Tufts Tells Judge, We Can't Tie IP To MAC Addresses 419
NewYorkCountryLawyer writes "Protesting that Tufts University's DHCP-based systems 'were not designed to facilitate forensic examinations,' but rather to ensure 'smooth operations and to manage capacity issues,' the IT Office at Tufts University has responded to the subpoena in an RIAA case, Zomba v. Does 1-11, by submitting a report to the judge (PDF) explaining why it cannot cross-match IP addresses and MAC addresses, or identify users accurately. The IT office explained that the system identifies machines, not users; that some MAC addresses have multiple users; that only the Address Resolution Protocol system has even the potential to match IP addresses with MAC addresses, but that system could not do so accurately. For reasons which are unclear, the IT department then suggested that the RIAA next time send them 'notices to preserve information,' in response to which they would preserve, rather than overwrite, the DHCP data, for the RIAA's forensic benefit."
Re:And the judge understood it? (Score:5, Informative)
What makes you think judges know anything about technology?
That's not a requirement for them. Here, we have sworn in experts for almost every field in existance, from agriculture to zoology. And of course electronics, electrotechnics and yes, even IT. And with the IT field expanding, they're broadening the board of experts in that field.
If a judge doesn't know jack about something, he calls an expert and has him explain what's cooking. What does this or that mean, how does this or that work, is this claim credible, everything. These experts are required by law to give a verifyable and cross examined report about their findings and expertise, and usually (not always) their claims stands unchallenged by either side, because they usually are actually right.
Of course either side may bring their own experts to the table and discuss it out with the court's expert. And yes, it makes sense to bring your own expert, especially if you're the defendent, since all you have to do is punch holes into the court's expertise. All your expert has to do is create "credible doubt". But, as said before, the experts there are far from dumb (or they don't retain that status, together with the rather good payment, for long), so punching holes into his expertise is already nontrivial.
That whole ordeal is expensive, of course, and usually only warranted if the value of the claim exceeds trivial amounts. Maybe that's the reason why the RIAA (or its sister organisation here) didn't try a multi million charge yet so far. I have good faith that the court's experts alone blow them and their "proof" out of the courtroom before the session even starts.
What, me change MAC address? I wouldn't do that... (Score:5, Informative)
Actually, I would and have done that.
Say you are in a situation where you can't connect your laptop to a network, but you can find the MAC address for a computer that is connected to that same network.
1) Disconnect the computer that is connected;
2) Change your laptop MAC (I assume you are all using some variant of GNU/Linux, but whichever, you can find information http://www.irongeek.com/i.php?page=security/changemac [irongeek.com] which will get you started, there is also a tool available for Ubuntu (and I guess other *nix) which can randomise your MAC, choice a MAC based on a specific company etc.)
3) Connect your laptop to the network in place of the other computer.
Did I mention profit? I never did, but all I wanted to do was not be forced to use Windows and MSIE. (Of course, disconnect your laptop before reconnecting the other computer, having two machines with the same MAC could cause problems.)
So, even if you have a case of having to register your MAC before connecting to the network (which is the case in many places), because it is so easy to spoof MAC's, I don't think that you can even reliably connect MAC addresses to a computer (at least in the cases where geeks are around), let alone an IP address to a computer.
Basically, the only way that one should be trying to identify individuals is by using username/password, and even that is potentially problematic. (At my old Uni, to connect to the Wireless network you had to use your network login/password, it then didn't matter which computer you were using. Though in that case, I think the software only worked for MS Windows, the Mac and *nix software for the protocol wasn't up to scratch.)
Re:What, me change MAC address? I wouldn't do that (Score:3, Informative)
On windows, most wired NIC drivers will let you set the "Locally Administered Address" which is your MAC address in the devices advanced properties.
