Forgot your password?
typodupeerror
The Courts Government News Your Rights Online

Tufts Tells Judge, We Can't Tie IP To MAC Addresses 419

Posted by kdawson
from the we're-cooperatin'-here dept.
NewYorkCountryLawyer writes "Protesting that Tufts University's DHCP-based systems 'were not designed to facilitate forensic examinations,' but rather to ensure 'smooth operations and to manage capacity issues,' the IT Office at Tufts University has responded to the subpoena in an RIAA case, Zomba v. Does 1-11, by submitting a report to the judge (PDF) explaining why it cannot cross-match IP addresses and MAC addresses, or identify users accurately. The IT office explained that the system identifies machines, not users; that some MAC addresses have multiple users; that only the Address Resolution Protocol system has even the potential to match IP addresses with MAC addresses, but that system could not do so accurately. For reasons which are unclear, the IT department then suggested that the RIAA next time send them 'notices to preserve information,' in response to which they would preserve, rather than overwrite, the DHCP data, for the RIAA's forensic benefit."
This discussion has been archived. No new comments can be posted.

Tufts Tells Judge, We Can't Tie IP To MAC Addresses

Comments Filter:
  • hehe (Score:5, Funny)

    by Hougaard (163563) on Wednesday August 06, 2008 @04:28AM (#24493513) Homepage Journal

    Next hot network thing: RIAA approved DHCP ;)

    • Re:hehe (Score:5, Insightful)

      by drspliff (652992) <harry.roberts@NOSPAM.midnight-labs.org> on Wednesday August 06, 2008 @04:33AM (#24493549)

      How long until it makes law?

      We were recently required to explicitly keep something like 6 months worth of call data records (although we keep many years worth already due to customer requirements) so that wasn't such an issue.

      However, if ISPs (and universities or other large organisations) were suddenly required to keep track of all IP allocations for 6 months or more it'd cost a bucket load to implement.

      • I thought that was pretty much standard practice these days.

        Anyway, it's trivial to do.

         

        • by the4thdimension (1151939) on Wednesday August 06, 2008 @06:55AM (#24494287) Homepage
          Still impossible to tie it to a MAC address with any certainty that that MAC address corresponds to the same person now as it did then. For instance, say CompOnwer 1 owns Comp A with MAC 1 uploads a bunch of crap on kazaa. RIAA gets to requesting the info but lags. In the mean time, Comp A is sold to another person on the same campus, becoming CompOwner 2 owning Comp A with MAC 1. The way DHCP works, they are likely to end up with the same IP and same MAC address but its a totally different person.
          • by sgbett (739519) <slashdot@remailer.org> on Wednesday August 06, 2008 @07:12AM (#24494397) Homepage

            And, of course, nobody has *ever* spoofed a MAC Address ....

            • Re: (Score:3, Informative)

              by Kent Recal (714863)

              Spot on. The lack of clue within the RIAA is mindnumbing.
              A MAC-Address is completely meaningless. As in:

              ifconfig eth0 hw ether 00:DE:AD:BE:EF:00

              Entertaining lawsuit indeed.
              But the sour point is that the RIAA apparently still has money to burn... Will it ever end?

          • Re: (Score:3, Informative)

            by bjourne (1034822)
            Not necessarily. Many ISP:s ties the IP address allocation to the socket. It is quite common to do so for student apartments and dormitories. That is, the RIAA could prove, with the universitys help, which network socket the infringing file came from.
            • Re: (Score:3, Informative)

              Not necessarily. Many ISP:s ties the IP address allocation to the socket. It is quite common to do so for student apartments and dormitories. That is, the RIAA could prove, with the universitys help, which network socket the infringing file came from.

              And how exactly does that help? Student housing generally has two to four people in the same room or suite, students sometimes provide their own WAP or wired switches, and students often share their computers with friends.

