Article 43


Tuesday, December 04, 2007

Spying For the MPA


The MPAA’s UNIVERSITY TOOLKIT (a piece of monitoring software that universities are being asked to install on their networks to spy on students’ communications) has been taken down, due to copyright violations. The Toolkit is based on the GPL-licensed Xubuntu operating system (a flavor of Linux). The GPL requires anyone who makes a program based on GPL’ed code has to release the source code for their program and license it under the GPL. The MPAA refused multiple requests to provide the sources for their spyware, so an Ubuntu developer sent a DMCA notice to the MPAA’s ISP and DEMANDED THAT THE MATERIAL BE TAKEN DOWN as infringing.

MPAA University ‘Toolkit’ Raises Privacy Concerns
By Brian Krebs
Washington Post Blogs
November 23, 2007

The MOTION PICTURE ASSOCIATION OF AMERICA is urging some of the nation’s largest universities to deploy custom software designed to pinpoint students who may be using the schools’ networks to illegally download pirated movies. A closer look at the MPAA’s software, however, raises some serious privacy and security concerns for both the entertainment industry and the schools that choose to deploy the technology.

On Oct. 24, MPAA sent A LETTER to the presidents of 25 universities that the association has identified as top locations for the downloading of pirated movies over online file-sharing networks. In the letter, the group said it “has developed the University Toolkit, an application which can produce a report that is strictly internal and therefore confidential to illustrate the level of file sharing on [your school’s] network. In addition, we will send a hard copy in the near future to your university’s Chief Information Officer.”

Security Fix downloaded the University Toolkit and studied it, with the help of David Taylor, a senior information security specialist with the University of Pennsylvania in Philadelphia. (Taylor’s school was not among those that received the letter.)

What we found was that depending on how a university’s network is set up, installing and using the MPAA tool in its default configuration could expose to the entire Internet all of the traffic flowing across the school’s network.

First, an explanation of what the toolkit is and how it works. The University Toolkit is essentially an operating system (xubuntu) that you can boot up from a CD-ROM. The package bundles some powerful, open-source network monitoring tools, including “Snort,” which captures detailed information about all traffic flowing across a network; as well as “ntop,” a tool used to take data feeds from tools like Snort and display the data in more user-friendly graphics and charts.

The MPAA OVERVIEW OF THE TOOLKIT stresses that the software does not communicate any information about a university’s network back to the association. But in its current configuration, the very first thing the toolkit does once it is fired up is phone home to the MPAA’s servers and check for a new version of the software. So, right away, the MPAA knows the Internet address every computer that is running the software.

The MPAA also claims that using the tool on a university network presents “no privacy issues—the content of traffic is never examined or displayed.” That statement, however, is misleading.

Here’s why: The toolkit sets up an Apache Web server on the user’s machine. It also automatically configures all of the data and graphs gathered about activity on the local network to be displayed on a Web page, complete with ntop-generated graphics showing not only bandwidth usage generated by each user on the network, but also the Internet address of every Web site each user has visited.

Unless a school using the tool has firewalls on the borders of its network designed to block unsolicited Internet traffic—and a great many universities do not—that Web server is going to be visible and accessible by anyone with a Web browser. But wait, you say: Wouldn’t someone need to know the domain name or Internet address of the Web server that’s running the toolkit? Yes. However, anyone familiar enough with the file-naming convention used by the toolkit could use Google to search for the server.

But surely there are ways a network administrator might keep this information from being available to the entire Web, right? Yes. The toolkit allows an administrator to require a username and password for access to the Web server. The problem is that the person responsible for running the toolkit is never prompted to create a username and password. What’s more, while Apache includes a feature that can record when an outsider views the site, that logging is turned off by default in the MPAA’s University Toolkit.

On the surface at least, it was beginning to seem like the MPAA was asking universities to install a black box tool that would allow anyone to wiretap their networks, all the while hiding the tracks of those listening in on the network. So I put a few questions to the MPAA about its toolkit.

