Chasing illegal downloading: It’s not just for Universities anymore

You probably noticed the cheerful note C&IT sent yesterday warning you about illegal filesharing. As you probably know, the RIAA and MPAA are attempting to combat the sharing of their copyrighted files through underground distribution systems such as BitTorrent. They do this by posing as downloaders and trolling for their copyrighted files, then sending an email to the owner of the network that is being used. For many years they have sent emails to Wayne State saying they have found illegal files on some IP address. C&IT is required by the Digital Millennium Copyright Act to find out who was using that IP address and send a ‘take-down’ notice to that person, ordering them to remove the offending files, and we have a fine, automated process to do just that. As we mentioned in the message, there may also be sanctions, such as fines if the address resolves to someone in the Residence Halls, and students are subject to the Student Conduct Code.

Okay, you’ve heard all of this before. What you may not have heard is that RIAA and MPAA are now going after the other internet service providers, beyond universities. They have made agreements with Comcast, AT&T and so on to do the same thing to users of those services (which includes pretty much everybody reading this). So, if you are sharing files illegally, they may go after you. There is a ‘six strikes and you’re out’ rule (i.e. they will warn you six times before they start limiting your download speed). You can read the details here:


A word to the wise.

Oxford University Blocks Google Docs

There was an uproar among the university IT security professionals around the world yesterday. Oxford University (yes, that Oxford) blocked access to Google Docs from its campus on Monday.

In case you haven’t heard of it, Google Docs is a very powerful online collaboration tool. You can treat it like an online word processor or spreadsheet, which you can then access from anywhere you can log in to Google (i.e. from any computer anywhere in the world, or from a tablet or smartphone).

But you can also use it to collect data from the web. You can set up a Google Docs form, which you can then publish, and people can visit it and fill out the form, and you’ll get a spreadsheet with all their data. So, for example, you could do an online course evaluation–set up some questions, give your students the URL (web address) and they can fill it out. It does not record who fills it out (assuming you’ve set it up that way), so responses are anonymous. Last semester I set up an informal mid-semester course evaluation because I was teaching a new course in a subject that was new to me (Computers and Linguistics), and the feedback was very valuable. Many faculty around the world are using it for that, and for many other purposes.

However, phishers around the world are using it for something else–they make it look like a log-in screen from the university’s Help Desk, and ask people to enter their AccessID and password. This gives them a nice database of university credentials, which can then be used to take over (in webspeak pwn) many university-based machines. They can then be used to run spam campaigns

Wayne State received such an attack a couple of weeks ago, and we advised anyone who asked us to tell Google about it. They will respond by taking the form down (there is a ‘report abuse’ button on every form)

So what happened at Oxford? The IT security folks there thought it was taking Google too long to react to complaints (a day is way too long–you could collect hundreds of sets of credentials by then), so they thought they’d teach the Oxford community a lesson by temporarily blocking all access to Google Docs. You can read their (very long, but entertaining message here). As you might expect, this caused considerable consternation on the Oxford campus, and around the world. I subscribe to a security listserv and there was a flurry of posts either approving or not about Oxford IT’s decision. It later got picked up in other university news sources, such as Inside Higher Ed and the Chronicle of Higher Education.

Take-away: phishing is getting more sophisticated. NEVER put your credentials into a link provided in an email, not even ‘from’ C&IT.