Kazaa Huzzah!

by Marcia J. Wilson, CCSP Staff Writer
March 24, 2004

"Reprinted from March 14, 2K3"
The expression "Huzzah" is used as an exclamation of great joy. Kazaa is one of the world's most popular peer-to-peer file-sharing applications available, and it's free. Just using the two words together is sure to anger the Recording Industry Association of America (RIAA). It's just as sure to make a few people laugh heartily out loud.

The RIAA contends that people who use such file-sharing applications to share, and thereby distribute, copyrighted material should be treated as criminals. I read of recent court decisions to punish some poor college kids for copyright infringement, and I immediately went to my brood of teenagers and said, "You are going to have to stop using Kazaa now!" Their response: "Mom, you gotta be kidding! We can't afford to buy CDs at $20 a pop. And besides, we'd have to each buy 10 or 15 CDs just to get the few songs we want to mix on our own CDs."

I pointed to the articles in the paper and said something like, "Too bad, uninstall it, or I will!" At this point, I don't care what the legal and political issues are, I just don't want to get sued by anyone. Weak, you say? Yup.

A few weeks ago, several colleagues and I got into a discussion about the morality of using such an application to share and download music. Very fine and ethical people seemed to be divided evenly between opinions: It's totally wrong vs. depends upon what your intent is.

My daughter's intent is to download several popular tunes, mix the songs just the way she wants to, burn them to a CD and use the result for her dance team's drill and performances. (This is high-tech stuff. I can't believe how well and easily she whips through what used to be a complicated process.) It's not like she's selling her CDs for a profit. But, I guess it doesn't matter what she uses them for. The issue seems to be that she didn't pay for the use of the music, no matter how she's using it. Her argument to that is she doesn't pay to listen to the radio. She doesn't pay to watch TV. Why should she pay to listen to music from the Internet? Friends share stuff. Why can't she share music? I tried to explain to her that the speed and reach of the Internet changes the dynamics of sharing in a way that might be financially hurting the creators of the music, but I felt lost.

I decided to conduct an informal poll of colleagues and friends. Here's what I asked them:

As an end user:

1. Do you use Kazaa at home or at work?
   
   
2. Do you feel that using Kazaa to download music and make your own CDs is OK? Why?
   
   
3. Do your kids use Kazaa or a similar utility to download or share music?
   
   
4. Are you worried about your Internet service provider cracking down on individual usage?
   
   
5. Are you worried about getting into trouble at work for usage of Kazaa?

As a network manager or security manager:

1. How do you handle Kazaa users on your network?
   
   
2. Is there any way to stop Kazaa usage?
   
   
3. If so, what is your current strategy?
   
   
4. Do you have a policy that forbids running such utilities on your network?
   
   
5. What are the consequences if any employee violates the policy?
   
   
6. Are your concerns bandwidth-related, security-related or productivity-related?

Here is what people said:

Senior telecommunications manager:

"Kids use it all the time at home. No usage at work!

"Most downloads are illegal. Just look at the music stores that are closing up because no one needs to buy CDs anymore. All one has to do is wait for someone to put something on the network and you can get anything you want [including 'Alice's Restaurant'].

"College networks are a disaster; they are even downloading TV shows. Megabyte files!

"We watch network traffic with our IDS [intrusion-detection system] and find out who is doing something inappropriate and turn it off. Everyone has signed an electronic media policy."

Vice president, business controls:

"We ban all P2P services!

"Don't use it at home or at work.

"It's not OK for two reasons: security risk and copyright violation.

"From a corporate standpoint, the corporation could be liable for copyright infringement.

"We shoot the end users caught using it. No, not really, but we do monitor with the IDS and go to the individual and his/her manager to explain why it's so bad.

"Haven't figured out a way to stop it yet, other than issuing policy, monitoring usage and going after those who do use any P2P.

"My issue is security; network operations is concerned with bandwidth, especially over the WAN links, and as for productivity, that's up to the managers; IM [instant messaging] seems to be a bigger problem."

Information security officer:

"It's not OK. Regardless of your views on the pricing and practices of the RIAA, it's theft. It costs money to record, engineer and produce those songs, and unauthorized downloading of them without paying for them takes money from the artists' pockets. Apple's recently released Music Store is a much better approach in my opinion [see story].

"We have a zero-tolerance policy for Kazaa and other peer-to-peer file-sharing protocols. We monitor closely for any signs of usage and investigate every incident. There have been a few cases when the use was legitimate -- rebuilding a lost, licensed application install CD via files shared on GNUtella. Apart from that, we haven't had many incidents.

"In regards to consequences, anything from reprimand to termination.

"Downloads can steal bandwidth from clients trying to access our Web sites and can cost us money in additional bandwidth fees. Sharing a portion of your hard disk, no matter how closely defined, segregated and monitored, opens a hole in our security measures that others can exploit. Time spent downloading the latest from They Might Be Giants is time not spent doing what you're paid to do."

Senior systems engineer:

"There are several modified versions of Kazaa floating around that install spyware on your machine. I use something called WinMX that doesn't run on the fast-track network."

Systems analyst:

"With a background in broadcasting, I understand the issues, but it's like taping a song off the radio in the old days. I don't think in terms of whether it's right or wrong; it's one of those things I call 'socially legitimate' because everyone does it, like when people always drive faster than the posted speed limit in certain areas because that is the flow of traffic."

Network engineer:

"I personally believe that Kazaa is one of the largest virus depots around, and I believe that anyone connecting to Kazaa [had] better know what they are getting into. I realize that Kazaa now has some virus-scanning protection on their network, but it still requires all ports open inbound and outbound on your firewall and the basic installation creates a shared file system on your computer which allows anyone on the network to access the share."

It appears that the times they are a-changing. I think the RIAA is going to win this one, even if only in formal venues such as educational institutions and corporate settings. Companies aren't going to take the risk of allowing Kazaa on their networks. Parents, on the other hand, are going to have an uphill battle. Maybe there's a market here for home IDS systems?

---

*Note: Some links to stories may no longer function or now require you to register to view.





by Marcia J. Wilson ComputerCops Staff Writer

Marcia J. Wilson holds the CISSP designation and is the founder and CEO of Wilson Secure LLC , a company focused on providing independent network security auditing and risk analysis. She can be reached at .