              The most restrictive arrangements I encountered in over five years as a CIO in higher education was a college that required students to register their MAC address and tied it to the switch port, blocking all other traffic on that port. This arrangement is prone to MAC spoofing as well a

          • by IceCreamGuy (904648) on Wednesday August 06, 2008 @07:52AM (#24494839) Homepage
            Why don't you go a step further and just assume that everyone does their illegal sharing in a virtual machine? Hell, you could change the MAC every day. The possibilities for error by tying an IP to a MAC are pretty boundless.
          • Re: (Score:3, Insightful)

            I guess a working catch phrase might be "hardware is not people".
      • Re:hehe (Score:5, Funny)

        by Sophia Ricci (1337419) on Wednesday August 06, 2008 @05:24AM (#24493775)
        Nobody is addressing real problem. Students are facing hard time downloading music.

        The universities should provide a server within campus to download music. Problem solved.

      • Re: (Score:3, Insightful)

        by The Spoonman (634311)
        were suddenly required to keep track of all IP allocations for 6 months or more it'd cost a bucket load to implement.

        Not necessarily. The easiest way is to just increase your IP pool and lease time. I have Roadrunner, and I've had the same IP for about 10 months now. Now, mine is on 24/7, but even after being offline for a day or so (because of power outages), I'll get the same IP when I reconnect. It doesn't take a large amount of horsepower to store a database of 75,000 IP addresses that only chang
    • Re:hehe (Score:5, Insightful)

      by NewYorkCountryLawyer (912032) * <ray.beckermanlegal@com> on Wednesday August 06, 2008 @06:11AM (#24494011) Homepage Journal

      Next hot network thing: RIAA approved DHCP ;)

      Scary, isn't it?

  • by Deus.1.01 (946808) on Wednesday August 06, 2008 @04:29AM (#24493521) Journal
    I'm sure the ICT department were real sorry they couldnt facilitate RIAA's demands.
  • by Bazman (4849) on Wednesday August 06, 2008 @04:33AM (#24493547) Journal

    I suppose in the US you have judges with clue. In the UK it's fuddy duddy old men in wigs who go "What is this 'internet'?".

    http://www.theinquirer.net/en/inquirer/news/2007/05/17/judge-has-beatles-moment-over-internet [theinquirer.net]

    or maybe he didnt:

    http://www.theinquirer.net/en/inquirer/news/2007/05/18/judge-didnt-have-beatles-moment-after-all [theinquirer.net]

    Apparently the original story of the judge saying 'Who are the Beatles?' might be a myth anyway...

    • by Opportunist (166417) on Wednesday August 06, 2008 @04:42AM (#24493595)

      What makes you think judges know anything about technology?

      That's not a requirement for them. Here, we have sworn in experts for almost every field in existance, from agriculture to zoology. And of course electronics, electrotechnics and yes, even IT. And with the IT field expanding, they're broadening the board of experts in that field.

      If a judge doesn't know jack about something, he calls an expert and has him explain what's cooking. What does this or that mean, how does this or that work, is this claim credible, everything. These experts are required by law to give a verifyable and cross examined report about their findings and expertise, and usually (not always) their claims stands unchallenged by either side, because they usually are actually right.

      Of course either side may bring their own experts to the table and discuss it out with the court's expert. And yes, it makes sense to bring your own expert, especially if you're the defendent, since all you have to do is punch holes into the court's expertise. All your expert has to do is create "credible doubt". But, as said before, the experts there are far from dumb (or they don't retain that status, together with the rather good payment, for long), so punching holes into his expertise is already nontrivial.

      That whole ordeal is expensive, of course, and usually only warranted if the value of the claim exceeds trivial amounts. Maybe that's the reason why the RIAA (or its sister organisation here) didn't try a multi million charge yet so far. I have good faith that the court's experts alone blow them and their "proof" out of the courtroom before the session even starts.

      • by bhima (46039) *

        "Here" where? In the US? I had no idea they did that. I've been in court a few times and never saw anything like that, even though I thought it was needed.