Re:What, me change MAC address? I wouldn't do that (Score:5, Informative)
This is almost exactly what I was thinking: aside from the difficulties and uncertainties of matching an IP to a MAC at any given time in the past, with NAT and everything adding a lot of ambiguity to whole mess, it's simply not possible to match a MAC address to any given NIC, much less to a user of the computing containing this NIC, let alone establish knowledge or intent of the alleged infringement.
MAC forgery for dummies:
1) start packet sniffer
2) start ping probe of network segment, record ARP replies
3) when you want to forge a MAC address, probe the network segment again
4) use MAC from any host that is not responding, but that you did record the MAC address for previously
5) enter MAC in advanced setting for the network card (in windows, all dummies use windows).
The only thing I can think of to prevent this, is tying the MAC address to the physical port on the router. This is, of course, not possible with a wireless network.
username/password systems won't work reliably either, passwords can be sniffed, keylogged, or brute-forced.
Re:What, me change MAC address? I wouldn't do that (Score:5, Informative)
Username/password is still better then MAC or IP. Yes there are problems, but as I outline below...
Encryption much? Prevents password sniffing. The protocol that my old Uni used was, I think, something based on http://en.wikipedia.org/wiki/Extensible_Authentication_Protocol [wikipedia.org] EAP. No more sharing a single password amongst everyone.
My own computer much? Prevents keylogging. (Not to mention, software keylogging is prevented on lab machines by locking them down and drawing the image down the network when you login. So even if you install keylogging software, if it works at all, it would only work for your login. Hardware keyloggers are expensive/hard to get.)
Brute-forced... Joking much? The password file is stored at the other end of the network, you can't just grab it. And good luck tapping in different passwords by hand, with an enforced three second delay.
Re:What, me change MAC address? I wouldn't do that (Score:4, Informative)
Hardware keyloggers are expensive/hard to get.
O RLY ? http://www.blueunplugged.com/p.aspx?p=121554 [blueunplugged.com]
The MAC is not in DHCP leases (Score:2, Informative)
Everyone has missed the point. The DHCP protocol does not use MAC addresses to identify clients. It uses client identifiers, which can be any unique string. The fact the *windows* chooses to use the mac address as a client identifier is beside the point. Who says the client being investigated is using windows?
I expected more from the MS-bashing Slashdot crowd. Apparently you are all windows users.
Re:And the judge understood it? (Score:5, Informative)
I don't know about the US, but in the UK an expert witness must give completely impartial testimony, or face being held in contempt. Whilst a company may hire an expert witness to investigate a case, once they are sworn in they must answer all questions in a completely honest manner, even if it is detrimental to their employers case. We had a lecture at uni from a guy who worked as an investigative engineering consultant (or something like that). He said he'd quite often inform companies that hired him that maybe they shouldn't take a case to court as he would be obliged to give honest and impartial testimony, and that may not be a good thing for them.
Re:The MAC is not in DHCP leases (Score:4, Informative)
Yes, but once the computer is assigned an IP address, ARP ties the MAC address to the IP address. You could then, in principle, log the mappings by dumping the router's ARP table at regular intervals.
Re:You don't have a loghost? (Score:5, Informative)
Re:IP To MAC Addresses? (Score:3, Informative)
In advising this to people, I'm sure you know what will happen to a network (and to the helpdesk of said network) when multiple people start using the same mac-address, right ?
Re:hehe (Score:2, Informative)
Re:Also (Score:5, Informative)
Spoofed? It can be changed!
http://linuxhelp.blogspot.com/2005/09/how-to-change-mac-address-of-your.html [blogspot.com]
Re:hehe (Score:1, Informative)
All of them are heavily DRM restricted, don't work on linux, and most importantly, can't be synced to an iPod. The IT department understands that for these reasons, it will never be a real alternative to downloading MP3s illegally. Due to the RIAA and some pork barrel legislation tied to our acceptance of government grants, we are required to provide some kind of legal alternative, no matter how futile.
