Security

The Pirates Among Us

28.04.2003 by Sarah Scalet
The rapid connection of companies to the Internet leads many employees to use the corporate network for swapping music and films. The P2P programs this requires not only open security holes but also bring legal risks for the company.

Source: CIO, USA

To this day, the CIO of a well-respected research organization in California has no idea how someone hacked into his company's computer systems and used them to store and transmit pirated movies and music. He's not even sure how the Motion Picture Association of America (MPAA) learned about the crime before he did. What he does know is this: The film industry association tipped off the FBI, which came knocking, and he hasn't seen the compromised hard drives since - nor does he want to. The CIO wants to be finished with the whole business.

"The MPAA must have ways of detecting illegal use," says the CIO, who spoke on the condition of anonymity to protect the FBI's investigation, which is still active. (Neither the MPAA nor the FBI would comment on the case.) "They contacted us and said our IP address was illegally serving up information, and we said, 'No, that's not possible.'"

Indeed it was.

Fortunately, for him and his organization though, he is done with the whole business. The hard drives cost only a few hundred dollars to replace, and downtime was minimal. In addition, the MPAA didn't pursue legal action because, he says, his organization was an innocent bystander that cooperated fully with the investigation.

But if the entertainment industry has its way, your company might not be as fortunate. The industry is taking steps to hold your company liable if your systems are used to share pirated materials - which could happen either when a hacker invades and loots your free disk space or when your users are busy swapping copies of the latest song from the Dixie Chicks. The warning shots have already been fired: In April 2002, Integrated Information Systems, a high-tech company, paid the Recording Industry Association of America (RIAA) $1 million in an out-of-court settlement, after the company allegedly permitted its employees to share copyrighted MP3 files on its corporate network. Although this may come off as a scare tactic, there are good reasons to protect your company from becoming the entertainment industry's next poster child for copyright infringement. We'll tell you how seriously to take the warnings and how to protect your company - which is easier to do than you might think.

The Entertainment Police

When music industry associations won the court battle to shut down Napster - that giddy but short-lived music-swapping service that made peer-to-peer (P2P) a household phrase - they were just getting started. The entertainment industry is at war with Internet pirates, which it believes are threatening its very livelihood. The MPAA, which estimates that the U.S. film industry loses $3 billion a year from physical piracy alone, is growing increasingly frustrated by how often video files are available on the Internet before the movies are released in theaters or on DVD and video. The RIAA, meanwhile, blames piracy for the 7 percent decrease in the number of compact disc shipments during the first half of 2002. That kind of research causes much eye-rolling among Internet libertarians who believe file-swappers aren't necessarily downloading files they would otherwise purchase, and others who say that a free sample might entice listeners into buying a whole album. But the threat to the industry is real, if overstated.

Part of the problem is organized hacking groups, plain and simple. So-called Warez (pronounced "wares") groups host websites that proffer pirated software, music, movies and pornography. Hackers get bragging rights for being the first to post new files or to crack copyright protection schemes. It's likely that our anonymous CIO's computer systems were being used by one of these groups.

To hear the entertainment industry tell it, though, covert Warez activity on the networks of unassuming companies - the risk of which can be minimized by heeding long-established security best practices - is only background music. Security 101 precautions such as properly configured firewalls, the dogged installation of patches to fix newly discovered software vulnerabilities and even carefully monitored intrusion detection systems will go only so far in preventing illegal activities. That's because, while Napster is no more, dozens of services, such as eDonkey, Gnutella, Grokster and Kazaa, have sprouted in its place - and have earned the reputation of being venues for exchanging pirated files.

These P2P systems, which allow people who download their software to exchange .exes, MP3s, .mpegs and other files directly with one another, have legitimate reasons for being. Some artists like to give away songs or videos to win fans, and the business possibilities of file-swapping are promising enough that Lotus Notes creator Ray Ozzie started a company, Groove Networks, that is working on P2P for the enterprise, with funding from Microsoft. Kazaa, the most popular P2P service in the United States, boasts that its software has been downloaded more than 200 million times.

Citing estimates from third-party analysts who put the number of illegal file downloads at 2.6 billion a month, RIAA President Cary Sherman says, "You're just not going to get those kinds of numbers from people going to Warez sites."

In response, the entertainment industry has launched a campaign the likes of which CIOs haven't seen since the Business Software Alliance and Software Publishers Association started cracking down on pirated software in the mid-1990s. Collectively, the two groups earned a reputation as "the software police," says Ted Claypoole, an attorney for Womble, Carlyle, Sandridge & Rice. "I've been to seminars where representatives have spoken and handed out whistles with their phone numbers on them for people to call and be a whistle-blower. That's what they rely on."

But the entertainment police don't need whistle-blowers. All they have to do is surf the Internet.

Warning Shots

Tom Temple spends his workdays trolling the Internet for free copies of the latest blockbusters. After all, that is what the MPAA pays him to do. "If somebody is using a P2P server or is set up as a P2P server, then we will find it using our search engines," says Temple, director of worldwide Internet enforcement for the MPAA. When he and his team find copyrighted movies online, they mail an infringement notification to the owners of the IP address, warning them of potential liability and asking that the material be removed. When they unearth an operation larger than a single P2P user, they get law enforcement involved.

