why no large media companies (fixed it for you) have a reporter devoted to this, or even report on it much or do anything but rehash the RIAA/MPAA press statements and never ever examine it.
Follow the money. You might as well ask, why do popular entertainment shows like Futurama show a dislike for things like napster and filesharing in general? Because they are the ones whose files are being shared!
Geez, name a news company that isn't part of some huge media giant. You might start to realize that those who should report on the RIAA/MPAA are in fact its members. Geez, you might as well expect Dell to launch a survey, computers, do we really need them.
What next, do you expect the tobacco industry to report on the dangers of smoking?
Follow the money, who is the person you expect to report on something paid for. There was an issue a few years ago around Oprah when she said something bad about meat. That was just the advertisers complaining. Reporting on the RIAA/MPAA tactics, that will get you a letter direct from the head office "STOP IT".
What next, Rupert Murdoch writing a story "Why it is a bad idea for one guy to own a lot of media"?
MMO Quests are like orgasms:
You may solo them, I prefer them in a group.
Anyone want to download the kit at universitytoolkit.com and make sure all the source is being distributed as well? If they are not making the source available for their little Linux distribution someone should get the GNU to sic their lawyers on them.
Does anyone have a .torrent for the iso?
This sig is intentionally left blank
1. Since the kit is a derivative of the default Xubuntu install, is the MPAA still allowed to ship the kit with Canonical's trademark (Xubuntu) prominently displayed as boot splash?
2. Since the MPAA is distributing GPL'd software aren't they obligated to provide source code for the kit upon request?
3. Is there any MPAA written programs included in the kit? Is it based on GPL software and thus required under the licensing terms to have its source code available upon request?
4. IIRC, Canonical products ship with some proprietary drivers. Since the MPAA kit is a derivative of Xubuntu, does it have permission to distribute the same drivers, or did Canonical get special permission which the MPAA does not have?
5. If the MPAA does not supply any source code that they may be legally obligated to under the GPLv2 license, then can individual copyright holders of the multitude of programs included with Xubuntu give notice that they are revoking the MPAA's right to distribute their software under the provision of Section 4? Section 4 states:
Note that Fyodor terminated SCO's right to distribute Nmap in any of their products under that section, which SCO complied with.
When some research organization loses a federal grant because their institution forced them to violate disclosure rules, the door will open for a much more powerful voice than the MPAA to enter the debate.
-fb Everything not expressly forbidden is now mandatory.
Even if there is a firewall at the perimeter of the school network, all of the students are inside of it!
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
Stop oppressing me with words you commie nazi fascist!
This looks certain to hit the wrong targets, as is wont for the RIAA. All this would identify (if the truth is being told here) are heavy Internet users. That's even worse than their current method of sending questionable IP addresses and times. College should be teaching how the Internet will be a valuable part of your whole life because you can speak to to the entire World through it, but now it would seem you'll be in danger if you ever use it much at all.
From age 14 to 21 I developed a rule regarding movies: I only bother to see a movie if it's porn or action. I lived happily for seven years getting these for free via cable TV (in Israel they used to have free porn on the normal cable channels, but no more...).
Anyhow, at age 21 I discovered the cinematheque. At the cinematheque you only pay $100 per year and you get to see free movies, and not just any movies, but quality movies. The cinematheque had many foreign movies and occasionally some American movie and/or violence (no porn though...). Also, since the cinematheque has selected the movies, you learn about things you did not know before and meet other interesting people with the same taste. The thing I do not understand is, who the fuck wants to actually see movies any other way? I mean most of the movies that the MPAA make are probably just the usual action (hell, they don't even make porn) flick that you can get on TV anyway, so I have to ask, why waste precious bandwidth on their movies, with all the por... er, interesting scientific articles/alternative music/comics to see instead?
two words for mpaa
creative destruction
http://universitytoolkit.com/ (mentioned in the pdf) seems to have some hidden content. The page displays a link to: http://universitytoolkit.com/MPAA_University_Toolkit_Admin_Guide.pdf. If you look at the source, you can notice a link at the bottom which isn't displayed: MPAA_University_Toolkit_Administrators_Guide.pdf (it's a relative link in the source).