Another complaint hardly unique to Tufts is that we are no longer an IT department. We've simply become an RIAA/MPAA response team. Between receiving the sometimes hundreds of infringement notifications (of which only a fraction actually end up in court) to shifting through our records to find a matching MAC so that we can restrict it, to finally "re-educating" the infringers with RIAA provided propaganda, we hardly have time to address real problems with the network.
Re:You don't have a loghost? (Score:3, Informative)
Re:That's one smug grin i would love to see. (Score:3, Informative)
A dhcp server can't match ip to mac ?
Not if doesn't log. Furthermore, what they're really saying is that it can't match IP to ephemeral MAC that may or may not have been spoofed.
Re:You don't have a loghost? (Score:3, Informative)
Spot on. The lack of clue within the RIAA is mindnumbing.
A MAC-Address is completely meaningless. As in:
ifconfig eth0 hw ether 00:DE:AD:BE:EF:00
Entertaining lawsuit indeed.
But the sour point is that the RIAA apparently still has money to burn... Will it ever end?
Re:The MAC is not in DHCP leases (Score:3, Informative)
Uh, that completely depends on how you've chosen to set it up. My DHCP server sees the client ID you send, logs it, and ignores it completely, using only your MAC address to determine what IP address to assign you (either a static IP I've configured, or a dynamic IP from the pool).
I'm sure I could set it to use the client ID instead, but I'd have to RTFM to figure out how. I know there are some cable companies that use the client ID to determine who you are and won't give you an IP if your client ID isn't one they recognize - or at least there used to be; I haven't encountered this in years. I think @Home used to do it, or maybe I'm thinking of the network AT&T Broadband set up after @Home went out of business and before selling it to Comcast. In any case, it's definitely possible, just not very common.
Re:You don't have a loghost? (Score:1, Informative)
All you'd need to do is change your mac address using ifconfig, then get a new DHCP lease before you did the illegal and nobody knows nuttin'. After you are done, just reboot.
You *cannot* use MAC address as a reliable identifier. You can change yours in approximately 15 seconds. As long as the octets are valid it will work(even AA-AA-AA-AA-AA-AA) Then you grab a new lease which is just about guaranteed to get an unused IP address, which is different than the one you got with the default hardware mac address. When you are done Kazzaing, just reboot. Your MAC will reset back to the default hardware settings and you'll get your IP back.
I've done this research because my boss at the bank I used to work for was trying to find a reliable way to ID a computer. The answer is you can't. You have to ID the user, not the hardware ;) The only way to do this is to go KGB with your network, which most schools will never do.
-Viz
Re:That's one smug grin i would love to see. (Score:5, Informative)
I run an ISP which uses multiple DHCP servers on each layer2 segment. DHCP assignments are logged and kept for a month but quite frequently we get a notice of claimed infringement, spam, or malicious behavior that can't be mapped to an active DHCP assignment at the time stated in the notice. That is not to say that the claimant is making things up, rather that DHCP is not authoritative. A DHCP offer does not need to be taken and even if taken it does not need to be kept. Mac (Not MAC) users seem to have the habit of taking an IP address they have received in the past and setting it as a static IP. I don't use a Mac but this must be in the gui somewhere because it happens all the time.
A dhcp server can't match ip to mac ? Oh sure why not ... if I were the RIAA's lawyer I'd say "then I'm sure you won't mind if I take a look at those logfiles, now will you ?". And then accept their apology in trade for a promise not to persecute this guy personally for lying in court (2 years).
1) User 1 receives a DHCP assignment and sets it as static. They then turn off their laptop after some time.
2) Lease runs out and the address is returned to the pool.
3) User 2 requests an IP and is assigned the same IP (IP1).
4) User1 gets home and turns on their computer and starts sharing "The Wire ...".
5) User2 gets IP conflict message and repairs connection. Gets different IP (IP2) from other DHCP server.
6) HBO sends me a "Notice of Claimed Infringement" for IP1 at time X.
7) I look up who was assigned IP1 at said time and come up with user2.
Looks like we got our match.