      • by squizzar (1031726) on Wednesday August 06, 2008 @06:09AM (#24493997)

        I don't know about the US, but in the UK an expert witness must give completely impartial testimony, or face being held in contempt. Whilst a company may hire an expert witness to investigate a case, once they are sworn in they must answer all questions in a completely honest manner, even if it is detrimental to their employers case. We had a lecture at uni from a guy who worked as an investigative engineering consultant (or something like that). He said he'd quite often inform companies that hired him that maybe they shouldn't take a case to court as he would be obliged to give honest and impartial testimony, and that may not be a good thing for them.

        • Re: (Score:3, Insightful)

          by Opportunist (166417)

          Generally that's true, of course. Still, a court expert may bring up facts that the opposing side (of a expert brought in by one side) wouldn't think of. The court experts are required to offer all information they consider important to a case, unasked.

          Generally it is frowned upon when they can't at least credibly try to offer information benefitial for both sides, the very last thing one of those "impartial experts" wants is to be accused of offering biased testimonies, something that happens easily when t

      • No they don't (Score:3, Insightful)

        by tjstork (137384)

        Lawyers as a whole, and judges in particular, think that they can "cut to the chase" of a problem and dig into the details of any field by analyzing every activity with respect to the law. So they never grasp the technology per se as much as they extract talking points with which to argue their side. Judges just tend to go with whoever makes the better argument. Expert witnesses and consultants are brought in to boost the credibility of the lawyers and their talking points, not, to help aid in any real u

    • by meringuoid (568297) on Wednesday August 06, 2008 @05:13AM (#24493731)
      I suppose in the US you have judges with clue. In the UK it's fuddy duddy old men in wigs who go "What is this 'internet'?"

      You mean judges who know meaningless jargon when they hear it, and want all terms of reference used in their courtroom to be clearly defined.

      What, exactly, legally speaking, is a 'website'? Where does one 'website' end and another begin? How does a 'site' differ from a 'page', if at all? Is a 'forum' part of a 'website', or only attached to it? Is there, as the media often says, a 'file sharing website' called 'BitTorrent' on which pirates trade music? What exactly is this 'Web' thing anyway, and how is it distinct from the 'Internet', if at all?

      A lot of terms bandied about in common parlance regarding Internet services are very vague, and I'm glad to hear of judges demanding that they be defined clearly and unambiguously when in court.

      • by Viol8 (599362)

        You could say that about many things in life. eg: How do you define a car? Is an SUV a car? What about a pickup - they're more or less the same size? Is a pickup really a truck? What is a truck anyway? Whats the difference between a house and a mansion? etc etc etc.

        Very few things outside mathematics or physics have an absolute carved in stone definition. This is either because theres a whole spectrum of similar things with no clear demarcation anywhere , or , simply because of limitations of human language

    • by bloobloo (957543) on Wednesday August 06, 2008 @07:36AM (#24494669) Homepage

      Judges ask questions like that in order to ensure clarity. Remember, their cases will still be sitting in archives in hundreds of years' time, potentially to be used as precedent.

      While I expect Elvis, Sinatra, The Beatles and other artists of that calibre will be known for a LONG time, at what level do you draw the line? Radiohead? S Club 7? The Cheeky Girls?

      By adding less than 30 seconds to the case by the exchange:

      "Who or what are the Beatles?"
      "A popular beat combo musical band, m'lud. "

      not only will humour be created by people saying "Oh, how ignorant judges are!", it ensures that 500 years down the line a case about cockroaches isn't confused by people pulling out the wrong information.

  • Remember, kids... (Score:5, Insightful)

    by Anonymous Coward on Wednesday August 06, 2008 @04:38AM (#24493575)
    Remember kids: Just because an IP address doesn't necessarily identify a person doesn't mean that copyright infringement is OK.
    • Re: (Score:3, Insightful)

      by fortyonejb (1116789)
      It also doesn't mean spinning the roulette wheel of blame to choose who to pin the infringement on is OK either.
    • Re: (Score:3, Insightful)

      by sm62704 (957197)

      Remember kids: Just because copyright infringement may not be OK doesn't mean you can't share work that the copyright owner WANTS shared. The danger is having downloads go into a shared folder and downloading the RIAA's crap instead. You not only get dreck, but you get sued for your mistake.