This version is slightly longer, with what looks like a section detailing development goals. Can anyone see anything incriminating there?
wish I had mod points... very insightful post
They are distributing software designed to gather evidence of copyright infringement in violation of copyright! The verve! The audacity! We know they know about copyrights. We know they know the penalties.
I hope every contributor to the GPL'd software that they are distributing without a valid license sues them for the maximum legal statutory amount of $150,000 for each of these willful violations. Since the Linux core contains at least 6,000+ files, which would be 6,000+ violations for one copy, I'm sure being hit with a possible judgment of $900,000,000+ per copy would wake them up.
P.S. I downloaded the .iso. Add one to the number of copies.
I've read the article but it's a little thin on details. All I can see is that it has something to do with Xubuntu and installs an Apache webserver on your machine
However, if it installs Apache, what's to stop me just trashing the config file, setting up VirtualHosts that screw with it etc? Or creating some kind of loopback so that when it tries to phone home, it goes nowhere etc etc. Are these things taken into account?
Too bad it's tied back to the industry, as a free and easy to set up network monitoring tool like that would be nice.
---- Booth was a patriot ----
I just went out to http://universitytoolkit.com/ and grabbed my own copy for evaluation purposes...... looking forward to playing with this 'toolkit'
Unix, an obscure operating system developed by bored researchers in an attempt to get a better game playing experience.
I don't get the basic concept. What makes the MPAA think that they even have the right to request to get any kind of their "toolkit" installed on a university network? Who do they think they are to have this kind of jurisdiction over another, independent organisation? Law enforcement or something? Dirty Harry? Some kind of Schwarzenegger?
I would suggest the MPAA to completely abandon digital technology, go back to fully analog production and distribution.
Let's see how much that would raise the cost for them across the board, compared to digital. From that cost increase they can deduct the "piracy loss" and then they could compare if they are actually benefiting from digital technology or not. In the meantime, they can install their analog toolkits up in their own territories, where they have jurisdiction.
Tagged flamebait? Ah, but if the post is accurate, then the RIAA deserves flaming, in the sense of flaming hot coals being tenderly yet firmly ensconced between their buttocks.
I used to buy music online...DRM free and legally. But the RIAA lobbied the US President to make him ask the Russian President to close allofmp3 or else... I suppose Putin was kind of relieved. Can you imagine? He's planning to rebuild and strengthen all the nuclear arsenal and Bush, instead of questioning him on that matter, goes on and asks to close a small internet store! FUNNY to the brim of ridiculous!
Since then I stopped buying Mp3s legally online, note that they were on piracy before and after the above mentioned events. And of course later on the charges against allofmp3 were dropped because they were inconsistent http://www.allofmp3.ru/press.shtml
The RIAA has closed a market opportunity with lobbying (at least one lost a consumer) Those in charge there are really IDIOTS. They just are donkey heads that can't do the math.
Here is the math:
I spend 15$ online get 8 albums = 50% profits estimated (And I suppose they go to Russia, anyway RIAA is known not to be fairer to the artists, see the article below)
I spend 0$ anywhere because of high prices = profits?
Here is the math of Courtney Love online since 2000: http://archive.salon.com/tech/feature/2000/06/14/love/index.html
Have a good read
http://www.universitytoolkit.org/peerwatch-1.2-RC5.iso
;)
dun-dun-dun... If you dare!
"The fight for freedom has only just begun." - Geert Wilders
If those were leaked, I suspect the problem would be fixed quite pronto...
(After the universities got slashdotted, that is.)
We all understand the legal jujitsu that allofmp3 used to find a loophole in the law. The fact that something is legal doesn't make it ethical. It's no more ethical for allofmp3 to bypass copyright law than for the RIAA to abuse it. If you want to be consistent, you should approve of both or neither.
