A Washington Post article by Brian Krebs details a new piece of spyware that the MPAA is trying to foist on universities. Krebs had the ‘University Toolkit’ tested by security experts and concludes that it is full of holes that could allow third parties to view the gathered information.
From the article:
The MPAA overview of the toolkit stresses that the software does not communicate any information about a university’s network back to the association. But in its current configuration, the very first thing the toolkit does once it is fired up is phone home to the MPAA’s servers and check for a new version of the software. So, right away, the MPAA knows the Internet address of every computer that is running the software.
The MPAA also claims that using the tool on a university network presents “no privacy issues — the content of traffic is never examined or displayed.” That statement, however, is misleading.
Here’s why: The toolkit sets up an Apache Web server on the user’s machine. It also automatically configures all of the data and graphs gathered about activity on the local network to be displayed on a Web page, complete with ntop-generated graphics showing not only bandwidth usage generated by each user on the network, but also the Internet address of every Web site each user has visited.
Unless a school using the tool has firewalls on the borders of its network designed to block unsolicited Internet traffic — and a great many universities do not — that Web server is going to be visible and accessible by anyone with a Web browser. But wait, you say: Wouldn’t someone need to know the domain name or Internet address of the Web server that’s running the toolkit? Yes. However, anyone familiar enough with the file-naming convention used by the toolkit could use Google to search for the server.
But surely there are ways a network administrator might keep this information from being available to the entire Web, right? Yes. The toolkit allows an administrator to require a username and password for access to the Web server. The problem is that the person responsible for running the toolkit is never prompted to create a username and password. What’s more, while Apache includes a feature that can record when an outsider views the site, that logging is turned off by default in the MPAA’s University Toolkit.
On the surface at least, it was beginning to seem like the MPAA was asking universities to install a black box tool that would allow anyone to wiretap their networks, all the while hiding the tracks of those listening in on the network.
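The three weaknesses Krebs describes (the report directory served with no authentication, access logging switched off, and the server reachable from the whole Internet) are all visible in an Apache configuration file, so an administrator can check for them before the box goes live. The script below is an added example for this post, not code from Krebs, the Washington Post or the MPAA toolkit: it embeds two constructed Apache 2.2-style configurations, one resembling the weak default and one hardened, and a small audit function that flags the weak settings. The document root, log paths, `.htpasswd` location and the `10.0.0.0/8` admin subnet are placeholders, not the toolkit's real values.

```shell
#!/bin/sh
# Audit an Apache httpd.conf for the weaknesses described in the article:
# a report directory served without authentication, access logging turned
# off, and a listener exposed to every interface with no client restriction.
# Both configuration samples are constructed for this example; every path
# and address in them is a placeholder, not the toolkit's own.

# Constructed sample resembling the weak default: no AuthType/Require,
# no CustomLog, and "Allow from all" on a listener bound to every interface.
WEAK_CONF='Listen 80
DocumentRoot "/opt/toolkit/www"
<Directory "/opt/toolkit/www">
    Options Indexes
    Order allow,deny
    Allow from all
</Directory>
ErrorLog /dev/null'

# Constructed hardened sample: Basic auth required, access log enabled,
# listener bound to loopback, and clients limited to a placeholder admin subnet.
HARDENED_CONF='Listen 127.0.0.1:80
DocumentRoot "/opt/toolkit/www"
<Directory "/opt/toolkit/www">
    Options -Indexes
    AuthType Basic
    AuthName "Network statistics"
    AuthUserFile /opt/toolkit/.htpasswd
    Require valid-user
    Order deny,allow
    Deny from all
    Allow from 10.0.0.0/8
</Directory>
ErrorLog /var/log/httpd/toolkit_error.log
CustomLog /var/log/httpd/toolkit_access.log combined'

# audit_conf CONFIG_TEXT
# Prints one "FINDING:" line per weakness; returns 0 if clean, 1 otherwise.
audit_conf() {
    conf=$1
    rc=0
    # Authentication: both an AuthType and a Require directive must be present.
    if ! printf '%s\n' "$conf" | grep -Eq '^[[:space:]]*AuthType[[:space:]]' \
       || ! printf '%s\n' "$conf" | grep -Eq '^[[:space:]]*Require[[:space:]]'; then
        echo "FINDING: report directory served without authentication"
        rc=1
    fi
    # Access logging: a CustomLog/TransferLog must exist and not go to /dev/null.
    if ! printf '%s\n' "$conf" | grep -Eq '^[[:space:]]*(CustomLog|TransferLog)[[:space:]]+[^[:space:]]' \
       || printf '%s\n' "$conf" | grep -Eq '^[[:space:]]*(CustomLog|TransferLog)[[:space:]]+/dev/null'; then
        echo "FINDING: access logging disabled, outside viewers leave no trace"
        rc=1
    fi
    # Exposure: a bare "Listen <port>" binds every interface; with "Allow from all"
    # anyone who can route to the host can read the reports.
    if printf '%s\n' "$conf" | grep -Eq '^[[:space:]]*Listen[[:space:]]+[0-9]+[[:space:]]*$' \
       && printf '%s\n' "$conf" | grep -Eiq '^[[:space:]]*Allow[[:space:]]+from[[:space:]]+all'; then
        echo "FINDING: server listens on every interface and allows all clients"
        rc=1
    fi
    return $rc
}

# count_findings CONFIG_TEXT -> number of FINDING lines (0 for a clean config)
count_findings() {
    audit_conf "$1" | grep -c '^FINDING' || true
}

# Usage when run directly against a real file: ./audit.sh /path/to/httpd.conf
if [ "$#" -eq 1 ] && [ -r "$1" ]; then
    audit_conf "$(cat "$1")"
fi
```

Running `audit_conf` on the weak sample reports all three findings; the hardened sample passes cleanly. The checks are deliberately textual (directive names only) so they can run on a host before Apache is ever started, which is the point at which the toolkit's silent defaults would otherwise go unnoticed.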