      It seems to me that there ought to be proof of intent. If I'm trying to download The Station's The Fog but I get Radiohead's completely different song by the same name instead, why should Radiohead's label be able to sue

  • by apathy maybe (922212) on Wednesday August 06, 2008 @04:44AM (#24493607) Homepage Journal

    Actually, I would and have done that.

    Say you are in a situation where you can't connect your laptop to a network, but you can find the MAC address for a computer that is connected to that same network.

    1) Disconnect the computer that is connected;
    2) Change your laptop MAC (I assume you are all using some variant of GNU/Linux, but whichever, you can find information http://www.irongeek.com/i.php?page=security/changemac [irongeek.com] which will get you started, there is also a tool available for Ubuntu (and I guess other *nix) which can randomise your MAC, choice a MAC based on a specific company etc.)
    3) Connect your laptop to the network in place of the other computer.

    Did I mention profit? I never did, but all I wanted to do was not be forced to use Windows and MSIE. (Of course, disconnect your laptop before reconnecting the other computer, having two machines with the same MAC could cause problems.)

    So, even if you have a case of having to register your MAC before connecting to the network (which is the case in many places), because it is so easy to spoof MAC's, I don't think that you can even reliably connect MAC addresses to a computer (at least in the cases where geeks are around), let alone an IP address to a computer.

    Basically, the only way that one should be trying to identify individuals is by using username/password, and even that is potentially problematic. (At my old Uni, to connect to the Wireless network you had to use your network login/password, it then didn't matter which computer you were using. Though in that case, I think the software only worked for MS Windows, the Mac and *nix software for the protocol wasn't up to scratch.)

    • by Carthag (643047) on Wednesday August 06, 2008 @05:05AM (#24493689) Homepage

      At the dorm I used to live we had to authenticate our computers in order to gain access to the network, this was done via username/password combos. There were several that multiple people knew (mostly to get around bandwidth limits - you'd just jump on another account if you exceeded your quota).

      It registered the MAC address at this point, but I doubt they were actually saved, as the quota was obviously tied to the user account and not the MAC.

    • by huge (52607) on Wednesday August 06, 2008 @05:07AM (#24493697)

      People should understand that MAC address is no more permanent than IP address is.

      Unfortunately they don't.

      • by Stellian (673475) on Wednesday August 06, 2008 @06:16AM (#24494033)

        Yes but the proof RIAA would bring to the court is not just the IP/MAC address combination. That's just a pretext to grab a random student who's IP happens to match, seize his computer and find thousands of MP3 files in the shared folders of a P2P application. That would then constitute the actual evidence they need.

        • Re: (Score:3, Insightful)

          by huge (52607)

          Yes but the proof RIAA would bring to the court is not just the IP/MAC address combination. That's just a pretext to grab a random student who's IP happens to match, seize his computer and find thousands of MP3 files in the shared folders of a P2P application.

          That's exactly the point. It has been established that the IP address on its own is not enough as it can not be tied to single user/pc. That's the reason why they try to use IP/MAC pair to single out the computer they want to confiscate.

          IP/MAC is just as reliable as IP address on its own.

      • by Ratbert42 (452340) on Wednesday August 06, 2008 @06:42AM (#24494199)

        One of the IS guys at work came by, checked the number on my ethernet port, then asked if I was the f*cker that changed my MAC address to DE:AD:BE:EF:CA:FE. Yes I was. B00B1E5.

    • Re: (Score:3, Informative)

      by yakumo.unr (833476)

      On windows, most wired NIC drivers will let you set the "Locally Administered Address" which is your MAC address in the devices advanced properties.

