Educause Security Discussion mailing list archives

RIAA timestamps off
From: "Sweeny, Jonny" <jsweeny () IU EDU>
Date: Tue, 25 Sep 2007 11:49:51 -0400

Has anyone else had issues where the RIAA timestamps for DMCA notices
are off?  I don't know how many of you compare them with NetFlow data,
but we've found that when we do, there are often inconsistencies -- the
largest being 41 hours, but more often being 1-10 hours off.  We use
NTP, and are confident about our timestamps, logs and NetFlow data.  The
majority of our recent notices have been for VPN IP addresses (the
turnaround time of that IP space is *very* short) so these errors could
easily lead to misidentification.  We're assuming that the reason
they're sending incorrect timestamps is because their detection
system/application is using cached data.

One recent example for illustration: a connection ends at 16:56 UTC.
Tons of traffic on port 37107 during that session.  The RIAA alleges
(under penalty of perjury) that file sharing occurred at 18:16.  No one
was using that IP address at that time.  NetFlow data confirms that
there was no traffic at 18:16.

Anyone else comparing allegations with NetFlow data?

Anyone else seeing inconsistencies?


Incident Response Manager, Lead Security Analyst
Office of the VP for Information Technology, Indiana University
PGP key & S/MIME cert: https://itso.iu.edu/Jonny_Sweeny
jsweeny () iu edu  p(812)855-4194  f(812)856-1011
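
The comparison described in the message above, sketched as an added example that is not part of the original post or of any Indiana University tooling: it checks one alleged timestamp against address-assignment sessions and NetFlow records and reports how far the allegation is from the nearest matching traffic. The record layouts, the function names, the two-minute slack, the date, the IP address and the user labels are all assumptions; only the 16:56 session end, port 37107 and the 18:16 allegation come from the message.

```python
from datetime import datetime, timedelta, timezone

def ts(s):
    """Parse 'YYYY-MM-DD HH:MM' as a UTC timestamp."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M").replace(tzinfo=timezone.utc)

# Constructed sample data. Only the 16:56 session end, port 37107 and the
# 18:16 allegation come from the post; date, IP and users are placeholders.
IP = "192.0.2.10"
SESSIONS = [  # (ip, user, start, end) from VPN address-assignment logs
    (IP, "user-a", ts("2007-09-20 15:02"), ts("2007-09-20 16:56")),
    (IP, "user-b", ts("2007-09-20 19:40"), ts("2007-09-20 21:05")),
]
FLOWS = [  # (ip, local_port, first_seen, last_seen) from NetFlow
    (IP, 37107, ts("2007-09-20 15:05"), ts("2007-09-20 16:55")),
    (IP, 443, ts("2007-09-20 19:41"), ts("2007-09-20 20:30")),
]

def gap(start, end, t):
    """Distance from t to the interval [start, end]; zero if inside it."""
    if start <= t <= end:
        return timedelta(0)
    return min(abs(t - start), abs(t - end))

def check_notice(ip, alleged, port, slack=timedelta(minutes=2)):
    """Compare one allegation with assignment logs and NetFlow records."""
    holders = [s[1] for s in SESSIONS
               if s[0] == ip and gap(s[2], s[3], alleged) <= slack]
    gaps = [gap(f[2], f[3], alleged) for f in FLOWS
            if f[0] == ip and f[1] == port]
    nearest = min(gaps, default=None)
    if len(holders) > 1:
        verdict = "ambiguous"      # address changed hands within the slack
    elif holders and nearest is not None and nearest <= slack:
        verdict = "consistent"
    else:
        verdict = "inconsistent"   # nobody held the IP, or no matching traffic
    return {"verdict": verdict, "holders": holders, "nearest_flow_gap": nearest}

if __name__ == "__main__":
    print(check_notice(IP, ts("2007-09-20 18:16"), 37107))
```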
