"Toolkit" MPAA Offers Schools to Monitor File-Sharing Traffic More Like a Rootkit

The MPAA is such a kind and giving organization. After compiling a list of the top 25 schools for piracy, it sent them a letter last month offering the free, super-helpful University Toolkit to track naughty file-sharing on their networks. It "can produce a report that is strictly internal and therefore confidential to illustrate the level of file sharing on [your school's] network. In addition, we will send a hard copy in the near future to your university's Chief Information Officer." Of course, the first thing it does is call home. That's before the security holes.

The toolkit's actually a modified version of Xubuntu rolled up with some network monitoring tools like Snort, which "captures detailed information about all traffic flowing across a network," and ntop, which makes pretty graphs from the data produced by Snort.

After you install it, it sets up an Apache Web server that uploads all of the data and graphs to a web page that displays "not only bandwidth usage generated by each user on the network, but also the Internet address of every Web site each user has visited." The kicker is that unless it's properly firewalled, the page is open to anyone and easily Googlable if you know the kit's URL conventions. Yet the MPAA's overview explicitly promises "No privacy issues—the content of traffic is never examined or displayed."

It gets better. The person who installs the toolkit isn't prompted to set up a user/pass to block access to the site, and the default setting is to not log outsider views of the page. Like, say, the MPAA's people. And even with the firewall blocking outsiders, tech-savvy university students can still sneak peeks.
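For admins who want to check their own box for the three gaps just described (no login, reachable from anywhere, views not logged), here is an added example that is not from the toolkit or the MPAA. It assumes Apache 2.4 directive syntax, and both config snippets and all paths in it are constructed for illustration.

```python
# Constructed sample resembling the setup described above: report pages served
# with no login and no access log. Hypothetical paths, not the toolkit's real config.
WEAK_CONF = """
<Directory /var/www/reports>
    Require all granted
</Directory>
"""

# Constructed hardened counterpart (Apache 2.4 syntax): login, internal range, logging.
HARDENED_CONF = """
CustomLog /var/log/apache2/reports_access.log combined
<Directory /var/www/reports>
    AuthType Basic
    AuthName "Traffic reports"
    AuthUserFile /etc/apache2/reports.htpasswd
    <RequireAll>
        Require valid-user
        Require ip 10.0.0.0/8
    </RequireAll>
</Directory>
"""

def directives(conf):
    """Return (lowercased name, args) per directive line, skipping comments and section tags."""
    out = []
    for line in conf.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "<")):
            name, _, args = line.partition(" ")
            out.append((name.lower(), args.strip()))
    return out

def audit(conf):
    """List which of the three exposures this config still has.
    Presence check only: it does not evaluate RequireAny/RequireAll logic."""
    found = directives(conf)
    names = {name for name, _ in found}
    requires = [args.lower() for name, args in found if name == "require"]
    findings = []
    if "authtype" not in names or not any(r.startswith(("valid-user", "user ", "group ")) for r in requires):
        findings.append("no-login")
    if not any(r.startswith(("ip ", "host ", "local")) for r in requires):
        findings.append("no-network-restriction")
    if not names & {"customlog", "transferlog"}:
        findings.append("views-not-logged")
    return findings

if __name__ == "__main__":
    print("weak:", audit(WEAK_CONF))
    print("hardened:", audit(HARDENED_CONF))
```

Basic auth over plain HTTP sends the password in the clear, so a real deployment also needs TLS in front of the report pages.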

To be fair, the MPAA's Craig Winter emphasizes:

"It can tell you how much traffic is going back and forth on BitTorrent [a popular file-sharing service], but it can't see what's in those files or what the names of those files are, and it doesn't communicate anything back to the Internet."

On the upside, no schools appear to have blindly installed it; they are still "poking and prodding it." You know, I almost admire the MPAA's persistence, if only they weren't such assholes about it. [WaPo's Security Fix via Techdirt, Flickr]