Colleges - with their high-speed connections and privacy protections - are the bane of Temple's existence. "It's hard for me off the top of my head to think of a university that hasn't gotten a [cease-and-desist] letter from us," he says. It's no wonder then that the MPAA, along with the RIAA, National Music Publishers' Association and Songwriters Guild of America, in October 2002 sent a letter to more than 2,300 college and university presidents urging them to prevent copyright infringement by students. The letter asks schools to create rules against sharing copyrighted materials, and to monitor compliance and impose effective remedies against violators.

Later that month, the associations broadened the audience, sending a similar letter to the CEO or president of every company in the Fortune 1000. "It appears that many corporate network users are taking advantage of fast Internet connections at work by publicly uploading and downloading infringing files on P2P services and also distributing and storing such files on corporate intranets," the letter says. It goes on to warn executives that this use of networks "subjects your employees and your company to significant legal liability under the federal copyright law."

More will follow, warns the RIAA's Sherman. "We've started this as an education campaign, and now we're beginning to do searches. At some point after that we will be more aggressive in terms of enforcement," he says.

Some would say they've been plenty aggressive already. In January, a federal judge in Washington ordered Verizon Communications to reveal to the RIAA the identity of an Internet subscriber suspected of illegally exchanging copyrighted files - a huge blow for critics of the Digital Millennium Copyright Act (DMCA), a controversial law passed in 1998 that gave copyright holders greater power in pursuing copyright infringement cases. Meanwhile, the RIAA has been lobbying Congress to pass legislation that would allow copyright holders to disable file-sharing operations using technical means such as file-blocking or even, critics contend, hacking.

None of this has made the association exactly popular. But it's not only fringe protesters and Web vandals who have been put off by the RIAA's approach. Some members of the university community bristle at the way the RIAA is interpreting a clause in the DMCA that protects Internet service providers from liability if their service is used to share files illegally. This clause is thought by many to exist because of the legal difference between selling Internet access to individuals for their own personal use and giving them a computer and Internet connection to use for work. Universities believe that the safe harbor includes them because they function as ISPs, where students plug their own computers into university networks for Internet access.

"I think that their tactics have been rather heavy-handed," says Paul Morris, CIO of Drake University, who was surprised to learn that Drake's security policy was cited as a model in the letter the entertainment industry sent to universities. "I don't see that the RIAA has any legal basis to take action against universities. They do have a strong ethical case, and I think if they approached this as an ethical issue rather than a legal one, universities might be more receptive."

The industry's vigilance, however, should come as no surprise. The stakes are high. "They're so afraid of losing control of the revenue stream from copyrighted files that for them the sky is falling," says Evan Bauer, a principal research fellow at the Robert Frances Group and former CTO for global infrastructure at Credit Suisse First Boston. "It's good for them if they can create blind panic, especially in the legal department."

How to Protect Your Company

So how seriously should you take what the entertainment industry is doing? Not as seriously as they might like you to, but you need to do something. Organizations that allow illegal files to be stored on their hard drives could indeed open themselves up to millions of dollars of potential liability. So far the entertainment industry - perhaps assuming that companies have their own incentives to try to keep out hackers - has been sympathetic to organizations that inadvertently let hackers into their systems. But the industry is harder on organizations that look the other way when it comes to illegal employee activity. For them, liability is a way to provide that incentive - and prosecuting individuals won't get them far. "If someone has a stolen copy of Shrek that they're serving up to the world, the studio is not going to go after the person; they're going to go after the corporation," Bauer says.

But keeping your company from being hauled into court won't be the most difficult issue you've ever tackled. "The most important thing is having a policy," says Tsvi Gal, senior vice president and CIO of Warner Music Group. "Issue a policy stating that your organization opposes the illegal infringement of copyrighted files and that a person caught doing it on company assets will be subject to discipline. If people understand that it is wrong and that there may be steps taken against them, they will probably cease doing this."

Drake's policy, for example, states that it's not acceptable to "violate the federal copyright law by downloading copyrighted audio, video, graphics or text materials from the Internet without proof of proper licensing arrangements." The policy warns that rule-breakers may lose computing privileges, be suspended or expelled, and will be held liable or prosecuted under state or federal statutes.

Following up on that policy is key, attorneys say. "The worst thing to do is to have a policy that sets a standard that you never enforce," says attorney Bruce Keller, a partner at Debevoise & Plimpton and a leading expert on copyright law. "You've defined the standard to which you're going to hold yourself."

A few technical steps can help enforce the policy. In addition, there are other incentives for doing so. By their very nature, P2P services have security risks. Employees may be inadvertently "sharing" more than they realize and making sensitive documents available publicly, or they may be downloading files that contain viruses and worms. Stopping it can be to your advantage. What's more, cutting down on illegal file-sharing can go a long way toward freeing bandwidth and disk space to be used for other - more productive and legal - activities.

James R. Bottum, vice president for information technology and CIO at Purdue University, opted not to ban P2P software outright but instead to discourage it. First, he and his staff started educating students about why exchanging copyrighted material is not acceptable. Then they limited the amount of bandwidth that any one student could consume, with a process known as traffic shaping. When a student gets close to his bandwidth quota - which is sufficient for typical e-mail and Web surfing but not enough to serve up Seinfeld to everyone in the northern hemisphere - his connection slows down.

Although Bottum won't share specifics, he says the process has paid off. "If you have 80 percent of your bandwidth chewed up by people dragging music and movies around, is that what you want to spend your money on?" Bottum asks. And if you're still not sure of the answer, just call the RIAA or MPAA.