    • Re: (Score:3, Interesting)

      by Anonymous Coward

      And with Wifi, it's even easier (useful for these Kiosk-type nets wthat present you with a login page on first access):

      • tcpdump traffic for a while
      • chose a low-activity mac and matching IP
      • configure victim's mac and IP on your card.
      • no need to even disconnect or remove victim's computer
      • surf ahead!

      Well, occasionally you (or the victim) might get one or the other dropped connection, but in practice, this is extremely rare.

    • by JustKidding (591117) on Wednesday August 06, 2008 @05:11AM (#24493717)

      This is almost exactly what I was thinking: aside from the difficulties and uncertainties of matching an IP to a MAC at any given time in the past, with NAT and everything adding a lot of ambiguity to whole mess, it's simply not possible to match a MAC address to any given NIC, much less to a user of the computing containing this NIC, let alone establish knowledge or intent of the alleged infringement.

      MAC forgery for dummies:
      1) start packet sniffer
      2) start ping probe of network segment, record ARP replies
      3) when you want to forge a MAC address, probe the network segment again
      4) use MAC from any host that is not responding, but that you did record the MAC address for previously
      5) enter MAC in advanced setting for the network card (in windows, all dummies use windows).

      The only thing I can think of to prevent this, is tying the MAC address to the physical port on the router. This is, of course, not possible with a wireless network.

      username/password systems won't work reliably either, passwords can be sniffed, keylogged, or brute-forced.

      • by apathy maybe (922212) on Wednesday August 06, 2008 @05:30AM (#24493809) Homepage Journal

        Username/password is still better then MAC or IP. Yes there are problems, but as I outline below...

        Encryption much? Prevents password sniffing. The protocol that my old Uni used was, I think, something based on http://en.wikipedia.org/wiki/Extensible_Authentication_Protocol [wikipedia.org] EAP. No more sharing a single password amongst everyone.

        My own computer much? Prevents keylogging. (Not to mention, software keylogging is prevented on lab machines by locking them down and drawing the image down the network when you login. So even if you install keylogging software, if it works at all, it would only work for your login. Hardware keyloggers are expensive/hard to get.)

        Brute-forced... Joking much? The password file is stored at the other end of the network, you can't just grab it. And good luck tapping in different passwords by hand, with an enforced three second delay.

        • Re: (Score:2, Insightful)

          by base3 (539820)

          Hardware keyloggers are expensive/hard to get.

          While I've never bought one, they seem to be readily [keyghost.com] available [keydevil.com] although buying one untraceably would be a bit more difficult (but not impossible) which would be a necessary step to avoid having the keylogger found and an investigator simply asking (perhaps under subpoena) the selling company for the purchase information for that (probably serialized) keylogger.

        • by ciderVisor (1318765) on Wednesday August 06, 2008 @06:06AM (#24493985)

          Hardware keyloggers are expensive/hard to get.

          O RLY ? http://www.blueunplugged.com/p.aspx?p=121554 [blueunplugged.com]

        • Aside from the hardware keyloggers, which would take ayd remotely competent freshman CS student a whopping whole Saturday evening to build from scratch (the PS/2 keyboard protocol is very slow, simple en well documented), you reasoning contains one major flaw:

          universities (at least in the Netherlands) are basically government institutions and are run as such. I have yet to see a university with half-way decent network security, given that the network has to be usable by clueless non-CS students (and worse,

      • Re: (Score:3, Insightful)

        by Oidhche (1244906)

        The only thing I can think of to prevent this, is tying the MAC address to the physical port on the router.

        Even this wouldn't prevent it if you can physically access the cables.

  • DHCP lease logs (Score:5, Interesting)

    by Ted Freeman (1319075) on Wednesday August 06, 2008 @05:00AM (#24493673) Homepage
    Nice job from the IT department. They say how difficult it is to extract meaningful information from the ARP cache records, but you don't need them anyway. All they would need to do is keep the DHCP lease logs. Conveniently they

    In both cases the retention notice arrived in such close proximity to the expiration of the ten day retention period of the DHCP data that we were unable to access the data before it was overwritten.