Craig Winter, the MPAA’s deputy director for Internet enforcement, said the toolkit was in the “beta” phase. Winter said the MPAA and the developer of the software—Fairfax, Va.-based MANTECH INTERNATIONAL CORP—plan to release another version of the software within “a few weeks.”

When asked about the phone-home update feature of the toolkit, Winter said the MPAA ultimately decided to include the update mechanism so that it could ship a new version when developers had fixed what he said was a “bug” in the ntop software. According to Winter, once the portion of the ntop program that counts the ones and zeros representing how much bandwidth a given connection has used gets to four gigabytes, it resets, starting the counter back at zero again.

Winter emphasized several times that the toolkit was not designed to determine whether someone is infringing on copyrights. “It can tell you how much traffic is going back and forth on BitTorrent [a popular file-sharing service], but it can’t see what’s in those files or what the names of those files are, and it doesn’t communicate anything back to the Internet. “

He added that the MPAA would consider making it mandatory for administrators of the toolkit to set a username and password for the Web server, and that future versions of the software may also ask users if they want to check for updates rather than phoning home automatically each time the toolkit is booted up.

“It’s certainly not a tool intended for us to come and inspect [university networks] without permission,” Winter said. “We wanted to make this as easy to use as possible, to accommodate system administrators who might want to go back to their dorm and monitor it remotely.”

Unfortunately, even with a firewall keeping non-university students from accessing the toolkit’s Web server, any student on the network armed with the Internet address of the Web server could view all of the traffic on his or her segment of the network, said Penn’s Dave Taylor.

The MPAA’s letter campaign and the release of this software package comes as Congress is considering a higher-education funding bill that would place new anti-piracy obligations on universities that participate in federal financial aid programs. Included in that massive bill, which was approved by the House Education and Labor Committee last week, are provisions that would require the very same 25 universities that received the MPAA letter to develop technology-based approaches to keep students from downloading infringing content.

It’s not clear how many—if any—universities are currently using the MPAA’s toolkit. The MPAA itself says it doesn’t know how many have deployed it. Doug Pearson, a technical director of the Research and Education Networking - Information Sharing and Analysis Center (REN-ISAC), said he is not aware of any schools that have installed the toolkit, but that many were still poking and prodding it.

“There are a lot of people trying to figure out exactly what all the thing does and what risks it might present to a network that it’s placed on,” Pearson said.

Steve Worona, director of policy and networking programs at EDUCAUSE, a nonprofit association that promotes the use of information technology in higher learning, said he’d like to think that “no university network administrator in their right mind would install this toolkit on their networks.” But he said some campus IT personnel may fail to dig too deeply into what the device actually does before installing it.

Reached by cell phone on Thanksgiving eve, Worona said he hadn’t had time to investigate the toolkit, but that if Taylor’s report was accurate then the MPAA’s toolkit conjures up memories of the Sony rootkit fiasco. In that saga, Sony got in trouble with privacy and security advocates after it shipped hidden anti-piracy software with a number of music CDs, software that not only destabilized PCs running it but also opened them up to a host of Internet security threats.

“The important thing about the Sony rootkit wasn’t the details about what a rootkit was or why it ended up being put into those CDs, but rather what the intention was versus what the CDs really did,” Worona said. “The MPAA appears to be asking university administrators to run something which could expose sensitive, private data and in the process leave the campus subject to privacy complaints by virtue of student data being exposed.”

If you know of any universities that are using the MPAA toolkit, please post in the comments. We’ll also watch to see if and when MPAA updates the software and whether the update addresses the privacy and security issues raised here.

Update, 10:56 a.m. ET, Nov. 27: A previous version of this blog post incorrectly stated that anti-piracy provisions in a higher-education funding bill approved by the House Education and Labor Committee would cut public funding for schools that did not implement policies and technological measures to combat online copyright infringement. A committee staffer contacted Security Fix to clarify that the bill “bill would not strip financial aid away from a college if students continue to illegally download on campus, and does not make the development of these plans a part of the colleges’ program participation agreement with the Education Department.”