Re:That's one smug grin i would love to see. (Score:3, Informative)
A dhcp server can't match ip to mac ? Oh sure why not ... if I were the RIAA's lawyer I'd say "then I'm sure you won't mind if I take a look at those logfiles, now will you ?". And then accept their apology in trade for a promise not to persecute this guy personally for lying in court (2 years).
And they'd say "Sure, here's the last 10 days worth of DHCP logs. Sorry, but we don't keep them longer than that. These won't be of much use to you, of course... if you want useful logs in the future you'll have to notify us within 10 days of the alleged infraction." (oh wait: they did say that.)
"Only ARP is possible" riiiiiiiiiiiiiight ... and that would have nothing to do with arp being impossible after the computer is disconnected, in other words, it'd be worthless for the RIAA.
Um, they're saying "without DHCP logs, ARP is the only thing remaining to possibly tie a user to an IP address, and it can't conclusively do so." Which is pretty much the same thing as you're saying, if you look at it closely.
Re:The MAC is not in DHCP leases (Score:2, Informative)
Re:You don't have a loghost? (Score:3, Informative)
Not necessarily. Many ISP:s ties the IP address allocation to the socket. It is quite common to do so for student apartments and dormitories. That is, the RIAA could prove, with the universitys help, which network socket the infringing file came from.
And how exactly does that help? Student housing generally has two to four people in the same room or suite, students sometimes provide their own WAP or wired switches, and students often share their computers with friends.
The most restrictive arrangements I encountered in over five years as a CIO in higher education was a college that required students to register their MAC address and tied it to the switch port, blocking all other traffic on that port. This arrangement is prone to MAC spoofing as well as a router or firewall that will NAT traffic from the room.
I know another college that went the other way and shared a single business-class cable connection across an entire dorm. I'm sure their upload rates were terrible, but they had more download bandwidth than the administration LAN. And, neither the school nor the ISP had any user-to-traffic logs available.
I'm not suggesting that a more airtight solution doesn't exist but colleges usually are concerned with network management, not with providing enough evidence to meet the standards of a civil lawsuit. As you make the process more restrictive, you increase the inconvenience to your end-users. As you increase the amount of useful data that you log, you increase the cost of providing network services.
Re:And the judge understood it? (Score:1, Informative)
'Expert' witnesses are coming under more scrutiny here in the US. Here are two that I've heard of in the past year.
1) There is a forensics expert who was caught intentionally deceiving the court (for the prosecution, I believe) for a number of years. All cases where his testimony was relevant to the outcome of the trial are/were reexamined.
2) The FBI was providing 'proof' that they could match one spent bullet with a box of bullets by claiming metallurgicaly that they were from the same production batch. This continued until their science was proven bad and that they knew their science was bad.
Cases like this illustrate that expert witnesses may give biased or even false testimony.
Re:Generally? (Score:1, Informative)
There are still ISPs who try to say that the connection is for one and only one computer, and refuse to troubleshoot if you have a router, so you hook up a live computer, get it running, and they bind the connection to that particular MAC. Then, you have to clone that MAC on your router in order to use it to share. Really, really stupid shit.
Re:IP To MAC Addresses? (Score:1, Informative)
In advising this to people, I'm sure you know what will happen to a network (and to the helpdesk of said network) when multiple people start using the same mac-address, right ?
As long as you're not using the same mac address at the same time on the same broadcast domain, it won't cause any trouble.
One way around the mac address based authentication systems is to run tcpdump, gather a bunch of authorized mac addresses, wait for the user to go away, then change your mac address to an authorized one.
You can have a lot of fun with arp-spoofing on wifi!
Re:You don't have a loghost? (Score:3, Informative)
Re:Be honest (Score:3, Informative)
Re:Be honest (Score:3, Informative)
Comment removed (Score:3, Informative)
Re:Generally? (Score:4, Informative)
You do understand all you have to do is cycle the cable modems power and it will grab the new MAC address, yes I used to do this daily. There is no need to "call/hold/bitch" to anyone.