    So they used the same excuse twice - log rotation - RIAAs new enemy.

  • by lysse (516445) on Wednesday August 06, 2008 @05:12AM (#24493721)

    Nice move on Tufts' part. If they ever do receive such a "notice to preserve", they can relay it straight back to their students and staff and say "look, the RIAA is watching us with a view to screwing you, so behave yourselves" for the duration of such a notice; and if they don't, they have effectively insulated their charges from all further RIAA action. And all whilst looking extermely co-operative for the benefit of the courts...

    • by Overzeetop (214511) on Wednesday August 06, 2008 @07:30AM (#24494595) Journal

      More interstingly, I would presume that Tuft's would be within their rights to use that as a profit center as well. Those things don't preserve themselves, and in most litigation the financial burden of collecting pre-discovery data (and some discovery data) is on the requesting party.

      I wouldn't be surprised to find that Tuft's would give explicit notice to the faculty/students, as well as charging for the software, installation, maintenance, and storage of custom logging operations. That can get expensive quickly, especially when people are billing hourly and university overhead is often north of 50-60% of direct costs.

  • by jskline (301574) on Wednesday August 06, 2008 @05:16AM (#24493747) Homepage

    Of course if a regime change happens at the end of the year, you can rest assured that there are certain politicians who will push hard for law changes to formally "outlaw" the use of DHCP in computer networks due to it's haphazard way of handling network IP's, traffic; and because it doesn't know who the user is!...

    What a joke. If you think I'm wrong on this, take a look at the democratic side of the US Congress and look at some discussions that have been bantered about recently! Thats all I'll say on that.

    God I hope and pray we get to replace them all next year! They're all bad.

  • by Lunarsight (1053230) on Wednesday August 06, 2008 @05:20AM (#24493761) Homepage

    For reasons which are unclear, the IT department then suggested that the RIAA next time send them 'notices to preserve information,' in response to which they would preserve, rather than overwrite, the DHCP data, for the RIAA's forensic benefit."

    I honestly wish Tufts hadn't even suggested this to the RIAA, since we all know this will be the next thing they'll try and have legislated through Congress. One of the congressmen on the RIAA payroll will attempt to slip it into a bill undetected.

    They won't limit it to colleges either - they'll probably make it a requirement of ISPs in general.

  • Why? (Score:4, Insightful)

    by Armakuni (1091299) on Wednesday August 06, 2008 @05:36AM (#24493833) Homepage
    For reasons which are unclear, the IT department then suggested that the RIAA next time send them 'notices to preserve information,' in response to which they would preserve, rather than overwrite, the DHCP data, for the RIAA's forensic benefit.

    Why? The RIAA is not a court of law or even a government agency. Surely the university would have no obligation to comply with its requests? Talking about the RIAA in these terms ("notices", "forensic") lends it unwarranted legitimacy and authority.
    • Re: (Score:2, Interesting)

      For reasons which are unclear, the IT department then suggested that the RIAA next time send them 'notices to preserve information,' in response to which they would preserve, rather than overwrite, the DHCP data, for the RIAA's forensic benefit.

      Why? The RIAA is not a court of law or even a government agency. Surely the university would have no obligation to comply with its requests? Talking about the RIAA in these terms ("notices", "forensic") lends it unwarranted legitimacy and authority.

      That's what I want to know. Why?

  • .. Hey, RIAA, you guys must be pretty stupid if you don't realize that a MAC address can be changed with trivial ease. Therefore, even if we could dredge up the DHCP logs, the IP address to MAC address mapping you are so interested in wouldn't tell you anything anyway.

