MIT alarmed by new round of downloading

  • 8/12/2019 MIT alarmed by new round of downloading

    From:
    Sent: 4 2011 S,09AM
    To:
    Cc:
    Subject: Re: MIT Abuse Recurrence

    Hey

    I found it. It's a laptop hidden under a box in the network closet. What would you like to do?

    On Jan 4, 2011, at 2:49 AM, @mit.edu> wrote:

    This is the same guy who, 2 months ago, started the libraries JSTOR wondering if there should be access controls on MIT's journal access... had indicated to back then finding the location of this guy -- his ~ include changing his mac a lot, not using dhcp, fake registration info and downloading entire online journals:

    b24-rtr-3>sh arp | inc 18.55.6.240
    Internet 18.55.6.240 876 004c.e5aO.c756 ARPA Vlan55
    b24-rtr-3>sh arp | inc c756
    Internet 10.124.7.24427 0004.t217.c756 ARPA Vlan1124
    Internet 18.55.7.240 0 004c.e5aO.c756 ARPA Vlan55
    Internet 18.55.6.240 876 004e.e5aO.e756 ARPA Vlan55
    b24-rtr-3>sh int trunk | inc 55
    Gi8/16 55,1055,2055
    b24-rtr-3>sh cdp neigh gig8/16
    in J6-004t-sVv-entry.mit.cdll Gig 8/16 177 R S I WS-C4006 Gig 1/1

    and that's as far as I can go... any help getting the rest of the way would be super.

    thanks

    On Jan 4, 2011, at 1:34 AM, wrote:

    Hey guys, happy new year can you let me know how we're progressing on this issue and if there is anything I can do to assist?

    Begin forwarded message:

    MIT 151

    From: @mit.edu
    Date: January 3, 2011 9:46:48 PM EST
    To: @mit.edu
    Subject: Fwd: MIT Abuse Recurrence

    Happy New Year. Let me know where we are with this. Thanks.

    Sent from my iPhone

    Begin forwarded message:

    was in touch with ~ at JSTOR about this earlier t ~ e his email about the ~ use, and at that time asked in IS&T to investigate whether we can identify anyone associated with the IP address reported, so that we can follow up. (The tool I use to connect an individual user to an IP address had no information for the particular IP.) We are in the process of moving JSTOR to our econtrol system, which as you know offers a more secure authorization process, but we have been waiting to implement that until JSTOR finished work on a special landing page on their site to redirect MIT users who attempt to access JSTOR directly without using our getURL or going through Vera. JSTOR offered to do this to reduce barriers to access for legitimate MIT users. However, it's taken much longer than they anticipated to finalize this special landing page for MIT. Earlier today and I agreed that it would make more sense to move to econtrol now rather than continue to wait for the landing page. Without more information on our end about this incident it is not clear whether econtrol would have prohibited this misuse, but that is one of the things we will try to evaluate right away once I have details from IS&T.

    and I are finalizing the messages that need to go out to our staff and users ~ t move to econtrol (those messages need to be rewritten now that there won't be a special landing page). The switchover to econtrol can happen next week as soon as is back from furlough (we'd need this week to get the communications out anyway, most likely.)

    MIT 152

    Meanwhile keep you posted along the way as I hear anything about this latest case of excessive use. I sent an update to and earlier today but I'm sorry I forgot to copy you on that. I have ~ r back from ~ e t

    f Librariesp

    http://libraries.mit.edu/scholarly

    This is a heck of a way to start the new year. can you please give me a status report on this situation and keep me in the loop as you investigate? We need to escalate the seriousness of our response. This looks like grand theft.

    Thanks

    MIT 153

    From:
    Sent: Monday
    To:
    Cc:
    Subject: FW: MIT Abuse Recurrence

    Dear

    I am sad to have to send this message during the holiday break but I suppose the people who are trying to use MIT to access restricted resources are trying to exploit that opportunity. Once again we are seeing extreme unauthorized activity from MIT. We really need to find out who is doing this; it is malicious and intentional and as best we can tell is coming from inside of MIT.

    Thanks

    ~mber 26, 2010 11:31
    To:
    Cc:
    Subject: MIT Abuse Recurrence

    Good Evening

    I sent the email below a short time ago to inform MIT that the excessive activity returned this afternoon around 12:30 PM. the activity around 9:00 PM when checking on M Oe for something else. The activity did not hit our download thresholds and does not appear to have affected other users' experience. is reporting that we sent them 152824 PDF ~ speculates about the amount of content just pure volume ~ r to imagine what is going on. 87 GBs of PDFs this time that's no small feat requires organization. The script itself isn't very smart but the activity is organized and on purpose.

    MIT 154

    Attempts to identify the user revealed that the computer and network were up to date with patches and didn't have known side doors to hack. does believe that he could trace the IP back to a specific building, which you will see included in my email to MIT.

    I intend to call first thing in the morning. Not sure if all of their staff are off this week or not, but I want to reach out directly and try and work with them to accomplish the most immediate concern, Identifying the user(s) responsible.

    Finally, we do have the proposed login required solution ready, but we had no window to test on both ends after the 12.18 release and had planned to implement it with them in mid-January, once successful testing could be accomplished. And, for clarity, this solution continues to be stressed as a separate workflow from identify the user(s) responsible and secure the content garnered.

    Best,

    2 1 11: 2 PM

    Good Evening,

    We have identified activity this evening around 9:00 pm that resembles the abuse of the JSTOR archive previously reported on 9 5 9 6 and 109 of this year.

    The activity is originating from 18.55.6.240, and we believe that it may be from the Dorrance Building on the MIT campus. We will be suspending the Class C range 18.55.6. and monitoring closely for additional activity, suspending access as necessary.

    MIT 155

    We are requesting that every effort be made to identify the individuals responsible and to ensure that the content taken in this incident and those previously mentioned is secured and deleted. A detailed report of the activity and the content acquired will follow.

    JSTOR Portico

    MIT 156