Posted by Elvis on 12/04/07 •
Section Privacy And Rights
View (0) comment(s) or add a new one
Printable viewLink to this article

Seven Deadly Interview Sins

There are a few things to keep in mind when going on a job interview: Don’t get drunk during the meeting. Wear something more professional than jeans and flip-flops. Keep your conversation free from curse words. Know what the company does. Don’t invite your parents to join you on the interview. While these things may seem obvious, a substantial chunk of job seekers violate those rules and oh, so many more.

David Hoffman recalls taking a candidate out for dinner for the final interview. The candidate impressed the hiring committee throughout several rounds of interviews and he was their choice to become a senior consultant at DHR, the Chicago-based executive search firm of which Hoffman is CEO. This informal meeting was the final hurdle. The candidate drank so much scotch that Hoffman had to call an ambulance.

Interviewees: Never forget your judgment is scrutinized at every point of the interview process. That means everything--from what you wear to the language you use--will be examined.

So take a moment, and make yourself aware of 7 deadly interview sins, sure to leave a bad impression:

Showing Up Late

Prospective employers are looking for eager employees to work at their company. Showing up late doesn’t project that impression. Leave early to get there on time. Getting stuck in traffic frazzles most people and that’s not the state of mind to be in on a job interview. But if you get stuck in traffic or there’s an unforeseen situation, call your contact at the job interview and explain why you’re going to be late.

Inappropriately Dressed

The proper attire for a job interview is a suit for men and a suit (or slacks or a skirt) for women. If you’re uncertain about the dress code of a company your default should be a suit. This is true even for jobs that don’t require one daily. The idea is to project success, or at least an understanding of what is appropriate, so dress the part.


Be honest about your experience level. Getting into a job that is over your head is a frustrating situation for you and your employer. Also, never lie on your resume. It’s too easy for a prospective employer to fact-check your resume. Sites like LinkedIn make contacting your former co-workers hassle-free.

Bringing Your Parent On The Interview

There’s been a lot of talk about helicopter parents--the ones who hover around their children and are a part of everything they do. While you might want to discuss the opportunity with your parents, do not have them contact the company or join you on your interview. It makes you seem like a child who can’t make important decisions independently. Employers don’t want to hire someone who has to call his or her parents to get tasks accomplished on the job.

Not Knowing Your Own “History”

Come to the interview prepared to talk about your past experience and interests and how those fit with the company’s mission. Employers like candidates who are enthusiastic about the job, so make it clear why you’ll be a good fit.

Cellphone/Pager Beeping And Buzzing

Shut them off. What is more important than landing the job of your dreams? If someone needs to get in touch with you, they’ll leave a message. Also, it will likely distract you from the discussion you’re having with your prospective employer.

Not asking questions

Show your interest in the company by asking the interviewer specific questions. It shows you’ve done your research and it makes the interview more of a conversation. It also shows how you think--that you reviewed the information and you want to know more.

Credit: Job Seeker Weekly

Posted by Elvis on 12/04/07 •
Section Dealing with Layoff
View (0) comment(s) or add a new one
Printable viewLink to this article
Page 1 of 1 pages


Total page hits 12268709
Page rendered in 0.7838 seconds
40 queries executed
Debug mode is off
Total Entries: 3455
Total Comments: 339
Most Recent Entry: 01/27/2023 09:58 am
Most Recent Comment on: 09/26/2021 05:03 pm
Total Logged in members: 0
Total guests: 11
Total anonymous users: 1
The most visitors ever was 588 on 01/11/2023 03:46 pm

Current Logged-in Members: 

Email Us


Login | Register
Resumes | Members

In memory of the layed off workers of AT&T

Today's Diversion

I hate and I love: why I do so you may well ask. I do not know, but I feel it happen and am in agony. - Catullus


Advanced Search



December 2007
2 3 4 5 6 7 8
9 10 11 12 13 14 15
16 17 18 19 20 21 22
23 24 25 26 27 28 29
30 31          

Must Read

Most recent entries

RSS Feeds

CNN Top Stories

ARS Technica

External Links

Elvis Favorites

BLS and FRED Pages


Other Links

All Posts



Creative Commons License

Support Bloggers' Rights