Quick everybody download the ISO from their "secure server," maybe we can slashdot this sucker and make this trash unavailable for a few days :)
How about releasing the movies in a timely manner on a product we want to buy?
Surf's Up hit torrent sites at least a month ago and is just about to appear in Danish cinemas, which means at least another 4-5 months before we can buy it on DVD.
Yeah, they want to get as much money from us as they can by forcing us to go to the cinemas. I did just that tonight to watch Beowulf, my first trip to a cinema for 3-4 months, and I got reminded why I hate it there: the stink of popcorn, the constant yabbering and 25 minutes of commercials before a movie I have paid a premium to watch!
Want us to buy your product? Sell one we want to buy!
(P.s. I don't copy music, I don't copy movies - I do however read books and buy music from indie records (see other thread from yesterday) - I will buy movies when they sell a product that gives me value for my money).
Some interesting facts.
http://taosecurity.blogspot.com/2007/11/examining-mpaa-university-toolkit.html
They are using an old version of snort that has vulnerabilities. I didn't realize the version of snort they are running is from over two years ago!
I sure hope this version they are running isn't vulnerable to this. http://www.kb.cert.org/vuls/id/175500 If so, someone could totally own the box and sniff whatever traffic they want to. All of it including the content.
How could anyone believe for a second this wouldn't be a privacy issue? How the fuck do they intend to discover and then report information that would identify someone sharing files illegally WITHOUT violating those people's privacy?
This is a very interesting situation. The MPAA is attempting to monitor internet traffic at many universities. At the same time, the (US) Department of Defense (DOD) has work being done in collaboration with many universities. I wonder if the DOD is aware and/or approves of MPAA spying on the DOD work? Perhaps someone should clue the DOD in. Anybody care to speculate on who will win a dispute between the MPAA and the DOD. I'll take the Marines, and hope the MPAA gives them a hard time (for a short while, very short while).
Don't you find it a bit weird that it installs OPEN source software to monitor them.... :)
Now if I remember right... if you make a product with GPL software, you must provide the source to it... (not sure about Apache2)
And I know copyright holders can remove the rights of the software to anyone... I'm sure some of the software owners would love to stick it to them.
If it was up to me, and I made GPL software, I sure as hell wouldn't let the MPAA/RIAA use my software.
Dear Stewart D. Mclaurin,
What our students do on the campus network is really none of your fucking business. Comparing physical theft to COPYRIGHT INFRINGEMENT is utter nonsense and holds no basis in reality. I find it amusing that you are trying to impose your limited view on us. I pity anyone who fights the tide of a new understanding. An understanding that if you do not provide what people want, the way they want it, at a low cost with minimal hassle, you will find yourself out of a job as others that are not limited by your constraints will take over for you. The very reason this situation has reached the point of insanity is because your belief system is drenched in a deep sense of greed. Your organization and affiliates have lost all touch with the very people you are trying to serve.
Your actions show that you are unable to understand and accept a long-standing, unexpected shift in the ideas and values of our society. It's time to either alter your perception of the situation or pass the decision making on to the next generation.
Sincerely yours, Presidents from all colleges and universities across the country.
Interestingly, this would probably be illegal in the UK under Part II of the "big brother" RIPA (Regulation of Investigatory Powers Act). Usually we hear about it as an egregious violation of privacy, but on the one occasion I've had to deal with it, I was able to tell a US business partner that there was no way I was going to add in a monitor that they wanted, and give them chapter and verse.
More to the point, several discussions on this have been going on in the higher ed. computer security community, including conversations involving people on closed, vetted lists. The general consensus:
The most likely way for this or similar technology to get shoved onto my network is for the *AA to go directly to the university CIO or president, or get some stupid mandate tacked onto legislation.
In short: If you don't want to see this sort of crap showing up on your local higher ed. network, then you need to make sure your local higher ed. leadership and your local representatives know about the potential problems. They won't listen to me; I'm too close to the issue.