
Tufts Tells Judge, We Can't Tie IP To MAC Addresses

NewYorkCountryLawyer writes "Protesting that Tufts University's DHCP-based systems 'were not designed to facilitate forensic examinations,' but rather to ensure 'smooth operations and to manage capacity issues,' the IT Office at Tufts University has responded to the subpoena in an RIAA case, Zomba v. Does 1-11, by submitting a report to the judge (PDF) explaining why it cannot cross-match IP addresses and MAC addresses, or identify users accurately. The IT office explained that the system identifies machines, not users; that some MAC addresses have multiple users; that only the Address Resolution Protocol system has even the potential to match IP addresses with MAC addresses, but that system could not do so accurately. For reasons which are unclear, the IT department then suggested that the RIAA next time send them 'notices to preserve information,' in response to which they would preserve, rather than overwrite, the DHCP data, for the RIAA's forensic benefit."
  • by Deus.1.01 ( 946808 ) on Wednesday August 06, 2008 @05:29AM (#24493521) Journal
    I'm sure the ICT department were real sorry they couldn't facilitate RIAA's demands.
  • Re:hehe (Score:5, Insightful)

    by drspliff ( 652992 ) on Wednesday August 06, 2008 @05:33AM (#24493549)

    How long until it makes law?

    We were recently required to explicitly keep something like 6 months worth of call data records (although we keep many years worth already due to customer requirements) so that wasn't such an issue.

    However, if ISPs (and universities or other large organisations) were suddenly required to keep track of all IP allocations for 6 months or more it'd cost a bucket load to implement.

  • Remember, kids... (Score:5, Insightful)

    by Anonymous Coward on Wednesday August 06, 2008 @05:38AM (#24493575)
    Remember kids: Just because an IP address doesn't necessarily identify a person doesn't mean that copyright infringement is OK.
  • by huge ( 52607 ) on Wednesday August 06, 2008 @06:07AM (#24493697)

    People should understand that MAC address is no more permanent than IP address is.

    Unfortunately they don't.

  • by lysse ( 516445 ) on Wednesday August 06, 2008 @06:12AM (#24493721)

    Nice move on Tufts' part. If they ever do receive such a "notice to preserve", they can relay it straight back to their students and staff and say "look, the RIAA is watching us with a view to screwing you, so behave yourselves" for the duration of such a notice; and if they don't, they have effectively insulated their charges from all further RIAA action. And all whilst looking extremely co-operative for the benefit of the courts...

  • by meringuoid ( 568297 ) on Wednesday August 06, 2008 @06:13AM (#24493731)
    I suppose in the US you have judges with clue. In the UK it's fuddy duddy old men in wigs who go "What is this 'internet'?"

    You mean judges who know meaningless jargon when they hear it, and want all terms of reference used in their courtroom to be clearly defined.

    What, exactly, legally speaking, is a 'website'? Where does one 'website' end and another begin? How does a 'site' differ from a 'page', if at all? Is a 'forum' part of a 'website', or only attached to it? Is there, as the media often says, a 'file sharing website' called 'BitTorrent' on which pirates trade music? What exactly is this 'Web' thing anyway, and how is it distinct from the 'Internet', if at all?

    A lot of terms bandied about in common parlance regarding Internet services are very vague, and I'm glad to hear of judges demanding that they be defined clearly and unambiguously when in court.

  • by jskline ( 301574 ) on Wednesday August 06, 2008 @06:16AM (#24493747) Homepage

    Of course if a regime change happens at the end of the year, you can rest assured that there are certain politicians who will push hard for law changes to formally "outlaw" the use of DHCP in computer networks due to its haphazard way of handling network IP's, traffic; and because it doesn't know who the user is!...

    What a joke. If you think I'm wrong on this, take a look at the democratic side of the US Congress and look at some discussions that have been bantered about recently! That's all I'll say on that.

    God I hope and pray we get to replace them all next year! They're all bad.

  • by Lunarsight ( 1053230 ) on Wednesday August 06, 2008 @06:20AM (#24493761) Homepage

    For reasons which are unclear, the IT department then suggested that the RIAA next time send them 'notices to preserve information,' in response to which they would preserve, rather than overwrite, the DHCP data, for the RIAA's forensic benefit."

    I honestly wish Tufts hadn't even suggested this to the RIAA, since we all know this will be the next thing they'll try and have legislated through Congress. One of the congressmen on the RIAA payroll will attempt to slip it into a bill undetected.

    They won't limit it to colleges either - they'll probably make it a requirement of ISPs in general.

  • Why? (Score:4, Insightful)

    by Armakuni ( 1091299 ) on Wednesday August 06, 2008 @06:36AM (#24493833) Homepage
    For reasons which are unclear, the IT department then suggested that the RIAA next time send them 'notices to preserve information,' in response to which they would preserve, rather than overwrite, the DHCP data, for the RIAA's forensic benefit.

    Why? The RIAA is not a court of law or even a government agency. Surely the university would have no obligation to comply with its requests? Talking about the RIAA in these terms ("notices", "forensic") lends it unwarranted legitimacy and authority.
  • by Oidhche ( 1244906 ) on Wednesday August 06, 2008 @06:40AM (#24493865)

    The only thing I can think of to prevent this, is tying the MAC address to the physical port on the router.

    Even this wouldn't prevent it if you can physically access the cables.

  • by apathy maybe ( 922212 ) on Wednesday August 06, 2008 @06:51AM (#24493905) Homepage Journal

    And how the fuck are you going to prevent them? Hide your computers and just let them access the screen, keyboard and mouse?

    Unless you put your lab machines in a safe, there is always a way to access the network cables. (Even if it involves pulling the cover away from where they go into the wall.)

  • by OneSmartFellow ( 716217 ) on Wednesday August 06, 2008 @06:51AM (#24493907)
    .. Hey, RIAA, you guys must be pretty stupid if you don't realize that a MAC address can be changed with trivial ease. Therefore, even if we could dredge up the DHCP logs, the IP address to MAC address mapping you are so interested in wouldn't tell you anything anyway.

    Please stop feeding the idiots, they foul the footpaths of life.
  • by antirelic ( 1030688 ) on Wednesday August 06, 2008 @06:56AM (#24493935) Journal

    - I changed my ethernet card
    - I was using a friend's laptop
    - I bought a new computer
    - I bought two new computers
    - Must have been a roommate's friend
    - etc...

  • Re:hehe (Score:5, Insightful)

    by szo ( 7842 ) on Wednesday August 06, 2008 @07:02AM (#24493967)

    Right, aim high!

  • by base3 ( 539820 ) on Wednesday August 06, 2008 @07:03AM (#24493977)

    Hardware keyloggers are expensive/hard to get.

    While I've never bought one, they seem to be readily [keyghost.com] available [keydevil.com] although buying one untraceably would be a bit more difficult (but not impossible) which would be a necessary step to avoid having the keylogger found and an investigator simply asking (perhaps under subpoena) the selling company for the purchase information for that (probably serialized) keylogger.

  • Re:hehe (Score:5, Insightful)

    by NewYorkCountryLawyer ( 912032 ) * <ray AT beckermanlegal DOT com> on Wednesday August 06, 2008 @07:11AM (#24494011) Homepage Journal

    Next hot network thing: RIAA approved DHCP ;)

    Scary, isn't it?

  • by Stellian ( 673475 ) on Wednesday August 06, 2008 @07:16AM (#24494033)

    Yes but the proof RIAA would bring to the court is not just the IP/MAC address combination. That's just a pretext to grab a random student whose IP happens to match, seize his computer and find thousands of MP3 files in the shared folders of a P2P application. That would then constitute the actual evidence they need.

  • by troon ( 724114 ) on Wednesday August 06, 2008 @07:17AM (#24494039)

    Because they're not 13 years old, and have a hint of maturity about them.

  • .. Hey, RIAA, you guys must be pretty stupid if you don't realize that a MAC address can be changed with trivial ease. Therefore, even if we could dredge up the DHCP logs, the IP address to MAC address mapping you are so interested in wouldn't tell you anything anyway.

    They don't care. They just want to have someone to sue.

  • by Anonymous Coward on Wednesday August 06, 2008 @07:24AM (#24494093)
    After which time your performance would start slipping, there'd be some "concerns", your duties would change, and after a while, you'd be out of a job and the word out on the street would be that you are unloyal. Couldn't happen to a nicer guy.
  • by Opportunist ( 166417 ) on Wednesday August 06, 2008 @07:42AM (#24494201)

    Generally that's true, of course. Still, a court expert may bring up facts that the opposing side (of an expert brought in by one side) wouldn't think of. The court experts are required to offer all information they consider important to a case, unasked.

    Generally it is frowned upon when they can't at least credibly try to offer information beneficial for both sides, the very last thing one of those "impartial experts" wants is to be accused of offering biased testimonies, something that happens easily when the testimony appears biased. Since their testimonies have a lot of influence on a verdict (the judge basically has to trust this expertise and often simply tack it to the verdict), if a side gets disadvantaged by it their most likely attempt at a defense is to bring in an expert of their own and have him come up with scenarios that are beneficial for their side that were left out by the court's expert and argue that he is biased. It is often the only defense you have against it.

    Now, the very last thing such a court expert wants is an accusation of a biased expertise. It can easily cost him his position, and since it's very easy money for them, bribery is usually quite useless. People who are even considered for such a position usually do it less for the money, since they are such luminaries in their field that they usually already have earned more than they can spend in a lifetime. The goodwill loss for being labeled a biased court expert is most of the time a bigger fear for them than any money can wipe.

  • by Anonymous Coward on Wednesday August 06, 2008 @07:48AM (#24494229)

    Doesn't mean it's not OK either. It's an orthogonal argument.

  • No they don't (Score:3, Insightful)

    by tjstork ( 137384 ) <todd DOT bandrowsky AT gmail DOT com> on Wednesday August 06, 2008 @08:10AM (#24494377) Homepage Journal

    Lawyers as a whole, and judges in particular, think that they can "cut to the chase" of a problem and dig into the details of any field by analyzing every activity with respect to the law. So they never grasp the technology per se as much as they extract talking points with which to argue their side. Judges just tend to go with whoever makes the better argument. Expert witnesses and consultants are brought in to boost the credibility of the lawyers and their talking points, not, to help aid in any real understanding.

  • by sgbett ( 739519 ) <slashdot@remailer.org> on Wednesday August 06, 2008 @08:12AM (#24494397) Homepage

    And, of course, nobody has *ever* spoofed a MAC Address ....

  • by huge ( 52607 ) on Wednesday August 06, 2008 @08:14AM (#24494413)

    Yes but the proof RIAA would bring to the court is not just the IP/MAC address combination. That's just a pretext to grab a random student whose IP happens to match, seize his computer and find thousands of MP3 files in the shared folders of a P2P application.

    That's exactly the point. It has been established that the IP address on its own is not enough as it can not be tied to single user/pc. That's the reason why they try to use IP/MAC pair to single out the computer they want to confiscate.

    IP/MAC is just as reliable as IP address on its own.

  • by fortyonejb ( 1116789 ) on Wednesday August 06, 2008 @08:21AM (#24494501)
    It also doesn't mean spinning the roulette wheel of blame to choose who to pin the infringement on is OK either.
  • by IDtheTarget ( 1055608 ) on Wednesday August 06, 2008 @08:25AM (#24494553)

    At my work we use two-factor authentication. (We use RSA [rsa.com] SmartID tokens and a RADIUS server, but other similar systems are available.) Two factor authentication relies on something you know (in this case, a PIN number), and something you have (in our case, a hardware key-fob that generates a pseudo-random number every 60 seconds). We use this to allow VPN connections into our network while on the road.

    The price for these tokens is coming down to the point where banks are considering giving them to their customers who wish to bank online, I don't see why universities couldn't use them to allow access to their network, whether via Ethernet or wireless.

    If your keyfob is lost or stolen, you report it immediately and the IT department disables that fob and issues a new one, presumably with a fee. Otherwise, you are held accountable for whatever is done with your account.

    I'd imagine that this fob would also allow you to access any of the other services that are typically offered online by universities (access to library resources, registering for classes online, etc).

    It's not that difficult to store information as to which IP address is issued to which account during which time, we do it at work.

  • by Overzeetop ( 214511 ) on Wednesday August 06, 2008 @08:30AM (#24494595) Journal

    More interestingly, I would presume that Tufts would be within their rights to use that as a profit center as well. Those things don't preserve themselves, and in most litigation the financial burden of collecting pre-discovery data (and some discovery data) is on the requesting party.

    I wouldn't be surprised to find that Tufts would give explicit notice to the faculty/students, as well as charging for the software, installation, maintenance, and storage of custom logging operations. That can get expensive quickly, especially when people are billing hourly and university overhead is often north of 50-60% of direct costs.

  • by Anonymous Coward on Wednesday August 06, 2008 @08:37AM (#24494671)

    DHCP is not required to keep a mapping between MAC and IP address. At least not at the protocol level. A very minimalistic implementation of a DHCP daemon would only need to keep the IP addresses that it has doled out and for how long - after expiry time, mark that address as unused. The client, according to the RFC, is supposed to ask for a new IP address and work properly if it gets a new address. That would qualify as conforming under the RFC that spells out DHCP. If you do that and don't store the IP address, you can't reverse the mapping using DHCP - only ARP can.

    Last I checked, universities were not required to keep log files, and if you kept log files from the above program (that printed "Issued IP xx.xx.xx.xx at 12:00:00UTC for 4h"), it wouldn't help you in the slightest.
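
An added illustration, not part of the thread or of the Tufts report: the question "which MAC held this IP at time T" asked of a lease table that is overwritten on reuse and of a preserved, append-only grant history. The grant records, addresses and function names are constructed for the example, and lease release times are assumed not to be logged.

```python
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M"

# Constructed sample lease grants: (granted_at, ip, mac, lease_hours).
# MACs are in the locally administered range; none come from the report.
GRANTS = [
    ("2008-08-06 08:00", "10.0.5.20", "02:00:00:aa:00:01", 4),
    ("2008-08-06 09:00", "10.0.5.21", "02:00:00:aa:00:02", 4),
    # First holder of .21 released early; the release itself was not logged.
    ("2008-08-06 10:00", "10.0.5.21", "02:00:00:aa:00:04", 4),
    # .20 handed to a different machine after the first lease ran out.
    ("2008-08-06 13:30", "10.0.5.20", "02:00:00:aa:00:03", 4),
]


def _intervals(grants):
    """Yield (ip, mac, start, end) with parsed timestamps."""
    for granted_at, ip, mac, hours in grants:
        start = datetime.strptime(granted_at, FMT)
        yield ip, mac, start, start + timedelta(hours=hours)


def overwritten_table(grants):
    """Model a server that keeps one row per IP and overwrites it on reuse."""
    table = {}
    for ip, mac, start, end in _intervals(grants):
        table[ip] = [(mac, start, end)]
    return table


def preserved_history(grants):
    """Model an append-only log in which every grant for an IP is kept."""
    history = {}
    for ip, mac, start, end in _intervals(grants):
        history.setdefault(ip, []).append((mac, start, end))
    return history


def who_held(store, ip, when):
    """Return the MACs whose recorded lease on `ip` covers `when`.

    An empty list means the store cannot answer. More than one MAC means the
    recorded intervals overlap, so the records alone cannot pick a machine.
    """
    at = datetime.strptime(when, FMT)
    hits = [mac for mac, start, end in store.get(ip, []) if start <= at < end]
    return list(dict.fromkeys(hits))  # de-duplicate renewals, keep order


if __name__ == "__main__":
    table = overwritten_table(GRANTS)
    history = preserved_history(GRANTS)
    for ip, when in [("10.0.5.20", "2008-08-06 09:15"),
                     ("10.0.5.21", "2008-08-06 11:00"),
                     ("10.0.5.20", "2008-08-06 12:30")]:
        print(ip, when, "table:", who_held(table, ip, when),
              "history:", who_held(history, ip, when))
```

Even the preserved history names a network interface address, not a person, and returns two candidates for the interval in which an early release went unrecorded.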

  • by Anonymous Coward on Wednesday August 06, 2008 @08:48AM (#24494791)
    All the RIAA is doing is forcing people to think outside the box. Friends of mine have been trading MP3s for a while now by sharing USB keys. Other friends of mine trade those small 350GB USB external hard drives for movies.
  • by sm62704 ( 957197 ) on Wednesday August 06, 2008 @09:04AM (#24494997) Journal

    Remember kids: Just because copyright infringement may not be OK doesn't mean you can't share work that the copyright owner WANTS shared. The danger is having downloads go into a shared folder and downloading the RIAA's crap instead. You not only get dreck, but you get sued for your mistake.

    It seems to me that there ought to be proof of intent. If I'm trying to download The Station's The Fog but I get Radiohead's completely different song by the same name instead, why should Radiohead's label be able to sue me?

  • by Anonymous Coward on Wednesday August 06, 2008 @09:34AM (#24495411)

    Tying IP+Time to MAC is easy, the problem is that it doesn't tie to a person.

    The solution to that is just active sniffing, which is far scarier than anything they're doing now.

    Log any screennames or usernames they login to on that IP+Time+Mac session. Factor in things like browser useragent, TCP timestamps and sequence numbers, browsing patterns, etc.

    None of this is 100% certainty, but enough pieces of data and you could get a reasonably accurate view of who someone is, and at the same time pick up plenty of more useful info too such as profiling-- which users primarily load torrent sites, who they IM most often, really... anything you do in cleartext.

    And if you do everything encrypted, I hope you convince everyone else to give up their unencrypted things and do the same, otherwise you being the only 100% encrypted person would give you away.

    Not to mention you could still tie what IPs you communicate to, and who signed the keys you're talking to. Or just block any non-approved encryption (including all HTTPS to self-signed certs).

    None of this is easy, but all of this is doable with today's technology and a little funding.

  • by Ferzerp ( 83619 ) on Wednesday August 06, 2008 @10:14AM (#24496069)

    If by a stinker you mean you suck at lying... Yes.

    You borrowed a MAC address. A piece of information that only lives on in your specific network segment and then attached it to wireless that was set up by someone who wasn't smart enough to secure it. This means it was no doubt set up with the default config which means it was a router...

    The network admin had a super special routable MAC address did he?

  • Re:Be honest (Score:5, Insightful)

    by tooyoung ( 853621 ) on Wednesday August 06, 2008 @10:35AM (#24496435)

    How many kids have any clue whatsoever on how to do this? I'd wager most CIS and IS students don't even know how to do it

    True, but I bet that most CIS and IS students know that you CAN do it. Then it becomes a simple matter of googling. The key here is that anyone who has taken a basic networking course has enough knowledge to dispute evidence crucial to the RIAA's case. The fact the RIAA is able to continually present this evidence in a court room tells me that
    1. Judges and juries do not know enough about the technology that they are ruling on.
    2. The RIAA's experts are deliberately misleading the judges and juries. This is not ethical and should have consequence.

  • Re:Be honest (Score:5, Insightful)

    by AusIV ( 950840 ) on Wednesday August 06, 2008 @10:39AM (#24496517)
    Why would MAC spoofing have to be common knowledge to use that as a defense for their students?

    It's not like every student would have to be going around spoofing MAC addresses. You could have ten kids going around sniffing MAC addresses, then spoofing a different MAC every day to do their file sharing. You could certainly be vulnerable to this without knowing how it works.

  • by Nefarious Wheel ( 628136 ) on Wednesday August 06, 2008 @10:44AM (#24496623) Journal
    I guess a working catch phrase might be "hardware is not people".
  • by MoeDrippins ( 769977 ) on Wednesday August 06, 2008 @10:50AM (#24496719)

    Spot on. The lack of clue within the RIAA is mindnumbing.

    I suspect the RIAA knows EXACTLY what the technical facts are. But if they can still sue w/o having those get in their way, so much the better! (For them)

    Remember this is law, not logic.

  • Re:hehe (Score:1, Insightful)

    by Anonymous Coward on Wednesday August 06, 2008 @11:15AM (#24497115)

    That is a bit misleading...

    Let's say it's 6 months. ~30 days per month 6 months and something large like 10k in machines. That is about 1800000 records if each one requests 1 new ip per day. Then 4 bytes to hold the ip 4 bytes to hold the pointer to 'who owned it'. So about 28 meg of data. Hardly a 'bucket load' of data. When I can get a TB of HD for ~200 bucks it's not even that cost prohibitive.

    Even if all the machines request 10 times a day that is 280 meg of raw data. That is NOTHING in the world of a relational db.

    Just obfuscating the problem with 'bucket load' only pisses judges off. They will THEN start making unreasonable demands.

  • by MoeDrippins ( 769977 ) on Wednesday August 06, 2008 @12:10PM (#24498183)

    Sorry, I didn't mean to imply I disagreed in general, only that the RIAA doesn't "have a clue".

    The RIAA isn't in the pattern of suing people they *KNOW* they can beat, they sue people they think they can beat. They're simply playing the odds; 1 big case won from legal shenanigans and/or technical ignorance can overcome many that never make it that far.

  • by Skapare ( 16644 ) on Wednesday August 06, 2008 @12:25PM (#24498479) Homepage

    They can tie an IP address to a MAC address, although with less than total certainty. But, depending on how the network is wired, there is also no total certainty in tying a MAC address to a specific ethernet controller (and hence to a student). If their network is ethernet technology based, a MAC address can "float" from one port to another, even if there is a time delay in that from a switch flushing its cache.

    All someone has to do is know the MAC addresses of other computers in the LAN. This can be known by sending IP packets to each of the addresses in the subnet, and checking what MAC addresses respond (and seen in the local ARP table). By scanning this network periodically, they can discover which computers get turned off or unplugged. As soon as that happens, the MAC address of the computer no longer responding is fed over to another computer which has an ethernet controller which allows substituting the MAC address by software. That other computer then assumes the MAC address and its associated IP address. Most ethernet switches will eventually associate that MAC address with a new port. Usually I see that happening within 3 to 10 seconds (the computer on the new port has to be sending ethernet frames with that MAC address as the source, plus some other computer trying to send ethernet frames to that MAC address). In the worst case I've seen it took 2 minutes for the switch to figure out where the MAC address "moved" to.

    Once the switch associates the MAC address with a new port, the computer there can do whatever they want there and it will be known under the original MAC and IP addresses.

    There are means to prevent this. But would these means be implemented and deployed? One is for the switch to be configured to disallow a MAC address to move to another port. But that can make life difficult for students in dorms, where students with laptops, and even students with towers, are known to gather in one room, or a commons area, to work on things together with multiple computers (whether it is class work or otherwise). Another possibility is for the switch itself to log any port changes. That would at least reveal which dorm room a given MAC was "stolen" from. A more secure network would force all communications through an encrypted tunnel within the ethernet infrastructure, but this would be costly, impact performance, and require special drivers and/or proxies.

    Imagine a plot of degree of security vs. cost. As you get close to 100% security, the cost begins to rise dramatically. At some point the cost of more security exceeds the potential loss due to that security not being 100%. Of course the **AA's would like to see their own losses figured into that, and without them having to pay for the extra security. The reality is, most schools will not achieve 100% security on their networks, and aside from the issue of piracy, will not be concerned with it. It's the same as the issue of how well do you secure your home from burglars. For most people it's just not worth tens of thousands of dollars in security equipment to protect tens of thousands of dollars of property. People like Bill Gates would certainly have a lot more security at home. But he's the exception. I'd expect the restricted areas of government intelligence agencies to have far more network security than any college or university.

    So what it comes down to is, even the one and only student named as the user of a given MAC/IP combination, and even if their own computer was kept perfectly secure, may be just as much a victim of someone else doing the piracy, as the content owners are. And we know from history, the **AA's don't really care about making sure they have the true pirate.

    If they would like to see the schools achieve 100% total security, maybe they should pay for it. Of course they don't want to. They want someone else to pay for maintaining their profit margins, even if that means raising taxes and/or tuition.
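
An added illustration, not part of the thread: the "switch logs any port changes" mitigation from the comment above, as a small analysis of switch learn events that reports every MAC that moved port and separates a one-off move from an address seen on two ports within a short window. The log line format, port names, addresses and the 120-second window are assumptions made for the example.

```python
from datetime import datetime

# Constructed "MAC learned" events: "<ISO time> <mac> <port>".
LEARN_LOG = """\
2008-08-06T12:00:00 02:00:00:bb:00:01 dorm-a/12
2008-08-06T12:00:05 02:00:00:bb:00:02 dorm-a/14
2008-08-06T18:40:10 02:00:00:bb:00:01 commons/3
2008-08-06T23:05:00 02:00:00:bb:00:02 dorm-b/7
2008-08-06T23:05:40 02:00:00:bb:00:02 dorm-a/14
2008-08-06T23:06:10 02:00:00:bb:00:02 dorm-b/7
"""


def find_moves(log):
    """Return one record per event where a known MAC shows up on a new port."""
    last_seen = {}  # mac -> (port, time of last learn event)
    moves = []
    for line in log.splitlines():
        if not line.strip():
            continue
        stamp, mac, port = line.split()
        at = datetime.fromisoformat(stamp)
        mac = mac.lower()
        if mac in last_seen and last_seen[mac][0] != port:
            moves.append({
                "mac": mac,
                "from_port": last_seen[mac][0],  # where the address was before
                "to_port": port,
                "at": at,
            })
        last_seen[mac] = (port, at)
    return moves


def flapping(moves, window_s=120, min_moves=2):
    """Return MACs with at least `min_moves` port changes inside `window_s`.

    A laptop carried to another room moves once; an address that bounces
    between ports inside the window is being claimed by two ports at once.
    """
    stamps_by_mac = {}
    for move in moves:
        stamps_by_mac.setdefault(move["mac"], []).append(move["at"])
    flagged = []
    for mac, stamps in stamps_by_mac.items():
        stamps.sort()
        for i in range(len(stamps) - min_moves + 1):
            span = (stamps[i + min_moves - 1] - stamps[i]).total_seconds()
            if span <= window_s:
                flagged.append(mac)
                break
    return sorted(flagged)


if __name__ == "__main__":
    all_moves = find_moves(LEARN_LOG)
    for m in all_moves:
        print(m["at"].isoformat(), m["mac"], m["from_port"], "->", m["to_port"])
    print("flapping:", flapping(all_moves))
```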

  • Re:hehe (Score:3, Insightful)

    by The Spoonman ( 634311 ) on Wednesday August 06, 2008 @01:01PM (#24499211) Homepage
    were suddenly required to keep track of all IP allocations for 6 months or more it'd cost a bucket load to implement.

    Not necessarily. The easiest way is to just increase your IP pool and lease time. I have Roadrunner, and I've had the same IP for about 10 months now. Now, mine is on 24/7, but even after being offline for a day or so (because of power outages), I'll get the same IP when I reconnect. It doesn't take a large amount of horsepower to store a database of 75,000 IP addresses that only change once every few months.

    AOL and the like, not as easy, but not very difficult to implement, either. But, does anyone have any info on how many dial-up users they've gone after? I can't imagine it's that many.
  • by clone53421 ( 1310749 ) on Wednesday August 06, 2008 @02:14PM (#24500323) Journal

    The hard-coded MAC address in a network adapter is simply a number that's guaranteed to be different from every other hard-coded address in every other adapter; in other words, it's a matter of convenience. It allows the software to use an address that should avoid conflicts with other machines. It's still nothing more than a recommended value, and using a different value is hardly drastic. "Spoofing", although I kind of like the term, makes it sound more drastic than it really is (maybe that's why I like it). Oh well...

  • Re:Arp (Score:4, Insightful)

    by NewYorkCountryLawyer ( 912032 ) * <ray AT beckermanlegal DOT com> on Wednesday August 06, 2008 @04:25PM (#24502301) Homepage Journal

    I have this vision of the RIAA lawyers as a group of seals clapping their fins and barking, "arp, arp, arp, arp". not sure why.

    I think of them more as hyenas, vultures, or wild dogs.
