Oklahoma Security Expert Attacks RIAA Claims 280
NewYorkCountryLawyer writes "A group of Oklahoma University students has made a motion to vacate the ex parte order the RIAA had obtained compelling the university to turn over their names and addresses. In support of their motion was the expert witness declaration (PDF) of a computer security and forensics expert who essentially attacked the entire premise of the RIAA's lawsuit, characterizing the declaration upon which the RIAA based its motion as 'factually erroneous' and 'misleading.' Among other things he pointed out that 'An individual cannot be uniquely identified by an IP address,' and that 'Many computers can be connected to the Internet with identical IP addresses as long as they remain behind control points.' The students are represented by the same Oklahoma lawyer who recently obtained a award for $68,000-plus in attorneys fees against the RIAA in Capitol v. Foster."
What's taken so long? (Score:5, Informative)
I'm actually ashamed of this, BTW
OSU, not OU (Score:3, Informative)
TFA says the 11 students are at Oklahoma State University (OSU), not that Other University to the south (OU).
[ Yes, I am an alumni of OSU. ]
Many computers, one IP address. (Score:0, Informative)
As usual, the RIAA is full of shit.
Re:Oh come on (Score:5, Informative)
Re:A little oversimplified... (Score:5, Informative)
One thing, though, he could have mentioned - various IP spoofing methods. Imagine you are on a DHCP network (on campus, for example.) You ask for an IP and you will get it, and this will be logged: "00:f0:3e:45:33:66, authorized as belonging to John Doe, asked for an IP and got 10.0.15.213 for 6 hours". Nice. However what if you want to misrepresent yourself? An enterprising student can use ping and arp (if not some better tools) to find out what IP and MAC addresses are online, and once some of those computers go to class (or to sleep, for example,) take over the MAC address and ask for a new DHCP lease ... done, and you have a new shiny IP address, perfectly logged as belonging to John Doe whereas you are someone else entirely.
This would clearly demonstrate that the DHCP has no authentication beyond the MAC address, and that can be easily changed [nthelp.com] on many cards. Any judge, however technically illiterate, can understand that if you can get any identity by just asking then it's pointless to hold the identity owner responsible.
This text, as seen here [windowsecurity.com], would be relevant in the expert's refutation:
Unfortunately it's the very simplicity of DHCP that's actually the problem as far as security goes. No authentication or authorization takes place during an exchange between a DHCP server and DCHP client, so the server has no way of knowing if the client requesting the address is a legitimate client on the network, and the client has no way of knowing if the server that assigned the address is a legitimate DHCP server. The possibility of rogue clients and servers on your network can create all kinds of problems.
Re:As a matter of curiousity... (Score:5, Informative)
That's because it's not in the RIAA's playbook to pick on someone who can fight back.
The articles you're thinking of, by Harvard Law School profs, "Universities to RIAA: Take a Hike" [blogspot.com] and "Protect Harvard from the RIAA" [blogspot.com], urged Harvard and other universities to fight back if the RIAA were to come knocking.... but so far it hasn't come knocking at Harvard.
And don't hold your breath waiting for it to do so.
Re:Sad thing is... (Score:3, Informative)
Re:A little oversimplified... (Score:4, Informative)
Ok, now tell me how hard it is to hack a WEP-enabled wireless network? It takes all of what, 90 seconds?
Re:Sad thing is... (Score:4, Informative)
Mmm.. I doubt it. I'd be surprised if most of the lawyers defending RIAA "victims" (for lack of a better word) are charging their full rates, considering they're mostly defending poor college students.
On the other hand RIAA lawyers aren't paid by the hour, and whether they win or lose their salary is the same (you think they're working for a percentage of a $10,000 settlement?)
They've created a climate of fear, which is all this has been about from the beginning. If they win a case the reward is a pittance to them, if they lose, well, they can afford it. Either way, considering the press it's still generating a lawsuit costs much less and is much more effective than a prime time television ad campaign. Unless there's some way to assign a penalty that really hurts or put a stop to their abuse of the legal system altogether they will continue to sue even if they lose almost every case.
Re:As a matter of curiousity... (Score:3, Informative)
--Dave
Re:Oh come on (Score:3, Informative)
Re:A little oversimplified... (Score:2, Informative)
First, this is an ad hominem attack.
Second, it's not even a very good ad hominem attack. There are a lot of (native English speaking) people that use the plural form (i.e. "codes") instead of treating it as a mass noun (i.e. "code"). It seems to be more common among the older generations of programmers. (I personally think it should be a mass noun, but I'm just pointing out that a significant minority use the plural form. Sort of like "ketchup" vs "catsup".)
Re:As a matter of curiousity... (Score:2, Informative)