Tufts Tells Judge, We Can't Tie IP To MAC Addresses
Posted by
kdawson
on Wed Aug 06, 2008 04:21 AM
from the we're-cooperatin'-here dept.
NewYorkCountryLawyer writes "Protesting that Tufts University's DHCP-based systems 'were not designed to facilitate forensic examinations,' but rather to ensure 'smooth operations and to manage capacity issues,' the IT Office at Tufts University has responded to the subpoena in an RIAA case, Zomba v. Does 1-11, by submitting a report to the judge (PDF) explaining why it cannot cross-match IP addresses and MAC addresses, or identify users accurately. The IT office explained that the system identifies machines, not users; that some MAC addresses have multiple users; that only the Address Resolution Protocol system has even the potential to match IP addresses with MAC addresses, but that system could not do so accurately. For reasons which are unclear, the IT department then suggested that the RIAA next time send them 'notices to preserve information,' in response to which they would preserve, rather than overwrite, the DHCP data, for the RIAA's forensic benefit."
hehe (Score:5, Funny)
Next hot network thing: RIAA approved DHCP ;)
Re:hehe (Score:5, Insightful)
How long until it makes law?
We were recently required to explicitly keep something like 6 months worth of call data records (although we keep many years worth already due to customer requirements) so that wasn't such an issue.
However, if ISPs (and universities or other large organisations) were suddenly required to keep track of all IP allocations for 6 months or more it'd cost a bucket load to implement.
Re:hehe (Score:5, Funny)
The universities should provide a server within campus to download music. Problem solved.
Re:hehe (Score:5, Funny)
We should address the real issue here and provide sex to all students!
Corrected for you.
Re:hehe (Score:5, Insightful)
Right, aim high!
Re:hehe (Score:5, Funny)
No I think he's aiming a bit lower.
Re:hehe (Score:5, Funny)
I think you have it backwards. I think it is largely the students that provide porn to us.
Re:You don't have a loghost? (Score:5, Insightful)
And, of course, nobody has *ever* spoofed a MAC Address ....
Re:Be honest (Score:5, Insightful)
True, but I bet that most CIS and IS students know that you CAN do it. Then it becomes a simple matter of googling. The key here is that anyone who has taken a basic networking course has enough knowledge to dispute evidence crucial to the RIAA's case. The fact the RIAA is able to continually present this evidence in a court room tells me that
1. Judges and juries do not know enough about the technology that they are ruling on.
2. The RIAA's experts are deliberately misleading the judges and juries. This is not ethical and should have consequences.
Re:Be honest (Score:5, Insightful)
It's not like every student would have to be going around spoofing MAC addresses. You could have ten kids going around sniffing MAC addresses, then spoofing a different MAC every day to do their file sharing. You could certainly be vulnerable to this without knowing how it works.
Re:You don't have a loghost? (Score:5, Insightful)
Spot on. The lack of clue within the RIAA is mind-numbing.
I suspect the RIAA knows EXACTLY what the technical facts are. But if they can still sue w/o having those get in their way, so much the better! (For them)
Remember this is law, not logic.
Re:Generally? (Score:5, Interesting)
Tech support swears they don't do this, so you have two choices: call/hold/bitch at tech support till they reset your account (locking you into your current router's MAC so you start over if you get another router) or just clone the MAC and start moving packets.
Re:Also (Score:5, Informative)
Spoofed? It can be changed!
http://linuxhelp.blogspot.com/2005/09/how-to-change-mac-address-of-your.html [blogspot.com]
Re:Also (Score:5, Funny)
Out of curiosity, what did you perceive as the difference?
Re:Also (Score:5, Funny)
I wonder how hard it would be to find out what the MAC address of the provost's pc is? Let the spoofing hilarity begin!
Re:hehe (Score:5, Insightful)
Next hot network thing: RIAA approved DHCP ;)
Scary, isn't it?
That's one smug grin i would love to see. (Score:4, Insightful)
Re:That's one smug grin i would love to see. (Score:4, Insightful)
DHCP is not required to keep a mapping between MAC and IP address. At least not at the protocol level. A very minimalistic implementation of a DHCP daemon would only need to keep the IP addresses that it has doled out and for how long - after the expiry time, mark that address as unused. The client, according to the RFC, is supposed to ask for a new IP address and work properly if it gets a new address. That would qualify as conforming under the RFC that spells out DHCP. If you do that and don't store the IP address, you can't reverse the mapping using DHCP - only ARP can.
Last I checked, universities were not required to keep log files, and if you kept log files from the above program (that printed "Issued IP xx.xx.xx.xx at 12:00:00UTC for 4h"), it wouldn't help you in the slightest.
Re:That's one smug grin i would love to see. (Score:5, Informative)
I run an ISP which uses multiple DHCP servers on each layer2 segment. DHCP assignments are logged and kept for a month but quite frequently we get a notice of claimed infringement, spam, or malicious behavior that can't be mapped to an active DHCP assignment at the time stated in the notice. That is not to say that the claimant is making things up, rather that DHCP is not authoritative. A DHCP offer does not need to be taken and even if taken it does not need to be kept. Mac (Not MAC) users seem to have the habit of taking an IP address they have received in the past and setting it as a static IP. I don't use a Mac but this must be in the gui somewhere because it happens all the time.
A dhcp server can't match ip to mac ? Oh sure why not ... if I were the RIAA's lawyer I'd say "then I'm sure you won't mind if I take a look at those logfiles, now will you ?". And then accept their apology in trade for a promise not to persecute this guy personally for lying in court (2 years).
1) User 1 receives a DHCP assignment and sets it as static. They then turn off their laptop after some time.
2) Lease runs out and the address is returned to the pool.
3) User 2 requests an IP and is assigned the same IP (IP1).
4) User1 gets home and turns on their computer and starts sharing "The Wire ...".
5) User2 gets IP conflict message and repairs connection. Gets different IP (IP2) from other DHCP server.
6) HBO sends me a "Notice of Claimed Infringement" for IP1 at time X.
7) I look up who was assigned IP1 at said time and come up with user2.
Looks like we got our match.
And the judge understood it? (Score:5, Interesting)
I suppose in the US you have judges with clue. In the UK it's fuddy duddy old men in wigs who go "What is this 'internet'?".
http://www.theinquirer.net/en/inquirer/news/2007/05/17/judge-has-beatles-moment-over-internet [theinquirer.net]
or maybe he didn't:
http://www.theinquirer.net/en/inquirer/news/2007/05/18/judge-didnt-have-beatles-moment-after-all [theinquirer.net]
Apparently the original story of the judge saying 'Who are the Beatles?' might be a myth anyway...
Re:And the judge understood it? (Score:5, Informative)
What makes you think judges know anything about technology?
That's not a requirement for them. Here, we have sworn in experts for almost every field in existence, from agriculture to zoology. And of course electronics, electrotechnics and yes, even IT. And with the IT field expanding, they're broadening the board of experts in that field.
If a judge doesn't know jack about something, he calls an expert and has him explain what's cooking. What does this or that mean, how does this or that work, is this claim credible, everything. These experts are required by law to give a verifiable and cross-examined report about their findings and expertise, and usually (not always) their claims stand unchallenged by either side, because they usually are actually right.
Of course either side may bring their own experts to the table and discuss it out with the court's expert. And yes, it makes sense to bring your own expert, especially if you're the defendant, since all you have to do is punch holes into the court's expertise. All your expert has to do is create "credible doubt". But, as said before, the experts there are far from dumb (or they don't retain that status, together with the rather good payment, for long), so punching holes into his expertise is already nontrivial.
That whole ordeal is expensive, of course, and usually only warranted if the value of the claim exceeds trivial amounts. Maybe that's the reason why the RIAA (or its sister organisation here) didn't try a multi million charge yet so far. I have good faith that the court's experts alone blow them and their "proof" out of the courtroom before the session even starts.
Re:And the judge understood it? (Score:5, Informative)
I don't know about the US, but in the UK an expert witness must give completely impartial testimony, or face being held in contempt. Whilst a company may hire an expert witness to investigate a case, once they are sworn in they must answer all questions in a completely honest manner, even if it is detrimental to their employer's case. We had a lecture at uni from a guy who worked as an investigative engineering consultant (or something like that). He said he'd quite often inform companies that hired him that maybe they shouldn't take a case to court as he would be obliged to give honest and impartial testimony, and that may not be a good thing for them.
Re:And the judge understood it? (Score:5, Insightful)
You mean judges who know meaningless jargon when they hear it, and want all terms of reference used in their courtroom to be clearly defined.
What, exactly, legally speaking, is a 'website'? Where does one 'website' end and another begin? How does a 'site' differ from a 'page', if at all? Is a 'forum' part of a 'website', or only attached to it? Is there, as the media often says, a 'file sharing website' called 'BitTorrent' on which pirates trade music? What exactly is this 'Web' thing anyway, and how is it distinct from the 'Internet', if at all?
A lot of terms bandied about in common parlance regarding Internet services are very vague, and I'm glad to hear of judges demanding that they be defined clearly and unambiguously when in court.
Re:And the judge understood it? (Score:5, Funny)
How do you define a car? Is an SUV a car? What about a pickup - they're more or less the same size? Is a pickup really a truck?
The answer, of course, is programmatically.
Re:And the judge understood it? (Score:5, Interesting)
Judges ask questions like that in order to ensure clarity. Remember, their cases will still be sitting in archives in hundreds of years' time, potentially to be used as precedent.
While I expect Elvis, Sinatra, The Beatles and other artists of that calibre will be known for a LONG time, at what level do you draw the line? Radiohead? S Club 7? The Cheeky Girls?
By adding less than 30 seconds to the case by the exchange:
"Who or what are the Beatles?"
"A popular beat combo musical band, m'lud. "
not only will humour be created by people saying "Oh, how ignorant judges are!", it ensures that 500 years down the line a case about cockroaches isn't confused by people pulling out the wrong information.
What, me change MAC address? I wouldn't do that... (Score:5, Informative)
Actually, I would and have done that.
Say you are in a situation where you can't connect your laptop to a network, but you can find the MAC address for a computer that is connected to that same network.
1) Disconnect the computer that is connected;
2) Change your laptop MAC (I assume you are all using some variant of GNU/Linux, but whichever, you can find information at http://www.irongeek.com/i.php?page=security/changemac [irongeek.com] which will get you started; there is also a tool available for Ubuntu (and I guess other *nix) which can randomise your MAC, choose a MAC based on a specific company etc.)
3) Connect your laptop to the network in place of the other computer.
Did I mention profit? I never did, but all I wanted to do was not be forced to use Windows and MSIE. (Of course, disconnect your laptop before reconnecting the other computer, having two machines with the same MAC could cause problems.)
So, even if you have a case of having to register your MAC before connecting to the network (which is the case in many places), because it is so easy to spoof MACs, I don't think that you can even reliably connect MAC addresses to a computer (at least in the cases where geeks are around), let alone an IP address to a computer.
Basically, the only way that one should be trying to identify individuals is by using username/password, and even that is potentially problematic. (At my old Uni, to connect to the Wireless network you had to use your network login/password, it then didn't matter which computer you were using. Though in that case, I think the software only worked for MS Windows, the Mac and *nix software for the protocol wasn't up to scratch.)
Re:What, me change MAC address? I wouldn't do that (Score:4, Interesting)
At the dorm I used to live we had to authenticate our computers in order to gain access to the network, this was done via username/password combos. There were several that multiple people knew (mostly to get around bandwidth limits - you'd just jump on another account if you exceeded your quota).
It registered the MAC address at this point, but I doubt they were actually saved, as the quota was obviously tied to the user account and not the MAC.
Re:What, me change MAC address? I wouldn't do that (Score:5, Insightful)
People should understand that a MAC address is no more permanent than an IP address is.
Unfortunately they don't.
Re:What, me change MAC address? I wouldn't do that (Score:5, Insightful)
Yes but the proof the RIAA would bring to the court is not just the IP/MAC address combination. That's just a pretext to grab a random student whose IP happens to match, seize his computer and find thousands of MP3 files in the shared folders of a P2P application. That would then constitute the actual evidence they need.
Re:What, me change MAC address? I wouldn't do that (Score:5, Funny)
One of the IS guys at work came by, checked the number on my ethernet port, then asked if I was the f*cker that changed my MAC address to DE:AD:BE:EF:CA:FE. Yes I was. B00B1E5.
Re:What, me change MAC address? I wouldn't do that (Score:5, Informative)
This is almost exactly what I was thinking: aside from the difficulties and uncertainties of matching an IP to a MAC at any given time in the past, with NAT and everything adding a lot of ambiguity to the whole mess, it's simply not possible to match a MAC address to any given NIC, much less to a user of the computer containing this NIC, let alone establish knowledge or intent of the alleged infringement.
MAC forgery for dummies:
1) start packet sniffer
2) start ping probe of network segment, record ARP replies
3) when you want to forge a MAC address, probe the network segment again
4) use MAC from any host that is not responding, but that you did record the MAC address for previously
5) enter MAC in advanced setting for the network card (in windows, all dummies use windows).
The only thing I can think of to prevent this, is tying the MAC address to the physical port on the router. This is, of course, not possible with a wireless network.
username/password systems won't work reliably either, passwords can be sniffed, keylogged, or brute-forced.
Re:What, me change MAC address? I wouldn't do that (Score:5, Informative)
Username/password is still better than MAC or IP. Yes there are problems, but as I outline below...
Encryption much? Prevents password sniffing. The protocol that my old Uni used was, I think, something based on http://en.wikipedia.org/wiki/Extensible_Authentication_Protocol [wikipedia.org] EAP. No more sharing a single password amongst everyone.
My own computer much? Prevents keylogging. (Not to mention, software keylogging is prevented on lab machines by locking them down and drawing the image down the network when you login. So even if you install keylogging software, if it works at all, it would only work for your login. Hardware keyloggers are expensive/hard to get.)
Brute-forced... Joking much? The password file is stored at the other end of the network, you can't just grab it. And good luck tapping in different passwords by hand, with an enforced three second delay.
Re:What, me change MAC address? I wouldn't do that (Score:4, Informative)
Hardware keyloggers are expensive/hard to get.
O RLY ? http://www.blueunplugged.com/p.aspx?p=121554 [blueunplugged.com]
Re:What, me change MAC address? I wouldn't do that (Score:4, Insightful)
And how the fuck are you going to prevent them? Hide your computers and just let them access the screen, keyboard and mouse?
Unless you put your lab machines in a safe, there is always a way to access the network cables. (Even if it involves pulling the cover away from where they go into the wall.)
DHCP lease logs (Score:5, Interesting)
In both cases the retention notice arrived in such close proximity to the expiration of the ten day retention period of the DHCP data that we were unable to access the data before it was overwritten.
So they used the same excuse twice - log rotation - the RIAA's new enemy.
More like "notice that you're being watched" (Score:5, Insightful)
Nice move on Tufts' part. If they ever do receive such a "notice to preserve", they can relay it straight back to their students and staff and say "look, the RIAA is watching us with a view to screwing you, so behave yourselves" for the duration of such a notice; and if they don't, they have effectively insulated their charges from all further RIAA action. And all whilst looking extremely co-operative for the benefit of the courts...
Re:More like "notice that you're being watched" (Score:4, Insightful)
More interestingly, I would presume that Tufts would be within their rights to use that as a profit center as well. Those things don't preserve themselves, and in most litigation the financial burden of collecting pre-discovery data (and some discovery data) is on the requesting party.
I wouldn't be surprised to find that Tufts would give explicit notice to the faculty/students, as well as charging for the software, installation, maintenance, and storage of custom logging operations. That can get expensive quickly, especially when people are billing hourly and university overhead is often north of 50-60% of direct costs.
Please don't even GIVE them this idea. (Score:5, Insightful)
For reasons which are unclear, the IT department then suggested that the RIAA next time send them 'notices to preserve information,' in response to which they would preserve, rather than overwrite, the DHCP data, for the RIAA's forensic benefit."
I honestly wish Tufts hadn't even suggested this to the RIAA, since we all know this will be the next thing they'll try and have legislated through Congress. One of the congressmen on the RIAA payroll will attempt to slip it into a bill undetected.
They won't limit it to colleges either - they'll probably make it a requirement of ISPs in general.
Why? (Score:4, Insightful)
Why? The RIAA is not a court of law or even a government agency. Surely the university would have no obligation to comply with its requests? Talking about the RIAA in these terms ("notices", "forensic") lends it unwarranted legitimacy and authority.
IP To MAC Addresses? (Score:5, Funny)
Anybody have some MAC addresses from the RIAA? That way people can use those in some semi-random rotating system and they can sue themselves.
After all if the IP can be linked to the MAC, the MAC can be linked to the user, so anybody with that MAC will be guilty.
What a congressman costs... (Score:4, Interesting)
The RIAA and the courts will eventually figure out that any computer forensic logs can be faked, and will not be a reliable means of identifying computer users.
Trying to pin criminal or civil liability on someone based on DHCP logs or ARP tables is sheer stupidity. These records could easily identify multiple users - we aren't talking about DNA evidence here.
The justice system is slow - intentionally. It will take a while before judges get the technical details of this and realize that these identification methods are unreliable.
What worries me is that the RIAA/MPAA will buy enough of congress to legislate unique tokens for computer users and mandatory log retention. It is possible that congress will make all of us (network admins) do the dirty work for private industry. It happened in banking, and it will probably happen again.
I think I need to make another donation to the EFF and to the ACLU. Those organizations might be our only hope.
-ted
And all this time, I thought it would be difficult (Score:4, Funny)
"For reasons which are unclear, the IT department then suggested that the RIAA next time send them 'notices to preserve information..."
So based on the university IT department's willingness to accommodate, I should maybe send Natalie Portman a "Notice That I'd Like A Date", and I could have a reasonable expectation of spending an evening in geek ecstasy?
If all it takes to persuade a major university that it should bend over and drop trou is a freakin' notice, there MUST be hope for me.
Re:Why don't they just come out and say... (Score:4, Insightful)
.. Hey, RIAA, you guys must be pretty stupid if you don't realize that a MAC address can be changed with trivial ease. Therefore, even if we could dredge up the DHCP logs, the IP address to MAC address mapping you are so interested in wouldn't tell you anything anyway.
They don't care. They just want to have someone to sue.
Re:The MAC is not in DHCP leases (Score:4, Informative)
Yes, but once the computer is assigned an IP address, ARP ties the MAC address to the IP address. You could then, in principle, log the mappings by dumping the router's ARP table at regular intervals.
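The two threads above make complementary points: the ISP operator's IP-conflict scenario shows that a DHCP lease log can name the wrong machine, and the last comment suggests periodically dumping a router's ARP table as a second source. The following Python is an added example, not code from the thread, from Tufts or from any ISP: it parses constructed lease-log lines (loosely ISC dhcpd-style DHCPACK messages, an assumed format) and constructed ARP snapshots (loosely `ip neigh`-style, also assumed), answers "which MAC held this IP at time T?" from each source, and flags when the two disagree, reproducing the user1/user2 conflict from the ISP post. The 4-hour lease length, the 30-minute snapshot interval, the addresses and the timestamps are all constructed sample data.

```python
"""Correlate DHCP lease log lines with periodic ARP snapshots.

Added example (not from the thread, Tufts or any ISP). Formats,
lease length and all addresses/timestamps are constructed assumptions.
"""
from __future__ import annotations
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

LEASE_SECONDS = 4 * 3600  # assumption: fixed 4h lease, as in the post above

# Constructed lease log: user1 (…:01) is acked at 08:00 and then sets the
# address static; at 13:00 the expired address is re-issued to user2 (…:02),
# who hits a conflict and is moved to 10.1.2.51 at 13:05.
DHCP_LOG = """\
2008-08-01T08:00:00 dhcpd: DHCPACK on 10.1.2.50 to 00:11:22:33:44:01 via eth0
2008-08-01T13:00:00 dhcpd: DHCPACK on 10.1.2.50 to 00:11:22:33:44:02 via eth0
2008-08-01T13:05:00 dhcpd: DHCPACK on 10.1.2.51 to 00:11:22:33:44:02 via eth0
"""

# Constructed ARP snapshots taken every 30 minutes: from 13:30 on, the
# router actually sees user1's MAC behind 10.1.2.50, not user2's.
ARP_SNAPSHOTS = """\
2008-08-01T13:00:00 10.1.2.50 lladdr 00:11:22:33:44:02 REACHABLE
2008-08-01T13:30:00 10.1.2.50 lladdr 00:11:22:33:44:01 REACHABLE
2008-08-01T13:30:00 10.1.2.51 lladdr 00:11:22:33:44:02 REACHABLE
2008-08-01T14:00:00 10.1.2.50 lladdr 00:11:22:33:44:01 REACHABLE
"""

DHCP_RE = re.compile(r"^(\S+) dhcpd: DHCPACK on (\S+) to ([0-9a-f:]{17}) via \S+$")
ARP_RE = re.compile(r"^(\S+) (\S+) lladdr ([0-9a-f:]{17}) \S+$")


@dataclass(frozen=True)
class Lease:
    ip: str
    mac: str
    start: datetime
    end: datetime


def parse_dhcp(text: str, lease_seconds: int = LEASE_SECONDS) -> list[Lease]:
    """Turn DHCPACK lines into leases; lines that are not ACKs are ignored."""
    leases = []
    for line in text.splitlines():
        m = DHCP_RE.match(line)
        if m:
            ts = datetime.fromisoformat(m.group(1))
            leases.append(Lease(m.group(2), m.group(3), ts,
                                ts + timedelta(seconds=lease_seconds)))
    return leases


def parse_arp(text: str) -> list[tuple[datetime, str, str]]:
    """Return (snapshot time, ip, mac) rows from the ARP snapshot lines."""
    rows = []
    for line in text.splitlines():
        m = ARP_RE.match(line)
        if m:
            rows.append((datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)))
    return rows


def dhcp_holders(leases: list[Lease], ip: str, when: datetime) -> set[str]:
    """MAC named by the latest unexpired lease of `ip` covering `when`.

    Empty set means the log has no lease at all for that moment, which is
    exactly the case for a client that kept an expired address as static."""
    active = sorted((l for l in leases if l.ip == ip and l.start <= when < l.end),
                    key=lambda l: l.start)
    return {active[-1].mac} if active else set()


def arp_holder(snapshots, ip: str, when: datetime,
               max_age: timedelta = timedelta(minutes=30)) -> str | None:
    """MAC from the most recent snapshot for `ip` at or before `when`,
    or None if that snapshot is older than `max_age` (no usable evidence)."""
    prior = [(ts, mac) for ts, sip, mac in snapshots if sip == ip and ts <= when]
    if not prior:
        return None
    ts, mac = max(prior)
    return mac if when - ts <= max_age else None


def attribute(ip: str, when_iso: str, dhcp_text: str = DHCP_LOG,
              arp_text: str = ARP_SNAPSHOTS) -> dict:
    """Answer a notice of the form 'IP at time T' from both sources and
    say whether they agree; disagreement means the attribution is unsafe."""
    when = datetime.fromisoformat(when_iso)
    dhcp = dhcp_holders(parse_dhcp(dhcp_text), ip, when)
    arp = arp_holder(parse_arp(arp_text), ip, when)
    return {"ip": ip, "when": when_iso, "dhcp": sorted(dhcp), "arp": arp,
            "consistent": arp is not None and dhcp == {arp}}


if __name__ == "__main__":
    # The notice from the ISP post: IP1 at a time after user1 powered on.
    print(attribute("10.1.2.50", "2008-08-01T13:45:00"))
```

At 13:45 the lease log alone returns user2's MAC, while the ARP snapshot taken at 13:30 shows user1's MAC; `consistent` is False, which is the signal to stop before naming anyone. Earlier, at 13:10, both sources agree, and at 09:00 the lease log names user1 but no ARP snapshot exists yet, so the function refuses to confirm. Note that a minimal log of the "Issued IP x at t for 4h" kind described further up the thread would not even yield the DHCP column here, since it records no MAC at all.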