    Please stop feeding the idiots, they foul the footpaths of life.
  • IT to RIAA: (Score:5, Interesting)

    by nimbius (983462) on Wednesday August 06, 2008 @06:02AM (#24493969) Homepage
    you're the reason we aren't keeping logs of this stuff.
  • by Anonymous Coward

    Everyone has missed the point. The DHCP protocol does not use MAC addresses to identify clients. It uses client identifiers, which can be any unique string. The fact the *windows* chooses to use the mac address as a client identifier is beside the point. Who says the client being investigated is using windows?

    I expected more from the MS-bashing Slashdot crowd. Apparently you are all windows users.

    • by jeremyp (130771) on Wednesday August 06, 2008 @06:53AM (#24494259) Homepage Journal

      Yes, but once the computer is assigned an IP address, ARP ties the MAC address to the IP address. You could then, in principle, log the mappings by dumping the router's ARP table at regular intervals.

    • Everyone has missed the point. The DHCP protocol does not use MAC addresses to identify clients. It uses client identifiers, which can be any unique string. The fact the *windows* chooses to use the mac address as a client identifier is beside the point. Who says the client being investigated is using windows?

      I expected more from the MS-bashing Slashdot crowd. Apparently you are all windows users.

      So it's time for someone to write a tiny little app that changes the client identifier for the Windows DHCP protocol.

      As for non-Windows users didn't someone in another post mention an auto MAC changer?

      What I'd love to see here is an MIT style hack where all of a sudden the students put all the computers behind NATs with MAC addresses that match faculty workstations.

      MAFIAA:"Okay Professor you now owe us $500K."

    • Re: (Score:3, Informative)

      by Phroggy (441)

      Uh, that completely depends on how you've chosen to set it up. My DHCP server sees the client ID you send, logs it, and ignores it completely, using only your MAC address to determine what IP address to assign you (either a static IP I've configured, or a dynamic IP from the pool).

      I'm sure I could set it to use the client ID instead, but I'd have to RTFM to figure out how. I know there are some cable companies that use the client ID to determine who you are and won't give you an IP if your client ID isn't

  • by houghi (78078) on Wednesday August 06, 2008 @06:18AM (#24494051)

    Anybody have some MAC addresses from the RIAA? That way people can use those in some semi-random rotating system and they can sue themselves.

    After all if the IP can be linked to the MAC, the MAC can be linked to the user, so anybody with that MAC will be guilty.

    • Re: (Score:3, Funny)

      by Carthag (643047)

      Maybe the RIAA is already spoofing *our* MAC addresses so they have random people to sue!

    • Re: (Score:3, Informative)

      by OeLeWaPpErKe (412765)

      In advising this to people, I'm sure you know what will happen to a network (and to the helpdesk of said network) when multiple people start using the same mac-address, right ?

  • by Anonymous Coward

    ... then you're liable! I'm expecting the courts to come up with that simple principle. Kinda like when your car is caught speeding: identify the driver or pay the fine.

    That, of course, will make not only university LAN's but also corporate LAN's much more expensive to build. It'll also make it difficult to support multi-user machines as you'd have to tie each and every TCP connection to a user.

    And after that liability scheme collapses under its own weight, we'll be rid of the whole copyright nonsense.

  • My cheap-ass router (4-port) allows me to make up a MAC address to use. I could, theoretically, post crap to Kazaa under MAC address #1, and then change to a completely different MAC Address (and new IP to go with it). What's the RIAA gonna do about that? As far as they know, I didn't do anything....

  • by zerofoo (262795) on Wednesday August 06, 2008 @07:26AM (#24494561)

    The RIAA and the courts will eventually figure out that any computer forensic logs can be faked, and will not be a reliable means of identifying computer users.

    Trying to pin criminal or civil liability on someone based on DHCP logs or ARP tables is sheer stupidity. These records could easily identify multiple users - we aren't talking about DNA evidence here.

    The justice system is slow - intentionally. It will take a while before judges get the technical details of this and realize that these identification methods are unreliable.

