Friday, November 23, 2007

MPAA University Toolkit Phone Home

This is a follow-up to my story Examining the MPAA University Toolkit.

After reading the hysteria posted on the Slashdot story MPAA College Toolkit Raises Privacy, Security Concerns, I thought I would take a look at traffic leaving the box. Aside from traffic generated by the auto-start of Firefox, the only interesting event was the following. I captured it with my gateway Sguil sensor.

Sensor Name: hacom
Timestamp: 2007-11-23 21:27:04
Connection ID: .hacom_5136150487897024842
Src IP: (
Dst IP: (Unknown)
Src Port: 39532
Dst Port: 80
OS Fingerprint: - UNKNOWN
[S4:61:1:60:M1460,S,T,N,W4:.:?:?] (up: 3 hrs)
OS Fingerprint: -> (link: ethernet/modem)

SRC: GET /version.txt HTTP/1.1
SRC: Accept-Encoding: identity
SRC: Host:
SRC: Connection: close
SRC: User-Agent: Python-urllib/2.5
DST: HTTP/1.1 200 OK
DST: Date: Fri, 23 Nov 2007 21:27:31 GMT
DST: Server: Apache/2.0.52 (Red Hat)
DST: Last-Modified: Fri, 12 Oct 2007 14:14:45 GMT
DST: ETag: "4f4002-7-57333f40"
DST: Accept-Ranges: bytes
DST: Content-Length: 7
DST: Connection: close
DST: Content-Type: text/plain; charset=UTF-8
DST: 1.2-RC3

That's it.


Anonymous said...

I don't follow /., but I do note the following about the MPAA University Toolkit in addition to its inappropriate data disclosure problems.

It does not (and cannot) distinguish between p2p traffic and p2p traffic undesired by the MPAA. It instead flags all p2p traffic. Despite the resulting analysis (traffic content examination, user interviews) necessary to differentiate, they claim that such noisy reports will produce "minimal workload" for IT staff. That's at best laughable.

Such a tool can only be workable in an environment in which prior permission must be granted to send each type of traffic on the network. This describes some military and corporate networks, but certainly not general consumer ISP or university networks.

As a propaganda ploy for the MPAA, who is seeking to drive legislation mandating technical measures against infringement, providing the tool may be useful regardless of how useless that tool actually is. For actually helping flag and correct infringement problems on a real network, however, it's very much worse than useless.

Anonymous said...
This comment has been removed by a blog administrator.