    What worries me is that the RIAA/MPAA will buy enough of congress to legislate unique tokens for computer users and mandatory log retention. It is possible that congress will make all of us (network admins) do the dirty work for private industry. It happened in banking, and it will probably happen again.

    I think I need to make another donation to the EFF and to the ACLU. Those organizations might be our only hope.

    -ted

  • by hyades1 (1149581) <hyades1@hotmail.com> on Wednesday August 06, 2008 @08:08AM (#24495059)

    "For reasons which are unclear, the IT department then suggested that the RIAA next time send them 'notices to preserve information..."

    So based on the university IT department's willingness to accommodate, I should maybe send Natalie Portman a "Notice That I'd Like A Date", and I could have a reasonable expectation of spending an evening in geek ecstasy?

    If all it takes to persuade a major university that it should bend over and drop trou is a freakin' notice, there MUST be hope for me.

  • by Skapare (16644) on Wednesday August 06, 2008 @11:25AM (#24498479) Homepage

    They can tie an IP address to a MAC address, although with less than total certainty. But, depending on how the network is wired, there is also no total certainty in tying a MAC address to a specific ethernet controller (and hence to a student). If their network is ethernet technology based, a MAC address can "float" from one port to another, even if there is a time delay in that from a switch flushing its cache.

    All someone has to do is know the MAC addresses of other computers in the LAN. This can be known by sending IP packets to each of the addresses in the subnet, and checking what MAC addresses respond (and seen in the local ARP table). By scanning this network periodically, they can discover which computers get turned off or unplugged. As soon as that happens, the MAC address of the computer no longer responding is fed over to another computer which has an ethernet controller which allows substituting the MAC address by software. That other computer then assumes the MAC address and its associated IP address. Most ethernet switches will eventually associate that MAC address with a new port. Usually I see that happening within 3 to 10 seconds (the computer on the new port has to be sending ethernet frames with that MAC address as the source, plus some other computer trying to send ethernet frames to that MAC address). In the worst case I've seen it took 2 minutes for the switch to figure out where the MAC address "moved" to.

    Once the switch associates the MAC address with a new port, the computer there can do whatever they want and there and it will be known under the original MAC and IP addresses.

    There are means to prevent this. But would these means be implemented and deployed? One is for the switch to be configured to disallow a MAC address to move to another port. But that can make life difficult for students in dorms, where students with laptops, and even students with towers, are known to gather in one room, or a commons area, to work on things together with multiple computers (whether it is class work or otherwise). Another possibility is for the switch itself to log any port changes. That would at least reveal which dorm room a given MAC was "stolen" from. A more secure network would force all communications through an encrypted tunnel within the ethernet infrastructure, but this would be costly, impact performance, and require special drivers and/or proxies.

    Imagine a plot of degree of security vs. cost. As you get close to 100% security, the cost begins to rise dramatically. At some point the cost of more security exceeds the potential loss due to that security not being 100%. Of course the **AA's would like to see their own losses figured into that, and without them having to pay for the extra security. The reality is, most schools will not achieve 100% security on their networks, and aside from the issue of piracy, will not be concerned with it. It's the same as the issue of how well do you secure your home from burglars. For most people it's just not worth tens of thousands of dollars in security equipment to protect tens of thousands of dollars of property. People like Bill Gates would certainly have a lot more security at home. But he's the exception. I'd expect the restricted areas of government intelligence agencies to have far more network security than any college or university.

    So what it comes down to is, even the one and only student named as the user of a given MAC/IP combination, and even if their own computer was kept perfectly secure, may be just as much a victim of someone else doing the piracy, as the content owners are. And we know from history, the **AA's don't really care about making sure they have the true pirate.

    If they would like to see the schools achieve 100% total security, maybe they should pay for it. Of course they don't want to. They want someone else to pay for maintaining their profit margins, even if that means raising taxes and/or tuition.

"Don't worry about people stealing your ideas. If your ideas are any good, you'll have to ram them down people's throats." -- Howard Aiken

Working...